Security Basics mailing list archives

SSL VPN Risk Assessment


From: blagoon () gmail com
Date: 7 Mar 2008 15:54:43 -0000

Hi all,

I was tasked to do a risk assessment on our SSL VPN deployment. And I came up with the following:
- Authentication: Single factor is too weak, we'll have to use a hard token for a 2nd factor.
- End Point Security: we need to verify the integrity of the connecting host (company asset, antivirus, patches), install cache cleaner and force inactive session timeouts.
- Access control: limit full VPN access, implement resource profiles for different groups of users, or only RDP to users' desktop in the office.

But apparently it is not enough for my manager, who asked me to expand this report. Any suggestions on areas I might have missed?

Thanks,

