Re: SSL VPN's

From: Rob Laidlaw (laidlaw@consecro.com)
Date: Tue Apr 27 2004 - 11:41:30 GMT-3


I have implemented the ssl vpn and there are some bad points and some up
points. There is an optional url bar that you can put on the web page that
allows the user to enter any url they want so they can go to resources that
are not preconfigured. You can remove the url bar if you want. Most of the
time you preconfigure links to appear on the main page so users just click
on the link and they go to the internal webpage (you can go to either http
or https pages). You can enable cifs share browsing through the webpage but
I did not want to follow this option as it screams security hazard.

The most interesting feature I found was the application access piece.
Basically you predefine the hostname on your concentrator that you want to
allow access to and the port that you want to allow in. The client logs in,
starts the application access program which is a java script, and it starts
a listener on the port you defined on ip 127.0.0.2. It also adds an entry
to the host file for the hostname you configured to point at 127.0.0.2. So
for instance, your clients connect to the mail server mail.widget.org, the mail
client tries to resolve this and it finds the host file entry first, so it
sends the traffic to itself and the java program picks it up and sends it
across the ssl session to the concentrator which then sends it to the server.
It's kind of like a very stripped-down portable vpn client but it doesn't
require deployment ahead of time. The down side is that you only have
access to the preconfigured services.

The whole downside to the webvpn is its lack of support for webdav and most
java applets. Can't access things like cisco acs or web consoles for
netscreen firewalls through the webvpn so it's limited now.

-Rob
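The hosts-file redirection Rob describes, turned into a check (an added example, not code from the original thread or from Cisco): it parses a hosts file and lists every non-local hostname mapped to a loopback address, which is the footprint the port-forwarding applet leaves on the client and should remove when the session ends. The sample hosts file and the widget.example names are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not from the original post): a normal localhost
# line plus the kind of entry the WebVPN port-forwarding applet described above
# writes, pointing an internal hostname at the loopback alias 127.0.0.2.
SAMPLE_HOSTS = """\
# Hosts file - constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
10.1.1.20   intranet.widget.example   # legitimate static entry
127.0.0.2   mail.widget.example       # added by the port-forwarding applet
127.0.0.3   crm.widget.example
"""

# Names that legitimately live on a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field, skip the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def loopback_redirects(text: str) -> List[Tuple[str, str]]:
    """Entries that send a non-local hostname to a loopback address.

    A session that ended cleanly removes its entries; a leftover one keeps the
    mail client talking to a listener that is gone, and a hostname hijacked to
    loopback by anything other than the applet looks identical, so both need a look.
    """
    return [(ip, name) for ip, name in parse_hosts(text)
            if ipaddress.ip_address(ip).is_loopback and name not in LOCAL_NAMES]


if __name__ == "__main__":
    for ip, name in loopback_redirects(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: loopback redirect, confirm a session is active")
```

On a real client, read the platform's hosts file (for example C:\Windows\System32\drivers\etc\hosts or /etc/hosts) into `loopback_redirects` instead of the constructed sample.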
----- Original Message -----
From: "Richard Dumoulin" <richard.dumoulin@vanco.es>
To: <sustundag@secura.com.tr>; <h-tomikawa@syscomusa.com>;
<istong@stong.org>
Cc: <raj_ccie@yahoo.com>; <Gabor.Gyori@lnx.hu>; <ccielab@groupstudy.com>
Sent: Tuesday, April 27, 2004 8:29 AM
Subject: RE: SSL VPN's

> After quickly reading the introduction, it seems to me that this kind of
> vpn is limited. Only ssl enabled servers are accessible from the client side.
> Where is the advantage ? Ah yes, that the client only needs a web browser.
> Is that really an advantage ? On the other hand you have to have ssl
> enabled servers,
>
> --Richard
>
> -----Original Message-----
> From: sustundag@secura.com.tr [mailto:sustundag@secura.com.tr]
> Sent: Tuesday, 27 April 2004 14:59
> To: h-tomikawa@syscomusa.com; istong@stong.org
> Cc: raj_ccie@yahoo.com; Gabor.Gyori@lnx.hu; ccielab@groupstudy.com
> Subject: RE: SSL VPN's
>
>
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1dd5.html
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1fb6.html
>
> These are all I could find
>
>
> Serkan Ustundag
>
> Network and Security Engineer
> CCNP,CCDP,CCSE
> CCSP (Cisco Certified Security Professional)
> Cisco Network Management Specialist
>
> sustundag@secura.com.tr
>
> Secura is a TEPUM group company
>
> -----Original Message-----
> From: Tomikawa [mailto:h-tomikawa@syscomusa.com]
> Sent: Tuesday, April 27, 2004 3:39 PM
> To: istong@stong.org
> Cc: Rajagopal S; Győri Gábor; ccielab@groupstudy.com
> Subject: Re: SSL VPN's
>
> I am also very interested in this topic.
> As a matter of fact, there is an upcoming project which will require me to
> install a concentrator using WebVPN(SSL). But, I could find very little
> resources from CCO.
>
> Does anyone know any URL which explains config example, etc...?
>
> Thanks
>
> istong@stong.org wrote:
>
> >HI Raj,
> >
> >With the concentrator you can setup rules/policies that will limit what
> >your PC can get to. In your case you can have it so the PC can only
> >access the one IP on your network.
> >
> >
> >Ian
> >http://www.CCIE4u.com
> >CCIE Lab and Rack Rentals
> >
> >
> >
> >
> >>Hello Gabor,
> >>
> >>Are you referring to the Firewall policy option of a VPN concentrator ?
> >>I think this works with VPN clients 3.5 and above. Can I block any
> >>traffic flowing from my network to the client PC network too in this
> >>case ? I want the client PC to access only one IP in my network. I need
> >>to block others. Is this possible through this ?
> >>
> >>let me know any URL which can give me this info.
> >>
> >>regards,
> >>raj
> >>
> >>Gyuri Gabor <Gabor.Gyori@lnx.hu> wrote:
> >>If you use VPN concentrator, the VPN client is the best solution. It
> >>provides personal firewall itself, rules can be downloaded centrally,
> >>block LAN access. The client exists for Windows, Linux, Solaris and
> >>more, it is free to use with VPN concentrator.
> >>
> >>
> >>Gabor
> >>
> >>-----Original Message-----
> >>From: Rajagopal S [mailto:raj_ccie@yahoo.com]
> >>Sent: Tuesday, April 27, 2004 9:08 AM
> >>To: ccielab@groupstudy.com
> >>Subject: OT:SSL VPN's
> >>
> >>
> >>Hello group,
> >>
> >>I have heard a lot on web based SSL clientless VPN's on a cisco VPN
> >>concentrator. Has anybody implemented this ? If so please clarify the
> >>following for me:
> >>
> >>1) will the end user access the vpn concentrator through
> >>SSL first and get an IP address from the local pool in
> >>order to access VPN ? or
> >>
> >>2) will the end user access the servers through SSL ? This doesn't
> >>sound meaningful anyway.
> >>
> >>Can anybody suggest to me the best way for securing clients connected on
> >>VPN ? Is a personal firewall a good option ?
> >>
> >>let me know
> >>raj
> >>
> >>
> >>
> >>_______________________________________________________________________
> >>Please help support GroupStudy by purchasing your study materials from:
> >>http://shop.groupstudy.com
> >>
> >>Subscription information may be found at:
> >>http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >>



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:56 GMT-3