SSL VPN Technology White Paper

Hewlett-Packard Development Company, L.P. 1

Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access

Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and application scenarios.

Acronyms:

Acronym  Full spelling
AD       Active Directory
CA       Certificate Authority
HTTPS    HTTP Security
LDAP     Lightweight Directory Access Protocol
RADIUS   Remote Authentication Dial-In User Service
SMB      Server Message Block
SSL      Secure Sockets Layer
VPN      Virtual Private Network


Table of Contents

Overview
    Background
    Benefits
SSL VPN Implementation
    Concepts
    SSL VPN System Components
    Operation of SSL VPN
    SSL VPN Access Modes
        Web Access
        TCP Access
        IP Access
Comware V5 Technical Characteristics
    Clients Requiring No Manual Installation and Maintenance
    Support for Multiple Authentication Methods
    Rich and Flexible Security Policies
    Granular Resource Access Control
Application Scenarios
    Remote Access
    SSL VPN Gateway Sharing Application Scenario
    SSL VPN Networking Modes


Overview

Background

With the popularity of the Internet and the fast development of e-commerce, more and more enterprises and organizations need to allow employees, users, and partners to access internal resources from any place at any time, so as to save time and improve efficiency. However, some users may be illegal and some remote hosts may not be secure, bringing potential security threats to internal networks.

Security VPN (SVPN) technologies are commonly used to solve this problem. They provide a secure access mechanism that can effectively protect internal network resources. SVPN technologies mainly include IPsec VPN and SSL VPN.

Due to limitations in the way IPsec VPN is implemented, IPsec VPN has the following disadvantages:

• It requires complicated client software installation on user hosts. User hosts are diverse and often mobile. Mobility requires fast client-side VPN deployment, while diversity requires the VPN client software to support multiple platforms and be easy to upgrade and maintain. IPsec VPN cannot satisfy these requirements.

• IPsec VPN cannot evaluate the security of user hosts. If users use insecure hosts to access the corporate network, the corporate network may be infected by viruses.

• IPsec VPN cannot provide strict and granular access control. As IPsec is implemented at the network layer and cannot identify the contents of IP packets, it cannot control access requests from higher layers. In addition, to improve efficiency, enterprises need to establish extranets to exchange information and share resources with partners. Therefore, the enterprises need to control the access of partners effectively and strictly to ensure the security of the enterprise information system. However, IPsec VPN cannot control access rights.

• IPsec VPN is difficult to deploy in complicated networking environments. For example, in a scenario using NAT, you need to configure NAT traversal for IPsec VPN; in a scenario using firewalls, you need to configure the firewalls to permit IPsec packets, because IPsec headers are added in front of the original TCP/UDP headers.

In a word, IPsec VPN is suitable for scenarios where connections are fixed and strict access control is not required. It cannot satisfy the requirements of mobile access and precise access control.

Compared with IPsec VPN, SSL VPN can better satisfy the technical and management requirements of remote access. SSL VPN supports multiple platforms, requires no manual installation and maintenance of clients, and provides flexible and effective access right management. Therefore it is becoming more and more popular in the remote access market. The following section details the advantages of SSL VPN.

Benefits

SSL VPN is a VPN technology based on Secure HTTP (HTTPS, that is, SSL-supported HTTP). Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that the SSL protocol provides, SSL VPN can establish secure connections for remote users to access the corporate network. SSL VPN features these advantages:


• Support for various application protocols. SSL works between the transport layer and the application layer. Any application can be secured by SSL VPN without knowing the details of SSL VPN.

• Support for various software platforms. At present, SSL has become a global standard for identity authentication of websites and webpage viewers and for encrypted communication between Web browsers and Web servers. The SSL protocol has been integrated into most browsers, such as IE, Netscape, and Firefox. This means that almost every PC with a browser installed supports SSL connections. SSL VPN clients are based on the SSL protocol, so most software environments can act as SSL VPN clients.

• Automatic installation and uninstallation of the client software. In applications where specific client software is required, SSL VPN allows the operating system to download and install the client software automatically and, when the SSL VPN connection is closed, to uninstall and delete the client software automatically.

• Security evaluation of client hosts. SSL VPN can evaluate the security status of remote hosts, so as to determine whether the remote hosts are safe enough to access the enterprise network.

• Dynamic authorization. Traditional right control authorizes users mainly by user identity: a user is always granted the same rights no matter where the user logs in from. This authorization mode is called static authorization. Dynamic authorization authorizes a user based not only on the user identity but also on the security status of the host used by the user. This allows dynamic control of the user access right: the more secure the remote host is, the higher the access right the SSL VPN grants the user.

• Multiple user authentication methods and granular access control. The SSL VPN gateway supports various user authentication methods and granular access control, implementing controlled access of external users to internal resources.

• Deploying SSL VPN does not impact the existing network. As the SSL protocol works over the transport layer, it does not change the IP header or TCP header. Therefore, SSL packets are transparent to NAT. Meanwhile, SSL always uses port 443. You just need to open port 443 on firewalls instead of modifying firewall settings for each application protocol. This not only reduces the workload of network administrators but also improves network security.

• Independent resource access control for domains sharing the same SSL VPN gateway. SSL VPN allows enterprises, or departments of an enterprise, to share an SSL VPN gateway, so as to reduce costs. In this case, you can configure multiple domains on the gateway, each of which is for a single enterprise or department to control its resources and users independently. By creating multiple domains, you can divide a physical SSL VPN gateway into several logical SSL VPN gateways.

SSL VPN Implementation

Concepts

SSL VPN users include super administrators, domain administrators, and common users.


• Super administrator: Manager of the entire SSL VPN gateway. A super administrator can create domains and set the passwords of domain administrators.

• Domain administrator: Manager of an SSL VPN domain. A domain administrator can create local users and resources, and specify the access rights for the users.

• Common SSL VPN user: Simply called user, referring to users accessing network resources through the SSL VPN system. The resource access right of a user is assigned by the domain administrator.

SSL VPN System Components

Figure 1 Architecture of SSL VPN

Figure 1 shows a typical SSL VPN network. The SSL VPN system consists of the following components:

• Remote host: Terminal from which an administrator or user logs in to the network, such as a PC, mobile phone, or PDA.

• SSL VPN gateway: An important component of the SSL VPN system. Administrators maintain the information of users and internal resources on the SSL VPN gateway. Users can view the resources that can be accessed on the SSL VPN gateway. The SSL VPN gateway forwards packets between remote hosts and the internal servers. An SSL connection is established between the SSL VPN gateway and a remote host to ensure the security of data transmission.

• Internal servers: Servers of any type, for example, Web servers and FTP servers, or hosts in the enterprise network that need to communicate with a remote host.

• CA: Certificate authority. The CA issues a digital certificate, which contains the public key, for the SSL VPN gateway. This allows the SSL VPN gateway to pass identity authentication on the remote host and establish an SSL connection with the remote host.

• Authentication server: External authentication server for remote user authentication. The SSL VPN gateway supports not only local user authentication but also remote user authentication through an external authentication server.


Operation of SSL VPN

The following describes the operation of SSL VPN:

1. The super administrator creates domains on the SSL VPN gateway.

2. The domain administrators create users and resources corresponding to the internal servers on the SSL VPN gateway.

3. Users access the internal servers through the SSL VPN gateway.

Creating domains

Figure 2 Create domains (super administrator, Internet, SSL VPN gateway, LAN, internal servers)

1) Establish an SSL connection with the SSL VPN gateway and enter the login page of the SSL VPN gateway
2) Input the username and password to pass authentication and enter the Web interface of the SSL VPN gateway
3) Create domains on the SSL VPN gateway

As shown in Figure 2, a super administrator goes through three steps to create domains:

1. Input the URL address of the SSL VPN gateway on the remote host. The remote host authenticates the identity of the SSL VPN gateway by the certificate of the gateway and establishes an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears.

2. Input the username (including the authentication method) and password on the login page of the SSL VPN gateway Web interface. The SSL VPN gateway authenticates the super administrator by using the input information. After passing the identity authentication, the super administrator enters the Web interface of the SSL VPN gateway.

3. Create domains on the SSL VPN gateway and set the passwords of the domain administrators.


Creating users and resources corresponding to the internal servers

Figure 3 Create users and resources corresponding to the internal servers

As shown in Figure 3, a domain administrator goes through the following three steps to create users and resources corresponding to the internal servers:

1. Input the URL address of the SSL VPN gateway on the remote host. The remote host authenticates the identity of the SSL VPN gateway by the certificate of the gateway and establishes an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears.

2. Input the username (including the authentication method) and password on the login page of the SSL VPN gateway Web interface. The SSL VPN gateway authenticates the domain administrator by using the input information. After passing the identity authentication, the domain administrator enters the Web interface of the SSL VPN gateway.

3. Create users and resources corresponding to the internal servers, and specify the resource access rights for the users.


Accessing internal servers

Figure 4 Access internal servers

As shown in Figure 4, a user goes through the following steps to access the internal servers:

1. Input the URL address of the SSL VPN gateway on the remote host. The remote host authenticates the identity of the SSL VPN gateway by the certificate of the gateway and establishes an SSL connection with the SSL VPN gateway. After the SSL connection is established successfully, the login page of the SSL VPN gateway Web interface appears.

2. Input the username (including the authentication method) and password. The SSL VPN gateway authenticates the user identity by using the input information. After passing the identity authentication, the user enters the Web interface of the SSL VPN gateway.

3. View the list of available resources, such as Web server resources and file sharing resources.

4. Select the resource to access and send the access request to the SSL VPN gateway through the SSL connection.

5. The SSL VPN gateway resolves the request, checks the access right of the user and, if the user is authorized to access the resource, forwards the request to the corresponding server in plaintext.

6. The server sends the reply in plaintext to the SSL VPN gateway.

7. After receiving the reply, the SSL VPN gateway forwards the reply to the user through the SSL connection.

SSL VPN Access Modes

SSL VPN provides three access modes:

• Web access
• TCP access
• IP access

Users can use different access modes to access different types of resources. In different access modes, the data forwarding procedures between the remote host, SSL VPN gateway, and internal servers are different. The following sections describe the three access modes in detail.

Web Access

Web access allows users to access server resources through the SSL VPN gateway by using browsers in HTTPS mode. In this mode, all data operations are performed on Web pages.

Resources for Web-based access include Web server resources and file sharing resources.

Web server resources

Web servers provide services to users through Web pages. Users can get the desired information by simply clicking the links on the pages. SSL VPN provides secure connections for users to access Web servers and can prevent illegal users from accessing the protected Web servers.

Figure 5 Access Web server resources

As shown in Figure 5, during Web server access, the SSL VPN gateway mainly acts as a relay.

1. After receiving the HTTP request from a user, the SSL VPN gateway finds the required resource according to the URL in the HTTP request, and then forwards the HTTP request to the Web server that provides the required resource.

2. After receiving the HTTP reply from the server, the SSL VPN gateway changes the webpage links pointing to the internal network into links pointing to the SSL VPN gateway before forwarding the reply to the user, so that the user has to access the internal resources through the SSL VPN gateway. In this way, the SSL VPN gateway protects the security of the internal network and implements access control of users.

During the whole process, from the perspective of the user, all HTTP replies come from the SSL VPN gateway, while from the perspective of the Web server, all HTTP requests are initiated by the SSL VPN gateway.
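The two relay steps above (resolving a gateway URL to the internal resource, and rewriting links in the reply so that they point back at the gateway) can be illustrated with a small Python example. This code is added here for illustration and is not code from the white paper or from Comware. The gateway host name, the /web/<scheme>/<internal-host>/<path> layout, the list of registered internal hosts, and the sample HTML are all constructed for the example.

```python
"""Link rewriting for Web access, written as an illustration for this article
(not code from the white paper or from Comware).

Assumptions, all hypothetical: the gateway is reached as GATEWAY_HOST, it
exposes proxied pages under /web/<scheme>/<internal-host>/<path>, and only
hosts registered in INTERNAL_HOSTS are proxied. SAMPLE_HTML is constructed."""
import re
from urllib.parse import urlsplit, urlunsplit

GATEWAY_HOST = "sslvpn.example.com"                      # hypothetical gateway
INTERNAL_HOSTS = {"intranet.corp.local", "10.1.1.20"}    # registered Web resources
ATTR_RE = re.compile(r'\b(href|src|action)\s*=\s*(["\'])(.*?)\2', re.IGNORECASE)
GATEWAY_PATH_RE = re.compile(r"^/web/(https?)/([^/]+)(/.*)?$")


def to_gateway_url(url: str) -> str:
    """Step 2 of Web access: turn a link into the internal network into a link
    back to the gateway. Relative, external and non-HTTP links stay unchanged,
    so only registered internal hosts are ever exposed through the gateway."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in INTERNAL_HOSTS:
        return url
    path = f"/web/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
    return urlunsplit(("https", GATEWAY_HOST, path, parts.query, parts.fragment))


def rewrite_links(html: str) -> str:
    """Rewrite href/src/action attributes in an HTTP reply body. A production
    gateway also has to handle CSS, JavaScript and Location headers."""
    return ATTR_RE.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{to_gateway_url(m.group(3))}{m.group(2)}",
        html,
    )


def to_internal_url(gateway_path: str):
    """Step 1 of Web access: resolve a request path on the gateway back to the
    internal URL it proxies. Returns None for unregistered hosts, so the gateway
    does not become an open proxy into the LAN (host names and IPv4 only)."""
    m = GATEWAY_PATH_RE.match(gateway_path)
    if not m:
        return None
    scheme, netloc, path = m.group(1), m.group(2), m.group(3) or "/"
    if netloc.split(":")[0] not in INTERNAL_HOSTS:
        return None
    return f"{scheme}://{netloc}{path}"


# Constructed reply body from an internal Web server.
SAMPLE_HTML = ('<a href="http://intranet.corp.local/reports?id=3">Reports</a> '
               '<img src="/logo.png"> <a href="https://www.example.org/">External</a>')

if __name__ == "__main__":
    print(rewrite_links(SAMPLE_HTML))
    print(to_internal_url("/web/http/intranet.corp.local/reports?id=3"))
```

The check in to_internal_url is the part that matters for security: a gateway that forwards to whatever host appears in the request path would let any logged-in user reach arbitrary internal addresses, so the host must be matched against the resources the domain administrator actually registered.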

File sharing resources

File sharing is a common network application. An example is the Shared Documents folder provided by the Windows operating system. File sharing allows users to perform file operations on a remote server or host, such as browsing files and uploading and downloading files.

The SSL VPN gateway provides the file sharing resources to users through the Web.

As shown in Figure 6, the SSL VPN gateway acts as the protocol converter between the remote host and the file server.


1. The remote host and the SSL VPN gateway communicate through HTTPS. The remote host sends the user request for accessing file sharing resources to the SSL VPN gateway in an HTTPS packet.

2. The SSL VPN gateway and the file server communicate through SMB. After receiving the request packet from the remote host, the SSL VPN gateway converts it into an SMB packet and then sends the packet to the file server.

3. After receiving the reply packet from the file server, the SSL VPN gateway converts the packet into an HTTPS packet and then sends the packet to the remote host.

Figure 6 Access shared file resources

TCP Access

TCP access is used to support TCP applications on remote hosts that access open ports on internal servers securely. TCP access allows users to access any TCP-based services, including remote access services (such as Telnet), desktop sharing services, and mail services.

To access internal servers in TCP access mode, users do not need to upgrade existing TCP programs. However, a dedicated TCP access client is required. The client uses an SSL connection to transmit the application layer data.

As shown in Figure 7, a user goes through the following steps to access TCP-based services:

1. Launch the TCP application on the remote host, which automatically downloads the TCP access client software from the SSL VPN gateway.

2. Click a resource link on the Web interface of the SSL VPN gateway or launch a TCP program, for example, open the remote desktop connection program to connect to an internal server. The TCP access client automatically establishes an SSL connection with the SSL VPN gateway and uses an extended HTTP message to request access to the resource.

3. The SSL VPN gateway establishes a TCP connection with the internal server that provides the resource.

4. After the TCP connection is established successfully, the TCP access client sends the user access data to the SSL VPN gateway through the SSL connection. Then, the SSL VPN gateway obtains the application layer data and sends the data to the internal server through the TCP connection.

5. After receiving the reply from the internal server, the SSL VPN gateway forwards the reply to the TCP access client through the SSL connection. The client then obtains the reply data and forwards the data to the application program.
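The steps above can be run end to end with a small relay. The following Python example is added for illustration and is not code from the white paper or from Comware. The client-gateway leg would normally be the SSL connection; here it is a plain local socket so the relay logic runs offline. The extended HTTP request format (CONNECT <resource> SSLVPN/1.0 with an X-Session header), the session and resource tables, and the internal echo server are all constructed for the example.

```python
"""TCP access relay, written as an illustration for this article (not code
from the white paper or from Comware).

Assumptions, all hypothetical: the client-gateway leg is a plain local socket
standing in for the SSL connection; 'CONNECT <resource> SSLVPN/1.0' with an
X-Session header is an invented request format; RESOURCES, SESSIONS and the
echo server are constructed."""
import socket
import threading

RESOURCES = {}   # resource name -> (internal host, port); filled by start_demo()
SESSIONS = {"tok-alice": {"rdp-fileserver"}, "tok-bob": set()}  # session -> allowed resources


def parse_request(raw: bytes):
    """Parse the access request the TCP access client sends over the SSL connection."""
    head = raw.partition(b"\r\n\r\n")[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, resource, proto = lines[0].split(" ", 2)   # ValueError if malformed
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    if method != "CONNECT" or proto != "SSLVPN/1.0":
        raise ValueError("not an SSL VPN access request")
    return resource, headers.get("X-Session", "")


def authorize(session: str, resource: str) -> bool:
    """The gateway checks the user's right before opening any internal connection."""
    return resource in RESOURCES and resource in SESSIONS.get(session, set())


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy one direction until EOF, then pass the EOF on to the other side."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(conn: socket.socket) -> None:
    """Gateway side: request -> access check -> TCP connection -> relay both ways."""
    with conn:
        try:
            resource, session = parse_request(conn.recv(4096))
        except ValueError:
            conn.sendall(b"SSLVPN/1.0 400 Bad Request\r\n\r\n")
            return
        if not authorize(session, resource):
            conn.sendall(b"SSLVPN/1.0 403 Forbidden\r\n\r\n")
            return
        try:
            upstream = socket.create_connection(RESOURCES[resource], timeout=5)
        except OSError:
            conn.sendall(b"SSLVPN/1.0 502 Bad Gateway\r\n\r\n")
            return
        with upstream:
            upstream.settimeout(None)
            conn.sendall(b"SSLVPN/1.0 200 Connected\r\n\r\n")   # step 5 of Figure 7
            back = threading.Thread(target=pump, args=(upstream, conn), daemon=True)
            back.start()
            pump(conn, upstream)
            back.join()


def serve(handler) -> int:
    """Start a background TCP server on 127.0.0.1 and return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handler, args=(client,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def echo(conn: socket.socket) -> None:
    """Constructed internal server: echoes whatever the application sends."""
    with conn:
        while chunk := conn.recv(4096):
            conn.sendall(chunk)


def tcp_access(gateway_port: int, session: str, resource: str, payload: bytes):
    """Client side: request the resource, then push application data through the relay."""
    with socket.create_connection(("127.0.0.1", gateway_port)) as s:
        s.sendall(f"CONNECT {resource} SSLVPN/1.0\r\nX-Session: {session}\r\n\r\n".encode())
        status = s.recv(4096).split(b"\r\n", 1)[0].decode()
        if not status.endswith("200 Connected"):
            return status, b""
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
        return status, reply


def start_demo() -> int:
    """Register the echo server as resource 'rdp-fileserver' and start the gateway."""
    RESOURCES["rdp-fileserver"] = ("127.0.0.1", serve(echo))
    return serve(handle_client)


if __name__ == "__main__":
    port = start_demo()
    print(tcp_access(port, "tok-alice", "rdp-fileserver", b"hello through the tunnel"))
    print(tcp_access(port, "tok-bob", "rdp-fileserver", b"denied"))
```

The order of operations in handle_client is the point: the gateway authorizes the session for the named resource first and only then opens the TCP connection to the internal server, so an unauthorized request never causes any traffic on the internal network.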


Figure 7 Access internal servers in TCP access mode (participants: application, TCP access client on the host, SSL VPN gateway, application server)

Connection establishment:
1) Initiate a TCP connection
2) Establish an SSL connection with the SSL VPN gateway and then send an extended HTTP message to request access to a resource
3) Establish a TCP connection with the internal server
4) TCP connection established successfully
5) Return a message to inform the client of the success
6) TCP connection established

Data transmission:
7) Send application layer data
8) Forward the application layer data to the SSL VPN gateway through the SSL connection
9) Forward the application layer data to the internal server through the internal network
10) Reply
11) Send the reply to the client through the SSL connection
12) Forward the reply to the application

IP Access

IP access is used to implement secure communication between a remote host and an internal server at the network layer, thereby supporting all IP-based communication between remote hosts and internal servers, for example, pinging an internal server from a remote host.

When a user accesses an internal server in IP access mode, a dedicated IP access client is required, which installs a virtual network interface card (VNIC) on the remote host.

As shown in Figure 8, a user goes through the following steps to access IP-based resources:

1. Launch the IP application on the remote host, which then automatically downloads the IP access client software from the SSL VPN gateway. The IP access client establishes an SSL connection with the SSL VPN gateway, installs a VNIC on the host, requests an IP address for the VNIC, sets the gateway IP address, and installs routes whose outbound interface is the VNIC.

2. Click a resource link on the Web interface of the SSL VPN gateway or execute an IP access command, such as the ping command, to access an IP network resource. The IP packet is routed to the VNIC, and then encapsulated and sent by the VNIC to the SSL VPN gateway through the SSL connection.

3. After receiving the packet, the SSL VPN gateway de-encapsulates it into the original IP packet and sends the IP packet to the corresponding server.


4. After receiving a reply from the server, the SSL VPN gateway encapsulates the reply packet and then sends the packet to the IP access client through the SSL connection.

5. The client de-encapsulates the packet and then delivers the IP packet through the VNIC to the host for processing.

Figure 8 Access internal servers in IP access mode
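Two decisions in the IP access procedure above can be shown concretely: whether an outgoing IP packet is routed to the VNIC (step 2), and how the packet is encapsulated for the SSL connection and de-encapsulated again on the other side (steps 2 to 5). The following Python example is added for illustration and is not code from the white paper or from Comware. The route list, the 2-byte length-prefix framing, and the constructed ICMP echo request are assumptions for the example; the real client and gateway use whatever framing Comware defines.

```python
"""IP access: route decision and encapsulation, written as an illustration
for this article (not code from the white paper or from Comware).

Assumptions, all hypothetical: VNIC_ROUTES is the route list the gateway
pushed with the VNIC as outbound interface; framing on the SSL connection is
a 2-byte big-endian length prefix; the ping packet is constructed here."""
import ipaddress
import struct

VNIC_ROUTES = [ipaddress.ip_network("10.1.0.0/16"),
               ipaddress.ip_network("192.168.50.0/24")]   # constructed routes


def ipv4_header_fields(packet: bytes):
    """Parse the fixed IPv4 header: returns (src, dst, protocol, total_length)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return src, dst, proto, total_len


def routed_to_vnic(packet: bytes) -> bool:
    """Step 2: the host's routing table sends the packet to the VNIC only when
    the destination falls inside a route the gateway installed."""
    dst = ipv4_header_fields(packet)[1]
    return any(dst in net for net in VNIC_ROUTES)


def frame(packet: bytes) -> bytes:
    """Encapsulate one IP packet for the SSL connection (length prefix + packet)."""
    return struct.pack("!H", len(packet)) + packet


def unframe(stream: bytes):
    """De-encapsulate a byte stream into whole IP packets (gateway side, step 3).
    Returns (packets, leftover) so a partial frame can wait for more data."""
    packets, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        if off + 2 + n > len(stream):
            break
        packets.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return packets, stream[off:]


def checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, ident=1, seq=1, payload=b"ping") -> bytes:
    """Construct the packet 'ping <internal server>' would hand to the routing layer."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


if __name__ == "__main__":
    pkt = build_icmp_echo("172.16.5.9", "10.1.1.20")
    print(routed_to_vnic(pkt), routed_to_vnic(build_icmp_echo("172.16.5.9", "8.8.8.8")))
    print(unframe(frame(pkt))[0] == [pkt])
```

Because the route decision is made by destination prefix, traffic to addresses outside the pushed routes (the second ping above) never enters the tunnel; this is what keeps IP access mode from turning the remote host into a full-tunnel gateway unless the administrator pushes a default route.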

Comware V5 Technical Characteristics

Clients Requiring No Manual Installation and Maintenance

The client software running on remote hosts includes:

• SSL-supporting Web browser: At present, most operating systems provide browsers that support SSL. Hence, users can use such browsers to access internal servers in Web access mode.

• Host checker: Used to evaluate the security status of remote hosts. When a user logs in, the remote host automatically downloads and installs the host checker.

• Cache cleaner: When a user quits the SSL VPN system, the cache cleaner clears the temporary files, configuration files, and downloaded client software used during the SSL VPN communication, avoiding leakage of system information. When a user logs in, the remote host automatically downloads and installs the cache cleaner.

• TCP access client: Client software used in TCP access mode.

• IP access client: Client software used in IP access mode.

Except for the Web browser, all other client software is downloaded from the SSL VPN gateway. The client software requires no manual installation and maintenance: it is downloaded, installed, configured, and used to establish connections automatically.

Support for Multiple Authentication Methods

SSL VPN supports four authentication methods:

• Local authentication: The network administrator configures local users on the SSL VPN gateway. The SSL VPN gateway authenticates a user by comparing the input username and password with those saved locally.

• RADIUS authentication: User information is saved on the RADIUS server. The SSL VPN gateway serves as the RADIUS client and exchanges authentication messages with the RADIUS server to authenticate users.

• LDAP authentication: User information is saved on the LDAP server. The SSL VPN gateway serves as the LDAP client and queries user information on the LDAP server to authenticate users.

• Active Directory (AD) authentication: LDAP authentication implemented by Microsoft.

A user uses a browser to enter the login page of the Web interface of the SSL VPN gateway and inputs the username, password, and authentication method. The information is sent to the SSL VPN gateway through an SSL connection, ensuring the security of data transmission. After the SSL VPN gateway receives the login information, it authenticates the user according to the authentication method.

The authentication methods provided by the SSL VPN gateway are simple, universal, and easily extensible.

Rich and Flexible Security Policies

Insecure remote hosts may bring potential security threats to the internal network. Host checking is a good practice to avoid such threats. When a host logs in to the SSL VPN gateway, the host checker can check the host's operating system and its patches, the version and patches of the browser, the version of the firewall, and the version of the anti-virus software, and then determine which resources the host can access based on the checking results.

You can configure security policies on the SSL VPN gateway to configure the security checking method, define the checking items, and specify the protected resources, ensuring that only remote hosts that satisfy the security policies can access the corresponding resources.

Granular Resource Access Control

The resource access control mechanism of SSL VPN can control user access rights flexibly, implementing granular resource access control.

A super administrator creates domains and specifies passwords for the domain administrators. The domain administrators create resources and users in their own domains, add resources into resource groups, add users into user groups, and then specify the resource groups that can be accessed by each user group. In addition, the SSL VPN gateway can perform security checking on remote hosts.

After a user logs in, the SSL VPN gateway determines the resource groups the user is allowed to access based on the security checking results and the user groups to which the user belongs. In this way, the SSL VPN gateway implements flexible and granular resource access control.
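The model described in this section and in the preceding one on security policies (domains, user groups, resource groups, and host-check results combined into the set of resources a logged-in user may reach, which is also the dynamic authorization listed under Benefits) can be written out as a small Python example. This code is added for illustration and is not code from the white paper or from Comware. The domain names, users, groups, resources, check items and the policy schema (a required value or a minimum version per check item) are all constructed for the example.

```python
"""Authorization model of an SSL VPN domain, written as an illustration for
this article (not code from the white paper or from Comware).

Domains, users, groups, resources, check items and the policy schema are all
constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Domain:
    """One logical SSL VPN gateway: everything below is private to the domain."""
    name: str
    users: dict = field(default_factory=dict)            # user -> set of user groups
    user_groups: dict = field(default_factory=dict)      # user group -> set of resource groups
    resource_groups: dict = field(default_factory=dict)  # resource group -> set of resources
    policies: dict = field(default_factory=dict)         # resource group -> required host status


def host_satisfies(policy: dict, host_status: dict) -> bool:
    """Security policy check: every item must be met; a missing item fails,
    so a host that reports nothing is treated as insecure."""
    for item, required in policy.items():
        value = host_status.get(item)
        if value is None:
            return False
        if isinstance(required, bool):
            if value is not required:
                return False
        elif tuple(value) < tuple(required):   # minimum version, e.g. (12, 0)
            return False
    return True


def allowed_resources(domain: Domain, user: str, host_status: dict) -> set:
    """Dynamic authorization: identity (user groups -> resource groups) AND host
    security status (policy of each resource group) decide what is reachable."""
    allowed = set()
    for user_group in domain.users.get(user, set()):
        for resource_group in domain.user_groups.get(user_group, set()):
            if host_satisfies(domain.policies.get(resource_group, {}), host_status):
                allowed |= domain.resource_groups.get(resource_group, set())
    return allowed


def may_access(domains: dict, domain_name: str, user: str, host_status: dict, resource: str) -> bool:
    """Gateway check on a single request: the lookup is scoped to the user's
    own domain, so a user of one enterprise cannot reach another's resources."""
    domain = domains.get(domain_name)
    return domain is not None and resource in allowed_resources(domain, user, host_status)


def build_sample_domains() -> dict:
    """Constructed configuration for two enterprises sharing one gateway."""
    a = Domain("enterprise-a")
    a.resource_groups = {"public-web": {"http://intranet.corp.local/"},
                         "finance": {"smb://files.corp.local/finance", "rdp-fileserver"}}
    a.user_groups = {"staff": {"public-web"}, "finance-team": {"public-web", "finance"}}
    a.users = {"alice": {"staff", "finance-team"}, "bob": {"staff"}}
    a.policies = {"public-web": {"firewall_on": True},
                  "finance": {"firewall_on": True, "antivirus_version": (12, 0), "os_patched": True}}
    b = Domain("enterprise-b")
    b.resource_groups = {"erp": {"http://erp.b.local/"}}
    b.user_groups = {"all": {"erp"}}
    b.users = {"carol": {"all"}}
    return {a.name: a, b.name: b}


if __name__ == "__main__":
    domains = build_sample_domains()
    secure = {"firewall_on": True, "antivirus_version": (12, 3), "os_patched": True}
    weak = {"firewall_on": True, "antivirus_version": (11, 9), "os_patched": True}
    print(sorted(allowed_resources(domains["enterprise-a"], "alice", secure)))
    print(sorted(allowed_resources(domains["enterprise-a"], "alice", weak)))
```

With the same identity, alice reaches the finance group only from a host whose anti-virus meets the policy minimum; from a weaker host she keeps the public Web resource and nothing more, which is the dynamic authorization the paper describes. Treating a missing check item as a failure is a deliberate design choice: a host checker that never ran must not be mistaken for a host that passed.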

Application Scenarios

Remote Access

Figure 9 Network diagram for remote access application (partner, Internet, SSL VPN gateway, enterprise network; remote terminals at a dwelling house and a hotel, a mobile employee, a network access terminal, and a mobile phone)

As shown in Figure 9, SSL VPN has many advantages in remote access applications. It is suitable for various complicated networking scenarios. Compared with IPsec VPN, SSL VPN is especially suitable for the following scenarios:

• Dynamic remote access: Users use various terminals to access the enterprise network through the Internet from any place at any time.

• Scenarios where remote hosts are not necessarily secure: Users use public computers in, for example, cybercafes or hotels to access the enterprise network. Public computers are insecure as they are more likely to be attacked and infected with viruses.

• Users with different access rights: Remote users using the extranet may be employees, partners, or other personnel. The resources that can be accessed by different users are different.

• Various running environments on remote terminals: Different remote terminals may use different operating systems and applications to access the enterprise network.


Figure 10 SSL VPN gateway serves as the ingress of the enterprise network

As shown in Figure 10, the SSL VPN gateway can cooperate with the firewall to serve as the ingress of the enterprise network, protecting the enterprise network from being attacked.

Figure 11 SSL VPN gateway protects important servers in the enterprise network

As shown in Figure 11, the SSL VPN gateway can be used to protect only important internal servers from being attacked, without affecting other parts of the enterprise network.

SSL VPN Gateway Sharing Application Scenario

Figure 12 Network diagram for SSL VPN gateway sharing application (users of enterprises A, B, and C reach the networks of enterprises A, B, and C over the Internet through one SSL VPN gateway)

Enterprises can share a single SSL VPN gateway, each using one domain of the SSL VPN gateway. The SSL VPN gateway allows these enterprises to manage their own users independently, saving network costs for the enterprises. As shown in Figure 12, enterprises A, B, and C share the same SSL VPN gateway, using domains A, B, and C on the SSL VPN gateway respectively. Enterprise A manages its own users and server resources in domain A, and configures its own security policies to ensure that users of enterprise A can access only the resources of enterprise A. Enterprises B and C manage their users in the same way.

SSL VPN Networking Modes

According to the way in which the SSL VPN gateway is connected to the network, SSL VPN networking modes fall into two types: dual-arm and single-arm.

In dual-arm mode, the SSL VPN gateway resides between the internal network (or internal servers) and the external network, as shown in Figure 9, Figure 10, and Figure 11. The advantage of the dual-arm mode is that the SSL VPN gateway can provide full protection to the whole internal network or the internal servers. The downside is that the gateway, located at the exit of the internal network, may become a bottleneck of the network. Therefore, it must have high processing capability, availability, and reliability.

Figure 13 Network diagram for single-arm mode

As shown in Figure 13, in single-arm mode, the SSL VPN gateway acts as a proxy server for the communication between the remote host and the internal network. The advantage of the single-arm mode is that the SSL VPN gateway is not a bottleneck of the network, as it is not deployed on the key path. However, the SSL VPN gateway cannot provide full protection to the internal network.

© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

