Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Remote Access With SSL VPNs: A Best Practice Primer Sikhi Gundu and Kartik Kumar, Juniper Networks India Pvt Ltd.

Published byCleopatra Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "Securing Remote Access With SSL VPNs: A Best Practice Primer Sikhi Gundu and Kartik Kumar, Juniper Networks India Pvt Ltd."— Presentation transcript:

1 Securing Remote Access With SSL VPNs: A Best Practice Primer Sikhi Gundu and Kartik Kumar, Juniper Networks India Pvt Ltd

2 Preliminaries Target audience: IT org managers, admins; not developers/implementers Introductory/high level overview Essentially tutorial

3 Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Athentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

4 Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

5 Motivation Usecase Remote access for Employees, Partners & Customers Why not IPSEC Requires client software to be installed. IPSEC VPNs are good for site-to-site, not so good for clients to server is layer 3; remote access users get layer 3 access! Why SSL VPN Client less remote access (browser is the client) Easy on the IT shop (roll-out, config) Layer 4 access with notion of a " user "

6 Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

7 – SSLVPN device acts as a reverse proxy – SSL provides data confidentiality and integrity on the public network Enterprise Network SSLVPN basic workflow Employees with Corporate/Home Laptops SSL VPN App Server Internet https http

8 SSL VPN typical deployment Enterprise Network Internet Firewall Router SSL VPN Applications Server Application Server Employees with Corporate Laptops Employees with Home PCs Employees with Mobile Devices

9 SSLVPN – Typical End-user Flow User connects to the gateway User Authenticates SSLVPN presents portal frontending accessible resources User signs out.

10 Essential functionality: Rewriting if(google.j.b)document.body.style.visibility='hidden'; Web Images Videos Maps News <a if(google.j.b)document.body.style.visibility='hidden'; Web Images Maps News Arekkut <a href="http://10.204.50.40/bkshp?hl=en&tab=wp" Layer 4

11 Essential Functionality: Rewriting Contd. Layer 3  Src IP  11.13.1.1  Dst IP  12.2.2.3  Src IP  11.13.1.1  Dst IP  12.2.2.3  Src IP  12.2.2.3  Dst IP  10.2.2.4  Src IP  12.2.2.3  Dst IP  10.2.2.4 Applications Server  Src IP  10.2.2.4  Dst IP  12.2.2.3  Src IP  10.2.2.4  Dst IP  12.2.2.3  Src IP  12.2.2.3  Dst IP  11.13.1.1  Src IP  12.2.2.3  Dst IP  11.13.1.1 NAT Device Enterprise Network Internet

12 Essential functionality: Granular Access Control Policy based access control (based on identity & other factors) For ex: assign role to user; assign resources to roles Example policies: Web Access UNIX file Access Windows File Access SSO Terminal Services

13 Essential functionality: Granualar Access Control Contd… Example Role Assignments based on Location Username Login time Group Etc etc.... Fine Grained Access control SSL VPN being a layer 4 device, has an end user notion and thus Fine Grained Access control Is possible

14 Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

15 Security with SSL VPN: Authentication Remember: Internet-facing device! Ensure Strong Authentication Strength of Authentication Strength of a password policy – Password strength – Password expiry – Blacklisted pin dictionary Typically, device vendor would ensure protection against: Dictionary attacks Brute force attacks Denial of service attacks

16 Single factor Authentication Two factor Strong Authentication, Contd

17 Strength of Authentication Contd. Secondary Authentication Adaptive authentication

18 Strength of Authentication Contd. Secondary Authentication – Can be used where stronger auth mechanism is required. – For example : User does primary authentication to a Auth Server [could be certificate or Machine Auth] Once Primary auth succeeds, he has to authenticate again to a Secondary Auth Server [which could be AD or LDAP or radius auth] Secondary authentication combined with 2- factor, will be even more stronger, but an overkill.

