Barracuda Networks SSL VPN Скачать руководство пользователя | Manualshive

Страница: 55 / 124

background image

Access Control 55

Access Control Architecture

The access control framework has been designed to tackle the following main issues.

•

Users and Groups

: Each organization’s view on users and groups is almost always different.

They do though share common behavior, i.e. ‘Add User/Group’ or ‘Delete User/Group’. It is
also likely that the organization’s user/group directory already existed prior to the introduction
of this appliance, for example an existing Active Directory domain or LDAP directory. The
variety offered by such choice invariably gives rise to a number of different approaches and
implementations.

•

Resource Access

: The intended outcome when implementing an SSL VPN solution is to allow

remote access to network-based resources. The number of different types of network resource is
relatively varied and new methods are likely to appear.

•

Resource Distribution

: A resource created within the system must be easily made accessible to

those users that require it. Assigning resources on a per-user basis should be avoided wherever
possible.

•

Resource Permissions

: Resources can have a range of permissions to limit how they may be

assigned. When a resource is assigned to a user the user must be restricted to the access rights
given. For example, a super user may create a resource to administer creation and assignment of
application shortcuts only. This resource is assigned to a user who then attempts to delete an
existing application shortcut; this operation will be declined.

In order to resolve the aforementioned issues the access control architecture relies on three key
entities:

•

Principal

: The intended ‘consumer’ of the resources, i.e. a user or a group.

•

Resource

: The networked resource, internal function or property item that the principal wishes

to utilize, i.e. a Web Forward or the right to manage accounts.

•

Policy

: The relationship defined between the principal and resource. It is the component that

ensures that only the right people can perform the right action.

Utilizing this methodology, the Barracuda SSL VPN is able to maintain robust, secure, and flexible
access control architecture.

Principals

As already mentioned, the ‘principal’ simply refers to a user or group of users. The principal entity
sits at one end of the access control chain. The process flow begins with this entity and ends with the
resource entity.

«
...
53
54
55
56
57
...
»

Содержание SSL VPN

Страница 1: ...Barracuda Networks Inc 3175 S Winchester Blvd Campbell CA 95008 http www barracuda com B a r r a c u d a S S L V P N A d m i n i s t r a t o r s G u i d e V e r s i o n 1 5 x...

Страница 2: ...3 All rights reserved Use of this product and this manual is subject to license Information in this document is subject to change without notice Trademarks Barracuda SSL VPN is a trademark of Barracud...

Страница 3: ...Deployments 16 SSL VPN Concepts 17 Security Policy and Resource Management 17 Organizational Control 18 Chapter 3 Getting Started 19 Initial Setup 20 Prepare for the Installation 20 Connect Barracuda...

Страница 4: ...Network Connector 35 About The Barracuda Network Connector 36 System Requirements 37 Network Connector Interface 37 Connecting a Client to the Barracuda SSL VPN 38 Client Configurations 38 Up and Dow...

Страница 5: ...rwards 65 Types of Attributes 65 How to use Attributes 65 Session Variable 67 Microsoft Exchange 2003 RPC HTTPS 68 RPC HTTPS 68 Configuration 68 Prerequisites 69 Configuring the Barracuda SSL VPN as a...

Страница 6: ...hentication Manager 92 VASCO Digipass Token Configuration 93 Secure Computing SafeWord 93 Chapter 11 Monitoring the Barracuda SSL VPN 95 Monitoring Tasks 96 Viewing Performance Statistics 96 Setting u...

Страница 7: ...107 Using Special Characters in Expressions 108 Examples 108 Appendix C Limited Warranty and License 111 Limited Warranty 111 Exclusive Remedy 111 Exclusions and Restrictions 112 Software License 112...

Страница 8: ...viii Barracuda SSL VPN Administrator s Guide...

Страница 9: ...Introduction 9 Chapter 1 Introduction This chapter provides an overview of the Barracuda SSL VPN and includes the following topics Overview 10 Features of the Barracuda SSL VPN 11...

Страница 10: ...a SSL VPN integrates with third party authentication mechanisms to control user access levels and provide single sign on Enables access to corporate intranets file systems or other Web based applicati...

