1 / 32

VPN Solutions Voice over IP Secure e-mail

EMS Summit – Network Remote Access. VPN Solutions Voice over IP Secure e-mail. William E. Ott Friday August 25, 2006 1300 – 1400 EDT. Secure Communications. Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources

israel
Télécharger la présentation

VPN Solutions Voice over IP Secure e-mail

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EMS Summit – Network Remote Access VPN Solutions Voice over IP Secure e-mail William E. Ott Friday August 25, 2006 1300 – 1400 EDT

  2. Secure Communications • Secure Remote Access is essential if you have multiple sites or the need for external users to connect to internal resources • Voice traffic is starting to move to data circuits (VoIP) Not secure on its own • How do you secure e-mail traffic?

  3. Cost Availability Technical support Bandwidth Security Impediments to Remote Access

  4. Traditional Remote Network Connectivity Options • Network Connection Technologies • Private circuits (i.e. frame relay) • Expensive • Dialup • Slow • Network Service Technologies • telnet, ftp, ssh, http, https, proprietary • Some are secure, some are not • Architecture • Remote circuits terminated directly into the core of the enterprise network • Insecure

  5. Classical Enterprise Connectivity

  6. Internet Access For the enterprises From our homes The Web Sharp increase in Internet use Browsers become ubiquitous Broadband Fast Economical Internet Access Shared infrastructure Public exposure The Web Sharp increase in Internet use Access to content: useful and malicious Broadband Remote endpoints (i.e. home PCs) always on New Requirements / New Threats

  7. Access Types Considered • Dial-Up – Already in use • Dedicated Access (T1, Frame) – Already in use • Network to Network IPSEC VPN • Client to Network IPSEC VPN • SSL VPN

  8. Security Requirements • Define the perimeter • A perimeter exists every place where there’s a differentiation in policy or responsibility • Identify and authenticate remote sites and users • Consider “strong” and multi-factor authentication options • Provide privacy & integrity for communications • Business data • Authentication credentials • Secure endpoints • Apply enterprise security policy to remote endpoints • Limit exposure • Remote users probably don’t need to access “everything.”

  9. Solutions? • Virtual Private Networks • IP-Sec • Remote network access • SSL • Remote application access • SSH • Remote administration

  10. Remote Assess: the parts • Assess • Diverse client base • Distributed client base • Access to applications and data • Minimize delivery time • Minimize agency support requirements • Conform to federal requirements including two factor authentication • Security

  11. Plan the solution

  12. IP-Sec • Types • Site to Site • Remote Client • Security Considerations • Encryption • Authentication • Split Tunneling • Client Policy Enforcement • Firewalls (inside and outside the VPN)

  13. Site to Site IP-Sec

  14. Client IP-Sec

  15. Pros Well suited to replace private circuits “On the network,” user experience Extensive support for various encryption algorithms and authentication options Mature technology Cons Quality of Service dependent on shared network (i.e. the Internet) Client application required Limited cross-vendor interoperability Some configurations are not compatible with NAT IP-Sec VPN Pros and Cons

  16. Remote Office VPN • Targeted at sites with > 10 users • Secure (IPSec) VPN • Inter-agency Alliance managed end-to-end • Connectivity to Legacy applications and new inter-agency alliance portal • Client premise equipment • Firewall/VPN Device • 1 - 10/100 Ethernet port • Objective • Minimize impact of new solution on legacy networks while providing flexibility of deployment

  17. PC PC Alliance PC PC PC PC Client Network Firewall Firewall Firewall Alliance Alliance Internet Internet Internet Local Integration • Topology • Inside, DMZ, Outside • Addressing • Client provides single IP address for VPN • Address translation • Routing Changes • Client routes alliance applications to VPN

  18. SSL VPN • Types • Remote Client • Security Considerations • Encryption • Authentication • Application publication • HTTP • Citrix / MS Terminal Services / Common Services • SSL VPN client application may be used to proxy other application types or even establish a full PPP connection • In which case, the IP-Sec security considerations apply

  19. SSL VPN

  20. Pros Super-easy access to enterprise application infrastructure Ability to “publish” non-web applications Ability to use standard web browser to access published application Cons Client VPN only Client application still required for “on the network” experience SSL VPN Pros and Cons

  21. SSL VPN • Targeted at mobile or sites with < 10 users • Enrollment and Support for Multiple members • Provides clientless access to alliance resources • Requires only a browser and internet connectivity • 2-factor authentication • One-Time password token • Token delivery efficiency

  22. SSH • Primarily for remote administration • Encrypted “telnet” and “ftp” • Port forwarding • Highly interoperable • Supports nested tunnels • Can be used in a bastion host architecture to provide secure remote access

  23. Bastion Host

  24. Architecture Best Practices • Identity Management • Authentication • Authorization • Logging • Client system policy compliance • Split tunneling (IP-Sec)

  25. An Integrated Architecture

  26. Remote Access Summary • Begin by determining what portions of the environment must be accessed remotely • Select the secure remote access solution that meets your needs • Understand the security architecture of the solution you use • Develop the appropriate architecture • Integrate the solution with other security services as necessary

  27. Remote Access Summary • Have a broad view of how the solution will be used • Placement of equipment • Infrastructure • Applications being accessed • Clearly define the process for provisioning tokens and providing user access

  28. Voice over Internet Protocol • VoIP is growing rapidly • VoIP traffic should be secured site to site if used for sensitive information • VoIP has excellent crisis communications capability • VoIP is often cheapest method of telephony from overseas

  29. Email Security • HIPAA concerns with email • Email to wireless devices • Email from remote or home users • Email with vendors and clients • Internal Email between sites • If Email isn’t ‘managed’ you have no control once sent • Many Email options

  30. What technologies are emerging • Faster wireless • Real time video • High resolution cameras in phones • Convergence of data, voice, video into single devices

  31. Questions?

More Related