SSL VPN-Plus Training SSL VPN-Plus © 2005-09 NeoAccel, Inc. COMPANY OVERVIEW © 2005-06 NeoAccel, Inc. Company Snapshot Founded 2004 Offices – Founder: Michel Susai – Headquarters – San Jose, CA • Former Chairman and CEO, and Founder of NetScaler (Acquired by Citrix for $325M) – First Product Shipped Oct 2005 Technology Focus – Secure Remote Access: SSL VPN-Plus™ – Network Access Control: NAM-Plus™ – SSL Based Site to Site VPN Competitive Advantage – Patented Architecture (ICAA™) – 24-Month Technology Lead Sales Strategy – Enterprise, OEM, Channel © 2005-06 NeoAccel, Inc. – Regional Sales Offices • Boston, Houston, San Jose • India, China, Japan Investors – Institutional • Baring Private Equity • NTT – Angel • Sabeer Bhatia (Co-Founder, Hotmail) • Prabhu Goel (Inventor, Verilog) Sample Customers OEM Service Providers Enterprise Financial Higher Education Health Care Manufacturing Utilities Non-Profit Engineering Insurance Gov’t Automotive Real Estate Construction Logistics Marketing Online Security IT Services Retail © 2005-06 NeoAccel, Inc. Awards and Recognitions SSL VPN Magic Quadrant Q307 "The company [NeoAccel] ... has established multiple OEM deals and sold well in the first half of 2007, ... outperforming some older and established companies." -- Gartner SSL VPN MQ 2007 © 2005-06 NeoAccel, Inc. REMOTE ACCESS © 2005-06 NeoAccel, Inc. Remote Access? • Access Secure Application Servers to update customer information or submitting a daily report • Access Corporate Email server • Access Mission Critical Application Servers when at customer site • Access Corporate Intranet to get latest information or checking status of your leave application © 2005-06 NeoAccel, Inc. Who Needs Remote Access? • • • • • • • Consultants Partners Field Engineers and Sales Team Remote Office Employees Off office hours workers Roaming Executives Bridge branch offices to corporate centre © 2005-06 NeoAccel, Inc. Why VPN? • When Alice talks to Bob © 2005-06 NeoAccel, Inc. • Confidential • Integrity • Authentication VPN Technologies? • PPTP • L2TP • IPSec • SSL © 2005-06 NeoAccel, Inc. IPSec Features • • • • • Site-to-Site Access Complete network access Transparent to Applications Least effect on performance Good security © 2005-06 NeoAccel, Inc. SSL VPN – Secure Socket Layer VPN • Uses SSL protocol for confidentiality, authentication and integrity and then proxies to provide authorized and secure access for private network resource like Web, Client/Server, file sharing etc. • Two modes • Clientless: Proxies web-based applications and uses inbuilt SSL support in browsers to establish VPN and deliver web traffic. • Network Extension: Proxies client-server application, requires a proprietary client application to establish VPN and facilitate client-server application communication © 2005-06 NeoAccel, Inc. SSL VPN Features • • • • • • • Designed for Remote Access Centralized Access Control Zero user side management One minute deployment Endpoint Security Clientless - Access Anywhere Network Extension • Access Anything © 2005-06 NeoAccel, Inc. Current State of VPNs – Remote Access • 1st-Generation VPN – IPsec – IP Address-Based Tunnels – All-or-Nothing Network Access for Employees – High License & Administration Costs Users IP Address-Based Tunnels • 2nd-Generation VPN – SSL – User-Based Tunnels – Conditional Access to Specific Applications Users – Significant Advantages over IPsec (see next slide) User-Based Tunnels 14 © 2005-06 NeoAccel, Inc. 2nd-Generation VPN Advantages over 1st Generation • Increased Security SSL VPN Drivers • User-Based Tunneling Increased security • Endpoint Security • Granular Access Control 80% Enable clientless VPNs 51% Decrease operating cost 41% Support wide variety of client platforms • Increased Return on Investment • Zero Client Software Costs • Zero Client Upgrade Costs and Pain • Zero Client Management Enable Employee access from handheld devices Enable employee access from kiosks and guest computers 38% 29% 23% % of respondents rating category a driver Source: Infonetics Research, 2006 • Universal Access • Employees, Non-Employees • Access from Any Device – No Device with VPN Client Required • Cross Platform Support (Mac, Linux, Windows, Smart Phones, PDAs) 15 © 2005-06 NeoAccel, Inc. IPSec – Why not? • • • • • • • • Not designed for remote access Traversal problem over NAT devices Firewall configuration required All corporate services are exposed on f/w No Centralized Access control Per User administration and configuration Interoperability among vendors Time consuming deployment © 2005-06 NeoAccel, Inc. What’s Missing in SSL VPN • Performance Degradation • SSL VPN falls prey to TCP over TCP melt-down • Extra context switching