EMS Summit – Network Remote Access
William E. Ott
Friday, August 25, 2006, 1300 – 1400 EDT
VPN Solutions, Voice over IP, Secure e-mail

Secure Communications
- Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources
- Voice traffic is starting to move to data circuits (VoIP)
  - Not secure on its own
- How do you secure traffic?

Impediments to Remote Access
- Cost
- Availability
- Technical support
- Bandwidth
- Security

Traditional Remote Network Connectivity Options
- Network Connection Technologies
  - Private circuits (e.g. frame relay): expensive
  - Dialup: slow
- Network Service Technologies
  - telnet, ftp, ssh, http, https, proprietary
  - Some are secure, some are not
- Architecture
  - Remote circuits terminated directly into the core of the enterprise network: insecure

Classical Enterprise Connectivity

New Requirements / New Threats
New requirements:
- Internet Access: for the enterprises, from our homes
- The Web: sharp increase in Internet use; browsers become ubiquitous
- Broadband: fast, economical
New threats:
- Internet Access: shared infrastructure, public exposure
- The Web: sharp increase in Internet use; access to content, useful and malicious
- Broadband: remote endpoints (e.g. home PCs) always on

Access Types Considered
- Dial-Up (already in use)
- Dedicated Access (T1, Frame) (already in use)
- Network to Network IPSEC VPN
- Client to Network IPSEC VPN
- SSL VPN

Security Requirements
- Define the perimeter
  - A perimeter exists every place where there’s a differentiation in policy or responsibility
- Identify and authenticate remote sites and users
  - Consider “strong” and multi-factor authentication options
- Provide privacy & integrity for communications
  - Business data
  - Authentication credentials
- Secure endpoints
  - Apply enterprise security policy to remote endpoints
- Limit exposure
  - Remote users probably don’t need to access “everything.”

Solutions? Virtual Private Networks
- IP-Sec: remote network access
- SSL: remote application access
- SSH: remote administration

Remote Access: the parts
Assess
- Diverse client base
- Distributed client base
- Access to applications and data
- Minimize delivery time
- Minimize agency support requirements
- Conform to federal requirements, including two-factor authentication
- Security

Plan the solution

IP-Sec
- Types
  - Site to Site
  - Remote Client
- Security Considerations
  - Encryption
  - Authentication
  - Split Tunneling
  - Client Policy Enforcement
  - Firewalls (inside and outside the VPN)

Site to Site IP-Sec

Client IP-Sec

IP-Sec VPN Pros and Cons
Pros
- Well suited to replace private circuits
- “On the network” user experience
- Extensive support for various encryption algorithms and authentication options
- Mature technology
Cons
- Quality of Service dependent on shared network (i.e. the Internet)
- Client application required
- Limited cross-vendor interoperability
- Some configurations are not compatible with NAT

Remote Office VPN
- Targeted at sites with > 10 users
- Secure (IPSec) VPN
- Inter-agency Alliance managed end-to-end
- Connectivity to legacy applications and new inter-agency alliance portal
- Client premise equipment
  - Firewall/VPN device
  - /100 Ethernet port
- Objective: minimize impact of new solution on legacy networks while providing flexibility of deployment

Client Network Local Integration
[Diagram: Firewall, PC, Internet, Alliance]
- Topology: inside, DMZ, outside
- Addressing
  - Client provides single IP address for VPN
  - Address translation
- Routing changes
  - Client routes alliance applications to VPN

SSL VPN
- Types
  - Remote Client
- Security Considerations
  - Encryption
  - Authentication
  - Application publication
    - HTTP
    - Citrix / MS Terminal Services / Common Services
  - SSL VPN client application may be used to proxy other application types or even establish a full PPP connection
    - In which case, the IP-Sec security considerations apply

SSL VPN

SSL VPN Pros and Cons
Pros
- Super-easy access to enterprise application infrastructure
- Ability to “publish” non-web applications
- Ability to use a standard web browser to access published applications
Cons
- Client VPN only
- Client application still required for “on the network” experience

SSL VPN
- Targeted at mobile users or sites with < 10 users
- Enrollment and support for multiple members
- Provides clientless access to alliance resources
  - Requires only a browser and internet connectivity
- 2-factor authentication
  - One-time password token
  - Token delivery efficiency

SSH
- Primarily for remote administration
- Encrypted “telnet” and “ftp”
- Port forwarding
- Highly interoperable
- Supports nested tunnels
- Can be used in a bastion host architecture to provide secure remote access

Bastion Host
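As an added example (not part of the presentation), one way to realise the SSH-through-a-bastion-host pattern from the previous two slides with OpenSSH configuration: the bastion's sshd relays a nested tunnel to the one permitted internal host and nothing else, and the administrator's client reaches the internal host with ProxyJump plus a local port forward. The names bastion.example.org, app.internal, the group jumpusers and the user emsadmin are assumptions.

```shell
#!/bin/sh
# Added example; host, group and user names (bastion.example.org, app.internal,
# jumpusers, emsadmin) are assumptions, not from the presentation.

# sshd_config fragment for the bastion host. Members of the jump group get no
# shell or TTY; the bastion only relays a stdio/TCP forward, and PermitOpen
# limits that to the internal host (the "limit exposure" requirement).
render_bastion_sshd_match() {
  cat <<'EOF'
Match Group jumpusers
    AllowTcpForwarding yes
    PermitOpen app.internal:22
    PermitTTY no
    ForceCommand /usr/bin/echo 'bastion: use ssh -J, no interactive login'
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    LogLevel VERBOSE
EOF
}

# ~/.ssh/config fragment for the administrator. ProxyJump nests the inner SSH
# session inside the hop to the bastion, so the bastion relays only ciphertext.
# LocalForward brings the internal web console to the admin's own machine.
render_client_ssh_config() {
  cat <<'EOF'
Host bastion
    HostName bastion.example.org
    User emsadmin
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_ems

Host app.internal
    ProxyJump bastion
    User emsadmin
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_ems
    ForwardAgent no
    LocalForward 127.0.0.1:8443 127.0.0.1:443
EOF
}

# Audit helper: confirm the bastion fragment keeps the directives that make it
# a pure relay rather than a general-purpose proxy. Returns 0 if all present.
audit_bastion_fragment() {
  cfg=$(render_bastion_sshd_match)
  for want in 'AllowTcpForwarding yes' 'PermitOpen app.internal:22' \
              'PermitTTY no' 'AllowAgentForwarding no' 'PermitTunnel no'; do
    printf '%s\n' "$cfg" | grep -qx "    $want" || return 1
  done
  return 0
}
```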

Architecture Best Practices
- Identity Management
- Authentication
- Authorization
- Logging
- Client system policy compliance
- Split tunneling (IP-Sec)

An Integrated Architecture

Remote Access Summary
- Begin by determining what portions of the environment must be accessed remotely
- Select the secure remote access solution that meets your needs
- Understand the security architecture of the solution you use
- Develop the appropriate architecture
- Integrate the solution with other security services as necessary

Remote Access Summary
- Have a broad view of how the solution will be used
  - Placement of equipment
  - Infrastructure
  - Applications being accessed
- Clearly define the process for provisioning tokens and providing user access

Voice over Internet Protocol
- VoIP is growing rapidly
- VoIP traffic should be secured site to site if used for sensitive information
- VoIP has excellent crisis communications capability
- VoIP is often the cheapest method of telephony from overseas

E-mail Security
- HIPAA concerns with e-mail
  - to wireless devices
  - from remote or home users
  - with vendors and clients
  - internal between sites
- If e-mail isn’t ‘managed’ you have no control once sent
- Many options

What technologies are emerging
- Faster wireless
- Real-time video
- High-resolution cameras in phones
- Convergence of data, voice, video into single devices

Questions?