Secure Mobility Mobile Connectivity with Network Integrity via SSL VPNs & Mobile Clients Raymond Cushman Territory Manager Great Lakes District

Secure Mobility

Millions ,400 1,200 1, SOURCE: Nokia, Mobile Voice Users Internet PC Users Mobile Internet Users Two Mega Trends: Mobility & the Internet

3GPP cdma2000 1xEV-DV cdma2000 1xEV-DO GSMTDMAGSM/GPRS 3G Phase 1 NetworksEvolved 3G Networks 2G First Steps to 3G WCDMA GSM/GPRS/EDGE 3GPP2 Open interface multiradio network All IP cdma2000 1xcdmaOne G-WCDMA PDC 900 million users 130 million users Inevitable Need for Data Speeds - Global Evolution to 3G Networks

Working on the Move Users want to choose Availability of devices and services drives need Any time, Anywhere Any content Conference calls, , intranet, applications Any device

The Problem: IT Organization Perspective Goal: Enable business advantage Satisfy users Meet business objectives How can we accommodate: all of the various device & network types? the numerous user profiles? How can we ensure network integrity? How can we keep business running? How can we maintain costs? How can we leverage current investments?

Remote Access Challenges Dial-up access is costly, hard to manage and doesn’t utilize the explosion of broadband links worldwide IPSec remote access VPNs are excellent, but can be a challenge to deploy and manage What about the large user base who rely on desktop systems at the office? How to best handle partners, suppliers and contractors? A new approach using a browser connected to the Internet to provide access Most enterprises have well-developed intranets and extranets Why not use the same technology that has driven e-commerce to provide access to enterprise data resources? Remote Access Annual Cost Analysis Source: Yankee Group, 2003

For large screens User and device level access control from any browser Ideal for employees, partners & contractors Detailed reporting Wired Public WiFi Secure access via SSL SSL Browser-based VPN Web enabled, & key client -server apps Nokia Mobile Connectivity User Solutions Device Type Benefits & Features VPN Client IPSec VPN’s Enable secure Client Server app remote access & eliminate costs of dial- up Cost savings with Nokia Wireless Accelerator Nokia Mobile VPN for Symbian Leverage existing IPSec infrastructure to extend secure remote access to Symbian devices Over the air secure service provisioning via Nokia SSM Wired WiFi, 3G & Accelerated GSM and GPRS with Nokia Wireless Accelerator Secure access via IPSec Wireless Cellular GSM Data, GPRS & 3G Secure access via IPSec Connectivity Type IPSec VPN’s Application Type Any IP Application

Nokia Secure Access System (NSAS) GroupWise Exchange Lotus Notes R TN3270 SSH TELNET FTP Fileshares Citrix Intranet Key Product Features: Client Integrity Scan Advanced Access Control Session Persistence Unit IP130 IP350 IP380 User License Total Cost $3,495 $6,495 $10,995 $23,795 $35,795 $54,995 Price includes HW/SW/SW Subscription Licenses are based on # of concurrent users Raymond Cushman NES - Territory Manager (248) DMZ Firewall Internet Secure Access System Mobile User PDA Home User

What have we learned Why are they so successful?  For the IT admin - ease of deployment (new installations in 1 or 2 hours on average)  For the end user - flexibility / mobility (everyone has multiple access devices these days, laptop, home PC, PDA)  For the Exec - increased productivity, rapid response to changes (several NSAS evals used for Executive travel access)  Rapid response for: Unplanned trips, Outages, Temporary Extranets, New Hires, New Apps Mobility is more than people working from home and a travelling sales force  ---> changing extranet / business partners, temporary connections  ---> intra-campus movement (employees aren't tied to their desks for and document retrieval)  --> PDAs and Mobile Terminals (a special case requiring Content Rendering)

What have we learned (cont) New Security Concerns:  With traditional VPNs, we implicitly trust the access device (corporate issued laptop with VPN client, AV, firewall, etc) and need only authenticate the user  With SSL VPNs, we need to examine the device (scan) and the user (authentication)  Authentication: cannot put another authentication obstacle between user and information so the gateway must use common authentication methods (Radius, LDAP, DigCerts, NTLM)  Potential problem: the security team is often responsible for authentication (LDAP for instance).  Device Scanning: the scan of the system needs to be under admin control (what to look for, and what to do with results)  Flexible Client Scanning vs APIs to specific (that is, very limited) firewall and AV vendors  Access Control Granularity vs. All-or-Nothing approach of other vendors

What have we learned (cont)  Session cleanup - what to do with sensitive data on non-corporate owned devices  Cache cleanup / wipers are best effort, leave recoverable data and do not work at all if session is not properly terminated  Encrypted containers - new and better approach; if the data remains, it is not readable  Split-Tunneling - this is browser based connection only, not a full LAN-like connection that can be hijacked, so it is difficult to see how the session could be exploited (assuming the Scan has determined that the device is trustworthy)  Admins still rely on trusting your authenticated users to not do stupid or malicious things when connected  SSL gateway concerns: since users are directly interacting with the device (unlike most firewalls)  Does it use exploitable CGI scripting, ActiveX controls?  Is the OS itself hardened?

What have we learned (cont) Concerns:  Scalability of SSL based session - hardware acceleration will be required, as is common for IPSec  Robustness - HA mechanisms are still being worked out  Device Agnostics - multiple browsers, multiple OS (MAC, Unix, Linux, not just Windows based)