
ZyXEL North America Tel: 714.632.0882 Fax: 714.632.0858 Email: sales@zyxel.com http://www.us.zyxel.com

Copyright 2008 ZyXEL Communications. ZyXEL is a trademark of ZyXEL Communications, Co. Reproduction in whole or part without permission is prohibited. All other trademarks are the property of their respective owners.

SSL VPNs for Small Business


Product Solution Guide- SSL VPN

0812v100PSG-SSL-VPN


Contents
What is a SSL VPN? 4
Why use SSL over a traditional VPN technology? 4
Typical SSL Users 5
Drawbacks of SSL VPNs 5
Introducing SecuExtender 6
Typical Scenarios 7
Example: ZyWALL Gateway 9
Configuration 9
Example: Existing Gateway 15
Configuration of ZyWALL SSL 10 15


What is a SSL VPN?


SSL VPNs (Secure Socket Layer Virtual Private Networks) provide access to a company's network resources to individuals who are not on their corporate network. A secure connection is made between their PC and the corporate network over a standard Internet connection. SSL VPNs differ from traditional VPN technology in that no software needs to be installed or configured on the remote computer. The drawbacks of the traditional method are as follows:

> A license must be procured for each device that needs to connect to the company network remotely. This is costly, and for larger businesses the management of these licenses can become quite a chore.
> IT resources must be used to install and configure the software for each device.
> Users need to know in advance that they will need remote access to the network and what device they will use for the access.
> These VPN tunnels are based on the IP layer, providing limited opportunity to control individual access to network resources.

The use of SSL VPN tunnels overcomes all of these issues. No additional software is required for access to the company VPN and generally there is no need for any configuration changes; all remote users need is a web browser and the web address (URL) for VPN access. The ZyXEL SSL solution, unlike many of its competitors, is based on Java (not ActiveX), ensuring the broadest range of device/operating system compatibility. Since applications and network shares are accessed via the web interface, it is very easy to set up user- or group-based access to resources, as well as to configure various security checks based on the user or group accessing the network. The SSL appliance can be linked directly to the existing user authentication system (Active Directory, RADIUS, LDAP) to allow use of the usernames and groups already created on the company LAN.

Why use SSL instead of traditional VPN technology?


Most traditional VPNs use IPSec (Internet Protocol Security) to create the secure tunnel from the remote user to the company network, although some traditional VPNs may use PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol). One of the biggest challenges when using traditional VPNs is the time and effort required to install and configure the VPN software on each device that needs remote access. Software needs to be installed and configured on each device that is going to connect back to the network, and configuring a VPN client usually needs to be done by trained IT staff, not by the end user. In addition, the VPN aggregator on the company network needs to be configured for each device that will connect to it.


Typical SSL Users

> Users wanting to access files to work at home
> Outside sales team wanting to access the inventory or order system, or check for latest price lists
> Contractors wanting to easily share files with company employees
> Business partners requiring better communications

Drawbacks of SSL VPNs

SSL does have a few drawbacks. One of the biggest is that the SSL VPN limits access only to corporate resources that can be shared over a web browser. This restricts users to uploading/downloading files from network shares and web-based applications such as webmail, the company Intranet site, inventory systems, etc.

The other big drawback is security. The SSL encryption itself is very safe; this is the same technology that is used to protect millions of online credit card transactions every day. Unlike traditional IPSec (and similar) VPNs, there is no special software required. Any web capable device can access the Intranet, lowering the barriers for those looking to hack into the network.

Thankfully, ZyXEL has solutions to both of those problems.

Security by Token

To help increase security on the SSL VPN, ZyXEL recommends the use of a One Time Password (OTP) token, such as ZyXEL's ZyWALL OTP, which dramatically reduces the chances of the SSL VPN being forcibly hacked or accessed with stolen credentials. It does this by providing an additional field that must be entered when users want to access the SSL VPN. In addition to needing to provide a username and password, they must also input a 6 digit PIN. The PIN is generated by a small battery operated token (which has a life of up to 3 years) that can be provided to any users wanting to access the SSL VPN. This PIN is constantly changing, defeating any brute force attacks because of the short interval between PINs. It also reduces the risk of someone stealing network credentials to get onto the network, because they not only need to know the valid username/password, but they must have physical possession of a token.

Introducing SecuExtender

SecuExtender is designed to provide traditional VPN functionality without the traditional VPN hassles. With ZyXEL's SecuExtender technology, the user can send/receive just about any type of IP based traffic over the SSL VPN. Simply sign in to the SSL VPN and download a small Java applet. No configuration by the end user is necessary.
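The token PIN described under Security by Token is a second factor that the gateway checks alongside the username and password. As an added illustration (not ZyXEL's code, and not a description of how the ZyWALL OTP token itself is implemented), the following Python models that second factor as an HMAC-based time-step code (RFC 4226 / RFC 6238 style) with a one-step tolerance window and rejection of a PIN that has already been used. The 30-second step, the token seed, the salt and the demo account are assumptions made for the example; the username/password pair is the one shown in the guide's diagram.

```python
"""Two-factor login with a 6-digit one-time PIN and a short validity window.

Added example, not ZyXEL code. The guide describes a token PIN that changes on a
short interval and is entered together with the username and password. This
models that second factor as an HMAC-based time-step code (RFC 4226 / RFC 6238);
the step length, the token seed and the demo account are assumptions made here.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed interval between PINs
DIGITS = 6          # the guide states a 6 digit PIN
WINDOW = 1          # accept one step either side to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """What the token displays at Unix time `now`."""
    return hotp(secret, now // STEP_SECONDS)


class OtpVerifier:
    """Server side of the token check: per-user seeds plus replay tracking."""

    def __init__(self, seeds: dict):
        self._seeds = seeds
        self._last_counter = {}   # user -> highest time step already consumed

    def verify(self, user: str, pin: str, now: int) -> bool:
        seed = self._seeds.get(user)
        if seed is None or len(pin) != DIGITS or not pin.isdigit():
            return False
        current = now // STEP_SECONDS
        for counter in range(current - WINDOW, current + WINDOW + 1):
            # constant-time comparison so timing does not reveal matching digits
            if hmac.compare_digest(hotp(seed, counter), pin):
                # a PIN is valid once: reject a replayed or older time step
                if counter <= self._last_counter.get(user, -1):
                    return False
                self._last_counter[user] = counter
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server never stores the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo account: the username/password pair is the one shown in the
# guide's diagram; the salt and token seed are invented for this example.
SALT = b"constructed-per-user-salt"
USERS = {"justin": hash_password("zyxel", SALT)}
SEEDS = {"justin": b"constructed-token-seed"}


def login(verifier: OtpVerifier, user: str, password: str, pin: str, now: int) -> bool:
    """Both factors must pass: the password hash first, then the token PIN."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, hash_password(password, SALT)):
        return False
    return verifier.verify(user, pin, now)


if __name__ == "__main__":
    verifier = OtpVerifier(SEEDS)
    now = 1_234_567_890
    pin = totp(SEEDS["justin"], now)           # what the user reads off the token
    print("first login:", login(verifier, "justin", "zyxel", pin, now))
    print("replayed PIN:", login(verifier, "justin", "zyxel", pin, now + 5))
```

The replay check is what turns the "short interval between PINs" into a real defence: a PIN that was captured during one login is refused if presented again within the same window, so the attacker needs the token, not a copy of one display. A production verifier would additionally rate-limit failed attempts per user, since six digits with a tolerance window is still a small space for an online guess.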


Typical Scenarios

> Jan goes home after work, and that night while watching TV she gets inspired for a new marketing promotion. She rushes to her personal computer, logs into the company network, types up a short treatment and saves it to the shared drive at work.
> Steve is on vacation in Hawaii and gets an urgent call from the office. They are about to close a very big deal and need Steve to review the contract before they sign it. Steve left his laptop at home to help him relax, but this is important. No problem, Steve is able to go to the nearby Internet Café and pull up the document over the SSL VPN connection.
> Mike is an outside sales rep. He spends his time on the road, but needs access to the company's web based inventory and order system, as well as access to .pdf copies of promotional material that he can have printed out at Kinko's.
[Diagram: Two-Factor Authentication with the ZyWALL OTP (One-Time Password). Labels shown: Remote Users, Internet, ZyWALL USG Series / ZyWALL SSL 10, Local Database (User Group1, User Group2), External Database (Active Directory, RADIUS, LDAP), Two-Factor Authentication Server, "Enter PIN code displayed on the ZyWALL OTP token". Example login shown: justin / zyxel / 130201.]

Application Diagrams

[Diagram: ZyWALL USG Series gateway. Labels shown: LAN Zone (Email Server, BI System, File Share, OA/ERP System, CRM System), DMZ Zone (Web-based Application, Application Server (Inventory, Store..)), WAN, Internet, Employee on Home Computer, Employee Laptop in Airport Kiosk or in Hotel, Encrypted / Decrypted.]

[Diagram: ZyWALL SSL 10 behind a ZyWALL UTM or Third-party firewall. Labels shown: Firewall DMZ Zone, Authorized Partner, Authorized Customer, Remote Desktop, Network Extend.]


Example: ZyWALL Gateway - Configuring a SSL VPN with a ZyWALL Firewall Appliance

Device: ZyWALL USG Series or ZyWALL 1050
OS: Windows XP / 2000 / 2003
Java: 1.6 or higher
Note: Windows Vista is not currently supported.

Configuration:
1. Create a user that can access the SSL VPN. Go to Object > User / Group.
2. Create an IP Address pool that will be handed out to the SSL VPN User. Go to Object > Address.
3. Create Web Applications / Fileshares the Clients will have access to.
   a. Create a Web Application. Go to Object > SSL Application and add a new SSL Application. Point the ZyWALL to the internal web site.
   b. Create a Fileshare. Go to Object > SSL Application and add a new SSL Application. Point the ZyWALL to a shared folder on the network.
4. Create the SSL VPN Connection. Go to VPN > SSL VPN.
   a. Add the user that was created for the VPN Connection.
   b. Select the SSL Applications for the clients to access.
   c. Enable Network Extension and select the IP Pool that was created for the VPN.
   d. Select the networks that the SSL VPN will have access to.
5. Allow the clients to reach port 443 of the ZyWALL. Go to Firewall and add a new rule for HTTPS from WAN to ZyWALL.
6. To log into the SSL VPN, the client needs to point their web browser to HTTPS://<WAN IP>, enter their username and password, check "Log into SSL" and click Login.

Example: Existing Gateway - Configuring an SSL Tunnel using a ZyWALL SSL 10 and a pre-existing firewall device

Topology

[Diagram: labels shown are Internet, NAT Firewall, Switch, SSL 10, Computer A and Computer B; addresses shown are 192.168.1.33, 192.168.1.34, 192.168.1.35 and 192.168.2.33.]

Configuration
1. Connect an Ethernet cable from the NAT Firewall (LAN or DMZ) to the WAN of the ZyWALL SSL 10.
2. Port Forward 443 and 8443* to the WAN IP of the SSL 10 (192.168.1.33).
3. Create firewall exceptions from WAN to (LAN or DMZ):
   a. Source: Any
   b. Destination: WAN IP of the SSL 10 (192.168.1.33)
   c. Port 443 and 8443
4. Create a static route from the LAN of the NAT Firewall to the LAN of the SSL 10**:
   a. Destination IP: Starting LAN IP of the SSL 10 (192.168.2.1)
   b. Destination Subnet: Subnet Mask of the LAN of the SSL 10 (255.255.255.0)
   c. Gateway IP: WAN IP of the SSL 10 (192.168.1.33)
   d. Metric: 2

* Port 8443 is for remote management; this port is optional.
** The static route is used for Computer A and Computer B to pass data to each other. If there is not a secondary LAN or this is not required, do not add the static route.

Configuration of ZyWALL SSL 10
1. Set a static IP address on the WAN of the ZyWALL SSL 10 that is in the same subnet as the LAN of the Firewall. Go to System > WAN.
2. Create a user account. This will be used at the login screen of the ZyWALL SSL 10. Go to User/Group.
3. Create an IP address pool to be handed out to the end users. Go to Object > Remote User IP.
4. Set up the VPN network the clients are to have access to. Go to Object > VPN Network and enter the subnet of the LAN network of the NAT Firewall.
5. Set up a policy to enable the authenticated users to have access to the VPN network. Go to SSL.
   a. Select which user accounts have access.
   b. Select which VPN network the authenticated user has access to and which IP address pool the user is going to use.
6. If NAT and SPI firewall is enabled (System > WAN) you must create an access policy for the user. Go to SSL > Access Control and set up when the client can have access to the VPN Network.
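The settings on the pre-existing firewall and on the ZyWALL SSL 10 have to agree with each other: the SSL 10's WAN address must be in the firewall's LAN subnet, the static route must point at that address, the remote user pool must not collide with a network that is already in use, and only port 443 (plus 8443 if remote management is really wanted) should be opened. The following Python is an added example, not ZyXEL's configuration or software: it models the values from the steps above as data and reports any inconsistency before a port is opened on the WAN. The firewall LAN 192.168.1.0/24 and the VPN network are inferred from the example address 192.168.1.33; the remote user pool 192.168.50.0/24 and the firewall LAN address 192.168.1.1 are constructed.

```python
"""Pre-flight consistency check for the 'existing gateway' topology.

Added example, not ZyXEL code. It models the settings the guide asks for on
the pre-existing NAT firewall and on the ZyWALL SSL 10 and checks that they
agree before anyone opens a port on the WAN. 192.168.1.33 and 192.168.2.0/24
come from the guide; the firewall LAN address and the user pool are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network

SSL_PORTAL_PORT = 443      # client browsers connect here
MGMT_PORT = 8443           # remote management; optional per the guide


@dataclass
class NatFirewall:
    lan: str                        # firewall LAN interface, e.g. "192.168.1.1/24"
    forwards: dict                  # {wan_port: (target_ip, target_port)}
    static_routes: list = field(default_factory=list)  # (dest_net, gateway, metric)


@dataclass
class Ssl10:
    wan_ip: str                     # static IP on the SSL 10 WAN
    lan: str                        # SSL 10 LAN interface, e.g. "192.168.2.1/24"
    remote_user_pool: str           # addresses handed to connected clients
    vpn_network: str                # network the clients may reach


def check_topology(fw: NatFirewall, ssl10: Ssl10, secondary_lan: bool) -> list:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    fw_lan = ip_interface(fw.lan).network
    ssl_wan = ip_address(ssl10.wan_ip)
    ssl_lan = ip_interface(ssl10.lan).network
    pool = ip_network(ssl10.remote_user_pool)
    vpn_net = ip_network(ssl10.vpn_network)

    # SSL 10 step 1: its WAN address must sit inside the firewall's LAN subnet
    if ssl_wan not in fw_lan:
        findings.append(f"SSL 10 WAN {ssl_wan} is not inside firewall LAN {fw_lan}")

    # Firewall step 2: 443 must reach the SSL 10; 8443 is optional management
    if fw.forwards.get(SSL_PORTAL_PORT) != (str(ssl_wan), SSL_PORTAL_PORT):
        findings.append("port 443 is not forwarded to the SSL 10 WAN IP")
    if MGMT_PORT in fw.forwards:
        findings.append("port 8443 (remote management) is exposed to the WAN; "
                        "leave it closed unless remote management is required")
    for port in fw.forwards:
        if port not in (SSL_PORTAL_PORT, MGMT_PORT):
            findings.append(f"unexpected WAN port {port} forwarded")

    # Firewall step 4: static route only when a secondary LAN exists
    routes = [r for r in fw.static_routes if ip_network(r[0]) == ssl_lan]
    if secondary_lan:
        if not routes:
            findings.append(f"no static route for SSL 10 LAN {ssl_lan}")
        for dest, gateway, _metric in routes:
            if ip_address(gateway) != ssl_wan:
                findings.append(f"route to {dest} uses gateway {gateway}, expected {ssl_wan}")
    elif routes:
        findings.append("static route present but no secondary LAN; remove it")

    # SSL 10 step 3: the user pool must not collide with a network in use
    for name, net in (("firewall LAN", fw_lan), ("SSL 10 LAN", ssl_lan)):
        if pool.overlaps(net):
            findings.append(f"remote user pool {pool} overlaps {name} {net}")

    # SSL 10 step 4: the VPN network is the firewall's LAN subnet
    if vpn_net != fw_lan:
        findings.append(f"VPN network {vpn_net} does not match firewall LAN {fw_lan}")
    return findings


# Plan following the guide's addresses (firewall LAN address and pool constructed)
GUIDE_FIREWALL = NatFirewall(
    lan="192.168.1.1/24",
    forwards={443: ("192.168.1.33", 443)},
    static_routes=[("192.168.2.0/24", "192.168.1.33", 2)],
)
GUIDE_SSL10 = Ssl10(
    wan_ip="192.168.1.33",
    lan="192.168.2.1/24",
    remote_user_pool="192.168.50.0/24",
    vpn_network="192.168.1.0/24",
)

if __name__ == "__main__":
    for finding in check_topology(GUIDE_FIREWALL, GUIDE_SSL10, secondary_lan=True) or ["OK"]:
        print(finding)
```

Run as-is it prints `OK` for the guide's plan; adding an 8443 forward, moving the SSL 10 WAN address out of the firewall's subnet, or choosing a user pool that overlaps a LAN each produces a finding. The management-port check reflects the guide's own footnote that 8443 is optional: a port that is only needed for administration is better opened on demand than left reachable from the Internet.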

