
MIDWESTERN INTERMEDIATE UNIT IV – A CASE STUDY IN INTERNET SECURITY
WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA 98104 www.watchguard.com
5
is on the home network, it is routed to the Exchange server. However, if it is not on the home network, it is
routed to the SSL VPN loopback address that is running on the PC (they accomplish this by specifying a
loopback address like 127.0.0.1 as the IP address for the Exchange server).
Alternatively, some SSL VPN vendors avoid loopback connectors by pointing PCs outside the private
network directly at the SSL VPN server. However, this also requires a split DNS entry (so that PCs outside
the network resolve the application's name to the public SSL VPN server).
Each PC that uses the SSL VPN to access the application will have to change the server name on the client
to point to the new, split DNS entry (at the time of SSL VPN configuration) or to the application connector,
which is part of the SSL VPN Server.
2. Application performance - When a PC client is accessing the server application over an SSL VPN, the
performance of the application is significantly reduced. This is due to the protocol conversions that have to
take place between the PC client and the SSL VPN client and then between the SSL VPN server and the
application. Of course, the opposite protocol conversions have to happen on the return trip of information
from the application to the application client.
For example, an Outlook client would normally use a MAPI protocol to communicate with an Exchange
server. When an SSL VPN is introduced, the Outlook client still communicates via MAPI to the SSL VPN
client. The SSL VPN client converts this information into a custom protocol that it uses to communicate with
the SSL VPN server. The SSL VPN server then has to convert this custom protocol back into a MAPI protocol
that the Exchange server is expecting. The reverse set of protocol conversions happen on the return trip of
information from the Exchange server to the Outlook client.
3. Application upgrades - Most upgrades to an application require a corresponding upgrade to the SSL VPN.
SSL VPNs are sensitive to changes in client server communications protocols. When an application upgrade
brings a change in how that application communicates, the SSL VPN that provides access to remote users
must adapt to that change.
Returning to the Outlook example: if an organization upgrades the Exchange server from version 5.5 to
2000, the MAPI protocol used between the Outlook client and the Exchange server changes. Since the SSL
VPN client and server convert this specific MAPI protocol to the proprietary SSL VPN protocol, the
corresponding protocol conversion on the SSL VPN server has to be upgraded. Furthermore, if the MAPI
protocol between Outlook and the Exchange server changes during a Service Pack upgrade (such as SP3
to SP4), the SSL VPN will also have to be upgraded.
4. Long implementation time and high cost - Webification is a professional services exercise to provide browser
access to a client/server application just so it can be accessed through an SSL VPN.
An SSL VPN Professional Services organization will create an ActiveX, Java applet, or HTML representation of
the application that runs in the PC’s Web browser. This process will require an implementation of a Web