1. The Remote Access Revolution: Practical Solutions for the Enterprise
Dean Ocampo, CISSP, Check Point Software
Manager, Web Security Product Marketing
Steve Neville, Entrust, Inc.
Sr. Manager, Identity Products & Solutions
April 5, 2006

2. Agenda The Realities of Remote Access Today
Check Point: A Comprehensive Solution for Remote Access
Changes in the Strong Authentication Market
Entrust IdentityGuard—A Practical Revolution in Action
Customer Case Study
Conclusion & Questions

3. The Rise of Work Anywhere
2005 Statistics*
45.1M Teleworkers
26.1M 1+ day/week
Average 3.4 locations
Drivers**
Recruiting Incentive
2nd only to salary
Rising Gas $$
Next let’s look at some usage stats for remote access. In a US survey of consumers, the Dierenger group attempted to asses the usage of RA in the US population. Their stats show that about 45.1M workers in the US work from home at least 1/month, about 26M of these work at home at least 1/ week. The chart on the right shows the growth of RA the last few years, reflecting the general economy and increased employment over the last few years. Actually, as the economy and employment improves, many companies are looking at teleworking as recruiting incentive and came in second only to salary as to major factors when workers consider a job. And do I need to say anything about the price of gas?
One of the most interesting stats out of this report is that these remote access users access the network from many different locations, averaging 3.4 different places they access the network when they telework.
The American Interactive Consumer Survey is the premier U.S. survey comparing consumer use of the Internet with traditional marketing channels for purchase decision making and purchasing.
* American Interactive Consumer Survey, Dieringer Group **Robert Half International

4. The Rise of Work Anywhere
Extranet
Partners
Day
Extenders
Part-time
Teleworkers
Road
Warriors
Full-Time
Teleworker
Branch
Offices
Large
Home
Client/ Customer
Car
Vacation
In fact, of these 45.1M users, 24M access from a Client or Customer site.
Read through stats- on Vacation
And this starts to get to an interesting question, with all the remote access products we now have in our portfolio, what product do we offer to a customer and when. In reality, the answer depends on how our customer needs to use it. What you see here is a break down of the major catagories of remote access user types you would see in the distributed business, essentially following categorization that the Gartner Group uses. When you look at your customers needs from this perspective, you can start seeing how they intend to use it and get a feel for what their priorities will be. This is a tool we will revisit in a few minutes.
Outside
Train/Plane
*American Interactive Consumer Survey, Dieringer Group

5. Work Anywhere Endpoint Diversity
Day Extenders
Basic applications
Home computer
Add more remote users beyond current 20 percent
Less technical employees
Partners
Reduce remote access support costs
Browser based; no client maintenance
Less end user complexity
Additional access options
Access from home PC, corporate PC, Internet kiosk
Teleworkers
Applications
Company computer
Mobile workers
Basic applications
Company computer or public computer
[Note: This slide is optional and may be omitted. Use for customers who are not familiar with SSL VPN.]
SSL VPNs are a new way to enable remote access and have emerged as the result of several business trends. First of all, browsers have become ubiquitously deployed and almost all universally support SSL encryption. Second, people who use the Web today use SSL on a regular basis for paying bills or ordering online. Third, most applications in an organization have moved away from a client/server model to a Web-based model. Given this scenario, SSL VPN gateways have emerged as a way to marry these three trends and enable secure remote access through browsers via SSL VPN as well as grant them access to internal applications.
Thus SSL VPN enables anywhere-based access, using the browser as a client secured through SSL. This has resulted in two main advantages: 1) there is no software to install for remote access and 2) a Web-based interface that is friendly and familiar even for nontechnical users. Both of these result in reduced helpdesk calls for either software issues or user interface issues.
But best of all, SSL VPNs are enabling new business trends. First, statistically speaking, typically about 20 percent of an organization’s employees have some type of remote access. With the increased reliance on online and networked applications, most organizations would like to grow the proportion of their employees with remote access beyond the core 20 percent—growing even beyond 50 percent. And SSL VPN is a great way to do that, especially as you grow the pool of remote access users, you start running across less-technical users where an easy-to-use Web-based interface is a great fit.
In addition, SSL VPN enables a new class of users: Day Extenders. A Day Extender is an employee who will check her or do some work maybe an extra hour from home or another hour on the weekend—thus extending her day. The browser-based capability of SSL VPN is a great way to enable Day Extenders in an organization, driving increased productivity without extra cost.
Intranet
Applications
Files
Extranet
Portal
Extranet access
Partner computers

