Virtual Private Networks (VPNs) provide remote workers with secure access to their company network via the internet by encrypting all data sent between the company network and the user's machine (the client). Before SSL VPN, this typically required the client machine to have special software installed, or at least to be specially configured for the purpose.
Clientless SSL VPNs avoid the need for client machines to be specially configured. Any computer with a Web browser can access SSL VPN systems. This has several benefits:
Low admin costs, no remote configuration
Users can safely access the company network from any machine, be that a public workstation, a palmtop or mobile phone
Bypass ISP restrictions on custom VPNs by using standard technologies
SSL VPN is usually provided by a hardware appliance that forms part of the company network. These appliances act as gateways, providing internal services such as file shares, email servers, and applications in a web-based format encrypted using SSL. Existing players and new entrants, such as Nokia, Netilla, Symantec, Whale Communications, and NetScreen Technologies, are rushing out SSL VPN products to meet growing demand.
This book provides a detailed technical and business introduction to SSL VPN. It explains how SSL VPN devices work along with their benefits and pitfalls. As well as covering SSL VPN technologies, the book also looks at how to authenticate and educate users, a vital element in ensuring that the security of remote locations is not compromised. The book also looks at strategies for making legacy applications accessible via the SSL VPN.
Page count: 277
Year of publication: 2005
Copyright © 2005 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First edition: February 2005
Published by Packt Publishing Ltd. 32 Lincoln Road Olton Birmingham, B27 6PA, UK.
ISBN 1-904811-07-8
www.packtpub.com
Cover Design by www.visionwt.com
Authors
Joseph Steinberg
Timothy Speed
Commissioning Editor
David Barnes
Technical Editors
Chris Fernando
Ashutosh Pande
Layout
Nanda Padmanabhan
Indexer
Ashutosh Pande
Proofreader
Chris Smith
Cover Designer
Helen Wood
* Services provided by Editorialindia.com
Joseph Steinberg has been involved with computer networking and security since 1989. He has worked in technical positions at Citibank and AT&T and served in senior-management capacities at several product vendors and consulting firms. He has spent more than four years with Whale Communications, one of the pioneers of SSL VPN technology.
Mr. Steinberg’s May 2003 article, SSL VPN Security, introduced an awareness of critical security issues created by SSL VPN technology; since its publication, nearly every SSL VPN vendor has acted upon the concerns and recommendations made in the article.
Mr. Steinberg earned an M.S. in Computer Science from NYU, and holds a CISSP (Certified Information Systems Security Professional) credential as well as advanced certifications in IT security management (ISSMP) and architecture (ISSAP). He has lectured on several topics related to IT security and management and has authored numerous articles that have appeared in various journals, magazines, and other publications. A recognized expert on IT security, he is also interviewed on a regular basis by media personalities and is a member of several panels discussing IT-security related matters.
Mr. Steinberg lives in the suburbs of New York City with his wife and two daughters.
To Shira, Penina Leora, and Miriam, with all my love.
Timothy Speed is an IBM-Certified IT Architect working for the IBM Lotus Brand (ISSL). Tim has been involved in Internet and messaging security since 1992. He also participated with the Domino infrastructure team at the Nagano Olympics and with the Lotus Notes systems for the Sydney Olympics. His certifications include CISSP, MCSE, A+ Plus Security from CompTIA, Lotus Domino CLP Principal Administrator, and Lotus Domino CLP Principal Developer (Notes/Domino certifications in R3, R4, R5, and ND6).
Tim has also co-authored four books:
I am grateful to Joseph Steinberg for asking me to participate in writing this book. Special thanks to David Barnes, Commissioning Editor, Packt Publishing. Thanks to IBM/ISSL, Steve Keohane, Kathrine Rutledge, Chris Cotton, and Jack Shoemaker for allowing me to co-author this book. Thanks to Ann Marie Darrough for the official IBM review of this book before publishing. Also thanks to the following: The great Shane George, Tery W. Corkran, Chuck Stauber, David Byrd, David Bell, Dick McCarrick, Frederic Dahm, Garry White, Hartmut Samtleben, Hissan C. Waheed, Raj Balasubramanian, Ralph Vawter, William Nunez, Steve Robinson, Larry Berthelsen, Brian Baker, Lillian Speed, Johnny Speed, and Katherine Speed.
To Linda Speed, still my favorite wife!
The advent of SSL VPN ushers in a new era in remote computing. Where older remote-access technologies were expensive, complicated to use, and often deployed to only limited user populations, SSL VPN delivers remote access to the masses at a much lower cost than its forerunners, and in a much simpler format. It transforms remote access from a convenience enjoyed by a select few to a mainstream business option available to everyone.
An exciting new technology, SSL VPN leverages web browsers to provide access to enterprise applications, systems, files, and other resources from essentially any Internet-connected web browser, abandoning the long-standing model of requiring specialized client software to enable remote access.
SSL VPN offers several significant benefits over previous generations of remote access tools. Typically:
As of the publishing of this book, several key analyst firms have issued reports on the SSL VPN market; while they may differ in the rankings of the vendors in the space, they are all in agreement that SSL VPN is gaining rapid acceptance into corporate infrastructures. Annual SSL VPN related revenue, which exploded in 2002-2003, continues to grow at a healthy pace.
In this book, SSL VPN is discussed in detail from both a business and technical standpoint. Readers will gain understanding of what SSL VPN is, how it works, and why it may be of great benefit to their own organizations. Best practices surrounding deploying an SSL VPN, ensuring that an SSL VPN implementation is secure, as well as addressing human factors are also covered.
Chapter 1 introduces the key concepts behind SSL VPN. We look at how it fits into familiar network schemas, and consider how it works and what advantages it offers over traditional IPSec VPNs.
Then, in Chapter 2, we consider the business case for SSL VPN solutions. We see how to measure SSL VPN return on investment, and what practical benefits SSL VPN technology can offer an organization.
Chapter 3 peeks under the bonnet of SSL VPN to see how the technology works, and how you can rely on private communications over an open network like the Internet.
Chapter 4 takes a more detailed look at SSL VPN security, showing you how to make sure you choose SSL VPN tools and configurations that do not fall foul of glitches or security loopholes.
Chapter 5 looks at how to plan your SSL VPN installation by showing where it fits into your current network infrastructure, while Chapter 6 looks at the human angle—how to educate your users so that they do not become security holes themselves!
Worried that an SSL VPN will not work with your existing applications? In Chapter 7 we look at the methods that exist for integrating SSL VPN with your legacy applications.
Finally in Chapter 8 we look to the future of SSL VPN, and consider where the trends are likely to lead in the coming years.
In this book you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meanings.
Code words in text are shown as follows: "NOCACHE does not prevent caching in AutoComplete stores, in history records, and other areas."
New terms and important words are introduced in a bold-type font. Words that you see on the screen—in menus or dialog boxes, for example—appear in the text as follows: Are you still there?
Tips, suggestions, or important notes appear in a box like this.
Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply drop an e-mail to <[email protected]>, making sure to mention the book title in the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the Suggest a title form on www.packtpub.com or e-mail <[email protected]>.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Although we have taken every care to ensure the accuracy of our contents, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in text or code—we would be grateful if you would report this to us. By doing this you can save other readers from frustration, and also help to improve subsequent versions of this book.
If you find any errata, report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the Submit Errata link, and entering the details of your errata. Once your errata have been verified, your submission will be accepted and the errata added to the list of existing errata. The existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
You can contact us at <[email protected]> if you are having a problem with some aspect of the book, and we will do our best to address it.
History provides us with a map of how technology effectuates changes in the way we live and work. This technological transformation started with simple tools that then expanded to the internal combustion engine and now to the technology of computers and networks. One important example of this is transportation. Through a system of physical networks—roads, trains, airplanes, and so on—people can now work and live outside the congestion of large cities. Large parts of the population moved to 'suburb communities', and started the famous daily commute. In spite of high petrol prices, people stayed in their suburbs. Today, with the advent of the Internet, people can work almost anywhere. One of the technologies that allow the ubiquitous access required is a technology known as SSL VPN. This chapter starts you on the knowledge roads that will educate you about this technology. Nevertheless, before we get into too much detail, let's first understand how this technology will help you.
Many people work for what is now known as a 'virtual' organization. Workers in a virtual organization will not necessarily need an office, cube, or a parking space. More and more companies are letting staffers work remotely. The term used to describe these types of worker is teleworkers. As per the ITAC (International Telework Association and Council), the number of U.S. employees who work remotely has grown every year since 1999. The ITAC commissioned a study conducted by Dieringer Research Group (statistically based on teleworkers working at least one day per month), which shows teleworking has grown by nearly forty percent since 2001. What makes teleworking possible is the ability to connect your computer to the Internet from anywhere, anytime. This process of connecting remotely to the Internet is easy, and now with wireless, access is ubiquitous. Teleworking and remote computing is more than just working from poolside at your ranch house. It includes:
Wireless Network
A wireless LAN is just that—wireless. Computers and routers connect to each other via a set protocol over a radio frequency circuit. Much like TV or your cell phone, your home network can connect computers together without wires. The name of the wireless networking protocol is IEEE 802.11. This standard was developed to maximize interoperability between differing brands of wireless LANs (WLANs). The 802.11 technologies can work with standard Ethernet via a bridge or Access Point (AP). Wireless Ethernet uses a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) scheme, whereas standard Ethernet uses a Carrier Sense Multiple Access with Collision Detection (CSMA/CD) scheme. One of the biggest advantages of the 802.11 standard is the ability for products from different vendors to interoperate with each other. This means that as a user, you can purchase a wireless LAN card from one vendor and a wireless LAN card from another vendor and they can communicate with each other, independent of the brand name of the card.
Now you can be online almost anywhere and anytime. Wireless access is available almost everywhere in North America, Asia, and Europe, and soon you will be able to Google from anywhere in the world. So as you can see, all is happy and secure in the world of ubiquitous Internet access. OK, let us stop and review that last statement. We used the words 'anytime' and 'anywhere'; so far, so good. The word 'secure' is not always true. In fact, with today's Internet, the traffic is rarely secure. The days of the 9600-baud modem are gone, along with the naive attitude that "all is secure". Access to the Internet is no longer safe.
The Internet is the communication backbone for more than just e-commerce; today you can access the Internet for almost everything:
In order to understand the security issues of the Internet, you first need to understand what the Internet really is. The Internet is not just one network. The Internet includes thousands of individual networks. The communication core of these networks is two protocols known as Transmission Control Protocol and Internet Protocol (TCP/IP). These historic protocols provide connectivity between equipment from many vendors over a variety of networking technologies. The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to-host protocol in a packet-switched computer communication network. The Internet Protocol (IP) is specifically limited in scope to providing the functions necessary to deliver an envelope of data from one computer system to another. Each computer or device on a network has some type of address that identifies where it is on the network.
Much like computers, the Internet is a new concept for the world of communication. In 1973 Vinton Cerf, a UCLA (University of California, Los Angeles) graduate student who is also known as the Father of the Internet, and Robert Kahn, an MIT (Massachusetts Institute of Technology) math professor, developed a set of software protocols to enable different types of computers to exchange data. The software they developed is now known as TCP/IP. The base part of the protocol is called IP or Internet Protocol. While the IP part of the protocol transports the packets of data between the various computer systems on the Internet, the TCP part ports data to the applications. TCP is the mechanism that allows the WWW (World Wide Web) to communicate. (All of this will be discussed in detail later in this book.) Programs are built on top of this medium, which allows communication between server and client. A network can be connected with cables and/or wireless adapters. Basically the computer is connected via a Network Interface Card (NIC). The NIC's job is to place data onto the network. All network data is crafted into packets, and each packet carries the information needed to find its target computer and to identify where it came from.
The process of creating data packets is based on two connection models—the OSI and DARPA reference models. The Open Systems Interconnection (OSI) model is a standard reference model for how network data is transmitted between any two points in a computer network. TCP/IP in its most basic form supports the Defense Advanced Research Projects Agency (DARPA) model of internetworking and its network-defined layers. Much like the DARPA model, the OSI was designed to connect dissimilar computer network systems. The OSI reference model defines seven layers of functions that take place at each end of a network communication:
| Layer | Description |
| --- | --- |
| Application (7) | This is the layer at which programs are identified; user authentication and privacy are implemented here. |
| Presentation (6) | This is a layer—usually part of an operating system—that converts incoming and outgoing data from one presentation format to another. |
| Session (5) | This layer sets up, coordinates, and ends conversations, exchanges, and dialogs between the applications at each end of the dialog. |
| Transport (4) | This layer manages the end-to-end control and error checking. |
| Network (3) | This layer handles the routing and forwarding of the data. |
| Data link (2) | This layer provides error control and synchronization for the physical level. |
| Physical (1) | This layer transmits the bit stream through the network at the electrical and mechanical level. |
TCP/IP also has a much simpler protocol model called the DARPA model:
| Layer | Description |
| --- | --- |
| Process (4) | This is the layer where higher-level processes such as FTP, SMTP, and HTTP are defined and executed. |
| Host to Host (3) | This is where TCP lives. This is the mechanism that actually ports the data to the correct application. TCP ports are defined here. |
| Internet (2) | IP addresses are used to direct packets to the correct destination. Routing protocols live here along with Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP). |
| Network Interface (1) | This is the physical connection to the network: Ethernet, token ring, and so on. The packets are placed onto the network at this point. |
Network architecture is discussed in detail in Appendix A. It is important for you to understand network architecture, since hackers understand it! Hacking into computers can include TCP port scanning, fake emails, trojans, and IP address spoofing. The essence of TCP port surfing is to pick out a target computer and explore it to see what ports are open and what a hacker can do with them. If you understand ports then you can understand what hackers can do to you and your systems. With this knowledge you can understand how to effectively keep your computers and networks secure.
Next is our introduction to Hacker Bob.
The above figure shows how Hacker Bob uses his evil hacker tools (and experience) to monitor your network.
Remember those packets and TCP ports? Hacker Bob can monitor the Internet and copy packets into his evil network. Once he has the copied packets, then he can analyze them and extract your sensitive data as explained below:
Once Hacker Bob has your data then he can use a simple tool to review and analyze it. The following example shows how Hacker Bob could analyze your IP packet:
In the example below, the data section is 1460 bytes. This payload is transferred as ASCII text using HTML. As a result, it is easy for Hacker Bob to read the data:
Now in the hacker's words "That data is mine."
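As an added example (not from the book), the following Python script walks a constructed IPv4/TCP packet through the DARPA layers of the table above, the way a passive observer on the path would, and shows why a plaintext HTTP payload is readable to anyone who copies the packet while a constructed stand-in for an encrypted payload is not. All addresses, ports, and payloads are made up for illustration.

```python
import struct

# Constructed sample: a plaintext HTTP request of the kind the book's figure
# shows in the TCP data section. Nothing here is a real capture.
HTTP_PAYLOAD = (b"GET /payroll/report.html HTTP/1.1\r\n"
                b"Host: intranet.example.com\r\n\r\n")

# Constructed stand-in for an encrypted (VPN) payload: a deterministic byte
# sequence with no structure, used only so the comparison is reproducible.
OPAQUE_PAYLOAD = bytes((i * 73 + 19) % 256 for i in range(60))

def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_ipv4_tcp(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble IPv4 header (20 bytes) + TCP header (20 bytes) + payload.
    Checksums stay zero: the layout is what matters here, not wire validity."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,                # version 4, IHL 5 words (20 bytes)
                         0, total_len,        # DSCP/ECN, total length
                         0x1234, 0,           # identification, flags/fragment offset
                         64, 6, 0,            # TTL, protocol 6 = TCP, header checksum
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port,
                          1000, 0,            # sequence, acknowledgement numbers
                          0x50, 0x18,         # data offset 5 words, flags PSH|ACK
                          65535, 0, 0)        # window, checksum, urgent pointer
    return ip_hdr + tcp_hdr + payload

def parse_packet(pkt):
    """Walk the packet layer by layer, as a passive observer on the path would:
    Internet layer (IP) -> Host-to-Host layer (TCP) -> Process layer (the data)."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, total_len, ttl, proto, src, dst = (fields[0], fields[2], fields[5],
                                                fields[6], fields[8], fields[9])
    ihl = (ver_ihl & 0x0F) * 4                  # IP header length in bytes
    info = {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src_ip": bytes_to_ip(src), "dst_ip": bytes_to_ip(dst)}
    if proto != 6:                              # not TCP: stop at the IP layer
        info["payload"] = pkt[ihl:total_len]
        return info
    sport, dport, _, _, off_res, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    data_off = (off_res >> 4) * 4               # TCP header length in bytes
    info.update({"src_port": sport, "dst_port": dport, "flags": flags,
                 "payload": pkt[ihl + data_off:total_len]})
    return info

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or whitespace. Plaintext
    protocols such as HTTP score near 1.0; encrypted payloads look random."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

if __name__ == "__main__":
    pkt = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 80, HTTP_PAYLOAD)
    info = parse_packet(pkt)
    print(f"{info['src_ip']}:{info['src_port']} -> {info['dst_ip']}:{info['dst_port']}")
    print("plaintext HTTP readable:", printable_ratio(info["payload"]))
    print("encrypted stand-in readable:", printable_ratio(OPAQUE_PAYLOAD))
```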
To make things worse, at some point, during your normal Internet browsing activities, you have likely received one of these types of pop-up windows from your browser:
Typically the username is some name that an administrator (or software utility) has assigned to you or you have assigned yourself. The Web is full of places that require a username. The username is a mechanism that identifies who you are in relation to the program or data you are trying to access. The password is the key that proves that you have the authority to use that username. This is a simple and effective mechanism to access controlled data. In Basic HTTP Authentication, the password passed over the network is neither encrypted nor plain text, but is 'uuencoded'. Anyone watching packet traffic on the network will see the password encoded in a simple format that is easily decoded by anyone who happens to catch the right network packet. Therefore, our friend Hacker Bob could just extract the right packet and he has your username and password. All Hacker Bob had to do was to read RFC2617 (http://www.ietf.org/rfc/rfc2617.txt) for all the information he needed.
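The following is an added audit script, not part of the book, that scans a constructed HTTP request for the Authorization header RFC 2617 describes, decodes the Basic credential with the base64 scheme the RFC specifies, and records the exposure as a finding without writing the password into it. The request, host, and credentials are invented for illustration.

```python
import base64
import binascii

# Constructed sample request, as it would appear in a capture of unencrypted
# HTTP traffic (the credential decodes to the made-up pair alice:hunter2).
SAMPLE_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into its request line and a header dict.
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def decode_basic(value):
    """Return (user, password) from a 'Basic <token>' value, or None if it is
    not a well-formed Basic credential. The user:password string is only
    base64-encoded (RFC 2617), which is why any observer can recover it."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        userpass = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in userpass:
        return None
    user, _, password = userpass.partition(":")
    return user, password

def audit_request(raw, over_tls):
    """Produce an audit finding for one request. The password never leaves
    this function; only its length is recorded, so the audit log does not
    become a second copy of the secret."""
    request_line, headers = parse_request(raw)
    creds = decode_basic(headers.get("authorization", ""))
    if creds is None:
        return {"request": request_line, "basic_auth": False, "exposed": False}
    user, password = creds
    return {
        "request": request_line,
        "basic_auth": True,
        "user": user,
        "password_length": len(password),
        # Basic over plain HTTP is readable on the wire; inside an SSL/TLS
        # session the same header is protected in transit.
        "exposed": not over_tls,
    }

if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST, over_tls=False))
    print(audit_request(SAMPLE_REQUEST, over_tls=True))
```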
Here is the scenario: you are the network manager of a large worldwide enterprise company. You know that you must provide secure access from about 50 sites around the world to your corporate network at your headquarters in Dallas. In addition, each site will have a local network with about 10-12 computers. Making your task a bit harder, the CIO of your company has mandated that you must save money and, at the same time, quickly get the network service up and running. How can you do this? One answer to this problem would be to set up direct connect circuits to each site, also known as a private network. However, this can be a really expensive solution. So, the solution to this quagmire is obvious—you can create a Virtual Private Network (VPN).
You now ask: "So what is a VPN?" The most basic definition of a VPN is "a secure connection between two or more locations over some type of a public network". A more detailed definition of a VPN is a private data network that makes use of the public communication infrastructure. A VPN can provide secure data transmission by tunneling data between two points—that is, it uses encryption to ensure that no systems other than those at the endpoints can understand the communications. The following diagram shows a basic example:
Traveling sales people will connect to the Internet via a local provider. This provider can be AOL, EarthLink, or a local community Internet Service Provider (also known as a POP—Point Of Presence). The diagram above shows the concept of the VPN. The VPN now hides, or encrypts, the data, thus keeping Hacker Bob out of your data.
Remember your challenge from the CIO—"secure access from 50 sites around the world into the corporate network and each site having about 10-12 computers?" We have the answer for you. Let's look at two examples:
In the example below, a traveling user is able to connect securely to the corporate network via the VPN. The user will connect to the VPN via a local Internet service provider, and that traffic will then be routed to the corporate network. At this point the VPN traffic from the end user will terminate at a VPN receiving device or server.
As you can see, Hacker Bob cannot read and/or trap your data—he is stopped.
In this example above Hacker Bob may still be able to trap a copy of each packet, but the encrypted data will not be readable.
In the example below, a remote office will be able to connect to the computers and servers in another office via the Internet. An end user on the remote network will access one of the corporate network services. The traffic will route from the remote office to a VPN device, travel securely over the Internet, and into the VPN device on the corporate network. Once on the corporate network the end user will have the potential to access any of the corporate services or servers. As shown below, Hacker Bob is thwarted once again and cannot read your sensitive data:
Now your problem is solved; your company is able to provide access to its corporate office computers from anywhere in the world. And the final result—Hacker Bob will be looking elsewhere to launch his evil plan.
Let's look at some of the different protocols for creating secure VPNs over the Internet:
L2TP, or Layer-2 Tunneling Protocol, is a combination of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer-2 Forwarding (L2F). L2TP is a network protocol and it can send encapsulated packets over networks like IP, X.25, Frame Relay, Multiprotocol Label Switching (MPLS), or Asynchronous Transfer Mode (ATM).
IPsec will encrypt all outgoing data and decrypt all incoming data so that you can use a public network, like the Internet, as a transportation media. IPsec VPNs normally utilize protocols at Layer 3 of the OSI Model. This is effectuated by using two different techniques:
The Authentication Header provides two-way device authentication, which can be implemented in hardware or software, and in many cases provides user authentication via a standard set of credentials—user ID and password. You may also see implementations using a token, or an X.509 user certificate.
The Encapsulating Security Payload protocol provides the data encryption. Most implementations support algorithms such as DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), or AES (Advanced Encryption Standard). In its most basic configuration, IPsec will implement a handshake that requires each end point to exchange keys and then agree on security policies.
IPsec can support two encryption modes: