[Dr.WoW] [No.39] SSL VPN Mechanisms -part 2

Latest reply: Sep 23, 2015 09:41:14

4 User Identity Authentication

In order to guarantee the legitimacy of SSL VPN remote users, and to improve system security, the SSL VPN server normally supports multiple authentication methods. Above, we used configuring and storing a user name/password on the firewall as an example. This is the most basic and simple authentication method. Huawei's firewalls support the following authentication methods:

• Local authentication of user name/password: refers to configuring and storing a user name/password on the firewall. The user can successfully log in by simply entering the matching user name/password.

• Server authentication of user name/password: refers to storing the user name/password on a special third-party authentication server. After the user enters the user name/password, the firewall forwards this to the authentication server for authentication. Currently supported types of authentication servers include RADIUS, HWTACACS, SecurID, AD, and LDAP.

• Anonymous certificate authentication: refers to the user's client configuring a client certificate. The firewall verifies the client certificate to authenticate the user's identity.

• Challenge certificate authentication: refers to the server using two-factor authentication (user name/password + client certificate) to authenticate a user's identity. This kind of method is clearly the most secure.

  - If only client certificate authentication is used, security cannot be guaranteed if the client is lost or used illegally;

  - If only user name/password authentication is used, the user can log in from a different client, and that client may present a security hazard.

The two-factor authentication method guarantees a designated user uses a designated client to log in to the SSL VPN server, thereby legitimately accessing internal network resources.

Local authentication and third party server authentication of user name/password are the most common user authentication methods, and won't be described further here. Below, I will introduce certificate authentication.

Challenge certificate authentication adds one more check (user name/password) on top of anonymous certificate authentication, but the principle is the same, so the two can be described together.

The firewall (the SSL VPN server) uses verification of the client's certificate to authenticate the user's identity. The process is shown in Figure 1-4.

Figure 1-4 Certificate authentication process


The firewall authenticates user identity through verification of the client's certificate. The process is as follows:

1. The user imports a client certificate and the firewall imports the client CA certificate, both issued by the same CA.

2. The user (client) sends its own certificate to the firewall, and the firewall verifies this certificate. Authentication succeeds if all of the following conditions are met.

  - The client's certificate and the client CA certificate imported onto the firewall have been issued by the same CA.

  - The client certificate is within its validity period.

  - The user filtering field in the client certificate is a user name that has already been configured and stored on the firewall. For example, if the client certificate's user filtering field reads CN=user000019, and the corresponding user name user000019 has already been configured on the firewall, this shows that this is the client certificate issued to user000019.

3. After the user passes the firewall's identity authentication, the user successfully logs in to the resource interface and can access the internal network's designated resources.
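As an added illustration (not code from this post or from Huawei's firewall), the three conditions in step 2 worked through in Go: a constructed CA issues a client certificate, and `authenticate` checks that the certificate chains to the imported client CA certificate, is inside its validity period, and carries a CN matching a locally configured user name. The `issue` and `authenticate` functions, the "ClientCA" name and the single-user store containing user000019 are assumptions of this example; a certificate from a different CA, an expired one, or one for an unconfigured user is rejected by the same function.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate whose CN is the "user filtering field"; with ca == nil it makes a self-signed CA.
func issue(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(ttl), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca == nil { // self-signed: this is the certificate the firewall imports as its client CA certificate
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// authenticate applies the post's three conditions: issued by the imported CA, inside its validity period, and CN equal to a configured user name.
func authenticate(client, firewallCA *x509.Certificate, now time.Time) (string, error) {
	localUsers := map[string]bool{"user000019": true} // constructed stand-in for the firewall's local user store
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(firewallCA)
	if _, err := client.Verify(opts); err != nil {
		return "", err // issued by a different CA, or outside the validity period
	}
	cn := client.Subject.CommonName
	if !localUsers[cn] {
		return "", fmt.Errorf("certificate CN=%s matches no configured user", cn)
	}
	return cn, nil
}

func main() { // issue a CA and a client certificate under it, then authenticate the client
	ca, caKey := issue("ClientCA", nil, nil, 24*time.Hour)
	client, _ := issue("user000019", ca, caKey, time.Hour)
	fmt.Println(authenticate(client, ca, time.Now())) // user000019 <nil>
}
```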

Above, I, Dr. WoW, have already displayed a packet capture from the SSL handshake stage when using the user name/password to log in to the firewall's virtual gateway, and below we'll change the authentication method to anonymous certificate authentication to take a look at how the server authenticates a client certificate during the transfer of encrypted data.

After the certificate that the client must use has been configured on the firewall's virtual gateway, the packet capture looks as shown below. It is impossible to tell from the raw capture what each packet is, so we import the firewall's (the SSL server's) private key and use the packet capture tool to decrypt the captured packets.


Comparing the left and right columns briefly, we can see that in No. 895 the first message shown as 'Encrypted Handshake Message' is actually a Hello Request sent from the server to the client. The client then responds, after which the server sends a Server Hello. Following this message, the server sends the client a request for its certificate so that it can be verified. From the packet capture it seems that this negotiation was unsuccessful for some reason, and negotiation between the client and the server continues.

Beginning with No. 1045, the server again sends a Hello Request and then continues with its operations. In No. 1085, the server requests that the client provide a certificate. In No. 1088, the client sends its certificate to the server, and in No. 1097 the server verifies the client's certificate; the packet capture shows that the certificate is illegitimate and fails authentication. Although authentication was unsuccessful, the information above faithfully reflects the entire process of the server verifying the client's certificate; please compare the left and right sides to aid your understanding.

This completes my introduction of how a remote user establishes a connection with the SSL VPN server and successfully logs in to it. In the following sections, I will use the USG6000 family of firewalls as an example, first introducing file access and Web access (of e-mails, etc.; file access and Web access are extremely common uses in an office scenario), and then port forwarding and network extension, ordering the discussion from finer access control granularity to coarser access control granularity.


We're using the USG6000 family of firewalls in our introduction because, compared to the USG2000/5000 series of firewalls, the SSL VPN functionality on the USG6000 has an improved user authentication method: it uses the universal authentication method provided by the firewall (introduced in "8.1.4 User identity authentication"), which makes the configuration logic and process clearer and easier to understand. Below, we'll shift our focus to SSL VPN operational configuration, resource authorization and access control to introduce SSL VPN functionality, and will not give a further detailed introduction regarding user authentication.






Created Sep 23, 2015 09:41:14

Thank you for sharing.