[Dr.WoW] [No.46] Integrated Use of the Four Major SSL VPN Functions

Latest reply: Nov 3, 2015 09:49:12

After finishing the review of network extension, most readers will be somewhat puzzled: if network extension is so powerful, why not simply provide the network extension service to every user, regardless of what type of internal network resource the user wants to access? Why still use Web proxy, file sharing, and so on?

This is a key question. The reason an SSL VPN provides services at so many different layers and granularities is to control remote users' access permissions to internal network systems, and in the end this serves one goal: security. When the network extension service is used, a remote user can access every type of resource in the company's internal network. Although this is very convenient for the user, it undoubtedly increases the management and control risk for internal network resources. To meet user needs while still controlling permissions correctly, different services must be configured for each user according to what that user actually needs, which avoids the problem described above.

Figure 1-1 shows a hypothetical network scenario in which a company has deployed a firewall and provides SSL VPN service for its traveling employees.

Figure 1-1 SSL VPN integrated scenario


Remote users' access needs for the internal network, and the plan for opening SSL VPN services for traveling employees on the firewall, are shown in Table 1-1.

Table 1-1 SSL VPN service plan

| Traveling employee identity | Access need | Service type | Role authorization |
|---|---|---|---|
| Ordinary employees | Access the OA system | Web proxy | Create a www.oa.com resource in the Web proxy service, and bind this resource with an ordinary employee or the group the ordinary employee belongs to. |
| Ordinary employees | Use the company email system to send and receive emails | Port forwarding | Create an email server resource in the port forwarding service, and bind this resource with an ordinary employee or the group the ordinary employee belongs to. |
| Managers | Access the OA system and the finance system | Web proxy | Create two resources, www.oa.com (already created) and www.finance.com, in the Web proxy service, and bind these resources with a manager or the group the manager belongs to. |
| Managers | Access the file sharing server | File sharing | Create a file server resource in the file sharing service, and bind this resource with a manager or the group the manager belongs to. |
| Managers | Use the company email system to send and receive emails | Port forwarding | Use the email server resource (already created) in the port forwarding service, and bind this resource with a manager or the group the manager belongs to. |
| Managers | Convene teleconferences | Network extension | Enable the network extension function, configure the voice server's address into "the accessible internal network segment", and then bind the network extension service with a manager or the manager's group. |

Once service configuration is complete, users with different identities see different service resources when they log in to the virtual gateway.

• Ordinary employees

After ordinary traveling employees log in to the virtual gateway, they see the resource links they are allowed to access, as shown in Figure 1-2, and can open a resource with a single click on its link.

Figure 1-2 Ordinary employee login interface


• Managers

Figure 1-3 shows the interface traveling managers see after logging in to the virtual gateway.

Figure 1-3 Manager login interface


Of these, Web proxy and file sharing resources are presented to the user as links to select. Port forwarding and network extension can only be used after clicking "Enable". But how does a remote user know which company internal network resources will be accessible after clicking Enable? The network administrator must use another channel, for example a bulletin, to inform the remote user of the domain names and addresses of the internal resource servers. In this regard Web proxy and file sharing have an advantage: with these two services, remote users can see which resources they may access from the resource list after logging in to the virtual gateway.

The relationship between a remote user's need to access the company's internal network and the SSL VPN service that should be enabled on the firewall can be broken down into two points.

• The type of resource (Web resource, file resource, TCP, IP) that the remote user accesses on the company's internal network determines which SSL VPN service the network administrator should select.

For example, for a traveling employee who only needs Web resources and email, just two services, Web proxy and port forwarding, need to be enabled. If a manager needs to access four types of resources, however, four services must be enabled for that user.

Note that because network extension covers the functionality of the other three services, for more convenient configuration we could also enable only the network extension service for the manager, allowing the manager to access all IP resources on the internal network (at the cost of the finer-grained control described earlier).

• Whether a remote user has permission to access a given resource is determined by the role authorization configuration.

To avoid configuring service authorization for every individual employee, we can create two groups (ordinary employees and managers), add each employee to the appropriate group, and then perform service authorization only for these two role groups.

For example, if a traveling employee and a manager both enable the Web proxy service, the traveling employee can only access the OA system (www.oa.com), while the manager can access both the OA system and the finance system (www.finance.com); this is what role authorization configures.
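To make the role-authorization point concrete, here is an added Python model (not Huawei configuration and not part of the original post) of the Table 1-1 plan: each resource, the service that publishes it, and the groups bound to it. The user names, group names and the voice segment 10.10.20.0/24 are constructed assumptions; the model shows why an ordinary employee never sees www.finance.com and why network extension only grants the configured segment.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the Table 1-1 plan (not the product's configuration
# syntax): resource name -> (service that publishes it, bound role groups).
# The voice segment for network extension is a made-up address.
RESOURCES = {
    "www.oa.com":      ("web_proxy",         {"employees", "managers"}),
    "www.finance.com": ("web_proxy",         {"managers"}),
    "file-server":     ("file_sharing",      {"managers"}),
    "mail-server":     ("port_forwarding",   {"employees", "managers"}),
    "10.10.20.0/24":   ("network_extension", {"managers"}),  # voice server segment
}

# Constructed users: alice is an ordinary employee, bob is a manager.
USER_GROUPS = {"alice": {"employees"}, "bob": {"managers"}}

# Services whose resources appear as clickable links in the portal; the other
# two (port forwarding, network extension) only show an "Enable" button.
LINK_SERVICES = {"web_proxy", "file_sharing"}


def visible_links(user):
    """Resource links the user sees after logging in to the virtual gateway."""
    groups = USER_GROUPS.get(user, set())
    return sorted(name for name, (svc, bound) in RESOURCES.items()
                  if svc in LINK_SERVICES and groups & bound)


def enabled_services(user):
    """Services the user may enable: those with at least one bound resource."""
    groups = USER_GROUPS.get(user, set())
    return sorted({svc for svc, bound in RESOURCES.values() if groups & bound})


def is_allowed(user, service, target):
    """Role authorization check: the user must belong to a group bound to a
    resource of that service, and the target must match that resource.
    For network extension the target is an IP inside the bound segment;
    for the other services it is the resource name itself."""
    groups = USER_GROUPS.get(user, set())
    for name, (svc, bound) in RESOURCES.items():
        if svc != service or not (groups & bound):
            continue
        if svc == "network_extension":
            if ip_address(target) in ip_network(name):
                return True
        elif name == target:
            return True
    return False
```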

 

 

Questions from Dr. WoW:

1. During the SSL handshake protocol, in order to resolve the problems of the public key encryption algorithm being too complicated and the encryption/decryption computing load being too large, what kinds of methods can be adopted to increase efficiency?

2. Does the file sharing function support new file creation?

3. After a traveling employee logs in to an SSL VPN, he discovers that the resource list is empty, but then suddenly remembers that his administrator gave him a secret solution. Can anyone guess what the content of this secret solution is?

4. What is the relationship between Web-Link and port forwarding?

5. In SSL VPNs, if the client and the server both use certificates to verify each other's identity, which certificates do the client and server need to acquire respectively?

 

 

user_2790689
Created Nov 3, 2015 09:49:12

Thank you.