Every Apollo Anywhere Client is supplied with a serial number that encodes a MAC address, a globally unique identifier for a network node. When a configured Anywhere Client attempts to connect to a PAS, the server checks the client's MAC address for uniqueness. The Anywhere Client attempting a login is only granted access to the next stage if the MAC address is unique on that PAS.
The MAC address is hashed together with a number of other fixed and variable values to create the unique validation for the session before the user-level credentials are submitted. If the server already has another client session using the same MAC address or session details, both sessions are terminated. This prevents duplicate MAC or serial number use and provides a basis for client identification. The MAC address allocated to an Anywhere Client can be looked up in the Customer Care application.
By using the MAC address as a means of identification Apollo provides early warning and detection of black-listed clients prior to any authentication layer processes occurring. This provides an extra layer of access control that is difficult to circumvent.
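The following is an added example, not Apollo's code, of the server-side registration check the preceding paragraphs describe: a PAS-style registry that canonicalises the client's MAC address, refuses black-listed addresses before any user-level authentication runs, binds the MAC to fixed (a server secret) and variable (client address, per-session nonce) values to derive a session token, and terminates both sessions when a second client presents an already-registered MAC. The secret, the HMAC-SHA256 construction, the class and function names and the sample addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed server-side secret for this example only; a real PAS would keep
# such a value in protected configuration, not in source.
SERVER_SECRET = b"example-pas-secret"


def normalise_mac(mac: str) -> str:
    """Canonicalise a MAC so 'AA-BB-..', 'aabb..' and 'aa:bb:..' compare equal."""
    digits = "".join(ch for ch in mac if ch.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def session_token(mac: str, client_ip: str, nonce: bytes) -> str:
    """Bind the MAC to fixed (server secret) and variable (client IP, nonce)
    inputs with HMAC-SHA256; the exact construction is an assumption."""
    msg = b"|".join([normalise_mac(mac).encode(), client_ip.encode(), nonce])
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class Session:
    mac: str
    token: str
    client_ip: str


@dataclass
class PASRegistry:
    """Tracks active client sessions keyed by canonical MAC address."""
    blacklist: Set[str] = field(default_factory=set)
    active: Dict[str, Session] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Store black-listed MACs in canonical form so lookups are exact.
        self.blacklist = {normalise_mac(m) for m in self.blacklist}

    def register(self, mac: str, client_ip: str) -> Optional[Session]:
        """First stage of a login: returns a Session if the client may proceed
        to user-level authentication, or None if it was rejected."""
        mac = normalise_mac(mac)
        if mac in self.blacklist:
            # Rejected before any authentication-layer processing takes place.
            self.log.append(f"DENY  {mac} from {client_ip}: black-listed")
            return None
        if mac in self.active:
            # Duplicate MAC: terminate the existing session as well as the new one.
            old = self.active.pop(mac)
            self.log.append(
                f"DROP  {mac}: duplicate; terminated {old.client_ip} and {client_ip}"
            )
            return None
        token = session_token(mac, client_ip, secrets.token_bytes(16))
        session = Session(mac=mac, token=token, client_ip=client_ip)
        self.active[mac] = session
        self.log.append(f"ALLOW {mac} from {client_ip}: proceed to user authentication")
        return session


if __name__ == "__main__":
    reg = PASRegistry(blacklist={"00:11:22:33:44:55"})
    reg.register("00-11-22-33-44-55", "198.51.100.10")   # black-listed
    reg.register("aa:bb:cc:dd:ee:01", "198.51.100.11")   # allowed
    reg.register("AA:BB:CC:DD:EE:01", "198.51.100.12")   # duplicate, both dropped
    print("\n".join(reg.log))
```

Dropping both sessions on a duplicate (rather than keeping the first) is what makes cloned serial numbers visible: a legitimate user who is suddenly disconnected is a signal worth correlating with the registry log.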
Assuming the PAS successfully registers the Anywhere Client and a positive user-level authentication takes place, an IP address is issued. The Anywhere Client then assigns this IP address to the Windows IP stack through its built-in DHCP server.
A secure Layer 2 VPN tunnel using L2TP (Layer 2 Tunneling Protocol) is then established between the Anywhere Client and the PAS. Apollo uses this L2TP tunnel to transfer all IP packets between the Anywhere Client and PAS. Packets from the Anywhere Client enter the LAN on UDP port 1701 with a destination address of the PAS. This information can be used as an access control parameter on any WAN firewall.
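As an added example (not part of the original page or Apollo's tooling) of using the parameters above as a WAN firewall access-control check, the following Python audits constructed flow records against the stated policy: only UDP port 1701 destined for the PAS is expected, anything else from the WAN side is denied, and L2TP aimed at any host other than the PAS is flagged for review. The PAS address, the record format and the sample flows are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed PAS external address for this example (documentation range, not a real host).
PAS_ADDRESS = "203.0.113.5"
L2TP_PORT = 1701

# Constructed flow records in a key=value style loosely modelled on firewall
# logs; they are sample input for this example, not captured traffic.
SAMPLE_FLOWS = [
    "proto=udp src=198.51.100.10 dst=203.0.113.5 sport=40000 dport=1701",
    "proto=udp src=198.51.100.11 dst=203.0.113.9 sport=40001 dport=1701",
    "proto=tcp src=198.51.100.12 dst=203.0.113.5 sport=50000 dport=22",
    "proto=udp src=198.51.100.13 dst=203.0.113.5 sport=1701 dport=53",
]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one key=value flow record; keys other than those used are ignored."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(
        proto=fields["proto"].lower(),
        src=fields["src"],
        dst=fields["dst"],
        sport=int(fields["sport"]),
        dport=int(fields["dport"]),
    )


def classify(flow: Flow) -> str:
    """Policy from the text: L2TP (UDP/1701) to the PAS is the only expected
    inbound flow; L2TP to any other host is denied and worth an alert, and
    everything else is simply denied."""
    if flow.proto == "udp" and flow.dport == L2TP_PORT:
        if flow.dst == PAS_ADDRESS:
            return "allow"
        return "alert-l2tp-to-non-pas"
    return "deny"


def audit(lines: List[str]) -> Dict[str, List[Flow]]:
    """Group flow records by verdict so denials and alerts can be reviewed."""
    verdicts: Dict[str, List[Flow]] = {
        "allow": [], "deny": [], "alert-l2tp-to-non-pas": []
    }
    for line in lines:
        flow = parse_flow(line)
        verdicts[classify(flow)].append(flow)
    return verdicts


if __name__ == "__main__":
    for verdict, flows in audit(SAMPLE_FLOWS).items():
        for f in flows:
            print(f"{verdict:24} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

The same policy expressed as a firewall rule is a single permit for UDP 1701 to the PAS address followed by a default deny; the audit above is the check a defender runs over the firewall's own logs to confirm that rule is in place and that nothing else is arriving on the L2TP port.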
Apollo deploys AES 256 encryption algorithms in order to ensure the confidentiality of all data transferred, including in-band control and authentication data. Due to the IP encapsulation applied by the L2TP protocol, all user application data, including port numbers and IP address, is encrypted.
An observer monitoring the data communications path will be blocked from reading messages and will fail to perform traffic analysis because all routing information from the internal private network is encrypted. All that will be visible to an observer are the IP addresses issued to the remote device’s network interfaces by the wide area network providers and the IP address(es) assigned to the NIC(s) on the Apollo PAS external facing interfaces.
Apollo's user-authentication process uses EAP (Extensible Authentication Protocol) in conjunction with the TLS (Transport Layer Security) protocol. Together these protocols provide mutual authentication between the Anywhere Client and the PAS authentication server using digital certificates. Because authentication is conducted immediately after the encrypted L2TP tunnel has been established, none of the authentication packets are transferred in plain text.
Apollo employs an extremely efficient, high-performance AES 256 VPN dynamic tunnel that adds security to data moving across any wide area network. It works in NAT and PAT environments and does not fail in out-of-coverage situations. Dynamic session keys ensure the highest level of security. Apollo is able to manage split-tunnel authentication, supporting sessions over multiple simultaneous bonded bearers.