I have tested SSLStrip against ASA 5520s and 40s running version 8.0(2) and 8.0(4) of the code releases, and while it worked against the authentication page, the AnyConnect client bugged out and crashed when I started actively sending traffic across the established tunnel.

I think speed, cost and management are what drive people away from the IPSec VPN. Not to mention that it is a bit more secure (it's not terribly hard to recover the group password in about 3 seconds from a Cisco VPN client profile file). The SSL VPN client is WAAYYYY faster than the IPSec client and much more stable, plus you don't have to wrap its ugly drivers around your NIC. However, the biggest concern I would have, depending on how many SSL clients you are moving towards, is that I have seen the ASAs start to really bog down with a large number of SSL VPN clients unless they have the crypto accelerator modules installed in them. Management is a lot easier too, with no software installation or configuration of the client profile.

Mick, there are also some other rumors around the AnyConnect client I can discuss off list.

________________________________
From: [email protected] on behalf of Michael Douglas
Sent: Sun 1/31/2010 1:49 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] SSL VPN attacks?

Do any of the SSL strip type attacks work against SSL VPNs? Specifically the Cisco variant? I have a side client who's all but ready to ditch IPSec and that's got me a bit concerned. I've tried noodling around on Google/Bing to see what I can find, and my search-fu is weak today. Any tips are welcomed.

Thanks & have a nice day!
- Mick

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
