
Introduction to JMU’s SSL VPN



Presentation Transcript


  1. Introduction to JMU’s SSL VPN Mike Bayne 15 September 2011 http://www.jmu.edu/computing/security/sslvpn-intro.pptx

  2. What is a VPN?
     • Virtual Private Network
     • Provides an encrypted tunnel between a client computer and a remote network
     • Remote termination proxies the connection to other resources
     • All or some traffic routed to the remote network

  3. VPN Operation (diagram: VPN terminal at the JMU border)

  4. Why use the VPN?
     • Gain remote access to applications and data deemed too sensitive to expose directly to the Internet
       • Student Administration system
     • Gain remote access to resources licensed to JMU by IP address
       • Microsoft site license
       • Online library resources

  5. Old VPN: Cisco VPN
     • Required a client
     • No support for new OSes
     • No support for mobile devices
     • Tunneled all traffic over UDP
     • All traffic had to go through JMU, even if not destined for JMU
     • Access required configuration on firewalls
     • Rapidly approaching end-of-life

  6. New Hotness: Juniper SA6500 http://www.juniper.net/us/en/products-services/security/sa-series/sa6500/

  7. Juniper SA6500 SSL VPN
     • Support for newer OSes
     • Support for mobile devices
     • Uses web browser for basic access
     • Java clients for advanced access
     • LDAP or Active Directory authentication
     • Access granted based upon roles

  8. Qualified Platforms

  9. Compatible Platforms

  10. Compatible Mobile Devices (Web & File Browsing)
     • iPhone OS 3.0 and above with default Safari
     • Android 2.0 and above
     • Symbian OS 8.1 and above
     • Windows Mobile 6.0 Standard, Classic and Professional: Pocket IE 6.0
     • Windows Mobile 6.1 Standard, Classic and Professional: Pocket IE 6.0
     • Windows Mobile 6.5 Standard, Classic and Professional: Internet Explorer Mobile 6.0
     • Windows Mobile 5.0 based Pocket PC devices: Pocket IE 4.0
     • NTT i-mode phone
     • AU/KDDI phone: Openwave Mobile Browser
     • Vodafone phone: Openwave Mobile Browser

  11. SSL VPN Connection Methods
     • Web Connect
     • WSAM/JSAM
     • Network Connect
     • Junos Pulse (mobile clients)

  12. Web Connect
     • Default connection
     • Provides access to:
       • Web resources
       • File access
       • Remote desktop
       • SSH access
     • Solution for most connections at JMU

  13. Web Connect

  14. Pre-populated Bookmarks

  15. User-added Bookmarks

  16. URL Entry

  17. File Shares

  18. Remote Access: RDP and SSH

  19. Windows Secure Application Manager (WSAM)
     • Windows only
     • Java program or ActiveX control
     • Inserts a shim into the network stack
     • Network access to preconfigured resources is directed through the VPN
     • Resources MUST be preconfigured on the VPN

  20. WSAM

  21. WSAM

  22. WSAM

  23. Java Secure Access Manager (JSAM)
     • Java-based proxy
     • Maps a local port to a remote destination through the SSL VPN
     • Example: hrweb.jmu.edu:443 is mapped to local port 8000
     • Connections to https://127.0.0.1:8000 are forwarded to hrweb.jmu.edu:443
     • Either WSAM or JSAM per role, not both
     • Not currently used at JMU

  24. JSAM

  25. JSAM

  26. JSAM

  27. Network Connect
     • Most impact on JMU and the client system
     • Java application
     • Behavior similar to the existing Cisco VPN: all traffic is routed through the VPN to JMU’s network

  28. Network Connect

  29. Network Connect

  30. Network Connect

  31. Network Connect

  32. Junos Pulse
     • Network Connect for mobile devices
     • All traffic tunneled through the VPN
     • Untested

  33. Junos Pulse

  34. Junos Pulse

  35. Invoking the Demo Gremlins

  36. Behind the Scenes: Realms, Roles, and Resources

  37. Resources
     • Network resources that users are allowed or denied access to
     • Identified by host and port, subnet, URI, etc.
     • Can be specific enough to allow access to parts of a website while denying access to others

  38. Roles
     • Group of people that share similar access
     • Role membership can be identified by LDAP group membership or attribute
     • Role membership can be enumerated within the SSL VPN
     • Most roles are enumerated
     • Want to move to LDAP/AD as identity management matures
     • Users are often assigned multiple roles

  39. Realms
     • Logical container holding an authentication source and login pages
     • May be accessed either by a new domain name or by a new URL
       • https://student.sslvpn.jmu.edu
       • https://sslvpn.jmu.edu/student

  40. How They Fit Together
     • Roles are added to a realm
     • Roles may be in more than one domain
     • Resources are added to roles
     • Both permit and deny resources are added
     • Default deny of access to unmentioned resources
     • Users accumulate resources from each role they’re assigned to
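The realm/role/resource model of slides 37 to 40, worked through as an added example (not code from the presentation or from Juniper): resources match on host or CIDR, optional port and URI prefix; a user accumulates the rules of every assigned role; anything no rule mentions is denied. The sample roles, the 10.0.0.0/8 placeholder subnet, and the choice that a matching deny rule overrides a permit are constructed assumptions, since the slides do not state the appliance's precedence.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Resource:
    """One resource rule: host name or CIDR, optional port, URI prefix, permit/deny."""
    target: str                 # host name, or a CIDR such as "10.0.0.0/8"
    port: Optional[int] = None  # None matches any port
    path_prefix: str = "/"      # "/" matches every path on the host
    permit: bool = True

    def matches(self, host: str, port: int, path: str) -> bool:
        if "/" in self.target:  # subnet rule: host must be an IP inside the CIDR
            try:
                if ip_address(host) not in ip_network(self.target):
                    return False
            except ValueError:  # host is a name, not an address: no subnet match
                return False
        elif host != self.target:
            return False
        if self.port is not None and port != self.port:
            return False
        return path.startswith(self.path_prefix)


@dataclass
class Role:
    name: str
    resources: List[Resource] = field(default_factory=list)


def is_allowed(roles: List[Role], url: str) -> bool:
    """Evaluate one request against every rule accumulated from the user's roles."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    path = u.path or "/"
    hits = [r for role in roles for r in role.resources if r.matches(host, port, path)]
    if any(not r.permit for r in hits):  # assumption: a matching deny overrides any permit
        return False
    return any(r.permit for r in hits)   # nothing matched at all: default deny


# Constructed sample roles, not JMU's real configuration.
STUDENT = Role("student", [
    Resource("hrweb.jmu.edu", 443, "/"),                      # the whole site...
    Resource("hrweb.jmu.edu", 443, "/admin", permit=False),   # ...except the admin area
])
LIBRARY = Role("library", [Resource("10.0.0.0/8")])           # placeholder licensed subnet
```

A user holding both roles reaches hrweb.jmu.edu and the placeholder subnet, still cannot reach /admin, and gets nothing that no role names.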

  41. Challenges Ahead
     • Moving from enumerated roles to groups/attributes in a directory
     • Identifying resources that don’t work with Web Connect and developing workarounds
       • Internal JMU applications
       • Externally licensed resources (750+ through the library alone)

  42. Unused Features
     • Endpoint Security
       • Malware protection
       • Antivirus version monitoring
       • Patch management monitoring
       • Cache Cleaner
     • Two-factor authentication
       • One-time passwords
       • Certificates
     • Single Sign-on
     • Restrictions to access from certain subnets
     • Restrictions to browsers

  43. Questions?
