openconnect vpn
play

Openconnect VPN Nikos Mavrogiannopoulos Security Technologies Red - PowerPoint PPT Presentation

Feb 08, 2023 •328 likes •737 views

Openconnect VPN Nikos Mavrogiannopoulos Security Technologies Red Hat February, 2016 VPN story The server Future plans VPN story 3/17/13 3 Red Hat VPN story T ask Setup a VPN service to inter-connect router devices

  1. Openconnect VPN Nikos Mavrogiannopoulos Security Technologies Red Hat February, 2016

  2. ● VPN story ● The server ● Future plans

  3. VPN story 3/17/13 3 Red Hat

  4. VPN story • T ask – Setup a VPN service to inter-connect router devices 3/17/13 4 Red Hat

  5. VPN story 3/17/13 5 Red Hat

  6. VPN story 3/17/13 6 Red Hat

  7. VPN story 3/17/13 7 Red Hat

  8. VPN story • Requirements: – Simple setup for users 3/17/13 8 Red Hat

  9. VPN story • Requirements: – Standards based solution 3/17/13 9 Red Hat

  10. VPN story • Requirements: – The administrator should be able to view who is connected on every moment 3/17/13 10 Red Hat

  11. VPN story • Requirements: – The administrator should be able to disconnect and block access to users 3/17/13 11 Red Hat

  12. VPN story • Solution: – Based on OpenVPN and lots of custom scripts 3/17/13 12 Red Hat

  13. VPN story • Solution: – Based on OpenVPN and lots of custom scripts 3/17/13 13 Red Hat

  14. VPN story • Requirements: Involved configuration files for – Simple setup for users client setup, TCP/UDP had to be selected by user – Standards based solution – The administrator should be able to view who is connected on every moment – The administrator should be able to disconnect and block access to users 3/17/13 14 Red Hat

  15. VPN story • Requirements: Was using TLS for key – Simple setup for users exchange; everything else was custom – Standards based solution – The administrator should be able to view who is connected on every moment – The administrator should be able to disconnect and block access to users 3/17/13 15 Red Hat

  16. VPN story No support; lots • Requirements: of custom scripts – Simple setup for users – Standards based solution – The administrator should be able to view who is connected on every moment – The administrator should be able to disconnect and block access to users 3/17/13 16 Red Hat

  17. VPN story • Requirements: – Simple setup for users – Standards based solution – The administrator should be able to view who is connected on every moment – The administrator should be able to disconnect and block access to users No support 3/17/13 17 Red Hat

  18. VPN story • AnyConnect VPN 3/17/13 18 Red Hat

  19. VPN story • CISCO AnyConnect VPN – A proprietary VPN implementation based on standard protocols – A VPN channel established over an HTTPS session (TLS 1.x) – Supports dual TCP/UDP; UDP via a pre-draft DTLS version – Open-source compatible client → openconnect ● Implements a compatible protocol we call “Openconnect protocol” 3/17/13 20 Red Hat

  20. VPN story • CISCO AnyConnect VPN – A proprietary VPN implementation based on standard protocols – A VPN channel established over an HTTPS session (TLS 1.x) – Supports dual TCP/UDP; UDP via a pre-draft DTLS version – Open-source compatible client → openconnect Standards compliant VPN ● Implements a compatible protocol we call “Openconnect protocol” 3/17/13 21 Red Hat

  21. History • OpenConnect doesn't need any user confjguration # openconnect server.example.com:443 POST https://server.example.com/ Attempting to connect to server 127.0.0.1:443 SSL negotiation with server.example.com Connected to HTTPS on server.example.com XML POST enabled Please enter your username Username:test POST https://server.example.com/auth Please enter your password. Password: POST https://server.example.com/auth Got CONNECT response: HTTP/1.1 200 CONNECTED CSTP connected. DPD 90, Keepalive 32400 Connected tun0 as 192.168.1.191, using SSL Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM). 3/17/13 22 Red Hat

  22. History • OpenConnect doesn't need any user confjguration # openconnect server.example.com:443 POST https://server.example.com/ Attempting to connect to server 127.0.0.1:443 SSL negotiation with server.example.com Connected to HTTPS on server.example.com XML POST enabled Please enter your username Username:test POST https://server.example.com/auth Simple user setup Please enter your password. Password: POST https://server.example.com/auth Got CONNECT response: HTTP/1.1 200 CONNECTED CSTP connected. DPD 90, Keepalive 32400 Connected tun0 as 192.168.1.191, using SSL Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM). 3/17/13 23 Red Hat

  23. VPN story • Requirements: – Simple setup for users – Standards based solution – The administrator should be able to view who is connected on every moment – The administrator should be able to disconnect and block access to users 3/17/13 24 Red Hat

  24. VPN story • Requirements: – Simple setup for users – Standards based solution – The administrator should be able to view who is connected on every moment – The administrator should be able to disconnect and block access to users – The server should isolate users between them – The server should operate under the least possible privilege 3/17/13 25 Red Hat

  25. The server 3/17/13 26 Red Hat

  26. The server • Openconnect server: started in 2013 • T oday the server interoperates with both openconnect and Anyconnect clients – Is available for Linux and *BSD systems 3/17/13 27 Red Hat

  27. The server • Features: – Supports for password (fjle, PAM, radius), certifjcate or Kerberos authentication – Supports setting resource limits per client or groups of clients (e.g., cgroups, bandwidth) – Processing scales with the number of CPUs – Supports LZS, LZ4 compression – Supports TLS 1.2, DTLS 1.2 and AES-GCM – Supports online user management 3/17/13 28 Red Hat

  28. The server • Features: – Privilege separation between main server and worker processes ● Isolation of worker processes (using seccomp) – Isolated software security module handles PAM/radius and keys 3/17/13 29 Red Hat

  29. The server • Features: – Privilege separation between main server and worker processes ● Isolation of worker processes (using seccomp) – Isolated software security module handles PAM/radius and keys User isolation + Least privilege 3/17/13 30 Red Hat

  30. The server • occtl: Control tool to administer the server and view clients 3/17/13 31 Red Hat

  31. The server 3/17/13 32 Red Hat

  32. The server 3/17/13 33 Red Hat

  33. The server User overview 3/17/13 34 Red Hat

  34. The server 3/17/13 35 Red Hat

  35. The server 3/17/13 36 Red Hat

  36. The server User disconnect/block 3/17/13 37 Red Hat

  37. VPN story • Requirements: – Simple setup for users – Standards based solution – The administrator should be able to view who is connected on every moment – The administrator should be able to disconnect and block access to users – The server should isolate users between them – The server should operate under the least possible privilege 3/17/13 38 Red Hat

  38. Future plans 3/17/13 39 Red Hat

  39. Future plans • Extend and simplify the openconnect protocol – e.g., drop legacy pre-DTLS 1.0 support – Publish and standardize on an SSL/VPN protocol • Improve performance by utilizing an in-kernel TLS/DTLS stack 3/17/13 40 Red Hat

  40. Questions ● www.infradead.org/openconnect ● www.infradead.org/ocserv 3/17/13 41 Red Hat

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Overview Simple camera is limiting and it is necessary to model a camera that can be moved

Overview Simple camera is limiting and it is necessary to model a camera that can be moved

General Camera Overview Simple camera is limiting and it is necessary to model a camera that can be moved We will define parameters for a camera in terms of where it is, the direction it points and the direction it considers to

390 views • 7 slides
EE 457 Unit 7d Virtual Memory 2 Virtual Memory Concept A mechanism for hiding the details of

EE 457 Unit 7d Virtual Memory 2 Virtual Memory Concept A mechanism for hiding the details of

1 EE 457 Unit 7d Virtual Memory 2 Virtual Memory Concept A mechanism for hiding the details of how much physical memory exists and how its being shared Allows the OS to Efficiently share the physical memory between several

821 views • 54 slides
Fighting Censorship with TunnelBear Internet Measurement Village - July 2, 2020 Mission driven

Fighting Censorship with TunnelBear Internet Measurement Village - July 2, 2020 Mission driven

Fighting Censorship with TunnelBear Internet Measurement Village - July 2, 2020 Mission driven development We think the Internet is a much better place when everyone can browse privately, and browse the same Internet as everyone else.

234 views • 19 slides
On the complexity of the asymmetric VPN problem Thomas Rothvo & Laura Sanit` a Institute

On the complexity of the asymmetric VPN problem Thomas Rothvo & Laura Sanit` a Institute

On the complexity of the asymmetric VPN problem Thomas Rothvo & Laura Sanit` a Institute of Mathematics EPFL, Lausanne ISMP09 Concave Cost VPN Given: Undirected graph G = ( V, E ), costs c : E Q + Outgoing traffic bound

993 views • 56 slides
BYO Server Build your own virtual server for web hosting, email, VPN, gaming and more using:

BYO Server Build your own virtual server for web hosting, email, VPN, gaming and more using:

Free Technology Workshop BYO Server Build your own virtual server for web hosting, email, VPN, gaming and more using: Organised by Steven Gordon SIIT Bangkadi Network Lab 1pm-4pm Friday 1 August 2014 http://ict.siit.tu.ac.th/moodle/ Virtual

475 views • 5 slides
Elastic Computing from Grid sites to External Clouds GIUSEPPE CODISPOTI, RICCARDO DI MARIA C.

Elastic Computing from Grid sites to External Clouds GIUSEPPE CODISPOTI, RICCARDO DI MARIA C.

Elastic Computing from Grid sites to External Clouds GIUSEPPE CODISPOTI, RICCARDO DI MARIA C. AIFTIMIEI, D. BONACORSI, P. CALLIGOLA, V. CIASCHINI, A. COSTANTINI, S. DAL PRA, D. DEGIRO LA MO, C. GRANDI, D. MICHELOT TO, M . PANELLA, G. PECO, V.

767 views • 17 slides
J.Hrivnac 2.0 AGDD - VRML - X3D <Transform translation="5 6 7"> Transform {

J.Hrivnac 2.0 AGDD - VRML - X3D <Transform translation="5 6 7"> Transform {

J.Hrivnac 2.0 AGDD - VRML - X3D <Transform translation="5 6 7"> Transform { <box <Shape DEF="Example"> translation 5 6 7 name="Example" <Box size = "1 2 3"/> children [

407 views • 9 slides
Introduction to Geant4 Visualization Introduction to Geant4 Visualization HepRep/WIRED Joseph

Introduction to Geant4 Visualization Introduction to Geant4 Visualization HepRep/WIRED Joseph

Introduction to Geant Visualization Geant4 Workshop October 2003 Introduction to Geant4 Visualization Introduction to Geant4 Visualization HepRep/WIRED Joseph Perl SLAC Computing Services DAWN OpenGL Joseph Perl 1 Introduction to Geant

476 views • 35 slides
Introduction Introduction Steve Seitz Steve Seitz Carnegie Mellon University Carnegie Mellon

Introduction Introduction Steve Seitz Steve Seitz Carnegie Mellon University Carnegie Mellon

SIGGRAPH 99 Course on SIGGRAPH 99 Course on 3D Photography 3D Photography http http:// ://www www. .cs cs. .cmu cmu. .edu edu/~ /~seitz seitz/course/3DPhoto. /course/3DPhoto.html html Introduction Introduction Steve Seitz Steve

661 views • 6 slides
Computer Graphics (CS 543) Computer Graphics (CS 543) Lecture 7 (Part 3): Hierarchical 3D Models

Computer Graphics (CS 543) Computer Graphics (CS 543) Lecture 7 (Part 3): Hierarchical 3D Models

Computer Graphics (CS 543) Computer Graphics (CS 543) Lecture 7 (Part 3): Hierarchical 3D Models Prof Emmanuel Agu Computer Science Dept. Worcester Polytechnic Institute (WPI) I Instance Transformation t T f ti Start with unique object (a

311 views • 30 slides
Automatically Generating Virtual Guided Tours Tsai-Yen Li, Jyh-Ming Lien, Shih-Yen Chiu, and

Automatically Generating Virtual Guided Tours Tsai-Yen Li, Jyh-Ming Lien, Shih-Yen Chiu, and

Automatically Generating Virtual Guided Tours Tsai-Yen Li, Jyh-Ming Lien, Shih-Yen Chiu, and Tzong-Hann Yu Computer Science Department National Chengchi University Taipei, Taiwan, R.O.C. Email: {li, s8415, s8433, s8410}@cs.nccu.edu.tw

361 views • 14 slides
1 Agenda Agenda Agenda 1 Classical Columns 2 2 Digital Columns Digital Columns 3

1 Agenda Agenda Agenda 1 Classical Columns 2 2 Digital Columns Digital Columns 3

1 1 Agenda Agenda Agenda 1 Classical Columns 2 2 Digital Columns Digital Columns 3 Cylindrical Screens 4 Interactive Columns 5 Discussion 2 2 1. CLASSICAL COLUMNS 3 3 4 4 5 5 2. DIGITAL COLUMNS 6 6 DIGITAL COLUMNS

871 views • 48 slides
Meshes CS418 Computer Graphics John C. Hart Simple Meshes Cylinder ( x , y , z ) = (cos q

Meshes CS418 Computer Graphics John C. Hart Simple Meshes Cylinder ( x , y , z ) = (cos q

Meshes CS418 Computer Graphics John C. Hart Simple Meshes Cylinder ( x , y , z ) = (cos q , sin q , z ) Cone ( x , y , z ) = (| z| cos q , | z| sin q , z ) Sphere ( x , y , z ) = (cos f cos q , cos f sin q , sin f ) Torus

344 views • 15 slides
World Generators Output Systems Applications A.A. 2018-2019 2/83

World Generators Output Systems Applications A.A. 2018-2019 2/83

Introduction to Virtual Reality Part II Alberto Borghese Applied Intelligent Systems Laboratory (AIS-Lab) Department of Computer Science University of Milano A.A. 2018-2019 1/83 http:\\borghese.di.unimi.it\ Content Introduction

420 views • 41 slides
Visualising and profiling CP models: is the Holy Grail in sight? Maria Garcia de la Banda -

Visualising and profiling CP models: is the Holy Grail in sight? Maria Garcia de la Banda -

Visualising and profiling CP models: is the Holy Grail in sight? Maria Garcia de la Banda - PTGH 2017 Evolution in profiling/visualistion for constraint programming We are here? 2 A bit of history (definitely NOT exhaustive)

903 views • 40 slides
Pseudotriangulations: A Survey and Recent Results G unter Rote, Freie Universit at Berlin

Pseudotriangulations: A Survey and Recent Results G unter Rote, Freie Universit at Berlin

1 Pseudotriangulations: A Survey and Recent Results G unter Rote, Freie Universit at Berlin Journ ees de G eometrie Algorithmique, September 2003, Giens Part I: 0. Introduction, definitions, basic properties 1. Planar Laman graphs

1.37k views • 104 slides
John W. Sarkela jsarkela@exobox.com sarkela@home.com A Production Quality Smalltalk System

John W. Sarkela jsarkela@exobox.com sarkela@home.com A Production Quality Smalltalk System

John W. Sarkela jsarkela@exobox.com sarkela@home.com A Production Quality Smalltalk System for the masses Extend the Spirit of Camp Smalltalk Derived from the original Apple Smalltalk-80 license. Self hosting VM VM written in

228 views • 12 slides
Analy&cal ultracentrifuga&on and hydrodynamic modeling Olwyn

Analy&cal ultracentrifuga&on and hydrodynamic modeling Olwyn

Analy&cal ultracentrifuga&on and hydrodynamic modeling Olwyn Byron School of Life Sciences College of Medical, Veterinary and Life Sciences University

1.33k views • 108 slides
DLMF: SPECIAL FUNCTIONS IN THE 21ST CENTURY Adri B. Olde Daalhuis Maxwell Institute and School

DLMF: SPECIAL FUNCTIONS IN THE 21ST CENTURY Adri B. Olde Daalhuis Maxwell Institute and School

DLMF: SPECIAL FUNCTIONS IN THE 21ST CENTURY Adri B. Olde Daalhuis Maxwell Institute and School of Mathematics, University of Edinburgh, UK I V N E U R S E I H T Y T O H F G R E U D B I N THE DLMF What led to its

1.41k views • 86 slides
Introduzione alla Realt Virtuale Parte II Alberto Borghese Renato Mainetti Applied

Introduzione alla Realt Virtuale Parte II Alberto Borghese Renato Mainetti Applied

Introduzione alla Realt Virtuale Parte II Alberto Borghese Renato Mainetti Applied Intelligent Systems Laboratory (AIS-Lab) Department of Computer Science University of Milano A.A. 2015-2016 1/84 http:\\borghese.di.unimi.it\ Sommario

663 views • 42 slides
Software Installation, release 5.2 http://cern.ch/geant4 The full set of lecture notes of this

Software Installation, release 5.2 http://cern.ch/geant4 The full set of lecture notes of this

Software Installation, release 5.2 http://cern.ch/geant4 The full set of lecture notes of this Geant4 Course is available at http://www.ge.infn.it/geant4/events/nss2003/geant4course.html Outline Outline Supported platforms & compilers

432 views • 15 slides
Outline Introduction Related Work Problem Description and Simplifications System

Outline Introduction Related Work Problem Description and Simplifications System

2001/7/7 Generating Customizable Guided Tours For Networked Virtual Environments Tsai-Yen Li, Lien-Kai Gan, and Chien-Fu Su

460 views • 9 slides
Producing media content for the browsers using GPAC Romain Bouqueau (GPAC Licensing) Cyril

Producing media content for the browsers using GPAC Romain Bouqueau (GPAC Licensing) Cyril

Producing media content for the browsers using GPAC Romain Bouqueau (GPAC Licensing) Cyril Concolato (Telecom ParisTech) 1 GPAC - FOSDEM 2015 Web & Media Web Browsers are more and more capable of playing media data Either simply

171 views • 16 slides
1 Main problem Digital Transformation as Demassification Two interrelated aspects of

1 Main problem Digital Transformation as Demassification Two interrelated aspects of

Analog Experiences in Digital Transformation Introduction Who am I? Andreas Lund Department of Informatics, Ume University Tools, Interactive Institute AB alund@informatik.umu.se Research interest(s) How does

266 views • 8 slides

More recommend