WSAM vs. VPN Tunneling - Security Considerations

New Contributor

Within our current environment, we provide our employees with remote access to certain resources on our internal network via WSAM. However, we have recently begun to consider instead allowing them to connect using VPN Tunneling. Obviously, this will make them a full node on the network as opposed to giving them access to only select systems. That aside, assuming that in either case the user will be (1) connecting in using a corporate-managed laptop and (2) using two-factor authentication, are there any specific security considerations that we should be taking into consideration? Particularly, are there any differences in the authentication, handshake, etc. between the two that would make one more or less secure when connecting over public, non-encrypted WiFi?

Thanks for the help.

Model: MAG-4610
Current version: 8.1R7 (build 41041)
5 REPLIES
ruc
Pulser

Re: WSAM vs. VPN Tunneling - Security Considerations

My personal opinion is that this move will be beneficial as WSAM is a much older client compared to Pulse L3 VPN which is supported on multiple OS and mobile platforms and is a main focus area for Pulse.

From a security standpoint, one important aspect is to only allow the destinations that you allowed via WSAM both within the Split Tunnel policies and also within the ACLs for the L3 VPN.

Also, if you are using the Pulse L3 VPN client-based functionality, I find significant advantage in avoiding browsers and directly launching the Pulse client, as this removes any possible issues that impact browsers in general.
New Contributor

Re: WSAM vs. VPN Tunneling - Security Considerations

Thanks, that's helpful. Appreciate it.
Moderator

Re: WSAM vs. VPN Tunneling - Security Considerations

For your security question, the handshake and security are the same and both are still over SSL. The ACLs will need to be adjusted to control access over an L3 session to match your L4 access (you do not need to grant full network access if not desirable).

The ability to log in directly from the Pulse client, as mentioned by ruc, can be applied to WSAM over Pulse if you want to take advantage of potentially reduced browser dependency while maintaining the WSAM-style silo.
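
The check both replies above describe, keeping the L3 ACLs and split-tunnel policies no broader than the existing WSAM destinations, as an added example that is not part of the thread or of any Pulse tooling. The tuple layouts, function names and all addresses are constructed for illustration and are not the appliance's export format.

```python
import ipaddress

# Constructed sample data (assumed layout, not an appliance export).
WSAM_DESTINATIONS = [  # (host or network, port) that WSAM permits today
    ("10.20.1.15", 443),
    ("10.20.1.16", 3389),
    ("10.20.5.0/28", 22),
]
L3_ACL_ALLOW = [  # (network, first port, last port) proposed for the L3 VPN
    ("10.20.1.15/32", 443, 443),
    ("10.20.1.0/24", 3389, 3389),   # whole subnet instead of one RDP host
    ("10.20.5.0/28", 22, 22),
    ("10.20.0.0/16", 1, 65535),     # full network access
]
SPLIT_TUNNEL_NETWORKS = ["10.20.1.0/24", "10.20.5.0/28", "10.30.0.0/16"]


def _wsam_by_port(wsam):
    """Map each port to the networks WSAM permits on that port."""
    index = {}
    for host, port in wsam:
        index.setdefault(port, []).append(ipaddress.ip_network(host, strict=False))
    return index


def excess_acl_entries(wsam, acl):
    """Return ACL allow entries that reach an address or port WSAM did not.

    Conservative: an entry passes only if, for every port in its range,
    a single WSAM network contains the whole ACL network.
    """
    index = _wsam_by_port(wsam)
    excess = []
    for net, lo, hi in acl:
        acl_net = ipaddress.ip_network(net, strict=False)
        covered = all(
            any(acl_net.subnet_of(w) for w in index.get(port, []))
            for port in range(lo, hi + 1)
        )
        if not covered:
            excess.append((net, lo, hi))
    return excess


def unused_split_tunnel(wsam, networks):
    """Return split-tunnel networks that contain no WSAM destination."""
    dests = [ipaddress.ip_network(h, strict=False) for h, _ in wsam]
    return [n for n in networks
            if not any(d.overlaps(ipaddress.ip_network(n)) for d in dests)]
```

Any entry either function returns is access the L3 session would grant that the WSAM configuration never did, and should be narrowed or justified before the migration.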
New Contributor

Re: WSAM vs. VPN Tunneling - Security Considerations

Great, good to know. Thanks.
Moderator

Re: WSAM vs. VPN Tunneling - Security Considerations

You are welcome