SSL VPN : Understanding, evaluating and planning secure, web-based remote access
By Tim Speed and Joseph Steinberg
About this ebook
Tim Speed
Timothy Speed is an infrastructure and security architect for Lotus Professional Services (LPS), an IBM company. Tim has been involved in Internet and messaging security for the last 8 years. He has assisted with the Domino infrastructure at the Nagano Olympics and the Lotus Notes systems for the Sydney Olympics. Certifications include MCSE, VCA (VeriSign Certified Administrator), Lotus Domino CLP Principal Administrator, and Lotus Domino CLP Principal Developer. He and Juanita Ellis are the co-authors of books on Internet security and e-business.
Table of Contents
SSL VPN
Credits
About the Authors
Introduction
What This Book Covers
Conventions
Reader Feedback
Customer Support
Errata
Questions
1. Introduction to SSL VPN
The Internet
Reference Models
OSI Reference Model
DARPA Model
Introducing Hacker Bob
Trapping Your Data
Basic HTTP Authentication
Keeping Hacker Bob Out of Your Data
VPNs
One Computer to the Corporate Network
Remote Office Network Connected to the Main Office
VPN Examples
IPsec
SSL VPN
IPsec Vs. SSL VPN
Trusted Networks
The DMZ
SSL VPN Scenarios
SSL VPN—Hubs
SSL VPN—Private Network
Summary
2. SSL VPN: The Business Case
SSL VPN: A Historical Background
Remote Access: Measuring Return-on-Investment
So What Does SSL VPN Actually Give Me?
Summary
3. How SSL VPNs Work
Appliances Vs. Software
The SSL Protocol
Background
Overview of SSL Technology
Symmetric Cryptography: Data Confidentiality
Asymmetric Cryptography: Data Confidentiality
Asymmetric Cryptography: Server Authentication
Asymmetric Cryptography: Client Authentication
Key Size
Establishing Secure Tunnels Using SSL
Secure Tunnels
OSI Network Model
Application-Level Communications
Reverse Proxy Technology
SSL Remote Access: Reverse Proxy Technology Plus
Non-Web Traffic over SSL
Establishing Network Connectivity over SSL
Why Different Access Technologies for Web Applications
Applets
Remote Access to Files and Other Resources
Remote Mounting of Network Drives
File Access Interface
Telnet and Host Access
Printers and Other Network Resources
Terminal Services
Internet-Enabling Internal Applications
Web-Based Applications
Remote Access Interface
Login and Single Sign On
Portal Pages
Toolbars
Languages
Multiple Windows Vs. a Single Window
Logout Button
Help
User Interface Based on Browser Type
SSL VPN Status Window
Web Email (WebMail) Interfaces
Administration Tools
Performance
SSL Acceleration
Compression of HTTP Traffic
Caching
Load Balancing: IP Spraying
Access from Older Web Browsers
SSL VPN Sample Session
Summary
4. SSL VPN Security
Authentication and Authorization
Authentication
Passwords
One-Time Passwords
Biometric Information
Client Certificates
Smart Cards or USB Tokens
Two-Factor Authentication
Single Sign On
Authorization
Operating System Permissions
File System Permissions
Native Application Permissions
Restricted Interfaces
Authorization Information Maintained by the SSL VPN
Third-Party Authorization Databases
End Point Security Concerns
The Problem: Sensitive Data in Insecure Locations
Browser Cache Entries
Proprietary Cache Entries
Temporary Files: Viewing E-mail Attachments
Temporary Files: Downloading and other Mechanisms
Form-Field Contents Memorized for AutoComplete
URL Entries Memorized for AutoComplete
Cookies Generated During User Sessions
History Records
User Credentials Memorized by the Browser
The Solution
The Problem: Third Party Search Tools Running on Access Devices
The Solution
Department of Defense (DoD) Requirements
The Problem: Users May Neglect to Log Out
The Solution
Long Timeout Thresholds: Not a Good Idea
Non-Intrusive Timeout Systems
Forced Periodic Re-Authentication
Ignoring Phony Activity
Timeout Thresholds
The Problem: Viruses Enter Corporate Networks via the SSL VPN
The Solution
Check for Anti-Virus Software on the User's Device
Block Uploads
Rely on Internal Network Antivirus
The Problem: Worms Enter Corporate Networks via the SSL VPN
The Solution
Personal Firewalls
Application Firewalls
Negative-Logic-Based Filtering of User Requests
Positive-Logic-Based Filtering
Dynamic-Rules-Based Filtering
Combination of Methods
Problems of Insecure Locations
Spyware
Keystroke Loggers
Hardware Keystroke Loggers
Software Keystroke Loggers
Shoulder Surfing
Video Cameras Aimed at Computers
Emanations
Hackers Bridging to the Corporate Network
The Problem: Internal Networking Information may be Leaked
The Solution
Printing and Faxing
Printers Local to the User
Printers Local to the SSL VPN Server
Deleted Files
Trusted Endpoint
Tiers of Access Based on Endpoint Situation
Internet Provider Controls
Server-Side Security Issues
The Problem: Firewalls and Other Security Technologies may be Undermined
SSL VPN in a DMZ
SSL VPN on the Internal Network
The Solution
The Problem: Application-Level Vulnerabilities
The Solution
Encryption
Patching of SSL VPN Servers
Linux versus Windows
Some Other SSL VPN Appliance Security Concepts
Hardening
Air Gap
Protection from Internal Systems and the Internal Network
ASIC
Summary
5. Planning for an SSL VPN
Determining Business Requirements
Remote Access Paradigms
Determining User Needs
Different Scenarios
Selecting an Appropriate SSL VPN
Ensuring Proper Level of Access
Proper User Interface and Experience
Remote Password Management
Adherence to Security Standards
Platform
Hardware
Operating System
Network Connectivity
Determining which SSL VPN Functions to Use
Where to Deploy the SSL VPN server
Back Office
Pros
Cons
DMZ
Pros
Cons
Outside the Perimeter Firewall
Pros
Cons
Air Gap
Pros
Cons
Offloaded SSL
Pros
Cons
Planning for Deployment
User and Administrator Training
Summary
6. Educating the User
Building an Education Plan
Education Plan: Start the Process
Vision
High-Level Training Plan
The Agreement
The Use Case
Education Plan: Finalize the Plan
Final Training Plan
Include Incident Handling Policies in your Training Plan
The Money
Creating Educational Materials
Reusing the Use Cases
Executing the Test Plan
Education Plan: Testing and Pilots
Unit Tests
Process Tests
Technical Pilots
Production Pilot 1
Production Pilot 2
Implementation
Education Plan: Production
Specific Training for SSL VPNs
Training the Masses
How to use an SSL VPN
Social Engineering
Phishing
Sharing Credentials
Single Sign On (SSO)
SSL Locks and Dialog Boxes: One More Note about Phishing
E-Commerce Scenario
Phishing and the SSL Lock
Summary
7. Legacy Data Access
Computing Elements
Applications
Commercial Off-The-Shelf (COTS)
Custom Programs
Legacy Applications
The Web Challenge
Direct Access
Scrape the Screen
Awareness
SSL VPN with Middleware Access
Meeting the Challenge
Secure Access
Tunneling to the Other Side
Tunneling Techniques
Lotus Notes Tunnel
Tunneling Steps
Other Applications
Summary
8. The Future of SSL VPN Technology
Standardized Feature Sets
Interfaces
Third-Party Security System Interfaces
Authentication Systems
Authorization Systems
Endpoint Security Systems
Application Firewalling Interfaces
Application Interfaces
Logging, Reporting, and Management Interfaces
SSL VPN Products for Small, Medium, and Large Organizations
Application-Specific SSL VPNs
Merging with IPSec VPN and Firewall Technology
SSL Access Platforms
Support for More Diverse Computers
Macintosh
Linux and Other Variants of UNIX
Handheld Devices
Improved Performance and Reliability
Voice-Over-IP
Two Business Developments
Summary
A. A Review of TCP, IP, and Ports
DARPA and OSI
Network Interface
Packets
Packet Routing
TCP Ports
B. SSL VPN Gateways
SSL VPN Offerings
AEP Systems
Company Information
Product Information
Array Networks
Company Information
Product Information
Aventail
Company Information
Product Information
Check Point Software Technologies
Company Information
Product Information
Cisco Systems
Company Information
Product Information
Citrix Systems
Company Information
Product Information
EnKoo
Company Information
Product Information
F5 Networks
Company Information
Product Information
Juniper Networks
Company Information
Product Information
NetScaler
Company Information
Product Information
NetSilica
Company Information
Product Information
Netilla Networks
Company Information
Product Information
Nokia
Company Information
Product Information
Nortel Networks
Company Information
Product Information
Permeo Technologies
Company Information
Product Information
PortWise
Company Information
Product Information
SafeNet
Company Information
Product Information
Symantec
Company Information
Product Information
Whale Communications
Company Information
Product Information
Index
SSL VPN
Joseph Steinberg
Tim Speed
SSL VPN
Copyright © 2005 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First edition: February 2005
Published by Packt Publishing Ltd. 32 Lincoln Road Olton Birmingham, B27 6PA, UK.
