Virtual private networking software from Cisco Systems, Juniper, and other manufacturers can make users susceptible to a variety of web-based attacks, the US Computer Emergency Readiness Team warned on Monday. So-called clientless SSL VPN products, which provide browser-based access to intranets, email and other internal …
thanks Reg - you just really made my night and week :-(
and this comes hot on the heels of P2P users saying they are going to switch to VPNs due to all the Anti-Piracy activity.
I smell something fishy.
As the advisory notes, this issue is mitigated by restricting access to trusted domains/networks. Users don't need to use the VPN to access the Internet - they only need it to access specific internal trusted domains/networks.
That using a VPN to use the interwebs is a sound piece of advice if using an untrusted connection - i.e. WLANs at airports, etc etc.
well, kind of...
... of course if you have your users VPN'd into the intranet and at the same time surfing or otherwise in contact with the rest of the net for non-trusted domain usage, they can act as an inadvertent bridge between your network and the whole internet. That's why some proper full VPN clients (e.g. Cisco) are configured to seize all network interfaces and redirect all traffic when the VPN is connected.
I think what JohnG meant is that if you are using an SSLVPN to access your company network, the SSLVPN box should not be proxying your connections to internet (non-internal, trusted hosts).
it's not a fucking tenant
Who is driving your spellchecker now? Spellcheck would have offered both tenet and tenant as alternate spellings for whatever was fat-fingered in, so someone obviously doesn't know much about, hm, words.
The author should be off the hook; if the author used the word tenet, one hopes...
okay. scratch that.
Where did using tenant come from there? And can that person's left pinky fingernail be torn out as a way to raise staff morale and inspire them to stop making everyone look like droolers?
And can the resulting Staff Morale and Inspiration Lifting Exercise (SMILE) be posted to YouTube?
Actually that's not strictly true. If you have an organisational subscription to a website (magazine, research or even business service such as finance) then you'll need to appear as coming from that organisation to get your access. There are also other circumstances where you need access to a WAN beyond your perimeter and the only way to do so is to proxy via your SSL VPN.
Hmmm. Pubs are open. Can I just give Tuesday up as a bad job already?
for what it's worth.
I've never trusted clientless VPN. So this story makes me happy.