VPN Solutions Voice over IP Secure e-mail


EMS Summit – Network Remote Access: VPN Solutions, Voice over IP, Secure e-mail. William E. Ott, Friday August 25, 2006, 1300 – 1400 EDT. Secure Communications: secure remote access is essential if you have multiple sites or the need for external users to connect to internal resources. (PowerPoint PPT presentation)


  • EMS Summit: Network Remote Access
    VPN Solutions, Voice over IP, Secure e-mail
    William E. Ott, Friday August 25, 2006, 1300-1400 EDT

  • Secure Communications
    ◦ Secure remote access is essential if you have multiple sites or the need for external users to connect to internal resources
    ◦ Voice traffic is starting to move to data circuits (VoIP), which is not secure on its own
    ◦ How do you secure e-mail traffic?

  • Impediments to Remote Access
    ◦ Cost
    ◦ Availability
    ◦ Technical support
    ◦ Bandwidth
    ◦ Security

  • Traditional Remote Network Connectivity Options
    ◦ Network connection technologies: private circuits (e.g. frame relay) are expensive; dialup is slow
    ◦ Network service technologies: telnet, ftp, ssh, http, https, proprietary; some are secure, some are not
    ◦ Architecture: remote circuits terminated directly into the core of the enterprise network; insecure

  • Classical Enterprise Connectivity

  • New Requirements / New Threats
    ◦ New requirements
      ◦ Internet access: for the enterprise, from our homes
      ◦ The Web: sharp increase in Internet use; browsers become ubiquitous
      ◦ Broadband: fast, economical
    ◦ New threats
      ◦ Internet access: shared infrastructure, public exposure
      ◦ The Web: sharp increase in Internet use; access to content, useful and malicious
      ◦ Broadband: remote endpoints (i.e. home PCs) always on

  • Access Types Considered
    ◦ Dial-up (already in use)
    ◦ Dedicated access: T1, frame relay (already in use)
    ◦ Network-to-network IPsec VPN
    ◦ Client-to-network IPsec VPN
    ◦ SSL VPN

  • Security Requirements
    ◦ Define the perimeter: a perimeter exists every place where there's a differentiation in policy or responsibility
    ◦ Identify and authenticate remote sites and users: consider strong and multi-factor authentication options
    ◦ Provide privacy and integrity for communications: business data, authentication credentials
    ◦ Secure endpoints: apply enterprise security policy to remote endpoints
    ◦ Limit exposure: remote users probably don't need to access everything

  • Solutions? Virtual Private Networks
    ◦ IPsec: remote network access
    ◦ SSL: remote application access
    ◦ SSH: remote administration

  • Remote Access: the parts
    ◦ Access: diverse client base, distributed client base, access to applications and data
    ◦ Minimize delivery time
    ◦ Minimize agency support requirements
    ◦ Conform to federal requirements, including two-factor authentication
    ◦ Security

  • Plan the solution

  • IPsec
    ◦ Types: site to site, remote client
    ◦ Security considerations: encryption, authentication, split tunneling, client policy enforcement, firewalls (inside and outside the VPN)

  • Site to Site IPsec

  • Client IPsec

  • IPsec VPN Pros and Cons
    ◦ Pros
      ◦ Well suited to replace private circuits
      ◦ "On the network" user experience
      ◦ Extensive support for various encryption algorithms and authentication options
      ◦ Mature technology
    ◦ Cons
      ◦ Quality of service dependent on a shared network (i.e. the Internet)
      ◦ Client application required
      ◦ Limited cross-vendor interoperability
      ◦ Some configurations are not compatible with NAT

  • Remote Office VPN
    ◦ Targeted at sites with more than 10 users
    ◦ Secure (IPsec) VPN
    ◦ Inter-agency alliance managed end-to-end
    ◦ Connectivity to legacy applications and the new inter-agency alliance portal
    ◦ Client premise equipment: firewall/VPN device, 1 x 10/100 Ethernet port
    ◦ Objective: minimize the impact of the new solution on legacy networks while providing flexibility of deployment

  • Local Integration
    ◦ Topology: inside, DMZ, outside
    ◦ Addressing: client provides a single IP address for the VPN; address translation
    ◦ Routing changes: client routes alliance applications to the VPN

  • SSL VPN
    ◦ Types: remote client
    ◦ Security considerations: encryption, authentication
    ◦ Application publication: HTTP; Citrix / MS Terminal Services / common services
    ◦ The SSL VPN client application may be used to proxy other application types or even establish a full PPP connection, in which case the IPsec security considerations apply

  • SSL VPN

  • SSL VPN Pros and Cons
    ◦ Pros
      ◦ Super-easy access to enterprise application infrastructure
      ◦ Ability to publish non-web applications
      ◦ Ability to use a standard web browser to access published applications
    ◦ Cons
      ◦ Client VPN only
      ◦ Client application still required for an "on the network" experience

  • SSL VPN
    ◦ Targeted at mobile users or sites with fewer than 10 users
    ◦ Enrollment and support for multiple members
    ◦ Provides clientless access to alliance resources; requires only a browser and Internet connectivity
    ◦ 2-factor authentication: one-time password token; token delivery efficiency

  • SSH
    ◦ Primarily for remote administration
    ◦ Encrypted telnet and ftp
    ◦ Port forwarding
    ◦ Highly interoperable
    ◦ Supports nested tunnels
    ◦ Can be used in a bastion host architecture to provide secure remote access

  • Bastion Host

  • Architecture Best Practices
    ◦ Identity management: authentication, authorization, logging
    ◦ Client system policy compliance
    ◦ Split tunneling (IPsec)
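An added check for the split-tunneling item on the IPsec slide and on this best-practices slide (example code, not from the presentation): it classifies a Linux client's `ip route show` output as a full or split tunnel and lists which prefixes actually go through the VPN, so a policy-compliance check can compare them to what the enterprise intended. The tunnel interface name `tun0` and both routing tables are constructed here as assumptions.

```shell
#!/bin/sh
# Added example, not from the presentation. Policy assumed here: a full
# tunnel sends the client's default route through the VPN interface;
# anything else is a split tunnel and should be flagged for review.

# usage: classify_tunnel <vpn-interface> < routes.txt ; prints "full" or "split"
classify_tunnel() {
    awk -v iface="$1" '
        $1 == "default" {
            dev = ""
            for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev == iface) full = 1
        }
        END { print (full ? "full" : "split") }'
}

# usage: tunneled_prefixes <vpn-interface> < routes.txt
# prints the non-default prefixes routed through the VPN interface, one per line
tunneled_prefixes() {
    awk -v iface="$1" '
        $1 != "default" {
            for (i = 2; i <= NF; i++) if ($i == "dev" && $(i + 1) == iface) print $1
        }'
}

# Constructed sample: split tunnel (default via the home router, only the
# enterprise 10.0.0.0/8 and the tunnel subnet itself through tun0)
SPLIT_ROUTES='default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20'

# Constructed sample: full tunnel (default through tun0; a host route to the
# VPN concentrator stays on the physical interface so the tunnel can stay up)
FULL_ROUTES='default via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20'

printf '%s\n' "$SPLIT_ROUTES" | classify_tunnel tun0   # split
printf '%s\n' "$FULL_ROUTES"  | classify_tunnel tun0   # full
printf '%s\n' "$SPLIT_ROUTES" | tunneled_prefixes tun0 # 10.0.0.0/8 and 10.8.0.0/24
```

On a real client, feed `ip route show` into the functions instead of the constructed samples; a split result with unexpected prefixes is the case the client policy enforcement item is meant to catch.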

  • An Integrated Architecture

  • Remote Access Summary
    ◦ Begin by determining what portions of the environment must be accessed remotely
    ◦ Select the secure remote access solution that meets your needs
    ◦ Understand the security architecture of the solution you use
    ◦ Develop the appropriate architecture
    ◦ Integrate the solution with other security services as necessary

  • Remote Access Summary
    ◦ Have a broad view of how the solution will be used: placement of equipment, infrastructure, applications being accessed
    ◦ Clearly define the process for provisioning tokens and providing user access

  • Voice over Internet Protocol
    ◦ VoIP is growing rapidly
    ◦ VoIP traffic should be secured site to site if used for sensitive information
    ◦ VoIP has excellent crisis communications capability
    ◦ VoIP is often the cheapest method of telephony from overseas

  • Email Security
    ◦ HIPAA concerns with email
    ◦ Email to wireless devices
    ◦ Email from remote or home users
    ◦ Email with vendors and clients
    ◦ Internal email between sites
    ◦ If email isn't managed you have no control once it is sent
    ◦ Many email options

  • What technologies are emerging?
    ◦ Faster wireless
    ◦ Real-time video
    ◦ High-resolution cameras in phones
    ◦ Convergence of data, voice, and video into single devices

  • Questions?