ZyXEL North America Tel: 714.632.0882 Fax: 714.632.0858 Email: sales@zyxel.com http://www.us.zyxel.com
Copyright 2008 ZyXEL Communications. ZyXEL is a trademark of ZyXEL Communications, Co. Reproduction in whole or part without permission is prohibited. All other trademarks are the property of their respective owners.
SSL VPNs for Small Business
Product Solution Guide- SSL VPN

0812v100PSG-SSL-VPN

Product Solution Guide

Contents

What is a SSL VPN? Why use SSL over a traditional VPN technology? Typical SSL Users Drawbacks of SSL VPNs Introducing SecuExtender Typical Scenarios Example: ZyWALL Gateway Configuration Example: Existing Gateway Configuration of ZyWALL SSL 15

What is a SSL VPN?

SSL VPNs (Secure Socket Layer Virtual Private Networks) provide access to a companys network resources to individuals who are not on their corporate network. A secure connection is made between their PC and the corporate network over a standard Internet connection. SSL VPNs differ from traditional VPN technology in that no software needs to be installed or configured on the remote computer. The drawbacks of this method are as follows: > A license must be procured for each device that needs to connect to the company network remotely. This is costly, and for larger businesses the management of these licenses can become quite a chore. > IT resources must be used to install and configure the software for each device. > Users need to know in advance that they will need remote access to the network and what device they will use for the access. > These VPN tunnels are based on the IP layer, providing limited opportunity to control individual access to network resources. The use of SSL VPN tunnels overcomes all of these issues. No additional software is required for access to the company VPN and generally there is no need for any configuration changes, all remote users need is a web browser and the web address (URL) for VPN access. The ZyXEL SSL solution, unlike many of its competitors, is based on Java (not Active-X), insuring the broadest range of device/operating system compatibility. Since applications and network shares are accessed via the web interface, it is very easy to set up user- or group-based access to resources, as well as configure various security checks based on the user or group accessing the network. The SSL appliance can be linked directly to the existing user authentication system (Active Directory, RADIUS, LDAP) to allow use of the username and groups already created on the company LAN.
Why use SSL instead of traditional VPN technology?
Most traditional VPNs use IPSec (Internet Protocol Security) to create the secure tunnel to the company network from the remote user, although some traditional VPNs may use PPTP (Point-to-Point Tunneling Protocol) or L2TP (Layer 2 Tunneling Protocol). One of the biggest challenges required when using traditional VPNs is the time and effort required to install and configure the VPN software on each device that needs remote access. Software needs to be installed and configured on each device that is going to connect back to the network, and configuring a VPN client usually needs to be done by trained IT staff, and not by the end user. In addition the VPN aggregator on the company network needs to be configured for each device that will connect to it.

Drawbacks of SSL VPNs

SSL does have a few drawbacks. One of the biggest is that the SSL VPN limits access only to corporate resources that can be shared over a web browser. This restricts users to uploading/downloading files from network shares and web-based applications such as webmail, the company Intranet site, inventory systems, etc. The other big drawback is security. The SSL Security by Token To help increase security on the SSL VPN, ZyXEL recommends the use of a One Time Password (OTP) token, such as ZyXELs ZyWALL OTP which dramatically reduces the chances of the SSL VPN being forcibly hacked, or accessed with stolen credentials. It does this by providing an additional field that must be entered when users want to access the SSL VPN. In addition to needing to provide a username and password, they must also input a 6 digit pin. The pin is generated by small battery operated token (which has a life of up to 3 years) that can be SecuExtender is designed to provide traditional VPN functionality without the traditional VPN hassles. With ZyXELs SecuExtender technology, the user can send/receive just about any type of IP based traffic over the SSL VPN Simply sign in to the SSL VPN, and download a small Java Thankfully, ZyXEL has solutions to both of those problems. applet. No configuration by the end user is necessary. provided to any users wanting to access the SSL VPN. This PIN is constantly changing, defeating any brute force attacks because of the short interval between PINs. It also reduces the risk of someone stealing network credentials to get onto the network, because they not only need to know the valid username/password, but they must have physical possession of a token.

Typical SSL Users

> Users wanting to access files to work at home > Outside sales team wanting to access the inventory or order system, or check for latest price lists > Contractors wanting to easily share files with company employees > Business partners requiring better communications
encryption itself is very safe; this is the same technology that is used to protect millions of online credit card transactions every day. Unlike traditional IPSec (and similar) VPNs, there is no special software required. Any web capable device can access the Intranet, lowering the barriers for those looking to hack into the network.

