1 / 15

Home Workers Node

Home Workers Node. How to extend Intranet security to the home. Requirements. Secure enough to be acceptable by intranet security officers intrusion denial of service Convenient enough to be acceptable by employees intranet should feel local at home full internet access. Evil spouse.

alaric
Télécharger la présentation

Home Workers Node

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Home Workers Node How to extend Intranet security to the home

  2. Requirements • Secure enough to be acceptable by intranet security officers • intrusion • denial of service • Convenient enough to be acceptable by employees • intranet should feel local at home • full internet access

  3. Evil spouse Local net Evil ISP employee e-box Access net Evil hacker ISP Internet Who cares Firewall Intranet Resource (e.g. Web) System overview Client (e.g. PC)

  4. Universe splitter • DNS requests are intercepted • Intranet names are assigned a local private range IP address • Name + IP nr. registered at guard • Packages with these addresses are forwarded to guard • Guard tunnels packages if profile allows • NAT used for Internet access

  5. ? people.ericsson.se 10.0.0.14=people.ericsson.se ? 10.0.0.14 GET ? Ab%$12AnC^6as*mS (SSL) ? 195.16.78.12 GET Logical view ? www.apple.com Client (e.g. PC) Guard DNS DNS 10.0.0.14 ! 17.254.0.91 ! ? www.apple.com 17.254.0.91 ! e-box Proxy device Guard ? 17.254.0.91 GET www. apple. com Firewall proxy people. ericsson. se Profiles

  6. Spouse attack • Only defined local clients can access guard services • Profile at firewall defines limited resource access • Auditing • Login can be strengthened by SMS login

  7. ISP attack • Eavesdropping impossible due to SSL link between guard and firewall • Denial of service can be prevented with multiple ISPs

  8. Hacker attack • Private IP range used for intranet aliases are skipped by every router • e-box does not allow remote login • No forwarding of external packets via guard • Only access is from client on local net. This requires physical access (e-box alarm system?)

  9. Guard DNS • Act as DNS server for local net • Detect requests for intranet services • Assign private IP number as alias • Inform guard of assignment • If not known, forward to system DNS • Simple package, can be written in Java (IBM has done it)

  10. Proxy device • Intercept IP packets in guard range • Push packets to Guard • Very simple Linux device driver. Many examples available • Written in C

  11. Guard • Create an SSL tunnel over the internet to the firewall • Authenticate secure • Inform firewall of private aliases • Forward packets both ways • SSL software freely available

  12. Firewall • Accept tunnels from guards • Authenticate • Forward packets if they are allowed by the profile of the e-box • Manage the profiles of the employee • Certificates • Self care Company policies • Standard solutions?

  13. Strengths • Allows any type of client • PCs • Web pads • Offers full internet access • games, LDAP, applets • Allows multiple intranets if e-box is trusted • No special cards

  14. Weaknesses • Local net is not fully secure • No standard software • New concept, requires convincing security officers

More Related