of SSL VPN’s causes performance loss • Poor End User Experience • Limited or no connectivity over low bandwidth or high packet loss networks like • Wireless • DSL • Data Cards • Increased Support Cost • No Site to Site VPN capabilities © 2005-06 NeoAccel, Inc. Why Companies are Not Buying SSL ? • Extra context switching of SSL VPN’s causes performance loss • SSL VPN falls prey to TCP over TCP melt-down • Performance degradation affects the SSL gateway and all users • Many companies stay with IPSec to avoid user complaints What can IT do? © 2005-06 NeoAccel, Inc. NeoAccel: The Third-Generation VPN • Increased Security – User-Based Access Control with Endpoint Security • Increased ROI, Lower TCO – 10% of IPSec Costs in Large Installations • Ubiquitous Access – Any User from Any Device • IPSec-Level (or Better) Performance • Site-to-Site VPN Support – New! © 2005-06 NeoAccel, Inc. NeoAccel SSL VPN – Plus Features • Best of World of IPSec and SSL VPN • High Performance • • • • • • • • Overcomes TCP over TCP meltdown • Overcomes Extra Context Switch Designed for Remote Access Centralized Access Control Zero user side management One minute deployment Endpoint Security Clientless - Access Anywhere Network Extension • Access Anything • IPSec replacement capabilities • Site to Site VPN over SSL © 2005-06 NeoAccel, Inc. NeoAccel SSL VPN-Plus Deployment • • • • • • • • • • • Site-to-Site Endpoint Security Host Checking Compression 4 Forms of Access Self-Updating FullClient Node on the Network Supports VOIP IPsec-Like Speeds Client-Side Cleanup High Availability App Servers Directory Services NeoAccel SSL VPN-Plus Gateway with HA Corporate Network / Data Center / DR Site Site-to-Site Access NAC Integration NeoAccel NAM-Plus Gatekeeper SSL VPN-Plus Gateway Internet Secure Remote Access roaming user Branch Office roaming user Wireless Users © 2005-06 NeoAccel, Inc. Sales Users Guest Users End to End Secure Access Server Farms E-mail MRP/ERP MRP/ERP Unix/NFS Directory Store Intranet / Web Server Endpoint Security Compliance Data Transit Security Strong Authentication • Eliminate PW Spoofing • Ensure Non-Repudiation Host Checker • 3rd Party Software Compliance • Registry, processes, files, custom DLLs • Application Authenticity Check • Recurring Host Check Cache Cleaner • Eliminate session data • Delete temp files © 2005-06 NeoAccel, Inc. Network Security Services Hardened Appliance Centralized Security Gateway Network Security • • • • DDOS Protection URL Attack Protection Network Firewall SSL Transport Dynamic Authentication Policy • Certificate, Source IP, Host Checker, Cache Cleaner, User Agent, Interface, etc. Dynamic Access Privilege Mgmt Directory Integration Granular Authorization Rules • • • • Group Based URL, Host, Port Client/Destination End Point/Connection Check • In-Transit Data Protection • Data Trap • Non-Cacheable HTML rendering • Cookies • Host Name Encoding PERFORMANCE © 2005-06 NeoAccel, Inc. Packet Loss Leads to Performance Degradation • Packet Loss is a Real World problem • Packet loss translates to severe performance degradation due to architectural flaw in current SSL VPN products from the market leaders • In the US, it is not unusual to see 5~8% packet loss across the public internet • 15-20% packet loss is typical in wireless networks (i.e., 802.11) • In some parts of Asia 50% packet loss is typical • Worldwide average is >24% packet loss © 2005-06 NeoAccel, Inc. Other SSL VPNs: Packet flow This is what will be achieved. This happens when the user is working in office, i.e. connected to LAN D A A D Private network servers A SDSAD SSL VPN client agent running on remote users machine SD SAA D SSL VPN Gateway D: Application TCP data packet A: application TCP ACK packet SD: SSL tunnel data packet SA: SSL tunnel ACK packet © 2005-06 NeoAccel, Inc. TCP-Over-TCP Meltdown All 1st and 2nd Generation SSL VPN’s are subject to TCP-Over TCP-Meltdown. NeoAccel is not! © 2005-06 NeoAccel, Inc. SSL VPN : Packet Drop This is what will be achieved. This happens when the user is working in office, i.e. connected to LAN A A D Private network servers A SADD SD SD SSL VPN client agent running on remote users machine SD SAA D SSL VPN Gateway D: Application TCP data packet A: application TCP ACK packet SD: SSL tunnel data packet SA: SSL tunnel ACK packet © 2005-06 NeoAccel, Inc. How SSL VPN – Plus Improves Performance • Key Technologies • Intelligent Compression Acceleration Architecture (ICAA) : Overcomes TCP over TCP meltdown • Transparent SSL (TSSL) : Kernel ported SSL encryption engine. Reduces Context switching • Acceleration Triggered Compression Engine (ATCE) : Intelligent compression © 2005-06 NeoAccel, Inc. SSL VPN – Plus : Packet