IT Infrastructure Transformation – VPN Services
Enterprise VPN
Don Kendrick, VITA Senior Manager, Security Operations
August 25, 2009

Page 1

Title slide: Enterprise VPN, Don Kendrick, VITA Senior Manager, Security Operations, August 25, 2009

Page 2

This document explains the ITP’s plan to improve network security by providing agencies with single and two-factor VPN options

The presentation will cover:

Overview of VPN Offerings

Benefits

Deployment Approach

Page 3

VPN (Virtual Private Network) offers remote agency sites and users a secure internet connection to the VITA Enterprise Network

• A VPN connects remote sites and users together by securely routing remote private networks over the Internet without the need for end-users to acquire additional hardware or software

• As part of the ongoing transformation, the IT Infrastructure Partnership will begin transitioning all legacy VPN (Virtual Private Network) users to an Enterprise VPN

• Enterprise VPN access rights can be tailored to individual users, such as employees, contractors, and/or partners, to provide the right level of access to the VITA Enterprise Network

Note: VPN offerings are subject to governing policies SEC501 and SEC511

Page 4

Security Related Benefits of VPN

• Single Point of Contact

• SOC

• Intrusion Detection

• Least Privileged

• Well-Defended

• Strong Cisco & Juniper support

Page 5

Non-Security Related Benefits of VPN

• Reduces Site Costs – Workers can work from home or other locations allowing agencies to lease smaller facilities

• Supports Telework Initiatives – Promotes the Commonwealth of Virginia’s telework initiative, helps the environment, provides the option of allowing employees to work from home or remotely, and reduces strain on the transportation infrastructure

• Supports Remote Business Meetings – Bring services to your customers and extend geographic connectivity. Bring the power of your office to a client’s kitchen table, bedside, or work site

• Improves Productivity – Enable employees to work after hours more easily

Page 6

The ITP offers agencies single and two-factor authentication options for VPN access to the VITA Enterprise Network; agencies can choose one, both or a combination of the two options to meet differing levels of employee data security needs.

Single-factor Authentication (for low to medium data security needs)

This option is recommended for medium or low security data and application access. It only requires one factor to enable network access: the ID and password.

• Factors Used: Single = User ID and Password
• Device: Must be partnership-provided
• Services*: All applications that were accessible by http or https prior to Enterprise VPN migration will also be available under the single factor solution
• Additional Requirements: Cisco VPN client, Centrally Managed Firewall, Current virus definitions, High Speed Internet Connection
• Cost: No additional cost

Two-factor Authentication (for high data security needs)

This is the most secure option. It requires two factors to enable network access: ID and password plus key fob verification.

• Factors Used: Two = User ID and Password plus key fob
• Device: Must be partnership-provided
• Services: Full range of services that are not accessible with single factor, including access to agency “killer apps”
• Additional Requirements: Cisco VPN client, Centrally Managed Firewall, Current virus definitions, High Speed Internet Connection
• Cost: TBD additional cost

*See appendix for complete list of ports supported by the single-factor solution

Page 7

Deployment Approach

IT Infrastructure Partnership will begin transitioning most legacy VPN (Virtual Private Network) users to the Enterprise VPN following their agency’s messaging and network transformations. In order for single-factor or two-factor VPN to be installed, agencies must be cross-connected to the MPLS network. Single-factor VPN also requires a synchronized agency user base directory, with COV accounts for those receiving VPN services.

Two-Factor Processes
• Initial request, approval, and support processes
• Catalog process

Other
• AITRs will need to identify VPN needs within their agencies and approve all VPN requests
• Migration will consist of an initial “bulk migration” to single-factor authentication at the agency sites

Post-transformation requests for single-factor VPN should be routed through the VCCC Service Desk by calling 1-866-637-8482. Token requests, a requirement for the two-factor solution, must be entered in eVA.

Deployment phases (from the slide’s timeline graphic):
1. Single-Factor Pilots and Evaluations
2. Transform Top 20 Agencies
3. Deploy VPN Across the Full Enterprise

Most users are upgraded to enterprise VPN during transformation

Page 8

Single-factor Enterprise VPN Agency Migration Process Responsibilities

Transformation Project Objective: Convert legacy VPN users to CESC-based single-factor VPN or add new users to this solution

PRE-MIGRATION

Agency
• Provide list of all people getting VPN

IT Partnership Team
• Verify data accuracy

DURING MIGRATION

Agency
• Distribute job aids to users

IT Partnership Team
• Establish accounts
• Distribute Cisco VPN software to target machines
• Test connectivity
• Notify VCCC that agency has transitioned

POST-MIGRATION

Agency
• Sign acceptance documents

IT Partnership Team
• Add individual users as required

Page 9

Two-factor Enterprise VPN Agency Migration Process Responsibilities

Transformation Project Objective: To migrate existing agency-based two-factor users to the CESC-based system or to add new two-factor users as appropriate

PRE-MIGRATION

Agency
• Decide how many agency end-users will need two-factor authentication so that the correct number of key fobs are provided to the agency
• Identify any legacy VPN users
• Provide a list of users who need new key fobs and the key fob serial numbers from any legacy users

IT Partnership Team
• Verify data accuracy with agency personnel

DURING MIGRATION

Agency
• Distribute appropriate training materials and job aids
• Provide testers to ensure correct operation
• Agency ISO distributes key fobs to end-users

IT Partnership Team
• Load key serials
• Set up user accounts
• Load Cisco VPN client on all target machines
• Test functionality
• Notify VCCC that agency has been cut over

POST-MIGRATION

Agency
• Sign acceptance documents

IT Partnership Team
• Add individual users as required

Page 10

Questions?

Page 11

Appendix

Page 12

The single-factor solution will allow users to access systems operating under the following ports:

permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 53
permit udp any any eq 53
permit tcp any any eq 389
permit udp any any eq 389
permit tcp any any eq 135
permit tcp any any eq 445
permit udp any any eq 138
permit tcp any any eq 139
permit udp any any eq 137
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 110
permit tcp any any eq 995
permit tcp any any eq 25
permit udp any any eq 25
permit tcp any any eq 88
permit udp any any eq 88
permit udp any any eq 123
permit tcp any any eq 123
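An added example, not from the VITA deck: a small Python audit script that parses the appendix entries in Cisco-style ACE syntax, labels each port with its IANA service name, and reports how many entries are any-to-any, so a reviewer can check the single-factor scope (for instance that http and https remain permitted, as slide 6 states) against the list itself. The 21 appendix entries are embedded inline; the port names are standard IANA assignments.

```python
import re
from collections import defaultdict

# The appendix ACL from the slide deck, embedded (two entries per line, as the
# deck's two-column layout extracted) so the script runs offline.
APPENDIX_ACL = """
permit tcp any any eq 80 permit tcp any any eq 143
permit tcp any any eq 443 permit tcp any any eq 993
permit tcp any any eq 53 permit tcp any any eq 110
permit udp any any eq 53 permit tcp any any eq 995
permit tcp any any eq 389 permit tcp any any eq 25
permit udp any any eq 389 permit udp any any eq 25
permit tcp any any eq 135 permit tcp any any eq 88
permit tcp any any eq 445 permit udp any any eq 88
permit udp any any eq 138 permit udp any any eq 123
permit tcp any any eq 139 permit tcp any any eq 123
permit udp any any eq 137
"""

# IANA well-known port names used to label entries.
PORT_NAMES = {25: "smtp", 53: "dns", 80: "http", 88: "kerberos", 110: "pop3",
              123: "ntp", 135: "msrpc", 137: "netbios-ns", 138: "netbios-dgm",
              139: "netbios-ssn", 143: "imap", 389: "ldap", 443: "https",
              445: "smb", 993: "imaps", 995: "pop3s"}

ACE_RE = re.compile(r"permit (tcp|udp) (\S+) (\S+) eq (\d+)")

def parse_acl(text):
    """Return (proto, src, dst, port) tuples; fail if any 'permit' is left unparsed."""
    entries = [(p, s, d, int(port)) for p, s, d, port in ACE_RE.findall(text)]
    if len(entries) != text.count("permit"):
        raise ValueError("ACL contains an entry this parser does not understand")
    return entries

def summarise(entries):
    """Map each protocol to its permitted ports, labelled with the IANA service name."""
    by_proto = defaultdict(dict)
    for proto, _, _, port in entries:
        by_proto[proto][port] = PORT_NAMES.get(port, "unassigned")
    return {p: dict(sorted(v.items())) for p, v in by_proto.items()}

def unrestricted(entries):
    """Entries whose source and destination are both 'any' (no host scoping)."""
    return [e for e in entries if e[1] == "any" and e[2] == "any"]

def allows(entries, proto, port):
    """True if the ACL permits the given protocol/port."""
    return any(e[0] == proto and e[3] == port for e in entries)

if __name__ == "__main__":
    acl = parse_acl(APPENDIX_ACL)
    for proto, ports in summarise(acl).items():
        print(proto, ", ".join(f"{n} ({name})" for n, name in ports.items()))
    print(f"{len(unrestricted(acl))} of {len(acl)} entries are any-to-any")
```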