Re: SSL VPN Client -? clientless VPN or not?

From: pankaj ahuja (networksecurityconsultant@gmail.com)
Date: Tue Sep 25 2007 - 11:11:36 ART


Kamal,

Thank you for the explanation. Sorry buddy, didn't come in to check my emails
any sooner than this. (It's me, used to be in VPN with Ankur, Sukhi, etc.)

Thanks David.

I'll be trying it out this week, the SSL VPN client and CSD both.

Shlomi,

Unfortunately checking out Juniper is not an option, coz I'm working on a
production network and we need to work with what we have. Cisco has been
serving us well so I don't think we'd be moving towards Juniper. Thanks for
the suggestion though.

regards
Pankaj

On 9/21/07, David Vasek <dvasek@satx.rr.com> wrote:
>
> I would definitely recommend looking at Cisco Secure Desktop (CSD), as it
> provides a virtual OS wherein the user's session is contained. All access to
> the corporate network takes place in this session, and upon terminating the
> SSL connection this session is completely destroyed. While there is a
> client, and the new AnyConnect client for ASA 8.X is awesome, it is quite
> small and provides full network access if necessary.
>
> NAC is certainly another great mechanism to control the endpoint, but in the
> situation that you described (internet café, etc.) you most likely won't have
> access to modify the software on the client. CSD provides a mechanism for
> basic policy checking on the client machine, keystroke loggers, etc., before
> allowing the session.
>
> David Vasek
> CCIE 16333
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Shlomi Kramer
> Sent: Friday, September 21, 2007 3:44 AM
> To: pankaj ahuja
> Cc: Christian Zeng; ccielab@groupstudy.com; security@groupstudy.com
> Subject: Re: SSL VPN Client -? clientless VPN or not?
>
> Check out the JUNIPER SSL VPN solution.
> It seems to give all that you're looking for.
> Need any info, just ask.
> www.juniper.net
>
>
> On 9/20/07, pankaj ahuja <networksecurityconsultant@gmail.com> wrote:
> >
> > Thank you!
> >
> > I agree with you that one should not give broad access to devices not
> > under our control. For some reason the bosses wanted to provide the
> > capability to use almost any system and yet protect security.
> >
> > CSD was one option that looked like it could help us in opening a little
> > more access while at the same time protecting the resources.
> >
> > As you suggested I'd start evaluating the kind of services we'd want
> > to provide remote access for and then divide them into less and more
> > secure and configure the methods for accessing the same.
> >
> > Appreciate your help on this.
> >
> > Thanks again !
> >
> > Pankaj
> >
> >
> > On 9/20/07, Christian Zeng <christian@zengl.net> wrote:
> > >
> > > Hi,
> > >
> > > * pankaj ahuja wrote:
> > > > We're looking at providing our users a solution which should
> > > > preferably be clientless and should allow users to be able to VPN in
> > > > from the worst possible places like a cyber cafe and still prevent
> > > > the network from getting infected with viruses and worms etc.
> > >
> > > I would never allow a device that is not under your control
> > > relatively broad access to a company network - especially not from
> > > internet cafe PCs. For example, our corporate IT has provided two
> > > ways of remote access over SSL VPN: the first is web only to
> > > corporate internet and OWA, the second one is real SSL VPN. You only
> > > get SSL VPN if your end station follows company rules == is
> > > identified as a company end station by looking at various
> > > implementation details. We use Juniper for that, you can try to do
> > > that in a Cisco environment, too (NAC).
> > >
> > > > CSD - don't know much about that yet.
> > >
> > > I had a quick look at it during one of the CCSP exams, I really can't
> > > say much about it. On the other hand - why not use a terminal
> > > server-like solution then - Citrix offers web-based access to a
> > > terminal server, for example. Also, the concentrator can function as
> > > a Citrix Secure Gateway through webvpn.
> > >
> > > I know that this can cost a lot of money, perhaps it's better to look
> > > first if you can divide the services offered into less secure (=
> > > fewer access rights, applicable to be used from foreign systems) and
> > > more secure (= only accessible from systems that you control and
> > > that comply with company security rules).
> > >
> > >
> > >
> > > Christian
> >
> >
>
>
> --
> "Keep it going SMILE"
>



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:15 ART