Drop This is what will be achieved. This happens when the user is working in office, i.e. connected to LAN A D Private network servers A D SD SD DD SSL VPN client agent running on remote users machine SA SSL VPN Gateway D: Application TCP data packet A: application TCP ACK packet SD: SSL tunnel data packet SA: SSL tunnel ACK packet © 2005-06 NeoAccel, Inc. Non NeoAccel SSL VPN very slow, huge Packet Loss; TCP-Over-TCP problem Gateway Client Client Applications L3 SSLVPN Module OpenSS L OpenSSL User Mode Kernel Mode Client TCP/IP Stack NIC DLL Server TCP/IP Stack Internet VNIC- TUN/TAP IP TCP SSL IP L3 SSLVPN Module TCP VNIC- TUN/TAP NIC-1 NIC-2 Data Packet flowing across the network Client Context Switch 2 © 2005-06 NeoAccel, Inc. Server 2 Private Network NeoAccel' SSL VPN-Plus : Packet Flow Client Server Client Applications User Mode Kernel Mode NeoAccel' SSL VPN-Plus ICAA integrated with kernel level SSL NeoAccel' SSL VPN-Plus ICAA integrated with Kernel Level SSL Client TCP/IP Stack Server TCP/IP Stack Internet NIC DLL Context Switch Client Server 0 0 © 2005-06 NeoAccel, Inc. IP TCP SSL Node header NIC-1 NIC-2 Data Private Network Packet Processing and VPNization of TCP data Comparison of NeoAccel vs. Others IPSec SSL VPN App App App TCP TCP TCP Unencrypted User NeoAccel SSL VPN-Plus App SSL ICAA TSSL #1 IP IP IP TCP Kernel Enet IPSec IP Enet © 2005-06 NeoAccel, Inc. IP Enet #2 Enet Why ICAA? • It is observed that other SSL VPN vendors simply tunnel (proxy) a complete Ethernet frame over the SSL connection to private network resulting in two TCP layers for each packet. This results in redundant layer of reliability which causes TCP over TCP meltdown problem. (Slide 4) • Many of the applications are not designed to work over varying bandwidth lousy networks like Internet. • There are known issues with TCP layer when working over Internet. In case of SSL VPNs when multiple application TCP connections are tunneled into a single TCP connection, the effect of TCP problems is increased exponentially. This results in frequent connection disconnects. © 2005-06 NeoAccel, Inc. ICAA Benefits • ICAA avoids the overhead of extra reliability layer induced because of tunneling application TCP traffic into SSL VPN TCP tunnel. • ICAA reduces TCP packet loss recovery time by 30 times by avoiding tunneling of TCP connection inside another TCP connection. • ICAA avoids the TCP layer limitations which makes TCP not suitable for remote application connections over WAN with varying bandwidth and congestion. ICAA avoids parameters like TCP window size and congestion window for each application connection. The parameters of a single SSL VPN TCP tunnel are applied to all application connections. • ICAA does not let application connection to flow over WAN, thus avoiding TCP slow start problem, fragmentation and avoids congestion control algorithm limitations for each application connection. • Even in 0% packet loss networks (like LAN), the number of packets are reduced by 50% straightaway. © 2005-06 NeoAccel, Inc. Conventional SSL implementation slows downs the gateway Total User/Kernel Context Switches: 13 SYN SYN+ACK ACK Client Hello True Random Number Generator Server Hello, Server Certificate, Server Hello Done Client Key Exchange, Change cipher spec, client Finish Change cipher spec, Server Finish Host TCP/IP Stack Hardware Accelerator BN Mod Exponent 3DES Decrypt Encrypted Request SHA-1 Calculation 3DES Encrypt Encrypted Response © 2005-06 NeoAccel, Inc. SHA-1 Calculation CONFIDENTIAL SSL Web Server NeoAccel’s TSSL Engine speeds up by saving 10 Context Switches Total User/Kernel Context Switches: 3 SYN SYN+ACK ACK Client Hello Server Hello, Server Certificate, Server Hello Done Client Key Exchange, Change cipher spec, client Finish Change cipher spec, Server Finish Host TCP/ IP Stack Web Hard- TSSL Server ware Engine SSL Connection Establishment Accelrator Encrypted Request Encrypted Response © 2005-06 NeoAccel, Inc. CONFIDENTIAL Why TSSL? • It was observed that other SSL VPN vendors do encryption/decryption at application layer which is normally implemented at less privileged level in an OS (Slide 3, 4). This results in slow SSL processing resulting in high latency for applications connections • The high context switching of CPU results in slower packet processing, higher latency, less throughput and low user logins/sec. • Because SSL processing is done at user mode (less privileged mode of OS), there is an overhead between SSL module and SSL hardware accelerator cards. This results in less output from SSL hardware accelerator cards. © 2005-06 NeoAccel, Inc. TSSL Benefits • TSSL avoids the CPU context switching for both SSL VPN Gateway and Client while handling each application connection over SSL VPN resulting in high tunnel throughput. • TSSL helps CPU spend less time doing non-VPN related tasks and helps process VPN data faster resulting in low latency and faster user logins per second. • TSSL enables SSL VPN Gateway and SSL VPN Client to do bulk encryption resulting in better throughput. • TSSL reduces the communication over head between SSL VPN Gateway and SSL accelerator card resulting in maximum throughput and higher SSL transactions per second. • TSSL helps control latency added because of SSL processing for real time traffic like VOIP and video. © 2005-06 NeoAccel, Inc. Why ATCE (Dynamic Compression) ? • Other VPN solutions have a switch like functionality for compression. • Compression benefits are truly based on the available bandwidth and the current load on the VPN gateway. Other VPNs do not consider these factors • A ON/OFF functionality makes compression increase more load of VPN gateway even if compression of data is not required © 2005-06 NeoAccel, Inc. ATCE Benefits • Calibrates compression benefits at regular interval of times. • Low bandwidth connections get more compression benefits compared to higher Internet bandwidth users • Data is compressed only if data is compressible • Optimizes the ratio of load/bandwidth © 2005-06 NeoAccel, Inc. Performance Comparison NeoAccel SSL VPN-Plus vs. SonicWALL SSLVPN 200 Throughput Kbytes/sec 4000 3510 3362 3500 3000 2500 KBytes 2000 1587 1360 1500 1000 460 500 0 No Encryption/Layer No 2 Encryption/Routed © 2005-06 NeoAccel, Inc. SSL VPN-Plus (ICAA disabled) SSL VPN-Plus ICAA SonicWALL 200 DEPLOYMENTS © 2005-06 NeoAccel, Inc. SSL VPN-Plus Providing a single point of entry for all remote application needs, secure, reliable and user friendly. A Simple SSL VPN-Plus Solution deployment Private Corporate Network NeoAccel SSL VPN-Plus Gateway Wireless/mobile user © 2005-06 NeoAccel, Inc. Deployment Options © 2005-06 NeoAccel, Inc. Deployment Options © 2005-06 NeoAccel, Inc. Deployment Options © 2005-06 NeoAccel, Inc. Deployment Options © 2005-06 NeoAccel, Inc. Deployment Options © 2005-06 NeoAccel, Inc. COMPONENTS © 2005-06 NeoAccel, Inc. Various Components’ • Gateway: Base OS • NeoAccel Hardened OS • SSL VPN-Plus Gateway • Authentication Module Local Database LDAP AD Radius RSA Secure ID Certificate based authentication ACL’s : Network and Application Access Control • Authorization Module • Auditing • End Point Security © 2005-06 NeoAccel, Inc. Various Components’ Contd. • Access Terminals • SSL VPN-Plus portal : Clientless access named Web Access Terminal. Supports IE 5.0 & above, Firefox, NetScape • SSL VPN-Plus client QAT : Browser integrated java based port forward client. Supports Windows 2000, Windows XP, Windows Vista, Windows Server 2000 & 2003 PHAT : Network Extension client. Supports Windows 98, Windows 2000, Windows XP, Windows Vista, Windows Server 2000 & 2003, Windows Mobile, Red Hat 9.0, Red Hat EL 3, Knoppix, Debian, MAC OSX • Management Console • Requires JRE 1.4.2 or above on administrator’s PC © 2005-06 NeoAccel, Inc. Full-Range, High-Capacity Product Line Feature SGX-800 SGX-1200 SGX-2400 SGX-4800 Target Market Entry-Level Sm-Med Enterprise Enterprise Large Enterprise 50 100 2,000 10,000 100Mbps 250 Mbps 500 Mbps 950Mbps Operating System NHOS* NHOS NHOS NHOS Gigabit Interfaces 4 2 2 2 Yes Yes Yes Yes Hardware Acceleration ─ ─ √ √ Dual Power Supply ─ ─ √ √ Dual Hard Drives ─ ─ √ √ Concurrent Users Throughput High Availability *NeoAccel Hardened Operating System © 2005-06 NeoAccel, Inc. NeoAccel Management Console Module 1 © 2005-06 NeoAccel, Inc. NeoAccel Management Console The NeoAccel Management Console (NMC) is a java based administration console. To access the NMC open a web browser and enter the following path http(s)://<ipaddress>/sslvpn-plus/nmc Example: https://192.168.10.1/sslvpn-plus/nmc To access the NMC from the Internet configure your firewall to allow TCP port 443 and TCP port 8090. Be sure to allow pop-up windows from the NMC URL. © 2005-06 NeoAccel, Inc. Access Management Console..contd • Management Console login: • Default power-user credentials: admin/admin © 2005-06 NeoAccel, Inc. Menu Bar The Menu Bar at the top of the browser has multiple options •Logout •Logout of the NMC •Refresh •To refresh the NMC screen •Save •Save current running configuration •Change Password •Change the admin password (recommended) •About •Copyright information •Help •Open Help resources © 2005-06 NeoAccel, Inc. General The landing page is the System/General which displays information such as; Version Number, Processor Information, Memory Utilization and interface information. © 2005-06 NeoAccel, Inc. Interface Configuration The interface configuration allows the administrator to change/modify ip address information for each network interface adapter. To configure the SSL VPN-Plus Gateway for single arm mode select the desired interface and check the box “Configure for Single ARM mode” and click Save. Advanced configuration allows specifying Link speed & MTU size © 2005-06 NeoAccel, Inc. Route The route menu option displays currently configured routes. To add routes to other networks select the Add button and provide the necessary information. © 2005-06 NeoAccel, Inc. DNS The DNS and Hosts Configuration sets parameter related to the SSL VPN-Plus Gateway. Setting Hostname, Primary and Secondary DNS servers as well as defining static computer hostname to IP address mappings. © 2005-06 NeoAccel, Inc. NMC Administration Ability to create multiple administrators with different access over configuration of appliance ranging from full control, restricted or read only access. 1 Full control, 8 Restricted and 8 Read only administrators can be configured. © 2005-06 NeoAccel, Inc. Module 2 – SSL VPN-Plus Module 2 focuses on creating and configuring the SSL VPN-Plus Gateway instance that end users will establish the tunnel with. It is possible and often useful to run multiple instances or gateways on a single device. This allows the administrator to provide different options for user connectivity. One example would be configuring a separate gateway for third party business partners who need tunnel connectivity. Creating a separate gateway with a single authentication source and other options is an effective way to plan your Remote Access strategy. © 2005-06 NeoAccel, Inc. Gateways The Gateways menu allows you to Add/Modify/Remove gateways and parameters. The right hand side of the screen lists the configured options. © 2005-06 NeoAccel, Inc. Modify Gateway Highlight the gateway in previous screen and select Modify. This opens a dialogue window with the General/Authentication and Advanced tabs. Administrator can define the IP address, port, certificate and the cipher used to encrypt traffic over SSL server. A broadcast message can be optionally specified to be displayed to all end users when they get connected to VPN. © 2005-06 NeoAccel, Inc. Authentication Select the Authentication tab to change Authentication options such as Enable or Disable Authentication, prevent multiple logons with same username as well as prioritizing the cascaded authentication server list. Dual Authentication can be enabled wherein the end user will need to authenticate twice against two different authentication servers. © 2005-06 NeoAccel, Inc. Certificate Authentication Enable Client certificate Authentication such that end user will need to provide a certificate to be able to access private network resources. CA list contains the list of CA certificates to which the client certificate can belong. Username can also be extracted from the certificate such that end user will only be allowed to enter password for username extracted from certificate used for authentication. © 2005-06 NeoAccel, Inc. Portal Customization Portal customization allows complete redesign of how the web based access is visible to user. Look & feel can be chosen from a list of Layout & Color schemes. Layout scheme allows for logo, company name or title to be defined as per the corporation. Color scheme allows for complete change in look and feel of the portal. © 2005-06 NeoAccel, Inc. Advanced The Advance tab sets parameters for Enabling Acceleration triggered Compression, Client Auto Update Notification, Endpoint Securing Agents, Virtual Keyboard, SSO, User Logging and timeout values and enabling Forced Timeout. © 2005-06 NeoAccel, Inc. Active Clients The Active Clients shows the users who are logged into the SSL VPN-Plus and information regarding the tunnel established. The administrator can disconnect a single tunnel or all tunnels by select the appropriate button. © 2005-06 NeoAccel, Inc. License The license screen shows the type of license, number of concurrent tunnels allowed and the option to Update License. © 2005-06 NeoAccel, Inc. Update License Select the update license button and enter the Software Serial Number provided to you at time of installation. Click OK © 2005-06 NeoAccel, Inc. Update License cont. •Select Copy to Clipboard •Open License Server •Paste this selection into the License server and retrieve your license •Paste the new license from clipboard •Select OK © 2005-06 NeoAccel, Inc. Certificates Allows the administrator to Add/View/Remove SSL certificates for the gateway © 2005-06 NeoAccel, Inc. Add Certificates Enter the Certificate name and browse to the location where the certificate is stored. Select the Private Key to import the Servers private key as well. © 2005-06 NeoAccel, Inc. View Certificate Allows the administrator to view the contents of the SSL certificate. © 2005-06 NeoAccel, Inc. Module 3 – Users/Groups The NeoAccel SSL VPN-Plus allows granular control of users and groups. You will find that most of the power of this access control is based on group membership. The ability to limit access methods, apply access control policies, Provide resources to access, do cleanup as well as provide the user with a customized experience is gained by the use of Group policies. When using an external authentication source such as RADIUS or Active Directory it is not necessary to configure users directly on the gateway provided you have selected the Group Extraction option in the configuration of the external authentication servers. Upon presenting credentials to the PHAT client or Portal, the gateway will forward that request to the authentication server and extract the users group membership and apply configured Group Policies to that user. © 2005-06 NeoAccel, Inc. Authentication Servers The SSL VPN-Plus Gateways supports the following authentication methods •Local Database •Active Directory with/without Group Extraction •RADIUS with/without Group Extraction •LDAP with/without Group Extraction •RSA Secure ID •Client Certificates – X.509 SSL VPN-Plus utilizes a “cascading authentication” mechanism whereby the user credentials supplied at time of login can be validated against multiple authentication servers. Authentication servers are bound to the Gateway instance and not the User/Group. Order of search precedence is determined by the administrator. © 2005-06 NeoAccel, Inc. Menu Section This menu selection will allow the administrator to configure Groups, Users and Auth Servers. © 2005-06 NeoAccel, Inc. List of Authentication Servers © 2005-06 NeoAccel, Inc. Add Auth Server - RADIUS •Select Server type RADIUS •Provide an alias identifier •Enter the IP address of the RADIUS server •Enter the Port listening on the server •Server timeout value in seconds •Shared secret •NAS IP Address •Retry count •Enable/Disable Group Extraction based on the Class attribute in the server Click OK to complete the operation © 2005-06 NeoAccel, Inc. Auth Servers – Active Directory • • • • • • • • • • • Select Server type Define alias identifier Provide server ip address Set server listening port Set server timeout Configure AD search base Configure bindDN Supply users password Set Login attribute name Set search filter Enable/Disable Group Extraction (continued next slide) © 2005-06 NeoAccel, Inc. Auth Servers – Active Directory cont. • Set Group attribute name • Sub attribute name • Click OK to add Useful tool for extracting information from AD. LDAP Browser http://www.ldapbrowser.com © 2005-06 NeoAccel, Inc. Users - Local In many cases the administrator may want to create local users for authentication rather than using an external authentication server. One example would be allowing third party personnel to use the SSL VPN-Plus tunnel and rather than adding this third party user to Active Directory simple configure a local user. © 2005-06 NeoAccel, Inc. Groups This screen shows a list of all Groups configured on the Gateway and allows the addition/modification or removal of Groups. © 2005-06 NeoAccel, Inc. Add Group • • • © 2005-06 NeoAccel, Inc. Supply a Group Name Additional description to identify group Set Group Access Policies Group - Portal • • • • © 2005-06 NeoAccel, Inc. Select Portal tab Enable/disable Public URL access Set Web App links available to this group Select Application list Group – Portal cont. • File Share list • PHAT client package © 2005-06 NeoAccel, Inc. Group – Network Extension • Allow QAT access • Start QAT automatically • Set Client Configuration Name • Select Tunnel mode • Define Default Gateway for full tunnel • Set Private Network list • Add IP Pool – only necessary if using PHAT access © 2005-06 NeoAccel, Inc. Group – IP Pool (PHAT client) Select the Add button to set the IP Pool that will be assigned to the Group. IP Pools are like DHCP addresses that are configured to provide IP Address, Netmask, DNS servers, WINS server and other options. © 2005-06 NeoAccel, Inc. Group – Private Network List Select the Private IP network that you want to allow via the tunnel. To select multiple subnets hold the Control key down and select then click Add. © 2005-06 NeoAccel, Inc. Group – Private Network ICAA options The administrator can enable/disable private networks from using ICAA® technology. ICAA greatly increases traffic performance but in some cases is not compatible with certain applications/protocols. Exclude