Secure Mobility - Grand Rapids ISSA


Secure Mobility
Mobile Connectivity with Network Integrity via SSL VPNs & Mobile Clients
Raymond Cushman
Territory Manager
Great Lakes District
Secure Mobility
Two Mega Trends: Mobility & the Internet
[Chart: users in millions (y-axis 0 to 1,400) by year, 1996 to 2005; series: Mobile Voice Users, Mobile Internet Users, Internet PC Users]
SOURCE: Nokia, 1998-2000-2002
Inevitable Need for Data Speeds Global Evolution to 3G Networks
[Diagram: network evolution from 2G through First Steps to 3G, 3G Phase 1 Networks and Evolved 3G Networks toward an open-interface, multiradio, all-IP network. 3GPP family labels: GSM, TDMA, PDC, GSM/GPRS, GSM/GPRS/EDGE, WCDMA, G-WCDMA, "900 million users". 3GPP2 family labels: cdmaOne, cdma2000 1x, cdma2000 1xEV-DO, cdma2000 1xEV-DV, "130 million users"]
Working on the Move
Conference calls, Email, intranet, applications
Any content, Any time, Anywhere, Any device
• Users want to choose
• Availability of devices and services drives need
The Problem: IT Organization Perspective
• Goal: Enable business advantage
  • Satisfy users
  • Meet business objectives
• How can we accommodate:
  • all of the various device & network types?
  • the numerous user profiles?
• How can we ensure network integrity?
• How can we keep business running?
• How can we maintain costs?
• How can we leverage current investments?
Remote Access Challenges
• Dial-up access is costly, hard to manage and doesn't utilize the explosion of broadband links worldwide
• IPSec remote access VPNs are excellent, but can be a challenge to deploy and manage
• What about the large user base who rely on desktop systems at the office?
• How to best handle partners, suppliers and contractors?
• A new approach using a browser connected to the Internet to provide access
• Most enterprises have well-developed intranets and extranets
• Why not use the same technology that has driven e-commerce to provide access to enterprise data resources?
Remote Access Annual Cost Analysis
[Bar chart: annual cost (y-axis 0 to 1000), two series (Support, Product) for three access types (Dial Up, IPSec RA, SSL Remote Access); bar values as extracted, in chart order: 720, 120, 360, 55, 240, 15]
Source: Yankee Group, 2003
Nokia Mobile Connectivity User Solutions
[Table with three solution columns: IPSec VPN (VPN Client); Nokia Mobile VPN for Symbian; SSL Browser-based VPN. Rows: Device Type, Benefits & Features, Application Type, Connectivity Type]
Benefits & Features:
  - IPSec VPN Client: IPSec VPNs enable secure client-server app remote access & eliminate costs of dialup
  - Nokia Mobile VPN for Symbian: leverage existing IPSec infrastructure to extend secure remote access to Symbian devices; cost savings with Nokia Wireless Accelerator; over-the-air secure service provisioning via Nokia SSM
  - SSL Browser-based VPN: user and device level access control from any browser; ideal for employees, partners & contractors; detailed reporting
Application Type (cells in extraction order; column assignment not recoverable):
  - Any IP Application; For large screens; Web enabled, Email & key client-server apps
Connectivity Type (cells in extraction order; column assignment not recoverable):
  - Wired; Wireless Cellular; Wired; WiFi, 3G & Accelerated GSM and GPRS with Nokia Wireless Accelerator; GSM Data, GPRS & 3G; Public WiFi
  - Secure access via IPSec (two IPSec columns); Secure access via SSL (SSL column)
Nokia Secure Access System (NSAS)
[Diagram: PDA, Mobile User and Home User connect across the Internet, through the Firewall, to the Secure Access System, which fronts GroupWise, Exchange, Lotus Notes, TN3270, SSH, TELNET, FTP, Fileshares, Citrix and the Intranet]
Key Product Features:
• Client Integrity Scan
• Advanced Access Control
• Session Persistence
Pricing (units listed: IP130, IP350, IP380; which unit applies to which license tier is not recoverable from the extraction):
  User License   Total Cost
  10             $3,495
  25             $6,495
  50             $10,995
  100            $23,795
  250            $35,795
  500            $54,995
• Price includes HW/SW/SW Subscription
• Licenses are based on # of concurrent users
Raymond Cushman
NES - Territory Manager
(248) 760-5531
What have we learned
• Why are they so successful?
  - For the IT admin: ease of deployment (new installations in 1 or 2 hours on average)
  - For the end user: flexibility / mobility (everyone has multiple access devices these days: laptop, home PC, PDA)
  - For the Exec: increased productivity, rapid response to changes (several NSAS evals used for Executive travel access)
  - Rapid response for: unplanned trips, outages, temporary extranets, new hires, new apps
• Mobility is more than people working from home and a travelling sales force
  --> changing extranet / business partners, temporary connections
  --> intra-campus movement (employees aren't tied to their desks for email and document retrieval)
  --> PDAs and Mobile Terminals (a special case requiring Content Rendering)
What have we learned (cont)
• New Security Concerns:
  - With traditional VPNs, we implicitly trust the access device (corporate-issued laptop with VPN client, AV, firewall, etc.) and need only authenticate the user
  - With SSL VPNs, we need to examine the device (scan) and the user (authentication)
  - Authentication: cannot put another authentication obstacle between user and information, so the gateway must use common authentication methods (RADIUS, LDAP, DigCerts, NTLM)
  - Potential problem: the security team is often responsible for authentication (LDAP for instance).
  - Device Scanning: the scan of the system needs to be under admin control (what to look for, and what to do with results)
  - Flexible client scanning vs. APIs to specific (that is, very limited) firewall and AV vendors
  - Access control granularity vs. all-or-nothing approach of other vendors
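The two checks this slide separates, scanning the device and authenticating the user, only pay off if the gateway can turn their results into per-resource decisions instead of a single allow/deny tunnel. The following is an added example, not code from the slides or from any Nokia product, of an admin-controlled posture tier combined with the user's directory group to decide which applications a session may reach. The scan fields, tier rules, group names and resource list are all constructed assumptions; a real gateway would take the scan result from its client integrity check and the groups from RADIUS or LDAP.

```python
"""Posture-plus-identity access policy for an SSL VPN gateway (added
example; everything here is constructed for illustration)."""

from dataclasses import dataclass, field


@dataclass
class ScanResult:
    """What the client integrity scan reported about the access device."""
    av_running: bool
    firewall_on: bool
    os_patched: bool
    corporate_owned: bool   # assumed to come from a machine certificate


@dataclass
class User:
    """Authenticated user as returned by the directory backend (assumed)."""
    name: str
    groups: frozenset = field(default_factory=frozenset)


def posture_tier(scan: ScanResult) -> str:
    """Admin-defined mapping from scan results to a tier.

    The rules live in the gateway policy, not in a vendor-specific AV or
    firewall API, so the admin decides what to look for and what it means.
    """
    if not scan.av_running:
        return "blocked"
    if scan.corporate_owned and scan.firewall_on and scan.os_patched:
        return "full"
    return "limited"


# Minimum posture tier and permitted groups per resource (constructed rules).
RESOURCE_POLICY = {
    "webmail":    {"min_tier": "limited", "groups": {"employees", "contractors"}},
    "intranet":   {"min_tier": "limited", "groups": {"employees"}},
    "fileshares": {"min_tier": "full",    "groups": {"employees"}},
    "citrix":     {"min_tier": "full",    "groups": {"employees", "partners"}},
}
TIER_RANK = {"blocked": 0, "limited": 1, "full": 2}


def allowed_resources(user: User, scan: ScanResult) -> set:
    """Return the resources this user may reach from this device.

    Both conditions must hold per resource: the device tier is at least
    the resource's minimum, and the user is in one of its groups.
    """
    tier = posture_tier(scan)
    granted = set()
    for name, rule in RESOURCE_POLICY.items():
        if TIER_RANK[tier] < TIER_RANK[rule["min_tier"]]:
            continue
        if not (user.groups & rule["groups"]):
            continue
        granted.add(name)
    return granted


if __name__ == "__main__":
    alice = User("alice", frozenset({"employees"}))
    managed = ScanResult(av_running=True, firewall_on=True, os_patched=True, corporate_owned=True)
    home_pc = ScanResult(av_running=True, firewall_on=True, os_patched=True, corporate_owned=False)
    print("alice from managed laptop:", sorted(allowed_resources(alice, managed)))
    print("alice from home PC:      ", sorted(allowed_resources(alice, home_pc)))
```

The same user gets file shares and Citrix from a corporate laptop but only webmail and the intranet from a home PC, which is the granularity the slide contrasts with the all-or-nothing approach.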
What have we learned (cont)
  - Session cleanup: what to do with sensitive data on non-corporate-owned devices
  - Cache cleanup / wipers are best effort, leave recoverable data and do not work at all if the session is not properly terminated
  - Encrypted containers: a new and better approach; if the data remains, it is not readable
  - Split-tunneling: this is a browser-based connection only, not a full LAN-like connection that can be hijacked, so it is difficult to see how the session could be exploited (assuming the scan has determined that the device is trustworthy)
  - Admins still rely on trusting your authenticated users not to do stupid or malicious things when connected
  - SSL gateway concerns: since users are directly interacting with the device (unlike most firewalls)
    - Does it use exploitable CGI scripting, ActiveX controls?
    - Is the OS itself hardened?
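The cache-wiper versus encrypted-container point above is easiest to see with both approaches run against the same failure mode, a session that ends without a clean logout. The following is an added example, not code from the slides or from any Nokia product: an in-memory stand-in for the browser cache, a wiper session that writes plaintext and cleans up only at logout, and a container session that encrypts before writing and keeps the key only in memory. The keystream is HMAC-SHA256 in counter mode so the example runs on the standard library alone; that construction is an assumption for illustration, and a product would use AES-GCM from a vetted library. The file names and the secret string are constructed.

```python
"""Best-effort cache wiper vs. encrypted session container (added example;
the Disk, sessions and sample data are constructed for illustration)."""

import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative only;
    a real product would use AES-GCM from a vetted library)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag authenticating nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("container tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Disk:
    """Stand-in for the browser cache / temp directory on the user's device."""
    def __init__(self):
        self.files = {}


class WiperSession:
    """Writes plaintext into the cache and relies on cleanup at logout."""
    def __init__(self, disk: Disk):
        self.disk = disk

    def view(self, name: str, data: bytes):
        self.disk.files[name] = data

    def logout(self):
        for name in list(self.disk.files):
            self.disk.files.pop(name)


class ContainerSession:
    """Encrypts with a per-session key held only in memory."""
    def __init__(self, disk: Disk):
        self.disk = disk
        self.key = os.urandom(32)

    def view(self, name: str, data: bytes):
        self.disk.files[name] = encrypt(self.key, data)

    def read(self, name: str) -> bytes:
        return decrypt(self.key, self.disk.files[name])

    def logout(self):
        self.key = None   # residue on disk is now unreadable even if never wiped


def recoverable_plaintext(disk: Disk, secret: bytes) -> bool:
    """Forensic check: does the secret survive verbatim in any cache residue?"""
    return any(secret in blob for blob in disk.files.values())


def simulate(session_cls, clean_logout: bool,
             secret: bytes = b"Q3 earnings draft: CONFIDENTIAL") -> bool:
    """Run one session; return True if the secret is left readable on disk."""
    disk = Disk()
    session = session_cls(disk)
    session.view("report.html", secret)
    if clean_logout:
        session.logout()
    return recoverable_plaintext(disk, secret)


if __name__ == "__main__":
    for cls in (WiperSession, ContainerSession):
        for clean in (True, False):
            print(f"{cls.__name__:17s} clean_logout={clean!s:5s} "
                  f"secret recoverable: {simulate(cls, clean)}")
```

With a clean logout both approaches leave nothing readable; when the session dies (browser crash, closed lid, dropped WiFi link) only the wiper leaves the document recoverable, because the container never wrote plaintext in the first place.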
What have we learned (cont)
• Concerns:
  - Scalability of SSL-based sessions: hardware acceleration will be required, as is common for IPSec
  - Robustness: HA mechanisms are still being worked out
  - Device agnostics: multiple browsers, multiple OS (Mac, Unix, Linux, not just Windows-based)