Ronald Beekelaar - PowerPoint PPT Presentation

1 / 34

About This Presentation

Title:

Ronald Beekelaar

Description:

Knowledge about required application login methods. Session Cleanup Agent ... Allows fall back policy to 'no-cache' tag mechanism. 25. Security Concerns ... – PowerPoint PPT presentation

Number of Views:73

Avg rating:3.0/5.0

Slides: 35

Provided by: downloadM

Category:

more less

Transcript and Presenter's Notes

Title: Ronald Beekelaar

1
Intelligent Application Gateway(IAG) 2007

Ronald Beekelaar
Beekelaar Consultancy
ronald_at_beekelaar.com

2
Introductions

Presenter Ronald Beekelaar
MVP Windows Security
MVP Virtual Machine Technology
E-mail ronald_at_beekelaar.com
Work
Beekelaar Consultancy
Security consultancy
Forefront, IPSec, PKI
Virtualization consultancy
Create many VM-based labs and demos

3
Agenda

History SSL VPN
SSL VPN Connections
Web
Non-Web
VPN
Portal / Applications
Endpoint Policies
Authentication / Authorization

4
Intelligent Application Gateway 2007
A comprehensive line of business security
products that helps you gain greater protection
through deep integration and simplified management
5
IAG - Appliance
6
IAG 2007

Supports all Applications with SSL VPN
Web Client/Server - File Access
Homegrown or 3rd party
(Citrix, IBM, Lotus, SAP, PeopleSoft)
Designed for Managed and Unmanaged Users Devices
Automatic detection of user system, software,
configuration
Access policies according to device security
state
Delete temp files and data traces from unmanaged
locations
Drives Productivity with Application Intelligence
Apply policy at granular App Feature levels
Dynamically control application data for desired
functionality
SSO with multiple directories, protocols, and
formats
Fully customizable portal and user interface

7
SSL VPN ?

Allow secure remote access from trusted and
untrusted client computers
All connections over TCP port 443 (SSL)
Access starts through a Web Portal
Authenticates to AD
Contains list of applications
Click each application to access

8
Connections Types (3x)

Web Applications
Normally uses port 80/443
Browser-based
Port/socket forwarding
Normally uses non-web ports, but is tunneled in
443
ActiveX control - browser-based
Network Connector
All protocols and all ports, but tunneled in 443
Real "VPN" - client receives new IP address

9
Endpoint Security

IAG client components check client computer
security settings
Client computer is called "endpoint"
Based on endpoint state,you define Endpoint
Policies to allow
Access to Web Portal
Example- Do not even ask for credentials on
untrusted client computer
Access to certain applications on Web Portal
Example- Hide Network Connector option on
untrusted client computer
Access to certain features of applications
Examples - Block SPS uploads - Disallow OWA
attachment

10
A Little History

The Problem
With the growing prevalence of internet
connectivity, enterprises required platforms to
provide remote access for employees, partners and
customers in a secure way
The Solution?
1st attempt Dialup remote access ? proving too
costly, limited user experience.
2nd attempt Limited use of reverse proxies to
publish web based applications.
3rd attempt IPSec VPN makes leap for user remote
access
IPSec VPN first developed for site to site
connectivity.

11
Reverse Proxy
WebServer
3
DNSServer
4
5
2
6
ISAServer
ISA Server calls this Publishing
12
Reverse Proxy

Publishes web appsfor use from anywhere.
Handles pre-authentication,application
filtering, SSL encryption at the edge.
However
Does not handle non-web (client/server)
applications.
Does not scale when publishing numerous web
applications.

13
IPSec VPN
Internet
Corpnet
ISA
IAS RADIUS
Remote User
Quarantine
Active Directory

Full network connectivity from authorized devices
Quarantine features available for non-compliant
clients
Unmanaged clients have no access
However
Increasingly difficult to manage on a large scale
given variety and complexity of IPSec clients
Blocked by (outgoing) firewalls

14
Terminal Services Solution

Built into Windows Server.
Expandable with 3rd party solutions (Citrix and
others)
Offer a complete desktop user experience or
integrated applications.
Centralized server-based solution.
Typically limited deployments given
servercomputing requirements.

15
A Little History - IPSec Dominates

Introduces following limitations
Potential security exposure by extending network
Limited functionality from firewall/NATed
networks
Client grows to accommodate more security
functionality (virus inspection, split tunneling
control, etc.)
Client becomes difficult to roll out
Requires administrative installation
Clashes with other IPSec and security software
Not very user friendly
Result
Enterprises limit usage to road warriors and
managed PCs
TCO is high and ROI limited

16
A Little History - SSL VPN is Born

Promises to offer similar functionality for
Any user
Any location
Any application
Delivers on lower TCO
Introduces new security considerations as clients
are now unmanaged.
First wave of development is focused on
connectivity.
Current wave is focused on Application
Intelligence.

17
SSL VPN - Building Blocks
Applications
Web
Authentication
Tunneling
SSL VPN Gateway
Authorization
Security
Simple TCP
Portal
Other non-Web
Management
Client

SSL VPN solution comprised of
Tunneling Transferring web and non-web
application traffic over SSL
Client-Side Security Security compliance check,
cache cleaning, timeouts
Authentication User directories (e.g. Active
Directory), strong authentication support,
Single-Sign-On
Authorization Allow/Deny access to applications
Portal User experience, GUI

18
SSL VPN Tunneling (3x)

Web applications
Thats easy just uses HTTPs
Non-Web applications
Port/socket Forwarding
Uses SSL-Wrapper client component
Example Terminal Server tunnel RDP in HTTPs
Network Connector
Full Network Access
Uses Network Connection client component
Client gets additional IP address

19
Demo Environment
20
Application Protection

Access Policies
Allow/deny functions within application(e.g.
SharePoint attachments Upload/Download based on
endpoint compliance)
Application Firewall Protecting the Application
Predefined positive logic rule sets
Single Sign On
Knowledge about required application login
methods
Session Cleanup Agent
Clears application specific cache (e.g.
SharePoint Offline folder)
Protecting the Network Session
Ignore background polling command for timeout
calculation, adds secure logoff button where
absent

21
Endpoint Policies

Checks health of Endpoint Policies
Session policy
Endpoint certification
Privileged endpoint
Application policy
Access to applications (hide or disable on
portal)
Access to functionality within applications
Example Block SharePoint upload from unsafe
client

22
Endpoint detection and application intelligence
Generic Applications
Applications Knowledge Center

Application Aware Platform
Application Definition Syntax/Language
Application Modules

Web
Citrix
OWA
SharePoint
Browser Embedded
Authentication
Tunneling
Application Aware Modules
Client/Server
SSL VPN Gateway
Authorization
Security
User Experience
Specific Applications
High-Availability, Management, Logging,
Reporting, Multiple Portals
Client
Exchange/ Outlook
OWA
Devices Knowledge Center
SharePoint
Citrix
PDA ....
Linux ..
MAC .....
Windows . ...
23
Endpoint Detection

Out of the box support for over70 variables of
detection including
Antivirus
Antimalware
Personal Firewall
Desktop Search/Index Utilities
And much more
Easy to configure GUI that allowssimple
management of policies.
Extended GUI for manual editing andmodification
of policies.
Leverage Windows Shell Scripting tocreate any
policy and inspect forany client side variable.

24
Attachment Wiper

Clears the browsers cache upon session
termination
Process does not require user initiation
Optimizers integrate logic to identify and scrub
custom caches
Supports custom scripts for custom file cleaning
Removes
Downloaded files and pages - Cookies
AutoComplete form contents - History information
AutoComplete URLs - Any user credentials
Triggers
User logoff - Browser crash
Inactivity timeout - Browser closure
Scheduled logoff - System shutdown
Security Policy
Allows for Cant Wipe Cant Download policy
Allows fall back policy to no-cache tag
mechanism

25
Security Concerns

Authentication - Who are you?
Strong Authentication Are you really him/her?
Authorization What can you access?
Transport Security Can they hear?
Application Security Should you be doing that?
End Point Security From there?
Information Safeguard Should this be left
around?
Session Security How long can you do this for?

26
Single Sign-On

No need for directory replication or repetition
Alternative approaches require local repository
Transparent Web authentication
HTTP 401 request
Static Web form
Dynamic browser-sensitive Web form
Integrates with
Password change management
User repositories

27
User Specific Portal

Manages access of employees, partners customers
from anywhere to corporate business applications
More than one Portal page can be published per
appliance
Each is based on a unique IP and host name
Each can present a completely unique user
experience including look and feel,
applications, authentication and authorization
Extends the business beyond the borders of the
network
Implements corporate policies without weakening
security
Leveraging existing investments in software
infrastructure and applications
Ensures maximum functionality based on endpoint
profile
Based on SSL VPN access platform
Leverages the Web browser to allow universal
access
Provides a broad range of connectivity options