SSL VPN: Virtual Private Networks based on Secure Socket Layer
Source: netgroup.polito.it/.../CNTS-TSR_slide/06-SSL-VPN_e.pdf (slide transcript)

SSL VPN
Virtual Private Networks based on Secure Socket Layer
Mario Baldi, Politecnico di Torino (Technical University of Turin)
http://staff.polito.it/mario.baldi
© M. Baldi: see page 2 (SSL-VPN - 2)

SSL VPN: What is that?
SSL as the central mechanism on which to base secure access:
  Site-to-site VPN
  Remote access VPN
  Secure service access
Loose interpretation of VPN: SSL (pseudo)VPN
Tunneling based on TCP or UDP

Why Not IPsec VPN?
IPsec too difficult and/or too expensive to use securely:
  Too many options to be configured and administered
  Operates in kernel space, so failures are potentially catastrophic
  Installation difficult and risky
These concerns fade as implementations mature

Why SSL VPN
Lower complexity:
  Installation
  Configuration
  Management
Non-interference with the kernel (runs in user space)
SSL is the most widely used security protocol
Higher, more robust security

Compared to IPsec VPN
No problem with NAT traversal: SSL does not authenticate the IP header, whereas IPsec AH does, so behind NAT IPsec must use ESP (Encapsulating Security Payload) instead (and in practice ESP needs UDP encapsulation, NAT-T, as well)
Packets are dropped at a higher level (in user space, after TCP processing), which is critical under DoS attacks: IPsec can discard forged packets early, in the kernel

Compared to PPTP
Initially proprietary (Microsoft)
Initially weak security, fixed later
Poor interoperability with non-Microsoft platforms
GRE (Generic Routing Encapsulation, IP protocol 47) tunneling, possibly blocked by routers and firewalls

SSL (pseudo)VPN
IPsec VPNs connect networks, or hosts to networks
SSL VPNs connect users to services, i.e., application clients to application servers

Why SSL (pseudo)VPN
No client code to be installed
Usable anywhere (e.g., from a kiosk)
Applications made available through the web browser by deploying HTTPS
Not a general security solution: specific solutions suitable to selected applications

In Summary
SSL VPNs have a good chance of working in any network scenario
TCP or UDP tunneling enables NAT, firewall and router traversal
SSL (pseudo)VPNs enable a universal client (the web browser)

SSL VPN Flavors
Web proxying
Application translation
Port forwarding
SSL'ed protocols
Application proxying
Network extension
Site-to-site connectivity
(On the slide a rotated bracket labelled "Pseudo VPN" groups the first of these flavors.)

Proxying
Client <-HTTPS-> VPN Gateway <-HTTP-> Web server
The VPN gateway downloads web pages through HTTP and ships them to the client through HTTPS
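The step the diagram leaves implicit is link rewriting: a page fetched over HTTP from an internal host is full of links to that host, and the browser on the far side of the gateway cannot reach it, so the gateway has to rewrite every such link to point back through its own HTTPS front end. The following is an added example of that rewriting, not code from the slides or from any product; the host allow-list, the gateway prefix and the sample page are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumptions for the example: the hosts the gateway may fetch on a user's
# behalf (an administrator-configured allow-list) and the gateway's own
# HTTPS prefix. Neither name exists outside this example.
INTERNAL_HOSTS = {"intranet.example.corp", "wiki.example.corp"}
GATEWAY_PREFIX = "https://vpn.example.corp/proxy/"

# Tags whose attribute carries a URL the browser will follow.
URL_ATTRS = {"a": "href", "link": "href", "form": "action",
             "img": "src", "script": "src", "iframe": "src"}


def rewrite_url(url, page_base):
    """Map an internal HTTP link onto the gateway's HTTPS front end.

    Relative links are resolved against the page they appear on. Links to
    hosts outside the allow-list (and non-http schemes such as javascript:)
    are returned unchanged, so the gateway never acts as an open proxy.
    """
    parts = urlsplit(urljoin(page_base, url))
    if parts.scheme not in ("http", "https") or parts.hostname not in INTERNAL_HOSTS:
        return url
    rewritten = f"{GATEWAY_PREFIX}{parts.scheme}/{parts.netloc}{parts.path or '/'}"
    if parts.query:
        rewritten += "?" + parts.query
    if parts.fragment:
        rewritten += "#" + parts.fragment
    return rewritten


class LinkRewriter(HTMLParser):
    """Re-emits the page verbatim except for rewritten URL attributes."""

    def __init__(self, page_base):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.page_base = page_base
        self.out = []

    def _render(self, tag, attrs, closing):
        url_attr = URL_ATTRS.get(tag)
        pieces = []
        for name, value in attrs:
            if value is None:
                pieces.append(name)
                continue
            if name == url_attr:
                value = rewrite_url(value, self.page_base)
            pieces.append(f'{name}="{html.escape(value, quote=True)}"')
        return "<" + tag + "".join(" " + p for p in pieces) + closing + ">"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, ""))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, "/"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_page(page_html, page_base):
    """Rewrite every proxied link in a page fetched from page_base."""
    parser = LinkRewriter(page_base)
    parser.feed(page_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample page, as the gateway would fetch it over plain HTTP.
SAMPLE_PAGE = (
    '<html><body>'
    '<a href="/docs/index.html">Docs</a>'
    '<img src="http://wiki.example.corp/logo.png">'
    '<a href="https://www.example.com/">External</a>'
    '</body></html>'
)

if __name__ == "__main__":
    print(rewrite_page(SAMPLE_PAGE, "http://intranet.example.corp/home/"))
```

Two points matter in practice. The allow-list check in rewrite_url is what keeps the gateway from being turned into an open proxy for arbitrary hosts. And the rewriting only sees URLs that are present in the HTML: URLs assembled by JavaScript at run time are missed, which is one reason the slides treat web proxying as a pseudo-VPN suitable only for selected applications.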

Application Translation
Native protocol between VPN server and application server, e.g., FTP, SMTP, POP
Application user interface rendered as a web page: HTTP(S) between VPN server and client
Not suitable for all applications; look & feel might be lost

Application Translation (diagram)
Client <-HTTPS-> VPN Gateway <-POP3-> Mail server

Port Forwarding (diagram)
Mail client <-POP3 (TCP port 110)-> local Port Forwarder <-POP3 over SSL/HTTPS (TCP port 443)-> VPN Gateway <-POP3 (TCP port 110)-> Mail server

Port Forwarding
Works only with fixed-port protocols
Problems when addresses and ports are carried inside the application-layer protocol (FTP is the classic case)
The SSL-VPN gateway must know the application protocol in order to translate them: application layer gateway (ALG)
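What "translate" means for FTP, as an added example that is not from the slides: the server answers PASV with the address and port of the data connection, and a forwarder that only tunnels the control connection leaves the client trying to reach that internal address directly. The ALG has to parse each PASV reply, reserve a local port that it will map (through the tunnel) onto the announced endpoint, and rewrite the reply before the client sees it. The addresses, port range and reply transcript below are constructed.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the server's data-connection
# endpoint, embedded in the control channel (RFC 959).
PASV_RE = re.compile(rb"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line):
    """Return (host, port) from a PASV reply, or None if the line is not one."""
    m = PASV_RE.match(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):   # malformed octet or port byte
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(host, port):
    """Build the PASV reply the client will see instead of the server's."""
    octets = host.replace(".", ",").encode()
    return b"227 Entering Passive Mode (%s,%d,%d)\r\n" % (octets, port // 256, port % 256)


class PasvAlg:
    """Application layer gateway logic for FTP passive mode.

    The forwarder tunnels the control connection only; the data connection
    the server announces points at an address the client cannot reach.
    Each PASV reply is rewritten to a local port that the forwarder will
    map (through the SSL tunnel) onto the server's announced endpoint.
    """

    def __init__(self, local_host="127.0.0.1", first_port=40000):
        self.local_host = local_host   # where the user's FTP client connects
        self.next_port = first_port    # assumed free local port range
        self.data_maps = {}            # local port -> (server host, server port)

    def rewrite_reply(self, line):
        parsed = parse_pasv(line)
        if parsed is None:
            return line                # any other reply passes through untouched
        local_port = self.next_port
        self.next_port += 1
        self.data_maps[local_port] = parsed
        return format_pasv(self.local_host, local_port)


# Constructed server replies as they would arrive over the tunnelled control
# connection; 10.1.2.3 is the server's private address behind the gateway.
SERVER_REPLIES = [
    b"220 ftp.example.corp ready\r\n",
    b"230 Login successful\r\n",
    b"227 Entering Passive Mode (10,1,2,3,195,80)\r\n",
    b"150 Opening data connection\r\n",
]


def run_demo():
    """Feed the transcript through the ALG; returns (rewritten replies, port map)."""
    alg = PasvAlg()
    return [alg.rewrite_reply(r) for r in SERVER_REPLIES], alg.data_maps
```

The port map is the state the forwarder consults when the client connects to 127.0.0.1:40000: that connection is carried through the tunnel to 10.1.2.3:50000. Active mode (the client's PORT command) and EPSV (RFC 2428) each need their own rewriting rule, which is the practical cost of the slide's point: every protocol that carries endpoints in-band needs its own ALG.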

SSL'ed Protocols
Secure application protocols: protocol-over-SSL
E.g., POP-over-SSL, IMAP-over-SSL, SMTP-over-SSL
Client and server support required
Mail client <-POP-over-SSL (TCP port 995)-> Mail server
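"Client support" is more than opening port 995: the protection only holds if the client verifies the server's certificate and host name, otherwise anyone on the path can terminate the TLS session. The following is an added example using Python's standard poplib (not code from the slides); the ca_file parameter and the placeholder host and credentials are assumptions of the example.

```python
import poplib
import ssl


def make_client_context(ca_file=None):
    """TLS settings a mail client should use for POP-over-SSL.

    create_default_context() requires a certificate chaining to a trusted CA
    and checks that the certificate matches the host name; ca_file lets a
    private CA (e.g. the one issuing the mail server's certificate) be used.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_policy(ctx):
    """Summarise the verification policy of a context as plain values."""
    return ctx.verify_mode.name, ctx.check_hostname, ctx.minimum_version.name


def mailbox_status(host, user, password, ca_file=None, starttls=False):
    """Log in over TLS and return (message count, mailbox size in octets).

    Needs a reachable server. starttls=False: implicit TLS on port 995
    (POP3S). starttls=True: connect to port 110 and upgrade with STLS
    (RFC 2595) before sending any credential.
    """
    ctx = make_client_context(ca_file)
    if starttls:
        conn = poplib.POP3(host, 110, timeout=10)
        conn.stls(context=ctx)
    else:
        conn = poplib.POP3_SSL(host, 995, timeout=10, context=ctx)
    try:
        conn.user(user)
        conn.pass_(password)   # only after the channel is verified and encrypted
        return conn.stat()
    finally:
        conn.quit()


# Usage (placeholder host and credentials, requires a real server):
#   mailbox_status("mail.example.corp", "alice", "s3cret")
#   mailbox_status("mail.example.corp", "alice", "s3cret", starttls=True)
```

The STLS variant shows the other shape "SSL'ed protocol" takes: the same port as the plaintext protocol, with an in-band upgrade. In that case the client must refuse to send USER/PASS if the upgrade fails, which is why the credentials are only sent after stls() returns.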

Application Proxying
Compatibility with older servers that lack SSL support
Client points at the SSL-VPN gateway
Mail client <-POP-over-SSL (TCP port 995)-> SSL-VPN Gateway <-POP3 (TCP port 110)-> Mail server
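The gateway in this flavor is a TLS-terminating relay: POP-over-SSL on the client side, plaintext POP3 to the legacy server. The following is an added example of that relay (not code from the slides or from any vendor); the certificate files, addresses and the stand-in POP3 server are constructed, and the offline demo runs over loopback without TLS, which is exactly where a real gateway would pass the context from gateway_tls_context.

```python
import socket
import ssl
import threading


def gateway_tls_context(certfile, keyfile):
    """Server-side TLS for the client-facing port 995.
    certfile/keyfile are assumed to be the gateway's own certificate and key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def relay(src, dst):
    """Copy bytes src -> dst until EOF, then tear down both sockets so the
    thread relaying the other direction unblocks as well."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def handle_client(client, upstream_addr):
    """One proxied session: the upstream leg is plaintext POP3."""
    try:
        upstream = socket.create_connection(upstream_addr, timeout=10)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    t = threading.Thread(target=relay, args=(upstream, client), daemon=True)
    t.start()
    relay(client, upstream)
    t.join()


def serve_proxy(listen_addr, upstream_addr, tls_ctx=None):
    """Accept loop in a background thread; returns the bound (host, port).
    With tls_ctx the client side is TLS; the upstream side stays plaintext."""
    srv = socket.create_server(listen_addr)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            if tls_ctx is not None:
                try:
                    conn = tls_ctx.wrap_socket(conn, server_side=True)
                except OSError:        # failed handshake: drop the connection
                    conn.close()
                    continue
            threading.Thread(target=handle_client, args=(conn, upstream_addr),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def fake_pop3_server():
    """Constructed stand-in for a legacy plaintext POP3 server."""
    srv = socket.create_server(("127.0.0.1", 0))

    def session(conn):
        conn.sendall(b"+OK POP3 ready\r\n")
        with conn, conn.makefile("rb") as lines:
            for line in lines:
                cmd = line.strip().upper()
                if cmd.startswith((b"USER ", b"PASS ")):
                    conn.sendall(b"+OK\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"+OK bye\r\n")
                    break
                else:
                    conn.sendall(b"-ERR unknown command\r\n")

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=session, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def demo_session():
    """Offline run over loopback; returns the three server replies the client sees."""
    upstream = fake_pop3_server()
    proxy = serve_proxy(("127.0.0.1", 0), upstream)   # tls_ctx omitted offline
    with socket.create_connection(proxy, timeout=5) as c, c.makefile("rb") as lines:
        greeting = lines.readline()
        c.sendall(b"USER alice\r\nQUIT\r\n")
        return [greeting, lines.readline(), lines.readline()]
```

The relay is protocol-agnostic, which is the attraction of this flavor, but it has two consequences a deployment must account for: the leg from the gateway to the old server is still plaintext and must stay inside a trusted network, and the gateway, not the mail server, is what the client's certificate check verifies.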

Network Extension
Client host (FTP, POP3 clients) <-Tunnel over SSL, carrying any application traffic-> VPN Gateway -> FTP, POP3 servers

Products and Vendors
OpenVPN (openvpn.net)
AEP
F5 Networks
NetScreen Technologies
Netilla
Nokia
Symantec
Whale Communications

Main Issues
Interoperability
Product-specific features
Implementation weaknesses
Availability of clients on specific platforms