Penetration Testing mailing list archives
Pen testing SSL VPN appliances?
From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Mon, 1 Dec 2003 15:53:23 -0500
Hello all,

Has anyone done a technical pen-test on an SSL VPN concentrator recently? If yes, what tools did you use and what facets of the device did you look at? I am speaking of testing above and beyond such tools as vulnerability assessment tools such as Nessus. For example, analyzing the client-side applets, browser cache files, cookie hijacking, weaknesses in authentication, etc.

I am not really interested in the policy and practices side of things in this case, such as when and where to use the SSL VPN (e.g. not in a Starbucks or Kinkos), logging out, etc.

FWIW, there is a pretty good basic whitepaper by Joseph Steinberg of Whale Communications on this topic at http://www.sans.org/rr/wp/SSL_VPN.pdf, but I was hoping for more along the line of success stories along the lines of "I found this using this" or device-specific problems that are not addressed by current code releases.

Thanks,
Mark Lachniet