SSL VPN Technology White Paper

Transcription

1 SSL VPN Technology White Paper Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and application scenarios. Acronyms: Acronym AD CA HTTPS LDAP RADIUS SMB SSL VPN Full spelling Active Directory Certificate Authority HTTP Security Lightweight Directory Access Protocol Remote Authentication Dial-In User Service Server Message Block Secure Sockets Layer Virtual Private Network Hewlett-Packard Development Company, L.P. 1

2 Table of Contents Overview 3 Background 3 Benefits 3 SSL VPN Implementation 4 Concepts 4 SSL VPN System Components 5 Operation of SSL VPN 6 SSL VPN Access Modes 8 Web Access 9 TCP Access 10 IP Access 11 Comware V5 Technical Characteristics 12 Clients Requiring No Manual Installation and Maintenance 12 Support for Multiple Authentication Methods 13 Rich and Flexible Security Policies 13 Granular Resource Access Control 13 Application Scenarios 14 Remote Access 14 SSL VPN Gateway Sharing Application Scenario 15 SSL VPN Networking Modes 16 Hewlett-Packard Development Company, L.P. 2

3 Overview Background With the popularity of the Internet and fast development of E-commerce, more and more enterprises and organizations need to allow employees, users, and partners to access the internal resources from any place at any time, so as to save time and improve efficiency. However, some users may be illegal and some remote hosts may not be secure, bringing potential security threats to internal networks. Security VPN (SVPN) technologies are commonly used to solve this problem. They provide a secure access mechanism, which can well protect the internal networks resources. SVPN technologies mainly include IPsec VPN and SSL VPN. Due to the limitations in way of implementing IPsec VPN, IPsec VPN has the following disadvantages. It requires complicated client software installation on user hosts. There are various user hosts, which are often mobile. The mobility requires fast client-side VPN deployment, while the diversity requires the VPN client software to support multiple platforms and be easy to upgrade and maintain. However, IPsec VPN cannot satisfy the above requirements. IPsec VPN cannot evaluate the security of user hosts. If users use insecure hosts to access the corporate network, the corporate network may be infected by viruses. IPsec VPN cannot provide strict and granular access control. As IPsec is implemented at the network layer and cannot identify contents of the IP packets, it cannot control access requests from higher layers. In addition, to improve efficiency, enterprises need to establish extranets to exchange information and share resources with partners. Therefore, the enterprises need to control accesses of the partners effectively and strictly to ensure security of the enterprise information system. However, IPsec VPN cannot control access rights. IPsec VPN is difficult to be deployed in complicated networking environments. For example, in a scenario using NAT, you need to configure NAT traversal for IPsec VPN; in a scenario using firewalls, you need to configure the firewalls to permit IPsec packets to pass, for IPsec headers are added in front of the original TCP/UDP headers. Benefits In a word, IPsec VPN is suitable for scenarios where connections are fixed and strict access control is not required. It cannot satisfy the requirements of mobile accesses and precise access control. Compared with IPsec VPN, SSL VPN can better satisfy the technical and management requirements of remote access. SSL VPN supports multiple platforms, requires no manual installation and maintenance of clients, and provides flexible and effective access right management. Therefore it is more and more popular in the remote access market. The following section details the advantages of SSL VPN. SSL VPN is a VPN technology based on Secure HTTP (HTTPS, that is, SSL-supported HTTP). Using the certificate-based identity authentication, data encryption and integrity verification mechanisms that the SSL protocol provides, SSL VPN can establish secure connections for remote users to access the corporate network. SSL VPN features these advantages: Hewlett-Packard Development Company, L.P. 3

