Steve Lamb's Blog

Security Matters

Microsoft intend to acquire Whale Communications - they're a "leading provider of SSL VPN" technologies

Our PressPass announcement provides more information about the stated intent to acquire Whale Communications.

Whale Communications are well known as a provider of SSL VPN and Application Security Technologies.

What's your view about the role of SSL VPN (from any vendor) in today's security oriented infrastructure?  Some of you know my view but I'm very interested to hear yours hence I'm not going to bias this by re-stating it.

Comments
  • Interesting timing, on the day the government announces they want to enforce part 3 of the RIP Act, which means everyone must turn over encryption keys to a governmental escrow service. Now considering how VPNs automatically generate, then discard keys, I guess you all should start looking at how to submit them automatically to some part of GCHQ :)

  • Hey Steve,

    I'm not sure of the value of SSL VPNs myself.

    Native L3/L4 TCP/IP is more than capable of being used to pass traffic over the Internet as it has been successfully doing for a number of years ;)

    For encryption, a mutually-authenticating IPSEC ESP based solution seems to offer more security than the rather cumbersome SSL VPN equivalent!

    The only time SSL VPNs seem to offer "benefit" is when roaming users can bypass other organisations' firewalls because of the relatively unrestricted access provided to the Internet, especially when using SSL...

    (Although DNS VPN would seem to be more universal - it even bypasses some of those pay services at hotels - give it a bash!)

    The Whale eGap solution is a ridiculous affair in many respects. It seems to major on having two machines connected via a lump of NVRAM on the back of a shared SCSI bus with only one machine being connected at the same time.

    Somehow, people then assume that this isolation means that the eGap solution isn't capable of passing "bad" traffic from the client, through the eGap solution and then to the web server. I've had a dig and I'm not that impressed by the basic web filtering that the box provides.

    I'll commend the marketing folks at Whale - the appeal of this solution is to the business decision makers that can comprehend the basic concept (which initially seems strong) but not the minutiae of the solution.

    I have a sneaky feeling that SSL VPNs are part of a conspiracy theory by communications providers to encourage people to make inefficient use of bandwidth to drive up their sales ;)

    Now to patent the DNS VPN concept...

    Paul Jackson

  • Barry> I'm not a legal expert so please correct me if you know to the contrary, but we don't need to escrow the keys for VPN as the data itself does not remain in encrypted form - it's only encrypted during transportation. If the target system (or source system) encrypts the data using something like EFS / PGP then RIPA comes into play.

    My understanding of RIPA is that an organisation / individual must provide the means to recover cipher text UPON REQUEST DURING AN INVESTIGATION - there's no requirement to escrow the keys. Has this changed recently under part 3 of the act?

    As far as I can see it's not possible to comply with RIPA whilst your users have unmanaged machines (i.e. they have admin rights and/or non-domain joined machines) as you can't be sure that they haven't encrypted data using keys that you can't recover - this could be the case by using 3rd party encryption tools or EFS without Domain membership.

    What do you think?

  • My understanding is the same; the s3 enforcement is basically the crypto equivalent of being forced to open a secure vault on production of a warrant.

    It also doesn't seem to state any requirement to provide "enabling" technology; merely an obligation on a keyholder to present the key if served with a notice; from s49:

    "(2) If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds-

         (a) that a key to the protected information is in the possession of any person,

    ...

    the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information."
