Description: EMS Summit – Network Remote Access. VPN Solutions, Voice over IP, Secure e-mail. William E. Ott, Friday August 25, 2006, 1300 – 1400 EDT. Secure Communications: secure remote access is essential if you have multiple sites or the need for external users to connect to internal resources.
EMS Summit: Network Remote Access
VPN Solutions, Voice over IP, Secure e-mail
William E. Ott
Friday August 25, 2006, 1300 to 1400 EDT
Secure Communications
- Secure remote access is essential if you have multiple sites or the need for external users to connect to internal resources
- Voice traffic is starting to move to data circuits (VoIP); it is not secure on its own
- How do you secure e-mail traffic?
Impediments to Remote Access
- Cost
- Availability
- Technical support
- Bandwidth
- Security
Traditional Remote Network Connectivity Options
- Network connection technologies
  - Private circuits (i.e. frame relay): expensive
  - Dialup: slow
- Network service technologies
  - telnet, ftp, ssh, http, https, proprietary
  - Some are secure, some are not
- Architecture
  - Remote circuits terminated directly into the core of the enterprise network: insecure
Classical Enterprise Connectivity
New Requirements / New Threats
- New requirements
  - Internet access: for the enterprises; from our homes
  - The Web: sharp increase in Internet use; browsers become ubiquitous
  - Broadband: fast; economical
- New threats
  - Internet access: shared infrastructure; public exposure
  - The Web: sharp increase in Internet use; access to content, useful and malicious
  - Broadband: remote endpoints (i.e. home PCs) always on
Access Types Considered
- Dial-up: already in use
- Dedicated access (T1, frame): already in use
- Network-to-network IPsec VPN
- Client-to-network IPsec VPN
- SSL VPN
Security Requirements
- Define the perimeter: a perimeter exists every place where there's a differentiation in policy or responsibility
- Identify and authenticate remote sites and users: consider strong and multi-factor authentication options
- Provide privacy and integrity for communications: business data; authentication credentials
- Secure endpoints: apply enterprise security policy to remote endpoints
- Limit exposure: remote users probably don't need to access everything
Solutions? Virtual Private Networks
- IPsec: remote network access
- SSL: remote application access
- SSH: remote administration
Remote Access: the parts
- Assess
  - Diverse client base
  - Distributed client base
  - Access to applications and data
  - Minimize delivery time
  - Minimize agency support requirements
  - Conform to federal requirements, including two-factor authentication
  - Security
Plan the solution
IPsec
- Types: site to site; remote client
- Security considerations
  - Encryption
  - Authentication
  - Split tunneling
  - Client policy enforcement
  - Firewalls (inside and outside the VPN)
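Split tunneling is the one item on this slide that is decided on the client rather than the gateway, and it is easy to get wrong: a client whose default route stays on the home network will send Internet traffic outside the tunnel, and an enterprise prefix the VPN never pushed a route for will leak the same way. The following is an added example, not code from the presentation; it takes a constructed client routing table (interface names tun0 and wlan0 and all prefixes are assumptions) and reports whether the client is full- or split-tunneled and which enterprise prefixes would bypass the tunnel.

```python
import ipaddress

# Constructed sample routing tables for a remote client after the IPsec client
# connects. Each entry is (destination, egress interface); "default" is 0.0.0.0/0.
# "tun0" stands for the VPN virtual interface, "wlan0" for the home network.
SPLIT_TUNNEL_ROUTES = [
    ("default", "wlan0"),          # Internet traffic bypasses the VPN
    ("192.168.1.0/24", "wlan0"),   # home LAN
    ("10.10.0.0/16", "tun0"),      # enterprise data centre through the tunnel
    ("10.20.0.0/16", "tun0"),      # enterprise branch ranges through the tunnel
]

FULL_TUNNEL_ROUTES = [
    ("default", "tun0"),           # everything goes through the VPN
    ("192.168.1.0/24", "wlan0"),   # only the local LAN stays off-tunnel
    ("203.0.113.10/32", "wlan0"),  # host route to the VPN gateway itself
]

# Prefixes that enterprise policy says must be reached only through the tunnel
# (constructed; 10.30.0.0/16 is deliberately absent from the split-tunnel table).
ENTERPRISE_PREFIXES = ["10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/16"]


def parse_routes(routes):
    """Normalise to (ip_network, iface), most specific prefix first."""
    parsed = []
    for dst, iface in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        parsed.append((net, iface))
    parsed.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return parsed


def egress_interface(routes, address):
    """Longest-prefix match: which interface would carry traffic to address?"""
    addr = ipaddress.ip_address(address)
    for net, iface in parse_routes(routes):
        if addr in net:
            return iface
    return None


def tunnel_mode(routes, tun_iface="tun0"):
    """'full' when the default route points at the tunnel, otherwise 'split'."""
    for net, iface in parse_routes(routes):
        if net.prefixlen == 0:
            return "full" if iface == tun_iface else "split"
    return "split"  # no default route: only explicitly routed prefixes are reachable


def uncovered_prefixes(routes, enterprise_prefixes, tun_iface="tun0"):
    """Enterprise prefixes that would leak off the tunnel under this routing table.

    A prefix is covered only if its own lookup egresses via the tunnel AND no
    more-specific route inside it points at another interface."""
    leaks = []
    parsed = parse_routes(routes)
    for p in enterprise_prefixes:
        target = ipaddress.ip_network(p)
        via_tunnel = egress_interface(routes, str(target.network_address)) == tun_iface
        carved_out = any(net.subnet_of(target) and iface != tun_iface
                         for net, iface in parsed if net.prefixlen > 0)
        if not via_tunnel or carved_out:
            leaks.append(p)
    return leaks


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, tunnel_mode(table), "leaks:", uncovered_prefixes(table, ENTERPRISE_PREFIXES))
```

On a real client the table would come from `ip route` or `route print` rather than a constructed list; the check itself is the same, and it is the kind of thing a client policy-enforcement agent can run before the gateway admits the session.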
Site to Site IP-Sec
Client IP-Sec
IPsec VPN Pros and Cons
- Pros
  - Well suited to replace private circuits
  - "On the network" user experience
  - Extensive support for various encryption algorithms and authentication options
  - Mature technology
- Cons
  - Quality of service dependent on a shared network (i.e. the Internet)
  - Client application required
  - Limited cross-vendor interoperability
  - Some configurations are not compatible with NAT
Remote Office VPN
- Targeted at sites with > 10 users
- Secure (IPsec) VPN
- Inter-agency alliance managed end-to-end
- Connectivity to legacy applications and the new inter-agency alliance portal
- Client premise equipment: firewall/VPN device, 1 x 10/100 Ethernet port
- Objective: minimize the impact of the new solution on legacy networks while providing flexibility of deployment
Local Integration
- Topology: inside, DMZ, outside
- Addressing: client provides a single IP address for the VPN; address translation
- Routing changes: client routes alliance applications to the VPN
SSL VPN
- Types: remote client
- Security considerations
  - Encryption
  - Authentication
  - Application publication: HTTP; Citrix / MS Terminal Services / common services
  - The SSL VPN client application may be used to proxy other application types or even establish a full PPP connection, in which case the IPsec security considerations apply
SSL VPN
SSL VPN Pros and Cons
- Pros
  - Super-easy access to enterprise application infrastructure
  - Ability to publish non-web applications
  - Ability to use a standard web browser to access published applications
- Cons
  - Client VPN only
  - Client application still required for the "on the network" experience
SSL VPN
- Targeted at mobile users or sites with < 10 users
- Enrollment and support for multiple members
- Provides clientless access to alliance resources; requires only a browser and Internet connectivity
- 2-factor authentication: one-time password token; token delivery efficiency
SSH
- Primarily for remote administration
- Encrypted telnet and ftp
- Port forwarding
- Highly interoperable
- Supports nested tunnels
- Can be used in a bastion host architecture to provide secure remote access
Bastion Host
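A bastion host exists to be reached from outside, so its sshd configuration deserves a check before it goes live. The following is an added example, not code from the presentation: it parses an sshd_config the way sshd does (comment lines, case-insensitive keywords, first occurrence of a keyword wins, Match blocks are conditional and skipped) and compares the effective global settings against a baseline this example assumes for a bastion that only relays administrators inward. The sample configuration is constructed, the OpenSSH defaults are taken from the sshd_config manual and should be confirmed against the deployed version, and the baseline values are this example's choices.

```python
# Constructed sshd_config for a bastion host; not taken from any real system.
SAMPLE_SSHD_CONFIG = """\
# bastion sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
AllowTcpForwarding yes
X11Forwarding no
LogLevel INFO
MaxAuthTries 10
# sshd keeps the FIRST value it sees, so this later line does not take effect:
PermitRootLogin no

Match User backup
    PasswordAuthentication no
"""

# OpenSSH defaults for the keywords checked, used when a keyword is absent.
# Assumed from sshd_config(5); confirm against the version actually deployed.
OPENSSH_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
    "loglevel": "info",
    "maxauthtries": "6",
}

# Baseline this example expects on a relay-only bastion (an assumption of this
# example, not the slide's text). Values are the accepted settings.
BASTION_BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
    "allowtcpforwarding": {"yes", "local"},  # port forwarding is what the bastion is for
    "x11forwarding": {"no"},
    "permittunnel": {"no"},                  # no layer-3 tun devices through the bastion
    "loglevel": {"verbose"},                 # VERBOSE logs which key authenticated
}
MAX_AUTH_TRIES_CEILING = 4


def parse_sshd_config(text):
    """Global directives as {lowercase keyword: value}, following sshd's own rules."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "match":
            break   # everything after the first Match is conditional; out of scope here
        directives.setdefault(keyword, value)   # first occurrence wins
    return directives


def effective(directives, keyword):
    return directives.get(keyword, OPENSSH_DEFAULTS[keyword]).lower()


def audit_bastion(text):
    """Return (keyword, effective value, expected) for every deviation from the baseline."""
    directives = parse_sshd_config(text)
    findings = []
    for keyword, accepted in BASTION_BASELINE.items():
        value = effective(directives, keyword)
        if value not in accepted:
            findings.append((keyword, value, " or ".join(sorted(accepted))))
    tries = effective(directives, "maxauthtries")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES_CEILING:
        findings.append(("maxauthtries", tries, f"<= {MAX_AUTH_TRIES_CEILING}"))
    return findings


if __name__ == "__main__":
    for keyword, value, expected in audit_bastion(SAMPLE_SSHD_CONFIG):
        print(f"{keyword}: effective '{value}', expected {expected}")
```

Note that `AllowTcpForwarding` stays enabled in the baseline because port forwarding is the feature the slide relies on; what changes on a bastion is who may authenticate (keys only, no root) and how much gets logged.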
Architecture Best Practices
- Identity management: authentication; authorization; logging
- Client system policy compliance
- Split tunneling (IPsec)
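The first two items on this slide, together with the "limit exposure" requirement from the Security Requirements slide, describe one decision the gateway's inside firewall makes per connection: is the second factor verified, is the client compliant, and does this user's group get to reach this destination? The following is an added example, not code from the presentation; the group names, prefixes, posture attributes and the first-match, default-deny rule ordering are all constructed assumptions of this example.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed authorization policy for the VPN gateway's inside firewall.
# Rules are evaluated top-down, first match wins, anything unmatched is denied.
# Each rule: (group or "*", action, destination prefix, TCP port or None for any).
ACCESS_RULES = [
    ("engineering", "deny",  "10.10.9.0/24",  None),  # finance segment: off-limits even to engineers
    ("engineering", "allow", "10.10.0.0/16",  None),  # the rest of the data centre
    ("helpdesk",    "allow", "10.10.5.0/24",  443),   # ticketing web front end only
    ("*",           "allow", "10.10.1.53/32", 53),    # everyone may reach the internal resolver
]

# Posture attributes the client agent reports; all must be true to be compliant.
REQUIRED_POSTURE = ("antivirus_running", "patches_current", "disk_encrypted")
COMPLIANT_POSTURE = {k: True for k in REQUIRED_POSTURE}


def make_request(user, group, dest, port, mfa_verified=True, posture=COMPLIANT_POSTURE):
    return {"user": user, "group": group, "mfa_verified": mfa_verified,
            "posture": posture, "dest": dest, "port": port}


def _rule_matches(rule, group, dest_ip, port):
    rule_group, _, prefix, rule_port = rule
    if rule_group not in ("*", group):
        return False
    if dest_ip not in ipaddress.ip_network(prefix):
        return False
    return rule_port is None or rule_port == port


def decide(request, rules=ACCESS_RULES, now=None):
    """Evaluate one connection request; return (allowed, reason, audit_record).

    Checks run in the order authentication, posture, authorization, so the
    audit record names the first gate that refused the request."""
    dest_ip = ipaddress.ip_address(request["dest"])
    if not request.get("mfa_verified"):
        allowed, reason = False, "authentication: second factor not verified"
    elif not all(request["posture"].get(k) for k in REQUIRED_POSTURE):
        failed = [k for k in REQUIRED_POSTURE if not request["posture"].get(k)]
        allowed, reason = False, "posture: " + ", ".join(failed)
    else:
        allowed, reason = False, "authorization: no matching rule (default deny)"
        for index, rule in enumerate(rules):
            if _rule_matches(rule, request["group"], dest_ip, request["port"]):
                allowed = rule[1] == "allow"
                reason = f"authorization: rule {index} {rule[1]} {rule[2]}"
                break
    record = {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": request["user"],
        "group": request["group"],
        "dest": f'{request["dest"]}:{request["port"]}',
        "decision": "allow" if allowed else "deny",
        "reason": reason,
    }
    return allowed, reason, record


def audit_line(record):
    """One JSON line per decision, ready for the gateway's log pipeline."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    for req in (make_request("ann", "helpdesk", "10.10.5.7", 443),
                make_request("bob", "engineering", "10.10.9.4", 22),
                make_request("bob", "engineering", "10.10.3.2", 22, mfa_verified=False)):
        print(audit_line(decide(req)[2]))
```

Every refusal produces a log line that names the gate, which is what makes the logging item on the slide useful in an investigation: a burst of "posture" denials from one user looks very different from a burst of "authorization" denials against the finance segment.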
An Integrated Architecture
Remote Access Summary
- Begin by determining what portions of the environment must be accessed remotely
- Select the secure remote access solution that meets your needs
- Understand the security architecture of the solution you use
- Develop the appropriate architecture
- Integrate the solution with other security services as necessary
Remote Access Summary (continued)
- Have a broad view of how the solution will be used: placement of equipment; infrastructure; applications being accessed
- Clearly define the process for provisioning tokens and providing user access
Voice over Internet Protocol
- VoIP is growing rapidly
- VoIP traffic should be secured site to site if used for sensitive information
- VoIP has excellent crisis communications capability
- VoIP is often the cheapest method of telephony from overseas
Email Security
- HIPAA concerns with email
- Email to wireless devices
- Email from remote or home users
- Email with vendors and clients
- Internal email between sites
- If email isn't managed, you have no control once it is sent
- Many email options
What technologies are emerging
- Faster wireless
- Real-time video
- High-resolution cameras in phones
- Convergence of data, voice and video into single devices
Questions?