4 Support for various application protocols. SSL works between the transport layer and the application layer. Any application can be secured by SSL VPN without knowing the details of SSL VPN. Support for various software platforms. At present, SSL has become a global standard for identity authentication of websites and webpage viewers and encrypted communication between Web browsers and Web servers. The SSL protocol has been integrated into most of the browsers, such as IE, Netscape, and Firefox. This means that almost every PC installed with a browser supports SSL connections. SSL VPN clients are based on the SSL protocol. Hence, most of the software running environments can act as the SSL VPN client. Automatic installation and uninstallaion of the client software. In applications where specific client software is required, SSL VPN allows the operating system to download and install the client software automatically and, when the SSL VPN connection is closed, uninstall and delete the client software automatically. Security evaluation of client hosts. SSL VPN can evaluate the security status of remote hosts, so as to determine whether the remote hosts are safe enough to access the enterprise network. Dynamic authorization. Traditional right control authorizes users mainly by user identity. A user is always authorized with the same right no matter where the user is when logging in to the network. This authorization mode is called static authorization. Dynamic authorization authorizes a user based on not only the user identity but also the security status of the host used by the user. This allows dynamic control of the user access right. The more secure the remote host is, the higher access right the SSL VPN will grant the user. Multiple user authentication methods and granular access control. The SSL VPN gateway supports various user authentication methods and granular access control, implementing controlled access of external users to the internal resources. Deploying SSL VPN does not impact the existing network. As the SSL protocol works over the transport layer, it does not change the IP header or TCP header. Therefore, SSL packets are transparent for NAT. Meanwhile, SSL always uses port 443. You just need to open port 443 on firewalls instead of modifying settings on the firewalls according to different application protocols. This not only reduces the workload of network administrators but also improves the network security. Independent resource access control of domains sharing the same SSL VPN gateway. SSL VPN allows enterprises or departments of an enterprise share an SSL VPN gateway, so as to reduce costs. In this case, you can configure multiple domains on the gateway, each of which is for a single enterprise or department to control its resources and users independently. By creating multiple domains, you can divide a physical SSL VPN gateway into several logical SSL VPN gateways. SSL VPN Implementation Concepts SSL VPN users include super administrators, domain administrators, and common users. Hewlett-Packard Development Company, L.P. 4

5 Super administrator: Manager of the entire SSL VPN gateway. A super administrator can create domains and set the passwords of domain administrators. Domain administrator: Manager of an SSL VPN domain. A domain administrator can create local users and resources, and specify the access right for the users. Common SSL VPN user: Simply called user, referring to users accessing network resources through the SSL VPN system. The resource access right of a user is assigned by the domain administrator. SSL VPN System Components Figure 1 Architecture of SSL VPN Figure 1 shows a typical SSL VPN network. The SSL VPN system consists of the following components: Remote host: Terminal from which an administrator or user log in to the network, such as a PC, mobile phone, and PDA. SSL VPN gateway: An important component of the SSL VPN system. Administrators maintain the information of users and internal resources on the SSL VPN gateway. Users can view the resources that can be accessed on the SSL VPN gateway. The SSL VPN gateway forwards packets between remote hosts and the internal servers. An SSL connection is established between the SSL VPN gateway and a remote host to ensure the security of data transmission. Internal servers: Servers of any type, for example, Web server and FTP server; or hosts in the enterprise network that need to communicate with a remote host. CA: Certificate authority. CA issues a digital certificate, which contains the public key, for the SSL VPN gateway. This is for the SSL VPN gateway to pass identity authentication on the remote host and establish an SSL connection with the remote host. Authentication server: External authentication server for remote user authentication. The SSL VPN gateway supports not only local user authentication but also remote user authentication through an external authentication server. Hewlett-Packard Development Company, L.P. 5

6 Operation of SSL VPN The following describes the operation of SSL VPN: The supper administrator creates domains on the SSL VPN gateway. The domain administrators create users and resources corresponding to the internal servers on the SSL VPN gateway. Users access the internal servers through the SSL VPN gateway. Creating domains Figure 2 Creates domains Super admininstrator SSL VPN gateway Internal servers Internet LAN 1) Establish an SSL connection with the SSL VPN gateway and enter the login page of the SSL VPN gateway 2) Input the username and password to pass authentication and enter the Web interface of the SSL VPN gateway 3) Create domains on the SSL VPN gateway As shown in Figure 2, a supper administrator goes through three steps to create domains: 1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears. 2. Input the username (including the authentication method) and password on the login page of the SSL VPN gateway Web interface. The SSL VPN gateway will authenticate the super administrator by using the input information. After passing the identity authentication, the super administrator enters the Web interface of the SSL VPN gateway. 3. Create domains on the SSL VPN gateway and set the passwords of the domain administrators. Hewlett-Packard Development Company, L.P. 6

7 Creating users and resources corresponding to the internal servers Figure 3 Create users and resources corresponding to the internal servers As shown in Figure 3, a domain user goes through the following three steps to create users and resources corresponding to the internal servers: 1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears. 2. Input the username (including the authentication method) and password on the login page of the SSL VPN gateway Web interface. The SSL VPN gateway will authenticate the domain administrator by using the input information. After passing the identity authentication, the domain administrator enters the Web interface of the SSL VPN gateway. 3. Create users and resources corresponding to the internal servers, and specify the resource access rights for the users. Hewlett-Packard Development Company, L.P. 7