allows the administrator to direct the client computer to exclude portions of a private network subnet traffic from being sent over VPN tunnel. © 2005-06 NeoAccel, Inc. Group – Logon & Logoff Scripts Upload certain scripts to be executed when the user gets connected to VPN or at the end of users VPN session. Scripts could be either a batch, Java or vb based. © 2005-06 NeoAccel, Inc. Group – End Point Protection The administrator can enable certain data cleanup mechanisms for set of users belonging to a group. Either Browser cache cleanup can be enabled or blocking of cut/copy/paste can be enabled for the duration of end users session. Secure workspace can be activated such that end user will need to work inside a secure desktop and all data will be stored in a encrypted manner on end users machine, traces of which will be deleted at the end of users VPN session. © 2005-06 NeoAccel, Inc. Authorization The authorization menu selection allows the administrator To configure Access Control Policies, Endpoint Security scans and Security Zones © 2005-06 NeoAccel, Inc. Access Control Policies - ACL This screen is a repository of configured ACL’s. These ACL’s can be applied to Groups and Security Zones to control user access. Much like firewall rules take caution in applying these rules. © 2005-06 NeoAccel, Inc. Add Policy – Network ACL © 2005-06 NeoAccel, Inc. Add Policy – Application ACL Blacklist / Whitelist specific set of application from being executed during the VPN Session on the basis of name or MD5 of the process. Block VPN Access to allow execution of process , but disallow any of the traffic generated by the process to be sent over VPN tunnel. © 2005-06 NeoAccel, Inc. Apply Group Access Control Policy • Select Groups • Modify • Add ACL on General tab and set priority • OK © 2005-06 NeoAccel, Inc. Endpoint Security Policies Endpoint Security Policies allow the administrator to define machine specific scans to validate whether the client computer meets the security policies of the company. These security scans, host validation, are pre-user authentication. The administrator can configure scans for the following items •File •Process •Registry •Ports •Services •WMI •Certificate Template EPS policies are evaluated in the following order of precedence Zone=AND Policy=OR Rule=AND © 2005-06 NeoAccel, Inc. Endpoint Security Policies The SSL VPN-Plus comes with approximately 100 pre-configured Endpoint Security checks. The administrator can create custom check by selecting the Add button. © 2005-06 NeoAccel, Inc. Modify Existing Policy © 2005-06 NeoAccel, Inc. Creating Process Policy To create a Process policy use the Windows Task Manager to locate the running process to test for and note the executable name. In this case the test will check for Skype.exe running. © 2005-06 NeoAccel, Inc. Add Policy – Skype running Select Add Rule and enter the required information © 2005-06 NeoAccel, Inc. Completed Skype EPS check © 2005-06 NeoAccel, Inc. EPS - File The administrator can check for the following attributes of Files by specifying the File Name and full path and File Properties. © 2005-06 NeoAccel, Inc. EPS - Registry The administrator can test for the Existence of Registry entries. © 2005-06 NeoAccel, Inc. EPS – Registry cont. The above example would check to determine if the client machine is a member of the company domain © 2005-06 NeoAccel, Inc. EPS – Port Status This allows the administrator to perform a basic port scan on the Client machine to determine whether certain ports are open/closed/listening © 2005-06 NeoAccel, Inc. EPS - Service This scan detects whether the client computer has a Windows service and whether the service is Running or Not Running. © 2005-06 NeoAccel, Inc. EPS - WMI WMI helps in reading dynamic database of Windows. Rules created using WMI are used to check for health of firewall, anti-virus, anti-spyware. © 2005-06 NeoAccel, Inc. EPS – Certificate Template This scan helps to do a water mark check of the end users machine to identify a corporate issues machine © 2005-06 NeoAccel, Inc. Security Zones Once the administrator has configured EPS policies, upon the client computer establishing a tunnel and prior to authentication, the results of the EPS scan will determine Zone membership. SSL VPN-Plus ships with 5 pre-configured Zones and the ability to create up to 40 different security zones. Membership of a particular zone starts at the Highest level and based upon Pass/Fail of the EPS policies will traverse downward into lower zones where ACL’s may be applied to limit resource access. Zones allow the administrator to over-ride Group policies and control access based upon the validation of the client