SSL VPN Technical Primer

Transcription

1 4500 Great America Parkway Santa Clara, CA USA NETGEAR ( ) SSL VPN Technical Primer Q U I C K G U I D E

2 Today, small- and mid-sized businesses have an increasingly mobile workforce. Faster broadband service, expanded wireless access, and a proliferation of Internet-enabled devices has boosted the productivity of these remote employees. More and more business owners and employees demand the flexibility to access their data while physically not at work. To meet this demand, a growing number of small- and mid-sized businesses provide remote access to employees and managers. However, for the SMB market, many remote access solutions are cost-prohibitive and too complicated to setup. In addition, limited resources and budgets make it difficult for many small and mid-sized businesses to: Provide secure remote access to multiple users. Enable employees to access information using remote laptops, PCs, kiosks, or PDAs. Provide an easy way to deliver and manage remote access for mobile employees. Deploy a remote access solution that is cost-effective and easy to troubleshoot, maintain, and support. SSL VPN The Right Sized Solution for SMB Due to their flexibility, security, and ease of deployment, SSL VPNs are quickly becoming the preferred solution to meet the remote access needs of small- and mid-sized businesses. SSL VPNs is built on SSL, or Secure Socket Layer, a protocol originally developed by Netscape Communications in the mid-90s. As the standard for secure electronic commerce (e-commerce) transactions on the Internet, SSL has undergone years of public scrutiny. Supported by all standard browsers, including Microsoft Internet Explorer, Apple Safari, and Mozilla Fire Fox, SSL securely transfers information between a web browser and an electronic commerce on the web. Secure Sockets Layer is often represented as the padlock on the bottom right corner of the window when a browser is connected to a secure website. See diagram 1. A secure website is typically identified as https, where the s in https refers to SSL. Diagram 1 1 SSL VPNs combine the security and confidentiality provided by SSL and the mobility of a Virtual Private Network. Together, they enable remote users to connect to their office networks using standard web browsers.

3 Better from the Ground Up SSL VPNs are typically compared to IPSEC VPNs. However, there are significant differences between the two access methods. IPSEC VPNs were designed to provide site-to-site access (branch-to-branch) access. By comparison, SSL VPNs were designed to provide remote access for a mobile user to a corporate resource. When compared to IPSec VPNs, SSL VPNs offer: Platform Independence Because they connect to the network through a web browser, SSL VPNs enable access from anywhere, independent of the platform used. Browser-based access Unlike IPSEC VPNs that require a client to provide remote access, SSL VPNs provide clientless remote access to corporate resources. Granular access controls SSL VPNs provide granular application access to corporate resources while IPSEC VPNs only provide network access. Seamless integration SSL VPNs integrate seamlessly with the existing firewall infrastructure. The protocol is application-based and does not interfere with basic firewall functions operating at the IP Layer. The table below summarizes the key differences between IPSEC VPNs and SSL VPNs and explains when each solution is most appropriate. 2 Description IPSEC VPN SSL VPN Security and OSI Model Method of Access Suite of protocols provides security at the network or IP layer Predicated on trusted relationship between networks or between users and the network Defines how to provide tunneling, encryption, and authentication Allows organizations to select and specify the security policy appropriate for their network Uses tunneling and encryption to provide secure data transfer between one private network and another or between a private network and a user Operates at the application layer Uses any standard Internet browser Provides finely grained access control to the application and associated resources Entire connection is encrypted using Uses proxies, tunneling, encryption, and access control to provide secure remote access between users and a private network Does not provide access between one private network and another Client Client required Clientless access to corporate resources as part of any standard browser Connection Better suited for network-based connection model Better suited for application-based remote access Firewalls and Network Address Translation (NAT) Granular Access Return on Investment Support Platform-Independent Access Encryption Protocol Support Poor integration with existing firewalls using network address translation Limited. Only operates at the network layer (Layer 3) Lower. Additional cost of client increases total cost of ownership Best suited for site-to-site access such as between branch offices Requires installed client on device to connect to the corporate network. Limits access to company laptops and PCs. No access from PDAs, kiosks, and non-company laptops and PCs Tunneling: Authentication Header (AH) and Encapsulating Security Payload (ESP) Encryption: DES, 3DES, 128/192/256 bit AES Operates at application layer for seamless integration with existing firewall infrastructure High-level granular access control for applications. Operates at the application layer of the OSI model Higher. No client to deploy and manage, reducing costs for administration and support Best suited for user-to-site remote access Provides access from a wide variety of devices. Can access applications from any location or device with Internet access, including PDAs, kiosks, and non-company laptops and PCs Encryption: DES, 3DES, AES 256bit Authentication: Local User Database, Microsoft Active Directory, LDAP, NT Domain, and RADIUS.

