Securing - PowerPoint PPT Presentation

About This Presentation

Title: Securing

Description: Securing Remote Access With SSL VPNs: A Best Practice Primer. Sikhi Gundu and Kartik Kumar, Juniper Networks India Pvt Ltd. Preliminaries: Target audience: IT org ... – PowerPoint PPT presentation

Slides: 31
Provided by: Kar7174

Transcript and Presenter's Notes


1
Securing Remote Access With SSL VPNs: A Best Practice Primer
  • Sikhi Gundu and Kartik Kumar, Juniper Networks
    India Pvt Ltd

2
Preliminaries
  • Target audience: IT org managers and admins, not
    developers/implementers
  • Introductory/high-level overview
  • Essentially a tutorial

3
Agenda
  • Motivation
  • 30000ft view of SSLVPN Technology
  • Security with SSLVPN Authentication
  • Security with SSLVPN Endpoint Integrity
  • Security with SSLVPN Authorization
  • Security with SSLVPN User Education

4
Agenda
  • Motivation
  • 30000ft view of SSLVPN Technology
  • Security with SSLVPN Authentication
  • Security with SSLVPN Endpoint Integrity
  • Security with SSLVPN Authorization
  • Security with SSLVPN User Education

5
Motivation
  • Use case
      • Remote access for employees, partners, customers
  • Why not IPsec?
      • Requires client software to be installed
      • IPsec VPNs are good for site-to-site, not so good
        for client-to-server
      • IPsec is layer 3: remote access users get layer 3
        access!
  • Why SSL VPN?
      • Clientless remote access (the browser is the client)
      • Easy on the IT shop (roll-out, config)
      • Layer 4 access with the notion of a "user"

6
Agenda
  • Motivation
  • 30000ft view of SSLVPN Technology
  • Security with SSLVPN Authentication
  • Security with SSLVPN Endpoint Integrity
  • Security with SSLVPN Authorization
  • Security with SSLVPN User Education

7
SSLVPN basic workflow
  • SSLVPN device acts as a reverse proxy
  • SSL provides data confidentiality and integrity
    on the public network

  (Diagram: https between the browser and the SSL VPN device,
  http between the SSL VPN device and the internal server)
8
SSL VPN typical deployment
  (Diagram: SSL VPN deployed in front of the Enterprise Network)
9
SSLVPN Typical End-user Flow
  • User connects to the gateway
  • User authenticates
  • SSL VPN presents a portal fronting the accessible
    resources
  • User signs out

10
Essential functionality: Rewriting
  • Layer 4
  • Page as served by the SSL VPN (excerpt; extraction had
    stripped the HTML delimiters, restored here):
    <iframe name="wgjf" style="display:none" src="/dana-cached/help/empty.html" onload="google.j.l()" onerror="google.j.e()"></iframe>
    <a href="https://sslvpn.mycompnay.com/,DanaInfo=10.204.50.40+imghp?hl=en&tab=wi" onclick="gbar.qs(this)" class="gb1">Images</a>
    <a href="https://sslvpn.mycompnay.com/,DanaInfo=10.204.50.40+?hl=en&tab=wv" onclick="gbar.qs(this)" class="gb1">Videos</a>
    <a href="https://sslvpn.mycompnay.com/,DanaInfo=10.204.50.40+maps?hl=en&tab=wl" onclick="gbar.qs(this)" class="gb1">Maps</a>
    <a href="https://sslvpn.mycompnay.com/,DanaInfo=10.204.50.40+nwshp?hl=en&tab=wn" onclick="gbar.qs(this)" class="gb1">News</a>
  • Original page on the internal server 10.204.50.40 (excerpt):
    <iframe name="wgjf" style="display:none" src="" onload="google.j.l()" onerror="google.j.e()"></iframe>
    <a href="http://10.204.50.40/imghp?hl=en&tab=wi" onclick="gbar.qs(this)" class="gb1">Images</a>
    <a href="http://10.204.50.40/maps?hl=en&tab=wl" onclick="gbar.qs(this)" class="gb1">Maps</a>
    <a href="http://10.204.50.40/nwshp?hl=en&tab=wn" onclick="gbar.qs(this)" class="gb1">News</a>
  • The rewriter also hooks script-assigned image sources: in
    the body onload handler, new Image().src='/images/srpr/nav_logo14.png'
    becomes DanaPutSrc(new Image(),'/images/srpr/nav_logo14.png',0)
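How the layer 4 rewriter turns the internal server's links into gateway links, as an added Python example that is not part of the presentation or of any vendor's code. It assumes the ,DanaInfo=host+path form shown on the slide (the '=' and '+' separators were stripped by extraction and are restored here), assumes a ',SSL' marker for https backends, and runs on a constructed sample page.

```python
import re
from urllib.parse import urlsplit

# Gateway name taken from the rewritten page on the slide.
GATEWAY = "https://sslvpn.mycompnay.com"
# The slide shows an empty iframe src rewritten to a page cached on the gateway.
EMPTY_PAGE = "/dana-cached/help/empty.html"

# Absolute http(s) URLs in href/src/action attributes (simplified matcher, constructed here).
_ABS_URL = re.compile(r'\b(href|src|action)=(["\'])(https?://[^"\']*)\2', re.IGNORECASE)
_EMPTY_SRC = re.compile(r'\bsrc=(["\'])\1')


def rewrite_url(url: str, gateway: str = GATEWAY) -> str:
    """Turn http://host/path?q into https://gateway/,DanaInfo=host+path?q.
    Assumed separators: '=' after DanaInfo and '+' before the path (extraction
    stripped them from the slide); ',SSL' for https backends is also an assumption."""
    parts = urlsplit(url)
    info = parts.netloc + (",SSL" if parts.scheme == "https" else "")
    path = parts.path.lstrip("/")
    if parts.query:
        path += "?" + parts.query
    return f"{gateway}/,DanaInfo={info}+{path}"


def rewrite_html(html: str, gateway: str = GATEWAY) -> str:
    """Rewrite a page the way the reverse proxy does before serving it.
    Covers empty src attributes and absolute links only; root-relative paths and
    script-built URLs (the slide's DanaPutSrc() hook) are out of scope here."""
    html = _EMPTY_SRC.sub(lambda m: f"src={m.group(1)}{EMPTY_PAGE}{m.group(1)}", html)
    return _ABS_URL.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{rewrite_url(m.group(3), gateway)}{m.group(2)}",
        html)


# Constructed sample, modelled on the internal page shown on the slide.
ORIGINAL_PAGE = (
    '<iframe name="wgjf" style="display:none" src=""></iframe>'
    '<a href="http://10.204.50.40/imghp?hl=en&tab=wi">Images</a> '
    '<a href="http://10.204.50.40/maps?hl=en&tab=wl">Maps</a>'
)

if __name__ == "__main__":
    print(rewrite_html(ORIGINAL_PAGE))
```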

11
Essential functionality: Rewriting (contd.)
  • Layer 3

  (Diagram of the layer 3 path: Internet, NAT Device,
  Enterprise Network, Applications Server)
12
Essential functionality: Granular Access Control
  • Policy-based access control (based on identity and
    other factors)
  • For example: assign roles to users, assign resources to
    roles
  • Example policies
      • Web access
      • UNIX file access
      • Windows file access
      • SSO
      • Terminal Services

13
Essential functionality: Granular Access Control (contd.)
  • Example: role assignments based on
      • Location
      • Username
      • Login time
      • Group
      • Etc.: fine-grained access control
  • An SSL VPN, being a layer 4 device, has a notion of the
    end user, and thus fine-grained access control is
    possible

14
Agenda
  • Motivation
  • 30000ft view of SSLVPN Technology
  • Security with SSLVPN Authentication
  • Security with SSLVPN Endpoint Integrity
  • Security with SSLVPN Authorization
  • Security with SSLVPN User Education

15
Security with SSL VPN: Authentication
  • Remember: Internet-facing device!
  • Ensure strong authentication
  • Strength of authentication
      • Strength of the password policy: password strength,
        password expiry, blacklisted PIN dictionary
  • Typically, the device vendor would ensure protection
    against
      • Dictionary attacks
      • Brute force attacks
      • Denial of service attacks

16
Strong Authentication (contd.)
  • Single-factor authentication
  • Two-factor authentication

17
Strength of Authentication (contd.)
  • Secondary Authentication
  • Adaptive authentication

18
Strength of Authentication (contd.)
  • Secondary authentication
      • Can be used where a stronger auth mechanism is
        required
      • For example:
          • The user does primary authentication to an auth
            server; this could be certificate or machine auth
          • Once primary auth succeeds, the user has to
            authenticate again to a secondary auth server,
            which could be AD, LDAP or RADIUS
      • Secondary authentication combined with 2-factor is
        stronger still, but overkill

19
Agenda
  • Motivation
  • 30000ft view of SSLVPN Technology
  • Security with SSLVPN Authentication
  • Security with SSLVPN Endpoint Integrity
  • Security with SSLVPN Authorization
  • Security with SSLVPN User Education

20
Assess endpoint security posture
  • Enable this feature; most vendors provide it
  • Enforce a policy that does not allow login if the client
    is not clean
  • Make sure that the client has:
      • Trusted antivirus software (e.g. Norton AV 2010)
      • Trusted anti-malware
      • An updated virus signature database for the
        antivirus
      • OS patches applied
  • Ensure the file system has no suspicious content or
    processes
  • Ensure the file system has the content it is supposed
    to have, i.e. it has not been tampered with

21
Clean session termination
  • Data is left behind by the session!
      • Browser history
      • Browser cache
      • Saved passwords and forms
      • Keystroke loggers
      • Cookies
  • Use cache cleaning functionality
      • Cleans up all browser data on logout
  • Enable virtual keyboards during authentication

22
Clean session termination (contd.)
  • SVW: Secure Virtual Workspace
      • Restricted, transient shell
      • Created when the user logs in
      • Destroyed on logout
      • Ensures no upload of dangerous content or
        download of critical data

23
Integrate with IDP
  • Coordinated Threat control using IDP

  (Diagram: the IDP detects an intrusion and informs the SSL VPN;
  the SSL VPN quarantines the user based on the IDP's instructions)
24
Agenda
  • Motivation
  • 30000ft view of SSLVPN Technology
  • Security with SSLVPN Authentication
  • Security with SSLVPN Endpoint Integrity
  • Security with SSLVPN Authorization
  • Security with SSLVPN User Education

25
Security with SSLVPN: Authorization
  • Can remote users have the same level of access
    privilege as local users? Maybe not!
  • Exploit RBAC to the fullest
      • A role is a group of policies
      • Policies govern access to resources:
          • Web resource access
          • File resource access, both Windows/UNIX
          • Telnet/SSH access
          • SSO
          • Terminal Services access

26
Role Based Access Control (contd.)
  • Vendors provide the ability to define roles as a
    function of several attributes
  • For example:
      • Endpoint security posture
      • Login time
      • Login IP
      • Login name
      • Directory attributes
      • Group
  • For example, the same user gets different privileges
    during office hours as opposed to off-hours
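The role model of slides 25 and 26, with the endpoint posture gate from slide 20, as an added Python example that is not the presentation's or any vendor's code. Roles, resource names, the trusted-AV list and the partner address range are constructed for the example; the office-hours rule is the one the slide describes.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed policy data for this example (not any vendor's configuration).
# A role is a group of policies; policies govern access to resources.
ROLES = {
    "employee-full":  {"web:intranet", "files:windows", "files:unix", "ssh", "termserv"},
    "employee-basic": {"web:intranet"},
    "partner":        {"web:partner-portal"},
}
TRUSTED_AV = {"Norton AV 2010"}              # trusted antivirus products, as named on the slide
PARTNER_NET = ip_network("198.51.100.0/24")  # partners must log in from their declared range


@dataclass
class Session:
    user: str
    group: str        # directory group
    login_ip: str
    login_time: str   # "HH:MM", local time at the gateway
    posture: dict     # result of the endpoint assessment at login


def endpoint_clean(posture: dict) -> bool:
    """Posture checks from the endpoint-assessment slide: trusted AV,
    current signatures and OS patches are all required."""
    return (posture.get("antivirus") in TRUSTED_AV
            and posture.get("signatures_current", False)
            and posture.get("os_patched", False))


def office_hours(hhmm: str) -> bool:
    return time(9, 0) <= time.fromisoformat(hhmm) < time(18, 0)


def assign_roles(s: Session) -> set:
    """Map session attributes (posture, login time, login IP, group) to roles."""
    if not endpoint_clean(s.posture):
        return set()   # policy: no login at all when the client is not clean
    if s.group == "employees":
        # the same user gets different privileges in office hours vs off-hours
        return {"employee-full"} if office_hours(s.login_time) else {"employee-basic"}
    if s.group == "partners" and ip_address(s.login_ip) in PARTNER_NET:
        return {"partner"}
    return set()


def permitted_resources(s: Session) -> set:
    """Union of the resources granted by every role the session holds."""
    return set().union(*(ROLES[r] for r in assign_roles(s)))
```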

27
Agenda
  • Motivation
  • 30000ft view of SSLVPN Technology
  • Security with SSLVPN Authentication
  • Security with SSLVPN Endpoint Integrity
  • Security with SSLVPN Authorization
  • Security with SSLVPN User Education

28
Bad people: evil outsiders and disgruntled insiders
  • Remember: internet-facing web device
  • Vulnerable to the usual set of web attacks
  • Injection attacks
      • Most common: cross-site scripting
      • Parsing and detecting malicious script
      • Have multiple admins verify the config
  • Newer one: XSRF
      • Cross-site request forgery
      • Frame busting
  • The vendor provides some form of defence, but beware:
    your customization may open up holes!

29
Key is: train your users
  • Educate users
      • Always ensure a graceful exit
      • Don't leave sessions unattended
      • Avoid logging in via shared computers
      • Don't cache passwords in browsers
      • Use virtual keyboards for login

30
  • Thank you