Security Basics mailing list archives
Re: Deploying SSL-based VPNs
From: Miguel Dilaj <miguel.dilaj () oissg org>
Date: Wed, 29 Mar 2006 23:37:46 +0100
Hi Joe,My personal experience is with a medium size network deployed using OpenVPN on Debian for the servers and Windows XP SP2 + OpenVPN GUI for the clients, using X.509 certificates (we are our own CA).
Issues? None at all. Programs that do not work? None of the programs we use... and we use a lot of stuff. Features?We found the flexibility to direct all traffic through the VPN (or not) very useful. We have 2 config files each, one directs all traffic through the VPN, and the other only implements traffic to our servers on the other, thus we can decide which one to use depending on our needs.
X.509 certificate authentication is a pain to deploy in the very beginning, specially if you've a large user population (you've to create a certificate for every user), but after that maintenance is close to nil, other than creating certificates for new starters of issuing a CRL to the servers when someone leaves the company.
We have multiple servers, and the configuration files for the clients specify all of them. We had a server failure (hard disk crash) and we noticed it only when the logs failed to arrive by email. No one lost connectivity.
If you're a part of a company that likes to have a big team offering you commercial support for big bucks, forget about it ;-) If you want a product that WORKS FLAWLESSLY and costs you almost nothing, go for it.
Regards, Miguel Dilaj Vice President of IT Security Research, OISSG www.oissg.org Joe wrote:
Hi all I'm currently interested in SSL-VPN solutions, problems and deployments. Personally I prefere much more the term „SSL-based remote access" since almost all those products (except OpenVPN) claiming to be SSL-VPNs don't offer any network functionality. Would you guys share your experiences? What are the issues you spotted when deploying SSL-based remote access solutions? Any experiences with certain products? (my company for example made bad experiences with iGate from SafeNet) What features make an SSL-remote access solution a good one? I know these are some very general questions. Thanks anyway Joe --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Deploying SSL-based VPNs Joe (Mar 29)
- Re: Deploying SSL-based VPNs Miguel Dilaj (Mar 30)
- Message not available
- Re: Deploying SSL-based VPNs Miguel Dilaj (Mar 30)
- Message not available
- Re: Deploying SSL-based VPNs Miguel Dilaj (Mar 30)
- Re: Deploying SSL-based VPNs Saqib Ali (Mar 30)
- Re: Deploying SSL-based VPNs Alice Bryson (Mar 31)
- <Possible follow-ups>
- RE: Deploying SSL-based VPNs Hayes, Ian (Mar 30)
- RE: Deploying SSL-based VPNs Charles Hammett (Mar 30)
- RE: Deploying SSL-based VPNs Beauford, Jason (Mar 30)