SSL VPN Technical Primer QUICKGUIDE
4500 Great America Parkway, Santa Clara, CA 95054 USA; 1-888-NETGEAR (638-4327); www.NETGEAR.com
Today, small- and mid-sized businesses have an increasingly mobile workforce. Faster broadband service, expanded wireless access, and a proliferation of Internet-enabled devices have boosted the productivity of these remote employees. More and more business owners and employees demand the flexibility to access their data when they are not physically at work. To meet this demand, a growing number of small- and mid-sized businesses provide remote access to employees and managers. However, for the SMB market, many remote access solutions are cost-prohibitive and too complicated to set up. In addition, limited resources and budgets make it difficult for many small- and mid-sized businesses to:
• Provide secure remote access to multiple users.
• Enable employees to access information from remote laptops, PCs, kiosks, or PDAs.
• Provide an easy way to deliver and manage remote access for mobile employees.
• Deploy a remote access solution that is cost-effective and easy to troubleshoot, maintain, and support.
SSL VPN—The Right Sized Solution for SMB
Due to their flexibility, security, and ease of deployment, SSL VPNs are quickly becoming the preferred solution for the remote access needs of small- and mid-sized businesses. SSL VPNs are built on SSL (Secure Sockets Layer), a protocol originally developed by Netscape Communications in the mid-1990s. As the standard for secure electronic commerce (e-commerce) transactions on the Internet, SSL has undergone years of public scrutiny. Supported by all standard browsers, including Microsoft Internet Explorer, Apple Safari, and Mozilla Firefox, SSL securely transfers information between a web browser and a web server such as an e-commerce site. SSL is often represented by the padlock icon in the bottom right corner of the browser window when the browser is connected to a secure website (see Diagram 1). A secure website is identified by an https address, where the "s" in "https" refers to SSL. The padlock means only that the connection is encrypted and that the server presented a certificate the browser trusts; a user should still confirm that the name on the certificate matches the site or gateway being visited.
Diagram 1
SSL VPNs combine the security and confidentiality provided by SSL and the mobility of a Virtual Private Network. Together, they enable remote users to connect to their office networks using standard web browsers.
Better from the Ground Up
SSL VPNs are typically compared to IPSEC VPNs, but there are significant differences between the two access methods. IPSEC VPNs were designed to provide site-to-site (branch-to-branch) access. By comparison, SSL VPNs were designed to give a mobile user remote access to a corporate resource. When compared to IPSEC VPNs, SSL VPNs offer:
• Platform independence: Because they connect to the network through a web browser, SSL VPNs enable access from anywhere, independent of the platform used.
• Browser-based access: Unlike IPSEC VPNs, which require an installed client to provide remote access, SSL VPNs provide clientless remote access to corporate resources. (This holds for web-proxied resources; the full-tunnel mode described later in this guide still downloads a small browser control on first use.)
• Granular access controls: SSL VPNs provide granular, per-application access to corporate resources, while IPSEC VPNs only provide network-level access.
• Seamless integration: SSL VPNs integrate with the existing firewall infrastructure. Because the protocol is carried over a single TCP port (443, the same port as HTTPS), it does not interfere with basic firewall functions operating at the IP layer.
The table below summarizes the key differences between IPSEC VPNs and SSL VPNs and explains when each solution is most appropriate.
Description: IPSEC VPN versus SSL VPN

Security and OSI Model
  IPSEC VPN:
  • Suite of protocols provides security at the network or IP layer
  • Predicated on a trusted relationship between networks or between users and the network
  • Defines how to provide tunneling, encryption, and authentication
  • Allows organizations to select and specify the security policy appropriate for their network
  • Uses tunneling and encryption to provide secure data transfer between one private network and another or between a private network and a user
  SSL VPN:
  • Operates at the application layer
  • Provides finely grained access control to the application and associated resources
  • Uses any standard Internet browser
  • Entire connection is encrypted using
  • Uses proxies, tunneling, encryption, and access control to provide secure remote access between users and a private network
  • Does not provide access between one private network and another

Client
  IPSEC VPN: Client required
  SSL VPN: Clientless access to corporate resources from any standard browser

Connection
  IPSEC VPN: Better suited to a network-based connection model
  SSL VPN: Better suited to application-based remote access

Firewalls and Network Address Translation (NAT)
  IPSEC VPN: Poor integration with existing firewalls that use network address translation (AH cannot pass through NAT at all, and ESP needs NAT traversal, that is, UDP encapsulation, to do so)
  SSL VPN: Operates at the application layer over a single TCP port for seamless integration with existing firewall infrastructure

Granular Access
  IPSEC VPN: Limited. Only operates at the network layer (Layer 3)
  SSL VPN: High-level granular access control for applications. Operates at the application layer of the OSI model

Return on Investment
  IPSEC VPN: Lower. The additional cost of the client increases total cost of ownership
  SSL VPN: Higher. No client to deploy and manage, reducing costs for administration and support

Remote Access Support
  IPSEC VPN: Best suited for site-to-site access, such as between branch offices
  SSL VPN: Best suited for user-to-site remote access

Platform-Independent Access
  IPSEC VPN: Requires an installed client on the device to connect to the corporate network. Limits access to company laptops and PCs; no access from PDAs, kiosks, and non-company laptops and PCs
  SSL VPN: Provides access from a wide variety of devices. Can access applications from any location or device with Internet access, including PDAs, kiosks, and non-company laptops and PCs

Encryption Protocol Support
  IPSEC VPN: Tunneling: Authentication Header (AH) and Encapsulating Security Payload (ESP). Encryption: DES, 3DES, 128/192/256-bit AES
  SSL VPN: Encryption: DES, 3DES, 256-bit AES. Authentication: local user database, Microsoft Active Directory, LDAP, NT Domain, and RADIUS

Method of Access
NETGEAR—A Leader in SSL VPN Solutions
As the leader in the SMB market, NETGEAR is an ideal vendor for SSL VPN solutions. The NETGEAR ProSafe SSL VPN Concentrator SSL312 provides small- and mid-sized organizations with an easy, secure, and cost-effective remote access solution for up to 100 employees. Using the Secure Sockets Layer (SSL) protocol supported natively by all standard web browsers, the SSL312 integrates with your existing firewall infrastructure to offer industry-standard access and security. The intuitive web interface, customizable portal, and plug-and-play installation make the SSL312 easy and cost-effective to deploy. The SSL312 supports up to 25 simultaneous user sessions. Remote employees can log in safely and securely from network environments and remote computers that are not controlled or managed by your corporate IT department. The SSL312's advanced features include:
• Security: The SSL312 uses Secure Sockets Layer version 3.0 and TLS 1.0 to protect the connection. Its cipher suites use DES, 3DES, or AES-256 for confidentiality and MD5 or SHA-1 message authentication codes for integrity. (SSL 3.0, single DES, and MD5 are no longer considered secure; a current deployment should disable them and negotiate TLS with AES.) The SSL312 can also clear the browser cache after a remote user logs out to protect the data and privacy of the user.
• Customizable Portals: Administrators can configure and customize user portals to enforce role-based access and ease the end-user experience when connected to the corporate network. Granular policy configuration tools give administrators complete control over individual user access to specific network resources.
• Cost-Effective: The SSL312's support for web-based access eliminates the high cost of installing, configuring, and maintaining client software on each PC. Studies have shown that an SSL-based solution can save businesses $100 to $300 per user per year in client costs.
• Easy to Manage: SSL is available wherever there is a standard web browser, including kiosks and retail business centers, so users do not need a company laptop to access company resources. Administrators have full remote control of employees' desktops without installing client software.
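The Security bullet above lists the protocol versions and algorithms the concentrator can negotiate, but what a gateway actually offers is only visible in the ServerHello it sends back. The following is an added example, not code from the primer or from NETGEAR: a small parser for the TLS/SSL 3.0 ServerHello record, with an assessment routine that flags the combinations a practitioner would reject today (SSL 3.0, TLS 1.0/1.1, single DES, RC4, 3DES, MD5, static RSA key exchange, TLS compression). The sample record is constructed here, not captured from an SSL312; cipher suite codes are from the IANA TLS Cipher Suite registry.

```python
import struct

# Protocol versions as they appear on the wire.
VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}

# Cipher suite codes (IANA registry) covering the algorithms the primer names
# (DES, 3DES, AES-256, MD5, SHA-1) plus one modern suite for contrast.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one handshake record carrying a ServerHello (record layout per
    RFC 5246 section 6.2, ServerHello per 7.4.1.3; SSL 3.0 uses the same layout)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("record does not carry a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                      # server_version, then 32 bytes of random
    pos += 1 + hello[pos]             # skip session_id (length-prefixed)
    if pos + 3 > len(hello):
        raise ValueError("truncated ServerHello")
    (suite,) = struct.unpack("!H", hello[pos:pos + 2])
    return {
        "version_code": version,
        "version": VERSIONS.get(version, f"unknown (0x{version:04x})"),
        "cipher_suite": CIPHER_SUITES.get(suite, f"unknown (0x{suite:04x})"),
        "compression": hello[pos + 2],
    }


def assess(hello: dict) -> list:
    """Return the findings a reviewer would raise about the negotiated session."""
    findings = []
    if hello["version_code"] < 0x0303:
        findings.append(f"{hello['version']} negotiated: SSL 3.0 (RFC 7568) and "
                        "TLS 1.0/1.1 (RFC 8996) are deprecated")
    suite = hello["cipher_suite"]
    if "_DES_" in suite or "RC4" in suite:
        findings.append(f"{suite}: single DES or RC4 is broken")
    if "3DES" in suite:
        findings.append(f"{suite}: 64-bit block cipher (Sweet32)")
    if suite.endswith("_MD5"):
        findings.append(f"{suite}: MD5-based MAC")
    if "DHE" not in suite and not suite.startswith("unknown"):
        findings.append(f"{suite}: static RSA key exchange, no forward secrecy")
    if hello["compression"] != 0:
        findings.append("TLS compression enabled (CRIME)")
    return findings


def build_server_hello(version: int, suite: int, compression: int = 0) -> bytes:
    """Construct a minimal ServerHello record (no extensions, zeroed random,
    empty session id). Test data only, not a capture."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", suite) + bytes([compression]))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return (b"\x16" + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed sample: what a gateway limited to SSL 3.0 and DES would answer.
SAMPLE_SSL3_DES_HELLO = bytes.fromhex(
    "16 0300 002a"     # record header: handshake, SSL 3.0, length 42
    "02 000026"        # ServerHello, length 38
    "0300"             # server_version: SSL 3.0
    + "00" * 32 +      # server random (zeroed in this constructed sample)
    "00"               # session_id length 0
    "0009"             # cipher_suite: TLS_RSA_WITH_DES_CBC_SHA
    "00"               # compression_method: null
)

if __name__ == "__main__":
    for label, rec in (("legacy", SAMPLE_SSL3_DES_HELLO),
                       ("modern", build_server_hello(0x0303, 0xC030))):
        info = parse_server_hello(rec)
        print(label, info["version"], info["cipher_suite"], assess(info) or "no findings")
```

To apply this to a live gateway, send a ClientHello that offers only the suites and versions you want to test and feed the first record that comes back to parse_server_hello; a server that accepts SSL 3.0 with DES will say so in its ServerHello, regardless of what the datasheet lists.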
Deployment Scenario The SSL312 can be deployed on a network in a number of ways. The most popular approach is to install the SSL312 on the network behind a firewall, as shown in the diagram 2.
[Diagram 2: remote users at a partner site, on a PDA, at a kiosk or on a laptop, at a coffee shop or hotspot, and at home connect across the Internet, through the broadband modem and the ProSafe VPN Firewall (which has full access to the corporate network), to the ProSafe SSL VPN Concentrator SSL312, which allows each user only restricted, policy-based access to the internal Email, Web, Database, and File servers.]

A firewall is highly recommended for small and mid-sized companies. The SSL312 is not a firewall and traditionally sits behind one. The SSL312 is responsible for terminating all SSL VPN connections: it verifies user credentials when remote users log in with their user name and password, and it grants access to corporate resources according to each user's policy. When the SSL312 is deployed behind a firewall, the firewall must be configured to forward inbound SSL connections (HTTPS, TCP port 443) to the SSL VPN concentrator. Because the concentrator sits on the internal network, its per-user access policies are what limit an authenticated remote user to the intended resources; they should be configured deliberately rather than left at defaults. Diagram 3 shows the administration interface for the SSL312.
To fully configure the NETGEAR ProSafe SSL VPN Concentrator SSL312, please refer to the Installation and User Guide available at http://www.netgear.com.
Diagram 3
After the successful installation of the SSL312, remote users can access corporate resources by entering the IP address or DNS name of the SSL VPN Concentrator in the address bar of a supported browser. The SSL312 supports Microsoft Internet Explorer and Apple Safari as client browsers for access. Once a remote user successfully logs into the SSL312, he or she will see the screen shown in Diagram 4.
Diagram 4
With the SSL312, administrators have the flexibility to provide multiple remote access options to their remote users. These access options include:
• VPN Tunnel: Using a small (<64K) ActiveX control downloaded during the first connection to the SSL VPN Concentrator, a VPN tunnel provides full IPSEC-like connectivity. The ActiveX control creates a PPP adapter upon installation to deliver full IPSEC-like connectivity to corporate resources.
• Port Forwarding: Port forwarding provides access to mission-critical applications, such as email and mapped network drives, as if they were located on the corporate network. However, port forwarding differs from a VPN tunnel in several ways:
  o Port forwarding only supports TCP data, not UDP or other IP protocols.
  o Port forwarding detects and reroutes individual data streams over the port forwarding connection instead of through a full tunnel to the corporate network. As a result, port forwarding uses a lighter client than the VPN tunnel and installs more quickly.
  o Port forwarding offers more fine-grained management than the VPN tunnel. Administrators define the individual applications and resources available to remote users. With the VPN tunnel, administrators must instead create access policies that block undesirable traffic at the SSL VPN gateway rather than at the client.
  o Port forwarding does not require administrative privileges on the client PC, whereas installing the VPN Tunnel ActiveX control does.
• Utilities: The SSL312 supports ssh, telnet, and ftp utilities so that administrators and power users can manage servers and desktops on the network when working remotely. Note that SSL protects telnet and ftp only between the browser and the concentrator; on the internal network they remain cleartext, so prefer ssh where the target supports it.
• Remote Access: Remote access provides a remote desktop, a desktop application, or a home directory on a central server using either Microsoft Terminal Services or VNC. Both Microsoft Terminal Services and VNC can launch individual applications running on a remote desktop or server.
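The port forwarding bullets above describe a client that accepts individual TCP streams locally and relays each one to a single permitted internal resource, with the administrator's resource list deciding what may be reached. The following is an added example, not the SSL312's client or any NETGEAR code: a minimal loopback port forwarder in Python that enforces a hypothetical per-user allow-list of (host, port) resources before opening a listener and then relays each accepted connection as exactly one TCP stream. It deliberately carries only TCP, matching the first bullet. The internal service is a constructed echo server, and the relay runs over plain loopback sockets rather than inside a TLS session to the gateway, so it runs offline.

```python
import socket
import threading


def open_forward(policy: set, target: tuple) -> int:
    """Start a loopback listener whose connections are relayed to `target`
    and return its local port. `policy` is the hypothetical per-user
    allow-list of (host, port) resources; a target outside it is refused
    before any socket is opened, which is the per-resource control that
    distinguishes port forwarding from a full tunnel."""
    if target not in policy:
        raise PermissionError(f"{target[0]}:{target[1]} is not an allowed resource")
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
    listener.listen(5)
    threading.Thread(target=_accept_loop, args=(listener, target), daemon=True).start()
    return listener.getsockname()[1]


def _accept_loop(listener, target):
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return
        threading.Thread(target=_relay, args=(client, target), daemon=True).start()


def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """One accepted connection becomes exactly one TCP stream to the resource."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_echo_server() -> int:
    """Constructed stand-in for an internal TCP service: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def send_through(local_port: int, payload: bytes) -> bytes:
    """Act as the user's application: send to the local listener, read the reply."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
        return b"".join(chunks)


if __name__ == "__main__":
    echo_port = start_echo_server()
    policy = {("127.0.0.1", echo_port)}            # the only resource this user may reach
    local = open_forward(policy, ("127.0.0.1", echo_port))
    print(send_through(local, b"hello through the forwarder"))
    try:
        open_forward(policy, ("127.0.0.1", 3389))  # RDP is not in the policy
    except PermissionError as err:
        print("refused:", err)
```

The policy check happens on the client side when the listener is created, which is exactly the weakness the third bullet alludes to: a real gateway must enforce the same resource list again at the concentrator, because a user who controls the client machine controls this code.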
Conclusions
With its ease of use, simple installation, cost-effective maintenance, and secure access, the NETGEAR SSL312 is an excellent solution for small- to medium-sized businesses. It provides all the access most remote users need without the burdensome overhead and expense of enterprise-focused IPSEC VPN solutions. And with NETGEAR's SMB market expertise, the SSL VPN ensures this growing technology remains a perfect fit for growing companies.
© 2006 NETGEAR, Inc. NETGEAR, the NETGEAR logo, Connect with Innovation, Everybody's connecting, the Gear Guy, IntelliFi, ProSafe, RangeMax, and Smart Wizard are trademarks or registered trademarks of NETGEAR, Inc., in the United States and/or other countries. Microsoft and Windows are trademarks of Microsoft Corporation in the United States and/or other countries. Intel, the Intel logo, Intel Viiv, and the Intel Viiv logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States or other countries. Other brand and product names are trademarks or registered trademarks of their respective holders. Information is subject to change without notice. All rights reserved.