
Table of Contents

1 Overview···1-1
  Introduction···1-1
  Product Design···1-1
  Appearance···1-2

2 Features and Benefits···2-1
  Key Features···2-1
  Support for the Browser/Server Resource Access Model···2-1
  Support for Client/Server Applications···2-1
  Support for IP Layer-Based Network Applications···2-2
  Effective Security Assessment of Remote Hosts···2-2
  Granular and Dynamic Authorization for Remote Users···2-2
  Support for Multiple Authentication Methods···2-2
  Client that Needs No Manual Installation and Maintenance···2-3
  High-Performance Hardware Encryption···2-3
  Customized User Interface···2-3

3 Functions and Specifications···3-1
  Function List···3-1
  Performance and Specifications···3-2

4 System Components and Application Scenarios···4-1

1 Overview

Introduction

The H3C SecBlade SSL VPN cards are developed by H3C for secure remote access. They support the Open Application Architecture (OAA) and can be used in H3C S7500E and S9500 series switches. The SecBlade SSL VPN cards are connected with the switches through the internal high-speed Ethernet interfaces. With the SecBlade SSL VPN cards, the switches can support SSL VPN applications.

The H3C SecBlade SSL VPN cards provide comprehensive SSL VPN service processing capabilities:

• It supports three remote access modes: Web access (HTTP proxy), TCP access (port forwarding), and IP access (network extension), implementing comprehensive and effective support for various IP-based applications.

• It improves the access rights management granularity to URLs, file directories, IP addresses and port numbers, and IP segments.

• It enables dynamic user authorization based on the security status of remote hosts.

• It requires no client installation and maintenance, not only facilitating deployment, but also reducing the maintenance cost.

Equipped with high-performance multi-core processing units and embedded with multiple encryption engines, the SecBlade SSL VPN cards support high throughput and concurrent SSL VPN services.

Currently, the H3C SecBlade SSL VPN cards come in two models: LSQ1SSLSC0 for H3C S7500E series Ethernet switches and LSB1SSL1A1 for H3C S9500 series Ethernet switches.

Product Design

The SecBlade SSL VPN cards are high-performance, large-capacity SSL VPN gateway products. They support OAA and can be used in H3C medium and high-end switches to provide remote access services for medium-sized and large network systems.

As VPN products, the cards can satisfy these remote access requirements:

• Confidentiality of transmitted data.

• Support for multiple access modes, so that network access is not affected by dynamic IP addresses or NAT.

• Support for the browser/server resource access model, requiring no extra client software while still controlling user access rights precisely.

• Support for the client/server network application model, so that TCP/UDP-based applications can access internal network resources securely through encrypted connections.

• Support for IP-based network applications, so that these applications can access internal network resources securely through encrypted connections.

• More granular management of remote user access rights.

• Checking the security status of remote hosts and restricting insecure remote access.


Appearance

Currently, the H3C SecBlade SSL VPN cards are available in two models:

• LSQ1SSLSC0: Used with the H3C S7500E series Ethernet switches. Each has four internal GE interfaces, one console port, two USB interfaces, and one CF card interface.

• LSB1SSL1A0: Used with the H3C S9500 series Ethernet switches. Each has one internal 10-GE interface, one console port, two USB interfaces, and one CF card interface.

Figure 1-1 Appearance of the LSQ1SSLSC0 card

2 Features and Benefits

Key Features

As VPN devices for secure remote access, the SecBlade SSL VPN cards can provide these key features:

• Support for the browser/server resource access model

• Client/server applications

• IP layer-based network applications

• Effective security assessment of remote hosts

• Granular and dynamic authorization for remote users

• Multiple authentication methods

• Client that needs no manual installation and maintenance

• High-performance hardware encryption

• Customized user interface

• Support for the OAA architecture, which makes the cards able to work with medium and high-end switches

• The ability to process large-traffic and highly concurrent SSL VPN access services

Support for the Browser/Server Resource Access Model

At present, many network applications are Web-based, such as information publishing and browsing, and database querying and updating. SSL VPN supports the Web access mode, which requires no VPN client installation on the user side. Remote users can access the network resources through a Web browser.

If a remote user wants to access a Web site on the internal network, the SSL VPN gateway will act as the HTTP proxy, forwarding the HTTP requests from the user to the corresponding Web server and the responses from the server to the user. Different from ordinary Web proxies, the SSL VPN gateway requires users to use HTTPS links and the URL of the SSL VPN gateway for network access, instead of HTTP links and the URL of the internal server.

Support for Client/Server Applications

At present, many network applications are based on the client/server model, such as Telnet, POP3, and SMTP, where the client communicates with the server through a TCP or UDP connection. SSL VPN implements the port forwarding mode, which allows the gateway to act as the TCP proxy to terminate the SSL connection from the client and establish a TCP/UDP connection with the internal server, and then forward packets between the client and the server.

The port forwarding technology can provide higher network security than the IPsec VPN technology. With IPsec VPN, the whole IP network is exposed to remote users; while with port forwarding, only the IP addresses and port numbers of the internal servers are open for remote users.


connection with the gateway. Thus, there is no need to make any change to the existing TCP/UDP client.

Support for IP Layer-Based Network Applications

To support more IP-based network applications, SSL VPN provides the IP access (network extension) mode. This access mode requires that each remote host download and install an IP access client program, for which the SSL VPN gateway will assign an IP address. The remote hosts will then be connected with the internal network at the IP layer, as if they were in the same LAN.

The SSL VPN cards support granular control of IP access. They can control which IP network segments can be accessed by users, so as to limit the exposure created by remote access.

Effective Security Assessment of Remote Hosts

When a remote host tries to log in to the SSL VPN system, SSL VPN automatically installs and runs a piece of software called host checker on the host. The software will check the running environment of the host, and feed back the security status of the host to the gateway, which will in turn assess the security status of the host and then authorize the host according to the security status.

The security check items of the SSL VPN card include:

• Operating system version and patches

• Browser version and patches

• Firewall version

• Virus killer version

• User's PKI certificate

• Specified files

• Specified processes

Granular and Dynamic Authorization for Remote Users

Compared with IPsec VPN, SSL VPN features the advantage of granular access control. The SSL VPN cards support access control at the granularity of:

• URL

• IP address and port number

• IP network segment

SSL VPN can authorize the access right for a user based on the user identity or the security status of the remote host.

Authorization based on user identity is static. No matter when and where a user logs in to the SSL VPN system, the user will get the same access right. Authorization based on host security status is dynamic. Whenever a user tries to log in, SSL VPN checks the security status of the host and grants the user an access right accordingly.
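To make the static-versus-dynamic distinction concrete, here is an added Python model of the scheme (example code written for this page, not H3C's implementation): static rights come from the user identity, the host checker's report (the check items listed above) maps to a security level, and that level decides which resource kinds, at the page's URL / IP:port / network-segment granularity, the user may actually use. All user names, thresholds, rights and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class HostReport:
    """Constructed host-checker result covering the check items the page lists."""
    os_patched: bool
    browser_patched: bool
    firewall_on: bool
    antivirus_version: tuple     # e.g. (2021, 3); () when none is installed
    has_pki_cert: bool
    required_files_present: bool
    forbidden_process_running: bool

MIN_AV_VERSION = (2021, 1)       # assumed policy threshold, not a product default

def assess_host(r: HostReport) -> str:
    """Map a report to a security level; insecure hosts get no access at all."""
    if r.forbidden_process_running or not r.firewall_on:
        return "insecure"
    if not (r.os_patched and r.browser_patched and r.antivirus_version >= MIN_AV_VERSION):
        return "basic"
    return "trusted" if r.has_pki_cert and r.required_files_present else "standard"

# Static rights per identity (constructed). Kinds follow the page's granularity:
# URL (Web access), IP:port (port forwarding), network segment (IP access).
STATIC_RIGHTS = {"alice": {"url:https://oa.intranet/", "port:10.1.1.5:110", "net:10.1.2.0/24"}}
# Dynamic narrowing: a weaker host status unlocks fewer resource kinds.
LEVEL_KINDS = {"insecure": set(), "basic": {"url"},
               "standard": {"url", "port"}, "trusted": {"url", "port", "net"}}

def authorize(user: str, report: HostReport) -> set:
    """Effective rights = static rights for the identity, filtered by host status."""
    kinds = LEVEL_KINDS[assess_host(report)]
    return {r for r in STATIC_RIGHTS.get(user, set()) if r.split(":", 1)[0] in kinds}

def is_allowed(rights: set, kind: str, target: str, port: int = 0) -> bool:
    """Check one request (URL, host:port, or destination IP) against effective rights."""
    for right in rights:
        k, spec = right.split(":", 1)
        if k != kind:
            continue
        if k == "url" and target.startswith(spec):
            return True
        if k == "port" and spec == f"{target}:{port}":
            return True
        if k == "net" and ip_address(target) in ip_network(spec):
            return True
    return False
```

The same identity therefore ends up with three different right sets depending on what the host checker reports, which is exactly the dynamic behaviour the paragraph describes.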

Support for Multiple Authentication Methods

The SSL VPN cards support the following authentication methods:

• Local authentication

• RADIUS authentication

• LDAP authentication

• RSA SecureID

Any of these authentication methods can be combined with certificate authentication to form two-factor authentication.

The local authentication method is suitable when there are a few users. The SSL VPN cards can be integrated seamlessly with the existing network authentication systems (RADIUS, LDAP, or AD), facilitating centralized and unified management of user accounts.

Client that Needs No Manual Installation and Maintenance

• After a user logs in, the SSL VPN client can be automatically downloaded, installed, configured, and run through a Web page. After the user logs off, the SSL VPN client itself can automatically clear the installation program, the configuration, and the cached data.

• These features not only make it easy for users to use SSL VPN, but also facilitate the maintenance and upgrade of the SSL VPN system.

High-Performance Hardware Encryption

The SSL VPN cards use a multi-core processing unit with built-in encryption engines, which can handle the encryption and decryption of large volumes of SSL packets, and can therefore process SSL packets at wire speed on a GE port.

Customized User Interface

For user interface customization, the SSL VPN cards allow administrators to:

• Change the company logo picture.

3 Functions and Specifications

Function List

Item: Description

Access modes
• Web access (HTTP proxy)
• TCP access (port forwarding)
• IP access (network extension)

Authentication methods
• Local authentication
• RADIUS authentication
• LDAP authentication
• AD authentication
• RSA SecureID
• Certificate authentication
• Two-factor authentication

Host security status checking
• Operating system: type, version, and patches
• Browser: type, version, and patches
• Firewall: type and version
• Virus killer: type and version
• User certificate
• Specified files
• Specified processes

Cache clearing
• Clear the cached web pages
• Clear cookies
• Clear downloaded programs
• Clear the configuration file

Dynamic authorization
• User and user group
• Resource and resource group
• Security policy

Authorization granularity
• URL
• File directory
• IP address and port number
• IP network segment

Hardware encryption
• RSA digital signature algorithm
• MD5 and SHA1 digest algorithms
• Encryption algorithms of RC4, DES, 3DES, and AES

Customized interface
• Customize the company logo


Performance and Specifications

4 System Components and Application Scenarios

System Components

The SSL VPN system consists of two parts:

• SSL VPN gateway

• SSL VPN client

SSL VPN Gateway

Used in an S7500E or S9500 switch, the SSL VPN card acts as the SSL VPN gateway, which forwards packets between the remote hosts and the internal network servers and performs user access control.

SSL VPN Client

The SSL VPN client is saved on the SSL VPN gateway. When a user logs in to the SSL VPN system, the SSL VPN client will be downloaded to the remote host, get installed, and run automatically. The client software consists of the following parts:

• Host checker

• Cache cleaner

• TCP access client

• IP access client

As the SSL VPN client is installed and maintained automatically by the SSL VPN system, it is easy for users to use.

Application Scenarios

SecBlade SSL VPN


Figure 4-1 Network diagram for SecBlade SSL VPN solution

SecBlade SSL VPN Redundancy

Two SecBlade SSL VPN cards can be inserted in a high-end switch to form a VRRP group for redundancy backup. It is recommended to use the master-backup mode for SecBlade SSL VPN cards.

Figure 4-2 Network diagram for SecBlade SSL VPN redundancy solution

[Figure 4-2 labels: Internet; SecBlade SSL VPN redundancy backup; OA data center of the intranet with file server, POP3, and Web servers; Finance Dept.; R&D Dept.; Supply Dept.]

5 Ordering Information

Networking requirements

• The SecBlade SSL VPN cards cannot be used independently; they must be inserted into S7500E/S9500 switches to provide the SSL VPN function.

• In networking, a SecBlade SSL VPN card is used in a switch and supports only the single-arm networking mode. The card serves as a proxy server, providing the IP address and SSL service port number (443 by default) that remote users access. The IP addresses of the card are configured on its internal interfaces, which must belong to a Layer 3 VLAN of the switch.

• For reliability, the SecBlade SSL VPN card supports VRRP and can implement master-backup and master-master backup.

Order list

Model: Description

LSQ1SSLSC0: 256M CF/2GB DRAM, for S7500E switches

Appendix A Acronyms

Acronym: Full spelling

AD: Active Directory

HTTP: Hypertext Transfer Protocol

LDAP: Lightweight Directory Access Protocol

PKI: Public Key Infrastructure

SSL: Secure Sockets Layer
