首頁 探索 說明
登入
vimacs
/
openconnect
關註 1
讚好 0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
分支: h3c
分支列表 標籤列表
openconnect
/
www
/
hip.xml

hip.xml 4.2 KB
永久連結 文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990 
  1. <PAGE>
    2. 

  2. 	<INCLUDE file="inc/header.tmpl" />
    3. 

  3. 

  4. 	<VAR match="VAR_SEL_FEATURES" replace="selected" />
    5. 

  5. 	<VAR match="VAR_SEL_FEATURE_HIP" replace="selected" />
    6. 

  6. 	<PARSE file="menu1.xml" />
    7. 

  7. 	<PARSE file="menu2-features.xml" />
    8. 

  8. 

  9. 	<INCLUDE file="inc/content.tmpl" />
    10. 

  10. 

  11. <h1>PAN GlobalProtect HIP</h1>
    12. 

  12. 

  13. <p>The HIP ('Host Integrity Protection') mechanism is a security
    14. 

  14. scanner for the <a href="globalprotect.html">PAN GlobalProtect</a>
    15. 

  15. VPNs, in the same vein as <a href="csd.html">Cisco's CSD</a> and <a
    16. 

  16. href="juniper.html">Juniper's Host Checker (tncc.jar)</a>.</p>
    17. 

  17. 

  18. <h2>How it works</h2>
    19. 

  19. 

  20. <p>It is somewhat <i>less</i> intrusive than CSD or TNCC, because it
    21. 

  21. does not appear to work by downloading a trojan binary from the VPN
    22. 

  22. server. Instead, it runs a HIP report generator (built-in as part of
    23. 

  23. the official GlobalProtect VPN client software), which generates an
    24. 

  24. "HIP report" XML file.</p>
    25. 

  25. 

  26. <p>HIP flow used in the official clients:</p>
    27. 

  27. <ol>
    28. 

  28.   <li>Client authenticates and fetches the tunnel configuration from the GlobalProtect gateway.</li>
    29. 

  29.   <li>Client runs HIP report generator and computes MD5 digest of report.</li>
    30. 

  30.   <li>Client checks whether a HIP report is required (<tt>/ssl-vpn/hipreportcheck.esp</tt>), including its MD5 digest and gateway-assigned IP address in the report.</li>
    31. 

  31.   <li>Gateway responds whether or not a HIP report is required (normally, it doesn't require a new one if a report with the same MD5 digest and same IP address have been submitted recently).</li>
    32. 

  32.   <li>Client uploads the complete HIP report to (<tt>/ssl-vpn/hipreport.esp</tt>).</li>
    33. 

  33.   <li>Server confirms acceptance of HIP report with a success message.</li>
    34. 

  34. </ol>
    35. 

  35. 

  36. <p>If all goes well, the client should have the expected level of
    37. 

  37. access to resources on the network after these steps are
    38. 

  38. complete. However, two things can go wrong:</p>
    39. 

  39. 

  40. <ul>
    41. 

  41.   <li>Many GlobalProtect servers report that they require HIP reports
    42. 

  42.   (#3 above), but don't actually enforce this requirement. (For this
    43. 

  43.   reason, OpenConnect does not currently fail if a HIP report is
    44. 

  44.   required but no HIP report script is provided.)</li>
    45. 

  45.   <li>Many GlobalProtect servers will claim that the HIP report was
    46. 

  46.   accepted successfully (#6 above) but silently fail to enable the
    47. 

  47.   expected network access, presumably because some aspect of the
    48. 

  48.   HIP report contents were not approved.</li>
    49. 

  49. </ul>
    50. 

  50. 

  51. <h2>HIP support in OpenConnect</h2>
    52. 

  52. 

  53. <p>OpenConnect supports HIP report generation and submission by passing the <tt>--csd-wrapper=SCRIPT</tt> argument with a shell script to generate a HIP report in the format expected by the
    54. 

  54. server. This shell script must output the HIP report to standard output and exit successfully (status code 0). The HIP script is called with the following command-line arguments:</p>
    55. 

  55. 

  56. <pre>
    57. 

  57.    --cookie: a URL-encoded string, as output by openconnect
    58. 

  58.              --authenticate --protocol=gp, which includes parameters
    59. 

  59.              --from the /ssl-vpn/login.esp response
    60. 

  60. 

  61.    --client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect
    62. 

  62.                      VPN for this client (included in
    63. 

  63.                      /ssl-vpn/getconfig.esp response)
    64. 

  64. 

  65.    --md5: The md5 digest to encode into this HIP report. All that
    66. 

  66.           really matters is that the value in the HIP report
    67. 

  67.           submission should match the value in the HIP report check.
    68. 

  68. </pre>
    69. 

  69. 

  70. <h2>Generating/spoofing a HIP report</h2>
    71. 

  71. 

  72. <p>Two example scripts are included in the OpenConnect distribution,
    73. 

  73. in the <tt>trojans/</tt> subdirectory: <tt>hipreport.sh</tt> (which
    74. 

  74. reproduces the behavior of a GlobalProtect Windows client) and
    75. 

  75. <tt>hipreport-android.sh</tt> (a report with minimal contents
    76. 

  76. suitable for use on an Android device).</p>
    77. 

  77. 

  78. <p>Depending on how picky your GlobalProtect
    79. 

  79. VPN is, it may be necessary to spoof or alter some of the parameters
    80. 

  80. of the HIP report to match the output of one of the official
    81. 

  81. clients. In order to capture the contents of the official Windows
    82. 

  82. client's HIP reports, enable the highest logging level for the "PanGPS
    83. 

  83. Service", and then sift through the giant <tt>PanGPS.log</tt> file
    84. 

  84. (which should be in the same directory as the executables, normally
    85. 

  85. <tt>c:\Program Files\PaloAlto Networks\GlobalProtect</tt>) to find
    86. 

  86. the HIP report submission.</p>
    87. 

  87. 

  88. <INCLUDE file="inc/footer.tmpl" />
    89. 

  89. </PAGE>
    90. 

  90.