Security

  • Clientless VPN (SSL VPN) vs HTTPS


    Hi
    These days SSL VPN has been the alternative to
    the traditional IPsec VPN, particularly for users that
    require only email access.
    However, what is the difference in implementing SSL VPN -
    which essentially means allowing only web-based traffic, i.e. webmail,
    as compared to just setting up a webmail server running HTTPS?
    Can anyone point out the differences?
    Thanks
    This list is sponsored by: Norwich University
    EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
    The NSA has designated Norwich University a center of Academic Excellence
    in Information Security. program offers unparalleled Infosec management
    education and the case study affords you unmatched consulting experience.
    Using interactive e-Learning technology, you can earn this esteemed degree,
    without disrupting your career or home life.
  • No.1 | | 1721 bytes | |

    Some of the more feature packed SSL VPN products are basically a portal
    with some web applications or even fat client software that allow you to
    use the SSL VPN box as a jump off point into your network to connect to
    other services like Citrix. products I have seen are really lame
    and only allow you to connect to a single IP/port per the IP/port that
    is listening on the external side. If you just want to give your people
    access to web services on your intranet, I would look into just setting
    up a reverse proxy with cert and password authentication. You then just
    have to set your proxy configuration in your browser to point at it.
    Then you can get around to internal web services no problem. :)

    Client -> SSL -> Reverse proxy/portal -> HTTP/RDP/SSH/etc -> Internal network

  • No.2 | | 3560 bytes | |

    Hi Harbinger,

    I believe that you are misinformed with respect to capabilities of
    SSL VPN.
    You will note that on http://openvpn.net/ (an open source
    implementation)
    that SSL VPN is quite robust and provides support for many networking
    services that are not normally tunnelled over HTTPS. For example:

    With VPN, you can:

    * tunnel any IP subnetwork or virtual ethernet adapter over a
    single UDP or TCP port,
    * configure a scalable, load-balanced VPN server farm using one
    or more machines which can handle thousands of dynamic connections
    from incoming VPN clients,
    * use all of the encryption, authentication, and certification
    features of the SSL library to protect your private network
    traffic as it transits the internet,
    * use any cipher, key size, or HMAC digest (for datagram
    integrity checking) supported by the SSL library,
    * choose between static-key based conventional encryption or
    certificate-based public key encryption,
    * use static, pre-shared keys or TLS-based dynamic key exchange,
    * use real-time adaptive link compression and traffic-shaping to
    manage link bandwidth utilization,
    * tunnel networks whose public endpoints are dynamic such as
    DHCP or dial-in clients,
    * tunnel networks through connection-oriented stateful firewalls
    without having to use explicit firewall rules,
    * tunnel networks over NAT,
    * create secure ethernet bridges using virtual tap devices, and
    * control VPN using a GUI on Windows or Mac OS X.

    As you will no doubt agree, this is much more robust than what you
    would normally expect from HTTPS.

    Because SSL operates below http and has no knowledge of the higher
    level protocol,
    SSL servers can only present one certificate for a particular IP/port
    combination.

    A small amount of searching (googling for places that allow google as
    a verb ;) ) finds:

    2005-03/0077.html

    Which includes a quite detailed analysis of SSL-VPN v. IPsec VPN.

    Good luck with your implementation

    Sincerely,

    Sean Swayze
    info AT pcsage DT biz

  • No.3 | | 1870 bytes | |

    SSL VPN is basically a reverse proxy that works over HTTPS. Most SSL
    VPNs, with the help of a lightweight client side application, can
    tunnel any kind of traffic (e.g. SSH, NetMeeting, Lotus Notes, etc).

    SSL VPN != HTTPS

    A reverse proxy is a gateway for servers, and enables one web server
    to provide content from another transparently. As with a standard
    proxy, a reverse proxy may serve to improve performance of the web by
    caching; this is a simple way to mirror a website. But the most common
    reason to run a reverse proxy is to enable controlled access from the
    Web at large to servers behind a firewall.

    Reverse proxying (SSL VPN) into an intranet improves the security of
    the network. You are not connecting directly to your server, instead
    you are connecting to a proxy server, which can be configured to
    analyze the traffic and stop any hacking attempts.

  • No.4 | | 2288 bytes | |

    Hello

    There are various ways to implement SSL-VPNs. The simplest one is
    accessing HTTP based services using a browser. In such an
    implementation there is not much difference from accessing an HTTPS
    website directly. In the SSL-VPN scenario, the browser connects to the
    SSL-VPN gateway using HTTPS. The SSL-VPN gateway then acts as a
    reverse proxy to the HTTP based service. So the main difference
    between normal HTTPS access and a simple SSL-VPN access is basically
    just that you access the resource over a reverse-proxy that is able to
    talk SSL.

    However, there are more sophisticated ways to implement SSL-VPNs. You
    can for example implement port-forwarding or even tunnel all kinds of
    IP traffic. Those techniques, however, do not have much similarity to
    HTTPS based access.

    Regards
    Joe

  • No.5 | | 5201 bytes | |

    Hi,

    I tend to only read these lists, but the increasing amount of
    mis-information presented on this list just has to stop and this is my
    attempt to thwart this ever increasing trend by hopefully bringing some
    clarity to at least this topic.

    As Sean Swayze correctly states, SSL VPN is NOT related to HTTP in
    any way. There are some serious problems with the marketing of IT
    security products and services these days with completely incorrect
    information spreading like a plague. Let's use the terms for what they are.

    SSL contains ciphers and algorithms to securely authenticate, provide
    confidentiality and integrity to services using it. VPN in combination
    with SSL can provide virtual private networks running across the
    Internetwork securely. It is used to create virtual private network(s)
    using the SSL cipher suite. implementation of this is VPN.

    Let me attempt to illustrate this by a simple example:
    (The information below is for reference and sake of clarity.)
    Network setup:
    User network is: 192.168.0.0/24
    Company internal network is: 192.168.1.0/24 (A very small one I know!)
    Company external address: mycompany.com (whatever the IP address might be)

    Virtual NIC IP: 192.168.0.127 ("gateway" for internal network)
    Real NIC IP: 192.168.0.1
    Router IP: 192.168.0.254 (default gateway)
    VPN port: 1023 (example only)

    A mobile user wants to connect to a service which her company provides
    but only to users on the internal network. So essentially we need a way
    for this user to become part of the internal network, while
    simultaneously residing on the external side of the company firewall and
    network. This is exactly what a VPN provides.

    Implementation at client side varies between different operating
    systems, but conceptually this is what will happen. A virtual
    Network Interface Card (NIC) will be created on the client computer
    through which we will "route" all traffic targeted for internal network
    of the company. The virtual NIC will encapsulate our original packets
    and send them out like regular packets through the default gateway, but
    now encapsulated by SSL. Before all this the user should of course have
    been authenticated, something that VPN also provides. We also have
    to consider routing tables. We either have to tell the router (default
    gateway) that packets destined for 192.168.1.0/24 should be routed back
    through the virtual NIC, or we simply modify the local routing table
    and directly route packets destined for 192.168.1.0/24 through the
    virtual NIC.

    Below is an attempt to "illustrate" what happens to a packet in transit
    from the user to the internal network of the company:

    Packet (dst: 192.168.1.5) -> VNIC (encapsulates packet and now it will
    have a new dst address: mycompany.com) -> mycompany.com:1023 (VPN end
    point will decapsulate the packet, and now the dst address is once again
    192.168.1.5) -> target machine.

    I know this is not the most illustrative example, but it should
    hopefully bring some sort of clarity in how an SSL based VPN works, or
    functions. Following this it should also be fairly obvious that it can
    pretty much tunnel through any traffic, be it Instant Messaging, Network
    File Systems, or a game of Quake World.

    It is hopefully clear by now that there is a massive difference between
    a secure web mail and an SSL VPN. Perhaps I've managed to explain it so
    well that you can now also see they are not even related nor should be
    mixed up in conversation, ever.

    // Christopher

    PS: I might have made some assumptions in my explanation which could
    make it seem inaccurate, I just hope that is not the case. :)
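
The packet walk described in the post above, as an added Python example that is not part of the original thread. It uses the post's addresses and port; the session key, the 2-byte length framing and the HMAC tag are assumptions standing in for the SSL/TLS record layer, which in a real VPN also encrypts the inner packet, and nothing is sent on the network.

```python
import hashlib, hmac, ipaddress, socket, struct

# Addresses and port come from the post; the key is constructed for this example.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_ENDPOINT = ("mycompany.com", 1023)
SESSION_KEY = b"constructed-demo-key"  # stand-in for keys agreed in the TLS handshake

def build_ipv4(src, dst, payload):
    """Minimal 20-byte IPv4 header (protocol 6, checksum left at 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def inner_dst(packet):
    return socket.inet_ntoa(packet[16:20])  # destination field of the IPv4 header

def route(packet):
    """Local routing table: the internal subnet is reached through the virtual NIC."""
    dst = ipaddress.ip_address(inner_dst(packet))
    return "vnic" if dst in INTERNAL_NET else "default-gw"

def encapsulate(packet):
    """Virtual NIC: the whole inner packet becomes payload addressed to the endpoint."""
    tag = hmac.new(SESSION_KEY, packet, hashlib.sha256).digest()
    record = struct.pack("!H", len(packet)) + packet + tag
    return {"outer_dst": VPN_ENDPOINT, "record": record}

def decapsulate(frame):
    """VPN endpoint: check integrity, then hand back the original packet unchanged."""
    record = frame["record"]
    if len(record) < 2 + hashlib.sha256().digest_size:
        raise ValueError("record rejected: too short")
    (length,) = struct.unpack("!H", record[:2])
    packet, tag = record[2:2 + length], record[2 + length:]
    expected = hmac.new(SESSION_KEY, packet, hashlib.sha256).digest()
    if len(packet) != length or not hmac.compare_digest(tag, expected):
        raise ValueError("record rejected: truncated or modified in transit")
    return packet

def send(packet):
    """Client side: tunnel internal traffic, pass everything else to the default gateway."""
    if route(packet) == "vnic":
        return encapsulate(packet)
    return {"outer_dst": (inner_dst(packet), None), "record": packet}
```

On the wire only the outer destination (mycompany.com:1023) is visible to routers; the 192.168.1.5 address reappears after the endpoint decapsulates, which is why any IP protocol can ride the tunnel.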
