Re: Prohibiting SSL VPNs

[Frederick M Avolio <fred () avolio com>]

At 01:40 PM 5/20/2004 +0300, John Kougoulos wrote:
> ...
> Does anybody have any ideas on how I could prohibit the usage of SSL VPNs
> like the one offered by F5 (Firepass), since this requires only the
> ability for the client to make an https connection (bypassing any kind of
> firewall/proxy)? Since this product (or any similar) creates some kind of
> PPP connection over https, installs routes on the PC etc. it will create a
> lot of problems. (see also: Worms, Air Gaps etc)
> ...

Generally speaking, SSL VPNs require authentication and then provide access 
control. IE, to call itself a "VPN" and SSL device has to do more than just 
do SSL (or TLS) encryption and server authentication. It has to also 
provide access control.  Firepass, for example, supports strong 
authentication and access control and passed ICSA Labs SSL VPN certification.

But, to answer your question, rather than just suggest it is based on a 
false premise, you could 1) write a policy that outlaws their use and 2) 
disallow SSL or TLS through the firewall (or other intrusion prevention 
device).

DISCLOSURE: I've done consulting work for SSL VPN vendors in the past 
(writing papers for Aventail and Whale Communications) and consult for ICSA 
Labs in the SSL-TLS Consortium program.



Fred
Avolio Consulting, Inc.
URL: http://www.avolio.com/
Weblog: http://www.avolio.com/weblog/
AIM: fmavolio, Yahoo Messenger: avolio, MSN Messenger: fred () avolio com
PGP Key Fingerprint:    928D 0903 934F 8CFA 6124
                        BBF6 0B45 93C7 3521 CEA0

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards