
SSL VPN

Make access to business systems more secure

Description

SANGFOR SSL VPN


Minimized access

Fine-grained access control based on URL authorization lets users reach only a limited number of pages on the same Web server, which keeps unauthorized users from finding pages with SQL injection vulnerabilities. SANGFOR also provides a master-slave account binding function, which binds the SSL VPN account to the business system account and prevents internal users from exceeding their access rights.


Simplifies the installation and use of VPNs for users

Through technological innovation, the user experience is greatly improved. Lightweight installation packages download and install faster, and after a single installation users can log in to the SSL VPN from new versions of various browsers without other supporting software such as Java. Security hardening is wrapped around apps automatically, without modifying the application, so users connect to the SSL VPN automatically after clicking the app, with no extra connection step. Single sign-on is provided for both mobile and PC applications, and so on.


Compatibility

The SSL VPN is compatible with mainstream operating systems and browsers, including Windows, Mac, mobile terminals and so on.


Improve system access speed

A series of optimization techniques (e.g., stream compression, stream caching, TCP protocol proxies) speed up users' access to business systems and improve the user experience.

A safer SSL VPN protecting business interconnections
3.1.1 Rich authentication methods
The SANGFOR SSL VPN Security Gateway supports multiple security authentication methods: LocalDB, LDAP/AD, Radius, third-party CA, self-built CA, DKEY, SMS authentication (SMS modem and SMS gateway), hardware feature code, and dynamic token. Together these best ensure the legitimacy of the accessing user.
3.1.2 Hybrid authentication protection mechanisms
A single authentication method is susceptible to theft. To further improve the security of identity authentication, SANGFOR proposes hybrid authentication: the username and password, CA digital certificate, LDAP/AD, Radius, DKEY, hardware feature code, SMS authentication, and dynamic token methods mentioned above can be bundled into a combination of more than five factors, and the SSL VPN system can only be accessed if all of the bundled methods are satisfied at the same time. If several methods are needed as backup access options, SANGFOR also proposes an "or" combination: among the authentication methods or combinations above, passing any one of them is enough to access the SSL VPN system.
SANGFOR SSL VPN Product White Paper. Document Classification: Public
Copyright © 2012 SANGFOR Technologies. www.sangfor.com.cn
A variety of authentication methods and a complete authentication system let enterprises choose the combination of authentication methods that matches the security level they need, which best ensures the legitimacy of accessing users and the security of corporate intranet resources.
3.1.3 Dynamic authentication provides multiple assurances
Security threats such as spyware and Trojan horses are becoming increasingly serious. Traditional password-based authentication is easily stolen, and once a password leaks, enterprise data security is at risk. SANGFOR uses a variety of dynamic authentication systems to eliminate this hidden danger and ensure the security of the SSL VPN when users access resources at headquarters.
• DKEY authentication
The SANGFOR SSL VPN Security Gateway uses SSL protocol encryption to establish a secure, dedicated encrypted channel. In addition to the standard SSL protocol's built-in encryption algorithms, such as RC4 and RSA 128-bit signatures, which ensure data security, it also uses two-factor authentication with DKEY (a USB authentication device) and protects the DKEY with a PIN code. This USB DKEY can support two VPN systems (IPSec and SSL) at the same time, for security and convenience.
• Driverless USB DKEY
An ordinary USB DKEY needs the USB key's driver to be installed before it can be used. Driver compatibility issues often prevent users from logging in to the SSL VPN properly, making it impossible to conduct business. In response, SANGFOR proposes driver-less DKEY authentication: when you use the DKEY to log in for the first time, you do not need to install a DKEY driver. You can log in to the SSL VPN normally without worrying about driver compatibility issues, which improves the efficiency of business access.
• SMS authentication
The rapid advancement of wireless technology has brought another great revolution to the network world. Its flexible and reliable characteristics have attracted everyone's attention, and SMS authentication, which relies on wireless communication technology, came into being as a result. The SMS authentication system is divided into two parts: the cell phone SMS terminal and the SMS authentication server. Using their existing cell phones and PADs, end users obtain the two-factor authentication access code by text message in order to securely access network resources. SANGFOR supports interaction with SMS modems for SMS authentication.
• SMS gateway
In addition to sending SMS via an SMS modem, SANGFOR also supports carriers' SMS gateways. If you have already deployed an SMS gateway (for Mobile, Unicom or Telecom) in your network, SANGFOR can be combined with it to realize SMS authentication.
When a text message is not sent in time because of network latency or problems with the network operator, the user is directly affected and the business cannot be used normally. For this situation, SANGFOR provides an SMS retransmission function, so that you can use SMS authentication easily and quickly.
• Hardware binding (HARDCA)
Traditional username and password or CA certificate authentication methods have the problem of certificate or password theft. To avoid the leakage defects of traditional solutions, SANGFOR SSL VPN uses SANGFOR's special certificate authentication system based on PC hardware features (HARDCA) to implement hardware-based authentication. The principle is to bind the user account to the hardware information of the user's computer (e.g., CPU, hard disk, network card). Even if the user account is accidentally leaked, an unauthorized user does not have the computer that is pre-bound to the account, so no unauthorized access results.
• Dynamic token authentication
A dynamic token is a technologically advanced two-factor strong identity authentication system. The complete user password is composed of the user PIN code plus the dynamic token code. The token code is generated by a pseudo-random algorithm from the unique seed built into the token and the current time; it changes once every minute and is a one-time password (it expires immediately after use and cannot be reused). Since virtually all security is related to passwords, and stealing and cracking passwords are the most common means of attack, dynamic tokens are a good solution to the above problem and provide an extremely high level of security assurance for the user.
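The token-code scheme described above (PIN plus a code derived from a seed and the current time, one-minute step, single use), as an added example that is not the product's code: it substitutes the public RFC 6238 HMAC construction for the unspecified pseudo-random algorithm, and the 6-digit length, drift window, sample seed and sample PIN are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the page states the code changes every minute
DIGITS = 6         # assumption: the page does not give the code length

# Constructed sample values (the seed is the RFC 4226 test secret).
SAMPLE_SEED = b"12345678901234567890"
SAMPLE_PIN = "4821"


def token_code(seed, unix_time):
    """Code for the one-minute step containing unix_time (HOTP truncation)."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server side: checks PIN + token code and enforces one-time use."""

    def __init__(self, seed, pin, drift_steps=1):
        self._seed = seed
        self._pin = pin
        self._drift = drift_steps      # tolerated clock drift, in steps
        self._last_used_step = -1      # highest step already consumed

    def verify(self, password, now):
        """password is the PIN immediately followed by the token code."""
        if len(password) != len(self._pin) + DIGITS:
            return False
        pin = password[:len(self._pin)]
        code = password[len(self._pin):]
        pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())

        current = int(now) // STEP_SECONDS
        matched = None
        first = max(0, current - self._drift)
        for step in range(first, current + self._drift + 1):
            expected = token_code(self._seed, step * STEP_SECONDS)
            if hmac.compare_digest(code.encode(), expected.encode()):
                matched = step

        if not pin_ok or matched is None:
            return False
        if matched <= self._last_used_step:
            return False               # code already used: reject the replay
        self._last_used_step = matched
        return True


if __name__ == "__main__":
    verifier = TokenVerifier(SAMPLE_SEED, SAMPLE_PIN)
    password = SAMPLE_PIN + token_code(SAMPLE_SEED, 70)
    print("first use:", verifier.verify(password, now=70))
    print("replay   :", verifier.verify(password, now=75))
```

Tracking the last consumed step is what makes the code single-use; without it, a captured password stays valid for the rest of the minute plus the drift window.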
3.1.4 Built-in CA center provides a complete authentication system
The SANGFOR SSL VPN Security Gateway has a built-in CA center, so enterprises or institutions can build their own CA center and do not need to purchase a separate CA authentication system, which reduces investment costs. At the same time, the SANGFOR SSL VPN Security Gateway also seamlessly supports existing third-party CA certificates. The built-in CA center can create server certificates as well as CA and PIN certificates, which lets you meet your organization's large-scale use of CA while reducing investment costs and build your own CA certification center.
3.1.5 Integration with third-party CAs
To establish a more complete authentication system, many enterprises have introduced CA centers. SANGFOR SSL VPN integrates well with authentication systems such as CA centers: it supports the UCS-2, GBK, UTF-8, GB2312 and BIG5 encoding formats and certificates in der, crt, cer, p12, pfx and p7b formats, and it can read specified fields in the CA certificate to bind them to an identity account, so that it integrates with third-party CAs and meets the authentication requirements of large-scale users.
In conjunction with third-party CAs, SANGFOR SSL VPN can also use authorization values set in certificates and bind them to accounts to build the organizational structure, giving more complete support for CA certificate authentication. SANGFOR SSL VPN also supports at least 5 different CA root certificates, configuration of certificate binding fields, and batch import/export of user certificate records, so even complex digital certificate systems are well supported.
3.1.6 Integration with LDAP (AD)
As organizations grow in size, most of them establish LDAP (AD) services for better authentication. LDAP can manage people according to the internal structure of the organization; the staffing structure in LDAP is based entirely on the internal organizational structure of the enterprise.
SANGFOR SSL VPN can work with LDAP, so users that exist in LDAP do not need to be created again on the SSL VPN device: the authentication data is forwarded directly to the LDAP server, and LDAP makes the judgment. If there is a special need, the LDAP users can also be synchronized to the device. You can choose a fixed time to synchronize, or synchronize in real time, so that the user information in LDAP and the user information on the SSL VPN stay in sync.
To support more varied authentication, SANGFOR SSL VPN can read the cell phone number in LDAP and combine it with SMS authentication, which enables two-factor authentication combined with LDAP.
Where permissions have already been assigned in LDAP, SANGFOR SSL VPN supports importing the Group attribute from LDAP, so that it inherits the privilege attributes from LDAP and stays consistent with the permissions there.
When a large number of users are authenticated through LDAP but have no user information in the local SSL VPN database, they cannot be assigned a virtual IP and therefore cannot use IP resources. To solve this problem, SANGFOR SSL VPN can read the IP field attribute in LDAP, so that users authenticated via LDAP can be assigned a virtual IP and bi-directional access is possible.
3.1.7 Combining with Radius
Radius, as an important element of the 3A system, is deployed by some large group companies, where the Radius server acts as a factor in authentication. To avoid re-establishing a separate authentication system on the SSL VPN and to minimize additional authentication schemes, the SSL VPN needs to integrate well with Radius.
SANGFOR SSL VPN can read Radius group authority information, so groups that have already been created in Radius can be read and then mapped into the SSL VPN for role segmentation and resource binding.
For more varied authentication, SANGFOR SSL VPN also supports reading the cell phone number attribute from Radius, which can be combined with SMS authentication to realize two-factor authentication.
Similarly, so that users authenticated through Radius can be assigned virtual IPs, SANGFOR SSL VPN can read the IP attribute in Radius and bind a virtual IP, so that users authenticated through Radius can access IP resources normally.
3.1.8 Open data interfaces for secondary development
A complete authentication system has been established through the SSL VPN. Where a third-party system needs to continue doing authentication on top of this system, SANGFOR opens up some of the database information in the SSL VPN. The third party can access this data and carry out secondary development on it according to actual needs, so that the SSL VPN can be integrated with more applications.
3.1.9 Integration with other third-party authentication systems to protect up-front investments
Across the industry, authentication systems are varied and use different data formats. To protect customers' up-front investment, and because the SSL VPN cannot integrate directly with every authentication system, SANGFOR proposes using SANGFOR's own Radius server as a relay. SANGFOR Radius can integrate with other authentication systems and is highly scalable, meeting customers' requirements for connecting to third-party systems.
3.1.10 Graphic Code Verification Function
The SANGFOR SSL VPN Security Gateway provides a graphical code verification (CAPTCHA) function. The user must enter the information shown in a picture generated by the system in order to log in normally, which prevents unauthorized users from running automated guessing programs. The graphical CAPTCHA combines numbers and letters through an internal calculation program, and a different graphical CAPTCHA is generated each time.
3.1.11 Soft keyboard functions
To improve the security of user passwords and prevent Trojan horse programs from intercepting the password information users enter, the SANGFOR SSL VPN Security Gateway provides a soft keyboard function: users enter passwords with the soft keyboard provided on the interface, so a Trojan cannot steal the password by intercepting the user's keyboard input. To further increase the security of the soft keyboard, SANGFOR provides a dynamic change function: each time you log in, the letter keys and number keys are arranged differently from the last login, which further secures the password.
3.1.12 Session timeout control function
To prevent users from leaving for extended periods without logging off, which could let others snoop on confidential information within the SSL VPN, the SANGFOR SSL VPN Security Gateway incorporates an inactivity detection engine. When it detects that the client has had no traffic accessing intranet resources for a specified period of time, the SSL VPN gateway automatically pops up a dialog box prompting the user: "The SSL connection will time out and close in X seconds, should I continue or log off?" If the user does not select an action within this period, the SANGFOR SSL VPN Security Gateway automatically logs the user off, terminates the session and returns to the login screen.
3.1.13 Comprehensive password security
For usernames and passwords created on the SSL VPN, SANGFOR employs a variety of mechanisms to ensure password security.
Once the anti-brute-force function is enabled, after the user enters the wrong password a certain number of consecutive times, the system locks the account for a period of time to prevent brute-force password guessing. Administrators can view locked users in the locked-users online list and unlock them so they are quickly unfrozen.
Faced with a large number of users, administrators may set an initial password for each user for management convenience, but password security must still be ensured. SANGFOR can force users to change the initial password at the next login. It can require a minimum password length, which you set according to your requirements, and can require that the password contain numbers, letters and special symbols to ensure complexity. It can also require that the password not be the same as the username and not be the same as the old password. For password management, passwords can be changed on a schedule, and users can be reminded a set number of days before expiration to change their password. Together, these measures ensure the security of users' passwords.
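One way to implement the lockout and password rules from this section, as an added example rather than the product's own code; the thresholds, function and class names, and the PBKDF2 storage of the old password are assumptions.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # assumption: the page does not describe password storage


def hash_password(password, salt):
    """Salted hash, so the old password is never kept in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_violations(username, new_password, old_salt, old_hash, min_length=8):
    """Return the list of rules from the section that new_password breaks."""
    problems = []
    if len(new_password) < min_length:
        problems.append("too short")
    if not any(c.isdigit() for c in new_password):
        problems.append("no digit")
    if not any(c.isalpha() for c in new_password):
        problems.append("no letter")
    if not any(not c.isalnum() for c in new_password):
        problems.append("no special symbol")
    if new_password.lower() == username.lower():
        problems.append("same as username")
    if hmac.compare_digest(hash_password(new_password, old_salt), old_hash):
        problems.append("same as old password")
    return problems


class LoginThrottle:
    """Locks an account after N consecutive failures, for a fixed period."""

    def __init__(self, max_failures=5, lock_seconds=600):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> time at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and start counting from zero again.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"       # even a correct password is refused
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            return "locked"
        return "denied"

    def locked_users(self, now):
        """What an administrator's locked-users list would show."""
        return sorted(u for u in list(self._locked_until) if self.is_locked(u, now))

    def unlock(self, user):
        """Administrator action: unfreeze the account immediately."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


if __name__ == "__main__":
    salt = b"constructed-salt"                 # constructed sample data
    old = hash_password("Spring#2024", salt)
    print(password_violations("alice", "alice", salt, old))
    throttle = LoginThrottle(max_failures=3)
    print([throttle.attempt("bob", False, t) for t in (0, 1, 2)])
```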
3.1.14 Client Security Checks Secure Your Network from the Endpoint
When the user opens the SSL login screen in the computer's browser, the SANGFOR SSL VPN Security Gateway uses its client security scanning function to check whether the client computer's system has been patched, whether the appropriate antivirus program is installed, and so on. This secures SANGFOR SSL VPN access and prevents insecure client computers from bringing security risks into the enterprise's internal network through the SSL VPN.
SSL VPN client security checks for secure access
3.1.15 Enhanced Network Protection - VPN Virtual Private Line Function
A virtual private line means that after a user logs in to the SSL VPN, a virtual private line is formed with the internal business system, and the user can no longer access network resources outside the virtual private line. Once the virtual private line function is enabled, insecure factors on the external network can no longer threaten the VPN system through the client, and the possibility of the client leaking confidential information is also prevented. This avoids security risks caused by the client and ensures the security of the internal business system.
3.1.16 Zero-trace access features to avoid security breaches
SANGFOR SSL VPN automatically removes cookies, temporary files and other information left on the client computer after the user terminates access, achieving "zero trace" access and avoiding security risks.
3.1.17 True SSL protocol encrypted transmission
SSL VPNs rely on the SSL protocol (RFC2246) embedded in various browsers. It is a secure and reliable protocol made up of the following three protocols:
Handshake protocol: the client and server identify each other and negotiate encryption algorithms and keys. It provides connection security with three features: identity authentication, achieved for at least one party and optionally two-way; the negotiated shared key is secure and an intermediary cannot learn it; and the negotiation process is reliable.
Record protocol: the SSL record protocol is built on top of a reliable transport protocol such as TCP and provides connection security with two features: confidentiality, using symmetric encryption algorithms, and integrity, using HMAC algorithms. It is used to encapsulate higher-level protocols.
Alert protocol: this protocol is used to indicate each time an error has occurred or when a session between two hosts is in progress or on standby.
The SSL protocol data interaction proceeds as follows:
[Figure: SSL protocol data interaction]
It is the security of the SSL protocol that has led to its widespread use in online banking. A true SSL VPN must encapsulate all data above the IP layer through the SSL protocol. A product that simply encapsulates TCP data, or that modifies an IPSEC VPN to forward data to port 443, is not a true SSL VPN. This can be identified with standard HTTP traffic testing tools such as Loadrunner, Web bench and Avalanche, or with packet capture tools such as Wireshark and Sniffer.
A true SSL VPN is one that can do SSL mapping and SSL load testing, but the average customer does not have these test conditions. It is therefore recommended, when selecting an SSL VPN, to purchase a product model approved by the National Cryptography Administration, and a product that has been tested and approved by the Ministry of Public Security and granted a VPN sales license.
3.1.18 Support for national commercial cryptographic standards
Data encryption is an important security link in the information security system. With the continuous development of science and technology, commonly used commercial cryptographic algorithms (e.g., DES, RSA, MD5) have been confirmed to be crackable. If the cryptography has a shortcoming, the security device is useless; true network security can only be realized by using relatively secure cryptographic algorithms. The National Cryptography Administration has therefore introduced new cryptographic algorithms (SM1, SM2, SM3, SM4) and requires relevant units to choose domestic commercial cryptographic standards. The SSL VPN supports common international commercial cryptographic algorithms and also supports the domestic commercial cryptographic standards stipulated by the State Secrets Bureau, comprehensively protecting the user's business security.
3.1.19 Access rights control function provides the most detailed rights management
With its role management feature, SANGFOR SSL VPN provides privilege segmentation with granularity down to the individual URL and application level. Access authorizations are assigned by setting different roles for different users, and a user can be given multiple roles to fit a variety of complex organizational structures. Role-based access restrictions provide strong security for enterprise networks. Through the behavior tracking engine, administrators can also view all access logs for remote access users.
SANGFOR SSL VPN has a variety of built-in user and resource management options. Users can be created locally or come from third-party authentication such as LDAP/AD and RADIUS, and can be managed in a variety of ways, such as by user, user group, public account and private account. Administrators can divide permissions by role, Web resources, C/S resources, IP resources and so on, assigning detailed access control to remote access users.
At the same time, SANGFOR SSL VPN integrates user concurrency limits, public account concurrency limits and user traffic limits, which ensures that users use VPN resources appropriately. In addition, the real-time monitoring status bar in the gateway's graphical management interface lets you monitor user access in real time and observe the operational status of the entire VPN system.
3.1.20 Well-established logging system
The SANGFOR SSL VPN gateway provides four levels of operation logs (debug, information, alarm, and error) to help administrators diagnose the system. It also provides user access record auditing and reporting to record and track user behavior.
Because the VPN gateway's storage space is limited, SANGFOR SSL VPN also provides a separate log center. Through the third-party log center, administrators can display the number of times services have been accessed, the number of user logins and the number of alarms as pie charts, bar charts, graphs and so on, and can print and export them directly.
The SANGFOR SSL VPN Security Gateway's rich log center gives network administrators and decision makers the most effective data support for analyzing the detailed utilization of VPN resources.
3.1.21 Rich log information
With SANGFOR SSL VPN's independent third-party logging server, logs can be queried in two categories: system logs and user logs. The administrator can query logs within a specified time range and by log level and type, such as error, alarm, information, debugging and process.
At the same time, the administrator can display the number of visits to services, the number of rejections, the number of user logins, the number of alarms and so on as pie charts, bar graphs, curve graphs and other views, and can print and export them directly. The rich log center of the SANGFOR SSL VPN security gateway can analyze the detailed usage of enterprise VPN resources, providing the most effective data support for network management staff and decision makers.
3.1.22 Powerful real-time monitoring capabilities
Through the remote monitoring platform, administrators can monitor user access and observe the operation of the SSL VPN security gateway in real time. With the SSL VPN's rich system logs, faults can be located and remote maintenance performed in a timely manner. Through the web interface, administrators can also view the status of each online user at any time and interrupt suspicious sessions at any time, conveniently and quickly. Alarms can also be sent by SMS to notify end users in time.
3.1.23 Sandbox technology - secure desktop
Many business systems lack tools to prevent information leakage: users are free to keep copies and related information locally and to transfer the data to other computers or networks, which leads to leakage from information systems. Besides active leakage, passive leakage caused by Trojans, viruses or hacking can also bring huge losses to the enterprise. Organizations and scenarios with higher data security requirements, such as banks, funds, securities firms and other financial institutions, or third-party access involving confidential research and development, particularly need a sound information protection program. Such a program should not come at the expense of efficiency, and ideally should not require users to change their existing office habits, so that information leakage protection is achieved without affecting business work.
SANGFOR SSL VPN uses sandbox technology to provide a secure desktop function that effectively protects data. The administrator can enforce Secure Desktop for specific resources and users. When Secure Desktop is enabled, the client automatically uses virtualization technology to generate a closed virtual work environment, the Secure Desktop, which looks exactly the same as the default desktop. In the Secure Desktop all operations are fully virtualized. Processes inside the Secure Desktop are isolated from processes outside it and from other endpoints on the local network or the Internet, forming a completely information-isolated working environment that prevents information leakage. Information cannot be transferred out of the Secure Desktop, and after the Secure Desktop is logged out, all operations, temporary files and received data in it are deleted without leaving any traces.
Secure Desktop works together with the SSL VPN's own user authentication, transmission encryption, authorized access and other technologies to provide customers with a more complete secure network solution.
3.1.24 Integrated Enterprise Stateful Firewalls
Unlike most SSL VPNs, the SANGFOR SSL VPN gateway integrates a high-performance enterprise-grade stateful firewall. Only port 443 is open to the outside world, which effectively protects internal servers from all kinds of attacks from the Internet. The built-in anti-DOS function not only prevents DOS attacks from the external network; the SSL VPN security gateway can also defend against DOS attacks launched by intranet computers.
The SANGFOR SSL VPN Security Gateway integrates an enterprise-class stateful inspection firewall. In addition to basic enterprise firewall functions such as administrator privilege classification, URL filtering, NAT, access monitoring, Internet access control, user authentication, flow control, QOS, DHCP service and automatic dialing, it has 4 built-in security levels (high, medium, low and custom) that users can configure flexibly according to their needs. The gateway also provides a virtual test function, which creates a virtual test environment for firewall rules. Through the visual interface, administrators can test the various security rules, eliminating security vulnerabilities caused by human configuration errors.
As HTTPS servers, all SSL VPNs are equally exposed to DOS threats, so most SSL VPN devices need a firewall in front of them for protection. SANGFOR SSL VPN is itself a firewall, with integrated defenses against attacks such as DOS.
For DOS attacks from outside, the basic principle of the defense is as follows: the network layer answers the attacking host's request on behalf of the application layer. Because the DOS attacking host cannot complete the three-way handshake, the incomplete request is recognized, which avoids passing the attack on to the SSL VPN application. For a real SYN, after the three-way handshake is completed at the network layer, the gateway simulates the requesting client and sends the SYN request to the application layer. This SYN proxy approach lets normal SSL VPN remote access pass smoothly through the firewall to the internal server, while DOS attacks are rejected.
The SANGFOR SSL VPN Security Gateway defends not only against DOS attacks from outside the network but also against DOS attacks from inside it. Administrators can add a list of intranet segments to the gateway. A connection request from a computer within this list is considered to come from a legitimate user; one from an IP address outside this list is considered an attack. This is an effective preventive measure against DOS attack initiators' common practice of spoofing the source IP address.
At the same time, the gateway can limit, for each IP address on the internal LAN, the maximum number of TCP connections started and the maximum number of SYN packets sent within one minute (values can be customized based on the number of computers on the intranet). This stops a virus or Trojan that has infected some computers on the LAN from initiating a large number of outbound connection requests and exhausting the organization's network bandwidth or paralyzing the gateway device. Once an attack is detected, the gateway can immediately block the attacking hosts, stopping DOS attacks initiated by computers within the enterprise LAN in a timely manner and avoiding the legal disputes, reputational damage and other risks to the enterprise when employees' computers are accidentally infected on the Internet and cause DOS attacks.
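The intranet-side checks described above (segment list, per-IP one-minute limits on SYN packets and TCP connections, then blocking), sketched as an added example that is not the gateway's implementation; the class name, return labels, thresholds and addresses are assumptions, and events are fed in as constructed (source IP, kind, timestamp) tuples rather than read from a live interface.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # the page describes limits "within one minute"


class IntranetDosGuard:
    """Classifies LAN-side events as 'allow', 'outside-list' or 'blocked'."""

    def __init__(self, intranet_segments, max_syn_per_minute, max_conn_per_minute):
        self.segments = [ipaddress.ip_network(s) for s in intranet_segments]
        self.limits = {"syn": max_syn_per_minute, "conn": max_conn_per_minute}
        # One sliding window of timestamps per (kind, source IP).
        self._windows = {"syn": defaultdict(deque), "conn": defaultdict(deque)}
        self.blocked = set()

    def _in_intranet(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.segments)

    def observe(self, src_ip, kind, ts):
        """kind is 'syn' (SYN packet sent) or 'conn' (TCP connection started)."""
        if kind not in self.limits:
            raise ValueError("kind must be 'syn' or 'conn'")
        if src_ip in self.blocked:
            return "blocked"
        if not self._in_intranet(src_ip):
            # Source address is not in any configured segment: treated as
            # spoofed, as the page describes, and never counted.
            return "outside-list"

        window = self._windows[kind][src_ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()          # drop events older than one minute
        window.append(ts)

        if len(window) > self.limits[kind]:
            self.blocked.add(src_ip)  # threshold exceeded: block the host
            return "blocked"
        return "allow"


# Constructed sample events: (source IP, kind, seconds since start).
SAMPLE_EVENTS = [
    ("192.168.10.5", "syn", 0),
    ("192.168.10.5", "syn", 1),
    ("192.168.10.5", "syn", 2),
    ("192.168.10.5", "syn", 3),   # fourth SYN inside one minute
    ("10.9.9.9", "syn", 4),       # not in the intranet segment list
    ("192.168.10.6", "conn", 5),
]


def classify_sample():
    guard = IntranetDosGuard(["192.168.10.0/24"],
                             max_syn_per_minute=3, max_conn_per_minute=2)
    return [guard.observe(ip, kind, ts) for ip, kind, ts in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, classify_sample()):
        print(event, "->", verdict)
```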
