
1 ISSA Presentation

2 Agenda
- Remote Access Evolution
- SSL VPN Drivers
- Why SSL VPNs
- Basic Deployment
- Security vs. IPSec
- The New Security Concerns
- Addressing the Concerns
- What to Look for in a Vendor

3 The Evolution of Remote Access

| Then | Now |
|---|---|
| A service for a select few | A must-have utility for all |
| Cost center | Productivity Lever |
| Best effort performance and up-time | Always up, high performing |
| Carrier-based | Network independent |
| Anywhere there’s a phone line | Anywhere |

4 The Evolution of Remote Access

| Then | Now |
|---|---|
| A PC you support | Any PC |
| Static Passwords | One-Time Passwords |
| Dial-Back Modems | Device Profiling |
| What’s a virus? | Must address all malicious code |
| “They have the Internet on computers?” | “I know more about this than you do.” |

5 The Shift to SSL VPNs
Enterprises are seeing a new kind of remote access:
- Harder to manage: Access from devices outside of IT’s control
- Demanded by more users: Broader employee access, partner access
- New devices and access points: Wireless hotspots, airport kiosks, home PCs

Diagram labels: Day Extenders, Extranet Users, Home Office Users, Traveling Employees, Kiosk Users, Wireless LAN Users, Pocket PC Users; Corporate Network

6 The Shift to SSL VPNs
SSL Addresses the Emerging Demands
- Impervious to NAT
- Leverages a commonly open port (443)
- Indifferent to type of network
- Does not require a client
- Supports broad application types
- Easier to support and deploy
- Intuitive User Experience

7 Basic SSL VPN Deployment
- SSL VPN tied to authentication system, DNS and applications
- Presents web resources and available shares as links to the user
- Authenticates users, encrypts to the end node, applies granular ACLs to the user traffic, detailed audit
- All traffic goes over port 443, regardless of original protocol
- Uses browser-deployed agent to handle C/S applications

Like an IPSec VPN, the SSL VPN is the point of security enforcement for in-bound users.

Diagram labels: Corporate Laptops, Wireless Hotspots, PDAs, Home PCs, Kiosks, Partner Extranets; Encrypted, Authenticated, and Authorized Traffic via the Internet; DMZ; SSL VPN Appliance; Directories; Applications (Web Apps, Client/Server Apps, Legacy Apps, File Shares, Databases, Terminal Services, Mainframes)

8 Security vs. IPSec

| Security Category | Result moving to SSL VPN from IPSec |
|---|---|
| Encryption | No change |
| Authentication | No change or Improved |
| Access Control | Improved |
| Perimeter Profile | Improved |
| Logging and Forensics | Improved |
| Web Security | Improved |
| End-Point Security | Improved |

9 The New Security Concerns
Access from unmanaged locations
- Sensitive data inadvertently left on device
- Sensitive data intentionally captured
- Sensitive data saved by legitimate user
- Unmanaged device is virus vector
- Unmanaged device can be hijacked

Device Anonymity
- Difficult to tell provisioned devices from others

Access Modulation
- Authenticating the user alone is not enough to determine the appropriate level of access.

10 How the Threats Get Addressed
Sensitive Data Inadvertently Left Behind
- Cache Clearing Technology
- Session File Encryption and Deletion

Data Captured (Spyware, Keystroke Logger)
- Pre-auth Spyware Scan
- WholeSecurity, Zone Labs, Sygate

Data Saved by Legitimate User
- Session File Encryption and Deletion
- Restrict Location for Certain Groups

11 How the Threats Get Addressed
SSL VPN End-Point is Virus Vector
- A/V and PFW Policy Enforcement Built into SSL VPN
- Adjust ACLs when A/V is absent or not updated
- Remediate workstation when appropriate
- Deny connection in extreme cases

12 How the Threats Get Addressed
Device Anonymity
- Restrict Source Domain
- Scan Device and Registry to Identify:
  - Domain Membership
  - O/S
- Search for Secret File
- Look for Watermark
- Use Digital Certificate
- Restrict by O/S

13 How the Threats Get Addressed
Access Modulation
- Create “3-D” Security Policy: User, Device, Location
- Adjust ACLs On-The-Fly Based on Combination of Factors

Device profile attributes: Application/Process, Directory/File, Registry key, Windows domain, Anti-Virus, Personal Firewall, Aventail Cache Control, Aventail Secure Desktop

Trusted Device (Device Profile: IT-Managed)
- Windows domain: in.xyz.seattle.com or in.xyz.phoenix.com
- Anti-Virus: Norton AV
- Personal Firewall: Sygate
- Data Protection

Semi-Trusted Device (Device Profile: Home Machine)
- Anti-Virus: Norton AV
- Personal Firewall: Sygate or Zone
- Registry key: …HKEY_LOCAL_MACHINE \SW\Symantec\SharedDefs

Un-Trusted Device
- Data Protection
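The "3-D" policy of slides 11 to 13, sketched as an added example (not code from the presentation or from any Aventail product): a pre-auth scan result is mapped to a trust zone, then user group, zone and location together select the ACL. The group names, locations, resource names and the rule table are hypothetical; only the two Windows domains come from the slide.

```python
from dataclasses import dataclass
from typing import Optional

# Domains shown on the slide; every other name and value here is hypothetical.
MANAGED_DOMAINS = {"in.xyz.seattle.com", "in.xyz.phoenix.com"}

@dataclass(frozen=True)
class DeviceScan:
    """Constructed result of a pre-authentication end-point scan."""
    windows_domain: Optional[str]
    av_present: bool
    av_updated: bool
    firewall_present: bool

def classify_device(scan: DeviceScan) -> str:
    """Map scanned attributes to a trust zone; anything unproven is untrusted."""
    protected = scan.av_present and scan.av_updated and scan.firewall_present
    if protected and scan.windows_domain in MANAGED_DOMAINS:
        return "trusted"
    if protected:
        return "semi-trusted"
    return "untrusted"  # A/V absent or not updated, or no personal firewall

# (user group, device zone, location) -> allowed resources; "*" matches any value.
# Rules are checked in order and the first match wins.
RULES = [
    ("finance",   "*",            "kiosk", set()),  # restrict location for a group
    ("*",         "trusted",      "*",     {"web", "file-shares", "client-server"}),
    ("employees", "semi-trusted", "*",     {"web", "file-shares"}),
    ("finance",   "semi-trusted", "*",     {"web"}),
    ("*",         "untrusted",    "*",     {"web-mail"}),
]

def decide(group: str, scan: DeviceScan, location: str) -> dict:
    """Combine user, device and location into one access decision (default deny)."""
    zone = classify_device(scan)
    resources = set()
    for r_group, r_zone, r_loc, allowed in RULES:
        if r_group in ("*", group) and r_zone in ("*", zone) and r_loc in ("*", location):
            resources = set(allowed)
            break
    return {
        "zone": zone,
        "resources": resources,
        # Assumption: cache clearing and session file encryption are forced
        # on every device that is not IT-managed.
        "data_protection": zone != "trusted",
        "connect": bool(resources),  # empty ACL means the connection is denied
    }
```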

14 What to Deploy with SSL VPN
- Strong (True Two-Factor) Authentication
- Dynamic A/V and Malware Scanning
- Updated Acceptable Use Policy for Employees and Partners
- Web-Based Mail
- Logical Directory Groups

15 What to Look for in a Vendor
- Appropriate Scale
- Application Support
- Multiplatform Support
- Support for 3-D Security Model
- Device Scanning (Pre-Auth)
- End-Point Data Protection
  - Cache Clearing
  - Data Encryption and Deletion
- Application Detection

16 Thank You
Scott Stanton
sstanton@aventail.com
www.aventail.com

17 Resources (PDF Files)
- Aventail SSL VPN Technical Primer US
- Aventail Ex-Family Product DataSheet
- Aventail IPSec VPN vs SSL VPN WP-A4
- Aventail End Point Control White Paper

