Educause Security Discussion mailing list archives

Re: Clientless SSL VPN vulnerability


From: Brian Epstein <bepstein () IAS EDU>
Date: Mon, 8 Mar 2010 08:48:53 -0500


On 03/05/2010 11:46 AM, Jay Graham wrote:
We use the SSL VPN to allow web access to our library journals, and now
the users just can't copy and paste URLs of these journals into e-mail
messages, since the URL is different depending on whether you are on campus
or off campus (i.e. through the VPN tunnel).

What I was wondering was whether other schools have done anything similar and
how they are coping with the change (i.e. workarounds, etc.).

I understand the convenience of the address bar, but in this case, I
think the risk outweighs it.

Jay,

        A lot of our folks would rather type in the address directly than
click around to find the resources.  What we did was stand up a
proxy in front of the VPN using WCCPv2.  The proxy then makes the
decision on whether to allow the traffic out or block it.  This was
convenient because we already use a proxy to route web traffic.

        You can make a nice error screen with your proxy, too, reminding folks
not to use the VPN to check their Facebook account; it is only for
library resources.

        Alternatively, you could create ACLs in the Juniper device.  We already
had the proxy, so it was easy for us.

Good luck,
ep

-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Network and Security Officer            Institute for Advanced Study
Key fingerprint = 128A 38F4 4CFA 5EDB 99CE  4734 6117 4C25 0371 C12A

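The following is an added example, not code from the thread or from either poster's site. It shows the kind of allow-list decision a proxy placed in front of the VPN makes: a tiny policy proxy that forwards requests for listed library hosts and answers everything else with the "library resources only" page. The host names (journals.example.edu, .publisher-platform.example), the permitted ports and the deny page text are constructed assumptions; a real deployment would express the same policy in the existing proxy's ACLs or on the VPN device, as the reply suggests, rather than run this script.

```python
# Added example (not from the thread): allow-list egress policy for a proxy in
# front of a clientless SSL VPN. Host list, ports and deny page are constructed.
import http.client
import ipaddress
import select
import socket
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Hypothetical allow-list. An entry starting with "." matches that domain and
# every subdomain; any other entry must match exactly. Unlisted hosts are denied.
LIBRARY_HOSTS = ("journals.example.edu", ".publisher-platform.example")
ALLOWED_PORTS = {80, 443}

# Hypothetical deny page: the "nice error screen" the reply talks about.
DENY_PAGE = """<!doctype html><title>Library VPN only</title>
<h1>This VPN is for library resources only</h1>
<p>{target} is not a licensed library resource. Use your normal connection
for everything else (that includes Facebook).</p>
"""


def host_allowed(host):
    """Default deny: only listed library hosts pass. Raw IP literals are refused
    because they sidestep a name-based allow-list entirely."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False
    except ValueError:
        pass
    for entry in LIBRARY_HOSTS:
        if entry.startswith("."):
            # ".x.example" matches "x.example" and "a.x.example" but not
            # "evil-x.example": the leading dot is part of the suffix.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(method, target):
    """Classify one proxy request as ("allow", host, port) or ("deny", reason).
    Handles CONNECT host:port (HTTPS journals) and absolute-form http:// URLs."""
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            return ("deny", "malformed CONNECT target")
        port = int(port)
    else:
        parts = urlsplit(target)
        try:
            port = parts.port or 80
        except ValueError:
            return ("deny", "malformed port")
        if parts.scheme != "http" or not parts.hostname:
            return ("deny", "only absolute http:// URLs or CONNECT are accepted")
        host = parts.hostname
    if port not in ALLOWED_PORTS:
        return ("deny", f"port {port} is not permitted")
    if not host_allowed(host):
        return ("deny", f"{host} is not on the library allow-list")
    return ("allow", host.lower().rstrip("."), port)


class PolicyProxy(BaseHTTPRequestHandler):
    """Policy front-end: denied requests get the page, allowed ones are relayed."""

    def _deny(self, target):
        body = DENY_PAGE.format(target=target).encode()
        self.send_response(403)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        verdict = decide(self.command, self.path)
        if verdict[0] == "deny":
            return self._deny(self.path)
        _, host, port = verdict
        parts = urlsplit(self.path)
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        upstream = http.client.HTTPConnection(host, port, timeout=10)
        upstream.request("GET", path, headers={"Host": host})
        resp = upstream.getresponse()
        body = resp.read()
        self.send_response(resp.status)
        for name, value in resp.getheaders():
            if name.lower() not in ("transfer-encoding", "connection"):
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_CONNECT(self):
        verdict = decide(self.command, self.path)
        if verdict[0] == "deny":
            return self._deny(self.path)
        _, host, port = verdict
        upstream = socket.create_connection((host, port), timeout=10)
        self.send_response(200, "Connection established")
        self.end_headers()
        # Blind byte relay between the client and the allowed library host.
        peers = {self.connection: upstream, upstream: self.connection}
        while True:
            readable, _, _ = select.select(list(peers), [], [], 60)
            if not readable:
                break
            for src in readable:
                data = src.recv(65536)
                if not data:
                    upstream.close()
                    return
                peers[src].sendall(data)
        upstream.close()


if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 3128), PolicyProxy).serve_forever()
```

Run it and point a browser's proxy setting at 127.0.0.1:3128: a listed journal host is relayed, anything else (including an HTTPS CONNECT to a social-network site) gets the 403 page instead of a tunnel. The three checks worth keeping whatever product enforces this are that the policy is default deny, that suffix entries carry the leading dot so a look-alike domain such as evil-publisher-platform.example does not match, and that raw IP literals are refused rather than compared against names.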

