SSL VPN的安全漏洞及其解决方案

The Threats in SSL VPN and the Solutions

SSLVPN应用自问世以来便以其相对于传统的IPSECVPN技术的高易用性、良好的可扩展性、低管理和低部署成本等优势而逐渐受到各安全生产商和应用企业的青睐。但是,作为一种新的安全技术,SSLVPN自身又会带来诸多安全性的问题。本文旨在对浏览器/服务器模式的SSLVPN体系结构的安全问题进行分析,分别指出了浏览器端和服务器端存在的隐私数据遗留、非安全退出、应用层漏洞和身份认证等安全威胁,并针对这些问题给出了相应的解决方案。

SSL VPN Applications present an exciting new development trend m remote-access technology. As they require no client-side software other than a Web browser, SSL VPN offers great convenience, and promises to provide a much lower Total Cost of Ownership than the traditional IPSEC VPN. Yet, at the same time, this novel technology presents new challenges in the realm of security. This paper explores the security issues in the SSL VPN client/server model, explains the threats inherent both on the client side and on the server side, such as “sensitive data remaining on insecure access devices”, “insecure logout”, “application-level vulnerabilities”, “authentication”, and so on. Finally, we discuss the technologies to address them.