Introduction to JMU’s SSL VPN
Transcript of a PowerPoint presentation by Mike Bayne, 15 September 2011, originally published at http://www.jmu.edu/computing/security/sslvpn-intro.pptx. Thumbnails of the slides are linked before each slide's text.
![Page 1: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/1.jpg)
Introduction to JMU’s SSL VPN
Mike Bayne, 15 September 2011
http://www.jmu.edu/computing/security/sslvpn-intro.pptx
![Page 2: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/2.jpg)
What is a VPN?
Virtual Private Network
Provides an encrypted tunnel between a client computer and a remote network
Remote termination proxies the connection to other resources
All or some traffic routed to the remote network
![Page 3: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/3.jpg)
VPN Operation
(diagram; labels: JMU Border, VPN terminal)
![Page 4: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/4.jpg)
Why use the VPN?
Gain remote access to applications and data deemed too sensitive to expose directly to the Internet
  ◦ Student Administration system
Gain remote access to resources licensed to JMU by IP address
  ◦ Microsoft site license
  ◦ Online library resources
![Page 5: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/5.jpg)
Old VPN: Cisco VPN
Required a client
  ◦ No support for new OSes
  ◦ No support for mobile devices
Tunneled all traffic over UDP
  ◦ All traffic had to go through JMU, even if not destined for JMU
Access required configuration on firewalls
Rapidly approaching end-of-life
![Page 6: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/6.jpg)
New Hotness: Juniper SA6500
http://www.juniper.net/us/en/products-services/security/sa-series/sa6500/
![Page 7: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/7.jpg)
Juniper SA6500 SSL VPN
Support for newer OSes
Support for mobile devices
Uses web browser for basic access
Java clients for advanced access
LDAP or Active Directory authentication
Access granted based upon roles
![Page 8: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/8.jpg)
Qualified Platforms (platform and OS; browsers and Java environment)
Windows
  ◦ Windows XP Professional SP3, 32 bit: Internet Explorer 7.0, 8.0; Firefox 3.6, 4.0; Sun JRE 6
  ◦ Vista Enterprise SP2, 32 & 64 bit: Internet Explorer 7.0, 8.0, 9.0; Firefox 3.6, 4.0; Sun JRE 6
  ◦ Windows 7 Enterprise SP1, 32 & 64 bit: Internet Explorer 8.0, 9.0; Firefox 3.6, 4.0; Sun JRE 6
Mac
  ◦ Mac OS X 10.6.4, 32 and 64 bit: Safari 5.0, 5.1; Sun JRE 6
  ◦ Mac OS X 10.5.8, 32 and 64 bit: Safari 4.0; Sun JRE 6
Linux
  ◦ OpenSuse 11.3, 32 bit only: Firefox 3.6, 4.0; Sun JRE 6
  ◦ Ubuntu 10.04 LTS, 32 bit only: Firefox 3.6, 4.0; Sun JRE 6
![Page 9: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/9.jpg)
Compatible Platforms (platform and operating system; browsers and Java)
Windows
  ◦ Windows Vista with Service Pack 1 or 2, 32 bit or 64 bit
  ◦ Windows 7, 32 bit or 64 bit
  ◦ XP Professional SP2 or SP3, 32 bit or 64 bit
  ◦ XP Home Edition SP3
  Browsers and Java: Internet Explorer 9.0, 8.0, 7.0; Firefox 3.0 and above; Sun JRE 6 and above
Mac
  ◦ Mac OS X 10.6.x, 32 bit and 64 bit
  ◦ Mac OS X 10.5.x, 32 bit and 64 bit
  ◦ Mac OS X 10.4.x, 32 bit
  Browsers and Java: Safari 3.0 and above; Sun JRE 6 and above
Linux
  ◦ OpenSuse 10.x and 11.x, 32 bit only
  ◦ Ubuntu 9.10 and 10.x, 32 bit only
  ◦ Red Hat Enterprise Linux 5, 32 bit only
  Browsers and Java: Firefox 3.0 and above; Sun JRE 6 and above
Solaris
  ◦ Solaris 10, 32 bit only
  Browsers: Mozilla 2.0 and above
![Page 10: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/10.jpg)
Compatible Mobile Devices (Web & File Browsing)
iPhone OS 3.0 and above with default Safari
Android 2.0 and above
Symbian OS 8.1 and above
Windows Mobile 6.0 Standard, Classic and Professional: Pocket IE 6.0
Windows Mobile 6.1 Standard, Classic and Professional: Pocket IE 6.0
Windows Mobile 6.5 Standard, Classic and Professional: Internet Explorer Mobile 6.0
Windows Mobile 5.0 based Pocket PC devices: Pocket IE 4.0
NTT I-mode phone
AU/KDDI phone: Openwave Mobile Browser
Vodafone phone: Openwave Mobile Browser
![Page 11: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/11.jpg)
SSL VPN Connection Methods
Web Connect
WSAM/JSAM
Network Connect
Junos Pulse (mobile clients)
![Page 12: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/12.jpg)
Web Connect
Default connection
Provides access to:
  ◦ Web resources
  ◦ File access
  ◦ Remote desktop
  ◦ SSH access
Solution for most connections at JMU
![Page 13: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/13.jpg)
Web Connect
![Page 14: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/14.jpg)
Pre-populated Bookmarks
![Page 15: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/15.jpg)
User-added Bookmarks
![Page 16: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/16.jpg)
URL Entry
![Page 17: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/17.jpg)
File Shares
![Page 18: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/18.jpg)
Remote Access: RDP and SSH
![Page 19: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/19.jpg)
Windows Secure Application Manager (WSAM)
Windows only
Java program or ActiveX control
Inserts a shim into the network stack
Network access to preconfigured resources is directed through the VPN
Resources MUST be preconfigured on the VPN
![Page 20: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/20.jpg)
WSAM
![Page 21: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/21.jpg)
WSAM
![Page 22: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/22.jpg)
WSAM
![Page 23: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/23.jpg)
Java Secure Application Manager (JSAM)
Java based proxy
Maps a local port to a remote destination through the SSL VPN
  ◦ Example: hrweb.jmu.edu:443 is mapped to local port 8000
  ◦ Connections to https://127.0.0.1:8000 are forwarded to hrweb.jmu.edu:443
Either WSAM or JSAM per role, not both
Not currently used at JMU
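The JSAM mapping on this slide, worked as an added Python example (it is not code from the slides or from Juniper): a local TCP port forwarder that listens on loopback only and relays each connection to a preconfigured destination. The mapping table (local port 8000 to hrweb.jmu.edu:443) follows the slide; `_fake_remote` and `demo` are constructed stand-ins for the remote side so the example runs offline, and the real JSAM carries the remote leg inside the SSL session to the VPN appliance, which this plain relay does not do.

```python
import socket
import threading

# Constructed mapping table following the slide's example: local port -> (remote host, remote port).
# Only listed ports are forwarded; the VPN side likewise requires resources to be preconfigured.
PORT_MAP = {8000: ("hrweb.jmu.edu", 443)}


def resolve(local_port, port_map=PORT_MAP):
    """Return the (host, port) a local port is mapped to, or None if it is not preconfigured."""
    return port_map.get(local_port)


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, remote):
    """Open the remote leg for one accepted client and relay both directions until both close."""
    try:
        upstream = socket.create_connection(remote, timeout=5)
    except OSError:
        client.close()  # remote unreachable: drop the client instead of leaving it hanging
        return
    upstream.settimeout(None)
    client.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(local_port, remote):
    """Listen on 127.0.0.1:local_port (0 = any free port) and relay every connection to remote.
    Returns (bound_port, stop_event); set the event to stop accepting new connections."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))  # loopback only: never expose the mapped port on the LAN
    listener.listen(16)
    listener.settimeout(0.2)  # wake up periodically to check the stop flag
    bound_port = listener.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                client, _ = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=_relay, args=(client, remote), daemon=True).start()
        listener.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return bound_port, stop


def _fake_remote():
    """Constructed stand-in for the remote service: accept one connection, echo its data, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(payload=b"GET / HTTP/1.0\r\nHost: hrweb.jmu.edu\r\n\r\n"):
    """Push payload through the forwarder to the fake remote and return what came back."""
    remote_port = _fake_remote()
    local_port, stop = start_forwarder(0, ("127.0.0.1", remote_port))
    try:
        with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)  # done sending; now wait for the echo and EOF
            received = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                received += chunk
    finally:
        stop.set()
    return received
```

Two things the slide's example implies but does not spell out. The listener must bind 127.0.0.1, not 0.0.0.0, or the mapped port becomes an unauthenticated hop into the remote resource for anyone on the same LAN. And because the browser connects to https://127.0.0.1:8000, the certificate it receives is the one hrweb.jmu.edu presents, so hostname verification fails unless the client also makes hrweb.jmu.edu resolve to loopback; a forwarder that only relays bytes cannot fix that by itself.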
![Page 24: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/24.jpg)
JSAM
![Page 25: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/25.jpg)
JSAM
![Page 26: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/26.jpg)
JSAM
![Page 27: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/27.jpg)
Network Connect
Most impact on JMU and client system
Java application
Behavior similar to existing Cisco VPN: all traffic is routed through the VPN to JMU’s network
![Page 28: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/28.jpg)
Network Connect
![Page 29: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/29.jpg)
Network Connect
![Page 30: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/30.jpg)
Network Connect
![Page 31: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/31.jpg)
Network Connect
![Page 32: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/32.jpg)
Junos Pulse
Network Connect for mobile devices
All traffic tunneled through the VPN
Untested
![Page 33: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/33.jpg)
Junos Pulse
![Page 34: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/34.jpg)
Junos Pulse
![Page 35: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/35.jpg)
Invoking the Demo Gremlins
![Page 36: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/36.jpg)
Behind the Scenes: Realms, Roles, and Resources
![Page 37: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/37.jpg)
Resources
Network resources that users are allowed or denied access to
Identified by host and port, subnet, URI, etc.
Can be specific enough to allow access to parts of a website while denying access to others
![Page 38: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/38.jpg)
Roles
Group of people that share similar access
Role membership can be identified by LDAP group membership or attribute
Role membership can be enumerated within the SSL VPN
  ◦ Most roles are enumerated
  ◦ Want to move to LDAP/AD as identity management matures
Users are often assigned multiple roles
![Page 39: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/39.jpg)
Realms
Logical container holding an authentication source and login pages
May be accessed either by a new domain name or by a new URL
  ◦ https://student.sslvpn.jmu.edu
  ◦ https://sslvpn.jmu.edu/student
![Page 40: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/40.jpg)
How They Fit Together
Roles are added to a realm
  ◦ Roles may belong to more than one realm
Resources are added to roles
  ◦ Both permit and deny resources are added
  ◦ Default deny of access to any unmentioned resource
  ◦ Users accumulate resources from each role they’re assigned to
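The resource and role model of the last two slides, worked as an added Python example (not the slides' or Juniper's code): a small policy evaluator with constructed roles and rules, where a resource is identified by host:port, IPv4 subnet or URI as the Resources slide lists, permit and deny rules coexist, a user accumulates every assigned role's rules, and anything unmatched is denied. The ordering rule (rules checked in order, first match decides), the order in which roles are concatenated, and every hostname and subnet are assumptions.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed role definitions (not JMU's real policy). Each rule is (action, kind, pattern):
#   "host"   -> "hostname:port"              exact host, exact port ("*" = any port)
#   "subnet" -> "a.b.c.d/len[:port]"         IPv4 CIDR with optional port
#   "uri"    -> "scheme://host[:port]/path"  prefix when the path ends in "/", exact match otherwise
# Assumed semantics: rules are checked in order and the first match decides; nothing matched is denied.
ROLES = {
    "student": [
        ("deny",   "uri",  "https://hrweb.jmu.edu/admin/"),
        ("permit", "uri",  "https://hrweb.jmu.edu/"),
        ("permit", "host", "library.jmu.edu:443"),
    ],
    "staff": [
        ("permit", "subnet", "10.10.0.0/16:22"),
        ("permit", "host",   "rdp.jmu.edu:3389"),
    ],
}


def _normalize_url(url):
    """Split a URL into (scheme, host, port, path) with the path canonicalised.
    Collapsing "." and ".." is what stops /public/../admin/ from slipping past a deny on /admin/."""
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path or "/")
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops the trailing slash; keep it, it marks a directory prefix
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return parts.scheme.lower(), (parts.hostname or "").lower(), port, path


def _match_uri(pattern, url):
    ps, ph, pp, ppath = _normalize_url(pattern)
    ts, th, tp, tpath = _normalize_url(url)
    if (ps, ph, pp) != (ts, th, tp):
        return False
    if ppath.endswith("/"):  # directory prefix: /admin/ covers /admin and /admin/anything, not /administrator
        return tpath == ppath.rstrip("/") or tpath.startswith(ppath)
    return tpath == ppath


def _match_host(pattern, host, port):
    p_host, _, p_port = pattern.rpartition(":")
    return p_host.lower() == host.lower() and (p_port == "*" or int(p_port) == port)


def _match_subnet(pattern, host, port):
    net, _, p_port = pattern.partition(":")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved here; only literal IPs are checked against subnets
    in_net = addr in ipaddress.ip_network(net, strict=False)
    return in_net and (p_port in ("", "*") or int(p_port) == port)


def decide(user_roles, kind, target, roles=ROLES):
    """Return "permit" or "deny" for one request.
    kind "uri": target is a URL string; kind "net": target is (host, port).
    The user's rule list is the concatenation of every assigned role's rules (assumption)."""
    rules = [rule for role in user_roles for rule in roles.get(role, [])]
    for action, rkind, pattern in rules:
        if kind == "uri" and rkind == "uri" and _match_uri(pattern, target):
            return action
        if kind == "net" and rkind == "host" and _match_host(pattern, *target):
            return action
        if kind == "net" and rkind == "subnet" and _match_subnet(pattern, *target):
            return action
    return "deny"  # default deny of any resource not mentioned in the user's roles
```

Order matters: the student role lists its deny before the broad permit on the same host, so swapping the two would silently open /admin/. The matcher does not percent-decode the path, so a production version must unquote before normalising, and it deliberately refuses to resolve hostnames against subnet rules, since a DNS answer the requester controls would otherwise decide the policy.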
![Page 41: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/41.jpg)
Challenges Ahead
Moving from enumerated roles to groups/attributes in a directory
Identifying resources that don’t work with Web Connect and developing workarounds
  ◦ Internal JMU applications
  ◦ Externally licensed resources (750+ through the library alone)
![Page 42: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/42.jpg)
Unused Features
Endpoint Security
  ◦ Malware protection
  ◦ Antivirus version monitoring
  ◦ Patch management monitoring
Cache Cleaner
Two-factor authentication
  ◦ One-time passwords
  ◦ Certificates
Single Sign-on
Restrictions on access from certain subnets
Restrictions on browsers
![Page 43: Introduction to JMU’s SSL VPN](https://reader035.vdocuments.mx/reader035/viewer/2022081502/5681682f550346895dddd460/html5/thumbnails/43.jpg)
Questions?