Security Basics mailing list archives

Re: SSL VPN Risk Assessment


From: Pierre Cadieux <hobbit () theshire com>
Date: Tue, 11 Mar 2008 14:02:27 -0700


Not sure how decisions are made in your organization, but it sounds like they want the ammo to use when they are questioned about spending the money (likely the VPN solution is fairly new, and someone is likely to ask why these things weren't identified originally, etc.).

I would first rate the risks you identified by priority and by impact, so you can show what the consequence would be if your recommendations are not accepted. Also be clear about what can be done in phases (you can implement endpoint security without necessarily changing the authentication method or adding a second factor). Be clear in your assessment of the solutions; there may be solutions you can suggest that are low or minimal impact in terms of time or resource commitment. Depending on the types of business and data your organization deals with, there may be additional factors that help you make your point (regulatory compliance requirements, PCI requirements, company architecture or policy).

Good luck,

->Pierre


blagoon () gmail com wrote:
Hi all,

I was tasked to do a risk assessment on our SSL VPN deployment, and I came up with the following:
- Authentication: single factor is too weak; we'll have to use a hard token as a 2nd factor.
- Endpoint security: we need to verify the integrity of the connecting host (company asset, antivirus, patches), install a cache cleaner and force inactive session timeouts.
- Access control: limit full VPN access, implement resource profiles for different groups of users, or allow only RDP to users' desktops in the office.

But apparently it is not enough for my manager, and I was asked to expand this report. Any suggestions on areas I might have missed?

Thanks,