6. Anywhere Challenges Security
With IPSec you knew who was coming in
With SSL VPN you don’t (usually)
Firewall,
antivirus +
“Spyware is no longer just an annoying pest swarming home PCs; rather, it has evolved into a serious enterprise security threat.”
– IDC Worldwide Spyware Forecast and Analysis (Nov. 2004)
Company-
owned PC
Partner PC
Access
Agreement
The tremendous advantage of SSL VPN is that the corporation can now be accessed from anywhere, but it is also the most significant challenge for IT organizations.
Let’s take the IPSec model as an example. IPSec is the current “gold standard” for remote access and used by many organizations. There are several inherent security advantages to IPSec:
As there is software to install, you generally knew what endpoint PCs had the software (corporate-owned PCs, for example)
Most good IPSec clients come with security controls included with the software and thus provide good security. For example, the Check Point SecureClient enables a personal firewall, as well as configuration checking in the client.
For third-party PCs, due to software installation, you had the opportunity to negotiate and require an access agreement that could help mitigate risks through policy.
In summary, IPSec gave you a good, controllable access model with good security controls.
With SSL VPN, there is a new variable—and that is the Everywhere Endpoint. Given that the anywhere browser is the access client, your model now has a nearly infinite number of variations on where a user could enter your network, and this includes:
Corporate-owned PC
Employee PC with security software
Employee PC shared with the family and little security
Friend’s PCs
Business center PCs
Public Internet kiosk
Endpoints now run the full gamut from secure to totally unsecured PCs.
Company-
owned PC
Employee
home PC
Partner PC
Public
Internet kiosk
Completely
unmanaged/unsecured

7. Regulations Governing Information
HIPAA
Safeguarding Sensitive Information
Basel II
Risk Management
EU Directive
PCI/CISP
FISMA
California SB
GLBA
While some regulations have grown in houses of government, others in agencies or industry associations…they all share some common objectives – all are oriented, in one way or another, toward ensuring the integrity, accuracy, and confidentiality of information and in security of supporting systems, infrastructure and processes.
In general, regulations can be categorized according to 3 motivations: risk management, safeguarding of information and strengthening internal controls. Regulations come at this from different angles, and include IT and non-IT components. IT components include the management and protection of information and infrastructure and tools for enabling or facilitating the non-it specific tasks. IT activities play a critical role in compliance – whereas IT activities account for about 20% of the total number of compliance related tasks, 80% of time involved in compliance is spent on IT-related tasks (IDC)
IDC Quote: “Through the utilization of good IT control architecture, strong policies, and a technology solution capable of managing, maintaining, and reporting on the status of enterprise compliance, enterprises could significantly reduce the number of man-days required for supporting the compliance system”
80% of time involved in compliance is spent on IT-related tasks (IDC)
Sarbanes-Oxley
EU 8th Directive
Internal Controls & Governance

8. Key Regulation Commonalities and Check Point Solutions
Requirement
Check Point Solutions
Access management
Site-to-Site IPSec VPNs, Remote Access IPSec VPNs, Remote Access SSL VPNs (VPN-1, Edge, Connectra)
Transmission security
IPSec, SSL, TLS, DES, 3DES, L2TP, etc.
Authentication
User/Pass + OPSEC partners for strong Authentication
Policy management
Unified Security Architecture (SmartCenter)
Malicious software protection
Integrated Intrusion Prevention and End Point Security (Integrity, Application Intelligence, Web Intelligence)
Access Management—an integral starting point of all regulations, access management refers to the ability to limit, control, and manage the authorization (permission) and access by stakeholders—employees, partners, others external—to corporate network, resources and data. Access management is so central that without it a company is practically guaranteeing noncompliance with existing regulations.
Different regulations describe access control specifications differently, but each contain the core principles of requiring policies, procedures and technologies for protecting the access to vital corporate resources, use of authorization and effective monitoring of authorization privileges and of access attempts.
Authentication—it is not enough to assign and limit access to different resources and data. It is crucial to ensure that the person or entity gaining access is who they say they are. Without authentication, hackers and intruders can exploit this limitation.
When you look at some of the key regulations like SOX, HIPAA, and GLBA, there are common requirements among them revolving around providing reasonable and appropriate access controls. As it pertains to endpoint security—Check Point Integrity can be used as a solid endpoint solution to help address access control requirements.
Integrity offers desktop/laptop protection against malware while providing extensive policy enforcement controls and management tools that can be easily leveraged to ensure and illustrate robust access controls to comply across the key regulations.
Ask your customer:
Do you want to make sure that hacker tools like spyware, keystroke loggers, and Trojan horses can't be used to steal sensitive or valuable information about your company's financials, customer records, and other key information?
Integrity ensures policy compliance out and provides encryption and digital certificate authentication for data transmission. These features will help you provide the endpoint security controls necessary to protect and preserve the integrity of data and maintain a level of privacy for your customers, which is a requirement of the regulations.
Integrity's application control and Program Advisor service stops spyware, keystroke loggers, and other hacker tools preemptively, safeguarding sensitive and valuable enterprise information, which can be leveraged to ensure compliance with HIPAA, SOX, and GLBA.
Integrity provides the protection at the desktop and mitigates the risk of major data loss caused by hackers, worms, spyware, and other threats that evade reactive, signature-based products.
Question your customers on their endpoint security strategy and sell Integrity to provide the protection against malware and fulfill their compliance needs.
Intrusion detection and blocking
Integrated Intrusion Prevention (Application Intelligence, Web Intelligence)
Security Auditing
Cross-Product Reporting & Monitoring (Eventia Reporter)
Incident handling
Cross-Product Event Correlation (Eventia Analyzer)

