This probably won't affect your purchasing decision, but I think it is interesting that most network admins don't really think twice about allowing their employees to use SSL VPN to connect to a third party network. They don't think about the fact that some other admin (the one who owns the SSL VPN Concentrator) controls the split tunneling policy on the clients and decides whether or not your internal workstations can be used to pivot mercilessly through your environment.

Dear Pen test customer,

In order to provide you with instant, up-to-date access to the results of our ongoing penetration we have established a project status portal. Obviously this data is sensitive and must be protected. Please use the following username and password to log in to our SSL VPN to access the status page.

Moooohahhahaa

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Douglas
Sent: Tuesday, October 19, 2010 9:41 AM
To: [email protected]
Subject: [Pauldotcom] SSL vs IPSec VPNs

Hey all,

I'm trying to determine what protocols should be permitted on a new VPN concentrator. I'd like to stick with IPSec, it's tried and true, and to quote Garth: "We fear change". However, it seems that all the vendors are going down the SSL route. Now I know SSL is 'safe', but it seems like it's more open to attacks like SSLStrip (thanks again Moxie for making us aware of the problems!)

I get that SSL is easier for administrators and end users alike, but is that convenience at too high a cost?

So what are your thoughts? Am I being too paranoid? If there are articles or places where I should RTFM, that's cool... I just need to know what FM to read!! Please send the links/info ;-)

Thanks for your input, and have a nice day!

- Mick

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
