Internal Training
SSL VPN – An introduction
© 2005,2006 NeoAccel Inc.
Agenda
• Need of Remote Access?
• What is VPN?
• VPN Types
• IPSec VPN
• SSL VPN
• SSL VPN working
• IPSec VPN vs SSL VPN
Remote Access?
• Access secure application servers to update customer information or submit a daily report
• Access the corporate e-mail server
• Access mission-critical application servers when at a customer site
• Access the corporate intranet to get the latest information or check the status of your leave application
Remote Access Forecasts
• As per a recent study by Gartner Group, in year 2005-06:
  – 60% of the F5000 employees use personal wireless devices to access email
  – 30% telework on a part-time basis from home
  – 10% wish they could use their own PCs at work
• Gartner forecasts that by year 2009:
  – 60% of the F5000 employees will be accessing business applications on personal wireless devices
  – 30% will telework formally on a full-time basis from home
  – 10% will bring their own PCs to work by company policy
Example of Users
• Consultants
• Field Engineers and Sales Team
• Remote Office Employees
• Off-office-hours workers
• Roaming Executives
Access Scenario
[Diagram: telecommuters, sales & service staff, mobile employees and partners A and B (via an extranet) reach the corporate e-mail, directory store, intranet/web server, Unix/NFS and MRP/ERP servers over the Internet; a hacker sits on the same public network.]
Why VPN?
• What is VPN?
  – When Alice talks to Bob, the conversation needs:
    • Confidentiality
    • Integrity
    • Authentication
VPN Technologies?
• PPTP
• L2TP
• IPSec
• SSL
IPSec VPN – IP Security
• Secures Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in the data stream
• Two modes
  – Transport: only the payload of the IP packet is encrypted; generally used for host-to-host communications over a LAN or routable WAN
  – Tunnel: the entire IP packet is encrypted and encapsulated in a new IP packet for routing. It is used for network-to-network communications (secure tunnels between routers) or host-to-network and host-to-host communications over the Internet.
IPSec Access Scenario
[Diagram: home users and sales & service staff run IPSec client software to reach the corporate e-mail, directory store, intranet/web server, Unix/NFS and MRP/ERP servers; a branch office LAN is connected site-to-site.]
IPSec Features
• Site-to-Site Access
• Complete network access
• Transparent to Applications
• Least effect on performance
• Good security
IPSec – Why not?
• Not designed for remote access
• Traversal problem over NAT devices
• Firewall configuration required
• All corporate services are exposed on the firewall
• No centralized access control
• Per-user administration and configuration
• Interoperability among vendors
• Time-consuming deployment
SSL VPN – Secure Socket Layer VPN
• Uses the SSL protocol for confidentiality, authentication and integrity, and then proxies to provide authorized and secure access to private network resources such as web, client/server, file sharing etc.
• Two modes
  – Clientless: proxies web-based applications and uses the inbuilt SSL support in browsers to establish the VPN and deliver web traffic.
  – Network Extension: proxies client-server applications; requires a proprietary client application to establish the VPN and facilitate client-server application communication.
How SSL VPN Works: Clientless mode
[Diagram: telecommuters, sales & service staff, mobile employees and partners A and B (extranet) open an SSL tunnel to the gateway in the DMZ; the gateway opens standard internal sessions on the corporate LAN to the web server, application server, database server, e-mail, directory store, intranet/web server, Unix/NFS, MRP/ERP and server farms. Legend: encrypted external session vs. standard internal session.]
SSL VPN - Features
• Designed for Remote Access
• Centralized Access Control
• Zero user side management
• One minute deployment
• Endpoint Security
• Clientless - Access Anywhere
• Network Extension
  – Access Anything
  – IPSec replacement capabilities
End to End Secure Access
[Diagram: the remote endpoint, the SSL VPN appliance and the server farms (e-mail, MRP/ERP, Unix/NFS, directory store, intranet/web server), with the four protection layers listed below.]
Endpoint Security Compliance
• Strong Authentication
  – Eliminate PW spoofing
  – Ensure non-repudiation
• Host Checker
  – 3rd party software compliance
  – Registry, processes, files, custom DLLs
  – Application authenticity check
  – Recurring host check
• Cache Cleaner
  – Eliminate session data
  – Delete temp files
Data Transit Security
• In-Transit Data Protection
• Data Trap
• Non-cacheable HTML rendering
• Cookies
• Host Name Encoding
Network Security Services – Hardened Appliance
• Centralized Security Gateway
• Network Security
  – DDOS Protection
  – URL Attack Protection
  – Network Firewall
  – SSL Transport
Dynamic Access Privilege Mgmt – Directory Integration
• Dynamic Authentication Policy
  – Certificate, Source IP, Host Checker, Cache Cleaner, User Agent, Interface, etc.
• Granular Authorization Rules
  – Group based
  – URL, Host, Port
  – Client/Destination
  – End Point/Connection Check
SSL VPN Components
• SSL VPN Gateway
  – Authentication module
    • Local database, RADIUS/AD/LDAP client
  – Authorization module
    • ACLs
  – Auditing
• SSL VPN Access Terminals
  – SSL VPN Portal: Clientless access
  – SSL VPN Client software: Network Extension
• SSL VPN Management Console
Clientless SSL VPN – Web proxy
• User
  – Launches browser
  – Supply URL for SSL VPN gateway (https://nea.neoaccel.com)
  – Authenticate gateway – Digital Certificate
  – Supply user credentials (User name/Password, Digital Certificate etc.)
  – Issue page requests over SSL
  – Receive response over SSL
• SSL VPN Gateway
  – Verify user's credentials via Auth server
  – Confirm user is authorized to access resource requested
  – Translate URLs
  – Forward HTTP[S] request to server
  – Accept server's HTTP[S] response
  – Rewrite HTML, Javascript etc.
  – Forward response over SSL to user
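As an added illustration of the gateway's "Translate URLs" and "Rewrite HTML" steps (example code, not NeoAccel's), the Python below rewrites links in a proxied page so they point back through the gateway, using a simple host-name-encoding scheme in the URL path, and maps incoming gateway paths back to an allow-listed internal origin. The gateway name is the one shown on the slide; the internal host names are constructed, and a real rewriter would also have to cover JavaScript, CSS and redirect headers.

```python
import re
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://nea.neoaccel.com"                 # gateway URL from the slide
# Constructed sample: internal servers the clientless portal is allowed to proxy.
INTERNAL_HOSTS = {"intranet.corp.local", "crm.corp.local"}

def encode_host(scheme, host):
    # Host name encoding: the internal origin becomes a path prefix on the
    # gateway, so the browser never resolves or connects to internal names.
    return "/h/%s/%s" % (scheme, host.replace(".", "_"))

def rewrite_url(url, page_url):
    # Resolve relative links against the real page location first, then
    # rewrite only links that point at an internal (proxied) server.
    parts = urlsplit(urljoin(page_url, url))
    if parts.scheme not in ("http", "https") or parts.hostname not in INTERNAL_HOSTS:
        return url                      # external links are left untouched
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return GATEWAY + encode_host(parts.scheme, parts.hostname) + path

# Attribute values the gateway must rewrite in HTML (illustrative subset).
_ATTR_RE = re.compile(r'(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)

def rewrite_html(html, page_url):
    def repl(m):
        attr, quote, target = m.groups()
        return "%s=%s%s%s" % (attr, quote, rewrite_url(target, page_url), quote)
    return _ATTR_RE.sub(repl, html)

_GW_PATH_RE = re.compile(r"^/h/(https?)/([^/]+)(/.*)?$")

def gateway_to_origin(gateway_path):
    # Reverse step: a request arriving at the gateway is mapped back to the
    # internal URL; anything outside the allow-list is refused (None).
    m = _GW_PATH_RE.match(gateway_path)
    if not m:
        return None
    scheme, label, rest = m.groups()
    host = label.replace("_", ".")
    if host not in INTERNAL_HOSTS:
        return None
    return "%s://%s%s" % (scheme, host, rest or "/")
```

The allow-list check in gateway_to_origin is the authorization step from the slide: without it, the encoded host name would let any client turn the gateway into an open proxy.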
Clientless SSL VPN – Application Proxy on HTTP
• User
  – Launches browser
  – Supply URL for SSL VPN gateway (https://nea.neoaccel.com)
  – Authenticate gateway – Digital Certificate
  – Supply user credentials (User name/Password, Digital Certificate etc.)
  – View web pages which look like a Windows file share
  – Click on link to download and upload file
• SSL VPN Gateway
  – Verify user's credentials via Auth server
  – Confirm user is authorized to access resource requested (file, directory, server)
  – Connect to file server using native protocol
  – Obtain requested resource from file server
  – Translate from native protocol to HTML
  – Send data back to user over HTTPS
[Diagram: mobile worker and teleworker hold an SSL session to the SSL VPN gateway over the Internet; the gateway speaks the native protocol to the file server (SMB/CIFS, NFS, FTP, IPX…) and to a Telnet server (Telnet, POP, IMAP, RDC) and presents the result over HTTP.]
Network Extension Mode
• User
  – Launches browser; connects to gateway; authenticates
  – Downloads client and a program which patches the OS
  – Runs client and patches OS; establishes SSL connection; authenticates
  – Launches application which accesses private network resource
  – Patched OS encapsulates the traffic to gateway
• SSL VPN Gateway
  – Receives SSL connect from client
  – Authenticates user; verifies access
  – Retrieves IP packet from the tunnel
  – Routes IP packet to destination server
  – Receives IP packet from destination server
  – Sends packet back to client over SSL
[Diagram: the client software on the user's machine and the SSL VPN gateway form an application-to-application virtual connection; application packets travel over a TCP-based SSL tunnel across the Internet to the file server and Telnet server behind the gateway.]
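Added example (not NeoAccel's client or wire format): the gateway-side steps "retrieve IP packet from the tunnel", "verify access" and "route IP packet" for network extension mode, in Python. It assumes a simple length-prefixed framing inside the TLS byte stream (the deck does not describe the real framing) and constructed tunnel addresses; the source and destination checks are the per-packet checks a gateway needs before routing traffic from a remote host into the private network.

```python
import struct
import ipaddress
# Constructed values: the tunnel address the gateway assigned to this client
# and the private network the client's role permits it to reach.
CLIENT_TUNNEL_IP = ipaddress.ip_address("10.8.0.2")
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")

def frame(packet):
    # The SSL tunnel is a TCP byte stream, so each IP packet gets a 2-byte
    # length prefix to mark its boundary (assumed framing, not a real format).
    return struct.pack("!H", len(packet)) + packet

def unframe(buf):
    # Split received bytes into complete packets; the remainder (a partial
    # frame) is returned so it can be prepended to the next read.
    packets, off = [], 0
    while off + 2 <= len(buf):
        n = struct.unpack_from("!H", buf, off)[0]
        if off + 2 + n > len(buf):
            break
        packets.append(buf[off + 2:off + 2 + n])
        off += 2 + n
    return packets, buf[off:]

def parse_ipv4(packet):
    # Minimal header validation; None means the packet is not worth routing.
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack_from("!H", packet, 2)[0]
    if ihl < 20 or total_len != len(packet):
        return None
    return {"proto": packet[9], "src": ipaddress.ip_address(packet[12:16]),
            "dst": ipaddress.ip_address(packet[16:20])}

def gateway_decision(packet):
    # Per-packet "verify access" before "route IP packet to destination server".
    hdr = parse_ipv4(packet)
    if hdr is None:
        return "drop: malformed"
    if hdr["src"] != CLIENT_TUNNEL_IP:
        return "drop: source is not the client's tunnel address"
    if hdr["dst"] not in PRIVATE_NET:
        return "drop: destination outside the private network"
    return "route to %s" % hdr["dst"]

def build_ipv4(src, dst, proto, payload):
    # Constructed sample packet; header checksum left at zero, only routing is exercised.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload
```

Because the application's own TCP segments ride inside another TCP connection, loss on the outer connection stalls both retransmission timers; that interaction is the "performance problem" the deck later lists against network extension mode.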
Access Methods
• Secure File Share Access – access to Windows and Unix files (CIFS/NFS); dynamically webifies files to display in the browser
• Quick Access Terminal – access to client/server applications, including native messaging clients like Microsoft Outlook and IBM/Lotus Notes
• Web Application Access – access web-based content and applications, supporting HTML, Javascript, DHTML, VBScript, socket-based Java applets, etc.
• Standards-Based E-mail Client Access – access email using standards-based e-mail protocols (IMAP, POP, SMTP)
• Full Access Client
• Secure Terminal Access – access to Telnet/SSH server hosts (VT100, VT320…)
Endpoint Security
• User logs in using the NeoAccel SSL VPN-Plus Client
• Scan machine for required software and host cleanliness:
  – Check for Antivirus
  – Check for Firewall
  – Check for Anti-Spyware
  – Check for OS Patches
  – Check for Desktop Search engine
  – Check for Key loggers
  – Check for Browser Security Settings
  – Check for IP-forwarding & network bridging
  – Check for customized files/process/service/port
• Security level of host machine is calculated and is sent to gateway.
• Depending upon security level, Gateway decides how much access is given to the remote user (remote desktop, web-mail (http), file sharing, FTP, private network resources).
• Real-time end-point security checks keep the host safe.
Two level of authorization
• Pre Authentication – gathers information from user, network, endpoint
• Dynamic Authentication – authenticate user
• Roles Assignment – map user to role; assign session properties for user role
• Resource Policy – grant access to resource as specified by policy
From a Kiosk
  – Pre Authentication: Digital Cert = NO; Source IP = outside; Host Check = failure
  – Dynamic Authentication: Authentication = Strong; Mapped to Field role
  – Session properties: Network Ext = No; File = No; Web Download = Yes; Web Upload = No; Timeout = ½ hour; Host Check = Recurring
  – Resources = CRM Web (read only), Outlook Web Access
From the field
  – Pre Authentication: Digital Cert = YES; Source IP = outside; Host Check = success
  – Dynamic Authentication: Authentication = Strong; Mapped to Sales role
  – Session properties: Network Ext = Yes; File = Yes; Web Download = Yes; Web Upload = Yes; Timeout = 2 hours; Host Check = Recurring
  – Resources = CRM Client/Server, Exchange
From the LAN
  – Pre Authentication: Digital Cert = YES; Source IP = LAN; Host Check = success
  – Dynamic Authentication: Authentication = PW; Mapped to Sales role
  – Session properties: Network Ext = Yes; Timeout = 12 hours; Host Check = No
  – Resources = Full network access
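Added example (not NeoAccel code): the two-level flow above as a small Python policy engine, with the three rows of the slide's table held as data so the pre-authentication facts select the row, the authentication strength is enforced, and the role, session properties and resource policy come out of that row. The corporate LAN range and the sample source addresses are constructed; the authentication and role cells are assigned to the kiosk, field and LAN rows in the order the deck lists them.

```python
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/16")   # constructed corporate LAN range
STRENGTH = {"PW": 1, "Strong": 2}              # password vs strong (cert/token) auth

@dataclass
class PreAuth:
    # Facts gathered from user, network and endpoint before authentication.
    digital_cert: bool
    source_ip: str
    host_check_ok: bool

# Row values from the slide's table (authentication and role cells assigned to
# rows in the order the deck lists them).
ROWS = {
    "kiosk": {"authentication": "Strong", "role": "Field",
              "session": {"network_ext": False, "file": False, "web_download": True,
                          "web_upload": False, "timeout_min": 30, "host_check": "Recurring"},
              "resources": ["CRM Web (read only)", "Outlook Web Access"]},
    "field": {"authentication": "Strong", "role": "Sales",
              "session": {"network_ext": True, "file": True, "web_download": True,
                          "web_upload": True, "timeout_min": 120, "host_check": "Recurring"},
              "resources": ["CRM Client/Server", "Exchange"]},
    "lan":   {"authentication": "PW", "role": "Sales",
              "session": {"network_ext": True, "timeout_min": 720, "host_check": "No"},
              "resources": ["Full network access"]},
}

def classify(pre):
    # Pre-authentication: pick the row matching certificate, source and posture.
    on_lan = ipaddress.ip_address(pre.source_ip) in LAN
    if pre.digital_cert and pre.host_check_ok:
        return "lan" if on_lan else "field"
    return "kiosk"          # no certificate or failed host check: most restrictive row

def authorize(pre, auth_method, resource):
    # Dynamic authentication, role assignment and resource policy in one pass.
    name = classify(pre)
    row = ROWS[name]
    if STRENGTH[auth_method] < STRENGTH[row["authentication"]]:
        return {"scenario": name, "allowed": False,
                "reason": "%s authentication required" % row["authentication"]}
    allowed = resource in row["resources"] or "Full network access" in row["resources"]
    return {"scenario": name, "role": row["role"], "session": row["session"],
            "allowed": allowed}
```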
IPSec VPN vs SSL VPN
[Diagram: mobile users, remote/branch office, fixed telecommuters and business partners connect to HQ, where DMZ-1 fronts the Sales, HR, Finance and department servers.]
IPSec VPN
• Application Type: Remote, Branch Office; Telecommuter; Partner Network Connect
• Type of Connection: Fixed
• Access Requirement: Network Access
• Control Requirement: IP to IP control
• Remote Network Security: Managed, Trusted
SSL VPN
• Application Type: Mobile User; Partner Extranet
• Type of Connection: Mobile or Fixed
• Access Requirement: Per Application Access
• Control Requirement: User to Application control
• Remote Network Security: UnManaged, UnTrusted
SSL VPN – Why Not?
• Clientless
  – Application dependency
  – Browser support
  – No endpoint security
• Security
  – Requires admin rights
  – Not completely clientless
• Network Extension
  – Performance problem
  – Device/OS support
• Scalability
SSL VPN Vendors
• Neoteris – Acquired by Netscreen and then by Juniper
• Citrix
• Aventail
• Cisco
• F5 Networks
• Array Networks
• Whale – Acquired by Microsoft
• Netilla – Merged as AEP Networks
• OpenVPN – Open Source
• NeoAccel
The End