Страница 11: ...network drives and are safely removed after the session ends The Barracuda SSL VPN Agent transparently encrypts all files copied to and from mapped drives Single Sign On The Barracuda SSL VPN integrat...

Страница 12: ...Auditing and Reporting All resource access via the Barracuda SSL VPN is audited Reports are available in real time showing a comprehensive look at privilege usage failed logins file and intranet use...

Страница 13: ...Concepts 13 Chapter 2 VPN Concepts This chapter provides an overview of the Barracuda SSL VPN and includes the following topics Basic Terminology 14 Barracuda SSL VPN Configurations 15 SSL VPN Concept...

Страница 14: ...on your internal network Web Forwards A type of Resource for defining HTTP HTTPS based access Network Places A type of Resource for defining access to file systems Applications A type of Resource for...

Страница 15: ...iguration Advantages BEHIND your corporate firewall Typical Deployment Allows all authentication to be handled by the Barracuda SSL VPN Only ONE firewall rule is needed to allow only secured traffic i...

Страница 16: ...for Typical Deployments Clustered Deployment If you have a pair of Barracuda SSL VPNs that you would like to load balance then the load balancer would be placed between your firewall and the Barracuda...

Страница 17: ...ome working for all of these employees and as a result each department requires secure access to relevant shared areas and resources on the company network In addition the managers have a level of res...

Страница 18: ...tration type privileges The Managers Policy has Resource Access Rights attached which would allow managers to perform create edit and delete actions for example This enables managers to perform admini...

Страница 19: ...to your corporate network This is followed by the configuration of the Barracuda SSL VPN itself which is performed over two separate Web interfaces the Administrative interface for system related item...

Страница 20: ...ch type of deployment is most suitable to your network For more information on the deployment options see Barracuda SSL VPN Configurations on page 15 2 Verify you have the necessary equipment Barracud...

Страница 21: ...but if not entered at this step then they must be entered in step 3b of Configure Administrative Settings on page 22 Select Exit The new IP address and network settings are applied to your Barracuda...

Страница 22: ...N from the Web administration interface Make sure the system being used to access the Web interface is connected to the same network as the Barracuda SSL VPN and that the appropriate routing is in pla...

Страница 23: ...l as transmitting all secured traffic These will also be the ports over which the ssladmin account will log in for configuring SSL VPN user access and usage policies on the SSL VPN Management Interfac...

Страница 24: ...re Update page Verify that the installed version matches the Latest General Release The Download Now button next to the Latest General Release is disabled if the Barracuda SSL VPN is already up to dat...

Страница 25: ...The SSL VPN Management configurations however will need to be done in order for any users to access your protected resources To complete the SSL VPN Management configurations 1 Log in as the ssladmin...

Страница 26: ...other troubleshooting Access to this interface can be restricted to specific IP addresses by changing the Administrator IP Range as described on Step 4c of Configure Administrative Settings on page 2...

Страница 27: ...Configuration Settings This chapter outlines the various options available for configuration from both the Administrative and SSL VPN Management interfaces Administrative Settings 28 SSL VPN Settings...

Страница 28: ...he port used by your users and the ssladmin account to access the Barracuda SSL VPN default ports are 80 and 443 Change the length of time after which idle Web interface connections will be terminated...

Страница 29: ...owing types of certificates Default Barracuda Networks certificates are signed by Barracuda Networks On some browsers these may generate some benign warnings which can be safely ignored No additional...

Страница 30: ...ts In order for an individual user to use the Barracuda SSL VPN they must either have an account in a user directory that has been imported onto the Barracuda SSL VPN or have access to a resident acco...

Страница 31: ...d have at least one Policy attached to it to determine who is allowed access to the Resource and to what extent Complete details of each Resource type is available in Chapter 6 Resources beginning on...

Страница 32: ...ROL NAC page allows you to limit access to network resources based not just by users but also on a variety of other factors such as the time of day the connecting system s OS operating system and brow...

Страница 33: ...stall an SSL certificate on the Barracuda SSL VPN for this hostname to ensure your users are able to determine that they are connecting to a genuine Barracuda SSL VPN that is registered to your organi...

Страница 34: ...34 Barracuda SSL VPN Administrator s Guide...

Страница 35: ...The Barracuda Network Connector Resources are the key entities that a user of the system will interact with The following topics are covered in this chapter About The Barracuda Network Connector 36 Co...

Страница 36: ...consists of two components the server side component which opens up server interfaces and the client side component which connects to these interfaces It is through these connections that data is tran...

Страница 37: ...Connector can be installed on the following systems Microsoft Windows 2000 XP Vista Linux 2 4 or higher with integrated TUN TAP driver Macintosh 9 x 10 x Intel based Network Connector Interface The B...

Страница 38: ...nd the closing commands when the client disconnects These are called the Up Commands and the Down Commands and must be added into the configuration The exact commands may differ based on the operating...

Страница 39: ...hat user will see a Network Connector page on their RESOURCES page From there the client for the desired operating system can be downloaded Microsoft Windows 1 Go to the RESOURCES Network Connector pa...

Страница 40: ...ce it is installed return to the RESOURCES Network Connector page of the SSL VPN Management interface Click the More link under Actions and select Launch Network Connect Client 6 This will start the c...

Страница 41: ...ntly requires that the user is running the GNOME Desktop and has the gksudo command installed Support for other desktops may be added 6 After the client has been downloaded the user will be presented...

Страница 42: ...de VPN server For the Client Configuration field enter the exact name of the Network Connector client that was created above 3 To connect simply click the icon and select connect The icon should turn...

Страница 43: ...ter 6 Resources Resources are the key entities that a user of the system will interact with The following topics are covered in this chapter Web Forwards 45 Network Places 48 Applications 50 SSL Tunne...

Страница 44: ...administrator s responsibility to create these Resources and provide a secure working environment for the remote user population Without the right configuration of Resources accessing areas of the co...

Страница 45: ...policy settings can restrict those users that can even access the Web Forward Because different Web applications have different behavior it is necessary to have different types of Web Forward to acce...

Страница 46: ...plication are known If the Web site runs on the root of the Web server i e http example com then there are no defined paths to proxy so another method will have to be used NOTE If the target site has...

Страница 47: ...to the number of ways it is possible to create links in many different languages this proxy type is not always successful However it is possible to create custom replacement values to get a Web site w...

Страница 48: ...lders a remote user can access the organization s network through the standard Windows Explorer interface without actually needing to log into the Barracuda SSL VPN When using Windows XP or later alon...

Страница 49: ...aved as long as it supports random access can be accessed and is fully modifiable Another difference is that WebDAV supports only local buffering For any file needing to be edited WebDAV will download...

Страница 50: ...i e Application Type Hostname of the remote machine For example an Application Shortcut can be created to allow users access to their office pc desktop from home To use Microsoft s Remote Desktop an...

Страница 51: ...is to secure the SMTP POP protocols used for email access In short anything that uses TCP IP client server architecture will usually be able to be secured in this manner There are two types of tunnel...

Страница 52: ...SSL VPN Agent is mainly used by Resources such as SSL tunnels and Web Forwards The session parameters affect how the active session behaves and includes such things as session inactivity timeout which...

Страница 53: ...scribes how the Barracuda SSL VPN is able to achieve control of users and resources and the relationships between them The following topics are covered in this chapter Overview 54 Access Control Archi...

Страница 54: ...a significant part of remote access the Barracuda SSL VPN solution has been designed to allow for either coarsely grained or finely grained access control This approach allows the product to mirror m...

Страница 55: ...esources can have a range of permissions to limit how they may be assigned When a resource is assigned to a user the user must be restricted to the access rights given For example a super user may cre...

Страница 56: ...uctured and organized system This is often imperative as the user base grows The administrator however is not categorized as a standard user in fact the administrator is classified as the administrato...

Страница 57: ...r objective that a user wishes to achieve This could be something as simple as a user accessing their email client to read their mail In this case the Resource would be the email Similarly an intranet...

Страница 58: ...assigned Policies that grant them fewer privileges A user of the system who has the need to manage a particular user database for instance must have a higher degree of trust and consequently is grant...

