Security Basics mailing list archives
Re: SSL VPN Risk Assessment
From: Nick Owen <nickowen () mindspring com>
Date: Fri, 07 Mar 2008 14:34:26 -0500
blagoon () gmail com wrote:
> Hi all, I was tasked to do a risk assessment on our SSL VPN deployment, and I came up with the following:
>
> - Authentication: Single factor is too weak; we'll have to use a hard token for a 2nd factor.
> - End Point Security: we need to verify the integrity of the connecting host (company asset, antivirus, patches), install a cache cleaner and force inactive session timeouts.
> - Access control: limit full VPN access, implement resource profiles for different groups of users, or only RDP to users' desktops in the office.
>
> But apparently it is not enough for my manager, who asked me to expand this report. Any suggestions on areas I might have missed?
Be sure to perform mutual authentication, i.e. verify the identity of the server to the client as well as the client to the server. This will thwart network-based MITM attacks such as DNS poisoning, which cannot be stopped by end-point security. These types of attacks are fairly simple because of the prevalence of Wi-Fi and of poorly configured DNS servers. Relying on users to validate server certificates has proven to be ineffective.
I have written a how-to on this for SSL-Explorer: http://www.wikidsystems.com/documentation/howtos/how-to-secure-an-ssl-vpn-with-one-time-passcodes-and-mutual-authentication However, I would guess that there are many ways to skin this cat...
hth, nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
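As an added illustration of the mutual-authentication point above (example code, not from the thread or from WiKID/SSL-Explorer), the Go program below runs a TLS handshake over loopback in which the client pins the VPN's certificate and checks the expected hostname, and the server in turn requires a client certificate from its own pinned trust store. The certificates, the hostname vpn.example.test and the function names are constructed for the demo; an impostor server with an untrusted certificate, a trusted certificate for the wrong name, or an unknown client are all rejected without any user judgement involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed cert for name (constructed demo material, not a real VPN cert) plus a trust store pinning only that cert.
func selfSigned(name string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// handshake runs one mutually authenticated TLS handshake over loopback: the client accepts only a server chaining to
// trustServer and valid for the expected hostname, the server accepts only a client chaining to trustClient.
func handshake(server, client tls.Certificate, trustServer, trustClient *x509.CertPool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustClient})
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: accept one connection and finish the handshake
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{client},
		RootCAs: trustServer, ServerName: "vpn.example.test"}) // the hostname the user asked for
	if err != nil {
		return err // server rejected by the client: untrusted issuer or hostname mismatch
	}
	conn.Close()
	return <-srvErr // the server's verdict on the client certificate
}
```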