[Info-vax] SSL VPNs

jbriggs444 jbriggs444 at gmail.com
Tue Nov 2 08:29:16 EDT 2010


On Oct 28, 5:39 pm, "Richard Maher" <maher... at hotspamnotmail.com>
wrote:
> Hi John,
>
> "jbriggs444" <jbriggs... at gmail.com> wrote in message
>
> news:250fe72a-6c01-4ea8-af6b-d785d4af1d44 at v16g2000yqn.googlegroups.com...
> On Oct 27, 6:19 pm, "Richard Maher" <maher... at hotspamnotmail.com>
> wrote:
> > Hi,
>
> > Is anyone out there using SSL VPNs to secure remote client access to your
> > VMS servers?
>
> > If so are you using a Juniper network appliance (not cheap!), an HP
> > offering, or something else?
>
> ]]]]]]]]]]]
> Juniper here.  Along with secured web access for the web based stuff
> like timekeeping and OWA, we offer our users "full tunnel", remote
> desktop and ssh.
>
> My preferred usage pattern is remote desktop to access my at-work
> Windows workstation and SSH from there to the target server.
> [[[[[[[[[[[[
>
> So even though the Juniper appliance is behind the firewall you'd prefer to
> remote desktop to your Windows workstation and then SSH to the VMS box
> rather than just Telnet from the originating client?

In my case, I'm the network guy.  I need sessions to a lot
of devices, not just one.  Go to a router, go to a switch,
go to a network accelerator, go to an out-of-band terminal
server.  My task bar fills up fast.

I can create a session a LOT more quickly by sitting at a
DOS command prompt and doing "putty <devicename>"
than by bringing my Juniper window to the foreground,
finding the appropriate terminal services icon and clicking
on it.

> I asked a guy at one site if Juniper supported IPsec from the network
> appliance to the host but he was a bit dismissive and said something like
> "you can run a cable from the Network Appliance direct to the host if you're
> really worried". By the looks of things your site is still not happy about
> in the clear transmissions behind the firewall.

We are not happy about plaintext passwords flitting hither and yon
on the internal network.  We use SSH wherever possible.  But we
don't do wholesale end to end encryption.

I don't have a clear picture of how that would even work -- do you
put a standalone crypto box on every JetDirect card?  Do you
conceptually have two network layers -- the real network with
physical connectivity that only carries ciphertext and the
virtual network with fully-meshed point to point connectivity
via IPsec, both using the same address space?

> I believe CISCO supports IPsec from their appliance to the hosts and
> SSL/VPN from remote clients; would anyone see this as a desirable
> configuration?

IPsec support on Cisco gear is pretty much a given.  Even the
routers support it.  However, as above, IPsec for the last
few yards is overkill for us.

> Apparently Gartner are big on Juniper and I love the thin(ish) Java client
> (too bad for Mac clients now that Ayatollah Jobs has pronounced more fatwas)
> and transparent configuration for split-tunneling et al. But what is their
> global solution for securing the last few yards?
