1
IT Infrastructure Transformation – VPN Services
Enterprise VPN
Don Kendrick, VITA Senior Manager, Security Operations
August 25, 2009
2
This document explains the ITP’s plan to improve network security by providing agencies with single and two-factor VPN options
The presentation will cover:
Overview of VPN Offerings
Benefits
Deployment Approach
3
VPN (Virtual Private Network) offers remote agency sites and users a secure internet connection to the VITA Enterprise Network
• A VPN connects remote sites and users together by securely routing remote private networks over the Internet without the need for end-users to acquire additional hardware or software
• As part of the ongoing transformation, the IT Infrastructure Partnership will begin transitioning all legacy VPN (Virtual Private Network) users to an Enterprise VPN
• Enterprise VPN access rights can be tailored to individual users, such as employees, contractors and/or partners, to provide the right level of access to the VITA Enterprise Network
Note: VPN offerings are subject to governing policies SEC501 and SEC511
4
Security Related Benefits of VPN
• Single Point of Contact
• SOC
• Intrusion Detection
• Least Privileged
• Well-Defended
• Strong Cisco & Juniper support
5
Non-Security Related Benefits of VPN
• Reduces Site Costs – Workers can work from home or other locations allowing agencies to lease smaller facilities
• Supports Telework Initiatives – Promotes the Commonwealth of Virginia’s telework initiative, helps the environment, provides the option of allowing employees to work from home or remotely, and reduces strain on the transportation infrastructure
• Supports Remote Business Meetings -- Bring services to your customers and extend geographic connectivity. Bring the power of your office to a client’s kitchen table, bedside, or work site
• Improves Productivity – Enable employees to work after hours more easily
6
The ITP offers agencies single and two-factor authentication options for VPN access to the VITA Enterprise Network; agencies can choose one, both or a combination of the two options to meet differing levels of employee data security needs.

Single-factor Authentication (for low to medium data security needs)
This option is recommended for medium or low security data and application access. It only requires one factor to enable network access: the ID and password.
• Factors Used: Single = User ID and Password
• Device: Must be partnership-provided
• Services*: All applications that were accessible by http or https prior to Enterprise VPN migration will also be available under the single-factor solution
• Additional Requirements: Cisco VPN client, Centrally Managed Firewall, Current virus definitions, High Speed Internet Connection
• Cost: No additional cost

Two-factor Authentication (for high data security needs)
This is the most secure option. It requires two factors to enable network access: ID and password plus key fob verification.
• Factors Used: Two = User ID and Password plus key fob
• Device: Must be partnership-provided
• Services: Full range of services that are not accessible with single factor, including access to agency “killer apps”
• Additional Requirements: Cisco VPN client, Centrally Managed Firewall, Current virus definitions, High Speed Internet Connection
• Cost: TBD additional cost

*See appendix for complete list of ports supported by the single-factor solution
7
Most users are upgraded to enterprise VPN during transformation

Deployment Approach
• IT Infrastructure Partnership will begin transitioning most legacy VPN (Virtual Private Network) users to the Enterprise VPN following their agency’s messaging and network transformations
• In order for single-factor or two-factor VPN to be installed, agencies must be cross-connected to the MPLS network
• Single-factor VPN also requires a synchronized agency user base directory, with COV accounts for those receiving VPN services

Two-Factor Processes
• Initial request, approval, and support processes
• Catalog process

Other
• AITRs will need to identify VPN needs within their agencies and approve all VPN requests
• Migration will consist of an initial “bulk migration” to single-factor authentication at the agency sites
• Post-transformation requests for single-factor VPN should be routed through the VCCC Service Desk by calling 1-866-637-8482. Token requests, a requirement for the two-factor solution, must be entered in eVA.

Deployment phases:
1. Single-Factor Pilots and Evaluations
2. Transform Top 20 Agencies
3. Deploy VPN Across the Full Enterprise
8
Single-factor Enterprise VPN Agency Migration Process Responsibilities
Transformation Project Objective: Convert legacy VPN users to CESC-based single-factor VPN or add new users to this solution

PRE-MIGRATION
Agency
• Provide list of all people getting VPN
IT Partnership Team
• Verify data accuracy

DURING MIGRATION
Agency
• Distribute job aids to users
IT Partnership Team
• Establish accounts
• Distribute Cisco VPN software to target machines
• Test connectivity
• Notify VCCC that agency has transitioned

POST-MIGRATION
Agency
• Sign acceptance documents
IT Partnership Team
• Add individual users as required
9
Two-factor Enterprise VPN Agency Migration Process Responsibilities
Transformation Project Objective: To migrate existing agency-based two-factor users to the CESC-based system or to add new two-factor users as appropriate

PRE-MIGRATION
Agency
• Decide how many agency end-users will need two-factor authentication so that the correct number of key fobs are provided to the agency
• Identify any legacy VPN users
• Provide a list of users who need new key fobs and the key fob serial numbers from any legacy users
IT Partnership Team
• Verify data accuracy with agency personnel

DURING MIGRATION
Agency
• Distribute appropriate training materials and job aids
• Provide testers to ensure correct operation
• Agency ISO distributes key fobs to end-users
IT Partnership Team
• Load key serials
• Set up user accounts
• Load Cisco VPN client on all target machines
• Test functionality
• Notify VCCC that agency has been cut over

POST-MIGRATION
Agency
• Sign acceptance documents
IT Partnership Team
• Add individual users as required
12
The single-factor solution will allow users to access systems operating under the following ports (one access-list entry per line):
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 53
permit udp any any eq 53
permit tcp any any eq 389
permit udp any any eq 389
permit tcp any any eq 135
permit tcp any any eq 445
permit udp any any eq 138
permit tcp any any eq 139
permit udp any any eq 137
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 110
permit tcp any any eq 995
permit tcp any any eq 25
permit udp any any eq 25
permit tcp any any eq 88
permit udp any any eq 88
permit udp any any eq 123
permit tcp any any eq 123
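An added example (not part of the original presentation or a VITA tool) that parses the single-factor port list above and answers the question an agency ISO would ask when scoping a request: does a given service fall under the single-factor offering, or does it need the two-factor solution? It also flags permitted entries that carry logins or mail in the clear, which is worth noting when the single-factor tier is used for "medium" security data. The ACL text is embedded exactly as printed on the slide; the service names and the cleartext classification are the example's own assumptions.

```python
import re

# Single-factor VPN port list as printed on the slide (two ACEs per line).
SINGLE_FACTOR_ACL = """
permit tcp any any eq 80 permit tcp any any eq 143
permit tcp any any eq 443 permit tcp any any eq 993
permit tcp any any eq 53 permit tcp any any eq 110
permit udp any any eq 53 permit tcp any any eq 995
permit tcp any any eq 389 permit tcp any any eq 25
permit udp any any eq 389 permit udp any any eq 25
permit tcp any any eq 135 permit tcp any any eq 88
permit tcp any any eq 445 permit udp any any eq 88
permit udp any any eq 138 permit udp any any eq 123
permit tcp any any eq 139 permit tcp any any eq 123
permit udp any any eq 137
"""

ACE_RE = re.compile(r"permit (tcp|udp) any any eq (\d+)")

# Well-known service names for the listed ports (assumed; reporting only).
SERVICES = {80: "http", 443: "https", 53: "dns", 389: "ldap", 135: "msrpc",
            445: "smb", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
            143: "imap", 993: "imaps", 110: "pop3", 995: "pop3s", 25: "smtp",
            88: "kerberos", 123: "ntp"}
# Listed services that send logins or mail in the clear by default (assumed).
CLEARTEXT_PORTS = {80, 110, 143, 25}

def parse_acl(text):
    """Return the set of (proto, port) pairs the ACL explicitly permits."""
    return {(proto, int(port)) for proto, port in ACE_RE.findall(text)}

def is_permitted(acl, proto, port):
    """A Cisco ACL ends in an implicit deny: unmatched traffic is dropped."""
    return (proto, port) in acl

def required_tier(acl, proto, port):
    """Single-factor if the port is in the ACL, otherwise the two-factor tier."""
    return "single-factor" if is_permitted(acl, proto, port) else "two-factor"

def cleartext_services(acl):
    """Permitted entries a reviewer would flag as unencrypted on the wire."""
    return sorted((proto, port, SERVICES[port]) for proto, port in acl
                  if port in CLEARTEXT_PORTS)

if __name__ == "__main__":
    acl = parse_acl(SINGLE_FACTOR_ACL)
    for proto, port in [("tcp", 443), ("tcp", 3389), ("tcp", 22)]:
        print(proto, port, "->", required_tier(acl, proto, port))
    print("cleartext:", cleartext_services(acl))
```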