Download SSL VPN Virtual Private Networks based on Secure Socket Layer

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts

Remote Desktop Services wikipedia , lookup

TCP congestion control wikipedia , lookup

Parallel port wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Internet protocol suite wikipedia , lookup

Transcript 
SSL VPN
Virtual Private Networks based on
Secure Socket Layer
Mario Baldi
Politecnico di Torino
(Technical Univesity of Turin)
http://staff.polito.it/mario.baldi
Nota di Copyright
This set of transparencies, hereinafter referred to as slides, is
protected by copyright laws and provisions of International Treaties.
The title and copyright regarding the slides (including, but not limited
to, each and every image, photography, animation, video, audio,
music and text) are property of the authors specified on page 1.
The slides may be reproduced and used freely by research institutes,
schools and Universities for non-profit, institutional purposes. In
such cases, no authorization is requested.
Any total or partial use or reproduction (including, but not limited to,
reproduction on magnetic media, computer networks, and printed
reproduction) is forbidden, unless explicitly authorized by the
authors by means of written license.
Information included in these slides is deemed as accurate at the
date of publication.
Such information is supplied for merely
educational purposes and may not be used in designing systems,
products, networks, etc. In any case, these slides are subject to
changes without any previous notice. The authors do not assume any
responsibility for the contents of these slides (including, but not
limited to, accuracy, completeness, enforceability, updated-ness of
information hereinafter provided).
In any case, accordance with information hereinafter included must
not be declared.
In any case, this copyright notice must never be removed and must
be reported even in partial uses.
SSL-VPN - 2
© M. Baldi: see page 2
SSL VPN: What is that?
SSL as the central mechanism on
which to base secure access
Site-to-site VPN
Remote access VPN
Secure service access
Loose interpretation of VPN
 SSL (pseudo)VPN
Tunneling based on TCP or UDP
SSL-VPN - 3
© M. Baldi: see page 2
Why Not IPsec VPN?
IPsec too difficult and/or too
expensive to use securely
Too many options to be
configured and administered
Operates in kernel space
Failures potentially
catastrophic
Installation difficult and risky
Concerns fade with maturity
SSL-VPN - 4
© M. Baldi: see page 2
Why SSL VPN
Lower complexity
Installation
Configuration
Management
Non-interference with kernel
Most widely used
Higher, more robust security
SSL-VPN - 5
© M. Baldi: see page 2
Compared to IPsec VPN
No problem with NAT traversal
No authentication of IP
header
No encryption of ports as with
IPsec ESP (encapsulation
securty payload)
Packets dropped at a higher
layer
Critical with DOS attacks
SSL-VPN - 6
© M. Baldi: see page 2
Compared to PPTP
Initially proprietary (Microsoft)
Initially weak security
Fixed later
Poor interoperability with nonMicrosoft platforms
GRE (generic routing
encapsulation) tunneling
Possibly blocked by routers
SSL-VPN - 7
© M. Baldi: see page 2
SSL (pseudo)VPN
IPsec VPNs connect networks
Or hosts to networks
SSL VPNs connect
Users to services
Application clients to
application servers
SSL-VPN - 8
© M. Baldi: see page 2
Why SSL (pseudo)VPN
No client code is to be installed
Usable anywhere (kyosk)
Applications available through
web browser
Deploying HTTPS
Not a general security solution
Specific solutions suitable to
selected applications
SSL-VPN - 9
© M. Baldi: see page 2
In Summary
SSL VPNs have a good chance of
working in any network scenario
TCP or UDP tunneling enable
NAT traversal
Firewall traversal
Router traversal
SSL (pseudo)VPN enable
universal client (web browser)
