Firewall Wizards mailing list archives
Re: Prohibiting SSL VPNs
From: John Kougoulos <koug () intranet gr>
Date: Tue, 25 May 2004 15:59:59 +0300 (EEST)
Thanks everyone for their replies. What worries me most of all is that in the near future probably MS will bundle such VPN connection with every Winxxx server product, enabled by default, thus enabling everyone to establish a VPN connection to everywhere (his ADSL connected home?). Less "security aware" people will think that "since it's a VPN, it's safe" making this a nightmare for virus propagation issues & enabling lots of backdoors. Of course there is software (like http://www.loopholesoftware.com) which will tunnel everything over HTTP so disabling SSL/TLS is a temporary solution. The fact that these devices are certified means that the product gives the ability to the administrator of such device to enforce a policy. He may not. These are features that worry the one who wants to offer VPN services to his employees. Is there any method that this tunnel could be identified by the network administrator where the client VPN initiates? This is what a certification authority should do! I know of course that a malicious user can connect two networks if there is Layer 3 connectivity between the two sites. A telnet/SLIP like combination would be enough. However we are facing here the fact that we have "certified firewall-bypassing-with-no-method-to-identify VPNs". It is difficult to convince some people that the VPN service (which is certified) offered by the "big-x-company/bank/whatever" may not be secure enough (having in mind that they already use it for the past 6 months with no problems). It would be nice if this VPN couldn't work and given the fact that someone has to do some business using this technology I would be contacted to provide a solution (providing some external connection to this PC). That's the way it worked on classic IPSEC (using ESP/IKE methods). Anyway, thanks again all for their replies. --koug On Fri, 21 May 2004, Frederick M Avolio wrote:
At 01:40 PM 5/20/2004 +0300, John Kougoulos wrote:... Does anybody have any ideas on how I could prohibit the usage of SSL VPNs like the one offered by F5 (Firepass), since this requires only the ability for the client to make an https connection (bypassing any kind of firewall/proxy)? Since this product (or any similar) creates some kind of PPP connection over https, installs routes on the PC etc. it will create a lot of problems. (see also: Worms, Air Gaps etc) ...Generally speaking, SSL VPNs require authentication and then provide access control. IE, to call itself a "VPN" and SSL device has to do more than just do SSL (or TLS) encryption and server authentication. It has to also provide access control. Firepass, for example, supports strong authentication and access control and passed ICSA Labs SSL VPN certification. But, to answer your question, rather than just suggest it is based on a false premise, you could 1) write a policy that outlaws their use and 2) disallow SSL or TLS through the firewall (or other intrusion prevention device). DISCLOSURE: I've done consulting work for SSL VPN vendors in the past (writing papers for Aventail and Whale Communications) and consult for ICSA Labs in the SSL-TLS Consortium program. Fred Avolio Consulting, Inc. URL: http://www.avolio.com/ Weblog: http://www.avolio.com/weblog/ AIM: fmavolio, Yahoo Messenger: avolio, MSN Messenger: fred () avolio com PGP Key Fingerprint: 928D 0903 934F 8CFA 6124 BBF6 0B45 93C7 3521 CEA0
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Prohibiting SSL VPNs John Kougoulos (May 21)
- Re: Prohibiting SSL VPNs Frederick M Avolio (May 21)
- Re: Prohibiting SSL VPNs John Kougoulos (May 25)
- Re: Prohibiting SSL VPNs Paul D. Robertson (May 21)
- <Possible follow-ups>
- RE: Prohibiting SSL VPNs Melson, Paul (May 21)
- RE: Prohibiting SSL VPNs Desai, Ashish (May 21)
- Re: Prohibiting SSL VPNs Frederick M Avolio (May 21)