Re: Deploying SSL-based VPNs

[Miguel Dilaj <miguel.dilaj () oissg org>]

Hi Joe,

My personal experience is with a medium size network deployed using 
OpenVPN on Debian for the servers and Windows XP SP2 + OpenVPN GUI for 
the clients, using X.509 certificates (we are our own CA).

Issues?
None at all.

Programs that do not work?
None of the programs we use... and we use a lot of stuff.

Features?
We found the flexibility to direct all traffic through the VPN (or not) 
very useful. We have 2 config files each, one directs all traffic 
through the VPN, and the other only implements traffic to our servers on 
the other, thus we can decide which one to use depending on our needs.

X.509 certificate authentication is a pain to deploy in the very 
beginning, specially if you've a large user population (you've to create 
a certificate for every user), but after that maintenance is close to 
nil, other than creating certificates for new starters of issuing a CRL 
to the servers when someone leaves the company.

We have multiple servers, and the configuration files for the clients 
specify all of them. We had a server failure (hard disk crash) and we 
noticed it only when the logs failed to arrive by email. No one lost 
connectivity.

If you're a part of a company that likes to have a big team offering you 
commercial support for big bucks, forget about it ;-)
If you want a product that WORKS FLAWLESSLY and costs you almost 
nothing, go for it.

Regards,

Miguel Dilaj
Vice President of IT Security Research, OISSG
www.oissg.org



Joe wrote:
> Hi all
>
> I'm currently interested in SSL-VPN solutions, problems and
> deployments. Personally I prefere much more the term „SSL-based remote
> access" since almost all those products (except OpenVPN) claiming to
> be SSL-VPNs don't offer any network functionality. Would you guys
> share your experiences?
>
> What are the issues you spotted when deploying SSL-based remote access
> solutions?
>
> Any experiences with certain products? (my company for example made
> bad experiences with iGate from SafeNet)
>
> What features make an SSL-remote access solution a good one?
>
> I know these are some very general questions.
>
> Thanks anyway
> Joe
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Tailor your education to your own professional goals with degree 
> customizations including Emergency Management, Business Continuity Planning, 
> Computer Emergency Response Teams, and Digital Investigations. 
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------