Chapter 18. Secure Sockets Layer VPN (SSL VPN)

The ubiquitous Internet fuels network access reachability and availability to users whenever and wherever needed. Today's VPN solutions offer state-of-the-art secure technologies that extend the reach of networks to anyone, any place, anytime.

Remote Access VPN technology is the logical solution for remote connectivity, providing secure communications with access rights tailored to individual users.

SSL-based Remote Access VPN technology provides remote access connectivity from any Internet-enabled computer through a standard web browser and its native SSL encryption. SSL VPN solutions offer network access at any time and any place, thereby providing the possibility of increasing productivity. SSL VPN solutions also offer greater flexibility for the remote workforce.

This chapter provides a complete overview of the SSL-based Remote Access VPN technology, describing solution architecture, deployment, and implementation guidelines. The chapter also introduces the newly released Cisco AnyConnect VPN client solution.



Secure Sockets Layer (SSL) Protocol

SSL is an application layer (Layer 7) cryptographic protocol that provides secure communications over the Internet for web browsing, e-mail, instant messaging, and other data traffic. SSL, which was originally developed by Netscape and released in 1996, later served as the foundation for the IETF standard Transport Layer Security (TLS) protocol.

Although SSL and TLS vary in some respects and are not interoperable, the protocol architecture largely remains the same. The primary objective of both protocols is to provide data privacy and data integrity, thereby providing secure communications between applications. By default, SSL uses TCP port 443.

Note

TLS was originally documented in IETF RFC 2246, "The TLS Protocol Version 1.0," and was made obsolete by IETF RFC 4346, "The Transport Layer Security (TLS) Protocol Version 1.1," which, as of this writing, is the current approved TLS version.



SSL VPN Solution Architecture

VPN technologies in recent years have evolved and have been widely used to provide secure connectivity, extending the reach of networks. As discussed in Chapter 15, "IPsec VPN," two primary methods are used to deploy Remote Access VPN technology:

- Remote Access: IPsec VPN (covered in Chapter 15)
- Remote Access: SSL VPN

Cisco IPsec VPN and SSL VPN are complementary technologies. Both solutions offer remote access connectivity and can be deployed together or individually to better address the deployment requirements. Selecting the appropriate method depends on the deployment requirements and the network architecture.

Table 18-1 shows a comparison summary between IPsec VPN and SSL VPN technologies that can assist you in evaluating the appropriate Remote Access VPN technology as needed.



Table 18-1. IPsec and SSL VPN Comparison

Characteristic                           IPsec VPN
End-User System Options                  Enables access primarily from company-managed desktops.
End-User Access Method                   Initiated using preinstalled VPN client software.
End-User System Software Requirements    Requires proprietary preinstalled client software.
Software Updates                         Can automatically update, but is more intrusive and requires user input.
Customized User Access                   Offers granular access policies, but no web portals.

Note: The information in Table 18-1 is compiled from a Cisco white paper, "... Communications," at http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns125/networkin



SSL VPN Overview

SSL VPN is an emerging technology offering a flexible, low-cost Internet-based remote solution by using the native SSL encryption of a web browser. SSL VPN does not require special-purpose client software to be preinstalled on the system, thus enabling a user to connect from any computer, whether it is a company-managed or a non-company-managed system, such as a personal laptop, cybercafé, or home PC. SSL VPN sessions can be established from any Internet-enabled computer, thereby extending network access when and where required.

The Cisco SSL-based Remote Access VPN solution is a powerful tool that provides users with a virtual environment that emulates the working conditions of a main office with no geographical boundaries.

The Cisco Remote Access VPN solutions offer both IPsec VPN and SSL VPN technologies integrated on a single platform with unified management. The Cisco security solutions group offers the SSL VPN solution as part of the security products range. Examples include Cisco Integrated Services Routers (ISR), VPN Security, and Firewall Appliances.

Note

The Cisco SSL VPN solution is also commonly known as the Cisco WebVPN solution, and the two terms are used interchangeably in publications.



SSL VPN Features

SSL VPN technology offers a wide range of benefits. Key features include the following:

- Does not require special-purpose desktop VPN client software to be preinstalled on the system.
- Uses a standard web browser to establish a remote access VPN connection.
- Uses the native SSL encryption of a web browser to provide data confidentiality.
- Offers granular access control.
- Enables additional client-server applications to be downloaded dynamically with multiple delivery methods to help ensure transparent download and distribution with Java, ActiveX, or .exe files.
- Offers flexibility to establish VPN connections from any Internet-enabled system, be it a company-managed or non-company-managed system.
- Allows easy firewall and network traversal from any location.
- Allows transparent wireless roaming.
- Offers enhanced security using the integrated Cisco IOS Firewall feature.

Figure 18-1 illustrates the concept of SSL VPN and how a remote access user can access protected resources via the Internet over a secure encrypted channel.

Figure 18-1. Cisco SSL VPN Solution

Note

As the industry leader in innovation, Cisco introduced the first-ever router platform to integrate the SSL VPN solution in Cisco IOS Software on the Cisco Integrated Services Routers (ISR) series. The Cisco SSL VPN solution is also known as Cisco WebVPN.



SSL VPN Deployment Consideration

SSL VPN is an enhanced Cisco Remote Access VPN solution that offers data confidentiality by using the native SSL encryption technology within a web browser. Table 18-2 summarizes the characteristics that need to be considered when evaluating the SSL VPN deployment option.

Table 18-2. SSL VPN Deployment Characteristics

- Anywhere access from non-company-managed systems, such as an employee-owned desktop, a personal laptop, cybercafés, and hotspots
- Business partner access
- User-customized web portals
- Minimized desktop support and software distribution
- Flexibility to the end users
- VPN client customizability
- Capability to maintain existing IT deployment and support processes

The information in Table 18-2 is compiled from the Cisco white paper on "..." at http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns125/networkin



SSL VPN Access Methods

SSL VPN can be deployed in one of the following three access modes, as illustrated in Figure 18-2:

- Clientless mode (Layer 7): Clientless mode provides secure access to web resources and access to web-based content. This mode is useful for accessing content that can be accessed in a web browser, such as Internet access, databases, and online web-based tools. Clientless mode can also offer remote file sharing by using the Common Internet File System (CIFS), which provides a list of file server links in the web portal page, thereby allowing the remote user to browse listings of domains, servers, and directory folders, download a file, create a new file/directory, and so on. Clientless mode is limited to web-based content only.

- Thin client mode (Layer 7) (also known as port forwarding): Thin client mode provides remote access to TCP-based services such as Post Office Protocol (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH) applications. The thin client is delivered via a Java applet that is dynamically downloaded from the SSL VPN appliance upon session establishment. This mode extends the capability of the cryptographic functions of the web browser.

- Thick client mode (Layer 3) (also known as tunnel mode or full tunneling client): The thick client mode provides remote access to an extensive array of application support and is delivered dynamically by downloading SSL VPN Client (SVC) software or the Cisco AnyConnect VPN client software from the VPN server appliance. This mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides full network layer (Layer 3) access to virtually any application.
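As an added example that is not part of the book or of Cisco's software, the following Python models the thin client (port-forwarding) mode above: start_forwarder plays the downloaded applet's role of listening on a local port and relaying a legacy TCP client's bytes toward the gateway, while start_echo_server is a constructed stand-in for the internal service. The gateway leg is plain TCP rather than the browser's SSL session so that it runs offline, and all function names are assumptions.

```python
import socket
import threading
# Added illustration, not Cisco's applet, of thin-client port forwarding: local app ->
# local listener (applet role) -> [SSL session to appliance; plain TCP here] -> service.

def _pump(src, dst):
    # Relay bytes src -> dst until src hits EOF, then half-close dst.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listener():
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))      # ephemeral loopback port
    sock.listen()
    return sock

def start_echo_server():
    # Constructed stand-in for an internal service such as an IMAP server.
    srv = _listener()
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            _pump(conn, conn)        # echo whatever arrives back to the sender
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def start_forwarder(remote):
    # Applet role: listen locally and relay one client to `remote`, both ways.
    lst = _listener()
    def relay():
        client, _ = lst.accept()
        upstream = socket.create_connection(remote)  # the SSL-tunnel leg in reality
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        with lst, client, upstream:
            _pump(upstream, client)
    threading.Thread(target=relay, daemon=True).start()
    return lst.getsockname()

def forward_roundtrip(payload):
    # Legacy-client view: send payload via the local forwarder, return the reply.
    with socket.create_connection(start_forwarder(start_echo_server())) as app:
        app.sendall(payload)
        app.shutdown(socket.SHUT_WR)  # client finished sending; wait for the echo
        return b"".join(iter(lambda: app.recv(4096), b""))
```

The legacy application only ever sees a loopback port, which is why the mode is limited to TCP services whose client can be pointed at a local address.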

Figure 18-2. SSL VPN Access Modes

The information in Figure 18-2 is taken from the Cisco configuration guide on "Cisco IOS Software Releases 12.4T - SSL VPN" at http://www.cisco.com/en/US/products/ps6441/products_feature

Figure 18-2 illustrates the basic SSL VPN access modes that were discussed previously.



SSL VPN Citrix Support

The Cisco SSL VPN solution also offers clientless Citrix support that allows Citrix clients to use applications running on a remote Citrix server as if they were executed locally on the internal LAN.

Clientless SSL VPN is commonly used for remote access to Citrix applications. One of the major advantages of using the Cisco SSL VPN solution is that no additional helper applications are required for Citrix access over clientless SSL VPN, which helps ensure fast application initiation time and reduces the risk of desktop software conflicts. Many other SSL VPN solutions on the market require proprietary applets to be pushed down for Citrix to function.

Figure 18-3 illustrates a Citrix support comparison between a traditional SSL VPN and the Cisco SSL VPN solution.

Figure 18-3. SSL VPN Citrix Support

The information concept in Figure 18-3 is taken from the Cisco Networkers session presentation #SEC-2010, "Deploying Remote Access IPSec and SSL VPNs."


