[Repost] Secure Socket Tunneling Protocol
Author: Ricky M. Magalhaes. Source: EvilOctal Information Security Team (邪恶八进制信息安全团队, [url]www.eviloctal.com[/url])
Original source: [url]http://windowsecurity.com/articles/Secure-Socket-Tunneling-Protocol.html[/url]
The article will give a clear understanding of SSTP and compare a standard VPN with an SSTP VPN. The article will also cover the advantages of utilizing both SSTP and VPN simultaneously and what the benefits of using SSTP will be.
VPN
A virtual private network, also referred to as a VPN, is a network constructed over public wires to join nodes, enabling the user to create networks for the transfer of data. These systems use encryption and various other security measures to ensure that the data is not intercepted by unauthorized users. For years VPNs have been used successfully, but they have recently become problematic due to the increase in the number of organizations encouraging roaming user access. Alternative measures have been looked at to enable this type of access, and many organizations have begun to utilize IPSec and SSL VPN as an alternative. The other new alternative is SSTP, also referred to as 'Microsoft's SSL VPN'.
Problems with typical VPN
VPNs typically use an encrypted tunnel that keeps the tunneled data confidential. Because of this, when the tunnel routes through typical NATed paths the VPN tunnel stops working. VPNs typically connect a node to an endpoint. It may happen that both the node and the endpoint have the same internal LAN address and, if NAT is involved, all sorts of complications can arise.
SSL VPN
Secure Socket Layer, also referred to as SSL, uses a cryptographic system with two keys to encrypt data: a public key and a private key. The public key is known to everyone and the private key only to the recipient. Through SSL a secure connection between a client and a server is created. SSL VPN allows users to establish secure remote access from virtually any Internet-connected web browser, unlike a traditional VPN, so the hurdle of unstable connectivity is removed. With SSL VPN an entire session is secured, whereas with SSL alone this is not accomplished.
SSTP
Secure Socket Tunneling Protocol, also referred to as SSTP, is by definition an application-layer protocol. It is designed to employ synchronous communication, back and forth between two programs. It allows many application endpoints over one network connection between peer nodes, thereby enabling efficient usage of the communication resources available to that network.
The SSTP protocol is based on SSL instead of PPTP or IPSec and uses TCP port 443 for relaying SSTP traffic. Although it is closely related to SSL, a direct comparison cannot be made between SSL and SSTP, as SSTP is only a tunneling protocol, unlike SSL. Many reasons exist for choosing SSL rather than IPSec as the basis for SSTP. IPSec is directed at supporting site-to-site VPN connectivity, and thus SSL was a better base for SSTP development, as it supports roaming. Other reasons for not basing it on IPSec are:
It does not force strong authentication,
User clients are a must have,
Differences exist in the quality and coding of user clients from vendor to vendor,
Non-IP protocols are not supported by default,
Because IPSec was developed for site-to-site secure connections, it is likely to present problems for remote users attempting to connect from a location with a limited number of IP addresses.
SSL VPN proved to be a more compatible basis for the development of SSTP
SSL VPN addresses these issues and more. Unlike basic SSL, SSL VPN secures an entire session. No static IPs are required, and a client is unnecessary in most cases. Since connections are made via a browser over the Internet, the default connection protocol is TCP/IP. Clients connecting via SSL VPN can be presented with a desktop for accessing network resources. Transparent to the user, traffic from their laptop can be restricted to specific resources based on business defined criteria.
SSTP - an extension of VPN
The development of SSTP was brought about by the limited capability of VPN. The main shortcoming of VPN is its unstable connectivity, which is a consequence of its insufficient coverage area. SSTP extends the coverage area of VPN connections ubiquitously, eliminating this problem. SSTP establishes a connection over secure HTTPS; this allows clients to securely access networks behind NAT routers, firewalls and web proxies, without concern for typical port blocking issues.
SSTP is not designed for site-to-site VPN connections but is intended for client-to-site VPN connections.
The success of SSTP can be found in the following features:
SSTP uses HTTPS to establish a secure connection
The SSTP (VPN) tunnel will function over Secure-HTTP. The problems with VPN connections based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) will be eliminated. Web proxies, firewalls and Network Address Translation (NAT) routers located on the path between clients and servers will no longer block VPN connections.
Typical port blocking is decreased
Blocking issues, such as a firewall or NAT router blocking PPTP's GRE traffic or L2TP's ESP traffic and thereby preventing the client from reaching the server, will no longer be a problem, as ubiquitous connectivity is achieved. Clients will be able to connect from anywhere on the Internet.
SSTP will be built into Longhorn server
SSTP Client will be built into Windows Vista SP1
SSTP won't introduce retraining issues, as the end-user VPN controls remain unchanged. The SSTP-based VPN tunnel plugs directly into the current interfaces of the Microsoft VPN client and server software.
Full support for IPv6: an SSTP VPN tunnel can be established across the IPv6 Internet.
It uses integrated Network Access Protection support for client health checks.
Strong integration into the MS RRAS client and server, with two-factor authentication capabilities.
Increases the VPN coverage from just a few points to almost any internet connection.
SSL encapsulation for traversal over port 443.
Can be controlled and managed using application layer firewalls like ISA server.
Full network VPN solution, not just an application tunnel for one application.
Integration in NAP.
Policy integration and configuration possible to help with client health checks.
Single session created for the SSL tunnel.
Application independent.
Stronger enforced authentication than IPSec.
Support for non-IP protocols; this is a major improvement over IPSec.
No need to buy expensive, hard-to-configure hardware firewalls that do not support Active Directory integration and integrated two-factor authentication.
[Figure 1.1: SSTP connection overview (attachment 5797)]
How SSTP based VPN connection works in seven steps
The SSTP client needs Internet connectivity. Once this Internet connectivity is verified by the protocol, a TCP connection is established to the server on port 443.
SSL negotiation now takes place on top of the already established TCP connection, during which the server certificate is validated. If the certificate is valid, the connection is established; if not, the connection is torn down.
The client sends an HTTPS request on top of the encrypted SSL session to the server.
The client now sends SSTP control packets within the HTTPS session. This in turn establishes the SSTP state machine on both sides for control purposes, and both sides now initiate the PPP layer communication.
PPP negotiation using SSTP over HTTPS now takes place at both ends. The client is now required to authenticate to the server.
The session now binds to the IP interface on both sides and an IP address is assigned for the routing of traffic.
Traffic can now traverse the connection, whether IP traffic or otherwise.
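The seven steps above as a runnable simulation. This is an added example, not code from the article, from Microsoft or from the RRAS team: the SSTP packet framing (version byte 0x10, control bit, 16-bit length field, 16-bit message type and attribute count, the CALL_CONNECT_REQUEST / CALL_CONNECT_ACK / CALL_CONNECTED / CALL_ABORT message types and the encapsulated-protocol attribute) follows my reading of the published MS-SSTP specification and should be treated as an assumption; the server stub, the credentials and the 10.0.0.2 address are constructed. The simulation also exercises the two failure modes the steps mention (invalid server certificate at step 2, failed PPP authentication at step 5) and shows at step 7 that the data packets carry PPP frames, which is why non-IP traffic can traverse the tunnel.

```python
import struct
from dataclasses import dataclass

# SSTP framing constants, after my reading of MS-SSTP (assumption, not from the article).
SSTP_VERSION = 0x10                 # major 1, minor 0
FLAG_CONTROL = 0x01                 # C bit: 1 = control packet, 0 = data packet carrying a PPP frame
MSG_CALL_CONNECT_REQUEST = 0x0001
MSG_CALL_CONNECT_ACK = 0x0002
MSG_CALL_CONNECTED = 0x0004
MSG_CALL_ABORT = 0x0005
ATTR_ENCAPSULATED_PROTOCOL_ID = 0x01
PROTOCOL_PPP = 0x0001
# Standard PPP protocol numbers for the two IP families; anything else is "non-IP" traffic.
PPP_IP_PROTOCOLS = {0x0021: "IPv4", 0x0057: "IPv6"}


def encode_attribute(attr_id, value):
    # attribute = reserved(1) | id(1) | length(2, includes this 4-byte header) | value
    return struct.pack("!BBH", 0, attr_id, 4 + len(value)) + value


def encode_control(msg_type, attrs=()):
    payload = struct.pack("!HH", msg_type, len(attrs)) + b"".join(attrs)
    return struct.pack("!BBH", SSTP_VERSION, FLAG_CONTROL, 4 + len(payload)) + payload


def encode_data(ppp_frame):
    return struct.pack("!BBH", SSTP_VERSION, 0, 4 + len(ppp_frame)) + ppp_frame


def decode(packet):
    """Return ('control', msg_type, attribute_bytes) or ('data', None, ppp_frame)."""
    version, flags, length = struct.unpack("!BBH", packet[:4])
    if version != SSTP_VERSION:
        raise ValueError("unsupported SSTP version")
    if (length & 0x0FFF) != len(packet):        # only the low 12 bits carry the length
        raise ValueError("length field does not match packet size")
    body = packet[4:]
    if flags & FLAG_CONTROL:
        msg_type, _num_attrs = struct.unpack("!HH", body[:4])
        return ("control", msg_type, body[4:])
    return ("data", None, body)


@dataclass
class Server:
    """Constructed stand-in for the SSTP server: a certificate flag and one accepted PPP login."""
    cert_valid: bool = True
    accepted_user: tuple = ("alice", "correct horse")   # constructed credentials
    assigned_ip: str = "10.0.0.2"                       # constructed address

    def handle_control(self, packet):
        kind, msg_type, _ = decode(packet)
        assert kind == "control"
        if msg_type == MSG_CALL_CONNECT_REQUEST:
            return encode_control(MSG_CALL_CONNECT_ACK)
        if msg_type == MSG_CALL_CONNECTED:
            return None                                 # no reply needed; tunnel is up
        return encode_control(MSG_CALL_ABORT)


def connect(server, user, password, frames_to_send=()):
    """Walk the client through the seven steps; return the transcript as a list of strings."""
    log = ["1 tcp connect to :443"]
    log.append("2 tls handshake, validating server certificate")
    if not server.cert_valid:
        log.append("2 certificate invalid: connection torn down")   # step 2 failure mode
        return log
    log.append("3 https request sent inside the tls session")
    request = encode_control(
        MSG_CALL_CONNECT_REQUEST,
        [encode_attribute(ATTR_ENCAPSULATED_PROTOCOL_ID, struct.pack("!H", PROTOCOL_PPP))],
    )
    _, reply_type, _ = decode(server.handle_control(request))
    if reply_type != MSG_CALL_CONNECT_ACK:
        log.append("4 server refused CALL_CONNECT_REQUEST")
        return log
    log.append("4 sstp control channel up (CALL_CONNECT_ACK)")
    if (user, password) != server.accepted_user:          # step 5 failure mode
        log.append("5 ppp authentication failed: connection torn down")
        return log
    server.handle_control(encode_control(MSG_CALL_CONNECTED))
    log.append("5 ppp negotiated and authenticated (CALL_CONNECTED)")
    log.append(f"6 ip interface bound, address {server.assigned_ip}")
    for frame in frames_to_send:
        _, _, ppp = decode(encode_data(frame))            # round-trip the frame through SSTP framing
        proto = struct.unpack("!H", ppp[:2])[0]
        log.append(f"7 data packet, ppp protocol 0x{proto:04x} ({PPP_IP_PROTOCOLS.get(proto, 'non-IP')})")
    return log


if __name__ == "__main__":
    # Constructed PPP frames: an IPv4 frame (0x0021) and a non-IP frame (0x002b, IPX).
    for line in connect(Server(), "alice", "correct horse", [b"\x00\x21\x45\x00", b"\x00\x2b\x00"]):
        print(line)
```

The transcript makes the ordering visible: the server certificate is checked before any SSTP control packet is sent, so a bad certificate never reaches the PPP authentication step, and the PPP protocol number inside each data packet, not anything in the SSTP header, decides what kind of traffic the tunnel carries.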
Microsoft is confident that this protocol will help alleviate VPN connection issues. The RRAS team is now readying RRAS for SSTP integration, and the protocol will be part of the solution going forward. The only prerequisite at present is that the client runs Vista and the server runs Longhorn Server. The feature set provided by this little protocol is both rich and flexible, and the protocol will enhance the user and administrator experience. I predict that devices will start to incorporate this protocol into the stack for secure communication, and the headaches of NAT will soon be forgotten as we move into a 443/SSL incorporated solution.
Conclusion
SSTP is a great addition to the VPN toolkit, enabling users to connect remotely and securely to the corporate network. Blocking of remote access and NAT issues seem to be forgotten when using this protocol, and the technology is stable, well documented and working. This is a great product and it is very welcome in this time of remote access.