SSL VPN Technical Primer




4500 Great America Parkway, Santa Clara, CA 95054 USA. 1-888-NETGEAR (638-4327). E-mail: info@netgear.com. www.netgear.com

SSL VPN Technical Primer. Quick Guide

Today, small- and mid-sized businesses have an increasingly mobile workforce. Faster broadband service, expanded wireless access, and a proliferation of Internet-enabled devices have boosted the productivity of these remote employees. More and more business owners and employees demand the flexibility to access their data while physically not at work. To meet this demand, a growing number of small- and mid-sized businesses provide remote access to employees and managers. However, for the SMB market, many remote access solutions are cost-prohibitive and too complicated to set up. In addition, limited resources and budgets make it difficult for many small and mid-sized businesses to:

- Provide secure remote access to multiple users.
- Enable employees to access information using remote laptops, PCs, kiosks, or PDAs.
- Provide an easy way to deliver and manage remote access for mobile employees.
- Deploy a remote access solution that is cost-effective and easy to troubleshoot, maintain, and support.

SSL VPN: The Right-Sized Solution for SMB

Due to their flexibility, security, and ease of deployment, SSL VPNs are quickly becoming the preferred solution to meet the remote access needs of small- and mid-sized businesses. SSL VPNs are built on SSL, or Secure Sockets Layer, a protocol originally developed by Netscape Communications in the mid-90s. As the standard for secure electronic commerce (e-commerce) transactions on the Internet, SSL has undergone years of public scrutiny. Supported by all standard browsers, including Microsoft Internet Explorer, Apple Safari, and Mozilla Firefox, SSL securely transfers information between a web browser and an electronic commerce site on the web. Secure Sockets Layer is often represented as the padlock in the bottom right corner of the window when a browser is connected to a secure website. See Diagram 1. A secure website is typically identified as https, where the s in https refers to SSL.

Diagram 1: Browser padlock indicating an SSL-secured (https) connection.

SSL VPNs combine the security and confidentiality provided by SSL with the mobility of a Virtual Private Network. Together, they enable remote users to connect to their office networks using standard web browsers.

Better from the Ground Up

SSL VPNs are typically compared to IPSEC VPNs. However, there are significant differences between the two access methods. IPSEC VPNs were designed to provide site-to-site (branch-to-branch) access. By comparison, SSL VPNs were designed to provide remote access for a mobile user to a corporate resource. When compared to IPSec VPNs, SSL VPNs offer:

- Platform independence: Because they connect to the network through a web browser, SSL VPNs enable access from anywhere, independent of the platform used.
- Browser-based access: Unlike IPSEC VPNs, which require a client to provide remote access, SSL VPNs provide clientless remote access to corporate resources.
- Granular access controls: SSL VPNs provide granular application access to corporate resources, while IPSEC VPNs only provide network access.
- Seamless integration: SSL VPNs integrate seamlessly with the existing firewall infrastructure. The protocol is application-based and does not interfere with basic firewall functions operating at the IP layer.

The table below summarizes the key differences between IPSEC VPNs and SSL VPNs and explains when each solution is most appropriate.

Security and OSI Model
  IPSEC VPN: Suite of protocols provides security at the network or IP layer. Predicated on a trusted relationship between networks or between users and the network. Defines how to provide tunneling, encryption, and authentication. Allows organizations to select and specify the security policy appropriate for their network.
  SSL VPN: Operates at the application layer. Uses any standard Internet browser. Provides finely grained access control to the application and associated resources. Entire connection is encrypted using

Method of Access
  IPSEC VPN: Uses tunneling and encryption to provide secure data transfer between one private network and another, or between a private network and a user.
  SSL VPN: Uses proxies, tunneling, encryption, and access control to provide secure remote access between users and a private network. Does not provide access between one private network and another.

Client
  IPSEC VPN: Client required.
  SSL VPN: Clientless access to corporate resources as part of any standard browser.

Connection
  IPSEC VPN: Better suited for a network-based connection model.
  SSL VPN: Better suited for application-based remote access.

Firewalls and Network Address Translation (NAT)
  IPSEC VPN: Poor integration with existing firewalls using network address translation.
  SSL VPN: Operates at the application layer for seamless integration with existing firewall infrastructure.

Granular Access
  IPSEC VPN: Limited. Only operates at the network layer (Layer 3).
  SSL VPN: High-level granular access control for applications. Operates at the application layer of the OSI model.

Return on Investment
  IPSEC VPN: Lower. Additional cost of client increases total cost of ownership.
  SSL VPN: Higher. No client to deploy and manage, reducing costs for administration and support.

Support
  IPSEC VPN: Best suited for site-to-site access, such as between branch offices.
  SSL VPN: Best suited for user-to-site remote access.

Platform-Independent Access
  IPSEC VPN: Requires an installed client on the device to connect to the corporate network. Limits access to company laptops and PCs. No access from PDAs, kiosks, and non-company laptops and PCs.
  SSL VPN: Provides access from a wide variety of devices. Can access applications from any location or device with Internet access, including PDAs, kiosks, and non-company laptops and PCs.

Encryption
  IPSEC VPN: DES, 3DES, 128/192/256-bit AES.
  SSL VPN: DES, 3DES, AES 256-bit.

Protocol Support
  IPSEC VPN: Tunneling: Authentication Header (AH) and Encapsulating Security Payload (ESP).
  SSL VPN: Authentication: Local User Database, Microsoft Active Directory, LDAP, NT Domain, and RADIUS.

NETGEAR: A Leader in SSL VPN Solutions

As the leader in the SMB market, NETGEAR makes an ideal vendor for SSL VPN solutions. The NETGEAR ProSafe SSL VPN Concentrator SSL312 provides small- and mid-sized organizations with an easy, secure, and cost-effective solution for remote access for up to 100 employees. Using the Secure Sockets Layer (SSL) protocol supported natively on all standard web browsers, the SSL312 seamlessly integrates with your existing firewall infrastructure to offer industry-standard access and security. The intuitive web interface, customizable portal, and plug-and-play installation make the SSL312 easy and cost-effective to deploy. The NETGEAR ProSafe SSL312 supports up to 25 users simultaneously. Remote employees can safely and securely log in from network environments and remote computers that are not controlled or managed by your corporate IT department. The SSL312's advanced features include:

- Security: The SSL312 uses Secure Sockets Layer version 3.0 and TLS 1.0 to ensure security and complete privacy. By leveraging industry-standard security protocols such as DES, 3DES, and AES-256, the SSL312 supports MD5 and SHA-1 to ensure data confidentiality over the Internet. The SSL312 can also clear the cache after a remote user logs out to protect the data and privacy of the user.
- Customizable portals: Administrators can configure and customize user portals to enforce role-based access and ease the end-user experience when connected to the corporate network. Granular policy configuration tools give administrators complete control over individual user access to specific network resources.
- Cost-effective: The SSL312's support for web-based access eliminates the high cost of installing, configuring, and maintaining client software on each PC. Studies have shown that an SSL-based solution can save businesses $100 to $300 per year per user in client costs.
- Easy to manage: SSL is available wherever there is a standard web browser, including kiosks and retail business centers, so users don't need a company laptop to access company resources. Administrators have access to and full remote control of employees' desktops without client software installation.

Deployment Scenario

The SSL312 can be deployed on a network in a number of ways. The most popular approach is to install the SSL312 on the network behind a firewall, as shown in Diagram 2.

Diagram 2: The SSL312 sits on the internal network (email, web, database, and file servers) behind a ProSafe VPN Firewall and broadband modem. Remote users connecting over the Internet via PDA from a partner site, via kiosk or laptop from home, or from a coffee shop or hotspot are allowed either restricted or full access to the corporate network according to their user policy.

A firewall is highly recommended for small and mid-sized companies. However, the SSL312 is not a firewall and traditionally sits behind one. The SSL312 is responsible for terminating all SSL VPN connections. The SSL312 verifies user credentials when remote users log in with their user name and password, and provides access to corporate resources based upon their user policy. When the SSL312 is deployed behind a firewall, the firewall must be configured to send all inbound SSL connections to the SSL VPN concentrator. Diagram 3 shows the administration interface for the SSL312.

To fully configure the NETGEAR ProSafe SSL VPN Concentrator SSL312, please refer to the Installation and User Guide available at http://www.netgear.com.

Diagram 3: SSL312 administration interface.

After the successful installation of the SSL312, remote users can access corporate resources by entering the IP address or DNS name of the SSL VPN Concentrator in the navigation bar of a supported browser. The SSL312 supports Microsoft Internet Explorer and Apple Safari as the client browsers for access. Once a remote user successfully logs into the SSL VPN box, he or she will see the screen shown in Diagram 4.

Diagram 4: User portal displayed after a successful login.

With the SSL312, administrators have the flexibility to provide multiple remote access options to their remote users. These access options include:

- VPN Tunnel: Using a small (<64K) ActiveX control downloaded during the first connection to the SSL VPN Concentrator, a VPN tunnel can provide full IPSEC-like connectivity. The ActiveX control creates a PPP adapter upon installation to deliver full IPSEC-like connectivity to corporate resources.
- Port Forwarding: Port forwarding provides access to mission-critical applications, such as email and mapped network drives, as if they were located on the corporate network. However, port forwarding differs from a VPN tunnel in several ways.
  o Port forwarding only supports TCP data, not UDP or other IP protocols.
  o Port forwarding detects and reroutes individual data streams over the port forwarding connection instead of through a full tunnel to the corporate network. As a result, port forwarding uses a lighter client than the VPN tunnel and installs more quickly.
  o Port forwarding offers more fine-grained management than the VPN tunnel. Administrators can define the individual applications and resources available to remote users. With the VPN tunnel, administrators must create access policies to block undesirable traffic at the SSL VPN gateway rather than at the client level.
  o Port forwarding does not require administrative privileges on the client PC, which are needed to install the VPN Tunnel ActiveX file.
- Utilities: The SSL312 supports utilities such as ssh, telnet, and ftp to enable administrators and power users to manage servers and desktops on the network when working remotely.
- Remote access allows access to a remote desktop, desktop application, or a home directory on a central server using either Microsoft Terminal Services or VNC. Both Microsoft Terminal Services and VNC support the unique ability to launch individual applications running on a remote desktop or server.

Conclusions

With its ease of use, simple installation, cost-effective maintenance, and secure access, the NETGEAR SSL312 is an excellent solution for small- to medium-size businesses. It provides all the access most remote users need without the burdensome overhead and expense of enterprise-focused IPSEC VPN solutions. And with NETGEAR's SMB market expertise, the SSL VPN ensures this growing technology remains a perfect fit for growing companies.

2006 NETGEAR, Inc. NETGEAR, the NETGEAR logo, Connect with Innovation, Everybody's connecting, the Gear Guy, IntelliFi, ProSafe, RangeMax, and Smart Wizard are trademarks or registered trademarks of NETGEAR, Inc., in the United States and/or other countries. Microsoft and Windows are trademarks of Microsoft Corporation in the United States and/or other countries. Intel, the Intel logo, Intel Viiv and Intel Viiv logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States or other countries. Other brand and product names are trademarks or registered trademarks of their respective holders. Information is subject to change without notice. All rights reserved.
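The difference in control points between the two access options above, modelled as an added example (not NETGEAR's code or the SSL312's actual policy engine): port forwarding is a default-deny allowlist of individual TCP applications per user, while the VPN tunnel gives full IP connectivity and can only be restricted by deny rules at the gateway. All users, hosts, ports and rules are constructed sample values.

```python
"""Added example: access decisions for SSL VPN port forwarding vs. VPN tunnel.

Port forwarding: per-user allowlist of (host, port) TCP applications.
VPN tunnel: any protocol to any host, minus a gateway deny list.
Every value below is a constructed sample, not a product default.
"""
from ipaddress import ip_address, ip_network

# Constructed per-user port-forwarding policy: (host, port) pairs the admin
# has published as individual applications (mail, file share, intranet web).
PORT_FORWARD_POLICY = {
    "alice": {("10.0.0.10", 25), ("10.0.0.10", 110), ("10.0.0.20", 445)},
    "bob": {("10.0.0.40", 80)},
}

# Constructed gateway deny rules for tunnel users: (network, port or None).
# None blocks every port on that network.
TUNNEL_DENY_RULES = [("10.0.0.30/32", None), ("10.0.0.0/24", 3389)]


def port_forward_allowed(user: str, host: str, port: int, proto: str) -> bool:
    """Port forwarding relays individual TCP streams only; anything not
    explicitly published to this user is refused (default deny)."""
    if proto.lower() != "tcp":
        return False  # UDP and other IP protocols are not supported
    return (host, port) in PORT_FORWARD_POLICY.get(user, set())


def tunnel_allowed(dst_ip: str, port: int) -> bool:
    """The tunnel behaves like an IPsec client (any protocol, any host), so
    the only control point is the gateway deny list; unmatched traffic
    passes (default allow). dst_ip must be a literal IPv4/IPv6 address."""
    dst = ip_address(dst_ip)
    for network, blocked_port in TUNNEL_DENY_RULES:
        if dst in ip_network(network) and blocked_port in (None, port):
            return False
    return True


def decide(mode: str, user: str, host: str, port: int, proto: str) -> str:
    """Return an audit-style verdict line for one access request."""
    if mode == "port-forward":
        ok = port_forward_allowed(user, host, port, proto)
    elif mode == "tunnel":
        ok = tunnel_allowed(host, port)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return f"{'ALLOW' if ok else 'DENY'} mode={mode} user={user} dst={host}:{port}/{proto}"


if __name__ == "__main__":
    # Constructed requests showing the granularity gap between the two modes.
    for req in [("port-forward", "alice", "10.0.0.10", 25, "tcp"),
                ("port-forward", "alice", "10.0.0.10", 53, "udp"),
                ("port-forward", "alice", "10.0.0.40", 3389, "tcp"),
                ("tunnel", "alice", "10.0.0.40", 3389, "tcp"),
                ("tunnel", "alice", "10.0.0.40", 53, "udp")]:
        print(decide(*req))
```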