SSL VPN: A look at UCD through the tunnel
Background: Why? Who is it for?
Stakeholders: IET, Library, Schools and Colleges
Key Requirements
- Integrate with existing authentication
- Flexible security groups within the system
- Enforce Network Admission Control
- Split tunnel services
- Granular administration
- Browser support
- Monitoring and logging
- Scalable
- 24/7/365 operation
Timeline
- 11-05: VPN Workgroup established
- 3-06: Workgroup recommends SSL-VPN
- 11-06: Law School pilot
- 3-07: VPN Project Team
- 10-07: SSL VPN live for Library
- 11-07: Law School becomes 1st IVS
The Solution: Juniper SA-6000 High Availability Cluster
Juniper SSL VPN: What is it? How does it work?

The Juniper Networks Instant Virtual Extranet (IVE) platform is the underlying hardware and hardened network operating system that intermediates the data flowing between external users and the institution's internal resources. The UCD VPN infrastructure was built on a two-node Juniper Networks SA-6000 IVE cluster, capable of providing secure access to institutional resources 24/7/365 even in the face of a catastrophic hardware failure.

To reduce the attack surface of departmental resources, the IVE intermediation process receives requests from authenticated external users and makes requests to the internal resources on behalf of those users/workstations. This adds a layer of protection to institutional resources that classic VPN deployments do not provide. To access the IVE, end users need only a Web browser that supports SSL, the Sun Java runtime, and an Internet connection.
Juniper Networks Host Checker and UCD Cyber Security Compliance

The UC Davis Cyber Security program dictates that all workstations connecting to the University electronic communications network meet predefined security standards. To ensure that remote clients meet this mandate, the Juniper SSL VPN offering was chosen for its advanced, platform-agnostic workstation auditing capability, known as Host Checker.

Architecture within Host Checker

The Juniper Networks Host Checker architecture is based on the TNC (Trusted Network Connect) open architecture for the acquisition and verification of client OS security metrics. The IVE uses client-side agents (IMCs) to interrogate the client and obtain antivirus, antispyware, patch management, firewall, and other configuration and security information. To ensure the integrity of the information presented to Host Checker by the client-side agents, the IVE contains software modules (IMVs) that verify the agent-generated information, ensuring that the metrics presented to Host Checker are accurate and unadulterated.

Note: Trusted Network Connect (TNC) is a subgroup of the Trusted Computing Group. For more information about IMVs and IMCs, see www.trustedcomputinggroup.org.
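The following is an added illustration of the admission decision described above, written for this page and not Juniper's code: collected metrics are integrity-checked before the compliance policy is applied. The HMAC tag is an assumed stand-in for the IMC/IMV verification step, and the policy thresholds and sample reports are constructed.

```python
"""Host Checker-style admission decision (added illustration, not Juniper code).
IMCs report metrics; IMVs verify the report is genuine before policy is applied.
The HMAC below is a simplified stand-in for that integrity check."""
import hashlib
import hmac
import json

# Constructed policy covering the metrics the slide names.
POLICY = {"av_required": True, "av_definitions_max_age_days": 7, "antispyware_required": True,
          "firewall_required": True, "missing_critical_patches_max": 0}

def sign_report(report, key):
    """Collector side: canonical JSON plus an HMAC tag (stand-in for IMC attestation)."""
    body = json.dumps(report, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_report(body, tag, key):
    """Verifier side: constant-time comparison; a mismatch means the report was altered."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def evaluate_posture(report, policy=POLICY):
    """Return (compliant, reasons); missing metrics count as failures, not as passes."""
    reasons = []
    if policy["av_required"] and not report.get("antivirus_installed", False):
        reasons.append("antivirus not installed")
    if report.get("av_definitions_age_days", float("inf")) > policy["av_definitions_max_age_days"]:
        reasons.append("antivirus definitions out of date")
    if policy["antispyware_required"] and not report.get("antispyware_installed", False):
        reasons.append("antispyware not installed")
    if policy["firewall_required"] and not report.get("firewall_enabled", False):
        reasons.append("host firewall disabled")
    if report.get("missing_critical_patches", float("inf")) > policy["missing_critical_patches_max"]:
        reasons.append("critical patches missing")
    return (not reasons, reasons)

def admit(body, tag, key, policy=POLICY):
    """Integrity first, then policy: an unverifiable report is denied outright."""
    if not verify_report(body, tag, key):
        return (False, ["report integrity check failed"])
    return evaluate_posture(json.loads(body), policy)

# Constructed sample key and reports.
KEY = b"constructed-demo-key"
COMPLIANT = {"antivirus_installed": True, "av_definitions_age_days": 2, "antispyware_installed": True,
             "firewall_enabled": True, "missing_critical_patches": 0}
STALE = dict(COMPLIANT, av_definitions_age_days=30, firewall_enabled=False)
```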
Remote Access Features

Secure Application Manager
- Windows version (WSAM): The Windows version of the Secure Application Manager is a Windows-based solution that secures traffic to individual client/server applications and application servers.
- Java version (JSAM): The Java version of the Secure Application Manager supports static TCP port client/server applications, including enhanced support for Microsoft MAPI, Lotus Notes, and Citrix NFuse. JSAM also provides NetBIOS support, which enables users to map drives to specified protected resources.

File rewriting: This feature gives remote users access to NFS and SMB based file server shares. Mount points are displayed as links within the User Home Page, and all file system operations occur with the security credentials of the authenticated user, so existing file system ACLs can be used without modification.

Web rewriting: This feature uses the VPN to intermediate traffic to Web-based applications and Web pages, giving remote users access to institutional web resources otherwise not reachable from off-network clients.
Remote Access Features

Telnet/SSH: The Telnet/SSH option lets users connect to internal servers in the clear using Telnet, or over an encrypted Secure Shell (SSH) session, through Web-based terminal emulation. This feature supports the following:
- Network protocols: Telnet and SSH.
- Terminal settings: VT100, VT320, and derivatives, including screen buffers.
- Security: Web/client security using SSL and host security (such as SSH, if desired).

Terminal Services: Enables terminal emulation sessions on a Windows terminal server, Citrix NFuse server, or Citrix MetaFrame server, providing a more secure RDP session by intermediating the RDP traffic through the IVE SSL tunnel.
Remote Access Features

Secure Meeting: The IVE Secure Meeting application allows users to securely schedule and hold online meetings between institutional and non-institutional users. In meetings, users can share their desktops and applications with one another over a secure connection, allowing everyone in the meeting to share data on-screen instantaneously. Meeting attendees can also collaborate securely online by remote-controlling one another's desktops and by text chatting in a separate application window that does not interfere with the presentation.

Network Connect: The Network Connect option provides secure, SSL-based network-level remote access to all enterprise application resources through the IVE over port 443. When Network Connect runs, the client's machine effectively becomes a node on the remote (corporate) LAN and becomes invisible on the user's local LAN; the IVE appliance serves as the Domain Name Service (DNS) gateway for the client and knows nothing about the user's local LAN. This type of VPN is analogous to more traditional VPN services such as PPTP and IPsec tunnels, and is what most folks picture when they think of a VPN.
Resource-based routing: Split tunnel VPN

Split Tunnel: When split tunneling is used, Network Connect modifies the default route on clients so that only traffic destined for institutional networks traverses the VPN tunnel. Traffic not destined for the institutional network does not enter the VPN tunnel.

Single Tunnel: A single tunnel VPN modifies the route on the client so that ALL traffic traverses the VPN tunnel regardless of destination.

Split Tunnel Benefits: By ensuring that only traffic destined for specific departmental network resources traverses the VPN tunnel, Network Connect uses the institutional network infrastructure more efficiently and decreases the attack surface available to malicious traffic.
Split Tunnel VPN Graphical Representation
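As an added illustration (not Network Connect's own code) of the two routing modes above, the block below builds the client route table each mode produces and resolves destinations against it with longest-prefix matching. The institutional prefixes and destination addresses are constructed examples.

```python
"""Split vs. single tunnel route selection (added illustration, not Network Connect code).
In split mode only institutional prefixes point at the tunnel and the default route
stays local; in single mode the default route itself points at the tunnel."""
import ipaddress

# Constructed prefixes standing in for "institutional networks".
INSTITUTIONAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

def build_routes(mode, institutional_nets=INSTITUTIONAL_NETS):
    """Return the client route table as (network, interface) pairs, most specific first."""
    if mode == "split":
        routes = [(net, "tunnel") for net in institutional_nets]
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "local"))
    elif mode == "single":
        routes = [(ipaddress.ip_network("0.0.0.0/0"), "tunnel")]
    else:
        raise ValueError(f"unknown tunnel mode: {mode}")
    # Longest prefix wins, as in a real forwarding table.
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

def egress(dst, routes):
    """Interface a packet to dst leaves on under the given route table."""
    addr = ipaddress.ip_address(dst)
    for net, iface in routes:
        if addr in net:
            return iface
    raise LookupError("no route")  # unreachable while a default route is present

def classify(destinations, mode):
    """Map each destination to 'tunnel' or 'local' for the chosen mode."""
    routes = build_routes(mode)
    return {dst: egress(dst, routes) for dst in destinations}
```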
Access Control: Shared or private, who has access to the VPN?

Departments within an institution that participate in the SSL VPN service are granted their own Independent Virtual System (IVS) within the SA-6000 cluster. IVS systems are completely independent of one another, with separate VPN-DMZ VLANs and external-facing interfaces for client access. Within the IVS, department IT staff may construct separate ACLs to provision the amount and type of access granted to users based on a wide range of available criteria (authentication realm, Home Department (from LDAP), IT-staff-defined groups, and more). Since the IVSs are independent of each other, subscribing department IT administrators are granted complete control of their IVS. This allows department IT staff to tailor the device to their specific needs.

What authentication mechanisms are available to the VPN?
- Campus Kerberos: IET CR supports the campus Kerberos directory for authentication via the campus RADIUS server.
- Internal User Database: The IVS contains its own directory store available for authentication.
- Microsoft Active Directory: Supports NTLM v1, NTLM v2, and MS Kerberos.
- RADIUS: Hosted via OSS platforms or Microsoft Windows.
- Network Information Service (NIS/YP): For *nix-based account authentication.
- LDAP: Supports LDAP and LDAPS for secure LDAP-based authentication.
Access Control: Delimiting access along organizational lines

Departments within an academic institution can be vast in their complexity, and IT resources must be flexible to meet the ever-changing needs of the department. To meet this charge the SSL VPN has a very powerful ACL engine, allowing department administrators to establish application and network profiles for end users based on organizational lines.

Roles
- Admin Roles: Consist of ACLs to the different admin functions of the box. Basically there are two roles here, Admin and ReadOnlyAdmin. Admin has full control and can make changes within the IVE. ReadOnlyAdmin can view all areas within the Admin application but cannot make changes to the IVE. This allows senior-level support staff to grant junior-level support staff access to the Administration application for diagnostics, without the ability to make possibly harmful changes to the IVE.
- User Roles: Consist of ACLs and profiles for the various VPN applications within the IVE. Through the proper use of roles a department may delineate access to various resources across disparate networks based on department-defined criteria.

Logging and Auditing: The IVE contains extensive diagnostic and logging features for department support staff to resolve problems pertaining to authentication, role/policy evaluation, and client-side VPN applications. Client-side logs capture entire sessions for every application available within the IVS, giving administrators the data they need to resolve any situation related to the VPN. Where possible device problems are discovered, these logs can be used by Juniper support to furnish specific patches. The IVS allows complete auditing and recording of client sessions to ensure accountability and forensic data for situations involving sensitive data.

Let's look at an imaginary department with a couple of subsidiary units.
Ex. Access Control
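The imaginary department with two subsidiary units, worked through as an added example that is not the IVE's ACL engine: user roles are derived from the criteria the slides list (authentication realm, LDAP home department, IT-staff-defined groups), resource policies attach to roles with deny-by-default evaluation, and the Admin/ReadOnlyAdmin split gates configuration changes. All realm, department, group and host names are constructed.

```python
"""Role-based access evaluation inside one IVS (added illustration, not Juniper's ACL engine).
Roles come from user attributes; resource policies attach to roles; admin roles
separately gate configuration changes.  All names below are constructed."""
import fnmatch

# Role rules for an imaginary department with two subsidiary units.
# Criteria values are glob patterns; "group" means membership in the user's groups.
ROLE_RULES = [
    {"role": "dept-staff",  "realm": "campus-kerberos", "home_department": "Dept*"},
    {"role": "unit-a-user", "realm": "campus-kerberos", "home_department": "Dept/UnitA"},
    {"role": "unit-b-user", "realm": "campus-kerberos", "home_department": "Dept/UnitB"},
    {"role": "sysadmin",    "group": "dept-it"},
]

# Resource policies: role -> (application, resource pattern) pairs that role may reach.
RESOURCE_POLICIES = {
    "dept-staff":  [("web", "https://intranet.dept.example/*")],
    "unit-a-user": [("file", "smb://files-a.dept.example/*")],
    "unit-b-user": [("file", "smb://files-b.dept.example/*")],
    "sysadmin":    [("ssh", "*.dept.example:22")],
}

ADMIN_ACTIONS = {"Admin": {"view", "change"}, "ReadOnlyAdmin": {"view"}}

def _matches(user, key, want):
    """One criterion: group membership, or a glob match on a scalar attribute."""
    if key == "group":
        return want in user.get("groups", [])
    value = user.get(key)
    return value is not None and fnmatch.fnmatchcase(value, want)

def assign_roles(user, rules=ROLE_RULES):
    """A rule grants its role only when every criterion matches the user."""
    return [r["role"] for r in rules
            if all(_matches(user, k, v) for k, v in r.items() if k != "role")]

def authorized(user, app, resource, rules=ROLE_RULES, policies=RESOURCE_POLICIES):
    """Deny by default: allow only if some assigned role carries a matching policy."""
    return any(pol_app == app and fnmatch.fnmatchcase(resource, pattern)
               for role in assign_roles(user, rules)
               for pol_app, pattern in policies.get(role, []))

def admin_allowed(admin_role, action):
    """Admin may view and change the IVE configuration; ReadOnlyAdmin may only view."""
    return action in ADMIN_ACTIONS.get(admin_role, set())
```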
Test Drive

Now that we have explored the major aspects of the SSL VPN on paper, let's take it for a test drive and see how it works in practice. Please feel free to stop me at any point if you have questions or would like an aspect explained in further detail. I would also like to take this moment to thank you all for allowing me the opportunity to present the SSL-VPN service to you today. Thank you!