Proposal of Secure and Easy
Remote Access Technology: SoftWire
Nobuyuki ENOMOTO, Hideo YOSHIMI,
Youichi HIDAKA, Kazuo TAKAGI,
and Atsushi IWATA
ubiCNS 2005 June 9-10
Jeju University, Jeju, Korea
System Platforms Research Laboratories,
NEC Corporation
Typical remote access approach – SSL-VPN
RAS (Remote Access Server) via PSTN: low speed & high cost
SSL-VPN (Secure Socket Layer - Virtual Private Network) via the Internet: high speed & low cost
[Figure: remote access is changing from RAS to the SSL-VPN system. A client PC at home connects over the Internet, SSL encrypted, to the SSL-VPN gateway in the office DMZ behind the firewall & proxy, and reaches the intranet application server.]
Information Processing Society of Japan (IPSJ) SIG Technical Report
2005−UBI−8(90) 2005/6/10
Problem of SSL-VPN
Detail of the SSL-VPN system:
[Figure: the client on the Internet (Controller (Browser), SSL Module, Application Client) connects through the firewall to the gateway on the intranet (Controller (WEB SV), SSL Module, Server, Application Server); numbered arrows (1)-(3) mark the access request and the data transport.]
Opened port for access request
Opened port for data transport
Problem of SSL-VPN:
Opened ports are cracking points (security holes).
To avoid the problem:
These ports basically should be closed, and opened only for specific IPs.
Current Approach
Problems of SSL-VPN: attacks to the opened port for request; attacks to the opened port for transport.
Current approach (Instant Messenger): SIP scheme for the access request, outbound session scheme for the data transport.
[Figure: the SSL-VPN system (client and gateway across the firewall) beside the instant-messenger approach, which adds a SIP server on the Internet between the client controller and the gateway controller.]
Current Approach (Access Request): SIP scheme
Working procedure:
The gateway in the intranet picks up requests from the SIP server on the Internet. This action is from inside to outside of the firewall.
→ Enables the firewall to open the access-request port only for a specific IP.
→ Avoids DoS attacks to the gateway.
Causes an administration problem: requires an additional server on the Internet.
[Figure: (1) the client controller (SIP client) sends the access request to the SIP server on the Internet; (2) the gateway controller (SIP client) picks it up from inside the firewall; (3), (4) data transport between the SSL modules and the application client/server.]
Current Approach (Data Transport): outbound session scheme
Working procedure:
When the gateway receives an access request, the gateway creates the SSL session. The SSL session is created from inside to outside of the firewall.
→ Enables the firewall to open the data-transport ports only for a specific IP.
→ Avoids DoS attacks to the gateway.
Causes a security problem:
Requires clients to always keep a data transport port open.
[Figure: same components as the SIP scheme; the gateway's SSL module opens the session outbound to the client's SSL module, so the client's always-open port becomes the cracking point.]
SoftWire Approach
Remaining problems of the current approach → SoftWire approach:
Additional server required → E-mail based access request scheme
DoS attacks to the client → Client firewall scheme
[Figure: the instant-messenger approach (SIP server on the Internet) beside SoftWire, where the client and gateway controllers exchange the access request as e-mail through the ISP's SMTP and POP mail servers and a client firewall sits in front of the client.]
SoftWire (Access Request): E-mail based access request scheme
Problem to be solved:
The SIP server approach requires users to locate a SIP server on the Internet. This is an administrative burden.
SoftWire approach:
SoftWire utilizes existing mail servers as access request servers. (Mail servers are usually provided by ISPs.)
Result:
No additional servers required.
[Figure: (1) the access request is sent as e-mail through the ISP's SMTP server; (2) the gateway picks it up from the ISP's POP server from inside the intranet firewall; (3), (4) data transport between the SSL modules through the client firewall.]
SoftWire (Data Transport): client firewall scheme for the outbound session
Problem to be solved:
The client is required to open a port for accepting requests from the gateway. This feature may expose the clients to DoS attacks.
SoftWire approach:
SoftWire adds a firewall to the client. It accepts the requests only for a short period after the user sends an access request by e-mail.
Result:
Minimum risk of DoS attacks.
[Figure: same layout as the access request figure; the client firewall in front of the client's SSL module admits the gateway's outbound session only during the short window after the e-mail request.]
Comparison
Access Request
  SSL-VPN: Problem: × Attacks to firewall
  Current approach (Instant Messenger): Scheme: SIP. Result: ○ Avoids attacks to firewall. Problem: × Additional server (SIP server) required
  SoftWire: Scheme: E-mail based access request. Result: ○ No additional server required
Data Transport
  SSL-VPN: Problem: × Attacks to firewall
  Current approach (Instant Messenger): Scheme: Outbound session. Result: ○ Avoids attacks to firewall. Problem: × Attacks to client
  SoftWire: Scheme: Client firewall. Result: ○ Minimum risks of DoS attacks
SoftWire System Overview
[Figure: a client PC (handheld PC) at home, behind the client firewall, reaches the SoftWire gateway in the office intranet through the office firewall or proxy; a secure tunnel (Ether over SSL) carries file share, voice conference, remote maintenance and intranet web applications to the intranet PC and application server.]
① Open port (client firewall)
② E-mail for an access request
③ Authentication (certificate)
④ Callback SSL connection
⑤ Close port (client firewall)
⑥ Authentication (password)
⑦ Start data transport
Enables access to the intranet from a PC on the Internet!
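The client firewall window from the Data Transport slide and steps ①, ④ and ⑤ of the overview, modelled as an added example (not code from the SoftWire system or its authors): the port opens when the request goes out, exactly one callback from the expected gateway is admitted, and the port closes on that callback or when the window expires. The 60-second window, the event timelines and the peer identity string standing in for the certificate check of step ③ are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WINDOW_SECONDS = 60.0  # assumed: seconds the callback port stays open after a request


@dataclass
class ClientFirewall:
    gateway_id: str                    # peer identity expected from the certificate check (step 3)
    opened_at: Optional[float] = None  # None means the callback port is closed
    log: List[str] = field(default_factory=list)

    def send_access_request(self, now: float) -> None:
        # Step 1: open the callback port right before the e-mail request goes out (step 2).
        self.opened_at = now
        self.log.append(f"{now:.0f}s port opened, access request sent")

    def is_open(self, now: float) -> bool:
        return self.opened_at is not None and now - self.opened_at <= WINDOW_SECONDS

    def inbound(self, now: float, peer_id: str) -> str:
        # Steps 4 and 5: accept one callback from the authenticated gateway and close the
        # port again; anything outside the window or from another peer is refused.
        if not self.is_open(now):
            self.opened_at = None  # window expired without a callback: close for good
            self.log.append(f"{now:.0f}s dropped {peer_id}: port closed")
            return "dropped"
        if peer_id != self.gateway_id:
            self.log.append(f"{now:.0f}s rejected {peer_id}: certificate mismatch")
            return "rejected"
        self.opened_at = None
        self.log.append(f"{now:.0f}s accepted callback from {peer_id}, port closed")
        return "accepted"


def simulate(events: List[Tuple], gateway_id: str = "gw.example") -> List[str]:
    # Replay (time, "request") / (time, "inbound", peer) events; return each inbound outcome.
    fw = ClientFirewall(gateway_id=gateway_id)
    outcomes = []
    for ev in events:
        if ev[1] == "request":
            fw.send_access_request(ev[0])
        else:
            outcomes.append(fw.inbound(ev[0], ev[2]))
    return outcomes


# Constructed timelines: a probe inside the window, the real callback, a late retry;
# and a gateway that only calls back after the window has already expired.
SAMPLE_EVENTS = [(0.0, "request"), (5.0, "inbound", "scanner.example"),
                 (12.0, "inbound", "gw.example"), (13.0, "inbound", "gw.example")]
LATE_CALLBACK = [(0.0, "request"), (61.0, "inbound", "gw.example")]
```

Running `simulate(SAMPLE_EVENTS)` gives `['rejected', 'accepted', 'dropped']` and `simulate(LATE_CALLBACK)` gives `['dropped']`, which is the exposure the scheme is designed to keep small: the port answers only inside the window, and only once.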
Summary
SoftWire is a new secure and easy remote access technology, based on:
E-mail based access request scheme (Easy):
→ No additional servers are required.
→ No manual configurations are required to firewalls.
Client firewall scheme (Secure):
→ Avoids DoS attacks to the client.
Outbound session scheme (Secure, Easy):
→ Avoids DoS attacks to the gateway.
→ No manual configurations are required to firewalls.