Educause Security Discussion mailing list archives
Clientless SSL VPN vulnerability
From: Jay Graham <jwg+ () PITT EDU>
Date: Fri, 5 Mar 2010 11:46:57 -0500
Hi,

We are using the Juniper (aka Netscreen aka Neoteris) SSL VPN product. We recently made a security decision to remove the address bar from within the SSL VPN interface to limit the risk of this vulnerability. This has caused some people to complain since they used this address bar to directly proxy to various sites. We use the SSL VPN to allow web access to our library journals and now the users just can't copy and paste URLs of these journals in e-mail messages since the URL is different depending on whether you are on campus versus off campus (i.e. through the VPN tunnel).

What I was wondering was if other schools have done anything similar and how they are coping with the change? (i.e. workarounds etc.) I understand the convenience of the address bar, but in this case, I think the risk outweighs it.

Thanks,
Jay Graham
University of Pittsburgh