Home page logo
/

basics logo Security Basics mailing list archives

Re: Deploying SSL-based VPNs
From: Miguel Dilaj <miguel.dilaj () oissg org>
Date: Wed, 29 Mar 2006 23:37:46 +0100

Hi Joe,

My personal experience is with a medium size network deployed using OpenVPN on Debian for the servers and Windows XP SP2 + OpenVPN GUI for the clients, using X.509 certificates (we are our own CA).

Issues?
None at all.

Programs that do not work?
None of the programs we use... and we use a lot of stuff.

Features?
We found the flexibility to direct all traffic through the VPN (or not) very useful. We have 2 config files each, one directs all traffic through the VPN, and the other only implements traffic to our servers on the other, thus we can decide which one to use depending on our needs.

X.509 certificate authentication is a pain to deploy in the very beginning, specially if you've a large user population (you've to create a certificate for every user), but after that maintenance is close to nil, other than creating certificates for new starters of issuing a CRL to the servers when someone leaves the company.

We have multiple servers, and the configuration files for the clients specify all of them. We had a server failure (hard disk crash) and we noticed it only when the logs failed to arrive by email. No one lost connectivity.

If you're a part of a company that likes to have a big team offering you commercial support for big bucks, forget about it ;-) If you want a product that WORKS FLAWLESSLY and costs you almost nothing, go for it.

Regards,

Miguel Dilaj
Vice President of IT Security Research, OISSG
www.oissg.org



Joe wrote:
Hi all

I'm currently interested in SSL-VPN solutions, problems and
deployments. Personally I prefere much more the term „SSL-based remote
access" since almost all those products (except OpenVPN) claiming to
be SSL-VPNs don't offer any network functionality. Would you guys
share your experiences?

What are the issues you spotted when deploying SSL-based remote access
solutions?

Any experiences with certain products? (my company for example made
bad experiences with iGate from SafeNet)

What features make an SSL-remote access solution a good one?

I know these are some very general questions.

Thanks anyway
Joe

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault