Post on 03-Feb-2022
SSL VPN Technology White Paper
Hewlett-Packard Development Company, L.P. 1
Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access
Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its
implementation and application scenarios.
Acronyms:
AD: Active Directory
CA: Certificate Authority
HTTPS: HTTP over SSL (HTTP Secure)
LDAP: Lightweight Directory Access Protocol
RADIUS: Remote Authentication Dial-In User Service
SMB: Server Message Block
SSL: Secure Sockets Layer
VPN: Virtual Private Network
Table of Contents
Overview
    Background
    Benefits
SSL VPN Implementation
    Concepts
    SSL VPN System Components
    Operation of SSL VPN
    SSL VPN Access Modes
        Web Access
        TCP Access
        IP Access
Comware V5 Technical Characteristics
    Clients Requiring No Manual Installation and Maintenance
    Support for Multiple Authentication Methods
    Rich and Flexible Security Policies
    Granular Resource Access Control
Application Scenarios
    Remote Access
    SSL VPN Gateway Sharing Application Scenario
    SSL VPN Networking Modes
Overview

Background

With the popularity of the Internet and the fast growth of e-commerce, more and more enterprises and organizations need to let employees, users, and partners reach internal resources from any place at any time, to save time and improve efficiency. However, some of those users may be unauthorized and some remote hosts may be compromised, which exposes the internal network to attack.

Security VPN (SVPN) technologies are commonly used to solve this problem. They provide a secure access mechanism that protects internal network resources. SVPN technologies mainly include IPsec VPN and SSL VPN.
Because of the way IPsec VPN is implemented, it has the following disadvantages:

- It requires complicated client software installation on user hosts. User hosts are diverse and often mobile. Mobility calls for fast client-side VPN deployment, while diversity calls for VPN client software that supports multiple platforms and is easy to upgrade and maintain. IPsec VPN cannot satisfy these requirements.
- It cannot evaluate the security of user hosts. If users reach the corporate network from insecure hosts, the corporate network may be infected with viruses.
- It cannot provide strict and granular access control. Because IPsec works at the network layer and does not interpret the contents of IP packets, it cannot control access requests made by higher layers. In addition, to improve efficiency, enterprises need to set up extranets to exchange information and share resources with partners, and must therefore control the partners' access effectively and strictly to keep the enterprise information system secure. IPsec VPN cannot control access rights at that granularity.
- It is difficult to deploy in complicated networking environments. In a scenario using NAT, you must configure NAT traversal for IPsec VPN; in a scenario using firewalls, you must configure the firewalls to let IPsec packets through, because the IPsec header (ESP, IP protocol 50, or AH, IP protocol 51) is inserted in front of the original TCP/UDP header, so the traffic is not ordinary TCP or UDP.

In short, IPsec VPN suits scenarios where the connections are fixed and strict access control is not required. It cannot satisfy the requirements of mobile access and precise access control.
Compared with IPsec VPN, SSL VPN can better satisfy the technical and management requirements of
remote access. SSL VPN supports multiple platforms, requires no manual installation and maintenance of
clients, and provides flexible and effective access right management. Therefore it is more and more
popular in the remote access market. The following section details the advantages of SSL VPN.
Benefits

SSL VPN is a VPN technology based on HTTPS (HTTP over SSL). Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that the SSL protocol provides, SSL VPN establishes secure connections through which remote users reach the corporate network. SSL VPN has these advantages:

- Support for various application protocols. SSL works between the transport layer and the application layer, so any application can be carried by SSL VPN without the application needing to know anything about SSL VPN.
- Support for various software platforms. SSL has become the global standard for authenticating websites to the people viewing them and for encrypting communication between Web browsers and Web servers. The SSL protocol is built into most browsers, such as IE, Netscape, and Firefox, so almost every PC with a browser can make SSL connections. SSL VPN clients are based on the SSL protocol, so most software environments can act as SSL VPN clients.
- Automatic installation and uninstallation of client software. Where a specific client is required, the remote host downloads and installs the client software automatically and, when the SSL VPN connection is closed, uninstalls and deletes it automatically.
- Security evaluation of client hosts. SSL VPN can evaluate the security status of a remote host to decide whether the host is trustworthy enough to reach the enterprise network.
- Dynamic authorization. Traditional access control authorizes users by identity alone: a user gets the same rights no matter where the login comes from. This is static authorization. Dynamic authorization grants rights based on both the user's identity and the security status of the host the user is on, so the access right can change from login to login: the more secure the remote host, the more access the SSL VPN grants the user.
- Multiple user authentication methods and granular access control. The SSL VPN gateway supports several user authentication methods and granular access control, so external users reach internal resources only in a controlled way.
- Deployment without impact on the existing network. Because SSL rides above the transport layer, it changes neither the IP header nor the TCP header, so SSL traffic passes through NAT unchanged. HTTPS conventionally uses TCP port 443, so you only need to open port 443 on the firewalls instead of adjusting firewall rules for each application protocol. This reduces the administrators' workload and keeps the firewall's exposed surface to a single port.
- Independent resource access control for domains sharing one SSL VPN gateway. Several enterprises, or several departments of one enterprise, can share an SSL VPN gateway to reduce costs. You configure multiple domains on the gateway, each of which lets one enterprise or department manage its resources and users independently. By creating multiple domains you divide one physical SSL VPN gateway into several logical SSL VPN gateways.
SSL VPN Implementation
Concepts

SSL VPN users include super administrators, domain administrators, and common users.

- Super administrator: Manager of the entire SSL VPN gateway. A super administrator can create domains and set the passwords of domain administrators.
- Domain administrator: Manager of one SSL VPN domain. A domain administrator can create local users and resources and specify the access rights of the users.
- Common SSL VPN user: Simply called a user; someone who accesses network resources through the SSL VPN system. A user's resource access rights are assigned by the domain administrator.
SSL VPN System Components

Figure 1 Architecture of SSL VPN

Figure 1 shows a typical SSL VPN network. The SSL VPN system consists of the following components:

- Remote host: Terminal from which an administrator or user logs in to the network, such as a PC, mobile phone, or PDA.
- SSL VPN gateway: The central component of the SSL VPN system. Administrators maintain the user and internal-resource information on the gateway, and users see on the gateway the resources they are allowed to access. The gateway forwards packets between remote hosts and the internal servers. An SSL connection is established between the gateway and each remote host to protect the data in transit.
- Internal servers: Servers of any type, for example a Web server or an FTP server, or hosts in the enterprise network that need to communicate with a remote host.
- CA: Certificate authority. The CA issues the SSL VPN gateway a digital certificate containing the gateway's public key. The remote host uses this certificate to authenticate the gateway before establishing the SSL connection, so the host must trust the issuing CA; a certificate the host does not trust gives the user no assurance that the gateway is genuine.
- Authentication server: External server used for remote user authentication. Besides local user authentication, the SSL VPN gateway supports authenticating users through an external authentication server.
Operation of SSL VPN

The following describes the operation of SSL VPN:

1. The super administrator creates domains on the SSL VPN gateway.
2. The domain administrators create users, and resources corresponding to the internal servers, on the SSL VPN gateway.
3. Users access the internal servers through the SSL VPN gateway.
Creating domains

Figure 2 Create domains (network diagram: the super administrator reaches the SSL VPN gateway across the Internet; the internal servers sit on the LAN behind the gateway; labelled steps:)
1) Establish an SSL connection with the SSL VPN gateway and enter the login page of the SSL VPN gateway
2) Input the username and password to pass authentication and enter the Web interface of the SSL VPN gateway
3) Create domains on the SSL VPN gateway
As shown in Figure 2, a super administrator goes through three steps to create domains:
1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the
identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection
with the SSL VPN gateway. After the SSL connection is established successfully, the login page of
the SSL VPN gateway Web interface appears.
2. Input the username (including the authentication method) and password on the login page of the
SSL VPN gateway Web interface. The SSL VPN gateway will authenticate the super administrator
by using the input information. After passing the identity authentication, the super administrator
enters the Web interface of the SSL VPN gateway.
3. Create domains on the SSL VPN gateway and set the passwords of the domain administrators.
Creating users and resources corresponding to the internal servers
Figure 3 Create users and resources corresponding to the internal servers
As shown in Figure 3, a domain administrator goes through the following three steps to create users and
resources corresponding to the internal servers:
1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the
identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection
with the SSL VPN gateway. After the SSL connection is established successfully, the login page of
the SSL VPN gateway Web interface appears.
2. Input the username (including the authentication method) and password on the login page of the
SSL VPN gateway Web interface. The SSL VPN gateway will authenticate the domain
administrator by using the input information. After passing the identity authentication, the domain
administrator enters the Web interface of the SSL VPN gateway.
3. Create users and resources corresponding to the internal servers, and specify the resource access
rights for the users.
Accessing internal servers
Figure 4 Access internal servers
As shown in Figure 4 , a user goes through the following steps to access the internal servers:
1. Input the URL address of the SSL VPN gateway on the remote host, which will authenticate the
identity of the SSL VPN gateway by the certificate of the gateway and establish an SSL connection
with the SSL VPN gateway. After the SSL connection is established successfully, the login page of
the SSL VPN gateway Web interface appears.
2. Input the username (including the authentication method) and password. The SSL VPN gateway
will authenticate the user identity by using the input information. After passing the identity
authentication, the user enters the Web interface of the SSL VPN gateway.
3. View the list of available resources, such as Web server resources and file sharing resources.
4. Select the resource to access and send the access request to the SSL VPN gateway through the SSL
connection.
5. The SSL VPN gateway parses the request, checks the user's access rights and, if the user is authorized to access the resource, forwards the request to the corresponding server in plaintext. The SSL protection ends at the gateway: the gateway-to-server leg is unencrypted, so the internal servers should sit on a network segment the gateway reaches without crossing untrusted links.
6. The server sends its reply in plaintext to the SSL VPN gateway.
7. After receiving the reply, the SSL VPN gateway forwards it to the user through the SSL connection.
SSL VPN Access Modes

SSL VPN provides three access modes:

- Web access
- TCP access
- IP access

Users use different access modes to reach different types of resources, and the data forwarding path between the remote host, the SSL VPN gateway, and the internal servers differs by mode. The following sections describe the three access modes in detail.
Web Access

Web access lets users reach server resources through the SSL VPN gateway with an ordinary browser over HTTPS. In this mode, all operations are performed on Web pages.

Resources available through Web access include Web server resources and file sharing resources.

Web server resources

Web servers provide services to users through Web pages, and users get the information they need by clicking links on those pages. SSL VPN provides secure connections for users to reach Web servers and keeps unauthorized users away from the protected Web servers.
Figure 5 Access Web server resources
As shown in Figure 5, during Web server access the SSL VPN gateway acts as a reverse proxy.

1. After receiving the HTTP request from a user, the SSL VPN gateway looks up the requested resource by the URL in the request and forwards the HTTP request to the Web server that provides it. The gateway forwards only to resources an administrator has configured, so a URL that names no configured resource goes nowhere.
2. After receiving the HTTP reply from the server, the SSL VPN gateway rewrites the links on the page that point into the internal network so that they point at the SSL VPN gateway instead, then forwards the page to the user. The user therefore keeps reaching internal resources through the gateway, which is what lets the gateway protect the internal network and enforce access control. Any link the rewriting misses would expose an internal hostname to the user, so the rewriting must cover every form of link the page carries.

Throughout the exchange, from the user's perspective all HTTP replies come from the SSL VPN gateway, while from the Web server's perspective all HTTP requests come from the SSL VPN gateway.
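The resource lookup in step 1 and the link rewriting in step 2, as an added Python example (illustration code, not HP's Comware implementation): it assumes a /web/<resource>/... URL layout on the gateway, a constructed resource table, a gateway name sslvpn.example.com, and a constructed sample page. It rewrites only quoted href, src and action attributes; a real gateway would also have to handle links generated in JavaScript and CSS.

```python
import re
from urllib.parse import urlsplit

# Constructed resource table, as a domain administrator would publish it on the
# gateway: resource name -> internal origin. Only these origins are reachable.
RESOURCES = {
    "intranet": "http://intranet.corp.example",
    "wiki": "http://10.1.1.20:8080",
}
GATEWAY = "https://sslvpn.example.com"          # assumed public gateway URL
_ORIGIN_TO_NAME = {origin: name for name, origin in RESOURCES.items()}
_PATH_RE = re.compile(r"^/web/([A-Za-z0-9_-]+)(/.*)?$")   # assumed rewritten-URL layout
_ATTR_RE = re.compile(r"""((?:href|src|action)\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE)

def resolve_request(path):
    """Step 1: map an incoming gateway path to (internal origin, path), or None when
    the path names no published resource, so nothing else on the LAN is reachable."""
    m = _PATH_RE.match(path)
    if not m:
        return None
    origin = RESOURCES.get(m.group(1))
    if origin is None:
        return None
    return origin, m.group(2) or "/"

def rewrite_links(html, current_resource):
    """Step 2: point href/src/action values back at the gateway.
    Absolute URLs to a published origin become /web/<name>/...; root-relative URLs
    are prefixed with the current resource; page-relative URLs already resolve under
    the rewritten page URL; absolute URLs to unpublished hosts are left untouched,
    which fails closed (the client cannot reach them) but leaks the hostname."""
    def substitute(m):
        prefix, quote, url = m.groups()
        parts = urlsplit(url)
        if parts.netloc:
            name = _ORIGIN_TO_NAME.get(f"{parts.scheme}://{parts.netloc}")
            if name is None:
                return m.group(0)
            new = f"{GATEWAY}/web/{name}{parts.path or '/'}"
            if parts.query:
                new += "?" + parts.query
            if parts.fragment:
                new += "#" + parts.fragment
            return f"{prefix}{quote}{new}{quote}"
        if url.startswith("/"):
            return f"{prefix}{quote}{GATEWAY}/web/{current_resource}{url}{quote}"
        return m.group(0)
    return _ATTR_RE.sub(substitute, html)

# Constructed sample page, as the internal Web server might return it.
SAMPLE_PAGE = ('<a href="http://intranet.corp.example/hr/index.html?tab=2">HR</a>\n'
               '<img src="/logo.png"><form action="http://10.1.1.20:8080/search">\n'
               '<a href="docs/a.html">docs</a><a href="http://mail.corp.example/">mail</a>')

if __name__ == "__main__":
    print(rewrite_links(SAMPLE_PAGE, "intranet"))
    print(resolve_request("/web/wiki/search?q=x"), resolve_request("/web/mail/"))
```

The unpublished mail.corp.example link stays as-is in the output: the user cannot follow it through the gateway, but the hostname is visible to them, which is the leak the text warns about.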
File sharing resources
File sharing is a common network application. An example is the application of Shared Documents
folder provided by the Windows operating system. File sharing allows users to perform file operations on
a remote server or host, such as browsing files and uploading and downloading files.
The SSL VPN gateway provides the file sharing resources to users through Web.
As shown in Figure 6 , the SSL VPN gateway acts as the protocol converter between the remote host and
the file server.
1. The remote host and the SSL VPN gateway communicate through HTTPS. The remote host sends the user's file sharing request to the SSL VPN gateway in an HTTPS request.
2. The SSL VPN gateway and the file server communicate through SMB. After receiving the request from the remote host, the SSL VPN gateway converts it into SMB operations and sends them to the file server.
3. After receiving the reply from the file server, the SSL VPN gateway converts it into an HTTPS reply and sends it to the remote host.
Figure 6 Access shared file resources
TCP Access

TCP access lets TCP applications on remote hosts reach open ports on internal servers securely. It supports any TCP-based service, including remote access services (such as Telnet), desktop sharing services, and mail services.

To reach internal servers in TCP access mode, users do not need to change their existing TCP programs, but a dedicated TCP access client is required. The client carries the application layer data over an SSL connection.

As shown in Figure 7, a user goes through the following steps to reach a TCP-based service:

1. Launch the TCP application on the remote host; the remote host automatically downloads the TCP access client software from the SSL VPN gateway.
2. Click a resource link on the Web interface of the SSL VPN gateway, or launch a TCP program (for example, open the remote desktop connection program to connect to an internal server). The TCP access client automatically establishes an SSL connection with the SSL VPN gateway and uses an extended HTTP message to request access to the resource.
3. The SSL VPN gateway establishes a TCP connection with the internal server that provides the resource.
4. After the TCP connection is established, the TCP access client sends the user's access data to the SSL VPN gateway through the SSL connection. The SSL VPN gateway extracts the application layer data and sends it to the internal server through the TCP connection.
5. After receiving the reply from the internal server, the SSL VPN gateway forwards it to the TCP access client through the SSL connection. The client extracts the reply data and passes it to the application program.
Figure 7 Access internal servers in TCP access mode (sequence diagram with columns Application, TCP access client, SSL VPN gateway, and Internal server; the link between the TCP access client and the SSL VPN gateway is the SSL connection; labelled steps:)
1) Initiate a TCP connection
2) Establish an SSL connection with the SSL VPN gateway and then send an extended HTTP message to request access to a resource
3) Establish a TCP connection with the internal server
4) TCP connection established successfully
5) Return a message to inform the client of the success
6) TCP connection established
7) Send application layer data
8) Forward the application layer data to the SSL VPN gateway through the SSL connection
9) Forward the application layer data to the internal server through the internal network
10) Reply
11) Send the reply to the client through the SSL connection
12) Forward the reply to the application
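The exchange in Figure 7, as an added Python example that is not HP's client or gateway code: the internal server is a constructed echo server, the "extended HTTP message" is assumed to be a CONNECT-style request line carrying an X-SSLVPN-Session header, and the session table and per-user resource list are constructed. The SSL wrapping of the client-gateway socket is left out so the script runs offline; in deployment that socket would be wrapped with ssl.SSLContext.wrap_socket before any of the request is read. The gateway refuses the request before touching the internal network when the session is unknown (401) or the resource is not granted (403).

```python
import socket
import threading

def start_echo_server():
    """Stand-in for an internal TCP server: echoes one message back (constructed for the demo)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"echo:" + conn.recv(4096))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _handle(client, sessions, acl):
    """Gateway side of one TCP access session. sessions: token -> user;
    acl: user -> set of "host:port" resources granted to that user (both constructed)."""
    with client:
        head = b""
        while b"\r\n\r\n" not in head:           # read the extended HTTP request (step 2)
            chunk = client.recv(4096)
            if not chunk:
                return
            head += chunk
        head, _, early = head.partition(b"\r\n\r\n")
        lines = head.decode("ascii", "replace").split("\r\n")
        method, target = (lines[0].split(" ") + ["", ""])[:2]
        hdrs = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        user = sessions.get(hdrs.get("X-SSLVPN-Session", ""))
        if method != "CONNECT" or user is None:   # not logged in: refuse before touching the LAN
            client.sendall(b"HTTP/1.1 401 Unauthorized\r\n\r\n")
            return
        if target not in acl.get(user, set()):     # logged in but not granted this resource
            client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
            return
        host, port = target.rsplit(":", 1)
        with socket.create_connection((host, int(port))) as backend:   # step 3
            client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")   # step 5
            if early:
                backend.sendall(early)
            t = threading.Thread(target=_pump, args=(backend, client), daemon=True)
            t.start()
            _pump(client, backend)                # steps 8 and 9: relay application data
            t.join()

def start_gateway(sessions, acl):
    gw = socket.socket()
    gw.bind(("127.0.0.1", 0))
    gw.listen()
    def accept_loop():
        while True:
            conn, _ = gw.accept()
            threading.Thread(target=_handle, args=(conn, sessions, acl), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return gw.getsockname()[1]

def tcp_access(gw_port, token, resource, payload):
    """TCP access client: request the resource, then carry the application's bytes.
    Returns (status code from the gateway, bytes received back from the internal server)."""
    with socket.create_connection(("127.0.0.1", gw_port)) as s:
        s.sendall(f"CONNECT {resource} HTTP/1.1\r\nHost: {resource}\r\n"
                  f"X-SSLVPN-Session: {token}\r\n\r\n".encode())
        status = b""
        while b"\r\n\r\n" not in status:
            chunk = s.recv(4096)
            if not chunk:
                break
            status += chunk
        parts = status.split(b" ", 2)
        code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
        if code != 200:
            return code, b""
        s.sendall(payload)                        # step 7
        reply = b""
        while True:                               # step 12: read until the gateway half-closes
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
        return code, reply

def demo():
    backend_port = start_echo_server()
    resource = f"127.0.0.1:{backend_port}"
    gw_port = start_gateway({"tok-alice-1": "alice"}, {"alice": {resource}})
    return (tcp_access(gw_port, "tok-alice-1", resource, b"hello"),
            tcp_access(gw_port, "tok-alice-1", "10.9.9.9:23", b"x")[0],
            tcp_access(gw_port, "no-such-session", resource, b"x")[0])

if __name__ == "__main__":
    print(demo())
```

The order of the two checks matters: the session check runs before the ACL lookup, and both run before the gateway opens any connection inward, so an unauthenticated client cannot use the gateway to probe which internal ports exist.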
IP Access

IP access implements secure communication between a remote host and an internal server at the network layer, and thereby supports any IP-based exchange between remote hosts and internal servers, for example pinging an internal server from a remote host.

When a user reaches an internal server in IP access mode, a dedicated IP access client is required. The client installs a virtual network interface card (VNIC) on the remote host.
As shown in Figure 8, a user goes through the following steps to reach IP-based resources:

1. Launch the IP application on the remote host; the remote host automatically downloads the IP access client software from the SSL VPN gateway. The IP access client then establishes an SSL connection with the SSL VPN gateway, installs a VNIC on the host, requests an IP address for the VNIC, sets the gateway IP address, and installs routes whose outbound interface is the VNIC.
2. Click a resource link on the Web interface of the SSL VPN gateway, or run an IP command such as ping, to reach an IP network resource. The IP packet is routed to the VNIC, which encapsulates it and sends it to the SSL VPN gateway through the SSL connection.
3. After receiving the packet, the SSL VPN gateway de-encapsulates it into the original IP packet and sends that packet to the corresponding server.
4. After receiving the reply from the server, the SSL VPN gateway encapsulates the reply packet and sends it to the IP access client through the SSL connection.
5. The client de-encapsulates the packet and delivers the IP packet through the VNIC to the host for processing.
Figure 8 Access internal servers in IP access mode
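The encapsulation in steps 2 to 5, plus a check the gateway should make at step 3 before forwarding, as an added Python example (not HP's IP access client or gateway code): the tunnel framing (a 2-byte length before each IP packet inside the SSL stream), the session's assigned VNIC address 10.200.0.5 and the authorized network 10.1.1.0/24 are all assumptions, and the packets are constructed ICMP echo requests. The source-address check is an added safeguard rather than a feature the page describes: a client that can place arbitrary source addresses into the tunnel could otherwise impersonate internal hosts.

```python
import struct
import ipaddress

def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet without options, as the VNIC would hand it to the client."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def icmp_echo(ident, seq, data=b"ping"):
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_ipv4(pkt):
    """Validate the IPv4 header before the gateway trusts anything in it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("total length does not match frame")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"proto": pkt[9], "src": ipaddress.IPv4Address(pkt[12:16]),
            "dst": ipaddress.IPv4Address(pkt[16:20]), "payload": pkt[ihl:]}

def encapsulate(packets):
    """Assumed tunnel framing: a 2-byte big-endian length before each IP packet.
    The SSL record layer carries the resulting byte stream (step 2 and step 4)."""
    return b"".join(struct.pack("!H", len(p)) + p for p in packets)

def decapsulate(stream):
    """Split a received byte stream into whole packets; returns (packets, leftover bytes)."""
    packets, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break                      # partial frame: keep it until more data arrives
        packets.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return packets, stream[i:]

def gateway_admit(pkt, session):
    """Gateway-side decision before forwarding a de-encapsulated packet (added check):
    the source must be the VNIC address the gateway assigned to this session, and the
    destination must fall in a network resource the user is authorized to reach."""
    try:
        hdr = parse_ipv4(pkt)
    except ValueError as err:
        return False, str(err)
    if hdr["src"] != session["vnic_ip"]:
        return False, "source is not the assigned VNIC address"
    if not any(hdr["dst"] in net for net in session["allowed_nets"]):
        return False, "destination is not in an authorized IP resource"
    return True, "forward"

# Constructed session state: the address the gateway assigned to the VNIC and the
# IP resources (networks) granted by the user's resource groups.
SESSION = {"vnic_ip": ipaddress.IPv4Address("10.200.0.5"),
           "allowed_nets": [ipaddress.ip_network("10.1.1.0/24")]}

if __name__ == "__main__":
    ping = build_ipv4("10.200.0.5", "10.1.1.10", 1, icmp_echo(1, 1))
    spoof = build_ipv4("10.1.1.1", "10.1.1.10", 1, icmp_echo(1, 2))
    for p in decapsulate(encapsulate([ping, spoof]))[0]:
        print(gateway_admit(p, SESSION))
```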
Comware V5 Technical Characteristics

Clients Requiring No Manual Installation and Maintenance

The client software running on remote hosts includes:

- SSL-supporting Web browser: At present, most operating systems ship browsers that support SSL, so users can use such browsers to reach internal servers in Web access mode.
- Host checker: Evaluates the security status of the remote host. When a user logs in, the remote host automatically downloads and installs the host checker.
- Cache cleaner: When a user quits the SSL VPN system, the cache cleaner clears the temporary files, configuration files, and downloaded client software used during the SSL VPN session, so that no system information is left behind on the host. When a user logs in, the remote host automatically downloads and installs the cache cleaner.
- TCP access client: Client software used in TCP access mode.
- IP access client: Client software used in IP access mode.

Except for the Web browser, all of this client software is downloaded from the SSL VPN gateway. It requires no manual installation or maintenance: it is downloaded, installed, configured, and used to establish connections automatically.
Support for Multiple Authentication Methods

SSL VPN supports four authentication methods:

- Local authentication: The network administrator configures local users on the SSL VPN gateway. The gateway authenticates a user by comparing the submitted username and password with those stored locally.
- RADIUS authentication: User information is stored on a RADIUS server. The SSL VPN gateway acts as the RADIUS client and exchanges authentication messages with the RADIUS server to authenticate users.
- LDAP authentication: User information is stored on an LDAP server. The SSL VPN gateway acts as the LDAP client and queries the LDAP server to authenticate users.
- Active Directory (AD) authentication: Authentication against Microsoft Active Directory, Microsoft's LDAP-based directory service.

A user opens the login page of the SSL VPN gateway's Web interface in a browser and enters the username, password, and authentication method. The information is sent to the SSL VPN gateway through the SSL connection, which protects it in transit. After receiving the login information, the gateway authenticates the user with the selected method.

The authentication methods provided by the SSL VPN gateway are simple, universal, and easily extended.
Rich and Flexible Security Policies

Insecure remote hosts are a potential threat to the internal network, and host checking is a good way to contain that threat. When a host logs in to the SSL VPN gateway, the host checker can check the host's operating system and its patches, the version and patches of the browser, the version of the firewall, and the version of the anti-virus software, and then determine from the results which resources the host may access.

You configure security policies on the SSL VPN gateway to select the checking method, define the checked items, and name the protected resources, so that only remote hosts that satisfy a policy can reach the resources it protects.
Granular Resource Access Control

The resource access control mechanism of SSL VPN controls user access rights flexibly, giving granular resource access control.

A super administrator creates domains and sets passwords for the domain administrators. The domain administrators create the resources and users of their own domains, add resources to resource groups, add users to user groups, and then specify which resource groups each user group may access. In addition, the SSL VPN gateway can perform security checking on remote hosts.

After a user logs in, the SSL VPN gateway determines the resource groups the user may access from the security checking results and the user groups the user belongs to. In this way, the SSL VPN gateway implements flexible and granular resource access control.
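The authorization decision described here and under Rich and Flexible Security Policies, as an added Python example (not Comware's implementation): the domain, its user groups, resource groups, grants and two security policies are constructed, and the host checker's report is assumed to be a mapping from checked item to version tuple. The example goes slightly beyond the page by also showing the per-request check the gateway makes when a user later asks for one specific resource.

```python
# Constructed domain configuration, in the shape a domain administrator builds on the
# gateway: users grouped into user groups, resources grouped into resource groups,
# grants from user groups to resource groups, and security policies that withhold some
# resource groups from hosts that fail a check. All names are made up for the demo.
DOMAIN = {
    "user_groups": {"employees": {"alice", "bob"}, "partners": {"carol"}},
    "resource_groups": {
        "public-web": {"web://intranet", "web://wiki"},
        "finance": {"web://erp", "smb://fin-share"},
        "admin-tcp": {"tcp://db.corp.example:5432", "tcp://bastion.corp.example:22"},
    },
    # static authorization: which resource groups each user group may reach
    "grants": {"employees": {"public-web", "finance", "admin-tcp"}, "partners": {"public-web"}},
    # dynamic authorization: minimum version per checked item, and the groups withheld on failure
    "policies": [
        {"name": "patched-os", "min": {"os_patch": (3,)}, "protects": {"finance", "admin-tcp"}},
        {"name": "endpoint-protection", "min": {"antivirus": (12, 0), "firewall": (5, 1)},
         "protects": {"admin-tcp"}},
    ],
}

def version_ok(actual, minimum):
    """A missing item (the host checker reported nothing for it) never satisfies a check."""
    return actual is not None and tuple(actual) >= tuple(minimum)

def policy_passes(policy, report):
    return all(version_ok(report.get(item), minimum) for item, minimum in policy["min"].items())

def authorize(domain, user, report):
    """Compute what a logged-in user may reach from (a) group membership and
    (b) the host checker's report; also reports which checks withheld groups."""
    groups = {g for g, members in domain["user_groups"].items() if user in members}
    allowed = set().union(*(domain["grants"].get(g, set()) for g in groups))
    failed = [p for p in domain["policies"] if not policy_passes(p, report)]
    for p in failed:
        allowed -= p["protects"]          # a weaker host keeps fewer of its static grants
    resources = set().union(*(domain["resource_groups"][g] for g in allowed))
    return {"groups": sorted(allowed), "resources": sorted(resources),
            "failed_checks": sorted(p["name"] for p in failed)}

def is_authorized(domain, user, report, resource):
    """Per-request check the gateway makes before forwarding (step 5 of the access
    flow): the resource must belong to a group the user currently holds."""
    return resource in authorize(domain, user, report)["resources"]

if __name__ == "__main__":
    # constructed host checker reports: fully patched, missing endpoint protection, old OS
    REPORTS = {"full": {"os_patch": (5,), "antivirus": (12, 3), "firewall": (5, 2)},
               "no-av": {"os_patch": (5,)},
               "old-os": {"os_patch": (1,), "antivirus": (12, 3), "firewall": (5, 2)}}
    for name, report in REPORTS.items():
        print(name, authorize(DOMAIN, "alice", report))
```

A user who belongs to no group, or whose host fails every policy, ends up with an empty resource list rather than an error, which is the fail-closed default a gateway should have.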
Application Scenarios
Remote Access

Figure 9 Network diagram for remote access application (a partner, a mobile employee, a network access terminal, and a mobile phone, for example at a dwelling house or a hotel, reach the enterprise network across the Internet through the SSL VPN gateway)
As shown in Figure 9, SSL VPN has many advantages for remote access and suits a variety of complicated networking scenarios. Compared with IPsec VPN, SSL VPN is especially suitable for the following scenarios:

- Dynamic remote access: Users reach the enterprise network through the Internet from any place, at any time, on a variety of terminals.
- Remote hosts of unknown security: Users reach the enterprise network from public computers in, for example, cybercafes or hotels. Public computers are insecure because they are more likely to have been attacked or infected with viruses.
- Users with different access rights: Remote users of the extranet may be employees, partners, or other personnel, and different users are entitled to different resources.
- Various running environments on remote terminals: Different remote terminals may use different operating systems and applications to reach the enterprise network.
Figure 10 SSL VPN gateway serves as the ingress of the enterprise network

As shown in Figure 10, the SSL VPN gateway can work together with the firewall as the ingress of the enterprise network, so that remote access enters the network only through the gateway and the network as a whole is shielded from attack.

Figure 11 SSL VPN gateway protects important servers in the enterprise network

As shown in Figure 11, the SSL VPN gateway can instead be placed in front of only the important internal servers, protecting them from attack without affecting the rest of the enterprise network.
SSL VPN Gateway Sharing Application Scenario

Figure 12 Network diagram for SSL VPN gateway sharing application (users of enterprises A, B, and C reach the separate LANs of enterprises A, B, and C across the Internet through one shared SSL VPN gateway)

Enterprises can share a single SSL VPN gateway, each using one domain on it. The gateway lets the enterprises manage their own users independently, which saves them network costs. As shown in Figure 12, enterprises A, B, and C share the same SSL VPN gateway, using domains A, B, and C respectively. Enterprise A manages its own users and server resources in domain A and configures its own security policies, ensuring that users of enterprise A can reach only the resources of enterprise A. Enterprises B and C manage their users in the same way.
SSL VPN Networking Modes

According to how the SSL VPN gateway is connected to the network, the SSL VPN networking modes fall into two types: dual-arm and single-arm.

In dual-arm mode, the SSL VPN gateway sits between the internal network (or the internal servers) and the external network, as shown in Figure 9, Figure 10, and Figure 11. The advantage of dual-arm mode is that the gateway can fully protect the whole internal network or the internal servers, because all traffic to them passes through it. The downside is that the gateway, located at the exit of the internal network, may become a bottleneck, so it must have high processing capacity, availability, and reliability.

Figure 13 Network diagram for single-arm mode

As shown in Figure 13, in single-arm mode the SSL VPN gateway acts as a proxy server for the communication between the remote host and the internal network. The advantage of single-arm mode is that the gateway is not a bottleneck, because it is not on the critical path. However, it then cannot fully protect the internal network, since traffic that does not pass through the gateway is not subject to its controls.
© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing
herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.