SSL VPN Fundamentals

SSL VPN Introduction

Technology Overview

  • Developed initially by Netscape
  • SSL v1 (never released), v2, v3
  • SSL v3.0 served as the basis of TLS 1.0, the IETF standard
  • Cisco SSL VPN uses TLS

SSL VPN Mode

Clientless

  • No client installation needed on the PC as long as it has a supported web browser
  • Runs entirely inside the browser
  • The gateway proxies requests from the browser to internal resources (HTTP, HTTPS, FTP)

Thin Client

  • Designed for non-web-based applications that use a static TCP port
  • Uses a thin client for supported protocols (such as Telnet, SSH, RDP, VNC)
  • Uses Java applets/ActiveX plugins, so clients must have Java installed on their PC
  • Popup blockers can also cause problems
  • Arbitrary ports can be supported through the use of smart forwarding

Thick Client

  • Requires installation of software on the PC
  • Not suitable for non-managed devices
  • Requires Java/ActiveX to be installed for the initial installation
  • Provides all functionality as if the user were on the LAN (assuming it is permitted over the VPN)
  • Policies can be managed centrally

SSL VPN Connection Process

  1. Client initiates a connection to the server and requests a secure connection
  2. Client provides a list of supported encryption/integrity algorithms (cipher suites)
  3. TLS server replies with a cipher/hash function it also supports
  4. Server also sends back its identity in the form of a digital certificate, which should be issued by a CA the client trusts. The server's public encryption key is also sent.
  5. Client confirms the validity of the certificate and generates a session key
  6. Client encrypts the session key with the server's public key and sends it to the server
  7. Server decrypts the session key and begins the encrypted session
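The seven steps above, driven end to end as an added example (not code from the page or from Cisco). It models the RSA key exchange that TLS 1.2 and earlier used; everything in it is constructed: the cipher-suite names, the trust store, the dict-based "certificates" and a tiny textbook RSA key pair (no padding, 92-bit modulus) that exists only to show the sealing of the session key. The class and function names (Client, Server, run_handshake, try_handshake, make_pair) are hypothetical. The checks in step 5 are the ones that matter to a defender: an untrusted issuer, an expired certificate, a name mismatch, or no common cipher suite each abort the handshake where a real stack would send an alert.

```python
"""Toy model of the SSL/TLS handshake (RSA key exchange, TLS 1.2 and earlier).
Added example; all data below is constructed and the RSA key is illustrative only."""
import hashlib
import secrets

# Step 5 model: a certificate is trusted if its issuer is in the client's
# trust store.  Real clients verify the CA's signature over the certificate.
TRUSTED_CAS = {"Example Root CA"}                       # constructed

# Textbook RSA from two known Mersenne primes, 2^31-1 and 2^61-1 (toy size).
P, Q = 2147483647, 2305843009213693951
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))                      # private exponent

SERVER_CERT = {                                        # constructed
    "subject": "vpn.example.com",
    "issuer": "Example Root CA",
    "not_before": 20240101, "not_after": 20261231,     # YYYYMMDD
    "public_key": (N, E),
}


class HandshakeFailure(Exception):
    """Raised where a real stack would send a TLS alert and drop the connection."""


def rsa_encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


class Server:
    def __init__(self, cert, private_key, suites):
        self.cert, self.private_key = cert, private_key
        self.suites = list(suites)                     # server preference order
        self.session_key = None

    def server_hello(self, offered):
        # Step 3: first suite in *server* preference order that the client also offered.
        for suite in self.suites:
            if suite in offered:
                return suite, self.cert                # Step 4: ServerHello + Certificate
        raise HandshakeFailure("no common cipher suite")

    def client_key_exchange(self, encrypted_key):
        # Step 7: recover the session key with the private key.
        m = rsa_decrypt(self.private_key, encrypted_key)
        self.session_key = m.to_bytes(8, "big")


class Client:
    def __init__(self, hostname, suites, trust_store, today):
        self.hostname, self.suites = hostname, list(suites)
        self.trust_store, self.today = trust_store, today
        self.session_key = None

    def client_hello(self):
        return list(self.suites)                       # Steps 1-2: offer supported suites

    def verify_certificate(self, cert):
        # Step 5: trusted issuer, inside validity window, name matches the gateway dialled.
        if cert["issuer"] not in self.trust_store:
            raise HandshakeFailure("certificate issuer is not a trusted CA")
        if not cert["not_before"] <= self.today <= cert["not_after"]:
            raise HandshakeFailure("certificate outside its validity period")
        if cert["subject"] != self.hostname:
            raise HandshakeFailure("certificate name does not match host")

    def key_exchange(self, cert):
        # Steps 5-6: fresh random session key, sealed with the server's public key.
        self.session_key = secrets.token_bytes(8)      # 64-bit toy key, fits under N
        return rsa_encrypt(cert["public_key"], int.from_bytes(self.session_key, "big"))


def run_handshake(client, server):
    """Drive the seven steps; report the negotiated suite and whether both sides share a key."""
    suite, cert = server.server_hello(client.client_hello())
    client.verify_certificate(cert)
    server.client_key_exchange(client.key_exchange(cert))
    same = hashlib.sha256(client.session_key).digest() == hashlib.sha256(server.session_key).digest()
    return {"suite": suite, "key_match": same}


def try_handshake(client, server):
    """Like run_handshake, but return the failure reason instead of raising."""
    try:
        return run_handshake(client, server)
    except HandshakeFailure as exc:
        return {"error": str(exc)}


def make_pair(client_suites=("AES256-SHA", "RC4-SHA"), server_suites=("AES256-GCM-SHA384", "AES256-SHA"),
              cert=SERVER_CERT, trust_store=TRUSTED_CAS, today=20250601):
    client = Client("vpn.example.com", client_suites, trust_store, today)
    server = Server(cert, (N, D), server_suites)
    return client, server


if __name__ == "__main__":
    print(try_handshake(*make_pair()))      # {'suite': 'AES256-SHA', 'key_match': True}
    print(try_handshake(*make_pair(today=20270101)))   # expired certificate
```

Two design points worth noticing: the server chooses the suite from its own preference list (so a client offering a weak suite first does not get to dictate it), and the certificate check runs before any key material is generated, so nothing is sealed to a key whose owner the client has not yet trusted.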

Terms Used