
IPsec and SSL VPN’s: Solving Remote Access Problems
Joel M Snyder, Senior Partner, Opus One, Inc.


Slide 1: IPsec and SSL VPN’s: Solving Remote Access Problems
Joel M Snyder, Senior Partner, Opus One, Inc.
jms@opus1.com

Slide 2: Joel’s Definition of an “SSL VPN”
“An SSL VPN uses SSL and proxies to provide authorized and secure access for end-users to Web, client/server, and file sharing resources.”

Slide 3: Six Basic Requirements of an SSL VPN
- Proxy access and protocol conversion
  - End user HTTPS to proxy; proxy HTTP[S] to resources
  - Application translation (e.g., HTTPS to SMB/CIFS)
- Clientless (sic) Access
  - Works within the browser
  - No thick/thin client required
- Remote-access Orientation
  - No site-to-site
  - Designed with simplicity and ease-of-use over security
- Extranet Support
  - End-user has only a casual connection to resource
- Highly Granular Access Controls
  - Primarily a security appliance, not an access method
- SSL Transport

Slide 4: Where did SSL VPNs come from?
(Chart: the horizontal axis runs from Very Small Organizational Scope to Very Broad Organizational Scope, through Workgroup, Department, Multiple Departments, Organizational Unit, Multi-unit enterprise and Multiple/Many Enterprises; the vertical axis runs from Very Specific Problem to Very General Problem. Plotted technologies: MPLS, IPsec, PPTP, IPsec RA and SSL RA, grouped by what they connect: Connect Buildings, Connect Subnets, Connect Applications.)

Slide 5: SSL VPNs operate in four different modes
- Proxy
- Application Translation
- Port Forwarding
- Network Extension
Listed in order of simplicity and usability, from simplest and most usable to most complex and difficult. Not every SSL VPN product supports all four modes; the list is also in order of support, from most supported to least.

Slide 6: HTTP proxy is the heart of SSL VPN
(Diagram: Business Partner, Mobile Worker and Teleworker each hold an SSL session (HTTPS) across the Internet to the SSL VPN Gateway; the gateway speaks HTTP to the Web-based Applications and checks credentials with the Authentication Server.)
User:
- Launch browser
- Authenticate gateway
- Supply credentials
- Issue page requests over SSL
- Receive responses over SSL
SSL VPN gateway:
- Verify user’s credentials via Auth Server
- Confirm user is authorized to access resource requested
- Translate URLs
- Forward HTTP[S] requests to server
- Accept server’s HTTP[S] response
- Rewrite HTML, Javascript, etc.
- Forward responses over SSL to user

Slide 7: Application Translation converts to HTTP
(Diagram: Mobile Worker and Teleworker hold an SSL session across the Internet to the SSL VPN Gateway, which delivers HTML to the user and speaks the native protocols to the back ends: SMB/CIFS, NFS, FTP, IPX… to a File Server; Telnet, POP, IMAP, RDC to a Telnet Server and similar hosts.)
User:
- Launch browser
- Authenticate gateway
- Supply credentials
- View web pages which look suspiciously like directories
- Click on links and download or upload files
SSL VPN Gateway:
- Verify user’s credentials
- Confirm user authorized to read/write particular resource (file, directory, server)
- Connect to File Server using native protocol
- Obtain requested resource from File Server
- Translate from native protocol to HTML
- Send data back to user over HTTPS

Slide 8: Port Forwarding Encapsulates in SSL
(Diagram: an LDAP Client on the user’s machine connects to a Port Forwarding Listener (PFL) running in the browser; the PFL carries LDAP inside SSL to the SSL VPN Gateway, whose Port Forwarding Receiver (PFR) connects to the LDAP Server using plain LDAP.)
User:
- Launch browser; connect to gateway; authenticate; launch port forwarding listener (PFL)
- Launch Application which connects back to PFL
- PFL builds SSL tunnel to GW and encapsulates traffic
SSL VPN Gateway:
- Verify user
- Start port forwarding receiver (PFR)
- Receive connect from PFL and verify access to resource is allowed
- Connect to application server using selected protocol
- Act as network layer gateway
- Send data back to PFL over SSL

Slide 9: The Buzzword Spin Begins… “it’s not a client, it’s a thin client”
(Diagram: Teleworker across the Internet to the SSL VPN Appliance, which fronts a Citrix Server and an Authentication Server.)
- User establishes SSL session
- User connects to application over “shim”
- Appliance uploads “agent” software to user browser
- User accesses “redirected” application over SSL
- Agents that provide (generic) port forwarding can be “temporary” Java or ActiveX controls, or Win32 apps
- SSL VPN appliance does port forwarding of native application

Slide 10: Network Extension looks suspiciously like some other VPN
(Diagram: a VoIP Client on the user’s machine sends SIP+RTP through the TCP/IP stack and a Patch to OS, which carries the traffic inside SSL to the SSL VPN Gateway; the gateway passes SIP+RTP on to a SIP Proxy and SIP End Point.)
User:
- Download some client that patches their operating system
- Run client and patch O/S; authenticate; connect to GW
- Run application
- Patched O/S builds SSL tunnel to encapsulate traffic to GW
SSL VPN Gateway:
- Receive Transport-Layer Tunnel Connect
- Authenticate user; verify access
- Connect to application server using selected protocol
- Act as network layer gateway
- Send data back to client over SSL

Slide 11: Once upon a time, there was a little SSL VPN gateway…

Slide 12: Authentication: Link to your Authentication Servers
(Diagram: the SSL VPN gateway linked to LDAP and RADIUS servers.)
- All SSL VPN deployments link to external authentication servers
- Common examples are RADIUS (which would include SecurID-type services) and LDAP
- Advanced devices talk directly to Windows via Kerberos
- Certificate-based authentication is a possibility, but is unusual

Slide 13: Authentication Servers provide multiple bits of information
(Diagram: LDAP and RADIUS servers.)
- RADIUS
  - Whether the user is properly authenticated
  - Some RADIUS attributes that might be useful for assigning group information
- LDAP
  - Whether the user is properly authenticated
  - Object attributes for groups (or) “memberOf” type data that identifies groups

Slide 14: Group information is critical to definition of roles
- A “role” is a critical access control element
- Role definitions vary widely… but they are the “macro” elements that you use in defining your access control lists
- Roles often include
  - Username information
  - Group information
  - Environment information (time of day, IP address)
  - End Point Security Status information (virus scanner loaded, personal firewall active)

Slide 15: Roles are part of the ACL tuple
(Diagram: Authentication (LDAP, RADIUS) feeds Roles.)

Slide 16: Next, identify your resources
(Diagram: Authentication (LDAP, RADIUS), Roles.)
- Web services
- File servers and services and protocols
- Other applications (TCP-based, incoming)
- Network resources (IP-based, bi-directional)

Slide 17: Resources are the second part of the ACL tuple
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs.)
- Web services
- File servers and services and protocols
- Other applications (TCP-based, incoming)
- Network resources (IP-based, bi-directional)

Slide 18: Finish the ACL tuple by defining access control rules
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs.)
- Normally, rules match roles and resources
- Sometimes, the role will be extended or other information will be part of the access control decision

Slide 19: ACL rules are usually simple Yes or No decisions
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Rule.)
- Normally, rules match roles and resources
- Sometimes, the role will be extended or other information will be part of the access control decision

Slide 20: Finally, tune up the portal
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Rule.)
- The portal is the user “face” to the SSL VPN device
- Things like short cuts, layout, logos and icons seem to be very important to some users

Slide 21: Somewhere in your SSL VPN is an HTTP munger
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Rule.)
- HTML comes into the SSL VPN device
- SSL VPN must look at, interpret, and edit the HTML
- This is not as easy as it looks
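The URL translation and HTML rewriting that slides 6 and 21 describe, as an added example (not from Joel's slides or from any product): a minimal rewriter that folds internal hosts into an assumed https://vpn.example.test/proxy/<scheme>/<host> namespace, plus the check a gateway operator would want for the URLs such a rewriter misses. The gateway name, the internal host list and the sample page are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed names: the gateway's external name and the internal web hosts it
# proxies (constructed for this example; not from the slides).
GATEWAY = "https://vpn.example.test"
INTERNAL_HOSTS = {"intranet.corp.test", "files.corp.test"}

# href/src/action attribute values in the backend's HTML
ATTR_RE = re.compile(r"""(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2""", re.I | re.S)
# Leak check: any absolute URL to an internal host that survived rewriting
LEAK_RE = re.compile(r"""https?://(?:%s)[^\s"'<>]*"""
                     % "|".join(re.escape(h) for h in sorted(INTERNAL_HOSTS)))

def rewrite_url(url, page_scheme, page_host):
    """Map one URL from a backend page into the gateway's proxy namespace
    (assumed layout: https://gateway/proxy/<scheme>/<host><path>)."""
    p = urlsplit(url)
    if p.scheme in ("http", "https") and p.netloc in INTERNAL_HOSTS:
        tail = ((p.path or "/") + ("?" + p.query if p.query else "")
                + ("#" + p.fragment if p.fragment else ""))
        return f"{GATEWAY}/proxy/{p.scheme}/{p.netloc}{tail}"
    if not p.scheme and not p.netloc and url.startswith("/"):
        # site-relative: belongs to the server this page came from
        return f"{GATEWAY}/proxy/{page_scheme}/{page_host}{url}"
    # external hosts are left alone; document-relative URLs resolve against
    # the already-rewritten page URL, so they need no change either
    return url

def rewrite_html(html, page_scheme, page_host):
    """Rewrite link attributes; URLs assembled inside script are not seen."""
    return ATTR_RE.sub(
        lambda m: m.group(1) + m.group(2)
        + rewrite_url(m.group(3), page_scheme, page_host) + m.group(2), html)

def find_unrewritten(html):
    """Internal URLs the rewriter missed (e.g. built by JavaScript)."""
    return LEAK_RE.findall(html)

# Constructed sample page, as it might come back from intranet.corp.test
SAMPLE = """<html><body>
<a href="https://intranet.corp.test/hr/index.html">HR</a>
<img src='/images/logo.png'>
<form action="http://files.corp.test/upload?dir=a#top"></form>
<a href="https://www.example.com/">external</a>
<script>var u = "https://intranet.corp.test/api/" + id;</script>
</body></html>"""

if __name__ == "__main__":
    out = rewrite_html(SAMPLE, "https", "intranet.corp.test")
    print(out, "\nmissed:", find_unrewritten(out))
```

The script-built URL is exactly the kind of case the slide means by "not as easy as it looks": it reaches the browser unrewritten and the request goes straight to the internal host, which the gateway never sees.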

Slide 22: Application Translation requires pieces to do the translation work
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Rule; protocol handlers for SMB, FTP, NFS and HTTP.)

Slide 23: Port Forwarding uses the same SSL connection but a different handler
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Rule; handlers for SMB, FTP, NFS, HTTP and the PFR.)

Slide 24: Network extension is a whole different VPN
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Rule; handlers for SMB, FTP, NFS, HTTP and the PFR.)

Slide 25: Email Listeners sit on entirely different ports
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Rule; handlers for SMB, FTP, NFS, HTTP, the PFR, and POP, IMAP and SMTP listeners.)
- Some SSL VPN devices can act as “front end” security gateways to existing POP/IMAP/SMTP servers

Slide 26: Environmental Variables extend the ACL tuple
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Env, Rule; handlers for SMB, FTP, NFS, HTTP, the PFR, POP, IMAP and SMTP; the client IP feeds Env.)

Slide 27: Integration with End Point Security tools is a clear direction
(Diagram: Authentication (LDAP, RADIUS), Roles, Rsrcs, Env, Rule; handlers for SMB, FTP, NFS, HTTP, the PFR, POP, IMAP and SMTP; the client IP and an End Point Security check, backed by an EPS Policy Server, both feed Env.)
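The ACL tuple that slides 14 through 27 build up, as an added example (not from the slides): roles derived from LDAP/RADIUS group data, resources, simple yes/no rules, and the environment and end point security conditions that extend them. The group names, rules, addresses and time windows are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed mapping from authentication-server group data (LDAP memberOf
# values here; RADIUS attributes would feed the same table) to roles.
GROUP_ROLES = {
    "cn=staff,ou=groups,dc=corp,dc=test": "employee",
    "cn=partners,ou=groups,dc=corp,dc=test": "partner",
    "cn=it,ou=groups,dc=corp,dc=test": "admin",
}
@dataclass
class Env:                 # environmental part of the tuple (slides 26-27)
    src_ip: str
    now: time
    av_loaded: bool        # end point security status from the EPS check
    firewall_active: bool
@dataclass
class Rule:                # one ACL entry: role + resource -> yes/no
    role: str
    resource: str          # e.g. "web:intranet", "file:finance", "net:10.0.0.0/8"
    allow: bool
    hours: tuple = ()      # optional (start, end) time-of-day window
    networks: tuple = ()   # optional permitted source networks
    require_eps: bool = False

# Constructed rule set; first matching rule wins, default deny
RULES = [
    Rule("employee", "web:intranet", True),
    Rule("employee", "file:finance", True, require_eps=True),
    Rule("partner", "web:extranet", True, hours=(time(7), time(19))),
    Rule("admin", "net:10.0.0.0/8", True, networks=("192.0.2.0/24",), require_eps=True),
]

def roles_for(groups):
    """Derive roles from the groups the auth server returned."""
    return {GROUP_ROLES[g] for g in groups if g in GROUP_ROLES} | {"authenticated"}

def applies(r, roles, resource, env):
    """Does rule r match this request, including its environmental conditions?"""
    return (r.resource == resource and r.role in roles
            and (not r.hours or r.hours[0] <= env.now <= r.hours[1])
            and (not r.networks
                 or any(ip_address(env.src_ip) in ip_network(n) for n in r.networks))
            and (not r.require_eps or (env.av_loaded and env.firewall_active)))

def decide(groups, resource, env):
    """Evaluate the ACL tuple: (allowed, index of deciding rule); default deny."""
    roles = roles_for(groups)
    for i, r in enumerate(RULES):
        if applies(r, roles, resource, env):
            return r.allow, i
    return False, None
```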

Slide 28: How do I choose between SSL VPN and IPsec VPN?
- Obvious cases where SSL VPN wins
  - HTTP-based applications
  - “Can’t touch the client”; Extranet
- Obvious cases where IPsec VPN wins
  - Site-to-site VPN
- The Fighting Ground
  - Network Extension
  - “One Box to Rule Them All”
  - Corner, Edge, and Hard cases

Slide 29: SSL VPN Technology: What is an SSL VPN and why are they interesting?
Joel M Snyder, Senior Partner, Opus One, Inc.
jms@opus1.com

