
MIDWESTERN INTERMEDIATE UNIT IV – A CASE STUDY IN INTERNET SECURITY
WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com
Drawbacks to Mobile IPSec VPN Solutions
1. Thick-client solutions require an organization to assume a significant support burden to aid end users with
installation, maintenance, and troubleshooting, which introduces administrative headaches and high support
costs.
2. Most firewalls today use “Network Address Translation” (NAT) to manage their IP address space. NAT relies on
rewriting source and destination IP addresses on a per-packet basis so that computers using private and public
IP addresses can communicate. Because the NAT code is changing the tunnel traffic, the traffic often fails
integrity validation at the destination and is discarded. In most cases, NAT prevents the casual use of IPSec MUVPNs by
individuals who want to remotely connect to a private network from some other organization. This situation
leaves many employees unable to access their company network from other organizations they may
be visiting, limiting their access to information except when in a less restricted environment.
3. IPSec MUVPNs do not enable secure access to a private network from public computers such as kiosks. Kiosk
machines will not allow loading and configuring an IPSec client necessary for the mobile user VPN to function.
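The NAT failure described in point 2 can be demonstrated with a simplified model of IPSec's Authentication Header (AH) integrity check. This is an added example, not code from the WatchGuard paper: the shared key and IP addresses are constructed, and the header-hashing follows AH's rule of zeroing mutable fields (TTL, header checksum) before computing the ICV, so a normal router hop still verifies while a NAT source-address rewrite does not.

```python
import hmac
import hashlib
import struct
import socket

SA_KEY = b"constructed-demo-key"  # constructed shared key for the demo security association
IPV4_FMT = "!BBHHHBBH4s4s"         # minimal 20-byte IPv4 header layout

def ipv4_header(src, dst, ttl=64, proto=51, length=60):
    """Build an IPv4 header (protocol 51 = AH); checksum is left zero for brevity."""
    return struct.pack(IPV4_FMT, 0x45, 0, length, 0x1234, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def immutable_view(hdr):
    """Zero the fields AH treats as mutable-in-transit so routing hops do not break the ICV."""
    fields = list(struct.unpack(IPV4_FMT, hdr))
    fields[5] = 0  # TTL is decremented at every hop
    fields[7] = 0  # header checksum is recomputed whenever the header changes
    return struct.pack(IPV4_FMT, *fields)

def ah_icv(hdr, payload):
    """Integrity Check Value over the immutable IP fields plus payload (HMAC-SHA-256, 128-bit truncation)."""
    return hmac.new(SA_KEY, immutable_view(hdr) + payload, hashlib.sha256).digest()[:16]

def forward_hop(hdr):
    """An ordinary router: decrement TTL, leave addresses alone."""
    fields = list(struct.unpack(IPV4_FMT, hdr))
    fields[5] -= 1
    return struct.pack(IPV4_FMT, *fields)

def nat_rewrite(hdr, new_src):
    """A NAT gateway: replace the private source address with its public one."""
    fields = list(struct.unpack(IPV4_FMT, hdr))
    fields[8] = socket.inet_aton(new_src)
    return struct.pack(IPV4_FMT, *fields)

def receiver_accepts(hdr, payload, icv):
    """The VPN endpoint recomputes the ICV and drops the packet on mismatch."""
    return hmac.compare_digest(ah_icv(hdr, payload), icv)

def simulate(nat_in_path):
    """Send one AH-protected packet across two router hops, optionally through a NAT."""
    payload = b"constructed application data"
    hdr = ipv4_header("192.168.1.10", "203.0.113.5")   # constructed private -> public addresses
    icv = ah_icv(hdr, payload)                          # computed by the sender
    hdr = forward_hop(forward_hop(hdr))
    if nat_in_path:
        hdr = nat_rewrite(hdr, "198.51.100.7")          # constructed NAT public address
    return receiver_accepts(hdr, payload, icv)
```

`simulate(False)` returns True (plain routing is tolerated), while `simulate(True)` returns False: the receiver discards the packet, which is exactly the drop behaviour the text attributes to NAT.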
SSL VPN
Secure Socket Layer (SSL) VPN was initially developed to solve the problem of providing secure access to web
servers (such as E-commerce sites) where it was undesirable to deploy and maintain a thick client. SSL VPNs also
can be used to address the issues associated with IPSec VPNs, providing the secure access required by remote
workers and business partners over networks that are not compatible with IPSec. SSL, however, has problems of its
own.
SSL VPN solutions leverage HTTPS connections, providing Web portal access to a limited number of Web-enabled
applications. The SSL VPN appliances (sometimes called concentrators) do this by parsing and reconstructing the
Web application in real time as requests are serviced. By rewriting the navigation paths, the concentrator
successfully mimics the functionality of the Web application behind it without requiring a thick client for access.
Since SSL VPNs provide a “clientless” way to access applications that are internal to an enterprise or organization’s
network (the Web browser is the client), they eliminate or reduce the administrative headaches and high support
costs of IPSec VPN clients. The limitation of this approach is that only web applications are supported, greatly
limiting the usefulness of the solution compared with IPSec MUVPN.
Client/Server Applications and SSL VPNs
Although SSL VPNs primarily work with Web-based applications, a few SSL VPN vendors have written custom
connectors to support a limited number of client/server applications. Custom connectors that are sold by SSL VPN
vendors are normally for applications that have a standard (non-customizable) client, such as Microsoft®
Outlook®. Since the Outlook 2000 Service Pack 3 (SP3) client is the same for all organizations, it's economical for
SSL VPN vendors to develop a custom connector for this application, which can be resold to customers as an
add-on. For applications that have a standardized client (such as Outlook), the custom connector approach uses the
client that is on the users’ PC and creates a protocol-mapping scheme that proxies data exchanges between the
client and server. This protocol-mapping scheme is specific to the version of the software client, and requires that the
IT department adapt the network environment and each laptop to accommodate the proxy and fool the