Guide to SSL Vpns
Total Page:16
File Type:pdf, Size:1020Kb
Special Publication 800-113 Guide to SSL VPNs Recommendations of the National Institute of Standards and Technology Sheila Frankel Paul Hoffman Angela Orebaugh Richard Park NIST Special Publication 800-113 Guide to SSL VPNs Recommendations of the National Institute of Standards and Technology Sheila Frankel Paul Hoffman Angela Orebaugh Richard Park C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 July 2008 U.S. Department of Commerce Carlos M. Gutierrez, Secretary National Institute of Standards and Technology James M. Turner, Deputy Director GUIDE TO SSL VPNS Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-113 Natl. Inst. Stand. Technol. Spec. Publ. 800-113, 87 pages (July 2008) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessa rily the best available for the purpose. ii GUIDE TO SSL VPNS Acknowledgements The authors, Sheila Frankel of the National Institute of Standards and Technology (NIST), Paul Hoffman of the Virtual Private Network Consortium (VPNC), and Angela Orebaugh and Richard Park of Booz Allen Hamilton, wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content, especially Elaine Barker, Jim St. Pierre and Tim Polk of NIST. The authors would like to acknowledge Tim Grance and Karen Scarfone of NIST for their keen and insightful assistance throughout the development of the document. The authors particularly want to thank Guy Snyder, Darren Hartman and Thang Phan of ICSA Labs for their careful review and valuable contributions to improving the quality of this publication. The authors would also like to express their thanks to Mike Hillhouse of Juniper Networks and Mahesh Jethanandani of Cisco for their worthwhile comments and suggestions. iii GUIDE TO SSL VPNS Table of Contents Executive Summary..............................................................................................................ES-1 1. Introduction ......................................................................................................................1-1 1.1 Authority...................................................................................................................1-1 1.2 Purpose and Scope .................................................................................................1-1 1.3 Audience ..................................................................................................................1-1 1.4 Document Structure .................................................................................................1-1 2. Network and Transport Layer Security ..........................................................................2-1 2.1 The Need for Network and Transport Layer Security...............................................2-1 2.2 Virtual Private Networking (VPN).............................................................................2-4 2.2.1 SSL Portal VPNs ..........................................................................................2-5 2.2.2 SSL Tunnel VPNs.........................................................................................2-5 2.2.3 Administering SSL VPNs..............................................................................2-5 2.3 Summary..................................................................................................................2-6 3. SSL VPN Fundamentals ..................................................................................................3-1 3.1 SSL VPN Architecture..............................................................................................3-1 3.2 SSL VPN Functions .................................................................................................3-2 3.3 SSL VPN Features and Security Services...............................................................3-3 3.3.1 Manageability ...............................................................................................3-4 3.3.2 High Availability and Scalability ....................................................................3-4 3.3.3 Portal Customization ....................................................................................3-5 3.3.4 Authentication...............................................................................................3-5 3.3.5 Encryption and Integrity Protection...............................................................3-6 3.3.6 Access Control .............................................................................................3-6 3.3.7 Endpoint Security Controls ...........................................................................3-8 3.3.8 Intrusion Prevention......................................................................................3-9 3.4 SSL Protocol Basics ................................................................................................3-9 3.4.1 Versions of SSL and TLS .............................................................................3-9 3.4.2 Cryptography Used in SSL Sessions .........................................................3-10 3.4.3 Authentication Used for Identifying SSL Servers........................................3-10 3.5 SSL VPN Challenges.............................................................................................3-11 3.6 Summary................................................................................................................3-12 4. SSL VPN Planning and Implementation.........................................................................4-1 4.1 Identify Requirements ..............................................................................................4-1 4.2 SSL VPNs and FIPS 140-2 Approval.......................................................................4-2 4.2.1 Versions of SSL............................................................................................4-3 4.2.2 Key Establishment Used by SSL..................................................................4-3 4.2.3 Hash Functions Used by SSL.......................................................................4-4 4.2.4 SSL Encryption.............................................................................................4-4 4.2.5 Certificates Used During SSL Negotiations..................................................4-4 4.3 Design the Solution..................................................................................................4-5 4.3.1 Design the Access Control Policy.................................................................4-6 4.3.2 Design the Endpoint Security Policy.............................................................4-9 4.3.3 Select the Authentication Methods .............................................................4-11 4.3.4 Design the Architecture ..............................................................................4-12 iv GUIDE TO SSL VPNS 4.3.5 Cryptography Policy and FIPS Compliance ...............................................4-23 4.3.6 Other Design Decisions..............................................................................4-23 4.3.7 Summary of Design Decisions ...................................................................4-24 4.4 Implement and Test Prototype...............................................................................4-25 4.4.1 Application and Client Interoperability ........................................................4-27 4.5 Deploy the Solution................................................................................................4-28 4.6 Manage the Solution ..............................................................................................4-29 4.7 Summary................................................................................................................4-30 5. SSL VPN Recommended Practices ................................................................................5-1 6. Alternatives to SSL VPNs................................................................................................6-1 6.1 Data Link Layer VPN Protocols ...............................................................................6-1 6.2 Network Layer VPN Protocols .................................................................................6-2