Sun Microsystems 2005Q1 Server User Manual


 
Netlet
Chapter 2 Portal Server Secure Remote Access Architecture 43
Netlet and Application Integration
Netlet works with many third parties such as Graphon, Citrix, and pcAnywhere. Each of these products provides secure access to the user’s Portal Desktop from a remote machine using Netlet.
Split Tunneling
Split tunneling allows a VPN client to connect to both secure sites and non-secure sites without having to connect or disconnect the VPN connection (in this case, the Netlet connection). The client determines whether to send the information over the encrypted path or over the non-encrypted path. The concern over split tunneling is that you could have a direct connection from the non-secure Internet to your VPN-secured network, via the client. Turning off split tunneling (not allowing both connections simultaneously) reduces the exposure of the VPN connection (or, in the case of Netlet, the Netlet connection) to Internet intrusion.
Though Portal Server does not prohibit nor shut down multiple network connections while attached to the portal site, it does prevent unauthorized users from “piggybacking” on other users’ sessions in the following ways:
• Netlet is an application-specific VPN and not a general-purpose IP router. Netlet only forwards packets that have been defined by a Netlet rule. This differs from the standard VPN approach, which gives you complete LAN access once you’ve connected to the network.
• Only an authenticated portal user can run the Netlet. No portal application can be run until the user has been successfully authenticated, and no new connections can be made if an authenticated session does not exist.
• All access controls in place on the application side are still in effect, so an attacker would also have to break in to the back-end application.
• Every Netlet connection results in a dialog box posted by the Netlet (running in the authenticated user’s JVM™) to the authenticated user’s display. The dialog box asks for verification and acknowledgement to permit the new connection. For attackers to be able to utilize a Netlet connection, they would need to know that the Netlet was running, the port number it was listening on, how to break in to the back-end application, and how to convince the user to approve the connection.
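The following is an added illustration of the access-decision layering described above, written for this edition and not code from Sun’s product: a hypothetical model in which a connection is forwarded only when an authenticated portal session exists, a configured Netlet rule matches the destination (default deny, unlike a general-purpose VPN router), and the user acknowledges the connection dialog. The rule fields, session structure and the sample rule set are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical model of Netlet's forwarding decision (not Sun's code).
# Field names and the rule shape are assumptions for illustration.

@dataclass(frozen=True)
class NetletRule:
    name: str          # rule name configured by the administrator
    client_port: int   # port the Netlet applet listens on at the client
    dest_host: str     # back-end host the Gateway forwards to
    dest_port: int     # back-end port

@dataclass(frozen=True)
class PortalSession:
    user: str
    authenticated: bool

@dataclass(frozen=True)
class ConnectRequest:
    session: Optional[PortalSession]   # None when no portal session exists
    client_port: int
    dest_host: str
    dest_port: int

# Constructed sample rule set: only one intranet service is reachable.
RULES: List[NetletRule] = [NetletRule("intranet-telnet", 30000, "intranet.example", 23)]

def decide(req: ConnectRequest, rules: List[NetletRule],
           ask_user: Callable[[str, NetletRule], bool]) -> Tuple[bool, str]:
    """Return (forward?, reason). Every check must pass; anything unmatched is dropped."""
    sess = req.session
    if sess is None or not sess.authenticated:
        return False, "no authenticated portal session"
    rule = next((r for r in rules if r.client_port == req.client_port
                 and r.dest_host == req.dest_host and r.dest_port == req.dest_port), None)
    if rule is None:
        # Application-specific VPN: no rule, no forwarding (not a general IP router).
        return False, "no Netlet rule for this destination"
    if not ask_user(sess.user, rule):
        # The dialog on the authenticated user's display rejected the new connection.
        return False, f"user {sess.user} did not acknowledge rule {rule.name}"
    # The back-end application still enforces its own access controls after this.
    return True, f"forwarded via rule {rule.name} to {rule.dest_host}:{rule.dest_port}"

if __name__ == "__main__":
    alice = PortalSession("alice", True)
    print(decide(ConnectRequest(alice, 30000, "intranet.example", 23), RULES, lambda u, r: True))
    print(decide(ConnectRequest(alice, 30000, "files.example", 445), RULES, lambda u, r: True))
```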