Re: Prohibiting SSL VPNs

[John Kougoulos <koug () intranet gr>]

Thanks everyone for their replies. What worries me most of all is that in
the near future probably MS will bundle such VPN connection with every
Winxxx server product, enabled by default, thus enabling everyone to
establish a VPN connection to everywhere (his ADSL connected home?). Less
"security aware" people will think that "since it's a VPN, it's safe"
making this a nightmare for virus propagation issues & enabling lots of
backdoors.

Of course there is software (like http://www.loopholesoftware.com) which
will tunnel everything over HTTP so disabling SSL/TLS is a temporary
solution.

The fact that these devices are certified means that the product gives the
ability to the administrator of such device to enforce a policy. He may
not. These are features that worry the one who wants to offer VPN services
to his employees. Is there any method that this tunnel could be identified
by the network administrator where the client VPN initiates? This is what
a certification authority should do!

I know of course that a malicious user can connect two networks if there
is Layer 3 connectivity between the two sites. A telnet/SLIP like
combination would be enough. However we are facing here the fact that we
have "certified firewall-bypassing-with-no-method-to-identify VPNs".

It is difficult to convince some people that the VPN service (which is
certified) offered by the "big-x-company/bank/whatever" may not be secure
enough (having in mind that they already use it for the past 6 months with
no problems). It would be nice if this VPN couldn't work and given the
fact that someone has to do some business using this technology I would be
contacted to provide a solution (providing some external connection to
this PC). That's the way it worked on classic IPSEC (using ESP/IKE
methods).

Anyway, thanks again all for their replies.

--koug

On Fri, 21 May 2004, Frederick M Avolio wrote:

> At 01:40 PM 5/20/2004 +0300, John Kougoulos wrote:
> > ...
> > Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
> > like the one offered by F5 (Firepass), since this requires only the
> > ability for the client to make an https connection (bypassing any kind of
> > firewall/proxy)? Since this product (or any similar) creates some kind of
> > PPP connection over https, installs routes on the PC etc. it will create a
> > lot of problems. (see also: Worms, Air Gaps etc)
> > ...
>
> Generally speaking, SSL VPNs require authentication and then provide access
> control. IE, to call itself a "VPN" and SSL device has to do more than just
> do SSL (or TLS) encryption and server authentication. It has to also
> provide access control.  Firepass, for example, supports strong
> authentication and access control and passed ICSA Labs SSL VPN certification.
>
> But, to answer your question, rather than just suggest it is based on a
> false premise, you could 1) write a policy that outlaws their use and 2)
> disallow SSL or TLS through the firewall (or other intrusion prevention
> device).
>
> DISCLOSURE: I've done consulting work for SSL VPN vendors in the past
> (writing papers for Aventail and Whale Communications) and consult for ICSA
> Labs in the SSL-TLS Consortium program.
>
>
>
> Fred
> Avolio Consulting, Inc.
> URL: http://www.avolio.com/
> Weblog: http://www.avolio.com/weblog/
> AIM: fmavolio, Yahoo Messenger: avolio, MSN Messenger: fred () avolio com
> PGP Key Fingerprint:    928D 0903 934F 8CFA 6124
>                          BBF6 0B45 93C7 3521 CEA0

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards