Security defense --- SSL VPN

Attachment: Wireless Project Introduction

SSL VPN

Any device with a browser already supports SSL, and can therefore use an SSL VPN. Because no dedicated client software has to be installed or maintained, SSL VPN is also called clientless VPN. It is particularly advantageous in the client-to-LAN scenario.

Implementation (SSL runs on top of TCP)

(1) SSL protocol handshake

Handshake phases

The first phase of the SSL protocol handshake

The client first sends a client hello message to the server; after receiving it, the server replies with a server hello message. Both messages carry:

  • Random number: a 32-bit timestamp followed by a 28-byte random sequence; it is an input to the digests and to the derivation of the pre-master key and master key
  • Session ID: a one-time session identifier that prevents replay attacks

The second phase of the SSL protocol handshake

  • Server certificate: contains the server's public key, which the client uses to encrypt what it sends to the server
  • Server key exchange: selects the key exchange method, such as DH or RSA, and carries the parameters that method requires

The third phase of the SSL protocol handshake

Client key exchange: the client computes a pre-master key from the server's random number and sends it to the server; on receipt, the server derives the master key from the pre-master key

Attachment: The relationship between the pre-master key and the master key
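The relationship between the two keys, as an added worked example that is not from the original post: the TLS 1.2 PRF from RFC 5246 derives the 48-byte master secret from the pre-master secret and the two Hello randoms, then expands it into the MAC keys, encryption keys and initialization vectors for both directions. The cipher suite sizes (HMAC-SHA256, AES-128-CBC) and the fixed sample inputs are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import struct
import time

# Sizes for TLS_RSA_WITH_AES_128_CBC_SHA256 (assumed cipher suite for this example)
MAC_KEY_LEN = 32   # HMAC-SHA256 key
ENC_KEY_LEN = 16   # AES-128 key
IV_LEN = 16        # AES block size, used as the CBC initialization vector


def make_random(now=None, rand28=None):
    """Build a 32-byte Hello random: 4-byte Unix timestamp + 28 random bytes.

    The two arguments exist so a test can pass fixed values; in real use the
    timestamp comes from the clock and the tail from os.urandom().
    """
    ts = int(time.time()) if now is None else now
    tail = os.urandom(28) if rand28 is None else rand28
    if len(tail) != 28:
        raise ValueError("random tail must be exactly 28 bytes")
    return struct.pack(">I", ts) + tail


def p_sha256(secret, seed, length):
    """P_SHA256 expansion from RFC 5246 section 5: chained HMACs until enough output."""
    out = b""
    a = seed                                               # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()   # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master, client_random, server_random):
    """master_secret = PRF(pre_master, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return p_sha256(pre_master, b"master secret" + client_random + server_random, 48)


def key_block(master, client_random, server_random):
    """key_block = PRF(master_secret, "key expansion", ServerHello.random + ClientHello.random),
    split in the RFC 5246 section 6.3 order into MAC keys, encryption keys and IVs."""
    need = 2 * (MAC_KEY_LEN + ENC_KEY_LEN + IV_LEN)
    block = p_sha256(master, b"key expansion" + server_random + client_random, need)
    names = ["client_write_mac_key", "server_write_mac_key",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [MAC_KEY_LEN, MAC_KEY_LEN, ENC_KEY_LEN, ENC_KEY_LEN, IV_LEN, IV_LEN]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


if __name__ == "__main__":
    # Constructed, fixed inputs so the run is reproducible.
    client_random = make_random(now=1700000000, rand28=bytes(range(28)))
    server_random = make_random(now=1700000001, rand28=bytes(range(28, 56)))
    pre_master = b"\x03\x03" + bytes(46)   # RSA pre-master: version bytes + 46 "random" bytes (constructed)
    ms = master_secret(pre_master, client_random, server_random)
    print("master secret:", ms.hex())
    for name, value in key_block(ms, client_random, server_random).items():
        print(f"{name:22s} {value.hex()}")
```

Note that swapping the two randoms changes every derived key: both sides must contribute fresh randomness, which is what ties the session keys to this particular handshake and defeats replay of an old key exchange.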


Initialization Vector Purpose

The fourth phase of the SSL protocol handshake

Session resumption phase

(2) SSL record protocol

The record protocol fragments data into blocks, compresses and decompresses it, encrypts and decrypts it, verifies integrity, and encapsulates it for transmission

An SSL record carries:

  • Content type
  • Protocol version number
  • Data length
  • Data payload
  • Message authentication code (MAC) computed with the negotiated hash algorithm
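A minimal model of the record layer, added here as an example rather than taken from the post: it builds records with the five fields listed above, verifies the MAC on the way in, and splits a TCP byte stream back into records. Compression and encryption are left out; the HMAC-SHA256 MAC, the sequence number in the MAC input, and the constructed key are assumptions.

```python
import hashlib
import hmac
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSION = (3, 3)          # TLS 1.2 on the wire
MAC_LEN = 32              # HMAC-SHA256 tag
MAX_FRAGMENT = 2 ** 14    # record protocol fragment limit before MAC and padding


def _mac(mac_key, seq, ctype, payload):
    # The MAC covers the sequence number and the header fields, so a record cannot be
    # replayed, reordered, or relabelled as another content type without detection.
    hdr = struct.pack(">QBBBH", seq, ctype, VERSION[0], VERSION[1], len(payload))
    return hmac.new(mac_key, hdr + payload, hashlib.sha256).digest()


def seal_record(ctype, payload, mac_key, seq):
    """Encapsulate one plaintext fragment: 5-byte header + payload + MAC."""
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type")
    if len(payload) > MAX_FRAGMENT:
        raise ValueError("fragment too large; split before sealing")
    body = payload + _mac(mac_key, seq, ctype, payload)
    header = struct.pack(">BBBH", ctype, VERSION[0], VERSION[1], len(body))
    return header + body


def open_record(record, mac_key, seq):
    """Parse and verify one record; returns (content type name, payload) or raises ValueError."""
    if len(record) < 5:
        raise ValueError("truncated header")
    ctype, vmaj, vmin, length = struct.unpack(">BBBH", record[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type")
    if (vmaj, vmin) != VERSION:
        raise ValueError("unsupported protocol version")
    body = record[5:5 + length]
    if len(body) != length or length < MAC_LEN:
        raise ValueError("truncated body")
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    # Constant-time comparison so the check does not leak how many MAC bytes matched.
    if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, payload)):
        raise ValueError("MAC verification failed")
    return CONTENT_TYPES[ctype], payload


def split_stream(stream):
    """Split a byte stream into complete records; the unread remainder is returned for the next read."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        length = struct.unpack(">H", stream[pos + 3:pos + 5])[0]
        if pos + 5 + length > len(stream):
            break
        records.append(stream[pos:pos + 5 + length])
        pos += 5 + length
    return records, stream[pos:]


if __name__ == "__main__":
    key = bytes(range(32))   # constructed MAC key; real keys come from the handshake key block
    stream = seal_record(22, b"\x01\x00\x00\x04\x03\x03\x00\x00", key, 0) + seal_record(23, b"hello", key, 1)
    records, rest = split_stream(stream)
    for seq, rec in enumerate(records):
        print(open_record(rec, key, seq))
```

The length field must be validated before the body is sliced: a record that claims more bytes than arrived is held back rather than partially processed, and a body shorter than the MAC is rejected outright.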

(3) Comparison between SSL and IPsec


Differences:

  • IPsec is a protocol family at the network layer that protects IP communication; it is centered on the network layer
  • SSL is a protocol at the socket layer that protects HTTP communication; it is centered on the application layer

Advantages of SSL VPNs

(4) SSL VPN implementation

[1] Virtual Gateway

Each SSL VPN virtual gateway is managed independently: its resources, users, authentication methods, access control and administrators are configured separately and isolated from those of the other virtual gateways.

[2] Web proxy

Implementation process

Implementation methods

  • Web-link: an ActiveX control requests the page
  • Web rewriting: the links in the requested page are rewritten and the rest of the content is left unchanged

ActiveX is Microsoft's name for a set of strategic object-oriented programming technologies and tools, the core of which is the Component Object Model (COM). In networks with directory and other support, COM becomes Distributed COM (DCOM).

Result (access to intranet web resources)

  • Intranet web resources have only private addresses; without NAT, they can be reached securely through the SSL VPN proxy
  • Intranet web resources have only private addresses; with NAT, public users can reach them, but the web resources themselves do not use a secure transport protocol, so the SSL VPN is what provides secure HTTPS access to them
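How the Web rewriting method works, as an added example that is not the gateway's own code: the rewriter resolves each link against the page's URL and redirects links to configured intranet hosts through a hypothetical gateway prefix, leaving every other byte of the page unchanged. The gateway prefix, the sample page and the intranet host list are constructed for the run.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical gateway prefix; a rewritten link has the form
# https://vpn.example.test/web/<scheme>/<host[:port]>/<path>
GATEWAY = "https://vpn.example.test/web"

# Attribute/value pairs that carry navigable URLs in plain HTML.
LINK_RE = re.compile(r'''(?P<attr>\b(?:href|src|action))=(?P<q>["'])(?P<url>[^"']*)(?P=q)''', re.IGNORECASE)


def to_gateway_url(url, base_url, intranet_hosts):
    """Map one link to its gateway form, or return it unchanged.

    Relative links are first resolved against the page's own URL. Only links whose
    host is a configured intranet resource are sent through the gateway; Internet
    links and non-HTTP schemes (mailto:, javascript:, data:) are left as they are,
    so the gateway does not turn into an open proxy for arbitrary destinations.
    """
    absolute = urljoin(base_url, url)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https") or parts.hostname not in intranet_hosts:
        return url
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.fragment:
        path += "#" + parts.fragment
    return f"{GATEWAY}/{parts.scheme}/{parts.netloc}{path}"


def rewrite_page(html, base_url, intranet_hosts):
    """Rewrite link attributes in an HTML page and leave all other content unchanged."""
    def repl(m):
        new = to_gateway_url(m.group("url"), base_url, intranet_hosts)
        return f'{m.group("attr")}={m.group("q")}{new}{m.group("q")}'
    return LINK_RE.sub(repl, html)


if __name__ == "__main__":
    # Constructed intranet page fetched by the gateway on the user's behalf.
    page = ('<a href="/docs/index.html">Docs</a> '
            '<img src="http://oa.corp.internal:8080/logo.png"> '
            '<a href="https://www.example.org/">External</a> '
            '<a href="mailto:it@corp.internal">Mail</a>')
    print(rewrite_page(page, "http://oa.corp.internal:8080/home/", {"oa.corp.internal"}))
```

A production rewriter also has to handle CSS url() references, URLs assembled in JavaScript, and Location and Set-Cookie headers; the attribute regex above covers only static HTML, which is why the Web-link (ActiveX) method exists alongside rewriting.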

[3] File Sharing

Implementation process

Principle

  • Protocol conversion: no client is needed; the intranet file-sharing protocol is converted so that shares are accessed directly from a browser, with the help of ActiveX controls.

Supported protocols

  • SMB (Windows)
  • NFS (Linux)

[4] Port forwarding

Implementation process

Principle: an ActiveX control is installed on the terminal; in essence it performs a NAT-style address and port translation

Provides access to intranet TCP resources (client/server applications)

  • TCP applications with static ports, in many variants:

Single port, single service: telnet, SSH, MS, RDP, VNC
Single port, multiple services: Notes
Multiple ports, multiple services: Outlook

  • TCP applications with dynamic ports
  • Port-level access control

The browser automatically installs and runs an ActiveX control, which fetches the port forwarding resource list (destination server IP and port) configured on the management side. The control then works as follows:

  • It compares every TCP packet the client initiates with the resource list.
  • When a packet's destination IP/port matches an entry, the control intercepts it, opens a listening port (chosen by a control-specific algorithm), rewrites the destination address to a loopback address, and forwards the packet to the listening port.
  • The packet is encrypted and encapsulated with a private header, its destination is set to the IP address of the USG, and it is sent to the USG through the listening port.
  • The USG decrypts the packet and sends it to the real destination server port.
  • When the server responds, the USG encrypts and encapsulates the response and sends it back to the listening port on the user terminal.
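The interception and encapsulation steps above, modelled in Python as an added example that is not the control's or the USG's real code. The private header layout, the listening-port algorithm and the gateway-side authorization check are assumptions; the encryption step belongs to the SSL session and is not modelled. What the model shows is that the gateway must re-check the destination against its own table rather than trust whatever the client control sends.

```python
import hashlib
import ipaddress
import struct

MAGIC = b"PFWD"                     # constructed tag for the private header in this model
HEADER = struct.Struct(">4s4sHH")   # magic, destination IPv4, destination port, payload length


def resource_set(resource_list):
    """Normalise [(ip, port), ...] into a set usable by both the control and the gateway."""
    return {(ipaddress.IPv4Address(ip), int(port)) for ip, port in resource_list}


class ForwardingControl:
    """Client-side control: holds the resource list fetched from the gateway and decides
    which outgoing TCP connections are intercepted."""

    def __init__(self, resource_list, gateway_ip):
        self.resources = resource_set(resource_list)
        self.gateway_ip = ipaddress.IPv4Address(gateway_ip)   # outer destination of encapsulated packets
        self.listeners = {}   # (dst_ip, dst_port) -> local listening port

    @staticmethod
    def listen_port_for(dst_ip, dst_port):
        # Assumption: the real control's port algorithm is not documented here; hashing the
        # destination into the dynamic port range gives a stable stand-in for the demonstration.
        digest = hashlib.sha256(f"{dst_ip}:{dst_port}".encode()).digest()
        return 49152 + int.from_bytes(digest[:2], "big") % (65535 - 49152 + 1)

    def intercept(self, dst_ip, dst_port):
        """Return the loopback (ip, port) the connection is redirected to, or None when the
        destination is not a configured resource and the packet leaves the host untouched."""
        key = (ipaddress.IPv4Address(dst_ip), int(dst_port))
        if key not in self.resources:
            return None
        port = self.listeners.setdefault(key, self.listen_port_for(*key))
        return ("127.0.0.1", port)

    def encapsulate(self, dst_ip, dst_port, payload):
        """Prepend the private header that tells the gateway where the payload really goes."""
        if len(payload) > 0xFFFF:
            raise ValueError("payload too large for a single encapsulated packet")
        dst = ipaddress.IPv4Address(dst_ip)
        return HEADER.pack(MAGIC, dst.packed, int(dst_port), len(payload)) + payload


def gateway_decapsulate(packet, authorized):
    """Gateway (USG) side: strip the private header and re-check the destination against the
    gateway's own authorization table before forwarding to the real server."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    magic, dst_raw, dst_port, length = HEADER.unpack(packet[:HEADER.size])
    if magic != MAGIC:
        raise ValueError("not a port-forwarding packet")
    payload = packet[HEADER.size:]
    if len(payload) != length:
        raise ValueError("length mismatch")
    dst_ip = ipaddress.IPv4Address(dst_raw)
    if (dst_ip, dst_port) not in authorized:
        raise PermissionError(f"{dst_ip}:{dst_port} is not an authorized resource")
    return str(dst_ip), dst_port, payload


if __name__ == "__main__":
    resources = [("10.1.1.5", 22), ("10.1.1.20", 3389)]   # constructed resource list
    control = ForwardingControl(resources, "203.0.113.10")
    print("ssh  ->", control.intercept("10.1.1.5", 22))
    print("http ->", control.intercept("10.1.1.5", 80))
    packet = control.encapsulate("10.1.1.5", 22, b"SSH-2.0-client\r\n")
    print(gateway_decapsulate(packet, resource_set(resources)))
```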

Features

[5] Network extension

Implementation process

Access modes

Three types of traffic: to the peer intranet; to the Internet; to the local LAN

  • Full routing mode: all three types of traffic go through the tunnel, so the terminal cannot reach the Internet or the local LAN directly; both are reachable only through the tunnel
  • Separation mode: traffic to the peer intranet goes through the tunnel, local LAN traffic goes through the physical network card, and Internet traffic is not forwarded at all; the terminal can reach the peer intranet and the local LAN, but not the Internet
  • Manual mode: traffic to the peer intranet goes through the tunnel, while local LAN traffic and Internet traffic go through the physical network card; everything is reachable, and Internet traffic leaves through the local network
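The three access modes as a routing decision, added here as an example rather than taken from the post: each destination is classified as peer intranet, local LAN or Internet, and the mode decides whether it leaves through the tunnel, through the physical network card, or not at all. The address ranges used in the run are constructed.

```python
import ipaddress
from enum import Enum


class Mode(Enum):
    FULL_ROUTING = "full_routing"
    SEPARATION = "separation"
    MANUAL = "manual"


TUNNEL, NIC, BLOCKED = "tunnel", "physical_nic", "not_forwarded"

# Egress per (mode, traffic class), following the three mode descriptions.
POLICY = {
    Mode.FULL_ROUTING: {"peer_intranet": TUNNEL, "local_lan": TUNNEL, "internet": TUNNEL},
    Mode.SEPARATION:   {"peer_intranet": TUNNEL, "local_lan": NIC,    "internet": BLOCKED},
    Mode.MANUAL:       {"peer_intranet": TUNNEL, "local_lan": NIC,    "internet": NIC},
}


class NetworkExtension:
    def __init__(self, mode, peer_intranet, local_lan):
        self.mode = mode
        self.peer = [ipaddress.ip_network(n) for n in peer_intranet]
        self.lan = [ipaddress.ip_network(n) for n in local_lan]

    def classify(self, dst):
        """Peer intranet prefixes win over local LAN prefixes if the two overlap."""
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in self.peer):
            return "peer_intranet"
        if any(ip in net for net in self.lan):
            return "local_lan"
        return "internet"

    def egress(self, dst):
        """Where a packet to dst leaves the terminal under the current mode."""
        kind = self.classify(dst)
        return kind, POLICY[self.mode][kind]

    def routes(self):
        """Routing entries the client would install: (prefix, interface), most specific first.
        The default route carries the Internet decision, so in separation mode it is a blackhole."""
        policy = POLICY[self.mode]
        table = [(str(n), policy["peer_intranet"]) for n in self.peer]
        table += [(str(n), policy["local_lan"]) for n in self.lan]
        table.append(("0.0.0.0/0", policy["internet"]))
        return table


if __name__ == "__main__":
    peer, lan = ["10.0.0.0/8"], ["192.168.1.0/24"]   # constructed ranges
    for mode in Mode:
        ext = NetworkExtension(mode, peer, lan)
        print(mode.value, ext.routes())
        for dst in ("10.2.3.4", "192.168.1.10", "198.51.100.7"):
            print("  ", dst, "->", ext.egress(dst))
```

Separation mode is the one a defender usually wants for a managed terminal: with the default route blackholed, a compromised client cannot bridge the corporate tunnel to the Internet while the session is up.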

(5) Terminal security required by SSL VPN

Terminal security means deploying a piece of software on the host that requests access to the intranet and using it to check the terminal's security state; it covers host check, cache clearing, and authentication and authorization.

[1] Host check

  • Antivirus check
  • Firewall settings check
  • Registry check
  • Port check
  • Process check
  • OS check

[2] Cache clearing

  • Temporary Internet files
  • Passwords saved automatically by the browser
  • Cookie records
  • Browser access history
  • Recycle bin and recently opened files
  • A specified file or folder

[3] Authentication and authorization

  • Authentication and authorization against the local vpndb
  • Authentication and authorization through a third-party service
  • Authentication with digital certificates
  • SMS-assisted authentication

SSL VPN Function Summary


Origin blog.csdn.net/weixin_62443409/article/details/131402905