
IPsec and SSL VPN’s: Solving Remote Access Problems

Learn about IPsec and SSL VPNs, their origins, modes, and operation, with a focus on solving remote access challenges. Discover the key components and working principles of SSL VPNs.





Presentation Transcript


  1. IPsec and SSL VPN’s: Solving Remote Access Problems Joel M Snyder Senior Partner Opus One, Inc. jms@opus1.com

  2. Joel’s Definition of an “SSL VPN” • “An SSL VPN uses SSL and proxies to provide authorized and secure access for end-users to Web, client/server, and file sharing resources.”

  3. Six Basic Requirements of an SSL VPN
     • SSL Transport
     • Proxy access and protocol conversion: end user speaks HTTPS to the proxy; the proxy speaks HTTP[S] to resources; application translation (e.g., HTTPS to SMB/CIFS)
     • Clientless (sic) Access: works within the browser; no thick/thin client required
     • Remote-access Orientation: no site-to-site; designed with simplicity and ease-of-use over security
     • Extranet Support: end-user has only a casual connection to resource
     • Highly Granular Access Controls: primarily a security appliance, not an access method

  4. Where did SSL VPNs come from? [Diagram: remote-access and site-to-site technologies (PPTP, IPsec RA, SSL RA, IPsec, MPLS) plotted on two axes. One axis is organizational scope, from very small (workgroup, department, multiple departments, organizational unit, multi-unit enterprise, multiple/many enterprises) to very broad; the other runs from a very specific problem to a very general problem, with the labels "Connect Applications", "Connect Subnets" and "Connect Buildings".]

  5. SSL VPNs operate in four different modes
     Listed in order of simplicity and usability (simplest and most usable to most complex and difficult), which is also the order of product support (most supported to least):
     • Proxy
     • Application Translation
     • Port Forwarding
     • Network Extension
     Not every SSL VPN product supports all four modes.

  6. HTTP proxy is the heart of SSL VPN [Diagram: mobile worker, teleworker and business partner each hold an SSL session across the Internet to the SSL VPN gateway; the gateway speaks HTTP[S] to the web-based applications and checks credentials against an authentication server.]
     • User
       • Launch browser
       • Authenticate gateway
       • Supply credentials
       • Issue page requests over SSL
       • Receive responses over SSL
     • SSL VPN gateway
       • Verify user’s credentials via Auth Server
       • Confirm user is authorized to access resource requested
       • Translate URLs
       • Forward HTTP[S] requests to server
       • Accept server’s HTTP[S] response
       • Rewrite HTML, Javascript, etc.
       • Forward responses over SSL to user

  7. Application Translation converts to HTTP [Diagram: mobile worker and teleworker hold SSL sessions to the SSL VPN gateway; the gateway speaks SMB/CIFS, NFS, FTP, IPX… to a file server and Telnet, POP, IMAP, RDC to a telnet server, and returns HTML to the user.]
     • User
       • Launch browser
       • Authenticate gateway
       • Supply credentials
       • View web pages which look suspiciously like directories
       • Click on links and download or upload files
     • SSL VPN Gateway
       • Verify user’s credentials
       • Confirm user authorized to read/write particular resource (file, directory, server)
       • Connect to File Server using native protocol
       • Obtain requested resource from File Server
       • Translate from native protocol to HTML
       • Send data back to user over HTTPS

  8. Port Forwarding Encapsulates in SSL [Diagram: an LDAP client connects to a port-forwarding listener (PFL) running in the browser; the PFL carries the traffic over SSL to the port-forwarding receiver (PFR) on the SSL VPN gateway, which connects to the LDAP server.]
     • User
       • Launch browser; connect to gateway; authenticate; launch port forwarding listener (PFL)
       • Launch Application which connects back to PFL
       • PFL builds SSL tunnel to GW and encapsulates traffic
     • SSL VPN Gateway
       • Verify user
       • Start port forwarding receiver (PFR)
       • Receive connect from PFL and verify access to resource is allowed
       • Connect to application server using selected protocol
       • Act as network layer gateway
       • Send data back to PFL over SSL
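The port-forwarding exchange on this slide, written out as an added example; this is not code from the presentation or from any SSL VPN product. The one-line PFL handshake (`CONNECT host:port`), the per-user allow-list, the status replies and the in-process fake server are all constructed for the example, and the TLS layer the real gateway terminates in front of the receiver is assumed and omitted so the code runs offline over a socketpair. The point it makes is the step "verify access to resource is allowed": the PFR must check the requested destination against the user's ACL before it connects anywhere, because once connected it is a blind relay, and a receiver that forwards to whatever the PFL asks for turns the gateway into an open pivot into the internal network.

```python
"""Port-forwarding receiver (PFR) for an SSL VPN gateway: accept a tunnel from
the port-forwarding listener (PFL), verify the requested resource against the
user's ACL, then act as a blind transport-layer relay.

Constructed for this example: the handshake 'CONNECT host:port', the ALLOWED
table and the fake internal server in demo(). Assumed and omitted: the TLS
layer (ssl.SSLContext.wrap_socket) in front of pfr_handle()."""
import socket
import threading

# Per-user allow-list of TCP resources (host, port). The PFL can ask for
# anything; only entries listed here may be reached through the gateway.
ALLOWED = {
    "alice": {("ldap.corp.example", 389)},
    "bob": {("ldap.corp.example", 389), ("mail.corp.example", 143)},
}


def parse_connect(line: bytes):
    """Parse the handshake 'CONNECT host:port\\n'; return None if malformed."""
    try:
        verb, target = line.decode("ascii").strip().split(" ", 1)
        host, port_str = target.rsplit(":", 1)
        port = int(port_str)
    except (UnicodeDecodeError, ValueError):
        return None
    if verb != "CONNECT" or not host or not 0 < port < 65536:
        return None
    return host, port


def authorize(user: str, host: str, port: int) -> bool:
    """The check the slide calls 'verify access to resource is allowed'."""
    return (host, port) in ALLOWED.get(user, set())


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def pfr_handle(user: str, client: socket.socket, connect) -> str:
    """Gateway side of one tunnel. `user` was authenticated on the SSL
    session already; `connect(host, port)` opens the internal server socket
    and is injectable so demo() can substitute a socketpair for the LAN."""
    line = b""
    while not line.endswith(b"\n") and len(line) < 256:
        chunk = client.recv(1)
        if not chunk:
            break
        line += chunk
    target = parse_connect(line)
    if target is None:
        client.sendall(b"400 bad handshake\n")
        client.close()
        return "bad"
    if not authorize(user, *target):
        client.sendall(b"403 forbidden\n")  # refuse before any internal connect
        client.close()
        return "denied"
    server = connect(*target)
    client.sendall(b"200 connected\n")
    # From here the gateway is a relay with no insight into the protocol.
    up = threading.Thread(target=pump, args=(client, server))
    down = threading.Thread(target=pump, args=(server, client))
    up.start(); down.start(); up.join(); down.join()
    client.close(); server.close()
    return "relayed"


def demo(user: str, handshake: bytes, payload: bytes = b"hello ldap"):
    """Run PFL -> PFR -> fake server in-process; return (status, reply)."""
    pfl, gw_side = socket.socketpair()          # stands in for the SSL tunnel
    srv_front, srv_back = socket.socketpair()   # stands in for the LAN hop

    def fake_server():                          # constructed echo server
        data = srv_back.recv(4096)
        if data:
            srv_back.sendall(b"echo:" + data)
        srv_back.close()

    threading.Thread(target=fake_server, daemon=True).start()
    outcome = {}
    gw = threading.Thread(target=lambda: outcome.update(
        status=pfr_handle(user, gw_side, lambda h, p: srv_front)))
    gw.start()
    pfl.sendall(handshake)
    status = pfl.recv(64)
    reply = b""
    if status.startswith(b"200"):
        pfl.sendall(payload)
        while True:
            chunk = pfl.recv(4096)
            if not chunk:
                break
            reply += chunk
    pfl.close()
    gw.join()
    srv_front.close()
    return outcome["status"], reply
```

`demo("alice", b"CONNECT ldap.corp.example:389\n")` relays and returns the echoed payload; the same user asking for `mail.corp.example:143` is refused with `403 forbidden` before the gateway opens any internal connection. Note that `pfr_handle` trusts `user` completely: it is whatever the SSL session's authentication produced, so the authentication step on the previous slides is what this check rests on.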

  9. The Buzzword Spin Begins… “it’s not a client, it’s a thin client” [Diagram: teleworker, SSL VPN appliance, authentication server and Citrix server]
     • User establishes SSL session
     • Appliance uploads “agent” software to user browser
     • User connects to application over “shim”
     • User accesses “redirected” application over SSL
     • SSL VPN appliance does port forwarding of native application
     Agents that provide (generic) port forwarding can be “temporary” Java or ActiveX controls, or Win32 apps

  10. Network Extension looks suspiciously like some other VPN [Diagram: a VoIP client (SIP+RTP) whose TCP/IP stack has been patched holds an SSL tunnel to the SSL VPN gateway, which connects on to the SIP proxy and SIP end point.]
     • User
       • Download some client that patches their operating system
       • Run client and patch O/S; authenticate; connect to GW
       • Run application
       • Patched O/S builds SSL tunnel to encapsulate traffic to GW
     • SSL VPN Gateway
       • Receive Transport-Layer Tunnel Connect
       • Authenticate user; verify access
       • Connect to application server using selected protocol
       • Act as network layer gateway
       • Send data back to client over SSL

  11. Once upon a time, there was a little SSL VPN gateway… [Diagram: a lone SSL VPN box; slides 12 to 27 add to this picture one component at a time]

  12. Link to your Authentication Servers [Diagram adds RADIUS and LDAP servers under “Authentication”]
     • All SSL VPN deployments link to external authentication servers
     • Common examples are RADIUS (which would include SecurID-type services) and LDAP
     • Advanced devices talk directly to Windows via Kerberos
     • Certificate-based authentication is a possibility, but is unusual

  13. Authentication Servers provide multiple bits of information
     • RADIUS: whether the user is properly authenticated; some RADIUS attributes that might be useful for assigning group information
     • LDAP: whether the user is properly authenticated; object attributes for groups (or) “memberOf” type data that identifies groups

  14. A “role” is a critical access control element
     • Role definitions vary widely… but they are the “macro” elements that you use in defining your access control lists
     • Roles often include:
       • Username information
       • Group information
       • Environment information (time of day, IP address)
       • End Point Security Status information (virus scanner loaded, personal firewall active)
     • Group information is critical to definition of roles

  15. Roles are part of the ACL tuple [Diagram adds “Roles”, fed by Authentication (RADIUS, LDAP)]

  16. Next, identify your resources
     • Web services
     • File servers and services and protocols
     • Other applications (TCP-based, incoming)
     • Network resources (IP-based, bi-directional)

  17. Resources are the second part of the ACL tuple [Diagram adds “Rsrcs” beside Roles; the resource list is the one on slide 16]

  18. Finish the ACL tuple by defining access control rules [Diagram adds “Rule” beside Roles and Rsrcs]
     • Normally, rules match roles and resources
     • Sometimes, the role will be extended or other information will be part of the access control decision

  19. ACL rules are usually simple Yes or No decisions [Diagram: the Rule element now carries yes/no marks; bullets as on slide 18]

  20. Finally, tune up the portal
     • The portal is the user “face” to the SSL VPN device
     • Things like short cuts, layout, logos and icons seem to be very important to some users

  21. Somewhere in your SSL VPN is an HTTP munger
     • HTML comes into the SSL VPN device
     • SSL VPN must look at, interpret, and edit the HTML
     • This is not as easy as it looks
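The “Translate URLs / Rewrite HTML, Javascript” steps of slide 6 and the HTTP munger of this slide, as an added example that is not code from the presentation or from any SSL VPN product. The gateway name, the `/web/<host>/<path>` namespace, the allow-list of proxied hosts and the sample page are constructed for the example. It shows the three cases a rewriter has to get right (absolute links to internal hosts, root-relative links that would otherwise escape to the gateway's own root, and quoted URLs inside inline script), the reverse mapping the gateway performs on the inbound request, and the check that belongs on both sides: only hosts on the allow-list are ever rewritten or fetched, so the proxy cannot be pointed at arbitrary destinations.

```python
"""URL/HTML rewriting for the SSL VPN proxy mode: map links in pages served by
internal hosts onto the gateway's /web/<host>/<path> namespace, and parse that
namespace back on the inbound side.

Constructed for this example: GATEWAY, ALLOWED_HOSTS, the /web/<host> scheme
and SAMPLE_HTML. Real gateways use a much larger rewriting grammar."""
import re
from urllib.parse import urlsplit

GATEWAY = "https://sslvpn.example.com"                          # assumed gateway
ALLOWED_HOSTS = {"intranet.corp.example", "wiki.corp.example"}  # constructed

ATTR_RE = re.compile(r'\b(href|src|action)=(["\'])([^"\']*)\2', re.IGNORECASE)
SCRIPT_RE = re.compile(r"(<script\b[^>]*>)(.*?)(</script>)", re.IGNORECASE | re.DOTALL)
JS_URL_RE = re.compile(r'(["\'])(https?://[^"\']+)\1')


def rewrite_url(url: str, page_host: str) -> str:
    """Rewrite one URL found in a page that was fetched from page_host.

    Absolute URLs to allow-listed hosts are moved under the gateway; absolute
    URLs to anything else are left alone so the gateway never proxies to
    arbitrary destinations. Root-relative URLs must be re-rooted under the
    page host or the browser would request them from the gateway's root."""
    parts = urlsplit(url)
    if parts.scheme in ("mailto", "javascript", "data", "tel"):
        return url
    if parts.netloc:
        if parts.hostname not in ALLOWED_HOSTS:
            return url
        rest = parts.path or "/"
        if parts.query:
            rest += "?" + parts.query
        if parts.fragment:
            rest += "#" + parts.fragment
        return f"{GATEWAY}/web/{parts.hostname}{rest}"
    if url.startswith("/"):
        return f"/web/{page_host}{url}"
    return url  # document-relative: already resolves under /web/<host>/...


def rewrite_html(html: str, page_host: str) -> str:
    """The 'HTTP munger': rewrite link attributes, then quoted absolute URLs
    inside inline scripts. URLs a script assembles at runtime are invisible
    to this pass, which is why some applications need port forwarding or
    network extension instead of the proxy mode."""
    def attr(m):
        return f"{m.group(1)}={m.group(2)}{rewrite_url(m.group(3), page_host)}{m.group(2)}"

    def script(m):
        body = JS_URL_RE.sub(
            lambda j: f"{j.group(1)}{rewrite_url(j.group(2), page_host)}{j.group(1)}",
            m.group(2))
        return m.group(1) + body + m.group(3)

    return SCRIPT_RE.sub(script, ATTR_RE.sub(attr, html))


def parse_gateway_path(path: str):
    """Inbound side: /web/<host>/<path> -> (host, path), or None when the host
    is not one the gateway may reach. The allow-list applies here as well; a
    rewritten link is not the only way a client can send the gateway a path."""
    m = re.match(r"^/web/([A-Za-z0-9.-]+)(/[^\s]*)?$", path)
    if not m or m.group(1).lower() not in ALLOWED_HOSTS:
        return None
    return m.group(1).lower(), m.group(2) or "/"


# Constructed sample page, as if fetched from intranet.corp.example.
SAMPLE_HTML = """<a href="https://intranet.corp.example/hr/index.html?id=7">HR</a>
<img src="/images/logo.png">
<a href="page2.html">next</a>
<a href="https://www.example.org/">outside</a>
<script>location.href = "https://wiki.corp.example/home";</script>"""
```

Running `rewrite_html(SAMPLE_HTML, "intranet.corp.example")` moves the HR link and the script's `location.href` under the gateway, re-roots the logo as `/web/intranet.corp.example/images/logo.png`, and leaves `page2.html` and the external link untouched. The prefix scheme also has a collision problem (an internal application that itself serves `/web/...` would be double-rewritten), which is one concrete instance of “this is not as easy as it looks”.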

  22. Application Translation requires pieces to do the translation work [Diagram adds SMB, FTP, HTTP and NFS handlers behind the Roles/Rsrcs/Rule tuple]

  23. Port Forwarding uses the same SSL connection but a different handler [Diagram adds a PFR handler beside the SMB, FTP, HTTP and NFS handlers]

  24. Network extension is a whole different VPN [Diagram adds Network Extension as a separate path alongside the handlers]

  25. Email Listeners sit on entirely different ports [Diagram adds POP/IMAP/SMTP listeners next to the HTTP handlers]
     • Some SSL VPN devices can act as “front end” security gateways to existing POP/IMAP/SMTP servers

  26. Environmental Variables extend the ACL tuple [Diagram adds “Env” (for example the client IP) to the Roles/Rsrcs/Rule tuple]

  27. Integration with End Point Security tools is a clear direction [Diagram adds End Point Security, fed by an EPS Policy Server, alongside Env in the tuple]
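The ACL tuple that slides 13 through 19, 26 and 27 build up, carried through as one added example (not code from the presentation or from any SSL VPN product): groups pulled from an LDAP `memberOf` list or a RADIUS attribute, roles defined over groups plus environment (time of day, source address) plus end point security status, a resource table, and a rule list that yields a simple Yes or No. The directory replies, the role predicates, the resource names, the address range and the rules are all constructed for the example.

```python
"""The SSL VPN ACL tuple: authentication server groups -> roles (group +
environment + endpoint status) -> yes/no rule against a resource.

Constructed for this example: LDAP_REPLIES, RADIUS_REPLIES, ROLES, RESOURCES,
RULES and OFFICE_NET. Authentication itself is reduced to a lookup."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed directory replies. LDAP hands back memberOf DNs; RADIUS hands
# back attributes (here Class) that the gateway maps to groups.
LDAP_REPLIES = {
    "alice": {"memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example",
                           "CN=Staff,OU=Groups,DC=corp,DC=example"]},
}
RADIUS_REPLIES = {"bob": {"Class": ["Contractors"]}}


def groups_from_ldap(attrs: dict) -> set:
    """memberOf DN list -> set of group CNs."""
    return {dn.split(",")[0].split("=", 1)[1] for dn in attrs.get("memberOf", [])}


def groups_from_radius(attrs: dict) -> set:
    return set(attrs.get("Class", []))


@dataclass
class Session:
    user: str
    groups: frozenset
    src_ip: str
    now: time
    endpoint: dict   # End Point Security status, e.g. {"av_running": True}


def build_session(user: str, src_ip: str, now_hhmm: str, endpoint: dict) -> Session:
    """Authenticate (lookup only here) and collect groups from whichever
    backend knows the user; an unknown user is a failed authentication."""
    if user in LDAP_REPLIES:
        groups = groups_from_ldap(LDAP_REPLIES[user])
    elif user in RADIUS_REPLIES:
        groups = groups_from_radius(RADIUS_REPLIES[user])
    else:
        raise PermissionError("authentication failed")
    hh, mm = (int(x) for x in now_hhmm.split(":"))
    return Session(user, frozenset(groups), src_ip, time(hh, mm), dict(endpoint))


OFFICE_NET = ip_network("203.0.113.0/24")   # constructed partner address range

# Roles: the "macro" elements, built from group, environment and endpoint status.
ROLES = {
    "finance-full":     lambda s: "Finance" in s.groups
                                  and bool(s.endpoint.get("av_running"))
                                  and bool(s.endpoint.get("firewall_on")),
    "finance-webonly":  lambda s: "Finance" in s.groups,
    "contractor-hours": lambda s: "Contractors" in s.groups
                                  and time(8) <= s.now < time(18)
                                  and ip_address(s.src_ip) in OFFICE_NET,
}

# Resources: what the rules refer to (kind, locator).
RESOURCES = {
    "gl-web":        ("web",  "https://gl.corp.example/"),
    "finance-share": ("file", "smb://files.corp.example/finance"),
    "erp-client":    ("tcp",  "erp.corp.example:8443"),
}

# Rules: (role, resource, allow). First match wins; no match means No.
RULES = [
    ("finance-full",     "finance-share", True),
    ("finance-full",     "erp-client",    True),
    ("finance-webonly",  "gl-web",        True),
    ("contractor-hours", "gl-web",        True),
    ("contractor-hours", "erp-client",    False),   # explicit No
]


def roles_for(session: Session) -> set:
    return {name for name, pred in ROLES.items() if pred(session)}


def decide(session: Session, resource: str) -> bool:
    """Yes/No access decision for one (session, resource) pair."""
    if resource not in RESOURCES:
        return False
    roles = roles_for(session)
    for role, res, allow in RULES:
        if res == resource and role in roles:
            return allow
    return False
```

With a healthy endpoint Alice holds both finance roles and reaches the file share; with the personal firewall off she drops to `finance-webonly` and keeps only the web application, which is the end point security integration of slide 27 expressed as a role condition rather than a separate check. Bob, a RADIUS-authenticated contractor, reaches the web application only during office hours from the partner range, and an unlisted resource or a role without a rule is denied by default.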

  28. How do I choose between SSL VPN and IPsec VPN?
     • Obvious cases where SSL VPN wins: HTTP-based applications; “Can’t touch the client”; Extranet
     • Obvious cases where IPsec VPN wins: Site-to-site VPN
     • The Fighting Ground: Network Extension; “One Box to Rule Them All”; Corner, Edge, and Hard cases

  29. SSL VPN Technology:What is an SSL VPN and why are they interesting? Joel M Snyder Senior Partner Opus One, Inc. jms@opus1.com
