
Overview

This chapter describes how the Motorola SSL Mobile VPN Solution actually functions. While the information in this section will help provide a more complete understanding of the Motorola SSL Mobile VPN Solution, readers may nonetheless choose to skip ahead to the next chapter to get started right away.

How the Motorola Mobile SSL VPN Solution Works

Figure 2 below shows the high level architecture of the device software of the Motorola Mobile SSL VPN Solution.

24 -- Using the Motorola SSL VPN Solution with MSP

As shown in Figure 2 above, the various components that make up the Motorola SSL Mobile VPN Solution are described in the following subsections.

Network Components

As shown in Figure 2 above, various network domains that comprise or are used in conjunction with the Motorola SSL Mobile VPN Solution are described in the following subsections.

Public Network

A common use of the Motorola SSL Mobile VPN Solution is to provide secure connectivity from and to entities, usually devices, on a Public Network, such as the Public Internet. A classic scenario is a WWAN-enabled device with cellular data connectivity. Such a device often has the ability to contact Servers that are exposed onto the Public Internet, but usually cannot be contacted from the Public Internet, which is probably a good thing from a security perspective. Using the Motorola SSL Mobile VPN Solution, the device can be virtually bridged onto the Enterprise Network in a secure manner and assigned an IP Address on that network. This allows the device to securely contact Servers in the Enterprise Network and be contacted by entities, such as Servers or Workstation PCs, on the Enterprise Network, as if it were physically on the Enterprise Network.

DMZ (De-Militarized Zone)

A DMZ is generally a security necessity when one or more Servers located on an Enterprise Network will be in any way exposed to access from a Public Network, such as the Public Internet. A DMZ is essentially a pair of Firewalls that define a special network domain that is exposed in controlled ways by carefully controlling the configuration of the Firewalls.

The Firewall between the DMZ and the Public Network is generally configured to tightly control what traffic can enter the DMZ from the Public Network and usually controls, albeit somewhat less tightly, the traffic that can exit the DMZ to the Public Network. By controlling the traffic entering the DMZ from the Public Network, many threats can be prevented before they can get started.

The Servers located in the DMZ are generally designed to be gateways between Intermediate Servers in the DMZ, such as the AirBeam Safe Gatekeeper Server, and Servers in the Enterprise Network, such as the AirBeam Safe Enterprise Server. More sensitive interfaces can be used by Intermediate Servers to bridge traffic to Servers within the Enterprise Network. By operating in the DMZ, Intermediate Servers can qualify traffic in various ways and significantly reduce risk by filtering out many threats.

The Firewall between the DMZ and the Enterprise Network is generally configured to tightly control what traffic can enter the Enterprise Network from the DMZ and usually controls, albeit somewhat less tightly, the traffic that can enter the DMZ from the Enterprise Network. By controlling the traffic entering the Enterprise Network from the DMZ, most threats that somehow get past the Intermediate Servers in the DMZ can be prevented.

Enterprise Network

The Enterprise Network is the internal Private Network of the Enterprise and is generally where all the sensitive Servers that provide Enterprise-specific services are located. In most cases, the AirBeam Safe Enterprise Server would be located in the Enterprise Network. Many other Servers, including the MSP Server, one or more Relay Servers, and various Application Servers will commonly also be located in the Enterprise Network.

Chapter 5 – How the Motorola SSL Mobile VPN Solution Works -- 25

In some cases, an Enterprise may have more than one level of DMZ. In such cases, there may be a DMZ just for some of the more sensitive Servers that would otherwise be located in the Enterprise Network. This might be done if there are security reasons for wanting to partially isolate such Servers from the general Enterprise Network.

Software Components

As shown in Figure 2 above, the various software components that comprise or are used in conjunction with the Motorola SSL Mobile VPN Solution are described in the following subsections.

VPN Client

The VPN Client is a software component that resides on a device and handles the device-side establishment and communications associated with the secure tunnel connection.

When using the Motorola SSL Mobile VPN Solution, the VPN Client is installed as an MSP Package and configured by applying Settings Objects of the Settings Class Network.WVPN.Motorola.SSL. The VPN Client can be configured to connect to one or two Server components, depending on the requirements and overall system design.

AirBeam Safe Enterprise Server

The AirBeam Safe Enterprise Server is a software component that resides on a Server, usually safely within an Enterprise Network. The AirBeam Safe Enterprise Server handles the Server-side encryption, authentication, compression and session management. The AirBeam Safe Enterprise Server also acts as the termination point for secure tunnel connections from VPN Clients.

Note:

The AirBeam Safe Enterprise Server can act alone, without an AirBeam Safe Gatekeeper Server, but this would require that the AirBeam Safe Enterprise Server be directly exposed to the contacting devices. This would generally mean that the AirBeam Safe Enterprise Server would need to reside in the DMZ. While this can be done, it is generally considered a less secure solution than would result if an AirBeam Safe Gatekeeper Server were also used.

AirBeam Safe Gatekeeper Server

The AirBeam Safe Gatekeeper Server is an optional software component that must reside on a Server that is separate from the AirBeam Safe Enterprise Server. The AirBeam Safe Gatekeeper Server helps increase security by reducing the “attack surface” of the overall solution. The Gatekeeper is not a mandatory component, but can help to achieve a more stringent level of security.

When used, the AirBeam Safe Gatekeeper Server acts as the termination point for secure tunnel connections from VPN Clients and hence would generally need to be located in the DMZ. This allows the AirBeam Safe Enterprise Server to be more safely located within the Enterprise Network instead of in the DMZ. By separating the tunnel termination from the authentication, the risk is reduced since the more sensitive authentication is more tightly protected.

Use of the AirBeam Safe Gatekeeper Server can also simplify Firewall configuration and can be used to enable load balancing, by directing traffic to one of several AirBeam Safe Enterprise Servers.


Other Enterprise Server(s)

While they are not a part of the Motorola SSL Mobile VPN Solution, there will often be other Enterprise Servers within the Enterprise Network where the AirBeam Safe Enterprise Server is located. The MSP Server and one or more Relay Servers might be amongst these. Also, various other Application Servers that might be utilized by the same devices could be amongst these. A key thing to understand is that the Motorola SSL Mobile VPN Solution can potentially serve as a common pathway to all these Servers.

VPN Connection

To establish a secure connection, the VPN Client must be configured to contact one or more AirBeam Safe Enterprise Servers or AirBeam Safe Gatekeeper Servers. If AirBeam Safe Gatekeeper Server(s) are used, then the VPN Client will be configured to contact the IP Address(es) or network name(s) of one or two AirBeam Safe Gatekeeper Server(s). If AirBeam Safe Gatekeeper Server(s) are not used, then the VPN Client will be configured to contact the IP Address(es) or network name(s) of one or two AirBeam Safe Enterprise Server(s).

Server Certificate Verification (Mandatory)

When the VPN Client contacts the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server, the Server sends its Server Certificate to the Client to prove its identity. The Client verifies the identity of the Server using the following process:

1. Verify that the issuer of the Server Certificate is trusted by the Client.

2. Verify that the Server Certificate is not expired and is suitable for the intended purpose.

3. Verify that the common name of the subject of the Server Certificate matches the IP Address or network name at which the Client contacted that Server.

Note:

Server verification by the VPN Client is optional but highly recommended. If all the above checks pass, then the VPN Client has successfully verified the identity of the Server and the connection can proceed.

Client Certificate Verification (Optional)

Optionally, the AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server can be configured to require that the VPN Client prove its identity to the Server through the use of a Client Certificate. If this option has been configured, then the Server will request the VPN Client to send its Client Certificate and the Server will verify it using the following process:

1. Verify that the issuer of the Client Certificate is trusted by the Server.

2. Verify that the Client Certificate is not expired and is suitable for the intended purpose.

3. Verify that the Client Certificate is not currently being used by any other Client that is connected to the same AirBeam Safe Enterprise Server or AirBeam Safe Gatekeeper Server.
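The server-side and client-side certificate checks listed in the two sections above, as an added Python example that is not part of the Motorola guide: it operates on certificate dicts in the shape returned by Python's ssl.SSLSocket.getpeercert(), the sample certificates, issuer name and session ids are constructed placeholders, and the "not in use by another Client" rule is modelled with an in-memory registry because the guide does not say how the servers track it.

```python
import ssl

# Constructed sample certificates in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names and serial numbers are placeholders, not values from the guide.
GATEKEEPER_CERT = {
    "subject": ((("commonName", "gatekeeper.example.invalid"),),),
    "issuer": ((("commonName", "Example Enterprise CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "serialNumber": "0A1B2C",
}
CLIENT_CERT = dict(GATEKEEPER_CERT, subject=((("commonName", "device-0042"),),), serialNumber="77AB")

def _name_attr(name, key):
    """Collect all values of one attribute (e.g. commonName) from a getpeercert() name tuple."""
    return [v for rdn in name for k, v in rdn if k == key]

def verify_certificate(cert, trusted_issuers, now):
    """Steps 1 and 2, shared by server and client verification: trusted issuer and validity
    window (`now` is seconds since the epoch, e.g. time.time()). The 'suitable for the intended
    purpose' check needs the EKU extension, which getpeercert() does not expose, so it is omitted."""
    problems = []
    if not set(_name_attr(cert["issuer"], "commonName")) & set(trusted_issuers):
        problems.append("issuer not trusted")
    if not ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("outside validity period")
    return problems

def verify_server_certificate(cert, contacted_host, trusted_issuers, now):
    """Step 3 of server verification: the subject CN must equal the IP address or network name
    the client contacted; without it, any certificate from the trusted issuer would pass."""
    problems = verify_certificate(cert, trusted_issuers, now)
    if contacted_host not in _name_attr(cert["subject"], "commonName"):
        problems.append("common name does not match contacted host")
    return problems

class ClientCertificateRegistry:
    """Step 3 of client verification: one certificate may be in use by only one connected client."""
    def __init__(self):
        self._in_use = {}  # certificate serial number -> session id currently holding it
    def verify_and_register(self, cert, session_id, trusted_issuers, now):
        problems = verify_certificate(cert, trusted_issuers, now)
        if self._in_use.get(cert["serialNumber"], session_id) != session_id:
            problems.append("certificate already in use by another connected client")
        if not problems:
            self._in_use[cert["serialNumber"]] = session_id
        return problems
    def release(self, session_id):
        """Forget the session's certificate once that client disconnects."""
        self._in_use = {s: sid for s, sid in self._in_use.items() if sid != session_id}
```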

Secure Tunnel Establishment

Once the VPN Client has verified the Server and the Server has optionally verified the VPN Client, a Secure Tunnel can be established. This proceeds according to the standard rules for TLS (Transport Layer Security) which in brief follows the following process:

1. The VPN Client creates a random Session Key, encrypts it using the Public Key associated with the Server Certificate, and sends the encrypted Session Key to the Server.

2. The Server decrypts the encrypted Session Key using its Private Key.

3. The VPN Client and the Server now have the same Session Key which is used to encrypt and decrypt all further data traffic, thus permitting a secure tunnel to be established.

If the VPN Client connects to an AirBeam Safe Gatekeeper Server, then a second secure tunnel is opened between the VPN Client and the AirBeam Safe Enterprise Server over the connection that is maintained from the AirBeam Safe Enterprise Server to the AirBeam Safe Gatekeeper Server. The establishment of this second tunnel follows a process similar to the above. Once the second secure tunnel is established, the first secure tunnel is dropped.

Client Authentication

Once a secure tunnel has been established from the VPN Client to the AirBeam Safe Enterprise Server, the Server determines what mode of authentication has been configured and requests the VPN Client to authenticate accordingly. The VPN Client responds over the secure tunnel with the required authentication credentials and the AirBeam Safe Enterprise Server proceeds to validate those credentials. If authentication succeeds, the connection can proceed. If authentication fails, then the connection is rejected. Depending on the type(s) of authentication requested,

Session Establishment or Reconnection

Once the VPN Client has successfully been authenticated by the AirBeam Safe Enterprise Server, the Server determines if that VPN Client was in the middle of a session. If the VPN Client was in the middle of a session, then the Server re-connects that session and data transfer for that session continues where it left off. If the VPN Client was not in the middle of a session, then the Server establishes a new session with that VPN Client.

Virtual IP Address Assignment

As part of the establishment of any new session, the AirBeam Safe Enterprise Server acquires a suitable IP Address for the new session based on the IP Address assignment configured in the Server. This could be done by the Server issuing a request to an existing DHCP Server on behalf of the VPN Client or by the Server allocating an IP Address from a Client IP Address pool(s) configured for the Server.

Note:

When IP Addresses are allocated from IP Address pool, it may take some time after a VPN Client disconnects before the AirBeam Safe Enterprise Server can re-use that IP Address. If an IP Address pool has “just enough” IP Addresses, and if VPN Clients frequently disconnect, then some re-connections may be delayed due to a temporary unavailability of IP Addresses.
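The pool behaviour described in the note, together with the "reconnecting session keeps its session" rule from Session Establishment or Reconnection, as an added Python model that is not part of the Motorola guide: the guide only says re-use "may take some time", so the fixed hold-down period, the pool range and the client names are constructed assumptions.

```python
import ipaddress

class ClientAddressPool:
    """Constructed model of a server-side client IP address pool in which a released
    address is held back for `hold_down` seconds before it can be handed out again."""
    def __init__(self, network, hold_down):
        self._free = list(ipaddress.ip_network(network).hosts())  # addresses ready to lease
        self._hold_down = hold_down
        self._leased = {}    # session id -> address
        self._cooling = []   # (release_time, address) waiting out the hold-down

    def _recycle(self, now):
        """Return addresses whose hold-down has elapsed to the free list."""
        still_cooling = []
        for released_at, addr in self._cooling:
            if now - released_at >= self._hold_down:
                self._free.append(addr)
            else:
                still_cooling.append((released_at, addr))
        self._cooling = still_cooling

    def acquire(self, session_id, now):
        """Lease an address for a new session; a reconnecting session keeps its address.
        Returns None when the pool is temporarily exhausted, which is the delayed
        re-connection the note warns about."""
        self._recycle(now)
        if session_id in self._leased:
            return self._leased[session_id]
        if not self._free:
            return None
        addr = self._free.pop(0)
        self._leased[session_id] = addr
        return addr

    def release(self, session_id, now):
        """Client disconnected: start the hold-down for its address."""
        addr = self._leased.pop(session_id)
        self._cooling.append((now, addr))

def demo_just_enough_pool():
    """Two usable addresses (a /30), three clients over time, 60 s hold-down."""
    pool = ClientAddressPool("10.99.0.0/30", hold_down=60)  # constructed pool range
    events = []
    events.append(str(pool.acquire("client-A", now=0)))
    events.append(str(pool.acquire("client-B", now=0)))
    pool.release("client-B", now=10)
    events.append(str(pool.acquire("client-C", now=20)))   # still held down -> None
    events.append(str(pool.acquire("client-C", now=70)))   # hold-down elapsed -> reused
    return events
```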


Virtual NIC

The VPN Client software sets up a Virtual NIC (Network Interface Card) within the device that captures all outgoing traffic, compresses and encrypts it, and sends it to the AirBeam Safe Enterprise Server over the physical network adapter that is currently in use. The Virtual NIC will be assigned the Virtual IP Address assigned to the session with the VPN Client by the Server. If the physical network connection is temporarily lost (e.g. device suspend, signal loss, adapter switch etc.), the Virtual NIC will remain enabled and operative, although data will be buffered and network operations may block when the available buffers become full. This approach minimizes the effect on network applications, allowing their logical network sessions to be kept active and hence providing an “always-on” user experience,