8 Accessing internal servers Figure 4 Access internal servers As shown in Figure 4, a user goes through the following steps to access the internal servers: 1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears. 2. Input the username (including the authentication method) and password. The SSL VPN gateway will authenticate the user identity by using the input information. After passing the identity authentication, the user enters the Web interface of the SSL VPN gateway. 3. View the list of available resources, such as Web server resources and file sharing resources. 4. Select the resource to access and send the access request to the SSL VPN gateway through the SSL connection. 5. The SSL VPN gateway resolves the request, checks the access right of the user and, if the user is authorized to access the resource, forwards the request to the corresponding server in plaintext. 6. The server sends the reply in plaintext to the SSL VPN gateway. 7. After receiving the reply, the SSL VPN gateway forwards the reply to the user through the SSL connection. SSL VPN Access Modes SSL VPN provides three access modes: Hewlett-Packard Development Company, L.P. 8

9 Web access TCP access IP access Users can use different access modes to access different types of resources. In different access modes, the data forwarding procedures between the remote host, SSL VPN gateway, and internal servers are different. The following sections describe the three access modes in details. Web Access Web access allows users to access server resources through the SSL VPN gateway by using browsers in HTTPS mode. In this mode, all data operations are performed on Web pages. Resources for web-based accesses include Web server resources and file sharing resources. Web server resources Web servers provide services to users through Web pages. Users can get the desired information by simply clicking the links on the pages. SSL VPN provides secure connections for users to access Web servers and can prevent illegal users from accessing the protected Web servers. Figure 5 Access Web server resources As shown in Figure 5, during Web server access, the SSL VPN gateway mainly acts as a relay. 1. After receiving the HTTP request from a user, the SSL VPN gateway finds the required resource according to the URL in the HTTP request, and then forwards the HTTP request to the Web server that provides the required resource. 2. After receiving the HTTP reply from the server, the SSL VPN gateway changes the webpage links pointing to the internal network to links pointing to the SSL VPN gateway before forwarding it to the user, so that the user has to access the internal resources through the SSL VPN gateway. In this way, the SSL VPN gateway protects the security of the internal network and implements access control of users. During the whole process, in the perspective of the user, all HTTP replies are from the SSL VPN gateway; while in the perspective of the Web server, all HTTP requests are initiated by the SSL VPN gateway. File sharing resources File sharing is a common network application. An example is the application of Shared Documents folder provided by the Windows operating system. File sharing allows users to perform file operations on a remote server or host, such as browsing files and uploading and downloading files. The SSL VPN gateway provides the file sharing resources to users through Web. As shown in Figure 6, the SSL VPN gateway acts as the protocol converter between the remote host and the file server. Hewlett-Packard Development Company, L.P. 9

10 1. The remote host and the SSL VPN gateway communicate through HTTPS. The remote host sends the user request of accessing file sharing resources to the SSL VPN gateway through an HTTPS packet. 2. The SSL VPN gateway and the file server communicate through SMB. After receiving the request packet from the remote host, the SSL VPN gateway converts it into an SMB packet and then sends the packet to the filer server. 3. After receiving the reply packet from the file server, the SSL VPN gateway converts the packet into an HTTPS packet and then sends the packet to the remote host. Figure 6 Access shared file resources TCP Access TCP access is used to support TCP applications on remote hosts to access open ports on internal servers securely. TCP access allows users to access any TCP-based services, including remote access services (such as Telnet), desktop sharing services, and mail services. To access internal servers in TCP access mode, users do not need to upgrade existing TCP programs. However, a dedicated TCP access client is required. The client uses an SSL connection to transmit the application layer data. As shown in Figure 7, a user goes through the following steps to access TCP-based services: 1. Launch TCP application on the remote host, which automatically downloads the TCP access client software from the SSL VPN gateway. 2. Click a resource link on the Web interface of the SSL VPN gateway or launches a TCP program, such as opening the remote desktop connection program to connect to an internal server, the TCP access client will automatically establish an SSL connection with the SSL VPN gateway and use an extended HTTP message to request access to the resource. 3. The SSL VPN gateway establishes a TCP connection with the internal server that provides the resource. 4. After the TCP connection is established successfully, the TCP access client sends the user access data to the SSL VPN gateway through the SSL connection. Then, the SSL VPN gateway obtains the application layer data and sends the data to the internal server through the TCP connection. 5. After receiving the reply from the internal server, the SSL VPN gateway forwards the reply to the TCP access client through the SSL connection. The client will then obtain the reply data and forward the data to the application program. Hewlett-Packard Development Company, L.P. 10

