SSL VPN-Plus - NetPilot Internet Security


Training
Access Modes
© 2005,2006 NeoAccel Inc.
Agenda
1. Need for SSL VPN
2. Access Terminals
3. SSL VPN-Plus Access Terminals
   a) Introduction
   b) Usage scenario
4. Network extension concepts
5. Full Access Client
6. Quick Access Terminal Client
What Users Want
Access Business Applications
• Web based applications: Intranets,…
• Client-Server applications: VOIP, SAP,…
• Hybrid Web applications: Oracle forms,…
On Demand Access
• Take work home: in-office experience, full productivity
• At customer site: need mission critical application to run
• Roaming: Email, Intranet portal, least productivity
What Users Want…contd…
No more classes and trainings!
• Simplified, one click access … like the web…
• In office experience
• Don't rely on us
What Users Want…contd…
Securely Access Anything, from Anywhere, using Any device
That's what SSL VPNs are about!
SSL VPN Deployment
[Diagram: remote users (wireless/mobile user; home user/consultant/partner; other corporate office/partners) connect over encrypted SSL VPN tunnels that cross the firewall to the NeoAccel SSL VPN-Plus Gateway in the internal data-centre. The gateway authenticates users against an authentication server (RADIUS/AD/LDAP) and fronts the private network services.]
Access Terminals
• Entry points to private corporate network
• Requirements
  • Usability
  • Accessibility
  • Security
Common Access Terminals
1.1 SSL VPN Web portal (with terminal emulators)
1.2 Port Forwarding Client
1.3 Network extension Client
SSL VPN-Plus Access Terminals
Access Terminals are modes through which remote users can access corporate resources
• SSL VPN-Plus has three Access Modes
  • Web Access Terminal (WAT)
    • Browser based SSL VPN access mode
    • Commonly known as Clientless SSL VPN access
  • Private Hyper Access Transport (PHAT)
    • A native client for full access to the corporate network
    • Commonly known as Full Access Client
  • Quick Access Terminal (QAT)
    • An agent based terminal that enables access to all TCP applications without installing any software on the machine
    • Commonly known as Port Forwarding Client
Web Access Terminal
• Only a browser is required to initiate a VPN and access corporate resources
  • Also known as Clientless VPN
  • Any browser that supports JavaScript can set up the VPN connection
• For a user, accessing VPN services is like accessing a company portal or company web site
• Zero management/maintenance
  • Administrator configures the resources available on the portal for users
  • Per-group portal customization
Web Access Terminal…contd.
• VPN resources accessible through WAT are:
  • Web servers; e.g.
    • Corporate Intranet/portal
    • SharePoint
  • Web-based application servers; e.g.
    • Outlook Web Access
    • Lotus Domino
    • Web-based databases like Oracle 9i, SQL
• Portal can be configured to provide Documents/Manuals to users
Web Access Terminal…contd.
• User opens WAT login page
  • https://companyvpn/sslvpn-plus/
Web Access Terminal…contd.
• Upon successful login, the WAT portal is available to the user to access private network resources
Web Portal - Thin Applications
• Terminal emulators are provided on the portal to access terminal servers and legacy hosts
• RDP, VNC, SSH and Telnet Java clients are available
• Useful to access legacy applications without installing any software on the user machine, or to access from a kiosk, hotel, etc.
Why Web portal is not enough
• Business applications are not just web-based applications; they include client-server components.
• Clientless access depends on how each application is implemented
• URL rewriting is more than just HTML rewriting: applets, Flash, exe, …
• No in-office experience
Private Hyper Access Transport PHAT
• IPSec replacement client which provides IPSec-like full access but with zero configuration on the client machine
• Support for all TCP/IP based applications and protocols (TCP, UDP, IP) is provided.
• Best used for
  • In office experience for maximum productivity
  • VOIP and video conferencing
• Full Access client is configured from the management console
• Administrative rights are required to install the client
• Client auto-updates without administrative rights
• Complete and strong endpoint security
• Supported on
  • Windows (2000 and above)
  • Linux (Redhat, Knoppix, Debian)
  • Mac OS X (beta)
Network extension technology
[Diagram: the client's transmit and receive paths]
TRANSMISSION
• Establish an SSL connection with the SSL gateway
• Intercept application traffic transparently
• Encapsulate the control commands and data in proprietary protocols
• Encrypt the data and send it through the SSL connection to the gateway
RECEPTION
• Decrypt the data received on the SSL connection from the gateway
• Decode the control commands
• Pass the data to applications transparently
SSL VPN Network extension technology
[Diagram: protocol stack of other SSL VPNs. User mode: App, SSL VPN client, SSL. Kernel: two TCP instances (#1 and #2), IP, Enet.]
Other SSL VPNs: Packet flow
This is what will be achieved.
This happens when the user is working in office, i.e. connected to LAN
[Diagram: D and A application packets exchanged between the SSL VPN client agent running on the remote user's machine and the private network servers; on the path between the client agent and the SSL VPN Gateway, SD and SA tunnel packets are shown alongside the D and A application packets.]
Legend:
• D: Application TCP data packet
• A: Application TCP ACK packet
• SD: SSL tunnel data packet
• SA: SSL tunnel ACK packet
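As an added illustration that is not part of the original deck, the following Python model renders the legend above as wire traffic for two designs: a user-mode TCP-over-TCP tunnel, where every application D and A becomes an SD that the tunnel's own TCP acknowledges with an SA, and a transport-layer intercept that tunnels only application data. Both models are simplifying assumptions (no ACK piggybacking or delayed ACKs), not NeoAccel's implementation.

```python
# Constructed model, not NeoAccel code: wire packets implied by the slide legend
# (D/A = application TCP data/ACK, SD/SA = SSL tunnel data/ACK). Assumes no
# ACK piggybacking or delayed ACKs in either tunnel design.
from collections import Counter


def app_exchange(n_segments):
    """Constructed application traffic: n data segments, each ACKed by the peer."""
    return ["D", "A"] * n_segments


def user_mode_tunnel(app_packets):
    """TCP-over-TCP (the 'other SSL VPNs' stack with TCP #1 and #2): the
    user-mode agent sees complete inner TCP segments, so every D *and* every A
    is wrapped as SD, and the tunnel's own TCP acknowledges each SD with SA."""
    wire = []
    for _ in app_packets:
        wire += ["SD", "SA"]
    return wire


def transport_intercept_tunnel(app_packets):
    """Single-TCP model (assumed here for a kernel intercept such as ICAA-TSSL):
    traffic is intercepted before the application's TCP segments exist, so
    inner ACKs never cross the wire; only payload is sent as SD and ACKed by SA."""
    wire = []
    for p in app_packets:
        if p == "D":
            wire += ["SD", "SA"]
    return wire


def summarize(wire):
    """Per-type packet counts plus total, e.g. {'SD': 3, 'SA': 3, 'total': 6}."""
    counts = dict(Counter(wire))
    counts["total"] = len(wire)
    return counts


def overhead_ratio(n_segments):
    """Wire packets per application data segment: (user-mode, intercept)."""
    app = app_exchange(n_segments)
    return (len(user_mode_tunnel(app)) / n_segments,
            len(transport_intercept_tunnel(app)) / n_segments)


if __name__ == "__main__":
    traffic = app_exchange(3)
    print("user-mode tunnel    :", " ".join(user_mode_tunnel(traffic)))
    print("transport intercept :", " ".join(transport_intercept_tunnel(traffic)))
    print("wire packets per data segment (user-mode, intercept):", overhead_ratio(3))
```

Under these assumptions the user-mode design puts twice as many tunnel packets on the wire per application data segment, which is the overhead the two stack diagrams contrast.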
SSL VPN-Plus technology
[Diagram: protocol stack of SSL VPN-Plus. User mode: App, SSL VPN client. Kernel: ICAA-TSSL, a single TCP instance (#1), IP, Enet.]
Architecture difference
[Diagram: side-by-side client architectures, each running from the remote user's application through the resource gateway to the private network.]
• Architecture: Other SSL VPN: From Application → SSL Module (application level, user mode) → Network Module → OS Network Stack → To private Network
• Architecture: SSL VPN-Plus: From Application → ICAA-TSSL Module (SSL module inside ICAA-TSSL) → Network Module → OS Network Stack → To private Network
What is not so good about PHAT
• The PHAT client cannot be used "Anywhere": it has to be installed
• Administrative rights are required on the user machine
• It is also a secure transport for malware, spyware, trojans and viruses present on the endpoint
• Where is my portal?
Quick Access Terminal
• A Java enabled browser is required to initiate a VPN and access corporate resources
  • Also known as Port forwarding client
  • A Java applet is downloaded to the user machine and initiates the VPN
• User can access TCP based client-server applications from the portal
• Zero management/installation/maintenance
• Works like the Full Access client, with the only limitation that IP, UDP and MS file shares are not supported
• Administrator configures the network resources for users
• Access to the QAT client can be controlled from the NMC on a per-group basis.
Quick Access Terminal…contd.
• VPN resources accessible through QAT are:
  • Any TCP based application servers
    • Web servers, E-mail servers, Citrix, SAP, Lotus Domino, direct database access from anywhere
  • Terminal servers
    • SSH, Telnet and other legacy terminal emulators like TN5250 for IBM Mainframe access
• True Anything from Anywhere access
• In 2.0 beta, QAT runs only on Windows 2000 & above.
Quick Access Terminal…contd.
• User opens WAT login page
  • https://companyvpn/sslvpn-plus/
Quick Access Terminal…contd.
• Upon successful login, the QAT link is provided on the WAT portal
[Screenshot: WAT portal; callout "Access QAT using this link"]
Quick Access Terminal…contd.
• Upon successful login, the QAT link is provided on the WAT portal
[Screenshot: QAT window; callout "Status of QAT"]
Quick Access Terminal…contd.
• Access your TCP applications the normal way you work
[Screenshot: callout "Access any TCP based application"]
Questions?