1 / 65

Joseph Steinberg, CISSP Director of Technical Services, Whale Communications

Secure Remote Access to Business Applications SSL Technology for Web-Based Access From Any Location. Joseph Steinberg, CISSP Director of Technical Services, Whale Communications e-Financial World, Toronto, Canada November 19, 2004. What We Will Cover. Business Goals of Remote Access

Download Presentation

Joseph Steinberg, CISSP Director of Technical Services, Whale Communications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Secure Remote Access to Business ApplicationsSSL Technology for Web-Based Access From Any Location Joseph Steinberg, CISSP Director of Technical Services, Whale Communications e-Financial World, Toronto, Canada November 19, 2004

  2. What We Will Cover • Business Goals of Remote Access • Remote Access Technologies • SSL Access – What it is • SSL Access – What benefits it delivers • SSL Access – Security

  3. Business Overview

  4. Remote Access Business Goals • Improved Productivity of Work Force • Employees can perform tasks even when out of the office • People can respond faster to emergency conditions • Creates Greater Top-Line Revenue • Increased self-service and improved experience for outside parties • Increased automation for other IT systems (via web services, etc.) • Assurance of Business Continuity • Users can work remotely in case of a disaster • Fewer seats required at backup facilities • Even non-critical employees can be productive

  5. Access for Whom • Employees/Contractors • Partners • Prospects/Customers

  6. RA: Employees/Contractors • Keep business running 24x7 • Increase employee productivity • Business continuity & disaster recovery • Increase employee convenience • Morale booster • Maximize ROI from existing tools • In the past RA was only for this group of users

  7. RA: Partners • Automate transactions and transfer of information • Improve efficiency • Expedite communications • Reduce mistakes • Enable business with parties requiring online interface

  8. RA: Prospects/Customers • Create Greater Top-Line Revenue • Increased self-service and improved experience for outside parties • Increased automation for other IT systems (via web services, etc.) • Support systems • Improved customer satisfaction

  9. Return on Investment Value of Benefits Cost of providing those benefits = Return on Investment -

  10. What Factors Affect ROI of RA? • Who can access and from where • Scalability - Number of users who can gain access • Ubiquity - Types of machines from which they can access • Simplicity - Ease of use for end users • What can be accessed • Access - Number of systems accessible via the SSL VPN and how fully they can be used remotely • Security - Security policy denies access in many scenarios • Cost of providing access • Initial layout - purchase, installation, and configuration • Maintenance - Ease of maintenance and support of remote access users

  11. Quick Technology Overview • Historically • Security vs. accessibility • Access from more places, but not from most places • Remote access was complicated technology = high TCO • Today • Access with security • Web browsers = access from anywhere • Solutions optimized for simplicity = yield low TCO

  12. SSL VPN SSL Access delivers a greater ROI than other other remote access technologies because it performs better in the aforementioned areas

  13. What is an SSL VPN?

  14. What is SSL VPN? SSL VPN technology allows users to remotely access applications and files from a web browser. Even non-web applications can be accessed using SSL VPN.

  15. Typical SSL VPN Session 1. EnterURL 2. Login 3. Portal Page

  16. Typical SSL VPN Session 4. Launch Applications Native Outlook Citrix Metaframe iNotes File Access 5. Logout

  17. Benefits • Productivity Boost • Employees access from more locations • Cost Savings • Reduces reliance on costly IPSEC VPNs • Top Line Revenue • SharePoint can be used for more purposes • Business Continuity • Systems are accessible even if facilities are not

  18. Why Is SSL VPN On the Rise? • Who can access and from where • Scalability: Employees, partners, customers, prospects • Ubiquity: Virtually any web connected device • Simplicity: Easy to use • What can be accessed • Access: Most business applications and systems • Security: Flexible platforms maximize secure access • Cost of providing access • Initial layout: Less expensive than alternatives • Maintenance: Easier to administer with less support

  19. Compared to Other Technologies

  20. Dial Up

  21. Dial Up • Employees dial up to the organization using modem lines • Older technology – before Internet mass adoption • High cost: modem pools, dial-up servers, phone lines, long distance charges • Slow connection speeds • Fiscally inefficient – normally under-utilized, maxed out during peaks • Easy target for low-tech DoS attacks • Does not provide access from anywhere in case of business recovery • A growing number of web-enabled applications are designed to leverage the Internet – why would you want to do otherwise? • Phasing out in general

  22. IPSEC VPN

  23. IPSEC VPN • Virtual Private Network – like a long Ethernet cable • Leverages Internet for connectivity • High speed • Issues • Client-side costs: purchase and maintenance • Access available only from specific devices • Usually deployed to limited number of users • Invented before maturation of web and ubiquity of web browsers • Appropriate usage for existing implementations • Limited number of remote employees (and very limited partners) • Always accessing from specific company-owned computers • Inappropriate for • Large scale deployments • Business continuity purposes