Introducing SecuExtender

Typical Scenarios
> Jan goes home after work, and that night while watching TV she gets inspired for a new marketing promotion. She rushes to her personal computer, logs into the company network, and types up a short treatment and saves it to the shared drive at work. > Steve is on vacation in Hawaii and gets an urgent call from the office. They are about to close a very big deal and need Steve to review the contract before they sign it. Steve left his laptop > Mike is an outside sales rep. He spends his time on the road, but needs access to the companys web based inventory and order system, as well as access to.pdf copies of promotional material that he can have printed out at Kinkos. at home to help for him to relax, but this is important. No problem, Steve is able to go to the nearby Internet Caf and pull up the document over the SSL VPN connection.

ZyWALL OTP

(One-Time Password)
ZyWALL USG Series Internet

PWR ACT

Local Database User Group1 User Group2

L SSL 10

CONSOLE

WAN 10/4 LAN/DM Z 10/100

SYS CARD

Remote Users

External Database Active Directory

130201

RADIUS
justin zyxel 130201 justin zyxel 130201
Two-Factor Authentication Server
Enter PIN code displayed on the ZyWALL OTP token

Application Diagrams

LAN Zone Firewall DMZ Zone
Employee on Home Computer Employee on Home Computer
ZyWALL UTM or Third-party firewall
WAN Email Server BI System

ZyWALL USG Series

Email Server LAN

BI System

WAN 10/100 LAN/DM Z 10/100

WAN 10/100 LAN/DM Z 10/4

Internet
LAN File Share OA, ERP System CRM System
Employee Laptop In Airport Kiosk or In Hotel Encrypted

Decrypted

Employee Laptop in Airport Kiosk or in Hotel

File Share

Encrypted
OA, ERP System CRM System

Web-based Application

Application Server (Inventory, Store.)

WAN 10/LAN/DM Z 10/3 4

ZyWALL SSL 10
Authorized Partner Authorized Customer

Firewall DMZ Zone

Remote Desktop Network Extend

Remote Desktop

Network Extend

Example: ZyWALL Gateway

- Configuring a SSL VPN with a ZyWALL Firewall Appliance Device: ZyWALL USG Series or ZyWALL 1050 OS: Windows XP / 2000 / 2003 Java: 1.6 or higher Note: Windows Vista is not currently supported. 3. Create Web Applications / Fileshares the Clients will have access to. a. Create a Web Application. Go to Object SSL Application and add a new SSL Application. Point the ZyWALL to the internal web site.

Configuration:

1. Create a user that can access the SSL VPN. Go to Object User / Group.
b. Create a Fileshare. Go to Object SSL Application and add a new SSL Application. Point the ZyWALL to a shared folder on the network. 2. Create an IP Address pool that will be handed out to the SSL VPN User. Go to Object Address.
4. Create the SSL VPN Connection. Go to VPN SSL VPN. a. Add the user that was created for the VPN Connection.
d. Select the networks that the SSL VPN will have access to.
b. Select the SSL Applications for the clients to access.
5. Allow the clients to be able to reach port 443 of the ZyWALL. Go to Firewall and add a new rule for HTTPS from WAN to ZyWALL.
c. Enable Network Extension and select the IP Pool that was created for the VPN.
6. To log into the SSL VPN, the client needs to point their web browser to HTTPS://<WAN IP> and enter their username and password, check on Log into SSL and click Login.

