RE: Deploying SSL-based VPNs

["Beauford, Jason" <jbeauford () EightInOnePet com>]

We love the Juniper solution.  Works great.

For an open source solution check out SSL-Explorer.  Another nice
product.

JMB 

        |  -----Original Message-----
        |  From: Miguel Dilaj [mailto:miguel.dilaj () oissg org] 
        |  Sent: Wednesday, March 29, 2006 5:38 PM
        |  To: Joe
        |  Cc: security-basics () securityfocus com
        |  Subject: Re: Deploying SSL-based VPNs
        |  
        |  Hi Joe,
        |  
        |  My personal experience is with a medium size network 
        |  deployed using OpenVPN on Debian for the servers and 
        |  Windows XP SP2 + OpenVPN GUI for the clients, using 
        |  X.509 certificates (we are our own CA).
        |  
        |  Issues?
        |  None at all.
        |  
        |  Programs that do not work?
        |  None of the programs we use... and we use a lot of stuff.
        |  
        |  Features?
        |  We found the flexibility to direct all traffic 
        |  through the VPN (or not) very useful. We have 2 
        |  config files each, one directs all traffic through 
        |  the VPN, and the other only implements traffic to 
        |  our servers on the other, thus we can decide which 
        |  one to use depending on our needs.
        |  
        |  X.509 certificate authentication is a pain to deploy 
        |  in the very beginning, specially if you've a large 
        |  user population (you've to create a certificate for 
        |  every user), but after that maintenance is close to 
        |  nil, other than creating certificates for new 
        |  starters of issuing a CRL to the servers when 
        |  someone leaves the company.
        |  
        |  We have multiple servers, and the configuration 
        |  files for the clients specify all of them. We had a 
        |  server failure (hard disk crash) and we noticed it 
        |  only when the logs failed to arrive by email. No one 
        |  lost connectivity.
        |  
        |  If you're a part of a company that likes to have a 
        |  big team offering you commercial support for big 
        |  bucks, forget about it ;-) If you want a product 
        |  that WORKS FLAWLESSLY and costs you almost nothing, 
        |  go for it.
        |  
        |  Regards,
        |  
        |  Miguel Dilaj
        |  Vice President of IT Security Research, OISSG www.oissg.org
        |  
        |  
        |  
        |  Joe wrote:
        |  > Hi all
        |  > 
        |  > I'm currently interested in SSL-VPN solutions, 
        |  problems and 
        |  > deployments. Personally I prefere much more the 
        |  term "SSL-based remote 
        |  > access" since almost all those products (except 
        |  OpenVPN) claiming to 
        |  > be SSL-VPNs don't offer any network functionality. 
        |  Would you guys 
        |  > share your experiences?
        |  > 
        |  > What are the issues you spotted when deploying 
        |  SSL-based remote access 
        |  > solutions?
        |  > 
        |  > Any experiences with certain products? (my company 
        |  for example made 
        |  > bad experiences with iGate from SafeNet)
        |  > 
        |  > What features make an SSL-remote access solution a 
        |  good one?
        |  > 
        |  > I know these are some very general questions.
        |  > 
        |  > Thanks anyway
        |  > Joe
        |  > 
        |  > 
        |  -----------------------------------------------------
        |  -----------------
        |  > ----- EARN A MASTER OF SCIENCE IN INFORMATION 
        |  ASSURANCE - ONLINE The 
        |  > Norwich University program offers unparalleled 
        |  Infosec management 
        |  > education and the case study affords you unmatched 
        |  consulting experience.
        |  > Tailor your education to your own professional 
        |  goals with degree 
        |  > customizations including Emergency Management, 
        |  Business Continuity 
        |  > Planning, Computer Emergency Response Teams, and 
        |  Digital Investigations.
        |  > 
        |  > http://www.msia.norwich.edu/secfocus
        |  > 
        |  -----------------------------------------------------
        |  -----------------
        |  > -----
        |  > 
        |  > 
        |  
        |  -----------------------------------------------------
        |  ----------------------
        |  EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - 
        |  ONLINE The Norwich University program offers 
        |  unparalleled Infosec management education and the 
        |  case study affords you unmatched consulting experience. 
        |  Tailor your education to your own professional goals 
        |  with degree customizations including Emergency 
        |  Management, Business Continuity Planning, Computer 
        |  Emergency Response Teams, and Digital Investigations. 
        |  
        |  http://www.msia.norwich.edu/secfocus
        |  -----------------------------------------------------
        |  ----------------------
        |  
        |  

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------