9. Check Point Secure Remote Access Solutions
SmartCenter
SmartDefense Service
Eventia Reporter
Eventia Analyzer
Extranet
Partners
Day
Extenders
Part-time
Teleworkers
Road
Warriors
Full-Time
Teleworker
Branch
Offices
Large
VPN-1
Edge
Site-to-Site
IPSec VPN
Integrity
SecureClient
Remote Access
IPSec VPN
Connectra
Web
Portal
(Clientless)
SSL
Network
Extender
Remote Access
SSL VPN
And in the end, we now can present our customers with a comprehensive suite of solutions unified under a single security architecture. The customer can focus on their business needs and select the product that matches there needs the best. As we move down the distributed business, each needs progressily changs from fixed connectivity for Intranet VPN and branch office, down to the highly variable and mobile day extender and partner users.
And for each of these needs, Check Point has solutions. From Edge which can connect branches and some remote workers. To ISC for teleworkers, with integrated endpoint security to protect company owned PCs. To SSL Network Extender and Connectra which is great for some teleworkers, daty extenders and Partners. And this all falls under the USA which presents the network as a single entity:
SmartCenter management, SmartDefense service to update the infrastructure, Eventia Reporter to check its health, and Analyzer to keep a vigilant eye on the network.

10. Strong Authentication & Entrust IdentityGuard
A Practical Revolution in Action

11. The need for stronger authentication…?
Customer database
Sales forecasts
HR records
Etc…
Pressure to make more information available to employees anywhere, anytime
Need to balance access with corporate and regulatory compliance (PCI, SOX, HIPAA, etc…)

12. Payment Card Industry (PCI) Data Security Standard Formerly Visa CISP
Legislation Example: Payment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard
Formerly Visa CISP
Applies to anyone who deals with cardholder data
Audit requirements and financial penalties for non-compliance
First Data Corp. reports 85 percent of affected companies have yet to meet PCI standard requirements …

13. Implement Strong Access
Control Measures

14. Traditional Candidate Technologies
Biometrics
Smartcards
IT Security Extensibility
Tokens
Purchase & Deployment Investment
Authentication Only
Digital Certificates
Authentication, Encryption, Digital Signatures
Inert Tokens
Passwords
Authentication Strength

15. The Authentication Challenge – One Size Does Not Fit All
Remote Access (Executives, Sensitive Data)
Enterprise authentication requires a range of capabilities
Remote Access (Avg. User)
Increasing Authentication Strength
Increasing Req. For Security
Desktop Login
Onsite Web
Transaction Type

16. Addressing the Authentication Challenge: Entrust IdentityGuard$
Entrust delivers:
Multi-factor strong authentication platform
Flexible, risk-based solution
Easy to use and support
Inexpensive to deploy
Biometrics
Smartcards
Tokens
Traditional
Purchase & Deployment Cost
Digital Certificates
Passwords
Authentication Strength

17. Range of Risk-Based Strong Authentication
Policy-based authentication allowing single authentication layer to meet multiple business requirements
Per transaction, per user, per application, per LOB…
Out-of-Band
One-time-passcode to mobile device or phone
Machine Auth
Authorized set of workstations
Grid Auth
Grid location challenge and response
Provide a range of risk-based authentication options
Range of transparent and two-factor authentication methods
Allow for cost & risk matching of authenticator to customer type (retail banking, retail brokerage, small business)
Allow for use across channels
Authenticate when required (and only when required)
Allow authentication for given transaction risk
Don’t punish customers for multiple transactions
Key Point: Range that can be deployed independently or in conjunction with one another
Grid Authentication: Authentication grids themselves can be readily deployed on simple, plastic cards or in conjunction with existing statements or ATM or credit cards. This puts the authentication capability in the hands of users using the same distribution channels that exist today. In addition, day-to-day use is eased by the simple form factor which makes the grid easy to carry – allowing it to be kept in the user’s wallet or purse where it is readily accessible.
In terms of the authentication itself, the row/column look up format is largely intuitive, drawing from user experience in games such as bingo or battleship as well as the use of maps. In fact, independent usability testing has shown 94% unaided authentication success across a broad range of user ages and backgrounds.
Machine Authentication: While leveraging the computer being used to conduct the online session, this method of authentication does not require deployment of software or hardware. Instead, by transparently capturing a fingerprint of that hardware, it can be used to compare against the computers being used in future web sessions – all transparently to the user. Further, the process for registering new computers is easily achieved by leveraging one of the other Entrust IdentityGuard strong authentication methods. For example, to register a new computer, a user could answer select challenge questions from the knowledge-based authentication method.
Knowledge Authentication: Without the need to deploy any physical authenticator to the user, knowledge-based authentication provides an easy to use method of strong authentication, as it draws on information the user knows. Enrolment is a one-time process where shared secrets to be used in questions are captured and from that point, users need only answer these questions. Techniques such as allowing users to choose the questions and ensuring answers are not punctuation or case sensitive help to ensure successful completion.
Scratch Pad Authentication: This method of authentication involves generating lists of one-time-passcodes that are printed on plain paper or in a scratch pad format. Each passcode is used once only at transaction time. This method (in general) is deployed primarily in central Europe today through home-grown applications, enabling organizations to leverage a commercial product like Entrust IdentityGuard to not only support a familiar authentication method, but also have an authentication platform in place to extend to new options.
Out-of-Band: Like device authentication, this method leverages hardware that is already in the hands of the end user. Whether it is a mobile or fixed phone, personal digital assistant or an account on a computer, this method allows the user to securely receive out-of-band one time passwords in a convenient way. Out-of-band authentication layered on top of, for example, machine authentication, can help address concerns about man-in-the-middle attacks.
More Coming Soon!
Knowledge Auth
Challenge / response questions
Scratch Pad Auth
One-time password list

18. Extensible Across the Enterprise
Microsoft Windows Desktops
AnyUser
******
Remote Access: IP-SEC & SSL VPN, RAS, Citrix
Extranet (including Microsoft Outlook Web Access)

19. Entrust IdentityGuard: Platform Summary
Multi-factor authentication platform
Range of authenticators
Based on FIPS-validated cryptography
Stand-alone or layered
Easy to use and support
Easy to use options
No software or hardware to deploy
Inexpensive to deploy
Fraction of the cost of traditional options
Seamless integration with leading remote access vendors

20. Check Point & Entrust IdentityGuard Certified Integration
VPN-1 NGX
Radius
IP-SEC User
Internet
Radius
SSL User
Standard Radius Server
Radius
Check Point
Connectra NGX
Repository
LDAP / Active Directory
Database

21. Customer Case Study: Large US Financial Service Provider$
Customer Challenge:
Required cost-effective option for strong authentication to replace expensive RSA tokens
Absolute requirement for rapid integration with current Check Point VPN-1 for remote access
Need to fit within existing and new network topology
Solution:
Certified integration of Entrust IdentityGuard with Check Point VPN-1
Leveraging grid authentication option

22. Customer Case Study: Large US Financial Service Provider$
Key Customer Success Criteria:
Certified integration (OPSEC certified, Entrust Ready)
Initial & ongoing cost—fraction of the cost of RSA tokens, allowing for initial full replacement and plan to expand to many new users, still at a lower TCO!
Ease of integration—configuration only integration via Radius (Microsoft IAS)
Check Point
VPN-1 NGX
Microsoft IAS
IP-SEC User
Internet
Radius
Radius
MS Active Directory

23. Why Entrust & Check Point? We are Security Specialists…
Check Point- 100% of the Fortune 100
Check Point- 98% of the Fortune 500
Check Point- ~ 100,000 Customers
Entrust- #12 of 600+ security software companies
Entrust- Industry pioneer and leader, with 500 employees and 90 patents
Entrust- Best in class service and support, and integration with leading technology vendors

24. Check Point & Entrust: A Remote Access Revolution
Combined solution delivers:
Integrated security for diverse, anywhere access
Strong VPN and Authentication Partnership
Easy to use and support multi-factor authentication
Inexpensive to deploy

25. The Remote Access Revolution: Practical Solutions for the Enterprise
Thank You!
The Remote Access Revolution: Practical Solutions for the Enterprise
Dean Ocampo, CISSP, Check Point Software
Manager, Web Security Product Marketing
Steve Neville, Entrust, Inc.
Sr. Manager, Identity Products & Solutions
April 5, 2006