Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Transcription

1 Table of Contents 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance Features and Benefits 2-1 Key Features 2-1 Support for the Browser/Server Resource Access Model 2-1 Support for Client/Server Applications 2-1 Support for IP Layer-Based Network Applications 2-2 Effective Security Assessment of Remote Hosts 2-2 Granular and Dynamic Authorization for Remote Users 2-2 Support for Multiple Authentication Methods 2-2 Client that Needs No Manual Installation and Maintenance 2-3 High-Performance Hardware Encryption 2-3 Customized User Interface Functions and Specifications 3-1 Function List 3-1 Performance and Specifications System Components and Application Scenarios 4-1 System Components 4-1 SSL VPN Gateway 4-1 SSL VPN Client 4-1 Application Scenarios 4-1 SecBlade SSL VPN 4-1 SecBlade SSL VPN Redundancy Ordering Information 5-1 Appendix A Acronyms 1 i

2 1 Overview Introduction The H3C SecBlade SSL VPN cards are developed by H3C for secure remote access. They support the Open Application Architecture (OAA) and can be used in H3C S7500E and S9500 series switches. The SecBlade SSL VPN cards are connected with the switches through the internal high-speed Ethernet interfaces. With the SecBlade SSL VPN cards, the switches can support SSL VPN applications. The H3C SecBlade SSL VPN cards provide comprehensive SSL VPN service processing capabilities: It supports three remote access modes: Web access (HTTP proxy), TCP access (port forwarding), and IP access (network extension), implementing comprehensive and effective support for various IP-based applications. It improves the access rights management granularity to URLs, file directories, IP addresses and port numbers, and IP segments. It enables dynamic user authorization based on security status of remote hosts. It requires no client installation and maintenance, not only facilitating deployment, but also reducing the maintenance cost. Equipped with high-performance multi-core processing units and embedded with multiple encryption engines, the SecBlade SSL VPN cards support high throughput and concurrent SSL VPN services. Currently, the H3C SecBlade SSL VPN cards come in two models: LSQ1SSLSC0 for H3C S7500E series Ethernet switches and LSB1SSL1A1for H3C S9500 series Ethernet switches. Product Design The SecBlade SSL VPN cards are high-performance, large-capacity SSL VPN gateway products. They support OAA and can be used in H3C medium and high-end switches to provide remote access services for medium-sized and large network systems. As VPN products, the cards can satisfy these remote access requirements: Confidentiality of transmitted data. Supporting multiple access modes, so that access to network is not affected by dynamic IP address and NAT. Supporting the browser/server resource access model. Requiring no extra client software but being able to control user access rights perfectly. Supporting the client/server network application model, so that applications based on TCP/UDP can access internal network resources securely through encrypted connections. Supporting network applications based on IP, so that these applications can access internal network resources securely through encrypted connections. More granular management of remote user access rights. Checking the security status of remote hosts and restricting insecure remote access. Less management and maintenance of VPN clients. 1-1

3 Appearance Currently, the H3C SecBlade SSL VPN cards are available in two models: LSQ1SSLSC0: Used with the H3C S7500E series Ethernet switches. Each has four internal GE interfaces, one console port, two USB interfaces, and one CF card interface. LSB1SSL1A0: Used with the H3C S9500 series Ethernet switches. Each has one internal 10-GE interface, one console port, two USB interfaces and one CF card interface. Figure 1-1 Appearance of the LSQ1SSLSC0 card Figure 1-2 Appearance of the LSB1SSL1A0 card 1-2

