SSL VPN - AnyConnect or clientless

Unanswered Question
Nov 29th, 2009

Hi,

I have heard that SSL VPN using the clientless feature is not as secure as using the AnyConnect client.

Is this true? If so, what is the concern and cause for this?

Thank You!

dbgreekas Thu, 12/03/2009 - 00:24

The Clientless mode is extremely limited. You can only use it for http/https and a few TCP-only services using the Smart Tunnel feature. If you want to use applications that pass UDP packets you need the AnyConnect client.

Richard Burts Thu, 12/03/2009 - 05:27

The original post asked if the clientless SSL VPN was less secure than the AnyConnect. To the extent that both are based on SSL processing and encryption of data I would believe that both are equally secure from a protocol standpoint.

I am doing a project for a customer in which we use AnyConnect and various users are assigned to different groups/profiles based on their network access requirements. The profiles assign unique ranges of IP addresses to the users. And we will use access control to limit network access based on which pool address (source address of the packet) is used. So perhaps we can say that there are some potential security controls available in AnyConnect that are not available for clientless SSL VPN.

HTH

Rick
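An added example, not part of the post above and not the customer's configuration: a Python audit of the per-group pool design Rick describes, where access control keys on the source address. The group names, address ranges and permit rules are constructed, and the check flags the failure mode where overlapping pools let one group's users match another group's rule.

```python
import ipaddress

# Constructed sample data: group names, address ranges and rules are hypothetical.
POOLS = {  # VPN group -> (first, last) address handed out to its users
    "engineering": ("10.10.1.1", "10.10.1.254"),
    "contractors": ("10.10.2.1", "10.10.2.126"),
    "helpdesk": ("10.10.2.100", "10.10.2.200"),  # deliberately overlaps contractors
}
ACL = [  # permit rules: (source network, destination network, TCP port); all else denied
    ("10.10.1.0/24", "10.20.0.0/24", 22),
    ("10.10.2.0/25", "10.20.5.10/32", 443),
]

def _bounds(pool):
    """Parse a (first, last) pool and reject a reversed range."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    if first > last:
        raise ValueError(f"pool start {first} is after pool end {last}")
    return first, last

def overlapping_pools(pools):
    """Pairs of groups whose pools share an address, so source IP no longer identifies the group."""
    names = sorted(pools)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = _bounds(pools[a]), _bounds(pools[b])
            if a_lo <= b_hi and b_lo <= a_hi:
                pairs.append((a, b))
    return pairs

def rules_matching_pool(pool, acl):
    """Indexes of ACL rules whose source network covers any address in the pool."""
    lo, hi = _bounds(pool)
    hits = []
    for idx, (src, _dst, _port) in enumerate(acl):
        net = ipaddress.ip_network(src)
        if net.network_address <= hi and lo <= net.broadcast_address:
            hits.append(idx)
    return hits

def permitted(src_ip, dst_ip, port, acl):
    """True if any permit rule matches the packet; implicit deny otherwise."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d) and port == p
               for s, d, p in acl)
```

With this sample data, the helpdesk pool matches the rule written for the contractors' range, so a helpdesk user assigned 10.10.2.110 is permitted to 10.20.5.10 on port 443.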

dbgreekas Thu, 12/03/2009 - 08:45

There is a security issue with the Clientless modes IF you allow the clientless portal to connect to external untrusted sites.

http://www.kb.cert.org/vuls/id/261869

You can avoid this issue with good web ACLs and/or additional firewall rules that keep the gateway from connecting to external pages.

Whereas with the AnyConnect, you are likely going to avoid split tunnel and want to process all traffic from the remote clients so that it goes through your enterprise firewall rules.
