Ronald Beekelaar Beekelaar Consultancy Intelligent Application Gateway (IAG) 2007.

Presentation transcript:

1 Ronald Beekelaar, Beekelaar Consultancy, ronald@beekelaar.com. Intelligent Application Gateway (IAG) 2007

2 Introductions
Presenter: Ronald Beekelaar
  MVP Windows Security
  MVP Virtual Machine Technology
  E-mail: ronald@beekelaar.com
Work: Beekelaar Consultancy
  Security consultancy: Forefront, IPSec, PKI
  Virtualization consultancy: creates many VM-based labs and demos

3 Agenda
History: SSL VPN
SSL VPN connections: Web, non-Web, "VPN"
Portal / applications
Endpoint policies
Authentication / authorization

4 A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management.
(Product-line diagram with three columns: Edge; Client and Server OS; Server Applications. Intelligent Application Gateway 2007.)

5 IAG - Appliance (picture of the appliance)

6 IAG 2007
Supports all applications with SSL VPN
  Web, client/server, file access
  Homegrown or 3rd-party (Citrix, IBM, Lotus, SAP, PeopleSoft, ...)
Designed for managed and unmanaged users and devices
  Automatic detection of user system, software and configuration
  Access policies according to the device's "security state"
  Deletes temp files and data traces from unmanaged locations
Drives productivity with application intelligence
  Applies policy at the granular application-feature level
  Dynamically controls application data for the desired functionality
  SSO with multiple directories, protocols and formats
  Fully customizable portal and user interface

7 Allow secure remote access from trusted and untrusted client computers
All connections over TCP port 443 (SSL)
Access starts through a Web portal
  Authenticates to AD
  Contains the list of applications
  Click each application to access it

8 Web applications
  Normally use port 80/443
  Browser-based
Port/socket forwarding
  The application normally uses non-web ports, but the traffic is tunneled in 443
  ActiveX control, browser-based
Network Connector
  All protocols and all ports, tunneled in 443
  Real "VPN": the client receives a new IP address

9 IAG client components check the client computer's security settings
The client computer is called the "endpoint"
Based on the endpoint state, you define endpoint policies to allow:
  Access to the Web portal
    Example: do not even ask for credentials on an untrusted client computer
  Access to certain applications on the Web portal
    Example: hide the Network Connector option on an untrusted client computer
  Access to certain features of applications
    Examples: block SPS (SharePoint) uploads; disallow OWA attachments

10 A little history
The problem: with the growing prevalence of Internet connectivity, enterprises required platforms to provide remote access for employees, partners and customers in a secure way.
The solution?
  1st attempt: dial-up remote access; proved too costly, with a limited user experience.
  2nd attempt: limited use of reverse proxies to publish web-based applications.
  3rd attempt: IPSec VPN makes the leap to user remote access; IPSec VPN was first developed for site-to-site connectivity.

11 Reverse proxy
(Diagram: remote client, ISA Server, DNS Server and Web Server, with the request flow numbered 1 to 6.)
For each request ISA Server asks: Is the request allowed? Is the protocol allowed? Is the destination allowed?
ISA Server calls this "publishing".

12 Reverse proxy
(Same diagram as the previous slide.)
Publishes web apps for use from anywhere.
Handles pre-authentication, application filtering and SSL encryption at the edge.
However:
  Does not handle non-web (client/server) applications.
  Does not scale when publishing numerous web applications.
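The publishing decision sketched on these two slides, as an added example that is not part of the presentation and is not ISA Server or IAG code: a small Python model that answers the three questions in order (protocol allowed? destination allowed? request allowed?) and then requires edge pre-authentication before forwarding. The host names, the internal URL, the rule fields and the function names are assumptions chosen for the example; the rule set is constructed.

```python
import posixpath
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PublishingRule:
    """One published web application (field names are assumptions)."""
    public_host: str                 # host name the Internet client connects to
    internal_base: str               # internal server an allowed request is forwarded to
    methods: FrozenSet[str]          # HTTP methods the application may receive
    path_prefixes: Tuple[str, ...]   # only these paths are exposed (positive logic)
    require_auth: bool = True        # pre-authenticate at the edge before forwarding


@dataclass(frozen=True)
class EdgeRequest:
    """What the edge sees: method, absolute URL, and who (if anyone) has logged on."""
    method: str
    url: str
    user: Optional[str] = None


# Constructed sample rule set: publish OWA only, and only over HTTPS.
RULES = (
    PublishingRule(
        public_host="mail.example.com",
        internal_base="http://exchange.corp.internal",
        methods=frozenset({"GET", "POST"}),
        path_prefixes=("/owa", "/exchweb"),
    ),
)


def _under(path: str, prefix: str) -> bool:
    """True if path is the prefix itself or lives below it ("/owa2" is not under "/owa")."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def evaluate(req: EdgeRequest, rules=RULES):
    """Return ("forward", internal_url) or ("deny", reason)."""
    parts = urlsplit(req.url)
    # Protocol allowed? The gateway only accepts SSL/TLS on 443.
    if parts.scheme != "https":
        return ("deny", "protocol not allowed: only HTTPS is published")
    # Destination allowed? Host names that are not published go nowhere.
    host = (parts.hostname or "").lower()
    rule = next((r for r in rules if r.public_host == host), None)
    if rule is None:
        return ("deny", "destination not published")
    # Request allowed? Normalise the path first so "/owa/../admin" cannot
    # pass the prefix check by merely starting with "/owa".
    path = posixpath.normpath(parts.path or "/")
    if req.method.upper() not in rule.methods:
        return ("deny", "method not allowed: " + req.method)
    if not any(_under(path, p) for p in rule.path_prefixes):
        return ("deny", "path not published: " + path)
    # Pre-authentication happens at the edge, not on the internal web server.
    if rule.require_auth and not req.user:
        return ("deny", "pre-authentication required")
    target = rule.internal_base.rstrip("/") + path
    if parts.query:
        target += "?" + parts.query
    return ("forward", target)


if __name__ == "__main__":
    for r in (
        EdgeRequest("GET", "https://mail.example.com/owa/", user="alice"),
        EdgeRequest("GET", "http://mail.example.com/owa/", user="alice"),
        EdgeRequest("GET", "https://mail.example.com/owa/../admin/", user="alice"),
        EdgeRequest("GET", "https://mail.example.com/owa/"),
    ):
        print(r.method, r.url, "->", evaluate(r))
```

The order matters: the cheap checks that need no user context (scheme, host, path) run first, so an anonymous client that is not allowed to reach a published path never even sees the logon form, which is the same fail-closed shape the IAG endpoint policies described later apply at the portal.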

13 IPSec VPN
(Diagram: remote user on the Internet; ISA with IAS/RADIUS and quarantine at the edge; Active Directory on the corpnet.)
Full network connectivity from authorized devices
Quarantine features available for non-compliant clients
Unmanaged clients have no access
However:
  Increasingly difficult to manage on a large scale, given the variety and complexity of IPSec clients
  Blocked by (outgoing) firewalls

14 Terminal Services solution
(Diagram: a central location serving a mobile worker in an airport, a branch office and a home office.)
Built into Windows Server.
Expandable with 3rd-party solutions (Citrix and others).
Offers a complete desktop user experience or integrated applications.
Centralized server-based solution.
Typically limited deployments, given the server computing requirements.

15 A little history: IPSec dominates
Introduces the following limitations:
  Potential security exposure by extending the network
  Limited functionality from firewalled/NATed networks
  The client grows to accommodate more security functionality (virus inspection, split-tunneling control, etc.)
  The client becomes difficult to roll out:
    Requires administrative installation
    Clashes with other IPSec and security software
    Not very user-friendly
Result: enterprises limit usage to "road warriors" and managed PCs; TCO is high and ROI limited.

16 A little history: SSL VPN is born
Promises to offer similar functionality for any user, any location, any application.
Delivers on lower TCO.
Introduces new security considerations, as clients are now unmanaged.
The first wave of development was focused on connectivity; the current wave is focused on application intelligence.

17 SSL VPN building blocks
An SSL VPN solution is comprised of:
  Tunneling: transferring web and non-web application traffic over SSL
  Client-side security: security compliance check, cache cleaning, timeouts
  Authentication: user directories (e.g. Active Directory), strong authentication support, single sign-on
  Authorization: allow/deny access to applications
  Portal: user experience, GUI
(Diagram: SSL VPN gateway with Management, Authentication, Authorization, Portal, Tunneling and Security layers between the client and the applications: Web, simple TCP, other non-web.)

18 SSL VPN tunneling (3 kinds)
Web applications
  That's easy: just uses HTTPS
Non-web applications: port/socket forwarding
  Uses the SSL-wrapper client component
  Example: Terminal Server, tunnel RDP in HTTPS
Network Connector: full network access
  Uses the Network Connection client component
  The client gets an additional IP address
(Diagram: breadth of locations at the "anywhere" level. Web proxy, port/socket forwarder and network connection plotted against corporate laptop, home PC, customer/partner PC and Internet kiosk.)

19 Demo environment

20 Application protection
Access policies: allow/deny functions within the application (e.g. SharePoint attachment upload/download based on endpoint compliance)
Application firewall, protecting the application: predefined positive-logic rule sets
Single sign-on: knowledge about the required application login methods
Session cleanup agent: clears application-specific caches (e.g. the SharePoint offline folder)
Protecting the network session: ignores background polling commands when calculating the inactivity timeout; adds a secure logoff button where the application has none
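The last bullet (network-session protection) as an added example, not code from the presentation or from IAG: a Python sketch of inactivity-timeout bookkeeping that refuses to count an application's background polling as user activity, plus the injection of a gateway logoff link into pages that lack one. The polling URL patterns, the 15-minute limit and the /gateway/logoff path are assumptions; the request timeline is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

IDLE_LIMIT_SECONDS = 15 * 60   # assumed inactivity timeout

# Constructed patterns for requests that web mail and portal pages fire on a
# timer with no user present. Real gateways carry this knowledge per
# application; these regexes are assumptions for the example only.
BACKGROUND_POLLS = (
    re.compile(r"^/owa/.*[?&]cmd=(?:poll|pendingrequest)\b", re.I),
    re.compile(r"keepalive", re.I),
)


@dataclass
class Session:
    user: str
    last_activity: float        # time of the last request that a user actually made
    expired: bool = False


def is_background_poll(path_and_query: str) -> bool:
    return any(p.search(path_and_query) for p in BACKGROUND_POLLS)


def record_request(session: Session, path_and_query: str, now: float,
                   ignore_polls: bool = True) -> bool:
    """Return True if the request may proceed, False if the session has timed out.

    With ignore_polls=True a poll neither extends the session nor is refused
    before the limit; it simply does not count as activity."""
    if session.expired or now - session.last_activity > IDLE_LIMIT_SECONDS:
        session.expired = True          # caller must force re-authentication
        return False
    if not (ignore_polls and is_background_poll(path_and_query)):
        session.last_activity = now
    return True


def replay(events: List[Tuple[float, str]], ignore_polls: bool = True,
           start: float = 0.0) -> List[bool]:
    """Run a (time, path) timeline through one fresh session; return each decision."""
    s = Session(user="alice", last_activity=start)
    return [record_request(s, path, t, ignore_polls) for t, path in events]


LOGOFF_SNIPPET = '<a href="/gateway/logoff">Log off securely</a>'   # assumed gateway URL


def add_logoff_link(html: str) -> str:
    """Inject the gateway's logoff link into a page that does not already carry it."""
    if "/gateway/logoff" in html:
        return html
    idx = html.lower().rfind("</body>")
    if idx == -1:
        return html + LOGOFF_SNIPPET
    return html[:idx] + LOGOFF_SNIPPET + html[idx:]


if __name__ == "__main__":
    # Constructed timeline: one real click at t=800s, otherwise only OWA polls.
    timeline = [(600.0, "/owa/?cmd=poll"), (800.0, "/owa/inbox"),
                (1600.0, "/owa/?cmd=poll"), (1800.0, "/owa/?cmd=poll"),
                (1801.0, "/owa/inbox")]
    print("polls ignored:", replay(timeline))
    print("polls counted:", replay(timeline, ignore_polls=False))
```

Running the same timeline with ignore_polls=False shows the problem the slide describes: the polls at 1600 s and 1800 s keep refreshing last_activity, so a browser left open in a kiosk never times out.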

21 Endpoint policies
Checks the health of the endpoint
Session policy
  Endpoint certification
  Privileged endpoint
Application policy
  Access to applications (hide or disable on the portal)
  Access to functionality within applications
  Example: block SharePoint upload from an unsafe client

22 Endpoint detection and application intelligence
(Architecture diagram. Platform layers of the SSL VPN gateway: Tunneling, Security, Authentication, Authorization, User Experience, over Client, High Availability, Management, Logging, Reporting and Multiple Portals. Application-aware modules for specific applications (Exchange/Outlook, OWA, SharePoint, Citrix) and generic web, client/server and browser-embedded applications, built on an application definition syntax/language. An Applications Knowledge Center (OWA, Citrix, SharePoint, ...) and a Devices Knowledge Center (Windows, Mac, Linux, PDA, ...).)

23 Endpoint detection
Out-of-the-box support for over 70 detection variables, including:
  Antivirus
  Antimalware
  Personal firewall
  Desktop search/index utilities
  And much more...
Easy-to-configure GUI that allows simple management of policies.
Extended GUI for manual editing and modification of policies.
Leverages Windows shell scripting to create *any* policy and inspect *any* client-side variable.

24 Attachment Wiper
Clears the browser's cache upon session termination
  The process does not require user initiation
  Optimizers integrate logic to identify and scrub custom caches
  Supports custom scripts for custom file cleaning
Removes: downloaded files and pages, cookies, AutoComplete form contents, history information, AutoComplete URLs, any user credentials
Triggers: user logoff, browser crash, inactivity timeout, browser closure, scheduled logoff, system shutdown
Security policy
  Allows for a "Can't Wipe – Can't Download" policy
  Allows a fallback policy to the "no-cache" tag mechanism
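Slides 9, 21, 23 and 24 together describe one policy chain: endpoint detection produces facts, those facts place the endpoint in a trust level, and the level decides whether the logon form is shown, which applications appear on the portal, and which features inside an application work (for instance SharePoint upload, or attachment download when the wiper cannot run). As an added example that is not the presentation's or IAG's own policy language, here is that chain in Python. The endpoint fields, the three levels, the application list, the feature rules and the 7-day signature age are all assumptions; the three endpoints at the bottom are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

LEVELS = ("untrusted", "standard", "privileged")
DOWNLOAD_FEATURES = {"attachment-download"}     # features the wiper must be able to clean up after


@dataclass(frozen=True)
class Endpoint:
    """Facts reported by the client-side detection components (field names assumed)."""
    detection_ran: bool         # did the detection component run at all on this client?
    domain_joined: bool
    antivirus_running: bool
    signatures_age_days: int
    firewall_enabled: bool
    wiper_available: bool       # can the attachment wiper clear the cache at logoff?


def endpoint_level(ep: Endpoint) -> str:
    """Managed and healthy -> privileged; healthy but unmanaged -> standard; else untrusted."""
    healthy = ep.antivirus_running and ep.signatures_age_days <= 7 and ep.firewall_enabled
    if healthy and ep.domain_joined:
        return "privileged"
    if healthy:
        return "standard"
    return "untrusted"


def session_policy(ep: Endpoint) -> bool:
    """Slide 9, first tier: if detection could not run, do not even show the logon form."""
    return ep.detection_ran


# Constructed portal: minimum level at which each application is shown.
APPLICATIONS = {
    "owa": "untrusted",
    "sharepoint": "untrusted",
    "rdp": "standard",
    "network-connector": "privileged",   # the real "VPN" is hidden from untrusted clients
}

# Constructed feature rules: minimum level for a function inside an application.
FEATURE_RULES = {
    ("sharepoint", "upload"): "standard",
    ("owa", "attachment-download"): "untrusted",
}


def _at_least(ep: Endpoint, level: str) -> bool:
    return LEVELS.index(endpoint_level(ep)) >= LEVELS.index(level)


def visible_applications(ep: Endpoint) -> List[str]:
    """Slide 9, second tier: which portal entries this endpoint gets to see."""
    if not session_policy(ep):
        return []
    return [app for app, lvl in APPLICATIONS.items() if _at_least(ep, lvl)]


def feature_allowed(ep: Endpoint, app: str, feature: str) -> bool:
    """Slide 9, third tier: positive logic, so an unlisted feature is denied."""
    if app not in visible_applications(ep):
        return False
    needed = FEATURE_RULES.get((app, feature))
    if needed is None:
        return False
    if feature in DOWNLOAD_FEATURES and not ep.wiper_available:
        return False                     # "can't wipe, can't download"
    return _at_least(ep, needed)


def response_headers(ep: Endpoint) -> Dict[str, str]:
    """Slide 24 fallback: when the wiper cannot run, ask the browser not to cache at all."""
    if ep.wiper_available:
        return {}
    return {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache", "Expires": "0"}


# Constructed endpoints: a domain-joined laptop, an Internet kiosk, a client
# where the detection component could not run.
MANAGED_LAPTOP = Endpoint(True, True, True, 1, True, True)
KIOSK = Endpoint(True, False, False, 30, False, False)
NO_DETECTION = Endpoint(False, False, False, 0, False, False)

if __name__ == "__main__":
    for name, ep in (("laptop", MANAGED_LAPTOP), ("kiosk", KIOSK), ("no-detection", NO_DETECTION)):
        print(name, endpoint_level(ep), visible_applications(ep),
              "sharepoint upload:", feature_allowed(ep, "sharepoint", "upload"),
              "owa download:", feature_allowed(ep, "owa", "attachment-download"))
```

The no-cache headers are the weaker control: they only ask the browser to cooperate, which is why the slide presents them as a fallback to the wiper rather than an equivalent.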

25 Security concerns
Authentication: Who are you?
Strong authentication: Are you really him/her?
Authorization: What can you access?
Transport security: Can they hear?
Application security: Should you be doing that?
Endpoint security: From there?
Information safeguard: Should this be left around?
Session security: How long can you do this for?

26 Single sign-on
No need for directory replication or repetition; alternative approaches require a local repository
Transparent web authentication:
  HTTP 401 request
  Static web form
  Dynamic browser-sensitive web form
Integrates with password change management and user repositories
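What "transparent web authentication" means in practice, as an added example that is not the presentation's or IAG's code: the gateway already authenticated the user at the portal, so it replays those credentials in whatever shape the back end expects. The Python below handles the two shapes the slide names that can be shown offline: an HTTP 401 Basic challenge answered with an Authorization header, and a dynamic web form, where the gateway parses the login page the application served, keeps its hidden fields (view state, tokens) and fills in the user name and password. The login page, field names and credentials are constructed; the function names are assumptions.

```python
import base64
from html.parser import HTMLParser
from typing import Dict, Optional, Tuple


class _LoginFormScraper(HTMLParser):
    """Collect the first <form> on a page and its <input> fields as name -> (type, value)."""

    def __init__(self) -> None:
        super().__init__()
        self.action: Optional[str] = None
        self.fields: Dict[str, Tuple[str, str]] = {}
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = a.get("action") or ""
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = ((a.get("type") or "text").lower(), a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def basic_auth_header(challenge: str, username: str, password: str) -> Dict[str, str]:
    """HTTP 401 case: answer a Basic challenge (WWW-Authenticate value) on the user's behalf."""
    if not challenge.strip().lower().startswith("basic"):
        raise ValueError("only Basic challenges are replayed here; NTLM/Negotiate need their own handler")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def fill_login_form(html: str, username: str, password: str) -> Tuple[str, Dict[str, str]]:
    """Dynamic-form case: return (action, body) for the POST the gateway will send.

    Hidden and submit inputs are echoed unchanged so server-generated tokens
    survive; the first text box gets the user name, the password box the password."""
    scraper = _LoginFormScraper()
    scraper.feed(html)
    if scraper.action is None:
        raise ValueError("no login form found on the page")
    body: Dict[str, str] = {}
    user_filled = False
    for name, (itype, value) in scraper.fields.items():
        if itype == "password":
            body[name] = password
        elif itype in ("text", "email") and not user_filled:
            body[name] = username
            user_filled = True
        elif itype in ("hidden", "submit"):
            body[name] = value
    return scraper.action, body


# Constructed login page standing in for an application's dynamic form.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="/app/logon.aspx">
  <input type="hidden" name="__VIEWSTATE" value="dDwtMTI3NTk2NDg2O">
  <input type="text" name="txtUser">
  <input type="password" name="txtPass">
  <input type="submit" name="btnLogin" value="Log On">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(basic_auth_header('Basic realm="owa"', "alice", "s3cret"))
    print(fill_login_form(SAMPLE_LOGIN_PAGE, "alice", "s3cret"))
```

The cost of this style of SSO is that the gateway holds the user's password for the life of the session and sends it to each back end, so the gateway-to-server leg must be protected as carefully as the Internet leg. Slide 29 mentions the alternative IAG SP1 offers for domain-joined appliances, Kerberos Constrained Delegation, which lets the gateway obtain service tickets for the user without replaying the password.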

27 User-specific portal
Manages access of employees, partners and customers from anywhere to corporate business applications
More than one portal page can be published per appliance
  Each is based on a unique IP address and host name
  Each can present a completely unique user experience, including look and feel, applications, authentication and authorization
Extends the business beyond the borders of the network
Implements corporate policies without weakening security
Leverages existing investments in software infrastructure and applications
Ensures maximum functionality based on the endpoint profile
Based on the SSL VPN access platform
  Leverages the Web browser to allow universal access
  Provides a broad range of connectivity options
(Diagram, as read from the slide: four portals on one appliance. IT Support Center, support.xyz.com, for IT support: username, password, token. Employee Portal, portal.xyz.com, for employees: username, password, token. Partner Extranet, extranet.xyz.com, for partners: username, password. e-Commerce, shopping.xyz.com, for customers: username, password.)

28 How to set up
Set up the appliance
Create a trunk
Add applications
Define endpoint policies
Customize

29 Set up the appliance
Unpack the appliance and put it into the rack
Attach the external and internal networks
Define IP and DNS settings
Add routes to the internal network if needed
Define the ISA "Internal" network
Join the domain if needed; required for Kerberos Constrained Delegation (SP1)

30 Create a trunk
Create a trunk (= Web portal)
Define the IP address for the trunk
Configure the authentication server
Import a certificate for each trunk
Create a "redirect" trunk (= HTTP to HTTPS)

31 Add applications
Add applications: OWA, SharePoint, RDP, VPN (Network Connector)
Test access

32 Define policies
Define endpoint policies
Assign them to access and functions
Test access

33 Customize
Customize look and feel: change colors, change text on the portal
Or...
  Create advanced endpoint policies
  Define custom authentication
  Etc.
