08-14-2019 10:30 PM
I was told that clients accessing vpn over browser page(webvpn- putting https://vpnaddress) is not advised for security reasons.
Instead a client is always preferred.
I am curious to know more about this from this forum on which method is more preferred & if there are any good reasons to go one way.
Appreciate all inputs. Thanks in advance.
Solved! Go to Solution.
08-15-2019 05:27 AM
I think it is more on an interoperability issue than a security one. When you use clientless webvpn, the ASA has to re-write the content it receives from the backend web pages to present it to the end user. This may not work all the time as there are restrictions to what content the ASA can re-write. Think of this almost as a proxy.
AnyConnect (or client VPN) avoids this by creating a tunnel so that the end user traffic is just routed to the internal network by the ASA. There is no re-write by the ASA, so you access the content as is.
If you ask me, security-wise, clientless can be thought of as more secure than client because it restricts what type of content you can receive while remote to the network. The content received is only web-based and it can be restricted to what networks/resources the administrator publishes on the portal. With client based vpn, you are not restricting what applications the end client can use over the tunnels - only network and ports.
Hope this helps.
08-15-2019 12:11 AM
From notes :
They both use different protocols SSH and IPSEC, and there are both secure in terms of security.
Q1. Whats the difference between SSL VPN Client & WEBVPN
Ans. The difference between the webvpn and SSL VPN Client is the WebVPN uses SSL/TLS and port
forwarding via a java app for application support, it also only supports unicast TCP
traffic, no ip address is assigned to the client, and all the web-browsing down the tunnel is done with an SSL web-mangle that allows us to stuff things into the SSL session. The SSL VPN Client is a full tunneling client using SSL/TCP that installs an app on the machine and envelopes the vpn traffic into the ssl session and also has an ip address assigned so the tunnel is two way, not uni-directional. It allows for application support over the tunnel without having to set up a port forward for each application.
Q2. Is it true that with SSL VPN Client we will have more features than WEBVPN ?
Ans. It is a fact that the SSL VPN Client provides more support than the WebVPN does, but in regards to features WebVPN has more features because every little bit of it has to be configured. The SSL VPN Client provides wider support with less to configure and is much more functional.
Q3. Which soultion would be right for us WEBVPN or SSL VPN ?
Ans. This last question I really cannot answer as it's not TAC's position to tell you what
you do and do not need. My opinion is that the SSL VPN is by far a better solution as
it runs over SSL over TCP, had small impact to all traffic to determine if traffic is destined for STC client and faster than mangled WebVPN, but in the end it's really up to you to decide which features you do and do not need.
08-15-2019 02:22 AM
08-15-2019 05:27 AM
I think it is more on an interoperability issue than a security one. When you use clientless webvpn, the ASA has to re-write the content it receives from the backend web pages to present it to the end user. This may not work all the time as there are restrictions to what content the ASA can re-write. Think of this almost as a proxy.
AnyConnect (or client VPN) avoids this by creating a tunnel so that the end user traffic is just routed to the internal network by the ASA. There is no re-write by the ASA, so you access the content as is.
If you ask me, security-wise, clientless can be thought of as more secure than client because it restricts what type of content you can receive while remote to the network. The content received is only web-based and it can be restricted to what networks/resources the administrator publishes on the portal. With client based vpn, you are not restricting what applications the end client can use over the tunnels - only network and ports.
Hope this helps.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: