Network equipment hard core technology insider firewall and security gateway (12) the mystery of zero contact office

Huashan sect deployed SSL VPN, So that everyone can work remotely , It not only solves the problem of self use , It is also promoted to the whole society , During the critical period, it has won wide praise from the society .

however , Everyone generally reflects a problem ：

Even on SSL VPN in the future , Why is the Internet slower ？

original , Here's the problem ——

so , Users are connecting SSL VPN in the future , Because all traffic is sent to the company's intranet , Including going to P The traffic of the station also needs to enter the company's intranet , Then bypass the company's Internet Export , The delay is seriously increased , Affects fluency .

Why is all traffic sent to the company's intranet ？

original ,SSL VPN The implementation of the , Rely on a little secret —— Routing table .

The routing table exists in every terminal that needs to connect to the network .

Take a chestnut ：

some Linux The virtual machine has only one network card ,IP The address is 192.168.1.16, The mask is 255.255.255.0, The gateway is the default 192.168.1.1.

We knock down at the terminal route After the order , You can see , It has 3 Route table , among default Pointing to 192.168.1.1, in other words , Except for packets pointing to the same network segment , Any other next hop needs to point to this gateway .

And connected SSL VPN in the future , Things have changed ——

People often say ,SSL VPN It's a “ Tunnel ”. seeing the name of a thing one thinks of its function , Tunnels need to have entrances and exits .SSL VPN The entrance and exit of is here ——

To install H3C iNode SSL VPN Client's Windows Take computer as an example ：

Let's open it Windows In the control panel " Network settings ", We found that , Installed on iNode after , One more network device ——

actually , Running iNode VPN And connect successfully , By default, all traffic will lead here . original ,SSL VPN The working process of seems simple , There are seven steps hidden inside ——

1. Administrator in SSL VPN Create on the gateway SSL VPN AC Interface , Configure and send to SSL VPN The routing table entry of the client ;

2. The user logs in at the client SSL VPN;

3. SSL VPN After the gateway passes the authentication and authorization , Assign the virtual network card of the client IP Address , And send the routing table entry to the client ;

4. The client is set for the virtual network card IP Address , And add routing table entries , The outgoing interface of the route is the virtual network card .

5. When users access the intranet server on the client , The access request message matches the added routing table entry , The message will be sent SSL encapsulation , And send it to SSL VPN The gateway SSL VPN AC Interface .

6. SSL VPN Gateway to SSL Unpack the message , And will IP The message is forwarded to the intranet server .

7. The intranet server sends the reply message to SSL VPN gateway , SSL VPN The gateway performs SSL After encapsulation , adopt SSL VPN AC Interface sends it to the client .

We found that , In the 4 Step , It determines that all users' traffic will enter iNode VPN The virtual network adapter , That is, the entrance of the tunnel . such , Even the traffic accessing the Internet , It will also bypass the company's intranet .

that , We just need to change in this place , We can realize that God belongs to God , Caesar's to Caesar ——

stay SSL VPN When the gateway issues a route , Only send routes to the enterprise intranet , Let the traffic to the intranet go VPN Tunnel , That's all right. .

We see , The traffic is separated when entering the Internet , therefore , such SSL VPN It's also called split tunnel （ Separation tunnel ） The way .

Use Split tunnel Is that , It makes the traffic to the Internet do not need to bypass the intranet , Greatly reduce the delay , It's also reduced SSL VPN The burden of the gateway . Of course , The disadvantage is that there may be some potential safety hazards .

therefore , For customers in special industries such as finance , Need special SSL VPN Deployment way ——

Pictured , Customers in the financial industry need heterogeneous firewall networking , Between the two firewalls SSL VPN gateway . such , Outer firewall check SSL VPN Outer flow , And the inner firewall is checked again from SSL VPN The legitimacy of gateway to virtual machine .

On the basis of SSL VPN Remote office program blessing of , We believe that , The Chinese people will surely overcome all difficulties ！