Educause Security Discussion mailing list archives
Re: Clientless SSL VPN vulnerability
From: Brian Epstein <bepstein () IAS EDU>
Date: Mon, 8 Mar 2010 08:48:53 -0500
On 03/05/2010 11:46 AM, Jay Graham wrote:
> We use the SSL VPN to allow web access to our library journals and now the users just can't copy and paste URLs of these journals in e-mail messages since the URL is different depending if you are on campus versus off campus. (i.e. through the VPN tunnel). What I was wondering was if other schools have done anything similar and how they are coping with the change? (i.e. Workarounds etc.) I understand the convenience of the address bar, but in this case, I think the risk outweighs it.

Jay,

A lot of our folks would rather directly type in the address rather than click around to find the resources. What we did was stand up a proxy in front of the VPN using WCCPv2. The proxy then makes the decision on whether to allow the traffic out, or block it. This was convenient because we already use a proxy to route web traffic.

You can make a nice error screen with your proxy, too, reminding folks not to use the VPN to check their Facebook account, it is only for library resources.

Alternatively, you could create ACLs in the Juniper device. We already had the proxy, so it was easy for us.

Good luck,
ep

--
Brian Epstein <bepstein () ias edu> +1 609-734-8179
Network and Security Officer
Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE 4734 6117 4C25 0371 C12A
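The allow-or-block decision the message assigns to the proxy, sketched as an added example that is not part of the original post or of any site's actual configuration. The allowlisted host names, the `decide` function and the port policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: placeholder journal hosts, not taken from the post.
LIBRARY_DOMAINS = {"journals.example.org", "ejournals.example.com"}
ALLOWED_PORTS = {"http": 80, "https": 443}


def normalize_host(host):
    """Lower-case, drop a trailing root dot, and IDNA-encode the host name."""
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def decide(url, allowed=LIBRARY_DOMAINS):
    """Return ("allow", matched_domain) or ("block", reason) for one request."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on an out-of-range port
    except ValueError:
        return ("block", "unparseable URL")
    if parts.scheme not in ALLOWED_PORTS:
        return ("block", "scheme not permitted")
    if port not in (None, ALLOWED_PORTS[parts.scheme]):
        return ("block", "non-standard port")
    # parts.hostname excludes any "user@" prefix, so a URL such as
    # https://journals.example.org@www.facebook.com/ is judged on its real host.
    host = normalize_host(parts.hostname or "")
    if not host:
        return ("block", "missing or invalid host")
    # Match the exact host or a subdomain on a label boundary, so that
    # "journals.example.org.example.net" does not pass a plain suffix check.
    for domain in allowed:
        if host == domain or host.endswith("." + domain):
            return ("allow", domain)
    return ("block", "not a library resource")
```

A "block" result is where the proxy would serve the reminder page the message mentions.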