19 Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

20 Assess Endpoint’s security posture Enable this feature, most vendors provide it Enforce policy not to allow login if client not clean Makes sure that the client has – Trusted anitivirus software (eg: Norton AV 2010) – Trusted Anti-MalWare – Updated database virus signatures for the antivirus. – Availabilty of OS Patches. Ensure file system has no suspicious content or processes. Ensure file system has the content it is supposed to have; ie, not tampered with

21 Clean session termination Data is left behind by the session! – Browser History – Browser Cache – Saved password and forms – Keystroke loggers – Cookies Use cache cleaning functionality – Cleans up all Browser data on logout Enable virtual keyboards during authentication

22 Clean session termination Contd. SVW [Secure virtual workspace] – Restricted, transient shell – Created when user login-in – Destroyed on logout – Ensures no upload of dangerous content or download of critical data

23 Integrate with IDP Coordinated Threat control using IDP IDP SSL VPN Detects intrusion Quarantines user based on IDP instructions Informs SSL VPN

24 Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

25 Security with SSLVPN: Authorization Can remote users have the same level of access privilege as local users? Maybe not! Exploit RBAC to the fullest Role is a group of policies Policies govern access to resources – Web Recource Access – File Resource access [Both windows/UNIX] – Telnet/SSH Access – SSO – Terminal Services access

26 Role Based Access Control Contd. Vendors provide the ability to define roles as a function of several attributes For example: – Endpoint security posture – Login time – Login IP – Login Name – Directory attributes – Group – For ex: same user gets different privileges during office hours as opposed to off-hours

27 Agenda Motivation 30000ft view of SSLVPN Technology Security with SSLVPN: Authentication Security with SSLVPN: Endpoint Integrity Security with SSLVPN: Authorization Security with SSLVPN: User Education

28 Bad people: evil outsiders and disgruntled insiders Remember: internet-facing web device Vulnerable to the usual set of web attacks Injection Attacks – Most Common: Cross-site scripting Parsing and detecting malicious script Have multiple admins to verify config. – New one XSRF Cross site Request forgery Frame busting Vendor provides some form of defence; but beware your customization may open up holes!

29 Key is: Train your users Educate Users – Always ensure graceful exit – Don’t leave sessions unattended – Avoid logging in via Shared Computers – Don’t cache Password on browsers – Use Virtual keyboards for login

30 Thank you

Download ppt "Securing Remote Access With SSL VPNs: A Best Practice Primer Sikhi Gundu and Kartik Kumar, Juniper Networks India Pvt Ltd."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Securing Remote Network Access FirePass ®. Business Case VirginiaCORIS is an initiative to modernize the way that offender information is managed, to.

Securing Remote Network Access FirePass ®. Business Case VirginiaCORIS is an initiative to modernize the way that offender information is managed, to.
©2005 Check Point Software Technologies Ltd. Proprietary & Confidential Check Point Software SSL VPN Solutions Technical Overview Thorsten Schuberth Technical.

©2005 Check Point Software Technologies Ltd. Proprietary & Confidential Check Point Software SSL VPN Solutions Technical Overview Thorsten Schuberth Technical.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or 415.514-3333 UCSF Campus VPN.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
ISSA Presentation. Agenda Remote Access Evolution SSL VPN Drivers Why SSL VPNs Basic Deployment Security vs. IPSec The New Security Concerns Addressing.

ISSA Presentation. Agenda Remote Access Evolution SSL VPN Drivers Why SSL VPNs Basic Deployment Security vs. IPSec The New Security Concerns Addressing.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Chapter 12 Network Security.

Chapter 12 Network Security.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Secure Access using IAG 2007 Presented by: Brian Dunleavy - Healthcare Business Manager - Eurodata Susanna Watson – Pre Sales Technical Consultant - Eurodata.

Secure Access using IAG 2007 Presented by: Brian Dunleavy - Healthcare Business Manager - Eurodata Susanna Watson – Pre Sales Technical Consultant - Eurodata.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
In this section, we'll cover one of the foundations of network security issues, It talks about VPN (Virtual Private Networks). What..,Why..,and How….?

In this section, we'll cover one of the foundations of network security issues, It talks about VPN (Virtual Private Networks). What..,Why..,and How….?
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Similar presentations

Ads by Google