remote access - NetPilot Internet Security

SSL VPN-Plus Training
SSL VPN-Plus
© 2005-09 NeoAccel, Inc.
COMPANY OVERVIEW
© 2005-06 NeoAccel, Inc.
Company Snapshot
• Founded 2004
  – Founder: Michel Susai
    • Former Chairman and CEO, and Founder of NetScaler (Acquired by Citrix for $325M)
  – Headquarters – San Jose, CA
  – First Product Shipped Oct 2005
• Technology Focus
  – Secure Remote Access: SSL VPN-Plus™
  – Network Access Control: NAM-Plus™
  – SSL Based Site to Site VPN
• Competitive Advantage
  – Patented Architecture (ICAA™)
  – 24-Month Technology Lead
• Sales Strategy
  – Enterprise, OEM, Channel
• Offices
  – Regional Sales Offices
    • Boston, Houston, San Jose
    • India, China, Japan
• Investors
  – Institutional
    • Baring Private Equity
    • NTT
  – Angel
    • Sabeer Bhatia (Co-Founder, Hotmail)
    • Prabhu Goel (Inventor, Verilog)
Sample Customers
OEM
Service Providers
Enterprise
Financial
Higher Education
Health Care
Manufacturing
Utilities
Non-Profit
Engineering
Insurance
Gov’t
Automotive
Real Estate
Construction
Logistics
Marketing
Online Security
IT Services
Retail
Awards and Recognitions
SSL VPN Magic Quadrant Q307
"The company [NeoAccel] ... has established multiple OEM deals and sold well in the first half of 2007, ... outperforming some older and established companies."
-- Gartner SSL VPN MQ 2007
REMOTE ACCESS
Remote Access?
• Access secure application servers to update customer information or submit a daily report
• Access the corporate email server
• Access mission-critical application servers when at a customer site
• Access the corporate intranet to get the latest information or check the status of your leave application
Who Needs Remote Access?
• Consultants
• Partners
• Field Engineers and Sales Team
• Remote Office Employees
• Off office hours workers
• Roaming Executives
• Bridge branch offices to corporate centre
Why VPN?
• When Alice talks to Bob, the VPN must provide
  • Confidentiality
  • Integrity
  • Authentication
VPN Technologies?
• PPTP
• L2TP
• IPSec
• SSL
IPSec Features
• Site-to-Site Access
• Complete network access
• Transparent to Applications
• Least effect on performance
• Good security
SSL VPN – Secure Socket Layer VPN
• Uses the SSL protocol for confidentiality, authentication and integrity, and then proxies to provide authorized and secure access to private network resources like Web, Client/Server, file sharing etc.
• Two modes
  • Clientless: Proxies web-based applications and uses the inbuilt SSL support in browsers to establish the VPN and deliver web traffic.
  • Network Extension: Proxies client-server applications; requires a proprietary client application to establish the VPN and facilitate client-server application communication.
SSL VPN Features
• Designed for Remote Access
• Centralized Access Control
• Zero user side management
• One minute deployment
• Endpoint Security
• Clientless - Access Anywhere
• Network Extension
  • Access Anything
Current State of VPNs – Remote Access
• 1st-Generation VPN – IPsec
  – IP Address-Based Tunnels
  – All-or-Nothing Network Access for Employees
  – High License & Administration Costs
• 2nd-Generation VPN – SSL
  – User-Based Tunnels
  – Conditional Access to Specific Applications
  – Significant Advantages over IPsec (see next slide)
(Diagram: Users reaching the network over IP Address-Based Tunnels versus User-Based Tunnels)
2nd-Generation VPN Advantages over 1st Generation
• Increased Security
  • User-Based Tunneling
  • Endpoint Security
  • Granular Access Control
• Increased Return on Investment
  • Zero Client Software Costs
  • Zero Client Upgrade Costs and Pain
  • Zero Client Management
• Universal Access
  • Employees, Non-Employees
  • Access from Any Device – No Device with VPN Client Required
  • Cross Platform Support (Mac, Linux, Windows, Smart Phones, PDAs)
SSL VPN Drivers (% of respondents rating category a driver; Source: Infonetics Research, 2006)
• Increased security: 80%
• Enable clientless VPNs: 51%
• Decrease operating cost: 41%
• Support wide variety of client platforms: 38%
• Enable employee access from handheld devices: 29%
• Enable employee access from kiosks and guest computers: 23%
IPSec – Why not?
• Not designed for remote access
• Traversal problem over NAT devices
• Firewall configuration required
• All corporate services are exposed on the firewall
• No centralized access control
• Per-user administration and configuration
• Interoperability among vendors
• Time consuming deployment
What’s Missing in SSL VPN
• Performance Degradation
  • SSL VPN falls prey to TCP-over-TCP meltdown
  • Extra context switching in SSL VPNs causes performance loss
• Poor End User Experience
  • Limited or no connectivity over low-bandwidth or high-packet-loss networks like
    • Wireless
    • DSL
    • Data Cards
• Increased Support Cost
• No Site-to-Site VPN capabilities
Why Companies are Not Buying SSL?
• Extra context switching in SSL VPNs causes performance loss
• SSL VPN falls prey to TCP-over-TCP meltdown
• Performance degradation affects the SSL gateway and all users
• Many companies stay with IPSec to avoid user complaints
What can IT do?
NeoAccel: The Third-Generation VPN
• Increased Security
– User-Based Access Control with Endpoint Security
• Increased ROI, Lower TCO
– 10% of IPSec Costs in Large Installations
• Ubiquitous Access
– Any User from Any Device
• IPSec-Level (or Better) Performance
• Site-to-Site VPN Support – New!
NeoAccel SSL VPN – Plus Features
• Best of both worlds: IPSec and SSL VPN
• High Performance
  • Overcomes TCP over TCP meltdown
  • Overcomes Extra Context Switch
• Designed for Remote Access
• Centralized Access Control
• Zero user side management
• One minute deployment
• Endpoint Security
• Clientless - Access Anywhere
• Network Extension
  • Access Anything
• IPSec replacement capabilities
• Site to Site VPN over SSL
NeoAccel SSL VPN-Plus Deployment
• Site-to-Site
• Endpoint Security
• Host Checking
• Compression
• 4 Forms of Access
• Self-Updating FullClient
• Node on the Network
• Supports VOIP
• IPsec-Like Speeds
• Client-Side Cleanup
• High Availability
(Diagram: NeoAccel SSL VPN-Plus Gateway with HA in front of the Corporate Network / Data Center / DR Site (App Servers, Directory Services); Site-to-Site Access to a Branch Office; NAC Integration through the NeoAccel NAM-Plus Gatekeeper; Secure Remote Access over the Internet for roaming users, Wireless Users, Sales Users and Guest Users)
End to End Secure Access
(Diagram: protected resources – Server Farms, E-mail, MRP/ERP, Unix/NFS, Directory Store, Intranet / Web Server)
Endpoint Security Compliance
Data Transit Security
• Strong Authentication
  • Eliminate PW Spoofing
  • Ensure Non-Repudiation
• Host Checker
  • 3rd Party Software Compliance
  • Registry, processes, files, custom DLLs
  • Application Authenticity Check
  • Recurring Host Check
• Cache Cleaner
  • Eliminate session data
  • Delete temp files
Network Security Services
Hardened Appliance
• Centralized Security Gateway
• Network Security
  • DDOS Protection
  • URL Attack Protection
  • Network Firewall
  • SSL Transport
• Dynamic Authentication Policy
  • Certificate, Source IP, Host Checker, Cache Cleaner, User Agent, Interface, etc.
Dynamic Access Privilege Mgmt
Directory Integration
• Granular Authorization Rules
  • Group Based
  • URL, Host, Port
  • Client/Destination
  • End Point/Connection Check
• In-Transit Data Protection
  • Data Trap
  • Non-Cacheable HTML rendering
  • Cookies
  • Host Name Encoding
PERFORMANCE
Packet Loss Leads to Performance Degradation
• Packet Loss is a Real World problem
• Packet loss translates to severe performance degradation due to an architectural flaw in current SSL VPN products from the market leaders
• In the US, it is not unusual to see 5~8% packet loss across the public internet
• 15-20% packet loss is typical in wireless networks (i.e., 802.11)
• In some parts of Asia 50% packet loss is typical
• Worldwide average is >24% packet loss
Other SSL VPNs: Packet flow
(Diagram: flow of application TCP data (D) and ACK (A) packets and SSL tunnel data (SD) and ACK (SA) packets between the private network servers, the SSL VPN Gateway and the SSL VPN client agent running on the remote user's machine. Annotations: "This is what will be achieved." and "This happens when the user is working in office, i.e. connected to LAN")
Legend:
D: Application TCP data packet
A: Application TCP ACK packet
SD: SSL tunnel data packet
SA: SSL tunnel ACK packet
TCP-Over-TCP Meltdown
All 1st and 2nd Generation SSL VPNs are subject to TCP-over-TCP meltdown. NeoAccel is not!
SSL VPN : Packet Drop
(Diagram: the same packet flow as the previous figure with a dropped packet; legend as above: D application data, A application ACK, SD SSL tunnel data, SA SSL tunnel ACK)
How SSL VPN – Plus Improves Performance
• Key Technologies
  • Intelligent Compression Acceleration Architecture (ICAA): Overcomes TCP over TCP meltdown
  • Transparent SSL (TSSL): Kernel ported SSL encryption engine. Reduces context switching
  • Acceleration Triggered Compression Engine (ATCE): Intelligent compression
SSL VPN – Plus : Packet Drop
(Diagram: the SSL VPN-Plus packet flow with a dropped packet between the private network servers, the SSL VPN Gateway and the SSL VPN client agent running on the remote user's machine; legend as above: D application data, A application ACK, SD SSL tunnel data, SA SSL tunnel ACK)
Non NeoAccel SSL VPN very slow, huge Packet Loss; TCP-Over-TCP problem
(Diagram: on both the Client and the Gateway, the L3 SSLVPN Module and OpenSSL run in User Mode above a VNIC (TUN/TAP) and the TCP/IP Stack in Kernel Mode; the packet flowing across the network is layered IP / TCP / SSL / IP / TCP / Data, i.e. the application's TCP segment is carried inside a second TCP connection; context switches per packet: Client 2, Server 2)
NeoAccel SSL VPN-Plus: Packet Flow
(Diagram: on both the Client and the Server, NeoAccel SSL VPN-Plus ICAA is integrated with kernel-level SSL beneath the TCP/IP Stack in Kernel Mode; the packet flowing across the network is layered IP / TCP / SSL / Node header / Data, with no second TCP layer; context switches: Client 0, Server 0)
Packet Processing and VPNization of TCP data
Comparison of NeoAccel vs. Others
(Diagram: protocol stack comparison of IPSec, a conventional SSL VPN and NeoAccel SSL VPN-Plus, showing where the App, TCP, IP, SSL, IPSec, ICAA, TSSL and Enet layers sit relative to the User/Kernel boundary; the conventional SSL VPN stack carries TCP over TCP and its SSL layer in user mode)
Why ICAA?
• It is observed that other SSL VPN vendors simply tunnel (proxy) a complete Ethernet frame over the SSL connection to the private network, resulting in two TCP layers for each packet. This results in a redundant layer of reliability, which causes the TCP-over-TCP meltdown problem. (Slide 4)
• Many applications are not designed to work over varying-bandwidth, lossy networks like the Internet.
• There are known issues with the TCP layer when working over the Internet. In the case of SSL VPNs, when multiple application TCP connections are tunneled into a single TCP connection, the effect of TCP problems is increased exponentially. This results in frequent connection disconnects.
ICAA Benefits
• ICAA avoids the overhead of the extra reliability layer induced by tunneling application TCP traffic into the SSL VPN TCP tunnel.
• ICAA reduces TCP packet loss recovery time by 30 times by avoiding tunneling of a TCP connection inside another TCP connection.
• ICAA avoids the TCP layer limitations which make TCP unsuitable for remote application connections over a WAN with varying bandwidth and congestion. ICAA avoids per-application-connection parameters like TCP window size and congestion window; the parameters of the single SSL VPN TCP tunnel are applied to all application connections.
• ICAA does not let application connections flow over the WAN, thus avoiding the TCP slow start problem and fragmentation, and avoids congestion control algorithm limitations for each application connection.
• Even in 0% packet loss networks (like a LAN), the number of packets is reduced by 50% straightaway.
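The two architectures contrasted in the Why ICAA? and ICAA Benefits slides, as an added simplified discrete-event model written for this page (not NeoAccel's code): a conventional tunnel carries the application's TCP segments and ACKs inside a reliable outer TCP, so an outer loss can trip the inner retransmission timer and push a duplicate into the tunnel, whereas terminating the application TCP at the client agent keeps only payload on the WAN. The timing values, the stop-and-wait application flow and the fixed RTOs are assumptions chosen to make the interaction visible.

```python
import heapq
import random


def simulate(tunneled, segments, loss, rtt, inner_rto, outer_rto, seed=7):
    """Event-driven model of one application TCP flow crossing a lossy WAN.

    tunneled=True : conventional SSL VPN. The application's TCP segments and
                    its ACKs are all carried inside the reliable SSL/TCP tunnel,
                    so two retransmission timers race on every loss.
    tunneled=False: ICAA-style. The client agent terminates the application
                    TCP locally (its ACKs never cross the WAN) and only the
                    payload enters the tunnel, which alone recovers from loss.
    Times are in ms. Simplifications (assumed): stop-and-wait application TCP,
    fixed RTOs, loss hits tunnel packets that carry data, pure tunnel ACKs are
    never lost and are not counted in wan_packets.
    """
    rng = random.Random(seed)
    owd = rtt // 2                           # one-way delay across the WAN
    events, seqno = [], [0]                  # heap of (time, tiebreak, kind, arg)
    stats = {"wan_packets": 0, "outer_retransmits": 0,
             "inner_retransmits": 0, "finish": None}
    delivered, inner_acked, outer_unacked, oid = set(), set(), {}, [0]

    def schedule(t, kind, arg):
        seqno[0] += 1
        heapq.heappush(events, (t, seqno[0], kind, arg))

    def outer_send(t, payload, retrans=False):
        oid[0] += 1
        outer_unacked[oid[0]] = payload
        stats["wan_packets"] += 1
        stats["outer_retransmits"] += int(retrans)
        if rng.random() >= loss:             # packet survives the WAN
            schedule(t + owd, "outer_deliver", (oid[0], payload))
        schedule(t + outer_rto, "outer_timeout", oid[0])

    def inner_send(t, seq):
        outer_send(t, ("data", seq))
        if tunneled:
            schedule(t + inner_rto, "inner_timeout", seq)
        elif seq + 1 < segments:             # agent ACKs locally: next segment at once
            schedule(t + 1, "inner_send", seq + 1)

    inner_send(0, 0)
    while events:
        t, _, kind, arg = heapq.heappop(events)
        if kind == "inner_send":
            inner_send(t, arg)
        elif kind == "inner_timeout" and arg not in inner_acked:
            stats["inner_retransmits"] += 1  # duplicate enters the reliable tunnel
            outer_send(t, ("data", arg))
            schedule(t + inner_rto, "inner_timeout", arg)
        elif kind == "outer_timeout":
            payload = outer_unacked.pop(arg, None)
            if payload is not None:          # the tunnel recovers the loss itself
                outer_send(t, payload, retrans=True)
        elif kind == "outer_acked":
            outer_unacked.pop(arg, None)
        elif kind == "outer_deliver":
            pkt_id, (ptype, seq) = arg
            schedule(t + owd, "outer_acked", pkt_id)
            if ptype == "data":
                delivered.add(seq)
                if tunneled:                 # server's app-level ACK rides the tunnel back
                    outer_send(t, ("ack", seq))
                if len(delivered) == segments:
                    stats["finish"] = t
                    break
            elif seq not in inner_acked:     # client app finally sees its ACK
                inner_acked.add(seq)
                if seq + 1 < segments:
                    schedule(t, "inner_send", seq + 1)
    return stats


def compare(segments=50, loss=0.2, rtt=100, inner_rto=200, outer_rto=150):
    """Run both architectures with identical parameters and return their stats."""
    return {"tunneled": simulate(True, segments, loss, rtt, inner_rto, outer_rto),
            "icaa": simulate(False, segments, loss, rtt, inner_rto, outer_rto)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With zero loss the tunneled run sends exactly twice as many data-carrying WAN packets as the terminated one (the slide's 50% figure), and with loss only the tunneled run shows inner-TCP retransmissions on top of the tunnel's own recovery.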
Conventional SSL implementation slows down the gateway
Total User/Kernel Context Switches: 13
(Diagram: message sequence between the Host TCP/IP Stack, the Hardware Accelerator and the SSL Web Server)
• SYN / SYN+ACK / ACK
• Client Hello
• Server Hello, Server Certificate, Server Hello Done
• Client Key Exchange, Change cipher spec, client Finish
• Change cipher spec, Server Finish
• Encrypted Request
• Encrypted Response
Hardware Accelerator operations shown: True Random Number Generator, BN Mod Exponent, 3DES Decrypt, SHA-1 Calculation, 3DES Encrypt, SHA-1 Calculation
NeoAccel’s TSSL Engine speeds up by saving 10 Context Switches
Total User/Kernel Context Switches: 3
(Diagram: SSL Connection Establishment between the Host TCP/IP Stack, the Hardware Accelerator, the TSSL Engine and the Web Server)
• SYN / SYN+ACK / ACK
• Client Hello
• Server Hello, Server Certificate, Server Hello Done
• Client Key Exchange, Change cipher spec, client Finish
• Change cipher spec, Server Finish
• Encrypted Request
• Encrypted Response
Why TSSL?
• It was observed that other SSL VPN vendors do encryption/decryption at the application layer, which is normally implemented at a less privileged level in an OS (Slide 3, 4). This results in slow SSL processing and hence high latency for application connections.
• The high CPU context switching results in slower packet processing, higher latency, less throughput and fewer user logins/sec.
• Because SSL processing is done in user mode (the less privileged mode of the OS), there is an overhead between the SSL module and SSL hardware accelerator cards. This results in less output from the SSL hardware accelerator cards.
TSSL Benefits
• TSSL avoids CPU context switching on both the SSL VPN Gateway and the Client while handling each application connection over the SSL VPN, resulting in high tunnel throughput.
• TSSL helps the CPU spend less time on non-VPN related tasks and process VPN data faster, resulting in low latency and more user logins per second.
• TSSL enables the SSL VPN Gateway and SSL VPN Client to do bulk encryption, resulting in better throughput.
• TSSL reduces the communication overhead between the SSL VPN Gateway and the SSL accelerator card, resulting in maximum throughput and more SSL transactions per second.
• TSSL helps control the latency added by SSL processing for real-time traffic like VOIP and video.
Why ATCE (Dynamic Compression)?
• Other VPN solutions have a switch-like (ON/OFF) functionality for compression.
• Compression benefits are truly based on the available bandwidth and the current load on the VPN gateway. Other VPNs do not consider these factors.
• ON/OFF functionality makes compression increase the load on the VPN gateway even when compression of the data is not required.
ATCE Benefits
• Calibrates compression benefits at regular intervals.
• Low-bandwidth connections get more compression benefit compared to users with higher Internet bandwidth.
• Data is compressed only if the data is compressible.
• Optimizes the load/bandwidth ratio.
Performance Comparison
NeoAccel SSL VPN-Plus vs. SonicWALL SSLVPN 200
(Bar chart: Throughput in KBytes/sec for SSL VPN-Plus (ICAA disabled), SSL VPN-Plus ICAA and SonicWALL 200 in two configurations, "No Encryption/Layer 2" and "No Encryption/Routed"; the plotted bar heights were 3510, 3362, 1587, 1360 and 460 KBytes/sec, but the series-to-bar mapping is not recoverable from the extracted text)
DEPLOYMENTS
SSL VPN-Plus
Providing a single point of entry for all remote application needs, secure, reliable and user friendly.
A Simple SSL VPN-Plus Solution deployment
(Diagram: a Wireless/mobile user connecting through the NeoAccel SSL VPN-Plus Gateway to the Private Corporate Network)
Deployment Options
COMPONENTS
Various Components
• Gateway: Base OS
  • NeoAccel Hardened OS
• SSL VPN-Plus Gateway
• Authentication Module
  • Local Database
  • LDAP
  • AD
  • Radius
  • RSA Secure ID
  • Certificate based authentication
  • ACLs: Network and Application Access Control
• Authorization Module
• Auditing
• End Point Security
Various Components Contd.
• Access Terminals
  • SSL VPN-Plus portal: Clientless access named Web Access Terminal. Supports IE 5.0 & above, Firefox, Netscape
  • SSL VPN-Plus client
    • QAT: Browser integrated Java based port forward client. Supports Windows 2000, Windows XP, Windows Vista, Windows Server 2000 & 2003
    • PHAT: Network Extension client. Supports Windows 98, Windows 2000, Windows XP, Windows Vista, Windows Server 2000 & 2003, Windows Mobile, Red Hat 9.0, Red Hat EL 3, Knoppix, Debian, Mac OS X
• Management Console
  • Requires JRE 1.4.2 or above on administrator’s PC
Full-Range, High-Capacity Product Line
Feature                SGX-800       SGX-1200            SGX-2400     SGX-4800
Target Market          Entry-Level   Sm-Med Enterprise   Enterprise   Large Enterprise
Concurrent Users       50            100                 2,000        10,000
Throughput             100Mbps       250 Mbps            500 Mbps     950Mbps
Operating System       NHOS*         NHOS                NHOS         NHOS
Gigabit Interfaces     4             2                   2            2
High Availability      Yes           Yes                 Yes          Yes
Hardware Acceleration  ─             ─                   √            √
Dual Power Supply      ─             ─                   √            √
Dual Hard Drives       ─             ─                   √            √
*NeoAccel Hardened Operating System
NeoAccel Management Console
Module 1
NeoAccel Management Console
The NeoAccel Management Console (NMC) is a Java-based administration console. To access the NMC, open a web browser and enter the following path:
http(s)://<ipaddress>/sslvpn-plus/nmc
Example: https://192.168.10.1/sslvpn-plus/nmc
To access the NMC from the Internet, configure your firewall to allow TCP port 443 and TCP port 8090. Be sure to allow pop-up windows from the NMC URL.
Access Management Console (contd.)
• Management Console login:
• Default power-user credentials: admin/admin
Menu Bar
The Menu Bar at the top of the browser has multiple options:
• Logout: log out of the NMC
• Refresh: refresh the NMC screen
• Save: save the current running configuration
• Change Password: change the admin password (recommended)
• About: copyright information
• Help: open Help resources
General
The landing page is System/General, which displays information such as Version Number, Processor Information, Memory Utilization and interface information.
Interface Configuration
The interface configuration allows the administrator to change the IP address information for each network interface adapter.
To configure the SSL VPN-Plus Gateway for single-arm mode, select the desired interface, check the box “Configure for Single ARM mode” and click Save.
Advanced configuration allows specifying Link speed & MTU size.
Route
The route menu option displays currently configured routes. To add routes
to other networks select the Add button and provide the necessary information.
DNS
The DNS and Hosts Configuration sets parameters related to the SSL VPN-Plus Gateway: the Hostname, the Primary and Secondary DNS servers, and static hostname-to-IP-address mappings.
NMC Administration
Multiple administrators can be created with different levels of access to the appliance configuration, ranging from full control to restricted or read-only access. 1 Full control, 8 Restricted and 8 Read only administrators can be configured.
Module 2 – SSL VPN-Plus
Module 2 focuses on creating and configuring the SSL VPN-Plus Gateway
instance that end users will establish the tunnel with. It is possible and often
useful to run multiple instances or gateways on a single device. This allows
the administrator to provide different options for user connectivity.
One example would be configuring a separate gateway for third party business
partners who need tunnel connectivity. Creating a separate gateway with a single
authentication source and other options is an effective way to plan your Remote
Access strategy.
Gateways
The Gateways menu allows you to Add/Modify/Remove gateways and
parameters. The right hand side of the screen lists the configured options.
Modify Gateway
Highlight the gateway in the previous screen and select Modify. This opens a dialogue window with the General, Authentication and Advanced tabs.
The administrator can define the IP address, port, certificate and the cipher used to encrypt traffic on the SSL server. A broadcast message can optionally be specified to be displayed to all end users when they connect to the VPN.
Authentication
Select the Authentication tab to change authentication options such as enabling or disabling authentication, preventing multiple logons with the same username, and prioritizing the cascaded authentication server list.
Dual Authentication can be enabled, in which case the end user will need to authenticate twice against two different authentication servers.
Certificate Authentication
Enable Client Certificate Authentication so that the end user must present a certificate to access private network resources. The CA list contains the CA certificates to which the client certificate may belong.
The username can also be extracted from the certificate, in which case the end user is only allowed to enter a password for the username extracted from the certificate used for authentication.
Portal Customization
Portal customization allows complete redesign of how the web based access is
visible to user. Look & feel can be chosen from a list of Layout & Color schemes.
Layout scheme allows for logo, company name or title to be defined as per the
corporation.
Color scheme allows for complete change in look and feel of the portal.
Advanced
The Advanced tab sets parameters for enabling Acceleration Triggered Compression, Client Auto Update Notification, Endpoint Securing Agents, Virtual Keyboard, SSO, User Logging, timeout values and Forced Timeout.
Active Clients
The Active Clients screen shows the users who are logged into the SSL VPN-Plus and information about the tunnel established. The administrator can disconnect a single tunnel or all tunnels by selecting the appropriate button.
License
The license screen shows the type of license, number of concurrent tunnels
allowed and the option to Update License.
Update License
Select the Update License button and enter the Software Serial Number provided to you at the time of installation. Click OK.
Update License cont.
• Select Copy to Clipboard
• Open License Server
• Paste this selection into the License server and retrieve your license
• Paste the new license from clipboard
• Select OK
Certificates
Allows the administrator to Add/View/Remove SSL certificates for the gateway.
Add Certificates
Enter the certificate name and browse to the location where the certificate is stored. Select the Private Key to import the server's private key as well.
View Certificate
Allows the administrator to view the contents of the SSL certificate.
Module 3 – Users/Groups
The NeoAccel SSL VPN-Plus allows granular control of users and groups. You will find that most of the power of this access control is based on group membership. The ability to limit access methods, apply access control policies, provide resources to access, do cleanup and give the user a customized experience is gained through Group policies.
When using an external authentication source such as RADIUS or Active Directory it is not necessary to configure users directly on the gateway, provided you have selected the Group Extraction option in the configuration of the external authentication servers.
Upon presenting credentials to the PHAT client or Portal, the gateway forwards the request to the authentication server, extracts the user's group membership and applies the configured Group Policies to that user.
Authentication Servers
The SSL VPN-Plus Gateway supports the following authentication methods:
• Local Database
• Active Directory with/without Group Extraction
• RADIUS with/without Group Extraction
• LDAP with/without Group Extraction
• RSA Secure ID
• Client Certificates – X.509
SSL VPN-Plus uses a “cascading authentication” mechanism whereby the user credentials supplied at login can be validated against multiple authentication servers. Authentication servers are bound to the Gateway instance and not to the User/Group. The order of search precedence is determined by the administrator.
Menu Section
This menu selection will allow the administrator to
configure Groups, Users and Auth Servers.
List of Authentication Servers
Add Auth Server - RADIUS
• Select Server type RADIUS
• Provide an alias identifier
• Enter the IP address of the RADIUS server
• Enter the Port listening on the server
• Server timeout value in seconds
• Shared secret
• NAS IP Address
• Retry count
• Enable/Disable Group Extraction based on the Class attribute in the server
Click OK to complete the operation
Auth Servers – Active Directory
• Select Server type
• Define alias identifier
• Provide server IP address
• Set server listening port
• Set server timeout
• Configure AD search base
• Configure bindDN
• Supply user's password
• Set Login attribute name
• Set search filter
• Enable/Disable Group Extraction
(continued next slide)
Auth Servers – Active Directory cont.
• Set Group attribute name
• Sub attribute name
• Click OK to add
Useful tool for extracting information from AD:
LDAP Browser
http://www.ldapbrowser.com
Users - Local
In many cases the administrator may want to create local users for authentication rather than using an external authentication server. One example would be allowing third party personnel to use the SSL VPN-Plus tunnel: rather than adding this third party user to Active Directory, simply configure a local user.
Groups
This screen shows a list of all Groups configured on the Gateway and
allows the addition/modification or removal of Groups.
Add Group
• Supply a Group Name
• Additional description to identify the group
• Set Group Access Policies
Group - Portal
• Select Portal tab
• Enable/disable Public URL access
• Set Web App links available to this group
• Select Application list
Group – Portal cont.
• File Share list
• PHAT client package
Group – Network Extension
• Allow QAT access
• Start QAT automatically
• Set Client Configuration Name
• Select Tunnel mode
• Define Default Gateway for full tunnel
• Set Private Network list
• Add IP Pool – only necessary if using PHAT access
Group – IP Pool (PHAT client)
Select the Add button to set the IP Pool that will be assigned to the Group.
IP Pools are like DHCP addresses that are configured to provide IP Address,
Netmask, DNS servers, WINS server and other options.
Group – Private Network List
Select the Private IP network that you want to allow via the tunnel. To select
multiple subnets hold the Control key down and select then click Add.
Group – Private Network ICAA options
The administrator can enable/disable private networks from using
ICAA® technology. ICAA greatly increases traffic performance but in some
cases is not compatible with certain applications/protocols.
Exclude allows the administrator to direct the client computer to exclude
portions of a private network subnet traffic from being sent over VPN tunnel.
Group – Logon & Logoff Scripts
Upload scripts to be executed when the user connects to the VPN or at the end of the user's VPN session. Scripts can be batch, Java or VB based.
Group – End Point Protection
The administrator can enable certain data cleanup mechanisms for the set of users belonging to a group.
Either browser cache cleanup can be enabled, or blocking of cut/copy/paste can be enabled for the duration of the end user's session.
Secure Workspace can be activated so that the end user must work inside a secure desktop; all data is stored in encrypted form on the end user's machine, and traces of it are deleted at the end of the user's VPN session.
Authorization
The Authorization menu selection allows the administrator to configure Access Control Policies, Endpoint Security scans and Security Zones.
Access Control Policies - ACL
This screen is a repository of configured ACLs. These ACLs can be applied to Groups and Security Zones to control user access. Much like firewall rules, take caution in applying these rules.
Add Policy – Network ACL
Add Policy – Application ACL
Blacklist / whitelist a specific set of applications from being executed during the VPN session, on the basis of the name or MD5 of the process.
Block VPN Access allows execution of the process but disallows any of the traffic generated by the process from being sent over the VPN tunnel.
Apply Group Access Control Policy
• Select Groups
• Modify
• Add ACL on General tab and set priority
• OK
Endpoint Security Policies
Endpoint Security Policies allow the administrator to define machine-specific scans to validate whether the client computer meets the security policies of the company. These security scans (host validation) run before user authentication.
The administrator can configure scans for the following items:
• File
• Process
• Registry
• Ports
• Services
• WMI
• Certificate Template
EPS policies are evaluated in the following order of precedence:
Zone = AND
Policy = OR
Rule = AND
Endpoint Security Policies
The SSL VPN-Plus comes with approximately 100 pre-configured Endpoint Security checks. The administrator can create custom checks by selecting the Add button.
Modify Existing Policy
Creating Process Policy
To create a Process policy, use the Windows Task Manager to locate the running process to test for and note the executable name. In this case the test will check for Skype.exe running.
Add Policy – Skype running
Select Add Rule and enter the required information.
Completed Skype EPS check
EPS - File
The administrator can check for the following attributes of Files by specifying
the File Name and full path and File Properties.
© 2005-06 NeoAccel, Inc.
EPS - Registry
The administrator can test for the Existence of Registry entries.
© 2005-06 NeoAccel, Inc.
EPS – Registry cont.
The above example would check to determine if the client machine is
a member of the company domain
© 2005-06 NeoAccel, Inc.
EPS – Port Status
This allows the administrator to perform a basic port scan on the
Client machine to determine whether certain ports are open/closed/listening
© 2005-06 NeoAccel, Inc.
EPS - Service
This scan detects whether a given Windows service is present on the client computer and whether it is Running or Not Running.
EPS - WMI
WMI (Windows Management Instrumentation) exposes the dynamic management data of Windows. Rules created using WMI are used to check the health of the firewall, anti-virus and anti-spyware products.
EPS – Certificate Template
This scan performs a watermark check of the end user's machine to identify a corporate-issued machine, by testing for a certificate issued from the specified certificate template.
Security Zones
Once the administrator has configured EPS policies, the results of the EPS scan, taken when the client establishes a tunnel and before the user authenticates, determine Zone membership. SSL VPN-Plus ships with 5 pre-configured Zones and allows up to 40 different security zones to be created.
Membership evaluation starts at the highest (most trusted) zone and, based on the Pass/Fail result of each zone's EPS policies, traverses downward into lower zones, where ACLs may be applied to limit resource access.
Zones allow the administrator to override Group policies and control access based upon the validation of the client computer.
In general one should never add an allow policy to a Security Zone, with the exception of the Quarantine Zone: zone ACLs should only narrow what the Group already grants.
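The following is an added worked example, not NeoAccel's code, showing how the precedence listed under Endpoint Security Policies (Zone = AND, Policy = OR, Rule = AND) and the top-down zone assignment described above fit together. It assumes that a Zone holds Policies, a Policy holds Rules and a Rule holds conditions, and it evaluates a constructed host snapshot instead of running live Windows scans; the zone, policy, product, file and registry names are illustrative.

```python
# Added example (not NeoAccel's code): an Endpoint Security Policy evaluator
# using the Zone = AND / Policy = OR / Rule = AND precedence from the slides,
# followed by the top-down zone assignment described under Security Zones.
# Assumptions: Zone -> Policies -> Rules -> conditions; the host is a
# constructed snapshot dict; all names below are illustrative.
from dataclasses import dataclass
from typing import Callable, Dict, List

Host = Dict[str, object]        # constructed snapshot of one client machine
Check = Callable[[Host], bool]  # one condition inside a Rule


def make_host(**parts) -> Host:
    base = {"processes": [], "files": [], "registry": {},
            "listening_ports": set(), "services": {}, "wmi": {}}
    base.update(parts)
    return base


# Condition builders, one per EPS scan type listed on the slides.
def process_running(exe: str) -> Check:
    return lambda h: exe.lower() in {p.lower() for p in h["processes"]}

def file_present(path: str) -> Check:
    return lambda h: path.lower() in {f.lower() for f in h["files"]}

def registry_equals(key: str, value: str) -> Check:
    return lambda h: h["registry"].get(key) == value

def port_not_listening(port: int) -> Check:
    return lambda h: port not in h["listening_ports"]

def service_running(name: str) -> Check:
    return lambda h: h["services"].get(name) == "Running"

def wmi_product_healthy(category: str, product: str) -> Check:
    return lambda h: h["wmi"].get(category, {}).get(product) is True  # stands in for a WMI query

def negate(check: Check) -> Check:
    return lambda h: not check(h)


@dataclass
class Rule:
    name: str
    conditions: List[Check]     # Rule = AND of its conditions
    def passes(self, h: Host) -> bool:
        return all(c(h) for c in self.conditions)

@dataclass
class Policy:
    name: str
    rules: List[Rule]           # Policy = OR of its rules
    def passes(self, h: Host) -> bool:
        return any(r.passes(h) for r in self.rules)

@dataclass
class Zone:
    name: str
    policies: List[Policy]      # Zone = AND of its policies
    def passes(self, h: Host) -> bool:
        return all(p.passes(h) for p in self.policies)
    def failed_policies(self, h: Host) -> List[str]:
        return [p.name for p in self.policies if not p.passes(h)]


def assign_zone(zones: List[Zone], h: Host, fallback: str = "Quarantine") -> str:
    """Walk zones from most trusted downward; the first zone whose policies all
    pass wins. A host failing every zone lands in Quarantine, the only zone that
    should carry allow ACLs."""
    for z in zones:
        if z.passes(h):
            return z.name
    return fallback


DOMAIN_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain"  # illustrative
DOMAIN_MEMBER = Policy("Domain member", [
    Rule("Joined to corp.example", [registry_equals(DOMAIN_KEY, "corp.example")])])
CORP_IMAGE = Policy("Corporate image", [
    Rule("Image marker file", [file_present(r"C:\ProgramData\Corp\image.txt")])])
AV_HEALTHY = Policy("Anti-virus healthy", [     # either vendor satisfies the policy (OR)
    Rule("Vendor A", [service_running("VendorASvc"), wmi_product_healthy("antivirus", "Vendor A")]),
    Rule("Vendor B", [service_running("VendorBSvc"), wmi_product_healthy("antivirus", "Vendor B")])])
NO_SKYPE = Policy("No Skype running", [Rule("Skype.exe absent", [negate(process_running("Skype.exe"))])])
NO_OPEN_RDP = Policy("RDP not exposed", [Rule("3389 not listening", [port_not_listening(3389)])])

ZONES = [   # most trusted first, the order in which the gateway walks them
    Zone("Trusted", [DOMAIN_MEMBER, CORP_IMAGE, AV_HEALTHY, NO_SKYPE, NO_OPEN_RDP]),
    Zone("Semi-Trusted", [AV_HEALTHY]),
]

# Constructed host snapshots.
CORP_LAPTOP = make_host(processes=["explorer.exe", "outlook.exe"],
                        files=[r"C:\ProgramData\Corp\image.txt"],
                        registry={DOMAIN_KEY: "corp.example"},
                        services={"VendorASvc": "Running"},
                        wmi={"antivirus": {"Vendor A": True}}, listening_ports={445})
HOME_PC = make_host(processes=["explorer.exe", "Skype.exe"],
                    services={"VendorBSvc": "Running"},
                    wmi={"antivirus": {"Vendor B": True}}, listening_ports={3389})
KIOSK = make_host(processes=["explorer.exe"], listening_ports={3389})


def classify(hosts: Dict[str, Host]) -> Dict[str, str]:
    return {name: assign_zone(ZONES, h) for name, h in hosts.items()}
```

Running `classify({"corp": CORP_LAPTOP, "home": HOME_PC, "kiosk": KIOSK})` places the domain-joined laptop in Trusted, the home PC (healthy anti-virus, but Skype running, RDP listening and no domain membership) in Semi-Trusted, and the kiosk in Quarantine; `ZONES[0].failed_policies(HOME_PC)` lists the policies the home PC missed, which is the information the "Show Endpoint Security Details" client option would surface to the user.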
Zones
EPS – Modify Zone
Allows modification of the EPS checks assigned to a particular Zone.
EPS – Modify Zone with ACL
This example denies RDP when the client has been placed in the Semi-Trusted Zone.
EPS Upgrade
Periodic synchronization with the Global EPS Upgrade server updates the factory-default list of policies to cover new releases of firewalls, anti-virus products and so on, as well as Windows security patches and service packs.
Module 5 – Network Extension
Network Extension configures the parameters used for PHAT client access as well as for QAT.
Dynamic IP Address – IP Pool
• Functions like DHCP
• Create multiple pools for assignment to groups
Create Dynamic IP Address Config
Set a name, IP range, netmask, primary and secondary DNS servers and DNS suffix, plus a WINS server if necessary, and select OK.
Private Network Lists
• Define the private network resources that users' tunnels will access
• Set multiple subnets/hosts for use by Groups
Create Private Network Profile
Set Name, Private Network, Netmask, Gateway if necessary, and Ports if desired.
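As an added example, not the product's own code, the block below models both objects configured above: a dynamic IP pool that hands out tunnel addresses the way the slides describe ("functions like DHCP"), and a private network profile with network, netmask, optional gateway and ports. It adds the two checks an administrator wants before assigning these to a Group: whether a given flow is covered by a profile at all, and whether a pool overlaps a private network. Class names, sample ranges and profile names are assumptions for illustration.

```python
# Added example (not NeoAccel's code): IP pool leasing, private network
# profiles and two configuration checks. Names and ranges are illustrative.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class IPPool:
    name: str
    first: str                 # first assignable address of the range
    last: str                  # last assignable address of the range
    netmask: str
    dns: List[str] = field(default_factory=list)
    dns_suffix: str = ""
    wins: Optional[str] = None
    leases: Dict[str, str] = field(default_factory=dict)   # address -> user

    def __post_init__(self) -> None:
        self.network = ipaddress.ip_network(f"{self.first}/{self.netmask}", strict=False)
        lo, hi = ipaddress.ip_address(self.first), ipaddress.ip_address(self.last)
        if not (lo in self.network and hi in self.network and lo <= hi):
            raise ValueError(f"{self.name}: range {self.first}-{self.last} is not inside {self.network}")
        if lo == self.network.network_address or hi == self.network.broadcast_address:
            raise ValueError(f"{self.name}: network and broadcast addresses are not assignable")
        self.addresses = [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]

    def lease(self, user: str) -> Optional[str]:
        """Return the user's existing address, else the first free one, else
        None when the pool is exhausted (the user gets no tunnel address)."""
        for addr, owner in self.leases.items():
            if owner == user:
                return addr
        for addr in self.addresses:
            if addr not in self.leases:
                self.leases[addr] = user
                return addr
        return None

    def release(self, user: str) -> None:
        self.leases = {a: u for a, u in self.leases.items() if u != user}


@dataclass
class PrivateNetwork:
    name: str
    network: str
    netmask: str
    gateway: Optional[str] = None
    ports: Optional[Set[int]] = None      # None means every port

    def __post_init__(self) -> None:
        # strict=True rejects a "network" with host bits set, a common typo
        self.net = ipaddress.ip_network(f"{self.network}/{self.netmask}", strict=True)
        if self.gateway and ipaddress.ip_address(self.gateway) not in self.net:
            raise ValueError(f"{self.name}: gateway {self.gateway} is outside {self.net}")

    def covers(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ipaddress.ip_address(dst_ip) in self.net
        return in_net and (self.ports is None or dst_port in self.ports)


def tunnel_profile(profiles: List[PrivateNetwork], dst_ip: str, dst_port: int) -> Optional[str]:
    """Name of the first profile that covers the flow; None means the flow is
    not a tunnel destination and bypasses the VPN."""
    for p in profiles:
        if p.covers(dst_ip, dst_port):
            return p.name
    return None


def overlapping_profiles(pool: IPPool, profiles: List[PrivateNetwork]) -> List[str]:
    """A pool that overlaps a private network gives clients addresses that
    collide with the very resources they tunnel to."""
    return [p.name for p in profiles if pool.network.overlaps(p.net)]


# Constructed sample configuration.
SALES_POOL = IPPool("sales-pool", "10.250.1.10", "10.250.1.20", "255.255.255.0",
                    dns=["10.10.0.53"], dns_suffix="corp.example")
PROFILES = [
    PrivateNetwork("Intranet", "10.10.0.0", "255.255.0.0"),
    PrivateNetwork("Mail", "10.20.5.25", "255.255.255.255", ports={25, 143, 443}),
]
```

With this configuration `tunnel_profile(PROFILES, "10.20.5.25", 22)` returns None because SSH to the mail host is not in the profile's port list, `SALES_POOL.lease("alice")` returns the first address of the range and gives the same address back on a repeat call, and adding a profile such as `PrivateNetwork("Lab", "10.250.0.0", "255.255.0.0")` is flagged by `overlapping_profiles` because it contains the pool.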
Client Configuration Lists
• Set client configuration options that apply to both PHAT and QAT
Add Client Configuration
The Client Configuration allows the administrator to define various parameters to be applied. These parameters are then applied at the Group level to control features such as Show Endpoint Security Details, Idle Timeouts, use of DHCP for IP assignment and other options.
Installation Package Configuration PHAT
• Create PHAT packages to be delivered to end users
• Create multiple PHAT packages and assign them based on Group membership
Add Installation Package
Set the various client options for use with the PHAT client.
Module 6 - Portal
The Portal selection allows the administrator to customize the web-based links that are presented to users upon successful login. The Layout and Colors selections allow branding of the web-based portal to your company's needs, including logo and colors.
Resources: the list of resources that are made available to Groups.
Web Application: creates a quick link for users to access internal or external websites.
Thin Applications: configures Telnet, RDP, VNC and SSH access, which lets Groups use the integrated Java-based applets.
File Access: defines web-based file access to CIFS file servers or shared directories.
Layout: changes the Login and Portal page logos, titles and the PHAT client banner.
Colors: modifies the web portal color scheme to meet your needs.
Module 7 - Firewall
Add Filter Rule
Add Port Mapping
Module 8 - Tools
Ping
ARP
System Date/Time
Allows the administrator to set the date and time manually or to synchronize with an external NTP server.
Miscellaneous
Allows import and export of the current configuration, along with other options. Pay special attention to the Client Upgrade URL: it determines where clients fetch their software upgrades, so it should point only at a server you control.
Reboot / Shutdown
Allows the administrator to reboot the gateway or shut it down gracefully.
Module 9 - Logs
Logs - User Settings
Enable logging for the appliance; logs can either be stored locally on the appliance or sent periodically to an external syslog server. Forwarding to an external syslog server keeps an audit trail that survives a full local log store or a compromised gateway.
Logs can be viewed on the system by selecting View Logs. The view refreshes every 10 seconds.
Logs - Reporting
Generate log reports for a specific period of time and apply filters to pinpoint specific log entries. These reports can be viewed in the NMC, exported to CSV for use in a spreadsheet such as Excel, or printed.
Logs - Statistics
View, save or print statistics on a daily or weekly basis. Administrators can use them for statistical analysis of appliance usage.
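The block below is an added example, not NeoAccel's code, of what the Reporting and Statistics functions above do with gateway log data once it has reached a syslog collector: parse the lines, filter them by period and by field, export the result as CSV, count events per day or per ISO week, and run one detection over the same entries. The log lines and their "timestamp host tag: key=value ..." layout are constructed for this example and are not the appliance's real log format.

```python
# Added example (not NeoAccel's code): reporting, CSV export, daily/weekly
# statistics and a failed-login detection over constructed gateway log lines.
# The line format below is assumed for illustration, not the appliance's own.
import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """\
2009-03-02T08:01:11 vpn-gw1 sslvpn: event=login_ok user=alice src=203.0.113.7 zone=Trusted
2009-03-02T08:03:40 vpn-gw1 sslvpn: event=login_fail user=bob src=198.51.100.9 reason=bad_password
2009-03-02T08:04:02 vpn-gw1 sslvpn: event=login_fail user=bob src=198.51.100.9 reason=bad_password
2009-03-02T08:04:30 vpn-gw1 sslvpn: event=login_fail user=bob src=198.51.100.9 reason=bad_password
2009-03-02T08:05:10 vpn-gw1 sslvpn: event=login_ok user=bob src=198.51.100.9 zone=Semi-Trusted
2009-03-02T17:30:00 vpn-gw1 sslvpn: event=logout user=alice src=203.0.113.7
2009-03-03T09:12:45 vpn-gw1 sslvpn: event=eps_fail user=carol src=192.0.2.44 policy=av_healthy
2009-03-03T09:13:02 vpn-gw1 sslvpn: event=login_ok user=carol src=192.0.2.44 zone=Quarantine
2009-03-09T10:00:00 vpn-gw1 sslvpn: event=login_ok user=alice src=203.0.113.7 zone=Trusted
"""


@dataclass
class Entry:
    ts: datetime
    host: str
    event: str
    fields: Dict[str, str]


def parse(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _tag, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        entries.append(Entry(datetime.fromisoformat(ts), host, fields.pop("event"), fields))
    return entries


def report(entries: List[Entry], start: str, end: str, **match: str) -> List[Entry]:
    """Entries in [start, end) (ISO dates/timestamps) whose event, host or
    fields equal every filter given, e.g. report(e, "2009-03-02", "2009-03-03", user="bob")."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    out = []
    for e in entries:
        attrs = {"event": e.event, "host": e.host, **e.fields}
        if lo <= e.ts < hi and all(attrs.get(k) == v for k, v in match.items()):
            out.append(e)
    return out


def to_csv(entries: List[Entry]) -> str:
    cols = ["timestamp", "host", "event"] + sorted({k for e in entries for k in e.fields})
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    w.writeheader()
    for e in entries:
        w.writerow({"timestamp": e.ts.isoformat(), "host": e.host, "event": e.event, **e.fields})
    return buf.getvalue()


def stats(entries: List[Entry], period: str = "daily") -> Dict[str, Counter]:
    """Event counts per calendar day, or per ISO week when period="weekly"."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        if period == "weekly":
            year, week, _ = e.ts.isocalendar()
            key = f"{year}-W{week:02d}"
        else:
            key = e.ts.strftime("%Y-%m-%d")
        out[key][e.event] += 1
    return dict(out)


def failed_login_sources(entries: List[Entry], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Source addresses with at least `threshold` login_fail events inside any
    `window`: the shape of a password-guessing attempt against the portal."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in entries:
        if e.event == "login_fail":
            by_src[e.fields.get("src", "?")].append(e.ts)
    flagged = []
    for src, times in by_src.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(src)
    return flagged
```

On the sample data, `report(parse(SAMPLE_LOG), "2009-03-02", "2009-03-03", user="bob")` returns bob's three failures and the login that followed them, `stats(..., "weekly")` splits the entries across 2009-W10 and 2009-W11, and `failed_login_sources` flags 198.51.100.9 because its three failures fall within fifty seconds; raising `threshold` to 4 clears it, which is the knob to tune against the false-positive rate of ordinary typos.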
Thank You.