SSL VPNs - ISSA


ISSA Presentation
Agenda
• Remote Access Evolution
• SSL VPN Drivers
• Why SSL VPNs
• Basic Deployment
• Security vs. IPSec
• The New Security Concerns
• Addressing the Concerns
• What to Look for in a Vendor
The Evolution of Remote Access
Then                                     Now
A service for a select few               A must-have utility for all
Best effort performance and up-time      Always up, high performing
Cost center                              Productivity lever
Carrier-based                            Network independent
Anywhere there’s a phone line            Anywhere
The Evolution of Remote Access
Then                                     Now
A PC you support                         Any PC
Static passwords                         One-time passwords
Dial-back modems                         Device profiling
“What’s a virus?”                        Must address all malicious code
“They have the Internet on computers?”   “I know more about this than you do.”
The Shift to SSL VPNs
[Diagram: wireless LAN users, Pocket PC users, day extenders, traveling employees, home office users, kiosk users and extranet users all reaching the corporate network]
Enterprises are seeing a new kind of remote access:
• Harder to manage: Access from devices outside of IT’s control
• Demanded by more users: Broader employee access, partner access
• New devices and access points: Wireless hotspots, airport kiosks, home PCs
The Shift to SSL VPNs
• SSL Addresses the Emerging Demands
  • Traverses NAT without special handling
  • Uses TCP port 443, which is open outbound on almost every network
  • Indifferent to type of network
  • Requires no pre-installed client: a browser suffices for web resources, with a browser-delivered agent for client/server applications
  • Supports broad application types
  • Easier to support and deploy
  • Intuitive User Experience
Basic SSL VPN Deployment
Like an IPSec VPN, the SSL VPN is the point of security enforcement for inbound users.
• SSL VPN tied to authentication system, DNS and applications
• Presents web resources and available shares as links to the user
• Authenticates users, encrypts to the end node, applies granular ACLs to the user traffic, detailed audit
• All traffic goes over port 443, regardless of original protocol
• Uses browser-deployed agent to handle C/S applications
[Diagram: corporate laptops, wireless hotspots, PDAs, home PCs, kiosks and partner extranets send encrypted, authenticated and authorized traffic via the Internet to the SSL VPN appliance in the DMZ, which fronts web apps, client/server apps, directories, legacy apps, file shares, databases, terminal services and mainframes]
Security vs. IPSec
Security Category       Result of moving from IPSec to SSL VPN
Encryption              No change
Authentication          No change or improved
Access Control          Improved
Perimeter Profile       Improved
Logging and Forensics   Improved
Web Security            Improved
End-Point Security      Improved
The New Security Concerns
• Access from unmanaged locations
  • Sensitive data inadvertently left on device
  • Sensitive data intentionally captured
  • Sensitive data saved by legitimate user
  • Unmanaged device is virus vector
  • Unmanaged device can be hijacked
• Device Anonymity
  • Difficult to tell provisioned devices from others
• Access Modulation
  • Authenticating the user alone is not enough to determine the appropriate level of access
How the Threats Get Addressed
• Sensitive Data Inadvertently Left Behind
  • Cache Clearing Technology
  • Session File Encryption and Deletion
• Data Captured (Spyware, Keystroke Logger)
  • Pre-auth Spyware Scan
    • WholeSecurity, Zone Labs, Sygate
• Data Saved by Legitimate User
  • Session File Encryption and Deletion
  • Restrict Location for Certain Groups
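Session file encryption and deletion, as listed above, is easier to reason about with a concrete sketch. The following is an added example and not Aventail's Cache Control or Secure Desktop code: it shows the idea that files the user touches during a session are only ever written under a key held in the agent's memory, and are overwritten and removed at logout. The HMAC-SHA256 counter-mode keystream is an assumption chosen so the example runs on the standard library alone; a real agent would use an authenticated cipher such as AES-GCM. The sample document content is constructed.

```python
"""Added example of session file encryption and deletion on an unmanaged
endpoint. Illustration only, not Aventail code: the keystream construction
(HMAC-SHA256 in counter mode) and the sample content are assumptions."""
import hashlib
import hmac
import os
import secrets
import shutil
import tempfile


class SessionVault:
    """Per-session scratch directory whose contents are unreadable once the key is gone."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)        # lives only in process memory, never on disk
        self.dir = tempfile.mkdtemp(prefix="sslvpn-session-")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
        out = bytearray()
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(8, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def store(self, name: str, data: bytes) -> str:
        """Write data encrypted under a fresh per-file nonce; return the on-disk path."""
        nonce = secrets.token_bytes(16)
        ciphertext = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        path = os.path.join(self.dir, name)
        with open(path, "wb") as fh:
            fh.write(nonce + ciphertext)
        return path

    def load(self, name: str) -> bytes:
        """Decrypt a stored file for the session's own use."""
        with open(os.path.join(self.dir, name), "rb") as fh:
            nonce, ciphertext = fh.read(16), fh.read()
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))

    def wipe(self) -> int:
        """Logout: overwrite every session file in place, delete it, drop the directory and key."""
        wiped = 0
        for entry in os.scandir(self.dir):
            size = entry.stat().st_size
            with open(entry.path, "r+b") as fh:
                fh.write(b"\x00" * size)
                fh.flush()
                os.fsync(fh.fileno())
            os.remove(entry.path)
            wiped += 1
        shutil.rmtree(self.dir, ignore_errors=True)
        self.key = None
        return wiped


def demo() -> dict:
    """Constructed walk-through: store a document, confirm it is not in clear on disk, wipe."""
    secret = b"Q3 forecast: confidential, do not forward"   # constructed sample content
    vault = SessionVault()
    path = vault.store("forecast.txt", secret)
    with open(path, "rb") as fh:
        on_disk = fh.read()
    roundtrip = vault.load("forecast.txt")
    wiped = vault.wipe()
    return {
        "plaintext_on_disk": secret in on_disk,
        "roundtrip_ok": roundtrip == secret,
        "files_wiped": wiped,
        "file_remains": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The in-place overwrite is best effort: on journaling filesystems and SSDs the old blocks may survive, and the browser keeps its own copies in its cache. That is why the key that never touches disk is the real protection here, and why cache clearing is listed as a separate control alongside file encryption and deletion.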
How the Threats Get Addressed
• SSL VPN End-Point is Virus Vector
  • A/V and PFW Policy Enforcement Built into SSL VPN
  • Adjust ACLs when A/V is absent or not updated
  • Remediate workstation when appropriate
  • Deny connection in extreme cases
How the Threats Get Addressed
• Device Anonymity
  • Restrict Source Domain
  • Scan Device and Registry to Identify:
    • Domain Membership
    • O/S
    • Search for Secret File
    • Look for Watermark
    • Use Digital Certificate
  • Restrict by O/S
How the Threats Get Addressed
• Access Modulation
  • Create “3-D” Security Policy
    • User
    • Device
    • Location
  • Adjust ACLs On-The-Fly Based on Combination of Factors
Each device profile is assembled from the same attribute checks (Application/Process, Directory/File, Registry key, Windows domain, Anti-Virus, Personal Firewall, Data Protection); the values the slides give are:
Trusted Device (Device Profile: IT-Managed)
  Windows domain:     in.xyz.seattle.com or in.xyz.phoenix.com
  Anti-Virus:         Norton AV
  Personal Firewall:  Sygate
  Data Protection:    Aventail Cache Control, Aventail Secure Desktop
Semi-Trusted Device (Device Profile: Home Machine)
  Registry key:       …HKEY_LOCAL_MACHINE\SW\Symantec\SharedDefs
  Anti-Virus:         Norton AV
  Personal Firewall:  Sygate or Zone
  Data Protection:    Aventail Cache Control, Aventail Secure Desktop
Un-Trusted Device
  No attribute check satisfied (no Application/Process, Directory/File, Registry key, Windows domain, Anti-Virus, Personal Firewall or Data Protection match)
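The device profiles above, together with the A/V enforcement, device anonymity and access modulation slides, describe one decision: combine user, device and location into a tier and apply that tier's ACL. The following is an added example of that “3-D” policy evaluation and is not Aventail code. The trusted Windows domains and the Symantec registry key come from the profile table; the process names, the seven-day definitions window, the group name, the resource names and the posture fields are assumptions made for the example, and the postures it evaluates are constructed.

```python
"""Added example of the "3-D" (user, device, location) policy model.
Illustration only, not Aventail code: the trusted domains and the Symantec
registry key come from the device-profile table; the process names, the
7-day definitions window, the group name and the resource names are assumed."""
from dataclasses import dataclass

TRUSTED_DOMAINS = {"in.xyz.seattle.com", "in.xyz.phoenix.com"}   # from the slide
AV_DEFS_KEY = r"HKEY_LOCAL_MACHINE\SW\Symantec\SharedDefs"        # from the slide
AV_PROCS = {"rtvscan.exe"}                # assumed: Norton AV real-time scanner image name
FW_PROCS = {"smc.exe", "zlclient.exe"}    # assumed: Sygate / Zone personal-firewall image names
MAX_DEFS_AGE_DAYS = 7                     # assumed freshness window for A/V definitions
MANAGED_ONLY_GROUPS = {"finance"}         # assumed: groups restricted to IT-managed devices

# Resources each device tier may reach (assumed names). The tier, not only the
# user's group membership, decides which ACL the session receives.
ACL = {
    "trusted":      {"webmail", "intranet", "file_shares", "terminal_services", "erp_client"},
    "semi-trusted": {"webmail", "intranet"},
    "untrusted":    {"webmail"},
}


@dataclass(frozen=True)
class Posture:
    """Result of the pre-auth device scan, as the browser agent would report it."""
    user: str
    groups: frozenset
    windows_domain: str        # "" when the machine is not domain-joined
    registry_keys: frozenset   # registry keys the scan found present
    processes: frozenset       # lower-case image names of running processes
    cert_valid: bool           # machine certificate chains to the corporate CA
    av_defs_age_days: int      # -1 when no definitions were found
    cache_control_loaded: bool
    secure_desktop_loaded: bool


def posture_checks(p: Posture) -> dict:
    """Evaluate the individual attribute checks a device profile is built from."""
    av_present = AV_DEFS_KEY in p.registry_keys or bool(p.processes & AV_PROCS)
    return {
        "it_managed": p.windows_domain in TRUSTED_DOMAINS and p.cert_valid,
        "av_current": av_present and 0 <= p.av_defs_age_days <= MAX_DEFS_AGE_DAYS,
        "firewall": bool(p.processes & FW_PROCS),
        "data_protection": p.cache_control_loaded and p.secure_desktop_loaded,
    }


def classify_device(p: Posture) -> str:
    """Map the checks onto the trusted / semi-trusted / untrusted profiles."""
    c = posture_checks(p)
    endpoint_ok = c["av_current"] and c["firewall"] and c["data_protection"]
    if c["it_managed"] and endpoint_ok:
        return "trusted"
    if endpoint_ok:
        return "semi-trusted"
    return "untrusted"


def decide_access(p: Posture) -> tuple:
    """Return (decision, allowed resources, reason) for one login attempt."""
    c = posture_checks(p)
    tier = classify_device(p)
    if p.groups & MANAGED_ONLY_GROUPS and tier != "trusted":
        return ("deny", set(), f"{p.user}: group requires an IT-managed device, got {tier}")
    if c["it_managed"] and not c["av_current"]:
        # Managed machine with absent or stale A/V: shrink the ACL and flag for remediation
        return ("remediate", ACL["untrusted"], f"{p.user}: managed device, A/V definitions missing or stale")
    return ("allow", ACL[tier], f"{p.user}: {tier} device")


def demo() -> list:
    """Constructed postures covering the three profiles plus two policy edge cases."""
    corp = dict(windows_domain="in.xyz.seattle.com", registry_keys=frozenset({AV_DEFS_KEY}),
                processes=frozenset({"rtvscan.exe", "smc.exe"}), cert_valid=True,
                av_defs_age_days=1, cache_control_loaded=True, secure_desktop_loaded=True)
    home = dict(windows_domain="", registry_keys=frozenset({AV_DEFS_KEY}),
                processes=frozenset({"rtvscan.exe", "zlclient.exe"}), cert_valid=False,
                av_defs_age_days=3, cache_control_loaded=True, secure_desktop_loaded=True)
    kiosk = dict(windows_domain="", registry_keys=frozenset(), processes=frozenset(),
                 cert_valid=False, av_defs_age_days=-1,
                 cache_control_loaded=False, secure_desktop_loaded=False)
    stale = dict(corp, av_defs_age_days=30)   # managed laptop whose A/V definitions lapsed
    cases = [
        Posture("alice", frozenset({"finance"}), **corp),
        Posture("bob", frozenset({"sales"}), **home),
        Posture("bob", frozenset({"sales"}), **kiosk),
        Posture("alice", frozenset({"finance"}), **kiosk),
        Posture("carol", frozenset({"engineering"}), **stale),
    ]
    return [decide_access(p) for p in cases]


if __name__ == "__main__":
    for decision, allowed, reason in demo():
        print(f"{decision:10} {sorted(allowed)!s:60} {reason}")
```

Two points the slides make are visible in the decisions: the same user (alice) gets the full ACL from a managed laptop but is refused from a kiosk because her group is restricted to IT-managed devices, and a managed laptop with lapsed definitions drops to the untrusted ACL with a remediation flag rather than keeping its file-share access.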

What to Deploy with SSL VPN
• Strong (True Two-Factor) Authentication
• Dynamic A/V and Malware Scanning
• Updated Acceptable Use Policy for Employees and
Partners
• Web-Based Mail
• Logical Directory Groups
What to Look for in a Vendor
• Appropriate Scale
• Application Support
• Multiplatform Support
• Support for 3-D Security Model
  • Device Scanning (Pre-Auth)
  • End-Point Data Protection
    • Cache Clearing
    • Data Encryption and Deletion
  • Application Detection
Thank You
Scott Stanton
[email protected]
www.aventail.com