From: pankaj ahuja (networksecurityconsultant@gmail.com)
Date: Thu Sep 20 2007 - 16:32:05 ART
Thank you Dip for the prompt answers.
Thank you Christian for the detailed answers. Appreciate your insights about
this.
Would you know about Cisco Secure Desktops with SSL VPN? Is it doing well
so far?
Is it able to prevent any viruses or worms from the host computer from entering
the Secured Desktop and network subject to the condition that Desktop
switching is not allowed?
We're looking at providing our users a solution which should preferably be
clientless and should allow users to be able to VPN in from the worst
possible places like a Cyber cafe and still prevent the network from getting
infected with Viruses and worms etc.
WebVPN seemed like a good option, but it has got a lot of limitations i.e.
Java wouldn't work, applications may not work.
SSL client - needs to install a client and then it'll open access just like
IPsec client which we may have to restrict by adding rules so that if the
client computer was compromised the network is still safe.
CSD - don't know much about that yet.
Anything else that could help us out in this goal?
Would appreciate your suggestions.
Thanks
Regards
Pankaj
On 9/20/07, Christian Zeng <christian@zengl.net> wrote:
>
> Hi,
>
> * pankaj ahuja wrote:
> > What I'm not sure about is after you configure Concentrator for SSL VPN
> > client do the Users get prompted to install SSL VPN Client software when
> > connecting using WebVPN? If yes then it wouldn't really be a clientless
> > VPN.
>
> Correct - I also don't consider this as true clientless and I think
> providing full tunneled IP access and VPN remote access features like
> assigning an IP address ala IKE mode config always requires some
> software on a client (Windows, at least). Even OpenVPN requires you to
> install a tun/tap interface driver on windows...
>
> There will be a prompt when visiting the website to install the client
> and users will need to install a piece of software. It even requires
> administrative rights on windows machines, iirc. If you look closer, it's
> not so heavy as a real VPN client and it doesn't have a true installer
> that binds the client deep into windows, but still, it creates a
> directory and puts some files there on the client (which can be
> removed after a session has ended, afaik).
>
> > Also once you're connected using SSL VPN can u access all resources via VPN
> > just like the way you would in an IPsec client i.e. some resources may be
> > accessed via command prompt some using another browser n stuff
>
> It's a tunnel for all kinds of IP-based traffic, from a functionality
> perspective it's comparable to what an IPSec remote access connection
> offers (you even can apply attributes like split-tunneling, the client
> gets an IP address assigned etc.).
>
> Not sure if this still applies to newer releases of the client, but
> users always have to connect to the website via their browsers to
> re-initiate a tunnel, even if you tell the installer to be persistent on
> a client. Juniper does this better, you will get a program group entry
> in the start menu to launch the SSL client on its own, without opening a
> browser first.
>
> Regards,
>
>
>
> Christian