Transcript Portal - Microsoft Center

Intelligent Application Gateway (IAG) 2007
Ronald Beekelaar
Beekelaar Consultancy
[email protected]
Introductions
Presenter – Ronald Beekelaar
MVP Windows Security
MVP Virtual Machine Technology
E-mail: [email protected]
Work
Beekelaar Consultancy
Security consultancy
Forefront, IPSec, PKI
Virtualization consultancy
Create many VM-based labs and demos
Agenda
History – SSL VPN
SSL VPN Connections
Web
Non-Web
“VPN”
Portal / Applications
Endpoint Policies
Authentication / Authorization
Intelligent Application Gateway 2007
A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management
(Diagram: the product line spans Client and Server OS, Server Applications, and Edge; IAG is the Edge appliance)
IAG 2007
• Supports all Applications with SSL VPN
  • Web – Client/Server – File Access
  • Homegrown or 3rd party (Citrix, IBM, Lotus, SAP, PeopleSoft…)
• Designed for Managed and Unmanaged User Devices
  • Automatic detection of user system, software, configuration
  • Access policies according to device “security state”
  • Delete temp files and data traces from unmanaged locations
• Drives Productivity with Application Intelligence
  • Apply policy at granular App Feature levels
  • Dynamically control application data for desired functionality
  • SSO with multiple directories, protocols, and formats
  • Fully customizable portal and user interface
Allow secure remote access from trusted and untrusted client computers
All connections over TCP port 443 (SSL)
Access starts through a Web Portal
Authenticates to AD
Contains list of applications
Click each application to access
Web Applications
Normally uses port 80/443
Browser-based
Port/socket forwarding
Normally uses non-web ports, but is tunneled in 443
ActiveX control - browser-based
Network Connector
All protocols and all ports, but tunneled in 443
Real "VPN" - client receives new IP address
IAG client components check client computer security settings
Client computer is called "endpoint"
Based on endpoint state, you define Endpoint Policies to allow:
Access to Web Portal
Example:
- Do not even ask for credentials on untrusted client computer
Access to certain applications on Web Portal
Example:
- Hide Network Connector option on untrusted client computer
Access to certain features of applications
Examples:
- Block SPS uploads
- Disallow OWA attachment
A Little History
The Problem:
With the growing prevalence of internet connectivity, enterprises required platforms to provide remote access for employees, partners and customers in a secure way
The Solution?:
1st attempt: Dial-up remote access, which proved too costly and offered a limited user experience.
2nd attempt: Limited use of reverse proxies to publish web based applications.
3rd attempt: IPSec VPN makes the leap to user remote access
IPSec VPN was first developed for site to site connectivity.
Reverse Proxy
(Diagram: numbered request flow, steps 1 to 6, from the client through ISA Server to the Web Server and DNS Server, with the checks "Is the request allowed?", "Protocol allowed?" and "Destination allowed?")
ISA Server calls this “Publishing”
Publishes web apps for use from anywhere.
Handles pre-authentication, application filtering, SSL encryption at the edge.
However
Does not handle non-web (client/server) applications.
Does not scale when publishing numerous web applications.
IPSec VPN
(Diagram: Remote User connects over the Internet to the Corpnet through ISA, with IAS RADIUS, Quarantine and Active Directory behind it)
Full network connectivity from authorized devices
Quarantine features available for non-compliant clients
Unmanaged clients have no access
However
Increasingly difficult to manage on a large scale given the variety and complexity of IPSec clients
Blocked by (outgoing) firewalls
Terminal Services Solution
Built into Windows Server.
Expandable with 3rd party solutions (Citrix and others)
Offer a complete desktop user experience or integrated applications.
Centralized server-based solution.
Typically limited deployments given server computing requirements.
(Diagram: a Central Location serving a Branch Office, a Home Office and a Mobile Worker in an airport)
A Little History - IPSec Dominates
Introduces following limitations:
Potential security exposure by extending network
Limited functionality from firewall/NAT’ed networks
Client grows to accommodate more security functionality (virus inspection, split tunneling control, etc.)
Client becomes difficult to roll out:
Requires administrative installation
Clashes with other IPSec and security software
Not very user friendly
Result:
Enterprises limit usage to “road warriors” and managed PCs
TCO is high and ROI limited
A Little History - SSL VPN is Born
Promises to offer similar functionality for:
Any user
Any location
Any application
Delivers on lower TCO
Introduces new security considerations as clients are now unmanaged.
First wave of development is focused on connectivity.
Current wave is focused on Application Intelligence.
SSL VPN - Building Blocks
(Diagram: Client, SSL VPN Gateway and Applications (Web, Simple TCP, Other non-Web); gateway building blocks: Tunneling, Security, Authentication, Authorization, Portal, Management)
SSL VPN solution comprised of:
Tunneling – Transferring web and non-web application traffic over SSL;
Client-Side Security – Security compliance check, cache cleaning, timeouts
Authentication – User directories (e.g. Active Directory), strong authentication support, Single-Sign-On
Authorization – Allow/Deny access to applications
Portal – User experience, GUI
SSL VPN Tunneling (3x)
Web applications
That’s easy – just uses HTTPS
Non-Web applications
Port/socket Forwarding
Uses SSL-Wrapper client component
Example: Terminal Server – tunnel RDP in HTTPS
Network Connector
Full Network Access
Uses Network Connection client component
Client gets additional IP address
(Diagram: breadth of locations at the “Anywhere” level: Internet kiosk, Customer/Partner PC, Home PC, Corporate laptop; client-side components: Web Proxy, Port/Socket Forwarder, Network Connection)
Demo Environment
Application Protection
Access Policies
Allow/deny functions within application
(e.g. SharePoint attachments Upload/Download based on endpoint compliance)
Application Firewall: Protecting the Application
Predefined positive logic rule sets
Single Sign On
Knowledge about required application login methods
Session Cleanup Agent
Clears application specific cache (e.g. SharePoint Offline folder)
Protecting the Network Session
Ignore background polling commands for timeout calculation; adds a secure logoff button where absent
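The timeout rule above (background polling must not count as user activity when computing inactivity), as an added Python example that is not code from the page or from IAG; the request log, the polling path patterns and the 20-minute timeout are constructed assumptions:

```python
"""Idle-timeout check that ignores background polling.

Added example, not IAG 2007 code. The request log, the polling path
patterns and the 20-minute timeout are all constructed assumptions.
"""
from datetime import datetime, timedelta

# Assumed: paths the browser requests on its own (e.g. a mail client's
# new-mail poll). If these counted as activity, an unattended session
# would never time out, so they are excluded from the idle calculation.
POLLING_PATHS = ("/owa/ev.owa", "/keepalive")
IDLE_TIMEOUT = timedelta(minutes=20)


def is_background_poll(path):
    return any(path.startswith(p) for p in POLLING_PATHS)


def last_activity(requests, ignore_polls):
    """Timestamp of the last request counted as user activity."""
    last = None
    for ts, path in requests:
        if ignore_polls and is_background_poll(path):
            continue
        last = ts
    return last


def session_expired(requests, now, ignore_polls=True):
    """True if the user has been idle longer than IDLE_TIMEOUT."""
    last = last_activity(requests, ignore_polls)
    return last is None or now - last > IDLE_TIMEOUT


# Constructed log: the user opens OWA at 09:00 and then walks away;
# the page keeps polling every five minutes.
SAMPLE = [(datetime(2024, 1, 1, 9, 0), "/owa/")] + [
    (datetime(2024, 1, 1, 9, m), "/owa/ev.owa?cmd=poll") for m in (5, 10, 15, 20, 25)
]
NOW = datetime(2024, 1, 1, 9, 30)

if __name__ == "__main__":
    # A naive timer is kept alive by the polls; the corrected one expires.
    print("naive:", session_expired(SAMPLE, NOW, ignore_polls=False))  # False
    print("fixed:", session_expired(SAMPLE, NOW))                      # True
```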
Endpoint Policies
Endpoint Policies check the health of the endpoint
Session policy
Endpoint certification
Privileged endpoint
Application policy
Access to applications (hide or disable on portal)
Access to functionality within applications
Example: Block SharePoint upload from unsafe client
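The three policy levels listed here and on the earlier Endpoint Policies slide (access to the portal, access to applications, access to functions within an application), worked through as an added Python example that is not IAG's policy engine; the endpoint attributes, trust levels and thresholds are assumptions:

```python
"""Three-level endpoint policy: portal access, application visibility, feature use.
Added example, not IAG's policy engine; attributes, levels and thresholds are assumptions."""
from dataclasses import dataclass

@dataclass
class Endpoint:                       # assumed subset of what the client components detect
    antivirus_running: bool
    firewall_enabled: bool
    domain_joined: bool

LEVEL_RANK = {"untrusted": 0, "compliant": 1, "privileged": 2}

def trust_level(ep):
    """Map detected state to a trust level (thresholds are assumptions)."""
    if ep.domain_joined and ep.antivirus_running and ep.firewall_enabled:
        return "privileged"           # managed corporate machine
    if ep.antivirus_running and ep.firewall_enabled:
        return "compliant"            # unmanaged but healthy
    return "untrusted"

def meets(ep, needed):
    return LEVEL_RANK[trust_level(ep)] >= LEVEL_RANK[needed]

# Session policy: an untrusted client is not even asked for credentials.
def portal_login_allowed(ep):
    return meets(ep, "compliant")

# Application policy: minimum level for an entry to be shown on the portal.
APP_MIN_LEVEL = {"OWA": "compliant", "SharePoint": "compliant",
                 "RDP": "compliant", "Network Connector": "privileged"}

def visible_applications(ep):
    return [app for app, lvl in APP_MIN_LEVEL.items() if meets(ep, lvl)]

# Feature policy: functions inside an application that need a higher level
# than the application itself (SharePoint upload, OWA attachments).
FEATURE_MIN_LEVEL = {("SharePoint", "upload"): "privileged",
                     ("OWA", "attachment"): "privileged"}

def feature_allowed(ep, app, feature):
    return meets(ep, FEATURE_MIN_LEVEL.get((app, feature), "compliant"))

# Constructed endpoints: an Internet kiosk, a home PC and a corporate laptop.
KIOSK = Endpoint(antivirus_running=False, firewall_enabled=False, domain_joined=False)
HOME_PC = Endpoint(antivirus_running=True, firewall_enabled=True, domain_joined=False)
LAPTOP = Endpoint(antivirus_running=True, firewall_enabled=True, domain_joined=True)
```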
Endpoint detection and application intelligence
(Diagram: Client, SSL VPN Gateway and Applications. Gateway layers: Application Aware Platform, Application Definition Syntax/Language, Application Modules; Tunneling, Security, Authentication, Authorization, User Experience; High-Availability, Management, Logging, Reporting, Multiple Portals. Applications Knowledge Center: Generic Applications (Web, Browser Embedded, Client/Server) and Specific Applications (SharePoint, Exchange/Outlook, OWA, Citrix, …). Devices Knowledge Center: Windows, …)
Endpoint Detection
Out of the box support for over 70 variables of detection including:
Antivirus
Antimalware
Personal Firewall
Desktop Search/Index Utilities
And much more…
Easy to configure GUI that allows simple management of policies.
Extended GUI for manual editing and modification of policies.
Leverage Windows Shell Scripting to create *any* policy and inspect for *any* client side variable.
Attachment Wiper
Clears the browser’s cache upon session termination
Process does not require user initiation
Optimizers integrate logic to identify and scrub custom caches
Supports custom scripts for custom file cleaning
Removes:
- Downloaded files and pages
- Cookies
- AutoComplete form contents
- History information
- AutoComplete URLs
- Any user credentials
Triggers:
- User logoff
- Browser crash
- Inactivity timeout
- Browser closure
- Scheduled logoff
- System shutdown
Security Policy
Allows for “Can’t Wipe – Can’t Download” policy
Allows fall back policy to “no-cache” tag mechanism
Security Concerns
Authentication - Who are you?
Strong Authentication – Are you really him/her?
Authorization – What can you access?
Transport Security – Can they hear?
Application Security – Should you be doing that?
End Point Security – From there?
Information Safeguard – Should this be left around?
Session Security – How long can you do this for?
Single Sign-On
No need for directory replication or repetition
Alternative approaches require local repository
Transparent Web authentication
HTTP 401 request
Static Web form
Dynamic browser-sensitive Web form
Integrates with …
Password change management
User repositories
User Specific Portal
Manages access of employees, partners & customers from anywhere to corporate business applications
More than one Portal page can be published per appliance
Each is based on a unique IP and host name
Each can present a completely unique user experience; including look and feel, applications, authentication and authorization
(Diagram: four portal login pages: IT Support Center for IT Support at support.xyz.com, Employee Portal for Employees at portal.xyz.com, Partner Extranet for Partners at extranet.xyz.com, and e-Commerce for Customers at shopping.xyz.com; each login form has Username and Password fields, some also a Token field)
Extends the business beyond the borders of the network
Implements corporate policies without weakening security
Leveraging existing investments in software infrastructure and applications
Ensures maximum functionality based on endpoint profile
Based on SSL VPN access platform
Leverages the Web browser to allow universal access
Provides a broad range of connectivity options
How to Setup
Setup appliance
Create trunk
Add applications
Define endpoint policies
Customize
Setup Appliance
Unpack appliance and put into rack
Attach external and internal network
Define IP and DNS settings
Add routes to internal network if needed
Define ISA "Internal" network
Join domain if needed
Required for Kerberos Constrained Delegation (SP1)
Create Trunk
Create trunk (= Web portal)
Define IP address for Trunk
Configure authentication server
Import certificate for each trunk
Create "redirect" trunk (= http to https)
Add Applications
Add applications
OWA
SharePoint
RDP
VPN (network connector)
Test access
Define Policies
Define endpoint policies
Assign to access and functions
Test access
Customize
Customize look and feel
Change colors
Change text on portal
Or...
Create advanced endpoint policies
Define custom authentication
Etc...