Страница 59: ...into their respective areas Resource Rights Items that can be managed in this area are all Resources such as Web Forwards Profiles and Network Places can all have their create edit and delete actions...

Страница 60: ...gainst your Windows domain Once you have entered the relevant properties in the configuration page a connection is made to the domain controller and when the service account has been authenticated the...

Страница 61: ...d If an OU called Marketing was stored under the Employees OU to add Marketing the correct syntax would be OU Marketing OU Employees with the separating comma being used to separate each element in th...

Страница 62: ...each filter Every Organizational Unit must begin with OU If a hierarchy structure is being included be sure to separate each element with a comma Also avoid using unnecessary spacing Clear the organi...

Страница 63: ...Advanced Configuration This chapter details advanced configuration options and attributes The following topics are covered in this chapter Attributes 64 Session Variable 67 Microsoft Exchange 2003 RP...

Страница 64: ...butes can be used with application shortcuts For example an attribute can be created which defines a hostname to use with a VNC Server application shortcut The attribute is created within the Manage S...

Страница 65: ...pportPassword attributes are submitted during authentication into the Web site The FORM object takes the supportId and identifies the username then takes the supportPassword as the associated password...

Страница 66: ...iving e g smb examplepath com users attr myNetHome 3 When this is executed the system replaces the attr myNetHome with the user attribute value 4 Each user is now able to define this attribute specify...

Страница 67: ...ace this with the username being used in this current session This means that if the user s home share on the network is named the same as the username used to log into the appliance as might be the c...

Страница 68: ...and access to this service is provided by way of authorized policies RPC HTTPS RPC over HTTP allows Microsoft Outlook clients to access Microsoft Exchange server over the internet The MAPI protocol us...

Страница 69: ...onfiguring the Barracuda SSL VPN as a RPC Proxy Browse to the Outlook configuration settings under Manage System Advanced Configuration From here the Exchange server can be specified along with the as...

Страница 70: ...70 Barracuda SSL VPN Administrator s Guide 2 From mail setup access Email Accounts 3 Select Add a new email account from the wizard options...

Страница 71: ...Advanced Configuration 71 4 Under server type select Microsoft Exchange Server 5 Under the Exchange server settings select the newly configured Exchange server and the name of your new mailbox...

Страница 72: ...that you check the Connect to my Exchange mailbox using HTTP checkbox 7 Selecting the Exchange proxy settings button opens a final window in which the FQDN of the Barracuda SSL VPN should be keyed int...

Страница 73: ...ed to use the same Windows account as the one the user is currently logged on with the system will prompt for the Barracuda SSL VPN authentication credentials After which if the user is recognized as...

Страница 74: ...relies on a Web forward The following provides basic steps on how to configure the mail check feature 1 Create a Web forward that connects to the mail server and check that it works correctly No user...

Страница 75: ...it takes the individual user s authentication details to connect to their account and retrieve mail details 4 Once all the user details have been provided the user should log back into the system The...

Страница 76: ...76 Barracuda SSL VPN Administrator s Guide...

Страница 77: ...the Barracuda SSL VPN 77 Chapter 9 Agents of the Barracuda SSL VPN This chapter explains the roles of various agents of the Barracuda SSL VPN Agent The Barracuda SSL VPN Agent 78 The Barracuda Server...

Страница 78: ...user session to provide SSL tunneling and application launching facilities provided by the appliance The Barracuda SSL VPN Agent is launched by a small Java applet placed on all pages that require acc...

Страница 79: ...rce assigned to you directly from the taskbar icon Clicking the right mouse button over the Agent icon will present a list of resources that can be executed directly from the Agent By opening the Tunn...

Страница 80: ...e port on the firewall protecting the remote network This same process can be used to access resources inside the LAN from a Barracuda SSL VPN residing in a DMZ In the diagram below the appliance sits...

Страница 81: ...ources Installing the Server Agent Client Before any routing can begin the Server Agent client needs to be installed on a machine This machine should be sufficiently placed so that the destined routes...

Страница 82: ...a higher level of security a certificate can be used instead of a simple password Confirm Password Confirmation of above password 5 Once installed the client needs to be started This is run as a proce...