11 Figure 7 Access internal servers in TCP access mode Host SSL VPN gateway Application server SSL Application TCP access client SSL VPN gateway Internal server Connection establishment Data transmission 1) Initiate a TCP connection 6) TCP connection established 7) Send application layer data 12) Forward the reply to the application 2) Establish an SSL connection with the SSL VPN gateway and then send an extended HTTP message to request access to a resource 5) Return a message to inform the client of the success 8) Forward the application layer data to the SSL VPN gateway through the SSL connection 11) Send the reply to the client through the SSL connection 3) Establish a TCP connection with the internal server 4) TCP connection established successfully 9) Forward the application layer data to the internal server through the internal network 10) Reply IP Access IP access is used to implement secure communication between a remote host and an internal server at the network layer, and thereby, it implements all IP-based intercommunication between remote hosts and internal servers. For example, ping an internal server from a remote host. When a user accesses an internal server in IP access mode, a dedicated IP access client is required, which will install a virtual network interface card (VNIC) on the remote host. As shown in Figure 8, a user goes through the following steps to access IP-based resources. 1. Launch the IP application on the remote host, which then automatically downloads the IP access client software from the SSL VPN gateway. Then, the IP access client establishes an SSL connection with the SSL VPN gateway, installs a VNIC on the host, requests an IP address for the VNIC, sets the gateway IP address, and installs routes with the outbound interfaces being the VNIC. 2. Click a resource link on the Web interface of the SSL VPN gateway or execute an IP access command, such as the ping command, to access an IP network resource, the IP packet will be routed to the VNIC, and then encapsulated and sent by the VNIC to the SSL VPN gateway through the SSL connection. 3. After receiving the packet, the SSL VPN gateway de-encapsulates the packet into the IP packet and sends the IP packet to the corresponding server. Hewlett-Packard Development Company, L.P. 11

12 4. After receiving a reply from the server, the SSL VPN gateway encapsulates the reply packet and then sends the packet to the IP access client through the SSL connection. 5. The client de-encapsulates the packet and then delivers the IP packet through the VNIC to the host for processing. Figure 8 Access internal servers in IP access mode Comware V5 Technical Characteristics Clients Requiring No Manual Installation and Maintenance The client software running on remote hosts includes: SSL-supporting Web browser: At present, most operating systems provide browsers that support SSL. Hence, users can use such browsers to access internal servers in Web mode Host checker: Used to evaluate the security status of remote hosts. When a user logs in, the remote host will automatically download and install the host checker. Cache cleaner: When a user quits the SSL VPN system, the cache cleaner clears the temporary files, configuration files and downloaded client software used during the SSL VPN communication, avoiding system information leakage. When a user logs in, the remote host will automatically download and install the cache cleaner. Hewlett-Packard Development Company, L.P. 12

13 TCP access client: Client software used in TCP access mode. IP access client: Client software used in IP access mode. Except the Web browsers, other client software is all to be downloaded from the SSL VPN gateway. The client software requires no manual installation and maintenance. They are downloaded, installed, configured, and used to establish connections automatically. Support for Multiple Authentication Methods SSL VPN supports four authentication methods: Local authentication: The network administrator configures local users on the SSL VPN gateway. The SSL VPN gateway authenticates a user by comparing the input username and password with those locally saved. RADIUS authentication: User information is saved on the RADIUS server. The SSL VPN gateway serves as the RADIUS client and exchanges authentication messages with the RADIUS server to authenticate users. LDAP authentication: User information is saved on the LDAP server. The SSL VPN gateway serves as the LDAP client to query user information on the LDAP server to authenticate users. Active Directory (AD) authentication: LDAP authentication implemented by Microsoft. A user uses a browser to enter the login page of the Web interface of the SSL VPN gateway, inputs the username, password, and authentication method, and then the information will be sent to the SSL VPN gateway through an SSL connection, ensuring the security of data transmission. After the SSL VPN gateway receives the login information, it authenticates the user according to the authentication method. The authentication methods provided by the SSL VPN gateway are simple, universal, and of good extensibility. Rich and Flexible Security Policies Insecure remote hosts may bring potential security threats to the internal network. Host checking is a good practice to avoid such threats. When a host logs in to the SSL VPN gateway, the host checker can check the host s operating system and its patches, version and patches of the browser, version of the firewall, and version of the anti-virus software, and then determines which resources the host can access based on the checking results. You can configure security policies on the SSL VPN gateway, so as to configure the security checking method, define the checking items, and specify the protected resources, ensuring that only remote hosts that satisfy the security policies can access the corresponding resources. Granular Resource Access Control The resource access control mechanism of SSL VPN can control user access rights flexibly, implementing granular resource access control. A super administrator creates domains and specifies passwords for the domain administrators. The domain administrators create resources and users of their own domains, add resources into resource Hewlett-Packard Development Company, L.P. 13

