mailing list archives
Re: SSL VPNs and security
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Fri, 9 Jun 2006 10:11:55 -0400
On 6/9/06, Tim <tim-security () sentinelchicken org> wrote:
Set up a wildcard record, *.webvpn.example.org, pointing to the device.
The device then maps all internal domain names or IP addresses to a
unique hostname, such as: internalhost.webvpn.example.org, or
Wouldn't this properly segment different internal sites, such that an
XSS in one wouldn't impact the other? If so, pay attention all SSL VPN
vendors: it is your free idea for the week.
That depends on whether the solution tries to solve single-sign-on
problems as well. If the vendor is trying to handle SSO in such an
environment, then they are probably using domain cookies. The
problems are exactly the same as the ones Michal listed, plus some
additional ones specific to domain cookies.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: SSL VPNs and security Michael Holstein (Jun 09)