IPsec and SSL VPNs: Solving Remote Access Problems
Joel M Snyder
Senior Partner
Opus One, Inc.
[email protected]
Joel’s Definition of an “SSL VPN”
“An SSL VPN uses SSL and proxies to provide authorized and secure access for end-users to Web, client/server, and file sharing resources.”
Six Basic Requirements of an SSL VPN
• Proxy access and protocol conversion
  • End user HTTPS to proxy; proxy HTTP[S] to resources
  • Application translation (e.g., HTTPS to SMB/CIFS)
• Clientless (sic) access
  • Works within the browser
  • No thick/thin client required
• Remote-access orientation
  • No site-to-site
  • Designed with simplicity and ease-of-use over security
• Extranet support
  • End-user has only a casual connection to the resource
• Highly granular access controls
  • Primarily a security appliance, not an access method
• SSL transport
Where did SSL VPNs come from?
[Chart: remote-access technologies plotted on two axes. Vertical axis: "very general problem" to "very specific problem". Horizontal axis, organizational scope from very small to very broad: workgroup, department, multiple departments, organizational unit, multi-unit enterprise, multiple/many enterprises. Plotted technologies: IPsec RA, IPsec, MPLS, PPTP and SSL RA, with the scope bands labelled "connect buildings", "connect subnets" and "connect applications".]
SSL VPNs operate in four different modes
Listed in order of simplicity and usability (simplest and most usable first), which is also the order of product support (most supported first):
• Proxy
• Application translation
• Port forwarding
• Network extension
Not every SSL VPN product supports all four modes.
HTTP proxy is the heart of SSL VPN
User
• Launch browser
• Authenticate gateway
• Supply credentials
• Issue page requests over SSL
• Receive responses over SSL
SSL VPN gateway
• Verify user’s credentials via authentication server
• Confirm user is authorized to access the resource requested
• Translate URLs
• Forward HTTP[S] requests to server
• Accept server’s HTTP[S] response
• Rewrite HTML, JavaScript, etc.
• Forward responses over SSL to user
[Diagram: business partner, mobile worker and teleworker users on the Internet each hold an SSL session to the SSL VPN gateway; the gateway checks credentials against the authentication server and connects over HTTP or HTTPS to the web-based applications.]
Application Translation converts to HTTP
User
• Launch browser
• Authenticate gateway
• Supply credentials
• View web pages which look suspiciously like directories
• Click on links and download or upload files
SSL VPN gateway
• Verify user’s credentials
• Confirm user is authorized to read/write the particular resource (file, directory, server)
• Connect to file server using native protocol
• Obtain requested resource from file server
• Translate from native protocol to HTML
• Send data back to user over HTTPS
[Diagram: the mobile worker’s or teleworker’s SSL session terminates at the gateway; the gateway speaks SMB/CIFS, NFS, FTP, IPX… to the file server and Telnet, POP, IMAP, RDC to a Telnet server, and returns HTML to the user.]
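Added example, not from this deck or any vendor’s product: the "translate from native protocol to HTML" step above for a directory listing, written in Python against a constructed in-memory share (the share contents, the /files/ URL prefix and the can_write flag are assumptions of the example). It shows the two things a gateway must get right in that step: the requested path is confined to the share root before the native-protocol connection is made, and everything the file server returns (here, file names) is escaped before it becomes HTML, since a file name is attacker-controlled input on the server side.

```python
import html
from urllib.parse import quote

# Constructed stand-in for what the gateway sees on the file server over
# SMB/CIFS: directories are dicts, files map to their size in bytes. The file
# name that contains a <script> tag shows why server-supplied names must be
# escaped before they are turned into HTML.
SHARE = {
    "finance": {"q1.xlsx": 20480, "notes.txt": 512, "<script>alert(1)</script>.txt": 10},
    "public": {"readme.txt": 100},
}


def resolve_share_path(requested):
    """Confine a user-supplied path to the share root.

    Returns the normalized relative path, or None for anything that tries to
    leave the share (absolute paths, '..' segments, embedded NULs). This runs
    before the gateway touches the file server with its native protocol.
    """
    if "\0" in requested or requested.startswith(("/", "\\")):
        return None
    parts = [p for p in requested.replace("\\", "/").split("/") if p and p != "."]
    if ".." in parts:
        return None
    return "/".join(parts)


def list_directory(requested, can_write):
    """Translate a directory listing into the HTML the browser will render.

    `can_write` is the ACL decision for this user and resource (assumed to be
    made elsewhere); it controls whether an upload form is rendered at all.
    Returns None when the path is rejected, missing, or not a directory.
    """
    path = resolve_share_path(requested)
    if path is None:
        return None
    node = SHARE
    for part in path.split("/") if path else []:
        node = node.get(part)
        if not isinstance(node, dict):
            return None                       # missing, or a file rather than a directory
    rows = []
    for name, entry in sorted(node.items()):
        href = "/files/" + quote(f"{path}/{name}" if path else name, safe="/")
        label = html.escape(name)             # neutralize anything the server sent back
        if isinstance(entry, dict):
            rows.append(f'<li><a href="{href}/">{label}/</a></li>')
        else:
            rows.append(f'<li><a href="{href}">{label}</a> ({entry} bytes)</li>')
    upload = ""
    if can_write:
        upload = (f'<form method="post" enctype="multipart/form-data" action="/files/{quote(path, safe="/")}">'
                  '<input type="file" name="f"><input type="submit" value="Upload"></form>')
    title = html.escape("/" + path)
    return f"<h1>{title}</h1><ul>{''.join(rows)}</ul>{upload}"


if __name__ == "__main__":
    print(list_directory("finance", can_write=True))
    print(list_directory("finance/../../etc", can_write=False))
```

The listing is generated by the gateway, so a user who was only granted read access never sees an upload form; the read/write check still has to be repeated when the POST arrives, because the form is only a convenience, not the control.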
Port Forwarding Encapsulates in SSL
User
• Launch browser; connect to gateway; authenticate; launch port forwarding listener (PFL)
• Launch application which connects back to PFL
• PFL builds SSL tunnel to gateway and encapsulates traffic
SSL VPN gateway
• Verify user
• Start port forwarding receiver (PFR)
• Receive connect from PFL and verify access to resource is allowed
• Connect to application server using selected protocol
• Act as network layer gateway
• Send data back to PFL over SSL
[Diagram: an LDAP client on the user’s machine speaks LDAP to the PFL running in the browser; the PFL carries it over SSL to the PFR on the gateway, which speaks LDAP to the LDAP server.]
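Added example, not from this deck or any product: the PFL/PFR exchange above in Python, on loopback sockets. The PFL-to-PFR leg is plain TCP here instead of SSL, and the one-line "CONNECT <resource>" header the PFL sends is an assumption of the example, not any vendor’s wire format. What it shows is the placement of the check the slide describes: the PFR verifies that the requested resource is allowed for this user before it opens any connection toward the application server, so a listener the user points at an unapproved resource gets nothing.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _splice(a, b):
    """Relay both directions between two connected sockets, then close both."""
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start()
    _pump(a, b)
    t.join()
    a.close()
    b.close()


def _readline(sock):
    """Read one header line byte by byte so no application data is swallowed."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf


def _serve(handler):
    """Listen on an ephemeral loopback port and run handler per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_app_server():
    """Constructed stand-in for the application server: echoes what it receives."""
    def handle(conn):
        _pump(conn, conn)
        conn.close()
    return _serve(handle)


def start_pfr(allowed):
    """Gateway side (PFR). `allowed` maps the resource names this user's role
    may reach to (host, port); the check happens here, before any upstream connect."""
    def handle(conn):
        words = _readline(conn).split()
        name = words[1].decode(errors="replace") if len(words) == 2 else ""
        if words[:1] != [b"CONNECT"] or name not in allowed:
            conn.sendall(b"DENY\n")
            conn.close()
            return
        upstream = socket.create_connection(allowed[name])
        conn.sendall(b"OK\n")
        _splice(conn, upstream)
    return _serve(handle)


def start_pfl(gateway_port, resource):
    """Client side (PFL). The application connects to this local port; each
    connection is carried to the gateway with a CONNECT header in front."""
    def handle(conn):
        gw = socket.create_connection(("127.0.0.1", gateway_port))
        gw.sendall(b"CONNECT " + resource.encode() + b"\n")
        if _readline(gw) != b"OK\n":
            gw.close()
            conn.close()
            return
        _splice(conn, gw)
    return _serve(handle)


def roundtrip(pfl_port, payload):
    """Act as the local application: send payload through the PFL and return the
    reply; empty bytes means the gateway refused the resource."""
    out = b""
    try:
        with socket.create_connection(("127.0.0.1", pfl_port)) as app:
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)
            while True:
                data = app.recv(4096)
                if not data:
                    break
                out += data
    except OSError:
        pass
    return out
```

Usage: start the echo server, start the PFR with an allow list such as {"ldap": ("127.0.0.1", app_port)}, start one PFL for "ldap" and one for a name that is not in the list, and call roundtrip() against each; only the first returns the payload.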
The Buzzword Spin Begins…
“it’s not a client, it’s a thin client”
• User establishes SSL session
• Agents that provide (generic) port forwarding can be “temporary” Java or ActiveX controls, or Win32 apps
• SSL VPN appliance does port forwarding of native application
[Diagram: teleworker over the Internet to the SSL VPN appliance, which is connected to the authentication server and a Citrix server.]
Network Extension looks suspiciously like some other VPN
User
• Download some client that patches their operating system
• Run client and patch O/S; authenticate; connect to gateway
• Run application
• Patched O/S builds SSL tunnel to encapsulate traffic to gateway
SSL VPN gateway
• Receive transport-layer tunnel connect
• Authenticate user; verify access
• Connect to application server using selected protocol
• Act as network layer gateway
• Send data back to client over SSL
[Diagram: a VoIP client on the patched OS TCP/IP stack sends SIP+RTP through the SSL tunnel to the gateway, which forwards it to the SIP proxy and on to the SIP end point.]
Once upon a time, there was a little SSL VPN gateway…
Link to your Authentication Servers
• All SSL VPN deployments link to external authentication servers
• Common examples are RADIUS (which would include SecurID-type services) and LDAP
• Advanced devices talk directly to Windows via Kerberos
• Certificate-based authentication is a possibility, but is unusual
Authentication Servers provide multiple bits of information
RADIUS
• Whether the user is properly authenticated
• Some RADIUS attributes that might be useful for assigning group information
LDAP
• Whether the user is properly authenticated
• Object attributes for groups (or) “memberOf” type data that identifies groups
Group information is critical to definition of roles
• A “role” is a critical access control element
• Role definitions vary widely… but they are the “macro” elements that you use in defining your access control lists
• Roles often include
  • Username information
  • Group information
  • Environment information (time of day, IP address)
  • End point security status information (virus scanner loaded, personal firewall active)
Roles are part of the ACL tuple
[Diagram: the authentication servers (RADIUS, LDAP) feed the Roles element of the gateway.]
Next, identify your resources
• Web services
• File servers and services and protocols
• Other applications (TCP-based, incoming)
• Network resources (IP-based, bi-directional)
Resources are the second part of the ACL tuple
[Diagram: Resources (Rsrcs) joins Roles in the gateway’s access control tuple.]
Finish the ACL tuple by defining access control rules
• Normally, rules match roles and resources
• Sometimes, the role will be extended or other information will be part of the access control decision
ACL rules are usually simple Yes or No decisions
[Diagram: Roles, Resources and Rule together form the access control tuple.]
Finally, tune up the portal
• The portal is the user “face” to the SSL VPN device
• Things like short cuts, layout, logos and icons seem to be very important to some users
Somewhere in your SSL VPN is an HTTP munger
• HTML comes into the SSL VPN device
• SSL VPN must look at, interpret, and edit the HTML
• This is not as easy as it looks
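Added example, not from this deck or any product, covering the "translate URLs / rewrite HTML" step of the HTTP proxy slide and the "HTTP munger" slide above. It is a Python rewriter built on the standard-library HTML parser: absolute and relative URLs in link-carrying attributes are resolved against the page’s origin and rewritten to a gateway path (the https://vpn.example.com/proxy/<scheme>/<host>/ form, the example hosts and the authorized-host list are assumptions of the example). Only hosts the policy allows are rewritten, and the gateway is assumed to re-check authorization on every proxied request. The part the slide calls "not as easy as it looks" is made visible: a URL assembled inside a script block is not touched, so the rewriter reports it instead of silently producing a page that half works.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

URL_ATTRS = {"href", "src", "action", "formaction", "data"}   # attributes that carry URLs
URL_LITERAL = re.compile(r"""https?://[^\s"'<>]+""")        # crude scan for URLs in script text


class GatewayRewriter(HTMLParser):
    """Rewrite URLs in a proxied page so the browser sends them to the gateway.

    Only hosts on the authorized list are rewritten (assumption of this example;
    the gateway must still authorize every proxied request). URLs built inside
    scripts cannot be rewritten here and are reported in `unrewritten`.
    """

    def __init__(self, gateway, page_url, allowed_hosts):
        super().__init__(convert_charrefs=False)
        self.gateway = gateway.rstrip("/")
        self.page_url = page_url            # origin of the page being rewritten
        self.allowed = {h.lower() for h in allowed_hosts}
        self.out = []                       # rewritten document, in pieces
        self.unrewritten = []               # (reason, url) pairs needing attention
        self._script = None                 # buffer while inside <script>

    def rewrite_url(self, url):
        absolute = urljoin(self.page_url, url.strip())
        p = urlsplit(absolute)
        if p.scheme not in ("http", "https") or not p.hostname:
            return url                      # mailto:, javascript:, data: left alone
        if p.hostname.lower() not in self.allowed:
            self.unrewritten.append(("unauthorized-host", absolute))
            return url
        tail = ("?" + p.query if p.query else "") + ("#" + p.fragment if p.fragment else "")
        return f"{self.gateway}/proxy/{p.scheme}/{p.netloc}{p.path or '/'}{tail}"

    def _tag(self, tag, attrs, selfclosing):
        changed, new_attrs = False, []
        for name, value in attrs:
            if value is not None and name.lower() in URL_ATTRS:
                new = self.rewrite_url(value)
                changed |= new != value
                value = new
            new_attrs.append((name, value))
        if not changed:                     # keep the original tag text untouched
            self.out.append(self.get_starttag_text())
            return
        rendered = [tag] + [n if v is None else f'{n}="{html.escape(v, quote=True)}"'
                            for n, v in new_attrs]
        self.out.append("<" + " ".join(rendered) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, False)
        if tag == "script":
            self._script = []

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for url in URL_LITERAL.findall("".join(self._script)):
                self.unrewritten.append(("script-literal", url))
            self._script = None
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
        self.out.append(data)

    # Everything else passes through unchanged.
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")
    def handle_pi(self, data): self.out.append(f"<?{data}>")


def rewrite_page(page_html, gateway, page_url, allowed_hosts):
    """Return (rewritten html, list of (reason, url) the rewriter could not handle)."""
    r = GatewayRewriter(gateway, page_url, allowed_hosts)
    r.feed(page_html)
    r.close()
    return "".join(r.out), r.unrewritten


# Constructed sample page, as an intranet server might return it.
SAMPLE_PAGE = (
    '<html><body><a href="/reports/q1.html">Q1</a>'
    '<img src="http://intranet.example.internal/logo.png">'
    '<a href="http://payroll.example.internal/">Payroll</a>'
    '<script>var u = "http://intranet.example.internal/api?x=1"; fetch(u);</script>'
    '<a href="mailto:it@example.com">IT</a></body></html>'
)

if __name__ == "__main__":
    page, todo = rewrite_page(SAMPLE_PAGE, "https://vpn.example.com",
                              "http://intranet.example.internal/index.html",
                              {"intranet.example.internal"})
    print(page)
    print(todo)
```

Running it on the sample page rewrites the relative report link and the logo image to the gateway, leaves the payroll link alone and reports it as an unauthorized host, and reports the URL inside the script block as a literal the HTML pass could not rewrite.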
Application Translation requires pieces to do the translation work
[Diagram: a translation component sits beside the HTTP handler in front of the Roles, Resources and Rule tuple.]
Port Forwarding uses the same SSL connection but a different handler
[Diagram: the port forwarding receiver (PFR) is added next to the HTTP handler.]
Network extension is a whole different VPN
[Diagram: the network extension path is drawn as a separate VPN alongside the HTTP handler and the PFR.]
Email Listeners sit on entirely different ports
[Diagram: POP, IMAP and SMTP listeners are added beside the HTTP handler and the PFR.]
Some SSL VPN devices can act as “front end” security gateways to existing POP/IMAP/SMTP servers.
Environmental Variables extend the ACL tuple
[Diagram: an Env element (e.g., source IP) joins Roles, Resources and Rule in the access control tuple.]
Integration with End Point Security tools is a clear direction
[Diagram: an End Point Security (EPS) policy server feeds endpoint status into the Env element of the access control tuple.]
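Added example, not from this deck or any product, tying together the authentication-server, roles, resources, rules, environment and end point security slides above: a Python evaluation of the full (roles, resources, env, rule) tuple. The LDAP "memberOf" values, the RADIUS Class attribute, the role definitions, the resource list, the 203.0.113.0/24 corporate address range and the endpoint posture flags are all constructed for the example. The shape is the one the slides describe: groups from the authentication servers are turned into roles, each resource is typed (web, file, TCP application, IP network), rules pair a role with a resource and an environment predicate, the answer is yes or no, and nothing matching means no.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatch

# Identity data as the authentication servers would return it (constructed).
LDAP_REPLIES = {    # LDAP "memberOf" attributes
    "alice": {"memberOf": ["cn=finance,ou=groups,dc=example,dc=com",
                           "cn=staff,ou=groups,dc=example,dc=com"]},
}
RADIUS_REPLIES = {  # RADIUS reply attributes; Class commonly carries group data
    "bob": {"Class": "contractors"},
}


def groups_for(user):
    """Flatten LDAP memberOf DNs and RADIUS Class attributes into group names."""
    groups = set()
    for dn in LDAP_REPLIES.get(user, {}).get("memberOf", []):
        m = re.match(r"cn=([^,]+)", dn, re.I)
        if m:
            groups.add(m.group(1).lower())
    cls = RADIUS_REPLIES.get(user, {}).get("Class")
    if cls:
        groups.add(cls.lower())
    return groups


# Roles: the "macro" element, derived here from username and group data.
ROLE_TESTS = {
    "Finance":    lambda user, groups: "finance" in groups,
    "Staff":      lambda user, groups: "staff" in groups,
    "Contractor": lambda user, groups: "contractors" in groups,
}


def roles_for(user):
    groups = groups_for(user)
    return {role for role, test in ROLE_TESTS.items() if test(user, groups)}


@dataclass(frozen=True)
class Resource:
    kind: str      # "web", "file", "app" (TCP, incoming) or "net" (IP, bi-directional)
    pattern: str   # URL or UNC glob, host:port, or CIDR


RESOURCES = {
    "payroll":  Resource("web", "https://payroll.example.internal/*"),
    "portal":   Resource("web", "https://extranet.example.internal/*"),
    "finshare": Resource("file", r"\\fs1.example.internal\finance\*"),
    "ldap":     Resource("app", "ldap.example.internal:389"),
    "corpnet":  Resource("net", "10.1.0.0/16"),
}


def resource_matches(res, kind, target):
    if res.kind != kind:
        return False
    if kind == "net":
        return ipaddress.ip_address(target) in ipaddress.ip_network(res.pattern)
    return fnmatch(target.lower(), res.pattern.lower())


@dataclass
class Env:
    """Environment part of the tuple: where and when, plus endpoint posture."""
    src_ip: str
    now: time
    av_running: bool = False
    firewall_on: bool = False


def env_at(hour, src_ip="203.0.113.10", av=True, fw=True):
    """Convenience constructor: an Env at the given hour of the day."""
    return Env(src_ip, time(hour, 0), av, fw)


def business_hours(env):
    return time(7, 0) <= env.now <= time(19, 0)

def healthy_endpoint(env):
    return env.av_running and env.firewall_on

def corporate_source(env):   # constructed corporate address range
    return ipaddress.ip_address(env.src_ip) in ipaddress.ip_network("203.0.113.0/24")

# Rules: (role, resource, environment predicate, allow?). First match wins;
# a rule whose environment predicate fails is skipped; no match means deny.
RULES = [
    ("Finance",    "payroll",  healthy_endpoint, True),
    ("Finance",    "finshare", lambda e: healthy_endpoint(e) and business_hours(e), True),
    ("Staff",      "ldap",     lambda e: True, True),
    ("Staff",      "corpnet",  lambda e: healthy_endpoint(e) and corporate_source(e), True),
    ("Contractor", "portal",   lambda e: True, True),
]


def decide(user, kind, target, env):
    """Evaluate the (roles, resource, env, rule) tuple; return (allowed, reason)."""
    roles = roles_for(user)
    for role, rname, env_ok, allow in RULES:
        if role in roles and resource_matches(RESOURCES[rname], kind, target) and env_ok(env):
            return allow, f"{role}:{rname}"
    return False, "default-deny"


if __name__ == "__main__":
    print(decide("alice", "web", "https://payroll.example.internal/run", env_at(10)))
    print(decide("alice", "web", "https://payroll.example.internal/run", env_at(10, av=False)))
    print(decide("bob", "web", "https://payroll.example.internal/run", env_at(10)))
```

The same user gets different answers depending on the environment: alice reaches payroll from a healthy endpoint, is refused when the virus scanner is not running, and is refused the finance share outside business hours, while bob’s contractor role never matches a payroll rule at all.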
How do I choose between SSL VPN and IPsec VPN?
Obvious cases where SSL VPN wins
• HTTP-based applications
• “Can’t touch the client”; extranet
Obvious cases where IPsec VPN wins
• Site-to-site VPN
The fighting ground
• Network extension
• “One box to rule them all”
• Corner, edge, and hard cases
SSL VPN Technology: What is an SSL VPN and why are they interesting?