Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security VPNs. The two VPN technologies are complementary and address separate network architectures and business needs.
William Jackson, quoting from Special Publication 800-113
I started to add to a short definition we have for FIPS – Federal Information Processing Standard – to promote our newest site, SearchCompliance.com, and somehow I got turned around and started reading about SSL VPNs. (Somewhere in my reading I discovered that Federal agencies deploying SSL VPNs have to configure them to only allow FIPS-compliant cryptography and SSL.)
What got my attention was a blog post by someone named Shakya about how SSL VPNs are vulnerable to man-in-the-middle attacks. The reason? Because many SSL VPNs weren’t built with wireless in mind. Shakya does a really good job explaining the vulnerability in simple terms. His blog is not for the faint of heart, but it reinforces this warning — never check your bank account balance at Starbucks!
Circling round again to SSL VPNs, the Department of Commerce put out a Guide to SSL VPNs last summer. It’s really well written. If you are making a business case for implementing an SSL VPN or you’re an admin who needs help with documentation for the business side, I suggest you take a look. As the report points out, an SSL VPN is not a magic security bullet. There are still many instances when a VPN application installed on the end-user’s computer is the way to go. Not everything will be done in the cloud.