Analysis: Huawei's SSL

2025-02-28 Update. From: SLTechnology News&Howtos > Network Security


Shulou(Shulou.com)06/01 Report--

Note: the word VPN is blocked on this platform, so the original post replaced it with asterisks; it is written out as VPN below.

Advantages:

The most direct advantage is that no dedicated client is needed: the user connects through a web interface, and if a feature requires a browser plug-in, the portal installs it. The technical advantage is that the tunnel is encapsulated above layer 4 (SSL/TLS over TCP), so it is not affected by NAT.

Applicable scenarios:

Point-to-site: only one end (the gateway) needs a public IP address and port; the other end sits behind a private address. Typical scenario: employees on business trips accessing the company's intranet resources.

Access must be restricted per user. Multiple SSL VPN virtual gateways can be configured to isolate access between user groups.

Session establishment process of SSL VPN

Initial establishment: the first session requires 13 message exchanges. Once a session exists, resuming it needs only six packets, so re-establishing a session costs far less than the initial handshake.

Functions provided by SSL VPN

Web proxy:

A. The web proxy has two modes: web rewriting and web link.

i. Web rewriting: provides encryption, turning the real URL to be accessed into an opaque string so that the internal URL is hidden from the user, and terminal adaptation, rewriting pages so they render on different terminal types such as Android devices and PCs.

ii. Web link: plain proxy forwarding with no further processing. Its advantage is that forwarding is faster than web rewriting.

The main function of the web proxy is to let VPN users access internal web sites.
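The URL-hiding part of web rewriting, as an added illustration that is not Huawei's code: internal links in a proxied page are replaced by opaque, integrity-protected tokens under an assumed `/webproxy/` gateway path, and the gateway refuses to resolve a token that has been altered. The stdlib-only cipher construction and the sample page are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re
import secrets

# Gateway-side secrets, generated at start-up for this constructed example.
KEY_ENC = secrets.token_bytes(32)
KEY_MAC = secrets.token_bytes(32)
NONCE_LEN, TAG_LEN = 12, 16


def _keystream(nonce: bytes, length: int) -> bytes:
    # Illustrative stdlib-only stream cipher: HMAC-SHA256 run in counter mode.
    # A real gateway would use an AEAD such as AES-GCM instead.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(KEY_ENC, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encode_url(url: str) -> str:
    # Encrypt-then-MAC: the token reveals nothing about the URL and cannot be forged.
    nonce = os.urandom(NONCE_LEN)
    plain = url.encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(KEY_MAC, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + cipher + tag).rstrip(b"=").decode()


def decode_url(token: str) -> str:
    # Reject malformed or modified tokens so the gateway cannot be used as an open proxy.
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed token")
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(KEY_MAC, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token failed integrity check")
    return bytes(a ^ b for a, b in zip(cipher, _keystream(nonce, len(cipher)))).decode()


# Absolute links in href/src attributes; /webproxy/ is an assumed gateway path, not Huawei's.
LINK_RE = re.compile(r'(href|src)="(https?://[^"]+)"')


def rewrite_html(html: str, gateway: str) -> str:
    # Replace every internal URL with gateway/webproxy/<opaque token>.
    return LINK_RE.sub(
        lambda m: f'{m.group(1)}="{gateway}/webproxy/{encode_url(m.group(2))}"', html)
```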

File sharing: as I understand it, this is a simple protocol-conversion function. The SSL VPN server converts the HTTPS request sent by the client into an SMB request (for Windows file servers) or an NFS request (for Linux file servers) and sends it to the file server, so that remote files can be accessed from the web interface.

Port proxy: the gateway assigns the client a fixed local port (say X) mapped to the intranet IP and port to be forwarded. When the client accesses that IP and port, the local component adds a private header and sends the data to the gateway, which unpacks and decrypts it and forwards it to the intranet server.

Port proxy supports TCP-based application services: those with static ports such as SSH, Telnet and Remote Desktop, and those with dynamic ports such as FTP passive mode and Oracle.
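The private-header step and the gateway's check that a user may actually reach the requested intranet IP and port, as an added example that is not Huawei's code. The header layout, the user names and the policy are constructed; the example covers static-port services only.

```python
import ipaddress
import socket
import struct

# Constructed framing for this example only; it is not Huawei's private header format.
# magic(2) | version(1) | dst_ip(4) | dst_port(2) | payload_len(2), network byte order
HEADER = struct.Struct("!2sB4sHH")
MAGIC, VERSION = b"PP", 1


def wrap(dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    # Client side: prepend the private header before the bytes enter the SSL tunnel.
    return HEADER.pack(MAGIC, VERSION, socket.inet_aton(dst_ip), dst_port, len(payload)) + payload


def unwrap(frame: bytes) -> tuple:
    # Gateway side: parse strictly; anything short, mis-tagged or mis-sized is dropped.
    if len(frame) < HEADER.size:
        raise ValueError("truncated header")
    magic, version, ip_raw, port, length = HEADER.unpack_from(frame)
    if magic != MAGIC or version != VERSION:
        raise ValueError("bad magic or version")
    payload = frame[HEADER.size:]
    if len(payload) != length:
        raise ValueError("payload length mismatch")
    return socket.inet_ntoa(ip_raw), port, payload


# Constructed per-user policy: intranet networks and TCP ports each user may reach.
POLICY = {
    "alice": [(ipaddress.ip_network("10.10.0.0/24"), {22, 3389})],  # SSH and Remote Desktop
    "bob": [(ipaddress.ip_network("10.20.5.0/24"), {1521})],        # Oracle listener only
}


def gateway_forward(user: str, frame: bytes) -> tuple:
    # The gateway, not the client, decides whether the destination is permitted for this user.
    dst_ip, dst_port, _payload = unwrap(frame)
    for net, ports in POLICY.get(user, []):
        if ipaddress.ip_address(dst_ip) in net and dst_port in ports:
            return ("forward", dst_ip, dst_port)
    return ("deny", dst_ip, dst_port)
```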

(The schematic diagram of the port proxy is not reproduced here.)

Network extension:

Network extension is the most powerful mode. The gateway assigns the terminal an intranet IP address, so that it can reach all intranet resources through the established SSL VPN tunnel; the terminal effectively becomes a host on the intranet.

The packet forwarding path is as follows: a packet destined for the intranet subnet matches the route to the virtual network card; after the virtual card receives it, the packet is encapsulated and encrypted and handed to the physical network card, which forwards it according to the routing table. At this point the outer layer 3 header carries the public IP addresses, while the inner layer 3 header, carried inside the SSL encapsulation above layer 4, carries the intranet IP addresses. This is the regular VPN packet model: one layer 3 packet nested inside another.

(The schematic diagram of network extension is not reproduced here.)

i. Starting the network extension function triggers the following actions:

ii. An SSL tunnel is established between the remote user and the virtual gateway.

iii. The remote user's PC automatically creates a virtual network card. The virtual gateway selects an IP address at random from its address pool and assigns it to that virtual card; this address is used for communication between the remote user and the enterprise's intranet servers. With a private network address, the remote user can access intranet resources as easily as a local user.

iv. The virtual gateway pushes routes to the intranet servers to the remote user. Which routes are sent depends on the configuration of the network extension service.

v. The remote user sends a service request to an intranet server; it reaches the virtual gateway through the SSL VPN tunnel.

vi. After receiving the packet, the virtual gateway decapsulates it and sends the service request to the intranet server.

vii. The intranet server responds to the remote user's request.

viii. When the response reaches the virtual gateway, it is placed into the SSL VPN tunnel.

ix. The remote user receives the response, decapsulates it, and extracts the service response.

Network extension actually has three modes:

i. Full routing mode: all packets go to the virtual network card and are forwarded by the virtual gateway.

ii. Split mode: all packets not destined for the local network card's own segment go to the virtual network card and are sourced from the virtual IP. A consequence is that local resources in the same segment as the physical card cannot be reached: since traffic is sourced from the virtual IP, the local subnet has no return route; the remote (peer) subnets are reachable.

iii. Manual mode: the administrator specifies which subnets go through the virtual network card; all other traffic uses the local physical card.

This is my current understanding of Huawei's SSL VPN. It should be enough for the deployments seen on live networks today. This article is only an introduction, and the material I refer to is Huawei's NA-level material; SSL VPN is widely deployed in live networks, so for an actual project or live-network deployment it is worth studying further.

Note that this article is about the principles rather than the actual deployment procedure. I do have hands-on deployment experience; if readers are interested, I will write that up as well. In any case, the documents Huawei provides can serve as templates for most deployments (and are probably better than my own write-up would be).

PS: this article is based on Huawei's USG6000 series firewalls; the screenshots are from Huawei's product documentation and training-institution slides.
