Secure Remote Access to Business Applications: SSL Technology for Web-Based Access From Any Location
Joseph Steinberg, CISSP, Director of Technical Services, Whale Communications
e-Financial World, Toronto, Canada, November 19, 2004
What We Will Cover • Business Goals of Remote Access • Remote Access Technologies • SSL Access – What it is • SSL Access – What benefits it delivers • SSL Access – Security
Remote Access Business Goals • Improved Productivity of Work Force • Employees can perform tasks even when out of the office • People can respond faster to emergency conditions • Creates Greater Top-Line Revenue • Increased self-service and improved experience for outside parties • Increased automation for other IT systems (via web services, etc.) • Assurance of Business Continuity • Users can work remotely in case of a disaster • Fewer seats required at backup facilities • Even non-critical employees can be productive
Access for Whom • Employees/Contractors • Partners • Prospects/Customers
RA: Employees/Contractors • Keep business running 24x7 • Increase employee productivity • Business continuity & disaster recovery • Increase employee convenience • Morale booster • Maximize ROI from existing tools • In the past RA was only for this group of users
RA: Partners • Automate transactions and transfer of information • Improve efficiency • Expedite communications • Reduce mistakes • Enable business with parties requiring online interface
RA: Prospects/Customers • Create Greater Top-Line Revenue • Increased self-service and improved experience for outside parties • Increased automation for other IT systems (via web services, etc.) • Support systems • Improved customer satisfaction
Return on Investment • Value of Benefits - Cost of providing those benefits = Return on Investment
What Factors Affect ROI of RA? • Who can access and from where • Scalability - Number of users who can gain access • Ubiquity - Types of machines from which they can access • Simplicity - Ease of use for end users • What can be accessed • Access - Number of systems accessible via the SSL VPN and how fully they can be used remotely • Security - Security policy denies access in many scenarios • Cost of providing access • Initial layout - purchase, installation, and configuration • Maintenance - Ease of maintenance and support of remote access users
Quick Technology Overview • Historically • Security vs. accessibility • Access from more places, but not from most places • Remote access was complicated technology = high TCO • Today • Access with security • Web browsers = access from anywhere • Solutions optimized for simplicity = yield low TCO
SSL VPN • SSL Access delivers a greater ROI than other remote access technologies because it performs better in each of the areas listed above
What is SSL VPN? SSL VPN technology allows users to remotely access applications and files from a web browser. Even non-web applications can be accessed using SSL VPN.
Typical SSL VPN Session • 1. Enter URL • 2. Login • 3. Portal Page
Typical SSL VPN Session • 4. Launch Applications (Native Outlook, Citrix Metaframe, iNotes, File Access) • 5. Logout
Benefits • Productivity Boost • Employees access from more locations • Cost Savings • Reduces reliance on costly IPSEC VPNs • Top Line Revenue • SharePoint can be used for more purposes • Business Continuity • Systems are accessible even if facilities are not
Why Is SSL VPN On the Rise? • Who can access and from where • Scalability: Employees, partners, customers, prospects • Ubiquity: Virtually any web connected device • Simplicity: Easy to use • What can be accessed • Access: Most business applications and systems • Security: Flexible platforms maximize secure access • Cost of providing access • Initial layout: Less expensive than alternatives • Maintenance: Easier to administer with less support
Dial Up • Employees dial up to the organization using modem lines • Older technology – before Internet mass adoption • High cost: modem pools, dial-up servers, phone lines, long distance charges • Slow connection speeds • Fiscally inefficient – normally under-utilized, maxed out during peaks • Easy target for low-tech DoS attacks • Does not provide access from anywhere in case of business recovery • A growing number of web-enabled applications are designed to leverage the Internet – why would you want to do otherwise? • Phasing out in general
IPSEC VPN • Virtual Private Network – like a long Ethernet cable • Leverages Internet for connectivity • High speed • Issues • Client-side costs: purchase and maintenance • Access available only from specific devices • Usually deployed to limited number of users • Invented before maturation of web and ubiquity of web browsers • Appropriate usage for existing implementations • Limited number of remote employees (and very limited partners) • Always accessing from specific company-owned computers • Inappropriate for • Large scale deployments • Business continuity purposes
Native Web Access • Issues • Not all applications have web interfaces • Web interfaces often do not offer full application functionality • Security • Hackers and worms can penetrate • Ports open to internal network • Violates corporate policies • Not normally implemented
What Is an SSL VPN Gateway? • Enables remote access from web browsers • Ensures security of systems and data
Enables Access to Web Apps • Web Applications – Makes systems with internal references work • Improves upon portals for delivering web apps • Translation of internal references • http://hrserver/ → https://ra.whale.com/593a1d8b2b4c20ff1b9c6254fadf/index.html • http://internal.whale.com → https://ra.whale.com/1f1513043b4619c419ca6254c174/start.asp
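The reference translation above is the core of a web-mode SSL VPN gateway: each internal host is published under an opaque path segment on the gateway, links inside relayed pages are rewritten to point there, and the gateway maps the segment back to the real server on the way in. The following is an added example written for this page, not Whale Communications' code; it keeps the slide's hostnames (ra.whale.com, hrserver, internal.whale.com) and assumes a per-session HMAC key for deriving the 28-hex-digit prefix, an allow list of reachable internal hosts, and a simple attribute-based HTML rewriter.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# External name of the gateway, as on the slide.
GATEWAY_HOST = "ra.whale.com"

# Per-session secret (assumption). Deriving the prefix from a session key means
# the same internal host gets a different opaque path for each user, so a
# prefix copied out of one session is useless in another.
SESSION_KEY = b"example-session-key"

# Internal servers this session may reach (assumption; hosts taken from the
# slide). A URL naming any other host is never relayed.
ALLOWED_INTERNAL = {"hrserver", "internal.whale.com"}


def prefix_for(host: str) -> str:
    """Opaque 28-hex-digit path segment published for an internal host."""
    mac = hmac.new(SESSION_KEY, host.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:28]


# Reverse table, built once per session: prefix -> internal host.
_PREFIX_TO_HOST = {prefix_for(h): h for h in ALLOWED_INTERNAL}


def to_external(internal_url: str) -> Optional[str]:
    """http://hrserver/index.html -> https://ra.whale.com/<prefix>/index.html
    Returns None when the host is not one this session may reach."""
    parts = urlsplit(internal_url)
    host = parts.hostname  # urlsplit lower-cases the host for us
    if host is None or host not in ALLOWED_INTERNAL:
        return None
    path = parts.path or "/"
    return urlunsplit(
        ("https", GATEWAY_HOST, f"/{prefix_for(host)}{path}", parts.query, parts.fragment)
    )


def to_internal(external_target: str) -> Optional[Tuple[str, str]]:
    """/<prefix>/start.asp?x=1 -> ("internal.whale.com", "/start.asp?x=1")
    Unknown or malformed prefixes return None: the gateway refuses the
    request rather than guessing which server was meant."""
    path, sep, query = external_target.partition("?")
    m = re.fullmatch(r"/([0-9a-f]{28})(/.*)?", path)
    if not m:
        return None
    host = _PREFIX_TO_HOST.get(m.group(1))
    if host is None:
        return None
    return host, (m.group(2) or "/") + (sep + query if sep else "")


# href/src/action attributes with a quoted value.
_ATTR_REF = re.compile(r"""(href|src|action)=(["'])([^"']+)\2""", re.IGNORECASE)


def rewrite_html(body: str, page_host: str) -> str:
    """Rewrite references in a relayed page so the browser keeps talking to the
    gateway. Absolute URLs go through to_external(); root-relative ones
    ("/logo.gif") are re-rooted under the page's own prefix, because the browser
    would otherwise request them from the gateway's root and miss. Relative
    references ("img/x.gif") already resolve under the prefix and are left
    alone, as are URLs pointing at hosts outside the allow list."""
    def repl(m):
        attr, quote, value = m.group(1), m.group(2), m.group(3)
        if value.startswith(("http://", "https://")):
            ext = to_external(value)
        elif value.startswith("/"):
            ext = to_external(f"http://{page_host}{value}")
        else:
            ext = None
        return m.group(0) if ext is None else f"{attr}={quote}{ext}{quote}"
    return _ATTR_REF.sub(repl, body)
```

The important property is that the prefix is the only thing the browser ever learns about the internal network: a request whose prefix is not in this session's table is dropped, not resolved, so an attacker cannot reach hrserver by guessing a name. Rewriting must also cover references generated in scripts and in redirects (Location headers), which a real gateway handles with application-specific rules; those are out of scope here.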
Enables Access to C/S Apps • Client/Server Apps, Telnet, and Terminal Services • Allows them to work over SSL instead of using proprietary communications ports • Can be triggered from a link within a portal page or from the SSL VPN • Tunneling • Intercepts requests, transfers to SSL Gateway, and relays to “real server” • Translates IP numbers and ports when necessary
Enables Access to Files • File Access – Provides remote access to file repositories and home/project directories • Type 1: Explorer-like interface in web browser, all file commands performed on SSL Gateway • Type 2: Remote drive mounting – transfer file commands over SSL (like a C/S application) • Provided as separate application or within a portal
Provides User Interface • Creates simple but powerful user experience (GUI, automatic server selection, etc.) • Can leverage existing portal interfaces (e.g., SharePoint) • Avoids extraneous helpdesk calls • Flexible interface simulates normal work environments • Automatically selects each user’s servers (for email, apps, etc.) based on UserID • Single Sign On • Toolbars
Security • Organizations often recognize the benefits of remote access, but not the security issues • Many of the security issues are new with the advent of SSL VPN – and corporate security experts may not be familiar with them…
SSL Access Security Issues • Network-side • Problems created by allowing access into your infrastructure • Client-side (end point) • Problems created by allowing access from unknown devices • NEW ISSUES – Different than classical end-point security • User • Authentication, Authorization
Network-Side Security Concerns • SSL VPN relays requests from Internet • Exposure to hackers, worms, viruses, etc. • Buffer overflows - execute arbitrary code • Denial of Service or service degradation of production servers • Malformed URLs • Inappropriate access to confidential information
Network-Side Security Concerns • Ports open/tunneled to the internal network • IPSEC disguised as SSL: a full network tunnel carried over SSL opens the same internal ports an IPSEC VPN would
Client-Side Security Concerns • Access from insecure devices • Access from secure devices
Access from Insecure Devices • Issue: sensitive data stored on access devices • Databases & files • Documents opened as email attachments • History and AutoComplete information • Cached data
Access from Insecure Devices • Issue: Users may not log off • Inappropriate parties may be able to continue sessions • Data will remain cached • Auto-refresh of Inbox, etc., may prevent SSL VPN inactivity timeouts from functioning
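The last bullet is easy to get wrong in a gateway: if every HTTP request is treated as user activity, an inbox page that polls for new mail every minute keeps an abandoned session open on a kiosk indefinitely. The following is an added example for this page, not code from the original presentation or from any vendor; it assumes a 15-minute idle limit, a 10-hour absolute limit, a configured set of known polling endpoints and a hypothetical marker header, and replays a constructed request trace to show the difference.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

IDLE_TIMEOUT = 15 * 60         # seconds without *user* activity before forced logoff (assumption)
ABSOLUTE_LIMIT = 10 * 60 * 60  # hard session lifetime regardless of activity (assumption)

# Requests a browser issues on its own while a page sits open (assumed names;
# a real gateway would configure these per application). They must not be
# mistaken for a person at the keyboard.
BACKGROUND_PATHS = {"/inbox/refresh", "/owa/poll", "/keepalive"}


@dataclass
class Session:
    started: float
    last_user_activity: float


def is_background(path: str, headers: Dict[str, str]) -> bool:
    """Automatic poll/refresh traffic, recognised by endpoint or by an explicit
    marker header (the header name is hypothetical)."""
    if path.partition("?")[0] in BACKGROUND_PATHS:
        return True
    return headers.get("X-Background-Refresh", "") == "1"


def touch(session: Session, path: str, headers: Dict[str, str], now: float,
          count_background: bool = False) -> None:
    """Advance the idle clock. With count_background=False (the hardened
    behaviour) only user-initiated requests extend the session; with True every
    request does, which is how an auto-refreshing inbox keeps an abandoned
    session alive for as long as the browser window stays open."""
    if count_background or not is_background(path, headers):
        session.last_user_activity = now


def is_expired(session: Session, now: float) -> bool:
    return (now - session.last_user_activity >= IDLE_TIMEOUT
            or now - session.started >= ABSOLUTE_LIMIT)


def replay(events: Iterable[Tuple[float, str]], start: float = 0.0,
           count_background: bool = False) -> Optional[float]:
    """Feed (time, path) requests, in order, to a session that logged in at
    `start`. Returns the time at which a request found the session expired (and
    would be refused), or None if it was still alive after the last request."""
    session = Session(started=start, last_user_activity=start)
    for now, path in events:
        if is_expired(session, now):
            return now
        touch(session, path, {}, now, count_background)
    return None


if __name__ == "__main__":
    # Constructed trace: the user logs in, walks away, and the inbox page polls
    # every 60 s for the next 30 minutes.
    polls = [(float(t), "/inbox/refresh") for t in range(60, 1801, 60)]
    print("polls count as activity:", replay(polls, count_background=True))  # None
    print("polls ignored:          ", replay(polls))                          # 900.0
```

The absolute limit is the backstop for endpoints the gateway fails to classify; a session that is still being polled ten hours after login is ended regardless. Classification by endpoint is the weak point of the design, which is why the slide's secure log-off (wiping data when the window is closed or the browser dies) is still needed alongside it.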
Access from Insecure Devices • Access devices may not conform to security policies • Personal firewalls • Anti-virus • No KAZAA, Morpheus, etc. • Some devices may not run ActiveX or Java • So any security software the SSL VPN sends to the client won't work
Access from Secure Devices • “Lowest Common Denominator” rules reduce productivity • Easy to say “Don’t provide access” if not compliant • But, we want to provide as much access as is safe • If we don’t provide access from insecure devices we cannot use the SSL VPN for customer access, for partner access, or as a business continuity solution. • But, reducing access to a uniform level across all machines unnecessarily curtails access from secure devices!
Network-Side Security Response • Relay appropriate level traffic • Application Firewalling
Relay Appropriate Level Traffic • From general devices • Application level, not network traffic • Intercept requests and forward accordingly • From corporate laptops, office computers, and similar devices • Full network-type communications (maybe)
Application Firewalling • Filter requests and allow only valid requests to pass • Many Web solutions available; can be optimized for specific applications • Filtering for client/server applications is complicated
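"Allow only valid requests to pass" means a positive model: the gateway describes the requests each published web application legitimately receives, and relays nothing else, which is what blunts the malformed-URL, overlong-input and traversal probes listed under the network-side concerns before they reach the internal server. The following is an added example for this page, not the presenter's or Whale's code; the application model (an "HR" application with two pages and a static directory), the length caps and the parameter shapes are assumptions. As the slide notes, this kind of filtering applies to web traffic; tunneled client/server protocols need protocol-specific parsers.

```python
import re
from typing import Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

MAX_TARGET_LEN = 2048   # assumption: longer request targets are dropped unread
MAX_PARAM_LEN = 256     # assumption

# Positive model for one published application (assumption: the slide names no
# application; "HR" follows its hrserver example). Each path pattern lists the
# only query parameters it accepts and the shape each value must have.
# Patterns are applied with fullmatch(), deliberately not with ^...$: with `$`,
# the value "2004\n" would still satisfy r"^\d{4}$".
HR_APP_RULES = {
    "methods": {"GET", "POST"},
    "paths": [
        (re.compile(r"/index\.html"), {}),
        (re.compile(r"/payslip\.asp"),
         {"year": re.compile(r"\d{4}"), "month": re.compile(r"0?[1-9]|1[0-2]")}),
        (re.compile(r"/static/[\w.-]+\.(?:css|gif|js)"), {}),
    ],
}


def check_request(method: str, target: str, rules: dict) -> Tuple[bool, str]:
    """Decide whether a request may be relayed to the internal server.
    Returns (allowed, reason). Anything not explicitly modelled is refused, so
    the internal server only ever sees requests of a known shape."""
    if len(target) > MAX_TARGET_LEN:
        return False, "request target too long"
    if method not in rules["methods"]:
        return False, f"method {method} not allowed"

    parts = urlsplit(target)
    path = unquote(parts.path)  # judge the path as the server will decode it
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return False, "control character in path"
    if ".." in path.split("/"):
        return False, "path traversal"

    for pattern, params in rules["paths"]:
        if pattern.fullmatch(path):
            allowed = params
            break
    else:
        return False, "path not in application model"

    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed:
            return False, f"unexpected parameter {name!r}"
        if len(value) > MAX_PARAM_LEN:
            return False, f"parameter {name!r} too long"
        if not allowed[name].fullmatch(value):
            return False, f"parameter {name!r} malformed"
    return True, "ok"
```

The model is checked after percent-decoding so that `%2e%2e` is caught as traversal, and a doubly encoded path simply fails to match any pattern; both outcomes are "deny", which is the point of a positive model. The cost is maintenance: every new page or parameter the application gains must be added to the rules, which is the trade-off the slide alludes to when it says solutions "can be optimized for specific applications".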
Client-Side Security Response • Erase sensitive data stored on access devices • Secure Log-Off • Tier access based on device’s environment • Security and Compliance Policy
Don’t Leave Data Behind • Issue • Sensitive data stored on access devices • Solution • SSL VPN must wipe sensitive data from insecure machines • Session termination: logoff, browser crash, window closed, reboot, etc. • Wipe: temporary files, cookies, History, AutoComplete, standard system/proprietary caches, etc. • Most SSL VPN vendors provide some wiping capabilities • Third-party add-on products also available