Course 201 – Administration, Content Inspection and SSL VPN


1 Course 201 – Administration, Content Inspection and SSL VPN
RTOL

2 Module Objectives
By the end of this module participants will be able to:
- Identify the VPN technologies available on the FortiGate device
- Identify and configure the SSL VPN operating modes
- Define an SSL VPN user group
- Configure SSL VPN portals
- Configure firewall policies and authentication rules for SSL VPNs

3 Virtual Private Networks (VPN)
[Diagram: Branch Office connected to Corporate Office through a VPN]
- VPNs use a public network to provide access to a private network
- Provide confidentiality and integrity of data
- Also provide authentication, encryption and restricted access

4 Virtual Private Networks (VPN)
[Diagram: Branch Office connected to Corporate Office through a VPN]
- Use a public network to provide access to a private network
- Create a secure tunnel to protect data transferred between offices, or allow users to access private data from remote locations

5 FortiGate VPN
SSL VPN:
- Typically used to secure web transactions
- HTTPS link created to securely transmit application data between client and server
- Client signs on through a secure web page (SSL VPN portal) on the FortiGate device
IPSec VPN:
- Well suited for network-based legacy applications
- Secure tunnel created between two host devices
- IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients

FortiGate supports two VPN technologies.
Secure Socket Layer (SSL) VPN:
- Typically used for secure web transactions
- After a secure HTTP link has been established between the web browser and the FortiGate unit, application data is transmitted between the client and the device through a secure tunnel
- All client traffic is encrypted and sent to the FortiGate unit, including traffic intended for the private network and Internet traffic that is normally sent unencrypted
- Split tunneling can be used so that only traffic for the private network is sent to the SSL VPN gateway, while Internet traffic is sent through the usual unencrypted route
- SSL VPN supports sign-on to a web portal front end from which a number of applications can be accessed
- Allows mobile employees, contractors, business partners and/or customers access to certain administrator-specified corporate resources
Internet Protocol Security (IPSec) VPN:
- IPSec VPNs provide users at geographically distributed locations access to all their usual corporate network resources as if they were on the LAN
- Securely provides employees around the world with always-on connectivity and access to corporate resources
- Well suited for legacy applications (not web-based)
- IP packets are encapsulated by the VPN client and server software running on the hosts
- IPSec VPN is covered in a separate module

6 SSL VPN Web-Only Mode
[Diagram: remote user connects to the SSL VPN portal (HTTPS web site); tunnel created; authenticate; portal web page presented; click bookmark to access resource]
FortiGate SSL VPN can operate in two modes. Web-only mode:
- The FortiGate unit provides access to selected services and resources through a web portal
- Customizable and configurable HTTPS web site
- An SSL proxy running on the FortiGate unit provides access to the allowed network services and resources
- Resources are accessed as if they were at the SSL VPN gateway (the FortiGate device)
- Secure connection between the browser and the FortiGate unit
- No client software required; the remote computer only needs a currently supported web browser
- Protocol access is limited to what is allowed through the web portal (HTTP, FTP, SMB, RDP, SSH, Telnet)
- The FortiGate unit acts as a secure gateway and authenticates remote users as members of a user group
- After successful authentication, the FortiGate unit redirects the web browser to the web portal home page and the user can access the server applications behind the FortiGate unit

7 SSL VPN Tunnel Mode
[Diagram: enter URL of SSL VPN portal; portal web page presented; Fortinet SSL VPN client downloaded; tunnel created; authenticate; resources accessed]
Tunnel mode:
- A secure SSL connection is established with the FortiGate unit to download the SSL VPN client software to the browser
- After the client is installed, the user can initiate a VPN tunnel with the FortiGate unit whenever the SSL connection is open
- Tunnel mode allows remote clients to access their internal network as if they were locally connected to it
- When the user initiates the VPN connection through the FortiGate unit, the device establishes a tunnel with the client and assigns the client a virtual IP address from a range of reserved addresses
- A virtual interface is created on the PC that is connecting to the SSL VPN tunnel
- The user is granted layer 3 access to the protected network

8 User Groups
[Diagram: users Paris, Chicago and London placed in a firewall user group with Allow SSL-VPN Access enabled]
- User groups provide access to firewall policies that require SSL VPN access
- Select the type of SSL VPN portal: web-only mode, tunnel mode or full access

9 Authentication
- Username and password (one factor)
- Username and password plus FortiToken (two factor)

10 Portals
[Diagram: users Paris, Chicago and London mapped to web access, tunnel access and full access portals]
- The portal is the web page displayed when a member logs into the SSL VPN
- Widgets are included in the portal to provide various functions, for example bookmarks and the software download option for tunnel mode
- Three portal options: web-only portal, tunnel mode portal, full access portal (both modes on one page)
- By default, the SSL VPN gateway listens on port 10443. In an actual deployment, use port 443, as this port is typically open on firewalls
- Go to System > Admin > Settings to change the SSL VPN login port from 10443 to 443

11 SSL VPN Server Certificate
- Certificate presented to the client initiating the SSL VPN session
- The FortiGate device uses a self-signed certificate by default
- Use a certificate issued by a trusted Certificate Authority to avoid web browser security warnings (users who are trained to click through warnings for the portal will also click through one raised by an intercepting host)

12 Encryption Key Algorithm
- Level of encryption used for SSL VPN connections: High, Default, Low
- The default setting is RC4 (128 bits) and higher
- If set to High, SSL VPN connections with clients that cannot meet this standard will fail

13 SSL VPN Web-only Mode Configuration
1. Enable SSL VPN on the FortiGate unit
2. Create an SSL VPN user group and set the SSL VPN portal type to web-access
3. Add users to the SSL VPN user group
4. Create an SSL VPN firewall policy
5. Edit the authentication rule in the firewall policy to add the SSL VPN user groups and required protocols

14 SSL VPN Tunnel Mode Configuration
1. Enable SSL VPN and select the IP pool
2. Create an SSL VPN user group and set the SSL VPN portal type to tunnel-access or full-access
3. Create a static route: Destination = the IP pool, Device = ssl.root
4. Add users to the SSL VPN user group
5. Create an SSL VPN firewall policy to authenticate the users, adding the SSL VPN user groups and required protocols
6. Create at least one additional firewall policy: Source = the SSL VPN tunnel interface, Destination = the internal network, Action = ACCEPT

15 Web Portal Interface
- Web page displayed when the client logs into the SSL VPN
- Includes widgets to access functionality on the portal (such as bookmarks and connection tools)
- Software download option for tunnel mode
- The default SSL VPN web portal page is accessible at <IP address>:10443 (port 443 can be used in actual deployments, as this port is typically open on firewalls)

16 Full-Access Web Portal Interface

17 Tunnel Mode Split-Tunneling
- Only traffic destined for the tunnel IP range network will be routed over the SSL VPN
- If access to another inside network is desired, the client will need to create a static route pointing to its own SSL VPN interface
- The associated firewall policies must also exist

18 Client Integrity Checking
- The SSL VPN gateway checks the client system
- Detects client protection applications (for example, antivirus and personal firewall)
- Determines the state of those applications (active/inactive, current version number and signature updates)
- Examples include Cisco Network Admission Control (NAC), MS Network Access Protection (NAP) and the Trusted Computing Group's (TCG) Trusted Network Connect

19 Client Integrity Checking

20 Client Integrity Checking
- Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors)
- Requires administrators to determine the appropriate version/signature versions and policy
- Easily outdated, limiting the protection provided

21 SSL VPN Group
- The SSL VPN group will be created with full access and the appropriate users selected
- The SSL VPN ActiveX control only needs to be downloaded once

22 SSL VPN Tunnel Mode Connection
- A new network connection called fortissl is created
- The connection obtains a virtual IP address
- This virtual adapter becomes the preferred default route if split tunneling is disabled
- The web portal page displays the status of the SSL VPN client ActiveX control
- The portal web page must remain open for the tunnel to function
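The route selection behind slides 17 and 22, as an added example that is not part of the original presentation: a longest-prefix lookup over a constructed client routing table shows why, with split tunneling enabled, only the tunnel IP range reaches the fortissl adapter until a static route for a second inside network is added, and why the adapter carries all traffic once split tunneling is disabled. The tunnel range, the inside network prefix and the metrics are assumed sample values.

```python
import ipaddress


def pick_route(routes, dst):
    """Longest-prefix match over (prefix, interface, metric) entries, the way
    the client's IP stack chooses an outgoing interface. Ties on prefix length
    go to the lower metric. Returns the interface name, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None  # (prefixlen, -metric, interface)
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidate = (net.prefixlen, -metric, iface)
            if best is None or candidate[:2] > best[:2]:
                best = candidate
    return best[2] if best else None


# Constructed client routing table with split tunneling ENABLED: the default
# route stays on the physical adapter and only the tunnel IP range (assumed
# 10.212.134.0/24 here) is routed over the fortissl virtual adapter.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "eth0", 10),
    ("10.212.134.0/24", "fortissl", 1),
]

# Constructed table with split tunneling DISABLED: fortissl is installed as the
# preferred default route, so Internet traffic also enters the tunnel.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "eth0", 10),
    ("0.0.0.0/0", "fortissl", 1),
]


def with_static_route(routes, inside_net):
    """The static route from slide 17: point a second inside network at the
    client's own SSL VPN interface. A matching firewall policy on the
    FortiGate must exist as well, or the traffic is dropped at the gateway."""
    return routes + [(inside_net, "fortissl", 1)]
```

Traffic for an inside network that has no static route leaves on the physical adapter and never enters the tunnel, which is the failure mode slide 17 warns about.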

23 SSL VPN Client Port Forward
- Port Forward Mode extends the applications supported by Web Application Mode
- Application types:
  - PortForward: for generic port forward applications
  - Citrix: for Citrix server web interface access
  - RDPNative: for the Microsoft Windows native RDP client over port forward
- Configured through the CLI using:
    config vpn ssl web portal
        edit "SSL Access"
            set allow-access citrix rdpnative portforward
    end

24 SSL VPN Client Port Forward

25 SSL VPN IPv6 Support

26 SSL-VPN Policy De-Authentication
- The firewall policy authentication session is associated with the SSL VPN tunnel session
- Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session is ended by the user
- Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a different user after the initial user terminates their SSL VPN tunnel session

SSL-VPN policy de-authentication prevents access to unexpired authentication sessions associated with ended SSL VPN sessions. It prevents the following problem from occurring:
1. User A connects to an SSL VPN tunnel and authenticates
2. User A performs some tasks and disconnects
3. User A's firewall policy authentication session is still active (default timeout: 15 minutes)
4. User B connects to the SSL VPN tunnel before expiration of User A's firewall policy authentication session
5. User B accesses User A's resources without authenticating
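The five-step sequence above, modelled as an added example that is not part of the original presentation. The model assumes that the firewall policy authentication session is keyed by the virtual IP the tunnel client was given, so a later tunnel that is handed the same address from the pool matches it; the address, the tunnel ids and the timings are constructed sample values.

```python
AUTH_TIMEOUT = 15 * 60  # default policy authentication timeout from slide 26, in seconds


class SslVpnGateway:
    """Toy model (constructed for this example) of the gateway behaviour on
    slide 26. deauth=True models SSL-VPN policy de-authentication."""

    def __init__(self, deauth):
        self.deauth = deauth
        self.tunnels = {}  # tunnel id -> virtual IP (assumed to be reused from the pool)
        self.auth = {}     # virtual IP -> (user, expiry time)

    def connect(self, user, vip, tunnel_id, now):
        """User authenticates and a tunnel comes up; the policy authentication
        session is recorded against the tunnel's virtual IP."""
        self.tunnels[tunnel_id] = vip
        self.auth[vip] = (user, now + AUTH_TIMEOUT)

    def disconnect(self, tunnel_id):
        """User ends the tunnel. Only with de-authentication is the associated
        policy authentication session expired at the same moment."""
        vip = self.tunnels.pop(tunnel_id)
        if self.deauth:
            self.auth.pop(vip, None)

    def attach_unauthenticated(self, vip, tunnel_id):
        """A new tunnel that received the same virtual IP but has not authenticated."""
        self.tunnels[tunnel_id] = vip

    def identity_for(self, vip, now):
        """The user the firewall policy attributes traffic from vip to; None
        means the policy would demand a fresh authentication."""
        entry = self.auth.get(vip)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self.auth[vip]
            return None
        return user


def scenario(deauth, reconnect_after):
    """Slide 26 step by step: A authenticates at t=0 and disconnects, then B is
    handed the same virtual IP and sends traffic at t=reconnect_after. Returns
    whom B's traffic is attributed to."""
    gw = SslVpnGateway(deauth)
    vip = "10.212.134.200"  # constructed sample virtual IP
    gw.connect("userA", vip, "tunnel-1", now=0)
    gw.disconnect("tunnel-1")
    gw.attach_unauthenticated(vip, "tunnel-2")
    return gw.identity_for(vip, now=reconnect_after)
```

Without de-authentication the 15-minute timeout is the only thing that closes the window; with it, the session dies with the tunnel.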

27 SSL VPN Access Modes
Web mode:
- No client software required (web browser only)
- Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
- Java applets for RDP, VNC, TELNET, SSH
Tunnel mode:
- Uses a FortiGate-specific client downloaded to the PC (ActiveX or Java applet)
- Requires admin/root privilege to install the layer-3 tunnel adaptor
Port forward mode:
- A Java applet works as a local proxy to intercept specific TCP port traffic and then encrypt it in SSL
- Downloaded to the client PC and installed without admin/root privileges
- The client application must point to the Java applet

28 Labs
Lab - SSL VPN:
- Configuring SSL VPN for Web Access
- Using the SSL VPN for RDP Access
- Configuring the SSL VPN Tunnel Mode with Split Tunneling

29 Student Resources

