VPN Is Dead - here's your new killer app

HTTP over HTTP! (No joke!)

(e)Mail Insecurity — Tue, 01 Aug 2006 21:03:18 GMT

re: VPN Is Dead - here's your new killer app

spatie25 — Wed, 26 Jul 2006 22:48:40 GMT

I am quite concerned about the way things are moving with remote communication in all its aspects. It shows over the last few years that more and more vendors are adopting the approach to encapsulating all sorts of protocols in HTTP. Of course this is a very tempting solution, as HTTP in many cases is about the only protocol that is allowed to travel across a company’s firewall.

I remember a presentation on security, hosted by MS employees, were it was stated bluntly : don’t use VPN, it is a hole in your firewall, which is quite fair to me.

Now, I wonder what the advice would be from the MS security experts on protocols that are ported over HTTP. I try to understand what the risks could be, or why I should be rest assured that this is under control. The way I understand it is that there is no defence against malicious code, encapsulated in an HTTP protocol other than a very performant firewall with state of the art statefull inspection and even then, I am told, it still is risky business. On the why’s, I get various explanations that do not always comply with one another.

Now, I understand that this IPsec solution, offered by ISA2006, is pretty nice in terms of setting up a secure P2P connection without the hassle of a VPN client. But this is not the discussion. What to think about an employee, trying to access the OWA servers from a public computer : no VPN, no IPsec, just a certificate and a password. Once compromised, you can only but imagine what could go wrong. And in this case we are ‘talking’ HTTP, plain simple (for the firewall that is).
What if that employee tries to do RDP over HTTP or whatever other traffic that could be routed over HTTP. I am making to much fuzz out of nothing, or should we be careful in how we ‘adopt’ these new features?

Interesting Finds: July 8, 2006

Jason Haley — Sat, 08 Jul 2006 18:32:19 GMT

re: VPN Is Dead - here's your new killer app

Hugo Batista — Sat, 08 Jul 2006 14:28:05 GMT

Hi Keith,

I agree with you that time is money and productivity can be increased using a solution like this. I would use it for some internal apps i would like to expose, but definitely not to some LoB apps which could expose my internal secrets.

IPSEC took its time to be trusted by the community, and even if there is easier ways to get connected, those ways will have to proof its credibility before being considered a replacement for it. That's why i don't think this would be a killer app for VPN..

Although, this is a very interesting improvement and solution to expose some non-critical apps, like expense reporting, project reporting, knowledge bases, etc...

VPN Is Dead - here's your new killer app (Artigo muito interessante)

Chaves — Sat, 08 Jul 2006 11:38:01 GMT