Post on 18-Dec-2015
© 2005-09 NeoAccel, Inc.
SSL VPN-Plus Training
SSL VPN-Plus
© 2005-06 NeoAccel, Inc.
COMPANY OVERVIEW
Company Snapshot
Founded 2004
– Founder: Michel Susai
  • Former Chairman and CEO, and Founder of NetScaler (Acquired by Citrix for $325M)
– First Product Shipped Oct 2005
Technology Focus
– Secure Remote Access: SSL VPN-Plus™
– Network Access Control: NAM-Plus™
– SSL Based Site to Site VPN
Competitive Advantage
– Patented Architecture (ICAA™)
– 24-Month Technology Lead
Sales Strategy
– Enterprise, OEM, Channel
Offices
– Headquarters – San Jose, CA
– Regional Sales Offices
  • Boston, Houston, San Jose
  • India, China, Japan
Investors
– Institutional
  • Baring Private Equity
  • NTT
– Angel
  • Sabeer Bhatia (Co-Founder, Hotmail)
  • Prabhu Goel (Inventor, Verilog)
Sample Customers
Financial, Service Providers, Health Care, Manufacturing, Gov’t, Enterprise, Non-Profit, Utilities, Insurance, Higher Education, Engineering, Automotive, Real Estate, Construction, Online Security, Marketing, Logistics, IT Services, Retail, OEM
Awards and Recognitions
SSL VPN Magic Quadrant Q307
"The company [NeoAccel] ... has established multiple OEM deals and sold well in the first half of 2007, ... outperforming some older and established companies." -- Gartner SSL VPN MQ 2007
REMOTE ACCESS
Remote Access?
• Access Secure Application Servers to update customer information or submit a daily report
• Access Corporate Email server
• Access Mission Critical Application Servers when at a customer site
• Access Corporate Intranet to get the latest information or check the status of your leave application
Who Needs Remote Access?
• Consultants
• Partners
• Field Engineers and Sales Team
• Remote Office Employees
• Off office hours workers
• Roaming Executives
• Bridge branch offices to corporate centre
Why VPN?
• When Alice talks to Bob
• Confidentiality
• Integrity
• Authentication
VPN Technologies?
• PPTP
• L2TP
• IPSec
• SSL
IPSec Features
• Site-to-Site Access
• Complete network access
• Transparent to Applications
• Least effect on performance
• Good security
SSL VPN – Secure Sockets Layer VPN
• Uses the SSL protocol for confidentiality, authentication and integrity, and then proxies to provide authorized and secure access to private network resources like Web, Client/Server, file sharing etc.
• Two modes
  • Clientless: Proxies web-based applications and uses the inbuilt SSL support in browsers to establish the VPN and deliver web traffic.
  • Network Extension: Proxies client-server applications; requires a proprietary client application to establish the VPN and facilitate client-server application communication.
SSL VPN Features
• Designed for Remote Access
• Centralized Access Control
• Zero user side management
• One minute deployment
• Endpoint Security
• Clientless - Access Anywhere
• Network Extension
• Access Anything
Current State of VPNs – Remote Access
• 1st-Generation VPN – IPsec
  – IP Address-Based Tunnels
  – All-or-Nothing Network Access for Employees
  – High License & Administration Costs
• 2nd-Generation VPN – SSL
  – User-Based Tunnels
  – Conditional Access to Specific Applications
  – Significant Advantages over IPsec (see next slide)
[Diagram: IP Address-Based Tunnels vs. User-Based Tunnels, users on each side]
2nd-Generation VPN Advantages over 1st Generation
• Increased Security
  • User-Based Tunneling
  • Endpoint Security
  • Granular Access Control
• Increased Return on Investment
  • Zero Client Software Costs
  • Zero Client Upgrade Costs and Pain
  • Zero Client Management
• Universal Access
  • Employees, Non-Employees
  • Access from Any Device – No Device with VPN Client Required
  • Cross Platform Support (Mac, Linux, Windows, Smart Phones, PDAs)
SSL VPN Drivers (% of respondents rating category a driver; Source: Infonetics Research, 2006)
  Increased security                                        80%
  Enable clientless VPNs                                    51%
  Decrease operating cost                                   41%
  Support wide variety of client platforms                  38%
  Enable employee access from handheld devices              29%
  Enable employee access from kiosks and guest computers    23%
IPSec – Why not?
• Not designed for remote access
• Traversal problem over NAT devices
• Firewall configuration required
• All corporate services are exposed on the firewall
• No centralized access control
• Per-user administration and configuration
• Interoperability among vendors
• Time consuming deployment
What’s Missing in SSL VPN
• Performance Degradation
  • SSL VPN falls prey to TCP over TCP melt-down
  • Extra context switching of SSL VPNs causes performance loss
• Poor End User Experience
  • Limited or no connectivity over low bandwidth or high packet loss networks like
    • Wireless
    • DSL
    • Data Cards
• Increased Support Cost
• No Site to Site VPN capabilities
Why Companies are Not Buying SSL?
• Extra context switching of SSL VPNs causes performance loss
• SSL VPN falls prey to TCP over TCP melt-down
• Performance degradation affects the SSL gateway and all users
• Many companies stay with IPSec to avoid user complaints
What can IT do?
NeoAccel: The Third-Generation VPN
• Increased Security
  – User-Based Access Control with Endpoint Security
• Increased ROI, Lower TCO
  – 10% of IPSec Costs in Large Installations
• Ubiquitous Access
  – Any User from Any Device
• IPSec-Level (or Better) Performance
• Site-to-Site VPN Support – New!
NeoAccel SSL VPN-Plus Features
• Best of both worlds of IPSec and SSL VPN
• High Performance
  • Overcomes TCP over TCP meltdown
  • Overcomes extra context switch
• Designed for Remote Access
• Centralized Access Control
• Zero user side management
• One minute deployment
• Endpoint Security
• Clientless - Access Anywhere
• Network Extension
• Access Anything
• IPSec replacement capabilities
• Site to Site VPN over SSL
NeoAccel SSL VPN-Plus Deployment
[Diagram: Sales, wireless, guest and roaming users reach the NeoAccel SSL VPN-Plus Gateway (with HA) over the Internet for Secure Remote Access; a Branch Office connects through Site-to-Site Access; the NeoAccel NAM-Plus Gatekeeper provides NAC Integration in front of the Directory Services and App Servers in the Corporate Network / Data Center / DR Site.]
• Site-to-Site
• Endpoint Security
• Host Checking
• Compression
• 4 Forms of Access
• Self-Updating Full-Client
• Node on the Network
• Supports VOIP
• IPsec-Like Speeds
• Client-Side Cleanup
• High Availability
End to End Secure Access
[Diagram columns: Endpoint Security, Compliance, Hardened Appliance, Network Security Services, Directory Integration, Directory Store, Data Transit Security, Dynamic Access, Privilege Mgmt. The SSL appliance sits between the remote endpoint and the MRP/ERP, Intranet/Web Server, Unix/NFS and Server Farm resources.]
Endpoint Security
• Strong Authentication
  • Eliminate PW Spoofing
  • Ensure Non-Repudiation
• Host Checker
  • 3rd Party Software Compliance
  • Registry, processes, files, custom DLLs
  • Application Authenticity Check
  • Recurring Host Check
• Cache Cleaner
  • Eliminate session data
  • Delete temp files
Centralized Security Gateway Network Security
• DDOS Protection
• URL Attack Protection
• Network Firewall
• SSL Transport
Dynamic Authentication Policy
• Certificate, Source IP, Host Checker, Cache Cleaner, User Agent, Interface, etc.
Granular Authorization Rules
• Group Based
• URL, Host, Port
• Client/Destination
• End Point/Connection Check
Data Transit Security
• In-Transit Data Protection
• Data Trap
• Non-Cacheable HTML rendering
• Cookies
• Host Name Encoding
PERFORMANCE
Packet Loss Leads to Performance Degradation
• Packet loss is a real-world problem
• Packet loss translates to severe performance degradation due to an architectural flaw in current SSL VPN products from the market leaders
• In the US, it is not unusual to see 5~8% packet loss across the public Internet
• 15-20% packet loss is typical in wireless networks (i.e., 802.11)
• In some parts of Asia 50% packet loss is typical
• Worldwide average is >24% packet loss
[Diagram: Other SSL VPNs: Packet flow, between the private network servers, the SSL VPN Gateway and the SSL VPN client agent running on the remote user's machine. Both the application data (D) and the application ACK (A) cross the tunnel as SD packets, each answered by an SA.]
Legend: D = application TCP data packet; A = application TCP ACK packet; SD = SSL tunnel data packet; SA = SSL tunnel ACK packet
Caption on the LAN side: This is what will be achieved. This happens when the user is working in the office, i.e. connected to the LAN.
TCP-Over-TCP Meltdown
All 1st and 2nd Generation SSL VPNs are subject to TCP-over-TCP meltdown. NeoAccel is not!
[Diagram: SSL VPN: Packet Drop. Same parties and legend as the packet flow diagram above (D, A, SD, SA); when an SD carrying application data is dropped, both the tunnel TCP and the application TCP recover it, so the data segment crosses the tunnel again.]
How SSL VPN-Plus Improves Performance
• Key Technologies
  • Intelligent Compression Acceleration Architecture (ICAA): Overcomes TCP over TCP meltdown
  • Transparent SSL (TSSL): Kernel-ported SSL encryption engine. Reduces context switching
  • Acceleration Triggered Compression Engine (ATCE): Intelligent compression
[Diagram: SSL VPN-Plus: Packet Drop. Same parties and legend as the packet flow diagram above (D, A, SD, SA); only the data crosses the tunnel as SD, the application ACK stays on the LAN, and a dropped SD is recovered once by the tunnel alone.]
[Diagram: Non-NeoAccel SSL VPN, very slow with huge packet loss (the TCP-over-TCP problem). Client side: Client Applications and Client TCP/IP Stack, OpenSSL and the L3 SSL VPN module in user mode, a TUN/TAP VNIC and the NIC in kernel mode. Gateway side: NIC-1, TUN/TAP VNIC, L3 SSL VPN module and OpenSSL in user mode, Server TCP/IP Stack and NIC-2 to the Private Network. Context switches per packet: 2 on the client, 2 on the gateway.]
Packet flowing across the network: DLL | IP | TCP | SSL | IP | TCP | Data (the inner IP/TCP headers are the tunnelled frame)
[Diagram: NeoAccel SSL VPN-Plus: Packet Flow. Client Applications and Client TCP/IP Stack feed the NeoAccel SSL VPN-Plus ICAA integrated with kernel-level SSL and then the NIC; on the gateway NIC-1, ICAA integrated with kernel-level SSL, Server TCP/IP Stack and NIC-2 to the Private Network. Packet processing and VPNization of TCP data happen in kernel mode. Context switches per packet: 0 on the client, 0 on the gateway.]
Packet flowing across the network: DLL | IP | TCP | SSL | Node header | Data (no inner IP/TCP headers)
[Diagram: Comparison of NeoAccel vs. Others, showing the user/kernel placement of the App, TCP, IP, SSL and Enet layers for IPSec (unencrypted application, IPSec in the kernel), for a conventional SSL VPN (a second TCP/IP instance tunnelled over SSL, marked #1 and #2) and for NeoAccel SSL VPN-Plus (ICAA and TSSL in the kernel).]
Why ICAA?
• It is observed that other SSL VPN vendors simply tunnel (proxy) a complete Ethernet frame over the SSL connection to the private network, resulting in two TCP layers for each packet. This redundant layer of reliability causes the TCP over TCP meltdown problem. (Slide 4)
• Many applications are not designed to work over lossy, varying-bandwidth networks like the Internet.
• There are known issues with the TCP layer when working over the Internet. In SSL VPNs, when multiple application TCP connections are tunneled into a single TCP connection, the effect of these TCP problems is compounded. This results in frequent connection disconnects.
ICAA Benefits
• ICAA avoids the overhead of the extra reliability layer induced by tunneling application TCP traffic inside the SSL VPN TCP tunnel.
• ICAA reduces TCP packet loss recovery time by 30 times by avoiding tunneling of a TCP connection inside another TCP connection.
• ICAA avoids the TCP layer limitations that make TCP unsuitable for remote application connections over a WAN with varying bandwidth and congestion. ICAA avoids per-connection parameters like the TCP window size and congestion window for each application connection; the parameters of the single SSL VPN TCP tunnel are applied to all application connections.
• ICAA does not let application connections flow over the WAN, thus avoiding the TCP slow start problem and fragmentation, and avoiding the congestion control algorithm limitations for each application connection.
• Even in 0% packet loss networks (like a LAN), the number of packets is reduced by 50% straightaway.
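The packet accounting behind the "Why ICAA?" and "ICAA Benefits" slides, as an added illustrative model (not NeoAccel code): it counts WAN packets using the D/A/SD/SA legend of the packet flow diagrams, once for a design that tunnels every application TCP packet and once for a design that terminates application TCP locally and tunnels only payload. The meltdown condition (the inner TCP retransmission timer firing while the outer tunnel TCP is still recovering), the 10-segment scenario and the loss schedule are assumptions.

```python
"""WAN packet accounting for two SSL VPN tunnelling designs.

Illustrative model (an added example, not NeoAccel code) using the legend of
the packet-flow slides:
    D  = application TCP data packet     A  = application TCP ACK packet
    SD = SSL tunnel data packet          SA = SSL tunnel ACK packet

"proxy" design: every application TCP packet, D and A alike, is encapsulated
    as an SD over the WAN, so two TCP reliability layers are stacked.
"icaa" design: application TCP is terminated locally at the client agent and
    the gateway; only payload crosses the WAN as SD and the single tunnel TCP
    provides reliability, so application ACKs never leave the LAN.
Assumed meltdown condition: when an SD carrying data is lost, the inner TCP's
retransmission timer fires before the outer tunnel TCP has finished
recovering, so the application segment is sent a second time through the
tunnel and the far end answers the duplicate with a duplicate ACK.
"""
from typing import List, Set


def proxy_wan_trace(n_segments: int, lost: Set[int]) -> List[str]:
    """WAN packets for the tunnel-everything design.

    `lost` holds indices of application data segments whose first SD
    transmission is dropped on the WAN; entries ending in '*' are
    retransmissions.
    """
    wire: List[str] = []
    for i in range(n_segments):
        if i in lost:
            wire.append("SD(D)")          # first copy, dropped on the WAN
            wire.append("SD(D)*")         # outer tunnel TCP retransmits it
            wire.append("SD(D)*")         # inner TCP RTO fires too: D resent through the tunnel
            wire.extend(["SA", "SA"])     # gateway ACKs both tunnel packets that arrived
            wire.append("SD(A)")          # server's application ACK, encapsulated
            wire.append("SD(A)*")         # duplicate ACK for the duplicate D
            wire.extend(["SA", "SA"])     # client ACKs both tunnel packets
        else:
            wire.append("SD(D)")          # client data, encapsulated
            wire.append("SA")             # tunnel-layer ACK from the gateway
            wire.append("SD(A)")          # server's application ACK, encapsulated
            wire.append("SA")             # tunnel-layer ACK from the client
    return wire


def icaa_wan_trace(n_segments: int, lost: Set[int]) -> List[str]:
    """WAN packets when only payload is tunnelled (ICAA-like behaviour)."""
    wire: List[str] = []
    for i in range(n_segments):
        wire.append("SD")                 # payload only; the application ACK stays on the LAN
        if i in lost:
            wire.append("SD*")            # one reliability layer: exactly one retransmission
        wire.append("SA")                 # tunnel-layer ACK
    return wire


def wan_packet_count(design: str, n_segments: int, lost: Set[int]) -> int:
    trace = proxy_wan_trace if design == "proxy" else icaa_wan_trace
    return len(trace(n_segments, lost))


def reduction(n_segments: int, lost: Set[int]) -> float:
    """Fraction of WAN packets saved by the ICAA-like design."""
    proxy = wan_packet_count("proxy", n_segments, lost)
    return 1 - wan_packet_count("icaa", n_segments, lost) / proxy


if __name__ == "__main__":
    # Constructed scenario: 10 segments, with segments 3 and 7 dropped once each.
    for label, lost in (("0% loss", set()), ("2 drops", {3, 7})):
        print(f"{label}: proxy={wan_packet_count('proxy', 10, lost)} "
              f"icaa={wan_packet_count('icaa', 10, lost)} "
              f"saved={reduction(10, lost):.0%}")
```

With no loss the model reproduces the slide's 50% figure (40 vs. 20 WAN packets for 10 segments); with two drops the stacked recovery widens the gap to 50 vs. 22.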
[Sequence diagram: SSL connection establishment on a conventional SSL implementation, between the Host TCP/IP Stack, the user-mode SSL Web Server and the Hardware Accelerator]
  Client -> Server: SYN
  Server -> Client: SYN+ACK
  Client -> Server: ACK
  Client -> Server: Client Hello
  Server -> Client: Server Hello, Server Certificate, Server Hello Done
  Client -> Server: Client Key Exchange, Change Cipher Spec, Client Finished
  Server -> Client: Change Cipher Spec, Server Finished
  Client -> Server: Encrypted Request
  Server -> Client: Encrypted Response
Hardware accelerator operations during the exchange: BN Mod Exponent, True Random Number Generator, 3DES Decrypt, SHA-1 Calculation, 3DES Encrypt, SHA-1 Calculation
Total User/Kernel Context Switches: 13
Conventional SSL implementation slows down the gateway
[Sequence diagram: SSL connection establishment with the TSSL Engine in the kernel, between the Host TCP/IP Stack, the TSSL Engine, the Web Server and the Hardware Accelerator]
  Client -> Server: SYN
  Server -> Client: SYN+ACK
  Client -> Server: ACK
  Client -> Server: Client Hello
  Server -> Client: Server Hello, Server Certificate, Server Hello Done
  Client -> Server: Client Key Exchange, Change Cipher Spec, Client Finished
  Server -> Client: Change Cipher Spec, Server Finished
  Client -> Server: Encrypted Request
  Server -> Client: Encrypted Response
Total User/Kernel Context Switches: 3
SSL Connection Establishment
NeoAccel’s TSSL Engine speeds up by saving 10 Context Switches
Why TSSL?
• It was observed that other SSL VPN vendors do encryption/decryption at the application layer, which is normally implemented at a less privileged level in an OS (Slides 3, 4). This results in slow SSL processing and high latency for application connections.
• The high CPU context switching results in slower packet processing, higher latency, less throughput and fewer user logins/sec.
• Because SSL processing is done in user mode (the less privileged mode of the OS), there is overhead between the SSL module and the SSL hardware accelerator cards. This results in less output from the SSL hardware accelerator cards.
TSSL Benefits
• TSSL avoids the CPU context switching on both the SSL VPN Gateway and the Client while handling each application connection over the SSL VPN, resulting in high tunnel throughput.
• TSSL helps the CPU spend less time doing non-VPN related tasks and helps process VPN data faster, resulting in low latency and faster user logins per second.
• TSSL enables the SSL VPN Gateway and SSL VPN Client to do bulk encryption, resulting in better throughput.
• TSSL reduces the communication overhead between the SSL VPN Gateway and the SSL accelerator card, resulting in maximum throughput and higher SSL transactions per second.
• TSSL helps control the latency added by SSL processing for real-time traffic like VOIP and video.
Why ATCE (Dynamic Compression)?
• Other VPN solutions have switch-like functionality for compression.
• Compression benefits truly depend on the available bandwidth and the current load on the VPN gateway. Other VPNs do not consider these factors.
• An ON/OFF functionality makes compression add load to the VPN gateway even when compression of the data is not required.
ATCE Benefits
• Calibrates compression benefits at regular intervals.
• Low bandwidth connections get more compression benefit compared to higher bandwidth Internet users.
• Data is compressed only if the data is compressible.
• Optimizes the load/bandwidth ratio.
[Bar chart: Performance Comparison, NeoAccel SSL VPN-Plus vs. SonicWALL SSLVPN 200, throughput in KBytes/sec; Y axis 0 to 4000 KBytes. Series: No Encryption/Layer2, No Encryption/Routed, SSL VPN-Plus (ICAA disabled), SSL VPN-Plus ICAA, SonicWALL 200. Bar values as extracted: 3362, 1587, 1360, 3510, 460.]
Performance Comparison
DEPLOYMENTS
SSL VPN-Plus
Providing a single point of entry for all remote application needs: secure, reliable and user friendly.
[Diagram: A simple SSL VPN-Plus solution deployment: wireless/mobile user, NeoAccel SSL VPN-Plus Gateway, Private Corporate Network]
Deployment Options
COMPONENTS
Various Components
• Gateway: Base OS
  • NeoAccel Hardened OS
• SSL VPN-Plus Gateway
  • Authentication Module: Local Database, LDAP, AD, RADIUS, RSA SecurID, Certificate based authentication
  • Authorization Module: ACLs for Network and Application Access Control
  • Auditing
  • End Point Security
Various Components cont.
• Access Terminals
  • SSL VPN-Plus portal: Clientless access named Web Access Terminal. Supports IE 5.0 & above, Firefox, Netscape
  • SSL VPN-Plus client
    • QAT: Browser integrated Java based port forward client. Supports Windows 2000, Windows XP, Windows Vista, Windows Server 2000 & 2003
    • PHAT: Network Extension client. Supports Windows 98, Windows 2000, Windows XP, Windows Vista, Windows Server 2000 & 2003, Windows Mobile, Red Hat 9.0, Red Hat EL 3, Knoppix, Debian, Mac OS X
• Management Console
  • Requires JRE 1.4.2 or above on the administrator’s PC
Full-Range, High-Capacity Product Line
Feature                 SGX-800       SGX-1200           SGX-2400     SGX-4800
Target Market           Entry-Level   Sm-Med Enterprise  Enterprise   Large Enterprise
Concurrent Users        50            100                2,000        10,000
Throughput              100 Mbps      250 Mbps           500 Mbps     950 Mbps
Operating System        NHOS*         NHOS               NHOS         NHOS
Gigabit Interfaces      4             2                  2            2
High Availability       Yes           Yes                Yes          Yes
Hardware Acceleration   ─             ─                  √            √
Dual Power Supply       ─             ─                  √            √
Dual Hard Drives        ─             ─                  √            √
*NeoAccel Hardened Operating System
NeoAccel Management Console
Module 1
NeoAccel Management Console
The NeoAccel Management Console (NMC) is a Java based administration console. To access the NMC, open a web browser and enter the following path:
http(s)://<ipaddress>/sslvpn-plus/nmc
Example: https://192.168.10.1/sslvpn-plus/nmc
To access the NMC from the Internet configure your firewall to allow TCP port 443 and TCP port 8090. Be sure to allow pop-up windows from the NMC URL.
Access Management Console cont.
• Management Console login
  • Default power-user credentials: admin/admin
Menu Bar
The Menu Bar at the top of the browser has multiple options:
• Logout: Log out of the NMC
• Refresh: Refresh the NMC screen
• Save: Save the current running configuration
• Change Password: Change the admin password (recommended)
• About: Copyright information
• Help: Open Help resources
General
The landing page is System/General, which displays information such as Version Number, Processor Information, Memory Utilization and interface information.
Interface Configuration
The interface configuration allows the administrator to change/modify IP address information for each network interface adapter.
To configure the SSL VPN-Plus Gateway for single arm mode, select the desired interface, check the box “Configure for Single ARM mode” and click Save. Advanced configuration allows specifying Link speed & MTU size.
Route
The route menu option displays currently configured routes. To add routes to other networks, select the Add button and provide the necessary information.
DNS
The DNS and Hosts Configuration sets parameters related to the SSL VPN-Plus Gateway: setting the Hostname, Primary and Secondary DNS servers, as well as defining static computer hostname to IP address mappings.
NMC Administration
Multiple administrators can be created with different levels of access to the appliance configuration, ranging from full control to restricted or read-only access. 1 Full control, 8 Restricted and 8 Read only administrators can be configured.
Module 2 – SSL VPN-Plus
Module 2 focuses on creating and configuring the SSL VPN-Plus Gateway instance that end users will establish the tunnel with. It is possible and often useful to run multiple instances or gateways on a single device. This allows the administrator to provide different options for user connectivity.
One example would be configuring a separate gateway for third party business partners who need tunnel connectivity. Creating a separate gateway with a single authentication source and other options is an effective way to plan your Remote Access strategy.
Gateways
The Gateways menu allows you to Add/Modify/Remove gateways and parameters. The right hand side of the screen lists the configured options.
Modify Gateway
Highlight the gateway in the previous screen and select Modify. This opens a dialogue window with the General, Authentication and Advanced tabs.
The administrator can define the IP address, port, certificate and the cipher used to encrypt traffic to the SSL server. A broadcast message can optionally be specified to be displayed to all end users when they connect to the VPN.
Authentication
Select the Authentication tab to change Authentication options such as Enable or Disable Authentication, prevent multiple logons with the same username, as well as prioritizing the cascaded authentication server list. Dual Authentication can be enabled, wherein the end user will need to authenticate twice against two different authentication servers.
Certificate Authentication
Enable Client Certificate Authentication so that the end user will need to provide a certificate to be able to access private network resources. The CA list contains the CA certificates to which the client certificate can belong. The username can also be extracted from the certificate, so that the end user will only be allowed to enter the password for the username extracted from the certificate used for authentication.
Portal Customization
Portal customization allows a complete redesign of how the web based access appears to the user. Look & feel can be chosen from a list of Layout & Color schemes. The Layout scheme allows the logo, company name or title to be defined as per the corporation. The Color scheme allows a complete change in the look and feel of the portal.
Advanced
The Advanced tab sets parameters for enabling Acceleration Triggered Compression, Client Auto Update Notification, Endpoint Securing Agents, Virtual Keyboard, SSO, User Logging and timeout values, and enabling Forced Timeout.
Active Clients
The Active Clients screen shows the users who are logged into the SSL VPN-Plus and information regarding the tunnel established. The administrator can disconnect a single tunnel or all tunnels by selecting the appropriate button.
License
The license screen shows the type of license, the number of concurrent tunnels allowed and the option to Update License.
Update License
Select the Update License button and enter the Software Serial Number provided to you at the time of installation. Click OK.
Update License cont.
• Select Copy to Clipboard
• Open License Server
• Paste this selection into the License server and retrieve your license
• Paste the new license from the clipboard
• Select OK
Certificates
Allows the administrator to Add/View/Remove SSL certificates for the gateway.
Add Certificates
Enter the Certificate name and browse to the location where the certificate is stored. Select the Private Key to import the server’s private key as well.
View Certificate
Allows the administrator to view the contents of the SSL certificate.
Module 3 – Users/Groups
The NeoAccel SSL VPN-Plus allows granular control of users and groups. You will find that most of the power of this access control is based on group membership. The ability to limit access methods, apply access control policies, provide resources to access, do cleanup, as well as provide the user with a customized experience, is gained by the use of Group policies.
When using an external authentication source such as RADIUS or Active Directory, it is not necessary to configure users directly on the gateway, provided you have selected the Group Extraction option in the configuration of the external authentication servers.
Upon the user presenting credentials to the PHAT client or Portal, the gateway will forward that request to the authentication server, extract the user’s group membership and apply the configured Group Policies to that user.
Authentication Servers
The SSL VPN-Plus Gateway supports the following authentication methods:
• Local Database
• Active Directory with/without Group Extraction
• RADIUS with/without Group Extraction
• LDAP with/without Group Extraction
• RSA SecurID
• Client Certificates – X.509
SSL VPN-Plus utilizes a “cascading authentication” mechanism whereby the user credentials supplied at the time of login can be validated against multiple authentication servers. Authentication servers are bound to the Gateway instance and not to the User/Group. The order of search precedence is determined by the administrator.
Menu Section
This menu selection will allow the administrator to configure Groups, Users and Auth Servers.
List of Authentication Servers
Add Auth Server - RADIUS
• Select Server type RADIUS
• Provide an alias identifier
• Enter the IP address of the RADIUS server
• Enter the Port listening on the server
• Server timeout value in seconds
• Shared secret
• NAS IP Address
• Retry count
• Enable/Disable Group Extraction based on the Class attribute in the server
Click OK to complete the operation
Auth Servers – Active Directory
• Select Server type
• Define alias identifier
• Provide server IP address
• Set server listening port
• Set server timeout
• Configure AD search base
• Configure bindDN
• Supply the user’s password
• Set Login attribute name
• Set search filter
• Enable/Disable Group Extraction
(continued next slide)
Auth Servers – Active Directory cont.
• Set Group attribute name
• Sub attribute name
• Click OK to add
Useful tool for extracting information from AD: LDAP Browser, http://www.ldapbrowser.com
Users - Local
In many cases the administrator may want to create local users for authentication rather than using an external authentication server. One example would be allowing third party personnel to use the SSL VPN-Plus tunnel: rather than adding this third party user to Active Directory, simply configure a local user.
Groups
This screen shows a list of all Groups configured on the Gateway and allows the addition, modification or removal of Groups.
Add Group
• Supply a Group Name
• Additional description to identify group
• Set Group Access Policies
Group - Portal
• Select Portal tab
• Enable/disable Public URL access
• Set Web App links available to this group
• Select Application list
Group – Portal cont.
• File Share list
• PHAT client package
Group – Network Extension
• Allow QAT access
• Start QAT automatically
• Set Client Configuration Name
• Select Tunnel mode
• Define Default Gateway for full tunnel
• Set Private Network list
• Add IP Pool (only necessary if using PHAT access)
Group – IP Pool (PHAT client)
Select the Add button to set the IP Pool that will be assigned to the Group. IP Pools are like DHCP scopes that are configured to provide IP Address, Netmask, DNS servers, WINS server and other options.
Group – Private Network List
Select the Private IP network that you want to allow via the tunnel. To select multiple subnets, hold the Control key down while selecting, then click Add.
Group – Private Network ICAA options
The administrator can enable/disable private networks from using ICAA® technology. ICAA greatly increases traffic performance, but in some cases is not compatible with certain applications/protocols.
Exclude allows the administrator to direct the client computer to exclude portions of a private network subnet’s traffic from being sent over the VPN tunnel.
Group – Logon & Logoff Scripts
Upload scripts to be executed when the user connects to the VPN or at the end of the user’s VPN session.
Scripts can be batch, Java or VB based.
Group – End Point Protection
The administrator can enable certain data cleanup mechanisms for the set of users belonging to a group. Either browser cache cleanup can be enabled, or blocking of cut/copy/paste can be enabled for the duration of the end user’s session. Secure workspace can be activated so that the end user will need to work inside a secure desktop; all data will be stored in an encrypted manner on the end user’s machine, and traces of it will be deleted at the end of the user’s VPN session.
Authorization
The authorization menu selection allows the administrator to configure Access Control Policies, Endpoint Security scans and Security Zones.
Access Control Policies - ACL
This screen is a repository of configured ACLs. These ACLs can be applied to Groups and Security Zones to control user access. Much like firewall rules, take caution in applying these rules.
Add Policy – Network ACL
Add Policy – Application ACL
Blacklist / Whitelist a specific set of applications from being executed during the VPN session, on the basis of the process name or the MD5 of the process.
Block VPN Access allows execution of the process, but disallows any of the traffic generated by the process from being sent over the VPN tunnel.
Apply Group Access Control Policy
• Select Groups
• Modify
• Add ACL on the General tab and set priority
• OK
Endpoint Security Policies
Endpoint Security Policies allow the administrator to define machine-specific scans to validate whether the client computer meets the security policies of the company. These security scans (host validation) are performed before user authentication.
The administrator can configure scans for the following items:
• File
• Process
• Registry
• Ports
• Services
• WMI
• Certificate Template
EPS policies are evaluated in the following order of precedence:
Zone = AND, Policy = OR, Rule = AND
Endpoint Security Policies
The SSL VPN-Plus comes with approximately 100 pre-configured Endpoint Security checks. The administrator can create custom checks by selecting the Add button.
Modify Existing Policy
Creating Process Policy
To create a Process policy, use the Windows Task Manager to locate the running process to test for and note the executable name. In this case the test will check for Skype.exe running.
Add Policy – Skype running
Select Add Rule and enter the required information.
Completed Skype EPS check
EPS - File
The administrator can check for the following attributes of files by specifying the File Name with full path and the File Properties.
EPS - Registry
The administrator can test for the Existence of Registry entries.
EPS – Registry cont.
The above example would check to determine whether the client machine is a member of the company domain.
EPS – Port Status
This allows the administrator to perform a basic port scan on the client machine to determine whether certain ports are open, closed or listening.
EPS - Service
This scan detects whether the client computer has a given Windows service and whether the service is Running or Not Running.
EPS - WMI
WMI helps in reading the dynamic database of Windows. Rules created using WMI are used to check the health of the firewall, anti-virus and anti-spyware.
© 2005-06 NeoAccel, Inc.
EPS – Certificate Template
This scan performs a watermark check of the end user's machine to identify a corporate-issued machine: one holding a certificate issued from the specified certificate template.
Security Zones
Once the administrator has configured EPS policies, the results of the EPS scan determine Zone membership as soon as the client computer establishes a tunnel and before the user authenticates. SSL VPN-Plus ships with 5 pre-configured Zones and supports up to 40 security zones.
Membership evaluation starts at the highest Zone; based on the pass/fail result of the EPS policies the client traverses downward into lower Zones, where ACLs may be applied to limit resource access.
Zones allow the administrator to override Group policies and control access based on the validation of the client computer.
In general one should never add an allow policy to a Security Zone, with the exception of the Quarantine Zone: Zone ACLs are for restricting what a less-trusted machine can reach, while access is granted at the Group level.
Zones
EPS – Modify Zone
Allows modification of the EPS checks assigned to a particular Zone.
EPS – Modify Zone with ACL
This example denies RDP when the client has been placed in the Semi-Trusted Zone.
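The following is an added example, not NeoAccel's code, that models the EPS evaluation described above: the Zone=AND, Policy=OR, Rule=AND precedence, the Skype process policy, the top-down traversal of Security Zones, and the Semi-Trusted ACL that denies RDP. It reads the precedence as: every condition in a Rule must match, any one Rule satisfies its Policy, and every Policy attached to a Zone must pass. The host state, the service and registry names, the certificate template name, the policies and the Zone names other than Semi-Trusted and Quarantine are all constructed for illustration.

```python
"""Added example (not NeoAccel code): EPS precedence, zone assignment and a zone ACL.
Host state, policies and zone names other than Semi-Trusted/Quarantine are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed host state, as the pre-authentication EPS scan might report it.
HOST_STATE = {
    "process": {"Skype.exe", "explorer.exe"},                      # running processes
    "service": {"WinDefend": "Running", "MpsSvc": "Not Running"},  # Windows services
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain": "corp.example"},
    "port": {3389: "listening", 445: "closed"},                    # local port status
    "cert_template": {"CorpWorkstation"},                          # templates of installed certs
}

@dataclass
class Rule:
    kind: str                      # process / service / registry / port / cert_template
    conditions: Dict[str, object]  # Rule = AND: every condition must match

@dataclass
class Policy:
    name: str
    rules: List[Rule]              # Policy = OR: any one rule satisfies the policy

@dataclass
class Zone:
    name: str
    policies: List[Policy]         # Zone = AND: all policies must pass
    deny: List[Tuple[str, int]] = field(default_factory=list)  # zone ACL: (proto, port) denied

def observe(host, rule):
    """Collect the host attributes a rule's conditions are compared against."""
    c = rule.conditions
    if rule.kind == "process":
        return {"name": c["name"], "running": c["name"] in host["process"]}
    if rule.kind == "service":
        return {"name": c["name"], "state": host["service"].get(c["name"], "Not Installed")}
    if rule.kind == "registry":
        return {"key": c["key"], "value": host["registry"].get(c["key"])}
    if rule.kind == "port":
        return {"port": c["port"], "state": host["port"].get(c["port"], "closed")}
    if rule.kind == "cert_template":
        return {"template": c["template"], "present": c["template"] in host["cert_template"]}
    raise ValueError(f"unknown check type: {rule.kind}")

def rule_matches(host, rule):
    observed = observe(host, rule)
    return all(observed.get(k) == v for k, v in rule.conditions.items())

def policy_passes(host, policy):
    return any(rule_matches(host, r) for r in policy.rules)

def zone_passes(host, zone):
    return all(policy_passes(host, p) for p in zone.policies)

def assign_zone(host, zones):
    """Zones are listed from highest trust downward; membership is the first zone whose
    policies all pass. The last zone (Quarantine) carries no policies, so a client that
    fails everything still lands somewhere and can be restricted by that zone's ACL."""
    for zone in zones:
        if zone_passes(host, zone):
            return zone
    raise RuntimeError("no zone accepted the client; the lowest zone should have no policies")

def access_allowed(zone, proto, port):
    return (proto, port) not in zone.deny

# The anti-virus policy ORs alternative products the way a list of pre-configured
# checks would; the Skype policy mirrors the process check built in the slides.
AV_RUNNING = Policy("Anti-virus running", [
    Rule("service", {"name": "WinDefend", "state": "Running"}),
    Rule("service", {"name": "McShield", "state": "Running"}),
])
NO_SKYPE = Policy("Skype not running", [Rule("process", {"name": "Skype.exe", "running": False})])
DOMAIN_MEMBER = Policy("Domain member", [Rule("registry", {
    "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain", "value": "corp.example"})])
CORP_CERT = Policy("Corporate-issued machine", [
    Rule("cert_template", {"template": "CorpWorkstation", "present": True})])

ZONES = [
    Zone("Trusted", [CORP_CERT, DOMAIN_MEMBER, AV_RUNNING, NO_SKYPE]),
    Zone("Semi-Trusted", [DOMAIN_MEMBER, AV_RUNNING], deny=[("tcp", 3389)]),  # RDP denied here
    Zone("Untrusted", [AV_RUNNING], deny=[("tcp", 3389), ("tcp", 445)]),
    Zone("Quarantine", []),
]

def evaluate(host=HOST_STATE, zones=ZONES):
    """Return the assigned zone name and whether RDP (tcp/3389) is permitted there."""
    zone = assign_zone(host, zones)
    return zone.name, access_allowed(zone, "tcp", 3389)

if __name__ == "__main__":
    print(evaluate())  # Skype is running, so the host drops to Semi-Trusted and RDP is denied
```

Because the Quarantine Zone has no policies it always accepts, which is why it is the one Zone where an allow entry makes sense: everything else it needs is denied by position in the traversal rather than by an explicit grant.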
EPS Upgrade
Periodic synchronization with the Global EPS Upgrade server updates the factory-default list of policies with checks for new releases of firewalls, anti-virus products and similar software, and for Windows security patches and service packs.
Module 5 – Network Extension
Network Extension provides the parameters that govern end-user tunnel access through the PHAT client as well as QAT.
Dynamic IP Address – IP Pool
• Functions like DHCP
• Create multiple pools for assignment to groups
Create Dynamic IP Address Config
Set a name, IP range, netmask, primary and secondary DNS, DNS suffix and, if necessary, a WINS server, then select OK.
Private Network Lists
• Define the private network resources that user tunnels will access
• Set multiple subnets/hosts for use by Groups
Create Private Network Profile
Set Name, Private Network, Netmask, Gateway if necessary and Ports if desired.
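The following is an added example, not NeoAccel's code, that models the two Network Extension objects described in the preceding slides: a Dynamic IP Address pool that hands out tunnel addresses like DHCP, and a Private Network list that decides which subnets or hosts, and optionally which ports, a Group's tunnels may reach. The pool name, address ranges, DNS and WINS servers, Group name and private network entries are all constructed for illustration.

```python
"""Added example (not NeoAccel code): a DHCP-like IP pool and a private network list
bound to a Group. All names and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class IPPool:
    name: str
    first: str                 # IP Range start
    last: str                  # IP Range end
    netmask: str
    dns: Tuple[str, str]       # primary, secondary DNS
    dns_suffix: str
    wins: Optional[str] = None
    leases: Dict[str, str] = field(default_factory=dict)  # client id -> leased address

    def assign(self, client_id):
        """Hand out the lowest free address; a renewing client keeps its lease."""
        if client_id in self.leases:
            return self.leases[client_id]
        in_use = set(self.leases.values())
        addr, end = ipaddress.IPv4Address(self.first), ipaddress.IPv4Address(self.last)
        while addr <= end:
            if str(addr) not in in_use:
                self.leases[client_id] = str(addr)
                return str(addr)
            addr += 1
        raise RuntimeError(f"IP pool {self.name} exhausted")  # the failure a too-small pool produces

    def release(self, client_id):
        self.leases.pop(client_id, None)

    def client_config(self, client_id):
        """The parameters pushed to the tunnel client along with its address."""
        return {"address": self.assign(client_id), "netmask": self.netmask,
                "dns": list(self.dns), "dns_suffix": self.dns_suffix, "wins": self.wins}

@dataclass
class PrivateNetwork:
    name: str
    network: str               # a subnet ("10.10.0.0") or a single host ("10.20.5.25")
    netmask: str               # "255.255.255.0", or "255.255.255.255" for a host
    ports: Set[int] = field(default_factory=set)  # empty set = all ports
    gateway: Optional[str] = None

    def covers(self, dst_ip, dst_port):
        net = ipaddress.IPv4Network(f"{self.network}/{self.netmask}")
        return ipaddress.IPv4Address(dst_ip) in net and (not self.ports or dst_port in self.ports)

@dataclass
class Group:
    name: str
    pool: IPPool
    private_networks: List[PrivateNetwork]

    def reachable(self, dst_ip, dst_port):
        """Only destinations covered by a private network profile are sent into the tunnel."""
        return any(pn.covers(dst_ip, dst_port) for pn in self.private_networks)

# Constructed objects: a deliberately tiny pool so that exhaustion is visible.
FIELD_POOL = IPPool("field-pool", "10.200.1.10", "10.200.1.12", "255.255.255.0",
                    ("10.10.0.53", "10.10.0.54"), "corp.example", wins="10.10.0.60")
FIELD_GROUP = Group("Field Engineers", FIELD_POOL, [
    PrivateNetwork("Intranet servers", "10.10.0.0", "255.255.255.0"),
    PrivateNetwork("Mail server", "10.20.5.25", "255.255.255.255", ports={25, 443}),
])

if __name__ == "__main__":
    print(FIELD_GROUP.pool.client_config("laptop-01"))
    print(FIELD_GROUP.reachable("10.20.5.25", 22))  # host is listed, but port 22 is not permitted
```

Restricting a host entry to specific ports, as the Ports field allows, is the least-privilege option: the mail server above is reachable for SMTP and HTTPS only, so a compromised client cannot use the tunnel to probe it on other services.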
Client Configuration Lists
• Set client configuration options that apply to both PHAT and QAT
Add Client Configuration
The Client Configuration allows the administrator to define various parameters to be applied. These parameters are then applied at the Group level to control features such as Show Endpoint Security Details, idle timeouts, use of DHCP for IP assignment and other options.
Installation Package Configuration PHAT
• Create PHAT packages to be delivered to end users.
• Create multiple PHAT packages and assign based on Group membership
Add Installation Package
Set various client options for use with the PHAT client.
Module 6 - Portal
The Portal selection allows the administrator to customize the web-based links presented to users upon successful login. The Layout and Colors selections allow branding of the web-based portal to your company's needs, including logo and colors.
Module 6 - Portal
List of Resources that are made available to Groups.
Module 6 - Portal
Create Web Application, which provides a quick link for users to access internal or external websites.
Module 6 - Portal
Configures Thin Applications such as Telnet, RDP, VNC and SSH, which allow Groups to use the integrated Java-based applets.
Module 6 - Portal
Defines web-based File Access to CIFS file servers or shared directories.
Module 6 - Portal
Allows the administrator to change the Login and Portal page logos, titles and the PHAT client banner.
Module 6 - Portal
Modifies the web portal color scheme to meet your needs.
Module 7 - Firewall
Add Filter Rule
Add Port Mapping
Module 8 - Tools
Ping
ARP
System Date/Time
Allows the administrator to set the date and time or synchronize with an external NTP server.
Miscellaneous
Allows the import and export of the current configuration and other options. Pay special attention to the Client Upgrade URL: clients fetch their upgrade packages from it, so it must point only to a trusted host under your control.
Reboot / Shutdown
Allows the administrator to reboot the Gateway or gracefully shut it down.
Module 9 - Logs
Logs - User Settings
Enable logging for the appliance; logs can either be stored locally on the appliance or sent periodically to an external syslog server.
Logs - User Settings
Logs can be viewed on the system by selecting View Logs. The logs are refreshed every 10 seconds.
Logs - Reporting
Generate log reports for a specific period of time and apply filters to pinpoint specific logs. These reports can be viewed in the NMC, exported in CSV format for use in an Excel sheet, or printed.
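The following is an added example, not NeoAccel's code, of the filtering a log report performs: a time window plus field filters over appliance log lines, exported as CSV, with one pin-point report (failed logins per user) of the kind an administrator would run against a gateway. The line format and every sample line are constructed; a real appliance's format will differ, and the parser is the only part that would need to change.

```python
"""Added example (not NeoAccel code): time-window and field filters over log lines,
CSV export, and a failed-login report. Log format and sample lines are constructed."""
import csv
import io
from datetime import datetime
from typing import Dict, List

# Constructed sample lines: a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2009-03-12 08:59:41 user=jsmith src=203.0.113.7 event=login result=success zone=Trusted
2009-03-12 09:02:10 user=jsmith src=203.0.113.7 event=access resource=intranet result=allow
2009-03-12 09:15:02 user=admin src=198.51.100.9 event=login result=failure reason=bad-password
2009-03-12 09:15:09 user=admin src=198.51.100.9 event=login result=failure reason=bad-password
2009-03-12 09:15:15 user=admin src=198.51.100.9 event=login result=failure reason=bad-password
2009-03-12 09:40:30 user=mlee src=203.0.113.22 event=login result=success zone=Semi-Trusted
2009-03-12 09:41:02 user=mlee src=203.0.113.22 event=access resource=rdp result=deny zone=Semi-Trusted
2009-03-12 10:05:00 user=admin src=198.51.100.9 event=login result=failure reason=bad-password
"""

def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each line into a record; the first two tokens are the timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        rec = {"time": f"{date} {time}"}
        for f in fields:
            k, _, v = f.partition("=")
            rec[k] = v
        records.append(rec)
    return records

def report(records, start: str, end: str, **filters):
    """Records within [start, end] whose fields equal every given filter value."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    out = []
    for rec in records:
        ts = datetime.fromisoformat(rec["time"])
        if lo <= ts <= hi and all(rec.get(k) == v for k, v in filters.items()):
            out.append(rec)
    return out

def to_csv(records) -> str:
    """Export with a stable column order so the file opens cleanly in a spreadsheet."""
    columns = []
    for rec in records:
        for k in rec:
            if k not in columns:
                columns.append(k)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

def failed_logins_by_user(records, start, end):
    """Failed logins per user in the window: the first thing to check for password
    guessing against the gateway's login page."""
    counts = {}
    for rec in report(records, start, end, event="login", result="failure"):
        counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(failed_logins_by_user(recs, "2009-03-12 09:00:00", "2009-03-12 09:30:00"))
    print(to_csv(report(recs, "2009-03-12 09:00:00", "2009-03-12 10:00:00", zone="Semi-Trusted")))
```

Forwarding the same lines to an external syslog server, as the User Settings slide allows, matters for exactly this kind of report: an attacker who gains control of the gateway can clear its local logs, but not copies already shipped elsewhere.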
Logs - Statistics
View, save or print statistics on a daily or weekly basis. Administrators can use the statistics for statistical analysis of appliance usage.
Thank You.