  24. Why Not Simple Web Access?

  25. Web Access

  26. Native Web Access • Issues • Not all applications have web interfaces • Web interfaces typically do not always offer full application functionality • Security • Hackers and worms can penetrate • Ports open to internal network • Violates corporate policies • Not normally implemented

  27. So what does an SSL VPN actually do?

  28. SSL VPN Technology

  29. What Is an SSL VPN Gateway? • Enables remote access from web browsers • Ensures security of systems and data

  30. Enables Access to Web Apps • Web Applications – Makes systems with internal references work • Improves upon portals for delivering web apps • Translation of internal references • http://hrserver/ https://ra.whale.com/593a1d8b2b4c20ff1b9c6254fadf/index.html • http://internal.whale.com  https://ra.whale.com/1f1513043b4619c419ca6254c174/start.asp

  31. Enables Access to C/S Apps • Client/Server Apps, Telnet, and Terminal Services • Allows them to work over SSL instead of using proprietary communications ports • Can be triggered from a link within a portal page or from the SSL VPN • Tunneling • Intercepts requests, transfers to SSL Gateway, and relays to “real server” • Translates IP numbers and ports when necessary

  32. Enables Access to Files • File Access – Provides remote access to file repositories and home/project directories • Type 1: Explorer-like interface in web browser, all file commands performed on SSL Gateway • Type 2: Remote drive mounting – transfer file commands over SSL (like a C/S application) • Provided as separate application or within a portal

  33. Provides User Interface • Creates simple but powerful user experience (GUI, automatic server selection, etc.) • Can leverage existing portal interfaces (e.g., SharePoint) • Avoids extraneous helpdesk calls • Flexible interface simulates normal work environments • Automatically selects each user’s servers (for email, apps, etc.) based on UserID • Single Sign On • Toolbars

  34. Security Concerns

  35. Security • Organizations often recognize the benefits of remote access, but not the security issues • Many of the security issues are new with the advent of SSL VPN – and corporate security experts may not be familiar with them…

  36. SSL Access Security Issues • Network-side • Problems created by allowing access into your infrastructure • Client-side (end point) • Problems created by allowing access from unknown devices • NEW ISSUES – Different than classical end-point security • User • Authentication, Authorization

  37. Network-Side Security Concerns • SSL VPN relays requests from Internet • Exposure to hackers, worms, viruses, etc. • Buffer overflows - execute arbitrary code • Denial of Service or service degradation of production servers • Malformed URLs • Inappropriate access to confidential information

  38. Network-Side Security Concerns Ports open/tunneled IPSEC disguised as SSL

  39. Client-Side Security Concerns • Access from insecure devices • Access from secure devices

  40. Access from Insecure Devices • Issue: sensitive data stored on access devices • Databases & files • Documents opened as email attachments • History and AutoComplete information • Cached data

  41. Access from Insecure Devices • Issue: Users may not log off • Inappropriate parties may be able to continue sessions • Data will remain cached • Auto-refresh of Inbox, etc., may prevent SSL VPN inactivity timeouts from functioning

  42. Access from Insecure Devices • Access devices may not conform to security policies • Personal firewalls • Anti-virus • No KAZAA, Morpheus, etc. • Some devices may not run Active/X or Java • So any security software SSL VPN sends to client won’t work

  43. Access from Secure Devices • “Lowest Common Denominator” rules reduce productivity • Easy to say “Don’t provide access” if not compliant • But, we want to provide as much access as is safe • If we don’t provide access from insecure devices we cannot use the SSL VPN for customer access, for partner access, or as a business continuity solution. • But, reducing access to a uniform level across all machines unnecessarily curtails access from secure devices!

  44. Ensuring Security

  45. Network-Side Security Response • Relay appropriate level traffic • Application Firewalling

  46. Relay Appropriate Level Traffic • From general devices • Application level, not network traffic • Intercept requests and forward accordingly • From corporate laptops, office computers, and similar devices • Full network-type communications (maybe)

  47. Application Firewalling • Filter requests and allow only valid requests to pass • Many Web solutions available; can be optimized for specific applications • Filtering for client/server applications is complicated

  48. Application Firewalling (OWA 2K)

  49. Client-Side Security Response • Erase sensitive data stored on access devices • Secure Log-Off • Tier access based on device’s environment • Security and Compliance Policy

  50. Don’t Leave Data Behind • Issue • Sensitive data stored on access devices • Solution • SSL VPN must wipe sensitive data from insecure machines • Session termination: logoff, browser crash, window closed, reboot, etc. • Wipe: temporary files, cookies, History, AutoComplete, standard system/proprietary caches, etc. • Most SSL VPN vendors provide some wiping capabilities • Third-party add-on products also available

More Related