What are the security risks of SSL VPN connections for teleworking? Kennisdag Informatieveiligheid bij Gemeentebesturen en OCMW's (Information Security Knowledge Day for municipal governments and OCMWs)
Who am I? Wouter Vloeberghs (ing.), Implementation Consultant ICT at Ferranti Computer Systems, wv@ferranti.be. CCSP (Cisco Certified Security Professional), working towards CCIE Security.
Agenda
- Introduction to teleworking
- Introduction to VPN
- SSL VPN introduction
- Security concerns for SSL VPN
- Possible attacks
- Market players
- Recommended reading
Introduction to teleworking
Why teleworking?
Teleworking is becoming more and more popular.
- For the employee:
  > Avoiding traffic
  > Flexibility
  > Better private life / work balance
  > Better concentration, higher efficiency
- For the employer:
  > Cost efficiency (less office space, lower travel costs)
  > Less sick leave
  > Higher productivity
  > Motivated employees
Introduction to VPN
Virtual Private Network (VPN) Overview
- IP security (IPsec) and Secure Sockets Layer (SSL) are mechanisms for secure communication over IP. They provide:
  > Authenticity (the peer is who it claims to be; the traffic is not forged)
  > Integrity (the data arrives unaltered; tampering in transit is detected)
  > Confidentiality (the data cannot be read by third parties)
- Remote Access (RA) VPN components:
  > Client software or a browser on the endpoint
  > The VPN tunnel across the Internet
  > A VPN security appliance at the central site: the termination device, built to terminate a high number of endpoints
Remote Access VPN over the Internet (figure)
Remote access clients (a telecommuter on ADSL, a mobile user, a cable subscriber, an extranet or consumer-to-business partner) connect across the Internet to the enterprise central site, where a router, a firewall and a VPN security appliance terminate the VPN tunnel. Two client types are shown: IPsec VPN at Layer 3 (Microsoft Windows and Mac OS X ship an L2TP/IPsec client) and clientless SSL VPN at Layer 7 (browser). The VPN security appliance is an integrated solution for enhanced remote access with standards-based interoperability.
What Are We Talking About? Building blocks of a secure VPN (the figure shows a remote client reaching a server labelled BANK across the Internet)
  Tunneling: IPsec, L2TP/IPsec, TLS (HTTPS/SSL), DTLS
  Encryption: DES, 3DES, AES, RC4
  Authentication*: RSA digital certificates, pre-shared key
  Integrity: HMAC-MD5, HMAC-SHA-1
  * Peer authentication in IKE phase 1, not user authentication.
Note: of the listed algorithms, DES and RC4 are no longer considered secure; use AES for encryption, and prefer HMAC-SHA-1 or an SHA-2 based HMAC over HMAC-MD5 for integrity.
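The integrity and authenticity rows of the table are easiest to see in code. The following is an added example, not taken from the slides: it applies HMAC-SHA-1 truncated to 96 bits, the HMAC-SHA-1-96 that IPsec AH/ESP use (RFC 2404), to a constructed sample packet, then shows that an unkeyed hash "checksum" is satisfied by a forged packet while the keyed MAC rejects both a flipped bit and the forgery. The key, the sample payload and the function names are assumptions chosen for illustration.

```python
"""Integrity and authenticity of a tunnel packet with HMAC-SHA-1-96.

Added example, not from the original slides. IPsec AH/ESP use HMAC-SHA-1 truncated to
96 bits (RFC 2404). The key, the sample payload and the function names are constructed
for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

MAC_LEN = 12  # 96 bits, the HMAC-SHA-1-96 truncation used by IPsec


def protect(key: bytes, payload: bytes) -> bytes:
    """Append a keyed, truncated HMAC-SHA-1 tag: only holders of the SA key can produce it."""
    tag = hmac.new(key, payload, hashlib.sha1).digest()[:MAC_LEN]
    return payload + tag


def verify(key: bytes, packet: bytes) -> Optional[bytes]:
    """Return the payload if the tag matches, else None.

    Uses a constant-time compare so the verifier does not leak how many tag bytes matched.
    """
    if len(packet) < MAC_LEN:
        return None
    payload, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()[:MAC_LEN]
    return payload if hmac.compare_digest(tag, expected) else None


def unkeyed_checksum(payload: bytes) -> bytes:
    """A plain hash 'integrity check': catches line noise, but anyone can recompute it."""
    return hashlib.sha1(payload).digest()[:MAC_LEN]


def forge_unkeyed(new_payload: bytes) -> bytes:
    """An on-path attacker replaces the payload and simply recomputes the unkeyed checksum."""
    return new_payload + unkeyed_checksum(new_payload)


def demo() -> Dict[str, bool]:
    key = os.urandom(20)  # in a real tunnel the integrity key comes from the IKE / TLS key exchange
    payload = b"GET /intranet/salaries HTTP/1.1\r\n"  # constructed sample payload
    genuine = protect(key, payload)

    tampered = bytearray(genuine)
    tampered[5] ^= 0x01  # one bit flipped in transit
    tampered = bytes(tampered)

    forged = forge_unkeyed(b"GET /intranet/admin HTTP/1.1\r\n")

    return {
        "genuine_accepted": verify(key, genuine) == payload,
        "tampered_rejected": verify(key, tampered) is None,
        # the unkeyed check is satisfied by the forgery: integrity without authenticity
        "unkeyed_forgery_passes": unkeyed_checksum(forged[:-MAC_LEN]) == forged[-MAC_LEN:],
        # the keyed check is not: the attacker has no key
        "forgery_rejected_by_hmac": verify(key, forged) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point for a VPN deployment: "integrity" on the slide only means something because the MAC is keyed with a secret that the IKE or TLS handshake established, which is why the authentication row and the integrity row depend on each other.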
Why SSL VPN? (figure)
- Internal and external users: employees, project managers, remote technicians, financial partners or field agents, logistics partners
- Managed and unmanaged devices: corporate-managed laptops, home PCs, unmanaged partner PCs, kiosks
- Private resources they need to reach: web apps, client-server apps, legacy apps, third-party apps, homegrown apps, file access
Remote Access Options
- Dialup? Too costly, limited user experience
- Reverse proxy? Only web apps
- Terminal services? Not reachable from everywhere
- Traditional VPN based on IPsec (the most popular option):
  > Limited functionality from firewalled or NAT'ed networks; not very user friendly
  > The client becomes difficult to roll out; managed devices only
  > Requires administrative installation
  > Potential security exposure by extending the network to the endpoint
- SSL VPN:
  > In-office experience from anywhere
  > Granular policy control
- Next-generation IPv6 IPsec VPN:
  > User friendly: no more firewall/NAT problems; seamless access from everywhere
  > Built into client operating systems
  > Granular policy control
SSL VPN Introduction: three access modes
- Clientless: basic web access, e-mail access, CIFS (Common Internet File System) file access, customised user screen
- Thin-client: port redirection (TCP applications only), shared applications
- Client-based: full SSL tunnel
Deployment Example: IPsec and SSL VPN support diverse user populations (figure)
- Supply partner on an extranet machine: few apps/servers, tight access control, no control over the desktop software environment. Clientless (Layer 7) access through a browser.
- Doctor at home on an unmanaged desktop: occasional access, few apps, no desktop software control. Clientless access.
- Software engineer telecommuting: many servers/apps, needs native application formats, VoIP, frequent access, long connection times. Full network access (Layer 3).
- Account manager (mobile user): diverse apps, home-grown apps, always works from an enterprise-managed desktop. Full network access (Layer 3).
Security Concerns
Security Concerns for SSL VPN
Endpoints range from a supply partner's extranet machine and an employee's unmanaged home machine to a customer's managed machine.
- Before the SSL VPN session:
  > Who owns the endpoint?
  > What is its security posture: antivirus, personal firewall?
  > Is malware already running?
- During the SSL VPN session:
  > Is the session data protected?
  > Are typed passwords protected?
  > Has malware launched?
- After the SSL VPN session:
  > Did the browser cache intranet web pages?
  > Did the browser store passwords?
  > Were downloaded files left behind?
Client Authentication / Authorization
Users are authenticated against one of:
- RADIUS
- TACACS
- Active Directory (AD) / Kerberos
- NT Domain
- RSA SecurID
- LDAP
- One-Time Password (OTP) server
Split Tunneling (figure: VPN client, VPN appliance, central site, and an Internet site, http://www.v-ict-or.be)
- Without split tunneling: all client traffic, including traffic to Internet sites such as http://www.v-ict-or.be, goes through the tunnel to the VPN appliance at the central site and is subject to the central site's controls. Maximum security, at the cost of Internet performance and central-site bandwidth.
- With split tunneling: only traffic for the central site goes through the tunnel; Internet traffic leaves the client directly. Maximum Internet access performance, but the client is now connected to the Internet (and its local LAN) and to the corporate network at the same time, so it can act as a bridge between them, and its Internet traffic bypasses the central site's filtering.
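To make the two diagrams concrete, here is an added example (not from the slides) that decides, for each destination, whether a client's traffic goes through the tunnel or leaves directly. It goes slightly beyond the slide by covering the three split-tunnel policies a Cisco ASA group policy offers (`tunnelall`, `tunnelspecified`, `excludespecified`); the ACL, addresses and function names are assumptions chosen for illustration, and the ASA configuration quoted in the docstring is a reference rendering of the "with split tunneling" case, not configuration from the presentation.

```python
"""Which traffic leaves the tunnel under each split-tunnel policy.

Added example, not from the original slides. The policy names are those of Cisco ASA
group policies; the ACL, the addresses and the function names are assumptions.

Equivalent ASA configuration for the 'with split tunneling' case (reference only):
    access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
    group-policy TELEWORK attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLIT_TUNNEL
"""
import ipaddress
from typing import Dict, Iterable, List

TUNNELALL = "tunnelall"                # everything goes through the VPN appliance
TUNNELSPECIFIED = "tunnelspecified"    # only the ACL networks go through the tunnel
EXCLUDESPECIFIED = "excludespecified"  # everything except the ACL networks goes through the tunnel


def route_decision(policy: str, acl: Iterable[str], dst: str) -> str:
    """Return 'tunnel' or 'direct' for one destination address under the given policy."""
    addr = ipaddress.ip_address(dst)
    in_acl = any(addr in ipaddress.ip_network(net, strict=False) for net in acl)
    if policy == TUNNELALL:
        return "tunnel"
    if policy == TUNNELSPECIFIED:
        return "tunnel" if in_acl else "direct"
    if policy == EXCLUDESPECIFIED:
        return "direct" if in_acl else "tunnel"
    raise ValueError(f"unknown split-tunnel policy: {policy}")


def routing_plan(policy: str, acl: Iterable[str], destinations: Iterable[str]) -> Dict[str, str]:
    """Map every destination to the path its packets take while the VPN is up."""
    acl = list(acl)
    return {dst: route_decision(policy, acl, dst) for dst in destinations}


def uninspected(policy: str, acl: Iterable[str], destinations: Iterable[str]) -> List[str]:
    """Destinations the client reaches directly, i.e. outside the central site's controls,
    while it simultaneously holds a tunnel into the corporate network."""
    return [dst for dst, via in routing_plan(policy, acl, destinations).items() if via == "direct"]


if __name__ == "__main__":
    corp = ["10.0.0.0/8"]                                 # assumed corporate address space
    flows = ["10.1.2.3", "203.0.113.10", "192.168.1.20"]  # intranet server, Internet site, home LAN device
    for policy in (TUNNELALL, TUNNELSPECIFIED, EXCLUDESPECIFIED):
        print(policy, routing_plan(policy, corp, flows),
              "bypasses central site:", uninspected(policy, corp, flows))
```

Running it shows the trade-off in the diagram as a list rather than an arrow: with `tunnelall` the "bypasses central site" list is empty, with `tunnelspecified` it contains every Internet and home-LAN destination, which is exactly the exposure the "extending the network" bullet earlier in the deck warns about.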
Endpoint Security Best Practices by Access Method
- Full tunneling:
  > Treat the client as a remote node on the network
  > Grant conditional access based on identity and security posture
  > Use network ACL filtering to limit access
- Clientless SSL VPN:
  > Grant access to specific applications only
  > Grant conditional access based on identity and security posture
  > Use web ACL filtering to limit access
  > Protect against leakage of confidential data
Possible Attacks
- Hardware keyloggers:
  > Installed directly in the keyboard or on the motherboard
  > Cable extension (inline between keyboard and PC)
- Software keyloggers:
  > Kernel driver
  > Software hook
  > Spyware, malware
Security is not only about technology
Secure communication is built in layers (figure):
- People: security policy, authentication, authorisation, training
- Data: VPN (SSL/IPsec), content filtering, data security, identity management
- Infrastructure / network security: firewall, IPS, VPN, anti-virus/spam/malware/phishing
Market Players
Recommended Reading
- Telework.gov, telework security: http://www.telework.gov/policies_and_procedures/telework_security/index.aspx
- NIST SP 800-46 Rev. 1, Guide to Enterprise Telework and Remote Access Security: http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf