1 / 30

Securing Remote Access With SSL VPNs: A Best Practice Primer

Securing Remote Access With SSL VPNs: A Best Practice Primer. Sikhi Gundu and Kartik Kumar, Juniper Networks India Pvt Ltd. Preliminaries. Target audience: IT org managers, admins; not developers/implementers Introductory/high level overview Essentially tutorial. Agenda. Motivation

alden-ortiz
Download Presentation

Securing Remote Access With SSL VPNs: A Best Practice Primer

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing Remote Access With SSL VPNs: A Best Practice Primer Sikhi Gundu and Kartik Kumar, Juniper Networks India Pvt Ltd

  2. Preliminaries • Target audience: IT org managers, admins; not developers/implementers • Introductory/high level overview • Essentially tutorial

  3. Agenda • Motivation • 30000ft view of SSLVPN Technology • Security with SSLVPN: Athentication • Security with SSLVPN: Endpoint Integrity • Security with SSLVPN: Authorization • Security with SSLVPN: User Education

  4. Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

  5. Motivation • Usecase • Remote access for Employees, Partners & Customers • Why not IPSEC • Requires client software to be installed. • IPSEC VPNs are good for site-to-site, not so good for clients to server • is layer 3; remote access users get layer 3 access! • Why SSL VPN • Client less remote access (browser is the client) • Easy on the IT shop (roll-out, config) • Layer 4 access with notion of a " user "  

  6. Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

  7. SSL VPN Internet App Server Employees with Corporate/Home Laptops Enterprise Network SSLVPN basic workflow • SSLVPN device acts as a reverse proxy • SSL provides data confidentiality and integrity on the public network https http https http

  8. SSL VPN Employees with Corporate Laptops Employees with Mobile Devices Employees with Home PCs Application Server Firewall Internet Router Applications Server SSL VPN typical deployment Enterprise Network

  9. SSLVPN – Typical End-user Flow User connects to the gateway User Authenticates SSLVPN presents portal frontending accessible resources User signs out.

  10. Essential functionality: Rewriting Layer 4 <body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 onload="try{!google.j.b&&document.f.q.focus()}catch(e){};if(document.images)DanaPutSrc(new Image(),'/images/srpr/nav_logo14.png',0)" ><textarea id=csi style=display:none></textarea><script>if(google.j.b)document.body.style.visibility='hidden';</script><iframe name=wgjf style=display:none src="/dana-cached/help/empty.html" onload="google.j.l()" onerror="google.j.e()"></iframe><textarea id=wgjc style=display:none></textarea><textarea id=wwcache style=display:none></textarea><textarea id=csi style=display:none></textarea><textarea id=hcache style=display:none></textarea><span id=main><div id=ghead><div id=gog><div id=gbar><nobr><b class=gb1>Web</b> <a href="https://sslvpn.mycompnay.com/,DanaInfo=10.204.50.40+imghp?hl=en&tab=wi" onclick=gbar.qs(this) class=gb1>Images</a> <a href="https://sslvpn.mycompnay.com/,DanaInfo=10.204.50.40+?hl=en&tab=wv" onclick=gbar.qs(this) class=gb1>Videos</a> <a href="https://sslvpn.mycompnay.com/,DanaInfo=10.204.50.40+maps?hl=en&tab=wl" onclick=gbar.qs(this) class=gb1>Maps</a> <a href="https://sslvpn.mycompnay.com/,DanaInfo=10.204.50.40+nwshp?hl=en&tab=wn" onclick=gbar.qs(this) class=gb1>News</a> <a <body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 onload="try{!google.j.b&&document.f.q.focus()}catch(e){};if(document.images)new Image().src='/images/srpr/nav_logo14.png'" ><textarea id=csi style=display:none></textarea><script>if(google.j.b)document.body.style.visibility='hidden';</script><iframe name=wgjf style=display:none src="" onload="google.j.l()" onerror="google.j.e()"></iframe><textarea id=wgjc style=display:none></textarea><textarea id=wwcache style=display:none></textarea><textarea id=csi style=display:none></textarea><textarea id=hcache style=display:none></textarea><span id=main><div id=ghead><div id=gog><div id=gbar><nobr><b class=gb1>Web</b> <a href="http://10.204.50.40/imghp?hl=en&tab=wi" onclick=gbar.qs(this) class=gb1>Images</a> <a href="http://10.204.50.40/maps?hl=en&tab=wl" onclick=gbar.qs(this) class=gb1>Maps</a> <a href="http://10.204.50.40/nwshp?hl=en&tab=wn" onclick=gbar.qs(this) class=gb1>News</a> <a href="http://10.204.50.40/Home.aspx?hl=en&tab=w0" class=gb1>Arekkut</a> <a href="http://10.204.50.40/bkshp?hl=en&tab=wp"

