Post on 19-Dec-2015
ISSA Presentation
Agenda
• Remote Access Evolution
• SSL VPN Drivers
• Why SSL VPNs
• Basic Deployment
• Security vs. IPSec
• The New Security Concerns
• Addressing the Concerns
• What to Look for in a Vendor
The Evolution of Remote Access
Then | Now
A service for a select few | A must-have utility for all
Cost center | Productivity lever
Best-effort performance and up-time | Always up, high performing
Carrier-based | Network independent
Anywhere there’s a phone line | Anywhere
The Evolution of Remote Access
Then | Now
A PC you support | Any PC
Static passwords | One-time passwords
Dial-back modems | Device profiling
What’s a virus? | Must address all malicious code
“They have the Internet on computers?”
“I know more about this than you do.”
Remote user populations shown on the slide: Day Extenders, Extranet Users, Home Office Users, Traveling Employees, Kiosk Users, Wireless LAN Users, Pocket PC Users
The Shift to SSL VPNs
• Enterprises are seeing a new kind of remote access:
• Harder to manage: Access from devices outside of IT’s control
• Demanded by more users: Broader employee access, partner access
• New devices and access points: Wireless hotspots, airport kiosks, home PCs
The Shift to SSL VPNs
• SSL Addresses the Emerging Demands
• Impervious to NAT
• Leverages a commonly open port (443)
• Indifferent to type of network
• Does not require a client
• Supports broad application types
• Easier to support and deploy
• Intuitive User Experience
Basic SSL VPN Deployment
• SSL VPN tied to authentication system, DNS and applications
• Presents web resources and available shares as links to the user
• Authenticates users, encrypts traffic to the end node, applies granular ACLs to the user’s traffic, and produces a detailed audit trail
• All traffic goes over port 443, regardless of original protocol
• Uses browser-deployed agent to handle C/S applications
Like an IPSec VPN, the SSL VPN is the point of security enforcement for in-bound users.
[Diagram: SSL VPN appliance in the DMZ, in front of the applications and directories]
• Internal resources behind the SSL VPN: Web Apps, Client/Server Apps, Legacy Apps, File Shares, Databases, Terminal Services, Mainframes
• Encrypted, authenticated, and authorized traffic via the Internet from: Corporate Laptops, Wireless Hotspots, PDAs, Home PCs, Kiosks, Partner Extranets
Security vs. IPSec
Security Category | Result of moving to SSL VPN from IPSec
Encryption | No change
Authentication | No change or improved
Access Control | Improved
Perimeter Profile | Improved
Logging and Forensics | Improved
Web Security | Improved
End-Point Security | Improved
The New Security Concerns
• Access from unmanaged locations
• Sensitive data inadvertently left on device
• Sensitive data intentionally captured
• Sensitive data saved by legitimate user
• Unmanaged device is virus vector
• Unmanaged device can be hijacked
• Device Anonymity
• Difficult to tell provisioned devices from others
• Access Modulation
• Authenticating the user alone is not enough to determine the appropriate level of access.
How the Threats Get Addressed
• Sensitive Data Inadvertently Left Behind
• Cache Clearing Technology
• Session File Encryption and Deletion
• Data Captured (Spyware, Keystroke Logger)
• Pre-auth Spyware Scan
• WholeSecurity, Zone Labs, Sygate
• Data Saved by Legitimate User
• Session File Encryption and Deletion
• Restrict Location for Certain Groups
How the Threats Get Addressed
• SSL VPN End-Point is Virus Vector
• A/V and PFW Policy Enforcement Built into SSL VPN
• Adjust ACLs when A/V is absent or not updated
• Remediate workstation when appropriate
• Deny connection in extreme cases
How the Threats Get Addressed
• Device Anonymity
• Restrict Source Domain
• Scan Device and Registry to Identify:
• Domain Membership
• O/S
• Search for Secret File
• Look for Watermark
• Use Digital Certificate
• Restrict by O/S
How the Threats Get Addressed
• Access Modulation
• Create “3-D” Security Policy
• User
• Device
• Location
• Adjust ACLs On-The-Fly Based on Combination of Factors
Device Profile: IT-Managed (Trusted Device)
• Checks: Application/Process, Directory/File, Registry key, Windows domain, Anti-Virus, Personal Firewall, Aventail Cache Control, Aventail Secure Desktop
• Windows domain: in.xyz.seattle.com or in.xyz.phoenix.com
• Anti-Virus: Norton AV
• Personal Firewall: Sygate
• Data Protection
Device Profile: Home Machine (Semi-Trusted Device)
• Checks: Application/Process, Directory/File, Registry key, Windows domain, Anti-Virus, Personal Firewall, Aventail Cache Control, Aventail Secure Desktop
• Registry key: …HKEY_LOCAL_MACHINE\SW\Symantec\SharedDefs
• Anti-Virus: Norton AV
• Personal Firewall: Sygate or Zone
Device Profile: Un-Trusted Device
• Checks: Application/Process, Directory/File, Registry key, Windows domain, Anti-Virus, Personal Firewall, Aventail Cache Control, Aventail Secure Desktop
• Data Protection
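The "3-D" policy described in the slides above (user, device and location combined, with ACLs adjusted on the fly when A/V is absent or stale, remediation where appropriate, and denial in extreme cases) can be sketched as a small policy engine. The code below is an added example written for this page; it is not Aventail's code and does not reflect any vendor's actual implementation. The domain names, A/V and firewall product names, group names, ACL sets and definition-age threshold are constructed placeholders, and the registry watermark constant is an assumed stand-in for the truncated path on the slide. Real device posture would come from the pre-auth scan; here it is passed in as data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Constructed sample policy values (placeholders, not real infrastructure).
MANAGED_DOMAINS = {"in.xyz.seattle.com", "in.xyz.phoenix.com"}
APPROVED_AV = {"Norton AV"}
APPROVED_PFW = {"Sygate", "Zone"}
# Assumed stand-in for the registry watermark checked on home machines.
WATERMARK_KEY = r"HKEY_LOCAL_MACHINE\SW\Symantec\SharedDefs"
MAX_DEF_AGE = timedelta(days=7)              # older A/V definitions count as "not updated"
GROUPS_NEEDING_TRUSTED_DEVICE = {"finance"}  # "Restrict Location for Certain Groups"

# ACL set granted to a session in each trust tier (constructed resource names).
ACLS = {
    "trusted": {"web_apps", "client_server_apps", "file_shares", "databases", "terminal_services"},
    "semi_trusted": {"web_apps", "webmail", "terminal_services"},
    "untrusted": {"webmail"},
    "deny": set(),
}

@dataclass
class Device:
    """Result of the pre-auth device scan (constructed posture data)."""
    windows_domain: Optional[str] = None
    av_product: Optional[str] = None
    av_defs_date: Optional[date] = None
    personal_firewall: Optional[str] = None
    registry_keys: Set[str] = field(default_factory=set)
    cache_control: bool = False   # cache-clearing agent present
    secure_desktop: bool = False  # session file encryption/deletion present

@dataclass
class Request:
    user: str
    groups: Set[str]
    two_factor: bool
    device: Device
    location: str  # "office", "home" or "kiosk"

@dataclass
class Decision:
    tier: str
    acls: Set[str]
    remediate: bool
    reasons: List[str]

def av_current(dev: Device, today: date) -> bool:
    """Approved A/V product with definitions no older than MAX_DEF_AGE."""
    return (dev.av_product in APPROVED_AV
            and dev.av_defs_date is not None
            and today - dev.av_defs_date <= MAX_DEF_AGE)

def classify_device(dev: Device, today: date) -> str:
    """Device dimension: IT-managed, watermarked home machine, or unknown."""
    av_ok = av_current(dev, today)
    pfw_ok = dev.personal_firewall in APPROVED_PFW
    if (dev.windows_domain in MANAGED_DOMAINS and av_ok and pfw_ok
            and dev.cache_control and dev.secure_desktop):
        return "trusted"
    if WATERMARK_KEY in dev.registry_keys and av_ok and pfw_ok and dev.cache_control:
        return "semi_trusted"
    return "untrusted"

def decide(req: Request, today: date) -> Decision:
    """Combine user, device and location into a tier, an ACL set and reasons."""
    if not req.two_factor:
        return Decision("deny", set(), False, ["two-factor authentication required"])
    dev = req.device
    # Extreme case: a managed machine reporting no A/V at all is refused outright.
    if dev.windows_domain in MANAGED_DOMAINS and dev.av_product is None:
        return Decision("deny", set(), False, ["managed device without A/V: deny"])
    tier = classify_device(dev, today)
    reasons = [f"device profile: {tier}"]
    # Location dimension: a kiosk never gets more than untrusted access.
    if req.location == "kiosk" and tier != "untrusted":
        tier = "untrusted"
        reasons.append("kiosk location caps access at untrusted")
    # User dimension: some groups may only work from a trusted device.
    if req.groups & GROUPS_NEEDING_TRUSTED_DEVICE and tier != "trusted":
        reasons.append("group requires trusted device")
        return Decision("deny", set(), False, reasons)
    # A managed machine with stale A/V keeps reduced ACLs and is sent to remediation.
    remediate = dev.windows_domain in MANAGED_DOMAINS and not av_current(dev, today)
    if remediate:
        reasons.append("A/V absent or not updated: remediate")
    return Decision(tier, set(ACLS[tier]), remediate, reasons)

# Constructed sample devices, evaluated against a fixed "today".
TODAY = date(2015, 12, 19)
MANAGED_LAPTOP = Device("in.xyz.seattle.com", "Norton AV", TODAY - timedelta(days=1), "Sygate", set(), True, True)
HOME_PC = Device(None, "Norton AV", TODAY - timedelta(days=2), "Zone", {WATERMARK_KEY}, True, False)
STALE_LAPTOP = Device("in.xyz.phoenix.com", "Norton AV", TODAY - timedelta(days=30), "Sygate", set(), True, True)
KIOSK = Device()

if __name__ == "__main__":
    for who, groups, dev, where in [("alice", {"staff"}, MANAGED_LAPTOP, "home"),
                                    ("alice", {"staff"}, MANAGED_LAPTOP, "kiosk"),
                                    ("bob", {"staff"}, HOME_PC, "home"),
                                    ("carol", {"staff"}, STALE_LAPTOP, "office"),
                                    ("dan", {"finance"}, HOME_PC, "home")]:
        print(who, where, decide(Request(who, groups, True, dev, where), TODAY))
```

The same IT-managed laptop lands in different tiers depending on where it connects from, and a watermarked home PC is admitted to a middle tier rather than being treated as either fully trusted or anonymous; that is the access modulation the slides argue authentication alone cannot provide.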
What to Deploy with SSL VPN
• Strong (True Two-Factor) Authentication
• Dynamic A/V and Malware Scanning
• Updated Acceptable Use Policy for Employees and Partners
• Web-Based Mail
• Logical Directory Groups
What to Look for in a Vendor
• Appropriate Scale
• Application Support
• Multiplatform Support
• Support for 3-D Security Model
• Device Scanning (Pre-Auth)
• End-Point Data Protection
• Cache Clearing
• Data Encryption and Deletion
• Application Detection
Thank You
Scott [email protected]
PDF Files / Resources
• Aventail SSL VPN Technical Primer US
• Aventail Ex-Family Product DataSheet
• Aventail IPSec VPN vs SSL VPN WP-A4
• Aventail End Point Control White Paper