Westermo RedFox Series User Manual


Westermo OS Management Guide

Version 4.17.0-0

or server is used for the SSL VPN session.

36.1.4.3 TLS Authentication Settings

WeOS supports an optional extra authentication of the SSL (TLS) tunnel by using
something called “TLS Authentication”. This is an extra signature and encryption
step performed with a static, pre-shared key. It is applied to all control packets
for the tunnel, but not to the tunnelled data going through the tunnel (that data
is already encrypted with the negotiated ciphers and keys). All control packets
received by the SSL VPN server, including the initial handshake packets, are checked
and decrypted by this mechanism, and packets that do not match the key are discarded
immediately, before any further processing takes place.

This extra authentication step makes an SSL VPN server less sensitive to DDoS
attacks, especially when combined with the UDP protocol for the tunnel. The server
side software will not waste memory by allocating connection data structures (TLS
contexts, security associations, etc.) for bad incoming packets, since they are
rejected before any such state is created.

Using TLS Authentication and UDP together makes the VPN server completely silent
when packets arrive (from an attacker, for example) that are not signed with the
correct key: nothing is sent back. Port scanning utilities will therefore not
detect the server in this mode.

TLS Authentication works for TCP as well, and gives some of the same benefits as
the UDP mode, but the server network stack needs to reply to the incoming TCP SYN
packet and complete the connection before the key can be checked. A port scanning
utility will therefore be able to detect a server in TCP mode, and a heavy DDoS
attack may potentially fill up all available connection slots on the server
(socket memory/file descriptors).
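To make the receive path described above concrete, here is an added Python model of the check (example code, not part of the WeOS manual and not OpenVPN's own implementation). It parses a static key in the “OpenVPN Static key V1” file layout, derives an HMAC-SHA1 sub-key for each direction, signs and verifies control packets, and shows that a server only allocates session state (the “TLS context”) after the static-key signature has been verified; everything else is dropped without a reply, which is the UDP behaviour the text describes. Assumptions, not taken from the page: the simplified 9-byte packet header (opcode plus session id), the two-halves key layout used to pick the HMAC sub-key, the constructed sample key file, and the names load_static_key, sign_control_packet, verify_control_packet, VpnServer and run_demo. OpenVPN's real wire format is not reproduced.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed example key: 256 deterministic bytes rendered in the
# "OpenVPN Static key V1" file layout (16 lines of 32 hex characters).
# Not a key from the manual or from any real deployment.
_KEY_BYTES = b"".join(
    hashlib.sha256(b"weos-tls-auth-example-%d" % i).digest() for i in range(8)
)
SAMPLE_KEY_FILE = (
    "#\n# 2048 bit OpenVPN static key (constructed example)\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(_KEY_BYTES.hex()[i:i + 32] for i in range(0, 512, 32))
    + "\n-----END OpenVPN Static key V1-----\n"
)

HMAC_LEN = hashlib.sha1().digest_size  # 20 bytes, OpenVPN's default tls-auth digest
HEADER_LEN = 1 + 8                     # assumed simplified header: opcode + 8-byte session id


def load_static_key(text: str) -> bytes:
    """Parse the hex body between the BEGIN/END markers into 256 raw bytes."""
    hex_lines, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN OpenVPN Static key"):
            inside = True
        elif line.startswith("-----END OpenVPN Static key"):
            break
        elif inside and line and not line.startswith("#"):
            hex_lines.append(line)
    raw = bytes.fromhex("".join(hex_lines))
    if len(raw) != 256:
        raise ValueError("expected a 2048-bit static key, got %d bits" % (len(raw) * 8))
    return raw


def hmac_key(static_key: bytes, half: int) -> bytes:
    """Assumed layout (modelled on OpenVPN's key2 structure): two 128-byte halves,
    each 64 bytes of cipher key followed by 64 bytes of HMAC key, of which the
    first HMAC_LEN bytes are used. Half 0 is direction 0's sending key."""
    base = half * 128 + 64
    return static_key[base:base + HMAC_LEN]


def sign_control_packet(static_key: bytes, key_direction: int,
                        header: bytes, payload: bytes) -> bytes:
    """Sender side: insert an HMAC-SHA1 tag computed with our outbound key."""
    mac = hmac.new(hmac_key(static_key, key_direction), header + payload, hashlib.sha1)
    return header + mac.digest() + payload


def verify_control_packet(static_key: bytes, key_direction: int, packet: bytes):
    """Receiver side: return the payload if the tag matches the peer's outbound key
    (the opposite half to ours), otherwise None, meaning 'drop silently'."""
    if len(packet) < HEADER_LEN + HMAC_LEN:
        return None
    header = packet[:HEADER_LEN]
    tag = packet[HEADER_LEN:HEADER_LEN + HMAC_LEN]
    payload = packet[HEADER_LEN + HMAC_LEN:]
    mac = hmac.new(hmac_key(static_key, 1 - key_direction), header + payload, hashlib.sha1)
    return payload if hmac.compare_digest(tag, mac.digest()) else None


@dataclass
class VpnServer:
    """Minimal model of the server receive path: session state (the 'TLS context')
    is only allocated once the static-key HMAC has been verified."""
    static_key: bytes
    key_direction: int = 0            # server side of "tls-auth ta.key 0"
    sessions: dict = field(default_factory=dict)
    dropped: int = 0

    def receive(self, packet: bytes):
        payload = verify_control_packet(self.static_key, self.key_direction, packet)
        if payload is None:
            self.dropped += 1         # no reply, no state: over UDP the sender sees nothing
            return None
        session_id = packet[1:HEADER_LEN]
        self.sessions.setdefault(session_id, {"tls_state": "handshake"})
        return payload


def run_demo() -> dict:
    key = load_static_key(SAMPLE_KEY_FILE)
    server = VpnServer(static_key=key)
    header = bytes([0x38]) + b"CLIENT01"   # constructed: opcode byte + session id
    good = sign_control_packet(key, 1, header, b"ClientHello")     # client uses direction 1
    accepted = server.receive(good)
    forged = header + os.urandom(HMAC_LEN) + b"ClientHello"        # attacker without the key
    tampered = bytearray(good)
    tampered[-1] ^= 0x01                                           # valid tag, modified payload
    wrong_dir = sign_control_packet(key, 0, header, b"ClientHello")  # peer misconfigured with 0
    for pkt in (forged, bytes(tampered), wrong_dir):
        server.receive(pkt)
    return {"accepted": accepted, "sessions": len(server.sessions), "dropped": server.dropped}


if __name__ == "__main__":
    print(run_demo())   # {'accepted': b'ClientHello', 'sessions': 1, 'dropped': 3}
```

The wrong_dir case is worth noting in practice: both ends must use the same key file, but with opposite direction values (0 on one side, 1 on the other); a peer configured with the same direction as the server signs with the server's own outbound sub-key and is rejected exactly like an attacker.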

TLS Authentication requires that an OpenVPN static key is imported into the
system. The exact same key must be used on both ends of the tunnel for it to
connect. Protect the key file accordingly: whoever holds it passes this check.

An OpenVPN static key can be generated on any computer with OpenVPN installed.
Below is an example command line for Linux (OpenVPN 2.5 and later also accept the
newer form “openvpn --genkey secret ta-example.key”):

Example

linux:~/> openvpn --genkey --secret ta-example.key

To import the key, use the “cert” command. For details about the certificate store
and operations, see chapter 7.2.6.

© 2015 Westermo Teleindustri AB
