Securing Remote Access With SSL VPNs: A Best Practice Primer Sikhi Gundu and Kartik Kumar, Juniper Networks India Pvt Ltd.

Presentation transcript:

Preliminaries
– Target audience: IT org managers, admins; not developers/implementers
– Introductory/high-level overview
– Essentially a tutorial

Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

Motivation
Use case: remote access for employees, partners and customers
Why not IPsec?
– Requires client software to be installed
– IPsec VPNs are good for site-to-site, not so good for client-to-server
– IPsec is layer 3; remote access users get layer 3 access!
Why SSL VPN?
– Clientless remote access (the browser is the client)
– Easy on the IT shop (roll-out, config)
– Layer 4 access with the notion of a "user"

Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

SSLVPN basic workflow
[Diagram: employees with corporate/home laptops -> https over the Internet -> SSL VPN -> http -> App Server inside the Enterprise Network]
– SSLVPN device acts as a reverse proxy
– SSL provides data confidentiality and integrity on the public network

SSL VPN typical deployment
[Diagram: employees with corporate laptops, home PCs and mobile devices reach the Enterprise Network over the Internet through a router and firewall to the SSL VPN, which fronts the Applications Server and Application Server]

SSLVPN – Typical End-user Flow
– User connects to the gateway
– User authenticates
– SSLVPN presents a portal fronting the accessible resources
– User signs out

Essential functionality: Rewriting (Layer 4)
[Screenshot: a Google search page (Web, Images, Videos, Maps, News) shown before and after passing through the SSL VPN; the page's links (<a href=...) and inline script (if(google.j.b)document.body.style.visibility='hidden';) are rewritten by the gateway]
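The slide shows the effect of rewriting but not the mechanism. The following is an added example, not code from the deck or from Juniper's product: a minimal reverse-proxy link rewriter that turns every href/src/action attribute of a page served by an internal host into a URL that routes back through the gateway. The gateway name (vpn.example.com), the /proxy/<scheme>/<host> path layout and the sample page are all assumptions of this example.

```python
import re
from urllib.parse import urljoin, urlparse

# Assumed (hypothetical) public name of the SSL VPN gateway.
GATEWAY = "https://vpn.example.com"

# Attributes whose values the browser fetches directly; each must be rewritten,
# otherwise the client would try to reach the internal host itself and fail.
_URL_ATTR = re.compile(r"""(?i)\b(href|src|action)=(["'])(.*?)\2""")


def to_gateway_url(url: str, page_base: str) -> str:
    """Translate one origin URL into a URL that routes through the gateway.

    The path layout /proxy/<scheme>/<host><path> is an assumption of this
    example; real products use their own encodings.
    """
    absolute = urljoin(page_base, url.strip())
    p = urlparse(absolute)
    if p.scheme not in ("http", "https"):
        # mailto:, javascript:, data: and similar are not fetched via the proxy
        return url
    if p.netloc == urlparse(GATEWAY).netloc:
        return url  # already points at the gateway
    rewritten = f"{GATEWAY}/proxy/{p.scheme}/{p.netloc}{p.path or '/'}"
    if p.query:
        rewritten += "?" + p.query
    if p.fragment:
        rewritten += "#" + p.fragment
    return rewritten


def rewrite_html(html: str, page_base: str) -> str:
    """Rewrite every href/src/action attribute in an HTML document."""
    def repl(m: re.Match) -> str:
        attr, quote, value = m.group(1), m.group(2), m.group(3)
        return f"{attr}={quote}{to_gateway_url(value, page_base)}{quote}"
    return _URL_ATTR.sub(repl, html)


# Constructed sample page, as the internal server would return it.
SAMPLE_PAGE = (
    '<a href="/wiki/page?id=1">Wiki</a> '
    "<img src='/logo.png'> "
    '<a href="https://hr.corp/">HR</a> '
    '<a href="mailto:helpdesk@corp">Help</a>'
)

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_PAGE, "http://intranet.corp/home"))
```

Attribute rewriting alone is not enough: the script fragment in the slide's screenshot builds behaviour at run time, and links assembled by JavaScript never appear as static attributes, which is why a product's rewriting engine must also parse and patch script. Anything the engine misses either breaks the page or, worse, sends the browser straight to the origin host.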

Essential functionality: Rewriting Contd. (Layer 3)
[Diagram: packets carrying Src IP / Dst IP travel from the Internet through a NAT device into the Enterprise Network to the Applications Server; the NAT device rewrites the source and destination addresses]

Essential functionality: Granular Access Control
– Policy based access control (based on identity & other factors)
– For example: assign a role to a user; assign resources to roles
Example policies:
– Web access
– UNIX file access
– Windows file access
– SSO
– Terminal Services

Essential functionality: Granular Access Control Contd.
Example role assignments based on
– Location
– Username
– Login time
– Group
– Etc.
Fine grained access control: SSL VPN, being a layer 4 device, has an end-user notion and thus fine grained access control is possible.

Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

Security with SSL VPN: Authentication
Remember: Internet-facing device! Ensure strong authentication.
Strength of authentication
– Strength of the password policy
  – Password strength
  – Password expiry
  – Blacklisted PIN dictionary
– Typically, the device vendor would ensure protection against:
  – Dictionary attacks
  – Brute force attacks
  – Denial of service attacks
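To make the three password-policy bullets and the brute-force protection concrete, here is an added example (not code from the deck or any vendor): a policy checker that reports which rules a password breaks (length, character classes, blacklisted dictionary, username reuse, expiry) and a per-account throttle that refuses further attempts after repeated failures. The thresholds (12 characters, 90-day expiry, 5 failures, 15-minute lockout), the blacklist and the sample passwords are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed blacklist; a deployment would load a large breached-password
# and dictionary list instead.
BLACKLIST = {"password", "password1", "welcome1", "letmein", "qwerty123"}
MAX_PASSWORD_AGE = timedelta(days=90)
MIN_LENGTH = 12


def password_violations(password: str, last_changed: datetime,
                        now: datetime, username: str = "") -> list:
    """Return the policy rules a password breaks (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(pat, password))
                  for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if password.lower() in BLACKLIST:
        problems.append("in blacklisted dictionary")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if now - last_changed > MAX_PASSWORD_AGE:
        problems.append("expired")
    return problems


class LoginThrottle:
    """Per-account failed-attempt counter with a lockout window."""

    def __init__(self, max_failures: int = 5,
                 lockout: timedelta = timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures = {}  # username -> (count, time of last failure)

    def allowed(self, username: str, now: datetime) -> bool:
        count, last = self._failures.get(username, (0, None))
        if count < self.max_failures:
            return True
        if now - last >= self.lockout:
            del self._failures[username]  # window elapsed: start over
            return True
        return False

    def record(self, username: str, success: bool, now: datetime) -> None:
        if success:
            self._failures.pop(username, None)
        else:
            count, _ = self._failures.get(username, (0, None))
            self._failures[username] = (count + 1, now)


# Constructed reference times used by the sample run.
NOW = datetime(2024, 6, 1, 9, 0)
RECENT = NOW - timedelta(days=10)
STALE = NOW - timedelta(days=100)
LATER = NOW + timedelta(minutes=16)

if __name__ == "__main__":
    print(password_violations("Summer2024", RECENT, NOW, username="alice"))
    print(password_violations("Tr0ub4dor&3-correct", STALE, NOW))
    throttle = LoginThrottle()
    for _ in range(5):
        throttle.record("alice", False, NOW)
    print(throttle.allowed("alice", NOW), throttle.allowed("alice", LATER))
```

A hard per-account lockout trades one of the slide's threats for another: anyone who knows a username can lock its owner out, which is the denial-of-service case the slide lists. Pair the account counter with per-source throttling and progressive delays rather than relying on lockout alone.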

Strength of Authentication, Contd.
[Diagram: single-factor authentication vs. two-factor (strong) authentication]

Strength of Authentication Contd.
– Secondary authentication
– Adaptive authentication

Strength of Authentication Contd.
Secondary Authentication
– Can be used where a stronger auth mechanism is required.
– For example: the user does primary authentication to an auth server [could be certificate or machine auth]. Once primary auth succeeds, he has to authenticate again to a secondary auth server [which could be AD, LDAP or RADIUS auth].
– Secondary authentication combined with 2-factor will be even stronger, but is overkill.

Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

Assess Endpoint's security posture
– Enable this feature; most vendors provide it
– Enforce a policy not to allow login if the client is not clean
– Makes sure that the client has
  – Trusted antivirus software (e.g. Norton AV 2010)
  – Trusted anti-malware
  – Updated virus signature database for the antivirus
  – OS patches available
– Ensure the file system has no suspicious content or processes
– Ensure the file system has the content it is supposed to have; i.e., not tampered with
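The slide lists what a host check should verify; the following added example (not code from the deck or any vendor's host-checker) shows how those checks combine into a single allow/deny decision. The agent report format (the Posture dataclass), the trusted-product list beyond the slide's own Norton AV 2010, the 7-day signature age, the suspicious process names and the expected file hash are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

# Trusted products for this hypothetical policy: the slide's own example
# (Norton AV 2010) plus a constructed entry.
TRUSTED_AV = {"Norton AV 2010", "ExampleCorp AV 5"}
MAX_SIGNATURE_AGE = timedelta(days=7)
# Constructed process names the policy treats as suspicious.
SUSPICIOUS_PROCESSES = {"keylogger.exe", "remoteshell.exe"}
# Constructed "known good" content for a file the agent must find untampered.
EXPECTED_FILE_HASHES = {
    "agent.cfg": hashlib.sha256(b"policy=strict\n").hexdigest(),
}


@dataclass
class Posture:
    """Facts the host-check agent reports about the endpoint."""
    av_product: str
    av_running: bool
    av_signature_date: date
    missing_critical_patches: int
    running_processes: list = field(default_factory=list)
    file_hashes: dict = field(default_factory=dict)  # path -> sha256 hex


def assess(posture: Posture, today: date) -> list:
    """Return the policy failures for an endpoint; an empty list means clean."""
    failures = []
    if posture.av_product not in TRUSTED_AV:
        failures.append("untrusted or missing antivirus")
    elif not posture.av_running:
        failures.append("antivirus installed but not running")
    if today - posture.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("virus signatures out of date")
    if posture.missing_critical_patches > 0:
        failures.append("missing critical OS patches")
    bad = SUSPICIOUS_PROCESSES.intersection(
        p.lower() for p in posture.running_processes)
    if bad:
        failures.append("suspicious processes: " + ", ".join(sorted(bad)))
    for path, expected in EXPECTED_FILE_HASHES.items():
        if posture.file_hashes.get(path) != expected:
            failures.append(f"tampered or missing file: {path}")
    return failures


def login_decision(posture: Posture, today: date) -> tuple:
    """Map the assessment to the gateway's action: allow, or deny with reasons."""
    failures = assess(posture, today)
    return ("allow", []) if not failures else ("deny", failures)


# Constructed sample reports.
TODAY = date(2024, 6, 1)
CLEAN = Posture("Norton AV 2010", True, date(2024, 5, 30), 0,
                ["explorer.exe"], dict(EXPECTED_FILE_HASHES))
DIRTY = Posture("Norton AV 2010", True, date(2024, 4, 1), 2,
                ["explorer.exe", "KeyLogger.exe"],
                {"agent.cfg": hashlib.sha256(b"policy=off\n").hexdigest()})

if __name__ == "__main__":
    print(login_decision(CLEAN, TODAY))
    print(login_decision(DIRTY, TODAY))
```

Returning every failed check rather than the first one matters operationally: the denial page can tell the user what to fix, and the gateway log shows whether a fleet-wide problem (a stale signature feed, a missed patch cycle) is behind a wave of refused logins. The report itself comes from software on an untrusted machine, so a posture check raises the bar but does not replace the authorization limits in the later slides.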

Clean session termination
Data is left behind by the session!
– Browser history
– Browser cache
– Saved passwords and forms
– Keystroke loggers
– Cookies
Use cache cleaning functionality
– Cleans up all browser data on logout
Enable virtual keyboards during authentication

Clean session termination Contd.
SVW [Secure Virtual Workspace]
– Restricted, transient shell
– Created when the user logs in
– Destroyed on logout
– Ensures no upload of dangerous content or download of critical data

Integrate with IDP
Coordinated threat control using IDP
[Diagram: the IDP detects an intrusion and informs the SSL VPN; the SSL VPN quarantines the user based on the IDP's instructions]

Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

Security with SSLVPN: Authorization
Can remote users have the same level of access privilege as local users? Maybe not!
Exploit RBAC to the fullest
– A role is a group of policies
– Policies govern access to resources
  – Web resource access
  – File resource access [both Windows/UNIX]
  – Telnet/SSH access
  – SSO
  – Terminal Services access

Role Based Access Control Contd.
Vendors provide the ability to define roles as a function of several attributes. For example:
– Endpoint security posture
– Login time
– Login IP
– Login name
– Directory attributes
– Group
For example: the same user gets different privileges during office hours as opposed to off-hours
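The two authorization slides and the earlier "Granular Access Control" slides describe the same model: policies group resources, roles group policies, and a role is chosen from session attributes. This added example (not code from the deck or any vendor) implements that model end to end, including the slide's own case of one user receiving reduced privileges off-hours and the earlier slide's rule that a failed host check means no access at all. The trusted address range, office hours, resource prefixes, role names and sample sessions are constructed for the example.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed attribute values for this example.
TRUSTED_NETS = [ip_network("203.0.113.0/24")]   # e.g. a partner's published range
OFFICE_HOURS = (time(8, 0), time(18, 0))

# Policies: each names a resource type and the prefixes it allows.
POLICIES = {
    "web": ["https://intranet.corp/", "https://hr.corp/"],
    "file_unix": ["nfs://files.corp/home/"],
    "file_windows": ["\\\\files.corp\\shared\\"],
    "terminal": ["rdp://ts.corp"],
}

# Roles are groups of policies.
ROLES = {
    "staff_office_hours": {"web", "file_unix", "file_windows", "terminal"},
    "staff_off_hours": {"web"},
    "partner": {"web"},
    "quarantine": set(),
}


def assign_role(session: dict) -> str:
    """Pick a role from the session's attributes: posture, group, time, IP."""
    if not session["endpoint_clean"]:
        return "quarantine"            # failed host check: no resources at all
    if session["group"] != "employees":
        return "partner"
    trusted_ip = any(ip_address(session["login_ip"]) in net
                     for net in TRUSTED_NETS)
    in_hours = OFFICE_HOURS[0] <= session["login_time"] <= OFFICE_HOURS[1]
    if trusted_ip and in_hours:
        return "staff_office_hours"
    return "staff_off_hours"           # same user, reduced privileges off-hours


def permitted(role: str, resource: str) -> bool:
    """True when some policy in the role allows the resource."""
    return any(resource.startswith(prefix)
               for policy in ROLES[role]
               for prefix in POLICIES[policy])


# Constructed login sessions.
DAYTIME = {"user": "alice", "group": "employees", "login_time": time(10, 0),
           "login_ip": "203.0.113.7", "endpoint_clean": True}
NIGHT = dict(DAYTIME, login_time=time(22, 0))
INFECTED = dict(DAYTIME, endpoint_clean=False)

if __name__ == "__main__":
    for label, session in (("day", DAYTIME), ("night", NIGHT), ("infected", INFECTED)):
        role = assign_role(session)
        print(label, role, permitted(role, "\\\\files.corp\\shared\\q2.xlsx"))
```

The default path in assign_role is the least-privileged role for the group, so an attribute that is missing or unexpected narrows access rather than widening it; that is the property to preserve when the role logic grows to cover directory attributes and more locations.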

Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

Bad people: evil outsiders and disgruntled insiders
Remember: Internet-facing web device, vulnerable to the usual set of web attacks
Injection attacks
– Most common: cross-site scripting
  – Parsing and detecting malicious script
  – Have multiple admins verify the config.
– A newer one: XSRF (cross-site request forgery)
– Frame busting
The vendor provides some form of defence, but beware: your customization may open up holes!
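The slide names XSRF and frame busting without showing what the gateway's defence looks like. As an added example (not code from the deck or any vendor), the block below implements the two server-side controls a portal customization must keep intact: an anti-forgery token bound to the session that every state-changing request has to carry, and the response headers that forbid another site from framing the portal, the server-side counterpart of client-side frame-busting script. The gateway origin, server secret and request shape are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example: the gateway's own origin and a server
# secret that a real gateway would keep in protected storage.
GATEWAY_ORIGIN = "https://vpn.example.com"
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Anti-forgery token bound to one session: HMAC-SHA256(secret, session id).

    The portal embeds it in every form; a cross-site page cannot read it,
    so a forged request arrives without a valid token.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, submitted) -> bool:
    # constant-time comparison so the check leaks nothing about the token
    return hmac.compare_digest(csrf_token(session_id), submitted or "")


def authorize_post(request: dict, session_id: str) -> tuple:
    """Decide whether a state-changing request may proceed.

    `request` is a constructed dict with keys method, origin and form.
    """
    if request["method"] != "POST":
        return (405, "state changes must use POST")
    origin = request.get("origin")
    if origin is not None and origin != GATEWAY_ORIGIN:
        return (403, "cross-site origin")
    if not csrf_valid(session_id, request.get("form", {}).get("csrf")):
        return (403, "missing or invalid anti-forgery token")
    return (200, "ok")


def security_headers() -> dict:
    """Response headers that stop the portal being framed by another site."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


if __name__ == "__main__":
    sid = "sess-123"
    good = {"method": "POST", "origin": GATEWAY_ORIGIN, "form": {"csrf": csrf_token(sid)}}
    forged = {"method": "POST", "origin": "https://evil.example", "form": {"csrf": "guess"}}
    print(authorize_post(good, sid), authorize_post(forged, sid), security_headers())
```

The check refuses a request on the first failing control and never performs the action for a GET, which is the usual way a customized portal page reintroduces XSRF: a link or image that triggers a change without a form. Any template an admin edits should keep the token field and should not add handlers that act on GET.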

Key is: Train your users
Educate users
– Always ensure a graceful exit
– Don't leave sessions unattended
– Avoid logging in via shared computers
– Don't cache passwords in browsers
– Use virtual keyboards for login

Thank you