
SSLVPN opinions?

Status
Not open for further replies.

Geates

Programmer
Aug 25, 2009
1,566
US
Our Network team is experimenting with a VPN solution called SSLVPN. The name suggests security. Our Network team described it as a client-less VPN connection. However, one needs to consider the trade-off between features and integrity. What are the general pros and cons? Does anyone have personal/enterprise experience and/or opinions?

-Geates
 
SSL VPNs are the way to go! Don't have to mess with a local client, and depending on the gear (I used Aventail), you can get much more granular in your access control. SSL VPNs are awesome! Very easy to support as well.
 
You must be very careful to consider what applications are pushed across the SSL-VPN. Clientless SSL-VPNs are web-based by nature and use the gateway as a proxy to the inside network. If you need a true client-server application, then this probably will not work.

There are SSL-VPN perishable clients that can use Java or ActiveX applets for some of this (which can usually be pushed to the client), and there are even thick SSL-VPN clients in some cases that can mitigate this issue; however, it is dependent on vendor and application.

My general experience with this is that IPSec is still the king as it will allow for ANY IP-based application regardless of application, whereas SSL is usually only a fit for web-based apps in environments where you can't control or aren't able to deploy thick clients easily.

I hope this helps.

-HH
 
I am with HH. Also, IPSEC is MUCH more secure.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
If you go with something like WebVPN from Cisco they offer both the clientless as well as full client options. There are numerous third party security vendors that provide OTP (one-time password) for two-factor authentication. The WebVPN offering also allows you to update the base SVC (SSL VPN Client) so that when a new version of the client software comes available you can install it to the ASA and the clients will automatically update themselves when they connect. You also create SVC profiles that can enable or disable such things as SBL (start before logon) so that logon scripts can be run as well as a variety of other options. You can do host scanning for registry keys, system processes, updates, etc. (most good SSL VPN products will do this) and allow or deny connections to the network based on metrics that you put in place. The SVC gives you a full IP stack and operates just as an IPSec VPN Client would meaning you can use any client/server based application on your local computer when you are connected.

If you go according to Gartner you'll find the Juniper SSL VPN appliances at the top with Citrix right behind them. I've also tried WatchGuard (terrible product) and Array Networks (great product).

my .0000000002

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 