Ronald Beekelaar, Beekelaar Consultancy, [email protected]: Intelligent Application Gateway (IAG)...
Post on 19-Dec-2015

Introductions
Presenter – Ronald Beekelaar
MVP Windows Security
MVP Virtual Machine Technology
E-mail: [email protected]
Work
Beekelaar Consultancy
Security consultancy: Forefront, IPSec, PKI
Virtualization consultancy: creates many VM-based labs and demos

Agenda
History – SSL VPN
SSL VPN Connections
Web
Non-Web
“VPN”
Portal / Applications
Endpoint Policies
Authentication / Authorization

A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management
[Diagram: product areas – Edge, Client and Server OS, Server Applications]
Intelligent Application Gateway 2007

IAG - Appliance

IAG 2007
• Supports all applications with SSL VPN
  • Web – client/server – file access
  • Homegrown or 3rd party (Citrix, IBM, Lotus, SAP, PeopleSoft…)
• Designed for managed and unmanaged user devices
  • Automatic detection of user system, software, configuration
  • Access policies according to device “security state”
  • Delete temp files and data traces from unmanaged locations
• Drives productivity with application intelligence
  • Apply policy at granular app feature levels
  • Dynamically control application data for desired functionality
  • SSO with multiple directories, protocols, and formats
  • Fully customizable portal and user interface

Allow secure remote access from trusted and untrusted client computers
All connections over TCP port 443 (SSL)
Access starts through a Web Portal
Authenticates to AD
Contains list of applications
Click each application to access

Web Applications
  Normally uses port 80/443
  Browser-based
Port/socket forwarding
  Normally uses non-web ports, but is tunneled in 443
  ActiveX control – browser-based
Network Connector
  All protocols and all ports, but tunneled in 443
  Real "VPN" – client receives new IP address

IAG client components check client computer security settings
Client computer is called "endpoint"
Based on endpoint state, you define Endpoint Policies to allow:
Access to Web Portal
  Example: do not even ask for credentials on an untrusted client computer
Access to certain applications on Web Portal
  Example: hide Network Connector option on an untrusted client computer
Access to certain features of applications
  Examples: block SPS uploads; disallow OWA attachments

A Little History
The Problem:
With the growing prevalence of Internet connectivity, enterprises required platforms to provide remote access for employees, partners and customers in a secure way
The Solution?:
1st attempt: Dialup remote access, proving too costly with a limited user experience.
2nd attempt: Limited use of reverse proxies to publish web based applications.
3rd attempt: IPSec VPN makes the leap to user remote access
IPSec VPN was first developed for site-to-site connectivity.

Reverse Proxy
[Diagram: Web Server, DNS Server, ISA Server; numbered request flow 1–6]
Is the …
Request allowed?
Protocol allowed?
Destination allowed?
ISA Server calls this “Publishing”

Reverse Proxy
[Diagram: Web Server, DNS Server, ISA Server; numbered request flow 1–6]
Publishes web apps for use from anywhere.
Handles pre-authentication, application filtering, SSL encryption at the edge.
However
Does not handle non-web (client/server) applications.
Does not scale when publishing numerous web applications.

IPSec VPN
[Diagram: Remote User → Internet → ISA → Corpnet, with IAS/RADIUS, Active Directory and a Quarantine network]
Full network connectivity from authorized devices
Quarantine features available for non-compliant clients
Unmanaged clients have no access
However
Increasingly difficult to manage on a large scale given variety and complexity of IPSec clients
Blocked by (outgoing) firewalls

Terminal Services Solution
Built into Windows Server.
Expandable with 3rd party solutions (Citrix and others)
Offer a complete desktop user experience or integrated applications.
Centralized server-based solution.
Typically limited deployments given server computing requirements.
[Diagram: Central Location serving Mobile Worker (in airport), Branch Office, Home Office]

A Little History - IPSec Dominates
Introduces the following limitations:
Potential security exposure by extending network
Limited functionality from firewall/NAT’ed networks
Client grows to accommodate more security functionality (virus inspection, split tunneling control, etc.)
Client becomes difficult to roll out:
Requires administrative installation
Clashes with other IPSec and security software
Not very user friendly
Result:
Enterprises limit usage to “road warriors” and managed PCs
TCO is high and ROI limited

A Little History - SSL VPN is Born
Promises to offer similar functionality for:
Any user
Any location
Any application
Delivers on lower TCO
Introduces new security considerations as clients are now unmanaged.
First wave of development is focused on connectivity.
Current wave is focused on Application Intelligence.

SSL VPN - Building Blocks
SSL VPN solution comprised of:
Tunneling – Transferring web and non-web application traffic over SSL
Client-Side Security – Security compliance check, cache cleaning, timeouts
Authentication – User directories (e.g. Active Directory), strong authentication support, Single-Sign-On
Authorization – Allow/Deny access to applications
Portal – User experience, GUI
[Diagram: SSL VPN Gateway between Client and Applications (Web, Simple TCP, Other non-Web); gateway layers: Management, Authentication, Authorization, Portal, Tunneling, Security]

SSL VPN Tunneling (3x)
Web applications
  That’s easy – just uses HTTPS
Non-Web applications
  Port/socket Forwarding
    Uses SSL-Wrapper client component
    Example: Terminal Server – tunnel RDP in HTTPS
  Network Connector
    Full Network Access
    Uses Network Connection client component
    Client gets additional IP address
[Diagram: Breadth of Locations – Web Proxy, Port/Socket Forwarder and Network Connection plotted against Corporate laptop, Home PC, Customer/Partner PC and Internet kiosk (the “Anywhere” level)]

Demo Environment

Application Protection
Access Policies
  Allow/deny functions within application (e.g. SharePoint attachment upload/download based on endpoint compliance)
Application Firewall: Protecting the Application
  Predefined positive logic rule sets
Single Sign On
  Knowledge about required application login methods
Session Cleanup Agent
  Clears application specific cache (e.g. SharePoint Offline folder)
Protecting the Network Session
  Ignore background polling commands for timeout calculation; adds secure logoff button where absent
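The timeout rule on this slide, as an added example (not IAG code): a gateway that counts a browser's automatic polling as user activity never expires an abandoned session, so only real requests may reset the idle timer. The request paths, the 600-second timeout and the polling pattern are constructed for the example.

```python
"""Idle-timeout tracking that ignores background polling (added example, not IAG code).

Models the 'ignore background polling command for timeout calculation' behaviour.
The paths, timeout value and polling pattern below are constructed for the example."""
import re
from dataclasses import dataclass

IDLE_TIMEOUT = 600  # seconds without real user activity before the session ends (assumed)

# Constructed pattern for requests a web mail client issues on its own (new-mail polling).
# If these counted as activity, an abandoned browser would keep the session alive forever.
BACKGROUND_POLL = re.compile(r"/poll(\?|$)")


@dataclass
class Session:
    user: str
    last_activity: float       # time of the last request that counted as user activity
    ignore_polls: bool = True  # False reproduces a naive gateway, for comparison


def handle_request(session: Session, path: str, now: float) -> str:
    """Classify one request as 'expired', 'poll' or 'active'; only 'active' resets the idle timer."""
    if now - session.last_activity >= IDLE_TIMEOUT:
        return "expired"
    if session.ignore_polls and BACKGROUND_POLL.search(path):
        return "poll"
    session.last_activity = now
    return "active"


def replay(trace, ignore_polls: bool = True) -> list:
    """Replay (seconds_since_logon, path) pairs against a fresh session and return the outcomes."""
    session = Session("alice", last_activity=0.0, ignore_polls=ignore_polls)
    return [handle_request(session, path, float(t)) for t, path in trace]


# Constructed trace: the user opens the inbox once and walks away; the browser keeps
# polling for new mail every 60 seconds for 30 minutes.
TRACE = [(0, "/mail/inbox")] + [(t, "/mail/poll?folder=inbox") for t in range(60, 1801, 60)]

if __name__ == "__main__":
    print(replay(TRACE)[-1])         # expired
    print(replay(TRACE, False)[-1])  # active: polling kept the naive session alive
```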

Endpoint Policies
Checks the health of the endpoint
Session policy
  Endpoint certification
  Privileged endpoint
Application policy
  Access to applications (hide or disable on portal)
  Access to functionality within applications
  Example: Block SharePoint upload from unsafe client
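The three policy layers described on this slide and on the earlier endpoint slide, as an added example (not IAG code): the session policy decides whether the logon form is shown at all, the application policy which applications appear on the portal, and the feature policy which functions inside an application are allowed. The endpoint variables, trust classes and concrete rules are assumptions made for the example.

```python
"""Layered endpoint policies: session -> application -> feature (added example, not IAG code).
Endpoint variables, trust classes and the allow/deny rules are constructed to illustrate the model."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    domain_joined: bool         # managed corporate device
    antivirus_running: bool
    antivirus_up_to_date: bool
    personal_firewall: bool
    attachment_wiper: bool      # cache-cleaning client component present

def endpoint_class(ep: Endpoint) -> str:
    """Reduce the detected variables to 'privileged', 'untrusted' or 'unsafe'."""
    if not ep.antivirus_running:
        return "unsafe"
    if ep.domain_joined and ep.antivirus_up_to_date and ep.personal_firewall:
        return "privileged"
    return "untrusted"

def session_allowed(ep: Endpoint) -> bool:
    """Session policy: an unsafe endpoint is not even shown the logon form."""
    return endpoint_class(ep) != "unsafe"

# Application policy: which trust classes see each application on the portal.
APPLICATION_POLICY = {
    "OWA": {"privileged", "untrusted"},
    "SharePoint": {"privileged", "untrusted"},
    "RDP": {"privileged", "untrusted"},
    "Network Connector": {"privileged"},  # full network access only from managed devices
}

def visible_applications(ep: Endpoint) -> list:
    """Applications the portal lists for this endpoint; nothing without a session."""
    if not session_allowed(ep):
        return []
    cls = endpoint_class(ep)
    return [app for app, classes in APPLICATION_POLICY.items() if cls in classes]

def feature_allowed(ep: Endpoint, app: str, feature: str) -> bool:
    """Feature policy: allow or deny one function inside an application the endpoint can see."""
    if app not in visible_applications(ep):
        return False
    if (app, feature) in {("SharePoint", "upload"), ("OWA", "attachment")}:
        return endpoint_class(ep) == "privileged"  # no uploads/attachments from untrusted clients
    if feature == "download":
        return ep.attachment_wiper  # "Can't Wipe - Can't Download"
    return True
```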

Endpoint detection and application intelligence
[Diagram: SSL VPN Gateway platform – Client; High-Availability, Management, Logging, Reporting, Multiple Portals; layers Authentication, Authorization, User Experience, Tunneling, Security; Applications Knowledge Center (OWA, Citrix, SharePoint); Devices Knowledge Center (PDA, Linux, Windows, Mac); Application Aware Modules for Specific Applications (Web, Client/Server, Browser Embedded: Exchange/Outlook, OWA, SharePoint, Citrix) and Generic Applications]
• Application Aware Platform
• Application Definition Syntax/Language
• Application Modules

Endpoint Detection
Out of the box support for over 70 variables of detection including:
Antivirus
Antimalware
Personal Firewall
Desktop Search/Index Utilities
And much more…
Easy to configure GUI that allows simple management of policies.
Extended GUI for manual editing and modification of policies.
Leverage Windows Shell Scripting to create *any* policy and inspect for *any* client side variable.

Attachment Wiper
Clears the browser’s cache upon session termination
Process does not require user initiation
Optimizers integrate logic to identify and scrub custom caches
Supports custom scripts for custom file cleaning
Removes
  Downloaded files and pages
  Cookies
  AutoComplete form contents
  History information
  AutoComplete URLs
  Any user credentials
Triggers
  User logoff
  Browser crash
  Inactivity timeout
  Browser closure
  Scheduled logoff
  System shutdown
Security Policy
  Allows for “Can’t Wipe – Can’t Download” policy
  Allows fall back policy to “no-cache” tag mechanism

Security Concerns
Authentication – Who are you?
Strong Authentication – Are you really him/her?
Authorization – What can you access?
Transport Security – Can they hear?
Application Security – Should you be doing that?
End Point Security – From there?
Information Safeguard – Should this be left around?
Session Security – How long can you do this for?

Single Sign-On
No need for directory replication or repetition
Alternative approaches require local repository
Transparent Web authentication
HTTP 401 request
Static Web form
Dynamic browser-sensitive Web form
Integrates with …
Password change management
User repositories

User Specific Portal
Manages access of employees, partners & customers from anywhere to corporate business applications
More than one Portal page can be published per appliance
Each is based on a unique IP and host name
Each can present a completely unique user experience, including look and feel, applications, authentication and authorization
Extends the business beyond the borders of the network
Implements corporate policies without weakening security
Leverages existing investments in software infrastructure and applications
Ensures maximum functionality based on endpoint profile
Based on SSL VPN access platform
Leverages the Web browser to allow universal access
Provides a broad range of connectivity options
[Diagram: four portals on one appliance – IT Support Center (support.xyz.com: username, password, token) for IT Support; Employee Portal (portal.xyz.com: username, password, token) for Employees; Partner Extranet (extranet.xyz.com: username, password) for Partners; e-Commerce (shopping.xyz.com: username, password) for Customers]

How to Setup
Setup appliance
Create trunk
Add applications
Define endpoint policies
Customize

Setup Appliance
Unpack appliance and put into rack
Attach external and internal network
Define IP and DNS settings
Add routes to internal network if needed
Define ISA "Internal" network
Join domain if needed
Required for Kerberos Constrained Delegation (SP1)

Create Trunk
Create trunk (= Web portal)
Define IP address for Trunk
Configure authentication server
Import certificate for each trunk
Create "redirect" trunk (= http to https)

Add Applications
Add applications
OWA
SharePoint
RDP
VPN (network connector)
Test access

Define Policies
Define endpoint policies
Assign to access and functions
Test access

Customize
Customize look and feel
Change colors
Change text on portal
Or...
Create advanced endpoint policies
Define custom authentication
Etc...