Solution of Wireless Authentication
Base on PnPVPN
Hillstone Networks Inc.
July 31th, 2015
Author
Auditor
Tianjiao Chen
Version
Date
1.0
2015-07-31
Contents
1
Solution Background .................................................................................................... 3
2
Requirements Analysis ................................................................................................. 4
2.1
2.2
3
Solution ......................................................................................................................... 7
3.1
3.2
4
Topology ......................................................................................................... 7
System Deployment Statements ................................................................... 7
3.2.1
PnP VPN Deployment ....................................................................................... 7
3.2.2
Branch Wireless Coverage Deployment............................................................ 8
3.2.3
Headquarter Firewall Policy Deployment ......................................................... 8
Implementation ............................................................................................................. 9
4.1
4.2
5
Wireless Network Building Target .................................................................. 4
The Entire Network Security Target ............................................................... 4
2.2.1
The Compliance of Requirement for Access and Control ................................. 4
2.2.2
Guarantee the Healthy Internet Access ............................................................. 5
Verification Topology ...................................................................................... 9
Regarding Configuration ................................................................................ 9
4.2.1
Headquarter Office Configuration..................................................................... 9
4.2.2
Branch Configuration ...................................................................................... 12
4.2.3
Attention Point of Solution ............................................................................. 13
Effectiveness .............................................................................................................. 14
1 Solution Background
There is a company with one headquarter office and few more branch connecting
with client to client VPN, the network topology as below:
A.
Link Type：
a) 4M ADSL
b) 2M Telecom Special Line
c) China Unicom 3G Network
B.
Main Device Model：
a) Branch Store： VPN Router Device-- CISCO RV042 ，Hikvision Monitoring
b) Headquarter： Firewall-CISCO ASA5540，Core Switch Model：H3C S7510E
2 Requirements Analysis
2.1 Wireless Network Building Target
A. According to the current company network architecture to perform the
deployment of full wireless coverage with all the stores.
B. Using headquarter firewall to connect with store in wireless security gateway
mode by PnP VPN to replace the current VPN router（RV042） to headquarter
CISCO ASA5540 by client to client of IPsec connection.
C. The headquarter firewall centralized united management and controlling of all
the store’s wireless security gateway.
D. Centralized united management and authentication of remote terminal device,
make sure only permitted device can access network.
E. Perform the network security policy base on the policy management of user or
role.
F. Perform the manageability, security, security defense and WEB filtering of
wireless network.
G. Perform the current and future application system running stable in the safe
wireless platform.
2.2 The Entire Network Security Target
2.2.1 The Compliance of Requirement for Access and Control
A. The key precautions：Proceed effective control base on access source, access
target, access action and access time.
The principal element of network security construction is access control, the
core of control is access action, which should block the access from nonpermission access and limit the resource of use-pattern of employee and guest.
The business diversification of enterprise will cause the diversification of access
action. Therefore, it is extremely important to recognize the permitted access and
non-permitted access, especially for the access action of internet, the effectively
control measures should be taken to avoid the access action with overuse
bandwidth and guarantee the normal service and internet access.
For those important application server and database of enterprise, it should
recognize the legal business access and potential attack access action, taking the
necessary security control method to guarantee the key business access.
2.2.2 Guarantee the Healthy Internet Access
A. The key precautions：Depth recognition of application（P2P、IM、Online game、
Online Video、Stocks etc） and access control；URL filtering
Access control is the most important role of enterprise information network 访
security, but the traditional access control technology is getting more and more
new challenge now, the most classic one is that the current internet application
becomes more and more intelligent, some of accesses are hard to be recognize,
for example, P2P, Online video and IM etc.
Need to recognize role and control
A. The key precautions：Identity of identification and role definition; Access control
base on user role
Distribute the regarding resource according to the role. In the application
system, distribute the accessible content and accessible data according to the
user role, and consider the network resource distribution, for example,
bandwidth source distribution, different server access permission for different
user role etc.
3 Solution
3.1 Topology
3.2 System Deployment Statements
3.2.1 PnP VPN Deployment
PnPVPN means plug and play VPN, it contain two parts：
♦ PnPVPN Server，usually deployed in the Headquarter of enterprise, IT engineer
is responsible for the maintenance, the configuration of client will be release from
the server end. PnPVPN Server usually select Hillstone SG series.
♦ PnPVPN Client，usually deployed in the branch of enterprise, IT engineer is
responsible for the maintenance work via remote session, simple configuration
need only( for example, client ID, password and server IP address), get configuration
information form the server side after the negotiation with server(for example, DNS,
WINS, DHCP pool etc). PnPVPN Server usually select Hillstone SG series.
3.2.2 Branch Wireless Coverage Deployment
The wireless coverage of security wireless gateway to store is using 802.11b/g/n
technology ， with independent security defense, anti-virus, IPS etc, signal
strength >=-75dBm。
3.2.3 Headquarter Firewall Policy Deployment
A. WEB Authentication
Web authentication function is using for the identity identification of user who
access to the internet. Hillstone Security appliance supports the third party
authentication, which is able to perform the access control under “real name”,
it will enhance the accuracy of access control.
B. Access Control Policy
a) Limit the non-permitted access type：web surfing, email, file-transmission
etc.
b) Limit the non-permitted access address：Limit the access of parts webpage
according to URL filtering and HTTP behavior control.
c) Access control base on Role：Accuracy location.
