User Authentication and Access Privilege Management
Effectively managing the VPN users and their access privileges is the core consideration in any remote access VPN design. There are mainly two aspects:
- A scalable and secure solution to authenticate users
- Decisions on what access privilege to grant to the users based on various user and security attributes
Many organizations migrate from existing IPsec-based remote access VPNs to SSL VPN, whereas others simply add SSL VPN alongside their existing remote access VPN. The good news is that SSL VPN fits well into the existing authentication infrastructure.
User Authentication
Although this section focuses on user authentication, first step back for a quick look at the big picture. AAA stands for authentication (who you are), authorization (what you are allowed to do), and accounting (a record of what you did). User authentication is a key step in an SSL VPN solution. Beyond validating the user's credentials, authentication lets the SSL VPN gateway assign the user to a policy group. The assignment uses the user's organizational group, obtained during the authentication phase, together with other attributes such as endpoint security posture and time of day. The policy group defines the user's authorization privileges.
Choice of Authentication Servers
You have a wide variety of identity technologies to choose from for authenticating users. The common choices are passwords, RADIUS, TACACS+, one-time password (OTP) systems, public-key infrastructure (PKI), smart cards, and so on. For remote access VPN authentication, a two-factor OTP system provides the strongest combination of security and manageability. It is also common for small- to medium-sized companies to leverage an existing user directory such as Lightweight Directory Access Protocol (LDAP), Windows NTLM, or Active Directory for VPN user authentication. If you take this route, define and enforce strong password policies, because with single-factor passwords the security of the VPN rests entirely on them.
The design of the AAA system can vary depending on the size of your network and the disparity of access methods. For an SSL VPN device, the choices of authentication servers fall mainly into two categories:
- A dedicated AAA server running RADIUS: The AAA server is the interface between the SSL VPN appliance and the identity servers, such as corporate LDAP servers or OTP systems. Cisco Secure ACS is an example of this type of AAA server. The SSL VPN appliance communicates with the AAA server using the RADIUS protocol. Typically, the AAA server queries the external identity databases to authenticate the user and returns the authentication result to the SSL VPN appliance. The AAA server can speak different protocols to various identity databases such as LDAP, RSA SecurID, and Windows Active Directory. An advanced AAA server, such as Cisco Secure ACS, can also retrieve additional user attributes from the external identity servers, such as the user's role in the organization or password expiration information. All these user attributes can be used later in the authorization phase to determine the access privilege. Keep in mind that RADIUS itself only obfuscates the User-Password attribute, using an MD5 keystream derived from the shared secret; use a long, random shared secret, and place the SSL VPN appliance and the AAA server on a protected segment (or tunnel the traffic with IPsec) so that the exchange cannot be sniffed or spoofed.
- An SSL VPN appliance communicating directly with the identity server: In this case, the SSL VPN appliance needs to be able to communicate with various types of identity servers, such as LDAP, OTP systems, or Windows domain controllers. This is becoming fairly common because most current SSL VPN vendors support multiple types of authentication servers. This mode is most common in small- to medium-sized companies that do not have disparate access methods, and hence have no need for a central AAA system.
When you choose this method, pay attention to what additional information the SSL VPN appliance can retrieve from the authentication server beyond the result of the user authentication. For the later authorization phase, it is often useful for the SSL VPN appliance to also obtain the user's organizational information. Giving the SSL VPN appliance this capability requires tighter integration between the appliance and the authentication server.
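The RADIUS exchange between the SSL VPN appliance and a dedicated AAA server, described in the first option above, is shown here as an added example written for this page; it is not code from the original text or from any vendor product. It builds an Access-Request with the User-Password obfuscation from RFC 2865, has a minimal in-process AAA server validate the credentials and return the user's group in a Class attribute (the "additional user attribute" that feeds the authorization phase), and has the client verify the Response Authenticator so that a forged Access-Accept from someone on the path is not accepted. The shared secret, the user table, the `group=` encoding of the Class attribute and the NAS identifier are all constructed for the example; a real AAA server would proxy the credential check to LDAP, Active Directory or an OTP system rather than hold passwords itself.

```python
import hashlib
import hmac
import os
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, CLASS, NAS_IDENTIFIER = 1, 2, 18, 25, 32
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator

# Constructed sample data: the shared secret and the AAA server's view of its users.
# (A real AAA server proxies this check to LDAP, Active Directory or an OTP system.)
SECRET = b"hypothetical-long-random-shared-secret"
USER_DB = {"jsmith": {"password": b"correct-horse-battery", "group": "Sales"}}


def encode_attrs(attrs):
    """Serialize (type, value) pairs into RADIUS attribute TLVs."""
    out = bytearray()
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes((atype, len(value) + 2)) + value
    return bytes(out)


def decode_attrs(data):
    """Parse attribute TLVs, rejecting truncated or zero-length attributes."""
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def obfuscate_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. This hides the password from casual
    observation only; anyone holding (or guessing) the shared secret recovers it."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 bytes")
    padded = password + b"\0" * (-len(password) % 16) or b"\0" * 16
    prev, out = request_auth, bytearray()
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def deobfuscate_password(blob, secret, request_auth):
    """Inverse of obfuscate_password; the trailing NUL padding is stripped."""
    if not blob or len(blob) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    prev, out = request_auth, bytearray()
    for i in range(0, len(blob), 16):
        block = blob[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\0")


def _response_auth(code, ident, length, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def build_access_request(username, password, secret, nas_id=b"sslvpn-gw1"):
    """What the SSL VPN appliance sends; also returns the state needed to check the reply."""
    ident, request_auth = secrets.randbelow(256), os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, obfuscate_password(password, secret, request_auth)),
                         (NAS_IDENTIFIER, nas_id)])
    packet = HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body
    return packet, ident, request_auth


def aaa_server(packet, secret=SECRET, user_db=USER_DB):
    """Minimal AAA server: validates the credentials and returns the group in a Class attribute."""
    code, ident, length, request_auth = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(decode_attrs(packet[HEADER.size:length]))
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("User-Name and User-Password are required")
    entry = user_db.get(attrs[USER_NAME].decode(errors="replace"))
    supplied = deobfuscate_password(attrs[USER_PASSWORD], secret, request_auth)
    if entry and hmac.compare_digest(entry["password"], supplied):
        code, body = ACCESS_ACCEPT, encode_attrs([(CLASS, b"group=" + entry["group"].encode())])
    else:
        code, body = ACCESS_REJECT, encode_attrs([(REPLY_MESSAGE, b"Access denied")])
    length = HEADER.size + len(body)
    auth = _response_auth(code, ident, length, request_auth, body, secret)
    return HEADER.pack(code, ident, length, auth) + body


def verify_response(reply, ident, request_auth, secret):
    """Client-side check: the reply must carry our identifier and a valid Response
    Authenticator, otherwise a spoofed Access-Accept from the path would be accepted."""
    code, rid, length, resp_auth = HEADER.unpack_from(reply)
    if rid != ident or length != len(reply):
        raise ValueError("reply does not match the outstanding request")
    body = reply[HEADER.size:length]
    if not hmac.compare_digest(resp_auth, _response_auth(code, rid, length, request_auth, body, secret)):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    return code, dict(decode_attrs(body))


def authenticate(username, password, secret=SECRET, user_db=USER_DB):
    """Full round trip as the SSL VPN appliance sees it: returns (accepted, group_or_None)."""
    pw = password.encode() if isinstance(password, str) else password
    packet, ident, request_auth = build_access_request(username, pw, secret)
    reply = aaa_server(packet, secret, user_db)  # stands in for the UDP exchange on port 1812
    code, attrs = verify_response(reply, ident, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return False, None
    return True, attrs[CLASS].decode().split("=", 1)[1]
```

The group returned in the Class attribute is what the appliance keeps for the authorization phase; vendors commonly carry it in a vendor-specific attribute instead, but the flow is the same. Note that nothing in an Access-Request is integrity protected, which is why the appliance-to-AAA path needs network-level protection.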
AAA Server Scalability and High Availability
The scalability and availability of the AAA server directly affect the availability of your VPN network and the user experience.
For a small- to medium-sized VPN network, it is relatively easy to address this design issue. Because the number of VPN users is relatively small, the scalability of the AAA server is less of an issue. Also, because a small to medium deployment normally does not have geographically dispersed Internet VPN access, the AAA servers normally reside on a local network, and network delay and resiliency are not problematic. You should still have a backup or secondary AAA server to provide local high availability. Most SSL VPN appliances support failing over to a secondary AAA server when the primary server does not respond.
For a medium to large enterprise network, the scalability and resiliency of the AAA systems are important and need to be carefully designed. For a remote access VPN deployment, you probably need to integrate your authentication requirements with the AAA infrastructure that is already in place to support other access methods.
Some good design guidelines for deploying a Cisco Secure Access Control Server (ACS) have been documented in the white paper "Guidelines for Placing ACS in the Network," which can be found at http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a0080092567.shtml. In this white paper, the general design recommendations documented for scalability, resiliency, and device placement should apply to most AAA server deployments.
The following sections briefly highlight the important factors that need to be considered.
AAA Server Scalability
When you consider AAA server scalability, keep the following points in mind:
- The maximum number of users supported by the AAA server.
- The number of authentication requests per second the AAA server can handle.
- The type of database. For an internal user database on the AAA server itself, check its scalability to find out how many local users can be defined.
AAA Server High Availability and Resiliency
When you consider AAA server high availability (HA) and resiliency, keep the following points in mind:
- Consider a local secondary AAA server.
- For dispersed network access and VPN geographic HA design, consider placing a AAA server at each location that has business-critical impact.
- Incorporate a robust AAA server database synchronization mechanism.
Resource Access Privilege Management
After user authentication, the remote access VPN device should be able to authorize the user with resource access privileges based on the user's attributes. As described earlier, because SSL VPN can be reached from almost any endpoint, its design needs to account for the integrity of that endpoint. Hence resource authorization goes beyond the standard user attributes to include other security attributes. The following is a list of attributes that can be used to determine resource access privilege:
- Sign-in URL: For an SSL VPN device that offers different sign-in URLs to different groups of users, the sign-in URL can be used to decide the type of resource this group of users is entitled to.
- User's digital certificate: The organization information in the user's certificates can be used to map users to corresponding roles that allow different resource access.
- The result of endpoint security assessment: This point is discussed in more detail within the context of the security considerations. In essence, the posture of the endpoint can be used as a dynamic factor to decide users' access privilege to sensitive corporate resources.
- Time of day.
- Browser type.
- Source IP address: Whether the request arrives from an inside or an outside address, as in the case study that follows.
- User attributes: These are the typical user attributes in the user identity database. For example, the marketing group in the LDAP database can be mapped to an internal marketing group in the SSL VPN.
Some of these attributes, such as endpoint security posture and the user's IP address, are collected before user authentication and can therefore also drive the choice of authentication method. Attributes that can change during a session, endpoint security posture in particular, should be periodically reevaluated so that the user's access privileges reflect the current situation rather than the state at login.
To clarify these concepts, we give an example of how an SSL VPN system can use some of these attributes to perform dynamic access privilege management. In this case study, a salesperson attempts to access corporate resources using an SSL VPN. Depending on the result of the endpoint assessment, the salesperson is granted different levels of resource access.
Scenario 1: Salesperson Accesses the VPN from a Kiosk Computer at a Sales Conference
- Step 1 The salesperson initiates the VPN request by entering https://vpn.companyxyz.com into the browser.
- Step 2 Upon receiving the access request, the SSL VPN appliance collects some user attributes and performs the endpoint security checking. The results are as follows:
- IP address = Outside
- Client digital certificate = Not present
- Proper antivirus client installed and enabled = No
- Step 3 Based on the results in Step 2, the SSL VPN chooses an authentication method for the user and performs user authentication:
- Authentication method = Strong, OTP
- Step 4 After successful user authentication, the SSL VPN appliance also retrieves the user's organization information through a separate authorization step:
- User's organization group = Sales
- Step 5 Based on the user attributes so far, the SSL VPN appliance maps the user to a VPN group or role:
- VPN role = sales_insecure
- Step 6 The sales_insecure role decides the user access privilege:
- User privilege = Web access only
- Session timeout = 30 minutes
- Periodic security checking = Yes
- Require secure desktop = Yes
- Note: The secure desktop can be launched much earlier at the preauthentication phase based on the IP address attribute. This way, the user password entered into the client browser can be protected from software such as keystroke loggers.
- Step 7 The salesperson logs in and starts to access the bookmarked web applications, such as OWA. More granular application-level access control can be applied at this phase.
Scenario 2: The Same Salesperson Accesses the VPN from a Corporate-Owned Laptop at Home
- Step 1 The salesperson initiates the VPN request by entering https://vpn.companyxyz.com into the browser.
- Step 2 Upon receiving the access request, the SSL VPN appliance collects some user attributes and performs the endpoint security checking. The results are as follows:
- IP address = Outside
- Client digital certificate = Yes
- Proper antivirus client installed and enabled = Yes
- Step 3 Based on the results in Step 2, the SSL VPN chooses an authentication method for the user and performs user authentication:
- Authentication method = Strong, OTP
- Step 4 After successful user authentication, the SSL VPN appliance also retrieves the user's organization information through a separate authorization step:
- User's organization group = Sales
- Step 5 Based on the user attributes so far, the SSL VPN maps the user to a VPN group or role:
- VPN role = sales_secure
- Step 6 The sales_secure role decides the user access privilege:
- User privilege = Tunnel client
- Session timeout = 12 hours
- Periodic security checking = Yes
- Require secure desktop = No
- Step 7 The salesperson logs in and starts to access the corporate network using the tunnel client mode. Additional granular IP-based access control can be applied at this phase.
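The attribute-to-role mapping from the list above and from the two scenarios is shown here as an added Python example written for this page; it is not code from the original text or from any SSL VPN product. It separates the decisions the gateway can make before authentication (authentication method, whether to launch the secure desktop before the password prompt) from the role assignment that needs the post-authentication group, and it includes the periodic reevaluation that steps a session down when posture degrades. The corporate address ranges, the "deny" role, the business-hours rule for untrusted endpoints, and the choice of plain password authentication for inside hosts with a certificate are assumptions that go beyond the case study.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical corporate address space; any other source address is "Outside".
INSIDE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class SessionAttributes:
    """Everything the gateway knows about a session. source_ip, client_cert and
    antivirus_ok are collected before authentication; group is known only after it."""
    source_ip: str
    client_cert: bool
    antivirus_ok: bool
    hour: int = 12                   # local time of day, 0-23
    group: Optional[str] = None


@dataclass(frozen=True)
class Privileges:
    role: str
    access: str                      # "none", "web" or "tunnel"
    session_timeout_min: int
    periodic_check: bool
    require_secure_desktop: bool


# Role table mirroring the two roles in the case study; the "deny" role is an assumption.
ROLES = {
    "sales_secure": Privileges("sales_secure", "tunnel", 12 * 60, True, False),
    "sales_insecure": Privileges("sales_insecure", "web", 30, True, True),
    "deny": Privileges("deny", "none", 0, False, False),
}


def location(attrs):
    """Step 2: classify the source address as inside or outside."""
    return "inside" if any(ip_address(attrs.source_ip) in n for n in INSIDE_NETWORKS) else "outside"


def posture_ok(attrs):
    """The endpoint is trusted only with a client certificate and a healthy antivirus."""
    return attrs.client_cert and attrs.antivirus_ok


def preauth_decisions(attrs):
    """Decisions available before the user types a password (Step 3 and the Note).
    Assumption: inside hosts with a certificate may use password auth; everyone else gets OTP."""
    method = "password" if location(attrs) == "inside" and attrs.client_cert else "otp"
    secure_desktop_first = location(attrs) == "outside" and not attrs.client_cert
    return {"auth_method": method, "launch_secure_desktop_before_login": secure_desktop_first}


def assign_role(attrs):
    """Steps 5 and 6: map post-authentication attributes to a role. Assumptions beyond the
    case study: untrusted endpoints are refused outside 06:00-22:00, non-Sales groups are denied."""
    if attrs.group is None:
        raise ValueError("authorize only after authentication has supplied the group")
    if attrs.group != "Sales":
        return ROLES["deny"]
    if posture_ok(attrs):
        return ROLES["sales_secure"]
    if not 6 <= attrs.hour < 22:
        return ROLES["deny"]
    return ROLES["sales_insecure"]


def reevaluate(current, fresh_attrs):
    """Periodic security checking: re-run the mapping on fresh posture data and step the
    session down if it no longer qualifies. Never step up mid-session; require a new login."""
    wanted = assign_role(fresh_attrs)
    rank = {"none": 0, "web": 1, "tunnel": 2}
    return wanted if rank[wanted.access] < rank[current.access] else current
```

Keeping the role table as data rather than branching on every attribute in code makes the policy reviewable: the only logic is the small set of predicates that decide which row applies. The step-down-only rule in `reevaluate` matters because posture checks run on the client and are the easiest input to spoof; a later, better-looking result should not silently widen access.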