Remote Access Issues
EMS Summit – Network Remote Access
VPN Solutions
Voice over IP
Secure e-mail
William E. Ott
Friday August 25, 2006
1300 – 1400 EDT
Secure Communications
Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources
Voice traffic is starting to move to data circuits (VoIP); not secure on its own
How do you secure e-mail traffic?
Impediments to Remote Access
Cost
Availability
Technical support
Bandwidth
Security
Traditional Remote Network Connectivity Options
Network Connection Technologies
• Private circuits (e.g. frame relay): expensive
• Dialup: slow
Network Service Technologies
• telnet, ftp, ssh, http, https, proprietary: some are secure, some are not
Architecture
• Remote circuits terminated directly into the core of the enterprise network: insecure
Classical Enterprise Connectivity
New Requirements / New Threats
Internet Access
• Shared infrastructure
• Public exposure
• For the enterprises
• From our homes
The Web
Broadband
• Fast
• Economical
The Web
• Sharp increase in Internet use
• Access to content: useful and malicious
• Browsers become ubiquitous
Internet Access
Broadband
• Remote endpoints (e.g. home PCs) always on
Access Types Considered
Dial-Up – Already in use
Dedicated Access (T1, Frame) – Already in use
Network to Network IPSEC VPN
Client to Network IPSEC VPN
SSL VPN
Security Requirements
Define the perimeter
• A perimeter exists every place where there’s a differentiation in policy or responsibility
Identify and authenticate remote sites and users
• Consider “strong” and multi-factor authentication options
Provide privacy & integrity for communications
• Business data
• Authentication credentials
Secure endpoints
• Apply enterprise security policy to remote endpoints
Limit exposure
• Remote users probably don’t need to access “everything.”
Solutions?
Virtual Private Networks
• IP-Sec
Remote network access
• SSL
Remote application access
• SSH
Remote administration
Remote Access: the parts
Assess
• Diverse client base
• Distributed client base
• Access to applications and data
• Minimize delivery time
• Minimize agency support requirements
• Conform to federal requirements including two factor authentication
• Security
Plan the solution
IP-Sec
Types
• Site to Site
• Remote Client
Security Considerations
• Encryption
• Authentication
• Split Tunneling
• Client Policy Enforcement
• Firewalls (inside and outside the VPN)
Site to Site IP-Sec
Client IP-Sec
IP-Sec VPN Pros and Cons
Pros
• Well suited to replace private circuits
• “On the network” user experience
• Extensive support for various encryption algorithms and authentication options
• Mature technology
Cons
• Quality of Service dependent on shared network (i.e. the Internet)
• Client application required
• Limited cross-vendor interoperability
• Some configurations are not compatible with NAT
Remote Office VPN
Targeted at sites with > 10 users
Secure (IPSec) VPN
• Inter-agency Alliance managed end-to-end
• Connectivity to legacy applications and new interagency alliance portal
Client premise equipment
• Firewall/VPN device
• 1 - 10/100 Ethernet port
Objective
• Minimize impact of new solution on legacy networks while providing flexibility of deployment
Local Integration
Topology
• Inside, DMZ, Outside
Addressing
• Client provides single IP address for VPN
• Address translation
Routing Changes
• Client routes alliance applications to VPN
SSL VPN
Types
• Remote Client
Security Considerations
• Encryption
• Authentication
• Application publication
HTTP
Citrix / MS Terminal Services / Common Services
• SSL VPN client application may be used to proxy other application types or even establish a full PPP connection, in which case the IP-Sec security considerations apply
SSL VPN
SSL VPN Pros and Cons
Pros
• Super-easy access to enterprise application infrastructure
• Ability to “publish” non-web applications
• Ability to use standard web browser to access published application
Cons
• Client VPN only
• Client application still required for “on the network” experience
SSL VPN
Targeted at mobile or sites with < 10 users
Enrollment and support for multiple members
Provides clientless access to alliance resources
• Requires only a browser and internet connectivity
2-factor authentication
• One-Time password token
Token delivery efficiency
SSH
Primarily for remote administration
Encrypted “telnet” and “ftp”
Port forwarding
Highly interoperable
Supports nested tunnels
Can be used in a bastion host architecture to provide secure remote access
Bastion Host
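The bastion-host pattern above only limits exposure if the relay host refuses root logins, password logins and agent forwarding, and only forwards to named internal services. As an added example (not from the talk), a small POSIX shell audit of an sshd_config against those bastion rules; the two sample configs and the internal targets 10.0.5.10:22 and 10.0.5.20:3389 are constructed.

```shell
#!/bin/sh
# Audit an sshd_config for bastion-host hardening (added example, not from the talk).
# Assumes OpenSSH rules: keywords are case-insensitive, the first occurrence wins,
# and only the global section (before any "Match" block) is consulted.
# sshd_get <config> <keyword> <default>: effective value of a global keyword
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }          # Match blocks are out of scope
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}
# check <config> <keyword> <default> <allowed...>: 0 if the effective value is allowed
check() {
    kw="$2"; val="$(sshd_get "$1" "$2" "$3")"; shift 3
    for ok in "$@"; do
        if [ "$val" = "$ok" ]; then return 0; fi
    done
    echo "FAIL: $kw=$val (want one of: $*)"; return 1
}
# audit_bastion_sshd <config>: 0 when every bastion rule holds, 1 otherwise
audit_bastion_sshd() {
    fail=0
    check "$1" PermitRootLogin prohibit-password no || fail=1
    check "$1" PasswordAuthentication yes no || fail=1   # keys or OTP (keyboard-interactive) only
    check "$1" AllowAgentForwarding yes no || fail=1     # private keys never reach the bastion
    check "$1" X11Forwarding no no || fail=1
    check "$1" GatewayPorts no no || fail=1
    check "$1" AllowTcpForwarding yes local || fail=1    # relaying is the point of a bastion...
    case "$(sshd_get "$1" PermitOpen any)" in            # ...but only to named internal targets
        any) echo "FAIL: PermitOpen=any (list specific host:port targets)"; fail=1 ;;
    esac
    return $fail
}

# Constructed sample configs: one with risky defaults, one limiting exposure.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\nPermitOpen any\n' > "$WEAK_CFG"
cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowAgentForwarding no
X11Forwarding no
GatewayPorts no
AllowTcpForwarding local
PermitOpen 10.0.5.10:22 10.0.5.20:3389
Match User svc-monitor
    AllowTcpForwarding no
EOF
audit_bastion_sshd "$WEAK_CFG" || echo "weak: non-compliant"
audit_bastion_sshd "$HARDENED_CFG" && echo "hardened: compliant"
```

Keywords left unset are judged by their OpenSSH defaults, which is why the weak sample also fails on AllowAgentForwarding even though it never mentions it.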
Architecture Best Practices
Identity Management
Authentication
Authorization
Logging
Client system policy compliance
Split tunneling (IP-Sec)
An Integrated Architecture
Remote Access Summary
Begin by determining what portions of the environment must be accessed remotely
Select the secure remote access solution that meets your needs
Understand the security architecture of the solution you use
• Develop the appropriate architecture
• Integrate the solution with other security services as necessary
Remote Access Summary
Have a broad view of how the solution will be used
• Placement of equipment
• Infrastructure
• Applications being accessed
Clearly define the process for provisioning tokens and providing user access
Voice over Internet Protocol
VoIP is growing rapidly
VoIP traffic should be secured site to site if used for sensitive information
VoIP has excellent crisis communications capability
VoIP is often the cheapest method of telephony from overseas
Email Security
HIPAA concerns with email
Email to wireless devices
Email from remote or home users
Email with vendors and clients
Internal email between sites
If email isn’t ‘managed’ you have no control once sent
Many email options
What technologies are emerging?
Faster wireless
Real time video
High resolution cameras in phones
Convergence of data, voice, video into single devices
Questions?