IPsec and SSL VPN's: Solving Remote Access Problems

Joel M Snyder, Senior Partner, Opus One, Inc.
[email protected]

Slide 2: Joel's Definition of an "SSL VPN"

"An SSL VPN uses SSL and proxies to provide authorized and secure access for end-users to Web, client/server, and file sharing resources."

Slide 3: Six Basic Requirements of an SSL VPN

• Proxy access and protocol conversion: the end user speaks HTTPS to the proxy; the proxy speaks HTTP[S] to the resources; application translation (e.g., HTTPS to SMB/CIFS)
• Clientless (sic) access: works within the browser; no thick/thin client required
• Remote-access orientation: no site-to-site; designed with simplicity and ease-of-use over security
• Extranet support: the end-user has only a casual connection to the resource
• Highly granular access controls: primarily a security appliance, not an access method
• SSL transport

Slide 4: Where did SSL VPNs come from?

[Diagram: VPN technologies plotted by organizational scope (very small to very broad: workgroup, department, multiple departments, organizational unit, multi-unit enterprise, multiple/many enterprises) against problem scope (very specific problem to very general problem). Technologies plotted: MPLS, IPsec, PPTP / IPsec remote access, SSL remote access. Bottom labels: Connect Buildings, Connect Subnets, Connect Applications.]

Slide 5: SSL VPNs operate in four different modes

• Proxy
• Application Translation
• Port Forwarding
• Network Extension

Listed in order of simplicity and usability, from simplest and most usable (proxy) to most complex and difficult (network extension). Not every SSL VPN product supports all four modes; the same order is also the order of product support, from most supported to least.

Slide 6: HTTP proxy is the heart of SSL VPN

[Diagram: business partner, mobile worker and teleworker browsers reach the SSL VPN gateway across the Internet over the user's SSL session (HTTPS); the gateway speaks HTTP to the web-based applications and consults an authentication server.]

User:
• Launch browser
• Authenticate the gateway
• Supply credentials
• Issue page requests over SSL
• Receive responses over SSL

SSL VPN gateway:
• Verify the user's credentials via the authentication server
• Confirm the user is authorized to access the requested resource
• Translate URLs
• Forward HTTP[S] requests to the server
• Accept the server's HTTP[S] response
• Rewrite HTML, JavaScript, etc.
• Forward responses over SSL to the user

Slide 7: Application Translation converts to HTTP

[Diagram: mobile worker and teleworker browsers reach the SSL VPN gateway across the Internet over the user's SSL session; the gateway speaks the native protocol to a file server (SMB/CIFS, NFS, FTP, IPX...) or a Telnet server (Telnet, POP, IMAP, RDC) and returns HTML to the user.]

User:
• Launch browser
• Authenticate the gateway
• Supply credentials
• View web pages which look suspiciously like directories
• Click on links and download or upload files

SSL VPN gateway:
• Verify the user's credentials
• Confirm the user is authorized to read/write the particular resource (file, directory, server)
• Connect to the file server using the native protocol
• Obtain the requested resource from the file server
• Translate from the native protocol to HTML
• Send data back to the user over HTTPS
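Added example (not code from the presentation or any SSL VPN product): the gateway-side half of application translation for a file share, as described above. The in-memory share, the role-to-path authorization table and the /files URL prefix are assumptions constructed for illustration. It shows the two things the gateway now owns because it, rather than the user's own client, touches the file server: the read authorization check on a normalized path (so ".." cannot step out of an authorized directory into one the rule did not grant), and HTML-escaping of names that come off the share, since the listing is rendered into the portal's own origin and a hostile filename would otherwise become script in every user's browser.

```python
"""Application translation, gateway side: render a file-share directory as portal HTML.

Added example; not code from the presentation or any SSL VPN product.
SHARE is a constructed stand-in for a file server a real gateway would reach
over SMB/CIFS, NFS or FTP. READ_ACL and the /files URL prefix are assumptions.
"""
from __future__ import annotations

import html
import posixpath
from urllib.parse import quote, unquote

# Constructed share: directory path -> {entry name: "dir" | "file"}.
# The last entry on "/" is a deliberately hostile filename sitting on the server.
SHARE = {
    "/": {"docs": "dir", "hr": "dir", "readme.txt": "file",
          "<script>alert('portal')</script>.txt": "file"},
    "/docs": {"design.pdf": "file"},
    "/hr": {"salaries.xlsx": "file"},
}

# Assumed policy: which roles may read which subtree. The longest matching
# prefix decides; a path that matches nothing is denied.
READ_ACL = {
    "/": {"engineer", "hr"},
    "/docs": {"engineer", "partner"},
    "/hr": {"hr"},
}


def normalize(path: str) -> str:
    """Decode the URL form and collapse "." / "..", so "/docs/../hr" is checked as "/hr".
    The leading "/" is stripped and re-added so posixpath cannot keep a "//" prefix."""
    return posixpath.normpath("/" + unquote(path).lstrip("/"))


def authorized(path: str, roles: set[str]) -> bool:
    """True if the longest READ_ACL prefix covering `path` grants one of `roles`."""
    best = None
    for prefix in READ_ACL:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return best is not None and bool(READ_ACL[best] & roles)


def render_listing(path: str, roles: set[str]) -> tuple[int, str]:
    """Return (HTTP status, HTML body) the gateway would send back over HTTPS.

    Authorization is checked on the normalized path before the share is touched,
    and every name from the share is escaped before it lands in the portal page."""
    path = normalize(path)
    if not authorized(path, roles):
        return 403, "<h1>403 Forbidden</h1>"
    entries = SHARE.get(path)
    if entries is None:
        return 404, "<h1>404 Not Found</h1>"
    rows = []
    for name, kind in sorted(entries.items()):
        child = posixpath.join(path, name)
        # Percent-encode for the URL (so the name round-trips through the gateway)
        # and HTML-escape for the page (so the name cannot inject markup or script).
        href = "/files" + quote(child)
        rows.append(f'<li><a href="{html.escape(href)}">{html.escape(name)}</a> ({kind})</li>')
    return 200, f"<h1>{html.escape(path)}</h1><ul>{''.join(rows)}</ul>"
```

A partner can list /docs but not the share root, an engineer asking for /docs/../hr is refused because the check runs on /hr, and the hostile filename reaches the browser as text rather than as a script element.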

Slide 8: Port Forwarding Encapsulates in SSL

[Diagram: an LDAP client on the user's machine connects to a port forwarding listener (PFL) running in the browser; the PFL carries the traffic over SSL to the port forwarding receiver (PFR) on the SSL VPN gateway, which connects to the LDAP server.]

User:
• Launch browser; connect to the gateway; authenticate; launch the port forwarding listener (PFL)
• Launch the application, which connects back to the PFL
• The PFL builds an SSL tunnel to the gateway and encapsulates the traffic

SSL VPN gateway:
• Verify the user
• Start the port forwarding receiver (PFR)
• Receive the connect from the PFL and verify that access to the resource is allowed
• Connect to the application server using the selected protocol
• Act as a network-layer gateway
• Send data back to the PFL over SSL

Slide 9: The Buzzword Spin Begins... "it's not a client, it's a thin client"

[Diagram: teleworker, SSL VPN appliance, Citrix server, Internet, authentication server.]

• User establishes an SSL session
• Appliance uploads "agent" software to the user's browser
• User connects to the application over a "shim"
• User accesses the "redirected" application over SSL
• SSL VPN appliance does port forwarding of the native application

Agents that provide (generic) port forwarding can be "temporary" Java or ActiveX controls, or Win32 apps.

Slide 10: Network Extension looks suspiciously like some other VPN

[Diagram: a VoIP client (SIP+RTP) on the user's machine; a patch to the O/S TCP/IP stack carries its traffic over SSL to the SSL VPN gateway, which forwards it to the SIP proxy and on to the SIP end point.]

User:
• Download some client that patches their operating system
• Run the client and patch the O/S; authenticate; connect to the gateway
• Run the application
• The patched O/S builds an SSL tunnel to the gateway to encapsulate the traffic

SSL VPN gateway:
• Receive the transport-layer tunnel connect
• Authenticate the user; verify access
• Connect to the application server using the selected protocol
• Act as a network-layer gateway
• Send data back to the client over SSL

Slide 11: Once upon a time, there was a little SSL VPN gateway...

Slide 12: Link to your Authentication Servers

[Diagram: the gateway's Authentication block, with LDAP and RADIUS.]

• All SSL VPN deployments link to external authentication servers
• Common examples are RADIUS (which would include SecurID-type services) and LDAP
• Advanced devices talk directly to Windows via Kerberos
• Certificate-based authentication is a possibility, but is unusual

Slide 13: Authentication Servers provide multiple bits of information

RADIUS:
• Whether the user is properly authenticated
• Some RADIUS attributes that might be useful for assigning group information

LDAP:
• Whether the user is properly authenticated
• Object attributes for groups, or "memberOf"-type data that identifies groups

Slide 14: Group information is critical to the definition of roles

• A "role" is a critical access control element
• Role definitions vary widely... but they are the "macro" elements that you use in defining your access control lists
• Roles often include:
• Username information
• Group information
• Environment information (time of day, IP address)
• End point security status information (virus scanner loaded, personal firewall active)
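Added example (not from the presentation): turning what the authentication servers return, as listed on the two slides above, into a role set for the session. The LDAP memberOf group DNs, the RADIUS Class and Filter-Id reply attributes, the group-to-role table and the sample server replies are all assumptions constructed for illustration. The point to notice is the default: an authenticated user whose groups map to nothing gets an empty role set, so "logged in" by itself grants no resource, and an LDAP bind failure or a RADIUS Access-Reject yields no session at all.

```python
"""Turn authentication-server results into a session role set.

Added example; not from the presentation. The attribute names (LDAP memberOf,
RADIUS Class and Filter-Id), the group-to-role table and the sample server
replies are assumptions constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Optional

# Assumed mapping from directory groups (as DNs) or RADIUS group strings to roles.
# Groups that are not listed map to nothing: "authenticated" is not a role.
GROUP_TO_ROLE = {
    "cn=engineering,ou=groups,dc=example,dc=com": "engineer",
    "cn=partners,ou=groups,dc=example,dc=com": "partner",
    "cn=vpn-admins,ou=groups,dc=example,dc=com": "admin",
    "OU=engineering": "engineer",   # string form assumed for the RADIUS Class attribute
    "OU=partners": "partner",
}


def _norm_dn(dn: str) -> str:
    """Lower-case and drop whitespace after commas so DN spelling differences do not break matching."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def session_from_ldap(bind_ok: bool, entry: dict) -> Optional[dict]:
    """LDAP: the bind result says whether the user authenticated; memberOf says which groups."""
    if not bind_ok:
        return None
    groups = map(_norm_dn, entry.get("memberOf", []))
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    return {"user": entry["uid"][0], "roles": roles}


def session_from_radius(reply: dict) -> Optional[dict]:
    """RADIUS: only an Access-Accept authenticates; group hints ride in reply attributes."""
    if reply.get("code") != "Access-Accept":
        return None
    roles = set()
    for attr in ("Class", "Filter-Id"):
        for value in reply.get("attributes", {}).get(attr, []):
            role = GROUP_TO_ROLE.get(value.strip())
            if role:
                roles.add(role)
    return {"user": reply["user"], "roles": roles}


# Constructed replies (not captured from real servers).
SAMPLE_LDAP_ENTRY = {
    "uid": ["alice"],
    "memberOf": ["CN=Engineering, OU=Groups, DC=example, DC=com",
                 "CN=Everyone, OU=Groups, DC=example, DC=com"],
}
SAMPLE_RADIUS_ACCEPT = {"code": "Access-Accept", "user": "bob",
                        "attributes": {"Class": ["OU=partners"], "Filter-Id": ["OU=contractors"]}}
SAMPLE_RADIUS_REJECT = {"code": "Access-Reject", "user": "mallory", "attributes": {}}
```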

Slide 15: Roles are part of the ACL tuple

[Diagram: gateway building blocks Authentication (LDAP, RADIUS) and Roles.]

Slide 16: Next, identify your resources

• Web services
• File servers and services and protocols
• Other applications (TCP-based, incoming)
• Network resources (IP-based, bi-directional)

[Diagram: gateway building blocks Authentication (LDAP, RADIUS) and Roles.]

Slide 17: Resources are the second part of the ACL tuple

[Diagram: gateway building blocks Authentication (LDAP, RADIUS), Roles and Resources; the resource list is the one from the previous slide: web services; file servers, services and protocols; other applications (TCP-based, incoming); network resources (IP-based, bi-directional).]

Slide 18: Finish the ACL tuple by defining access control rules

• Normally, rules match roles and resources
• Sometimes the role will be extended, or other information will be part of the access control decision

[Diagram: gateway building blocks Authentication (LDAP, RADIUS), Roles and Resources.]

Slide 19: ACL rules are usually simple Yes or No decisions

(Same bullets as the previous slide.)

[Diagram: gateway building blocks Authentication (LDAP, RADIUS), Roles, Resources and Rule.]

Slide 20: Finally, tune up the portal

• The portal is the user "face" of the SSL VPN device
• Things like shortcuts, layout, logos and icons seem to be very important to some users

[Diagram: gateway building blocks Authentication (LDAP, RADIUS), Roles, Resources and Rule.]

Slide 21: Somewhere in your SSL VPN is an HTTP munger

• HTML comes into the SSL VPN device
• The SSL VPN must look at, interpret, and edit the HTML
• This is not as easy as it looks

[Diagram: gateway building blocks Authentication (LDAP, RADIUS), Roles, Resources and Rule.]
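Added example (not from the presentation or any vendor): a minimal version of the HTTP munger, the "translate URLs" and "rewrite HTML, JavaScript" steps of the proxy slide earlier in the deck. The host names, the /web/<host>/ path namespace and the sample page are constructed assumptions. Two things are worth seeing in code. First, the rewriter has to be anchored to an allow-list of internal hosts; without one, any link in backend content, or a URL a user types into the portal, turns the gateway into an authenticated open proxy into the whole internal network. Second, a URL that JavaScript assembles at run time never appears as a literal, so string rewriting cannot see it, which is one concrete reason "this is not as easy as it looks".

```python
"""A minimal SSL VPN "HTTP munger": rewrite URLs in backend content so the
browser keeps coming back through the gateway.

Added example; not from the presentation or any vendor's product. The host
names, the /web/<host>/ namespace and SAMPLE_PAGE are constructed assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

GATEWAY = "https://vpn.example.com"

# Internal hosts (netloc form) the proxy will fetch from. Without this list any
# link in backend content, or one a user types into the portal, makes the
# gateway an authenticated open proxy into the whole internal network.
ALLOWED_HOSTS = {"intranet.example.com", "wiki.example.com"}


def gateway_url(target: str, base_host: str) -> str:
    """Map a URL from backend content onto the gateway's /web/<host>/<path> namespace.

    Returns the string unchanged for schemes we do not proxy (mailto:, javascript:, ...),
    for hosts outside ALLOWED_HOSTS, and for relative links, which the browser will
    resolve against the already-rewritten page URL."""
    parts = urlsplit(target)
    if parts.scheme not in ("", "http", "https"):
        return target
    host = parts.netloc or base_host
    if host not in ALLOWED_HOSTS:
        return target
    if not parts.netloc and not parts.path.startswith("/"):
        return target
    url = f"{GATEWAY}/web/{host}{parts.path or '/'}"
    if parts.query:
        url += "?" + parts.query
    if parts.fragment:
        url += "#" + parts.fragment
    return url


# href/src/action attributes in HTML, and quoted absolute URLs in script text.
_ATTR = re.compile(r'(\b(?:href|src|action)\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE)
_JS_URL = re.compile(r'(["\'])(https?://[^"\'\s]+)\1')


def rewrite_page(body: str, base_host: str) -> str:
    """Rewrite a page fetched from base_host. String rewriting is all a munger can do:
    a URL that JavaScript assembles at run time never appears as a literal and is missed."""
    body = _ATTR.sub(lambda m: m.group(1) + m.group(2) + gateway_url(m.group(3), base_host) + m.group(2), body)
    body = _JS_URL.sub(lambda m: m.group(1) + gateway_url(m.group(2), base_host) + m.group(1), body)
    return body


# Constructed page, as an internal web server might return it.
SAMPLE_PAGE = """<html><body>
<a href="http://intranet.example.com/hr/payslip?id=7">Payslip</a>
<a href="/reports/q3.html">Q3 report</a>
<img src="https://wiki.example.com/logo.png">
<a href="http://db-admin.internal:8080/">DB console</a>
<a href="mailto:helpdesk@example.com">Help</a>
<script>
  var api = "https://wiki.example.com/api/search";
  var host = "http://" + "intranet" + ".example.com";  // built at run time: not rewritable
</script>
</body></html>"""
```

Run over SAMPLE_PAGE, the intranet and wiki links (including the root-relative one and the string literal inside the script) come out under https://vpn.example.com/web/, the db-admin link is left pointing where it pointed because that host is not proxied, and the concatenated host in the script is untouched, so that request will go to the backend directly and fail, or worse, succeed from a machine that should not reach it.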

Slide 22: Application Translation requires pieces to do the translation work

[Diagram: gateway building blocks Authentication (LDAP, RADIUS), Roles, Resources and Rule, with protocol handlers for SMB, FTP, NFS and HTTP.]

Slide 23: Port Forwarding uses the same SSL connection but a different handler

[Diagram: the same gateway with the PFR (port forwarding receiver) added beside the SMB, FTP, NFS and HTTP handlers.]

Slide 24: Network extension is a whole different VPN

[Diagram: gateway building blocks Authentication (LDAP, RADIUS), Roles, Resources and Rule, with handlers SMB, FTP, NFS, HTTP and PFR.]

Slide 25: Email Listeners sit on entirely different ports

[Diagram: the same gateway with POP, IMAP and SMTP listeners added beside the SMB, FTP, NFS, HTTP and PFR handlers.]

Some SSL VPN devices can act as "front end" security gateways to existing POP/IMAP/SMTP servers.

Slide 26: Environmental Variables extend the ACL tuple

[Diagram: gateway building blocks Authentication (LDAP, RADIUS), Roles, Resources, Env and Rule, with handlers SMB, FTP, NFS, HTTP, PFR, POP, IMAP, SMTP and IP.]

Slide 27: Integration with End Point Security tools is a clear direction

[Diagram: the same gateway with an End Point Security block feeding the Env/Rule decision, linked to an external EPS policy server.]
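Added example (not from the presentation or any product): evaluating the full ACL tuple built up over the preceding slides, roles plus resources plus rules, extended with the environment (source IP, time of day) and end point security status that the last two slides add. The policy, resource names, session records and endpoint flags are constructed assumptions. It covers all four resource kinds from the resources slide, including the host:port a port forwarding connect names and the destination IP a network-extension packet carries, so the same Yes/No decision serves every handler; rules are ordered, the first match wins, and anything no rule matches is denied.

```python
"""Evaluate the SSL VPN ACL tuple (role, resource, rule) extended with
environment and end point security conditions.

Added example; not from the presentation or any product. POLICY, RESOURCES and
the session records are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Resource:
    kind: str      # "web" (URL prefix), "file" (share path), "tcp" (port forwarding host:port),
    target: str    # or "net" (network extension, CIDR)


@dataclass
class Rule:
    role: str
    resource: str                                 # key into RESOURCES
    allow: bool
    src_nets: tuple = ()                          # environment: user must come from one of these
    hours: tuple = ()                             # environment: (start, end) time-of-day window
    endpoint: dict = field(default_factory=dict)  # end point status flags that must all match


RESOURCES = {
    "intranet": Resource("web", "https://intranet.example.com/"),
    "hr-share": Resource("file", "//files.example.com/hr"),
    "ldap": Resource("tcp", "ldap.example.com:389"),
    "voip-net": Resource("net", "10.20.0.0/16"),
}

# Ordered: the first rule whose role, resource and conditions all match decides.
POLICY = [
    Rule("partner", "intranet", False, src_nets=("203.0.113.0/24",)),   # a blocked partner network
    Rule("partner", "intranet", True),
    Rule("engineer", "intranet", True),
    Rule("engineer", "ldap", True, endpoint={"firewall": True}),
    Rule("hr", "hr-share", True, src_nets=("192.0.2.0/24",), hours=(time(7), time(19)),
         endpoint={"antivirus": True}),
    Rule("engineer", "voip-net", True, endpoint={"antivirus": True, "firewall": True}),
]


def _matches_resource(res: Resource, kind: str, target: str) -> bool:
    if res.kind != kind:
        return False
    if kind == "web":
        return target.startswith(res.target)
    if kind == "file":
        return target == res.target or target.startswith(res.target + "/")
    if kind == "tcp":
        return target == res.target
    if kind == "net":
        return ipaddress.ip_address(target) in ipaddress.ip_network(res.target)
    return False


def _in_any(ip: str, nets: tuple) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


def decide(session: dict, kind: str, target: str) -> bool:
    """Yes/No for one access request. session carries user, roles, src_ip, now (a time)
    and endpoint (dict of status flags). Anything no rule matches is denied."""
    for rule in POLICY:
        if rule.role not in session["roles"]:
            continue
        if not _matches_resource(RESOURCES[rule.resource], kind, target):
            continue
        if rule.src_nets and not _in_any(session["src_ip"], rule.src_nets):
            continue
        if rule.hours and not (rule.hours[0] <= session["now"] <= rule.hours[1]):
            continue
        if any(session["endpoint"].get(flag) != wanted for flag, wanted in rule.endpoint.items()):
            continue
        return rule.allow
    return False


# Constructed sessions.
ENGINEER = {"user": "alice", "roles": {"engineer"}, "src_ip": "198.51.100.7",
            "now": time(10, 30), "endpoint": {"antivirus": True, "firewall": False}}
HR_ONSITE = {"user": "carol", "roles": {"hr"}, "src_ip": "192.0.2.15",
             "now": time(9), "endpoint": {"antivirus": True, "firewall": True}}
PARTNER = {"user": "bob", "roles": {"partner"}, "src_ip": "203.0.113.9",
           "now": time(14), "endpoint": {}}
```

With these sessions an engineer whose personal firewall is off reaches the intranet but is refused both the LDAP port forward and the VoIP network, the HR user gets the HR share only from the office network during working hours, and the partner is refused from the blocked network yet allowed from anywhere else.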

Slide 28: How do I choose between SSL VPN and IPsec VPN?

Obvious cases where SSL VPN wins:
• HTTP-based applications
• "Can't touch the client"
• Extranet

Obvious cases where IPsec VPN wins:
• Site-to-site VPN

The fighting ground:
• Network extension
• "One box to rule them all"
• Corner, edge, and hard cases

SSL VPN Technology: What is an SSL VPN and why are they interesting?

Joel M Snyder, Senior Partner, Opus One, Inc.
[email protected]