SLIDE 1
Openconnect VPN
Nikos Mavrogiannopoulos Security Technologies Red Hat February, 2016
- VPN story
- The server
- Future plans
Openconnect VPN Nikos Mavrogiannopoulos Security Technologies Red - - PowerPoint PPT Presentation
Openconnect VPN Nikos Mavrogiannopoulos Security Technologies Red - - PowerPoint PPT Presentation
Openconnect VPN Nikos Mavrogiannopoulos Security Technologies Red Hat February, 2016 VPN story The server Future plans VPN story 3/17/13 3 Red Hat VPN story T ask Setup a VPN service to inter-connect router devices
SLIDE 2
SLIDE 3
3/17/13 3 Red Hat
VPN story
SLIDE 4
3/17/13 4 Red Hat
VPN story
- T
ask
–
Setup a VPN service to inter-connect router devices
SLIDE 5
3/17/13 5 Red Hat
VPN story
SLIDE 6
3/17/13 6 Red Hat
VPN story
SLIDE 7
3/17/13 7 Red Hat
VPN story
SLIDE 8
3/17/13 8 Red Hat
VPN story
- Requirements:
–
Simple setup for users
SLIDE 9
3/17/13 9 Red Hat
VPN story
- Requirements:
–
Standards based solution
SLIDE 10
3/17/13 10 Red Hat
VPN story
- Requirements:
–
The administrator should be able to view who is connected on every moment
SLIDE 11
3/17/13 11 Red Hat
VPN story
- Requirements:
–
The administrator should be able to disconnect and block access to users
SLIDE 12
3/17/13 12 Red Hat
VPN story
- Solution:
–
Based on OpenVPN and lots of custom scripts
SLIDE 13
3/17/13 13 Red Hat
VPN story
- Solution:
–
Based on OpenVPN and lots of custom scripts
SLIDE 14
3/17/13 14 Red Hat
VPN story
- Requirements:
–
Simple setup for users
–
Standards based solution
–
The administrator should be able to view who is connected on every moment
–
The administrator should be able to disconnect and block access to users
Involved configuration files for client setup, TCP/UDP had to be selected by user
SLIDE 15
3/17/13 15 Red Hat
VPN story
- Requirements:
–
Simple setup for users
–
Standards based solution
–
The administrator should be able to view who is connected on every moment
–
The administrator should be able to disconnect and block access to users
Was using TLS for key exchange; everything else was custom
SLIDE 16
3/17/13 16 Red Hat
VPN story
- Requirements:
–
Simple setup for users
–
Standards based solution
–
The administrator should be able to view who is connected on every moment
–
The administrator should be able to disconnect and block access to users
No support; lots
- f custom scripts
SLIDE 17
3/17/13 17 Red Hat
VPN story
- Requirements:
–
Simple setup for users
–
Standards based solution
–
The administrator should be able to view who is connected on every moment
–
The administrator should be able to disconnect and block access to users
No support
SLIDE 18
3/17/13 18 Red Hat
VPN story
- AnyConnect VPN
SLIDE 19
3/17/13 20 Red Hat
VPN story
- CISCO AnyConnect VPN
–
A proprietary VPN implementation based on standard protocols
–
A VPN channel established over an HTTPS session (TLS 1.x)
–
Supports dual TCP/UDP; UDP via a pre-draft DTLS version
–
Open-source compatible client → openconnect
- Implements a compatible protocol we call “Openconnect protocol”
SLIDE 20
3/17/13 21 Red Hat
VPN story
- CISCO AnyConnect VPN
–
A proprietary VPN implementation based on standard protocols
–
A VPN channel established over an HTTPS session (TLS 1.x)
–
Supports dual TCP/UDP; UDP via a pre-draft DTLS version
–
Open-source compatible client → openconnect
- Implements a compatible protocol we call “Openconnect protocol”
Standards compliant VPN
SLIDE 21
3/17/13 22 Red Hat
History
- OpenConnect doesn't need any user confjguration
# openconnect server.example.com:443
POST https://server.example.com/ Attempting to connect to server 127.0.0.1:443 SSL negotiation with server.example.com Connected to HTTPS on server.example.com XML POST enabled Please enter your username Username:test POST https://server.example.com/auth Please enter your password. Password: POST https://server.example.com/auth Got CONNECT response: HTTP/1.1 200 CONNECTED CSTP connected. DPD 90, Keepalive 32400 Connected tun0 as 192.168.1.191, using SSL Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM).
