vpn question - SSL vs IPSec

Tom Emerson plug-discuss@lists.plug.phoenix.az.us
Thu, 29 Aug 2002 06:43:24 -0700 (MST)


A typical "Enterprise" VPN implementation includes an enforcement of IP 
traffic routing.  For example, it is not uncommon for the Policy to 
disallow any IP traffic outside of the IPSec tunnel.  So, when a user is 
connected to the corporate VPN, web surfing, music listening, etc... all 
IP traffic traverses the VPN, then makes its way out over the Public 
Internet (if allowed).

Most of the corporate VPN setups I've worked with have a very restrictive 
Policy.  When connected, web surfing passes through some sort of "nanny 
filter" or a tracking appliance.  Access to Internet resources not on the 
approved list are blocked, everything else is logged with your username on 
the record.

How does the SSL VPN product differ from a custom Apache/SSL solution?  I 
can't see much difference there between this and the ssh tunnels we use 
for the same purpose.  Although, a well constructed IPSec or ssh tunnel 
solution is a lot more difficult to spoof or crack than is SSL.  If you 
have a need to really keep the bad guys out of your data stream, SSL is 
not necessarily secure enough.  (Good enough for a typical consumer credit 
card transaction, not good enough for real secrets!)

 - tom e.
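The "no IP traffic outside the tunnel" policy described above can be checked on a client by reading its routing table. The following is an added example, not code from the original post; it parses constructed `ip route show`-style output and assumes `tun0` is the VPN interface, `eth0` the physical uplink, and `192.0.2.10` the VPN peer. It treats only the host route to the peer and the directly connected link subnet as permitted exceptions.

```python
import ipaddress

# Constructed sample routing tables in `ip route show` style (not taken
# from the original post). Assumed names: tun0 is the VPN interface,
# eth0 the uplink, 192.0.2.10 the VPN peer's public address.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.0.2.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""


def parse_routes(text):
    """Yield (network, device, is_link_scope) for each non-empty route line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        yield net, dev, "link" in fields


def bypass_routes(text, tunnel_dev, vpn_peer):
    """Return prefixes whose traffic would leave the host outside the tunnel.

    Permitted exceptions: the host route to the VPN peer itself and the
    directly connected link subnet needed to reach it. Any other route not
    bound to the tunnel device, including a default route on the physical
    uplink, violates a 'no traffic outside the tunnel' policy.
    """
    peer = ipaddress.ip_address(vpn_peer)
    leaks = []
    for net, dev, link_scope in parse_routes(text):
        if dev == tunnel_dev:
            continue                      # carried inside the tunnel
        if net.num_addresses == 1 and peer in net:
            continue                      # host route to the VPN peer
        if link_scope:
            continue                      # connected subnet reaching the peer
        leaks.append(str(net))
    return leaks
```

Run against the split-tunnel sample it reports the default route on eth0; against the full-tunnel sample it reports nothing.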
-----------------------------

On Wed, 28 Aug 2002, Mike Starke wrote:

Would anyone like to comment on this page/article?
http://www.aventail.com/ssl_vpn_benefits.asp

My only experience with VPNs is either using
OpenBSD w/IPsec for LAN-to-LAN connectivity, or
we had a Cisco Concentrator and their client software
at my last place of employment for the road warriors.

I suppose my question would be this:
How does this (above link's hardware) differ from
connecting to something like an Apache server running
SSL?

Another question I have in my mind goes like this:
At my last employer's place I had a Citrix Server
with numerous "Published Applications", and access
to these published apps via my debian/apache-ssl intranet
web server. The other neat thing I had in this environment
was a NetApp filer. My web server NFS-mounted the NetApp
(snapshots) departmental web directories. The departmental
'assignee' maintained their respective "web site" via their
mapped out drives; and the web server just provided the
access/front end to all of the info.

Now I am wondering if I could create a comparable environment
using Linux. Wouldn't it be neat if one could log into
their Debian (big D fan :-) apache-ssl server, click on a link,
and have a GNU/Enterprise window open that is actually running
on my internal Debian/Application Server?

v/r
Mike
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss