Psg Sslvpn Smallbusiness


  • 7/27/2019 Psg Sslvpn Smallbusiness

    1/10

SSL VPNs for Small Business

Product Solution Guide

    ZyXEL North America

    Tel: 714.632.0882

    Fax: 714.632.0858

    Email: [email protected]

    http://www.us.zyxel.com

    Copyright 2008 ZyXEL Communications. ZyXEL is a trademark of ZyXEL Communications, Co. Reproduction in whole or part without permission is prohibited.

    All other trademarks are the property of their respective owners.

    0812v100PSG-SSL-VPN


Contents

What is a SSL VPN? ............................................ 4
Why use SSL over a traditional VPN technology? ................ 4
Typical SSL Users ............................................. 5
Drawbacks of SSL VPNs ......................................... 5
Introducing SecuExtender ...................................... 6
Typical Scenarios ............................................. 7
Example: ZyWALL Gateway ....................................... 9
    Configuration ............................................. 9
Example: Existing Gateway .................................... 15
    Configuration of ZyWALL SSL 10 ........................... 15


What is a SSL VPN?

SSL VPNs (Secure Socket Layer Virtual Private Networks) provide access to a company's network resources to individuals who are not on the corporate network. An encrypted connection is made between the user's PC and the corporate network over a standard Internet connection. SSL VPNs differ from traditional VPN technology in that no VPN client software needs to be installed or configured on the remote computer in advance; the user connects with an ordinary web browser.

Why use SSL instead of traditional VPN technology?

Most traditional VPNs use IPSec (Internet Protocol Security) to create the secure tunnel from the remote user to the company network, although some use PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol). One of the biggest challenges of traditional VPNs is the time and effort required to install and configure the VPN client software on each device that needs remote access. Software must be installed and configured on every device that will connect back to the network, and configuring a VPN client usually has to be done by trained IT staff rather than by the end user. In addition, the VPN aggregator on the company network needs to be configured for each device that will connect to it.

The drawbacks of this method are as follows:

- A license must be procured for each device that needs to connect to the company network remotely. This is costly, and for businesses the management of these licenses can become quite a chore.
- IT resources must be used to install and configure the software for each device.
- Users need to know in advance that they need remote access to the network and which device they will use for the access.
- These VPN tunnels are based on the IP address, providing limited opportunity to control individual access to network resources.

The use of SSL VPN tunnels overcomes all of these issues. No additional software is required for access to the company VPN, and generally there is no need for any configuration changes; all remote users need is a web browser and the web address (URL) for VPN access. (For full network extension, the SecuExtender Java applet described below is loaded by the browser at sign-in, but nothing has to be installed or configured beforehand.) The ZyXEL solution, unlike many of its competitors, is based on Java (not ActiveX), ensuring the broadest range of device and operating system compatibility. Since applications and network shares are accessed via the web interface, it is very easy to set up user- or group-based access to resources, as well as to configure various security checks based on the user or group accessing the network. The SSL appliance can be linked to the existing user authentication system (Active Directory, RADIUS, LDAP) to allow the use of the usernames and groups already created on the company LAN.


Typical SSL Users

- Users wanting to access files to work at home
- Outside sales team wanting to access the inventory or order system, or check for the latest price lists
- Contractors wanting to easily share files with company employees
- Business partners requiring better communications

Drawbacks of SSL VPNs

SSL does have a few drawbacks. One of the biggest is that a browser-only SSL VPN limits access to corporate resources that can be shared over a web browser. This restricts users to uploading/downloading files from network shares and to web-based applications such as webmail, the company Intranet site, inventory systems, etc.

The other big drawback is security. The SSL encryption itself is very safe; it is the same technology that protects millions of online credit card transactions every day. The issue is exposure: unlike traditional IPSec (and similar) VPNs, no special client software is required, so any web-capable device on the Internet can reach the login page. The barrier for someone looking to hack into the network is reduced to guessing or stealing a username and password.

Thankfully, ZyXEL has solutions to both of those problems.

Introducing SecuExtender

SecuExtender is designed to provide traditional VPN functionality without the traditional VPN hassles. With ZyXEL's SecuExtender technology, the user can send and receive just about any type of IP-based traffic over the SSL VPN, not only web applications and file shares. The user simply signs in to the SSL VPN and downloads a small Java applet. No configuration by the end user is necessary.

Security by Token

To help increase security on the SSL VPN, ZyXEL recommends the use of a One Time Password (OTP) token, such as ZyXEL's ZyWALL OTP. This dramatically reduces the chances of the SSL VPN being forcibly hacked or accessed with stolen credentials. It does this by providing an additional field that must be entered when users want to access the SSL VPN. In addition to providing a username and password, they must also input a 6-digit PIN. The PIN is generated by a small battery-operated token (which has a life of up to 3 years) that is provided to any user wanting to access the SSL VPN. This PIN is constantly changing, so a guessed or captured PIN is only useful during the short interval before the next one is generated, which makes brute-force guessing impractical. It also reduces the risk of someone stealing network credentials and logging onto the network, because the attacker must not only know the valid username and password but must also have physical possession of the token.


Typical Scenarios

Jan goes home after work, and that night while watching TV she gets inspired for a new marketing promotion. She rushes to her personal computer, logs into the company network, types up a short treatment and saves it to the shared drive at work.

Steve is on vacation in Hawaii and gets an urgent call from the office. They are about to close a very big deal and need Steve to review the contract before they sign it. Steve left his laptop at home to help him relax, but this is important. No problem: Steve is able to go to the nearby Internet café and pull up the document over the SSL VPN connection.

Mike is an outside sales rep. He spends his time on the road, but needs access to the company's web-based inventory and order system, as well as access to .pdf copies of promotional material that he can have printed out at Kinkos.

Application Diagrams

Diagram 1 (existing gateway): remote users (an employee on a home computer, an employee laptop in an airport kiosk or hotel, an authorized partner, an authorized customer) connect over the Internet to a ZyWALL UTM or third-party firewall on the WAN. The still-encrypted traffic is forwarded to a ZyWALL SSL 10 in the firewall DMZ zone, decrypted there, and passed via the LAN to the internal resources: email server, file share, web-based application, remote desktop, BI system, OA/ERP system, CRM system, application server (inventory, store, etc.) and Network Extend for full IP access.

Diagram 2 (ZyWALL gateway): the same remote users connect over the Internet directly to the WAN of a ZyWALL (ZyWALL 5 or ZyWALL USG series). The SSL VPN is decrypted on the ZyWALL itself and the LAN zone holds the same resources.

Diagram 3 (two-factor authentication): the remote user enters a username, password and the PIN code displayed on the ZyWALL OTP (One-Time Password) token (the diagram uses the sample values justin / zyxel / 130201). The ZyWALL USG checks the username and password against its local database or an external database (Active Directory, RADIUS) and the PIN against the ZyWALL OTP system, and then applies the policy of the user's group (Group1 in the diagram).


Example: ZyWALL Gateway
Configuring a SSL VPN with a ZyWALL Firewall Appliance

Device: ZyWALL USG Series or ZyWALL 1050
OS: Windows XP / 2000 / 2003
Java: 1.6 or higher
Note: Windows Vista is not currently supported.

Configuration:

1. Create a user that can access the SSL VPN. Go to Object > User/Group.
2. Create an IP address pool that will be handed out to the SSL VPN users. Go to Object > Address.
3. Create the web applications and file shares the clients will have access to.
   a. Create a web application. Go to Object > SSL Application and add a new SSL Application. Point the ZyWALL to the internal web site.
   b. Create a file share. Go to Object > SSL Application and add a new SSL Application. Point the ZyWALL to a shared folder on the network.


4. Create the SSL VPN connection. Go to VPN > SSL VPN.
   a. Add the user that was created for the VPN connection.
   b. Select the SSL Applications for the clients to access.
   c. Enable Network Extension and select the IP pool that was created for the VPN.
   d. Select the networks that the SSL VPN will have access to.
5. Allow the clients to reach port 443 of the ZyWALL. Go to Firewall and add a new rule for HTTPS from WAN to ZyWALL. This rule exposes the SSL VPN login page to the whole Internet, which is why the OTP token described under Security by Token is recommended.


6. To log into the SSL VPN, the client points their web browser to HTTPS:// followed by the address of the ZyWALL, enters their username and password, checks the Log into SSL option and clicks Login.

Topology (used by the Existing Gateway example that follows): Internet -> NAT Firewall -> ZyWALL SSL 10 (WAN 192.168.1.33, on the firewall's 192.168.1.x LAN) with a secondary LAN on 192.168.2.x. The diagram shows Computer A and Computer B on the two LANs with the addresses 192.168.2.33, 192.168.1.34 and 192.168.1.35.


Example: Existing Gateway
Configuring an SSL Tunnel using a ZyWALL SSL 10 and a pre-existing firewall device

Configuration of ZyWALL SSL 10

On the NAT firewall:

1. Connect an Ethernet cable from the NAT firewall (LAN or DMZ) to the WAN of the ZyWALL SSL 10.
2. Port forward 443 and 8443* to the WAN IP of the SSL 10 (192.168.1.33).
3. Create firewall exceptions from WAN to (LAN or DMZ):
   a. Source: Any
   b. Destination: WAN IP of the SSL 10 (192.168.1.33)
   c. Port: 443 and 8443
4. Create a static route from the LAN of the NAT firewall to the LAN of the SSL 10:**
   a. Destination IP: starting LAN IP of the SSL 10 (192.168.2.1); with the mask below this covers the SSL 10's LAN network, 192.168.2.0/24
   b. Destination subnet: subnet mask of the LAN of the SSL 10 (255.255.255.0)
   c. Gateway IP: WAN IP of the SSL 10 (192.168.1.33)
   d. Metric: 2

* Port 8443 is for remote management of the SSL 10. Forwarding it is optional; leave it closed unless the appliance really has to be managed from the Internet.
** The static route is used so that Computer A and Computer B can pass data to each other. If there is no secondary LAN behind the SSL 10, or this is not required, do not add the static route.

On the ZyWALL SSL 10:

1. Set a static IP address on the WAN of the ZyWALL SSL 10 that is in the same subnet as the LAN of the firewall. Go to System > WAN.
2. Create a user account. This will be used at the login screen of the ZyWALL SSL 10. Go to User.
3. Create an IP address pool to be handed out to the end users. Go to Object > Remote User.


4. Set up the VPN network the clients are to have access to. Go to Object > VPN Network and enter the subnet of the LAN network of the NAT firewall.
5. Set up a policy to enable the authenticated users to have access to the VPN network. Go to SSL.
   a. Select which user accounts are to have access.
   b. Select which VPN network the authenticated users are to have access to and which IP address pool the users will use.
6. If NAT and the SPI firewall are enabled (System > WAN), you must create an access policy for the users. Go to SSL > Access Control and set up when the clients can have access to the VPN network.
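The firewall-side steps above are easy to get subtly wrong (SSL 10 WAN address outside the firewall LAN, an address pool that overlaps the network it must reach, 8443 forwarded by habit, a static route that points at the wrong gateway). The following pre-flight check is an added example written for this guide, not ZyXEL code: the firewall LAN, SSL 10 addresses and static route are the values from the topology above, while the VPN pool (10.200.0.0/24) and the `check_topology` function with its rules are the author's assumptions for illustration.

```python
"""Pre-flight consistency check for the Existing Gateway topology: a ZyWALL
SSL 10 on the LAN/DMZ side of a NAT firewall. Added example; the rules encode
the firewall steps 1-4 of the guide plus the 8443 caveat."""
import ipaddress


def check_topology(fw_lan, ssl10_wan_ip, ssl10_lan, vpn_pool, forwarded_ports,
                   remote_mgmt=False, static_route=None):
    """Return a list of findings; an empty list means the plan is consistent.

    fw_lan          firewall LAN network, e.g. '192.168.1.0/24'
    ssl10_wan_ip    static WAN address set on the SSL 10 (System > WAN)
    ssl10_lan       SSL 10 secondary LAN network, or None if there is none
    vpn_pool        address pool handed to remote users (Object > Remote User)
    forwarded_ports TCP ports the firewall forwards to ssl10_wan_ip
    remote_mgmt     True if management of the SSL 10 from the Internet is wanted
    static_route    (destination, mask, gateway) planned on the firewall, or None
    """
    findings = []
    fw_lan = ipaddress.ip_network(fw_lan)
    wan_ip = ipaddress.ip_address(ssl10_wan_ip)
    pool = ipaddress.ip_network(vpn_pool)
    ssl_lan = ipaddress.ip_network(ssl10_lan) if ssl10_lan else None

    # Step 1 (SSL 10 side): the WAN address must sit in the firewall's LAN subnet.
    if wan_ip not in fw_lan:
        findings.append(f"SSL 10 WAN {wan_ip} is not inside firewall LAN {fw_lan}")

    # Remote users get pool addresses and are then routed onto the LANs; a pool
    # that overlaps a network it must reach makes those hosts unreachable.
    if pool.overlaps(fw_lan):
        findings.append(f"VPN pool {pool} overlaps firewall LAN {fw_lan}")
    if ssl_lan is not None:
        if ssl_lan.overlaps(fw_lan):
            findings.append(f"SSL 10 LAN {ssl_lan} overlaps firewall LAN {fw_lan}")
        if pool.overlaps(ssl_lan):
            findings.append(f"VPN pool {pool} overlaps SSL 10 LAN {ssl_lan}")

    # Steps 2-3: only 443 is required; 8443 is management and optional. Anything
    # else forwarded to the appliance is exposure the design does not call for.
    ports = set(forwarded_ports)
    if 443 not in ports:
        findings.append("port 443 is not forwarded; remote users cannot reach the SSL 10")
    if 8443 in ports and not remote_mgmt:
        findings.append("port 8443 (remote management) is forwarded but not needed")
    for port in sorted(ports - {443, 8443}):
        findings.append(f"port {port} is forwarded to the SSL 10 but is not part of the design")

    # Step 4: the static route exists only for a secondary LAN, must cover exactly
    # that network, and must use the SSL 10 WAN address as its gateway.
    if ssl_lan is None and static_route is not None:
        findings.append("static route configured but the SSL 10 has no secondary LAN")
    if ssl_lan is not None:
        if static_route is None:
            findings.append(f"no static route for {ssl_lan}; Computer A and B cannot reach each other")
        else:
            dest, mask, gateway = static_route
            routed = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            if routed != ssl_lan:
                findings.append(f"static route covers {routed}, expected {ssl_lan}")
            if ipaddress.ip_address(gateway) != wan_ip:
                findings.append(f"static route gateway {gateway} is not the SSL 10 WAN {wan_ip}")
    return findings


if __name__ == "__main__":
    # Guide values: firewall LAN 192.168.1.0/24, SSL 10 WAN 192.168.1.33, SSL 10
    # LAN 192.168.2.0/24, route 192.168.2.1/255.255.255.0 via 192.168.1.33.
    # The pool 10.200.0.0/24 is an assumption; the guide gives no pool address.
    problems = check_topology("192.168.1.0/24", "192.168.1.33", "192.168.2.0/24",
                              "10.200.0.0/24", [443, 8443], remote_mgmt=False,
                              static_route=("192.168.2.1", "255.255.255.0", "192.168.1.33"))
    for finding in problems:
        print("FINDING:", finding)
```

Run as shown it reports exactly one finding, the unnecessary 8443 forward; drop 8443 from the list (or set `remote_mgmt=True` if Internet-side management is genuinely wanted) and the check passes. The route normalisation with `strict=False` is what lets the guide's "starting LAN IP" of 192.168.2.1 be accepted as the 192.168.2.0/24 network.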