SLIDE 22
3/17/13 23 Red Hat
History
- OpenConnect doesn't need any user confjguration
# openconnect server.example.com:443
POST https://server.example.com/ Attempting to connect to server 127.0.0.1:443 SSL negotiation with server.example.com Connected to HTTPS on server.example.com XML POST enabled Please enter your username Username:test POST https://server.example.com/auth Please enter your password. Password: POST https://server.example.com/auth Got CONNECT response: HTTP/1.1 200 CONNECTED CSTP connected. DPD 90, Keepalive 32400 Connected tun0 as 192.168.1.191, using SSL Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM).
Simple user setup
SLIDE 23
3/17/13 24 Red Hat
VPN story
- Requirements:
–
Simple setup for users
–
Standards based solution
–
The administrator should be able to view who is connected on every moment
–
The administrator should be able to disconnect and block access to users
SLIDE 24
3/17/13 25 Red Hat
VPN story
- Requirements:
–
Simple setup for users
–
Standards based solution
–
The administrator should be able to view who is connected on every moment
–
The administrator should be able to disconnect and block access to users
–
The server should isolate users between them
–
The server should operate under the least possible privilege
SLIDE 25
3/17/13 26 Red Hat
The server
SLIDE 26
3/17/13 27 Red Hat
The server
- Openconnect server: started in 2013
- T
- day the server interoperates with both openconnect and Anyconnect clients
–
Is available for Linux and *BSD systems
SLIDE 27
3/17/13 28 Red Hat
The server
- Features:
–
Supports for password (fjle, PAM, radius), certifjcate or Kerberos authentication
–
Supports setting resource limits per client or groups of clients (e.g., cgroups, bandwidth)
–
Processing scales with the number of CPUs
–
Supports LZS, LZ4 compression
–
Supports TLS 1.2, DTLS 1.2 and AES-GCM
–
Supports online user management
SLIDE 28
3/17/13 29 Red Hat
The server
- Features:
–
Privilege separation between main server and worker processes
- Isolation of worker processes (using seccomp)
–
Isolated software security module handles PAM/radius and keys
SLIDE 29
3/17/13 30 Red Hat
The server
- Features:
–
Privilege separation between main server and worker processes
- Isolation of worker processes (using seccomp)
–
Isolated software security module handles PAM/radius and keys
User isolation + Least privilege
SLIDE 30
3/17/13 31 Red Hat
The server
- occtl: Control tool to administer the server and view clients
SLIDE 31
3/17/13 32 Red Hat
The server
SLIDE 32
3/17/13 33 Red Hat
The server
SLIDE 33
3/17/13 34 Red Hat
The server
User overview
SLIDE 34
3/17/13 35 Red Hat
The server
SLIDE 35
3/17/13 36 Red Hat
The server
SLIDE 36
3/17/13 37 Red Hat
The server
User disconnect/block
SLIDE 37
3/17/13 38 Red Hat
VPN story
- Requirements:
–
Simple setup for users
–
Standards based solution
–
The administrator should be able to view who is connected on every moment
–
The administrator should be able to disconnect and block access to users
–
The server should isolate users between them
–
The server should operate under the least possible privilege
SLIDE 38
3/17/13 39 Red Hat
Future plans
SLIDE 39
3/17/13 40 Red Hat
Future plans
- Extend and simplify the openconnect protocol
–
e.g., drop legacy pre-DTLS 1.0 support
–
Publish and standardize on an SSL/VPN protocol
- Improve performance by utilizing an in-kernel TLS/DTLS stack
SLIDE 40
3/17/13 41 Red Hat
Questions
- www.infradead.org/openconnect
- www.infradead.org/ocserv