ISSA Presentation


Presentation Transcript


  1. ISSA Presentation

  2. Agenda • Remote Access Evolution • SSL VPN Drivers • Why SSL VPNs • Basic Deployment • Security vs. IPSec • The New Security Concerns • Addressing the Concerns • What to Look for in a Vendor

  3. The Evolution of Remote Access
     Then: A service for a select few | Now: A must-have utility for all
     Then: Best effort performance and up-time | Now: Always up, high performing
     Then: Cost center | Now: Productivity lever
     Then: Carrier-based | Now: Network independent
     Then: Anywhere there's a phone line | Now: Anywhere

  4. The Evolution of Remote Access
     Then: A PC you support | Now: Any PC
     Then: Static passwords | Now: One-time passwords
     Then: Dial-back modems | Now: Device profiling
     Then: "What's a virus?" | Now: Must address all malicious code
     Then: "They have the Internet on computers?" | Now: "I know more about this than you do."

  5. The Shift to SSL VPNs
     • Enterprises are seeing a new kind of remote access:
       • Harder to manage: access from devices outside of IT's control
       • Demanded by more users: broader employee access, partner access
       • New devices and access points: wireless hotspots, airport kiosks, home PCs
     Diagram: user populations reaching the Corporate Network: Pocket PC users, wireless LAN users, day extenders, traveling employees, kiosk users, home office users, extranet users.

  6. The Shift to SSL VPNs
     • SSL addresses the emerging demands:
       • Impervious to NAT
       • Leverages a commonly open port (443)
       • Indifferent to type of network
       • Does not require a client
       • Supports broad application types
       • Easier to support and deploy
       • Intuitive user experience

  7. Basic SSL VPN Deployment
     Like an IPSec VPN, the SSL VPN is the point of security enforcement for in-bound users.
     • SSL VPN tied to authentication system, DNS and applications
     • Presents web resources and available shares as links to the user
     • Authenticates users, encrypts to the end node, applies granular ACLs to the user traffic, detailed audit
     • All traffic goes over port 443, regardless of original protocol
     • Uses browser-deployed agent to handle C/S applications
     Diagram: remote end points (corporate laptops, wireless hotspots, PDAs, home PCs, kiosks, partner extranets) send encrypted, authenticated and authorized traffic via the Internet to the SSL VPN appliance in the DMZ, which fronts the directories and applications (web apps, client/server apps, legacy apps, file shares, databases, terminal services, mainframes).

  8. Security vs. IPSec

  9. The New Security Concerns
     • Access from unmanaged locations
       • Sensitive data inadvertently left on device
       • Sensitive data intentionally captured
       • Sensitive data saved by legitimate user
       • Unmanaged device is virus vector
       • Unmanaged device can be hijacked
     • Device Anonymity
       • Difficult to tell provisioned devices from others
     • Access Modulation
       • Authenticating the user alone is not enough to determine the appropriate level of access.

  10. How the Threats Get Addressed
     • Sensitive Data Inadvertently Left Behind
       • Cache Clearing Technology
       • Session File Encryption and Deletion
     • Data Captured (Spyware, Keystroke Logger)
       • Pre-auth Spyware Scan
       • WholeSecurity, Zone Labs, Sygate
     • Data Saved by Legitimate User
       • Session File Encryption and Deletion
       • Restrict Location for Certain Groups

  11. How the Threats Get Addressed
     • SSL VPN End-Point is Virus Vector
       • A/V and PFW Policy Enforcement Built into SSL VPN
       • Adjust ACLs when A/V is absent or not updated
       • Remediate workstation when appropriate
       • Deny connection in extreme cases

  12. How the Threats Get Addressed
     • Device Anonymity
       • Restrict Source Domain
       • Scan Device and Registry to Identify:
         • Domain Membership
         • O/S
         • Search for Secret File
         • Look for Watermark
         • Use Digital Certificate
       • Restrict by O/S

  13. How the Threats Get Addressed
     • Access Modulation
       • Create "3-D" Security Policy: User, Device, Location
       • Adjust ACLs On-The-Fly Based on Combination of Factors
     Diagram: three device classes (Trusted Device, Semi-Trusted Device, Un-Trusted Device; device profiles "IT-Managed" and "Home Machine"), each evaluated against the same checks: Application/Process, Directory/File, Registry key, Windows domain, Anti-Virus, Personal Firewall, Aventail Cache Control, Aventail Secure Desktop. Example values shown: Registry key …HKEY_LOCAL_MACHINE\SW\Symantec\SharedDefs; Windows domain in.xyz.seattle.com or in.xyz.phoenix.com; Anti-Virus Norton AV (trusted and semi-trusted); Personal Firewall Sygate (trusted) or Sygate or Zone (semi-trusted); Data Protection for all three classes.
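As an added example (not Aventail's code and not part of the presentation), the following Python script models the policy logic of slides 11 to 13 end to end: a pre-auth device profile (Windows domain, registry key, watermark, device certificate, anti-virus, personal firewall, as listed on slide 12) is classified into the three device classes of slide 13, and the user's ACL is then adjusted on the fly for stale A/V definitions, for groups restricted to trusted locations, and denied outright in the extreme case of slide 11. The two source domains and the registry key are the sample values shown on slide 13; the group names, resource names, definition-age threshold, managed-domain name and the three sample end points are constructed assumptions for this example.

```python
"""Posture-based access tiering (user + device + location), modelled on
slides 11-13. Device attributes would normally come from the SSL VPN's
pre-auth device scan; here they are constructed inline."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Policy constants. Only the two domains and the registry key come from
# slide 13; everything else is an assumption made for this example.
MANAGED_DOMAINS = {"CORP"}                       # hypothetical domain of IT-managed PCs
TRUSTED_SOURCE_SUFFIXES = ("in.xyz.seattle.com", "in.xyz.phoenix.com")
AV_DEFS_KEY = r"HKEY_LOCAL_MACHINE\SW\Symantec\SharedDefs"
MAX_DEF_AGE = timedelta(days=7)                  # older definitions count as "not updated"
LOCATION_RESTRICTED_GROUPS = {"finance"}         # full access only from trusted locations

# Hypothetical resource names reachable per device class
ACL_BY_TIER = {
    "trusted":      {"web-apps", "webmail", "file-shares", "client-server-apps", "terminal-services"},
    "semi-trusted": {"web-apps", "webmail"},
    "untrusted":    {"webmail"},
}
SENSITIVE = {"file-shares", "client-server-apps", "terminal-services"}


@dataclass
class DeviceProfile:
    """What the pre-auth scan reports about the end point (slide 12 checks)."""
    windows_domain: Optional[str]
    registry_keys: Set[str]          # registry keys found on the device
    av_product: Optional[str]
    av_defs_date: Optional[date]
    personal_firewall: Optional[str]
    has_watermark: bool              # secret file / watermark planted on managed PCs
    has_device_cert: bool            # certificate issued to provisioned devices


@dataclass
class Decision:
    tier: str
    allowed: Set[str]
    actions: List[str] = field(default_factory=list)
    denied_reason: Optional[str] = None


def av_current(p: DeviceProfile, today: date) -> bool:
    """A/V is 'updated' only if present, its definitions key exists and the
    definitions are no older than MAX_DEF_AGE."""
    return (p.av_product is not None and AV_DEFS_KEY in p.registry_keys
            and p.av_defs_date is not None and today - p.av_defs_date <= MAX_DEF_AGE)


def classify_device(p: DeviceProfile, today: date) -> str:
    """Trusted = provisioned and protected; semi-trusted = unknown but protected;
    otherwise untrusted (the three device classes of slide 13)."""
    provisioned = (p.windows_domain in MANAGED_DOMAINS
                   and p.has_watermark and p.has_device_cert)
    protected = p.av_product is not None and p.personal_firewall is not None
    if provisioned and protected and av_current(p, today):
        return "trusted"
    return "semi-trusted" if protected else "untrusted"


def evaluate(user_groups: Set[str], source_host: str,
             p: DeviceProfile, today: date) -> Decision:
    """Combine user, device and location into an ACL, adjusting on the fly."""
    # Extreme case (slide 11): neither A/V nor personal firewall -> deny outright.
    if p.av_product is None and p.personal_firewall is None:
        return Decision("untrusted", set(), ["deny"],
                        "no anti-virus and no personal firewall on device")
    tier = classify_device(p, today)
    d = Decision(tier, set(ACL_BY_TIER[tier]))
    # A/V present but stale -> remediate and withhold sensitive resources (slide 11).
    if not av_current(p, today):
        d.actions.append("remediate: update anti-virus definitions")
        d.allowed -= SENSITIVE
    # Certain groups only get sensitive resources from a trusted location (slide 10).
    if user_groups & LOCATION_RESTRICTED_GROUPS and not source_host.endswith(TRUSTED_SOURCE_SUFFIXES):
        d.actions.append("location-restricted: sensitive resources need a trusted source")
        d.allowed -= SENSITIVE
    # Anything not IT-managed gets the end-point data-protection controls (slide 13).
    if tier != "trusted":
        d.actions.append("enable cache control and session file encryption/deletion")
    return d


# Constructed sample end points (not real scan data)
TODAY = date(2004, 6, 1)
MANAGED_LAPTOP = DeviceProfile("CORP", {AV_DEFS_KEY}, "Norton AV",
                               TODAY - timedelta(days=1), "Sygate", True, True)
HOME_PC = DeviceProfile(None, {AV_DEFS_KEY}, "Norton AV",
                        TODAY - timedelta(days=30), "Zone", False, False)
KIOSK = DeviceProfile(None, set(), None, None, None, False, False)


def demo() -> dict:
    """Run the four scenarios discussed on the slides."""
    return {
        "managed": evaluate({"staff"}, "pc17.in.xyz.seattle.com", MANAGED_LAPTOP, TODAY),
        "home":    evaluate({"staff"}, "dsl-1-2-3-4.isp.example", HOME_PC, TODAY),
        "kiosk":   evaluate({"staff"}, "kiosk.airport.example", KIOSK, TODAY),
        "finance": evaluate({"finance"}, "dsl-1-2-3-4.isp.example", MANAGED_LAPTOP, TODAY),
    }


if __name__ == "__main__":
    for name, dec in demo().items():
        print(f"{name:8s} tier={dec.tier:12s} allowed={sorted(dec.allowed)} "
              f"actions={dec.actions} denied={dec.denied_reason}")
```

The managed laptop from a trusted source gets the full ACL with no extra actions; the home PC with month-old definitions is semi-trusted, gets web access only and is flagged for remediation plus cache control; the kiosk with no A/V and no firewall is refused; and a finance user on a managed laptop connecting from an ISP address keeps the trusted tier but loses the sensitive resources until the source is trusted.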

  14. What to Deploy with SSL VPN
     • Strong (True Two-Factor) Authentication
     • Dynamic A/V and Malware Scanning
     • Updated Acceptable Use Policy for Employees and Partners
     • Web-Based Mail
     • Logical Directory Groups

  15. What to Look for in a Vendor
     • Appropriate Scale
     • Application Support
     • Multiplatform Support
     • Support for 3-D Security Model
       • Device Scanning (Pre-Auth)
       • End-Point Data Protection
         • Cache Clearing
         • Data Encryption and Deletion
       • Application Detection

  16. Thank You. Scott Stanton, sstanton@aventail.com, www.aventail.com

  17. PDF Files Resources
     • Aventail SSL VPN Technical Primer US
     • Aventail Ex-Family Product DataSheet
     • Aventail IPSec VPN vs SSL VPN WP-A4
     • Aventail End Point Control White Paper
