IPsec and SSL VPN’s: Solving Remote Access Problems
Joel M Snyder, Senior Partner, Opus One, Inc.

Slide 2: Joel’s Definition of an “SSL VPN”
“An SSL VPN uses SSL and proxies to provide authorized and secure access for end-users to Web, client/server, and file sharing resources.”

Slide 3: Six Basic Requirements of an SSL VPN
1. Proxy access and protocol conversion
  • End user HTTPS to proxy; proxy HTTP[S] to resources
  • Application translation (e.g., HTTPS to SMB/CIFS)
2. Clientless (sic) Access
  • Works within the browser
  • No thick/thin client required
3. Remote-access Orientation
  • No site-to-site
  • Designed with simplicity and ease-of-use over security
4. Extranet Support
  • End-user has only a casual connection to resource
5. Highly Granular Access Controls
  • Primarily a security appliance, not an access method
6. SSL Transport

Slide 4: Where did SSL VPNs come from?
(Diagram: technologies plotted on two axes. One axis runs from very small to very broad organizational scope: Workgroup, Department, Multiple Departments, Unit, Multi-unit enterprise, Multiple/Many Enterprises. The other runs from a very general to a very specific problem: Connect Buildings, Connect Subnets, Connect Applications. Technologies placed on the chart: IPsec RA, IPsec, MPLS, PPTP and SSL RA.)

Slide 5: SSL VPNs operate in four different modes
Listed in order of simplicity and usability, from simplest and most usable to most complex and difficult (which is also the order of product support, from most supported to least):
• Proxy
• Application Translation
• Port Forwarding
• Network Extension
Not every SSL VPN product supports all four modes.

Slide 6: HTTP proxy is the heart of SSL VPN
(Diagram: Business Partner, Mobile Worker and Teleworker reach the SSL VPN Gateway over the Internet. The user’s SSL session ends at the gateway, which talks HTTP/HTTPS to Web-based Applications and consults an Authentication Server.)
User:
• Launch browser
• Authenticate gateway
• Supply credentials
• Issue page requests over SSL
• Receive responses over SSL
SSL VPN gateway:
• Verify user’s credentials via Auth Server
• Confirm user is authorized to access resource requested
• Translate URLs
• Forward HTTP[S] requests to server
• Accept server’s HTTP[S] response
• Rewrite HTML, Javascript, etc.
• Forward responses over SSL to user

Slide 7: Application Translation converts to HTTP
(Diagram: Mobile Worker and Teleworker hold an SSL session to the SSL VPN Gateway, which returns HTML to them and speaks native protocols inward: SMB/CIFS, NFS, FTP, IPX… to a File Server; Telnet, POP, IMAP, RDC to a Telnet Server.)
User:
• Launch browser
• Authenticate gateway
• Supply credentials
• View web pages which look suspiciously like directories
• Click on links and download or upload files
SSL VPN Gateway:
• Verify user’s credentials
• Confirm user authorized to read/write particular resource (file, directory, server)
• Connect to File Server using native protocol
• Obtain requested resource from File Server
• Translate from native protocol to HTML
• Send data back to user over HTTPS

Slide 8: Port Forwarding Encapsulates in SSL
(Diagram: an LDAP Client talks LDAP to the port forwarding listener (PFL) in the browser; the PFL carries it over SSL to the port forwarding receiver (PFR) on the SSL VPN Gateway, which talks LDAP to the LDAP Server.)
User:
• Launch browser; connect to gateway; authenticate; launch port forwarding listener (PFL)
• Launch Application which connects back to PFL
• PFL builds SSL tunnel to GW and encapsulates traffic
SSL VPN Gateway:
• Verify user
• Start port forwarding receiver (PFR)
• Receive connect from PFL and verify access to resource is allowed
• Connect to application server using selected protocol
• Act as network layer gateway
• Send data back to PFL over SSL

Slide 9: The Buzzword Spin Begins… “it’s not a client, it’s a thin client”
(Diagram: Teleworker, Internet, SSL VPN Appliance, Authentication Server, Citrix Server.)
• User establishes SSL session
• Agents that provide (generic) port forwarding can be “temporary” Java or ActiveX controls, or Win32 apps
• SSL VPN appliance does port forwarding of native application

Slide 10: Network Extension looks suspiciously like some other VPN
(Diagram: a VoIP Client with a patch to the OS TCP/IP stack sends SIP+RTP over SSL to the SSL VPN Gateway, which forwards to a SIP Proxy and SIP End Point.)
User:
• Download some client that patches their operating system
• Run client and patch O/S; authenticate; connect to GW
• Run application
• Patched O/S builds SSL tunnel to encapsulate traffic to GW
SSL VPN Gateway:
• Receive Transport-Layer Tunnel Connect
• Authenticate user; verify access
• Connect to application server using selected protocol
• Act as network layer gateway
• Send data back to client over SSL

Slide 11: Once upon a time, there was a little SSL VPN gateway…

Slide 12: Link to your Authentication Servers
(Diagram: RADIUS and LDAP feeding the gateway’s Authentication block.)
• All SSL VPN deployments link to external authentication servers
• Common examples are RADIUS (which would include SecurID-type services) and LDAP
• Advanced devices talk directly to Windows via Kerberos
• Certificate-based authentication is a possibility, but is unusual

Slide 13: Authentication Servers provide multiple bits of information
RADIUS:
• Whether the user is properly authenticated
• Some RADIUS attributes that might be useful for assigning group information
LDAP:
• Whether the user is properly authenticated
• Object attributes for groups (or) “memberOf” type data that identifies groups

Slide 14: Group information is critical to definition of roles
• A “role” is a critical access control element
• Role definitions vary widely… but they are the “macro” elements that you use in defining your access control lists
• Roles often include:
  • Username information
  • Group information
  • Environment information (time of day, IP address)
  • End Point Security Status information (virus scanner loaded, personal firewall active)

Slide 15: Roles are part of the ACL tuple
(Diagram: RADIUS and LDAP feed Authentication, which feeds Roles.)

Slide 16: Next, identify your resources
• Web services
• File servers and services and protocols
• Other applications (TCP-based, incoming)
• Network resources (IP-based, bi-directional)

Slide 17: Resources are the second part of the ACL tuple
(Diagram adds Rsrcs beside Roles; same resource list as slide 16.)

Slide 18: Finish the ACL tuple by defining access control rules
• Normally, rules match roles and resources
• Sometimes, the role will be extended or other information will be part of the access control decision

Slide 19: ACL rules are usually simple Yes or No decisions
(Diagram adds Rule beside Roles and Rsrcs; same text as slide 18.)

Slide 20: Finally, tune up the portal
• The portal is the user “face” to the SSL VPN device
• Things like short cuts, layout, logos and icons seem to be very important to some users

Slide 21: Somewhere in your SSL VPN is an HTTP munger
• HTML comes into the SSL VPN device
• SSL VPN must look at, interpret, and edit the HTML
• This is not as easy as it looks

Slide 22: Application Translation requires pieces to do the translation work
(Diagram adds an HTTP handler to the gateway.)

Slide 23: Port Forwarding uses the same SSL connection but a different handler
(Diagram adds a PFR handler beside HTTP.)

Slide 24: Network extension is a whole different VPN

Slide 25: Email Listeners sit on entirely different ports
(Diagram adds POP, IMAP and SMTP listeners.)
• Some SSL VPN devices can act as “front end” security gateways to existing POP/IMAP/SMTP servers

Slide 26: Environmental Variables extend the ACL tuple
(Diagram adds Env, e.g. IP, beside Roles, Rsrcs and Rule.)

Slide 27: Integration with End Point Security tools is a clear direction
(Diagram adds End Point Security and an EPS Policy Server.)

Slide 28: How do I choose between SSL VPN and IPsec VPN?
Obvious cases where SSL VPN wins:
• HTTP-based applications
• “Can’t touch the client”; Extranet
Obvious cases where IPsec VPN wins:
• Site-to-site VPN
The Fighting Ground:
• Network Extension
• “One Box to Rule Them All”
• Corner, Edge, and Hard cases

SSL VPN Technology: What is an SSL VPN and why are they interesting?
Joel M Snyder, Senior Partner, Opus One, Inc.
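Slides 6 and 21 describe the gateway translating URLs and rewriting HTML so that every link leads back through the gateway. The Python below is an added illustration, not code from the slides or from any SSL VPN product; it assumes a gateway prefix of https://vpn.example.net/proxy/ and a constructed sample page, and shows why the munging "is not as easy as it looks": link attributes are rewritten, but a URL assembled inside a script is not.

```python
import re
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://vpn.example.net/proxy/"     # assumed gateway URL prefix (constructed)
ATTR_RE = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)
# Script constructs that build or assign URLs at run time; a text rewriter cannot follow them.
JS_HINT_RE = re.compile(r'\b(location(?:\.href)?|XMLHttpRequest|fetch)\s*[=(]')

def to_gateway(url: str, page_url: str) -> str:
    """Map a URL found in a page served from page_url to its through-the-gateway form."""
    absolute = urljoin(page_url, url)            # resolve relative links against the page
    p = urlsplit(absolute)
    if p.scheme not in ("http", "https"):        # mailto:, javascript:, data: stay as-is
        return url
    rewritten = f"{GATEWAY}{p.scheme}/{p.netloc}{p.path or '/'}"
    if p.query:
        rewritten += "?" + p.query
    if p.fragment:
        rewritten += "#" + p.fragment
    return rewritten

def rewrite_html(html: str, page_url: str):
    """Rewrite link attributes; also report script constructs the rewriter could not follow."""
    def repl(m):
        attr, quote, url = m.groups()
        return f"{attr}={quote}{to_gateway(url, page_url)}{quote}"
    return ATTR_RE.sub(repl, html), sorted(set(JS_HINT_RE.findall(html)))

# Constructed sample page, as the origin server would return it to the gateway.
PAGE_URL = "http://intranet.example/finance/index.html"
SAMPLE = """<a href="/reports/q3.html">Q3 report</a>
<img src="img/logo.png">
<form action="https://hr.intranet.example/login" method="post"></form>
<a href="mailto:helpdesk@intranet.example">Help</a>
<script>window.location = "/portal/" + dept + "/home";</script>"""
```

The reported leftovers are what a real gateway must handle with a JavaScript-aware rewriter or port forwarding, since the browser would otherwise follow the script-built URL straight to the origin and bypass the gateway's access check.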
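Slides 13 to 19, 26 and 27 build the ACL tuple: roles derived from the authentication server's group data plus environment and end point security status, matched against resources by simple yes/no rules. The Python below is an added illustration of that evaluation, not code from the slides or from any product; the role definitions, group names, network ranges and resource names are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Session:  # what the gateway knows after the auth server answers (constructed shape)
    user: str
    groups: frozenset          # LDAP "memberOf" data or RADIUS group attributes
    src_ip: str                # environment: source IP address
    hour: int                  # environment: time of day (0-23)
    av_loaded: bool = False    # end point security: virus scanner loaded
    firewall_on: bool = False  # end point security: personal firewall active

@dataclass(frozen=True)
class RoleDef:  # a role: group membership plus environment / end point conditions
    name: str
    groups: frozenset = frozenset()  # any one of these groups qualifies
    networks: tuple = ()             # if set, source IP must fall inside one of them
    hours: tuple = ()                # if set, (first, last) permitted hour of day
    need_eps: bool = False           # require scanner loaded and firewall active

def roles_for(s: Session, defs: tuple) -> set:
    """Assign roles from group membership, environment and end point security status."""
    src = ip_address(s.src_ip)
    return {d.name for d in defs
            if (not d.groups or s.groups & d.groups)
            and (not d.networks or any(src in ip_network(n) for n in d.networks))
            and (not d.hours or d.hours[0] <= s.hour <= d.hours[1])
            and (not d.need_eps or (s.av_loaded and s.firewall_on))}

# Constructed policy: role definitions, then (role, resource, yes/no) rules.
ROLE_DEFS = (
    RoleDef("employee", groups=frozenset({"staff"})),
    RoleDef("employee-managed-pc", groups=frozenset({"staff"}), need_eps=True),
    RoleDef("partner", groups=frozenset({"partners"}),
            networks=("203.0.113.0/24",), hours=(8, 18)),
)
RULES = (
    ("employee", "web:intranet-portal", True),
    ("employee-managed-pc", "file:engineering-share", True),
    ("partner", "web:intranet-portal", True),
)

def decide(s: Session, resource: str, defs=ROLE_DEFS, rules=RULES) -> bool:
    """ACL tuple: the first (role, resource) rule that matches decides; otherwise deny."""
    roles = roles_for(s, defs)
    for role, rsrc, allow in rules:
        if role in roles and rsrc == resource:
            return allow
    return False
```

With this shape, a staff user on an unmanaged PC still reaches the web portal but not the file share, and a partner is only a partner from the agreed network and during business hours; anything no rule mentions is denied.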