New Trends in VPN Security

James Forbes, CISSP, CNA, Nortel Networks. Nevada Security Symposium, May 2004.

Transcript of New Trends in VPN Security

Page 1: New Trends in VPN Security

VPN New Security PG 1

New Trends in VPN Security

James Forbes, CISSP, CNA, Nortel Networks

Nevada Security Symposium, May 2004

Page 2: New Trends in VPN Security

Agenda

• Primary Applications
• Risks, Exposures and Countermeasures
• SSL and IPSec VPNs
• Emerging Technologies for VPN Security
• Hybrid IPSec / SSL Appliances
• Securing Wireless Networks

Page 3: New Trends in VPN Security

Primary Applications for VPN Technology

• WAN
  – Using VPN technology to create virtual connections over a public infrastructure
  – Replacement for Frame Relay and Point to Point
  – Small Office
  – Home Office

• RAS
  – Telecommuters with IPSec client
  – Telecommuters using SSL
  – Mobile users

• Extranets
  – Customers
  – Partners
  – Contractors

Page 4: New Trends in VPN Security

VPN in the WAN

[Diagram: HQ / Data Center, Small Office / Branch Office, Premium Teleworker and SOHO sites connected over leased line, Frame Relay, ATM and the Internet. Access speeds shown: FT1/T1, T1/E1, T3/E3, OC-3/STM-1, Gig-E, cable, xDSL, dial, ISDN. Each site runs routing, WAN access, firewall and VPN functions; the SOHO site shows an unauthorized WAP.]

Page 5: New Trends in VPN Security

Firewall User Authentication: End-point Security for Site-to-Site VPNs

• Provides user authentication for
  – Branch office tunnel traffic
  – Firewall or router traffic (non-tunneled)

• Adds control at the user level for access to secure resources
  – Tunnel is secure, but…
  – Who is coming through the tunnel?
  – What secure resources do they have access to?

• Simple browser interface for users

• SSL enabled

• Support of many authentication mechanisms
  – RADIUS
  – LDAP
  – Tokens
  – etc.

[Diagram: PCs 1–3 at a branch office and Servers A–C behind the firewall, with an Authentication Server; an HTTPS FWUA session authenticates both tunneled traffic (branch office over the Internet) and non-tunneled traffic.]

Page 6: New Trends in VPN Security

VPN Remote Access

[Diagram: HQ / Data Center behind an IPSec and SSL combo gateway, reached over the Internet by a PDA with IPSec client, a corporate laptop with IPSec client, a personal computer with IPSec client, a corporate laptop using SSL VPN, an Internet cafe / kiosk using SSL VPN, and a wireless IP phone.]

• Split Tunneling
• Viruses / Worms / Trojans
• Unauthorized Systems
• Where has it been?
• What’s being left on the system?

Page 7: New Trends in VPN Security

VPN Remote Access—Split Tunneling

[Diagram: remote host with a VPN tunnel to HQ / Data Center (10.0.0.0/8) while browsing http://www.yahoo.com directly over the Internet.]

Host Route Table:
  0.0.0.0      if1
  10.0.0.0/8   VPN
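A route-table check for the condition this slide draws, written as an added example (not from the slides): both route tables are constructed, the first matching the slide's host route table and the second what the "Disable Split Tunneling" countermeasure of slide 10 produces, and 203.0.113.10 is a documentation address standing in for the VPN gateway.

```python
"""Split-tunnel check over a host route table (added example, not from the slides).

Both route tables are constructed. The first matches the slide: default route via
the local interface if1 and only 10.0.0.0/8 via the VPN adapter. The second is what
the "Disable Split Tunneling" countermeasure of slide 10 produces: everything via the
VPN adapter except the host route to the VPN gateway (203.0.113.10, a documentation
address) that the tunnel itself needs.
"""
import ipaddress

# Constructed: (destination prefix, interface that carries it)
SPLIT_TUNNEL_TABLE = [
    ("0.0.0.0/0", "if1"),        # Internet traffic leaves the host unprotected
    ("10.0.0.0/8", "VPN"),       # only corporate address space uses the tunnel
    ("192.168.1.0/24", "if1"),   # home LAN, reachable alongside the tunnel
]
FULL_TUNNEL_TABLE = [
    ("0.0.0.0/0", "VPN"),
    ("10.0.0.0/8", "VPN"),
    ("203.0.113.10/32", "if1"),  # host route to the VPN gateway itself
]


def lookup(routes, dst):
    """Longest-prefix match: the interface that would carry traffic to dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def split_tunnel_report(routes, vpn_if, gateway_ip):
    """Return (is_split, bypassing) for a host whose tunnel is up.

    is_split  -- the default route does not use the VPN adapter, so the host is
                 on the Internet and inside the corporate network at the same time
    bypassing -- prefixes reachable outside the tunnel, ignoring the host route to
                 the VPN gateway that every full-tunnel client must keep
    """
    gw = ipaddress.ip_network(gateway_ip + "/32")
    default_if = next((iface for prefix, iface in routes
                       if ipaddress.ip_network(prefix).prefixlen == 0), None)
    bypassing = [prefix for prefix, iface in routes
                 if iface != vpn_if and ipaddress.ip_network(prefix) != gw]
    return default_if != vpn_if, bypassing
```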

Page 8: New Trends in VPN Security

VPN Remote Access—Home Computer

[Diagram: a personal computer previously infected with a virus connects over the Internet, through an IPSec or SSL VPN tunnel, to the corporate intranet at HQ / Data Center.]

Page 9: New Trends in VPN Security

SSL VPN Remote Access—Internet Cafe / Kiosk

[Diagram: Internet cafe / kiosk using SSL VPN over the Internet to the IPSec and SSL combo gateway at HQ / Data Center.]

While on vacation the network administrator remembers that he forgot to update the department’s spreadsheet with all the router passwords.

From an internet cafe he downloads the spreadsheet, modifies it, and places it back on the server.

A copy of the spreadsheet was inadvertently saved on the machine.

Page 10: New Trends in VPN Security

Early Countermeasures

• Disable Split Tunneling
• Filtering / Firewalling User Tunnels
• Filtering / Firewalling Branch Office Tunnels
• Corporate Policy Requiring Personal Firewalls
• Corporate Policy Requiring Personal Anti-Virus
• Corporate Policy of Only Allowing Access from Authorized Device

Issues

• Difficult to Enforce
• Difficult to Maintain
• Can be too Restrictive
• Are Not Effective

Page 11: New Trends in VPN Security

TunnelGuard: End-point Security for Remote Access VPNs

Host Integrity Checking

[Diagram: TunnelGuard Agent, VPN Client and personal firewall on the remote host; VPN tunnel to the gateway; Firewall Management Server behind it.]

Step 1: Create tunnel (not open to network)
Step 2: Send SRS to agent
Step 3: Verify application. Optional API call to personal firewall to pull updates from management server (through restricted tunnel)
Step 4: Tunnel restriction lifted, access granted to network

Page 12: New Trends in VPN Security

Tunnel Guard SRS Builder

Page 13: New Trends in VPN Security

Tunnel Guard Software Definitions and Modules

Page 14: New Trends in VPN Security

Tunnel Guard—Rule Definition

Page 15: New Trends in VPN Security

Tunnel Guard—Rule Expressions

Page 16: New Trends in VPN Security

Host Integrity Checking For SSL and IPSec

[Diagram: as on page 11, with the client reaching the SSL VPN over SSL: TunnelGuard Agent, VPN Client and personal firewall on the remote host; Firewall Management Server behind the gateway.]

Step 1: Create tunnel (not open to network)
Step 2: Send SRS to agent
Step 3: Verify application. Optional API call to personal firewall to pull updates from management server (through restricted tunnel)
Step 4: Tunnel restriction lifted, access granted to network

Page 17: New Trends in VPN Security

Host Integrity Checking for Hardware Information

[Diagram: TunnelGuard Agent and VPN Client on unauthorized hardware, with a VPN tunnel to the gateway.]

Step 1: Create tunnel (not open to network)
Step 2: Send SRS to agent
Step 3: Verify hardware. Is this one of our laptops?
Step 4: Deny access
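The four-step host integrity flow of pages 11, 16 and 17 as one gate function, written as an added example and not Nortel's TunnelGuard code: the SRS layout (named checks combined by an AND/OR rule expression), the agent's inventory format, the personal firewall path and the serial-number list are all constructed assumptions.

```python
"""Host-integrity gate modelled on the TunnelGuard flow of slides 11, 16 and 17.

Added example, not Nortel code: the SRS layout (named checks combined by an
AND/OR rule expression), the agent's inventory format, the file path and the
serial list are constructed assumptions. The gate returns "restricted" while the
checks fail, "granted" when they pass (step 4) and "denied" on the slide 17 hardware check.
"""
from datetime import date

TODAY = date(2004, 5, 12)                    # fixed so the example is repeatable
AUTHORISED_SERIALS = {"NT-0001", "NT-0002"}  # constructed corporate asset list

# Constructed host inventories in the assumed agent report format
MANAGED_LAPTOP = {"processes": {"pfw.exe", "av.exe"}, "files": {"c:/pfw/pfw.exe": "4.2.1"},
                  "av_signature_date": date(2004, 5, 10), "hw_serial": "NT-0001"}
PERSONAL_PC = {"processes": {"av.exe"}, "files": {},
               "av_signature_date": date(2004, 1, 2), "hw_serial": "HOME-PC"}


def version(s):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in s.split("."))


# Software definitions: named checks an SRS rule expression can reference
CHECKS = {
    "pfw_running": lambda h: "pfw.exe" in h["processes"],
    "pfw_version": lambda h: version(h["files"].get("c:/pfw/pfw.exe", "0")) >= (4, 2, 0),
    "av_running": lambda h: "av.exe" in h["processes"],
    "av_fresh": lambda h: (TODAY - h["av_signature_date"]).days <= 7,
}
# Rule expression: nested ("and", ...) / ("or", ...) tuples over check names
SRS = ("and", "pfw_running", "pfw_version", ("or", "av_running", "av_fresh"))


def evaluate(expr, host):
    """Recursively evaluate a rule expression against the host inventory."""
    if isinstance(expr, str):
        return CHECKS[expr](host)
    op, *args = expr
    results = [evaluate(a, host) for a in args]
    return all(results) if op == "and" else any(results)


def gate(host, srs=SRS):
    """Steps 2-4: open the restricted tunnel, keep it restricted, or tear it down."""
    if host["hw_serial"] not in AUTHORISED_SERIALS:
        return "denied"                              # slide 17: not one of our laptops
    return "granted" if evaluate(srs, host) else "restricted"
```

A host left in the "restricted" state is where step 3's optional update pull through the restricted tunnel would run before the SRS is re-evaluated.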

Page 18: New Trends in VPN Security

SSL VPN--Simplifying Remote Access

RAS Gateway

Traditional Approach: Lower layer bulk encryption between gateway and client. Each device / OS / version requires a unique software load.

SSL VPN Approach: Application layer encryption between gateway and web browser. No incremental client software – a “clientless” solution!

Browsers are Powerful
• Secure session with SSL
• Display HTML
• Run Java/ActiveX Controls

Why deploy and manage tunneling software for each remote user when browser-based 128/168-bit encryption capability already exists?

Do you want to bring users onto your network, or provide them with access to applications?

Page 19: New Trends in VPN Security

SSL VPN – How it Works

1. User establishes SSL session with the SSL VPN and enters login information
2. User’s credentials are checked against the LDAP/RADIUS/Active Directory authentication database
3. User is presented with a web portal interface that lists available applications/resources
4. User selects file/application/link
5. SSL VPN authorizes user and proxies request to application

Page 20: New Trends in VPN Security

Authentication

[Diagram: the same user, John Smith, connecting at 7AM from Home/PC, 11AM from Airport/Kiosk and 8PM from Hotel/Laptop.]

Authenticate user from any device or location:
• Username/Password
• X.509 Digital Certificate
• RADIUS/LDAP/NTLM

Page 21: New Trends in VPN Security

Granular Access Control

SSL VPN offers granular access control for increased security:
• Authenticated user is assigned to a group and given access privileges
• User is authorized on a per application basis
• Portal contains only authorized applications/resources
• Client ID is maintained by session ID, source IP or cookie

[Diagram: John Smith, 7AM – Home/PC, sees John’s Web Portal.]

Page 22: New Trends in VPN Security

Clientless Browser Mode

“http://insidesite/salesapp.html” → “https://sslvpn.company.com/insidesite/salesapp.html”

• Application Address Translation dynamically adds/strips the top-level URL directory
• HTML transformation dynamically rewrites embedded links
• Protocol conversion converts http/ftp/smb >> HTTPS
• Secure session rewrite secures embedded links

[Diagram: the web browser speaks HTTPS to the SSL VPN, which speaks http, ftp or smb to the internal applications.]
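The address translation and link rewriting of this slide, combined with the per-application authorization of page 21, as an added example that is not Nortel's implementation: the portal host is the slide's, while the internal application table, the group-to-application mapping and the HTML fragment are constructed, and the reverse mapping re-checks authorization on each proxied request rather than trusting the rewritten portal alone.

```python
"""Clientless SSL VPN link rewriting with per-application authorisation.

Added example, not Nortel code. The internal application table, the
group-to-application mapping and the HTML fragment are constructed. Links are
rewritten as on the slide (http://insidesite/salesapp.html becomes
https://sslvpn.company.com/insidesite/salesapp.html): the internal host becomes the
top-level directory, and the reverse mapping applied to each proxied request
re-checks the user's authorisation, so a hand-typed portal URL gains nothing.
"""
import re
from urllib.parse import urlsplit

PORTAL = "https://sslvpn.company.com"
INTERNAL_APPS = {"insidesite": "http", "webmail": "http", "files": "smb"}     # constructed
GROUP_APPS = {"sales": {"insidesite", "webmail"}, "contractor": {"webmail"}}  # constructed
LINK_RE = re.compile(r'(href|src|action)="([^"]*)"', re.IGNORECASE)


def to_portal(url, allowed):
    """Application address translation for one embedded link.

    Relative links stay as they are (they already resolve under the portal
    directory). Absolute links are rewritten only for hosts the user may reach
    with the scheme on record; anything else returns None and is neutralised."""
    p = urlsplit(url)
    if not p.scheme and not p.netloc:
        return url
    if p.hostname not in allowed or INTERNAL_APPS.get(p.hostname) != p.scheme:
        return None
    return f"{PORTAL}/{p.hostname}{p.path or '/'}" + (f"?{p.query}" if p.query else "")


def rewrite_html(html, group):
    """HTML transformation: rewrite every href/src/action for this user's group."""
    allowed = GROUP_APPS.get(group, set())

    def repl(m):
        target = to_portal(m.group(2), allowed)
        return f'{m.group(1)}="{target or "#"}"'
    return LINK_RE.sub(repl, html)


def from_portal(portal_url, group):
    """Reverse translation on the proxied request: strip the top-level directory,
    restore the internal scheme (protocol conversion) and enforce authorisation
    again, so the proxy cannot be steered to a host the portal never listed."""
    _, host, *rest = (urlsplit(portal_url).path or "/").split("/", 2)
    if host not in INTERNAL_APPS or host not in GROUP_APPS.get(group, set()):
        return None
    return f"{INTERNAL_APPS[host]}://{host}/{rest[0] if rest else ''}"
```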

Page 23: New Trends in VPN Security

Enhanced Browser Mode

• Java applet executes in web browser and creates a session proxy
• SOCKS protocol is used to create a secure connection to SSL VPN
• Virtually all TCP applications can be channeled through this tunnel
• Native clients can be easily configured to use the SOCKS tunnel

[Diagram: Java-capable web browser carrying all TCP as SSL over SOCKS to the SSL VPN.]

Page 24: New Trends in VPN Security

Transparent / Client Mode

• Winsock client is installed on managed PCs
• Client “transparently” intercepts session and channels it through the SOCKS connection
• Restricts mobility but offers granular access control and remains network agnostic

[Diagram: native clients on managed PCs.]

Page 25: New Trends in VPN Security

SSL VPN Client Security

Concern #1: Masquerading: If a user isn’t bound to a particular device, how do I know the user hasn’t stolen a user name and password?

Solution: Token-based or two-factor authentication, e.g. RSA SecurID and Secure Computing SafeWord.

Concern #2: Negligence – A kiosk user is distracted by a phone call and walks away from an open session.

Solution: Auto-logoff: A countdown timer appears after a configurable period of inactivity. If the user does not act to continue, the session is terminated.

Concern #3: Residual Data – A patient’s clinical results are cached on a PC and become accessible to the next user.

Solution: Cache Cleansing: Once a session is terminated, an ActiveX control clears browser history and cached data.

Concern #4: Trust – I don’t want sensitive applications accessed from unknown PCs…period!

Solution: Dynamic Access Policies: Administrators can provide varied access depending on parameters at login, e.g. allow email from a kiosk but no file sharing, or deny access completely!

Page 26: New Trends in VPN Security

SSL VPN Client Security—Secure Virtual Desktop

• Secure Virtual Desktop
• Can only copy to removable disk
• All disk space used during session is wiped to DoD standards

[Diagram: Client Desktop → Login SSL VPN → Secure Virtual Desktop.]

Page 27: New Trends in VPN Security

IPSec / SSL VPN Gateway

[Diagram: a remote user reaches the VPN Gateway at the corporate office over the Internet through an SSL or IPSec secured session carrying any TCP/UDP, to applications such as eMail, Client/Server, Terminal Access, Intranet and Webmail.]

• Next-generation SSL VPN Gateway appliance
• Optimized for clientless deployments
• On-the-fly application transformation to secure HTML
• Application proxying for client/server applications
• SSL and IPSec
• Network-level access option: VPN Client (CVC) and MS L2TP/IPSec VPN client termination
• Flexibility to configure user mix and scale as required from a single gateway

Page 28: New Trends in VPN Security

Hybrid: Centralized Security and Management for Existing WLANs

• Typical Customer Profile
  – Multi-vendor environment
  – Larger Deployments
  – Intelligent Overlay requirement
  – Wireless upgrade or extension

• Customer Benefits
  – Low incremental cost
  – Minimal disruption
  – Centralized security
  – Centralized management
  – Introduction of Enterprise roaming
  – Unauthorized AP detection
  – Wireless VPN capability

[Diagram: Security Switch in the corporate network.]

Improved Productivity and Application Support

Page 29: New Trends in VPN Security

WLAN Access Port / WLAN Security Switch: Adaptive Solution

Flexibility
• Load balancing
• Plug-n-Play
• Plug-n-Grow
• QoS

Security
• Unauthorized AP detection
• Unauthorized AP containment
• Unauthorized AP location

Management
• Dynamic coverage (interference avoidance, hole detection and correction…)
• Location Services Software
• Site Survey Tool
• Extensive reporting

Adaptive network & enhanced security for a better end user experience and cost reduction

New Solution Optimized for WLAN IP Telephony

Page 30: New Trends in VPN Security

New Application - Wireless IP Telephony

[Diagram: WLAN handsets / IP handsets on the corporate network, served by a WLAN Security Switch, a WLAN IP Telephony Manager, a WLAN Application Gateway and a call server.]

WLAN IP Telephony Manager: manages QoS and optimizes voice performance in the wireless domain.

WLAN Application Gateway: provides a tight interface between IP handsets and 3rd-party vertical applications.

Page 31: New Trends in VPN Security