Re: SSL VPN Client - clientless VPN or not?

From: pankaj ahuja (networksecurityconsultant@gmail.com)
Date: Thu Sep 20 2007 - 17:37:52 ART


Thank you!

I agree with you that one should not give broad access to devices not under
our control. For some reason the bosses wanted to provide the capability to
use almost any system and yet protect security.

CSD was one option that looked like it could help us in opening a little more
access while at the same time protecting the resources.

As you suggested I'd start evaluating the kind of services we'd want to
provide remote access for and then divide them into less and more secure and
configure the methods for accessing the same.

Appreciate your help on this.

Thanks again!

Pankaj

On 9/20/07, Christian Zeng <christian@zengl.net> wrote:
>
> Hi,
>
> * pankaj ahuja wrote:
> > We're looking at providing our users a solution which should preferably
> > be clientless and should allow users to be able to VPN in from the worst
> > possible places like a Cyber cafe and still prevent the network from
> > getting infected with Viruses and worms etc.
>
> I never would allow a device that is not under your control relatively
> broad access to a company network - especially not from internet cafe
> pcs. For example, our corporate IT has provided two ways of remote
> access over SSL VPN: the first is web only to corporate internet and
> OWA, the second one is real SSL VPN. You only get SSL VPN if your end
> station follows company rules == is identified as a company end station
> by looking at various implementation details. We use Juniper for that,
> you can try to do that in a Cisco environment, too (NAC).
>
> > CSD - don't know much about that yet.
>
> I had a quick look at it during one of the CCSP exams, I really can't say
> much about it. On the other hand - why not use a terminal server-like
> solution then - Citrix offers web-based access to a terminal server, for
> example. Also, the concentrator can function as a Citrix Secure Gateway
> through webvpn.
>
> I know that this can cost a lot of money, perhaps it's better to look
> first if you can divide the services offered into less secure (= less
> access rights, applicable to be used from foreign systems) and more
> secure (= only accessible from systems that you control and that comply
> to company security rules).
>
> Christian



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:14 ART