Introduction to JMU’s SSL VPN

Introduction to JMU’s SSL VPN. Mike Bayne, 15 September 2011. http://www.jmu.edu/computing/security/sslvpn-intro.pptx


Transcript of Introduction to JMU’s SSL VPN

Page 1: Introduction to JMU’s SSL VPN

Mike Bayne, 15 September 2011

http://www.jmu.edu/computing/security/sslvpn-intro.pptx

Page 2: What is a VPN?

• Virtual Private Network
• Provides an encrypted tunnel between a client computer and a remote network
• The remote termination point proxies the connection on to other resources
• All or some traffic is routed to the remote network

Page 3: VPN Operation

[Diagram; labels: JMU Border, VPN terminal]

Page 4: Why use the VPN?

• Gain remote access to applications and data deemed too sensitive to expose directly to the Internet
  ◦ Student Administration system
• Gain remote access to resources licensed to JMU by IP address
  ◦ Microsoft site license
  ◦ Online library resources

Page 5: Old VPN: Cisco VPN

• Required a client
  ◦ No support for new OSes
  ◦ No support for mobile devices
• Tunneled all traffic over UDP
  ◦ All traffic had to go through JMU, even if not destined for JMU
• Access required configuration on firewalls
• Rapidly approaching end-of-life

Page 6: New Hotness: Juniper SA6500

http://www.juniper.net/us/en/products-services/security/sa-series/sa6500/

Page 7: Juniper SA6500 SSL VPN

• Support for newer OSes
• Support for mobile devices
• Uses a web browser for basic access
• Java clients for advanced access
• LDAP or Active Directory authentication
• Access granted based upon roles

Page 8: Qualified Platforms

Platform, OS: browsers and Java environment

Windows
  • Windows XP Professional SP3, 32 bit: Internet Explorer 7.0, 8.0 and Firefox 3.6, 4.0; Sun JRE 6
  • Vista Enterprise SP2, 32 & 64 bit: Internet Explorer 7.0, 8.0, 9.0 and Firefox 3.6, 4.0; Sun JRE 6
  • Windows 7 Enterprise SP1, 32 & 64 bit: Internet Explorer 8.0, 9.0 and Firefox 3.6, 4.0; Sun JRE 6

Mac
  • Mac OS X 10.6.4, 32 and 64 bit: Safari 5.0, 5.1; Sun JRE 6
  • Mac OS X 10.5.8, 32 and 64 bit: Safari 4.0; Sun JRE 6

Linux
  • OpenSuse 11.3, 32 bit only: Firefox 3.6, 4.0; Sun JRE 6
  • Ubuntu 10.04 LTS, 32 bit only: Firefox 3.6, 4.0; Sun JRE 6

Page 9: Compatible Platforms

Platform, operating system: browsers and Java

Windows
  • Windows Vista with Service Pack 1 or 2, 32 bit or 64 bit
  • Windows 7, 32 bit or 64 bit
  • XP Professional SP2 or SP3, 32 bit or 64 bit
  • XP Home Edition SP3
  Browsers and Java: Internet Explorer 9.0, 8.0, 7.0; Firefox 3.0 and above; Sun JRE 6 and above

Mac
  • Mac OS X 10.6.x, 32 bit and 64 bit
  • Mac OS X 10.5.x, 32 bit and 64 bit
  • Mac OS X 10.4.x, 32 bit
  Browsers and Java: Safari 3.0 and above; Sun JRE 6 and above

Linux
  • OpenSuse 10.x and 11.x, 32 bit only
  • Ubuntu 9.10 and 10.x, 32 bit only
  • Red Hat Enterprise Linux 5, 32 bit only
  Browsers and Java: Firefox 3.0 and above; Sun JRE 6 and above

Solaris
  • Solaris 10, 32 bit only
  Browsers: Mozilla 2.0 and above

Page 10: Compatible Mobile Devices (Web & File Browsing)

• iPhone OS 3.0 and above with the default Safari
• Android 2.0 and above
• Symbian OS 8.1 and above
• Windows Mobile 6.0 Standard, Classic and Professional: Pocket IE 6.0
• Windows Mobile 6.1 Standard, Classic and Professional: Pocket IE 6.0
• Windows Mobile 6.5 Standard, Classic and Professional: Internet Explorer Mobile 6.0
• Windows Mobile 5.0 based Pocket PC devices: Pocket IE 4.0
• NTT i-mode phone
• AU/KDDI phone: Openwave Mobile Browser
• Vodafone phone: Openwave Mobile Browser

Page 11: SSL VPN Connection Methods

• Web Connect
• WSAM/JSAM
• Network Connect
• Junos Pulse (mobile clients)

Page 12: Web Connect

• Default connection
• Provides access to:
  ◦ Web resources
  ◦ File access
  ◦ Remote desktop
  ◦ SSH access
• Solution for most connections at JMU

Page 13: Web Connect

Page 14: Pre-populated Bookmarks

Page 15: User-added Bookmarks

Page 16: URL Entry

Page 17: File Shares

Page 18: Remote Access: RDP and SSH

Page 19: Windows Secure Application Manager (WSAM)

• Windows only
• Java program or ActiveX control
• Inserts a shim into the network stack
• Network access to preconfigured resources is directed through the VPN
• Resources MUST be preconfigured on the VPN

Page 20: WSAM

Page 21: WSAM

Page 22: WSAM

Page 23: Java Secure Access Manager (JSAM)

• Java-based proxy
• Maps a local port to a remote destination through the SSL VPN
  ◦ Example: hrweb.jmu.edu:443 is mapped to local port 8000
  ◦ Connections to https://127.0.0.1:8000 are forwarded to hrweb.jmu.edu:443
• Either WSAM or JSAM per role, not both
• Not currently used at JMU
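The local-port-to-remote-destination mapping this slide describes, as an added example; it is not Juniper's JSAM client and not JMU's configuration. It is a plain TCP relay bound to loopback: a connection to 127.0.0.1:&lt;local port&gt; is copied byte for byte to the mapped destination. The real JSAM carries those bytes inside the SSL VPN session; this example connects to the destination directly, and instead of hrweb.jmu.edu it talks to a constructed echo service started in the same process. The PORT_MAP entry is the slide's example; the class and function names are assumptions.

```python
import socket
import threading

# JSAM-style mapping table: local loopback port -> remote host:port.
# The hrweb.jmu.edu entry is the example from the slide.
PORT_MAP = {
    8000: ("hrweb.jmu.edu", 443),
}


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LoopbackForwarder:
    """Listen on 127.0.0.1:<local_port> and relay every connection to remote."""

    def __init__(self, local_port: int, remote: tuple):
        self.remote = remote
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Bind to loopback only: binding 0.0.0.0 would offer the mapping to the LAN.
        self.listener.bind(("127.0.0.1", local_port))
        self.listener.listen(16)
        self.local_port = self.listener.getsockname()[1]   # real port when 0 was asked for

    def start(self) -> int:
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.local_port

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:          # listener closed: stop serving
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client: socket.socket) -> None:
        try:
            upstream = socket.create_connection(self.remote, timeout=10)
        except OSError:
            client.close()
            return
        # One pump per direction; each half-closes its output on EOF.
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        upstream.close()
        client.close()


def roundtrip_via_forwarder(payload: bytes, remote: tuple) -> bytes:
    """Send payload through a fresh forwarder to remote; return what comes back."""
    fwd = LoopbackForwarder(0, remote)          # port 0: let the OS pick a free port
    port = fwd.start()
    with socket.create_connection(("127.0.0.1", port), timeout=10) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)              # tell the far end we are done sending
        data = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    fwd.listener.close()
    return data


def start_echo_server() -> int:
    """Constructed stand-in for the remote service: echoes bytes until the client half-closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn: socket.socket) -> None:
        with conn:
            while True:
                d = conn.recv(4096)
                if not d:
                    break
                conn.sendall(d)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    echo_port = start_echo_server()
    print(roundtrip_via_forwarder(b"GET / HTTP/1.0\r\n\r\n", ("127.0.0.1", echo_port)))
```

Two caveats follow from the model even in this reduced form. First, the listener must bind to 127.0.0.1 and nothing else, otherwise any host on the local network gets the same path to the mapped resource. Second, the slide's example has the browser open https://127.0.0.1:8000 while the TLS certificate it receives belongs to hrweb.jmu.edu, so name validation fails unless the client also resolves hrweb.jmu.edu to the loopback listener; a pure port forwarder does not solve that on its own.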

Page 24: JSAM

Page 25: JSAM

Page 26: JSAM

Page 27: Network Connect

• Greatest impact on JMU and on the client system
• Java application
• Behavior similar to the existing Cisco VPN: all traffic is routed through the VPN to JMU’s network

Page 28: Network Connect

Page 29: Network Connect

Page 30: Network Connect

Page 31: Network Connect

Page 32: Junos Pulse

• Network Connect for mobile devices
• All traffic tunneled through the VPN
• Untested

Page 33: Junos Pulse

Page 34: Junos Pulse

Page 35: Invoking the Demo Gremlins

Page 36: Behind the Scenes: Realms, Roles, and Resources

Page 37: Resources

• Network resources that users are allowed or denied access to
• Identified by host and port, subnet, URI, etc.
• Can be specific enough to allow access to parts of a website while denying access to others

Page 38: Roles

• Group of people that share similar access
• Role membership can be identified by LDAP group membership or attribute
• Role membership can be enumerated within the SSL VPN
  ◦ Most roles are enumerated
  ◦ Want to move to LDAP/AD as identity management matures
• Users are often assigned multiple roles

Page 39: Realms

• Logical container holding an authentication source and login pages
• May be accessed either by a new domain name or by a new URL
  ◦ https://student.sslvpn.jmu.edu
  ◦ https://sslvpn.jmu.edu/student

Page 40: How They Fit Together

• Roles are added to a realm
  ◦ A role may be in more than one realm
• Resources are added to roles
  ◦ Both permit and deny resources are added
  ◦ Default deny of access to any unmentioned resource
  ◦ Users accumulate resources from each role they’re assigned to
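The realm, role and resource model of pages 37 to 40 worked through as an added example; this is not the SA6500's policy engine and not JMU's configuration. It keeps the deck's facts (hrweb.jmu.edu:443, the student realm reachable as https://student.sslvpn.jmu.edu or https://sslvpn.jmu.edu/student, permit and deny entries, default deny, accumulation across roles, membership by directory group) and adds assumptions it labels: the 10.0.0.0/8 range, the /admin/ split on hrweb, the LDAP group DNs, and the rule that the first matching entry wins in role order, since the deck does not say how the appliance resolves conflicts between roles.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Resource:
    """A requested network resource: host (name or IP literal), port, URI path."""
    host: str
    port: int
    path: str = "/"


@dataclass(frozen=True)
class Rule:
    """One permit/deny entry. host is a hostname glob ('*.jmu.edu') or a CIDR
    ('10.0.0.0/8'); ports=None means any port; path is a glob over the URI path."""
    action: str
    host: str
    ports: Optional[tuple] = None
    path: str = "*"

    def matches(self, r: Resource) -> bool:
        if "/" in self.host:
            # Subnet rule: only a request addressed to an IP literal can match it.
            try:
                net = ipaddress.ip_network(self.host, strict=False)
                if ipaddress.ip_address(r.host) not in net:
                    return False
            except ValueError:
                return False
        elif not fnmatchcase(r.host.lower(), self.host.lower()):
            return False
        if self.ports is not None and r.port not in self.ports:
            return False
        return fnmatchcase(r.path, self.path)


@dataclass(frozen=True)
class Role:
    name: str
    rules: tuple


def evaluate(roles, resource: Resource) -> str:
    """Walk the user's accumulated rules role by role; the first match wins.
    Nothing matched means default deny (page 40). Role order deciding conflicts
    is an assumption of this example, not something the deck states."""
    for role in roles:
        for rule in role.rules:
            if rule.matches(resource):
                return rule.action
    return "deny"


# Hypothetical roles. hrweb.jmu.edu:443 is the deck's example host; the /admin/
# split shows 'parts of a website' (page 37); the 10.0.0.0/8 range is assumed.
STAFF = Role("staff", (
    Rule("permit", "hrweb.jmu.edu", (443,)),
    Rule("permit", "10.0.0.0/8", (22,)),                  # SSH into an assumed internal range
))
STUDENT = Role("student", (
    Rule("deny", "hrweb.jmu.edu", (443,), "/admin/*"),    # deny must precede the permit
    Rule("permit", "hrweb.jmu.edu", (443,), "*"),
))

# Role membership from directory groups (page 38). The group DNs are assumptions.
GROUP_TO_ROLE = {
    "cn=staff,ou=groups,dc=jmu,dc=edu": STAFF,
    "cn=students,ou=groups,dc=jmu,dc=edu": STUDENT,
}


def roles_for(member_of) -> list:
    """Map a user's memberOf values to roles, keeping the directory's order."""
    return [GROUP_TO_ROLE[g] for g in member_of if g in GROUP_TO_ROLE]


REALM_HOST = "sslvpn.jmu.edu"   # from page 39


def realm_from_url(url: str) -> Optional[str]:
    """Select a realm by sub-domain (student.sslvpn.jmu.edu) or by first path
    segment (sslvpn.jmu.edu/student). Any other host, including look-alikes such
    as sslvpn.jmu.edu.example.com, selects no realm."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host.endswith("." + REALM_HOST):
        return host[: -len(REALM_HOST) - 1] or None
    if host == REALM_HOST:
        return u.path.strip("/").split("/")[0] or None
    return None


if __name__ == "__main__":
    user = roles_for(["cn=students,ou=groups,dc=jmu,dc=edu"])
    print(realm_from_url("https://student.sslvpn.jmu.edu"))
    print(evaluate(user, Resource("hrweb.jmu.edu", 443, "/admin/users")))
```

The part worth checking in a real deployment is the ordering: with accumulation across roles, a user who is in both roles gets the staff permit for /admin/ or the student deny for it depending on which role's entries are consulted first, so a deny written into one role is not a guarantee once the same user also holds a broader role.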

Page 41: Challenges Ahead

• Moving from enumerated roles to groups/attributes in a directory
• Identifying resources that don’t work with Web Connect and developing workarounds
  ◦ Internal JMU applications
  ◦ Externally licensed resources (750+ through the library alone)

Page 42: Unused Features

• Endpoint Security
  ◦ Malware protection
  ◦ Antivirus version monitoring
  ◦ Patch management monitoring
• Cache Cleaner
• Two-factor authentication
  ◦ One-time passwords
  ◦ Certificates
• Single Sign-on
• Restrictions on access from certain subnets
• Restrictions on browsers

Page 43: Questions?