Netilla SSL VPN
Thread: Netilla SSL VPN

  1. #1
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152

    Question Netilla SSL VPN

    We've got a Netilla (I keep wanting to call it Nutella) appliance going online soon. It's been with the desktop/applications team for a while now and all the manuals/paperwork etc. have just been passed to me by my boss to look at from an infosec perspective.

    I've been trawling through a lot of the papers and at an initial glance it looks promising.
    It's going to be used to allow out-of-hours access to internal applications from an unsecured PC (i.e. the usual malware-riddled home PC) via the Netilla appliance.

    The appliance the users will connect to will be located in our DMZ and the appliance should act as an application-layer (reverse?) proxy. At the users' end everything will be carried out via the web browser, which should download a small Java applet, which in turn should establish the secure connection to the Netilla box and a secure terminal (thin client?) on the user's PC. At the end of the session the applet removes itself and any temp files and performs secure erasure of those files.

    Has anyone used this product or similar SSL VPN devices?
    Are there any particular pitfalls/problems with these products?
    Any security issues that could be raised with the introduction of this?

    I'll be speaking to the team involved over the next few days and I'm trying to quickly get myself as well informed as possible.

    TIA.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I've seen the product being demonstrated and I talked to one of the developers.
    Looks very interesting indeed.

    The way I understand it is something like this:

    Code:
    [user@home]----<SSL>---[Netilla]-----------------<RDP>------[Win2k box]
                                    \------------<SSH>-----[Unix box]
                                     \-----------<X>------[Unix box with X-Windows]
    The pitfalls I see are only user account related. Make sure you have some sort of strong authentication scheme behind it. All other things are the same as having an SSL site up and running.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    For authentication they're going with 2-factor authentication, with the usual username/password, which they will have to go through twice (with different details, I hope): once to start the session and again for each application they try to use across the VPN.

    They will also have a physical token. I don't know the actual details of the token yet. It might be a USB-style plug-in key or it may be a number-generating device.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Ehhm. 2-factor authentication always uses some sort of token. 2-factor means something you have (the token, smartcard, etc.) and something you know (PIN code, password, etc.).

    But AFAIK you use 2-factor authentication to get access to the Netilla box. After that you'll get some admin-preconfigured options like making an RDP connection to a Windows box or starting a telnet/ssh session to a un*x box. For the RDP/telnet/ssh connection you'll need to use your "normal" username/password to get into that particular system.