4 NETGEAR A Leader in SSL VPN Solutions As the leader in the SMB market, NETGEAR makes an ideal vendor for SSL VPN solutions. The NETGEAR ProSafe SSL VPN Concentrator SSL312 provides small- and mid-sized organizations with an easy, secure, and cost-effective solution for remote access for up to 100 employees. Using the Secure Sockets Layer (SSL) protocol supported natively on all standard web browsers, the SSL312 seamlessly integrates with your existing firewall infrastructure to offer industry-standard access and security. The intuitive web interface, customizable portal, and a plug-and-play installation make the SSL312 easy and cost-effective to deploy. NETGEAR ProSafe SSL312 supports up to 25 users simultaneously. Remote employees can safely and securely login from network environments and remote computers that are not controlled or managed by your corporate IT department. The SSL312 s advanced features include: Security The SSL312 uses Secure Sockets Layer version 3.0, TLS 1.0 to ensure security and complete privacy. By leveraging industry-standard security protocols such as DES, 3DES, AES-256, the SSL312 supports MD5 and SHA-1 to ensure data confidentiality over the Internet. The SSL312 can also clear the cache after a remote user logs out to protect the data and privacy of the user. Customizable Portals Administrators can configure and customize user portals to enforce role-based access and ease the end user experience when connected to the corporate network. Granular policy configuration tools give administrator complete control over individual user access to specific network resources. Cost-Effective The SSL312 s support for web-based access eliminates the high cost of installing, configuring, and maintaining client software on each PC. Studies have shown that an SSL-based solution can save businesses $100 to $300 per year per user in client costs. Easy-to-Manage SSL is available wherever there is a standard Web browser, including kiosks and retail business centers, so users don t need a company laptop to access company resources. Administrators have access to and full remote control of employees desktops without client software installation. 3

5 Deployment Scenario The SSL312 can be deployed on a network in a number of ways. The most popular approach is to install the SSL312 on the network behind a firewall, as shown in the diagram 2. Web Database File Server Internal Network Limited access to corporate network Full access to corporate network ProSafe SSL VPN Concentrator SSL312 ProSafe VPN Firewall Broadband Modem INTERNET via PDA from partner site via Kiosk or laptop from your home at a coffee shop or hotspot User s allowed restricted access to the corporate network User s allowed restricted access to the corporate network Diagram 2 A firewall is highly recommended for small and mid-sized companies. However SSL312 is not a firewall and traditionally sits behind one. The SSL312 is responsible for terminating all SSL VPN connections. SSL312 verfies user credentials when remote users login with their user name and password and provide access to corporate resources based upon their user policy. When the SSL312 is deployed behind a firewall, the firewall must be configured to send all inbound SSL connections to the SSL VPN concentrator. Diagram 3 shows the administration interface for the SSL312. 4

6 To fully configure the NETGEAR ProSafe SSL VPN Concentrator SSL312, please refer to the Installation and User Guide available at Diagram 3 After the successful installation of the SSL312, remote users can access corporate resources by entering the IP address or DNS name of the SSL VPN Concentrator in the navigation bar of a supported browser, of the supported browser. SSL312 supports Microsoft Internet Explorer and Apple Safari as the client browsers for access. Once a remote user successfully logs into the SSL VPN box, he/she will see the following screen below. 5 Diagram 4

7 With the SSL312, administrators have the flexibility to provide multiple remote access options to their remote users. These access options include: VPN Tunnel: Using a small (<64K) Active X control downloaded during the first connection to the SSL VPN Concentrator, a VPN tunnel can provide full IPSEC-like connectivity. The Active X control creates a PPP adapter upon installation to deliver full IPSEC-like connectivity to corporate resources. Port Forwarding: Port forwarding provides access to mission-critical applications, such as and mapped network drives, as if they were located on the corporate network. However, port forwarding differs from a VPN tunnel in several ways. o Port forwarding only supports TCP data, not UDP or other IP protocols. o Port forwarding detects and reroutes individual data streams over the port forwarding connection instead through a full tunnel to the corporate network. As a result, port forwarding uses a lighter client than the VPN tunnel and installs more quickly. o Port forwarding offers more fine-grained management than VPN tunnel. Administrators can define individual applications and resources available to remote users. With VPN tunnel, administrators must create access policies to block undesirable traffic at the SSL VPN gateway rather than at the client level. o Port forwarding does not require administrative privileges on the client PC to install the VPN Tunnel ActiveX file. Utilities: SSL312 supports utilities such as ssh, telnet, and ftp utilities to enable administrators and power users to manage servers and desktops on the network when working remotely. : Remote access allows access to a remote desktop, desktop application, or a home directory on a central server using either Microsoft Terminal Services or VNC. Both Microsoft Terminal Services and VNC support the unique ability to launch individual applications running on a remote desktop or server. Conclusions With its ease of use, simple installation, cost-effective maintenance, and secure access, the NETGEAR SSL312 is an excellent solution for small- to medium-size businesses. It provides all the access most remote users need without the burdensome overhead and expense of enterprise-focused IPSEC VPN solutions. And with NETGEAR s SMB market expertise, the SSL VPN ensures this growing technology remains a perfect fit for growing companies NETGEAR, Inc., NETGEAR, the NETGEAR logo, Connect with Innovation, Everybody s connecting, the Gear Guy, IntelliFi, ProSafe, RangeMax, and Smart Wizard are trademarks or registered trademarks of NETGEAR, Inc., in the United States and/or other countries. Microsoft and Windows are trademarks of Microsoft Corporation in the United States and/or other countries. Intel, the Intel logo, Intel Viiv and Intel Viiv logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States or other countries. Other brand and product names are trademarks of registered trademarks of their respective holders. Information is subject to change without notice. All rights reserved.