Secure Remote Access to Business Applications
SSL Technology for Web-Based Access From Any Location

Joseph Steinberg, CISSP
Director of Technical Services, Whale Communications
e-Financial World, Toronto, Canada
November 19, 2004
What We Will Cover
»Business Goals of Remote Access
»Remote Access Technologies
»SSL Access – What it is
»SSL Access – What benefits it delivers
»SSL Access – Security
Business Overview
Remote Access Business Goals
» Improved Productivity of Work Force
   - Employees can perform tasks even when out of the office
   - People can respond faster to emergency conditions
» Creates Greater Top-Line Revenue
   - Increased self-service and improved experience for outside parties
   - Increased automation for other IT systems (via web services, etc.)
» Assurance of Business Continuity
   - Users can work remotely in case of a disaster
   - Fewer seats required at backup facilities
   - Even non-critical employees can be productive
Access for Whom
»Employees/Contractors
»Partners
»Prospects/Customers
RA: Employees/Contractors
» Keep business running 24x7
   - Increase employee productivity
   - Business continuity & disaster recovery
» Increase employee convenience
   - Morale booster
» Maximize ROI from existing tools
» In the past RA was only for this group of users
RA: Partners
» Automate transactions and transfer of information
   - Improve efficiency
   - Expedite communications
   - Reduce mistakes
   - Enable business with parties requiring online interface
RA: Prospects/Customers
» Create Greater Top-Line Revenue
   - Increased self-service and improved experience for outside parties
   - Increased automation for other IT systems (via web services, etc.)
   - Support systems
   - Improved customer satisfaction
Return on Investment
Value of Benefits - Cost of Providing Those Benefits = Return on Investment
What Factors Affect ROI of RA?
» Who can access and from where
   - Scalability: number of users who can gain access
   - Ubiquity: types of machines from which they can access
   - Simplicity: ease of use for end users
» What can be accessed
   - Access: number of systems accessible via the SSL VPN and how fully they can be used remotely
   - Security: security policy denies access in many scenarios
» Cost of providing access
   - Initial layout: purchase, installation, and configuration
   - Maintenance: ease of maintenance and support of remote access users
Quick Technology Overview
» Historically: security vs. accessibility
   - Access from more places, but not from most places
   - Remote access was complicated technology = high TCO
» Today: access with security
   - Web browsers = access from anywhere
   - Solutions optimized for simplicity = low TCO
SSL Access delivers a greater ROI than other remote access technologies because it performs better in the aforementioned areas.
SSL VPN
What is an SSL VPN?
SSL VPN technology allows users to remotely access applications and files from a web browser. Even non-web applications can be accessed using SSL VPN.
Typical SSL VPN Session
1. Enter URL
2. Login
3. Portal Page
4. Launch Applications (e.g., native Outlook, Citrix MetaFrame, iNotes, file access)
5. Logout
Benefits
» Productivity Boost: employees access from more locations
» Cost Savings: reduces reliance on costly IPSEC VPNs
» Top Line Revenue: SharePoint can be used for more purposes
» Business Continuity: systems are accessible even if facilities are not
Why Is SSL VPN On the Rise?
» Who can access and from where
   - Scalability: employees, partners, customers, prospects
   - Ubiquity: virtually any web-connected device
   - Simplicity: easy to use
» What can be accessed
   - Access: most business applications and systems
   - Security: flexible platforms maximize secure access
» Cost of providing access
   - Initial layout: less expensive than alternatives
   - Maintenance: easier to administer with less support
Compared to Other Technologies
Dial Up
» Employees dial up to the organization using modem lines
» Older technology, from before Internet mass adoption
   - High cost: modem pools, dial-up servers, phone lines, long distance charges
   - Slow connection speeds
   - Fiscally inefficient: normally under-utilized, maxed out during peaks
   - Easy target for low-tech DoS attacks
   - Does not provide access from anywhere in case of business recovery
   - A growing number of web-enabled applications are designed to leverage the Internet; why would you want to do otherwise?
» Phasing out in general
IPSEC VPN
» Virtual Private Network, like a long Ethernet cable
   - Leverages Internet for connectivity
   - High speed
» Issues
   - Client-side costs: purchase and maintenance
   - Access available only from specific devices
   - Usually deployed to limited number of users
» Invented before maturation of web and ubiquity of web browsers
» Appropriate usage for existing implementations
   - Limited number of remote employees (and very limited partners)
   - Always accessing from specific company-owned computers
» Inappropriate for
   - Large scale deployments
   - Business continuity purposes
Why Not Simple Web Access?
Native Web Access
» Issues
   - Not all applications have web interfaces
   - Web interfaces typically do not offer full application functionality
   - Security: hackers and worms can penetrate
   - Ports open to internal network
   - Violates corporate policies
» Not normally implemented
So what does an SSL VPN actually do?
SSL VPN Technology
What Is an SSL VPN Gateway?
» Enables remote access from web browsers
» Ensures security of systems and data
Enables Access to Web Apps
» Web Applications: makes systems with internal references work
» Improves upon portals for delivering web apps
» Translation of internal references, e.g.:
   http://hrserver/ → https://ra.whale.com/593a1d8b2b4c20ff1b9c6254fadf/index.html
   http://internal.whale.com → https://ra.whale.com/…ecf1513043b4619c419ca6254c174/start.asp
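The reference translation described above, as an added example (not Whale's code or scheme): internal hostnames in outbound links are replaced by an opaque keyed-hash token under the gateway host, and inbound gateway paths are mapped back only if the token is known and the path does not traverse directories. The gateway name, key and hosts are constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for this example; not Whale's actual scheme.
GATEWAY = "https://ra.example.com"
TOKEN_KEY = b"constructed-gateway-secret"

class ReferenceTranslator:
    """Rewrites internal references into opaque gateway URLs and back again."""
    def __init__(self, internal_hosts):
        # One stable token per internal host; the keyed hash means the
        # internal name is not recoverable from the external URL.
        self.token_to_host = {self._token(h): h for h in internal_hosts}
        self.internal_hosts = set(internal_hosts)
    @staticmethod
    def _token(host: str) -> str:
        return hmac.new(TOKEN_KEY, host.lower().encode(), hashlib.sha256).hexdigest()[:28]
    def outbound(self, url: str) -> str:
        """Internal URL -> gateway URL; external and relative links are left untouched."""
        parts = urlsplit(url)
        if parts.hostname not in self.internal_hosts:
            return url
        query = f"?{parts.query}" if parts.query else ""
        return f"{GATEWAY}/{self._token(parts.hostname)}{parts.path or '/'}{query}"
    def inbound(self, gateway_path: str) -> Optional[str]:
        """Gateway path -> internal URL, or None (reject) for an unknown token
        or a path that tries to climb out with '..'."""
        m = re.fullmatch(r"/([0-9a-f]{28})(/.*)?", gateway_path)
        if not m or m.group(1) not in self.token_to_host:
            return None
        path = m.group(2) or "/"
        if ".." in path.split("/"):
            return None
        return f"http://{self.token_to_host[m.group(1)]}{path}"
    def rewrite_html(self, html: str) -> str:
        """Rewrite href/src attributes of a response body on its way out."""
        return re.sub(r'((?:href|src)=")([^"]+)(")',
                      lambda mm: mm.group(1) + self.outbound(mm.group(2)) + mm.group(3), html)

def demo() -> dict:
    """Constructed sample page: one internal link, one external image, plus a round trip."""
    t = ReferenceTranslator(["hrserver", "internal.example.com"])
    html = '<a href="http://hrserver/index.html">HR</a> <img src="http://www.example.org/logo.png">'
    ext = t.outbound("http://hrserver/index.html")
    return {"html": t.rewrite_html(html), "ext": ext, "back": t.inbound(ext[len(GATEWAY):]),
            "bad": t.inbound("/0000000000000000000000000000/x")}
```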
Enables Access to C/S Apps
» Client/Server Apps, Telnet, and Terminal Services
   - Allows them to work over SSL instead of using proprietary communications ports
   - Can be triggered from a link within a portal page or from the SSL VPN
» Tunneling
   - Intercepts requests, transfers to SSL Gateway, and relays to "real server"
   - Translates IP numbers and ports when necessary
Enables Access to Files
» File Access: provides remote access to file repositories and home/project directories
   - Type 1: Explorer-like interface in web browser, all file commands performed on SSL Gateway
   - Type 2: Remote drive mounting, transferring file commands over SSL (like a C/S application)
» Provided as separate application or within a portal
Provides User Interface
» Creates simple but powerful user experience (GUI, automatic server selection, etc.)
» Can leverage existing portal interfaces (e.g., SharePoint)
   - Avoids extraneous helpdesk calls
   - Flexible interface simulates normal work environments
   - Automatically selects each user's servers (for email, apps, etc.) based on UserID
   - Single Sign On
   - Toolbars
Security Concerns
Security
» Organizations often recognize the benefits of remote access, but not the security issues
» Many of the security issues are new with the advent of SSL VPN, and corporate security experts may not be familiar with them…
SSL Access Security Issues
» Network-side: problems created by allowing access into your infrastructure
» Client-side (end point): problems created by allowing access from unknown devices
   - NEW ISSUES: different than classical end-point security
» User Authentication, Authorization
Network-Side Security Concerns
» SSL VPN relays requests from Internet
» Exposure to hackers, worms, viruses, etc.
   - Buffer overflows: execute arbitrary code
   - Denial of Service or service degradation of production servers
   - Malformed URLs
   - Inappropriate access to confidential information
» Ports open/tunneled
» IPSEC disguised as SSL
Client-Side Security Concerns
» Access from insecure devices
» Access from secure devices
Access from Insecure Devices
» Issue: sensitive data stored on access devices
   - Databases & files
   - Documents opened as email attachments
   - History and AutoComplete information
   - Cached data
Access from Insecure Devices
» Issue: users may not log off
   - Inappropriate parties may be able to continue sessions
   - Data will remain cached
   - Auto-refresh of Inbox, etc., may prevent SSL VPN inactivity timeouts from functioning
Access from Insecure Devices
» Access devices may not conform to security policies
   - Personal firewalls
   - Anti-virus
   - No KAZAA, Morpheus, etc.
» Some devices may not run ActiveX or Java
   - So any security software the SSL VPN sends to the client won't work
Access from Secure Devices
» "Lowest Common Denominator" rules reduce productivity
   - Easy to say "Don't provide access" if not compliant
   - But, we want to provide as much access as is safe
   - If we don't provide access from insecure devices we cannot use the SSL VPN for customer access, for partner access, or as a business continuity solution
   - But, reducing access to a uniform level across all machines unnecessarily curtails access from secure devices!
Ensuring Security
Network-Side Security Response
» Relay appropriate level traffic
» Application Firewalling
Relay Appropriate Level Traffic
» From general devices
   - Application level, not network traffic
   - Intercept requests and forward accordingly
» From corporate laptops, office computers, and similar devices
   - Full network-type communications (maybe)
Application Firewalling
» Filter requests and allow only valid requests to pass
» Many Web solutions available; can be optimized for specific applications
» Filtering for client/server applications is complicated
Application Firewalling (OWA 2K)

Client-Side Security Response
» Erase sensitive data stored on access devices
» Secure Log-Off
» Tier access based on device's environment
» Security and Compliance Policy
Don't Leave Data Behind
» Issue: sensitive data stored on access devices
» Solution: SSL VPN must wipe sensitive data from insecure machines
   - Session termination: logoff, browser crash, window closed, reboot, etc.
   - Wipe: temporary files, cookies, History, AutoComplete, standard system/proprietary caches, etc.
   - Most SSL VPN vendors provide some wiping capabilities
   - Third-party add-on products also available
Log Off & Session Termination
» Issue: users might not log off
» Solution: triple-tier session termination
   - User logoff
   - Inactivity timeout
   - Forced periodic re-authentication
   - Timeout mechanism must ignore auto-refresh requests
   - Timeout mechanism should warn users shortly before termination
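The triple-tier termination above, as an added example (not code from the presentation or from Whale): explicit logoff, an inactivity timeout that ignores the mail client's auto-refresh polling and warns shortly before expiry, and a forced re-authentication interval, with a client cache wipe ordered on every termination path. The timeout values and the auto-refresh paths are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy values for this example (not stated in the presentation).
INACTIVITY_LIMIT = 15 * 60      # seconds of real user inactivity before logoff
REAUTH_INTERVAL = 8 * 60 * 60   # forced re-authentication after this long
WARN_BEFORE = 60                # warn when this many seconds of inactivity remain
# Constructed paths that the web-mail client polls on its own (auto-refresh).
AUTO_REFRESH_PATHS = {"/exchange/inbox/refresh", "/keepalive"}

@dataclass
class Session:
    user: str
    created: float
    last_activity: float
    ended_reason: Optional[str] = None
    wipe_ordered: bool = False  # client-side cache wipe triggered on termination

class SessionManager:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
    def login(self, sid: str, user: str, now: float) -> None:
        self.sessions[sid] = Session(user, now, now)
    def _terminate(self, s: Session, reason: str) -> None:
        s.ended_reason, s.wipe_ordered = reason, True
    def logoff(self, sid: str) -> None:
        if sid in self.sessions:                   # tier 1: explicit user logoff
            self._terminate(self.sessions[sid], "logoff")
    def request(self, sid: str, path: str, now: float) -> Tuple[str, str]:
        """Gate one request; returns (status, detail) with status ok/warn/terminated."""
        s = self.sessions.get(sid)
        if s is None or s.ended_reason:
            return ("terminated", s.ended_reason if s else "unknown session")
        if now - s.created >= REAUTH_INTERVAL:     # tier 3: forced periodic re-auth
            self._terminate(s, "reauth-required")
            return ("terminated", "reauth-required")
        idle = now - s.last_activity
        if idle >= INACTIVITY_LIMIT:               # tier 2: inactivity timeout
            self._terminate(s, "inactivity")
            return ("terminated", "inactivity")
        if path in AUTO_REFRESH_PATHS:             # polling never counts as activity
            remaining = INACTIVITY_LIMIT - idle
            if remaining <= WARN_BEFORE:
                return ("warn", f"session ends in {int(remaining)}s")
            return ("ok", "auto-refresh ignored")
        s.last_activity = now                      # real user activity extends the session
        return ("ok", "")
```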
Tiered Access
» Issue: insecure access devices vs. lowest common denominator
» Solution: provide maximum secure access based on machine used for access
   - Can include many granular rules
   - Even rules within an application
   - Especially important in portal environments
Security: Flexibility
Employees: access to web-based email via SSL VPN

Where            | Allow File/Attachment Upload | Allow File/Attachment Download        | Allow Printing | Require Up-to-date Antivirus | Require Personal Firewall | Require Cache Cleaning
Corporate Laptop | Yes                          | Yes                                   | Yes            | Yes                          | Yes                       | No
Home Computer    | Only with antivirus          | Only with cache wiper and personal FW | Yes            | Yes                          | No                        | Yes
Internet Café    | Only with antivirus          | Only with cache wiper                 | No             | No                           | No                        | No
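The flexibility table above as a policy evaluator, added here as an example (not Whale's policy engine): each device class has posture attributes required for any access at all, plus extra attributes per function, and unknown classes fall through to deny. The attribute names and the reason reporting are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set

@dataclass
class Endpoint:
    device_class: str         # "corporate_laptop", "home_computer" or "internet_cafe"
    antivirus_current: bool
    personal_firewall: bool
    cache_wiper: bool         # cache-cleaning component installed and running

FUNCTIONS = ("upload", "download", "print")

# Transcribed from the table: "require" lists what any access needs; each function
# lists its own extra needs; a function absent from a class is never permitted.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "corporate_laptop": {"require": {"antivirus_current", "personal_firewall"},
                         "upload": set(), "download": set(), "print": set()},
    "home_computer":    {"require": {"antivirus_current", "cache_wiper"},
                         "upload": {"antivirus_current"},
                         "download": {"cache_wiper", "personal_firewall"},
                         "print": set()},
    "internet_cafe":    {"require": set(),
                         "upload": {"antivirus_current"},
                         "download": {"cache_wiper"}},
}

def _satisfies(ep: Endpoint, attrs: Set[str]) -> bool:
    return all(getattr(ep, a) for a in attrs)

def allowed_functions(ep: Endpoint) -> Set[str]:
    """Web-mail functions this endpoint may use; an empty set denies the application.
    An unrecognised device class gets nothing, never the most permissive tier."""
    rules = POLICY.get(ep.device_class)
    if rules is None or not _satisfies(ep, rules["require"]):
        return set()
    return {fn for fn in FUNCTIONS if fn in rules and _satisfies(ep, rules[fn])}

def denied_with_reasons(ep: Endpoint) -> Dict[str, Set[str]]:
    """For each withheld function, the missing posture attributes, so the portal
    can tell the user what to fix instead of generating a helpdesk call."""
    rules = POLICY.get(ep.device_class)
    if rules is None:
        return {fn: {"unknown device class"} for fn in FUNCTIONS}
    out: Dict[str, Set[str]] = {}
    for fn in FUNCTIONS:
        missing = {a for a in rules["require"] | rules.get(fn, set()) if not getattr(ep, a)}
        if fn not in rules:
            missing.add("never permitted on " + ep.device_class)
        if missing:
            out[fn] = missing
    return out
```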
Executables
» Issue: some machines may not run ActiveX, Java, or other executables
» Solution: this situation will be one level in the policy scheme
Security Policies & Compliance
» Determining which policies apply
   - Can SSL VPN detect/install end point security software?
   - Client side environment (anti-virus and signatures, personal firewall, patches up to date, registry settings, other software installed, etc.)
   - Presence of client certificate
   - Type of authentication used (e.g., more access if SecurID than just username and password)
   - IP address of endpoint (vulnerable to spoofing)
Important Note
» Clearly SSL endpoint security is different than earlier "endpoint security concerns" such as IPSEC
   - We allow access even when devices are insecure
   - Need to clear data from device, terminate abandoned sessions quickly, etc.
» It is essential that the right problems are addressed
   - Cannot use older endpoint security technologies to solve today's challenges
Application Level Communications
Why Not Network-Level Access?
» Delivering remote access by tunneling network level information is relatively simple, but . . .
   - Completely bypasses firewall's low-level security system
   - Partners and other outside parties should not be connected to your networks
   - Limits number of devices from which access can be achieved, and reduces value of investing in a web-optimized portal product
   - Similar limitations to those of IPSEC VPN: not suitable for Business Continuity or for access by large numbers of users
SSL VPN with Tunneling
SSL VPN at Application Level
But Not So Simple . . .
» To maintain security and offer access for everyone from any device, communications must be application level
» Communications
   - Network: technical functions upon which business functionality resides; set standards
   - Application: actual business functions; no standards
Link Abstract Business Concepts
» Translate business concepts to application functions
» Address security requirements that vary by business function (within an application)
» Address application individualism
   - Lack of conformity to protocols
   - Proprietary caches
   - JavaScript building links
   - Auto-refresh requests
   - Agnostic "application level intelligence" won't work; must understand how application works
Issues: Worsening Over Time
» Internal systems increasingly powerful and complex as new generations of applications are implemented
» Increasingly difficult for SSL VPNs to offer remote access at the application level without sophisticated application awareness technology
Trends
» Split within the SSL VPN market
   - Simple SSL VPNs: heavy reliance on tunneling, employees only
   - Robust SSL VPN / Access Platforms: able to support access at the application level; access for employees, customers, partners, etc.; works best with web-optimized portals
Thank You
Joseph Steinberg, CISSP
Whale Communications
400 Kelby Street, 15th Floor, Fort Lee, NJ 07024
+1-201-947-9177