Страница 83: ...means of verifying a user s identity this can be in the form of a password or a key code To allow for greater security the Barracuda SSL VPN uses authentication schemes to provide a multiple staged a...

Страница 84: ...selves that is they cannot be combined with other Authentication Modules When a user starts the authentication process they first have to enter a Username Once the Username is submitted checks are mad...

Страница 85: ...ses this certificate as a means of authenticating itself to the server The server aware of the provided certificate is able to verify the client and automatically grant authentication Since a unique c...

Страница 86: ...sed Authentication Scheme and it is the simplest and easiest to configure The length format and expiration of passwords are all configurable however initially these parameters are defaulted and whenev...

Страница 87: ...ed to authenticate the user The client side private key is used to sign the ticket This ticket is then sent to the server On receipt the server uses the corresponding public key to validate the signat...

Страница 88: ...t Authentication Key can force users to create their own identities 1 Select the Update Authentication Key action 2 This takes us to the Update Identity window From here the user s identity can be upd...

Страница 89: ...privileges When the appliance scans a device such as a USB key it tries to find the Authentication Key This key should be in the root directory of the device in a sub folder called sslvpn ids So in or...

Страница 90: ...P Authentication the password can only be used once and once only not only that the expiration of the password is measured in minutes and not days so even the OTP s existence is short lived Any email...

Страница 91: ...sents this to the user A comparison is made between the current answer and the preset answer if a match is made the user is authenticated This authentication method is a secondary option only and must...

Страница 92: ...tificate authentication to present a certificate to the appliance making textbook use of the something you know something you have security methodology by combining a secret passphrase with the certif...

Страница 93: ...ver with their product therefore you will need to use an external RADIUS server i e FreeRADIUS to provide the RADIUS component of this solution Secure Computing SafeWord The Barracuda SSL VPN applianc...

Страница 94: ...94 Barracuda SSL VPN Administrator s Guide...

Страница 95: ...VPN This chapter describes the monitoring tasks you can perform from the Web interface Monitoring Tasks 96 Note For more detailed information about a specific page in the Web interface view the online...

Страница 96: ...the value exceeds the normal threshold These values will fluctuate based on the amount of traffic that is being handled but if any setting remains consistently in the red for a long period of time ple...

Страница 97: ...busy The Task Errors section will list an error until you manually remove it from the list The errors are not phased out over time Understanding the Indicator Lights The Barracuda SSL VPN has five ind...

Страница 98: ...98 Barracuda SSL VPN Administrator s Guide...

Страница 99: ...Maintenance 99 Chapter 12 Maintenance This chapter provides general instructions for general maintenance of the Barracuda SSL VPN Maintenance Functions 100...

Страница 100: ...lowing about the backup file Do not edit backup files Any configuration changes you want to make need to be done through the Web interface The configuration backup file contains a checksum that preven...

Страница 101: ...s 3175 S Winchester Blvd Campbell CA 95008 attn RMA your RMA number Reloading Restarting and Shutting Down the System The System Reload Shutdown section on the BASIC Administration page allows you to...

Страница 102: ...tact Barracuda Networks Technical Support for additional troubleshooting tips As a last resort you can reboot your Barracuda SSL VPN and run a memory test or perform a complete system recovery as desc...

Страница 103: ...d clears out all configuration information Enable remote administration Initiates a connection to Barracuda Central that allows Barracuda Networks Technical Support to access the system Another method...

Страница 104: ...104 Barracuda SSL VPN Administrator s Guide...

Страница 105: ...About the Hardware 105 Appendix A About the Hardware This appendix provides hardware information for the Barracuda SSL VPN The following topics are covered Hardware Compliance 106...

Страница 106: ...ause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user in encouraged to try one or more of the following measures Reorient or r...

Страница 107: ...ported by the Barracuda SSL VPN Table B 1 Common Regular Expressions Expression Matches Operators Zero or more occurrences of the character immediately preceding One or more occurrences of the charact...

