What Is an SSL Proxy?
SSL VPN refers to a new VPN technology that uses the SSL protocol to achieve remote access. It includes: server authentication, client authentication, data integrity on the SSL link, and data confidentiality on the SSL link. [1]
- The so-called SSL VPN means that the user uses the browser's built-in Secure Socket Layer packet-processing function to connect, through the SSL VPN gateway, to the company's internal SSL VPN server; the gateway then redirects the user's network packets so that applications can be executed on remote computers and read data from the company's internal servers. It uses the standard Secure Socket Layer (SSL) to encrypt the data packets in transit, thereby protecting data security at the application layer. A high-quality SSL VPN solution ensures secure global access for businesses. The SSL VPN gateway plays an irreplaceable role in the connection between the client and the server.
- SSL VPN is the simplest and most secure solution for remote users to access sensitive company data. Compared with the complicated IPSec VPN, SSL achieves remote communication in a relatively simple way. Any machine with a browser can use SSL VPN: because SSL is embedded in the browser, there is no need to install client software on each client, as a traditional IPSec VPN requires.
- The SSL protocol is mainly composed of an SSL handshake protocol and an SSL record protocol. Together, they provide authentication, encryption, and tamper-resistant functions for application access connections.
- The SSL handshake protocol is similar to the IKE (Internet Key Exchange) protocol in the IPSec protocol suite. It is mainly used for mutual authentication between client and server; it also negotiates the MAC (Message Authentication Code) algorithm and the encryption algorithm, and generates the encryption and authentication keys that the SSL record protocol uses.
- The SSL record protocol provides the most basic security services for various application protocols, and
- SSL VPN is a simple and secure remote tunnel access technology that is very easy to use. SSL VPN uses public-key encryption to ensure the security of data during transmission. It uses direct communication between the browser and the server, which is convenient for users and also ensures data security through the SSL protocol. The SSL protocol uses integrated SSL/TLS encryption to protect the data. In terms of its use, the SSL protocol can be divided into two layers: the first layer is the SSL record protocol, which provides basic data compression and encryption functions for data transmission; the second layer is the SSL handshake protocol, which is mainly used to check that the user's account and password are correct and to perform authentication login. Compared with IPSec VPN, SSL VPN has a simple structure, low operating cost, fast processing speed, and high security performance, so it is used on a large scale among enterprise users. However, the SSL protocol is developed on top of the Web and is used by browsers. Given the diversity of computer viruses in recent years, in order to ensure the secure operation of SSL VPN, the security technology of SSL VPN must be kept up to date. [3]
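The two layers described above can be seen in the bytes on the wire: every SSL/TLS message travels inside a record (a 5-byte header of content type, version and length, followed by the fragment), and a handshake message inside that record starts with its own 4-byte header (type plus a 24-bit length). The following is an added example, not code from the original article: it parses a constructed handshake record, rejects malformed framing, and builds the kind of client SSL context an SSL VPN client should use, with server-certificate verification, hostname checking and legacy protocol versions refused. The sample bytes, including the all-zero random field, are constructed for the example.

```python
"""Added example (not from the original article): parse the SSL/TLS record
layer and handshake header, and build a client SSLContext that enforces
server authentication. The sample record below is constructed for the
example so that it runs offline."""
import ssl
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake message types (RFC 5246 section 7.4); only the common ones are listed.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}
MAX_RECORD_LEN = 2 ** 14 + 2048  # TLSCiphertext.length upper bound (RFC 5246 6.2.3)


def parse_record(data: bytes) -> dict:
    """Split one TLS record into its 5-byte header and its fragment.
    Raises ValueError when the declared length does not fit the data: a
    gateway must drop such framing instead of guessing."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_RECORD_LEN:
        raise ValueError("record exceeds maximum length")
    if len(data) - 5 < length:
        raise ValueError("record fragment truncated")
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor),
            "fragment": data[5:5 + length]}


def parse_handshake_header(fragment: bytes) -> dict:
    """Read the 4-byte handshake header (1-byte type, 24-bit body length)."""
    if len(fragment) < 4:
        raise ValueError("handshake header truncated")
    htype = fragment[0]
    hlen = int.from_bytes(fragment[1:4], "big")
    if len(fragment) - 4 < hlen:
        raise ValueError("handshake body truncated")
    return {"type": HANDSHAKE_TYPES.get(htype, f"unknown({htype})"),
            "length": hlen, "body": fragment[4:4 + hlen]}


def hardened_client_context() -> ssl.SSLContext:
    """Client context as an SSL VPN client should use it: the server chain is
    verified against trusted CAs, the hostname is checked, and anything older
    than TLS 1.2 is refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample: a handshake record carrying a minimal ClientHello prefix
# (client_version 3.3 = TLS 1.2, then a 32-byte random that is zero here).
SAMPLE_BODY = bytes([0x03, 0x03]) + bytes(32)
SAMPLE_RECORD = (
    struct.pack("!BBBH", 22, 3, 1, 4 + len(SAMPLE_BODY))   # record header: handshake, version 3.1
    + bytes([1]) + len(SAMPLE_BODY).to_bytes(3, "big")     # handshake header: client_hello, length
    + SAMPLE_BODY
)

if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    hs = parse_handshake_header(rec["fragment"])
    print(rec["type"], rec["version"], hs["type"], hs["length"])
    ctx = hardened_client_context()
    print(ctx.verify_mode.name, ctx.check_hostname, ctx.minimum_version.name)
```

The record version in the header (3.1) and the client_version inside the ClientHello (3.3) deliberately differ: real clients send a low record version for compatibility, so a parser must not treat the outer field as the negotiated protocol version.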
- 1. LDAP authentication
- The organization already uses LDAP for user management. It is only necessary to build the user group structure in the SSL VPN device according to the OU (organizational unit) structure in LDAP and bind each OU to the corresponding user group; no individual users need to be created in the device. When a user submits a username and password to the SSL VPN for identity authentication, the SSL VPN automatically forwards these credentials to LDAP for authentication and decides whether the user is legitimate based on the response. When a user passes LDAP authentication, the SSL VPN device obtains the user's OU value through LDAP and automatically assigns the user to the user group bound to that OU. From that point, the user has all the authentication, policy, and authorization attributes of that user group.
- 2. RADIUS authentication
- The organization already uses RADIUS for user authentication management, and the corresponding user group structure has been created in the SSL VPN device, with RADIUS authentication selected and each group bound to a Class attribute value. When a user submits a username and password to the SSL VPN, the SSL VPN sends an authentication request to the RADIUS server in standard RADIUS protocol format, and RADIUS returns the authentication result. If RADIUS authentication succeeds, the Class attribute is carried in the packet returned to the SSL VPN, and the SSL VPN grants the user the authentication, policy, and authorization attributes of the user group bound to that value. If RADIUS authentication fails, the SSL VPN refuses the login.
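Both the LDAP and the RADIUS item above end with the same step: the gateway binds the authenticated user to a group, using the OU from the LDAP entry in one case and the Class attribute of the RADIUS Access-Accept in the other. The following is an added example, not code from the original article, of that group-binding step. It extracts the OU from a distinguished name, and for RADIUS it verifies the Response Authenticator (RFC 2865: MD5 over code, identifier, length, request authenticator, attributes and shared secret) before trusting the Class attribute, so that a spoofed or modified reply cannot assign a group. The OU and Class tables, the shared secret and the packets are constructed for the example.

```python
"""Added example (not from the original article): the group-binding step the
article describes for LDAP and RADIUS authentication. The OU/Class-to-group
tables, the shared secret and the packets below are constructed."""
import hashlib
import hmac
import struct
from typing import Optional

# Constructed binding tables: which LDAP OU / RADIUS Class value is bound to
# which SSL VPN user group.
OU_TO_GROUP = {"Engineering": "vpn-engineering", "Finance": "vpn-finance"}
CLASS_TO_GROUP = {b"vpn-admins": "vpn-admins", b"vpn-staff": "vpn-staff"}

RADIUS_ACCESS_ACCEPT = 2   # RFC 2865 section 3
RADIUS_ACCESS_REJECT = 3
ATTR_CLASS = 25            # RFC 2865 section 5.25


def group_from_ldap_dn(dn: str) -> Optional[str]:
    """Walk the DN from the leaf outwards and return the group bound to the
    first OU that has a binding. Backslash-escaped commas inside values are
    not handled here (simplifying assumption)."""
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "OU" and value.strip() in OU_TO_GROUP:
            return OU_TO_GROUP[value.strip()]
    return None


def parse_attributes(raw: bytes):
    """Split the RADIUS attribute area into (type, value) pairs."""
    attrs = []
    while raw:
        if len(raw) < 2:
            raise ValueError("attribute header truncated")
        atype, alen = raw[0], raw[1]
        if alen < 2 or alen > len(raw):
            raise ValueError("bad attribute length")
        attrs.append((atype, raw[2:alen]))
        raw = raw[alen:]
    return attrs


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """Build a server response packet (used here only to construct sample input)."""
    length = 20 + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def group_from_radius_response(packet, request_auth, secret) -> Optional[str]:
    """Check the Response Authenticator before trusting anything in the packet,
    then map the Class attribute of an Access-Accept to its bound group.
    Returns None for an Access-Reject or for an Accept without a bound Class."""
    if len(packet) < 20:
        raise ValueError("packet truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = response_authenticator(code, ident, length, request_auth, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from the RADIUS server")
    if code != RADIUS_ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(packet[20:]):
        if atype == ATTR_CLASS and value in CLASS_TO_GROUP:
            return CLASS_TO_GROUP[value]
    return None


# Constructed sample exchange
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # a real client sends 16 random bytes here
CLASS_ATTR = bytes([ATTR_CLASS, 2 + len(b"vpn-staff")]) + b"vpn-staff"
ACCEPT = build_response(RADIUS_ACCESS_ACCEPT, 7, REQUEST_AUTH, CLASS_ATTR, SECRET)
REJECT = build_response(RADIUS_ACCESS_REJECT, 8, REQUEST_AUTH, b"", SECRET)

if __name__ == "__main__":
    print(group_from_ldap_dn("CN=alice,OU=Engineering,OU=Staff,DC=example,DC=com"))
    print(group_from_radius_response(ACCEPT, REQUEST_AUTH, SECRET))
    print(group_from_radius_response(REJECT, REQUEST_AUTH, SECRET))
```

Raising on an authenticator mismatch rather than silently denying is deliberate: a mismatch means the reply was forged or altered, which a gateway should log as a security event, whereas an Access-Reject is an ordinary failed login.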
- 3. CA authentication
- SSL VPN security gateway with built-in CA, can support
- SSL VPN gateways can be attached to a network in many different ways, which leads to different SSL VPN networking modes. Common modes include single-arm and dual-arm modes.
- 1) One-arm mode. The so-called one-arm mode refers to using the SSL VPN gateway as one
- The SSL VPN gateway is located at the edge of the corporate network, between the corporate servers and remote users, and controls the communication between the two. SSL VPN uses the standard Secure Sockets Layer (SSL) to encrypt data packets in transit and protects data security at the application layer.
- Across the continuously expanding set of Internet web sites, wireless hotspots and clients, remote offices, hotels, traditional trading halls and other places, SSL VPN overcomes the shortcomings of IPSec VPN: users get remote access that is secure and easy to use, with no client installation and simple configuration.
- The most common entry point for SSL VPN is the web page, and its basic operation process is:
- 1. Log in to the VPN's URL (usually HTTPS), which opens in the browser;
- 2. Enter the user identity information. The identity information can be any combination of user name, digital certificate (such as a USB key), static password, and dynamic password, to ensure the authenticity and confidentiality of the identity;
- 3. Select the service type. The web proxy is the easiest to use; at the same time, it offers the finest-grained control over SSL VPN applications and can precisely control access down to any individual link.
- 4. Port mapping is second only to the web proxy in granularity. It uses TCP port mapping (a principle similar to a NAT internal-server application) to provide users with TCP remote access, but it requires a dedicated SSL VPN client program corresponding to the specific server;
- 5. The IP connection has relatively coarse granularity within SSL VPN, but it is widely used. It implements characteristics similar to L2TP: the server can give each client a VPN address so that it can directly access internal servers, but, like port mapping, it also needs the help of a dedicated SSL VPN client program;
- 6. SSL VPN works at the TCP layer, so it can perform rich business control, such as behavior auditing: it can record all operations of each user and provide effective statistical data for better management of the VPN;
- 7. When the user logs out of the SSL VPN login page, all the above secure sessions are released. [2]
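Steps 3 to 6 above describe three service types of decreasing granularity (web proxy rules name individual URLs, port mapping rules name host:port pairs, IP connection rules name whole address ranges) and the per-user audit trail the gateway keeps. The following is an added example, not code from the original article, of a per-group policy check over those three service types that also writes an audit record for each decision and summarises a user's records for statistics. Group names, hosts, URLs and subnets are constructed; the URL check normalises the path so that a "/hr/../finance" request cannot slip past a "/hr/" rule.

```python
"""Added example (not from the original article): access decisions for the
three SSL VPN service types (web proxy, port mapping, IP connection) and the
per-user audit records a gateway keeps. All policy values are constructed."""
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed per-group policy. Granularity differs by service type:
#   web  -> individual URL prefixes (finest)
#   port -> (host, port) pairs
#   ip   -> whole subnets (coarsest)
POLICY = {
    "vpn-staff": {
        "web": ["https://intranet.example.internal/hr/", "https://intranet.example.internal/wiki/"],
        "port": [("mail.example.internal", 993)],
        "ip": [],
    },
    "vpn-admins": {
        "web": ["https://intranet.example.internal/"],
        "port": [("mail.example.internal", 993), ("db.example.internal", 5432)],
        "ip": ["10.10.0.0/16"],
    },
}

AUDIT_LOG = []  # a real gateway persists this; kept in memory for the example


def _web_allowed(rules, url):
    """URL-level rule: same scheme (https only), same host, path under the rule's prefix."""
    target = urlsplit(url)
    path = posixpath.normpath(target.path or "/")   # collapses "/hr/../finance" to "/finance"
    for rule in rules:
        r = urlsplit(rule)
        prefix = posixpath.normpath(r.path or "/")
        in_prefix = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if target.scheme == "https" and target.netloc.lower() == r.netloc.lower() and in_prefix:
            return True
    return False


def _port_allowed(rules, host, port):
    """Port-mapping rule: exact (host, port) pair."""
    return (host.lower(), port) in [(h.lower(), p) for h, p in rules]


def _ip_allowed(rules, address):
    """IP-connection rule: destination address inside an allowed subnet."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(net) for net in rules)


def authorize(user, group, service, target):
    """Decide one access request and append an audit record.
    target is a URL for 'web', a (host, port) tuple for 'port', an IP string for 'ip'."""
    rules = POLICY.get(group, {})
    if service == "web":
        allowed = _web_allowed(rules.get("web", []), target)
    elif service == "port":
        allowed = _port_allowed(rules.get("port", []), *target)
    elif service == "ip":
        allowed = _ip_allowed(rules.get("ip", []), target)
    else:
        allowed = False  # unknown service type is denied, never passed through
    AUDIT_LOG.append({"user": user, "group": group, "service": service,
                      "target": target, "allowed": allowed})
    return allowed


def audit_summary(user):
    """Per-user statistics of the kind step 6 describes: allowed vs denied counts."""
    records = [r for r in AUDIT_LOG if r["user"] == user]
    allowed = sum(1 for r in records if r["allowed"])
    return {"allowed": allowed, "denied": len(records) - allowed}


if __name__ == "__main__":
    print(authorize("alice", "vpn-staff", "web", "https://intranet.example.internal/hr/payroll"))
    print(authorize("alice", "vpn-staff", "web", "https://intranet.example.internal/hr/../finance/q"))
    print(authorize("bob", "vpn-admins", "ip", "10.10.5.7"))
    print(audit_summary("alice"))
```

The same user can be denied a database port yet allowed an HR page: that is the point of choosing the web proxy where it fits, since its rules can name the exact resources a group needs rather than an entire host or subnet.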