7/27/2019 Psg Sslvpn Smallbusiness
1/10
SSL VPNs for Small Business
Product Solution Guide
ZyXEL North America
Tel: 714.632.0882
Fax: 714.632.0858
Email: [email protected]
http://www.us.zyxel.com
Copyright 2008 ZyXEL Communications. ZyXEL is a trademark of ZyXEL Communications, Co. Reproduction in whole or part without permission is prohibited.
All other trademarks are the property of their respective owners.
0812v100PSG-SSL-VPN
Contents
What is a SSL VPN? ... 4
Why use SSL over a traditional VPN technology? ... 4
Typical SSL Users ... 5
Drawbacks of SSL VPNs ... 5
Introducing SecuExtender ... 6
Typical Scenarios ... 7
Example: ZyWALL Gateway ... 9
Configuration ... 9
Example: Existing Gateway ... 15
Configuration of ZyWALL SSL 10 ... 15
What is a SSL VPN?
SSL VPNs (Secure Socket Layer Virtual Private Networks) provide access to a company's network resources to individuals who are not on their corporate network. A secure connection is made between their PC and the corporate network over a standard Internet connection. SSL VPNs differ from traditional VPN technology in that no software needs to be installed or configured on the remote computer.
Why use SSL instead of traditional VPN technology?
Most traditional VPNs use IPSec (Internet Protocol Security) to create the secure tunnel to the company network from the remote user, although some traditional VPNs may use PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol). One of the biggest challenges when using traditional VPNs is the time and effort required to install and configure the VPN software on each device that needs remote access. Software needs to be installed and configured on each device that is going to connect back to the network, and configuring a VPN client usually needs to be done by trained IT staff, not by the end user. In addition, the VPN aggregator on the company network needs to be configured for each device that will connect to it.
The drawbacks of this method are as follows:
- A license must be procured for each device that needs to connect to the company network remotely. This is costly, and for businesses the management of these licenses can become quite a chore.
- IT resources must be used to install and configure the software for each device.
- Users need to know in advance that they need remote access to the network and which device they will use for the access.
- These VPN tunnels are IP based, providing limited opportunity to control individual access to network resources.
The use of SSL VPN tunnels overcomes all of these issues. No additional software is required for access to the company VPN and generally there is no need for any configuration changes; all remote users need is a web browser and the web address (URL) for VPN access. The ZyXEL solution, unlike many of its competitors, is based on Java (not Active-X), ensuring the broadest range of device/operating system compatibility. Since applications and network shares are accessed via the web interface, it is very easy to set up user- or group-based access to resources, as well as configure various security checks based on the user or group accessing the network. The SSL appliance can be linked to the existing user authentication system (Active Directory, RADIUS, LDAP) to allow use of the usernames and groups already created on the company LAN.
Introducing SecuExtender
SecuExtender is designed to provide traditional VPN functionality without the traditional VPN hassles. With ZyXEL's SecuExtender technology, the user can send/receive just about any type of IP based traffic over the SSL VPN. Simply sign in to the SSL VPN, and download a small Java applet. No configuration by the end user is necessary.
Typical SSL Users
- Users wanting to access files to work at home
- Outside sales team wanting to access the inventory or order system, or check for latest price lists
- Contractors wanting to easily share files with company employees
- Business partners requiring better communications

Drawbacks of SSL VPNs
SSL does have a few drawbacks. One of the biggest is that the SSL VPN limits access only to corporate resources that can be shared over a web browser. This restricts users to uploading/downloading files from network shares and web-based applications such as webmail, the company Intranet site, inventory systems, etc.
The other big drawback is security. The SSL encryption itself is very safe; this is the same technology that is used to protect millions of online credit card transactions every day. Unlike traditional IPSec (and similar) VPNs, there is no special software required. Any web capable device can access the Intranet, lowering the barriers for those looking to hack into the network.
Thankfully, ZyXEL has solutions to both of those problems.
Security by Token
To help increase security on the SSL VPN, ZyXEL recommends the use of a One Time Password (OTP) token, such as ZyXEL's ZyWALL OTP. This dramatically reduces the chances of the SSL VPN being forcibly hacked, or accessed with stolen credentials. It does this by providing an additional field that must be entered when users want to access the SSL VPN. In addition to needing to provide a username and password, they must also input a 6 digit PIN. The PIN is generated by a small battery operated token (which has a life of up to 3 years) that is provided to any users wanting to access the SSL VPN. This PIN is constantly changing, which hinders any brute force attacks because of the short interval between PINs. It also reduces the risk of someone stealing network credentials and getting onto the network, because they not only need to know the valid username/password, but must also have physical possession of a token.
Typical Scenarios
Jan goes home after work, and that night while watching TV she gets inspired for a new marketing promotion. She rushes to her personal computer, logs into the company network, and types up a short treatment and saves it to the shared drive at work.
Steve is on vacation in Hawaii and gets an urgent call from the office. They are about to close a very big deal and need Steve to review the contract before they sign it. Steve left his laptop at home to help him relax, but this is important. No problem, Steve is able to go to the nearby Internet Café and pull up the document over the SSL VPN connection.
Mike is an outside sales rep. He spends his time on the road, but needs access to the company's web based inventory and order system, as well as access to .pdf copies of promotional material that he can have printed out at Kinkos.

Application Diagrams
[Diagram: ZyWALL SSL 10 placed in the DMZ zone of a ZyWALL UTM or third-party firewall. Remote users (employee on home computer, employee laptop in an airport kiosk or hotel, authorized partner, authorized customer) connect over the Internet; traffic is encrypted on the WAN side and decrypted in the DMZ. LAN resources reached: email server, file share, web-based application, remote desktop, BI system, OA/ERP system, CRM system, application server (inventory, store, ...); "Network Extend" mode.]
[Diagram: ZyWALL 5 (LAN/DMZ and WAN ports) terminating the SSL VPN in the LAN zone. The same remote users (employee on home computer, employee laptop in an airport kiosk or hotel, authorized partner, authorized customer) reach the email server, file share, web-based application, remote desktop and application servers over the Internet; encrypted on the WAN side, decrypted on the LAN side.]
[Diagram: Two-Factor Authentication with ZyWALL OTP (One-Time Password) on a ZyWALL USG Series or ZyWALL SSL 10 gateway. Remote users enter their username, password and the PIN code displayed on the ZyWALL OTP token (example shown: user "justin", password "zyxel", PIN 130201). The gateway checks the credentials against its local database or an external data source (Active Directory, RADIUS) and maps the user to a group (Group1).]
Example: ZyWALL Gateway
- Configuring a SSL VPN with a ZyWALL Firewall Appliance
Device: ZyWALL USG Series or ZyWALL 1050
OS: Windows XP / 2000 / 2003
Java: 1.6 or higher
Note: Windows Vista is not currently supported.
Configuration:
1. Create a user that can access the SSL VPN. Go to Object > User/Group.
2. Create an IP Address pool that will be handed out to the SSL VPN User. Go to Object > Address.
3. Create Web Applications / Fileshares the Clients will have access to.
a. Create a Web Application. Go to Object > SSL Application and add a new SSL Application. Point the ZyWALL to the internal web site.
b. Create a Fileshare. Go to Object > SSL Application and add a new SSL Application. Point the ZyWALL to a shared folder on the network.
4. Create the SSL VPN Connection. Go to VPN > SSL VPN.
a. Add the user that was created for the VPN Connection.
b. Select the SSL Applications for the clients to access.
c. Enable Network Extension and select the IP Pool that was created for the VPN.
d. Select the networks that the SSL VPN will have access to.
5. Allow the clients to be able to reach port 443 of the ZyWALL. Go to Firewall and add a new rule for HTTPS from WAN to ZyWALL.
6. To log into the SSL VPN, the client needs to point their web browser to HTTPS:// (the ZyWALL's WAN address), enter their username and password, check "Log into SSL" and click Login.

Example: Existing Gateway
Configuration of ZyWALL SSL 10
Topology
[Diagram: Internet - NAT Firewall - ZyWALL SSL 10 (WAN 192.168.1.33) - Computer A, with Computer B on the NAT Firewall's LAN. Addresses shown: 192.168.1.33, 192.168.1.34, 192.168.2.33, 192.168.1.35.]
- Configuring an SSL Tunnel using a ZyWALL SSL10 and a pre-existing firewall device
NAT Firewall configuration:
1. Connect an Ethernet cable from the NAT Firewall (LAN or DMZ) to the WAN of the ZyWALL SSL 10.
2. Port Forward 443 and 8443* to the WAN IP of the SSL 10 (192.168.1.33).
3. Create firewall exceptions from WAN to (LAN or DMZ):
a. Source: Any
b. Destination: WAN IP of the SSL 10 (192.168.1.33)
c. Port: 443 and 8443
4. Create a static route from the LAN of the NAT Firewall to the LAN of the SSL 10**:
a. Destination IP: Starting LAN IP of the SSL 10 (192.168.2.1)
b. Destination Subnet: Subnet Mask of the LAN of the SSL 10 (255.255.255.0)
c. Gateway IP: WAN IP of the SSL 10 (192.168.1.33)
d. Metric: 2
* Port 8443 is for remote management; this port is optional.
** The static route is used for Computer A and Computer B to pass data to each other. If there is no secondary LAN or this is not required, do not add the static route.
ZyWALL SSL 10 configuration:
1. Set a static IP address that is in the same subnet as the LAN of the Firewall on the WAN of the ZyWALL SSL 10. Go to System > WAN.
2. Create a user account. This will be used at the login screen of the ZyWALL SSL 10. Go to User.
3. Create an IP address pool to be handed out to the end users. Go to Object > Remote User.
4. Set up the VPN network the clients are to have access to. Go to Object > VPN Network and enter the subnet of the LAN network of the NAT Firewall.
5. Set up a policy to enable the authenticated users to have access to the VPN network. Go to SSL.
a. Select which user accounts have access.
b. Select which VPN network the authenticated user has access to and which IP address pool the user is going to use.
6. If NAT and SPI firewall is enabled (System > WAN) you must create an access policy for the users. Go to SSL > Access Control and set up when the client can have access to the VPN Network.
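The firewall-side steps of this example (port forward, firewall exception, static route) can be sanity-checked on paper before either appliance is touched. The following Python example is added here and is not ZyXEL's tooling: it models the guide's addressing plan (SSL 10 WAN 192.168.1.33 inside the NAT Firewall's LAN, which this example assumes to be 192.168.1.0/24 since the guide shows only hosts .33 to .35; SSL 10 LAN 192.168.2.0/24; forwards and exceptions for 443 and 8443; static route via 192.168.1.33, metric 2) and reports errors (SSL 10 WAN address outside the firewall LAN, a forwarded port with no matching exception, a route whose gateway is not on-link) and warnings (the optional management port 8443 exposed on the WAN, no route for Computer A and B). A second, constructed plan shows the failure cases.

```python
import ipaddress

# Addressing plan from the guide's "Existing Gateway" example. The /24 for the
# NAT Firewall LAN is an assumption of this example (the guide lists hosts only).
GUIDE_PLAN = {
    "firewall_lan": "192.168.1.0/24",
    "ssl10_wan_ip": "192.168.1.33",
    "ssl10_lan": "192.168.2.0/24",                       # 192.168.2.1 / 255.255.255.0
    "port_forwards": {443: "192.168.1.33", 8443: "192.168.1.33"},
    "firewall_exceptions": [
        {"source": "any", "destination": "192.168.1.33", "ports": [443, 8443]},
    ],
    "static_routes": [
        {"destination": "192.168.2.0/24", "gateway": "192.168.1.33", "metric": 2},
    ],
}

# Constructed misconfiguration for contrast: 8443 forwarded without an exception,
# and a static route whose gateway is not on the firewall LAN.
BROKEN_PLAN = {
    **GUIDE_PLAN,
    "firewall_exceptions": [
        {"source": "any", "destination": "192.168.1.33", "ports": [443]},
    ],
    "static_routes": [
        {"destination": "192.168.2.0/24", "gateway": "192.168.3.1", "metric": 2},
    ],
}

MANAGEMENT_PORT = 8443   # remote management of the SSL 10; optional per the guide


def validate_plan(plan):
    """Return {"errors": [...], "warnings": [...]} for a plan shaped like GUIDE_PLAN."""
    errors, warnings = [], []
    fw_lan = ipaddress.ip_network(plan["firewall_lan"])
    wan_ip = ipaddress.ip_address(plan["ssl10_wan_ip"])
    ssl_lan = ipaddress.ip_network(plan["ssl10_lan"])

    # SSL 10 step 1: its WAN address must sit inside the firewall's LAN (or DMZ) subnet,
    # and the SSL 10 LAN must be a distinct subnet or routing is ambiguous.
    if wan_ip not in fw_lan:
        errors.append(f"SSL 10 WAN {wan_ip} is not inside firewall LAN {fw_lan}")
    if fw_lan.overlaps(ssl_lan):
        errors.append(f"SSL 10 LAN {ssl_lan} overlaps firewall LAN {fw_lan}")

    # Firewall step 2: 443 must reach the SSL 10; 8443 widens the WAN-facing surface.
    forwards = plan["port_forwards"]
    if forwards.get(443) != str(wan_ip):
        errors.append("port 443 is not forwarded to the SSL 10 WAN IP")
    if MANAGEMENT_PORT in forwards:
        warnings.append(f"port {MANAGEMENT_PORT} (remote management) is exposed on the WAN; omit unless needed")

    # Firewall step 3: every forwarded port needs a WAN->(LAN/DMZ) exception to that address.
    for port, target in forwards.items():
        allowed = any(rule["destination"] == target and port in rule["ports"]
                      for rule in plan["firewall_exceptions"])
        if not allowed:
            errors.append(f"no firewall exception permits {target}:{port}")

    # Firewall step 4: the route to the SSL 10 LAN must use an on-link gateway,
    # namely the SSL 10's own WAN address.
    routed = False
    for route in plan["static_routes"]:
        dst = ipaddress.ip_network(route["destination"])
        gw = ipaddress.ip_address(route["gateway"])
        if gw not in fw_lan:
            errors.append(f"route {dst} uses gateway {gw}, which is not on-link in {fw_lan}")
        elif dst == ssl_lan:
            routed = True
            if gw != wan_ip:
                errors.append(f"route {dst} should use the SSL 10 WAN IP {wan_ip}, not {gw}")
    if not routed:
        warnings.append(f"no static route to {ssl_lan}: Computer A and B cannot reach each other (fine if not required)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for name, plan in (("guide plan", GUIDE_PLAN), ("broken plan", BROKEN_PLAN)):
        result = validate_plan(plan)
        print(f"== {name}: {len(result['errors'])} error(s), {len(result['warnings'])} warning(s)")
        for line in result["errors"] + result["warnings"]:
            print("  -", line)
```

The guide's own plan passes with a single warning about 8443, which matches the guide's footnote that the management forward is optional: leave it out unless remote management of the SSL 10 from the WAN is genuinely needed.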