Openconnect VPN - Nikos Mavrogiannopoulos, Security Technologies, Red Hat (PowerPoint presentation, February 2016)
  1. Openconnect VPN. Nikos Mavrogiannopoulos, Security Technologies, Red Hat. February, 2016

  2. Outline
     ● VPN story
     ● The server
     ● Future plans

  3. VPN story (slide footer: 3/17/13, Red Hat)

  4. VPN story
     • Task
       – Set up a VPN service to inter-connect router devices

  5.-7. VPN story (diagram slides without text)

  8. VPN story
     • Requirements:
       – Simple setup for users

  9. VPN story
     • Requirements:
       – Standards-based solution

  10. VPN story
     • Requirements:
       – The administrator should be able to view who is connected at every moment

  11. VPN story
     • Requirements:
       – The administrator should be able to disconnect and block access to users

  12.-13. VPN story
     • Solution:
       – Based on OpenVPN and lots of custom scripts

  14.-17. VPN story: how the OpenVPN-based solution measured against the requirements (one callout per slide)
     • Requirements:
       – Simple setup for users (callout: involved configuration files for client setup; TCP/UDP had to be selected by the user)
       – Standards-based solution (callout: was using TLS for key exchange; everything else was custom)
       – The administrator should be able to view who is connected at every moment (callout: no support; lots of custom scripts)
       – The administrator should be able to disconnect and block access to users (callout: no support)

  18. VPN story
     • AnyConnect VPN

  19.-20. VPN story
     • CISCO AnyConnect VPN
       – A proprietary VPN implementation based on standard protocols
       – A VPN channel established over an HTTPS session (TLS 1.x)
       – Supports dual TCP/UDP; UDP via a pre-draft DTLS version
       – Open-source compatible client → openconnect
         ● Implements a compatible protocol we call “Openconnect protocol”
     (callout: standards-compliant VPN)

  21.-22. History
     • OpenConnect doesn't need any user configuration (callout: simple user setup)

       # openconnect server.example.com:443
       POST https://server.example.com/
       Attempting to connect to server 127.0.0.1:443
       SSL negotiation with server.example.com
       Connected to HTTPS on server.example.com
       XML POST enabled
       Please enter your username
       Username:test
       POST https://server.example.com/auth
       Please enter your password.
       Password:
       POST https://server.example.com/auth
       Got CONNECT response: HTTP/1.1 200 CONNECTED
       CSTP connected. DPD 90, Keepalive 32400
       Connected tun0 as 192.168.1.191, using SSL
       Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM).

  23. VPN story
     • Requirements:
       – Simple setup for users
       – Standards-based solution
       – The administrator should be able to view who is connected at every moment
       – The administrator should be able to disconnect and block access to users

  24. VPN story
     • Requirements:
       – Simple setup for users
       – Standards-based solution
       – The administrator should be able to view who is connected at every moment
       – The administrator should be able to disconnect and block access to users
       – The server should isolate users from each other
       – The server should operate under the least possible privilege

  25. The server

  26. The server
     • Openconnect server: started in 2013
     • Today the server interoperates with both openconnect and AnyConnect clients
       – Is available for Linux and *BSD systems

  27. The server
     • Features:
       – Supports password (file, PAM, RADIUS), certificate or Kerberos authentication
       – Supports setting resource limits per client or groups of clients (e.g., cgroups, bandwidth)
       – Processing scales with the number of CPUs
       – Supports LZS, LZ4 compression
       – Supports TLS 1.2, DTLS 1.2 and AES-GCM
       – Supports online user management

  28.-29. The server
     • Features:
       – Privilege separation between main server and worker processes
         ● Isolation of worker processes (using seccomp)
       – Isolated software security module handles PAM/RADIUS and keys
     (callout: user isolation + least privilege)
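The slides above list the server's isolation features but show no configuration. The following ocserv.conf fragment is an added example (not from the deck and not the project's shipped sample) that turns those features on: it drops privileges to a dedicated account, runs each client in an isolated worker, and uses the same DPD/keepalive values that appear in the client transcript on slide 21. The hostname, certificate paths, user name and network values are placeholders; the key names follow the ocserv sample configuration and should be checked against the version actually installed, since defaults and key names have changed between releases.

```ini
# Added example ocserv.conf (placeholder values; not the project's sample file)

# Authentication backend: PAM, matching the isolated security-module design on slide 28.
# Alternative: auth = "plain[passwd=/etc/ocserv/ocpasswd]" for a password file.
auth = "pam"

tcp-port = 443
udp-port = 443

# Least privilege: the main process keeps only what it needs and
# spawns workers under an unprivileged account (assumed to exist).
run-as-user = ocserv
run-as-group = ocserv

# Per-client isolation: each worker is confined with seccomp.
isolate-workers = true

# Unix sockets used between the main process, workers and occtl.
socket-file = /var/run/ocserv-socket
occtl-socket-file = /var/run/occtl.socket
use-occtl = true
pid-file = /var/run/ocserv.pid

# TLS material (placeholder paths). The CA is only needed for certificate auth.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca.pem

# GnuTLS priority string: server picks the cipher suite, SSL 3.0 disabled.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

# Do not offer the pre-DTLS 1.0 legacy negotiation the future-plans slide wants dropped.
# (assumed to exist in the installed version; remove the line if it is rejected)
dtls-legacy = false

# Liveness values; these are the numbers the client printed on slide 21.
dpd = 90
mobile-dpd = 1800
keepalive = 32400

# Limits that bound what a single account can consume.
max-clients = 16
max-same-clients = 2
auth-timeout = 240
min-reauth-time = 300

# Tunnel addressing (placeholder private network).
device = vpns
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 192.168.1.2
compression = true
```

Starting the server in the foreground with `ocserv -f -c /etc/ocserv/ocserv.conf` prints any rejected key on startup. Once clients connect, `occtl show users` gives the "who is connected" view from slide 33 and `occtl disconnect user NAME` ends a session as on slide 36; both talk to the main process over the `occtl-socket-file` path above.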

  30. The server
     • occtl: control tool to administer the server and view clients

  31.-32. The server (screenshots without text)

  33. The server: user overview

  34.-35. The server (screenshots without text)

  36. The server: user disconnect/block

  37. VPN story
     • Requirements:
       – Simple setup for users
       – Standards-based solution
       – The administrator should be able to view who is connected at every moment
       – The administrator should be able to disconnect and block access to users
       – The server should isolate users from each other
       – The server should operate under the least possible privilege

  38. Future plans

  39. Future plans
     • Extend and simplify the openconnect protocol
       – e.g., drop legacy pre-DTLS 1.0 support
       – Publish and standardize on an SSL/VPN protocol
     • Improve performance by utilizing an in-kernel TLS/DTLS stack

  40. Questions
     ● www.infradead.org/openconnect
     ● www.infradead.org/ocserv