SSL-VPN - 10
© M. Baldi: see page 2
SSL VPN Flavors
Port forwarding
SSL’ed protocols
Web proxying
Application proxying
Pseudo VPN
Application translation
Network extension
Site-to-site connectivity
SSL-VPN - 11
© M. Baldi: see page 2
Application Translation
Native protocol between VPN
server and application server
E.g., FTP, STMP, POP
Application user interface as a
web page
HTTP(S) between VPN server
and client
Not suitable for all applications
Look&feel might be lost
SSL-VPN - 12
© M. Baldi: see page 2
Application Translation
HTTPS
POP3
Mail server
SSL-VPN - 13
© M. Baldi: see page 2
Port Forwarding
Port forwarder on client
Additional software
Platform dependent
 Unless Java or ActiveX
Application points to localhost
To port X
Usual application port
 E.g., TCP port 110 (POP3)
SSL-VPN - 14
© M. Baldi: see page 2
Port Forwarding
SSL/HTTPS
POP3
POP3 (TCP port 110)
Port Forwarder
TCP port 443
HTTPS
SSL-VPN - 15
© M. Baldi: see page 2
Port Forwarding
Port forwarder sends data
stream to SSL connection to VPN
gateway
To port Y
Usually port 443 (HTTPS)
VPN gateway forwards data
stream to application server
To port X
 E.g., TCP port 110 (POP3)
SSL-VPN - 16
© M. Baldi: see page 2
Port Forwarding
SSL/HTTPS
POP3
TCP port 443
HTTPS
TCP port 110
POP3
Port
Forwarding
SSL-VPN - 17
© M. Baldi: see page 2
Port Forwarding
Works only with fixed port
protocols
Problems with address and port
in application layer protocol
SSL-VPN gateway must know
application protocol to
translate
Application layer gateway
(ALG)
SSL-VPN - 18
© M. Baldi: see page 2
SSL’ed Protocols
Secure application protocols
Protocol-over-SSL
E.g., POP-over-SSL, IMAPover-SSL, SMTP-over-SSL
Client and server support
required
POP-over-SSL
TCP port 995
SSL-VPN - 19
© M. Baldi: see page 2
Proxying
VPN Gateway downloads web
pages through HTTP
Ship them through HTTPS
Web server
HTTPS
HTTP
Client
SSL-VPN - 20
VPN Gateway
© M. Baldi: see page 2
Application Proxying
Compatibility with older servers
Client points at SSL-VPN
gateway
TCP port 995
POP-o-SSL
SSL-VPN - 21
TCP port 110
POP3
© M. Baldi: see page 2
Network Extension
Tunnel over SSL
POP3
FTP
POP3
FTP
SSL-VPN - 22
© M. Baldi: see page 2
Performance Pitfalls
IP over TCP
No delivery of packets after a
lost one
Loss leads to throttling of
tunnel
 TCP congestion control
TCP over TCP: unpredictable
Large transmitter buffers in
gateways
SSL-VPN - 23
© M. Baldi: see page 2
Products and Vendors
Open VPN (openvpn.net)
AEP
F5 Networks
NetScreen Technologies
Netilla
Nokia
Symantec
Whale Communications
SSL-VPN - 24
© M. Baldi: see page 2
Main Issues
Interoperability
Product specific features
Implementation weaknesses
Availability of client on specific
platforms
SSL-VPN - 25
© M. Baldi: see page 2
Bibliography
S. Brumbaugh, “VPNs and Public Key
Infrastructure,” O'Reilly, Sep. 2004,
http://www.onlamp.com/pub/a/security/
2004/09/23/vpns_and_pki.html
C. Hosner, “OpenVPN and the SSL
VPN Revolution,” SANS Institute,
Aug. 2004,
http://www.sans.org/rr/whitepapers/vpns
/1459.php
J. Snyder, “SSL VPN Gateways,”
NetworkWorldFusion, Dec. 2004,
http://www.nwfusion.com/reviews/2004/
0112revmain.html
SSL-VPN - 26
© M. Baldi: see page 2
Related documents
web server
web server
What is a VPN? A VPN (Virtual Private Network) is a private
What is a VPN? A VPN (Virtual Private Network) is a private
Chapter 1: Protocols and Layers
Chapter 1: Protocols and Layers
Virtual Private Network(VPN)
Virtual Private Network(VPN)
CLIENT SERVER ARCHITECTURE
CLIENT SERVER ARCHITECTURE
Slides for lecture 26
Slides for lecture 26
Datawire Secure Transport
Datawire Secure Transport
Commercial Sales
Commercial Sales
Virtual Private Network
Virtual Private Network
Solution: Virtual Private Network (VPN)
Solution: Virtual Private Network (VPN)
The Internet and the World Wide Web
The Internet and the World Wide Web