From: Rajagopal S (raj_ccie@yahoo.com)
Date: Wed Apr 28 2004 - 03:09:10 GMT-3
Great explanation, Karl. I think we need to stick around with IPSEC clients till the SSL VPNs really give us a great advantage. Anyway, we will have to try it once to be very sure of the feature. I'll test it and let you know more about this (if any!!)
Thanks everyone for the URLs/posts given.
Raj
Karl Hsieh <chilins@seed.net.tw> wrote:
Hello All,
Well, Cisco is not an expert in SSL VPN. Therefore, what you read in the CCO
gives you the impression that SSL VPN is not as good as IPSec VPN is.
Besides, the WebVPN feature in the Concentrator is not very mature compared
to that in other native SSL VPN vendors' appliances.
But Cisco is an ambitious challenger in the area. Cisco, like Nortel, does a
mixed-mode approach, i.e. SSL VPN and IPSec VPN in one box.
Why is SSL VPN a trend? Cisco gives the answer. Last month, Cisco acquired
another SSL VPN company, TWINGO, after F5 acquired URoam, Symantec acquired
Safeweb, and NetScreen, which is acquired by Juniper, acquired Neoteris.
The features of SSL VPN can be divided into 3 main categories (all in one box):
1. Web-based application and "Network Neighborhood" ---> true clientless VPN,
which has the highest level of application security; only the resources on a
specific web-based application are allowed. ---> Cisco supports this mode, but
there are limitations as stated in their document.
2. Client/Server mode: native client like MS Outlook or Notes client can be
used; almost all other client/server applications are supported in this
mode. ---->Cisco has limited support of this mode.
3. SSL Tunnel mode: like IPSec VPN, client will get an IP from the SSL VPN
appliance; all intranet resources will be accessed like IPSec VPN.--->Cisco
does not support this mode.
Like IPSec VPN, the SSL tunnels from any client terminate on the SSL VPN
appliance. The backend servers do not have to support SSL protocol.
According to my experience, it is recommended that you try other vendors'
products, and you will get a better impression of this solution.
HTH,
Karl #12390
----- Original Message -----
From:
Sent: Tuesday, April 27, 2004 9:50 PM
Subject: RE: SSL VPN's
> Yes you are right
>
> If you ask me, I don't prefer WebVPN compared to an IPSec connection.
>
> And also this solution has limited application support.
>
> Serkan Ustundag
> Network and Security Engineer
>
> CCNP,CCDP,CCSE
>
> CCSP (Cisco Certified Security Professional)
>
> Cisco Network Management Specialist
> _____
>
> From: Richard Dumoulin [mailto:richard.dumoulin@vanco.es]
> Sent: Tuesday, April 27, 2004 4:29 PM
> To: Serkan Ustundag - (Güvenlik ve Ağ Mühendisi - Tepum Secura);
> h-tomikawa@syscomusa.com; istong@stong.org
> Cc: raj_ccie@yahoo.com; Gabor.Gyori@lnx.hu; ccielab@groupstudy.com
> Subject: RE: SSL VPN's
>
>
> After quickly reading the introduction, it seems to me that this kind of vpn
> is limited. Only ssl enabled servers are accessible from the client side.
> Where is the advantage? Ah yes, that the client only needs a web browser. Is
> that really an advantage? On the other hand you have to have ssl enabled
> servers,
>
> --Richard
>
> -----Original Message-----
> From: sustundag@secura.com.tr [mailto:sustundag@secura.com.tr]
> Sent: Tuesday, April 27, 2004 14:59
> To: h-tomikawa@syscomusa.com; istong@stong.org
> Cc: raj_ccie@yahoo.com; Gabor.Gyori@lnx.hu; ccielab@groupstudy.com
> Subject: RE: SSL VPN's
>
>
>
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1dd5.html
>
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1fb6.html
>
> These are all I could find
>
>
>
> Serkan Ustundag
>
> Network and Security Engineer
> CCNP,CCDP,CCSE
> CCSP (Cisco Certified Security Professional)
> Cisco Network Management Specialist
>
> sustundag@secura.com.tr
>
> Secura is a TEPUM group company
>
> -----Original Message-----
> From: Tomikawa [mailto:h-tomikawa@syscomusa.com]
> Sent: Tuesday, April 27, 2004 3:39 PM
> To: istong@stong.org
> Cc: Rajagopal S; Győri Gábor; ccielab@groupstudy.com
> Subject: Re: SSL VPN's
>
> I am also very interested in this topic.
> As a matter of fact, there is an upcoming project which will require me to
> install a concentrator using WebVPN (SSL). But I could find very few
> resources from CCO.
>
> Does anyone know any URL which explains config example, etc...?
>
> Thanks
>
> istong@stong.org wrote:
>
> >Hi Raj,
> >
> >With the concentrator you can set up rules/policies that will limit what
> >your PC can get to. In your case you can have it so the PC can only
> >access the one IP on your network.
> >
> >
> >Ian
> >http://www.CCIE4u.com
> >CCIE Lab and Rack Rentals
> >
> >
> >
> >
> >>Hello Gabor,
> >>
> >>Are you referring to the Firewall policy option of a VPN concentrator?
> >>I think this works with VPN clients 3.5 and above. Can I block any
> >>traffic flowing from my network to the client PC network too in this
> >>case? I want the client PC to access only one
> >>IP in my network. I need to block others. Is this
> >>possible through this?
> >>
> >>Let me know any URL which can give me this info.
> >>
> >>regards,
> >>raj
> >>
> >>Gyuri Gabor wrote:
> >>If you use VPN concentrator, the VPN client is the best solution. It
> >>provides personal firewall itself, rules can be downloaded centrally,
> >>block LAN access. The client exists for Windows, Linux, Solaris and
> >>more, it is free to use with VPN concentrator.
> >>
> >>
> >>Gabor
> >>
> >>-----Original Message-----
> >>From: Rajagopal S [mailto:raj_ccie@yahoo.com]
> >>Sent: Tuesday, April 27, 2004 9:08 AM
> >>To: ccielab@groupstudy.com
> >>Subject: OT:SSL VPN's
> >>
> >>
> >>Hello group,
> >>
> >>I have heard a lot about web-based SSL clientless VPNs on a Cisco VPN
> >>concentrator. Has anybody implemented this? If so, please clarify
> >>the following for me:
> >>
> >>1) Will the end user access the VPN concentrator through
> >>SSL first and get an IP address from the local pool in
> >>order to access the VPN? Or
> >>
> >>2) Will the end user access the servers through SSL? This doesn't
> >>sound meaningful anyway.
> >>
> >>Can anybody suggest the best way of securing clients connected on
> >>VPN? Is a personal firewall a good option?
> >>
> >>Let me know
> >>raj
> >>
> >>
> >>
> >>__________________________________________________________
> >>_____________ Please help support GroupStudy by purchasing your study
> >>materials from: http://shop.groupstudy.com
> >>
> >>Subscription information may be found at:
> >>http://www.groupstudy.com/list/CCIELab.html
> >>
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:57 GMT-3