There's a different problem with the Cisco (and some other) "clientless" (there's a BS marketing term) VPNs. There's a lame CERT vuln report at: http://www.kb.cert.org/vuls/id/261869 with lots of misinformation (most VPN products are not vulnerable to this). Two posts over at Securosis clarify and explain this issue: http://securosis.com/blog/your-clientless-ssl-vpn-sucks/ and http://securosis.com/blog/clientless-ssl-vpn-redux/

Basically, the "web browser as VPN client" systems where the "VPN server" rewrites the remote services and serves them to the browser/client via a web server break domain security models if used improperly. I *assume* (with all attendant dangers) that these same pure web-browser based systems are as vulnerable to sslstrip as conventional websites, but I do not know for sure.

What is driving the change from IPSec?

Jack

--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com

On Sun, Jan 31, 2010 at 2:49 PM, Michael Douglas <[email protected]> wrote:
> Do any of the ssl strip type attacks work against SSL VPNs?
> Specifically the Cisco variant?
>
> I have a side client who's all but ready to ditch IPSec and that's got
> me a bit concerned. I've tried noodling around on google/bing to see
> what I can find, and my search-fu is weak today.
>
> Any tips are welcomed.
>
> Thanks & have a nice day!
> - Mick
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
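
The domain-model problem described in the reply above, as an added example that is not part of the original message: when a portal re-serves every backend under its own hostname, the browser assigns all of that content a single origin. The `/proxy/<scheme>/<host>/` rewrite scheme and every hostname below are hypothetical, not any vendor's actual URL format.

```javascript
// Added illustration; the rewrite scheme and hostnames are hypothetical.
const PORTAL = "https://vpn.example.com";

// Rewrite a backend URL the way a clientless portal re-serves it:
// the real scheme and host move into the path of the portal's own URL.
function rewriteThroughPortal(target) {
  const u = new URL(target);
  const scheme = u.protocol.replace(":", "");
  return `${PORTAL}/proxy/${scheme}/${u.host}${u.pathname}${u.search}`;
}

// Origin (scheme, host, port) is the unit the browser isolates on.
function originOf(url) {
  return new URL(url).origin;
}

// Group URLs by the origin the browser would assign them.
function groupByOrigin(urls) {
  const groups = new Map();
  for (const url of urls) {
    const o = originOf(url);
    if (!groups.has(o)) groups.set(o, []);
    groups.get(o).push(url);
  }
  return groups;
}

// Constructed sample: three unrelated services reached through the portal.
const SAMPLE_TARGETS = [
  "https://mail.corp.example/inbox",
  "http://wiki.corp.example/Home?action=edit",
  "https://partner.example.net/news",
];

// Compare how many isolation boundaries exist with and without the portal.
function compare(targets) {
  const direct = groupByOrigin(targets);
  const viaPortal = groupByOrigin(targets.map(rewriteThroughPortal));
  return {
    directOrigins: direct.size,
    portalOrigins: viaPortal.size,
    portalOrigin: [...viaPortal.keys()][0],
  };
}

console.log(compare(SAMPLE_TARGETS));
```

Accessed directly, the three services sit in three separate origins; through the portal they share one, so origin-based isolation no longer separates them.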