computer. In general one should never add an allow policy to a Security Zone with the exception of the Quarantine Zone. © 2005-06 NeoAccel, Inc. Zones © 2005-06 NeoAccel, Inc. EPS – Modify Zone Allows the modification of EPS checks for particular Zone. © 2005-06 NeoAccel, Inc. EPS – Modify Zone with ACL This example denies RDP based on the client be placed in Semi-Trusted Zone. © 2005-06 NeoAccel, Inc. EPS Upgrade Periodic synchronization with Global EPS Upgrade server to update factory default list of policies with new releases of firewalls, anti-virus etc and security patches, service packs of windows. © 2005-06 NeoAccel, Inc. Module 5 – Network Extension Network Extension provides end users with various parameters for PHAT client access as well as QAT. © 2005-06 NeoAccel, Inc. Dynamic IP Address – IP Pool • Functions like DHCP • Create multiple pools for assignment to groups © 2005-06 NeoAccel, Inc. Create Dynamic IP Address Config Set a name, IP Range, Netmask, Primary and Second DNS, DNS suffix And if necessary WINS server and select OK © 2005-06 NeoAccel, Inc. Private Network Lists • Define private network resources that users tunnels will access • Set multiple subnets/hosts for use by Groups © 2005-06 NeoAccel, Inc. Create Private Network Profile Set Name, Private Network, Netmask, Gateway if necessary and Ports if desired. © 2005-06 NeoAccel, Inc. Client Configuration Lists • Set client configuration options that apply to both PHAT and QAT © 2005-06 NeoAccel, Inc. Add Client Configuration The Client Configuration allows the administrator to define various parameters to be applied. These parameters are then applied at the Group level to control such features as Show Endpoint Security Details, Idle Timeouts use DHCP for IP assignment and other parameters. © 2005-06 NeoAccel, Inc. Installation Package Configuration PHAT • Create PHAT packages to be delivered to end users. • Create multiple PHAT packages and assign based on Group membership © 2005-06 NeoAccel, Inc. Add Installation Package Set various client options for use with the PHAT client. © 2005-06 NeoAccel, Inc. Module 6 - Portal The Portal selection allows the administrator to customize web based links that are presented to users upon successful login. The Layout and Colors selections allows the branding of the web based portal to your companies needs including logo and colors. © 2005-06 NeoAccel, Inc. Module 6 - Portal List of Resources that are made available to Groups. © 2005-06 NeoAccel, Inc. Module 6 - Portal Create Web Application which provides a quick link for users to access internal or external websites. © 2005-06 NeoAccel, Inc. Module 6 - Portal Configures Thin Applications such as Telnet, RDP, VNC and SSH which allow the Groups to use integrated Java based applets. © 2005-06 NeoAccel, Inc. Module 6 - Portal Defines web based File Access for CIFS files servers or shared directories. © 2005-06 NeoAccel, Inc. Module 6 - Portal Allows the administrator to change the Login and Portal pages logos, titles and PHAT client banner. © 2005-06 NeoAccel, Inc. Module 6 - Portal Modifies the web portal color scheme to meet your needs © 2005-06 NeoAccel, Inc. Module 7 - Firewall © 2005-06 NeoAccel, Inc. Add Filter Rule © 2005-06 NeoAccel, Inc. Add Port Mapping © 2005-06 NeoAccel, Inc. Module 8 - Tools © 2005-06 NeoAccel, Inc. Ping © 2005-06 NeoAccel, Inc. ARP © 2005-06 NeoAccel, Inc. System Date/Time Allows the administrator to set date and time or synchronize with an external NTP resource © 2005-06 NeoAccel, Inc. Miscellaneous Allows the import and export of the current configuration and other options. Pay special attention to the Client Upgrade URL. © 2005-06 NeoAccel, Inc. Reboot / Shutdown Allows the administrator to Reboot the Gateway or gracefully Shutdown the gateway © 2005-06 NeoAccel, Inc. Module 9 - Logs © 2005-06 NeoAccel, Inc. Logs - User Settings Enable logging for the appliance wherein logs could either be stored on the appliance locally or be sent to an external syslog server periodically © 2005-06 NeoAccel, Inc. Logs - User Settings Logs can be viewed on the system by selecting View Logs. The logs are refreshed every 10 seconds. © 2005-06 NeoAccel, Inc. Logs - Reporting Generate log reports within a specific period of time and apply certain filters to pin point specific logs. These logs can either be viewed over NMC, exported and stored in CSV format in a Excel sheet or printed over printer. © 2005-06 NeoAccel, Inc. Logs - Statistics View, save or print statistics on a daily or a weekly basis. Statistics can be used by administrators administrator for statistical analysis or usage of appliance © 2005-06 NeoAccel, Inc. Thank You. © 2005-06 NeoAccel, Inc.