Topology

NAT Firewall 192.168.1.33 192.168.1.34
SSL 10 192.168.2.33 192.168.1.35

Switch

Computer A

Computer B

Configuration
Example: Existing Gateway
- Configuring an SSL Tunnel using a ZyWALL SSL10 and a pre-existing firewall device 2. Create a user account. This will be used at the login screen of the ZyWALL SSL 10. Go to User/Group. 1. Connect an Ethernet cable from the NAT Firewall (LAN or DMZ) to the WAN of the ZyWALL SSL 10 2. Port Forward 443 and 8443* to the WAN IP of the SSL 10 (192.168.1.33) 3. Create firewall exceptions from WAN to (LAN or DMZ) a. Source: Any b. Destination: WAN IP of the SSL 10 (192.168.1.33) c. Port 443 and 8443 4. Create a static route from LAN of the NAT Firewall to the LAN of the SSL 10 ** a. Destination IP: Starting LAN IP of the SSL 10 (192.168.2.1) b. Destination Subnet: Subnet Mask of the LAN of the SSL 10 (255.255.255.0) c. Gateway IP: WAN IP of the SSL 10 (192.168.1.33) d. Metric: 2 3. Create an IP address pool to be handed out to the end users. Go to Object Remote User IP. * Port 8443 is for remote management, this port is optional. ** Static Route is used for Computer A and Computer B to pass data to each other. If there is not a secondary LAN or this is not required, do not add the static route.

Configuration of ZyWALL SSL 10
1. Set a static IP address that is in the same subnet as the LAN of the Firewall on the WAN of the ZyWALL SSL 10. Go to System WAN.
4. Setup the VPN network the clients are to have access too. Go to Object VPN Network and enter in the subnet of the LAN network of the NAT Firewall.
6. If NAT and SPI firewall is enabled (System WAN) you must create an access policy for the user. Go to SSL Access Control and setup when the client can have access to the VPN Network.
5. Setup a policy to enable the authenticated users to have access to the VPN network. Go to SSL. a. Select which user accounts to have access.
b. Select which VPN network the authenticated user to have access too and which IP address pool the user is going to use.

ZyWALL

Quick Info. Guide
ZyWALL USG Series Feature Matrix

Infrastructure Security

ZyWALL USG 2000 ZyWALL USG 1000 ZyWALL USG 300 ZyWALL USG 200 ZyWALL USG 100

Graphic

System Firewall Throughput VPN Throughput (AES) UTM Throughput (AV+IDP+Firewall) Unlimited User Licenses Sessions Max. Concurrent IPSec VPN Tunnels Max. Concurrent SSL VPN Users Physical Port Customizable Zone Networking Routing/NAT/SUA Mode Bridge Mode Mix Mode (Routing+Bridge) VLAN Tagging (802.1q) Wireless Card Support 3G Support Security Firewall IPsec VPN SSL VPN Content Filtering Anti-SPAM Anti-Virus IDS/IDP IM/P2P Management Bandwidth Management User-aware Management High Availability Device HA VPN HA Multiple WANs for Load Balancing Auto Fail-over, Fail-back Dial Backup Redundant Power Module Authentication Method Local Database Radius LDAP Microsoft AD ZyWALL OTP Management WebGUI (HTTP and HTTPS) Command Line Vantage CNM Vantage Report
Note: *1: With SEM-DUAL/SEM-VPN module

*3 *3 *3

2,000 Mbps 500 Mbps*Mbps*2
350 Mbps 150 Mbps 100 Mbps
200 Mbps 100 Mbps 48 Mbps

150 Mbps 75 Mbps 24 Mbps

100 Mbps 50 Mbps 24 Mbps
1,000,000 2,(6) 10/100/1000 GbE (2) Dual-Personality GbE (SFP/RJ45)

500,000 1,(250*3)

60,10 (25*3)
40,x LAN/DMZ, 2 x WAN, 1 x OPT (All GbE)
20,x LAN/DMZ, 2 x WAN (All GbE)

(5) 10/100/1000 GbE

(7) 10/100/1000 GbE
*2: With SEM-DUAL/SEM-UTM module
*3: Available In future firmware release

ZyWALL Feature Matrix

Home Office/SOHO

ZyWALL 2 Plus ZyWALL 2WG

ZyWALL SSL 10
System Firewall Throughput VPN Throughput (AES) UTM Throughput (AV+IDP+Firewall) Unlimited User Licenses Sessions Max. Concurrent IPSec VPN tunnels Max. Concurrent SSL VPN users Wireless Physical Port Customizable Zone WAN Type Ethernet 3G (Optional) Networking Routing/NAT/SUA Mode Bridge Mode Mix Mode (Routing+Bridge) VLAN Tagging (802.1q) Security Firewall IPsec VPN SSL VPN Content Filtering Anti-SPAM Anti-Virus IDS/IDP IM/P2P Bandwidth Management User-aware Management High Availability Device HA VPN HA Multiple WANs for Load Balancing Auto Fail-over, Fail-back Dial Backup Authentication Method Local database Radius LDAP Microsoft AD ZyWALL OTP Management WebGUI (HTTP and HTTPS) Command Line Vantage CNM Vantage Report
Note: *1: Available In future firmware release

