© 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Page 1: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

© 2005-09 NeoAccel, Inc.

SSL VPN-Plus Training

SSL VPN-Plus

Page 2

© 2005-06 NeoAccel, Inc.

COMPANY OVERVIEW

Page 3

Company Snapshot

Founded 2004
– Founder: Michel Susai
  • Former Chairman and CEO, and Founder of NetScaler (Acquired by Citrix for $325M)
– First Product Shipped Oct 2005

Technology Focus
– Secure Remote Access: SSL VPN-Plus™
– Network Access Control: NAM-Plus™
– SSL Based Site to Site VPN

Competitive Advantage
– Patented Architecture (ICAA™)
– 24-Month Technology Lead

Sales Strategy
– Enterprise, OEM, Channel

Offices
– Headquarters – San Jose, CA
– Regional Sales Offices
  • Boston, Houston, San Jose
  • India, China, Japan

Investors
– Institutional
  • Baring Private Equity
  • NTT
– Angel
  • Sabeer Bhatia (Co-Founder, Hotmail)
  • Prabhu Goel (Inventor, Verilog)

Page 4

Sample Customers

Financial Service Providers

Health Care Manufacturing

Gov’t

Enterprise

Non-Profit

Utilities

Insurance

Higher Education

Engineering Automotive Real Estate

Construction Online Security Marketing Logistics IT Services Retail

OEM

Page 5

Awards and Recognitions

SSL VPN Magic Quadrant Q307

"The company [NeoAccel] ... has established multiple OEM deals and sold well in the first half of 2007, ... outperforming some older and established companies."-- Gartner SSL VPN MQ 2007

Page 6

REMOTE ACCESS

Page 7

Remote Access?

• Access Secure Application Servers to update customer information or submit a daily report
• Access Corporate Email server
• Access Mission Critical Application Servers when at customer site
• Access Corporate Intranet to get latest information or check the status of your leave application

Page 8

Who Needs Remote Access?

• Consultants
• Partners
• Field Engineers and Sales Team
• Remote Office Employees
• Off office hours workers
• Roaming Executives
• Bridge branch offices to corporate centre

Page 9

Why VPN?

• When Alice talks to Bob

• Confidentiality

• Integrity

• Authentication

Page 10

VPN Technologies?

• PPTP

• L2TP

• IPSec

• SSL

Page 11

IPSec Features

• Site-to-Site Access
• Complete network access
• Transparent to Applications
• Least effect on performance
• Good security

Page 12

SSL VPN – Secure Socket Layer VPN

• Uses the SSL protocol for confidentiality, authentication and integrity, and then proxies to provide authorized and secure access to private network resources like Web, Client/Server, file sharing etc.
• Two modes
  • Clientless: Proxies web-based applications and uses the inbuilt SSL support in browsers to establish the VPN and deliver web traffic.
  • Network Extension: Proxies client-server applications; requires a proprietary client application to establish the VPN and facilitate client-server application communication.

Page 13

SSL VPN Features

• Designed for Remote Access
• Centralized Access Control
• Zero user side management
• One minute deployment
• Endpoint Security
• Clientless - Access Anywhere
• Network Extension
  • Access Anything

Page 14

Current State of VPNs – Remote Access

• 1st-Generation VPN – IPsec
  – IP Address-Based Tunnels
  – All-or-Nothing Network Access for Employees
  – High License & Administration Costs
• 2nd-Generation VPN – SSL
  – User-Based Tunnels
  – Conditional Access to Specific Applications
  – Significant Advantages over IPsec (see next slide)

[Figure: users connecting through IP Address-Based Tunnels and through User-Based Tunnels]

Page 15

2nd-Generation VPN Advantages over 1st Generation

• Increased Security
  • User-Based Tunneling
  • Endpoint Security
  • Granular Access Control
• Increased Return on Investment
  • Zero Client Software Costs
  • Zero Client Upgrade Costs and Pain
  • Zero Client Management
• Universal Access
  • Employees, Non-Employees
  • Access from Any Device – No Device with VPN Client Required
  • Cross Platform Support (Mac, Linux, Windows, Smart Phones, PDAs)

SSL VPN Drivers
% of respondents rating category a driver (Source: Infonetics Research, 2006)

Increased security: 80%
Enable clientless VPNs: 51%
Decrease operating cost: 41%
Support wide variety of client platforms: 38%
Enable employee access from handheld devices: 29%
Enable employee access from kiosks and guest computers: 23%

Page 16

IPSec – Why not?

• Not designed for remote access
• Traversal problem over NAT devices
• Firewall configuration required
• All corporate services are exposed on the firewall
• No centralized access control
• Per-user administration and configuration
• Interoperability among vendors
• Time-consuming deployment

Page 17

What’s Missing in SSL VPN

• Performance Degradation
  • SSL VPN falls prey to TCP over TCP melt-down
  • Extra context switching of SSL VPNs causes performance loss
• Poor End User Experience
  • Limited or no connectivity over low bandwidth or high packet loss networks like
    • Wireless
    • DSL
    • Data Cards
• Increased Support Cost
• No Site to Site VPN capabilities

Page 18

Why Companies are Not Buying SSL?

• Extra context switching of SSL VPNs causes performance loss

• SSL VPN falls prey to TCP over TCP melt-down

• Performance degradation affects the SSL gateway and all users

• Many companies stay with IPSec to avoid user complaints

What can IT do?

Page 19

NeoAccel: The Third-Generation VPN

• Increased Security
  – User-Based Access Control with Endpoint Security
• Increased ROI, Lower TCO
  – 10% of IPSec Costs in Large Installations
• Ubiquitous Access
  – Any User from Any Device
• IPSec-Level (or Better) Performance
• Site-to-Site VPN Support – New!

Page 20

NeoAccel SSL VPN-Plus Features

• Best of both worlds: IPSec and SSL VPN
• High Performance
  • Overcomes TCP over TCP meltdown
  • Overcomes Extra Context Switch
• Designed for Remote Access
• Centralized Access Control
• Zero user side management
• One minute deployment
• Endpoint Security
• Clientless - Access Anywhere
• Network Extension
  • Access Anything
• IPSec replacement capabilities
  • Site to Site VPN over SSL

Page 21

NeoAccel SSL VPN-Plus Deployment

[Figure: deployment diagram. Labels: NeoAccel NAM-Plus Gatekeeper; Internet; Sales Users; Wireless Users; Guest Users; roaming users (Secure Remote Access); SSL VPN-Plus Gateway; NeoAccel SSL VPN-Plus Gateway with HA; Branch Office (Site-to-Site Access); Directory Services; App Servers; Corporate Network / Data Center / DR Site; NAC Integration]

• Site-to-Site
• Endpoint Security
• Host Checking
• Compression
• 4 Forms of Access
• Self-Updating Full-Client
• Node on the Network
• Supports VOIP
• IPsec-Like Speeds
• Client-Side Cleanup
• High Availability

Page 22

End to End Secure Access

Areas covered: Endpoint Security Compliance; Hardened Appliance Network Security Services; Directory Integration (Directory Store); Data Transit Security; Dynamic Access Privilege Mgmt

Strong Authentication
• Eliminate PW Spoofing
• Ensure Non-Repudiation

Host Checker
• 3rd Party Software Compliance
• Registry, processes, files, custom DLLs
• Application Authenticity Check
• Recurring Host Check

Cache Cleaner
• Eliminate session data
• Delete temp files

Centralized Security Gateway Network Security
• DDOS Protection
• URL Attack Protection
• Network Firewall
• SSL Transport

Dynamic Authentication Policy
• Certificate, Source IP, Host Checker, Cache Cleaner, User Agent, Interface, etc.

Granular Authorization Rules
• Group Based
• URL, Host, Port
• Client/Destination
• End Point/Connection Check

• In-Transit Data Protection
• Data Trap
• Non-Cacheable HTML rendering
• Cookies
• Host Name Encoding

[Figure: SSL Appliance in front of back-end resources. Labels: MRP/ERP; Intranet / Web Server; Unix/NFS; Server Farms; E-mail]

Page 23

PERFORMANCE

Page 24

Packet Loss Leads to Performance Degradation

• Packet loss is a real-world problem
• Packet loss translates to severe performance degradation due to an architectural flaw in current SSL VPN products from the market leaders
• In the US, it is not unusual to see 5~8% packet loss across the public internet
• 15-20% packet loss is typical in wireless networks (i.e., 802.11)
• In some parts of Asia 50% packet loss is typical
• Worldwide average is >24% packet loss

Page 25

Other SSL VPNs: Packet flow

[Figure: packet flow between the SSL VPN client agent running on the remote user's machine, the SSL VPN Gateway and the private network servers]

Legend:
D: Application TCP data packet
A: Application TCP ACK packet
SD: SSL tunnel data packet
SA: SSL tunnel ACK packet

This is what will be achieved. This happens when the user is working in office, i.e. connected to LAN.

Page 26

TCP-Over-TCP Meltdown

All 1st and 2nd Generation SSL VPNs are subject to TCP-Over-TCP Meltdown. NeoAccel is not!

Page 27

SSL VPN: Packet Drop

[Figure: packet flow with a dropped packet between the SSL VPN client agent running on the remote user's machine, the SSL VPN Gateway and the private network servers]

Legend:
D: Application TCP data packet
A: Application TCP ACK packet
SD: SSL tunnel data packet
SA: SSL tunnel ACK packet

This is what will be achieved. This happens when the user is working in office, i.e. connected to LAN.

Page 28

How SSL VPN – Plus Improves Performance

• Key Technologies

• Intelligent Compression Acceleration Architecture (ICAA) : Overcomes TCP over TCP meltdown

• Transparent SSL (TSSL) : Kernel ported SSL encryption engine. Reduces Context switching

• Acceleration Triggered Compression Engine (ATCE) : Intelligent compression

Page 29

SSL VPN-Plus: Packet Drop

[Figure: packet flow with a dropped packet between the SSL VPN client agent running on the remote user's machine, the SSL VPN Gateway and the private network servers]

Legend:
D: Application TCP data packet
A: Application TCP ACK packet
SD: SSL tunnel data packet
SA: SSL tunnel ACK packet

This is what will be achieved. This happens when the user is working in office, i.e. connected to LAN.

Page 30

Non NeoAccel SSL VPN very slow, huge Packet Loss; TCP-Over-TCP problem

[Figure: packet path through client and gateway, split into User Mode and Kernel Mode. Labels: Client Applications; OpenSSL; L3 SSLVPN Module; Client TCP/IP Stack; VNIC- TUN/TAP; NIC; Internet; NIC-1; Server TCP/IP Stack; NIC-2; Private Network; Client; Gateway]

Context Switch: 2 (Client), 2 (Server)

Fields labelled in the packet flowing across the network: IP, TCP, SSL, IP, TCP, Data, DLL

Page 31

NeoAccel's SSL VPN-Plus: Packet Flow

[Figure: packet path through client and server, split into User Mode and Kernel Mode. Labels: Client Applications; Client TCP/IP Stack; NIC; Internet; NIC-1; Server TCP/IP Stack; NeoAccel's SSL VPN-Plus ICAA integrated with kernel level SSL (on both sides); NIC-2; Private Network; Packet Processing and VPNization of TCP data]

Context Switch: 0 (Client), 0 (Server)

Fields labelled in the packet: IP, TCP, SSL, Data, DLL, Node header

Page 32

Comparison of NeoAccel vs. Others

[Figure: protocol stacks drawn across the User/Kernel boundary for Unencrypted, IPSec, SSL VPN and NeoAccel SSL VPN-Plus. Layer labels: App, TCP, IP, IPSec, SSL, ICAA, TSSL, Enet. Markers #1 and #2]

Page 33

Why ICAA?

• It is observed that other SSL VPN vendors simply tunnel (proxy) a complete Ethernet frame over the SSL connection to the private network, resulting in two TCP layers for each packet. This redundant layer of reliability causes the TCP over TCP meltdown problem. (Slide 4)

• Many applications are not designed to work over lossy networks with varying bandwidth, like the Internet.

• There are known issues with the TCP layer when working over the Internet. In SSL VPNs, when multiple application TCP connections are tunneled into a single TCP connection, the effect of these TCP problems is increased exponentially. This results in frequent disconnects.

Page 34

ICAA Benefits

• ICAA avoids the overhead of the extra reliability layer introduced by tunneling application TCP traffic into the SSL VPN TCP tunnel.

• ICAA reduces TCP packet loss recovery time by 30 times by avoiding tunneling of a TCP connection inside another TCP connection.

• ICAA avoids the TCP layer limitations that make TCP unsuitable for remote application connections over a WAN with varying bandwidth and congestion. ICAA avoids per-connection parameters like TCP window size and congestion window for each application connection. The parameters of a single SSL VPN TCP tunnel are applied to all application connections.

• ICAA does not let application connections flow over the WAN, thus avoiding the TCP slow start problem, fragmentation and the congestion control algorithm limitations for each application connection.

• Even in 0% packet loss networks (like a LAN), the number of packets is reduced by 50% straightaway.

Page 35

Conventional SSL implementation slows down the gateway

[Figure: sequence diagram. Labels: Host TCP/IP Stack; SSL; Web Server; Hardware Accelerator. Operations shown: BN Mod Exponent, True Random Number Generator, 3DES Decrypt, SHA-1 Calculation, 3DES Encrypt, SHA-1 Calculation]

Messages shown, in order:
• SYN
• SYN+ACK
• ACK
• Client Hello
• Server Hello, Server Certificate, Server Hello Done
• Client Key Exchange, Change cipher spec, Client Finish
• Change cipher spec, Server Finish
• Encrypted Request
• Encrypted Response

Total User/Kernel Context Switches: 13

Page 36

SSL Connection Establishment

[Figure: sequence diagram. Labels: Host TCP/IP Stack; TSSL Engine; Web Server; Hardware Accelerator]

Messages shown, in order:
• SYN
• SYN+ACK
• ACK
• Client Hello
• Server Hello, Server Certificate, Server Hello Done
• Client Key Exchange, Change cipher spec, Client Finish
• Change cipher spec, Server Finish
• Encrypted Request
• Encrypted Response

Total User/Kernel Context Switches: 3

NeoAccel’s TSSL Engine speeds up by saving 10 Context Switches

Page 37

Why TSSL?

• It was observed that other SSL VPN vendors do encryption/decryption at the application layer, which is normally implemented at a less privileged level in an OS (Slide 3, 4). This results in slow SSL processing and therefore high latency for application connections.

• The high context switching of the CPU results in slower packet processing, higher latency, less throughput and fewer user logins/sec.

• Because SSL processing is done in user mode (the less privileged mode of the OS), there is an overhead between the SSL module and the SSL hardware accelerator cards. This results in less output from the SSL hardware accelerator cards.

Page 38

TSSL Benefits

• TSSL avoids CPU context switching on both the SSL VPN Gateway and the Client while handling each application connection over the SSL VPN, resulting in high tunnel throughput.

• TSSL helps the CPU spend less time on non-VPN-related tasks and process VPN data faster, resulting in low latency and more user logins per second.

• TSSL enables the SSL VPN Gateway and SSL VPN Client to do bulk encryption, resulting in better throughput.

• TSSL reduces the communication overhead between the SSL VPN Gateway and the SSL accelerator card, resulting in maximum throughput and higher SSL transactions per second.

• TSSL helps control the latency added by SSL processing for real-time traffic like VOIP and video.

Page 39

Why ATCE (Dynamic Compression)?

• Other VPN solutions offer compression only as an ON/OFF switch.

• Compression benefits depend on the available bandwidth and the current load on the VPN gateway. Other VPNs do not consider these factors.

• With ON/OFF functionality, compression increases the load on the VPN gateway even when compressing the data is not required.

Page 40

ATCE Benefits

• Calibrates compression benefits at regular intervals.

• Low bandwidth connections get more compression benefits compared to higher Internet bandwidth users

• Data is compressed only if data is compressible

• Optimizes the ratio of load/bandwidth

Page 41

Performance Comparison

NeoAccel SSL VPN-Plus vs. SonicWALL SSLVPN 200: Throughput KBytes/sec

[Figure: bar chart, vertical axis in KBytes from 0 to 4000. Bars: No Encryption/Layer2; No Encryption/Routed; SSL VPN-Plus (ICAA disabled); SSL VPN-Plus ICAA; SonicWALL 200. Bar values shown: 3362, 1587, 1360, 3510, 460]

Page 42

DEPLOYMENTS

Page 43

SSL VPN-Plus

Providing a single point of entry for all remote application needs, secure, reliable and user friendly.

Wireless/mobile user

NeoAccel SSL VPN-Plus Gateway

Private Corporate Network

A Simple SSL VPN-Plus Solution deployment

Page 44

Deployment Options

Page 45

Deployment Options

Page 46

Deployment Options

Page 47

Deployment Options

Page 48

Deployment Options

Page 49

COMPONENTS

Page 50

Various Components

• Gateway: Base OS
  • NeoAccel Hardened OS
• SSL VPN-Plus Gateway
  • Authentication Module: Local Database, LDAP, AD, Radius, RSA SecurID, Certificate based authentication
  • Authorization Module: ACLs (Network and Application Access Control)
  • Auditing
  • End Point Security

Page 51

Various Components (Contd.)

• Access Terminals
  • SSL VPN-Plus portal: Clientless access named Web Access Terminal. Supports IE 5.0 & above, Firefox, Netscape
  • SSL VPN-Plus client
    • QAT: Browser integrated Java based port forward client. Supports Windows 2000, Windows XP, Windows Vista, Windows Server 2000 & 2003
    • PHAT: Network Extension client. Supports Windows 98, Windows 2000, Windows XP, Windows Vista, Windows Server 2000 & 2003, Windows Mobile, Red Hat 9.0, Red Hat EL 3, Knoppix, Debian, Mac OS X
• Management Console
  • Requires JRE 1.4.2 or above on administrator’s PC

Page 52

Full-Range, High-Capacity Product Line

Feature                 SGX-800       SGX-1200            SGX-2400     SGX-4800
Target Market           Entry-Level   Sm-Med Enterprise   Enterprise   Large Enterprise
Concurrent Users        50            100                 2,000        10,000
Throughput              100 Mbps      250 Mbps            500 Mbps     950 Mbps
Operating System        NHOS*         NHOS                NHOS         NHOS
Gigabit Interfaces      4             2                   2            2
High Availability       Yes           Yes                 Yes          Yes
Hardware Acceleration   ─             ─                   √            √
Dual Power Supply       ─             ─                   √            √
Dual Hard Drives        ─             ─                   √            √

*NeoAccel Hardened Operating System

Page 53

NeoAccel Management Console

Module 1

Page 54

NeoAccel Management Console

The NeoAccel Management Console (NMC) is a Java-based administration console. To access the NMC, open a web browser and enter the following path:

http(s)://<ipaddress>/sslvpn-plus/nmc

Example: https://192.168.10.1/sslvpn-plus/nmc

To access the NMC from the Internet configure your firewall to allow TCP port 443 and TCP port 8090. Be sure to allow pop-up windows from the NMC URL.

Page 55

Access Management Console (contd.)

• Management Console login:
  • Default power-user credentials: admin/admin

Page 56

Menu Bar

The Menu Bar at the top of the browser has multiple options:

• Logout
  • Log out of the NMC
• Refresh
  • Refresh the NMC screen
• Save
  • Save current running configuration
• Change Password
  • Change the admin password (recommended)
• About
  • Copyright information
• Help
  • Open Help resources

Page 57

General

The landing page is System/General, which displays information such as version number, processor information, memory utilization and interface information.

Page 58

Interface Configuration

The interface configuration allows the administrator to change the IP address information for each network interface adapter.

To configure the SSL VPN-Plus Gateway for single arm mode, select the desired interface, check the box “Configure for Single ARM mode” and click Save. Advanced configuration allows specifying link speed and MTU size.

Page 59

Route

The Route menu option displays currently configured routes. To add routes to other networks, select the Add button and provide the necessary information.

Page 60

DNS

The DNS and Hosts Configuration sets parameters related to the SSL VPN-Plus Gateway: the hostname, the primary and secondary DNS servers, and static computer hostname to IP address mappings.

Page 61

NMC Administration

Multiple administrators can be created with different levels of access to the appliance configuration: full control, restricted or read-only. 1 Full control, 8 Restricted and 8 Read only administrators can be configured.

Page 62

Module 2 – SSL VPN-Plus

Module 2 focuses on creating and configuring the SSL VPN-Plus Gateway instance that end users will establish the tunnel with. It is possible and often useful to run multiple instances or gateways on a single device. This allows the administrator to provide different options for user connectivity.

One example would be configuring a separate gateway for third party business partners who need tunnel connectivity. Creating a separate gateway with a single authentication source and other options is an effective way to plan your Remote Access strategy.

Page 63

Gateways

The Gateways menu allows you to Add/Modify/Remove gateways and parameters. The right hand side of the screen lists the configured options.

Page 64

Modify Gateway

Highlight the gateway in the previous screen and select Modify. This opens a dialogue window with the General, Authentication and Advanced tabs.

The administrator can define the IP address, port, certificate and the cipher used to encrypt traffic over the SSL server. A broadcast message can optionally be specified, to be displayed to all end users when they connect to the VPN.

Page 65

Authentication

Select the Authentication tab to change authentication options such as enabling or disabling authentication, preventing multiple logons with the same username, and prioritizing the cascaded authentication server list. Dual Authentication can be enabled, in which case the end user needs to authenticate twice against two different authentication servers.

Page 66

Certificate Authentication

Enable Client Certificate Authentication so that the end user needs to provide a certificate to access private network resources. The CA list contains the CA certificates to which the client certificate can belong. The username can also be extracted from the certificate, so that the end user is only allowed to enter the password for the username extracted from the certificate used for authentication.

Page 67

Portal Customization

Portal customization allows a complete redesign of how web-based access appears to the user. The look and feel can be chosen from a list of Layout and Color schemes. The Layout scheme allows a logo, company name or title to be defined for the corporation. The Color scheme allows a complete change in the look and feel of the portal.

Page 68

Advanced

The Advanced tab sets parameters for enabling Acceleration Triggered Compression, Client Auto Update Notification, Endpoint Securing Agents, Virtual Keyboard, SSO, User Logging and timeout values, and for enabling Forced Timeout.

Page 69

Active Clients

The Active Clients screen shows the users who are logged into the SSL VPN-Plus and information about the tunnels established. The administrator can disconnect a single tunnel or all tunnels by selecting the appropriate button.

Page 70

License

The License screen shows the type of license, the number of concurrent tunnels allowed and the option to Update License.

Page 71

Update License

Select the Update License button and enter the Software Serial Number provided to you at time of installation. Click OK.

Page 72

Update License cont.

• Select Copy to Clipboard
• Open License Server
• Paste this selection into the License server and retrieve your license
• Paste the new license from clipboard
• Select OK

Page 73

Certificates

Allows the administrator to Add/View/Remove SSL certificates for the gateway

Page 74

Add Certificates

Enter the certificate name and browse to the location where the certificate is stored. Select the Private Key to import the server's private key as well.

Page 75

View Certificate

Allows the administrator to view the contents of the SSL certificate.

Page 76

Module 3 – Users/Groups

The NeoAccel SSL VPN-Plus allows granular control of users and groups. You will find that most of the power of this access control is based on group membership. The ability to limit access methods, apply access control policies, provide resources to access, do cleanup and provide the user with a customized experience is gained through Group policies.

When using an external authentication source such as RADIUS or Active Directory, it is not necessary to configure users directly on the gateway, provided you have selected the Group Extraction option in the configuration of the external authentication servers.

When a user presents credentials to the PHAT client or Portal, the gateway forwards that request to the authentication server, extracts the user's group membership and applies the configured Group Policies to that user.

Page 77

Authentication Servers

The SSL VPN-Plus Gateway supports the following authentication methods:

• Local Database
• Active Directory with/without Group Extraction
• RADIUS with/without Group Extraction
• LDAP with/without Group Extraction
• RSA SecurID
• Client Certificates – X.509

SSL VPN-Plus utilizes a “cascading authentication” mechanism whereby the user credentials supplied at time of login can be validated against multiple authentication servers. Authentication servers are bound to the Gateway instance and not the User/Group. Order of search precedence is determined by the administrator.
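The cascade and group extraction described above can be modelled as follows. This is an added example, not NeoAccel code: the `AuthServer` class, the server aliases, accounts, group names and resource names are all constructed, and it assumes the first server that accepts the credentials wins (the slides do not say how the gateway treats a reject versus an unreachable server). It also shows an audit worth running on any cascade: listing usernames defined in more than one store.

```python
"""Added illustration: cascading authentication with group extraction."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _pw_hash(password, salt):
    # PBKDF2 so the constructed stores never hold clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class AuthServer:
    """Hypothetical stand-in for one authentication server bound to a gateway."""
    alias: str
    group_extraction: bool = True
    users: dict = field(default_factory=dict)  # name -> (salt, hash, groups)

    def add_user(self, name, password, groups=()):
        salt = os.urandom(16)
        self.users[name] = (salt, _pw_hash(password, salt), tuple(groups))

    def check(self, name, password):
        """Return the user's groups on success, None on failure."""
        record = self.users.get(name)
        if record is None:
            return None
        salt, stored, groups = record
        if not hmac.compare_digest(stored, _pw_hash(password, salt)):
            return None
        return groups if self.group_extraction else ()


def cascade_login(servers, name, password, group_policies):
    """Try servers in administrator-defined order; first acceptance wins.

    Returns (server_alias, allowed_resources) or None. A group with no
    configured policy grants nothing, so unknown groups fail closed.
    """
    for server in servers:
        groups = server.check(name, password)
        if groups is None:
            continue
        allowed = set()
        for group in groups:
            allowed |= group_policies.get(group, set())
        return server.alias, allowed
    return None


def shadowed_usernames(servers):
    """Usernames defined on more than one server in the cascade.

    Any listed store can accept such a login, so the weakest store's
    password policy is the effective one for that account.
    """
    seen = {}
    for server in servers:
        for name in server.users:
            seen.setdefault(name, []).append(server.alias)
    return {name: aliases for name, aliases in seen.items() if len(aliases) > 1}


def build_demo():
    """Constructed sample data: two stores and three group policies."""
    ad = AuthServer("corp-ad")
    ad.add_user("alice", "Corr3ct-Horse", groups=["Sales"])
    ad.add_user("bob", "Tr0ub4dor&3", groups=["Engineering", "Interns"])
    local = AuthServer("local-db")
    local.add_user("partner1", "p@rtner-Pass", groups=["Partners"])
    local.add_user("alice", "test1234", groups=["Engineering"])  # stale test account
    policies = {
        "Sales": {"crm.corp.example:443"},
        "Engineering": {"git.corp.example:22", "build.corp.example:443"},
        "Partners": {"extranet.corp.example:443"},
    }
    return [ad, local], policies


if __name__ == "__main__":
    servers, policies = build_demo()
    print(cascade_login(servers, "bob", "Tr0ub4dor&3", policies))
    print("defined in more than one store:", shadowed_usernames(servers))
```

In this model the stale local `alice` account is accepted after the directory rejects the password, and it carries different groups; `shadowed_usernames` is the check that surfaces it.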

Page 78

Menu Section

This menu selection will allow the administrator to configure Groups, Users and Auth Servers.

Page 79

List of Authentication Servers

Page 80

Add Auth Server - RADIUS

• Select Server type RADIUS
• Provide an alias identifier
• Enter the IP address of the RADIUS server
• Enter the Port listening on the server
• Server timeout value in seconds
• Shared secret
• NAS IP Address
• Retry count
• Enable/Disable Group Extraction based on the Class attribute in the server

Click OK to complete the operation
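How a gateway could pull group names out of the RADIUS Class attribute, and refuse a reply that fails the shared-secret check, shown as an added example (not NeoAccel code). It assumes the Class value carries the group name as plain text; the function names, secret and group names are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ATTR_CLASS = 25     # Class attribute type (RFC 2865)

def build_accept(ident, request_auth, secret, classes):
    """Build a constructed Access-Accept carrying Class attributes."""
    attrs = b"".join(bytes([ATTR_CLASS, len(c) + 2]) + c for c in classes)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs

def extract_groups(packet, request_auth, secret):
    """Return the Class values of an authentic Access-Accept, else raise."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return []
    groups, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("attribute length out of bounds")
        if atype == ATTR_CLASS:
            groups.append(attrs[i + 2:i + alen].decode("utf-8", "replace"))
        i += alen
    return groups

def matched_groups(class_values, configured_groups):
    """Keep only Class values that name a Group configured on the gateway.

    Assumption: the Class value is the group name itself.
    """
    return [g for g in class_values if g in configured_groups]

# Constructed sample data (not from a real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
CONFIGURED = {"Engineering", "Contractors"}
SAMPLE = build_accept(7, REQUEST_AUTH, SECRET, [b"Engineering", b"Unmapped"])

if __name__ == "__main__":
    values = extract_groups(SAMPLE, REQUEST_AUTH, SECRET)
    print(values, "->", matched_groups(values, CONFIGURED))
```

A Class value that matches no configured Group is dropped rather than granted a default policy, and a reply altered in transit is rejected before any attribute is read.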

Page 81: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Auth Servers – Active Directory

• Select Server type
• Define alias identifier
• Provide server IP address
• Set server listening port
• Set server timeout
• Configure AD search base
• Configure bindDN
• Supply user's password
• Set Login attribute name
• Set search filter
• Enable/Disable Group Extraction

(continued next slide)

Page 82: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Auth Servers – Active Directory cont.

• Set Group attribute name
• Sub attribute name
• Click OK to add

Useful tool for extracting information from AD: LDAP Browser, http://www.ldapbrowser.com

Page 83: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Users - Local

In many cases the administrator may want to create local users for authentication rather than using an external authentication server. One example is allowing third-party personnel to use the SSL VPN-Plus tunnel: rather than adding the third-party user to Active Directory, simply configure a local user.

Page 84: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Groups

This screen shows a list of all Groups configured on the Gateway and allows the addition, modification or removal of Groups.

Page 85: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Add Group

• Supply a Group Name

• Additional description to identify group

• Set Group Access Policies

Page 86: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Group - Portal

• Select Portal tab

• Enable/disable Public URL access

• Set Web App links available to this group

• Select Application list

Page 87: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Group – Portal cont.

• File Share list
• PHAT client package

Page 88: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Group – Network Extension

• Allow QAT access
• Start QAT automatically
• Set Client Configuration Name
• Select Tunnel mode
• Define Default Gateway for full tunnel
• Set Private Network list
• Add IP Pool – only necessary if using PHAT access

Page 89: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Group – IP Pool (PHAT client)

Select the Add button to set the IP Pool that will be assigned to the Group. IP Pools work like DHCP: they are configured to provide an IP address, netmask, DNS servers, WINS server and other options.

Page 90: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Group – Private Network List

Select the Private IP network that you want to allow via the tunnel. To select multiple subnets, hold down the Control key while selecting, then click Add.

Page 91: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Group – Private Network ICAA options

The administrator can enable or disable the use of ICAA® technology for each private network. ICAA greatly increases traffic performance but in some cases is not compatible with certain applications/protocols.

Exclude allows the administrator to direct the client computer to exclude portions of a private network subnet's traffic from being sent over the VPN tunnel.

Page 92: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Group – Logon & Logoff Scripts

Upload scripts to be executed when the user connects to the VPN or at the end of the user's VPN session.

Scripts can be batch, Java or VB based.

Page 93: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Group – End Point Protection

The administrator can enable certain data cleanup mechanisms for the set of users belonging to a group. Either browser cache cleanup or blocking of cut/copy/paste can be enabled for the duration of the end user's session.

Secure workspace can be activated so that the end user must work inside a secure desktop. All data is stored in an encrypted manner on the end user's machine, and traces of it are deleted at the end of the user's VPN session.

Page 94: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Authorization

The authorization menu selection allows the administrator to configure Access Control Policies, Endpoint Security scans and Security Zones.

Page 95: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Access Control Policies - ACL

This screen is a repository of configured ACLs. These ACLs can be applied to Groups and Security Zones to control user access. As with firewall rules, take caution in applying these rules.

Page 96: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Add Policy – Network ACL

Page 97: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Add Policy – Application ACL

Blacklist or whitelist a specific set of applications, controlling whether they may be executed during the VPN session, on the basis of the name or MD5 of the process.

Use Block VPN Access to allow execution of a process but disallow any traffic generated by that process from being sent over the VPN tunnel.

Page 98: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Apply Group Access Control Policy

• Select Groups
• Modify
• Add ACL on General tab and set priority
• OK

Page 99: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Endpoint Security Policies

Endpoint Security Policies allow the administrator to define machine-specific scans to validate whether the client computer meets the security policies of the company. These security scans (host validation) run before user authentication.

The administrator can configure scans for the following items:

• File
• Process
• Registry
• Ports
• Services
• WMI
• Certificate Template

EPS policies are evaluated in the following order of precedence:

Zone = AND
Policy = OR
Rule = AND

Page 100: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Endpoint Security Policies

The SSL VPN-Plus comes with approximately 100 pre-configured Endpoint Security checks. The administrator can create custom checks by selecting the Add button.

Page 101: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Modify Existing Policy

Page 102: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Creating Process Policy

To create a Process policy, use the Windows Task Manager to locate the running process to test for and note the executable name. In this case the test will check for Skype.exe running.

Page 103: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Add Policy – Skype running

Select Add Rule and enter the required information

Page 104: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Completed Skype EPS check

Page 105: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS - File

The administrator can check for the following attributes of Files by specifying the File Name and full path and File Properties.

Page 106: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS - Registry

The administrator can test for the Existence of Registry entries.

Page 107: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS – Registry cont.

The above example would check to determine if the client machine is a member of the company domain.

Page 108: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS – Port Status

This allows the administrator to perform a basic port scan on the client machine to determine whether certain ports are open/closed/listening.

Page 109: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS - Service

This scan detects whether the client computer has a Windows service and whether the service is Running or Not Running.

Page 110: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS - WMI

WMI helps in reading the dynamic database of Windows. Rules created using WMI are used to check the health of the firewall, anti-virus and anti-spyware.

Page 111: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS – Certificate Template

This scan performs a watermark check of the end user's machine to identify a corporate-issued machine.

Page 112: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Security Zones

Once the administrator has configured EPS policies, the results of the EPS scan determine Zone membership. The scan runs when the client computer establishes a tunnel, prior to authentication. SSL VPN-Plus ships with 5 pre-configured Zones and the ability to create up to 40 different security zones.

Membership of a particular zone starts at the highest level and, based upon Pass/Fail of the EPS policies, traverses downward into lower zones where ACLs may be applied to limit resource access.

Zones allow the administrator to override Group policies and control access based upon the validation of the client computer.

In general one should never add an allow policy to a Security Zone with the exception of the Quarantine Zone.

Page 113: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Zones

Page 114: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS – Modify Zone

Allows the modification of EPS checks for a particular Zone.

Page 115: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS – Modify Zone with ACL

This example denies RDP when the client is placed in the Semi-Trusted Zone.
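The zone traversal and ACL override described on the Security Zones slides, modelled as an added example (not NeoAccel code). It assumes one reading of the "Zone=AND, Policy=OR, Rule=AND" line, stated in the first comment; the "Trusted" zone name, the checks and the endpoint data are constructed.

```python
# Added illustration, not NeoAccel code. Assumed reading of
# "Zone=AND, Policy=OR, Rule=AND": a rule passes when all of its checks pass,
# a policy when any of its rules passes, a zone when all of its policies pass.

def rule_passes(rule, endpoint):
    return all(check(endpoint) for check in rule)            # Rule = AND

def policy_passes(policy, endpoint):
    return any(rule_passes(r, endpoint) for r in policy)     # Policy = OR

def place_in_zone(zones, endpoint):
    """Walk zones from highest to lowest; return the first one satisfied."""
    for name, policies in zones:
        if all(policy_passes(p, endpoint) for p in policies):  # Zone = AND
            return name
    raise ValueError("zone list needs a final zone with no policies")

def effective_access(group_allows, zone_denies, zone):
    """Zone ACLs override Group policy: a zone deny removes a group allow."""
    return group_allows - zone_denies.get(zone, set())

# Checks are predicates over facts collected by the endpoint scan.
def process_running(name):
    return lambda ep: name in ep["processes"]

def process_absent(name):
    return lambda ep: name not in ep["processes"]

def service_running(name):
    return lambda ep: ep["services"].get(name) == "Running"

def registry_exists(key):
    return lambda ep: key in ep["registry"]

# Constructed policies; process, service and registry names are placeholders.
ANTIVIRUS = [[process_running("av_a.exe"), service_running("AvAService")],
             [process_running("av_b.exe")]]
DOMAIN_MEMBER = [[registry_exists(r"HKLM\PLACEHOLDER\DomainJoined")]]
NO_SKYPE = [[process_absent("Skype.exe")]]

# Highest zone first. "Trusted" is a hypothetical zone name.
ZONES = [("Trusted", [ANTIVIRUS, DOMAIN_MEMBER, NO_SKYPE]),
         ("Semi-Trusted", [ANTIVIRUS]),
         ("Quarantine", [])]
ZONE_DENIES = {"Semi-Trusted": {"rdp"}, "Quarantine": {"rdp", "ssh", "cifs"}}
GROUP_ALLOWS = {"rdp", "ssh", "cifs"}

# Constructed endpoint scan results.
CORPORATE = {"processes": {"av_a.exe"}, "services": {"AvAService": "Running"},
             "registry": {r"HKLM\PLACEHOLDER\DomainJoined"}}
HOME_PC = {"processes": {"av_b.exe", "Skype.exe"}, "services": {},
           "registry": set()}
UNKNOWN = {"processes": set(), "services": {}, "registry": set()}

if __name__ == "__main__":
    for label, ep in [("corporate", CORPORATE), ("home", HOME_PC),
                      ("unknown", UNKNOWN)]:
        zone = place_in_zone(ZONES, ep)
        print(label, zone,
              sorted(effective_access(GROUP_ALLOWS, ZONE_DENIES, zone)))
```

The same Group allows all three services in every case; only the zone the endpoint lands in changes what is reachable.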

Page 116: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

EPS Upgrade

Periodic synchronization with the Global EPS Upgrade server updates the factory-default list of policies for new releases of firewalls, anti-virus products, etc., and for Windows security patches and service packs.

Page 117: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 5 – Network Extension

Network Extension provides end users with various parameters for PHAT client access as well as QAT.

Page 118: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Dynamic IP Address – IP Pool

• Functions like DHCP

• Create multiple pools for assignment to groups

Page 119: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Create Dynamic IP Address Config

Set a name, IP Range, Netmask, Primary and Secondary DNS, DNS suffix and, if necessary, WINS server, then select OK.

Page 120: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Private Network Lists

• Define private network resources that users' tunnels will access

• Set multiple subnets/hosts for use by Groups

Page 121: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Create Private Network Profile

Set Name, Private Network, Netmask, Gateway if necessary and Ports if desired.

Page 122: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Client Configuration Lists

• Set client configuration options that apply to both PHAT and QAT

Page 123: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Add Client Configuration

The Client Configuration allows the administrator to define various parameters to be applied. These parameters are then applied at the Group level to control such features as Show Endpoint Security Details, Idle Timeouts, use of DHCP for IP assignment and other parameters.

Page 124: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Installation Package Configuration PHAT

• Create PHAT packages to be delivered to end users.

• Create multiple PHAT packages and assign based on Group membership

Page 125: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Add Installation Package

Set various client options for use with the PHAT client.

Page 126: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 6 - Portal

The Portal selection allows the administrator to customize web-based links that are presented to users upon successful login. The Layout and Colors selections allow the branding of the web-based portal to your company's needs, including logo and colors.

Page 127: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 6 - Portal

List of Resources that are made available to Groups.

Page 128: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 6 - Portal

Create a Web Application, which provides a quick link for users to access internal or external websites.

Page 129: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 6 - Portal

Configures Thin Applications such as Telnet, RDP, VNC and SSH, which allow the Groups to use integrated Java-based applets.

Page 130: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 6 - Portal

Defines web-based File Access for CIFS file servers or shared directories.

Page 131: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 6 - Portal

Allows the administrator to change the Login and Portal pages' logos, titles and PHAT client banner.

Page 132: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 6 - Portal

Modifies the web portal color scheme to meet your needs

Page 133: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 7 - Firewall

Page 134: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Add Filter Rule

Page 135: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Add Port Mapping

Page 136: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 8 - Tools

Page 137: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Ping

Page 138: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

ARP

Page 139: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

System Date/Time

Allows the administrator to set date and time or synchronize with an external NTP resource

Page 140: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Miscellaneous

Allows the import and export of the current configuration and other options. Pay special attention to the Client Upgrade URL.

Page 141: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Reboot / Shutdown

Allows the administrator to Reboot the Gateway or gracefully Shutdown the gateway

Page 142: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Module 9 - Logs

Page 143: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Logs - User Settings

Enable logging for the appliance. Logs can either be stored locally on the appliance or be sent periodically to an external syslog server.

Page 144: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Logs - User Settings

Logs can be viewed on the system by selecting View Logs. The logs are refreshed every 10 seconds.

Page 145: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Logs - Reporting

Generate log reports for a specific period of time and apply filters to pinpoint specific logs. These logs can be viewed over NMC, exported and stored in CSV format in an Excel sheet, or printed.

Page 146: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Logs - Statistics

View, save or print statistics on a daily or a weekly basis. Statistics can be used by administrators for statistical analysis or usage of the appliance.

Page 147: © 2005-09 NeoAccel, Inc. SSL VPN-Plus Training SSL VPN-Plus

Thank You.