Secure Remote Access to Business Applications
SSL Technology for Web-Based Access From Any Location

Joseph Steinberg, CISSP
Director of Technical Services, Whale Communications
e-Financial World, Toronto, Canada
November 19, 2004

What We Will Cover

» Business Goals of Remote Access
» Remote Access Technologies
» SSL Access – What it is
» SSL Access – What benefits it delivers
» SSL Access – Security

Business Overview

Remote Access Business Goals

» Improved Productivity of Work Force
  - Employees can perform tasks even when out of the office
  - People can respond faster to emergency conditions
» Creates Greater Top-Line Revenue
  - Increased self-service and improved experience for outside parties
  - Increased automation for other IT systems (via web services, etc.)
» Assurance of Business Continuity
  - Users can work remotely in case of a disaster
  - Fewer seats required at backup facilities
  - Even non-critical employees can be productive

Access for Whom

» Employees/Contractors
» Partners
» Prospects/Customers

RA: Employees/Contractors

» Keep business running 24x7
  - Increase employee productivity
  - Business continuity & disaster recovery
» Increase employee convenience
  - Morale booster
» Maximize ROI from existing tools
» In the past RA was only for this group of users

RA: Partners

» Automate transactions and transfer of information
  - Improve efficiency
  - Expedite communications
  - Reduce mistakes
  - Enable business with parties requiring an online interface

RA: Prospects/Customers

» Create Greater Top-Line Revenue
  - Increased self-service and improved experience for outside parties
  - Increased automation for other IT systems (via web services, etc.)
  - Support systems
  - Improved customer satisfaction

Return on Investment

Value of Benefits - Cost of providing those benefits = Return on Investment

What Factors Affect ROI of RA?

» Who can access and from where
  - Scalability - Number of users who can gain access
  - Ubiquity - Types of machines from which they can access
  - Simplicity - Ease of use for end users
» What can be accessed
  - Access - Number of systems accessible via the SSL VPN and how fully they can be used remotely
  - Security - Security policy denies access in many scenarios
» Cost of providing access
  - Initial outlay - purchase, installation, and configuration
  - Maintenance - Ease of maintenance and support of remote access users

Quick Technology Overview

» Historically: Security vs. accessibility
  - Access from more places, but not from most places
  - Remote access was complicated technology = high TCO
» Today: Access with security
  - Web browsers = access from anywhere
  - Solutions optimized for simplicity = low TCO

SSL VPN

SSL Access delivers a greater ROI than other remote access technologies because it performs better in the aforementioned areas.

What is an SSL VPN?

What is SSL VPN?

SSL VPN technology allows users to remotely access applications and files from a web browser. Even non-web applications can be accessed using SSL VPN.

Typical SSL VPN Session

1. Enter URL
2. Login
3. Portal Page

Typical SSL VPN Session

4. Launch Applications
   - Native Outlook
   - Citrix MetaFrame
   - iNotes
   - File Access
5. Logout

Benefits

» Productivity Boost
  - Employees access from more locations
» Cost Savings
  - Reduces reliance on costly IPsec VPNs
» Top Line Revenue
  - SharePoint can be used for more purposes
» Business Continuity
  - Systems are accessible even if facilities are not

Why Is SSL VPN On the Rise?

» Who can access and from where
  - Scalability: Employees, partners, customers, prospects
  - Ubiquity: Virtually any web-connected device
  - Simplicity: Easy to use
» What can be accessed
  - Access: Most business applications and systems
  - Security: Flexible platforms maximize secure access
» Cost of providing access
  - Initial outlay: Less expensive than alternatives
  - Maintenance: Easier to administer with less support

Compared to Other Technologies

Dial Up

Dial Up

» Employees dial up to the organization using modem lines
» Older technology – before Internet mass adoption
  - High cost: modem pools, dial-up servers, phone lines, long distance charges
  - Slow connection speeds
  - Fiscally inefficient – normally under-utilized, maxed out during peaks
  - Easy target for low-tech DoS attacks
  - Does not provide access from anywhere in case of business recovery
  - A growing number of web-enabled applications are designed to leverage the Internet – why would you want to do otherwise?
» Phasing out in general

IPsec VPN

IPsec VPN

» Virtual Private Network – like a long Ethernet cable
  - Leverages Internet for connectivity
  - High speed
» Issues
  - Client-side costs: purchase and maintenance
  - Access available only from specific devices
  - Usually deployed to a limited number of users
» Invented before maturation of the web and ubiquity of web browsers
» Appropriate usage for existing implementations
  - Limited number of remote employees (and very limited partners)
  - Always accessing from specific company-owned computers
» Inappropriate for
  - Large scale deployments
  - Business continuity purposes

Why Not Simple Web Access?

Web Access

Native Web Access

» Issues
  - Not all applications have web interfaces
  - Web interfaces often do not offer full application functionality
  - Security: hackers and worms can penetrate
  - Ports open to the internal network
  - Violates corporate policies
» Not normally implemented

So what does an SSL VPN actually do?

SSL VPN Technology

What Is an SSL VPN Gateway?

» Enables remote access from web browsers
» Ensures security of systems and data

Enables Access to Web Apps

» Web Applications – Makes systems with internal references work
» Improves upon portals for delivering web apps
» Translation of internal references
  - http://hrserver/ becomes https://ra.whale.com/593a1d8b2b4c20ff1b9c6254fadf/index.html
  - http://internal.whale.com becomes https://ra.whale.com/ecf1513043b4619c419ca6254c174/start.asp
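The translation step above is the core of a reverse-proxy style SSL VPN. The Python below is an added example, not code from the presentation or from Whale's product: it rewrites internal references in an outbound page to gateway URLs and resolves the opaque prefix of an inbound request back to the internal origin, refusing unknown prefixes so the gateway cannot be used as an open proxy. The gateway host ra.whale.com and the hex-token style come from the slide; the HMAC-derived token, the secret, the allow-list of internal origins and the sample HTML are assumptions made for this example.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import unquote

# Gateway host as shown on the slide. The secret and the allow-list of
# internal origins are assumptions for this example; a real gateway would
# keep both in its configuration.
GATEWAY = "https://ra.whale.com"
SECRET = b"example-gateway-secret"
INTERNAL_ORIGINS = ["http://hrserver", "http://internal.whale.com"]


def opaque_id(origin: str) -> str:
    """Stable, non-reversible token for an internal origin.

    Assumption: HMAC(secret, origin), truncated to 28 hex digits. The slide
    only shows that the host name is replaced by an opaque hex string, not
    how that string is derived.
    """
    return hmac.new(SECRET, origin.encode(), hashlib.sha256).hexdigest()[:28]


FORWARD = {o: opaque_id(o) for o in INTERNAL_ORIGINS}   # origin -> token
REVERSE = {t: o for o, t in FORWARD.items()}           # token  -> origin

# http(s)://host[:port], stopped at the path, a quote, whitespace or '>'.
_ORIGIN_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?=[/\"'\s>]|$)")


def rewrite_outbound(html: str) -> str:
    """Translate internal references in a response body to gateway URLs.

    http://hrserver/index.html -> https://ra.whale.com/<token>/index.html
    Links to origins outside the allow-list are left exactly as they are.
    """
    def _sub(m):
        token = FORWARD.get(m.group(0).lower())
        return f"{GATEWAY}/{token}" if token else m.group(0)
    return _ORIGIN_RE.sub(_sub, html)


def resolve_inbound(path: str) -> Optional[str]:
    """Map an inbound gateway path back to the internal target URL.

    /<token>/start.asp -> http://internal.whale.com/start.asp
    Returns None (the request must be refused) when the token is unknown, so
    guessing a prefix cannot turn the gateway into an open proxy, or when the
    remainder carries a traversal segment, checked after percent-decoding.
    """
    parts = path.split("/", 2)                 # ['', token, rest]
    if len(parts) < 2 or not parts[1]:
        return None
    origin = REVERSE.get(parts[1])
    if origin is None:
        return None
    rest = parts[2] if len(parts) == 3 else ""
    if ".." in unquote(rest).split("/"):
        return None
    return f"{origin}/{rest}"


if __name__ == "__main__":
    # Constructed sample page containing one internal and one external link.
    page = '<a href="http://hrserver/index.html">HR</a> <a href="http://www.example.org/">ext</a>'
    print(rewrite_outbound(page))
    print(resolve_inbound("/" + FORWARD["http://internal.whale.com"] + "/start.asp"))
```

The regex only catches literal references in markup; links assembled by JavaScript at run time, or written into an application's own cache, are exactly the cases that make rewriting hard and that a gateway has to understand per application.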

Enables Access to C/S Apps

» Client/Server Apps, Telnet, and Terminal Services
  - Allows them to work over SSL instead of using proprietary communications ports
  - Can be triggered from a link within a portal page or from the SSL VPN
» Tunneling
  - Intercepts requests, transfers to SSL Gateway, and relays to “real server”
  - Translates IP numbers and ports when necessary

Enables Access to Files

» File Access – Provides remote access to file repositories and home/project directories
  - Type 1: Explorer-like interface in web browser, all file commands performed on SSL Gateway
  - Type 2: Remote drive mounting – transfer file commands over SSL (like a C/S application)
» Provided as separate application or within a portal

Provides User Interface

» Creates simple but powerful user experience (GUI, automatic server selection, etc.)
» Can leverage existing portal interfaces (e.g., SharePoint)
  - Avoids extraneous helpdesk calls
  - Flexible interface simulates normal work environments
  - Automatically selects each user’s servers (for email, apps, etc.) based on UserID
  - Single Sign On
  - Toolbars

Security Concerns

Security

» Organizations often recognize the benefits of remote access, but not the security issues
» Many of the security issues are new with the advent of SSL VPN – and corporate security experts may not be familiar with them…

SSL Access Security Issues

» Network-side
  - Problems created by allowing access into your infrastructure
» Client-side (end point)
  - Problems created by allowing access from unknown devices
  - NEW ISSUES – different from classical end-point security
» User Authentication, Authorization

Network-Side Security Concerns

» SSL VPN relays requests from the Internet
» Exposure to hackers, worms, viruses, etc.
  - Buffer overflows - execute arbitrary code
  - Denial of Service or service degradation of production servers
  - Malformed URLs
  - Inappropriate access to confidential information

Network-Side Security Concerns

» Ports open/tunneled
» IPsec disguised as SSL: an SSL VPN that tunnels raw network traffic gives the remote device the same network-level reach an IPsec VPN would, just over port 443

Client-Side Security Concerns

» Access from insecure devices
» Access from secure devices

Access from Insecure Devices

» Issue: sensitive data stored on access devices
  - Databases & files
  - Documents opened as email attachments
  - History and AutoComplete information
  - Cached data

Access from Insecure Devices

» Issue: Users may not log off
  - Inappropriate parties may be able to continue sessions
  - Data will remain cached
  - Auto-refresh of Inbox, etc., may prevent SSL VPN inactivity timeouts from functioning

Access from Insecure Devices

» Access devices may not conform to security policies
  - Personal firewalls
  - Anti-virus
  - No Kazaa, Morpheus, etc.
» Some devices may not run ActiveX or Java
  - So any security software the SSL VPN sends to the client won’t work

Access from Secure Devices

» “Lowest Common Denominator” rules reduce productivity
  - Easy to say “Don’t provide access” if not compliant
  - But, we want to provide as much access as is safe
  - If we don’t provide access from insecure devices we cannot use the SSL VPN for customer access, for partner access, or as a business continuity solution
  - But, reducing access to a uniform level across all machines unnecessarily curtails access from secure devices!

Ensuring Security

Network-Side Security Response

» Relay appropriate level traffic
» Application Firewalling

Relay Appropriate Level Traffic

» From general devices
  - Application level, not network traffic
  - Intercept requests and forward accordingly
» From corporate laptops, office computers, and similar devices
  - Full network-type communications (maybe)

Application Firewalling

» Filter requests and allow only valid requests to pass
» Many Web solutions available; can be optimized for specific applications
» Filtering for client/server applications is complicated
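"Allow only valid requests to pass" is a positive-security model: the gateway knows which paths, methods and parameters the application legitimately uses and drops everything else, which also covers the network-side concerns listed earlier (over-long requests that feed buffer overflows, malformed URLs, probing for paths the application never exposes). The filter below is an added example written for this page, not the product's rule engine, and its rule set is a constructed sketch of a web-mail front end rather than the real OWA rules, which the slides do not list. The length limits, route patterns and sample request lines are all assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_URL_LEN = 2048      # assumed limits; over-long requests are a classic
MAX_VALUE_LEN = 256     # overflow vector against the back-end server

# Constructed rule set for a hypothetical web mail front end (not the real
# OWA rule set). Each route states the methods it accepts and, for every
# accepted query parameter, the pattern its value must match. Anything not
# listed is refused.
RULES = [
    (re.compile(r"^/exchange/[A-Za-z0-9._\-]+/inbox/?$"),
     {"methods": {"GET"},
      "params": {"cmd": re.compile(r"^(contents|new)$"),
                 "page": re.compile(r"^\d{1,4}$")}}),
    (re.compile(r"^/exchange/[A-Za-z0-9._\-]+/inbox/[A-Za-z0-9._\-]+\.EML$"),
     {"methods": {"GET"},
      "params": {"cmd": re.compile(r"^(open|delete)$")}}),
]

_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def _decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e cannot hide a traversal."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def check_request(method: str, url: str) -> Optional[str]:
    """Return None when the request may pass, else the reason it is dropped."""
    if len(url) > MAX_URL_LEN:
        return "url too long"
    if _CONTROL_RE.search(url):
        return "control characters in url"
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return "absolute url not accepted"      # no proxy-style requests
    path = _decode_fully(parts.path)
    if _CONTROL_RE.search(path) or "\\" in path or ".." in path.split("/"):
        return "malformed path"
    for route_re, rule in RULES:
        if route_re.match(path):
            break
    else:
        return "unknown path"                   # not an application route
    if method.upper() not in rule["methods"]:
        return "method not allowed"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = rule["params"].get(name)
        if pattern is None:
            return f"unexpected parameter {name}"
        if len(value) > MAX_VALUE_LEN or not pattern.match(value):
            return f"bad value for {name}"
    return None


# Constructed sample of request lines, as a gateway might log them.
SAMPLE_REQUESTS = [
    ("GET", "/exchange/jsteinberg/inbox/?cmd=contents&page=2"),
    ("GET", "/exchange/jsteinberg/inbox/Hello.EML?cmd=open"),
    ("POST", "/exchange/jsteinberg/inbox/"),
    ("GET", "/exchange/jsteinberg/inbox/?cmd=contents&debug=1"),
    ("GET", "/exchange/jsteinberg/inbox/%252e%252e/%252e%252e/winnt/system32/cmd.exe"),
    ("GET", "/scripts/..%c1%1c../winnt/system32/cmd.exe"),
    ("GET", "/exchange/jsteinberg/inbox/?page=" + "9" * 300),
]


def run_samples():
    """Verdict for every constructed sample request."""
    return [(m, u[:60], check_request(m, u)) for m, u in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, url, verdict in run_samples():
        tag = "PASS" if verdict is None else "DROP"
        print(f"{tag} {method:4} {url}  {verdict or ''}")
```

The decode-then-judge order matters: the back-end server will decode the path itself, so the filter has to reason about the decoded form, and it has to do so before route matching, otherwise an encoded traversal can be smuggled through a pattern that looks harmless. This is also why the slide notes that filtering client/server protocols is harder: there is no URL grammar to anchor such rules to.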

Application Firewalling (OWA 2K)

Client-Side Security Response

» Erase sensitive data stored on access devices
» Secure Log-Off
» Tier access based on device’s environment
» Security and Compliance Policy

Don’t Leave Data Behind

» Issue
  - Sensitive data stored on access devices
» Solution
  - SSL VPN must wipe sensitive data from insecure machines
  - Session termination: logoff, browser crash, window closed, reboot, etc.
  - Wipe: temporary files, cookies, History, AutoComplete, standard system/proprietary caches, etc.
  - Most SSL VPN vendors provide some wiping capabilities
  - Third-party add-on products also available

Log Off & Session Termination

» Issue
  - Users might not log off
» Solution
  - Triple-tier session termination: user logoff, inactivity timeout, forced periodic re-authentication
  - Timeout mechanism must ignore auto-refresh requests
  - Timeout mechanism should warn users shortly before termination
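The three tiers and the auto-refresh problem from the previous slide fit in a small state machine. The Python below is an added example for this page, not the product's session code: an explicit logoff ends the session at once, an inactivity timer counts only user-driven requests so that a polling inbox cannot keep an abandoned session alive, and an absolute lifetime forces re-authentication regardless of activity. The timeout values, the set of auto-refresh paths and the user name are assumptions; the slide gives none of them.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SessionPolicy:
    """Timeouts in seconds. The values are assumptions; the slide gives none."""
    inactivity_timeout: int = 15 * 60       # tier 2: idle limit
    max_lifetime: int = 8 * 60 * 60         # tier 3: forced re-authentication
    warning_lead: int = 60                  # warn this long before the idle cut


# Paths the browser requests on its own (assumed for this example). They keep
# the inbox fresh but prove nothing about a person being at the keyboard, so
# they must not count as activity.
AUTO_REFRESH_PATHS = {"/exchange/inbox/poll", "/keepalive"}


@dataclass
class Session:
    user: str
    started_at: float
    last_user_activity: float
    policy: SessionPolicy = field(default_factory=SessionPolicy)
    terminated: Optional[str] = None

    def touch(self, path: str, now: float) -> None:
        """Record a request; only user-driven requests extend the session."""
        if path not in AUTO_REFRESH_PATHS:
            self.last_user_activity = now

    def logoff(self) -> None:
        """Tier 1: explicit user logoff."""
        self.terminated = "logoff"

    def state(self, now: float) -> str:
        """'active', 'warn', or the reason the session ended.

        Once terminated, a session stays terminated: a late request from the
        same browser (or from whoever sat down next) must not revive it.
        """
        if self.terminated:
            return self.terminated
        if now - self.started_at >= self.policy.max_lifetime:
            self.terminated = "reauth"
            return self.terminated
        idle = now - self.last_user_activity
        if idle >= self.policy.inactivity_timeout:
            self.terminated = "timeout"
            return self.terminated
        if idle >= self.policy.inactivity_timeout - self.policy.warning_lead:
            return "warn"
        return "active"


def simulate_auto_refresh_only(policy: SessionPolicy) -> List[Tuple[int, str]]:
    """Timeline for a user who walks away while the inbox keeps polling."""
    s = Session("jsteinberg", started_at=0.0, last_user_activity=0.0, policy=policy)
    trace = []
    for t in range(0, policy.inactivity_timeout + 1, 60):
        s.touch("/exchange/inbox/poll", t)      # constructed auto-refresh hits
        trace.append((t, s.state(t)))
    return trace


if __name__ == "__main__":
    for t, st in simulate_auto_refresh_only(SessionPolicy(600, 3600, 60)):
        print(f"t={t:4d}s  {st}")
```

Distinguishing auto-refresh traffic from user traffic is application knowledge: the gateway has to know which of the application's requests a browser issues by itself, which is one reason the deck stresses application awareness later.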

Tiered Access

» Issue
  - Insecure access devices vs. lowest common denominator
» Solution
  - Provide maximum secure access based on the machine used for access
  - Can include many granular rules
  - Even rules within an application
  - Especially important in portal environments

Security: Flexibility

Employees – Access to web-based email via SSL VPN

Where            | Allow File/Attachment Upload | Allow File/Attachment Download        | Allow Printing | Require up-to-date Antivirus | Require Personal Firewall | Require Cache Cleaning
Corporate Laptop | Yes                          | Yes                                   | Yes            | Yes                          | Yes                       | No
Home Computer    | Only with Antivirus          | Only with cache wiper and personal FW | Yes            | Yes                          | No                        | Yes
Internet Café    | Only with Antivirus          | Only with cache wiper                 | No             | No                           | No                        | No

Executables

» Issue
  - Some machines may not run ActiveX, Java, or other executables
» Solution
  - This situation will be one level in the policy scheme

Security Policies & Compliance

» Determining which policies apply
  - Can SSL VPN detect/install end point security software?
  - Client side environment (anti-virus and signatures, personal firewall, patches up to date, registry settings, other software installed, etc.)
  - Presence of client certificate
  - Type of authentication used, e.g., more access with SecurID than with just username and password
  - IP address of endpoint (vulnerable to spoofing)
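Tiered access, the "Security: Flexibility" table, the executables caveat and the policy factors above combine into one evaluation: classify the endpoint, check what that tier must present to get in at all, then decide each function inside the application separately. The Python below is an added example for this page, not Whale's policy engine. The per-tier rules are transcribed from the table; the use of the client certificate to decide whether a machine counts as corporate, the treatment of a browser that cannot run ActiveX/Java as having no cache wiper, and the sample postures are assumptions made here. The endpoint IP address is deliberately not used to grant anything, since the slide marks it as spoofable.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Posture:
    """What the gateway could establish about the endpoint at login."""
    claimed_device: str    # "corporate_laptop", "home" or "kiosk"
    client_cert: bool      # machine certificate presented
    av_current: bool       # up-to-date antivirus detected
    personal_fw: bool      # personal firewall detected
    can_run_agent: bool    # ActiveX/Java allowed, so a cache wiper can be sent

    @property
    def device(self) -> str:
        # Assumption for this example: a device counts as corporate only when
        # it proves it with a client certificate; a bare claim is treated as a
        # home computer. The slide lists the certificate as a factor but does
        # not say how it is weighed.
        if self.claimed_device == "corporate_laptop" and not self.client_cert:
            return "home"
        return self.claimed_device

    @property
    def cache_wiper(self) -> bool:
        # The wiper ships as an executable component; a browser that cannot
        # run ActiveX or Java is treated as having no wiper.
        return self.can_run_agent


Check = Callable[[Posture], bool]

# Transcribed from the "Security: Flexibility" table. First, what each tier
# must present before web mail is offered at all (the "Require ..." columns) ...
LOGIN_REQUIREMENTS: Dict[str, Check] = {
    "corporate_laptop": lambda p: p.av_current and p.personal_fw,
    "home":             lambda p: p.av_current and p.cache_wiper,
    "kiosk":            lambda p: True,
}
# ... then the condition on each function within the application
# (the "Allow ..." columns).
FUNCTION_RULES: Dict[str, Dict[str, Check]] = {
    "upload":   {"corporate_laptop": lambda p: True,
                 "home":             lambda p: p.av_current,
                 "kiosk":            lambda p: p.av_current},
    "download": {"corporate_laptop": lambda p: True,
                 "home":             lambda p: p.cache_wiper and p.personal_fw,
                 "kiosk":            lambda p: p.cache_wiper},
    "print":    {"corporate_laptop": lambda p: True,
                 "home":             lambda p: True,
                 "kiosk":            lambda p: False},
}


def evaluate(p: Posture) -> Dict[str, bool]:
    """Grants for login and for each in-application function.

    A failed login requirement denies everything; otherwise each function is
    decided on its own, which is what lets a kiosk user read mail while being
    refused downloads and printing instead of being refused outright.
    """
    tier = p.device
    grants = {"login": LOGIN_REQUIREMENTS[tier](p)}
    for fn, by_tier in FUNCTION_RULES.items():
        grants[fn] = grants["login"] and by_tier[tier](p)
    return grants


if __name__ == "__main__":
    # Constructed sample postures.
    samples = {
        "corporate laptop, fully compliant":
            Posture("corporate_laptop", True, True, True, True),
        "claims corporate, no certificate, no firewall":
            Posture("corporate_laptop", False, True, False, True),
        "home PC, browser blocks ActiveX/Java":
            Posture("home", False, True, True, False),
        "internet cafe, no antivirus, agent allowed":
            Posture("kiosk", False, False, False, True),
    }
    for label, posture in samples.items():
        print(f"{label}: tier={posture.device} {evaluate(posture)}")
```

The authentication strength factor from the slide (more access with SecurID than with a password) slots in as one more predicate on the same posture object; it is left out here only because the table does not state how it changes any cell.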

Important Note

» Clearly SSL endpoint security is different from earlier “endpoint security concerns” such as IPsec
  - We allow access even when devices are insecure
  - Need to clear data from the device, terminate abandoned sessions quickly, etc.
» It is essential that the right problems are addressed
  - Cannot use older endpoint security technologies to solve today’s challenges

Application Level Communications

Why Not Network-Level Access?

» Delivering remote access by tunneling network-level traffic is relatively simple, but . . .
  - Completely bypasses the firewall’s low-level security
  - Partners and other outside parties should not be connected to your networks
  - Limits the number of devices from which access can be achieved – and reduces the value of investing in a web-optimized portal product
  - Similar limitations to those of IPsec VPN – not suitable for Business Continuity or for access by large numbers of users

SSL VPN with Tunneling

SSL VPN at Application Level

But Not So Simple . . .

» To maintain security and offer access for everyone from any device, communications must be at the application level
» Communications
  - Network – Technical functions upon which business functionality resides; set standards exist
  - Application – Actual business functions; no standards

Link Abstract Business Concepts

» Translate business concepts to application functions
» Address security requirements that vary by business function (within an application)
» Address application individualism
  - Lack of conformity to protocols
  - Proprietary caches
  - JavaScript building links
  - Auto-refresh requests
  - Agnostic “application level intelligence” won’t work; must understand how the application works

Issues: Worsening Over Time

» Internal systems increasingly powerful and complex as new generations of applications are implemented
» Increasingly difficult for SSL VPNs to offer remote access at the application level without sophisticated application awareness technology

Trends

» Split within the SSL VPN market
  - Simple SSL VPNs – heavy reliance on tunneling, employees only
  - Robust SSL VPN / Access Platforms – able to support access at the application level, access for employees, customers, partners, etc.; works best with web-optimized portals

Thank You

Joseph Steinberg, CISSP
Whale Communications
400 Kelby Street, 15th Floor, Fort Lee, NJ 07024
[email protected]
+1-201-947-9177