Slashdot Mirror


Evaluating SSL-Based VPNs?

Saqib Ali asks: "There are numerous SSL based VPNs available in the market. They all offer the same basic functionality, but a varied set of features. I am currently evaluating a few of these SSL based VPN solutions. Compared to an IPsec based VPN, SSL based VPNs are fairly easy to test and evaluate, since no client installation is required for the SSL based VPNs. One way to evaluate is to test all of my applications against each product. I am also planning to test support for various browsers. I was wondering if Slashdot readers have some suggestions/ideas on what else to include in my evaluation matrix. Are there any features that are a MUST, or things that I should watch out for while evaluating SSL based VPNs?"

15 of 34 comments

  1. OpenVPN is SSL Based by echo · · Score: 4, Informative

    OpenVPN is SSL based, and runs on Linux and Windows.

    http://openvpn.sourceforge.net

  2. IPSec is a standard by mnmn · · Score: 2, Informative

    The other types are pptp, ssh-based and cipe. IPSec has become a standard between cisco, openbsd, win32, linux and devices like netscreen and solaris.

    So why fragment the VPN scene further, and what do you mean, no client installation is required? Does it come prebuilt in linux, openbsd, windows 98, qnx, beos?

    If clients and servers are available, from how many different vendors, based on which RFCs?

    I am curious because I never heard of SSL-based VPNs, but I won't contribute to further fragmentation; IPSec has been good to me.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:IPSec is a standard by AvitarX · · Score: 2

      There was something about a similar tech on /. a while ago. And from what I could gather it was essentially a JAVA applet that you set the stuff up on.

      I don't know how cross platform that would be, or how the permissions would need to look. But I imagine that is what this solution is.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  3. If you're looking at portal-type VPNs by darnok · · Score: 4, Insightful

    you want to test scalability. Try hitting it with lots of different "virtual users" simultaneously, and have a few do uploads/downloads of big files if that's functionality you're going to offer.

    You'd be surprised how badly some of these solutions scale from a performance perspective. CPU utilisation is the usual culprit, and many of the "off the shelf" solutions don't offer lots of CPU scalability options.

  4. SSLv3, configuration by ZakMcCracken · · Score: 5, Informative

    There are basically two kinds of SSL:
    * SSL with server-side authentication only, followed by client-side password authentication inside the SSL connection.
    * SSL with mutual authentication (client side and server side at the same time).

    If you're deploying or ever plan to deploy this VPN with client-side SSL authentication, check support for so-called "SSLv3" or TLS 1.0, versus SSLv2.

    Another important point to check then is how you provision user accounts (in the case of SSLv3). Ask yourself questions such as, how do I give a new user access to the VPN, or what will the procedure be when (not "if") someone has lost/compromised their passwords or other form of credentials? It's a good idea to simulate all this and see if the config interface allows you to do all these tasks easily.

    1. Re:SSLv3, configuration by AKnightCowboy · · Score: 3, Insightful
      Another important point to check then is how you provision user accounts (in the case of SSLv3). Ask yourself questions such as, how do I give a new user access to the VPN, or what will the procedure be when (not "if") someone has lost/compromised their passwords or other form of credentials? It's a good idea to simulate all this and see if the config interface allows you to do all these tasks easily.

      I would imagine with most of them they'd tie into the same authentication mechanisms your current RAS dialup or VPN solution does. Most of them support RADIUS and with RADIUS support you can get almost any kind of hardware token authentication you want. i.e. Point your SSL VPN box at the RADIUS server running on your ACE/Server and you can authenticate SecurID tokens. The good SSL vpns will understand challenge-response protocols as well so you can deal with "next tokencode mode" and "new pin mode" with SecurID cards and such.

      If that's too complicated there's also the old standby passwords or SSL certificates, or hell, no authentication at all (acting as a plain SSL reverse web proxy for example).

  5. IPSec tunnels the kitchen sink... by AKnightCowboy · · Score: 5, Informative
    The SSL-based "VPN" I'm familiar with is from the company formerly known as Neoteris (Netscreen bought them, and now Juniper looks to be buying Netscreen). Basically the whole idea is that your browser is the only client you need for remote access to your network and for the most part it works great.

    The Neoteris stuff in particular provides you with a sort of "secure web portal" to your intranet (they call their product the Instant Virtual Extranet). It's very easy to configure and get set up, supports tons of different authentication mechanisms and the various penetration tests we've had conducted on ours have had it pass without a problem. Underneath it all it's basically a Linux box (right down to a LILO menu letting you select the image to boot, to rollback to an older version, or to perform a factory restore).

    We have ours set up with SecurID token based authentication so we can present a secure SSL two-factor authenticated gateway to any of our internal sites without fscking around with the RSA Web Agent software and relying on IIS or Apache for webserver security. I'm not even sure where to start describing it since it has so many features... logging is very detailed down to the URL level, you can access Windows file shares and NFS exports via servlets, etc.

    One of the neat features of it though is the secure application manager piece which basically does port forwarding. You can either let users setup their own application forwarding options or present them with a list of preconfigured ones (or both). The Java (or Active-X app.. it's configurable) app even goes so far as to modify the hosts table so users don't have to reconfigure their software. For example, say you want to allow POP access to your internal POP server to authenticated users. Basically when they login this Java app binds to a localhost address like 127.0.0.12 port 110 and then edits the hosts table to point smtp.whatever.com to 127.0.0.12. When you fire off your mail reader and connect to smtp.whatever.com it connects to 127.0.0.12, gets tunneled over the SSL connection and then redirected to the "real" server on the other side. Anyone doing SSH port forwarding should find this familiar, but it's done transparently enough that the end user doesn't have to know how it works. When the session terminates it removes the hosts table entries and cleans itself up by unbinding the ports. We've had good luck with this and laptop users roaming between home and the work LAN without making any changes at all to their applications.

    Now, how is this better than IPSec? We don't have to worry about a network layer tunnel being established between some user's "dirty" home workstation and our protected network. There's a lot less chance of something accidentally slipping through like a NetBIOS worm because it only allows what you explicitly configure it to allow. This appeals to us mainly because we're interested in it for the RAS replacement functionality. 99% of our users VPN in to our older VPN gateway to check mail or grab a file via Windows file sharing... The Neoteris box totally fits their needs and requires zero software installed on their system for us to worry about supporting. Ever try to make Checkpoint Secure Remote client live nicely with Cisco's VPN software?

    By the way, I should point out that SSL VPNs are aimed at real enterprises and not small offices with 20, or even 200 people in them. These boxes costs tens of thousands of dollars to purchase and thousands of dollars in maintenance contract costs per year. These are not meant to replace someone's hacked up OpenBSD VPN gateway with some free IPSec Windows clients they found on the net sort of setup. These are definitely aimed at the bigger corporate environments.

    One of our biggest uses has been putting the boxes in front of previously buggy and insecure Windows IIS webservers to offer an additional layer of security. Users don't need some clunky Cisco IPSEC vpn software installed before they can access the web sites in question.. jus

    1. Re:IPSec tunnels the kitchen sink... by dougdooley · · Score: 2, Interesting

      AKnightCowboy - great posting. You do sound like you work for Neoteris. I'm in Tech Marketing in the former Neoteris, now NetScreen, soon to be Juniper organization - and you're about to put me out of a job :)

      Seriously, I'm glad our products have worked so well for you. We just released our new code, version 4.0, and there have been some significant improvements and additions, particularly in the areas of security and access management. Check it out, you'll be pleased with all the new features.

      As for looking at the choices, there have been multiple competitive reviews in the SSL-VPN space and NetScreen(Neoteris) has been fortunate enough to receive top honors in the most prestigious reviews:

      - NetworkWorld - World Class Award
      (#1 out of 7 vendors) Jan 12, 2004
      - NetworkComputing - Editor's Choice
      (#1 out of 8 vendors) Nov 13, 2003
      - PC Magazine - Editor's Choice
      (#1 out of 6 vendors) Aug 19, 2003

      But to the original question, what are some "essential" things SSL-VPN (or Secure Access gateways) should have?

      On the product side, it's really about security controls & access methods. Both are equally important. Scalability is also an issue because you want to be able to grow with your organization's needs.

      SECURITY CONTROLS:
      - Hardened Appliance/Server with encrypted disks
      -- Gov't, Defense, Intelligence agency need FIPS/CC compliant solutions
      - 3rd party security audits
      - Content Intermediation Engine (blocks DoS/malicious attacks, un-auth user access, provide app security)
      - End-Point Security tools
      -- Host Checker (scans users for AV, personal firewall, keystroke loggers, trojans, etc.)
      -- Cache Cleaner (cleans up session info during and after user logout)
      - Access Privilege Management capabilities
      -- rules for pre-auth assessment, role restrictions, and resource-based access controls
      -- rules can be based on sourceIP, client-side digital certificates info, user-agent, LDAP/RADIUS user and group info, time-of-day, day-of-week, day-of-year, etc.

      ACCESS METHODS (no software installation req'd):
      1. Clientless Web Access
      -- web (static & dynamic content)
      -- web-apps (complex content: JavaScript, VBScript, scriptable ActiveX, Java Applets, Flash, etc.)
      -- email (OWA, iNotes, Webmail, POP/IMAP, SMTP)
      -- terminal session (telnet/ssh)
      -- desktop sharing (ICA, RDP, VNC)
      2. Client/Server support
      -- Java version - static port apps
      -- Windows version - process name, dynamic port, and/or ip range: port range
      3. Network-based support
      -- full network tunnel (TCP, UDP, ICMP - all traffic)
      -- greater security concerns but greatest level of resource access

      SCALABILITY/PERFORMANCE:
      - Configuration clustering (minimum)
      - Session synchronization clustering (very good)
      - Hot standby (Active/Passive) clustering
      - Full Active/Active clustering
      - Local clustering (same subnet)
      - Multi-Site clustering (across networks)
      - Multi-Unit clustering (3 or more)
      - Support up to 10,000 concurrent user sessions
      - Hardware-based SSL offloading
      - Hardware-based Compression (improve response-time on slow connections)

      I'm just scratching the surface. There's so much to cover but those are some of the essential things to look for.

      Good Luck -
      Doug

  6. Test your applications by mafmaf · · Score: 4, Informative
    The most important thing is to test the applications you want to access through it. This area may be a minefield since this type of VPN usually only offers limited connectivity. Some applications may use dynamic ports, expect reverse connections, or exhibit other strange behaviours.


    Also check if the product supports the authentication method you want to use. This should normally not be a problem but since authentication systems may cost quite a lot it is a good idea to check it out.


    Another thing to look at is reliability. How stable is the box, what happens if the box breaks? Can you connect multiple boxes in a cluster?


    Also do not stare blindly at the SSL protocol but rather focus on functionality. There are other products which have similar functionality but build on different protocols. For example AppGate which uses SSH as the basic protocol (disclaimer: I work for AppGate:-).

    The most common functionalities people tend to look at are:

    • The ability to have fine grained access control, down to the user level.
    • Ease of deployment
    • Ease of use
    • "Network ruggedness": these products typically only rely on simple TCP streams so they have a higher success rate than IPsec in some network environments.
  7. Find one that doesn't need a download! :( by matt_wilts · · Score: 4, Informative

    As I write this, I'm sitting at an Internet Cafe in London Heathrow airport. I just tried to log on to our company SSL VPN/portal which is based on Citrix's Nfuse product.

    The reason I'm now on Slashdot is that the portal needs to download a small applet onto the desktop, I believe it's Citrix's ICA client - and the browser here is locked down so tight I can't run the app! So, buyer beware!!

    Matt

  8. ssl review at nwfusion by Anonymous Coward · · Score: 2, Informative

    Hi,

    It has all been done for you. Read:

    http://www.nwfusion.com/reviews/2004/0112revmain.html

    Regards,

    Paul

  9. Strength of encryption versus speed. by gedeco · · Score: 2, Informative

    Depending on the algorithm in use, you will have a slow or a fast VPN.

    For instance IPSEC

    - you could have 512 keys (breakable with a lot of effort) or 2048 key pair encryption.
    Definitely if the 512 key pair is in use it will be faster.

    I make a balance between speed and the weight of data you need to protect.

    To protect my financial data, I would use a good tight VPN.

    For instance @ home, I use CIPE for wireless VPN into my server. Reliability and speed are the keywords. I don't care if someone is capable of decrypting my most favorite websites etc. (after a few weeks). I don't share confidential info on it.
    Just need to protect my wireless network from script kiddies using tools for cracking WEP.

    Depending on the use, you should use a type of VPN. Just like you made the difference between a truck and a car.

    Geert

  10. Just Remember: by mosel-saar-ruwer · · Score: 2, Funny

    A firewall/tunnel/authentication scheme/protocol/whatever is only as good as its ASN.1 Buffer Underflows.

    Don't laugh - have you strcpy()'ed today?

  11. Packet Sniffer by Dolemite_the_Wiz · · Score: 2, Informative

    I know this sounds dumb but make sure when you're testing the product that the transactions are indeed secured. I don't know how many times I've been called into a lab to find flaws in people's tests to find out that they didn't even check to see if transactions were secure.

    Dolemite
    ______________________

    --
    Save the World! Use a Quote!
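    Two of the checks raised in this thread, ZakMcCracken's point about looking for SSLv3/TLS 1.0 rather than SSLv2 and Dolemite's reminder to verify with a sniffer that the sessions are actually encrypted, can be combined in a small classifier for the first bytes a client sends. This is an added example, not code from any poster or product; the captures are constructed byte strings standing in for what you would pull from a packet capture.

```python
from __future__ import annotations
# Constructed sample captures (the first bytes a client sends); not real traffic.
SAMPLE_CAPTURES = {
    "tls_hello": b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03" + b"\x11" * 32
                 + b"\x00\x00\x02\x00\x2f\x01\x00",
    "sslv2_hello": b"\x80\x1f\x01\x00\x02\x00\x06\x00\x00\x00\x10"
                   b"\x01\x00\x80\x03\x00\x80" + b"\x22" * 16,
    "pop3_clear": b"USER alice\r\nPASS hunter2\r\n",
}
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (0, 2): "SSLv2"}

def classify_client_bytes(data: bytes) -> tuple[str, tuple | None]:
    """Return (kind, version); kind is 'tls', 'sslv2', 'plaintext' or 'unknown'."""
    if len(data) < 5:
        return ("unknown", None)
    # SSLv3/TLS record: type 0x16 (handshake), version 3.x, 2-byte length,
    # then a handshake header whose first byte 0x01 marks a ClientHello.
    if data[0] == 0x16 and data[1] == 0x03 and len(data) >= 11 and data[5] == 0x01:
        # The record version is usually 3.1 for compatibility; the version the
        # client really offers sits at offset 9 (TLS 1.3 still puts 3.3 there and
        # signals 1.3 via the supported_versions extension).
        return ("tls", (data[9], data[10]))
    # SSLv2 ClientHello: 2-byte length with the high bit set, message type 0x01,
    # then the offered version.  A v2-format hello offering 3.x still shows the
    # client is willing to fall back to SSLv2, so the record format is reported.
    if data[0] & 0x80 and data[2] == 0x01:
        return ("sslv2", (data[3], data[4]))
    # Printable ASCII (plus CR/LF) at the start means a cleartext protocol.
    if all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in data[:12]):
        return ("plaintext", None)
    return ("unknown", None)

def is_acceptable(kind: str, version) -> bool:
    """Only a genuine TLS handshake offering TLS 1.0 or newer passes the test."""
    return kind == "tls" and version is not None and version >= (3, 1)

def audit(captures: dict[str, bytes]) -> dict[str, str]:
    """Map each capture name to a verdict such as 'OK: TLS 1.2' or 'FAIL: plaintext'."""
    verdicts = {}
    for name, data in captures.items():
        kind, version = classify_client_bytes(data)
        label = VERSION_NAMES.get(version, str(version)) if version else kind
        verdicts[name] = f"{'OK' if is_acceptable(kind, version) else 'FAIL'}: {label}"
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CAPTURES).items():
        print(f"{name:12} {verdict}")
```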
  12. Re:Find one that doesn't need a download! :( by statusbar · · Score: 3, Insightful

    Is it wise to log in to your company's VPN via a public web terminal which may be running all sorts of keypress loggers?

    Unless you have a disposable password scheme, this is very dangerous, right?

    --jeff++

    --
    ipv6 is my vpn