SSL VPN Technology White Paper

Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access

Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and application scenarios.

Acronyms:

AD: Active Directory
CA: Certificate Authority
HTTPS: HTTP Security
LDAP: Lightweight Directory Access Protocol
RADIUS: Remote Authentication Dial-In User Service
SMB: Server Message Block
SSL: Secure Sockets Layer
VPN: Virtual Private Network


Table of Contents

Overview
    Background
    Benefits
SSL VPN Implementation
    Concepts
    SSL VPN System Components
    Operation of SSL VPN
    SSL VPN Access Modes
        Web Access
        TCP Access
        IP Access
Comware V5 Technical Characteristics
    Clients Requiring No Manual Installation and Maintenance
    Support for Multiple Authentication Methods
    Rich and Flexible Security Policies
    Granular Resource Access Control
Application Scenarios
    Remote Access
    SSL VPN Gateway Sharing Application Scenario
    SSL VPN Networking Modes


Overview

Background

With the popularity of the Internet and the fast development of e-commerce, more and more enterprises and organizations need to allow employees, users, and partners to access internal resources from any place at any time, so as to save time and improve efficiency. However, some users may be illegitimate and some remote hosts may not be secure, which brings potential security threats to internal networks.

Security VPN (SVPN) technologies are commonly used to solve this problem. They provide a secure access mechanism that protects internal network resources well. SVPN technologies mainly include IPsec VPN and SSL VPN.

Due to the way IPsec VPN is implemented, it has the following disadvantages:

It requires complicated client software installation on user hosts. User hosts are diverse and often mobile. Mobility requires fast client-side VPN deployment, while diversity requires the VPN client software to support multiple platforms and be easy to upgrade and maintain. IPsec VPN cannot satisfy these requirements.

IPsec VPN cannot evaluate the security of user hosts. If users access the corporate network from insecure hosts, the corporate network may be infected by viruses.

IPsec VPN cannot provide strict and granular access control. Because IPsec is implemented at the network layer and cannot identify the contents of IP packets, it cannot control access requests from higher layers. In addition, to improve efficiency, enterprises need to establish extranets to exchange information and share resources with partners, and therefore need to control partner access effectively and strictly to ensure the security of the enterprise information system. IPsec VPN cannot control access rights in this way.

IPsec VPN is difficult to deploy in complicated networking environments. For example, in a scenario using NAT, you need to configure NAT traversal for IPsec VPN; in a scenario using firewalls, you need to configure the firewalls to permit IPsec packets, because IPsec headers are inserted in front of the original TCP/UDP headers.

In a word, IPsec VPN is suitable for scenarios where connections are fixed and strict access control is not required. It cannot satisfy the requirements of mobile access and precise access control.

Compared with IPsec VPN, SSL VPN better satisfies the technical and management requirements of remote access. SSL VPN supports multiple platforms, requires no manual installation and maintenance of clients, and provides flexible and effective access right management. Therefore, it is increasingly popular in the remote access market. The following section details the advantages of SSL VPN.

Benefits


Support for various application protocols. SSL works between the transport layer and the application layer, so any application can be secured by SSL VPN without knowing the details of SSL VPN.

Support for various software platforms. At present, SSL has become a global standard for authenticating websites and webpage viewers and for encrypted communication between Web browsers and Web servers. The SSL protocol is integrated into most browsers, such as IE, Netscape, and Firefox, which means that almost every PC with a browser supports SSL connections. SSL VPN clients are based on the SSL protocol, so most software environments can act as an SSL VPN client.

Automatic installation and uninstallation of the client software. In applications where specific client software is required, SSL VPN allows the operating system to download and install the client software automatically and, when the SSL VPN connection is closed, to uninstall and delete the client software automatically.

Security evaluation of client hosts. SSL VPN can evaluate the security status of remote hosts, so as to determine whether the remote hosts are safe enough to access the enterprise network.

Dynamic authorization. Traditional right control authorizes users mainly by user identity: a user is always granted the same right no matter where the user logs in to the network from. This authorization mode is called static authorization. Dynamic authorization authorizes a user based not only on the user identity but also on the security status of the host used by the user. This allows dynamic control of the user access right: the more secure the remote host is, the higher the access right the SSL VPN grants the user.

Multiple user authentication methods and granular access control. The SSL VPN gateway supports various user authentication methods and granular access control, implementing controlled access of external users to the internal resources.

Deploying SSL VPN does not impact the existing network. Because the SSL protocol works above the transport layer, it does not change the IP header or TCP header, so SSL packets are transparent to NAT. Meanwhile, SSL always uses port 443, so you only need to open port 443 on the firewalls instead of modifying firewall settings for each application protocol. This not only reduces the workload of network administrators but also improves network security.

Independent resource access control of domains sharing the same SSL VPN gateway. SSL VPN allows enterprises, or departments of an enterprise, to share an SSL VPN gateway, so as to reduce costs. In this case, you can configure multiple domains on the gateway, each of which is for a single enterprise or department to control its resources and users independently. By creating multiple domains, you can divide a physical SSL VPN gateway into several logical SSL VPN gateways.

SSL VPN Implementation

Concepts

SSL VPN users include super administrators, domain administrators, and common users.


Super administrator: Manager of the entire SSL VPN gateway. A super administrator can create domains and set the passwords of domain administrators.

Domain administrator: Manager of an SSL VPN domain. A domain administrator can create local users and resources, and specify the access right for the users.

Common SSL VPN user: Simply called user, referring to users accessing network resources through the SSL VPN system. The resource access right of a user is assigned by the domain administrator.

SSL VPN System Components

Figure 1 Architecture of SSL VPN

Figure 1 shows a typical SSL VPN network. The SSL VPN system consists of the following components:

Remote host: Terminal from which an administrator or user logs in to the network, such as a PC, mobile phone, or PDA.

SSL VPN gateway: An important component of the SSL VPN system. Administrators maintain the information of users and internal resources on the SSL VPN gateway. Users can view the resources that can be accessed on the SSL VPN gateway. The SSL VPN gateway forwards packets between remote hosts and the internal servers. An SSL connection is established between the SSL VPN gateway and a remote host to ensure the security of data transmission.

Internal servers: Servers of any type, for example, Web server and FTP server; or hosts in the enterprise network that need to communicate with a remote host.

CA: Certificate authority. CA issues a digital certificate, which contains the public key, for the SSL VPN gateway. This is for the SSL VPN gateway to pass identity authentication on the remote host and establish an SSL connection with the remote host.

Authentication server: External authentication server for remote user authentication. The SSL VPN gateway supports not only local user authentication but also remote user authentication through an external authentication server.


Operation of SSL VPN

The following describes the operation of SSL VPN:

The super administrator creates domains on the SSL VPN gateway.

The domain administrators create users and resources corresponding to the internal servers on the SSL VPN gateway.

Users access the internal servers through the SSL VPN gateway.

Creating domains

Figure 2 Creating domains

[Figure 2 shows the super administrator reaching the SSL VPN gateway over the Internet, with the internal servers on the LAN behind the gateway. The steps drawn are: 1) establish an SSL connection with the SSL VPN gateway and enter the login page of the SSL VPN gateway; 2) input the username and password to pass authentication and enter the Web interface of the SSL VPN gateway; 3) create domains on the SSL VPN gateway.]

As shown in Figure 2, a super administrator goes through three steps to create domains:

1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears.

2. Input the username (including the authentication method) and password on the login page of the SSL VPN gateway Web interface. The SSL VPN gateway will authenticate the super administrator by using the input information. After passing the identity authentication, the super administrator enters the Web interface of the SSL VPN gateway.

3. Create domains on the SSL VPN gateway and set the passwords of the domain administrators.


Creating users and resources corresponding to the internal servers

Figure 3 Creating users and resources corresponding to the internal servers

As shown in Figure 3, a domain administrator goes through the following three steps to create users and resources corresponding to the internal servers:

1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears.

2. Input the username (including the authentication method) and password on the login page of the SSL VPN gateway Web interface. The SSL VPN gateway will authenticate the domain administrator by using the input information. After passing the identity authentication, the domain administrator enters the Web interface of the SSL VPN gateway.

3. Create users and resources corresponding to the internal servers, and specify the resource access rights for the users.


Accessing internal servers

Figure 4 Accessing internal servers

As shown in Figure 4, a user goes through the following steps to access the internal servers:

1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears.

2. Input the username (including the authentication method) and password. The SSL VPN gateway will authenticate the user identity by using the input information. After passing the identity authentication, the user enters the Web interface of the SSL VPN gateway.

3. View the list of available resources, such as Web server resources and file sharing resources.

4. Select the resource to access and send the access request to the SSL VPN gateway through the SSL connection.

5. The SSL VPN gateway resolves the request, checks the access right of the user and, if the user is authorized to access the resource, forwards the request to the corresponding server in plaintext.

6. The server sends the reply in plaintext to the SSL VPN gateway.

7. After receiving the reply, the SSL VPN gateway forwards the reply to the user through the SSL connection.

SSL VPN Access Modes

SSL VPN provides three access modes:


Web access

TCP access

IP access

Users can use different access modes to access different types of resources. In different access modes, the data forwarding procedures between the remote host, the SSL VPN gateway, and the internal servers differ. The following sections describe the three access modes in detail.

Web Access

Web access allows users to access server resources through the SSL VPN gateway by using browsers in HTTPS mode. In this mode, all data operations are performed on Web pages.

Resources for Web access include Web server resources and file sharing resources.

Web server resources

Web servers provide services to users through Web pages. Users can get the desired information by simply clicking the links on the pages. SSL VPN provides secure connections for users to access Web servers and can prevent illegal users from accessing the protected Web servers.

Figure 5 Access Web server resources

As shown in Figure 5, during Web server access, the SSL VPN gateway mainly acts as a relay.

1. After receiving the HTTP request from a user, the SSL VPN gateway finds the required resource according to the URL in the HTTP request, and then forwards the HTTP request to the Web server that provides the required resource.

2. After receiving the HTTP reply from the server, the SSL VPN gateway changes the webpage links pointing to the internal network to links pointing to the SSL VPN gateway before forwarding it to the user, so that the user has to access the internal resources through the SSL VPN gateway. In this way, the SSL VPN gateway protects the security of the internal network and implements access control of users.

During the whole process, from the perspective of the user, all HTTP replies come from the SSL VPN gateway, while from the perspective of the Web server, all HTTP requests are initiated by the SSL VPN gateway.
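The two relay steps above, as an added example in Python (not code from the white paper or from Comware): rewriting the links in a Web server reply so that they point at the gateway, and mapping a request that later arrives at the gateway back to the internal resource after the access-right check. The gateway URL, the resource names and the /web/<resource>/ path layout are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed configuration (assumed for this example): the public URL of the
# SSL VPN gateway and the internal Web servers published as resources.
GATEWAY = "https://sslvpn.example.com"
WEB_RESOURCES = {
    "intranet": "http://intranet.corp.local",
    "wiki": "http://wiki.corp.local:8080",
}
_ORIGIN_TO_NAME = {origin: name for name, origin in WEB_RESOURCES.items()}

# href/src/action attributes in the HTML of a Web server reply.
LINK_RE = re.compile(r'(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)
# Path layout assumed for links that go through the gateway: /web/<resource>/<path>
RESOURCE_PATH_RE = re.compile(r"^/web/([A-Za-z0-9_-]+)(/.*)?$")


def rewrite_link(url, resource):
    """Turn one link from a Web server reply into a link that points at the gateway.

    Site-absolute links (/img/x.png) are placed under the gateway path of the
    resource being browsed; absolute links to a published internal origin are
    mapped onto that origin's gateway path; anything else (relative links, which
    already resolve under the gateway path, and external links) is kept as is.
    """
    parts = urlsplit(url)
    gw = urlsplit(GATEWAY)
    if not parts.scheme:
        if url.startswith("/"):
            return f"{GATEWAY}/web/{resource}{url}"
        return url
    name = _ORIGIN_TO_NAME.get(f"{parts.scheme}://{parts.netloc}")
    if name is None:
        return url
    path = parts.path or "/"
    return urlunsplit((gw.scheme, gw.netloc, f"/web/{name}{path}", parts.query, parts.fragment))


def rewrite_reply(html, resource):
    """Step 2 above: rewrite every link in the HTTP reply before forwarding it."""
    def _sub(m):
        attr, quote, url = m.groups()
        return f"{attr}={quote}{rewrite_link(url, resource)}{quote}"
    return LINK_RE.sub(_sub, html)


def resolve_request(gateway_path, allowed):
    """Step 1 above, plus the access-right check from the operation overview.

    Maps the path the user requested on the gateway back to the internal URL.
    Returns (internal_url, None) on success or (None, reason) when the request
    must be refused rather than forwarded.
    """
    m = RESOURCE_PATH_RE.match(gateway_path)
    if not m:
        return None, "not a gateway resource path"
    name, rest = m.group(1), m.group(2) or "/"
    if name not in WEB_RESOURCES:
        return None, "unknown resource"
    if name not in allowed:
        return None, "user not authorized for resource"
    return WEB_RESOURCES[name] + rest, None


# Constructed sample reply from the internal Web server.
SAMPLE_REPLY = (
    '<a href="http://intranet.corp.local/hr/leave.html">Leave</a>\n'
    '<img src="/img/logo.png">\n'
    "<a href='http://wiki.corp.local:8080/page?id=7'>Wiki</a>\n"
    '<a href="news.html">News</a>\n'
    '<a href="http://www.example.org/">External</a>\n'
)

if __name__ == "__main__":
    print(rewrite_reply(SAMPLE_REPLY, "intranet"))
    print(resolve_request("/web/intranet/hr/leave.html", {"intranet"}))
```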

File sharing resources

File sharing is a common network application; the Shared Documents folder provided by the Windows operating system is one example. File sharing allows users to perform file operations on a remote server or host, such as browsing files and uploading and downloading files.

The SSL VPN gateway provides the file sharing resources to users through Web.


1. The remote host and the SSL VPN gateway communicate through HTTPS. The remote host sends the user request of accessing file sharing resources to the SSL VPN gateway through an HTTPS packet.

2. The SSL VPN gateway and the file server communicate through SMB. After receiving the request packet from the remote host, the SSL VPN gateway converts it into an SMB packet and then sends the packet to the file server.

3. After receiving the reply packet from the file server, the SSL VPN gateway converts the packet into an HTTPS packet and then sends the packet to the remote host.

Figure 6 Access shared file resources

TCP Access

TCP access is used to support TCP applications on remote hosts to access open ports on internal servers securely. TCP access allows users to access any TCP-based services, including remote access services (such as Telnet), desktop sharing services, and mail services.

To access internal servers in TCP access mode, users do not need to upgrade existing TCP programs. However, a dedicated TCP access client is required. The client uses an SSL connection to transmit the application layer data.

As shown in Figure 7, a user goes through the following steps to access TCP-based services:

1. Launch the TCP application on the remote host, which automatically downloads the TCP access client software from the SSL VPN gateway.

2. When the user clicks a resource link on the Web interface of the SSL VPN gateway or launches a TCP program (for example, opens the Remote Desktop Connection program to connect to an internal server), the TCP access client automatically establishes an SSL connection with the SSL VPN gateway and uses an extended HTTP message to request access to the resource.

3. The SSL VPN gateway establishes a TCP connection with the internal server that provides the resource.

4. After the TCP connection is established successfully, the TCP access client sends the user access data to the SSL VPN gateway through the SSL connection. Then, the SSL VPN gateway obtains the application layer data and sends the data to the internal server through the TCP connection.

5. After receiving the reply from the internal server, the SSL VPN gateway forwards the reply to the TCP access client through the SSL connection. The client will then obtain the reply data and forward the data to the application program.


Figure 7 Access internal servers in TCP access mode

[Figure 7 shows the application and the TCP access client on the host, the SSL VPN gateway, and the internal (application) server, with the SSL connection between the host and the gateway. Connection establishment: 1) the application initiates a TCP connection; 2) the client establishes an SSL connection with the SSL VPN gateway and then sends an extended HTTP message to request access to a resource; 3) the gateway establishes a TCP connection with the internal server; 4) the TCP connection is established successfully; 5) the gateway returns a message to inform the client of the success; 6) the TCP connection to the application is established. Data transmission: 7) the application sends application layer data; 8) the client forwards the application layer data to the SSL VPN gateway through the SSL connection; 9) the gateway forwards the application layer data to the internal server through the internal network; 10) the internal server replies; 11) the gateway sends the reply to the client through the SSL connection; 12) the client forwards the reply to the application.]
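The exchange of Figure 7 as an added example in Python, not the white paper's or Comware's code: a TCP access client, a gateway and an internal server run on localhost threads, with plain TCP standing in for the SSL connection and an assumed "ACCESS <resource> HTTP/1.1" request line standing in for the extended HTTP message. The resource and authorization tables are constructed for the example.

```python
import socket
import threading
from contextlib import suppress

# Constructed tables (assumed for this example): RESOURCES maps a resource name
# published on the gateway to an internal server address; ALLOWED holds the
# resources the logged-in user is authorized to access.
RESOURCES = {}
ALLOWED = {"echo-server"}

def _listener():
    """Bound, listening TCP socket on an ephemeral localhost port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen()
    return s

def _serve(sock, handler):
    """Accept connections forever, each handled on its own thread; return the address."""
    def loop():
        while True:
            conn, _ = sock.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()

def _pipe(src, dst):
    """Relay bytes one way until EOF, then pass the EOF on as a half-close."""
    with suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _echo_upper(conn):
    """Stand-in for an internal TCP service: replies with the received bytes upper-cased."""
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data.upper())

def _handle_client(client):
    """Gateway side of one TCP access client connection (steps 2 to 5 of Figure 7)."""
    req = b""
    while b"\r\n\r\n" not in req and (chunk := client.recv(1024)):   # step 2
        req += chunk
    head, _, rest = req.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].decode(errors="replace").split(" ")
    if (len(fields) != 3 or fields[0] != "ACCESS"
            or fields[1] not in ALLOWED or fields[1] not in RESOURCES):
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")   # access-right check failed
        client.close()
        return
    backend = socket.create_connection(RESOURCES[fields[1]])        # step 3
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")  # step 5
    if rest:                                     # data that arrived with the request
        backend.sendall(rest)
    # Steps 7 to 12: relay application-layer data in both directions.
    threading.Thread(target=_pipe, args=(client, backend), daemon=True).start()
    threading.Thread(target=_pipe, args=(backend, client), daemon=True).start()

def tcp_access_client(gateway_addr, resource, payload):
    """Client side: request the resource, forward the application's bytes, return the reply."""
    s = socket.create_connection(gateway_addr)
    s.settimeout(5)
    s.sendall(f"ACCESS {resource} HTTP/1.1\r\n\r\n".encode())
    status = b""
    while b"\r\n\r\n" not in status and (chunk := s.recv(1024)):
        status += chunk
    if not status.startswith(b"HTTP/1.1 200"):
        s.close()
        return None                              # the gateway refused the resource
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)                   # the application has finished sending
    reply = b"".join(iter(lambda: s.recv(4096), b""))
    s.close()
    return reply

def demo():
    """Whole exchange on localhost: one authorized and one unauthorized resource."""
    RESOURCES["echo-server"] = _serve(_listener(), _echo_upper)   # internal server
    RESOURCES["payroll-db"] = RESOURCES["echo-server"]           # published, not in ALLOWED
    gateway = _serve(_listener(), _handle_client)                # plain TCP stands in for SSL
    return (tcp_access_client(gateway, "echo-server", b"hello via ssl vpn"),
            tcp_access_client(gateway, "payroll-db", b"hello"))

if __name__ == "__main__":
    print(demo())
```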

IP Access

IP access implements secure communication between a remote host and an internal server at the network layer, and thereby supports all IP-based communication between remote hosts and internal servers, for example, pinging an internal server from a remote host.

When a user accesses an internal server in IP access mode, a dedicated IP access client is required, which will install a virtual network interface card (VNIC) on the remote host.

As shown in Figure 8, a user goes through the following steps to access IP-based resources:

1. Launch the IP application on the remote host, which then automatically downloads the IP access client software from the SSL VPN gateway. Then, the IP access client establishes an SSL connection with the SSL VPN gateway, installs a VNIC on the host, requests an IP address for the VNIC, sets the gateway IP address, and installs routes with the outbound interfaces being the VNIC.

2. Click a resource link on the Web interface of the SSL VPN gateway or execute an IP access command, such as the ping command, to access an IP network resource, the IP packet will be routed to the VNIC, and then encapsulated and sent by the VNIC to the SSL VPN gateway through


4. After receiving a reply from the server, the SSL VPN gateway encapsulates the reply packet and then sends the packet to the IP access client through the SSL connection.

5. The client de-encapsulates the packet and then delivers the IP packet through the VNIC to the host for processing.

Figure 8 Access internal servers in IP access mode

Comware V5 Technical Characteristics

Clients Requiring No Manual Installation and Maintenance

The client software running on remote hosts includes:

SSL-supporting Web browser: At present, most operating systems provide browsers that support SSL. Hence, users can use such browsers to access internal servers in Web access mode.

Host checker: Used to evaluate the security status of remote hosts. When a user logs in, the remote host will automatically download and install the host checker.

Cache cleaner: When a user quits the SSL VPN system, the cache cleaner clears the temporary files, configuration files and downloaded client software used during the SSL VPN communication, avoiding system information leakage. When a user logs in, the remote host will automatically download and install the cache cleaner.


TCP access client: Client software used in TCP access mode.

IP access client: Client software used in IP access mode.

Except for the Web browser, all of the client software is downloaded from the SSL VPN gateway. The client software requires no manual installation and maintenance: it is downloaded, installed, configured, and used to establish connections automatically.

Support for Multiple Authentication Methods

SSL VPN supports four authentication methods:

Local authentication: The network administrator configures local users on the SSL VPN gateway. The SSL VPN gateway authenticates a user by comparing the input username and password with those saved locally.

RADIUS authentication: User information is saved on the RADIUS server. The SSL VPN gateway serves as the RADIUS client and exchanges authentication messages with the RADIUS server to authenticate users.

LDAP authentication: User information is saved on the LDAP server. The SSL VPN gateway serves as the LDAP client to query user information on the LDAP server to authenticate users.

Active Directory (AD) authentication: LDAP authentication implemented by Microsoft.

A user opens the login page of the SSL VPN gateway Web interface in a browser and inputs the username, password, and authentication method. This information is sent to the SSL VPN gateway through an SSL connection, ensuring the security of data transmission. After the SSL VPN gateway receives the login information, it authenticates the user according to the specified authentication method.

The authentication methods provided by the SSL VPN gateway are simple, universal, and of good extensibility.

Rich and Flexible Security Policies

Insecure remote hosts may bring potential security threats to the internal network. Host checking is a good practice to avoid such threats. When a host logs in to the SSL VPN gateway, the host checker can check the host's operating system and its patches, the version and patches of the browser, the version of the firewall, and the version of the anti-virus software, and then determine which resources the host can access based on the checking results.

You can configure security policies on the SSL VPN gateway, so as to configure the security checking method, define the checking items, and specify the protected resources, ensuring that only remote hosts that satisfy the security policies can access the corresponding resources.

Granular Resource Access Control

The resource access control mechanism of SSL VPN can control user access rights flexibly, implementing


groups, add users into user groups, and then specify the resource groups that can be accessed by each user group. In addition, the SSL VPN gateway can perform security checking on remote hosts.

After a user logs in, the SSL VPN gateway determines the resource groups allowed to be accessed by the user based on the security checking results and the user groups to which the user belongs. In this way, the SSL VPN gateway implements flexible and granular resource access control.
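An added model in Python (not Comware's implementation) of the access control just described, together with the dynamic authorization, security policies and gateway sharing sections: each domain on the gateway has its own user groups and resource groups, and a resource group protected by a security policy is withheld when the host checker result does not satisfy it. The checking items, domains, users and resources are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityPolicy:
    """Security policy: host-check results a remote host must satisfy.

    The checking items (patch level, anti-virus, firewall) are assumed here;
    the white paper lists OS patches, browser, firewall and anti-virus versions.
    """
    name: str
    min_os_patch_level: int = 0
    antivirus_required: bool = False
    firewall_required: bool = False

    def satisfied_by(self, host_check):
        return bool(host_check.get("os_patch_level", 0) >= self.min_os_patch_level
                    and (not self.antivirus_required or host_check.get("antivirus"))
                    and (not self.firewall_required or host_check.get("firewall")))

@dataclass
class Domain:
    """One logical SSL VPN gateway with its own users, resources and policies."""
    name: str
    user_groups: dict = field(default_factory=dict)      # user group -> set of usernames
    resource_groups: dict = field(default_factory=dict)  # resource group -> set of resources
    group_access: dict = field(default_factory=dict)     # user group -> set of resource groups
    protection: dict = field(default_factory=dict)       # resource group -> SecurityPolicy

    def groups_of(self, user):
        return {g for g, members in self.user_groups.items() if user in members}

def authorize(gateway, domain_name, user, host_check):
    """Resources a logged-in user may access (dynamic authorization).

    The user's groups give the static part; a resource group protected by a
    security policy that the host checker result does not satisfy is withheld
    even when the user's group is entitled to it. A user only ever sees the
    resources of the domain logged in to.
    """
    domain = gateway.get(domain_name)
    if domain is None:
        return set()
    allowed = set()
    for user_group in domain.groups_of(user):
        for resource_group in domain.group_access.get(user_group, ()):
            policy = domain.protection.get(resource_group)
            if policy is None or policy.satisfied_by(host_check):
                allowed |= domain.resource_groups.get(resource_group, set())
    return allowed

def build_demo_gateway():
    """Constructed configuration: two enterprises sharing one physical gateway."""
    a = Domain("enterprise-A")
    a.user_groups = {"staff": {"alice", "bob"}, "finance": {"bob"}}
    a.resource_groups = {"web": {"intranet", "wiki"}, "finance-apps": {"erp", "payroll-share"}}
    a.group_access = {"staff": {"web"}, "finance": {"web", "finance-apps"}}
    a.protection = {"finance-apps": SecurityPolicy("trusted-host", min_os_patch_level=3,
                                                   antivirus_required=True)}
    b = Domain("enterprise-B")
    b.user_groups = {"staff": {"alice"}}            # a different alice, unrelated to A's
    b.resource_groups = {"web": {"portal-b"}}
    b.group_access = {"staff": {"web"}}
    return {"enterprise-A": a, "enterprise-B": b}

if __name__ == "__main__":
    gw = build_demo_gateway()
    managed = {"os_patch_level": 5, "antivirus": True, "firewall": True}
    kiosk = {"os_patch_level": 1, "antivirus": False}
    print(sorted(authorize(gw, "enterprise-A", "bob", managed)))  # all four resources
    print(sorted(authorize(gw, "enterprise-A", "bob", kiosk)))    # web resources only
```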

Application Scenarios

Remote Access

Figure 9 Network diagram for remote access application

[Figure 9 shows a partner, a mobile employee, a dwelling house, a hotel, a network access terminal, and a mobile phone reaching the enterprise network over the Internet through the SSL VPN gateway.]

As shown in Figure 9, SSL VPN has many advantages in remote access applications. It is suitable for various complicated networking scenarios. Compared with IPsec VPN, SSL VPN is especially suitable for the following scenarios:

Dynamic remote access: Users use various terminals to access the enterprise network through the Internet from any place at any time.

Scenarios where remote hosts are not necessarily secure: Users use public computers in, for example, cybercafes or hotels to access the enterprise network. Public computers are insecure as they are more likely to be attacked and infected with viruses.

Users with different access rights: Remote users using the Extranet may be employees, partners, or other personnel. The resources that can be accessed by different users are different.

Various running environments on remote terminals: Different remote terminals may use different operating systems and applications to access the enterprise network.


Figure 10 SSL VPN gateway serves as the ingress of the enterprise network

As shown in Figure 10, the SSL VPN gateway can cooperate with the firewall to serve as the ingress of the enterprise network, protecting the enterprise network from being attacked.

Figure 11 SSL VPN gateway protects important servers in the enterprise network

As shown in Figure 11, the SSL VPN gateway can be used to protect only important internal servers from being attacked, without affecting other parts of the enterprise network.

SSL VPN Gateway Sharing Application Scenario

Figure 12 Network diagram for SSL VPN gateway sharing application

[Figure 12 shows the users of enterprises A, B, and C on their own LANs reaching the networks of enterprises A, B, and C over the Internet through one shared SSL VPN gateway.]


its own users and server resources in domain A, and configures its own security policies to ensure that users of enterprise A can access only the resources of enterprise A. Enterprises B and C manage their users in the same way.

SSL VPN Networking Modes

According to the way in which the SSL VPN gateway is connected to the network, the SSL VPN networking modes fall into two types: dual-arm and single-arm.

In dual-arm mode, the SSL VPN gateway resides between the internal network (or internal servers) and the external network, as shown in Figure 9, Figure 10, and Figure 11. The advantage of the dual-arm mode is that the SSL VPN gateway can provide full protection to the whole internal network or the internal servers. The downside is that the gateway, located at the exit of the internal network, may become a bottleneck of the network. Therefore, it must have high processing capability, availability, and reliability.

Figure 13 Network diagram for single-arm mode

As shown in Figure 13, in single-arm mode, the SSL VPN gateway acts as a proxy server for the communication between the remote host and the internal network. The advantage of the single-arm mode is that the SSL VPN gateway is not a bottleneck of the network, as it is not deployed on the critical path. However, the SSL VPN gateway cannot provide full protection to the internal network.

© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
