Attachment: Wireless Project Introduction
SSL VPN
Any device with a browser supports SSL and can therefore use an SSL VPN. Because no dedicated client software has to be installed or maintained, SSL VPN is also called a clientless VPN. SSL VPN is particularly advantageous in the client-to-LAN (remote access) scenario.
Actual implementation (built on top of TCP)
(1) SSL protocol handshake implementation
Handshake phase
First phase of the SSL handshake
The client first sends a Client Hello message to the server; after receiving it, the server replies with a Server Hello message. Both messages carry:
- Random number: a 32-bit timestamp plus a 28-byte random sequence, used as input to the handshake digests and to the derivation of the pre-master/master key parameters
- Session ID: a one-time session identifier, used to prevent replay attacks
Second phase of the SSL handshake
- Server certificate: a certificate containing the server's public key, which the client uses to encrypt the information it sends to the server
- Server key exchange: determines the key exchange method (for example DH or RSA) and carries the parameters required for that exchange
Third phase of the SSL handshake
- Client key exchange: the client computes a pre-master key from the server's random number and sends it to the server; after receiving it, the server derives the master key from the pre-master key
Attachment: The relationship between the pre-master key and the master key
Purpose of the initialization vector
Fourth phase of the SSL handshake
Session resumption phase
(2) SSL record protocol
The record protocol is responsible for splitting data into blocks, encryption and decryption, compression and decompression, integrity verification, and encapsulation.
Each SSL record carries the following fields:
- Content type
- Protocol version number
- Data length
- Data payload
- Message authentication code (MAC) computed with the negotiated hash algorithm
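The record layout above, as an added example that is not part of the original notes: a minimal encapsulate/parse pair for a record made of a 5-byte header (content type, version, length), the payload and a trailing MAC. The MAC key, the use of HMAC-SHA256 and the 8-byte sequence number in the MAC input are assumptions chosen to mirror the SSL/TLS record MAC convention; the block verifies the MAC in constant time and rejects truncated, tampered or replayed records.

```python
import hashlib
import hmac
import struct

# Constructed MAC key for the demonstration (not from the notes).
MAC_KEY = b"constructed-mac-key-for-demo"
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def compute_mac(key, seq_num, content_type, version, payload):
    """MAC input: seq_num(8) || type(1) || version(2) || payload length(2) || payload.
    Binding the sequence number makes a replayed record fail verification."""
    hdr = struct.pack("!QBHH", seq_num, content_type, version, len(payload))
    return hmac.new(key, hdr + payload, hashlib.sha256).digest()


def build_record(key, seq_num, content_type, version, payload):
    """Encapsulate: 5-byte record header, then payload, then the MAC."""
    mac = compute_mac(key, seq_num, content_type, version, payload)
    body = payload + mac
    return struct.pack("!BHH", content_type, version, len(body)) + body


def parse_record(key, seq_num, data):
    """Parse one record and verify its MAC; raise ValueError on any defect."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if content_type not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % content_type)
    body = data[5:5 + length]
    if len(body) != length or length < MAC_LEN:
        raise ValueError("length field inconsistent with data")
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = compute_mac(key, seq_num, content_type, version, payload)
    # constant-time comparison so the MAC check does not leak via timing
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC verification failed")
    return {"type": CONTENT_TYPES[content_type], "version": version,
            "length": length, "payload": payload}


if __name__ == "__main__":
    rec = build_record(MAC_KEY, 0, 23, 0x0303, b"GET / HTTP/1.1\r\n")
    print(parse_record(MAC_KEY, 0, rec))
```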
(3) Comparison between SSL and IPSEC
Differences:
- IPsec is a protocol suite working at the network layer to protect IP communication; it is network-layer centric
- SSL is a protocol that protects HTTP communication at the socket layer; it is application-layer centric
Advantages of SSL VPN
(4) SSL VPN implementation
[1] Virtual Gateway
Each virtual gateway of the SSL VPN can be managed independently: its resources, users, authentication methods, access control rules and administrators are configured separately and isolated from those of other virtual gateways.
[2] Web proxy
Implementation process
Implementation methods
- Web-link: an ActiveX control is used to request the page
- Web rewrite: the links in the requested page are rewritten and all other content is left unchanged
ActiveX is Microsoft's name for a set of object-oriented programming technologies and tools whose core technology is the Component Object Model (COM). In networks with directory and other support, COM becomes Distributed COM (DCOM).
Result (access to intranet web resources)
- Intranet web resources have only private network addresses; without NAT, secure access to them can be achieved through the SSL VPN's proxy
- Intranet web resources have only private network addresses; with NAT, public network users can reach them, but the web resources themselves do not use a secure transport protocol. The SSL VPN provides secure access over HTTPS
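The web-rewrite method described above, as an added example that is not code from the original notes or from any vendor's gateway: only absolute links to known intranet hosts are rewritten to a path under the gateway, so Internet links stay untouched and relative links keep working because the proxied path preserves the original path. The gateway address, the `/proxy/<scheme>/<host>/` path scheme and the intranet host list are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed gateway address and intranet host list (constructed, not from the notes).
GATEWAY = "https://sslvpn.example.com"
INTRANET_HOSTS = {"oa.corp.local", "wiki.corp.local", "10.1.1.20"}

# Matches href/src/action attributes with a quoted value.
_LINK_RE = re.compile(
    r'''(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>[^"']*)(?P=q)''',
    re.IGNORECASE)


def proxied_url(url):
    """Map http(s)://intranet-host/path to GATEWAY/proxy/<scheme>/<host>/path.
    Internet URLs and relative links are returned unchanged: the intranet host
    is never exposed, and relative links resolve against the proxied path."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in INTRANET_HOSTS:
        return url
    path = parts.path or "/"
    new = "%s/proxy/%s/%s%s" % (GATEWAY, parts.scheme, parts.netloc, path)
    if parts.query:
        new += "?" + parts.query
    return new


def rewrite_page(html):
    """Rewrite the link attributes of a page and leave every other byte intact."""
    def repl(m):
        return m.group("attr") + m.group("q") + proxied_url(m.group("url")) + m.group("q")
    return _LINK_RE.sub(repl, html)


if __name__ == "__main__":
    # Constructed sample page fetched from an intranet server.
    page = ('<a href="http://wiki.corp.local/doc?id=7">docs</a>'
            '<img src="/logo.png"><a href="https://www.example.org/">out</a>')
    print(rewrite_page(page))
```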
[3] File Sharing
Implementation process
Implementation principle
- Protocol conversion: no client is required; the intranet file-sharing protocol is accessed directly through the browser, using an ActiveX control
Supported protocols
- SMB (Windows)
- NFS (Linux)
[4] Port forwarding
Implementation process
Implementation principle: an ActiveX control is installed; in essence the process is NAT
Provides access to intranet TCP resources (C/S applications)
- TCP applications with static ports (the common case)
  - Single port, single service: telnet, SSH, MS, RDP, VNC
  - Single port, multiple services: Notes
  - Multiple ports, multiple services: Outlook
- TCP applications with dynamic ports
- Provides port-level access control
An ActiveX control is automatically installed and run; it obtains the port forwarding resource list (destination server IP and port) configured on the management side. The control compares each TCP packet initiated by the client against the resource list. When the packet's destination IP/port matches an entry in the list, it intercepts the packet, opens a listening port (the listening port number is obtained through a specific algorithm), rewrites the destination address to a loopback address, and forwards the packet to the listening port. The packet is then encrypted and encapsulated, a private header is added, the destination address is set to the IP address of the USG, and it is sent to the USG through the listening port. The USG decrypts the received packet and sends it to the real destination server port. After receiving the server's response, the USG encrypts and encapsulates it and sends it back to the listening port on the user terminal.
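The client-side interception and the private header described above, as an added example that is not the vendor's code: the control-side check matches a connection's destination against the configured resource list and returns the loopback redirect, and the encapsulate/decapsulate pair carries the real destination in a private header that the gateway side parses. The resource list, the loopback port allocation (a fixed base plus the resource index, since the notes do not give the real algorithm) and the header layout are assumptions constructed for the example; encryption of the body is left to the tunnel layer and not shown.

```python
import ipaddress
import struct

# Constructed resource list "configured on the management side": (server IP, TCP port).
RESOURCE_LIST = [("10.1.1.20", 22), ("10.1.1.21", 3389), ("10.1.1.21", 23)]
LOOPBACK = "127.0.0.1"
LISTEN_BASE = 20000  # assumed: the real listening-port algorithm is not given


def listen_port_for(index):
    """Assumed mapping from resource-list index to the local listening port."""
    return LISTEN_BASE + index


def intercept(dst_ip, dst_port):
    """Control side: if the client's TCP destination matches a resource entry,
    return the rewritten (loopback address, listening port); otherwise None,
    meaning the packet is not tunnelled and is left alone."""
    target = ipaddress.ip_address(dst_ip)
    for i, (ip, port) in enumerate(RESOURCE_LIST):
        if target == ipaddress.ip_address(ip) and dst_port == port:
            return (LOOPBACK, listen_port_for(i))
    return None


def encapsulate(dst_ip, dst_port, payload):
    """Prepend the private header: real destination IPv4 (4 bytes), port (2),
    payload length (2). Encryption is assumed to be applied afterwards."""
    packed_ip = ipaddress.IPv4Address(dst_ip).packed
    return struct.pack("!4sHH", packed_ip, dst_port, len(payload)) + payload


def decapsulate(msg):
    """Gateway (USG) side: recover the real destination and payload, rejecting
    a header whose length field does not match the data actually received."""
    if len(msg) < 8:
        raise ValueError("truncated private header")
    raw_ip, port, length = struct.unpack("!4sHH", msg[:8])
    payload = msg[8:8 + length]
    if len(payload) != length:
        raise ValueError("payload length mismatch")
    return str(ipaddress.IPv4Address(raw_ip)), port, payload


if __name__ == "__main__":
    print(intercept("10.1.1.21", 3389))   # redirected to loopback
    print(intercept("10.1.1.21", 80))     # not in the list: None
    msg = encapsulate("10.1.1.21", 3389, b"\x03\x00\x00\x13")
    print(decapsulate(msg))
```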
Features
[5] Network extension
Implementation process
Access modes
Three types of traffic: to the peer intranet; to the Internet; to the local LAN
- Full routing mode: all three kinds of traffic go through the tunnel. The local LAN and the Internet cannot be accessed directly, only via the tunnel.
- Split mode: traffic to the peer intranet goes through the tunnel, local LAN traffic goes through the physical network card, and Internet traffic is not allowed. That is, the peer intranet and the local LAN are reachable and the Internet is not.
- Manual mode: traffic to the peer intranet goes through the tunnel, while local LAN traffic and Internet traffic go through the physical network card. All three are reachable, with the Internet accessed locally.
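The three access modes, as an added example that is not part of the original notes: it builds the client routing table each mode would install and resolves a destination by longest-prefix match. The peer intranet prefixes, local LAN prefix and gateway address are constructed assumptions; the host route to the gateway over the physical NIC is added in every mode because the tunnel's own outer packets must still reach the gateway, which a bare "default route into the tunnel" would otherwise black-hole.

```python
import ipaddress

# Constructed addressing for this example (not from the notes).
PEER_INTRANET = ["10.0.0.0/8", "172.16.0.0/12"]  # reached through the tunnel
LOCAL_LAN = ["192.168.1.0/24"]                    # the remote user's own LAN
GATEWAY_IP = "203.0.113.10"                       # assumed SSL VPN gateway address
TUNNEL, NIC, BLOCK = "tunnel", "physical_nic", "blocked"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def client_routes(mode):
    """Routing entries (prefix, egress) the client installs for a given mode."""
    routes = [(ipaddress.ip_network(p), TUNNEL) for p in PEER_INTRANET]
    # Outer tunnel packets go to the gateway over the physical NIC in every mode.
    routes.append((ipaddress.ip_network(GATEWAY_IP + "/32"), NIC))
    if mode == "full_routing":   # everything else also enters the tunnel
        routes.append((DEFAULT, TUNNEL))
    elif mode == "split":        # local LAN direct, Internet not reachable
        routes += [(ipaddress.ip_network(p), NIC) for p in LOCAL_LAN]
        routes.append((DEFAULT, BLOCK))
    elif mode == "manual":       # local LAN and Internet both go out directly
        routes += [(ipaddress.ip_network(p), NIC) for p in LOCAL_LAN]
        routes.append((DEFAULT, NIC))
    else:
        raise ValueError("unknown access mode %r" % mode)
    return routes


def route(mode, dst):
    """Resolve a destination with longest-prefix match over the mode's routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, egress in client_routes(mode):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1]


if __name__ == "__main__":
    for mode in ("full_routing", "split", "manual"):
        for dst in ("10.2.3.4", "192.168.1.5", "198.51.100.7", GATEWAY_IP):
            print(mode, dst, route(mode, dst))
```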
(5) Terminal security required by SSL VPN
Terminal security means deploying software on the host that requests intranet access and using it to check the security state of that terminal. It covers host checking, cache clearing, and authentication and authorization.
[1] Host check
- Antivirus check
- Firewall settings check
- Registry check
- Port check
- Process check
- OS check
[2] Cache clearing
- Temporary Internet files
- Passwords saved automatically by the browser
- Cookies
- Browser history
- Recycle bin and recently opened files
- Specified files or folders
[3] Authentication and authorization
- Authentication and authorization via vpndb
- Authentication and authorization via a third-party service
- Authentication with digital certificates
- SMS-assisted authentication