[Dr.WoW] [No.43] Network Extension-part 1


There is an old saying that goes "everything has its place; each has their own abilities." SSL VPN's four major services are similar: users who want to access Web resources need to use the Web proxy service; to access file resources you need to use the file sharing service, and so on. With this in mind, I'm sure there will be a few questions, such as: "In what scenarios will the network extension that you're speaking about today be used?" "What are its working principles?" "Why is this service called 'network extension'?" Perhaps you have even more questions, but that's alright, as I'll answer these questions one by one in this section.

1 Network Extension Use Scenarios

Figure 1-1 is a scenario in which a remote user is accessing company internal network resources. Specifically, the remote user needs to access a company's internal voice server (SIP server) to participate in a teleconference. Can SSL VPN's first three services meet this kind of need?

Figure 1-1 Network extension use scenario


Let's analyze this first. The remote user wants to access the voice server. SIP will be used for communication between the two, and SIP is an application protocol that is normally layered on top of UDP. Web proxy and file sharing solve the specific problems of remote users accessing Web resources and file resources, but these two services are not related to voice resources, so they certainly can't meet this need. Can the port forwarding service resolve this problem? The answer is also no. The reason is that port forwarding can only help with TCP-based application protocols, but SIP is generally UDP-based, so the port forwarding service is helpless here. Does this mean SSL VPNs can't meet even this need? Of course not; they can, but they need to use the network extension service that we are discussing today.

Initiating the network extension service on a firewall is of great value here, as the network extension service can meet the remote user's need to access all IP resources on the company internal network, and the SIP-based voice resource mentioned above is a kind of IP resource.

Perhaps some readers don't have a very deep understanding regarding what we mean by saying that network extension allows remote users to access all IP resources on company internal networks, and so I've used Figure 1-2 to further my explanation.

Figure 1-2 Network extension is located in the network layer


From the above figure it can be seen that the user has many kinds of service systems, indeed too many to review separately. But if we dig several layers deeper, we'll discover that regardless of how many service systems the user has at the upper layers, they still rely on lower-layer protocols to provide communication support for them; it's just that the lower-layer protocol types used by different service systems differ.

The application layer protocols supported by Web proxy and file sharing are very specific. For example, Web proxy can only support applications based on the HTTP protocol; file sharing only supports SMB and NFS applications; port forwarding already supports all applications based on the TCP protocol. However, having the port forwarding service doesn't mean the SSL VPN can do everything: for example, the port forwarding service is in over its head when it encounters applications based on the UDP protocol (for example, the SIP protocol used by the user's teleconference system is UDP-based). If we want SSL VPNs to support more user applications, we need to provide protocol support at the layer below this, and network extension is exactly this kind of function: it offers complete support directly at the IP layer. Therefore, the network extension service is able to provide an even wider variety of resources to remote users.

2 Network Extension Process

When a remote user uses the network extension function to access internal network resources, the internal exchange process involved is shown in Figure 1-3.

Figure 1-3 Network extension function flow


1. The remote user logs in to the virtual gateway using an IE browser.

2. After the remote user successfully logs in to the virtual gateway, he/she enables the network extension function.

When the remote user enables the network extension function, it will trigger the following actions:

a. A new SSL VPN tunnel will be established between the remote user and the virtual gateway.

b. The remote user's local PC will automatically generate a virtual network card. The virtual gateway randomly selects an IP address from the address pool and assigns the address to the remote user's virtual network card, with this address used for communication between the remote user and the company internal network. With this private IP address, the remote user can conveniently access internal network IP resources just as if they were a user in the company internal network.

c. The virtual gateway issues routing information for reaching the internal network server to the remote user.

3. The remote user sends a service request packet to the company internal network's server. This packet reaches the virtual gateway through the SSL VPN tunnel.

4. After receiving the packet, the virtual gateway decapsulates it, and then sends the decapsulated service request packet to the internal network server.

5. The internal network server responds to the remote user's service request.

6. After arriving at the virtual gateway, the response packet enters the SSL VPN tunnel.

7. After the remote user receives the service response packet, it decapsulates the packet to extract the service response packet within.

The above is the basic process of a remote user utilizing the network extension service to access company internal network IP resources. If we compare network extension with the other three methods of implementing SSL VPN services, it's not hard to see that the mechanisms by which these three services (Web proxy, file sharing and port forwarding) are accomplished are largely the same: they map the enterprise network's internal resources onto the firewall, and the firewall then presents these to the remote user. From this perspective, the firewall is simply a piece of secure proxy equipment, and the remote user hasn't actually connected into the company internal network.

However, network extension is different. During the network extension service, the remote user obtains a company internal private network IP address from the firewall, and uses this IP address to access the enterprise network's internal resources. When an Internet user possesses the company private IP address, it is as if the user itself is located inside the enterprise network. Or, to switch our perspective, this is equivalent to the borders of the enterprise network being extended to the remote user's location. The area surrounded with gray dashes in Figure 1-4 can be understood to be the extension of the enterprise network onto the Internet, so it's not hard to understand why this service is called network extension.

Figure 1-4 Network extension schematic


To further understand the internal implementation mechanisms of network extension, I will take the exchange process above and add an explanation of the principles behind the encapsulation of service request packets entering the VPN tunnel and the decapsulation of packets emerging from the VPN tunnel.

3 Reliable Transport Mode and Fast Transport Mode

There are two methods by which the network extension function can establish an SSL VPN tunnel: reliable transport mode and fast transport mode. In reliable transport mode, the SSL VPN uses the SSL protocol to encapsulate the packet and uses TCP as the transport protocol; in fast transport mode, the SSL VPN uses the QUIC (Quick UDP Internet Connections) protocol to encapsulate the packet and uses UDP as the transport protocol. QUIC is also a data encryption protocol based on the TLS/SSL protocols, and its role is the same as SSL, except that packets encapsulated by it are transported over UDP.

Figure 1-5 shows packet encapsulation in reliable transport mode. From the figure it can be seen that the source address (SRC) used for communication between the remote user and the company internal network (the SIP server) is the IP address of the remote user's virtual network card. Packets exchanged in the process safely reach the two communicating parties after repeated encapsulation and decapsulation. When the remote user accesses the SIP server, the inner packet's source port is 5880 (random), its destination port is 5060, and its transport protocol is UDP. The outer packet's encapsulation protocol is SSL, and its transport protocol is TCP.

Figure 1-5 Packet encapsulation process when using reliable transport mode


Figure 1-6 shows packet encapsulation in fast transport mode. The encapsulation principles in this mode are the same as those for reliable transport mode, with the difference that the outer layer encapsulation protocol has been changed from SSL to QUIC, and the transport protocol has been changed from TCP to UDP.

Figure 1-6 Packet encapsulation process when using fast transport mode


In unstable network environments, reliable transport mode is the suggested mode; when the network environment is relatively stable, fast transport mode is suggested, as it improves data transmission efficiency.
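As an added illustration (not code from this post or from the firewall's own implementation), the following Python models steps 3 and 4 of Figure 1-3 together with the two outer framings of section 3: the client builds the inner IPv4/UDP packet from its virtual network card address to the SIP server (ports 5880 and 5060 as in Figure 1-5), wraps it either as a length-framed record on a TCP byte stream (reliable mode) or as one UDP datagram per packet (fast mode), and the gateway decapsulates and validates it before forwarding. The addresses, the pushed route list, and the gateway's source-address and route checks are assumptions; the SSL/QUIC encryption of the real tunnel is not modelled.

```python
import struct
from socket import inet_aton, inet_ntoa

# Constructed values (not from the post): pool address given to this user's virtual NIC,
# the internal SIP server, and the route the gateway pushes in step 2c.
POOL_ADDRESS, SIP_SERVER = "10.1.1.2", "192.168.1.10"
PUSHED_ROUTES = [("192.168.1.0", 24)]

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(int.from_bytes(hdr[i:i + 2], "big") for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF          # 0 when run over a header whose checksum is valid

def build_inner(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Inner IPv4/UDP datagram as the client's virtual NIC emits it (UDP checksum left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + udp

def encapsulate(inner: bytes, mode: str) -> bytes:
    """Outer framing only; the SSL/QUIC encryption of the real tunnel is not modelled."""
    if mode == "reliable":      # SSL over TCP is a byte stream, so each packet is length-framed
        return struct.pack("!H", len(inner)) + inner
    return inner                # QUIC over UDP: one datagram carries exactly one inner packet

def decapsulate(outer: bytes, mode: str) -> bytes:
    if mode == "reliable":
        return outer[2:2 + struct.unpack("!H", outer[:2])[0]]
    return outer

def in_route(ip: str, routes) -> bool:
    addr = int.from_bytes(inet_aton(ip), "big")
    return any(addr >> (32 - plen) == int.from_bytes(inet_aton(net), "big") >> (32 - plen)
               for net, plen in routes)

def gateway_forward(outer: bytes, mode: str, assigned_ip: str):
    """Step 4: decapsulate, validate, and return what the gateway would send to the server."""
    inner = decapsulate(outer, mode)
    hdr = inner[:20]
    if len(hdr) < 20 or hdr[0] != 0x45 or hdr[9] != 17 or ipv4_checksum(hdr) != 0:
        return None                                  # malformed inner packet: drop it
    src, dst = inet_ntoa(hdr[12:16]), inet_ntoa(hdr[16:20])
    sport, dport = struct.unpack("!HH", inner[20:24])
    # Assumed checks: inner source must be the address this tunnel was assigned (so a remote
    # user cannot impersonate another internal host) and destination must be in a pushed route.
    if src != assigned_ip or not in_route(dst, PUSHED_ROUTES):
        return None
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": inner[28:]}
```

A request whose inner source is not the tunnel's assigned pool address, or whose destination lies outside the pushed routes, is dropped by `gateway_forward` rather than injected into the internal network.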

Created Oct 21, 2015 10:15:10

Thank you.

Created Dec 24, 2019 19:47:14

@dr.wow good day.

Excellent contribution, I think this will help me to present my H12-721 HCIP-Security-CISN V3.0 certification exam.


Senior Cybersecurity Engineer
Created Jan 19, 2020 22:45:01


Created Jan 30, 2020 23:35:08

Thank you