Remote Access Description
Using a VPN provides remote employees with secure access to the corporate services and data hosted in the Selectel infrastructure. With the FortiGate hardware firewall in Selectel, you can configure remote access to an organization's private networks based on SSL, IPsec, and L2TP over IPsec, using various VPN software installed on the computers, laptops, and phones of remote users, such as:
- FortiClient by Fortinet;
- the Cisco client;
- the VPN client built into the operating system.
To create a VPN tunnel on the firewall, the following must already be configured (learn more about the basic setup):
- an external interface through which the devices will connect;
- an internal network;
- access to the FortiGate web interface.
**SSL (Secure Sockets Layer)**
A standardized technology for establishing a secure communication channel between a web server and the client's browser. All data transferred between the server and the client remains private to everyone except these two parties. An SSL certificate is required to create an SSL connection. A common example is using SSL for secure communication between a web browser and a web server (HTTPS).

**IPsec**
A protocol suite that authenticates and encrypts the traffic between two peers. There are three common protocols:
- Internet Key Exchange (IKE) — for the "handshake", tunnel maintenance, and its shutdown;
- Encapsulating Security Payload (ESP) — provides data integrity and encryption;
- Authentication Header (AH) — provides only data integrity, not encryption.
FortiGate only uses ESP to transmit packet payload; it does not use AH.

**IKE (Internet Key Exchange)**
The standard protocol of the IPsec protocol group used to secure communication in a VPN; that is, IKE establishes the IPsec VPN tunnel. For the IPsec protocols to secure the transmitted data, IKE establishes a logical connection between the two endpoints, called a Security Association (SA). An SA defines the authentication, keys, and settings that will be used to encrypt and decrypt packets.
IKE defines two phases (Phase 1 and Phase 2):
- Phase 1 is the negotiation of a secure channel for configuration, which happens when each endpoint in the tunnel connects and starts configuring the VPN. Phase 1 authenticates both tunnel endpoints based on a Pre-Shared Key or a digital signature (certificate), creates one bidirectional IKE SA that defines the secure channel used to negotiate the configuration (verifying that the same Pre-Shared Key is used at each end of the tunnel), and performs the Diffie-Hellman key exchange whose keys are used in Phase 2. Once Phase 1 has established a secure channel and the keying material, Phase 2 begins;
- Phase 2 is the negotiation of security parameters for the traffic transmitted between the endpoints. Security parameters are negotiated for two unidirectional IPsec SAs (not to be confused with the IKE SA). These are the Phase 2 SAs that ESP uses to transfer data between the networks. Phase 2 does not end when ESP starts: it periodically renegotiates the keys to maintain security. Each Phase 1 can have multiple Phase 2s, for example, if you want to use different encryption keys for each subnet whose traffic crosses the tunnel. At the end of Phase 2, the VPN connection is established.
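As an added illustration of the Phase 1 / Phase 2 structure described above (example code written for this page, not Fortinet's or Selectel's implementation and not the real IKE wire protocol): a simplified Python model in which Phase 1 runs a Diffie-Hellman exchange plus Pre-Shared Key authentication to produce one bidirectional IKE SA, and Phase 2 derives two unidirectional IPsec SAs per subnet from that IKE SA, with fresh nonces standing in for periodic rekeying. The toy DH group, the key-derivation labels, and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group (constructed for illustration only; real IKE
# negotiates an RFC 3526 MODP group or an elliptic-curve group).
P, G = 2**127 - 1, 5

@dataclass
class IpsecSA:  # one unidirectional Phase 2 (IPsec) SA, as used by ESP
    spi: int
    key: bytes
    selector: str  # subnet whose traffic this SA protects

class Peer:  # one tunnel endpoint: a Pre-Shared Key plus a DH key pair
    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)  # DH public value sent in Phase 1
    def auth_tag(self, peer_pub: int) -> bytes:
        # Phase 1 authentication: prove knowledge of the PSK over both DH values
        msg = self.pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
        return hmac.new(self.psk, msg, hashlib.sha256).digest()
    def verify(self, peer_pub: int, tag: bytes) -> bool:
        msg = peer_pub.to_bytes(16, "big") + self.pub.to_bytes(16, "big")
        expected = hmac.new(self.psk, msg, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)
    def ike_sa_key(self, peer_pub: int) -> bytes:
        # Keying material of the bidirectional IKE SA, from the DH shared secret
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def phase2(ike_key: bytes, selector: str, nonce_i: bytes, nonce_r: bytes) -> dict:
    """Two unidirectional IPsec SAs for one selector; fresh nonces model rekeying."""
    def prf(label: str) -> bytes:
        data = label.encode() + nonce_i + nonce_r + selector.encode()
        return hmac.new(ike_key, data, hashlib.sha256).digest()
    return {d: IpsecSA(int.from_bytes(prf("spi-" + d)[:4], "big"), prf("key-" + d), selector)
            for d in ("in", "out")}

def establish(initiator: Peer, responder: Peer, selectors: list) -> dict:
    """Phase 1 once, then one Phase 2 per subnet (several Phase 2s per Phase 1)."""
    if not (responder.verify(initiator.pub, initiator.auth_tag(responder.pub))
            and initiator.verify(responder.pub, responder.auth_tag(initiator.pub))):
        raise ValueError("Phase 1 authentication failed: Pre-Shared Keys differ")
    ike_key = initiator.ike_sa_key(responder.pub)
    assert ike_key == responder.ike_sa_key(initiator.pub)  # both ends agree
    return {sel: phase2(ike_key, sel, secrets.token_bytes(16), secrets.token_bytes(16))
            for sel in selectors}
```

A mismatched Pre-Shared Key fails in Phase 1 before any IPsec SA exists, and calling phase2 again with new nonces yields new keys under the same IKE SA, which is the rekeying behaviour described above.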
Comparing SSL-VPN vs IPsec-VPN
SSL sits higher in the network stack than IP, so SSL-VPN headers usually take more bits (more bandwidth).
IPsec uses its own special protocols. The main one is ESP, which encapsulates and encrypts UDP, RDP, HTTP, or other protocols inside an IPsec tunnel. In addition, IPsec VPN is a standard: it can interoperate with multiple vendors and supports peers that are devices and gateways, not only Fortinet's own clients, whereas SSL-VPN supports only those clients.
| | SSL-VPN | IPsec-VPN |
|---|---|---|
| May be between | Browser and FortiGate<br>FortiClient and FortiGate | FortiClient and FortiGate<br>FortiGate and FortiGate<br>FortiGate and a compliant third-party IPsec VPN gateway<br>FortiGate and a compliant third-party IPsec VPN client |
| Login via | HTTPS web portal on FortiGate | IPsec client (site-to-site does not require a client) |
| Configuration | No installation required<br>Simplified (client-to-FortiGate only, no user-configurable parameters) | Flexible (different topologies, for clients or gateways) |
| Category | Defined by the vendor | Standard |
**Tunnel mode**
In this mode, the SSL-VPN client encrypts all traffic from the remote user's computer and sends it to FortiGate through an SSL-VPN tunnel over the HTTPS channel between the user and FortiGate. Tunnel mode supports many protocols and applications. This mode requires a standalone SSL-VPN client (FortiClient) to connect to FortiGate. FortiClient adds a virtual network adapter named fortissl to the user's computer; this virtual adapter dynamically obtains an IP address from FortiGate each time FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is encapsulated in SSL/TLS.
The main advantage of tunnel mode over web mode is that once the VPN is established, any IP network application running on the client can send traffic through the tunnel. The main disadvantage is that tunnel mode requires the installation of a VPN software client, which requires administrator rights.

**Web mode**
This mode allows you to access the network using a web browser with built-in SSL encryption. Users are authenticated by the FortiGate SSL-VPN web portal, which provides access to network services and resources, including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH.
The Bookmarks section of the SSL-VPN portal page contains links to all or some of the resources the user is allowed to access. The Quick Connection widget allows users to enter the URL or IP address of the server they want to connect to. The web-mode SSL-VPN user reaches the internal network through these two widgets.
The main advantage of web mode is that it usually does not require any additional software.
This mode has the following limitations:
- all interaction with the internal network must go through the browser (via the web portal); other network applications running on the user's computer cannot send data over the VPN;
- it is a secure HTTP/HTTPS gateway mechanism that does not provide access to everything, only to a few popular protocols such as HTTP, FTP, and Windows shares.

**Split mode**
A tunneling mode that directs only traffic for the specified network through FortiGate. When split tunneling is enabled, only traffic destined for the private network behind the remote FortiGate is routed through the tunnel. All other traffic is sent along its usual route, outside the tunnel.

**Full mode**
A tunneling mode in which split tunneling is disabled and all IP traffic generated by the user's computer, including Internet traffic, is routed through the SSL-VPN tunnel to FortiGate. This makes FortiGate the default gateway for the host. You can use this method to apply security features to the traffic of these remote clients and to monitor or restrict their Internet access. It increases latency and bandwidth usage.