ISBN 1-904811-07-8
www.packtpub.com
Cover Design by www.visionwt.com
Credits
Authors
Joseph Steinberg
Timothy Speed
Commissioning Editor
David Barnes
Technical Editors
Chris Fernando
Ashutosh Pande
Layout
Nanda Padmanabhan
Indexer
Ashutosh Pande
Proofreader
Chris Smith
Cover Designer
Helen Wood
* Services provided by Editorialindia.com
About the Authors
Joseph Steinberg has been involved with computer networking and security since 1989. He has worked in technical positions at Citibank and AT&T and served in senior-management capacities at several product vendors and consulting firms. He has spent more than four years with Whale Communications, one of the pioneers of SSL VPN technology.
Mr. Steinberg’s May 2003 article, SSL VPN Security, introduced an awareness of critical security issues created by SSL VPN technology; since its publication, nearly every SSL VPN vendor has acted upon the concerns and recommendations made in the article.
Mr. Steinberg earned an M.S. in Computer Science from NYU, and holds a CISSP (Certified Information Systems Security Professional) credential as well as advanced certifications in IT security management (ISSMP) and architecture (ISSAP). He has lectured on several topics related to IT security and management and has authored numerous articles that have appeared in various journals, magazines, and other publications. A recognized expert on IT security, he is also interviewed on a regular basis by media personalities and is a member of several panels discussing IT-security related matters.
Mr. Steinberg lives in the suburbs of New York City with his wife and two daughters.
To Shira, Penina Leora, and Miriam, with all my love.
Timothy Speed is an IBM-Certified IT Architect working for the IBM Lotus Brand (ISSL). Tim has been involved in Internet and messaging security since 1992. He also participated with the Domino infrastructure team at the Nagano Olympics and with the Lotus Notes systems for the Sydney Olympics. His certifications include CISSP, MCSE, A+ Plus Security from CompTIA, Lotus Domino CLP Principal Administrator, and Lotus Domino CLP Principal Developer (Notes/Domino certifications in R3, R4, R5, and ND6).
Tim has also co-authored four books:
The Internet Security Guidebook, ISBN: 0-12-237471-1, February, 2001
The Personal Internet Security Guidebook, ISBN: 0-12-656561-9, October, 2001
Enterprise Directory and Security Implementation Guide: Designing and Implementing Directories in Your Organization, ISBN: 0-12-160452-7
Internet Security: A Jumpstart for Systems Administrators and IT Managers, ISBN: 1-55558-298-2
I am grateful to Joseph Steinberg for asking me to participate in writing this book. Special thanks to David Barnes, Commissioning Editor, Packt Publishing. Thanks to IBM/ISSL, Steve Keohane, Kathrine Rutledge, Chris Cotton, and Jack Shoemaker for allowing me to co-author this book. Thanks to Ann Marie Darrough for the official IBM review of this book before publishing. Also thanks to the following: The great Shane George, Tery W. Corkran, Chuck Stauber, David Byrd, David Bell, Dick McCarrick, Frederic Dahm, Garry White, Hartmut Samtleben, Hissan C. Waheed, Raj Balasubramanian, Ralph Vawter, William Nunez, Steve Robinson, Larry Berthelsen, Brian Baker, Lillian Speed, Johnny Speed, and Katherine Speed.
