PaulDotCom mailing list archives

SSL VPN attacks?


From: jackadaniel at gmail.com (Jack Daniel)
Date: Sun, 31 Jan 2010 18:07:26 -0500

There's a different problem with the Cisco (and some other)
"clientless" (there's a BS marketing term) VPNs.  There's a lame Cert
vuln report at:
http://www.kb.cert.org/vuls/id/261869 with lots of misinformation
(most VPN products are not vulnerable to this).
Two posts over at Securosis clarify and explain this issue:
http://securosis.com/blog/your-clientless-ssl-vpn-sucks/
and
http://securosis.com/blog/clientless-ssl-vpn-redux/

Basically, the "web browser as VPN client" systems where the "VPN
server" rewrites the remote services and serves them to the
browser/client via a web server break domain security models if used
improperly.

I *assume* (with all attendant dangers) that these same pure
web-browser based systems are as vulnerable to sslstrip as
conventional websites, but I do not know for sure.

What is driving the change from IPSec?


Jack


-- 
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com
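To make the "break domain security models" point above concrete, here is an added example (not from Jack's post or any vendor's code) that models what a URL-rewriting "clientless" portal does to the browser's same-origin policy. The portal hostname, the internal hostnames, the `/proxy/<scheme>/<host>` path shape and the allow-list are all constructed assumptions for illustration; real products encode the rewritten URL differently, but the origin collapse is the same.

```javascript
// Added example: how a URL-rewriting SSL VPN portal collapses distinct
// internal origins into the portal's origin. All hostnames are constructed.

const PORTAL = "https://vpn.example.test"; // assumed portal origin

// Assumed rewriter shape: the internal URL is folded into the portal's path,
// so the browser only ever talks to the portal host.
function rewriteThroughPortal(internalUrl) {
  const u = new URL(internalUrl);
  const scheme = u.protocol.replace(":", "");
  return `${PORTAL}/proxy/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Origin exactly as the browser computes it: scheme + host + port.
function originOf(url) {
  return new URL(url).origin;
}

// Does the same-origin policy still separate two internal sites?
function originIsolation(urlA, urlB) {
  return {
    direct: originOf(urlA) !== originOf(urlB),
    throughPortal:
      originOf(rewriteThroughPortal(urlA)) !== originOf(rewriteThroughPortal(urlB)),
  };
}

// Minimal host-scoped cookie jar, enough to show why cookies leak between
// rewritten sites: every rewritten page lives on the portal host.
class CookieJar {
  constructor() { this.byHost = new Map(); }
  set(url, name, value) {
    const host = new URL(url).host;
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    this.byHost.get(host).set(name, value);
  }
  visibleTo(url) {
    const host = new URL(url).host;
    return [...(this.byHost.get(host) ?? new Map()).keys()].sort();
  }
}

// Constructed internal sites behind the portal.
const HR = "https://hr.intranet.test/payroll";
const WIKI = "https://wiki.intranet.test/page?id=1";

// Names of cookies that a page loaded from WIKI can see after HR set one.
// Direct access: none. Through the portal: the HR session cookie.
function cookieLeak(viaPortal) {
  const jar = new CookieJar();
  const hr = viaPortal ? rewriteThroughPortal(HR) : HR;
  const wiki = viaPortal ? rewriteThroughPortal(WIKI) : WIKI;
  jar.set(hr, "hr_session", "constructed-value");
  return jar.visibleTo(wiki);
}

// The "if used improperly" part: a portal that rewrites only an explicit
// allow-list of trusted internal hosts (assumed policy, not a vendor default)
// limits which sites end up sharing the portal origin.
const TRUSTED_HOSTS = new Set(["hr.intranet.test", "wiki.intranet.test"]);

function rewriteIfTrusted(internalUrl) {
  const u = new URL(internalUrl);
  if (!TRUSTED_HOSTS.has(u.host)) return null; // refuse to proxy arbitrary sites
  return rewriteThroughPortal(internalUrl);
}

function demo() {
  console.log("isolation:", originIsolation(HR, WIKI));
  console.log("cookies visible to wiki, direct:", cookieLeak(false));
  console.log("cookies visible to wiki, via portal:", cookieLeak(true));
  console.log("untrusted host rewritten?", rewriteIfTrusted("https://other.example.test/"));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

The allow-list is the defensive takeaway: once two sites are served from one origin, nothing in the browser separates their scripts, cookies or DOM, so the only remaining control is to keep untrusted content from ever being rewritten through the portal.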

On Sun, Jan 31, 2010 at 2:49 PM, Michael Douglas <mick at pauldotcom.com> wrote:
Do any of the ssl strip type attacks work against SSL VPNs?
Specifically the Cisco variant?

I have a side client who's all but ready to ditch IPSec and that's got
me a bit concerned. I've tried noodling around on google/bing to see
what I can find, and my search-fu is weak today.

Any tips are welcomed.

Thanks & have a nice day!
- Mick
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com