  11. Src IP • 11.13.1.1 • Dst IP • 12.2.2.3 • Src IP • 12.2.2.3 • Dst IP • 10.2.2.4 • Src IP • 10.2.2.4 • Dst IP • 12.2.2.3 • Src IP • 12.2.2.3 • Dst IP • 11.13.1.1 Essential Functionality: Rewriting Contd. • Layer 3 Applications Server NAT Device Internet Enterprise Network

  12. Essential functionality: Granular Access Control • Policy based access control (based on identity & other factors) • For ex: assign role to user; assign resources to roles • Example policies: • Web Access • UNIX file Access • Windows File Access • SSO • Terminal Services

  13. Essential functionality: Granualar Access Control Contd… • Example Role Assignments based on • Location • Username • Login time • Group • Etc etc.... Fine Grained Access control • SSL VPN being a layer 4 device, has an end user notion and thus Fine Grained Access control Is possible

  14. Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

  15. Security with SSL VPN: Authentication • Remember: Internet-facing device! • Ensure Strong Authentication • Strength of Authentication • Strength of a password policy • Password strength • Password expiry • Blacklisted pin dictionary • Typically, device vendor would ensure protection against: • Dictionary attacks • Brute force attacks • Denial of service attacks

  16. Strong Authentication, Contd • Single factor Authentication • Two factor

  17. Strength of Authentication Contd. • Secondary Authentication • Adaptive authentication

  18. Strength of Authentication Contd. • Secondary Authentication • Can be used where stronger auth mechanism is required. • For example : • User does primary authentication to a Auth Server [could be certificate or Machine Auth] • Once Primary auth succeeds, he has to authenticate again to a Secondary Auth Server [which could be AD or LDAP or radius auth] • Secondary authentication combined with 2-factor, will be even more stronger, but an overkill.

  19. Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

  20. Assess Endpoint’s security posture • Enable this feature, most vendors provide it • Enforce policy not to allow login if client not clean • Makes sure that the client has • Trusted anitivirus software (eg: Norton AV 2010) • Trusted Anti-MalWare • Updated database virus signatures for the antivirus. • Availabilty of OS Patches. • Ensure file system has no suspicious content or processes. • Ensure file system has the content it is supposed to have; ie, not tampered with

  21. Clean session termination • Data is left behind by the session! • Browser History • Browser Cache • Saved password and forms • Keystroke loggers • Cookies • Use cache cleaning functionality • Cleans up all Browser data on logout • Enable virtual keyboards during authentication

  22. Clean session termination Contd. • SVW [Secure virtual workspace] • Restricted, transient shell • Created when user login-in • Destroyed on logout • Ensures no upload of dangerous content or download of critical data

  23. Integrate with IDP • Coordinated Threat control using IDP SSL VPN Detects intrusion Informs SSL VPN IDP Quarantines user based on IDP instructions

  24. Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

  25. Security with SSLVPN: Authorization • Can remote users have the same level of access privilege as local users? Maybe not! • Exploit RBAC to the fullest • Role is a group of policies • Policies govern access to resources • Web Recource Access • File Resource access [Both windows/UNIX] • Telnet/SSH Access • SSO • Terminal Services access

  26. Role Based Access Control Contd. • Vendors provide the ability to define roles as a function of several attributes • For example: • Endpoint security posture • Login time • Login IP • Login Name • Directory attributes • Group • For ex: same user gets different privileges during office hours as opposed to off-hours

  27. Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

  28. Bad people: evil outsiders and disgruntled insiders • Remember: internet-facing web device • Vulnerable to the usual set of web attacks • Injection Attacks • Most Common: Cross-site scripting • Parsing and detecting malicious script • Have multiple admins to verify config. • New one XSRF • Cross site Request forgery • Frame busting • Vendor provides some form of defence; but beware your customization may open up holes!

  29. Key is: Train your users • Educate Users • Always ensure graceful exit • Don’t leave sessions unattended • Avoid logging in via Shared Computers • Don’t cache Password on browsers • Use Virtual keyboards for login

  30. Thank you

More Related