Saturday, August 26, 2006

CISCO - WebVPN Security concerns

In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and the target web server. When the WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server's SSL certificate. The end user's browser never receives the presented certificate, and therefore cannot examine and validate the certificate itself.

The current implementation of WebVPN on the security appliance does not permit communication with sites that present expired certificates.

To minimize the risks involved with SSL certificates:

- Configure a group policy that consists of all users who need WebVPN access, and enable the WebVPN feature only for that group policy.
- Limit Internet access for WebVPN users. One way to do this is to disable the URL entry.
- Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a WebVPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.
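The first two points above, as an added configuration example (not from the original post or from Cisco's documentation): a dedicated group policy named WEBVPN_USERS that is the only policy allowing the WebVPN tunnel protocol, with URL entry left disabled so users can only reach the bookmarks the administrator publishes. The policy, tunnel-group and user names are assumptions; the `functions` form of the URL-entry control is the ASA 7.x syntax, and later 8.x releases replace it with `url-entry disable` under the same `webvpn` sub-mode.

```cisco
! Assumed names: WEBVPN_USERS (group policy), WEBVPN_TG (tunnel group), alice (user)
! Keep the default group policy free of WebVPN so that nobody inherits it by accident
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
!
! Dedicated policy: WebVPN is the only tunnel protocol permitted here
group-policy WEBVPN_USERS internal
group-policy WEBVPN_USERS attributes
 vpn-tunnel-protocol webvpn
 webvpn
  ! ASA 7.x: grant only the functions listed; url-entry is deliberately absent,
  ! so users cannot type arbitrary URLs into the portal (on 8.x: url-entry disable)
  functions file-access file-browsing
!
! Bind the policy to the WebVPN tunnel group and to each authorized user
tunnel-group WEBVPN_TG type webvpn
tunnel-group WEBVPN_TG general-attributes
 default-group-policy WEBVPN_USERS
!
username alice password <placeholder> encrypted
username alice attributes
 vpn-group-policy WEBVPN_USERS
!
! Finally enable the portal on the outside interface
webvpn
 enable outside
```

With URL entry off, the portal exposes only the bookmarks assigned to the group, so every site reached through the proxy is one the administrator has reviewed; any external SSL site must then be visited in a separate browser window, where the user sees the server's certificate directly.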