To Linda Speed, still my favorite wife!
Introduction
The advent of SSL VPN ushers in a new era in remote computing. Where older remote-access technologies were expensive, complicated to use, and often deployed to only limited user populations, SSL VPN delivers remote access to the masses at a much lower cost than its forerunners, and in a much simpler format. It transforms remote access from a convenience enjoyed by a select few to a mainstream business option available to everyone.
An exciting new technology, SSL VPN leverages web browsers to provide access to enterprise applications, systems, files, and other resources from essentially any Internet-connected web browser, abandoning the long-standing model of requiring specialized client software to enable remote access.
SSL VPN offers several significant benefits over previous generations of remote access tools. Typically:
It is much easier to use.
It is much easier to implement and maintain.
It offers access from many more locations and devices.
It is much less expensive to maintain.
It can serve as an integral component of a business-continuity strategy.
As of the publishing of this book, several key analyst firms have issued reports on the SSL VPN market; while they may differ in their rankings of the vendors in the space, they all agree that SSL VPN is gaining rapid acceptance in corporate infrastructures. Annual SSL VPN-related revenue, which exploded in 2002-2003, continues to grow at a healthy pace.
What This Book Covers
In this book, SSL VPN is discussed in detail from both a business and technical standpoint. Readers will gain understanding of what SSL VPN is, how it works, and why it may be of great benefit to their own organizations. Best practices surrounding deploying an SSL VPN, ensuring that an SSL VPN implementation is secure, as well as addressing human factors are also covered.
Chapter 1 introduces the key concepts behind SSL VPN. We look at how it fits into familiar network schemas, and consider how it works and what advantages it offers over traditional IPSec VPNs.
Then, in Chapter 2, we consider the business case for SSL VPN solutions. We see how to measure SSL VPN return on investment, and what practical benefits SSL VPN technology can offer an organization.
Chapter 3 peeks under the bonnet of SSL VPN to see how the technology works, and how you can rely on private communications over an open network like the Internet.
Chapter 4 takes a more detailed look at SSL VPN security, showing you how to make sure you choose SSL VPN tools and configurations that do not fall foul of glitches or security loopholes.
Chapter 5 looks at how to plan your SSL VPN installation by showing where it fits into your current network infrastructure, while Chapter 6 looks at the human angle—how to educate your users so that they do not become security holes themselves!
Worried that an SSL VPN will not work with your existing applications? In Chapter 7 we look at the methods that exist for integrating SSL VPN with your legacy applications.
Finally in Chapter 8 we look to the future of SSL VPN, and consider where the trends are likely to lead in the coming years.
Conventions
In this book you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meanings.
Code words in text are shown as follows: NOCACHE does not prevent caching in AutoComplete stores, in history records, and other areas.
New terms and important words are introduced in a bold-type font. Words that you see on the screen—in menus or dialog boxes, for example—appear in the text as follows: Are you still there?
Note
Tips, suggestions, or important notes appear in a box like this.
Reader Feedback
Feedback from our readers is always welcome. Let us know what you think about this book, what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply drop an e-mail to <feedback@packtpub.com>, making sure to mention the book title in the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the Suggest a title form on www.packtpub.com or e-mail
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Customer Support
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Errata
Although we have taken every care to ensure the accuracy of our contents, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in text or code—we would be grateful if you would report this to us. By doing this you can save other readers from frustration, and also help to improve subsequent versions of this book.
If you find any errata, report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the Submit Errata link, and entering the details of your errata. Once your errata have been verified, your submission will be accepted and the errata added to the list of existing errata. The existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Questions
You can contact us at <questions@packtpub.com> if you are having a problem with some aspect of the book, and we will do our best to address it.
Chapter 1. Introduction to SSL VPN
History provides us with a map of how technology effectuates changes in the way we live and work. This technological transformation started with simple tools that then expanded to the internal combustion engine and now to the technology of computers and networks. One important example of this is transportation. Through a system of physical networks—roads, trains, airplanes, and so on—people can now work and live outside the congestion of large cities. Large parts of the population moved to 'suburb communities',