Post on 03-Dec-2014
VPN New Security PG 1
New Trends in VPN Security
James Forbes, CISSP, CNA, Nortel Networks
Nevada Security Symposium, May 2004
Agenda
• Primary Applications
• Risks, Exposures and Countermeasures
• SSL and IPSec VPNs
• Emerging Technologies for VPN Security
• Hybrid IPSec / SSL Appliances
• Securing Wireless Networks
Primary Applications for VPN Technology
• WAN – Using VPN technology to create virtual connections over a public infrastructure
– Replacement for Frame Relay and Point to Point
– Small Office
– Home Office
• RAS
– Telecommuters with IPSec client
– Telecommuters using SSL
– Mobile users
• Extranets
– Customers
– Partners
– Contractors
VPN in the WAN
[Diagram: Small Office / Branch Office, Premium Teleworker and HQ / Data Center sites connected over the Internet; each site combines routing, WAN access, firewall and VPN functions. Access options shown: FT1/T1, T1/E1, T3/E3, leased line, cable, xDSL, dial, ISDN, Frame Relay, ATM, OC-3/STM-1, Gig-E. A SOHO site with an unauthorized WAP is also shown.]
Firewall User Authentication: End-point Security for Site-to-Site VPNs
• Provides user authentication for
– Branch office tunnel traffic
– Firewall or router traffic (non-tunneled)
• Adds control at the user level for access to secure resources
– Tunnel is secure, but…
– Who is coming through the tunnel?
– What secure resources do they have access to?
• Simple browser interface for users
• SSL enabled
• Support of many authentication mechanisms
– Radius
– LDAP
– Tokens
– etc.
[Diagram: authentication for tunneled traffic and for non-tunneled traffic. Branch office PCs (PC 1, PC 2, PC 3) reach Server A, B and C across the Internet; each user opens an HTTPS FWUA (firewall user authentication) session before tunnel or firewall traffic is passed, and an authentication server sits behind the gateway.]
VPN Remote Access
[Diagram: an IPSec and SSL combo gateway at HQ / Data Center, reached over the Internet by a PDA with IPSec client, a corporate laptop with IPSec client, an Internet cafe / kiosk using SSL VPN, a personal computer with IPSec client, a wireless IP phone and a corporate laptop using SSL VPN.]
• Split Tunneling
• Viruses / Worms / Trojans
• Unauthorized Systems
• Where has it been?
• What’s being left on the system?
VPN Remote Access—Split Tunneling
[Diagram: a remote host holds a VPN tunnel to HQ / Data Center (10.0.0.0/8) while also browsing http://www.yahoo.com directly over the Internet.]
Host route table:
0.0.0.0 → if1
10.0.0.0/8 → VPN
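The route table on the slide is what makes split tunneling work: the host does a longest-prefix match, so only 10.0.0.0/8 is sent into the tunnel and everything else leaves on the local interface, which is exactly why the host is reachable from the Internet and the corporate network at the same time. The script below is an added illustration (not from the slides or from Nortel) of that lookup, with the destination addresses constructed for the example; it also shows the effect of the "disable split tunneling" countermeasure, where the default route itself is pointed at the VPN.

```python
"""Constructed example: longest-prefix-match route selection on a VPN host,
showing what the split-tunneling setting changes. Not code from the slides."""
import ipaddress


def build_routes(split_tunneling: bool):
    """Return a host route table as (network, interface) pairs.

    With split tunneling the default route stays on the local interface (if1)
    and only 10.0.0.0/8 goes into the VPN, as in the slide's table. With
    split tunneling disabled the default route points at the VPN as well, so
    every packet is forced through the corporate gateway (and its firewall).
    """
    default_if = "if1" if split_tunneling else "VPN"
    return [
        (ipaddress.ip_network("0.0.0.0/0"), default_if),
        (ipaddress.ip_network("10.0.0.0/8"), "VPN"),
    ]


def lookup(routes, dst: str) -> str:
    """Pick the most specific (longest prefix) route matching the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def classify(split_tunneling: bool, destinations):
    """Map each destination to the interface its traffic leaves through."""
    routes = build_routes(split_tunneling)
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    # Constructed addresses: a public web site and an intranet server.
    sample = ["198.51.100.10", "10.1.2.3"]
    print("split tunneling on :", classify(True, sample))
    print("split tunneling off:", classify(False, sample))
```

With split tunneling on, the public address leaves via if1 while 10.1.2.3 goes through the VPN; with it off, both go through the VPN and the gateway can apply the same filtering it applies to branch office tunnels.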
VPN Remote Access—Home Computer
[Diagram: a personal computer previously infected with a virus connects over the Internet to the corporate intranet at HQ / Data Center through an IPSec or SSL VPN tunnel.]
SSL VPN Remote Access—Internet Cafe / Kiosk
[Diagram: an Internet cafe / kiosk opens an SSL VPN tunnel over the Internet to the IPSec and SSL combo gateway at HQ / Data Center.]
While on vacation the network administrator remembers that he forgot to update the department’s spreadsheet with all the router passwords.
From an Internet cafe he downloads the spreadsheet, modifies it, and places it back on the server.
A copy of the spreadsheet was inadvertently saved on the machine.
Early Countermeasures
• Disable Split Tunneling
• Filtering / Firewalling User Tunnels
• Filtering / Firewalling Branch Office Tunnels
• Corporate Policy Requiring Personal Firewalls
• Corporate Policy Requiring Personal Anti-Virus
• Corporate Policy of Only Allowing Access from Authorized Device
Issues
• Difficult to Enforce
• Difficult to Maintain
• Can be too Restrictive
• Are Not Effective
TunnelGuard—End-point Security for Remote Access VPNs
Host Integrity Checking
[Diagram: a remote host running the TunnelGuard Agent, the VPN Client and a personal firewall; a VPN tunnel to the gateway; a Firewall Management Server behind it.]
Step 1: Create tunnel (not open to network)
Step 2: Send SRS to agent
Step 3: Verify application. Optional API call to personal firewall to pull updates from management server (through restricted tunnel)
Step 4: Tunnel restriction lifted, access granted to network
Tunnel Guard SRS Builder
Tunnel Guard Software Definitions and Modules
Tunnel Guard—Rule Definition
Tunnel Guard—Rule Expressions
Host Integrity Checking for SSL and IPSec
[Diagram: the same flow as the IPSec case, with the TunnelGuard Agent, VPN Client and personal firewall on the host, a Firewall Management Server behind the gateway, and the tunnel shown as either an SSL VPN session or an IPSec tunnel.]
Step 1: Create tunnel (not open to network)
Step 2: Send SRS to agent
Step 3: Verify application. Optional API call to personal firewall to pull updates from management server (through restricted tunnel)
Step 4: Tunnel restriction lifted, access granted to network
Host Integrity Checking for Hardware Information
[Diagram: a host running the TunnelGuard Agent and VPN Client on unauthorized hardware, with a VPN tunnel to the gateway.]
Step 1: Create tunnel (not open to network)
Step 2: Send SRS to agent
Step 3: Verify hardware. Is this one of our laptops?
Step 4: Deny Access
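The four-step flow on the TunnelGuard slides (create a restricted tunnel, send the SRS to the agent, verify, then lift the restriction or deny) comes down to evaluating a rule expression against what the agent reports about the host. The code below is an added illustration of that decision, written for this page and not Nortel's TunnelGuard implementation: the `HostReport` structure, the rule kinds (`software`, `running`, `hardware`), the `all`/`any` combinators and the asset inventory are all assumptions made for the example. It covers both the software check of the earlier slides and the hardware check of this one, and returns the failed leaves so the user can be told why the tunnel stayed restricted.

```python
"""Constructed example (not Nortel's TunnelGuard code): evaluate a software
requirement set (SRS) against a host report returned by an end-point agent,
then decide whether the tunnel stays restricted or is opened to the network."""
from dataclasses import dataclass


@dataclass
class HostReport:
    """What a hypothetical agent sends back through the restricted tunnel."""
    software: dict      # product name -> installed version string
    running: set        # names of processes currently running
    hardware_ids: set   # asset tags / serial numbers read from the machine


def _version(v: str):
    return tuple(int(p) for p in v.split("."))


def check_software(report, name, min_version):
    installed = report.software.get(name)
    return installed is not None and _version(installed) >= _version(min_version)


def check_running(report, process):
    return process in report.running


def check_hardware(report, authorized):
    """Is this one of our laptops? True when any reported id is in the inventory."""
    return bool(report.hardware_ids & authorized)


def evaluate(expr, report):
    """Recursively evaluate a rule expression against the report.

    Leaves:       ("software", name, min_version), ("running", process),
                  ("hardware", frozenset_of_authorized_ids)
    Combinators:  ("all", [exprs]) and ("any", [exprs])
    Returns (passed, failed_leaves) so the failure can be reported.
    """
    kind = expr[0]
    if kind in ("all", "any"):
        results = [evaluate(sub, report) for sub in expr[1]]
        oks = [ok for ok, _ in results]
        passed = all(oks) if kind == "all" else any(oks)
        if passed and kind == "any":
            return True, []
        return passed, [leaf for _, leaves in results for leaf in leaves]
    if kind == "software":
        ok = check_software(report, expr[1], expr[2])
    elif kind == "running":
        ok = check_running(report, expr[1])
    elif kind == "hardware":
        ok = check_hardware(report, expr[1])
    else:
        raise ValueError(f"unknown rule kind: {kind}")
    return ok, ([] if ok else [expr])


def decide(srs, report):
    """Steps 3 and 4: verify, then lift the restriction or keep the tunnel restricted."""
    ok, failed = evaluate(srs, report)
    return ("full-access" if ok else "restricted"), failed


# Constructed inventory and SRS for the example.
AUTHORIZED_LAPTOPS = frozenset({"ASSET-0001", "ASSET-0002"})
CORPORATE_SRS = ("all", [
    ("hardware", AUTHORIZED_LAPTOPS),
    ("running", "personal_firewall.exe"),
    ("any", [("software", "AntiVirusA", "7.2"), ("software", "AntiVirusB", "4.0")]),
])


def compliant_report():
    """A constructed report from a managed laptop that meets every rule."""
    return HostReport({"AntiVirusA": "7.3"}, {"personal_firewall.exe"}, {"ASSET-0001"})


if __name__ == "__main__":
    print(decide(CORPORATE_SRS, compliant_report()))
    stranger = HostReport({"AntiVirusA": "7.3"}, {"personal_firewall.exe"}, {"UNKNOWN-9"})
    print(decide(CORPORATE_SRS, stranger))
```

A host that fails only the hardware rule is the "Deny Access" case of this slide; a managed laptop with an out-of-date anti-virus fails the `any` branch and stays on the restricted tunnel, which is where the optional step-3 update pull from the management server would happen before re-checking.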
RAS Gateway
SSL VPN—Simplifying Remote Access
Traditional Approach: Lower layer bulk encryption between gateway and client. Each device / OS / version requires a unique software load.
SSL VPN Approach: Application layer encryption between gateway and web browser. No incremental client software – a “clientless” solution!
Browsers are Powerful
• Secure session with SSL
• Display HTML
• Run Java/ActiveX Controls
Why deploy and manage tunneling software for each remote user when browser-based 128/168-bit encryption capability already exists?
Do you want to bring users onto your network, or provide them with access to applications?
SSL VPN – How it Works
1. User establishes SSL session with the SSL VPN and enters login information
2. User’s credentials are checked against LDAP/RADIUS/Active Directory authentication database
3. User is presented with a web portal interface that lists available applications/resources
4. User selects file/application/link
5. SSL VPN authorizes user and proxies request to application
Authentication
[Diagram: the same user, John Smith, logging in at 7AM from Home/PC, 11AM from Airport/Kiosk and 8PM from Hotel/Laptop.]
Authenticate user from any device or location:
• Username/Password
• X.509 Digital Certificate
• RADIUS/LDAP/NTLM
Granular Access Control
SSL VPN offers granular access control for increased security:
• Authenticated user is assigned to a group and given access privileges
• User is authorized on a per application basis
• Portal contains only authorized applications/resources
• Client ID is maintained by session ID, source IP or cookie
[Diagram: John’s Web Portal, John Smith 7AM – Home/PC]
Clientless Browser Mode
“http://insidesite/salesapp.html” → “https://sslvpn.company.com/insidesite/salesapp.html”
• Application Address Translation dynamically adds/strips top-level URL directory
• HTML transformation dynamically rewrites embedded links
• Protocol conversion converts http/ftp/smb to HTTPS
• Secure session rewrite secures embedded links
[Diagram: web browser speaks HTTPS to the SSL VPN, which speaks http, ftp and smb to the internal applications.]
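The URL pair on this slide is the whole of address translation: the gateway prepends itself to internal links on the way out and strips that top-level directory off again on the way in, and HTML transformation applies the same rewrite to every embedded link so the browser never talks to the internal host directly. The code below is an added example written for this page (not the product's own rewriting engine): it rewrites `href`, `src` and `action` attributes with Python's `html.parser` and reverses the translation on the gateway side. The convention of keeping `ftp` and `smb` as a scheme directory under the gateway is an assumption made here so the two non-HTTP protocols can be told apart; only the gateway name and the example URL come from the slide.

```python
"""Constructed example (not the product's own rewriter): application address
translation and embedded-link rewriting for a clientless SSL VPN portal."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

GATEWAY = "https://sslvpn.company.com"   # gateway name from the slide
NON_HTTP = ("ftp", "smb")                # converted to HTTPS, kept as a scheme directory (assumption)


def to_gateway_url(url: str) -> str:
    """Rewrite an internal absolute link so the browser fetches it via the gateway.

    http://insidesite/salesapp.html -> https://sslvpn.company.com/insidesite/salesapp.html
    ftp://files/report.txt          -> https://sslvpn.company.com/ftp/files/report.txt
    Relative links and links to external (https) sites are left untouched.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http",) + NON_HTTP or not parts.netloc:
        return url
    prefix = "" if parts.scheme == "http" else f"/{parts.scheme}"
    query = f"?{parts.query}" if parts.query else ""
    return f"{GATEWAY}{prefix}/{parts.netloc}{parts.path or '/'}{query}"


def from_gateway_path(path: str) -> str:
    """Gateway side: strip the top-level directory to recover the internal origin."""
    segments = path.lstrip("/").split("/", 1)
    scheme = "http"
    if segments[0] in NON_HTTP and len(segments) > 1:   # an internal host named "ftp" would need escaping
        scheme, segments = segments[0], segments[1].split("/", 1)
    host = segments[0]
    rest = "/" + (segments[1] if len(segments) > 1 else "")
    return urlunsplit((scheme, host, rest, "", ""))


class LinkRewriter(HTMLParser):
    """Re-emits the document with link-carrying attributes pointed at the gateway."""
    REWRITE_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep entities as written
        self.out = []

    def _emit_tag(self, tag, attrs, self_closing=False):
        rendered = []
        for name, value in attrs:
            if value is None:
                rendered.append(name)
                continue
            if name.lower() in self.REWRITE_ATTRS:
                value = to_gateway_url(value)
            rendered.append(f'{name}="{html.escape(value, quote=True)}"')
        attr_text = (" " + " ".join(rendered)) if rendered else ""
        self.out.append(f"<{tag}{attr_text}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs): self._emit_tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit_tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def rewrite_html(document: str) -> str:
    """HTML transformation: rewrite every embedded link in a page fetched from inside."""
    parser = LinkRewriter()
    parser.feed(document)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed page as an internal web server might return it.
    page = '<a href="http://insidesite/salesapp.html">Sales</a><img src="/img/logo.png">'
    print(rewrite_html(page))
    print(from_gateway_path("/insidesite/salesapp.html"))
```

Links built by script at run time are the known gap in this approach (the parser only sees markup), which is one reason the deck also offers the SOCKS-based modes on the following slides.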
Enhanced Browser Mode
• Java applet executes in web browser and creates a session proxy
• SOCKS protocol is used to create a secure connection to SSL VPN
• Virtually all TCP applications can be channeled through this tunnel
• Native clients can be easily configured to use the SOCKS tunnel
[Diagram: Java-capable web browser; all TCP traffic carried as SSL over SOCKS to the SSL VPN.]
Transparent / Client Mode
• Winsock client is installed on managed PCs
• Client “transparently” intercepts session and channels it through the SOCKS connection
• Restricts mobility but offers granular access control and remains network agnostic
[Diagram: native clients on managed PCs.]
SSL VPN Client Security
Concern #1: Masquerading – If a user isn’t bound to a particular device, how do I know the user hasn’t stolen a user name and password?
Solution: Token-based, or 2-factor authentication, e.g. RSA SecurID and Secure Computing SafeWord.
Concern #2: Negligence – A kiosk user is distracted by a phone call and walks away from an open session.
Solution: Auto-logoff: A countdown timer appears after a configurable period of inactivity. If not actioned to continue, the session is terminated.
Concern #3: Residual Data – A patient’s clinical results are cached on a PC and become accessible to the next user.
Solution: Cache Cleansing: Once a session is terminated, an ActiveX control clears browser history and cached data.
Concern #4: Trust – I don’t want sensitive applications accessed from unknown PCs…period!
Solution: Dynamic Access Policies: Administrators can provide varied access depending on parameters at login, e.g. allow Email from a kiosk but no file sharing, or deny access completely!
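The five-step flow (authenticate, assign a group, show a portal of only the authorized applications, authorize each proxied request) and the client-security solutions above (a session bound to its source IP, auto-logoff after inactivity, dynamic access policies keyed on the device seen at login) are one policy decision made twice: once at login and again on every request. The code below is an added example written for this page, not the product's own policy engine; the groups, applications, device classes, the `DEVICE_DENY` table and the 600-second idle limit are all constructed for the illustration.

```python
"""Constructed example (not the product's own policy engine): per-application
authorization from group membership plus the device context seen at login,
with the source-IP binding and idle timeout described on the slides."""
from dataclasses import dataclass, field
import secrets

# Constructed directory data: group -> application privileges, user -> group.
GROUP_APPS = {
    "sales":    {"webmail", "crm", "fileshare"},
    "clinical": {"webmail", "patient-records"},
}
USER_GROUPS = {"john": "sales", "dr.lee": "clinical"}

# Dynamic access policy keyed by the device class detected at login (assumption:
# the gateway classifies the client as managed, home or kiosk).
DEVICE_DENY = {
    "managed": set(),
    "home":    {"patient-records"},               # sensitive app only from managed PCs
    "kiosk":   {"fileshare", "patient-records"},  # e-mail from a kiosk, but no file sharing
}
IDLE_TIMEOUT = 600   # seconds of inactivity before auto-logoff (constructed value)


@dataclass
class Session:
    session_id: str
    user: str
    device: str
    source_ip: str
    last_activity: float
    allowed: set = field(default_factory=set)


def login(user, password_ok, device, source_ip, now):
    """Authenticate, assign the group, then intersect privileges with the device policy."""
    if not password_ok or user not in USER_GROUPS:
        return None
    if device not in DEVICE_DENY:
        return None                                  # unknown device class: deny completely
    allowed = GROUP_APPS[USER_GROUPS[user]] - DEVICE_DENY[device]
    return Session(secrets.token_urlsafe(16), user, device, source_ip, now, allowed)


def portal(session):
    """The portal lists only the applications this session may use."""
    return sorted(session.allowed)


def authorize(session, app, source_ip, now):
    """Checked on every proxied request, not just at login."""
    if source_ip != session.source_ip:
        return False                                 # client identity is bound to the source IP
    if now - session.last_activity > IDLE_TIMEOUT:
        return False                                 # auto-logoff: idle session is terminated
    session.last_activity = now
    return app in session.allowed


if __name__ == "__main__":
    s = login("john", True, "kiosk", "203.0.113.5", 1000.0)   # constructed address and clock
    print(portal(s))
    print(authorize(s, "fileshare", "203.0.113.5", 1001.0))
```

Because the device policy is folded into the session at login, the portal and the per-request check agree automatically: John at a kiosk never sees the file share, and a request for it proxied by hand is refused as well.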
SSL VPN Client Security—Secure Virtual Desktop
• Secure Virtual Desktop
• Can only copy to removable disk
• All disk space used during session is wiped to DoD standards
[Diagram: client desktop → login to SSL VPN → secure virtual desktop.]
IPSec / SSL VPN Gateway
[Diagram: a remote user reaches the VPN gateway at the corporate office over the Internet; an SSL or IPSec secured session carries any TCP/UDP application: client/server, terminal access, intranet, webmail.]
• Next-generation SSL VPN Gateway appliance
• Optimized for clientless deployments
• On-the-fly application transformation to secure HTML
• Application proxying for client/server applications
• SSL and IPSec
• Network-level access option: VPN Client (CVC) and MS L2TP/IPSec VPN client termination
• Flexibility to configure user mix and scale as required from a single gateway
Hybrid—Centralized Security and Management for Existing WLANs
• Typical Customer Profile
– Multi-vendor environment
– Larger Deployments
– Intelligent Overlay requirement
– Wireless upgrade or extension
• Customer Benefits
– Low incremental cost
– Minimal disruption
– Centralized security
– Centralized management
– Introduction of Enterprise roaming
– Unauthorized AP detection
– Wireless VPN capability
[Diagram: a security switch fronting the corporate network.]
Improved Productivity and Application Support
Adaptive Solution
[Diagram: WLAN Access Port and WLAN Security Switch.]
Flexibility
• Load balancing
• Plug-n-Play
• Plug-n-Grow
• QoS
Security
• Unauthorized AP detection
• Unauthorized AP containment
• Unauthorized AP location
Management
• Dynamic coverage (interference avoidance, hole detection and correction…)
• Location Services Software
• Site Survey Tool
• Extensive reporting
Adaptive network & enhanced security for a better end user experience and cost reduction
New Solution Optimized for WLAN IP Telephony
New Application - Wireless IP Telephony
[Diagram: WLAN handsets on the corporate network, served by a WLAN Security Switch, a WLAN Application Gateway, a WLAN IP Telephony Manager and a call server.]
• WLAN IP Telephony Manager
• Manages QoS and optimizes voice performance in the wireless domain
• Provides a tight interface between IP handsets and 3rd party vertical applications
• WLAN Application Gateway