Working principle of SSL VPN on the USG
1. Concept
SSL is a security protocol that provides secure connections for application-layer protocols that run over TCP. It is widely used in fields such as e-commerce and e-banking to protect data transmitted over the network.
SSL provides connection privacy (encryption), identity authentication, and connection reliability (integrity protection of each message).
2. SSL
The SSL protocol is composed of two layers.
a. Lower-layer protocol
SSL record protocol
The SSL record protocol divides upper-layer data into fragments (records), optionally compresses them, computes and appends a message authentication code (MAC) to each record, encrypts the record, and then transmits it to the peer.
b. Upper-layer protocols
(1) SSL handshake protocol: The client and server establish a session through the handshake protocol. The session contains a group of parameters, including the session ID, the certificate of the peer, the cipher suite (key exchange algorithm, data encryption algorithm, and MAC algorithm), the compression algorithm, and the master secret. One SSL session can be shared by multiple connections to reduce the negotiation overhead.
(2) SSL change cipher spec protocol: Each side uses the change cipher spec message to notify the peer that all subsequent records are protected with the newly negotiated cipher suite and keys.
(3) SSL alert protocol: Used by either party to report alerts to the other party. An alert message carries the alert severity and a description.
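The record layer described in 2.a and the switch to protected records after change cipher spec in 2.b(2), as an added Python example that is not part of this page or of USG software: records are fragmented at 2^14 bytes, a MAC over sequence number, type, version, length and fragment is appended, and the result is encrypted and prefixed with the 5-byte record header. The keys and the HMAC-SHA256 counter keystream are constructed stand-ins for the negotiated cipher suite, not real SSL key derivation.

```python
import hmac, hashlib

# Constructed toy SSL/TLS record layer (not USG code): fragment -> MAC -> encrypt -> 5-byte header.
HANDSHAKE, CHANGE_CIPHER_SPEC, APPLICATION_DATA = 22, 20, 23      # record content types
SSL30, TLS10 = (3, 0), (3, 1)                                    # version bytes in the record header
MAX_FRAGMENT = 2 ** 14                                           # record-layer fragment limit
MAC_LEN = 32                                                     # HMAC-SHA256 output length

class RecordLayer:
    """One direction of a connection. Before change_cipher_spec the cipher state is null
    (records go out in the clear); afterwards every record is MACed and then encrypted.
    The keystream (HMAC-SHA256 in counter mode) is a stand-in for the negotiated cipher."""
    def __init__(self, version):
        self.version, self.mac_key, self.enc_key, self.seq = version, None, None, 0

    def change_cipher_spec(self, mac_key, enc_key):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    def _xor_keystream(self, buf):
        blocks = (hmac.new(self.enc_key, self.seq.to_bytes(8, "big") + i.to_bytes(4, "big"),
                           hashlib.sha256).digest() for i in range(len(buf) // 32 + 1))
        return bytes(a ^ b for a, b in zip(buf, b"".join(blocks)))

    def _mac(self, ctype, frag):  # MAC covers seq, type, version and length, so reordered/truncated records fail
        hdr = self.seq.to_bytes(8, "big") + bytes([ctype, *self.version]) + len(frag).to_bytes(2, "big")
        return hmac.new(self.mac_key, hdr + frag, hashlib.sha256).digest()

    def protect(self, ctype, data):
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            frag = data[i:i + MAX_FRAGMENT]
            if self.mac_key is not None:                         # MAC-then-encrypt after change_cipher_spec
                frag = self._xor_keystream(frag + self._mac(ctype, frag))
                self.seq += 1
            records.append(bytes([ctype, *self.version]) + len(frag).to_bytes(2, "big") + frag)
        return records

    def unprotect(self, record):
        ctype, version, length = record[0], (record[1], record[2]), int.from_bytes(record[3:5], "big")
        body = record[5:5 + length]
        if version != self.version or len(body) != length:
            raise ValueError("bad record header")
        if self.mac_key is None:
            return ctype, body
        plain = self._xor_keystream(body)
        frag, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
        if not hmac.compare_digest(mac, self._mac(ctype, frag)):  # reject before acting on the data
            raise ValueError("bad_record_mac")
        self.seq += 1
        return ctype, frag
```

Because the sequence number is part of the MAC input and advances on every accepted record, a replayed or reordered record fails verification, which is the record layer's anti-replay property.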
3. SSL VPN provides four types of services:
a. Web proxy
The web proxy allows users to access web servers on the internal network through the USG and provides HTTP-based web services for users.
b. Network extension
After a user installs the network extension client of the USG on the local PC, a virtual NIC is generated. The user can then conduct SSL data communication with the intranet through this virtual NIC.
c. Port forwarding
As a non-web application mode, port forwarding provides secure access to TCP-based applications. In port forwarding, user access is controlled at the application level.
d. File sharing
File sharing presents shared resources on Windows servers that use the Server Message Block (SMB) protocol, or on Linux servers that use the Network File System (NFS) protocol, to users as web pages.

Other related questions:
Working mechanism of IPSec on AR series routers
Huawei AR series routers support IPSec. Most data is transmitted in plain text on the Internet, which carries many potential risks: for example, bank account and password data may be intercepted or tampered with, user identities may be spoofed, and malicious attacks may occur. After IPSec is deployed on the network, transmitted IP data is protected, reducing the risk of information leakage. IPSec is a security protocol suite defined by the Internet Engineering Task Force (IETF). It secures data transmission on the Internet through data origin authentication, data encryption, data integrity checking, and anti-replay functions. For details, see Configuration Guide-VPN.

IPSec working principles on USG firewalls
What is IPSec?
1. IPSec is an open network-layer security framework defined by the Internet Engineering Task Force (IETF). It is a suite of protocols and services that provide IP network security rather than a single protocol. IPSec mainly includes the Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and the algorithms used for authentication and encryption.
2. IPSec provides security services for IP packets by means of encryption and authentication:
a. User data encryption: ensures data confidentiality by encrypting user data.
b. Data integrity verification: ensures that data is not tampered with on the transmission path.
c. Data origin verification: ensures that data comes from the real sender.
d. Anti-replay: rejects repeated packets at the receiving end so that captured packets cannot be replayed to mount attacks.
3. Application scenarios
a. Interworking between LANs over the VPN
(1) Point-to-point VPN (site-to-site VPN): also known as LAN-to-LAN VPN or gateway-to-gateway VPN. It is mainly used to establish an IPSec tunnel between the company HQ network and a branch network so that the LANs can interwork.
(2) Point-to-point VPN extension (L2TP over IPSec): packets are first encapsulated by L2TP and then by IPSec. This combines the advantages of the two VPN types: L2TP provides user authentication and address allocation, and IPSec provides security.
(3) Point-to-point VPN extension (GRE over IPSec): IPSec cannot encapsulate multicast, broadcast, or non-IP packets. To carry such packets over an IPSec VPN, they are first encapsulated in IP packets using GRE and then encapsulated as IPSec packets.
(4) Point-to-multipoint VPN (Hub-Spoke VPN): in practice, the point-to-multipoint IPSec VPN is commonly used for interworking between the company HQ network and multiple branch networks.
b. If the IP address of the mobile device that a mobile user uses to access the VPN remotely is unstable, an IPSec tunnel needs to be established between the dial-in user and the HQ gateway to avoid attacks from insecure network devices. The HQ gateway authenticates the dial-in user, who can access the HQ network only after passing authentication. L2TP over IPSec supports dial-in from mobile devices using the Windows built-in dialing software, other dialing software, or IKEv2 dialing software.

SSL VPN virtual gateway on the USG
Configure SSL parameters: the SSL version supported by the USG, the cipher suite, the session timeout duration, and the life cycle. You can retain the default values.
Procedure:
system-view
v-gateway v-gateway-name //Access the virtual gateway view.
basic //Access the basic virtual gateway view.
ssl version { sslv30+tlsv10 | tlsv10 } //Configure the SSL version supported by the USG. By default, the USG supports SSL3.0 and TLS1.0.
ssl ciphersuit { allciphersuit | custom { aes256-sha | non-aes256-sha } { des-cbc3-sha | non-des-cbc3-sha } { rc4-sha | non-rc4-sha } { rc4-md5 | non-rc4-md5 } { aes128-sha | non-aes128-sha } { des-cbc-sha | non-des-cbc-sha } } //Configure the SSL cipher suite.
ssl timeout time //Configure the SSL session timeout duration.
ssl lifecycle { time | no-time-limit } //Configure the SSL life cycle.
ssl session-reuse enable //Enable SSL session reuse.
Follow-up processing:
display ssl //View the SSL configuration.

Support for SSL VPN on the USG
1. The USG2100, USG2200, and USG5100 BSR do not support the SSL VPN function.
2. In USG2000 or USG5000 V300R001, the SSL VPN function can be configured only in CLI mode (not in the web UI) in V300R001C00SPCa00 and V300R001C00SPCb00. In the other versions of V300R001 it can be configured in either web UI or CLI mode.
3. The USG6000 series firewalls support the SSL VPN function.
