This is when we can use a VPN client. That VPN client is responsible for connecting to the head end, where the VPN concentrator defines how we should interact with that remote network.
Cisco Anyconnect
Microsoft VPN Client for Windows
OpenVPN
Clientless
Browser
Connect to https://firewall (the IP address or fully qualified domain name of your firewall or VPN concentrator).
When you connect, it is going to have you authenticate, and once you authenticate you'll basically be granted access to an internal portal, which can link you to internal resources.
This is what is sometimes called an SSL VPN. SSL is also known as TLS (two different acronyms that mean roughly the same thing); TLS is just the newer, standardized version of SSL.
It is not as capable as a traditional VPN client, but it is very handy.
Remote Access VPN Operations
The user is on wireless. Assuming this is client based, the user opens up Cisco AnyConnect and clicks "Connect".
At that point, the user's computer is going to build a connection to the firewall, and it's up to the administrator whether that connection should use IPsec or SSL. You can actually change this by department: maybe developers are on IPsec and sales people are on SSL, based on their needs. The web based portal is really nice for steering or guiding your users into a particular type of experience, limiting what they can do and making it easy.
Then, what will the firewall ask us to do? Authenticate.
We would typically have Active Directory, and we point the firewall to that Active Directory; it serves as our AAA server.
The user authenticates by giving a username and password. The firewall goes: "I don't store that kind of stuff, but Active Directory does", so it relays that to AD. AD looks at it and says: "Username and password look good, and I see here that you're a member of IT admins".
AD replies to the firewall: "Yes, you are allowed in, and here is some 'member of' data."
Privileges and permissions are typically granted based on group.
When the firewall sees that data, it picks a policy that tells the user how it is allowed to interact with the network: dos and don'ts, protocols, time of day, etc.
Based on that policy, attributes are returned to the user:
IP address: "You have to have an additional IP to talk in my network"
Firewall policy: can be pushed down to you
DNS: if there is a domain name server inside of the company
Split tunneling:
Split routing says: let's set up a routing table for the client.
Our routing table says: "If you're trying to get to any IP address that matches, for example, 192.168.0.0/16, use the VPN tunnel; otherwise send the traffic unencrypted."
In other words: "If you are going to talk to that network, we want to encapsulate it in ESP and tunnel it, but if you are trying to go somewhere else that is not 192.168.0.0/16, I do not care, just send it normally."
Can be Enabled or Disabled:
When it's enabled, your traffic can go to the corporate office and, at the exact same time, I can open up my web browser and browse content anywhere on the internet.
The downside is that you can actually get hacked.
Example: JavaScript injection on a host machine connected to the corporate office with split tunneling enabled.
Once an attacker has a foothold on your computer, they'll get very interested in that corporate connection you have, and they can then pivot from that one remote system into the corporate office.
If we disable Split Tunneling:
Our route then looks like this: 0.0.0.0/0
The gateway of last resort (the default route) is the least specific route there is.
It says: "If you've got a packet going anywhere on earth, use tunnel 0."
This means that even our internet traffic goes to the corporate headquarters. What do they do with it there?
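The split tunneling decision described above, as an added example that is not part of the original notes: a longest-prefix-match lookup over two constructed client routing tables (the prefixes and the interface names tunnel0 and wlan0 are assumptions), showing that with split tunneling enabled only 192.168.0.0/16 goes through the tunnel, while with it disabled the 0.0.0.0/0 gateway of last resort sends everything, internet traffic included, through tunnel 0.

```python
import ipaddress

# Constructed client routing tables for the two split-tunnel settings
# (example prefixes and interface names, not from any real client config).
SPLIT_TUNNEL_ENABLED = [
    ("192.168.0.0/16", "tunnel0"),  # corporate prefix: ESP-encapsulated via the VPN
    ("0.0.0.0/0", "wlan0"),         # everything else: straight out the local NIC
]

SPLIT_TUNNEL_DISABLED = [
    ("0.0.0.0/0", "tunnel0"),       # gateway of last resort: everything via the VPN
]


def choose_interface(routes, dst):
    """Longest-prefix match, the way a host routing table picks a route.

    routes: list of (prefix, interface) pairs; dst: destination IP string.
    Returns the interface name, or None if no route matches.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_encrypted(routes, dst):
    """True when traffic to dst leaves through the VPN tunnel."""
    return choose_interface(routes, dst) == "tunnel0"


def has_direct_internet_path(routes):
    """True when some route bypasses the tunnel, i.e. the host is on the
    internet and the corporate network at the same time (the pivot risk)."""
    return any(iface != "tunnel0" for _, iface in routes)


if __name__ == "__main__":
    for name, table in (("enabled", SPLIT_TUNNEL_ENABLED),
                        ("disabled", SPLIT_TUNNEL_DISABLED)):
        print(f"split tunneling {name}: direct internet path ="
              f" {has_direct_internet_path(table)}")
        for dst in ("192.168.10.25", "93.184.216.34"):  # constructed destinations
            print(f"  {dst:>15s} -> {choose_interface(table, dst)}")
```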
You could pass all that traffic through a web content engine.
Cisco's is called the Web Security Appliance (WSA). It is a dedicated appliance, so it just looks at HTTP, and while inspecting that web traffic it looks for cross-site scripting, malware, data loss, etc. So we can sanitize all our web traffic at the headquarters and only then send that traffic out to the internet.
When the internet replies, the reply comes into our WSA (or whatever type of proxy you are using), which sanitizes that traffic and then sends it back through the tunnel to the user.
The downside is that everybody's internet traffic flows through the headquarters, which means additional bandwidth and overhead, but it gives us more security because we can control and sanitize that throughput.