What is SSL VPN

Source: Internet
Author: User
Tags: remote desktop access

SSL VPN RAP (Remote Access Pass) Remote Access Technical White Paper

Remote access to the internal network resources of the office has long been one of the biggest headaches for corporate IT departments. Every day, thousands of network administrators receive large numbers of requests to fix VPN setup problems. Users are baffled when some operation on their machine suddenly leaves it unable to bring up its IPSec VPN connection. Is it the NAT or firewall settings of the hotel they are travelling through? Those settings are always changing, and company administrators are tired of these tough and thankless tasks.

To separate external personnel from the firewall, the company's network administrator spends a great deal of time and effort changing firewall and internal network settings and configuring the VPN client for internal staff. How can sales staff out on the Internet be given secure remote access to the intranet? Ask a network administrator how much time he spends thinking about how employees can use their own computers at home to read email or reach important data on the company's internal services. Does the administrator send them a CD and walk them through installing and configuring it? To this day, many corporate network administrators are still entangled in this problem. A network administrator recently said: "Installing the VPN client on the computer at an employee's home takes too much work, so we send the employee another pre-configured computer to use at home. The cost of doing so is less than the cost of guiding employees to install it themselves."

Companies need easy-to-use secure remote access connections, and IPSec VPN looks like too much trouble! Administrators cannot easily configure customers or partners to access internal data securely. The ultimate goal is to provide high-performance secure remote data access that is easy to use. How should companies deal with this situation? Where is the answer?

SSL VPN RAP "Remote Access"

I. SSL VPN Technical Evolution

Evolution Process

With the migration of applications from the client/server (C/S) architecture to the Web, enterprises face a new challenge: users want to access these applications from anywhere. For the last 20 years, users and management have been told that, for security reasons, internal applications cannot be accessed from outside the company. In the 1970s, the concept of remote access was almost equivalent to accessing an application from a remote office location, which required an extremely expensive WAN and leased lines. By the 1980s, a small number of users could use a modem to dial directly into modem banks or their own PC, but the cost was very high and only a very limited number of people could use it. At that time using a PC at home was just becoming mainstream, and demand for remote access was not high. With the arrival of the 1990s and the spread of the home PC, mobile computers became common and the home office also emerged. Company managers and salespeople began carrying their laptops on business trips, and they needed real-time access to the company's internal information. An IPSec VPN can protect users' remote access and provides adequate security, but the problem is that installation and maintenance are quite troublesome. Any change on the PC can be a disaster for the VPN, and end users have to put up with these changes because they have no choice. Even now it is hard to find a user whose VPN has never given trouble. From the administrator's point of view, using IPSec VPN means not only installing and debugging the client but also adjusting the network structure. NAT does not work completely: when packets are transmitted, the connection is sometimes dropped. Changing the firewall settings can solve this problem, but it requires a lot of management work. If the IT department has full control over the network structure from the backend to the client, the management complexity can be tolerated; when it cannot be fully controlled, the complexity multiplies. This is exactly the situation when a partner works from home or from a hotel behind a local NAT and firewall.

Today, companies are beginning to look at whether they have chosen a suitable secure remote access system. IPSec VPN and leased WAN lines are a good choice for users who do not change their network structure frequently. If that is not the case, the user needs to make another choice. Now, some companies have begun to consider using the SSL protocol over the Internet to provide VPN access control between the intranet and external networks, without disrupting the existing network layout. SSL is a common method of protecting encrypted transmission over the Internet.

SSL VPN Definition

SSL VPN is a development and supplement of existing SSL applications; it increases the company's access control and security levels and capabilities. SSL VPN also helps enterprises that use remote access to application systems to reduce their security risk. Speaking of attributes, dial-up ensured relative security because the user's identity could be confirmed by a specific telephone line. Client/server and older VPNs also had a certain level of security protection, because client software had to be installed. Such security policies and attributes are undeniable, yet hacker intrusion, security threats and identity fraud are on the rise. Now, with SSL VPN, the security picture has changed: people can access applications through a browser.

If you take SSL and VPN as two separate concepts, most people know what they mean, but how many people know what they mean together? From both an academic and a commercial perspective they are often misinterpreted, because they represent different things. SSL protects the security of data transmitted over the Internet by means of encryption, and it is available automatically in every browser. Here, a digital certificate must be provided to the web server, and this certificate must be purchased. Deploying SSL services is relatively easy; if the application itself does not support SSL, some links and procedures need to be changed. If there is a large amount of traffic, SSL acceleration is recommended to avoid bottlenecks; typically an SSL acceleration device is hot-swappable.

VPN is mainly used for virtual connection networks. It ensures data confidentiality and has certain access control functions. In the past, VPN was always associated with IPSec, because IPSec is the protocol a VPN uses to encrypt information. IPSec runs at the network layer, and IPSec VPN is mostly used to connect two networks or for point-to-point connections.

We have briefly introduced SSL and VPN; now we want to know how SSL and VPN are combined. A large body of theory proves the unique security and remote access control capability of SSL VPN. So far, SSL VPN is the simplest and safest solution for remote users to access sensitive company data. Compared with the complex IPSec VPN, SSL achieves the remote information connection more simply. Any machine with a browser can use SSL VPN, because SSL is embedded in the browser; unlike the traditional IPSec VPN, client software does not have to be installed on each client. This holds for the large number of machines (home machines, work machines and clients) that need to connect to confidential company information. It is widely believed that SSL VPN will become the new generation of secure remote access.

What is SSL VPN?

Many factors prove that SSL VPN is the savior for the remote access problem. As more and more companies struggle to balance access control, security and ease of use for users, SSL VPN has given the best answer. A recent Infonetics survey report pointed out: "By 2003, 59% of mobile users will use VPN; by 2005, this number will rise to 74%. Most of the added share comes from SSL VPN, because it avoids the trouble of client installation and management." Gartner Vice President John Girard made a wonderful comment on SSL VPN in a recent research report: "As a way to deploy their secure remote access system in a simpler and more flexible way than traditional VPN, industry should consider SSL VPN as a new investment. Now, many enterprises have begun to deploy their systems with this SSL-based, simple, easy to use and cost-free VPN solution."

The value of SSL VPN has many aspects. The most important are improved access control capability, security and ease of use, and a high rate of return on investment (ROI).

Access control: SSL VPN is more effective for access control because centralized user management is implemented. All remote access is controlled through the SSL VPN console, so user activity can be monitored more effectively. These users may be internal staff of the company, partners or customers. All access is restricted at the application layer, and permissions can be subdivided down to a URL or a file. With IPSec VPN, however, security permissions are limited to the network level.

II. SSL VPN RAP "Remote Access"

Remote Access Pass (Remote Access System)
Secure Remote Access Solution
Introduction
Remote Access Pass (remote access door system) allows you to securely access any Windows PC. Changes to the keyboard, mouse and display interface are highly compressed and encrypted for transmission. Broadband users get an immersive experience, and even over dial-up connections users will be satisfied with its performance.
Remote Access Pass (Remote Access System) includes the following functions:
Remote Control: an adaptive program that runs from any browser gives access to desktop applications in the intranet (even if the application is not web-based).
File Transfer: transfers files, folders and shared directory resources between computers quickly and easily; upload speed is equivalent to FTP.
Remote Boot: remotely wake up your host on the intranet.
Java JSP: a JVM web page that runs dynamically on any remote terminal.
Java Applet: the remote access connection runs on any remote terminal; remote clients support almost all operating systems, including Windows, Mac or Unix PCs.
The overall structure of Remote Access Pass is composed of the following five parts:
Enterprise Intranet HOST: the target machine in the intranet is controlled by its user and is registered by the authorized user. During registration, the Remote Access Gateway generates an RSA-based certificate for the target computer and stores the certificate, together with the target computer's private key, on the target computer, to authenticate the relationship between the target computer and the user and to establish an SSL secure channel.
Remote Terminal: on the user end, the staff member opens a browser, goes to the enterprise's public IP address, enters a user name and password, and clicks the target host name to connect. The remote client automatically sends an SSL-based encrypted request to the APP module.
APP module: listens for external connection requests and maps them to the registered target machine. Through the remote browser, JSP pages interact dynamically with the Java Servlets in this module to implement authentication and file transfer. When a remote connection is completed, the APP assigns a session task to the Relay; at this point the remote terminal's Java Applet is loaded and run automatically in sequence, and any small or short event is executed accurately.
Relay: transfers highly compressed, encrypted data packets between the remote terminal and the intranet host.
Admin System Management Platform: lets the enterprise administrator easily add or remove users, set accounts temporarily invalid or valid, delete target hosts, and so on.
Any enterprise is most concerned with maintaining the integrity of the enterprise network and the confidentiality of sensitive data. When Internet-based mobile workers extend the enterprise's network applications, security is the most critical element. Remote Access Pass (Remote Access System) is built and developed on the key security measures described in this article.
Complete security
The Remote Access Pass remote access system provided by Helm Systems is a very powerful, robust and secure system.
Secure Device
Remote Access Pass (remote access door system) is a hardware appliance that cannot be controlled or managed by unauthorized personnel; it does not even provide a display screen. Only the enterprise's system administrator can log on and perform management settings, and all operations are simple and easy.
Secure Application Platform
The Remote Access Pass remote access system runs on a solid, high-quality and reliable Linux application platform. The whole remote access system has passed penetration testing; it monitors for any suspicious behaviour at all times and keeps detailed system records.
Reliable and Scalable System Structure
The entire system structure is designed to be reliable and secure. Support for clusters and redundancy ensures the high availability and scalability of the system. The large amount of image compression and encryption/decryption work is done on the remote terminals and intranet hosts, while the core module of the remote access system is mainly responsible for verifying the identity of both the user and the computer at the start of the connection and, during the interactive session after the remote terminal and intranet host are connected, for constantly verifying the authenticity of both parties' identities and preventing external illegal intrusion. This effectively avoids the common network bottleneck problem, so that the system achieves the best performance.

Protect Users' confidentiality
Helm Systems knows that every enterprise is most concerned about network security. Remote Access Pass (Remote Access System) provides strong security and confidentiality policies to prevent the information of individual users or enterprises from being leaked.
Access user information
The enterprise's system administrator is the only person who can manage and control Remote Access Pass (Remote Access System), and of course this is permitted. In order to provide better technical service, they need to do some basic work that everyone knows about. Session records of Remote Access Pass are used by enterprises for analysis to further improve the quality and performance of network services. The remote access system records domain names, browsers and MIME types in the interactive communication; these data are aggregated and recorded centrally and cannot be associated with any individual or enterprise account.
Ensure transmission confidentiality
With Remote Access Pass (remote access system), the system administrator can access a summary of the enterprise account, but cannot access a user's remote connection. In fact, although the Relay of Remote Access Pass carries the communication between the remote terminal and the intranet host, these packets are encrypted and nobody can read the transmitted information. Besides, no one except the user has the computer remote control password from which the key is generated, so the session activities created by each user are not exposed to any security threat.

Security Management Policy
Remote Access Pass (Remote Access System) provides a secure system management platform for enterprise system administrators to manage access by legitimate staff and prevent unauthorized connections.
Secure Operation Interface

The online system management platform does not require any client software; it is managed from an intranet computer using a browser. Once Remote Access Pass (Remote Access System) is installed and deployed in an enterprise, the enterprise's system administrator receives detailed instructions for use. Remote Access Pass (Remote Access System) is verified on the basis of the X.509 digital signature system, and the administrator's identity must also pass username/password verification. After the connection is established, all management traffic is carried over the encrypted SSL protocol, so that enterprise and individual machine passwords are neither disclosed nor modified.
Add new user
Only the system administrator is authorized to add new users, which is done easily through the system management platform. The system sends an email to each new user containing a temporary random password. The user then changes the password; the new password is converted into a large-number digest through a series of irreversible algorithms such as MD5 and stored in the database for authentication. This method is well suited to wide enterprise network deployment while maintaining rigorous enterprise authentication management.
Disable and delete user accounts
The system management platform can also be used to check the activity status of individuals or groups and to temporarily disable or permanently delete user accounts. The affected users automatically receive an email indicating that the account has been disabled or deleted; after that, their access requests are rejected.
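The provisioning and revocation flow in the two passages above (administrator-only user creation, an e-mailed temporary random password that must be replaced, storage of only an irreversible digest, and rejection of disabled or deleted accounts) is shown here as an added example. It is not the product's code, and the names, the in-memory store and the "outbox" standing in for e-mail are constructed. The white paper names MD5 as the digest; this example deliberately substitutes salted PBKDF2-HMAC-SHA256 from the Python standard library, because an unsalted fast hash lets anyone who obtains the database test candidate passwords at very high speed and reuse precomputed tables across users.

```python
"""User provisioning and revocation as the text describes: only the
administrator may add a user; the system e-mails a temporary random
password; the user must replace it; only an irreversible digest of the
password is stored for authentication; disabled or deleted accounts are
refused. Added illustration, not the product's code. The white paper names
MD5 as the digest; this example substitutes salted PBKDF2-HMAC-SHA256.
Names, the store and the mail outbox are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 200_000      # example value; raise to what your hardware tolerates
MIN_PASSWORD_LEN = 12        # example policy; the paper only requires letters + digits


@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = True     # True while the temporary password is in use
    disabled: bool = False


def derive(password: str, salt: bytes) -> bytes:
    """Irreversible, salted, slow digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def acceptable(password: str) -> bool:
    """Letters and digits required; case sensitivity comes from exact comparison."""
    return (len(password) >= MIN_PASSWORD_LEN
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class UserStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # stands in for the e-mails sent

    def _require_admin(self, role: str) -> None:
        if role != "admin":
            raise PermissionError("only the system administrator may do this")

    def add_user(self, role: str, username: str) -> str:
        """Create the account and return the temporary password that is
        e-mailed to the user; only its salted digest is kept server-side."""
        self._require_admin(role)
        if username in self._accounts:
            raise ValueError("user already exists")
        temp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(salt, derive(temp, salt), must_change=True)
        self.outbox.append((username, f"Your temporary password is {temp}"))
        return temp

    def verify(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None or acct.disabled:
            return False
        # constant-time comparison of the derived digest
        return hmac.compare_digest(derive(password, acct.salt), acct.digest)

    def login(self, username: str, password: str) -> str:
        if not self.verify(username, password):
            return "rejected"
        return "password-change-required" if self._accounts[username].must_change else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self.verify(username, old) or not acceptable(new):
            return False
        salt = secrets.token_bytes(16)                  # fresh salt on every change
        self._accounts[username] = Account(salt, derive(new, salt), must_change=False)
        return True

    def revoke(self, role: str, username: str, delete: bool = False) -> None:
        """Temporarily disable or permanently delete; the user is notified."""
        self._require_admin(role)
        if username not in self._accounts:
            return
        if delete:
            del self._accounts[username]
        else:
            self._accounts[username].disabled = True
        self.outbox.append((username, "Your account has been deleted" if delete
                            else "Your account has been disabled"))
```

The temporary password is returned to the caller only so that the example can show it being sent; nothing but the salt and digest is retained, and the account stays in the password-change-required state until the user has chosen a password that meets the policy.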

Secure installation service
The software installation and upgrade procedures of Remote Access Pass are designed from the perspective of enterprise security.
Digital Signature Application Software
Users in the intranet can use the "register computer" operation to download the host service program automatically. During registration, an RSA-based certificate is generated for the target computer and stored, together with the target computer's private key, on the target computer to authenticate the user's relationship to it and to establish an SSL secure channel. Only the registration program on the intranet host is required; the client does not need to install any software. All Remote Access Pass applications are digitally signed and are updated and upgraded automatically. Every installation and upgrade must pass signature verification, which blocks "Trojan horse" programs disguised as valid Remote Access Pass (Remote Access System) software.
The client has no security parameter settings. The system only verifies the user's login name, account password and computer remote control password; this prevents user configuration errors. Therefore, each user must protect their passwords carefully.
Firewall compatibility
Remote Access Pass (Remote Access System) is firewall friendly: it only uses HTTP/TCP ports 80 and 443 for access. Because most firewalls already have these ports open for communication with the Internet, there is no need to set up bypass access or make any changes to the firewall settings of headquarters, branch offices or remote office sites. Many other solutions require the target host to have a public IP address; the Remote Access Pass remote access door system is different. The intranet host sends an "upcall" request to the APP module at a fixed interval to check for connection requests. This makes the remote access system fully compatible with firewalls, dynamic IP addresses, NAT/PAT settings and the various application proxies. Therefore, enterprises can easily control and manage Remote Access Pass (remote access system).
Protect Computer Access
A target host in the enterprise intranet must register with the remote access system before a remote connection can be established. The registration program must be run physically at the target host; it does not support remote deployment, which also prevents "planting" of Trojan programs. Only authorized users can register their computers. As the computer owner, the user must log in with the authorized user name and temporary login password, and can then begin managing their own computer, including registering the target host, changing the temporary password and creating a computer remote control password.
Protect confidential data
Remote Access Pass (Remote Access System) packs data for transmission into highly compressed encrypted packets, which ensures data security without sacrificing performance. All transmissions between the client and the target machine, such as screen images, file transfers and keyboard/mouse input, are encrypted on the basis of the secure SSL protocol.
When each valid connection is first established, the remote access system allocates a one-time random 32-digit number. This random number establishes the uniqueness of the current connection, preventing hackers from using replay techniques to attack or to attach to a legitimate connection. For a third-party attacker, the encrypted binary data makes it extremely difficult to modify packets or to guess encryption keys through traffic analysis.
Access protected by strict Authentication
The confidentiality of Remote Access Pass is based on strict and strong verification. Each part of Remote Access Pass (remote access system), including the APP module, Admin management platform, Relay, remote terminal and intranet host, undergoes the same strict verification, and only a party that passes verification can be admitted to secure enterprise resources.
Complex password for long string combination
The Remote Access Pass remote access system requires that each password can contain letters and numbers and is case sensitive. The longer and more complex the password, the stronger the protection.
Multi-level nested Password
When you enter the logon password, the remote access system uses password technology to protect sensitive data: the entered password is displayed as ciphertext. Remote Access Pass (Remote Access System) uses multiple nested passwords to ensure its security. The APP module uses digital signatures to verify itself, and it digitally signs all Java programs and system software. Remote user authentication uses an account name/password logon protected with the MD5 algorithm. When an intranet host registers with the APP, the Remote Access Gateway generates an RSA-based certificate for the target computer, which is stored on the target computer together with its private key to authenticate the relationship between the target computer and the user and to establish an SSL secure channel.
End-to-End Verification
When a remote terminal establishes a connection with an intranet host, they also use the user's password (the computer remote control password) to protect the data: the remote control password is used to digitally sign this key code, and data packets between the remote terminal and the intranet host are encrypted and decrypted with it. This key protects mutual authentication based on signature information using the Triple-DES algorithm. As long as the user protects his password securely, only the user can establish a connection with the intranet host.
Timeout setting
Remote visitors may leave a public PC or an unattended home PC without logging out. The timeout function of Remote Access Pass reduces this risk: if a session remains idle for 15 minutes, the remote user account is automatically logged out of Remote Access Pass (remote access system).
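Two of the session protections described above, the one-time random 32-digit connection number (under "Protect confidential data") and the 15-minute idle timeout, can be exercised together in one small broker. This is an added example and not the product's code: the white paper does not publish its number format or bookkeeping, so the number is generated here with the standard library's CSPRNG, the state tables are constructed, and the clock is injectable so the timeout can be tested without waiting.

```python
"""One-time 32-digit connection number plus idle timeout, as an added
illustration of the two protections the text describes (not the product's
code). A number is issued once, refused if ever presented again after the
session ends, and the session is logged out after 15 idle minutes.
The state bookkeeping and the injectable clock are assumptions."""
import secrets
import time
from typing import Callable, Dict, Set

IDLE_LIMIT_SECONDS = 15 * 60     # the 15-minute limit stated in the text


class SessionBroker:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._live: Dict[str, dict] = {}   # connection number -> session state
        self._issued: Set[str] = set()     # every number ever issued

    def open(self, user: str, host: str) -> str:
        """Allocate a fresh 32-digit number for a newly verified connection."""
        number = f"{secrets.randbelow(10 ** 32):032d}"
        assert number not in self._issued      # 10**32 space: collision negligible
        self._issued.add(number)
        self._live[number] = {"user": user, "host": host, "last": self._clock()}
        return number

    def touch(self, number: str) -> str:
        """Validate a packet carrying `number`. Returns 'ok', 'expired',
        'reused' (a number seen before but no longer live) or 'unknown'."""
        sess = self._live.get(number)
        if sess is None:
            return "reused" if number in self._issued else "unknown"
        now = self._clock()
        if now - sess["last"] > IDLE_LIMIT_SECONDS:
            del self._live[number]         # automatic log-out; number stays burned
            return "expired"
        sess["last"] = now
        return "ok"

    def expire_idle(self) -> int:
        """Periodic sweep: log out every session idle longer than the limit."""
        now = self._clock()
        stale = [n for n, s in self._live.items() if now - s["last"] > IDLE_LIMIT_SECONDS]
        for n in stale:
            del self._live[n]
        return len(stale)

    def close(self, number: str) -> None:
        """Normal log-out; the number can never be used to reattach."""
        self._live.pop(number, None)

    def live_users(self) -> Set[str]:
        return {s["user"] for s in self._live.values()}
```

Keeping the set of issued numbers is what turns "random" into "one-time": a captured number that is replayed after the session has ended is distinguishable from a never-issued one, which is useful both for rejecting it and for logging it as an anomaly.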
Remote terminals are left blank
The remote terminal only uses the browser and a dynamically run Java JVM. When the user exits the application or closes the browser, the session is cleared; the remote terminal keeps no trace of the user.
System-level access control
Remote Access Pass (Remote Access System) provides system-level remote access control technology that lets enterprises control LAN resources more effectively. The remote user of the remote access system enters his Windows logon password and then receives the file-level, owner-level and domain-level permissions authorized by the enterprise. In other words, remote users have no other path into the enterprise intranet; the desktop applications remain under the management and control of the existing LAN.
Provide monitoring access to the company
Through the Remote Access Pass system management platform, enterprises can record connection conditions and maintain session logs for security, statistics and audit purposes. The enterprise's system administrator can view current activity and historical session records, including user name, host name, client IP address, session start/end time, session duration and session type. The Admin management platform can also collect various required data, including the number of users, session statistics and session access time. Standard statistical reports can be used to analyze "unconventional access" patterns, including exceptionally long sessions, unexpected client IP addresses, abnormal shutdown codes, and so on. This information is very helpful for fault diagnosis and troubleshooting. System administrators can only access this information within the set limits, and only to perform necessary basic work.
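The "unconventional access" review described above can be automated over the session fields the text lists. The following is an added example, not the product's reporting code: the record layout, the thresholds and the expected client networks are assumptions, and the log lines are constructed sample data. It flags exceptionally long sessions, client IPs that are outside the expected ranges or new for a user with an established history, and non-zero end codes.

```python
"""Review of session records for the "unconventional access" patterns the
text lists: exceptionally long sessions, unexpected client IP addresses and
abnormal shutdown codes. Added illustration, not the product's reporting
code; the record layout and threshold values are assumptions, and the log
lines are constructed sample data."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed records: user,host,client_ip,start,end,session_type,end_code
SESSION_LOG = """\
alice,WS-ALICE,203.0.113.10,2024-03-01T08:02:00,2024-03-01T09:15:00,remote-control,0
bob,WS-BOB,203.0.113.55,2024-03-01T10:00:00,2024-03-01T10:20:00,remote-control,7
alice,WS-ALICE,203.0.113.10,2024-03-02T08:10:00,2024-03-02T08:40:00,file-transfer,0
carol,WS-CAROL,203.0.113.80,2024-03-02T13:00:00,2024-03-02T13:05:00,remote-control,0
alice,WS-ALICE,198.51.100.77,2024-03-03T02:00:00,2024-03-03T11:30:00,remote-control,0
"""

Finding = Tuple[str, str, str]   # (user, pattern, detail)


def parse_log(text: str) -> List[Dict]:
    """Parse the comma-separated session records into typed dictionaries."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, host, ip, start, end, kind, code = line.split(",")
        records.append({
            "user": user, "host": host, "ip": ipaddress.ip_address(ip),
            "start": datetime.fromisoformat(start), "end": datetime.fromisoformat(end),
            "type": kind, "end_code": int(code),
        })
    return records


def find_unconventional(records: List[Dict],
                        max_duration: timedelta = timedelta(hours=4),
                        expected_nets: Tuple[str, ...] = ("203.0.113.0/24",)) -> List[Finding]:
    """Walk sessions in start order. A client IP is unexpected when it lies
    outside the expected networks or, once a user has a history, was never
    used by that user before. A non-zero end code is an abnormal shutdown."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    seen: Dict[str, set] = defaultdict(set)
    findings: List[Finding] = []
    for r in sorted(records, key=lambda r: r["start"]):
        duration = r["end"] - r["start"]
        if duration > max_duration:
            findings.append((r["user"], "long session", str(duration)))
        outside = not any(r["ip"] in n for n in nets)
        novel = bool(seen[r["user"]]) and r["ip"] not in seen[r["user"]]
        if outside or novel:
            findings.append((r["user"], "unexpected client IP", str(r["ip"])))
        if r["end_code"] != 0:
            findings.append((r["user"], "abnormal end code", str(r["end_code"])))
        seen[r["user"]].add(r["ip"])
    return findings


if __name__ == "__main__":
    for finding in find_unconventional(parse_log(SESSION_LOG)):
        print(*finding)
```

The per-user history is built in start order, so the first sighting of an address inside the expected ranges establishes a baseline without raising a finding, while a later session from an address outside those ranges is reported once, together with any other pattern the same session matches.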

Remote Intranet web server access

Summary
The role of SSL VPN RAP: it provides secure remote access services and protects users' secrets with concrete measures; it continually improves enterprise-level security and remote access control tools; and it uses multi-level authentication and advanced encryption technology to protect the security of interactive remote sessions. The final result is that Remote Access Pass is a powerful, secure and reliable remote access solution.

Advantages and disadvantages of foreign SSL VPN technology

1. Most foreign products have been tested in foreign markets and are basically mature, but some are pseudo SSL VPN products riding on the trendy SSL VPN concept.
2. Foreign SSL VPN products, except those of Whale Communications, use reverse proxy technology to handle internal HTML web pages, so many special applications are not supported.
3. Many foreign products are not strictly client-less: dynamically downloaded plug-ins, ActiveX and similar methods bring security risks, and the technology is also relatively simple and easy to implement.
4. Foreign SSL VPN products generally do not support remote desktop access.
5. Foreign SSL VPN products currently support a wide range of applications, such as email, Lotus, Exchange, FTP, telnet and other applications.