14 groups, add users into user groups, and then specify the resource groups that can be accessed by each user group. In addition, the SSL VPN gateway can perform security checking on remote hosts. After a user logs in, the SSL VPN gateway determines the resource groups allowed to be accessed by the user based on the security checking results and the user groups to which the user belongs. In this way, the SSL VPN gateway implements flexible and granular resource access control. Application Scenarios Remote Access Figure 9 Network diagram for remote access application Mobile employee Network access terminal Mobile phone SSL VPN gateway Internet Partner Enterprise network Dwelling house Hotel As shown in Figure 9, SSL VPN has many advantages in remote access application. It is suitable for various complicated networking scenarios. Compared with IPsec VPN, SSL VPN is especially suitable for the following scenarios: Dynamic remote access: Users use various terminals to access the enterprise network through the Internet from any place at any time. Scenarios where remote hosts are not surely secure: Users use public computers in, for example, cybercafes or hotels to access the enterprise network. Public computers are insecure as they are more likely to be attacked and infected with viruses Users with different access rights: Remote users using the Extranet may be employees, partners, or other personnel. The resources that can be accessed by different users are different. Various running environments on remote terminals: Different remote terminals may use different operating systems and applications to access the enterprise network. Hewlett-Packard Development Company, L.P. 14

15 Figure 10 SSL VPN gateway serves as the ingress of the enterprise network As shown in Figure 10, the SSL VPN gateway can cooperate with the firewall to serve as the ingress of the enterprise network, protecting the enterprise network from being attacked. Figure 11 SSL VPN gateway protects important servers in the enterprise network As shown in Figure 11, the SSL VPN gateway can be used to protect only important internal servers from being attacked, without affecting other parts of the enterprise network. SSL VPN Gateway Sharing Application Scenario Figure 12 Network diagram for SSL VPN gateway sharing application Users of enterprise A LAN Network of enterprise A Internet SSL VPN gateway LAN Network of enterprise B Users of enterprise B Users of enterprise C LAN Network of enterprise C Enterprises can share a single SSL VPN gateway, each of which uses one domain of the SSL VPN gateway. The SSL VPN gateway allows these enterprises manage their own users independently, saving network costs for the enterprises. As shown in Figure 12, enterprises A, B, and C share the same SSL VPN gateway, using domain A, B, and C on the SSL VPN gateway respectively. Enterprise A manages Hewlett-Packard Development Company, L.P. 15

16 its own users and server resources in domain A, and configures its own security policies to ensure that users of enterprise A can access only the resources of enterprise A. enterprises B and C manage their users in the same way. SSL VPN Networking Modes According to the way in which the SSL VPN gateway is connected to the network, the SSL VPN networking modes fall into two types: dual-arm and single-arm. In dual-arm mode, the SSL VPN gateway resides between the internal network (or internal servers) and the external network, as shown in Figure 9, Figure 10, and Figure 11. The advantage of the dual-arm mode is that the SSL VPN gateway can provide full protection to the whole internal network or the internal servers. The downside is that the gateway, located at the exit of the internal network, may become a bottleneck of the network. Therefore, it must have high processing capability, availability, and reliability. Figure 13 Network diagram for sing-arm mode As shown in Figure 13, in sing-arm mode, the SSL VPN gateway acts as a proxy server for the communication between the remote host and the internal network. The advantage of the single-arm mode is that the SSL VPN gateway is not the bottleneck of the network as it is not deployed at the key path. However, the SSL VPN gateway cannot provide full protection to the internal network. Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Hewlett-Packard Development Company, L.P. 16