Overheard: Word of the Day

Jan 19 2009   2:06PM GMT

Overheard – Security and the SSL VPN

Margaret Rouse Margaret Rouse Profile: Margaret Rouse

Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security VPNs. The two VPN technologies are complementary and address separate network architectures and business needs.

William Jackson, quoting from Special Publication 800-113

I started to add to a short definition we have for FIPS – Federal Information Processing Standard – to promote our newest site, SearchCompliance.com and somehow I got turned around and started reading about SSL VPNs.  (Somewhere in my reading I discovered that Federal agencies deploying SSL VPNs have to configure them to only allow FIPS-compliant cryptography and SSL.)

What got my attention was a blog post by someone named Shakya about how SSL VPNs are vulnerable to man-in-the-middle attacks. The reason? Because many SSL VPNs weren’t built with wireless in mind.  Shakya does a really good job explaining the vulnerability in simple terms.  His blog is not for the faint of heart, but it reinforces this warning — never check your bank account balance at Starbucks!

Circling round again to SSL VPNs, the Department of Commerce put out a Guide to SSL VPNs last summer.  It’s really well written. If you are making a business case for implementing an SSL VPN or you’re an admin who needs help with documentation for the business side, I suggest you take a look.  As the report from  points out, an SSL VPN is not a magic security bullet.  There are still many instances when a VPN application installed on the end-user’s computer is the way to go.  Not everything will be done in the cloud.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: