320 likes | 554 Views
EMS Summit – Network Remote Access. VPN Solutions Voice over IP Secure e-mail. William E. Ott Friday August 25, 2006 1300 – 1400 EDT. Secure Communications. Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources
E N D
EMS Summit – Network Remote Access VPN Solutions Voice over IP Secure e-mail William E. Ott Friday August 25, 2006 1300 – 1400 EDT
Secure Communications • Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources • Voice traffic is starting to move to data circuits (VoIP) Not secure on its own • How do you secure e-mail traffic?
Cost Availability Technical support Bandwidth Security Impediments to Remote Access
Traditional Remote Network Connectivity Options • Network Connection Technologies • Private circuits (i.e. frame relay) • Expensive • Dialup • Slow • Network Service Technologies • telnet, ftp, ssh, http, https, proprietary • Some are secure, some are not • Architecture • Remote circuits terminated directly into the core of the enterprise network • Insecure
Internet Access For the enterprises From our homes The Web Sharp increase in Internet use Browsers become ubiquitous Broadband Fast Economical Internet Access Shared infrastructure Public exposure The Web Sharp increase in Internet use Access to content: useful and malicious Broadband Remote endpoints (i.e. home PCs) always on New Requirements / New Threats
Access Types Considered • Dial-Up – Already in use • Dedicated Access (T1, Frame) – Already in use • Network to Network IPSEC VPN • Client to Network IPSEC VPN • SSL VPN
Security Requirements • Define the perimeter • A perimeter exists every place where there’s a differentiation in policy or responsibility • Identify and authenticate remote sites and users • Consider “strong” and multi-factor authentication options • Provide privacy & integrity for communications • Business data • Authentication credentials • Secure endpoints • Apply enterprise security policy to remote endpoints • Limit exposure • Remote users probably don’t need to access “everything.”
Solutions? • Virtual Private Networks • IP-Sec • Remote network access • SSL • Remote application access • SSH • Remote administration
Remote Assess: the parts • Assess • Diverse client base • Distributed client base • Access to applications and data • Minimize delivery time • Minimize agency support requirements • Conform to federal requirements including two factor authentication • Security
IP-Sec • Types • Site to Site • Remote Client • Security Considerations • Encryption • Authentication • Split Tunneling • Client Policy Enforcement • Firewalls (inside and outside the VPN)
Pros Well suited to replace private circuits “On the network,” user experience Extensive support for various encryption algorithms and authentication options Mature technology Cons Quality of Service dependent on shared network (i.e. the Internet) Client application required Limited cross-vendor interoperability Some configurations are not compatible with NAT IP-Sec VPN Pros and Cons
Remote Office VPN • Targeted at sites with > 10 users • Secure (IPSec) VPN • Inter-agency Alliance managed end-to-end • Connectivity to Legacy applications and new inter-agency alliance portal • Client premise equipment • Firewall/VPN Device • 1 - 10/100 Ethernet port • Objective • Minimize impact of new solution on legacy networks while providing flexibility of deployment
PC PC Alliance PC PC PC PC Client Network Firewall Firewall Firewall Alliance Alliance Internet Internet Internet Local Integration • Topology • Inside, DMZ, Outside • Addressing • Client provides single IP address for VPN • Address translation • Routing Changes • Client routes alliance applications to VPN
SSL VPN • Types • Remote Client • Security Considerations • Encryption • Authentication • Application publication • HTTP • Citrix / MS Terminal Services / Common Services • SSL VPN client application may be used to proxy other application types or even establish a full PPP connection • In which case, the IP-Sec security considerations apply
Pros Super-easy access to enterprise application infrastructure Ability to “publish” non-web applications Ability to use standard web browser to access published application Cons Client VPN only Client application still required for “on the network” experience SSL VPN Pros and Cons
SSL VPN • Targeted at mobile or sites with < 10 users • Enrollment and Support for Multiple members • Provides clientless access to alliance resources • Requires only a browser and internet connectivity • 2-factor authentication • One-Time password token • Token delivery efficiency
SSH • Primarily for remote administration • Encrypted “telnet” and “ftp” • Port forwarding • Highly interoperable • Supports nested tunnels • Can be used in a bastion host architecture to provide secure remote access
Architecture Best Practices • Identity Management • Authentication • Authorization • Logging • Client system policy compliance • Split tunneling (IP-Sec)
Remote Access Summary • Begin by determining what portions of the environment must be accessed remotely • Select the secure remote access solution that meets your needs • Understand the security architecture of the solution you use • Develop the appropriate architecture • Integrate the solution with other security services as necessary
Remote Access Summary • Have a broad view of how the solution will be used • Placement of equipment • Infrastructure • Applications being accessed • Clearly define the process for provisioning tokens and providing user access
Voice over Internet Protocol • VoIP is growing rapidly • VoIP traffic should be secured site to site if used for sensitive information • VoIP has excellent crisis communications capability • VoIP is often cheapest method of telephony from overseas
Email Security • HIPAA concerns with email • Email to wireless devices • Email from remote or home users • Email with vendors and clients • Internal Email between sites • If Email isn’t ‘managed’ you have no control once sent • Many Email options
What technologies are emerging • Faster wireless • Real time video • High resolution cameras in phones • Convergence of data, voice, video into single devices