Can Web Based VPN Solutions Do It All?
Bingo Foo asks: "My company is in the process of reviewing replacements to our existing multi-platform VPN, which has now been discontinued. I was under the impression that every major vendor's OS ships with a VPN configuration solution.
What gives? Are these not standard enough? Are they not secure enough? Not flexible enough?
Regardless, our IT department is leaning toward a clientless, web-based solution, which frankly sounds too good to be true. Can simply directing your browser at the portal allow X11, NFS, SMB, AFP, ssh, etc. transparently through the firewall? Anyone have experience with Neoteris and their VPN?"
It may be web based... (Score:5, Interesting)
Last time I checked, without a java applet or some sort of client in the html page you can't do socket services. So it's just a client that loads from the web page.
SW
Re:It may be web based... (Score:2, Interesting)
this is also handy if your admins don't like worrying about installing things on your CEO's palm pilot.
Clientless does work (Score:5, Informative)
I worked for a company, openreach, inc. [openreach.com] that did a nice job on clientless VPN, although their bread-n-butter was site to site VPN.
Is it a VPN? (Score:5, Informative)
This essentially looks like a custom security solution to deliver a specific set of protocols, via the web. So if you want to SSH, you connect over SSL to it, and then log into a Web application and run the SSH client. Possibly they have developed a wicked Java applet that runs on the local machine.
You want to browse the shares, you do it via a web interface. Maybe with IE, it presents the share to you as a webdav environment so you can mount the share directly.
I don't see anything there that leads me to believe I can run an arbitrary custom application over it. (Ironically, this is one of the things they knock extranets for.) Call them up, ask if you can securely ship internal data over it.
It sure looks like they essentially provide you with a proxy server that you connect to over SSL, that will proxy you on, or just give you access to some form of applet on it. Granted, a nifty interface is pretty cool. But if all they are doing is providing you a web interface into the services, and not actually extending the network to you (which I have no idea how they could over a browser in any secure and portable way). I really want to see a portable way to implement security so that I can Samba mount something via a web browser. Then essentially, this is just off the shelf software, put into an embedded system. While it's pretty neato, I'm guessing using Apache, webmail, webmin, and a Java based SSH client, I could do all this with free software off the net.
Ask to see a demonstration, where you get to run SSH on the command line. Ask to do secure copies over it. Ask to see port forwarding done over it.
Ask to see it run your custom contact manager that your sales people use (Okay, that's what I'd ask for our sales people).
Ask to see the configurations that allow arbitrary port forwarding. Ask to see how they can forward information from Quake securely, because you'd hate to get fragged by somebody snooping the net... :-)
The clustering, and failover, and the fact that it's load tested, and has good support, make it extremely valuable. The fact that it has its security tested is very good. The actual functionality would be easy to construct with free software off the net as a cool project for a good IT staff.
If you're planning on spending real money with them, request a demo unit to test with for a month. If they won't give one up, I'd pass.
Maybe they just run a Web version of VNC and let you have access to a client desktop. That'd be pretty cool. Not sure. Maybe it's cooler than I think, but I'm guessing it's not a true VPN solution, and if you want to do anything that isn't on their list of services, you'll need another solution to address that.
Kirby
Re:SSL and man-in-the-middle (Score:4, Informative)
The last thing is that you can use a so-called "chain of trust" to safely broadcast public keys. All that you need is one public key on your computer that you absolutely trust, and then the holder of the matching private key can "sign" other people's public keys (thus ensuring safe broadcast). This last is called a certificate authority (CA for short), and is the role that companies like Verisign serve. You pay them to sign your public key, and then because I trust their key, I trust their signature, and I trust your public key. Now that I have your public key (and I know no one has messed with it in transit), and you have your private key (and you know that no one else knows it), then we have a pre-shared secret, so we can't be man-in-the-middled.
That's the basic deal. The most interesting thing about it is that there needs to be at least one completely vulnerable transfer of information (receiving the public key of the certificate authority), and this is usually done when your OS (or web browser) is being installed, presumably from a safe copy on a disk or some such... but if someone "man-in-the-middled" that original transfer of information (how do you man-in-the-middle a disk? well, swap the disks, maybe) then they've totally got your ass.
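The chain of trust the reply above describes, as an added worked example (not part of the thread): a toy textbook-RSA signature over fixed Mersenne primes stands in for a real CA's key, a dict stands in for an X.509 certificate, and the single trusted "Root CA" key plays the part of the one key that ships with the OS. The party names and key sizes are constructed for illustration only; real CAs use large keys, proper padding and X.509, none of which this example reproduces.

```python
import hashlib

# Toy textbook RSA with fixed Mersenne primes, constructed so the example runs offline.
# Real CAs use far larger keys, PSS/PKCS#1 padding and X.509 certificates; this only
# shows the trust relationships the post describes.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) for the primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # Python 3.8+ modular inverse
    return (n, E), (n, d)

def digest(data: bytes) -> int:
    # SHA-256 truncated to 128 bits so the integer is below every modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data)

def cert_body(subject: str, pub, issuer: str) -> bytes:
    """The bytes the issuer signs: whose key it is, the key itself, and who vouches for it."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def issue_cert(issuer_name: str, issuer_priv, subject: str, subject_pub) -> dict:
    body = cert_body(subject, subject_pub, issuer_name)
    return {"subject": subject, "pub": subject_pub, "issuer": issuer_name,
            "sig": sign(issuer_priv, body)}

def validate(cert: dict, trust_store: dict) -> bool:
    """Accept the cert only if a key already on this machine signed it."""
    issuer_pub = trust_store.get(cert["issuer"])
    if issuer_pub is None:
        return False   # unknown issuer: nothing we trust vouches for this key
    body = cert_body(cert["subject"], cert["pub"], cert["issuer"])
    return verify(issuer_pub, body, cert["sig"])

# Constructed parties: the CA whose key ships with the OS, the VPN portal, and an attacker.
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
ROOT_PUB, ROOT_PRIV = make_keypair(M89, M107)
PORTAL_PUB, PORTAL_PRIV = make_keypair(M61, M127)
MITM_PUB, MITM_PRIV = make_keypair(M61, M89)

TRUST_STORE = {"Root CA": ROOT_PUB}   # the single pre-installed trust anchor

def scenario():
    """Return whether each presented cert is accepted: genuine, forged, tampered, unknown issuer."""
    genuine = issue_cert("Root CA", ROOT_PRIV, "vpn.example.com", PORTAL_PUB)
    # Attacker claims the portal's name and the root as issuer, but can only sign with their own key
    forged = issue_cert("Root CA", MITM_PRIV, "vpn.example.com", MITM_PUB)
    # Attacker keeps the genuine signature but swaps the public key inside the cert in transit
    tampered = dict(genuine, pub=MITM_PUB)
    # Attacker signs with a CA of their own that the client has never heard of
    unknown = issue_cert("Evil CA", MITM_PRIV, "vpn.example.com", MITM_PUB)
    return tuple(validate(c, TRUST_STORE) for c in (genuine, forged, tampered, unknown))

if __name__ == "__main__":
    print(scenario())   # (True, False, False, False)
```

The only thing the client ever had to get right was `TRUST_STORE`; everything else is checked arithmetically. That is also why the reply's last point matters: if the attacker can alter that one entry at install time, every later check passes for the wrong key.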
Re:SSL and man-in-the-middle (Score:2)
Hmmm,
"Security Upgrade"
Swap the disks AFTER THE FACT
Performs normally on most original
Recognizes "special" inputs such as sequence so that md5sum will report the specified value rather than computed value.
Trust a hard-coded special certificate as well as the normal.
Put the trojaned? executables into where backups are recovered from. Only later when recovery is
Re:Is it a VPN? (Score:1)
Works great, configuration option to limit who/where ssh tunnels can be established.
Use it to ssh to one of the boxes that I need to check at night. No problems from my end.
Re:Is it a VPN? (Score:2)
Whaa? Why are you running ssh over a vpn? That sounds like about the most convoluted way of running ssh I've ever heard of.
Non standard VPNs still work (Score:5, Informative)
PPTP/L2TP work with Microsoft clients quite well and I don't see any problems there. L2TP being more scalable is preferable but:
IPsec is my favorite. It was designed from the ground up as a VPN protocol rather than one protocol piggybacking on another. The list of IPsec support on FreeS/WAN's page is huge for all OSes. It requires some downloads for Windows machines, but face it, for any solution at all you will have to patch Windows.
Oh yeah, just make sure your home network's upload speed is good, and the VPN server is not Windows 2000 (just use linux on a Pentium1) and all is well.
Re:Non standard VPNs still work (Score:2)
Linux (and *BSD? and OSX?) supports CIPE. I'm fighting with a corporate firewall right now, otherwise I'd be using it.
Question for those fiddling with a mixed environment: are the CIPE implementations you've used compatible across operating systems?
Re:Non standard VPNs still work (Score:2)
That does not have to be the case if you read this [jacco2.dds.nl].
HTTPS != VPN (Score:4, Informative)
Second problem is that the client itself does not authenticate properly against the server. Problem again for non-human clients (usually).
Re:HTTPS != VPN (Score:1, Interesting)
The client can in some of these solutions authenticate with client certificates, and username and password, against RADIUS, LDAP and whatnot. Some even offer multiple authentication stages.
One product does terminal server, netbios, intranet web proxying and (windows client only, afaik it's active-x based) IP tunneling over SSL.
I saw outlook to exchange natively over one of these tu
True enough (Score:2)
So far, nothing in the Linux world seems to suit my needs, but the original principle was that I wanted to be able to tunnel my internal IPX/SPX connection (games) through TCP/IP on a VPN channel out to external machines.
For games where I want to play against my friends LAN-style but without sometimes boggy servers such as battle.net etc it would be nice. It also helps get around CD-key issues (I
Re:True enough (Score:2, Informative)
(http://www.linux.org/docs/ldp/howto/I
Beware: most VPN solutions (IPSec, PPTP,
This isn't an advertisement, is it? (Score:2)
The original poster isn't some marketing guy trying to raise awareness of his company's new product, is he?
Re:This isn't an advertisement, is it? (Score:2)
No, I'm not. I work for a medium-sized non-IT R&D lab, where Windows, Macs and various Unix/Linux machines are all well represented. We do have a unit from Neoteris to test for a month, but it isn't us end users who are testing it (yet).
With respect to some of the things that are being brought up in this thread, getting mail through is a given, but our IT department would be asking for serious tr
Re:This isn't an advertisement, is it? (Score:2)
They're getting more exotic in 3.2 and higher versions, allowing some NetBIOS activity and more of the traditional "Full Ride VPN".
They're still struggling with WebDAV for some reason, but overall making very quick and positive progress.
Also, one item of convenience is that it allows your field user to connect, even if they are doing so from behind a firewalled resource, 80/44
SSL VPN (Score:3, Interesting)
The SSL VPN is being seen as an alternative to the more traditional IPSec VPN for remote access. IPSec VPNs are still seen as the de facto standard for encrypted, secure site-to-site communications.
Re:SSL VPN (Score:2, Informative)
If your organization is like ours and 95% of the time you use the VPN for MS Exchange access, check out the HiPerExchange [seasidesw.com].
We have a NetScreen 10 that has a VPN in it. It was never implemented because the only access these
people need is our Exchange and the public folders. So there was no need to implement a VPN, and we use the HiPerExchange [seasidesw.com] and it's even MSBlaster proof.
I'm Calling You Out (Score:2)
You, sir, are an astroturfer. Your user page [slashdot.org] shows that you have posted 6 comments on /., and each [slashdot.org] and [slashdot.org] every [slashdot.org] one [slashdot.org] of [slashdot.org] them [slashdot.org] contains a link to either the "hiperexchange.com" domain or the "seasidesw.com" domain.
So either you're a HiPerExchange astroturfer, or you are the most devoted fan a MS Exchange utility ever had. YHL. HAND.
Re:SSL VPN (Score:2)
This is very attractive for field users, consultants (shudder) and obnoxious executives. They only have to remember a web address instead of "complicated" VPN setups. Have 443 access? You're in.
It is NOT a 100% or even in my estimation a 90% solution, but since it meets my 80-20 rule metric, it gets a nod.
Person
SSL and VPN's (Score:3, Interesting)
For the most part, SSL VPN products differ from IPSEC VPN products in a fundamental way. SSL VPN products can best be imagined as reverse proxy servers that use SSL based encryption. Typically, it is the SSL VPN device that will be making connections to the "protected" network hosts, not the remote node. TCP sessions are maintained remote node to SSL device, and SSL device to "protected" host.
IPSEC products can be imagined more as encrypted water hoses. A device (or client shim) intercepts traffic at the remote node, puts it in the hose (encrypted tunnel), and pushes it out to the IPSEC device at the protected network. TCP sessions are maintained remote node to "protected" host.
Although the tunnel does normally imply some stateful translation, the session does not terminate on a tunnel device, unless that device is the remote node.
Obviously SSL products are great for Web based applications. IPSEC products lend themselves best to site-to-site connectivity. The grey area between them is remote client situations.
Which solution is better in the remote client case (i.e. laptop in a hotel room, or at a client's site) really depends on where and how the remote client is to be used.
Many organizations don't allow IPSEC tunnels to be initiated from their internal network to an outside location.
On the other hand, those same organizations (and many others) will allow outbound SSL traffic initiated from hosts on the internal network.
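The distinction the post above draws, as an added example that is not part of the thread: an SSL-VPN-style portal that terminates the remote node's TCP session and opens a separate one to the protected host, so the host only ever sees the portal's address, together with the kind of "who/where" tunnel policy an earlier reply mentions. Everything runs on loopback and the TLS leg is omitted so it works offline; the `CONNECT host:port` request line is a constructed mini-protocol for this example, not any product's wire format, and the denied target `10.0.0.5:22` is a made-up address.

```python
import socket
import threading

# Constructed demo: loopback only, no TLS. A real SSL VPN wraps the client-to-portal leg in TLS.

def start_backend():
    """Stand-in for a 'protected' host: echoes one message and records the peer address it saw."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    seen = []

    def run():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return          # listening socket closed
            with conn:
                seen.append(peer)
                conn.sendall(b"echo:" + conn.recv(4096))

    threading.Thread(target=run, daemon=True).start()
    return srv, seen

def read_line(conn):
    """Read up to and including the first newline, one byte at a time."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf

def start_portal(allowed):
    """SSL-VPN-style relay: the remote node's TCP session ends here; if policy allows,
    the portal opens its own, separate TCP session to the protected host."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def handle(conn):
        with conn:
            line = read_line(conn).decode(errors="replace").strip()
            parts = line.split(" ", 1)
            if len(parts) != 2 or parts[0] != "CONNECT" or ":" not in parts[1]:
                conn.sendall(b"BAD REQUEST\n")
                return
            host, port = parts[1].rsplit(":", 1)
            if not port.isdigit():
                conn.sendall(b"BAD REQUEST\n")
                return
            target = (host, int(port))
            if target not in allowed:          # the "who/where" tunnel policy
                conn.sendall(b"DENIED\n")
                return
            payload = conn.recv(4096)
            with socket.create_connection(target) as upstream:   # second, independent session
                upstream.sendall(payload)
                conn.sendall(upstream.recv(4096))

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=run, daemon=True).start()
    return srv

def through_portal(portal_addr, target, message):
    """Remote node: exactly one TCP session, to the portal. Returns (reply, our local address)."""
    with socket.create_connection(portal_addr) as c:
        local = c.getsockname()
        c.sendall(b"CONNECT %s:%d\n%s" % (target[0].encode(), target[1], message))
        return c.recv(4096), local

def demo():
    backend, seen = start_backend()
    backend_addr = backend.getsockname()
    portal = start_portal(allowed={backend_addr})      # only this host:port may be reached
    portal_addr = portal.getsockname()
    reply, client_local = through_portal(portal_addr, backend_addr, b"hello")
    denied, _ = through_portal(portal_addr, ("10.0.0.5", 22), b"hello")   # made-up, not allowed
    portal.close()
    backend.close()
    # The protected host saw the portal's ephemeral address, never the remote node's.
    return reply, denied, seen[0] != client_local, seen[0][0] == "127.0.0.1"

if __name__ == "__main__":
    print(demo())   # (b'echo:hello', b'DENIED\n', True, True)
```

Two consequences follow directly from the second session: the protected host's logs and access controls see the portal, not the remote user, so identity has to be carried by the portal (the authentication stages another reply describes), and anything the portal does not know how to relay, including arbitrary ports, simply is not reachable. An IPsec tunnel of the "water hose" kind has neither property, because the remote node's own session reaches the host.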
Re:SSL and VPN's (Score:1)
You used to be able to say "OK, that's a VPN, it's something that provides a virtual network connection, you get network layer access over it". Now it's "OK, that's a VPN, now is it a network connection or is it a middleware tunnel or a proxy?".
Also, this produces a false dichotomy between "IPSEC" and "SSL". There are VPN technologies that aren't built on top of IPSEC (PPPoE, PPTP, etc). There are other virtual proxy te
Cisco 3000 Series VPN Concentrators (Score:2, Informative)
The CVPN 3000 Series are nice; there are clients for just about every OS under the sun (Windows XP, 2000, Me/98, OS X, OS 8/9, Linux, Solaris) and it's a nice, centrally-managed solution where the client slaves everything from the head-end VPN Concentrator. Suppor
secure remote access (Score:1)
For a true VPN, code running in the browser or invoked by the browser needs to get access to low-level networking, and there is no way in which that can be done without additional user intervention.
In the simplest case, you may be able to create a signed Java applet, bu
Some info on another SSL VPN company (Score:1)
http://www.whalecommunications.com
They have a nice paper explaining SSL VPNs. These provide access to applications from a remote location. As I understand it they do not provide a connection for a remote PC to the intranet. You get control of which applications are made available to which users.
i-Planet used to do this (Score:2)
When you clicked on the link to a service (for example an NT server running SQL Server in San Jose) the iPlanet server downloaded to your workstation a java "netlet" that formed a secure tunnel between your w