EMS Summit – Network Remote Access
William E. Ott
Friday August 25, 2006
1300 – 1400 EDT

Topics: VPN Solutions, Voice over IP, Secure e-mail

Secure Communications
Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources
Voice traffic is starting to move to data circuits (VoIP). Not secure on its own.
How do you secure e-mail traffic?

Impediments to Remote Access
• Cost
• Availability
• Technical support
• Bandwidth
• Security

Traditional Remote Network Connectivity Options
Network Connection Technologies
• Private circuits (i.e. frame relay): Expensive
• Dialup: Slow
Network Service Technologies
• telnet, ftp, ssh, http, https, proprietary: Some are secure, some are not
Architecture
• Remote circuits terminated directly into the core of the enterprise network: Insecure

Classical Enterprise Connectivity (diagram slide)

New Requirements / New Threats

| Area | New requirement | New threat |
|---|---|---|
| Internet Access | For the enterprises; from our homes | Shared infrastructure; public exposure |
| The Web | Sharp increase in Internet use; browsers become ubiquitous | Sharp increase in Internet use; access to content, useful and malicious |
| Broadband | Fast; economical | Remote endpoints (i.e. home PCs) always on |

Access Types Considered
• Dial-Up – Already in use
• Dedicated Access (T1, Frame) – Already in use
• Network to Network IPSEC VPN
• Client to Network IPSEC VPN
• SSL VPN

Security Requirements
Define the perimeter
• A perimeter exists every place where there’s a differentiation in policy or responsibility
Identify and authenticate remote sites and users
• Consider “strong” and multi-factor authentication options
Provide privacy & integrity for communications
• Business data
• Authentication credentials
Secure endpoints
• Apply enterprise security policy to remote endpoints
Limit exposure
• Remote users probably don’t need to access “everything.”

Solutions?
Virtual Private Networks
• IP-Sec: Remote network access
• SSL: Remote application access
• SSH: Remote administration

Remote Access: the parts
Assess
• Diverse client base
• Distributed client base
• Access to applications and data
• Minimize delivery time
• Minimize agency support requirements
• Conform to federal requirements including two factor authentication
• Security

Plan the solution (diagram slide)

IP-Sec
Types
• Site to Site
• Remote Client
Security Considerations
• Encryption
• Authentication
• Split Tunneling
• Client Policy Enforcement
• Firewalls (inside and outside the VPN)

Site to Site IP-Sec (diagram slide)

Client IP-Sec (diagram slide)

IP-Sec VPN Pros and Cons
Pros
• Well suited to replace private circuits
• “On the network” user experience
• Extensive support for various encryption algorithms and authentication options
• Mature technology
Cons
• Quality of Service dependent on shared network (i.e. the Internet)
• Client application required
• Limited cross-vendor interoperability
• Some configurations are not compatible with NAT

Remote Office VPN
Targeted at sites with > 10 users
Secure (IPSec) VPN
• Inter-agency Alliance managed end-to-end
• Connectivity to Legacy applications and new inter-agency alliance portal
Client premise equipment
• Firewall/VPN Device
• 1 - 10/100 Ethernet port
Objective
• Minimize impact of new solution on legacy networks while providing flexibility of deployment

Local Integration
(diagram: client network PCs behind a firewall, connected across the Internet to the Alliance)
Topology
• Inside, DMZ, Outside
Addressing
• Client provides single IP address for VPN
• Address translation
Routing Changes
• Client routes alliance applications to VPN

SSL VPN
Types
• Remote Client
Security Considerations
• Encryption
• Authentication
• Application publication: HTTP, Citrix / MS Terminal Services / Common Services
• SSL VPN client application may be used to proxy other application types or even establish a full PPP connection, in which case the IP-Sec security considerations apply

SSL VPN (diagram slide)

SSL VPN Pros and Cons
Pros
• Super-easy access to enterprise application infrastructure
• Ability to “publish” non-web applications
• Ability to use standard web browser to access published application
Cons
• Client VPN only
• Client application still required for “on the network” experience

SSL VPN
Targeted at mobile or sites with < 10 users
Enrollment and Support for Multiple members
Provides clientless access to alliance resources
• Requires only a browser and internet connectivity
2-factor authentication
• One-Time password token
Token delivery efficiency

SSH
Primarily for remote administration
Encrypted “telnet” and “ftp”
Port forwarding
Highly interoperable
Supports nested tunnels
Can be used in a bastion host architecture to provide secure remote access

Bastion Host (diagram slide)

Architecture Best Practices
• Identity Management
• Authentication
• Authorization
• Logging
• Client system policy compliance
• Split tunneling (IP-Sec)
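As an added example that is not part of the presentation, the Python below audits constructed VPN session records against the best practices on this slide and the IP-Sec security considerations earlier: it flags single-factor logins, split tunnelling, clients that fail the endpoint policy, and routes that expose more of the enterprise than remote users need. The policy values, the key=value record format and the session fields are all assumptions made for the example.

```python
# Added example, not from the presentation: check constructed VPN session
# records against the best practices above (two-factor authentication,
# client policy compliance, no split tunnelling, limited authorization).
from dataclasses import dataclass, field
from ipaddress import ip_network

# Hypothetical policy: the only subnet remote users may reach, and the
# endpoint checks a client must pass before it is admitted.
ALLOWED_NETS = [ip_network("10.20.0.0/16")]
REQUIRED_CHECKS = {"av_current", "patched", "disk_encrypted"}

# Constructed session records in a simple key=value line format.
SAMPLE_LOG = """\
user=alice site=client factors=2 split=no checks=av_current,patched,disk_encrypted routes=10.20.0.0/16
user=bob site=client factors=1 split=yes checks=av_current routes=10.20.0.0/16,0.0.0.0/0
user=branch7 site=remote_office factors=2 split=no checks=av_current,patched,disk_encrypted routes=10.20.5.0/24,192.168.99.0/24
"""

@dataclass
class Session:
    user: str
    site: str            # "client" or "remote_office"
    auth_factors: int    # 1 = password only, 2 = password + one-time password token
    split_tunnel: bool   # client keeps a direct Internet path while connected
    endpoint_checks: set = field(default_factory=set)
    routes: list = field(default_factory=list)  # prefixes routed into the VPN

def parse_line(line: str) -> Session:
    """Parse one key=value record into a Session."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Session(
        user=kv["user"], site=kv["site"], auth_factors=int(kv["factors"]),
        split_tunnel=kv["split"] == "yes",
        endpoint_checks={c for c in kv["checks"].split(",") if c},
        routes=[r for r in kv["routes"].split(",") if r],
    )

def check_session(s: Session) -> list:
    """Return the best-practice findings for one session (empty = compliant)."""
    findings = []
    if s.auth_factors < 2:
        findings.append("weak-auth: two-factor authentication required")
    if s.split_tunnel:
        findings.append("split-tunnel: client bridges the Internet and the enterprise")
    missing = REQUIRED_CHECKS - s.endpoint_checks
    if missing:
        findings.append("endpoint-policy: missing " + ", ".join(sorted(missing)))
    for r in s.routes:  # authorization: pushed routes must stay inside the allowed scope
        if not any(ip_network(r).subnet_of(n) for n in ALLOWED_NETS):
            findings.append(f"over-exposure: route {r} outside allowed scope")
    return findings

def audit(log: str) -> dict:
    """Map each user in the log to its findings, one entry per logged session."""
    return {s.user: check_session(s) for s in (parse_line(l) for l in log.splitlines() if l.strip())}
```

Running `audit(SAMPLE_LOG)` reports nothing for alice, four findings for bob, and one over-exposed route for the branch office, which is the kind of per-session logging the slide asks for.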

An Integrated Architecture (diagram slide)

Remote Access Summary
Begin by determining what portions of the environment must be accessed remotely
Select the secure remote access solution that meets your needs
Understand the security architecture of the solution you use
• Develop the appropriate architecture
• Integrate the solution with other security services as necessary

Remote Access Summary
Have a broad view of how the solution will be used
• Placement of equipment
• Infrastructure
• Applications being accessed
Clearly define the process for provisioning tokens and providing user access

Voice over Internet Protocol
VoIP is growing rapidly
VoIP traffic should be secured site to site if used for sensitive information
VoIP has excellent crisis communications capability
VoIP is often the cheapest method of telephony from overseas

Email Security
HIPAA concerns with email
Email to wireless devices
Email from remote or home users
Email with vendors and clients
Internal Email between sites
If Email isn’t ‘managed’ you have no control once sent
Many Email options

What technologies are emerging
Faster wireless
Real time video
High resolution cameras in phones
Convergence of data, voice, video into single devices

Questions?