Your Secure Sockets Layer (SSL) VPN still may not be as secure as you think, especially if your users don't always access the network via corporate-issue laptops. Once they jump on an outside machine to browse the Web or check their email, SSL VPN users can leave behind sensitive data or be vulnerable to man-in-the-middle attacks and keystroke loggers, experts say. An infected kiosk can infect your network, too. So even though they may be more convenient than their IPSec counterparts (SSL can be used by browsers anywhere without client software), these VPNs can also backfire if you're not careful in how you deploy them.

SSL VPNs are popular among enterprises that don't have the IT resources to support the administratively heavy IPSec VPNs, which require client software. Unlike IPSec, which uses digital certificates on both the server and client side, SSL VPNs mostly use certs only on the server side. "With SSL mostly being done in this one-way mode, it opens you up to a man-in-the-middle" attack, says John Pescatore, a vice president with Gartner. SSL VPN products have come a long way in the past year. Many come with features to prevent downloading files or ActiveX or Java applets, for instance, Pescatore observes.

The link for this article located at Dark Reading is no longer available.