4 2 Features and Benefits Key Features As VPN devices for secure remote access, the SecBlade SSL VPN cards can provide these key features: Support for the browser/server resource access model Client/server applications IP layer-based network applications Effective security assessment of remote hosts Granular and dynamic authorization for remote users Multiple authentication methods Client that needs no manual installation and maintenance High-performance hardware encryption Customized user interface Support for the OAA architecture, which makes the cards able to work with medium and high-end switches The ability of processing large-traffic and highly-concurrent SSL VPN access services. Support for the Browser/Server Resource Access Model At present, many network applications are implemented based on Web, such as information issuing and browsing, and database querying and updating. SSL VPN supports the Web access mode, which requires no VPN client installation on the user side. Remote users can access the network resources through a Web browser. If a remote user wants to access a Web site on the internal network, the SSL VPN gateway will act as the HTTP proxy, forwarding the HTTP requests from the user to the corresponding Web server and the responses from the server to the user. Different from ordinary Web proxies, the SSL VPN gateway requires users to use HTTPS links and the URL of the SSL VPN gateway for network access, instead of HTTP links and the URL of the internal server. Support for Client/Server Applications At present, many network applications are based on the client/server model, such as Telnet, POP3, and SMTP, where the client communicates with the server through a TCP or UDP connection. SSL VPN implements the port forwarding mode, which allows the gateway to act as the TCP proxy to terminate the SSL connection from the client and establish a TCP/UDP connection with the internal server, and then forward packets between the client and the server. The port forwarding technology can provide higher network security than the IPsec VPN technology. With IPsec VPN, the whole IP network is exposed to remote users; while with port forwarding, only the IP addresses and port numbers of the internal servers are open for remote users. When a remote user logs in to the SSL VPN system from a host, SSL VPN will automatically download to the host a TCP access client, which will listen to the local TCP/UDP port and initiate an SSL 2-1

5 connection with the gateway. Thus, there is no need to make any change to the existing TCP/UDP client. Support for IP Layer-Based Network Applications To support more IP-based network applications, SSL VPN provides the remote access (network extension) mode. This access mode requires that each remote host download and install an IP access client program, for which the SSL VPN gateway will assign an IP address. The remote hosts will then be connected with the internal network at the IP layer, as if they were in the same LAN. The SSL VPN cards support granular control of IP access. They can control which IP network segments can be accessed by users, so as to reduce the harms that may be caused by remote access. Effective Security Assessment of Remote Hosts When a remote host tries to log in to the SSL VPN system, SSL VPN automatically installs and runs a piece of software called host checker on the host. The software will check the running environment of the host, and feed back the security status of the host to the gateway, which will in turn assess the security status of the host and then authorize the host according to the security status. The security check items of the SSL VPN card include: Operating system version and patches Browser version and patches Firewall version Virus Killer version User s PKI certificate Specified files Specified processes Granular and Dynamic Authorization for Remote Users Compared with IPsec VPN, SSL VPN features the advantage of granular access control. The SSL VPN cards support access control at the granularity of: URL IP address and port number IP network segment SSL VPN can authorize the access right for a user based on the user identity or the security status of the remote host. Authorization based on user identity is static. No matter when and where a user logs in to the SSL VPN system, the user will get the same access right. Authorization based on host security status is dynamic. Whenever a user tries to log in, SSL VPN checks the security status of the host and grants the user an access right accordingly. Support for Multiple Authentication Methods The SSL VPN cards support the following authentication methods: Local authentication. RADIUS authentication LDAP authentication AD authentication 2-2

6 RSA SecureID Any of these authentication methods can be used in conjunction with the certificate authentication to form the two-factor authentication. The local authentication method is suitable when there are a few users. The SSL VPN cards can be integrated seamlessly with the existing network authentication systems (RADIUS, LDAP, or AD), facilitating centralized and unified management of user accounts. Client that Needs No Manual Installation and Maintenance After a user logs in, the SSL VPN client can be automatically downloaded, installed, configured, and run through a Web page. After the user logs off, the SSL VPN client itself can automatically clear the installation program, the configuration, and the data cached. These features not only make it easy for users to use SSL VPN, but also facilitate the maintenance and upgrade of the SSL VPN system. High-Performance Hardware Encryption The SSL VPN cards use a multi-core processing unit with built-in encryption engines, which can handle encryption and decryption calculations of large amounts of SSL packets, and therefore it can easily match the requirement of processing SSL packets at wirespeed at a GE port. Customized User Interface For user interface customization, the SSL VPN cards allow administrators to: Change the company logo picture. Customize page titles. 2-3

