ISSA Presentation

ISSA Presentation. Agenda Remote Access Evolution SSL VPN Drivers Why SSL VPNs Basic Deployment Security vs. IPSec The New Security Concerns Addressing



Agenda

• Remote Access Evolution

• SSL VPN Drivers

• Why SSL VPNs

• Basic Deployment

• Security vs. IPSec

• The New Security Concerns

• Addressing the Concerns

• What to Look for in a Vendor


The Evolution of Remote Access

Then | Now
A service for a select few | A must-have utility for all
Cost center | Productivity lever
Best effort performance and up-time | Always up, high performing
Carrier-based | Network independent
Anywhere there’s a phone line | Anywhere


The Evolution of Remote Access

Then | Now
A PC you support | Any PC
Static Passwords | One-Time Passwords
Dial-Back Modems | Device Profiling
What’s a virus? | Must address all malicious code
“They have the Internet on computers?” | “I know more about this than you do.”


The Shift to SSL VPNs

• Enterprises are seeing a new kind of remote access:

• Harder to manage: Access from devices outside of IT’s control

• Demanded by more users: Broader employee access, partner access

• New devices and access points: Wireless hotspots, airport kiosks, home PCs

[Diagram labels: Day Extenders, Extranet Users, Home Office Users, Traveling Employees, Kiosk Users, Wireless LAN Users, Pocket PC Users; Corporate Network]


The Shift to SSL VPNs

• SSL Addresses the Emerging Demands

• Impervious to NAT

• Leverages a commonly open port (443)

• Indifferent to type of network

• Does not require a client

• Supports broad application types

• Easier to support and deploy

• Intuitive User Experience


Basic SSL VPN Deployment

• SSL VPN tied to authentication system, DNS and applications

• Presents web resources and available shares as links to the user

• Authenticates users, encrypts to the end node, applies granular ACLs to the user traffic, detailed audit

• All traffic goes over port 443, regardless of original protocol

• Uses browser-deployed agent to handle C/S applications

Like an IPSec VPN, the SSL VPN is the point of security enforcement for in-bound users.

[Diagram labels: Corporate Laptops, Wireless Hotspots, PDAs, Home PCs, Kiosks, Partner Extranets; Encrypted, Authenticated, and Authorized Traffic via the Internet; SSL VPN Appliance (DMZ); Applications and Directories: Web Apps, Client/Server Apps, Legacy Apps, File Shares, Databases, Terminal Services, Mainframes]


Security vs. IPSec

Security Category | Result moving to SSL VPN from IPSec
Encryption | No change
Authentication | No change or Improved
Access Control | Improved
Perimeter Profile | Improved
Logging and Forensics | Improved
Web Security | Improved
End-Point Security | Improved


The New Security Concerns

• Access from unmanaged locations

• Sensitive data inadvertently left on device

• Sensitive data intentionally captured

• Sensitive data saved by legitimate user

• Unmanaged device is virus vector

• Unmanaged device can be hijacked

• Device Anonymity

• Difficult to tell provisioned devices from others

• Access Modulation

• Authenticating the user alone is not enough to determine the appropriate level of access.


How the Threats Get Addressed

• Sensitive Data Inadvertently Left Behind

• Cache Clearing Technology

• Session File Encryption and Deletion

• Data Captured (Spyware, Keystroke Logger)

• Pre-auth Spyware Scan

• WholeSecurity, Zone Labs, Sygate

• Data Saved by Legitimate User

• Session File Encryption and Deletion

• Restrict Location for Certain Groups


How the Threats Get Addressed

• SSL VPN End-Point is Virus Vector

• A/V and PFW Policy Enforcement Built into SSL VPN

• Adjust ACLs when A/V is absent or not updated

• Remediate workstation when appropriate

• Deny connection in extreme cases


How the Threats Get Addressed

• Device Anonymity

• Restrict Source Domain

• Scan Device and Registry to Identify:

• Domain Membership

• O/S

• Search for Secret File

• Look for Watermark

• Use Digital Certificate

• Restrict by O/S


How the Threats Get Addressed

• Access Modulation

• Create “3-D” Security Policy

• User

• Device

• Location

• Adjust ACLs On-The-Fly Based on Combination of Factors

[Figure: three device profiles, each checked against the same attributes: Application/Process, Directory/File, Registry key, Windows domain, Anti-Virus, Personal Firewall, Aventail Cache Control, Aventail Secure Desktop. Values shown for each profile:]

• Trusted Device (Device Profile: IT-Managed): in.xyz.seattle.com or in.xyz.phoenix.com; Norton AV; Sygate; Data Protection

• Semi-Trusted Device (Device Profile: Home Machine): Norton AV; Sygate or Zone; …HKEY_LOCAL_MACHINE\SW\Symantec\SharedDefs

• Un-Trusted Device: Data Protection; Data Protection
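
The "3-D" policy above (user, device, location) combined with the three device profiles, as an added Python example that is not Aventail's code or configuration. The domain, anti-virus and firewall values come from the slide; the field names, user groups, locations, resource names and the rule that stale A/V signatures drop a device one trust level are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    """Facts a pre-auth scan reports (field names are hypothetical)."""
    domain: str = ""
    antivirus: str = ""
    av_current: bool = False   # True when A/V signatures are up to date
    firewall: str = ""

# Zone profiles, most trusted first, using the values shown on the slide.
ZONES = [
    ("trusted", {"domain": {"in.xyz.seattle.com", "in.xyz.phoenix.com"},
                 "antivirus": {"Norton AV"}, "firewall": {"Sygate"}}),
    ("semi-trusted", {"antivirus": {"Norton AV"}, "firewall": {"Sygate", "Zone"}}),
]

def classify(device: Device) -> str:
    """Return the first zone whose every requirement the device meets."""
    for zone, required in ZONES:
        if all(getattr(device, attr) in ok for attr, ok in required.items()):
            # Assumption: stale A/V costs one level of trust, not a denial.
            if not device.av_current:
                return "semi-trusted" if zone == "trusted" else "untrusted"
            return zone
    return "untrusted"  # fail closed: unknown devices get the weakest profile

# Constructed ACL rules: (group, zones, locations, resources); "*" = any location.
RULES = [
    ("employee", {"trusted"}, {"*"}, {"web-apps", "file-shares", "client-server"}),
    ("employee", {"semi-trusted"}, {"home", "hotspot"}, {"web-apps", "file-shares"}),
    ("employee", {"untrusted"}, {"*"}, {"web-mail"}),
    ("partner", {"trusted", "semi-trusted"}, {"partner-site"}, {"extranet"}),
]

def allowed_resources(group: str, device: Device, location: str) -> set[str]:
    """Union of resources from every rule matching user, device and location."""
    zone = classify(device)
    granted: set[str] = set()
    for rule_group, zones, locations, resources in RULES:
        if (rule_group == group and zone in zones
                and ("*" in locations or location in locations)):
            granted |= resources
    return granted  # an empty set means the connection is denied
```
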


What to Deploy with SSL VPN

• Strong (True Two-Factor) Authentication

• Dynamic A/V and Malware Scanning

• Updated Acceptable Use Policy for Employees and Partners

• Web-Based Mail

• Logical Directory Groups


What to Look for in a Vendor

• Appropriate Scale

• Application Support

• Multiplatform Support

• Support for 3-D Security Model

• Device Scanning (Pre-Auth)

• End-Point Data Protection

• Cache Clearing

• Data Encryption and Deletion

• Application Detection


Thank You

Scott [email protected]


PDF Files Resources

• Aventail SSL VPN Technical Primer US

• Aventail Ex-Family Product DataSheet

• Aventail IPSec VPN vs SSL VPN WP-A4

• Aventail End Point Control White Paper