chuckcounty
IS-IT--Management
We are looking into purchasing a SSL VPN appliance and I am trying to determine if a virus can be transmitted thru a session. Does any one have any ideas?
thanks
thanks
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Can a virus spread thru a SSL VPN
- Thread starter chuckcounty
- Start date
- Status
I'm afraid Spirt is right. The VPN connection is nothing more than an extension of your LAN. A firewall wouldn't likely catch the virus unless it was betweem your VPN server and your LAN becuase VPN traffic packets are encapsulated and encrypted.
This is a really good question.
I'm surprised that this is not a major problem for companies that have setup VPN access especially for home users, who are not exactly the greatest at patching and keeping antivirus software up to date.
How do companies stop viruses spreading via VPN's?
Thanks,
- Thread starter
- #5
chuckcounty
IS-IT--Management
Thanks for your thoughts. We already have an IPsec VPN installed, however there seems to be alot of administration
with the client software and firewalls needed. We thought about a SSL VPN for our business partners who may need to access to 1 or 2 applications inside our network and we cannot control their PC's. SSL initially sounded perfect, but it seems like this could be a problem also.
chuck
with the client software and firewalls needed. We thought about a SSL VPN for our business partners who may need to access to 1 or 2 applications inside our network and we cannot control their PC's. SSL initially sounded perfect, but it seems like this could be a problem also.
chuck
I have read about an SSL VPN which effectively provides a layer-3 connection, like IPsec. This would have all of the same issues as IPsec.
Most SSL "VPN" implementations are browser-based. This method limits data transfer between the remote computer and the network, and is probably what you're thinking of.
Most SSL "VPN" implementations are browser-based. This method limits data transfer between the remote computer and the network, and is probably what you're thinking of.
The best answer is "It Depends". Really - it depends upon the vendor.
Traditionally IPSec VPN's have the same inherent risk as L2TP and PPTP did in regards to the spread of viruses. Typically if a remote machine becomes infected, it could easily broadcast and propagate itself to any corporate hosts due to the layer 3 nature of an IPSec tunnel (or Layer 2 for L2TP/PPTP).
I state traditionally because there are a new wave of IPSec tunnel terminators that are content aware. That is, they have the ability to not only terminate tunnel traffic but also inspect some popular protocols such as HTTP, SMTP, POP, IMAP and FTP. Still not perfect because uncommon ports can still be broadcast and MAPI is not being scanned.
SSL VPN’s on the other hand offer another layer of defense. As stated above in the thread, some remedial vendors only offer secure access to internal web servers (greatly reducing your networks exposure to Trojans and viruses). Furthermore, some vendors who have a true SSL tunneling technology actually operate at layer 5 instead – proxying all connections (remember the ole’ stateful vs. proxy firewall battles).
In this case, since all connections are proxied – an infected remote machine can only send attacks to pre-defined destinations that are allowed to be proxied; they are not able to broadcast them to your entire corporate network. Typically the destinations you are proxing are either well known mail, web or application servers and should be hardened in your DMZ. Further security could be implemented by deploying a gateway AV behind your SSL appliance and/or having strict AV software enforcement on your core servers that will be accessed via the SSL VPN.
Traditionally IPSec VPN's have the same inherent risk as L2TP and PPTP did in regards to the spread of viruses. Typically if a remote machine becomes infected, it could easily broadcast and propagate itself to any corporate hosts due to the layer 3 nature of an IPSec tunnel (or Layer 2 for L2TP/PPTP).
I state traditionally because there are a new wave of IPSec tunnel terminators that are content aware. That is, they have the ability to not only terminate tunnel traffic but also inspect some popular protocols such as HTTP, SMTP, POP, IMAP and FTP. Still not perfect because uncommon ports can still be broadcast and MAPI is not being scanned.
SSL VPN’s on the other hand offer another layer of defense. As stated above in the thread, some remedial vendors only offer secure access to internal web servers (greatly reducing your networks exposure to Trojans and viruses). Furthermore, some vendors who have a true SSL tunneling technology actually operate at layer 5 instead – proxying all connections (remember the ole’ stateful vs. proxy firewall battles).
In this case, since all connections are proxied – an infected remote machine can only send attacks to pre-defined destinations that are allowed to be proxied; they are not able to broadcast them to your entire corporate network. Typically the destinations you are proxing are either well known mail, web or application servers and should be hardened in your DMZ. Further security could be implemented by deploying a gateway AV behind your SSL appliance and/or having strict AV software enforcement on your core servers that will be accessed via the SSL VPN.
- Status
Similar threads
- Locked
- Question