7 3 Functions and Specifications Function List Item Access modes Authentication methods Host security status checking Cache clearing Dynamic authorization Authorization granularity Hardware encryption Customized interface Web access (HTTP proxy) TCP access (port forwarding) IP access (network extension) Local authentication RADIUS authentication LDAP authentication AD authentication RSA SecureID Certificate authentication Two-factor authentication Description Operating system: type, version, and patches Browser: type, version and patches Firewall: type and version Virus killer: type and version User certificate Specified files Specified processes Clear the cached web pages Clear cookies Clear downloaded programs Clear the configuration file User and user group Resource and resource group Security policy URL File directory IP address and port number IP network segment RSA digital signature algorithm MD5 and SHA1 digest algorithms Encryption algorithms of RC4, DES, 3DES, and AES Customize the company logo Customize page titles 3-1

8 Performance and Specifications Model Number of concurrent users allowed Number of concurrent connections allowed Number of connections established per second Throughput (Gbps) LSQ1SSLSC LSB1SSL1A

9 4 System Components and Application Scenarios System Components The SSL VPN system consists of two parts: SSL VPN gateway SSL VPN client. SSL VPN Gateway Used in an S7500E or S9500 switch, the SSL VPN card acts as the SSL VPN gateway, which forwards packets between the remote hosts and the internal network servers and performs user access control. SSL VPN Client The SSL VPN client is saved on the SSL VPN gateway. When a user logs in to the SSL VPN system, the SSL VPN client will be downloaded to the remote host, get installed, and run automatically. The client software consists of the following parts: Host checker Cache cleaner TCP access client IP access client As the SSL client is installed and maintained automatically by SSL VPN, it is easy for users to use. Application Scenarios SecBlade SSL VPN A SecBlade SSL VPN card can be used in an S7500E or S9500 switch to provide SSL VPN services for an enterprise network. The SSL VPN solution can be implemented in two networking modes: dual-arm and single-arm. However, a SecBlade SSL VPN card can be used in a medium and high-end switch, and can support only the single-arm mode because data transceiving is implemented by the switch. 4-1

10 Figure 4-1 Network diagram for SecBlade SSL VPN solution File server OA Data center of the Intranet Internet SecBlade SSL VPN+ S9500 Finance Dept. Web R&D Dept. POP3 Supply Dept. POP3 SecBlade SSL VPN Redundancy Two SecBlade SSL VPN cards can be inserted in a high-end switch to form a VRRP group for redundancy backup. It is recommended to use the master-backup mode for SecBlade SSL VPN cards. Figure 4-2 Network diagram for SecBlade SSL VPN redundancy solution File Server OA Data center of the Intranet Internet SecBlade SSL VPN redundancy backup Finance Dept. WEB R&D Dept. POP3 Supply Dept. 4-2

11 5 Ordering Information Networking requirements The SecBlade SSL VPN cards cannot be used independently; they must be inserted into S7500E/S9500 switches to provide the SSL VPN function. In networking, a SecBlade SSL VPN card is used in a switch and supports only the single-arm networking mode. The card serves as a proxy server to provide the IP address and SSL service port number (defaults to 443) for remote users to access. The IP addresses of the card are configured on the internal interfaces, and the internal interfaces must belong to a Layer 3 VLAN of the switch. For reliability, the SecBlade SSL VPN card supports VRRP and can implement master-backup backup and master-master backup. Order list Model LSQ1SSLSC0 LSB1SSL1A0 Description 256M CF/2GB DRAM, for S7500E switches 256M CF/2GB DRAM, for S9500 switches 5-1

12 Appendix A Acronyms Acronym Full spelling AD HTTP LDAP PKI SSL VPN Active Directory Hyper Text Transport Protocol Light Directory Access Protocol Public Key Infrastructure Security Socket Layer Virtual Private Network 1