[horde] Horde and WebVPN/SSLVPN Problem

Ben Klang ben at alkaloid.net
Tue Jul 4 12:34:17 PDT 2006


Hi Ulrich,

>> If you want security there are plenty of SSL VPN products that  
>> handle this in a much more graceful way.  Juniper has a product  
>> that creates an SSL VPN from a Web browser Java applet or ActiveX  
>> control.  I happen to know of that one personally but there are  
>> most definitely other competitors with similar products.  I  
>> imagine Cisco has one as well.  If you want to stay with the Open  
>> Source world then give a look to OpenVPN.  Since all of these SSL  
>> VPN tools create network tunnels there is no need for strange  
>> voodoo like rewriting links in web pages.  You also have the  
>> option of getting improved security by "locking out" all routes  
>> except those into/out of the VPN.
> Also Cisco provides such a solution with a Java-based SSLVPN-Client
> which has two disadvantages:
> 1. It only works on Windows
> 2. It needs Administrator privilege to work (no way in
> Internet cafes or business systems).
> I think other products have the same disadvantage.
At the risk of straying from the purpose of this list...

That is true.  However Cisco can provide, or you can find, solutions  
that work cross-platform.  For example, OpenVPN can run under Mac OSX,
Linux, and Windows.  You are correct that an administrator will need  
to initially install and configure it, but the user will be able to  
stop and start it at will.
>>> So my question again: Does anyone have a solution for my problem
>>> or do the developers know a workaround without a lot of patching?
>>>
>> Why not just implement HTTPS?  That seems to me to be the most  
>> direct route.   If your network architecture won't allow it I  
>> would recommend you consider a "real" VPN system like what I  
>> referenced above or any IPsec based product.
> Yes, but I don't want to have my apache directly exposed to the
> Internet. As my IOS router is already exposed and my confidence in
> Cisco is slightly higher than in my own skill to secure an apache.
I'm not trying to be too critical of your decisions here, but your  
requirements are starting to approach an intersection where there is  
no solution.  At some point you have to trust parts of your  
infrastructure, or never roll them out in the first place.  There are  
plenty of guides out there on how to secure Apache.  If you aren't  
confident in your ability to secure Horde you might consider Apache +  
SSL with HTTP BASIC authentication.  That way the authentication is  
done outside Horde or any other PHP application.  If you aren't  
comfortable leaving your webserver accessible to the public then  
consider a "real" VPN.  In my opinion, I don't put much trust at all  
in browser-based VPN products as the browser is a *terrible* platform  
for such things.

> As already said, I want a simple Mailfrontend and perhaps Horde is  
> too advanced for my needs.
There are plenty of mail frontends to choose from.  Yes Horde is a
very feature-rich system that tries to take advantage of many  
features of the modern browser (JS included).  There are certainly  
simpler products out there.  You might Google around a bit.

> Any further suggestions?
My suggestion is to pick from any of the following:
1) Design and implement a "real" VPN.
2) Learn how to secure Apache and accept the potential security risk
3) Find a simpler framework which doesn't rely on modern browser  
features

If you have any further questions please reply off-list as I believe  
we are quickly getting off-topic for the Horde users mailing list.

Regards,
/BAK/
--Ben Klang
Alkaloid Networks
bklang at alkaloid.net
404.475.4850
http://projects.alkaloid.net


