SSL or SSL VPN

SSL or SSL VPN

am 03.05.2006 16:16:04 von BrianHesseling

I have a web site that will connect to our HR system for employees to
view benefit info, pay stubs, w2's etc from outside the office at home.
Which is a better way to secure access to this server, just use an ssl
certificate or should I use an ssl vpn? The web server can sit either
inside the network or in a DMZ. Either way I hope to use two factor
authentication such as RSA tokens to add a layer of protection.

Re: SSL or SSL VPN

am 03.05.2006 17:59:27 von Miha Pihler

It is really hard to give you a sound advice since we don't have enough
information here (e.g. all functionality requirements for the website), but
if this is more or less standard HR webpage then SSL should be more then
enough...

--
Mike
Microsoft MVP - Windows Security

wrote in message
news:1146663380.508549.243820@v46g2000cwv.googlegroups.com.. .
>I have a web site that will connect to our HR system for employees to
> view benefit info, pay stubs, w2's etc from outside the office at home.
> Which is a better way to secure access to this server, just use an ssl
> certificate or should I use an ssl vpn? The web server can sit either
> inside the network or in a DMZ. Either way I hope to use two factor
> authentication such as RSA tokens to add a layer of protection.
>

Re: SSL or SSL VPN

am 08.05.2006 23:51:58 von owen.nick

brianhesseling@gmail.com wrote:
> I have a web site that will connect to our HR system for employees to
> view benefit info, pay stubs, w2's etc from outside the office at home.
> Which is a better way to secure access to this server, just use an ssl
> certificate or should I use an ssl vpn? The web server can sit either
> inside the network or in a DMZ. Either way I hope to use two factor
> authentication such as RSA tokens to add a layer of protection.

It sounds like this is personal, non-public information. That may be
covered by HIPAA, GLB, or some other regulation, so I would be careful.
Perhaps a talk with corporate counsel would be smart.

You may get better security with an SSL-based VPN since some come with
tools that check the client for security such as the age of the virus
database, etc. You will also get increased cost, since you should be
able to roll your own certs. I would look at the functionality of the
SSL-VPNs and see if they would help you sleep better at night ;). They
should all talk Radius, which will allow you to integrate 2 factor
authentication.

HTH,

nick
--
Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
http://www.wikidsystems.com
https://sourceforge.net/projects/wikid-twofactor/