Linux.com

interesting comments

Posted by: Anonymous Coward on September 28, 2005 11:44 PM
You referred a few times to corporate laptops being theoretically secure and well managed. Well, in my experience that's just not the case.

I know of one very large corporate where, to get round the hassle of IPSec VPN rollout, you can get the VPN client emailed to you. They reckon it's been installed on any number of home PCs. And thanks to the network extension style of access, you can get to everything in the organisation, whereas with SSL VPNs you only have access to specific resources.

What makes this worse is that many organisations believe that because they have a "controlled VPN", they don't need strong authentication. Therefore you get the "IPSec email", install the client, use the pre-shared key and the username/password in the email and you're into EVERYTHING.

At least with SSL VPNs, most people implement strong authentication - if you don't, you really should have your head examined. This does add extra cost and complexity, but there are ways and means to reduce this. Portwise have an integrated VPN and strong authentication solution which is pretty cool (I know because I helped implement this for my previous company).

I strongly agree with the point about the stupidity of asking the device if it is secure. With Portwise I remember there was an option to scan the device but send the information back into the corporate network for a decision on what level of access could be granted.

We also evaluated some SSL VPN appliances and I could not believe how difficult they were to set up. I always thought the big deal about SSL VPN was the simplicity, but you definitely need training before getting hold of one of those things.

Return to SSL VPNs and OpenVPN: A lot of lies and a shred of truth