vpn question - SSL vs IPSec
Tom Emerson
plug-discuss@lists.plug.phoenix.az.us
Thu, 29 Aug 2002 06:43:24 -0700 (MST)
A typical "Enterprise" VPN implementation includes an enforcement of IP
traffic routing. For example, it is not uncommon for the Policy to
disallow any IP traffic outside of the IPSec tunnel. So, when a user is
connected to the corporate VPN, web surfing, music listening, etc... all
IP traffic traverses the VPN, then makes its way out over the Public
Internet (if allowed).
Most of the corporate VPN setups I've worked with have a very restrictive
Policy. When connected, web surfing passes through some sort of "nanny
filter" or a tracking appliance. Access to Internet resources not on the
approved list is blocked; everything else is logged with your username on
the record.
How does the SSL VPN product differ from a custom Apache/SSL solution? I
can't see much difference there between this and the ssh tunnels we use
for the same purpose. Although, a well constructed IPSec or ssh tunnel
solution is a lot more difficult to spoof or crack than is SSL. If you
have a need to really keep the bad guys out of your data stream, SSL is
not necessarily secure enough. (Good enough for typical consumer credit
card transactions, not good enough for real secrets!)
- tom e.
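As an added illustration of the "no IP traffic outside the tunnel" policy described above (example code written for this page, not anything from the thread, from Aventail, or from any VPN vendor), the following Python models the kernel's longest-prefix route selection and audits a client routing table for traffic that would bypass the tunnel. The interface names tun0 and eth0, the gateway address, and the sample routing tables are constructed assumptions.

```python
import ipaddress

# Constructed sample routing tables (assumptions, not from the thread).
# Each entry: (destination prefix, outgoing interface).
VPN_GATEWAY = "203.0.113.5"   # assumed public address of the VPN concentrator
TUNNEL_IFACE = "tun0"         # assumed tunnel interface name

# Split tunnel: only corporate prefixes use the VPN; everything else
# leaves directly over the local uplink and escapes corporate policy.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),
    ("10.0.0.0/8", TUNNEL_IFACE),
]

# Full tunnel: the default route points into the VPN, and the only
# host reached directly is the VPN gateway itself (otherwise the
# tunnel could not be established).
FULL_TUNNEL = [
    ("0.0.0.0/0", TUNNEL_IFACE),
    (VPN_GATEWAY + "/32", "eth0"),
]


def select_route(table, dst):
    """Pick the outgoing interface for dst using longest-prefix match,
    the same rule a kernel applies when forwarding a packet."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def leaks_outside_tunnel(table, destinations, tunnel_iface=TUNNEL_IFACE,
                         gateway=VPN_GATEWAY):
    """Return the destinations whose traffic would bypass the tunnel.
    The VPN gateway itself is exempt, since the tunnel rides on it."""
    return [d for d in destinations
            if d != gateway and select_route(table, d) != tunnel_iface]


def enforces_full_tunnel(table, tunnel_iface=TUNNEL_IFACE, gateway=VPN_GATEWAY):
    """True when the default route uses the tunnel and the only more
    specific route off the tunnel is the /32 for the gateway."""
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if iface == tunnel_iface:
            continue
        if not (net.prefixlen == 32 and str(net.network_address) == gateway):
            return False
    return select_route(table, "0.0.0.0") == tunnel_iface


if __name__ == "__main__":
    # Constructed probe destinations: a corporate host and a public web server.
    probes = ["10.1.2.3", "198.51.100.7", VPN_GATEWAY]
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, "full-tunnel policy:", enforces_full_tunnel(table),
              "leaks:", leaks_outside_tunnel(table, probes))
```

Run as a script it reports that the split-tunnel table lets the public web server bypass the VPN while the full-tunnel table leaks nothing; the same check can be run against a client's actual routing table to verify that the concentrator really pushed the policy.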
-----------------------------
On Wed, 28 Aug 2002, Mike Starke wrote:
Would anyone like to comment on this page/article?
http://www.aventail.com/ssl_vpn_benefits.asp
My only experience with VPNs is either using
OpenBSD w/IPsec for Lan-to-Lan connectivity, or
we had a Cisco Concentrator and their client software
at my last place of employment for the road warriors.
I suppose my question would be this:
How does this (above link's hardware) differ from
connecting to something like an Apache server running
SSL?
Another question I have in my mind goes like this:
At my last employer's place I had a Citrix Server
with numerous "Published Applications", and access
to these published apps via my debian/apache-ssl intranet
web server. The other neat thing I had in this environment
was a NetApp filer. My web server NFS mount'd the NetApp
(snapshots) departmental web directories. The departmental
'assignee' maintained their respective "web site" via their
mapped out drives; and the web server just provided the
access/front end to all of the info.
Now I am wondering if I could create a comparable environment
using Linux. Wouldn't it be neat if one could log into
their Debian (big D fan :-) apache-ssl server, click on a link,
and have a GNU/Enterprise window open that is actually running
on my internal Debian/Application Server?
v/r
Mike
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss