Security Basics mailing list archives

RE: Clientless VPN (SSL VPN) vs HTTPS


From: "Melchior, Raimar" <raimar.melchior () hp com>
Date: Mon, 14 Aug 2006 09:01:46 +0200

Hi,

SSL-VPN is a very attractive alternative to traditional IPSec,
especially if you are the owner of a dedicated SSL-VPN appliance
(Juniper, F5, Aventail, etc.).
There are some pros and cons I want to enumerate.

In general you can access every resource in your network (not only
email) from different client OSs (Linux, Mac, Windows). Most of the
appliances have a reverse proxy implemented from which you can access
most applications over an embedded web client. But you can also set up
an SSL tunnel and start a client program on your machine. Traffic
through the tunnel is directed transparently. Most of them provide
authentication and authorization (RADIUS, LDAP, RSA SecurID,
certificates, etc.).

If you have a large number of remote users in the field you save a lot
of time with the rollout, because you don't have to configure the remote
client. All configuration is done centrally on the appliance (Web GUI).
Furthermore, these appliances come with a hardened OS and with
embedded security checks. I like the endpoint security very much
(F5 FirePass). You can check whether the remote client has AV, a FW,
special registry entries set, and so on (before he gets logged in). This
is a very powerful feature I haven't seen on IPSec clients.

But there are also some disadvantages. It is not completely clientless.
Most of the appliances use ActiveX/plugins (which must be enabled on the
remote client) and you can't build LAN-to-LAN tunnels with SSL.

Regards
Raimar

-----Original Message-----
From: harbinger [mailto:bluetooth995 () gmail com] 
Sent: Freitag, 11. August 2006 05:56
To: security-basics () securityfocus com
Subject: Clientless VPN (SSL VPN) vs HTTPS

Hi

These days SSL VPN has been the alternative to the traditional IPsec
VPN, particularly for users that require only email access.

However, what is the difference between implementing an SSL VPN - which
essentially means allowing only web-based traffic, i.e. webmail - as
compared to just setting up a webmail server running HTTPS?

Can anyone point out the differences?

Thanks

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


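The reply above describes what an SSL-VPN appliance actually adds over a bare HTTPS webmail server: a reverse proxy in front of many internal applications, central authentication and authorization, and an endpoint posture check (AV, firewall, registry entries) that runs before login. The following Go program is an added example written for this archive page; it is not code from the original posts or from any of the appliance vendors named. It models the same sequence as a small gateway. The `X-Posture-*` headers, the `Posture` struct, the `users`/`acl`/`routes` tables, the backend hostnames and the `gw.crt`/`gw.key` file names are all assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Posture is the endpoint state a hypothetical client-side agent reports
// before login; the fields mirror the checks named in the reply (AV running,
// firewall on, required registry entries set). Struct and header names are
// assumptions for this example, not any vendor's schema.
type Posture struct {
	AVRunning       bool
	FirewallEnabled bool
	RegistryOK      bool
}

// CheckPosture is the pre-login endpoint check: every required control must
// be present, and the returned error names everything that is missing.
func CheckPosture(p Posture) error {
	var missing []string
	if !p.AVRunning {
		missing = append(missing, "antivirus")
	}
	if !p.FirewallEnabled {
		missing = append(missing, "firewall")
	}
	if !p.RegistryOK {
		missing = append(missing, "registry marker")
	}
	if len(missing) > 0 {
		return errors.New("endpoint posture check failed: " + strings.Join(missing, ", "))
	}
	return nil
}

// postureFromHeaders reads the constructed X-Posture-* headers. A real agent
// would sign its report; a bare header is forgeable and is used only to keep
// the example self-contained.
func postureFromHeaders(h http.Header) Posture {
	return Posture{
		AVRunning:       h.Get("X-Posture-AV") == "running",
		FirewallEnabled: h.Get("X-Posture-Firewall") == "on",
		RegistryOK:      h.Get("X-Posture-Registry") == "ok",
	}
}

// One gateway fronts several internal applications (constructed hostnames),
// each with its own ACL. The credential store stands in for RADIUS/LDAP/
// certificates; plaintext passwords here are for the example only.
var routes = map[string]string{"/webmail/": "http://mail.internal:8080", "/intranet/": "http://intranet.internal:80"}
var acl = map[string][]string{"alice": {"/webmail/", "/intranet/"}, "bob": {"/webmail/"}}
var users = map[string]string{"alice": "correct horse", "bob": "battery staple"}

// Authenticate validates HTTP Basic credentials in constant time.
func Authenticate(r *http.Request) (string, bool) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return "", false
	}
	stored, known := users[user]
	if !known || subtle.ConstantTimeCompare([]byte(pass), []byte(stored)) != 1 {
		return "", false
	}
	return user, true
}

// Authorize returns the route prefix the user may use for this path, if any.
func Authorize(user, path string) (string, bool) {
	for _, prefix := range acl[user] {
		if strings.HasPrefix(path, prefix) {
			return prefix, true
		}
	}
	return "", false
}

// NewGateway wires the reverse proxy: posture check, then authentication,
// then per-application authorization, then forwarding. Nothing reaches an
// internal host until all three have passed.
func NewGateway() http.Handler {
	proxies := map[string]*httputil.ReverseProxy{}
	for prefix, backend := range routes {
		target, err := url.Parse(backend)
		if err != nil {
			panic(err)
		}
		proxies[prefix] = httputil.NewSingleHostReverseProxy(target)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := CheckPosture(postureFromHeaders(r.Header)); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden) // rejected before login
			return
		}
		user, ok := Authenticate(r)
		if !ok {
			w.Header().Set("WWW-Authenticate", `Basic realm="ssl-vpn gateway"`)
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		prefix, ok := Authorize(user, r.URL.Path)
		if !ok {
			http.Error(w, "not authorized for this application", http.StatusForbidden)
			return
		}
		r.Header.Del("Authorization") // backend sees the gateway's identity, not raw credentials
		r.Header.Set("X-Forwarded-User", user)
		proxies[prefix].ServeHTTP(w, r)
	})
}

func main() {
	// gw.crt / gw.key are placeholders for the gateway's TLS certificate.
	log.Fatal(http.ListenAndServeTLS(":443", "gw.crt", "gw.key", NewGateway()))
}
```

Compared with a single webmail host on HTTPS, the point of the gateway is the ordering inside the handler: a client with no acceptable posture report is refused before any credentials are examined, a valid user still only reaches the applications in its ACL, and internal hostnames never appear to the client.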