Can Web Based VPN Solutions Do It All?
Bingo Foo asks: "My company is in the process of reviewing replacements to our existing multi-platform VPN, which has now been discontinued. I was under the impression that every major vendor's OS ships with a VPN configuration solution.
What gives? Are these not standard enough? Are they not secure enough? Not flexible enough?
Regardless, our IT department is leaning toward a clientless, web-based solution, which frankly sounds too good to be true. Can simply directing your browser at the portal allow X11, NFS, SMB, AFP, ssh, etc. transparently through the firewall? Anyone have experience with Neoteris and their VPN?"
but it's not clientless.
Last time I checked, without a Java applet or some sort of client in the HTML page you can't do socket services. So it's just a client that loads from the web page.
SW
While I don't have direct experience with the product line mentioned in the question, I have implemented Aventail in the past, and am looking at them again for a project next year.
For the most part, SSL VPN products differ from IPSEC VPN products in a fundamental way. SSL VPN products can best be imagined as reverse proxy servers that use SSL-based encryption. Typically, it is the SSL VPN device that will be making connections to the "protected" network hosts, not the remote node. TCP sessions are maintained remote node to SSL device, and SSL device to "protected" host.
IPSEC products can be imagined more as encrypted water hoses. A device (or client shim) intercepts traffic at the remote node, puts it in the hose (encrypted tunnel), and pushes it out to the IPSEC device at the protected network. TCP sessions are maintained remote node to "protected" host.
Although the tunnel does normally imply some stateful translation, the session does not terminate on a tunnel device, unless that device is the remote node.
Obviously SSL products are great for Web-based applications. IPSEC products lend themselves best to site-to-site connectivity. The grey area between them is remote client situations.
Which solution is better in the remote client case (i.e. laptop in a hotel room, or at a client's site) really depends on where and how the remote client is to be used.
Many organizations don't allow IPSEC tunnels to be initiated from their internal network to an outside location.
On the other hand, those same organizations (and many others) will allow outbound SSL traffic initiated from hosts on the internal network.
Sig??? I don't need no stinkin Sig!
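The distinction the post above draws (a reverse proxy terminates the client's TCP session and opens a second one to the protected host, whereas a tunnel carries the client's own session end to end) can be seen directly on a loopback socket. The following is an added example, not code from the original post or from any vendor's product: it runs a tiny echo "protected host", then connects to it once directly and once through a minimal TCP relay standing in for the SSL VPN device. The relay does no TLS and no authentication (that is an assumption made to keep the example self-contained); the point it shows is that the protected host records the relay as its peer, not the remote node, which matters for anything on the inside that logs, filters or rate-limits by source address.

```python
import socket
import threading

# Constructed message used for the round trip.
PAYLOAD = b"hello"


def _listen():
    """Bind a TCP listener on an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def _serve_backend(listener, result):
    """The 'protected' host: accept one connection, record who connected, echo."""
    conn, peer = listener.accept()
    with conn:
        data = conn.recv(1024)
        result["peer"] = peer          # the address the protected host actually sees
        conn.sendall(b"echo:" + data)


def _serve_proxy(listener, backend_addr):
    """Stand-in for the SSL VPN device: terminate the client's session and
    open a separate session to the protected host (two TCP connections)."""
    client_conn, _ = listener.accept()
    with client_conn, socket.create_connection(backend_addr) as upstream:
        upstream.sendall(client_conn.recv(1024))
        client_conn.sendall(upstream.recv(1024))


def run_exchange(via_proxy):
    """Send PAYLOAD to the backend, directly or through the relay.

    Returns the reply, the client's own local address, and the peer address
    the backend recorded, so the two can be compared.
    """
    backend = _listen()
    seen = {}
    t_backend = threading.Thread(target=_serve_backend, args=(backend, seen))
    t_backend.start()

    target = backend.getsockname()
    proxy = None
    t_proxy = None
    if via_proxy:
        proxy = _listen()
        t_proxy = threading.Thread(
            target=_serve_proxy, args=(proxy, backend.getsockname()))
        t_proxy.start()
        target = proxy.getsockname()   # remote node only ever talks to the device

    with socket.create_connection(target) as c:
        client_local = c.getsockname()
        c.sendall(PAYLOAD)
        reply = c.recv(1024)

    t_backend.join()
    if t_proxy is not None:
        t_proxy.join()
        proxy.close()
    backend.close()
    return {"reply": reply, "client_local": client_local, "backend_saw": seen["peer"]}


def session_is_end_to_end(result):
    """True when the protected host's peer is the remote node itself
    (tunnel-style), False when it is an intermediate device (proxy-style)."""
    return result["backend_saw"] == result["client_local"]


if __name__ == "__main__":
    for via_proxy in (False, True):
        r = run_exchange(via_proxy)
        print("via proxy" if via_proxy else "direct   ",
              "reply=%r" % r["reply"],
              "client=%s:%d" % r["client_local"],
              "backend saw=%s:%d" % r["backend_saw"],
              "end-to-end=%s" % session_is_end_to_end(r))
```

In the direct case the backend's recorded peer is exactly the client's own socket address; through the relay it is the relay's outbound socket instead. A real SSL VPN appliance adds TLS on the outside leg and usually some form of authentication and access control at the device, but the session topology is the same, so attribution of inside connections has to come from the device's own logs rather than from the protected host.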