SSL VPN is a remote-access tunnelling technology that is straightforward to deploy and to use. It protects data in transit with the SSL/TLS protocol: public key cryptography authenticates the gateway and establishes the session keys, and symmetric encryption with integrity protection then covers the traffic itself. Because the client is ordinarily a web browser talking directly to the gateway, users need little or no extra client software, and the same SSL/TLS session guarantees the confidentiality and integrity of the data.
In terms of how it is used, the SSL/TLS protocol can be divided into two layers. The first is the record protocol, which fragments, optionally compresses, integrity-protects and encrypts application data for transmission; in practice TLS compression should be disabled, because it leaks plaintext through ciphertext length (the CRIME class of attacks), and TLS 1.3 removed it altogether. The second is the handshake protocol, which negotiates the protocol version and cipher suite, authenticates the server (and optionally the client) with X.509 certificates, and derives the session keys. Checking a user's account and password is not part of the handshake; that happens at the application layer once the tunnel is up, using one of the methods listed below. Compared with IPsec VPN, SSL VPN has a simpler architecture, lower operating cost, fast processing and a strong security record when configured correctly, so it is widely deployed by enterprise users. However, because SSL VPN is web-based and used through the browser, the gateway and its clients are exposed to the same threats as any web application, and with the proliferation of malware in recent years the security mechanisms of SSL VPN, above all its user authentication, must be kept up to date to keep it operating safely.
Authentication methods:
- LDAP authentication
When the organisation already manages users in LDAP (for example Active Directory), it is enough to create user groups on the SSL VPN device that mirror the OU structure in the directory and bind each group to the corresponding OU; no individual user accounts need to be created on the device. When a user submits a username and password to the SSL VPN, the gateway forwards the credentials to the LDAP server (typically by attempting a bind as that user) and decides whether the user is legitimate from the server's response. The connection from the gateway to the directory should itself be protected (LDAPS or StartTLS), since it carries the user's cleartext password.
- RADIUS authentication
Create the corresponding user groups on the SSL VPN device, select RADIUS authentication, and bind each group to the Class attribute value the RADIUS server returns for its members. When a user submits a username and password to the SSL VPN, the gateway sends them to the RADIUS server in an Access-Request packet in the standard RADIUS format, and the server answers with Access-Accept (carrying the Class attribute) or Access-Reject. Note that RADIUS only obfuscates the password with MD5 and a shared secret, so the link between the gateway and the RADIUS server should itself be protected (for example with IPsec or RADIUS over TLS).
- CA (certificate) authentication
An SSL VPN security gateway with a built-in CA can support PKI-based authentication, in which the client presents a certificate issued by that CA instead of, or in addition to, a password.
- USB key authentication
The digital certificate generated by the CA centre is issued onto a USB key, and a PIN code is set on the key. This "hardware-stored digital certificate + PIN code" mode gives users a high-security authentication method: the private key never leaves the token, and the PIN is required before the token will use it.
- Hardware binding
For users who authenticate only with a username and password, the login client can be bound so that the account works only from one or a few specific machines. This limits the damage from an accidentally disclosed account or from account theft leading to data leakage. Client binding is generally implemented by IP/MAC, MAC-only, or IP-only binding. Keep in mind that both IP and MAC addresses can be spoofed, and that the gateway can only see a remote client's MAC address through its client software, so binding is a mitigation rather than a substitute for a second factor.
- Dynamic token authentication
Dynamic token authentication is a two-factor system in which a hardware token with an embedded cryptographic chip shares a secret with the server and is synchronised with it by event (a counter) or by time. The token uses HMAC-SHA1 to generate a six-digit one-time password for each login, following the OATH HOTP (RFC 4226) and TOTP (RFC 6238) standards that are recognised internationally.
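The RADIUS exchange described in the list above, as an added example that is not part of the original page or of any particular vendor's gateway. It builds an Access-Request the way a gateway would, hides the User-Password with the RFC 2865 MD5 scheme, lets a minimal server recover and check it, returns Access-Accept with a Class attribute for group mapping (or Access-Reject), and has the gateway verify the Response Authenticator before trusting the verdict. The shared secret, user database and Class value are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example only: a hypothetical shared secret and user database.
SHARED_SECRET = b"s3cr3t-shared-with-the-gateway"
USERS = {b"alice": {"password": b"correct horse battery", "class": b"vpn-engineering"}}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CLASS = 1, 2, 25


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped (so a password cannot end in NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        length = data[i + 1]
        attrs[data[i]] = data[i + 2:i + length]
        i += length
    return attrs

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes) -> bytes:
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password, check it, answer Accept (with Class) or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length < 20 or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    record = users.get(attrs.get(ATTR_USER_NAME, b""))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if record is not None and hmac.compare_digest(record["password"], password):
        reply_code, reply_attrs = ACCESS_ACCEPT, attr(ATTR_CLASS, record["class"])
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    return packet(reply_code, ident, response_authenticator(reply_code, ident, request_auth, reply_attrs, secret), reply_attrs)

def client_verify_reply(reply: bytes, request: bytes, secret: bytes):
    """Gateway side: reject any reply whose Response Authenticator does not match our request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length != len(reply):
        raise ValueError("not a well-formed reply")
    expected = response_authenticator(code, ident, request[4:20], reply[20:length], secret)
    if ident != request[1] or not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: forged, corrupted, or wrong shared secret")
    return code, parse_attrs(reply[20:length])

def authenticate(username: bytes, password: bytes, secret: bytes = SHARED_SECRET, users: dict = USERS):
    """One gateway <-> RADIUS exchange; returns (accepted, Class attribute for group mapping)."""
    request = build_access_request(0x2A, username, password, secret)
    reply = server_handle(request, secret, users)
    code, attrs = client_verify_reply(reply, request, secret)
    return code == ACCESS_ACCEPT, attrs.get(ATTR_CLASS)

if __name__ == "__main__":
    print(authenticate(b"alice", b"correct horse battery"))  # (True, b'vpn-engineering')
    print(authenticate(b"alice", b"wrong"))                  # (False, None)
```

Two points the code makes concrete: the password hiding depends entirely on the Request Authenticator being unpredictable and on the shared secret staying secret, and the Response Authenticator is the only thing stopping an on-path attacker from turning a Reject into an Accept. Both are MD5 constructions, which is why the gateway-to-server link should be tunnelled rather than trusted on its own.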
SSL VPN supports many authentication methods. Once a designated user has logged in to the SSL VPN, he or she can access the designated applications through the designated account, which strengthens the authentication of important systems. Combining methods, for example a certificate on a USB key together with a dynamic token, or a password together with a token, gives stronger protection than any single method on its own.
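The dynamic token item above describes an OATH HMAC-SHA1 one-time password; the following is an added example, not code from the original page or from any token vendor, of what the server side of that scheme looks like. It implements RFC 4226 HOTP (event-synchronised), the RFC 6238 TOTP variant (time-synchronised) as a generalisation, and a verifier that refuses replayed codes while resynchronising a token whose counter has run ahead. The secret is the RFC 4226 test vector seed, used here only so the output can be checked against the published values.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the time-synchronised variant is HOTP with counter = floor(T / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str, look_ahead: int = 10, digits: int = 6):
    """Server-side check for an event-synchronised token.

    Returns the new counter to store on success, or None on failure. Counters below the
    stored value are never tried, so a captured one-time password cannot be replayed; the
    look-ahead window resynchronises a token whose button was pressed without logging in.
    """
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return None
    for counter in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter + 1
    return None


# Constructed example seed: the RFC 4226 test secret (ASCII "12345678901234567890"), not a real token seed.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))  # 755224, 287082, 359152 (RFC 4226 appendix D)
```

The verifier must persist the returned counter before answering the client; if the stored counter is not advanced, the same six digits remain valid and the "one password per login" property is lost. The look-ahead window is the usual trade-off between tolerating a few accidental button presses and giving a guesser more valid codes per attempt, so it should be paired with rate limiting on the login endpoint.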