In this article, Top VPN security breaches of 2011, you discussed that SSL VPNs have inherent security holes because...
they use unreliable clients (Web browsers) and have had their certificate authorities (CAs) spoofed. What do you see happening to Web VPNs in order to address these security issues? Will another type of Web VPN emerge that’s more secure?
I am a true believer in gradual improvements of mature technologies over rip-and-replace strategies. SSL, when it was designed many years back, was a great effort, but not everything can be foreseen or assessed during initial technology development. With that in mind, it is remarkable how long SSL has served in its original form.
Similar to IPsec, SSL has a good foundation with flaws and weaknesses. A few vendors that focus on VPN technology have recognized the major benefits of IPsec and addressed its weaknesses in their product offerings. Likewise, there are ways to fix the key weaknesses in SSL. For example, a registration process within the Domain Name System Security Extensions (DNSSEC) could potentially address the weak link in the chain of the certificate authority model. Conceptually, DNSSEC is a good ide a, even though it suffers from this chain of trust model to some degree.
My core philosophy is best of breed, so why not use the best of both worlds -- hybrid IPsec and SSL? I’ve never believed in the promised land of SSL VPN as a rip-and-replace approach for existing, well-developed IPsec VPNs. Until a new disruptive technology is available, the best approach is to complement and improve existing solutions.
Email your VPN-related questions to email@example.com.
Related Q&A from Rainer Enders
Administrators don't have to worry about interoperability; integrated mobile application and device management is the best approach.continue reading
Ensuring that the client software itself is up to date is just one of many reasons why it's critical to oversee VPN clients.continue reading
To ensure mobile device security, VPN expert Rainer Enders explains that it is crucial to monitor changed states and block software modifications.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.