SSL v** technical principle
2022-06-29 15:22:00 【Full stack programmer webmaster】
SSL V** technology
The SSL protocol encrypts only the application data exchanged between the two communicating parties, rather than all data sent from one host to another.
IPSec defects
Because IPSec is a network-layer protocol, it has difficulty traversing NAT and firewalls, especially when access comes from personal networks or public computers with strict protective measures, which often leaves access blocked. Mobile users must install dedicated client software to use IPSec V**, and distributing, installing, configuring and maintaining that client software for a growing user base overwhelms administrators. Therefore IPSec V** is not suitable for Point-to-Site remote mobile access.
SSL V** Functional technology
Virtual gateway
- Each virtual gateway is managed independently and can be configured with its own resources, users, authentication, access control rules and administrators.
- When an enterprise has multiple departments, a different virtual gateway can be assigned to each department or user group, forming completely isolated access systems.
Web proxy
The Web proxy forwards page requests from remote browsers (sent over HTTPS) to the Web server and returns the server's response to the end user. It provides URL-level permission control, so a user's access to specific pages can be restricted.
The Web proxy provides secure access to intranet Web resources:
The Web proxy can be implemented in two ways: Web-Link and Web rewrite (the default).
- Web-Link uses an ActiveX control to forward the page;
- Web rewrite uses script rewriting: the links on the requested page are rewritten, and the rest of the page is left unmodified.
From the business interaction process it can be seen that the basic principle of the Web proxy is to split the remote user's access to the Web server into two stages: first an HTTPS session between the remote user and the NGFW virtual gateway, then an HTTP session between the NGFW virtual gateway and the Web server. The virtual gateway rewrites and forwards Web requests on behalf of the remote user accessing the intranet Web server.
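The Web rewrite step above, as an added example written for this page (it is not Huawei's implementation): every `href`, `src` and `action` on a page fetched from the intranet server is rewritten so that it points back through the virtual gateway, which is what lets the gateway sit in the middle of the second stage and apply URL-level access control. The gateway address `https://vpn.example.com` and the path scheme `/web/<scheme>/<host>/<path>` are assumptions made for the example; a real gateway uses its own encoding.

```python
"""Rewrite the links of a fetched intranet page so they route via the gateway.

Added example, not the firewall's own code. The gateway URL and the
'/web/<scheme>/<host>/<path>' encoding below are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://vpn.example.com"          # constructed virtual gateway address
LINK_ATTRS = {"href", "src", "action"}       # attributes whose values are links


def to_gateway_url(page_url: str, link: str) -> str:
    """Map an absolute or relative intranet link onto the gateway's proxy path."""
    absolute = urljoin(page_url, link)       # resolve relative links against the page
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return link                          # mailto:, javascript:, etc. are left alone
    rewritten = f"{GATEWAY}/web/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
    if parts.query:
        rewritten += "?" + parts.query
    if parts.fragment:
        rewritten += "#" + parts.fragment
    return rewritten


class LinkRewriter(HTMLParser):
    """Streams the page through, re-emitting every tag with its links rewritten."""

    def __init__(self, page_url: str):
        super().__init__(convert_charrefs=False)
        self.page_url = page_url
        self.out = []

    def _render(self, tag, attrs, close):
        rendered = []
        for name, value in attrs:
            if name.lower() in LINK_ATTRS and value is not None:
                value = to_gateway_url(self.page_url, value)
            rendered.append(f' {name}="{value}"' if value is not None else f" {name}")
        return f"<{tag}{''.join(rendered)}{close}>"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, ""))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, "/"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    # Everything that is not a tag is copied through unchanged.
    def handle_data(self, data):
        self.out.append(data)

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def rewrite_page(page_url: str, html: str) -> str:
    """Return the page with all static links pointed at the gateway."""
    parser = LinkRewriter(page_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample page as served by an intranet Web server
    sample = ('<a href="login.html">Login</a>'
              '<form action="/cgi/search?lang=en"><img src="//img.corp.local/logo.png"/></form>')
    print(rewrite_page("http://oa.corp.local/index.html", sample))
```

Only links that exist in the HTML as attributes are seen by a rewriter of this kind; a URL that a script assembles at run time is not, which is why the page notes that only the links on the requested page are rewritten and why a gateway still needs to enforce the URL permission check on every request it actually receives.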
File sharing
File sharing implementation process:
- The client sends an HTTPS request for the intranet file server to the USG firewall;
- The USG firewall converts the HTTPS request message into an SMB message;
- The USG firewall sends the SMB request message to the file server;
- The file server accepts the request and returns the result to the USG firewall as an SMB message;
- The USG firewall converts the SMB response message into HTTPS format;
- The result (an HTTPS message) is sent to the client.
Port forwarding
Provides access to a wide range of intranet TCP application services.
Broad support for static-port TCP applications:
- Single port, single server (e.g. Telnet, SSH, MS RDP, VNC)
- Single port, multiple servers (e.g. Lotus Notes)
- Multiple ports, multiple servers (e.g. Outlook)
Support for dynamic-port TCP applications:
- Dynamic ports (e.g. FTP, Oracle)
Provides port-level access control.
Implementation principle of port forwarding
Port forwarding features
- Broad support for intranet TCP applications
- Remote desktop, Outlook, Notes, FTP, etc.
- All data streams are encrypted and authenticated
- Unified authorization and authentication of users
- Access control for TCP applications
- Only a standard browser is needed; no client has to be installed
Network expansion
- Separation mode: users can access the remote intranet (through the virtual network card) and the local LAN (through the physical network card), but cannot access the Internet.
- Full routing mode: users can only access the remote intranet (through the virtual network card); neither the Internet nor the local LAN is reachable.
- Manual mode: users can access the resources of specific network segments of the remote enterprise intranet (through the virtual network card); other Internet and local LAN access is unaffected (through the physical network card). When network segments conflict, the remote enterprise intranet takes precedence.
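The three modes as a route-selection function, added here as an example of the rules above (it is not the client's code). The topology, the interface names `vnic` (virtual network card) and `nic` (physical network card), and the use of `None` for "not reachable" are assumptions; the local LAN is deliberately chosen to overlap one remote segment so the conflict rule is exercised, and applying that rule in separation mode as well as manual mode is the example's assumption.

```python
"""Route selection for the network-extension modes (added example, not client code).

Returns which interface a destination leaves on: 'vnic' (virtual NIC to the
remote intranet), 'nic' (physical NIC) or None (not reachable in this mode)."""
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology
REMOTE_INTRANET = [ip_network("10.10.0.0/16"), ip_network("192.168.1.0/24")]
LOCAL_LAN = ip_network("192.168.0.0/23")            # covers 192.168.0.x and 192.168.1.x,
                                                     # so it overlaps the remote 192.168.1.0/24
MANUAL_SEGMENTS = [ip_network("10.10.8.0/24"), ip_network("192.168.1.0/24")]


def select_interface(mode: str, dst: str, manual_segments=MANUAL_SEGMENTS) -> Optional[str]:
    ip = ip_address(dst)
    in_remote = any(ip in net for net in REMOTE_INTRANET)
    in_local = ip in LOCAL_LAN

    if mode == "separation":
        if in_remote:
            return "vnic"        # on a segment conflict the remote intranet wins (assumed)
        if in_local:
            return "nic"
        return None              # Internet is not reachable in this mode

    if mode == "full":
        return "vnic" if in_remote else None   # everything else is cut off

    if mode == "manual":
        if any(ip in net for net in manual_segments):
            return "vnic"        # configured segments win, even where the LAN overlaps
        return "nic"             # other intranet, local LAN and Internet are unaffected

    raise ValueError(f"unknown mode {mode!r}")


def routing_table(mode: str, destinations) -> dict:
    """Convenience: map each destination to its interface for one mode."""
    return {dst: select_interface(mode, dst) for dst in destinations}


if __name__ == "__main__":
    samples = ["10.10.1.1", "10.10.8.9", "192.168.1.5", "192.168.0.9", "8.8.8.8"]
    for mode in ("separation", "full", "manual"):
        print(mode, routing_table(mode, samples))
```

Seen this way, manual mode is the only one in which ordinary Internet traffic keeps using the physical card, which is why it is the mode with the smallest change to the user's machine and also the one where an overlapping segment silently redirects traffic that used to reach the local LAN.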
Network expansion implementation process
Packet encapsulation process
Reliable transmission mode
Fast transfer mode
Terminal security
Host check
Terminal security deploys software on the host that requests access to the intranet and uses that software to check the host's security status. It mainly includes host checking and cache cleanup.
Host check: checks whether the host the user uses to access intranet resources meets the security requirements.
The host check policy includes the following check items:
- Antivirus software check
- Firewall check
- Registry check
- Document inspection
- Port check
- Process check
- Operating system check
Cache cleanup
When a user accesses the virtual gateway, the USG uses the necessary means to remove the access traces left on the terminal (for example generated temporary files, cookies, etc.), to prevent leaks and eliminate potential security risks.
Areas cleaned:
- Internet temporary files
- The password saved automatically by the browser
- Cookie records
- Browser access history
- Recycle bin and list of recently opened documents
- Specify a file or folder
Comprehensive logging
- Log query
- Log export
- Virtual gateway administrator log
- User logs
- System log
Certificate authentication
Certificate anonymous authentication
The NGFW verifies the user's identity solely by verifying the user's client certificate.
1. The user selects the certificate on the SSLV** gateway login page, and the client sends the client certificate to the gateway.
2. The gateway sends the client certificate and the name of its own referenced CA certificate to the certificate module.
3. The certificate module checks, based on the CA certificate, whether the client certificate is trusted, and returns the result to the gateway.
- If the CA certificate referenced by the gateway belongs to the same CA that issued the client certificate, and the client certificate is within its validity period, the certificate module considers the client certificate trusted, the user passes authentication, and step 4 follows.
- If the certificate module considers the client certificate untrusted, the user fails authentication and step 5 is executed.
4. The gateway extracts the user name from the client certificate according to the user filter field.
- The gateway looks up the user's role in its role authorization list to confirm the user's business permissions.
5. The gateway returns the authentication result to the client.
Users who pass authentication can log in to the SSLV** gateway interface and use SSL V** services with the corresponding business permissions.
Users who fail authentication see on the client: "Your certificate verification is illegal, please provide a legal certificate".
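Steps 3 to 5 as decision logic, added here as an example and not taken from the firewall: the check runs on a constructed, already-parsed certificate record, so the X.509 signature verification is represented by a `signature_valid` flag assumed to come from the certificate module, and the issuer name, role authorization list, filter fields (`CN` or `email`) and result tuple are all assumptions made for the example.

```python
"""Certificate anonymous authentication decision (added example, not firewall code).

Runs on a constructed ParsedCert record; signature checking is assumed to
have been done by the certificate module and is represented by a flag."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass
class ParsedCert:
    issuer: str                       # issuer DN of the client certificate
    subject: dict                     # subject DN fields, e.g. {"CN": "alice"}
    email: Optional[str]              # rfc822Name from subjectAltName, if any
    not_before: datetime
    not_after: datetime
    signature_valid: bool = True      # assumed result of the CA signature check


GATEWAY_CA = "CN=Corp Root CA"                     # the CA the gateway references (constructed)
ROLE_LIST = {"alice": "sales", "bob": "ops"}       # constructed role authorization list


def extract_username(cert: ParsedCert, filter_field: str) -> Optional[str]:
    """Step 4: pick the user name out of the certificate by the configured filter field."""
    if filter_field == "email":
        return cert.email
    return cert.subject.get(filter_field)


def authenticate(cert: ParsedCert, filter_field: str = "CN",
                 now: Optional[datetime] = None) -> Tuple[bool, Optional[str], Optional[str], str]:
    """Steps 3-5: return (passed, username, role, reason)."""
    now = now or datetime.now(timezone.utc)

    # Step 3: trusted only if issued by the referenced CA and within the validity period
    if cert.issuer != GATEWAY_CA or not cert.signature_valid:
        return (False, None, None, "certificate not issued by the referenced CA")
    if not (cert.not_before <= now <= cert.not_after):
        return (False, None, None, "certificate outside its validity period")

    # Step 4: user name and role lookup
    user = extract_username(cert, filter_field)
    if not user:
        return (False, None, None, f"certificate carries no {filter_field} field")
    role = ROLE_LIST.get(user)
    if role is None:
        return (True, user, None, "authenticated, no role authorization")

    # Step 5: result handed back to the client
    return (True, user, role, "ok")


def sample_cert(**overrides) -> ParsedCert:
    """Constructed sample certificate; keyword overrides produce the failure cases."""
    base = dict(issuer=GATEWAY_CA, subject={"CN": "alice", "OU": "sales"},
                email="alice@corp.example",
                not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
                not_after=datetime(2026, 1, 1, tzinfo=timezone.utc))
    base.update(overrides)
    return ParsedCert(**base)


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    print(authenticate(sample_cert(), now=now))
    print(authenticate(sample_cert(issuer="CN=Other CA"), now=now))
    print(authenticate(sample_cert(not_after=datetime(2024, 6, 1, tzinfo=timezone.utc)), now=now))
```

Two things the page's step list implies and the code makes explicit: the issuer comparison on its own proves nothing without the signature check (anyone can write "CN=Corp Root CA" into an issuer field), and the filter field decides which certificate attribute becomes the login name, so it must be one the CA actually controls.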
Certificate challenge certification
Certificate challenge authentication combines client certificate verification with local authentication or server authentication:
- certificate + local user name and password
- certificate + server authentication
SSL V** Application scenarios
SSL V** Application scenario analysis of single arm networking mode
In network planning, the interface IP of the SVN is an intranet IP address, and this address must be routable to all servers being accessed. The firewall needs a nat server configuration that maps the SVN address to one of the firewall's public IP addresses. Only some ports may be mapped, such as 443. If Internet users need to manage the SVN, ports such as SSH and Telnet must also be mapped.
SSLV** Application scenario analysis of dual arm networking mode
- In this networking environment, the SVN uses two different network ports to connect to the external network and the internal network, so there is a clear distinction between intranet and Internet. No additional configuration is needed: the external interface carries the virtual gateway IP, and the intranet interface is configured with the intranet management IP.
- The virtual gateway IP does not need NAT translation, as long as Internet users can reach this virtual gateway IP address. The internal and external interfaces are not tied to specific physical interfaces; any physical interface can serve as an intranet or extranet interface.
- The router and switch in the figure are connected because some applications on the customer network may not need to pass through SSL encryption and instead access the Internet directly through the firewall. In that case, policy routing is configured on the switch and router so that the traffic that needs to establish SSLV** is forwarded to the SVN, while ordinary applications access the Internet directly through the firewall.
SSL V** Configuration steps
1. Configure interfaces
2. Configure security policies
- Permit SSL V** traffic from the Untrust zone to the Local zone.
- Permit business traffic from the Local zone to the Trust zone.
3. Configure the V**DB
4. Configure the virtual gateway
5. Select services
The firewall provided in eNSP is a cut-down version.
Publisher: Full stack programmer webmaster. Please indicate the source when reprinting: https://javaforall.cn/100119.html Link to the original text: https://javaforall.cn