Страница 108: ...used s Space character shortcut for n r t s Non space character Miscellaneous Beginning of line End of line b Word boundary t Tab character Table B 2 Special Characters Table B 3 Regular Expressions E...

Страница 109: ...Regular Expressions 109 FREE FREE FREE V GRA FREE VIAGRA FREE VEHICLEGRA etc Table B 3 Regular Expressions Example Matches...

Страница 110: ...110 Barracuda SSL VPN Administrator s Guide...

Страница 111: ...d warranty extends only to you the original buyer of the Barracuda Networks product and is non transferable Exclusive Remedy Your sole and exclusive remedy and the entire liability of Barracuda Networ...

Страница 112: ...NG THE BARRACUDA SOFTWARE BY USING THE BARRACUDA SOFTWARE YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS LICENSE IF YOU DO NOT AGREE TO THE TERMS OF THIS LICENSE DO NOT USE THE SOFTWARE IF YOU DO N...

Страница 113: ...ECESSARY SERVICING REPAIR OR CORRECTION 6 License YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT YOU WILL PROVIDE AN UNLIMITED ZERO COST LICENSE TO BARRACUDA FOR ANY PATENTS OR OTHER INTELLECTUAL PROPERTY R...

Страница 114: ...omer may have paid Barracuda Networks the required license fee and Customer s use of the Energize Update Software shall also be limited as applicable and set forth in Customer s purchase order or in B...

Страница 115: ...reasonable security measures to protect and maintain the confidentiality of such trade secrets and copyrighted material Title to Energize Update Software and documentation shall remain solely with Bar...

Страница 116: ...G FROM A COURSE OF DEALING LAW USAGE OR TRADE PRACTICE ARE HEREBY EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED SUCH WARRANTY IS LIMITED IN DURA...

Страница 117: ...to know that what they have is not the original so that any problems introduced by others will not reflect on the original authors reputations Finally any free program is threatened constantly by soft...

Страница 118: ...e anything that is normally distributed in either source or binary form with the major components compiler kernel and so on of the operating system on which the executable runs unless that component i...

Страница 119: ...R INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY O...

Страница 120: ...ovided with the distribution The name Carnegie Mellon University must not be used to endorse or promote products derived from this software without prior written permission For permission or any other...

Страница 121: ...Your own attribution notices within Derivative Works that You distribute alongside or as an addendum to the NOTICE text from the Work provided that such additional attribution notices cannot be constr...

Страница 122: ...r express or implied See the License for the specific language governing permissions and limitations under the License Source Code Availability Per the GPL and other open source license agreements the...

Страница 123: ...e Type 29 certificates 29 character tags 105 111 Concepts 17 configuration reloading 101 D Default Barracuda Networks certificates 29 definitions updating 24 101 diagnostic memory test 103 E Energize...

Страница 124: ...SNMP alerts 96 SSL Certificate Configuration 29 SSL certificates 29 ssladmin user 26 SSL only access 29 statistics 96 subscription status 24 system reboot 101 shutdown 101 system alerts 96 T tasks 97...

Отзывы:

Нет отзывов

Похожие инструкции для SSL VPN

Бренд: Garmin Страницы: 6

ENTERPRISE SOLUTION ERASING FI

Бренд: Blackberry Страницы: 10

Бренд: Microtek Страницы: 177

NAPCKE-AB-AA - VirusScan For NetApp

Бренд: McAfee Страницы: 54

PARTNER ACS PC Administration

Бренд: Avaya Страницы: 56

Бренд: Avaya Страницы: 61

Бренд: Vonamic Страницы: 31

Бренд: RGB Spectrum Страницы: 158

Бренд: Silicon Image Страницы: 36

POLICY MANAGER 9.0

Бренд: F-SECURE Страницы: 102

Бренд: Accordiva Страницы: 31

Бренд: Commax Страницы: 34

ThinkCentre M50

Бренд: Lenovo Страницы: 440

Бренд: Brother Страницы: 8

BES Monogramming Suite

Бренд: Brother Страницы: 10

Бренд: Brother Страницы: 80

Бренд: Nokia Страницы: 6

N73 - Smartphone 42 MB

Бренд: Nokia Страницы: 2

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды