TRANSCRIPT
EMS Summit – Network Remote Access
William E. Ott
Friday August 25, 2006
1300 – 1400 EDT

Secure Communications
VPN Solutions
Voice over IP
Secure e-mail

Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources
Voice traffic is starting to move to data circuits (VoIP). Not secure on its own.
How do you secure e-mail traffic?

Impediments to Remote Access
Cost
Availability
Technical support
Bandwidth
Security

Traditional Remote Network Connectivity Options
Network Connection Technologies
• Private circuits (i.e. frame relay) – Expensive
• Dialup – Slow
Network Service Technologies
• telnet, ftp, ssh, http, https, proprietary – Some are secure, some are not
Architecture
• Remote circuits terminated directly into the core of the enterprise network – Insecure

Classical Enterprise Connectivity

New Requirements / New Threats
New Requirements
Internet Access
• For the enterprises
• From our homes
The Web
• Sharp increase in Internet use
• Browsers become ubiquitous
Broadband
• Fast
• Economical
New Threats
Internet Access
• Shared infrastructure
• Public exposure
The Web
• Sharp increase in Internet use
• Access to content: useful and malicious
Broadband
• Remote endpoints (i.e. home PCs) always on

Access Types Considered
Dial-Up – Already in use
Dedicated Access (T1, Frame) – Already in use
Network to Network IPSEC VPN
Client to Network IPSEC VPN
SSL VPN

Security Requirements
Define the perimeter
• A perimeter exists every place where there’s a differentiation in policy or responsibility
Identify and authenticate remote sites and users
• Consider “strong” and multi-factor authentication options
Provide privacy & integrity for communications
• Business data
• Authentication credentials
Secure endpoints
• Apply enterprise security policy to remote endpoints
Limit exposure
• Remote users probably don’t need to access “everything.”

Solutions?
Virtual Private Networks
• IP-Sec – Remote network access
• SSL – Remote application access
• SSH – Remote administration

Remote Access: the parts
Assess
• Diverse client base
• Distributed client base
• Access to applications and data
• Minimize delivery time
• Minimize agency support requirements
• Conform to federal requirements including two factor authentication
• Security

Plan the solution

IP-Sec
Types
• Site to Site
• Remote Client
Security Considerations
• Encryption
• Authentication
• Split Tunneling
• Client Policy Enforcement
• Firewalls (inside and outside the VPN)

Site to Site IP-Sec

Client IP-Sec

IP-Sec VPN Pros and Cons
Pros
• Well suited to replace private circuits
• “On the network” user experience
• Extensive support for various encryption algorithms and authentication options
• Mature technology
Cons
• Quality of Service dependent on shared network (i.e. the Internet)
• Client application required
• Limited cross-vendor interoperability
• Some configurations are not compatible with NAT

Remote Office VPN
Targeted at sites with > 10 users
Secure (IPSec) VPN
• Inter-agency Alliance managed end-to-end
• Connectivity to Legacy applications and new inter-agency alliance portal
Client premise equipment
• Firewall/VPN Device
• 1 - 10/100 Ethernet port
Objective
• Minimize impact of new solution on legacy networks while providing flexibility of deployment
[Diagram: Client Network (PCs) – Firewall – Internet – Alliance]

Local Integration
Topology
• Inside, DMZ, Outside
Addressing
• Client provides single IP address for VPN
• Address translation
Routing Changes
• Client routes alliance applications to VPN
[Two diagrams: PCs – Firewall – Internet – Alliance]

SSL VPN
Types
• Remote Client
Security Considerations
• Encryption
• Authentication
• Application publication: HTTP, Citrix / MS Terminal Services / Common Services
• SSL VPN client application may be used to proxy other application types or even establish a full PPP connection, in which case the IP-Sec security considerations apply

SSL VPN

SSL VPN Pros and Cons
Pros
• Super-easy access to enterprise application infrastructure
• Ability to “publish” non-web applications
• Ability to use standard web browser to access published application
Cons
• Client VPN only
• Client application still required for “on the network” experience

SSL VPN
Targeted at mobile or sites with < 10 users
Enrollment and Support for Multiple members
Provides clientless access to alliance resources
• Requires only a browser and internet connectivity
2-factor authentication
• One-Time password token
Token delivery efficiency

SSH
Primarily for remote administration
Encrypted “telnet” and “ftp”
Port forwarding
Highly interoperable
Supports nested tunnels
Can be used in a bastion host architecture to provide secure remote access
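The bastion host pattern on this slide, as an added example that is not part of the presentation: an OpenSSH client config that reaches an internal host only by jumping through the bastion (the nested tunnel) and forwards one internal port to the workstation, plus a bastion sshd_config fragment that limits exposure to named destinations. All host names (bastion.example.org, app.internal.example), user and group names, the key path and the ports are assumed values for illustration; the helper functions write the two files into a scratch directory so the block runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the presentation: SSH bastion-host setup covering
# encrypted remote administration, port forwarding and nested tunnels.
# Host names, users, group, key path and ports are assumptions.

# write_client_config DIR: writes an OpenSSH client config to DIR/config.
# Admins reach internal hosts only by jumping through the bastion; a local
# port forward lets a workstation browser reach an internal web console
# without the workstation itself being "on the network".
write_client_config() {
    cat > "$1/config" <<'EOF'
Host bastion
    HostName bastion.example.org
    User admin
    IdentityFile ~/.ssh/id_ed25519
    # Pin the bastion's host key; refuse to connect if it changes
    StrictHostKeyChecking yes

Host app.internal.example
    User admin
    # Nested tunnel: the session to the internal host runs inside the
    # session to the bastion (same as: ssh -J bastion app.internal.example)
    ProxyJump bastion
    # Expose the internal web console on the workstation's loopback only
    LocalForward 127.0.0.1:8443 app.internal.example:443
EOF
}

# write_bastion_sshd_config DIR: writes the hardening fragment for the
# bastion's sshd (OpenSSH sshd_config syntax). Limits exposure: the bastion
# relays only to the named internal ports and gives no interactive shell
# to ordinary jump users.
write_bastion_sshd_config() {
    cat > "$1/sshd_config" <<'EOF'
# Authentication: keys only, no passwords
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# Relaying to named destinations is the bastion's only job
AllowTcpForwarding yes
PermitOpen app.internal.example:22 app.internal.example:443
X11Forwarding no
PermitTunnel no
GatewayPorts no

# Jump users get no shell on the bastion itself
Match Group jumpusers
    ForceCommand /usr/sbin/nologin
    AllowAgentForwarding no
EOF
}

# forwarded_hosts FILE: list the destination hosts the bastion will relay
# to, read back from the PermitOpen line (port stripped, duplicates removed).
forwarded_hosts() {
    awk '$1 == "PermitOpen" { for (i = 2; i <= NF; i++) { sub(/:[0-9]+$/, "", $i); print $i } }' "$1" | sort -u
}

# Demonstration: write both files into a scratch directory and read back
# the relay targets, which is what a reviewer of the bastion should verify.
demo_dir=$(mktemp -d)
write_client_config "$demo_dir"
write_bastion_sshd_config "$demo_dir"
echo "Bastion relays only to: $(forwarded_hosts "$demo_dir/sshd_config")"
```

With the first file as ~/.ssh/config and the second merged into the bastion's sshd_config, `ssh app.internal.example` opens the nested session and https://127.0.0.1:8443 reaches the internal console. PermitOpen is what keeps the bastion from becoming a general-purpose relay, and the ForceCommand line denies jump users a shell on the bastion while still allowing ProxyJump, which uses a direct-tcpip channel rather than a session. The slide's encrypted "ftp" is sftp or scp over the same jump.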

Bastion Host

Architecture Best Practices
Identity Management
Authentication
Authorization
Logging
Client system policy compliance
Split tunneling (IP-Sec)
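Split tunneling appears both in the IP-Sec security considerations and in this best-practice list. As an added example that is not from the presentation, here is a client-policy check that a VPN client or compliance agent could run: it parses the routing table in Linux `ip route` format and reports whether all default-route traffic is forced through the tunnel interface. The interface names, addresses and the two sample routing tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the presentation): a client-policy check for split
# tunneling. Given the routing table (Linux `ip route` format) and the name
# of the VPN tunnel interface, report whether every default route goes
# through the tunnel ("full"), whether some default route bypasses it
# ("split"), or whether no default route exists at all ("none").
# Interface names and addresses below are assumptions for illustration.

split_tunnel_state() {
    routes="$1"   # routing table text, one route per line
    vpn_if="$2"   # tunnel interface the VPN client created, e.g. tun0

    printf '%s\n' "$routes" | awk -v vpn="$vpn_if" '
        # Both "default" and "0.0.0.0/0" denote a default route
        $1 == "default" || $1 == "0.0.0.0/0" {
            dev = ""
            for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev == vpn) via_vpn = 1; else bypass = 1
        }
        END {
            if (bypass)       print "split"
            else if (via_vpn) print "full"
            else              print "none"
        }'
}

# Constructed sample routing tables for the two client states.
# Split tunnel: the default route stays on the LAN NIC, only 10/8 uses tun0,
# so Internet traffic from this client never passes the enterprise firewall.
SPLIT_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23'

# Full tunnel: the VPN client replaced the default route with tun0; the only
# eth0 routes left are the LAN itself and a host route to the VPN gateway.
FULL_ROUTES='default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0'

# enforce_full_tunnel ROUTES VPN_IF: returns 0 only when policy is satisfied.
# A real client policy agent would feed it `ip route show` and withhold
# access to internal resources otherwise.
enforce_full_tunnel() {
    state=$(split_tunnel_state "$1" "$2")
    case "$state" in
        full)  echo "policy OK: all traffic via $2"; return 0 ;;
        split) echo "policy VIOLATION: a default route bypasses $2" >&2; return 1 ;;
        *)     echo "policy VIOLATION: no default route through $2" >&2; return 1 ;;
    esac
}

enforce_full_tunnel "$SPLIT_ROUTES" tun0 || true   # reports the violation
enforce_full_tunnel "$FULL_ROUTES" tun0            # reports policy OK
```

The check only catches split tunneling expressed as a default route outside the tunnel. A client that keeps its default route on the tunnel but adds explicit exclusion routes for chosen prefixes also needs the remaining non-tunnel routes compared against an allow-list (the local LAN and the host route to the VPN gateway), which is the same loop over the table with a different predicate.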

An Integrated Architecture

Remote Access Summary
Begin by determining what portions of the environment must be accessed remotely
Select the secure remote access solution that meets your needs
Understand the security architecture of the solution you use
• Develop the appropriate architecture
• Integrate the solution with other security services as necessary

Remote Access Summary
Have a broad view of how the solution will be used
• Placement of equipment
• Infrastructure
• Applications being accessed
Clearly define the process for provisioning tokens and providing user access

Voice over Internet Protocol
VoIP is growing rapidly
VoIP traffic should be secured site to site if used for sensitive information
VoIP has excellent crisis communications capability
VoIP is often cheapest method of telephony from overseas

Email Security
HIPAA concerns with email
Email to wireless devices
Email from remote or home users
Email with vendors and clients
Internal Email between sites
If Email isn’t ‘managed’ you have no control once sent
Many Email options

What technologies are emerging
Faster wireless
Real time video
High resolution cameras in phones
Convergence of data, voice, video into single devices

Questions?