Ronald Beekelaar, Beekelaar Consultancy, ronald@beekelaar.com: Intelligent Application Gateway (IAG) 2007

Post on 19-Dec-2015


TRANSCRIPT

Page 1: Ronald Beekelaar Beekelaar Consultancy ronald@beekelaar.com Intelligent Application Gateway (IAG) 2007

Ronald Beekelaar

Beekelaar Consultancy

ronald@beekelaar.com

Intelligent Application Gateway (IAG) 2007

Page 2:

Introductions

Presenter – Ronald Beekelaar

MVP Windows Security

MVP Virtual Machine Technology

E-mail: ronald@beekelaar.com

Work

Beekelaar Consultancy

Security consultancy

Forefront, IPSec, PKI

Virtualization consultancy

Create many VM-based labs and demos

Page 3:

Agenda

History – SSL VPN

SSL VPN Connections

Web

Non-Web

“VPN”

Portal / Applications

Endpoint Policies

Authentication / Authorization

Page 4:

A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management

[Forefront product family diagram: Edge; Client and Server OS; Server Applications]

Intelligent Application Gateway 2007

Page 5:

IAG - Appliance

Page 6:

IAG 2007

• Supports all Applications with SSL VPN
• Web – Client/Server – File Access
• Homegrown or 3rd party (Citrix, IBM, Lotus, SAP, PeopleSoft…)

• Designed for Managed and Unmanaged User Devices
• Automatic detection of user system, software, configuration
• Access policies according to device “security state”
• Delete temp files and data traces from unmanaged locations

• Drives Productivity with Application Intelligence
• Apply policy at granular App Feature levels
• Dynamically control application data for desired functionality
• SSO with multiple directories, protocols, and formats
• Fully customizable portal and user interface

Page 7:

Allow secure remote access from trusted and untrusted client computers

All connections over TCP port 443 (SSL)

Access starts through a Web Portal

Authenticates to AD

Contains list of applications

Click each application to access

Page 8:

Web Applications

Normally uses port 80/443

Browser-based

Port/socket forwarding

Normally uses non-web ports, but is tunneled in 443

ActiveX control - browser-based

Network Connector

All protocols and all ports, but tunneled in 443

Real "VPN" - client receives new IP address

Page 9:

IAG client components check client computer security settings

Client computer is called "endpoint"

Based on endpoint state, you define Endpoint Policies to allow:

Access to Web Portal
Example: Do not even ask for credentials on untrusted client computer

Access to certain applications on Web Portal
Example: Hide Network Connector option on untrusted client computer

Access to certain features of applications
Examples: Block SPS uploads; Disallow OWA attachment

Page 10:

A Little History

The Problem:

With the growing prevalence of internet connectivity, enterprises required platforms to provide remote access for employees, partners and customers in a secure way

The Solution?:

1st attempt: Dialup remote access proving too costly, limited user experience.

2nd attempt: Limited use of reverse proxies to publish web based applications.

3rd attempt: IPSec VPN makes leap for user remote access

IPSec VPN first developed for site to site connectivity.

Page 11:

[Diagram: remote client, ISA Server acting as reverse proxy, DNS Server and Web Server, with the request flow numbered 1 to 6]

Is the …

Request allowed?

Protocol allowed?

Destination allowed?

ISA Server calls this “Publishing”

Reverse Proxy

Page 12:

[Diagram: same reverse-proxy flow as on page 11]

Reverse Proxy

Publishes web apps for use from anywhere.

Handles pre-authentication, application filtering, SSL encryption at the edge.

However

Does not handle non-web (client/server) applications.

Does not scale when publishing numerous web applications.

Page 13:

IPSec VPN

Full network connectivity from authorized devices

Quarantine features available for non-compliant clients

Unmanaged clients have no access

However

Increasingly difficult to manage on a large scale given variety and complexity of IPSec clients

Blocked by (outgoing) firewalls

[Diagram: Remote User, Internet, ISA, Corpnet; IAS (RADIUS) and Active Directory; Quarantine network]

Page 14:

Terminal Services Solution

Built into Windows Server.

Expandable with 3rd party solutions (Citrix and others)

Offer a complete desktop user experience or integrated applications.

Centralized server-based solution.

Typically limited deployments given server computing requirements.

[Diagram: Central Location serving a Mobile Worker in an airport, a Branch Office and a Home Office]

Page 15:

A Little History - IPSec Dominates

Introduces following limitations:

Potential security exposure by extending network

Limited functionality from firewall/NAT’ed networks

Client grows to accommodate more security functionality (virus inspection, split tunneling control, etc.)

Client becomes difficult to roll out:

Requires administrative installation

Clashes with other IPSec and security software

Not very user friendly

Result:

Enterprises limit usage to “road warriors” and managed PCs

TCO is high and ROI limited

Page 16:

A Little History - SSL VPN is Born

Promises to offer similar functionality for:

Any user

Any location

Any application

Delivers on lower TCO

Introduces new security considerations as clients are now unmanaged.

First wave of development is focused on connectivity.

Current wave is focused on Application Intelligence.

Page 17:

SSL VPN - Building Blocks

SSL VPN solution comprised of:

Tunneling – Transferring web and non-web application traffic over SSL;

Client-Side Security – Security compliance check, cache cleaning, timeouts

Authentication – User directories (e.g. Active Directory), strong authentication support, Single-Sign-On

Authorization – Allow/Deny access to applications

Portal – User experience, GUI

[Diagram: SSL VPN Gateway building blocks. Client; Applications (Web, Simple TCP, Other non-Web); gateway layers: Portal, Authentication, Authorization, Tunneling, Security; Management]

Page 18:

SSL VPN Tunneling (3x)

Web applications

That’s easy – just uses HTTPS

Non-Web applications

Port/socket Forwarding

Uses SSL-Wrapper client component

Example: Terminal Server – tunnel RDP in HTTPS

Network Connector

Full Network Access

Uses Network Connection client component

Client gets additional IP address

[Diagram: breadth of locations. Endpoints from corporate laptop, home PC and customer/partner PC to Internet kiosk, mapped against the three tunneling methods Web Proxy, Port/Socket Forwarder and Network Connection; the “Anywhere” level]
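The port/socket forwarding described on this page and on page 8, shown as an added example that is not IAG's own code or wire format: several non-web TCP connections (here an RDP session) are carried as numbered channels inside one SSL session on port 443, and the gateway end only opens a channel to a destination that is actually published. The five-byte frame header, the channel flags and the host names are assumptions made for this example; the TLS layer is left out, since this byte stream is simply what travels inside the HTTPS connection.

```python
"""Added example (not IAG's own code or wire format): a port/socket
forwarder multiplexing several TCP connections over one tunnel.
Each local socket the client component accepts becomes a numbered channel;
the gateway end maps the channel to an internal destination and refuses
destinations that are not published.  Assumed frame layout:

    channel id (uint16) | flags (uint8) | payload length (uint16) | payload
"""
import struct
from dataclasses import dataclass, field

HEADER = struct.Struct("!HBH")            # channel, flags, payload length
FLAG_OPEN, FLAG_DATA, FLAG_CLOSE = 1, 2, 4


def encode_frame(channel, flags, payload=b""):
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(channel, flags, len(payload)) + payload


def decode_frames(buf):
    """Split a buffer into complete frames; return (frames, unconsumed tail)."""
    frames, off = [], 0
    while len(buf) - off >= HEADER.size:
        channel, flags, length = HEADER.unpack_from(buf, off)
        start = off + HEADER.size
        if len(buf) - start < length:
            break                        # partial frame: wait for more bytes
        frames.append((channel, flags, buf[start:start + length]))
        off = start + length
    return frames, buf[off:]


@dataclass
class GatewayDemux:
    """Gateway side of the tunnel: opens channels only to published hosts."""
    allowed: set                                   # {(host, port), ...}
    channels: dict = field(default_factory=dict)   # channel -> (host, port)
    delivered: list = field(default_factory=list)  # (host, port, payload)
    refused: list = field(default_factory=list)    # destinations turned away
    _pending: bytes = b""

    def feed(self, raw):
        """Consume bytes from the tunnel, keeping any partial frame for later."""
        frames, self._pending = decode_frames(self._pending + raw)
        for channel, flags, payload in frames:
            if flags & FLAG_OPEN:
                host, _, port = payload.decode().rpartition(":")
                dest = (host, int(port))
                if dest in self.allowed:
                    self.channels[channel] = dest
                else:
                    self.refused.append(dest)   # "destination allowed?" -> no
            elif flags & FLAG_DATA and channel in self.channels:
                host, port = self.channels[channel]
                self.delivered.append((host, port, payload))  # would be relayed
            elif flags & FLAG_CLOSE:
                self.channels.pop(channel, None)
        return len(self._pending)


def run_demo():
    """Client side builds a stream (constructed data); the gateway consumes it."""
    gateway = GatewayDemux(allowed={("ts.corp.example", 3389)})
    stream = (encode_frame(1, FLAG_OPEN, b"ts.corp.example:3389")   # published RDP host
              + encode_frame(1, FLAG_DATA, b"\x03\x00\x00\x13")     # RDP TPKT header bytes
              + encode_frame(2, FLAG_OPEN, b"dc.corp.example:445")  # not published
              + encode_frame(2, FLAG_DATA, b"SMB")                  # dropped: no channel
              + encode_frame(1, FLAG_CLOSE))
    cut = 36                                  # deliberately inside the third frame
    gateway.feed(stream[:cut])
    gateway.feed(stream[cut:])
    return gateway


if __name__ == "__main__":
    g = run_demo()
    print("delivered:", g.delivered)
    print("refused:", g.refused)
```

The point of the allow-list is that the tunnel does not turn the gateway into an open relay into the corporate network: a client that can reach the SSL endpoint still only gets to the hosts and ports that an administrator published as applications, which is what separates this mode from the Network Connector's full network access.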

Page 19:

Demo Environment

Page 20:

Application Protection

Access Policies

Allow/deny functions within application(e.g. SharePoint attachments Upload/Download based on endpoint compliance)

Application Firewall: Protecting the Application

Predefined positive logic rule sets

Single Sign On

Knowledge about required application login methods

Session Cleanup Agent

Clears application specific cache (e.g. SharePoint Offline folder)

Protecting the Network Session

Ignores background polling requests when calculating the inactivity timeout; adds a secure logoff button where the application has none
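As an added example (not the product's own code) of the decisions this page and the reverse-proxy slides on pages 11 and 12 describe, the following gateway handles one request at a time: is anything published on that host, does the request match a positive-logic rule for the application (anything unmatched is denied), and does the request count as user activity for the inactivity timeout. Host names, paths, the "/owa/poll" polling endpoint and the 600-second timeout are constructed for this example.

```python
"""Added example, not IAG's own code: per-request decisions of an
application-aware SSL VPN gateway (publishing check, positive-logic
application rules, session timeout that ignores background polling).
"""
import re
from dataclasses import dataclass, field


@dataclass
class PublishedApp:
    name: str
    rules: list                                      # (METHOD, compiled path regex)
    background: list = field(default_factory=list)   # polling paths, not user activity


# Published applications keyed by the public host name on the trunk (assumed values).
APPS = {
    "mail.xyz.example": PublishedApp(
        "OWA",
        rules=[("GET", re.compile(r"^/owa/[\w./-]*(?:\?.*)?$")),
               ("POST", re.compile(r"^/owa/(?:auth|send)(?:\?.*)?$"))],
        background=[re.compile(r"^/owa/poll(?:\?.*)?$")]),
    "portal.xyz.example": PublishedApp(
        "SharePoint",
        rules=[("GET", re.compile(r"^/sites/[\w-]+/[\w./-]*$"))]),
}
IDLE_TIMEOUT = 600   # seconds of real user inactivity before the session ends


def canonical(path):
    """Refuse paths that could escape the published tree before rule matching."""
    path_part = path.split("?", 1)[0]
    if not path_part.startswith("/") or "\\" in path_part or "%" in path_part:
        return False
    segments = path_part.split("/")[1:]
    return not any(s in (".", "..") for s in segments) and "" not in segments[:-1]


@dataclass
class Session:
    last_activity: float     # time of the last request that counted as activity
    ended: bool = False


class Gateway:
    def __init__(self, apps=APPS, idle_timeout=IDLE_TIMEOUT):
        self.apps, self.idle_timeout = apps, idle_timeout

    def handle(self, sess, now, host, method, path):
        """Decide one request: "expired", "unpublished", "blocked" or "ok"."""
        if sess.ended or now - sess.last_activity > self.idle_timeout:
            sess.ended = True
            return "expired"              # user goes back to the logon page
        app = self.apps.get(host.lower())
        if app is None:
            return "unpublished"          # nothing is published on that host
        if not canonical(path) or not any(
                m == method and rx.match(path) for m, rx in app.rules):
            return "blocked"              # positive logic: unmatched means denied
        if not any(rx.match(path) for rx in app.background):
            sess.last_activity = now      # only real user activity resets the timer
        return "ok"


if __name__ == "__main__":
    gw, s = Gateway(), Session(last_activity=0)
    for now, host, method, path in [
            (100, "mail.xyz.example", "GET", "/owa/"),
            (150, "mail.xyz.example", "GET", "/owa/../../winnt/win.ini"),
            (400, "mail.xyz.example", "GET", "/owa/poll?x=1"),
            (800, "mail.xyz.example", "GET", "/owa/poll?x=1")]:
        print(now, method, path, "->", gw.handle(s, now, host, method, path))
```

Two details matter in practice: the path is checked for traversal and encoding tricks before any allow rule is consulted, because a positive rule written as a regex is only as good as the canonical form it sees; and a browser left open on an inbox keeps polling, so a timeout that counts those requests as activity never fires, which is exactly the unattended-kiosk case the session protection is meant to close.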

Page 21:

Endpoint Policies

Endpoint detection checks the health of the client computer; two kinds of policy are evaluated against the result:

Session policy

Endpoint certification

Privileged endpoint

Application policy

Access to applications (hide or disable on portal)

Access to functionality within applications

Example: Block SharePoint upload from unsafe client

Page 22:

[Diagram: application-aware SSL VPN Gateway platform]

Client

Gateway layers: Authentication, Authorization, User Experience, Tunneling, Security

High-Availability, Management, Logging, Reporting, Multiple Portals

Applications Knowledge Center: OWA, Citrix, SharePoint

Devices Knowledge Center: PDA, Linux, Windows, Mac

Specific Applications: Web, Client/Server, Browser Embedded (Exchange/Outlook, OWA, SharePoint, Citrix)

Generic Applications

Application Aware Modules

• Application Aware Platform
• Application Definition Syntax/Language
• Application Modules

Endpoint detection and application intelligence

Page 23:

Endpoint Detection

Out of the box support for over 70 variables of detection including:

Antivirus

Antimalware

Personal Firewall

Desktop Search/Index Utilities

And much more…

Easy to configure GUI that allows simple management of policies.

Extended GUI for manual editing and modification of policies.

Leverage Windows Shell Scripting to create *any* policy and inspect for *any* client side variable.

Page 24:

Attachment Wiper

Clears the browser’s cache upon session termination

Process does not require user initiation

Optimizers integrate logic to identify and scrub custom caches

Supports custom scripts for custom file cleaning

Removes

Downloaded files and pages

Cookies

AutoComplete form contents

History information

AutoComplete URLs

Any user credentials

Triggers

User logoff

Browser crash

Inactivity timeout

Browser closure

Scheduled logoff

System shutdown

Security Policy

Allows for “Can’t Wipe – Can’t Download” policy

Allows fall back policy to “no-cache” tag mechanism
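The endpoint policies of pages 9, 21 and 23 and the "Can't Wipe – Can't Download" rule above, as an added example that is not IAG's own policy language or detection code: a small engine evaluates boolean policy expressions over the variables client detection reported and produces the session, application and feature decisions. Variable names, policy names, the rules and the three sample endpoints are assumptions made for this example.

```python
"""Added example, not IAG's own code: evaluating endpoint policies over
detected client variables to get session, application and feature
decisions.  Policies may reference detected variables or other policies.
"""
import ast
import operator

_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Gt: operator.gt,
        ast.GtE: operator.ge, ast.Lt: operator.lt, ast.LtE: operator.le}

POLICIES = {
    # session policy: may this endpoint see the logon form at all?
    "session": "antivirus_running and firewall_on",
    # endpoint certification: fresh signatures, no indexer capturing downloads
    "certified": "session and antivirus_signature_age_days <= 7 "
                 "and not desktop_search_running",
    # privileged endpoint: a managed corporate machine
    "privileged": "certified and domain_joined and client_os == 'Windows'",
    # application policy: Network Connector is offered to privileged endpoints only
    "app_network_connector": "privileged",
    # feature policies
    "sharepoint_upload": "privileged",
    # "can't wipe, can't download": no Attachment Wiper means no download
    "sharepoint_download": "certified and wiper_available",
    "owa_attachments": "sharepoint_download",
}


class _Undetected(Exception):
    """A policy referenced a variable detection did not report."""


class PolicyEngine:
    """Evaluates boolean policy expressions over detected endpoint variables.

    Only and/or/not, comparisons, names and literals are accepted; calls,
    attribute access and subscripts raise ValueError, so a policy file can
    never turn into code execution on the gateway.  A policy that needs a
    variable detection did not report fails closed (evaluates to False).
    """

    def __init__(self, policies):
        self.policies = {name: ast.parse(src, mode="eval").body
                         for name, src in policies.items()}

    def check(self, name, endpoint, _stack=()):
        if name in _stack:
            raise ValueError(f"policy cycle through {name!r}")
        try:
            return bool(self._eval(self.policies[name], endpoint, _stack + (name,)))
        except _Undetected:
            return False

    def decide(self, endpoint):
        """Every policy decision for one endpoint, keyed by policy name."""
        return {name: self.check(name, endpoint) for name in self.policies}

    def _eval(self, node, env, stack):
        if isinstance(node, ast.BoolOp):
            combine = all if isinstance(node.op, ast.And) else any
            return combine(self._eval(v, env, stack) for v in node.values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not self._eval(node.operand, env, stack)
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            op = _CMP.get(type(node.ops[0]))
            if op is None:
                raise ValueError("unsupported comparison in policy")
            return op(self._eval(node.left, env, stack),
                      self._eval(node.comparators[0], env, stack))
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in env:
                return env[node.id]
            if node.id in self.policies:
                return self.check(node.id, env, stack)
            raise _Undetected(node.id)
        raise ValueError(f"disallowed construct in policy: {type(node).__name__}")


# Constructed detection results for three kinds of client computer.
CORPORATE_LAPTOP = {"antivirus_running": True, "antivirus_signature_age_days": 1,
                    "firewall_on": True, "desktop_search_running": False,
                    "domain_joined": True, "client_os": "Windows",
                    "wiper_available": True}
HOME_PC = dict(CORPORATE_LAPTOP, domain_joined=False)
KIOSK = {"antivirus_running": False, "firewall_on": False, "client_os": "Windows"}

if __name__ == "__main__":
    engine = PolicyEngine(POLICIES)
    for label, ep in (("corporate laptop", CORPORATE_LAPTOP),
                      ("home PC", HOME_PC), ("kiosk", KIOSK)):
        print(label, engine.decide(ep))
```

Two design choices are worth copying whatever the real policy syntax is: a variable the detection component could not report makes the whole policy false rather than silently defaulting, so a kiosk with no antivirus product at all is treated like one with antivirus switched off; and the expression language is deliberately not a general scripting language, since policy files are administrator-edited text that the gateway evaluates on every logon.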

Page 25:

Security Concerns

Authentication – Who are you?

Strong Authentication – Are you really him/her?

Authorization – What can you access?

Transport Security – Can they hear?

Application Security – Should you be doing that?

End Point Security – From there?

Information Safeguard – Should this be left around?

Session Security – How long can you do this for?

Page 26:

Single Sign-On

No need for directory replication or repetition

Alternative approaches require local repository

Transparent Web authentication

HTTP 401 request

Static Web form

Dynamic browser-sensitive Web form

Integrates with …

Password change management

User repositories
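The two transparent web authentication cases named above, as an added example that is not IAG's SSO module: on an HTTP 401 challenge the gateway retries the request with the user's portal credentials in an Authorization header, and on a static logon form it fills the configured username and password fields and submits the form, carrying the form's hidden fields along. The field names, URLs, headers and HTML below are constructed for this example; the dynamic, browser-sensitive form case is not covered.

```python
"""Added example, not IAG's own code: replaying portal credentials to a
back-end application for the HTTP 401 and static-form SSO cases.
"""
import base64
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin


def basic_replay(status, headers, username, password):
    """Authorization header to retry a 401 with, or None if not applicable."""
    if status != 401:
        return None
    challenge = headers.get("WWW-Authenticate", "")
    if not challenge.lower().startswith("basic"):
        return None      # NTLM/Negotiate need a different mechanism (KCD in SP1)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


class _FormParser(HTMLParser):
    """Collects every form with its action, method and input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").upper(),
                             "fields": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_replay(page_url, html, user_field, pass_field, username, password):
    """Locate the logon form and return (method, absolute url, urlencoded body)."""
    parser = _FormParser()
    parser.feed(html)
    for form in parser.forms:
        if user_field in form["fields"] and pass_field in form["fields"]:
            fields = dict(form["fields"])          # keep hidden fields (tokens)
            fields[user_field], fields[pass_field] = username, password
            return form["method"], urljoin(page_url, form["action"]), urlencode(fields)
    return None                                    # no logon form on this page


# Constructed back-end responses.
CHALLENGE_HEADERS = {"WWW-Authenticate": 'Basic realm="intranet"'}
LOGON_PAGE = """<html><body>
<form method="post" action="/logon.aspx">
  <input type="hidden" name="token" value="abc123">
  Username: <input type="text" name="user">
  Password: <input type="password" name="pwd">
  <input type="submit" name="go" value="Log on">
</form></body></html>"""

if __name__ == "__main__":
    print(basic_replay(401, CHALLENGE_HEADERS, "alice", "s3cret"))
    print(form_replay("https://sps.corp.example/sites/hr/", LOGON_PAGE,
                      "user", "pwd", "alice", "s3cret"))
```

Either way the credential replay only works because the gateway already holds the user's password from the portal logon; the slide's point that no directory replication is needed follows from that, and it is also why the gateway's own session store is the sensitive asset to protect in this design.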

Page 27:

User Specific Portal

Manages access of employees, partners & customers from anywhere to corporate business applications

More than one Portal page can be published per appliance

Each is based on a unique IP and host name

Each can present a completely unique user experience; including look and feel, applications, authentication and authorization

Extends the business beyond the borders of the network

Implements corporate policies without weakening security

Leveraging existing investments in software infrastructure and applications

Ensures maximum functionality based on endpoint profile

Based on SSL VPN access platform

Leverages the Web browser to allow universal access

Provides a broad range of connectivity options

[Diagram: four portals published from one appliance]

support.xyz.com – IT Support Center, for IT Support (Username, Password, Token)

portal.xyz.com – Employee Portal, for Employees (Username, Password, Token)

extranet.xyz.com – Partner Extranet, for Partners (Username, Password)

shopping.xyz.com – e-Commerce, for Customers (Username, Password)

Page 28:

How to Setup

Setup appliance

Create trunk

Add applications

Define endpoint policies

Customize

Page 29:

Setup Appliance

Unpack appliance and put into rack

Attach external and internal network

Define IP and DNS settings

Add routes to internal network if needed

Define ISA "Internal" network

Join domain if needed

Required for Kerberos Constrained Delegation (SP1)

Page 30:

Create Trunk

Create trunk (= Web portal)

Define IP address for Trunk

Configure authentication server

Import certificate for each trunk

Create "redirect" trunk (= http to https)

Page 31:

Add Applications

Add applications

OWA

SharePoint

RDP

VPN (network connector)

Test access

Page 32:

Define Policies

Define endpoint policies

Assign to access and functions

Test access

Page 33:

Customize

Customize look and feel

Change colors

Change text on portal

Or...

Create advanced endpoint policies

Define custom authentication

Etc...

Page 34: