9.6. SSL VPN
9.6.1. Overview
NetDefendOS provides an additional type of VPN connection called SSL VPN. This makes use of
the Secure Sockets Layer (SSL) protocol to provide a secure tunnel between a remote client
computer and a NetDefend Firewall. Any application on the client can then communicate securely
with servers located on the protected side of the firewall.
The Advantage of SSL VPN
The key advantage of SSL VPN is that it enables secure communications between a client and a
firewall using the HTTPS protocol. In some environments where roaming clients have to operate,
such as hotels or airports, network equipment will often not allow other tunnelling protocols, such as
IPsec, to be used.
In such cases, SSL VPN provides a viable, simple, secure client connection solution.
The SSL VPN Disadvantage
A disadvantage of SSL VPN is that it relies on tunneling techniques that make extensive use of TCP
protocol encapsulation for reliable transmission. This leads to extra processing overhead which can
cause noticeable latencies in some high load situations.
SSL VPN therefore demands more processing resources than, for example, IPsec. In addition,
hardware acceleration for IPsec is available on some hardware platforms to further boost processing
efficiency.
A Summary of SSL VPN Setup Steps
SSL VPN setup requires the following steps:
• On the NetDefend Firewall side:
  i. An SSL VPN Interface object needs to be created which configures a particular Ethernet
     interface to accept SSL VPN connections.
  ii. An Authentication Rule needs to be defined for incoming SSL VPN clients and the rule
      must have the Interface property set to be the name of the SSL VPN object created above.
      The Authentication Agent of the rule must be set to L2TP/PPTP/SSL VPN and the rule's
      Terminator IP must be set to the external IP address of the firewall's listening
      interface.
      The PPP Agent Options for the rule can be any combination of PAP, CHAP, MS-CHAP,
      MS-CHAPv2 and no authentication. The SSL client will go through all the options until it
      finds a method that works. By default, all options are enabled except for no authentication.
      This topic is discussed further in Section 8.2.5, “Authentication Rules”.
  iii. Client users need to be defined in the Authentication Source of the authentication rule. This
       source can be a local user database, a RADIUS server or an LDAP server.
  iv. Define appropriate NetDefendOS IP rules to allow data flow within the SSL VPN tunnel.
      As discussed below, IP rules do not normally need to be defined for the setup of the SSL
      VPN tunnel itself; they are only needed for the traffic that flows inside the tunnel.
  v. Specify the interfaces on which client IPs will be ARP published. This is necessary so a
Chapter 9. VPN
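The setup steps above depend on each other: the authentication rule must name the SSL VPN interface object, its Terminator IP must be the external IP of the interface that object listens on, the agent must be L2TP/PPTP/SSL VPN, and the tunnel only carries traffic that an IP rule allows. The following added example (not NetDefendOS code, and not its real configuration format) models those objects as plain Python dictionaries and checks a configuration for the mismatches a reviewer would look for before the client is let loose. The property names (`interface`, `agent`, `terminator_ip`, `ppp_options`, `auth_source`, `source_interface`) and the sample addresses are constructed assumptions for the illustration.

```python
"""Consistency checks for an SSL VPN setup modelled on the steps in Section 9.6.1.

Added illustration only: the dictionaries are a hypothetical model of the
NetDefendOS objects, not the firewall's own configuration schema.
"""
from ipaddress import ip_address

# Values named by the section; the dictionary keys are assumptions of this example.
REQUIRED_AGENT = "L2TP/PPTP/SSL VPN"
PPP_METHODS = {"PAP", "CHAP", "MS-CHAP", "MS-CHAPv2"}   # "none" = no authentication
AUTH_SOURCES = {"local", "radius", "ldap"}


def _same_ip(a, b):
    """Compare two textual addresses; unparsable input counts as a mismatch."""
    try:
        return ip_address(a) == ip_address(b)
    except ValueError:
        return False


def check_sslvpn_setup(interfaces, sslvpn, auth_rules, ip_rules):
    """Return a list of findings; an empty list means the setup is consistent.

    interfaces : {name: {"ip": external IP of that Ethernet interface}}
    sslvpn     : the SSL VPN Interface object (step i)
    auth_rules : authentication rules for incoming clients (steps ii and iii)
    ip_rules   : IP rules; traffic inside the tunnel needs one (step iv)
    """
    findings = []

    # Step i: the SSL VPN object must bind to an existing Ethernet interface.
    eth = interfaces.get(sslvpn["ethernet_interface"])
    if eth is None:
        findings.append(f"{sslvpn['name']} binds unknown interface "
                        f"{sslvpn['ethernet_interface']}")
        return findings  # the remaining checks need the listening IP

    # Step ii: an authentication rule must have Interface = the SSL VPN object.
    rules = [r for r in auth_rules if r.get("interface") == sslvpn["name"]]
    if not rules:
        findings.append(f"no authentication rule has Interface = {sslvpn['name']}")
        return findings
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        if rule.get("agent") != REQUIRED_AGENT:
            findings.append(f"rule {name}: agent must be {REQUIRED_AGENT}")
        if not _same_ip(rule.get("terminator_ip", ""), eth["ip"]):
            findings.append(f"rule {name}: Terminator IP {rule.get('terminator_ip')} "
                            f"is not the listening interface IP {eth['ip']}")
        opts = set(rule.get("ppp_options", []))
        if not opts & PPP_METHODS:
            findings.append(f"rule {name}: no PPP authentication method enabled")
        if "none" in opts:
            # Disabled by default; enabling it lets the client negotiate no authentication.
            findings.append(f"rule {name}: 'no authentication' PPP option is enabled")
        # Step iii: users must come from a local database, RADIUS or LDAP.
        if rule.get("auth_source") not in AUTH_SOURCES:
            findings.append(f"rule {name}: auth source must be local, RADIUS or LDAP")

    # Step iv: IP rules are for traffic inside the tunnel, not for the tunnel setup.
    if not any(r.get("source_interface") == sslvpn["name"] for r in ip_rules):
        findings.append(f"no IP rule allows traffic arriving on {sslvpn['name']}")
    return findings


# Constructed sample configuration: one consistent rule set and one with typical slips.
INTERFACES = {"wan": {"ip": "203.0.113.10"}}
SSLVPN = {"name": "sslvpn_if", "ethernet_interface": "wan"}
GOOD_RULES = [{"name": "sslvpn_auth", "interface": "sslvpn_if", "agent": REQUIRED_AGENT,
               "terminator_ip": "203.0.113.10",
               "ppp_options": ["PAP", "CHAP", "MS-CHAP", "MS-CHAPv2"],
               "auth_source": "local"}]
BAD_RULES = [{"name": "sslvpn_auth", "interface": "sslvpn_if", "agent": "HTTP",
              "terminator_ip": "192.0.2.1",
              "ppp_options": ["MS-CHAPv2", "none"],
              "auth_source": "local"}]
IP_RULES = [{"source_interface": "sslvpn_if", "dest_interface": "lan", "action": "Allow"}]


def demo():
    """Run both sample configurations; returns (good_findings, bad_findings)."""
    return (check_sslvpn_setup(INTERFACES, SSLVPN, GOOD_RULES, IP_RULES),
            check_sslvpn_setup(INTERFACES, SSLVPN, BAD_RULES, IP_RULES))


if __name__ == "__main__":
    good, bad = demo()
    print("consistent setup findings:", good)
    for finding in bad:
        print("finding:", finding)
```

The bad sample trips three checks (wrong agent, Terminator IP that is not the listening interface's address, and the "no authentication" option enabled); dropping the IP rule from the good sample produces only the step iv finding, which is the usual symptom when the tunnel comes up but nothing flows through it.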