William Jackson, quoting from Special Publication 800-113

I started to add to a short definition we have for FIPS – Federal Information Processing Standard – to promote our newest site, SearchCompliance.com and somehow I got turned around and started reading about SSL VPNs.  (Somewhere in my reading I discovered that Federal agencies deploying SSL VPNs have to configure them to only allow FIPS-compliant cryptography and SSL.)

What got my attention was a blog post by someone named Shakya about how SSL VPNs are vulnerable to man-in-the-middle attacks. The reason? Because many SSL VPNs weren’t built with wireless in mind.  Shakya does a really good job explaining the vulnerability in simple terms.  His blog is not for the faint of heart, but it reinforces this warning — never check your bank account balance at Starbucks!

Circling round again to SSL VPNs, the Department of Commerce put out a Guide to SSL VPNs last summer.  It’s really well written. If you are making a business case for implementing an SSL VPN or you’re an admin who needs help with documentation for the business side, I suggest you take a look.  As the report from  points out, an SSL VPN is not a magic security bullet.  There are still many instances when a VPN application installed on the end-user’s computer is the way to go.  Not everything will be done in the cloud.