Presentation is loading. Please wait.

Presentation is loading. Please wait.

EMS Summit – Network Remote Access William E. Ott Friday August 25, 2006 1300 – 1400 EDT VPN Solutions Voice over IP Secure e-mail.

Published byToni Willmott Modified over 9 years ago

Similar presentations

Presentation on theme: "EMS Summit – Network Remote Access William E. Ott Friday August 25, 2006 1300 – 1400 EDT VPN Solutions Voice over IP Secure e-mail."— Presentation transcript:

1 EMS Summit – Network Remote Access William E. Ott Friday August 25, 2006 1300 – 1400 EDT VPN Solutions Voice over IP Secure e-mail

2 Secure Communications Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources Voice traffic is starting to move to data circuits (VoIP) Not secure on its own Voice traffic is starting to move to data circuits (VoIP) Not secure on its own How do you secure e-mail traffic? How do you secure e-mail traffic?

3 Impediments to Remote Access Cost Cost Availability Availability Technical support Technical support Bandwidth Bandwidth Security Security

4 Traditional Remote Network Connectivity Options Network Connection Technologies Private circuits (i.e. frame relay) Expensive Dialup Slow Network Service Technologies telnet, ftp, ssh, http, https, proprietary Some are secure, some are not Architecture Remote circuits terminated directly into the core of the enterprise network Insecure

5 Classical Enterprise Connectivity

6 New Requirements / New Threats Internet Access For the enterprises From our homes The Web Sharp increase in Internet use Browsers become ubiquitous Broadband Fast Economical Internet Access Shared infrastructure Public exposure The Web Sharp increase in Internet use Access to content: useful and malicious Broadband Remote endpoints (i.e. home PCs) always on

7 Access Types Considered Dial-Up – Already in use Dial-Up – Already in use Dedicated Access (T1, Frame) – Already in use Dedicated Access (T1, Frame) – Already in use Network to Network IPSEC VPN Network to Network IPSEC VPN Client to Network IPSEC VPN Client to Network IPSEC VPN SSL VPN SSL VPN

8 Security Requirements Define the perimeter Define the perimeter A perimeter exists every place where there’s a differentiation in policy or responsibilityA perimeter exists every place where there’s a differentiation in policy or responsibility Identify and authenticate remote sites and users Identify and authenticate remote sites and users Consider “strong” and multi-factor authentication optionsConsider “strong” and multi-factor authentication options Provide privacy & integrity for communications Provide privacy & integrity for communications Business dataBusiness data Authentication credentialsAuthentication credentials Secure endpoints Secure endpoints Apply enterprise security policy to remote endpointsApply enterprise security policy to remote endpoints Limit exposure Limit exposure Remote users probably don’t need to access “everything.”Remote users probably don’t need to access “everything.”

9 Solutions? Virtual Private Networks Virtual Private Networks IP-SecIP-Sec Remote network access Remote network access SSLSSL Remote application access Remote application access SSHSSH Remote administration Remote administration

10 Remote Assess: the parts Assess Assess Diverse client baseDiverse client base Distributed client baseDistributed client base Access to applications and dataAccess to applications and data Minimize delivery timeMinimize delivery time Minimize agency support requirementsMinimize agency support requirements Conform to federal requirements including two factor authenticationConform to federal requirements including two factor authentication SecuritySecurity

11 Plan the solution

12 IP-Sec Types Types Site to SiteSite to Site Remote ClientRemote Client Security Considerations Security Considerations EncryptionEncryption AuthenticationAuthentication Split TunnelingSplit Tunneling Client Policy EnforcementClient Policy Enforcement Firewalls (inside and outside the VPN)Firewalls (inside and outside the VPN)

13 Site to Site IP-Sec

14 Client IP-Sec

15 IP-Sec VPN Pros and Cons Pros Pros Well suited to replace private circuitsWell suited to replace private circuits “On the network,” user experience“On the network,” user experience Extensive support for various encryption algorithms and authentication optionsExtensive support for various encryption algorithms and authentication options Mature technologyMature technology Cons Cons Quality of Service dependent on shared network (i.e. the Internet)Quality of Service dependent on shared network (i.e. the Internet) Client application requiredClient application required Limited cross-vendor interoperabilityLimited cross-vendor interoperability Some configurations are not compatible with NATSome configurations are not compatible with NAT

16 Remote Office VPN Targeted at sites with > 10 users Secure (IPSec) VPN Inter-agency Alliance managed end-to-end Connectivity to Legacy applications and new inter- agency alliance portal Client premise equipment Firewall/VPN Device 1 - 10/100 Ethernet port Objective Minimize impact of new solution on legacy networks while providing flexibility of deployment

17 Firewall PC Internet Alliance Client Network Local Integration Topology Inside, DMZ, Outside Addressing Client provides single IP address for VPN Address translation Routing Changes Client routes alliance applications to VPN Firewall PC Internet Alliance Firewall PC Internet Alliance