4 Implementation
4.1 Verification Topology
4.2 Regarding Configuration
4.2.1 Headquarter Office Configuration
Hardware Platform：SG-6000-E1700
Verification Version：SG6000-M-3-5.0R4P7.bin
Regarding Configuration：
A. Interface Configuration
interface ethernet0/1
zone "untrust"
ip address 10.88.16.127 255.255.255.0
exit
interface ethernet0/2
zone "trust"
ip address 201.1.1.1 255.255.255.0
exit
interface tunnel1
zone "VPNHub"
ip address 1.1.1.1 255.255.255.0
manage ping
tunnel ipsec "client2" gw 1.1.1.10
exit
B. PnPVPN configuration
aaa-server "local" type local
user "client2"
password "zpto+QVnNtQ6aBxI3uJKlzJ7I8Y0"
ike-id fqdn "client2"
dhcp-pool-gateway 192.168.3.1
dhcp-pool-netmask 255.255.255.0
tunnel-ip-address 1.1.1.10
dhcp-pool-address 192.168.3.2 192.168.3.254
dns 10.86.249.11 10.88.7.10
split-tunnel-route 0.0.0.0/0
exit
isakmp peer "client2"
mode aggressive
type usergroup
isakmp-proposal "psk-md5-des-g2"
pre-share "myjGXapxRNhjvI3wf8xOGT9IuYIBI0"
aaa-server "local"
interface ethernet0/2
exit
tunnel ipsec "client2" auto
isakmp-peer "client2"
ipsec-proposal "esp-md5-des-g2"
exit
C. Routing Configuration
ip vrouter "trust-vr"
ip route 192.168.3.0/24 tunnel1 1.1.1.10
exit
D. Network Behavior Configuration
behavior-profile "shopping"
http get "*.jd.com" block log
rule id 2193
exit
role "http-role"
role "hillstone"
role-mapping-rule "map"
match user "test" role "http-role"
match user "hillstone" role "hillstone"
exit
aaa-server "local" type local
role-mapping-rule "map"
user "test"
password "inz0ZGoEnlAF2TjMzAKVjSmaNZQa"
exit
rule id 2193 #WEBUI Automatic generated Policy of HTTP control via NBC
dst-zone "untrust"
src-addr "Any"
dst-addr "Any"
service "Any"
role "http-role"
behavior "shopping"
exit
rule id 10
action permit
src-zone "VPNHub"
dst-zone "untrust"
src-addr "Any"
dst-addr "Any"
service "DNS"
exit
rule id 9
action webauth "local"
src-zone "VPNHub"
dst-zone "untrust"
src-addr "Any"
dst-addr "Any"
service "Any"
role "unknown"
exit
rule id 8
action permit
src-zone "VPNHub"
dst-zone "untrust"
src-addr "Any"
dst-addr "Any"
service "HTTP"
service "HTTPS"
role "http-role"
exit
rule id 2
action permit
src-zone "VPNHub"
dst-zone "untrust"
src-addr "Any"
dst-addr "Any"
service "Any"
role "hillstone"
exit
E. Complete Configuration
4.2.2 Branch Configuration
Hardware Platform：SG-6000-E1100
Verification Version：SG6000-M-3-5.0R4P7.bin
A. Interface Configuration
interface ethernet0/4
zone "untrust"
ip address 201.1.1.2 255.255.255.0
exit
interface wlan0/2
zone "trust"
ip address 192.168.3.1 255.255.255.0
dns-proxy
manage ping
dhcp-server enable pool "pnpauto"
exit
interface tunnel1
zone "VPN"
ip address 1.1.1.10 255.255.255.255
tunnel ipsec "PnP-vpn" gw 201.1.1.1
exit
B. PnP configuration
isakmp peer "PnP-vpn"
mode aggressive
type pnp-vpn
pre-share "IGKuErMzVl7g5AuZIF0eLb5tWpMY42Dp4wQfuN6o5VILqsG0DU"
peer 201.1.1.1
local-id fqdn "client2"
connection-type initiator-only
nat-traversal
dpd interval 2 retry 4
interface ethernet0/4
exit
tunnel ipsec "PnP-vpn" auto
isakmp-peer "PnP-vpn"
auto-connect
auto-save
interface-start-dhcp wlan0/2
exit
dhcp-server pool "pnpauto"
netmask 255.255.255.0
gateway 192.168.3.1
address 192.168.3.2 192.168.3.254
exit
C. Complete Configuration
4.2.3 Attention Point of Solution
A. The PnPVPN tunnel interface of Headquarter office must configure IP address，
also the PnP client user also need to release tunnel interface IP
B. Must fill up the gateway (the regarding branch tunnel interface IP address) when
bind the Headquarter tunnel interface.
C. The route from headquarter to the branch also need to configure gateway,
which means the regarding branch tunnel interface IP address.
5 Effectiveness
A. The branch side only need to configure simple PnP client to get the regarding
configuration, all the configuration will be managed by the administrator of
headquarter, it will reduce the maintenance cost of branch side.
B. The configuration of headquarter base on the RBNS of role to control the user
of branch via real name authentication, for example, the regarding role “httprole” of user “Test” can access any webpage without “ebay”, but the
regarding role “Hillstone” of user “Hillstone” can access any webpage
without any limitation.