24 Mbps 24 Mbps

24 Mbps

3,000 5

4 x LAN, 1 x WAN

4 x LAN/DMZ, 1 x WAN
Maintain Control: Unified Security Gateway helps you win the battle
Challenges that may Drain Your IT Resource
1. Secure Connectivity With the nature, scale and risks associated with significant deployments of new networking technologies, organizations must evaluate solutions to build up a safer infrastructure to secure online transactions. Infrastructure should be tailored to meet operation requirements for expanding remote sites as well as mobile teleworkers.
2. Proactive Protection Malicious virus, worm, exploits could cripple corporate networks and halt business transactions. In addition to severe financial loss, you also risk leakage of confidential information. Your network is bombarded with massive amounts of junk mail (spam). Without intelligent detection and proactive blocking, users have to go through the tedious and time-consuming task of filtering through their email, reducing productivity.
3. Policy Compliance With numerous file-sharing peer-to-peer (P2P) and Instant Messaging (IM) applications, it is easy for company employees to share files and chat online during work hours. File sharing not only compromises network safety with the sharing of questionable files, but may also violate copyright laws and create legal hassles.
4. Network Resilience Broken ISP links, hardware and software failure on the gateway, dead VPN tunnels - these are severe challenges IT staff face when designing the network infrastructure. We need to take fault tolerance of the network path into consideration when designing a network infrastructure for nonstop operations.
ZyWALL USG Series Advantages
The ZyWALL USG series is a high performance, deep packet inspection security solution for small business to enterprise. It embodies a Stateful Packet Inspection (SPI) firewall, Anti-Virus, Intrusion Detection and Prevention (IDP), Content Filtering, Anti-Spam, and VPN (IPSec/SSL/L2TP) in one box. This multilayered security safeguards your organizations customer and company records, intellectual property, and critical resources from external and internal threats.

1. Leading, High Performance UTM Solution
ZyWALL USG series deploys hardware-acceleration technology in one box. Powered by high-performance SecuASIC technology and a hardware-based encryption accelerator, the ZyWALL USG series delivers leading high performance and multi-layer threat protection for small business to enterprises. All ZyWALL USG series support Gigabit Ethernet interfaces.
2. Robust Hybrid VPN (IPSec and SSL)
The ZyWALL USG series can provide secure access from remote locations to corporate resources through the Internet for organizations of any size. Using IPSec VPN companies can secure connections to branch offices, partners, and headquarters. Road warriors and telecommuters can use SSL or L2TP VPN to securely access the company network without having to install VPN software.

3. Managing IM/P2P Abuse

For increasing network efficiency and business productivity, the IM/P2P application needs to be well managed. The ZyWALL USG series support Application Patrol which controls who can use IM and P2P applications like MSN and BitTorrent, and even who can use specific features within an application.
4. Non-Stop Internet Access with Multiple WAN and 3G as backup
The ZyWALL USG not only supports multiple WAN ports but also supports USB 3G or PCMCIA 3G card. This enables it to provide active-active load sharing or active-passive failover configuration to deliver highly reliable network connectivity. To minimize the impact of single-point failures, the ZyWALL USG series support device HA (High Availability) to assure network availability.
5. ICSA Firewall, IPSec, Antivirus Certification
With ICSA certified SPI Firewall, Anti-Virus and IPSec VPN, the ZyWALL USG series enables organizations to take complete control of their network infrastructure and provide the most up-to-date protection against the network threats.
6. Comprehensive Report System
ZyWALL USG series build-in report system which offers a comprehensive set of real-time and historical reports, including firewall, virus and intrusion attacks, bandwidth usage, web site usage, and user activity. Furthermore, with the web-based reporting system, Vantage Report (VRPT), administrators can easily collect traffic data and analyze a distributed network, so organizations are aware of suspicious activity and to ensure increase business productivity.

ZyXEL North America Tel: 800.255.4101
For more product information, visit us on the web at www.us.ZyXEL.com

0808v100qig-Security

Copyright 2008 ZyXEL Communications Corp. All rights reserved. ZyXEL, ZyXEL logo are registered trademarks of ZyXEL Communications Corp. All other brands, product names, or trademarks mentioned are the property of their respective owners. All specifications are subject to change without notice.