StoneGate SSL VPN 1.2 Technical Overview

Copyright © 2007 Stonesoft Corp. All rights reserved.

Contents

• Introduction
  • New features, technology overview and StoneGate SSL VPN appliances
• The Six A’s
  • Assessment, authentication, authorization, access, auditing and abolishment
• Administration
  • Administration and GUI overview

Introduction

• New features in version 1.2
• Technology overview
• High availability
• StoneGate SSL VPN appliances

New features since version 1.1

• SMC integration
  • Logs and monitoring integration
• Server Pool Monitoring Agent
  • Support for load balancing using mirrored pairs and the StoneGate Firewall
• sginfo
  • The SSL VPN gateway includes the sginfo command, which collects diagnostic information for support

Integration with StoneGate Management Center

• SSL VPN gateways can be centrally monitored and controlled with the StoneGate Management Center
• Logs can be browsed and managed with the Log Browser and log data management tools

Technology Overview

• Remote access solution independent of client and location
• Traffic tunneled through SSL/TLS using a single port (TCP/443)
• Technology based on PortWise SSL VPN
  • 500+ customers and over 8 million users worldwide

[Diagram: Client connects to Server over TCP/443]

High Availability

• StoneGate SSL VPN 1.2 offers high availability
  • Two nodes can be joined together as primary and secondary
  • After the initial setup, all configuration is done through the primary node
  • If one node fails, user sessions continue on the other
  • Requires an external load balancer, such as the StoneGate Firewall’s server pool feature; the SSL VPN gateway includes the server pool monitoring agent

StoneGate SSL VPN Appliances

• Stand-alone SSL VPN appliances
• Operating system hardened for SSL VPN use
• No additional security patches needed
• Remotely upgradeable
• HA pair configuration possible
• Centralized logging and monitoring with StoneGate SMC

• SSL-6000: for thousands of users
• SSL-2000: for hundreds of users

The Six A’s

• Assessment
• Authentication
• Authorization
• Access
• Auditing
• Abolishment

1. Assessment

• Inspection of the user device (e.g. Windows) before it connects to the corporate network
  • Check for firewall
  • Real-time scans for continuous integrity checking
• Access client security
  • Only approved applications can be used for VPN connections
  • Protects from incoming (non-VPN) connections
• Assessment checks can be based on
  • Existence of named files and registry entries
  • File checksums
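As an added illustration of the checks named above (not code from the original deck or from Stonesoft), the following Python evaluates a hypothetical assessment policy against a constructed endpoint file tree: one entry only requires a named file to exist, the other pins the access client image to a known SHA-256 checksum. All paths, file contents and the policy itself are constructed for the demo; registry checks are left out because they are Windows-only.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed "known-good" access client image; a real deployment would record the
# checksum of the approved client build when the policy is created.
APPROVED_AGENT = b"approved access client build 1.2\n"
APPROVED_AGENT_SHA256 = hashlib.sha256(APPROVED_AGENT).hexdigest()

# Hypothetical assessment policy: (check kind, path relative to the endpoint root,
# expected value). "exists" only proves a file is present; "sha256" pins its content.
POLICY = [
    ("exists", "firewall/firewall.cfg", None),
    ("sha256", "agent/agent.bin", APPROVED_AGENT_SHA256),
]


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_check(root, kind, relative_path, expected):
    """Evaluate one policy entry; returns (passed, detail)."""
    path = os.path.join(root, relative_path)
    if not os.path.isfile(path):
        return False, "missing"
    if kind == "exists":
        return True, "present"
    if kind == "sha256":
        actual = sha256_of(path)
        # compare_digest keeps the comparison time independent of where the digests differ.
        if hmac.compare_digest(actual, expected):
            return True, "checksum ok"
        return False, "checksum mismatch"
    raise ValueError("unknown check kind: %s" % kind)


def assess(root, policy=POLICY):
    """Run the whole policy; the endpoint passes only if every check passes."""
    results = {rel: run_check(root, kind, rel, exp) for kind, rel, exp in policy}
    return all(ok for ok, _ in results.values()), results


def build_sample_endpoint(tamper_agent=False):
    """Create a constructed endpoint file tree for the demo (not a real client install)."""
    root = tempfile.mkdtemp(prefix="endpoint_")
    os.makedirs(os.path.join(root, "firewall"))
    os.makedirs(os.path.join(root, "agent"))
    with open(os.path.join(root, "firewall", "firewall.cfg"), "wb") as handle:
        handle.write(b"enabled=1\n")
    image = APPROVED_AGENT + (b"# modified\n" if tamper_agent else b"")
    with open(os.path.join(root, "agent", "agent.bin"), "wb") as handle:
        handle.write(image)
    return root


if __name__ == "__main__":
    for tampered in (False, True):
        passed, details = assess(build_sample_endpoint(tamper_agent=tampered))
        print("tampered=%s passed=%s %s" % (tampered, passed, details))
```

The difference between the two check kinds shows in the tampered run: the presence check still passes while the checksum check fails, which is why a policy that protects the access client should pin its checksum rather than merely require that the file exists.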

2. Authentication

• Integrates with external directory services (e.g., Microsoft Active Directory)
• 15 different authentication methods
  • The authentication method can be chosen for each resource separately
• Single sign-on for transparent authentication to multiple systems
• Support for identity federation
  • User authentication across multiple IT systems or even organizations
  • Based on the SAML 2.0 standard
  • Supports Microsoft ADFS

Examples of integrated authentication methods

• Mobile Text
  • One-time password (OTP) distributed via SMS
• Web
  • A Java applet or ActiveX component is launched to prompt for the password
  • The password is hashed and encrypted before it is returned
• Challenge
  • Response is generated with the Mobile ID software using the PIN
  • OTP: Seed + PIN + Challenge
• Synchronized
  • Response is generated with the Mobile ID software using the PIN
  • OTP synchronized between the client and server
• Password
  • Static password authentication
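The deck names the inputs of the challenge and synchronized methods (seed, PIN, and a challenge or a shared counter) but not the algorithm. The following Python is an added example, not the PortWise or Stonesoft implementation: it assumes an HMAC-SHA256 construction keyed by the seed and truncated to six digits, and shows both sides of each exchange, including a server-side look-ahead window for the synchronized method that tolerates counter drift while rejecting a replayed response. The seed and PIN are constructed demo values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DIGITS = 6


def _truncate(mac):
    """Dynamic truncation of an HMAC output to a 6-digit code (RFC 4226 style)."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def challenge_otp(seed, pin, challenge):
    """Client side of the challenge method: OTP = f(seed, PIN, challenge). Assumed construction."""
    message = b"challenge|" + pin.encode() + b"|" + challenge.encode()
    return _truncate(hmac.new(seed, message, hashlib.sha256).digest())


def synchronized_otp(seed, pin, counter):
    """Client side of the synchronized method: OTP = f(seed, PIN, shared counter). Assumed construction."""
    message = b"sync|" + pin.encode() + b"|" + counter.to_bytes(8, "big")
    return _truncate(hmac.new(seed, message, hashlib.sha256).digest())


@dataclass
class TokenRecord:
    """What the server keeps per enrolled token."""
    seed: bytes
    pin: str
    counter: int = 0  # next expected counter value for the synchronized method


def new_challenge():
    """The server picks a fresh random challenge per attempt so a response cannot be replayed."""
    return secrets.token_hex(4)


def verify_challenge(record, challenge, response):
    expected = challenge_otp(record.seed, record.pin, challenge)
    return hmac.compare_digest(expected, response)


def verify_synchronized(record, response, window=3):
    """Accept the next window+1 counter values to tolerate drift, then advance past the
    value that was used so the same response is rejected if it is presented again."""
    for step in range(window + 1):
        candidate = record.counter + step
        if hmac.compare_digest(synchronized_otp(record.seed, record.pin, candidate), response):
            record.counter = candidate + 1
            return True
    return False


# Constructed demo seed and PIN; real seeds are provisioned per user at enrollment.
DEMO_SEED = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
DEMO_PIN = "4711"

if __name__ == "__main__":
    record = TokenRecord(DEMO_SEED, DEMO_PIN)
    challenge = new_challenge()
    response = challenge_otp(DEMO_SEED, DEMO_PIN, challenge)
    print("challenge", challenge, "accepted:", verify_challenge(record, challenge, response))
    first = synchronized_otp(DEMO_SEED, DEMO_PIN, 0)
    print("sync first use:", verify_synchronized(record, first), "replay:", verify_synchronized(record, first))
```

Note that the server needs the PIN (or an equivalent secret) to recompute the response, so the token record is as sensitive as a password database and should be protected accordingly.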

Additional Authentication Methods

• SafeWord
• SecurID
• LDAP
• Active Directory
• User Certificate
• NTLM & NTLM v2
• Basic
• General RADIUS
• Extended User Bind
• Form Based Authentication
• Windows Integrated Login
• BankID
• BankID Signer

3. Authorization

• Accessible resources are defined with granular access rules based on
  • IP address of the incoming client
  • Client device
  • Authentication method(s)
  • Date and time restrictions
  • User group memberships
• Resources are typically applications
  • Web-enabled applications
  • Files accessible from the Web
  • Client-server applications accessed through tunnels
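The rule criteria listed above map naturally onto a deny-by-default policy evaluator. The following Python is an added example (not Stonesoft's rule engine): each Rule names the groups, client networks, device classes, accepted authentication methods and time window for one resource, and authorize() reports the first criterion that failed so that a denied request is explainable in the audit trail. Resource names, groups, networks and timestamps are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    client_ip: str
    device: str                   # e.g. "managed-windows" or "unmanaged"
    auth_methods: FrozenSet[str]  # methods completed in this session
    when: datetime


@dataclass(frozen=True)
class Rule:
    resource: str
    groups: FrozenSet[str]                          # membership in any of these is required
    networks: Tuple[str, ...] = ("0.0.0.0/0",)      # client must come from one of these
    devices: Optional[FrozenSet[str]] = None        # None = any device class
    auth_any_of: FrozenSet[str] = frozenset({"password"})
    weekdays: FrozenSet[int] = frozenset(range(7))  # 0 = Monday
    hours: Tuple[int, int] = (0, 24)                # [start, end) local hour


def rule_mismatch(rule, req):
    """Return None if the rule allows the request, otherwise the first failing criterion."""
    if not rule.groups & req.groups:
        return "group"
    ip = ipaddress.ip_address(req.client_ip)
    if not any(ip in ipaddress.ip_network(n) for n in rule.networks):
        return "network"
    if rule.devices is not None and req.device not in rule.devices:
        return "device"
    if not rule.auth_any_of & req.auth_methods:
        return "authentication"
    in_hours = rule.hours[0] <= req.when.hour < rule.hours[1]
    if req.when.weekday() not in rule.weekdays or not in_hours:
        return "time"
    return None


def authorize(rules, resource, req):
    """Deny by default; the first rule for the resource that matches allows access."""
    reasons = []
    for rule in rules:
        if rule.resource != resource:
            continue
        why = rule_mismatch(rule, req)
        if why is None:
            return True, "allowed by rule for %s" % rule.resource
        reasons.append(why)
    return False, "denied: " + (", ".join(reasons) or "no rule for resource")


# Constructed policy: the intranet is open to staff with a password or SMS OTP; the finance
# application needs a finance group member on an internal network, a managed Windows device,
# a stronger authentication method and office hours on a weekday.
RULES = (
    Rule("intranet", frozenset({"staff"}), auth_any_of=frozenset({"password", "mobile-text"})),
    Rule("finance-app", frozenset({"finance"}), networks=("10.0.0.0/8",),
         devices=frozenset({"managed-windows"}),
         auth_any_of=frozenset({"mobile-text", "certificate"}),
         weekdays=frozenset(range(5)), hours=(7, 19)),
)

WEEKEND = datetime(2008, 6, 7, 10, 0)  # a Saturday, for the time-restriction case


def sample_request(**overrides):
    """A constructed request that satisfies every finance-app criterion unless overridden."""
    base = dict(user="alice", groups=frozenset({"staff", "finance"}), client_ip="10.1.2.3",
                device="managed-windows", auth_methods=frozenset({"password", "mobile-text"}),
                when=datetime(2008, 6, 3, 10, 0))  # a Tuesday
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    print(authorize(RULES, "finance-app", sample_request()))
    print(authorize(RULES, "finance-app", sample_request(client_ip="203.0.113.5")))
    print(authorize(RULES, "finance-app", sample_request(when=WEEKEND)))
```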

4. Access

• The SSL VPN gateway proxies all traffic between clients and servers
• Clientless SSL VPN for Web resources
• Full TCP and UDP tunneling using an automatically downloaded (Java or ActiveX) access client
  • Static tunnels (localhost:port is forwarded to a destination through the SSL tunnel)
  • Dynamic tunnels (<real destination>:port is forwarded through the SSL tunnel to a destination)
    • Dynamic tunnels with the native Windows client only
  • Preconfigured tunnels for common applications, such as Windows file shares

Supported Access Client Platforms

• Microsoft Windows XP Home, XP Pro, 2003 Server, Vista Enterprise, Vista Business, Home, Premium
  • Sun Java Runtime Environment 1.1.8 or later
  • ActiveX client
• Apple Mac OS X 10.3.9 and 10.4 (Tiger)
  • Safari 1.3.2 (Mac OS X 10.3.9)
  • Safari 2.0.4 (Mac OS X 10.4.7)
  • Mozilla Firefox 2.0
• Red Hat Enterprise Linux 5.0
  • Sun Java Runtime Environment 1.1.8 or later
• SUSE Linux Enterprise Server 10
  • Sun Java Runtime Environment 1.1.8 or later

5. Auditing

• Consolidated and comprehensive audit
  • SOX, Gramm-Leach-Bliley, HIPAA, Basel II, and 21 CFR Part 11
  • Permanent, central and time-consistent trail of all identity and access activities across the enterprise
  • Gathers deep device assessment, authentication, authorization and access information in one place
• Real-time and historical reporting
  • Extensive VPN, authentication, policy, EPI, EPP, system and performance reports
  • Report export to Excel and Crystal Reports

6. Abolishment

• Session clean-up removes ALL traces of access from the end-point on completion of the session
  • Cookies
  • URL history
  • Cached pages
  • Registry entries
  • Downloaded components
• Available on Windows

Administration

• Administration overview
• Initial system and network configuration
• SSL VPN configuration
• Application portal

Administration Overview

• Web-based configuration for all administration tasks
• Dedicated Ethernet console with a fixed IP address (192.168.100.1)
• Delegated management
• Real-time alerts
  • Email and SMS notification channels

Initial System and Network Configuration

• Web interface for OS-level configuration
  • Remote upgrades
  • Services (including SSH for remote shell)
  • Network interfaces
  • Routes
  • DNS
  • System time
• HTTPS port 10000

SSL VPN Configuration

• Wizard-driven for all SSL VPN configuration
• HTTPS port 8443

Application Portal

• Fully customizable Web portal for
  • Web resources
  • Tunnel sets
  • External sites
• Multi-domain support
  • Different portals with a single SSL VPN gateway
