Hello! My name is Vladimir and I am a paranoiac.
During the COVID-19 epidemic we had to greatly expand the number of remote workers in our organization. We use a Huawei USG firewall and its SSL VPN feature to make this possible. In this post I would like to describe the problems we faced and how we fought them.
Let’s talk about the security risks of massive VPN use. Many users with many computers connect to the enterprise network. They use their own equipment to do that, and we can’t control the security policies or even the antivirus software on their PCs. The VPN gives them the ability to connect their PCs to the enterprise LAN. When a user connects the VPN client to the VPN server, the user’s PC is effectively “placed in the enterprise LAN”. If we have not limited what those connections can reach, then every virus (or little hacker) gets the ability to disrupt our ICT. Now I will describe the network diagram of this connection to give a clearer view.

The remote user connects his own device to the Internet. Then he starts the VPN client (SecoClient). The VPN client establishes a connection to the VPN server (the USG firewall) and creates an “SSL VPN tunnel”. When this is done, the VPN client receives an IP address from the VPN server and creates a virtual LAN adapter on the user’s host with the IP parameters given by the VPN server. After that the user can send packets to the VPN server, and the VPN server knows that this user has an IP address from the VPN client address pool. It is important to understand that the user can send packets to the enterprise network only through the VPN server, never any other way.
To be able to send and receive network packets we need to configure some routing. The user’s host should know which network segments are routed through the VPN server, and the LAN routers should know that the VPN client addresses are routed through the VPN server. Both routes must exist before the VPN can work.
Now we will talk about the Huawei SSL VPN service types and how we use them.
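The two routes described above, written as an added configuration example (this is not the author’s configuration). The virtual gateway name `remote-users`, the interfaces, the client pool `10.200.0.0/24`, the enterprise segment `192.168.10.0/24` and the USG LAN address `192.168.1.1` are all constructed values; the `v-gateway`, `network-extension` and `ip route-static` commands are the Huawei USG (VRP) forms as I know them, so check them against the documentation for your software version.

```vrp
# Added example, not the author's configuration. All names and addresses are constructed:
#   GigabitEthernet1/0/1 = Internet-facing interface of the USG (SSL VPN listens here)
#   192.168.1.1          = LAN-facing address of the USG (assumption)
#   10.200.0.0/24        = address pool handed to connected SecoClients
#   192.168.10.0/24      = the only enterprise segment the clients may reach
#
# --- On the Huawei USG (VPN server) ---
v-gateway remote-users interface GigabitEthernet1/0/1 private
v-gateway remote-users
 service
  network-extension enable
  # Route 1, client side: each client gets a tunnel address from this pool ...
  network-extension netpool 10.200.0.2 10.200.0.254 255.255.255.0
  # ... and in manual mode only the listed segment is routed into the tunnel,
  # so the client's ordinary Internet traffic never enters the enterprise LAN
  network-extension mode manual
  network-extension manual-route 192.168.10.0 255.255.255.0
#
# --- On the LAN core router ---
# Route 2, LAN side: replies to the client pool must go back to the USG,
# otherwise packets reach the servers but answers are dropped or misrouted
ip route-static 10.200.0.0 255.255.255.0 192.168.1.1
```

A quick check that both routes are in place: on a connected client, the route table should show `192.168.10.0/24` via the SecoClient adapter and nothing else from the enterprise; on the core router, `display ip routing-table 10.200.0.0` should point at the USG.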
| Service | Definition |
|---|---|
| Web proxy | Used by remote users to access intranet web resources. |
| File sharing | Used by remote users to access an intranet file server running the Server Message Block (SMB)-capable Windows OS and those running the Network File System (NFS)-capable Linux OS. Users can use web browsers to perform some operations on an intranet file system as easily as they do on a local file system. The operations include creating and browsing a directory and downloading, uploading, renaming, and deleting a file. |
| Port forwarding | Used by remote users to access intranet TCP resources. Port forwarding applies to TCP application services, such as Telnet, remote desktop, FTP, and email. Port forwarding allows for port-level secure access to intranet resources. |
| Network extension | Used by remote users to access intranet IP resources. Web resources, file resources, and TCP resources are all IP resources. The network extension service is used when the types of resources that users want to access do not need to be distinguished. |
I will not explain all the service variants, only the ones we use: the first one (web proxy) and the last one (network extension).
Using web proxy
When a user needs to configure his computer at home, he needs some instructions and software. Most of our remote users started to work remotely after the office was closed, so we had to give them the instructions and the VPN client installer remotely. To do that we upload the VPN software and the instruction files to a local web server, and then we publish these files with the web proxy feature of the SSL VPN. Now the user can use a browser to connect to our “firewall SSL VPN portal” and download the software from it, but only after authentication and authorization. At this phase you don’t need the VPN client; you download it from the “firewall SSL VPN portal”.
When a user works through the web proxy he doesn’t get full access to the enterprise network; he only gets the ability to reach a few web servers. If you want to use it to publish your own sites, some features don’t work (we had problems with external links and maybe cookies or sessions). But it is a good way to publish the instructions and software.
Using network extension
This is the main way for our remote workers. They get access to some internal web-based software and to the virtual desktop infrastructure (VDI). We limit the list of accessible resources to get maximum protection of the ICT. First we limit the accessible IP addresses, then we limit the services with security policies. After these two limitations we can permit only port 80 to the web server and deny it to the FTP server. Using web systems in this configuration is better than with the web proxy because there is no URL rewriting: the browser works directly with the web server and can use all its features.
Some people need more than web-based systems. They need access to files on the NAS or to other software. If we allowed remote file access, we would be allowing access to the NAS from the user’s home PC and all its viruses. I don’t want to do that. To let these people work we use VDI. Why is VDI more secure? Because we don’t send files from the user’s PC; we only send mouse and keyboard actions and receive the picture of the screen (yes, we deny local file sharing with VDI). When a user connects to the VDI he gets his own virtual computer inside the enterprise LAN and can work with all enterprise resources. To permit VDI usage we need to permit only a limited number of protocols through the VPN. To find the list of ports and protocols that must be permitted, you can search for “FusionAccess firewall” or something similar.
VDI has not only pluses; it has some minuses too. First of all, you need the VDI itself: servers, storage, software, administrators. Second, users don’t like to work in VDI: it freezes on video, needs additional software, and doesn’t feel like their “own PC”. With VPN we also get an additional problem with Internet bandwidth, because VDI consumes it: the more VDI connections over VPN, the more Internet bandwidth they use. To protect against this we set some preferences for the remote VDI clients to reduce the bandwidth, lowering the frames per second and some picture quality parameters. We can also limit the maximum bandwidth of a VDI client (and we did that). Bandwidth is used mostly when the picture on the screen changes, and in “normal conditions” it isn’t very big.
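The two-step limitation described above (first the reachable addresses, then the permitted services), as an added configuration example rather than the author’s own policy. The zone name `sslvpn` (assumed to be the zone the virtual gateway interface belongs to), the client pool `10.200.0.0/24`, the web server `192.168.10.20` and the FTP server `192.168.10.30` are constructed values; the `security-policy` rule syntax is the Huawei USG (VRP) form as I know it, so verify it against the documentation for your version.

```vrp
# Added example, not the author's policy. Constructed values:
#   sslvpn         = security zone that SSL VPN network-extension traffic enters from (assumption)
#   10.200.0.0/24  = VPN client address pool
#   192.168.10.20  = intranet web server, 192.168.10.30 = FTP server on the same segment
security-policy
 # Weak version (step 1 only): limiting by address still exposes every service
 # on the segment, including the FTP server. Shown for comparison; do not keep it.
 # rule name vpn-to-intranet-any
 #  source-zone sslvpn
 #  destination-zone trust
 #  source-address 10.200.0.0 mask 255.255.255.0
 #  destination-address 192.168.10.0 mask 255.255.255.0
 #  action permit
 #
 # Tightened version (step 1 + step 2): one host, one service
 rule name vpn-to-intranet-web
  source-zone sslvpn
  destination-zone trust
  source-address 10.200.0.0 mask 255.255.255.0
  destination-address 192.168.10.20 mask 255.255.255.255
  service http
  action permit
 # Explicit deny for the FTP server, so a later, broader rule cannot expose it by accident
 rule name vpn-deny-ftp-server
  source-zone sslvpn
  destination-zone trust
  source-address 10.200.0.0 mask 255.255.255.0
  destination-address 192.168.10.30 mask 255.255.255.255
  action deny
 # Anything from the pool that matches no rule is dropped
 default action deny
```

Rule order matters on the USG: rules are evaluated top to bottom and the first match wins, so keep the narrow permit above any broader rules, and check the hit counters of the deny rule after rollout to see what the clients were trying to reach beyond the web server.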
Huawei documentation: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100013380&lang=en&idPath=24030814|9856724|21430823|21100508|8661805