18 SSL VPN Types Remote Client Security Considerations Encryption Authentication Application publication HTTP Citrix / MS Terminal Services / Common Services SSL VPN client application may be used to proxy other application types or even establish a full PPP connection In which case, the IP-Sec security considerations apply

19 SSL VPN

20 SSL VPN Pros and Cons Pros Pros Super-easy access to enterprise application infrastructureSuper-easy access to enterprise application infrastructure Ability to “publish” non-web applicationsAbility to “publish” non-web applications Ability to use standard web browser to access published applicationAbility to use standard web browser to access published application Cons Cons Client VPN onlyClient VPN only Client application still required for “on the network” experienceClient application still required for “on the network” experience

21 SSL VPN Targeted at mobile or sites with < 10 users Targeted at mobile or sites with < 10 users Enrollment and Support for Multiple members Enrollment and Support for Multiple members Provides clientless access to alliance resources Provides clientless access to alliance resources Requires only a browser and internet connectivityRequires only a browser and internet connectivity 2-factor authentication 2-factor authentication One-Time password tokenOne-Time password token Token delivery efficiency Token delivery efficiency

22 SSH Primarily for remote administration Encrypted “telnet” and “ftp” Port forwarding Highly interoperable Supports nested tunnels Can be used in a bastion host architecture to provide secure remote access

23 Bastion Host

24 Architecture Best Practices Identity Management Identity Management Authentication Authentication Authorization Authorization Logging Logging Client system policy compliance Client system policy compliance Split tunneling (IP-Sec) Split tunneling (IP-Sec)

25 An Integrated Architecture

26 Remote Access Summary Begin by determining what portions of the environment must be accessed remotely Select the secure remote access solution that meets your needs Understand the security architecture of the solution you use Develop the appropriate architecture Integrate the solution with other security services as necessary

27 Remote Access Summary Have a broad view of how the solution will be used Have a broad view of how the solution will be used Placement of equipmentPlacement of equipment InfrastructureInfrastructure Applications being accessedApplications being accessed Clearly define the process for provisioning tokens and providing user access Clearly define the process for provisioning tokens and providing user access

28 Voice over Internet Protocol VoIP is growing rapidly VoIP is growing rapidly VoIP traffic should be secured site to site if used for sensitive information VoIP traffic should be secured site to site if used for sensitive information VoIP has excellent crisis communications capability VoIP has excellent crisis communications capability VoIP is often cheapest method of telephony from overseas VoIP is often cheapest method of telephony from overseas

29 Email Security HIPAA concerns with email HIPAA concerns with email Email to wireless devices Email to wireless devices Email from remote or home users Email from remote or home users Email with vendors and clients Email with vendors and clients Internal Email between sites Internal Email between sites If Email isn’t ‘managed’ you have no control once sent If Email isn’t ‘managed’ you have no control once sent Many Email options Many Email options

30 What technologies are emerging Faster wireless Faster wireless Real time video Real time video High resolution cameras in phones High resolution cameras in phones Convergence of data, voice, video into single devices Convergence of data, voice, video into single devices

31 Questions?

32

Download ppt "EMS Summit – Network Remote Access William E. Ott Friday August 25, 2006 1300 – 1400 EDT VPN Solutions Voice over IP Secure e-mail."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Building a Wide Area Public Safety Network Technologies Used, Lessons Learned EMS Summit October 2, 2003 William E. Ott, MS, Paramedic.

Building a Wide Area Public Safety Network Technologies Used, Lessons Learned EMS Summit October 2, 2003 William E. Ott, MS, Paramedic.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Standards Certification Education & Training Publishing Conferences & Exhibits Using Outbound IP Connections for Remote Access EXPO 2005 Chicago, IL.

Standards Certification Education & Training Publishing Conferences & Exhibits Using Outbound IP Connections for Remote Access EXPO 2005 Chicago, IL.
Mike Bayne 15 September 2011

Mike Bayne 15 September 2011
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Module CSY3021 Network Planning and Programming RD-CSY3021-08/09 1.

Module CSY3021 Network Planning and Programming RD-CSY /09 1.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
The Remote Workplace Designing, deploying, and supporting the remote workplace environment Presented by: John Milhoan Information Technology Cooperative,

The Remote Workplace Designing, deploying, and supporting the remote workplace environment Presented by: John Milhoan Information Technology Cooperative,
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Evaluation of an internet protocol security based virtual private network solution Thesis written by Arto Laukka at TeliaSonera Finland Oyj SupervisorProfessor.

Evaluation of an internet protocol security based virtual private network solution Thesis written by Arto Laukka at TeliaSonera Finland Oyj SupervisorProfessor.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Similar presentations

Ads by Google