I am looking into running private applications via the Internet. Obviously, I have been working with IPSec / VPN techniques. I am intrigued by SSL, however, as some of the applications are web based. The idea of having SSL built right into a browser sounds very convenient, and there seems to be sufficient robustness and modularity built into the SSL standard. What confuses me a bit is how the client can be restricted and authenticated. It seems as though SSL is biased more toward server authentication. I am equally concerned about allowing access to a select few clients. What options do I have to limit the web application to a select list?
Thank you for your post to the Networking Professionals Connection message board. The issue of authentication you present may be of interest to many of our community members. If any of our members have an idea or solution for ETMS, please feel free to post it here as a reply to the original message.
IPSec clients work on the IP layer. The authentication occurs via IKE. It can best be done using digital certificates. When the client is started it gets authenticated on the VPN gateway to which it is connecting.
We have had a similar discussion at our company. We have client-server applications we need to host for customers. Since security has just become an important issue, most of the apps have no inherent security. Our plan is to provide IPSec VPNs while the developers get the same functionality (SSL et al.) into the apps themselves. Once that's done, we can drop the IP-layer VPN and let the apps handle this themselves.
The downside of IPSec is that you need to get network admins to agree to do IPSec with you (difficult if you don't have any influence with the other company, or they don't have the hardware or skill to do it); it usually involves some network reconfigs that can be painful or politically difficult (been there...). There can also be some incompatibilities that IPSec adds (MTU etc.) that might need to be worked around.
As for restricting clients, you can do IOS ACLs if all the clients are from known addresses (almost never a reality) or require strong authentication (token-based or other one-time method), which is what we're doing.
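The original question (whether SSL can authenticate and restrict clients, not just the server) is answered in practice by TLS client certificates combined with a server-side allow-list: the server demands a certificate issued by a CA it trusts, and then admits only the identities it has been told about. The Go program below is an added illustration, not code posted by anyone in this thread or published by Cisco. It generates throwaway certificates in memory, runs a TLS server on loopback that requires a client certificate from its own CA and then admits only allow-listed CommonNames, and exercises an allowed client, an unlisted client and an anonymous client. All names in it ("Example Corp CA", "app.example.internal", "alice", "mallory") are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// certPair is an in-memory certificate plus its private key (throwaway test material).
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}
// newCert issues a certificate for cn signed by parent, or self-signed when parent is nil.
func newCert(cn string, isCA bool, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for throwaway certs
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: valid as the loopback server cert and as a client cert
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certPair{cert: cert, key: key}, err
}
// mutualTLS runs one handshake over loopback; client may be nil (no certificate). It returns the server's verdict: nil means admitted.
func mutualTLS(ca, server, client *certPair, allowed map[string]bool) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the client's chain must validate against ClientCAs
		ClientCAs:    pool,
		// VerifyConnection runs only after chain validation passed, so PeerCertificates[0] always exists here.
		VerifyConnection: func(cs tls.ConnectionState) error {
			if cn := cs.PeerCertificates[0].Subject.CommonName; !allowed[cn] {
				return fmt.Errorf("client %q is not on the allow-list", cn)
			}
			return nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	cliCfg := &tls.Config{RootCAs: pool}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}}
	}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		conn.Close() // the policy decision is the server's, so the client's view is not needed
	}
	return <-verdict
}
func main() { // made-up names: alice is admitted, mallory and the anonymous client are rejected
	ca, _ := newCert("Example Corp CA", true, nil)
	srv, _ := newCert("app.example.internal", false, ca)
	alice, _ := newCert("alice", false, ca)
	mallory, _ := newCert("mallory", false, ca)
	for _, c := range []*certPair{alice, mallory, nil} {
		fmt.Println(mutualTLS(ca, srv, c, map[string]bool{"alice": true}))
	}
}
```

Two points worth keeping in mind when applying this to a real web application: the allow-list check runs only after chain validation has succeeded, so a certificate from any issuer other than the server's configured CA never reaches it; and nothing here handles revocation, so a client whose key is lost stays able to connect until its certificate expires unless its allow-list entry is removed or the server is also given a CRL to check.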