
MIDWESTERN INTERMEDIATE UNIT IV – A CASE STUDY IN INTERNET SECURITY
WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com
A Review of the Needs
A typical end user might state their needs as: “The ability to securely access any protected resource from
anywhere.” That’s a tall order. In the event that the mobile user is borrowing a computer or on a kiosk, the VPN
solution must not depend on the ability to install software, as the user may not have permissions on the machine to
do so. When the session is over, the solution cannot leave a trace of the end user's presence or activities for
someone else to discover. A network administrator would add to this list of requirements that users should be
allowed to access no more than they need to. Management would require that the solution not be costly to deploy
or maintain. In short, mobile users require a secure, robust, flexible, economical means of accessing the home
network while away.
SECURE ACCESS CLIENT: HASSLE-FREE, UNIVERSAL ACCESS
The WatchGuard Firebox SSL VPN Gateway controls connections between end users in the field and the home
network. Network traffic destined for the home network is encapsulated in SSL by the Citrix® Secure Access client,
a lightweight client automatically downloaded to the end user's browser after authentication. Since the traffic is
encapsulated, no special Webification or custom connectors are required to support full network access. Since the
traffic is SSL, it's not susceptible to being disrupted by NAT devices or other measures that sabotage IPSec
connections. Authentication functions and the Citrix® Secure Access client distribution mechanism are hosted on
the Firebox SSL VPN Gateway's secure external Web site.
Gaining Remote Access
First-time end users obtain remote access by simply accessing a secure Web URL with their browser. Once
connected, clients are prompted for their user name and password over HTTP 401 Basic, Digest, or NTLM
authentication. The Gateway then authenticates these credentials with the organization’s logon server (such as
Microsoft Active Directory, LDAP, or RADIUS), and if the credentials are correct, offers the user the choice of
connecting from “my own computer”, or “a public computer”. If “my own computer” is selected, the Citrix® Secure
Access client is downloaded to the end user's machine and the connection with the client PC is established. For
subsequent connections, the Citrix® Secure Access client is run from the desktop and the authentication
performed and connection established without requiring access to the secure Web URL. If “a public computer” is
selected, the user is given limited access to the organization's corporate network via Kiosk Mode. This mode is
discussed in a later section.
Establishing the Secure Tunnel
Completing the authentication sequence establishes a secure tunnel over HTTPS (port 443 or any other configured
port on the gateway) using SSL. Once the tunnel is established, the Gateway sends configuration information to the
Citrix® Secure Access client describing the networks that can be reached over the secure connection.
Tunneling Destination Private Address Traffic Over SSL
Once authenticated and properly configured, either all network traffic, or only the network traffic destined for the
networks behind the Gateway, is captured and redirected over the secure tunnel to the Gateway's public-facing
interface (the latter option is known as split tunneling and is configurable on the Gateway). All IP packets, regardless of
protocol, are captured in this manner and transmitted over the secure link just like an IPSec client would, however
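The following is an added illustration, not code from the WatchGuard or Citrix products, of the client-side routing decision just described: the gateway-pushed list of reachable networks is the input, and a packet is either sent into the SSL tunnel or straight out, depending on whether split tunneling is on. It also adds a small least-privilege check over that list, in the spirit of the administrator's "no more than they need" requirement. The gateway address and network list are constructed sample values, and excluding the gateway's own public address from capture is an assumption about how any such client must behave (otherwise the tunnel's own SSL packets would be captured and looped).

```python
import ipaddress
from typing import Iterable, List

# RFC 1918 ranges; the check below flags anything pushed to the client that
# falls outside them, since such routes are unusual behind a corporate gateway.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def route_decision(dst_ip: str, reachable_networks: Iterable[str],
                   gateway_public_ip: str, split_tunneling: bool) -> str:
    """Return 'tunnel' or 'direct' for a packet addressed to dst_ip.

    - Packets to the gateway's public interface always go direct (assumption:
      the client must not capture the SSL traffic that carries the tunnel).
    - Split tunneling on: only destinations inside the networks the gateway
      pushed after authentication enter the tunnel; the rest go out locally.
    - Split tunneling off: every other destination enters the tunnel.
    """
    dst = ipaddress.ip_address(dst_ip)
    if dst == ipaddress.ip_address(gateway_public_ip):
        return "direct"
    if not split_tunneling:
        return "tunnel"
    nets = (ipaddress.ip_network(n, strict=False) for n in reachable_networks)
    return "tunnel" if any(dst in n for n in nets) else "direct"


def audit_pushed_networks(reachable_networks: Iterable[str]) -> List[str]:
    """Flag pushed routes that grant more reach than a split-tunnel policy intends."""
    findings = []
    for n in reachable_networks:
        net = ipaddress.ip_network(n, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{net}: default route pushed; split tunneling is effectively off")
        elif not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{net}: non-RFC1918 range routed into the tunnel; confirm it is behind the gateway")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration as the gateway would push it.
    pushed = ["10.0.0.0/8", "192.168.10.0/24"]
    gw = "203.0.113.5"
    for dst in ("10.1.2.3", "192.168.10.7", "93.184.216.34", gw):
        print(dst, "split:", route_decision(dst, pushed, gw, True),
              "full:", route_decision(dst, pushed, gw, False))
    for line in audit_pushed_networks(pushed + ["0.0.0.0/0", "198.51.100.0/24"]):
        print("WARN", line)
```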