Evaluating SSL-Based VPNs?
Saqib Ali asks: "There are numerous SSL based VPNs available in the market. They all offer the same basic functionality, but a varied set of features. I am currently evaluating a few of these SSL based VPN solutions. Compared to an IPsec based VPN, SSL based VPNs are fairly easy to test and evaluate, since no client installation is required for the SSL based VPNs. One way to evaluate is to test all of my applications against each product. I am also planning to test support for various browsers. I was wondering if Slashdot readers have some suggestions/ideas on what else to include in my evaluation matrix. Are there any features that are a MUST, or things that I should watch out for while evaluating SSL based VPNs?"
OpenVPN is SSL Based (Score:5, Informative)
http://openvpn.sourceforge.net [sourceforge.net]
Re:OpenVPN is SSL Based (Score:1)
Capabilities? (Score:2)
I know a lot of people who play LAN games are looking for a good VPN server/client which is easily NAT'able - to be used for playing LAN (often using IPX/SPX protocol) games or using LAN software as if two remote computers are within the same network.
Anyone tried this for those purposes?
So far, I've played a lot with GIT [morpheussoftware.net] for such purposes, but it doesn't do exactly what I want, and doesn't seem overly secure (though possibly
Re:Capabilities? (Score:1, Informative)
I've run a UDP-based tunnel between one computer which was behind a crappy Linksys router using NAT (it wouldn't route anything besides TCP or UDP, even if I made my computer the DMZ host - I initially wanted to use IPv6), and an
Re:Capabilities? (Score:2)
In fact, if you set it up to use ethertap, it tunnels ethernet frames, and you can tunnel IPX, NetBeui, whatever strange things you want, even ARP.
Re:Capabilities? (Score:2)
I emailed the author a few months back, begging for SOCKS5 support. He said sorry, I have no plans for it. Politely. But damned if the latest release doesn't support socks. I'm nominating him for networking godhood.
And I think for practical purposes, it's as secure as anything out there. Certainly easier to use than freeswan...
IPSec is a standard (Score:3, Informative)
So why fragment the VPN scene further, and what do you mean no client installation is required? Does it come prebuilt in linux, openbsd, windows 98, qnx, beos?
If clients and servers are available, from how many different vendors, based on which RFCs?
I am curious because I never heard of SSL-based VPNs, but I won't contribute to further fragmentation; IPSec has been good to me.
Re:IPSec is a standard (Score:2)
I don't know how cross platform that would be, or how the permissions would need to look. But I imagine that is what this solution is.
IPSec tunnels the kitchen sink... (Score:5, Informative)
The Neoteris stuff in particular provides you with a sort of "secure web portal" to your intranet (they call their product the Instant Virtual Extranet). It's very easy to configure and get set up, supports tons of different authentication mechanisms and the various penetration tests we've had conducted on ours have had it pass without a problem. Underneath it all it's basically a Linux box (right down to a LILO menu letting you select the image to boot, to rollback to an older version, or to perform a factory restore).
We have ours set up with SecurID token based authentication so we can present a secure SSL two-factor authenticated gateway to any of our internal sites without fscking around with the RSA Web Agent software and relying on IIS or Apache for webserver security. I'm not even sure where to start describing it since it has so many features... logging is very detailed down to the URL level, you can access Windows file shares and NFS exports via servlets, etc.
One of the neat features of it though is the secure application manager piece which basically does port forwarding. You can either let users set up their own application forwarding options or present them with a list of preconfigured ones (or both). The Java (or Active-X app.. it's configurable) app even goes so far as to modify the hosts table so users don't have to reconfigure their software. For example, say you want to allow POP access to your internal POP server to authenticated users. Basically when they login this Java app binds to a localhost address like 127.0.0.12 port 110 and then edits the hosts table to point smtp.whatever.com to 127.0.0.12. When you fire off your mail reader and connect to smtp.whatever.com it connects to 127.0.0.12, gets tunneled over the SSL connection and then redirected to the "real" server on the other side. Anyone doing SSH port forwarding should find this familiar, but it's done transparently enough that the end user doesn't have to know how it works. When the session terminates it removes the hosts table entries and cleans itself up by unbinding the ports. We've had good luck with this and laptop users roaming between home and the work LAN without making any changes at all to their applications.
Now, how is this better than IPSec? We don't have to worry about a network layer tunnel being established between some user's "dirty" home workstation and our protected network. There's a lot less chance of something accidentally slipping through like a NetBIOS worm because it only allows what you explicitly configure it to allow. This appeals to us mainly because we're interested in it for the RAS replacement functionality. 99% of our users VPN in to our older VPN gateway to check mail or grab a file via Windows file sharing... The Neoteris box totally fits their needs and requires zero software installed on their system for us to worry about supporting. Ever try to make Checkpoint Secure Remote client live nicely with Cisco's VPN software?
By the way, I should point out that SSL VPNs are aimed at real enterprises and not small offices with 20, or even 200 people in them. These boxes cost tens of thousands of dollars to purchase and thousands of dollars in maintenance contract costs per year. These are not meant to replace someone's hacked up OpenBSD VPN gateway with some free IPSec Windows clients they found on the net sort of setup. These are definitely aimed at the bigger corporate environments.
One of our biggest uses has been putting the boxes in front of previously buggy and insecure Windows IIS webservers to offer an additional layer of security. Users don't need some clunky Cisco IPSEC vpn software installed before they can access the web sites in question.. jus
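The loopback-alias plus hosts-table mechanism described in the post above, as an added example (not Neoteris code and not part of the original thread): one alias per forwarded hostname, tagged hosts entries installed for the session and stripped afterwards, and a check for entries left behind when the applet dies before cleanup, which would leave those hostnames pointing at dead loopback ports. The hosts file content, hostnames and the `# vpn-forwarder` tag are constructed for the example.

```python
import ipaddress

HOSTS_TAG = "# vpn-forwarder"                      # marks the lines this tool owns
FIRST_ALIAS = ipaddress.IPv4Address("127.0.0.2")   # leave 127.0.0.1 alone

# Constructed hosts file content for the demo: the mail host already has a
# static entry, which the forwarder must override only while the session lasts.
SAMPLE_HOSTS = "127.0.0.1\tlocalhost\n10.0.0.5\tsmtp.whatever.com\n"

def allocate_aliases(services):
    """Give each hostname its own loopback alias (cf. 127.0.0.12 above); a host
    forwarded on several ports shares one alias, so the map stays one-to-one."""
    mapping, nxt = {}, FIRST_ALIAS
    for host, _port in services:
        if host not in mapping:
            mapping[host], nxt = str(nxt), nxt + 1
    return mapping

def tagged_hosts(hosts_text):
    """Hostnames currently redirected by our tagged lines. Non-empty when no
    session is running means a crashed applet left them pointing at dead ports."""
    return [ln.split()[1] for ln in hosts_text.splitlines()
            if ln.rstrip().endswith(HOSTS_TAG)]

def install_entries(hosts_text, mapping):
    """Prepend one tagged line per new hostname so it wins over any static entry
    further down (resolvers take the first match). Returns (text, added)."""
    present = set(tagged_hosts(hosts_text))
    new = [f"{ip}\t{host}\t{HOSTS_TAG}" for host, ip in mapping.items()
           if host not in present]
    return "\n".join(new + [hosts_text.rstrip("\n")]) + "\n", len(new)

def remove_entries(hosts_text):
    """Session cleanup: drop only our tagged lines, never the admin's own."""
    lines = hosts_text.splitlines()
    kept = [ln for ln in lines if not ln.rstrip().endswith(HOSTS_TAG)]
    return "\n".join(kept) + "\n", len(lines) - len(kept)

def resolve_locally(hosts_text, hostname):
    """Address a client on this machine gets for hostname from the hosts file
    (first matching line), or None if the file does not list it."""
    for ln in hosts_text.splitlines():
        fields = ln.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return fields[0]
    return None

def edit_hosts_file(path, fn, *args):
    """Apply one of the text functions above to a real hosts file in place."""
    with open(path, encoding="utf-8") as f:
        text, result = fn(f.read(), *args)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)
    return result
```

Running `tagged_hosts` against the live hosts file at login (before a new session starts) is the cheap check that no earlier session left hostnames hijacked.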
Re:IPSec tunnels the kitchen sink... (Score:2, Interesting)
Seriously, I'm glad our products have worked so well for you. We just released our new code, version 4.0, and there have been some significant improvements and additions. Particularly in the areas of security and access management. Check it out, you'll be pleased with all the new features.
As for loo
Re:IPSec tunnels the kitchen sink... (Score:2)
Also, on the VPN server that it connects to,
If you're looking at portal-type VPNs (Score:5, Insightful)
You'd be surprised how badly some of these solutions scale from a performance perspective. CPU utilisation is the usual culprit, and many of the "off the shelf" solutions don't offer lots of CPU scalability options.
SSLv3, configuration (Score:5, Informative)
* SSL with server-side authentication only, followed by client-side password authentication inside the SSL connection.
* SSL with mutual authentication (client side and server side at the same time).
If you're deploying or ever plan to deploy this VPN with client-side SSL authentication, check support for so-called "SSLv3" or TLS 1.0, versus SSLv2.
Another important point to check then is how you provision user accounts (in the case of SSLv3). Ask yourself questions such as, how do I give a new user access to the VPN, or what will the procedure be when (not "if") someone has lost/compromised their passwords or other form of credentials? It's a good idea to simulate all this and see if the config interface allows you to do all these tasks easily.
Re:SSLv3, configuration (Score:3, Insightful)
I would imagine with most of them they'd tie into the same authentication mechanisms your current RAS dial
Test your applications (Score:4, Informative)
Also check if the product supports the authentication method you want to use. This should normally not be a problem but since authentication systems may cost quite a lot it is a good idea to check it out.
Another thing to look at is reliability. How stable is the box, what happens if the box breaks? Can you connect multiple boxes in a cluster?
Also do not stare blindly at the SSL protocol but rather focus on functionality. There are other products which have similar functionality but build on different protocols. For example AppGate [appgate.com] which uses SSH as the basic protocol (disclaimer: I work for AppGate :-).
The most common functionalities people tend to look at are:
Re:Test your applications (Score:1, Insightful)
Ahem. *cough*bullshit*cough*
Anything that uses TCP as a transport is inherently going to have poorer performance than something that uses a non-stream based protocol (such as IPSec, which uses ESP, or even PPTP, which uses GRE.)
This is because of the error-correcting overhead involved with a TCP stream. See this [sites.inka.de] for more information.
Find one that doesn't need a download! :( (Score:5, Informative)
The reason I'm now on Slashdot is that the portal needs to download a small applet onto the desktop, I believe it's Citrix's ICA client - and the browser here is locked down so tight I can't run the app! So, buyer beware!!
Matt
Re:Find one that doesn't need a download! :( (Score:1)
Of course, using NFuse from a locked-down public terminal is a hindrance. (Darn inconvenient, too, I reckon).
Re:Find one that doesn't need a download! :( (Score:4, Insightful)
Unless you have a disposable password scheme, this is very dangerous, right?
--jeff++
Re:Find one that doesn't need a download! :( (Score:1)
ssl review at nwfusion (Score:2, Informative)
It has all been done for you. Read:
http://www.nwfusion.com/reviews/2004/0112revmai
Regards,
Paul
Re:ssl review at nwfusion (Score:1)
Strength of encryption versus speed. (Score:2, Informative)
For instance IPSEC
- you could have 512 keys (breakable with a lot of effort) or 2048 key pair encryption.
Definitely if the 512 key pair is in use it will be faster.
I make a balance between speed and the weight of data you need to protect.
To protect my financial data, I would use a good tight VPN.
For instance @ home, I use CIPE for wireless VPN into my server. Reliability and speed are the keywords. I don't care if someone is capable
Re:Strength of encryption versus speed. (Score:2)
To set up an IPSec tunnel, IKE (Internet Key Exchange) happens first, to securely establish all the necessary session and keying information. This typically uses 1024 bit RSA, and most devices also support 1536 bits. As a result of the IKE process, both sides have agreed on all the IPSec session parameters and computed a session key.
The session key is used by the negotiated encryption algorithm {DES, 3DES, AES-128, AES-256, RC4, etc.} to secu
Re:Strength of encryption versus speed. (Score:1)
Just Remember: (Score:2, Funny)
A firewall/tunnel/authentication scheme/protocol/whatever is only as good as its ASN.1 Buffer Underflows [slashdot.org].
Don't laugh - have you strcpy()'ed today?
Be sure to include stunnel-to-stunnel (Score:1)
Has anyone else benchmarked PPPD/stunnel vs. PoPTop or FreeS/WAN?
VPE (Score:2)
http://freshmeat.net/projects/vpe/ [freshmeat.net]
Packet Sniffer (Score:3, Informative)
Dolemite