REMOTE ACCESS SSL BROWSER & CLIENT
Course 4001
SSL - Comprised of Two Components
- SSL Browser: clientless access from a web browser.
- SSL Client: an installed VPN client.
SSL Remote Access Key Features
- Part of GTA's remote access solutions, which also include Mobile IPSec VPNs (with XAuth support), PPTP and L2TP.
- Granular network access and authorization based on groups and policies.
- Clientless access for browser users.
- Customizable SSL login portal.
- Customized browser interface based on groups.
- A base license of 2 SSL Client or browser connections is standard.
- Windows, Linux and Mac client support.
- Client installer and configuration files are downloaded from the Remote Access Portal.
- Currently supports IPv4 connections only.
Requirements
- GB-OS 5.3 or above.
- Signed certificates: one for each SSL Client user, plus a VPN certificate for the firewall.
- Permission on the host to install and run the SSL Client.
- Firewall with the VPN option or built-in VPN support.
- Additional remote access licenses for more than 2 concurrent connections.
Steps: Browser Configuration
1. Configure certificates, if needed.
2. Configure the Remote Access Portal.
3. Configure bookmarks for groups.
4. Configure groups.
5. Configure users (not required when LDAP or RADIUS authentication is used).
Certificates (Briefly)
- SSL Client connections require that both the firewall and the client have signed certificates.
- GB-OS 5.3 and above supports the creation of signed certificates using a CA created on the firewall.
- All firewalls updated to GB-OS 5.3 will have a CA created automatically. If no CA exists, it can be created in the Certificates section and used to create VPN and user certificates.
- Certificates issued by an external CA can be imported for use in the browser.
- For more information on certificate management, see the GB-OS Guide and the VPN Option Guide.
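The following is an added example and not GTA's code: it issues certificates the way the slides describe, with a CA, a firewall (server) certificate and per-user client certificates, and checks a presented client certificate the way the SSL Client service must (issuer, signature, validity, client usage), including the duplicate Common Name check behind the "Allow Duplicate CN" client option described later in this deck. The organization name, user CNs, lifetimes and RSA key size are assumptions; the firewall's own CA settings are not shown on the slides. It uses the third-party `cryptography` package.

```python
"""Added example, not GTA's code: a firewall-style CA issuing VPN certificates,
and the checks an SSL VPN service applies to a client certificate.
Names, lifetimes and key size are assumed values for illustration."""
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn):
    # "Example Corp" is an assumed organization name.
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pubkey, days):
    now = datetime.utcnow()
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=days)))


def make_ca(cn="Firewall CA"):
    """Self-signed CA, like the one the firewall creates on upgrade to GB-OS 5.3."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(ca_key, ca_cert, cn, client, days=365):
    """Issue a firewall (serverAuth) or user (clientAuth) certificate signed by the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    eku = ExtendedKeyUsageOID.CLIENT_AUTH if client else ExtendedKeyUsageOID.SERVER_AUTH
    cert = (_builder(_name(cn), ca_cert.subject, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def check_client_cert(cert, ca_cert, connected_cns, allow_duplicate_cn=False):
    """Return (accepted, reason) for a certificate presented by an SSL client.
    connected_cns is the set of CNs that already have a live session; with
    allow_duplicate_cn=False a second session on the same CN is refused."""
    if cert.issuer != ca_cert.subject:
        return False, "not issued by the firewall CA"
    try:  # the CA's public key must verify the certificate's signature
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify"
    now = datetime.utcnow()
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        return False, "outside validity period"
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no extended key usage"
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False, "not a client certificate"
    cn = common_name(cert)
    if cn in connected_cns and not allow_duplicate_cn:
        return False, f"duplicate CN {cn!r} already connected"
    return True, "ok"
```

The firewall certificate is rejected as a client credential even though the same CA signed it, because only the extended key usage separates the two roles; a certificate with the right issuer name but a signature from another key fails the signature check.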
SSL Vulnerabilities
- Always keep up to date!
- Recent vulnerabilities in SSL/TLS:
  - CVE-2013-0169: SSL, TLS and DTLS plaintext recovery attack (Lucky Thirteen).
  - VU#720951 / CVE-2014-0160: OpenSSL Heartbeat extension read overflow (Heartbleed).
  - VU#864643 / CVE-2011-3389: BEAST, a chosen-plaintext attack on CBC mode in SSL 3.0 and TLS 1.0.
SSL Browser Configuration
- Remote Access Portal configuration: [Configure -> VPN -> Remote Access -> Browser].
- Allows users to remotely access network services and to download the SSL Client.
- Steps:
  1. Enable the service on an alternate port. This is optional but recommended.
  2. Create bookmarks for users.
  3. Define a group allowing access, with SSL Browser enabled.
  4. Define users on the firewall and place them in the SSL group. Not required when LDAP or RADIUS authentication is used.
SSL Browser Preferences: Browser Configuration
Alternate Port
  Enable (default: unchecked) - Starts the service on the alternate port.
  Port (default: 1443) - Alternate port the service listens on; otherwise the administration port is used.
Authentication
  LDAP (default: unchecked) - Enables LDAP user access.
  Radius (default: unchecked) - Enables RADIUS user access.
SSL Browser Preferences: Advanced Configuration
Encryption (default: High) - Level of encryption to use for browsers.
FIPS (default: disabled) - Forces use of FIPS-compliant algorithms.
Timeout Sessions (default: 10 minutes) - Inactivity timeout; valid values are 5 to 1440 minutes.
Virtual Keyboard (Required) - Requires users to log in with the virtual keyboard.
Automatic Policies
  Enable (default: enabled) - Allows the firewall to create automatic policies based on the firewall configuration.
  Zone (default: ANY) - Interface the connection is allowed on.
  Source Address (default: ANY_IP) - Networks allowed to connect.
SSL Browser Preferences: Advanced Configuration (continued)
Customization
  Login Title (user defined)
  Logo (user defined) - Allows upload of a 32x32 pixel JPEG, PNG or GIF file of 100 KB or less.
Disclaimer
  Enable (default: unchecked) - Enables the disclaimer to be displayed.
  Message (user defined) - Allows a message of up to 4095 characters.
  Characters remaining (not editable) - Remaining characters in the disclaimer.
Bookmarks
Shortcuts for users to access common protected sites.
- Bookmark Object: used to reference other bookmarks.
- Icons: Browser, Document, Email, Folder, Network, Web.
- Label: what is displayed to the user in the SSL Browser.
- Types: http/https, ftp/ftps, CIFS (SMB).
- URL: link to the internal resource.
Groups
SSL access is based on a user's group.
- Enable: allows SSL access.
- Bookmarks Only: the user can only see bookmarks.
- Read Only: the user may only download files.
- Bookmarks: bookmark object assigned to the group.
- Client: enables the SSL Client for the user.
Users
- When defining or editing a user, select the group which has SSL enabled.
- Groups determine the user's permissions.
- Note: if using LDAP or RADIUS this step is not required. However, the LDAP group on the Active Directory server will need to be defined in the Groups section with SSL enabled.
Logging into the Remote Access Portal
Log in using the host name or IP address of the firewall on the specified port. The user's bookmarks and browser configuration will be displayed:
- Browser: all predefined links, and the browser if enabled.
- Client: downloads for installers and the configuration policy.
Example of SSL Page
- Browser tool bar: allows the user to easily and quickly return to the SSL Browser page.
- Easy-to-use file tool bar: allows easy navigation and uploading and downloading of files.
SSL Client Configuration
- Configures properties for SSL Client connections.
- Steps:
  1. Enable the SSL Browser service on an alternate port. This is optional but recommended; the Remote Access Portal is used to download client installers and configuration.
  2. Create bookmarks for users, if required.
  3. Define groups allowing access, with SSL enabled for browser and clients.
  4. Define users on the firewall and place them in the SSL group.
  5. Configure the SSL Client: [Configure -> VPN -> Remote Access -> SSL -> Client].
  6. Configure SSL security policies: [Configure -> Security Policies -> Policy Editor -> SSL Client].
SSL Client Configuration
Enable (default: disabled) - Starts the SSL Client service.
Port (default: 1194) - Port the service listens on.
Accessible Networks (default: object <FW Networks Local>) - Local networks reachable through the SSL VPN.
Client DHCP Networks (default: <Pool SSL>, network 192.168.72.0/24) - IP address ranges assigned to clients when connecting.
Domain (user defined) - Domain assigned to the client.
Name Servers (IP address, user defined) - DNS servers assigned to the client.
WINS Server (IP address, user defined) - WINS servers assigned to the client.
SSL Client Configuration: Advanced
Automatic Policies (default: enabled) - Allows the firewall to create the security policies needed to allow client connections.
Encryption Object (default: AES-192, SHA-1, grp2) - Encryption for the VPN.
FIPS (default: unchecked) - Forces use of FIPS-compliant algorithms.
Lifetime (default: 480 minutes) - Re-key time.
Allow Duplicate CN (default: unchecked) - Allows more than one connection using certificates with the same Common Name.
Override host name (default: blank) - Uses the host name from [Network -> Interfaces -> Settings]; set this when the SSL Client connects to an alias on the firewall.
Redirect Client Gateway (default: unchecked) - Forces all remote client traffic through the VPN.
UDP (default: unchecked) - Uses UDP instead of TCP for the client.
Compression (default: checked) - Enables or disables compression.
Verbose Logging (default: unchecked) - Increases SSL logging for debugging.
TUN Adapter & Routing Table
When the SSL Client service is started, the firewall automatically adds a tun0 interface with its IP address, which appears in the routing table.
SSL Security Policies
SSL security policies control the client's access through the firewall. They filter on:
- Source and destination IP
- Time
- Service
- Group
Configure these policies based on the corporate security policy.
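The following is an added example and not GTA's code: a first-match evaluator for SSL Client security policies of the kind described above, filtering on source, destination, service, group and time, with everything not explicitly accepted denied. The rule set, the group names, the 192.168.72.0/24 client pool and the 10.10.1.x destinations are assumed values; the GB-OS policy editor has its own fields and matching order.

```python
"""Added example, not GTA's code: first-match evaluation of SSL Client
security policies (source, destination, service, group, time window).
Rules, groups and addresses below are assumed values for illustration."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "accept" or "deny"
    src: str                                    # source network (the SSL client pool)
    dst: str                                    # destination network
    proto: str                                  # "tcp", "udp" or "any"
    port: Optional[int] = None                  # None matches any destination port
    group: Optional[str] = None                 # None matches any user group
    hours: Optional[Tuple[time, time]] = None   # (start, end) window, None = always


@dataclass(frozen=True)
class Flow:
    src: str      # client's pool address
    dst: str
    proto: str
    port: int
    group: str    # group of the authenticated user behind the flow
    at: time


def in_window(hours, at):
    """Time-of-day check; a window whose end is before its start spans midnight."""
    if hours is None:
        return True
    start, end = hours
    return start <= at <= end if start <= end else (at >= start or at <= end)


def matches(rule, flow):
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.port in (None, flow.port)
            and rule.group in (None, flow.group)
            and in_window(rule.hours, flow.at))


def evaluate(rules, flow):
    """Return (action, rule name) of the first matching rule; what no rule
    accepts is denied, so a pool address outside the policy still gets nothing."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Assumed policy: DNS for everyone, the file server for sales during office
# hours, RDP for admins only, and an explicit catch-all deny for the pool.
POLICY = [
    Rule("dns-any-group", "accept", "192.168.72.0/24", "10.10.1.9/32", "udp", 53),
    Rule("sales-fileserver", "accept", "192.168.72.0/24", "10.10.1.20/32", "tcp", 445,
         group="sales", hours=(time(7, 0), time(19, 0))),
    Rule("admins-rdp", "accept", "192.168.72.0/24", "10.10.1.0/24", "tcp", 3389, group="admins"),
    Rule("block-rest", "deny", "192.168.72.0/24", "0.0.0.0/0", "any"),
]
```

Rule order matters: the catch-all deny must come last, and the group field is what lets the same pool address be treated differently depending on who authenticated.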
Downloading the Client
- Client configuration files and installers are downloaded via the firewall SSL Browser interface.
- Installers: Windows: GTA SSL Client. Mac: Tunnelblick SSL client. Linux: OpenVPN.
- The SSL VPN client installation guide is also available via the firewall.
Install Instructions
- Run the installer for your specific OS.
- Unzip or uncompress the configuration files into the directory where you installed the client.
Connecting with the Client
Open the client using the method for your OS and authenticate.
- Windows: select the SSL Client icon on the desktop.
- Mac: run Tunnelblick. Once Tunnelblick is started, an icon appears at the top of the screen.
- Linux: use either command-line options or Network Manager (if installed) to open the connection.
- See the client installation guides for detailed instructions.
Windows Client (screenshot)
Using the Client
- Once the client is open and connected, the firewall assigns an IP address from the SSL pool to the client and pushes routes for the local networks to the client.
- After the client is completely connected it works very similarly to the IPSec VPN: access is based on policies.
Active Sessions Log Files
Mar 31 15:58:15 pri=5 msg="close inbound, SSL" type=ssl proto=53/udp src=192.168.211.2 srcport=49957 user="david Brooks" dst=10.10.1.9 dstport=53 rule=4 duration=22 sent=71 rcvd=136 pkts_sent=1 pkts_rcvd=1
Remote Access Solutions
Option                  GB-250 10 User  GB-250e or 25 User  GB-300        GB-850/820    GB-2100       GB-2500       GB-Ware
IPSec Tunnels           Optional        Included            Included      Included      Included      Included      Included
Mobile IPSec/PPTP/L2TP  Optional        Included - 2        Included - 2  Included - 2  Included - 2  Included - 2  Included - 2
SSL Browser             Optional        Included - 2        Included - 2  Included - 2  Included - 2  Included - 2  Included - 2
SSL Client              Optional        Included - 2        Included - 2  Included - 2  Included - 2  Included - 2  Included - 2
The number of IPSec tunnels and mobile users that can connect depends on each product. The SSL Browser portal is customizable with a corporate logo, greeting and disclaimer.
Licenses
- Remote Access Licenses (5.3 and above): any firewall with the VPN option will have SSL Browser, SSL Client, IPSec client, L2TP client and PPTP client enabled.
- SSL Browser: the default SSL license is 2 concurrent browser connections. Browser connections are not counted against the SSL Client or other VPN connections.
- SSL Client: the default SSL license is 2 concurrent client connections. Client licenses are not counted against browser or other VPN connections.
- IPSec, PPTP and L2TP (note: L2TP and PPTP are supported in v5.4): the default license is 2 concurrent connections. Any combination of IPSec, PPTP or L2TP counts toward the concurrent user licenses.
  Example: the firewall has a base of 2 concurrent connections.
  - IPSec client connects (1) + L2TP client connects (1) = 2 connections
  - IPSec client connects (1) + PPTP client connects (1) = 2 connections
  - L2TP client connects (1) + PPTP client connects (1) = 2 connections
Troubleshooting / Logs
- After updating certificates, restart the SSL service.
- Compromised address attempt. This warning comes from the SSL Client service in TCP mode, which reads a 2-byte length prefix before each packet; the reported value 18245 is 0x4745, the bytes "GE" of an HTTP GET request, so it usually means a scanner or browser talking plain HTTP to the client port rather than a VPN peer:
  Feb 12 10:26:00 pri=4 msg="ssl: 217.170.99.174:42942 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]" type=mgmt
- User missing SSL certificate:
  Error: Unable to create SSL Client configuration bundle
- Client login failure (client-side log):
  Wed Sep 16 15:59:53 2009 AUTH: Received AUTH_FAILED control message
- Firewall log for a login failure:
  Jan 20 09:12:08 pri=3 msg="ssl: 199.120.225.20:5369 Authentication failure, user(fwadmin)" type=mgmt
  Jan 20 09:12:08 pri=6 msg="ssl: 199.120.225.20:5369 Authentication attempt, user(fwadmin)" type=mgmt
  Jan 20 09:11:53 pri=5 msg="auth: Remote user login" user="fwadmin" src=199.120.225.20 srcport=5077 dst=199.120.225.75 dstport=1443
- Host locked out:
  May 9 09:01:04 pri=4 msg="wwwadmin: Locked out, remote access denied" type=mgmt src=199.120.225.20 srcport=49373 dst=199.120.225.80 dstport=1443
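The following is an added example and not GTA's code: it parses the key=value log records shown on this slide and on the Active Sessions slide, and rolls them up into the things an operator acts on (repeated authentication failures per source, lockouts, plaintext probes of the client port, and closed SSL sessions). The sample lines are the ones quoted in the deck plus two constructed repeats of the authentication failure line; the three-failure threshold and the output field names are assumptions, and the client-side OpenVPN line is included to show that non-key=value records are skipped rather than misparsed.

```python
"""Added example, not GTA's code: parse GB-OS key=value SSL log records
and flag brute force, lockouts and plaintext probes of the client port.
SAMPLE_LOG = lines from the slides plus two constructed failure repeats."""
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')          # key=value or key="quoted value"
TS_RE = re.compile(r'^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d')    # "Mar 31 15:58:15"
SSL_PEER_RE = re.compile(r'^ssl: (\d{1,3}(?:\.\d{1,3}){3}):(\d+)')  # peer embedded in msg
BAD_LEN_RE = re.compile(r'Bad encapsulated packet length from peer \((\d+)\)')

SAMPLE_LOG = [
    'Mar 31 15:58:15 pri=5 msg="close inbound, SSL" type=ssl proto=53/udp src=192.168.211.2 srcport=49957 user="david Brooks" dst=10.10.1.9 dstport=53 rule=4 duration=22 sent=71 rcvd=136 pkts_sent=1 pkts_rcvd=1',
    'Feb 12 10:26:00 pri=4 msg="ssl: 217.170.99.174:42942 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]" type=mgmt',
    'Wed Sep 16 15:59:53 2009 AUTH: Received AUTH_FAILED control message',  # client-side log, not key=value
    'Jan 20 09:11:53 pri=5 msg="auth: Remote user login" user="fwadmin" src=199.120.225.20 srcport=5077 dst=199.120.225.75 dstport=1443',
    'Jan 20 09:12:08 pri=6 msg="ssl: 199.120.225.20:5369 Authentication attempt, user(fwadmin)" type=mgmt',
    'Jan 20 09:12:08 pri=3 msg="ssl: 199.120.225.20:5369 Authentication failure, user(fwadmin)" type=mgmt',
    'Jan 20 09:12:31 pri=3 msg="ssl: 199.120.225.20:5401 Authentication failure, user(fwadmin)" type=mgmt',  # constructed
    'Jan 20 09:12:55 pri=3 msg="ssl: 199.120.225.20:5422 Authentication failure, user(fwadmin)" type=mgmt',  # constructed
    'May 9 09:01:04 pri=4 msg="wwwadmin: Locked out, remote access denied" type=mgmt src=199.120.225.20 srcport=49373 dst=199.120.225.80 dstport=1443',
]


def parse_line(line):
    """Return {field: value} for a GB-OS key=value record, or None for a line
    in another format. mgmt records carry the peer inside msg, not in src=."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if 'msg' not in fields or 'pri' not in fields:
        return None
    ts = TS_RE.match(line)
    fields['timestamp'] = ts.group(0) if ts else ''
    peer = SSL_PEER_RE.match(fields['msg'])
    if peer and 'src' not in fields:
        fields['src'], fields['srcport'] = peer.group(1), peer.group(2)
    return fields


def decode_bad_length(msg):
    """The SSL Client service in TCP mode reads a 2-byte big-endian length before
    each packet. When something that is not a VPN client connects, its first two
    bytes are reported as that length; turning the number back into bytes shows
    what was sent (18245 == 0x4745 == b'GE', the start of an HTTP GET)."""
    m = BAD_LEN_RE.search(msg)
    if not m:
        return None
    n = int(m.group(1))
    return n.to_bytes(2, 'big') if n < 65536 else None


def summarize(lines, fail_threshold=3):
    """Roll the records up: sources over the failure threshold, lockouts,
    plaintext probes (with the decoded bytes), and closed SSL sessions."""
    failures, lockouts, probes, sessions = Counter(), [], {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec['msg']
        if 'Authentication failure' in msg:
            failures[rec['src']] += 1
        elif 'Locked out' in msg:
            lockouts.append(rec['src'])
        elif (raw := decode_bad_length(msg)) is not None:
            probes[rec['src']] = raw.decode('ascii', 'replace')
        elif rec.get('type') == 'ssl' and msg.startswith('close'):
            sessions.append({'user': rec.get('user'), 'src': rec['src'], 'dst': rec['dst'],
                             'service': rec['proto'], 'bytes': int(rec['sent']) + int(rec['rcvd'])})
    return {'brute_force': {ip: n for ip, n in failures.items() if n >= fail_threshold},
            'lockouts': lockouts, 'plaintext_probes': probes, 'sessions': sessions}
```

Feed it the syslog stream recommended under Best Practices; the "Authentication attempt" records are deliberately not counted, since only failures indicate guessing, and the firewall's own lockout record confirms that its rate limiting engaged for the same source.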
Best Practices
General
- Set up a syslog service to log all SSL and firewall activity.
- Keep GB-OS up to date with the latest patch releases. GTA incorporates the latest SSL updates in GB-OS releases.
- Require all hosts connecting to the firewall to have the latest OS patches as well as anti-virus, malware and spyware protection.
SSL Browser
- Use bookmarks in all cases. Only allow network browsing when absolutely necessary, and restrict it to administrative users if possible.
- Force use of the virtual keyboard for all SSL Browser logins.
- When possible, use GBAuth to authenticate before connecting to the SSL Browser.
- Change the SSL Browser default port to a different port number.
- When possible, do not reference external non-trusted sites in the SSL Browser or on internal web sites reached via the SSL Browser.
SSL Client
- Use the Redirect Client Gateway option when all clients connect. This prevents connections to other sites while the SSL Client is connected.
- When possible, use GBAuth to authenticate before allowing access with the SSL Client.
- Change the SSL Client default port to a different port number.
- SSL Client security policies should use:
  - Source and destination networks.
  - Access restricted to the required ports and services.
  - Group-based policies for access.
Additional Information
- Tunnelblick: http://code.google.com/p/tunnelblick/
- OpenVPN: http://openvpn.net/
- GTA Documentation: http://www.gta.com/support/documents/
- FIPS: http://www.openssl.org/docs/fips/fipsnotes.html
- FIPS 140-2 information: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
If you require additional assistance or have additional questions, please contact GTA Technical Support.
Email: support@gta.com
Phone: 1.407.482.6925
Skype: gta_support
Free user support: http://forum.gta.com