Embed Size (px)
Citation preview
Housekeeping Issues
• Duration: 1.25 hours +/-
• Questions & comments: early and often
Why We’re Here
• Examine a brief summary of considerations surrounding successful VPN and remote access planning, deployment and management.
• Note other perimeter security issues.
What is a VPN?
• Virtual Private Network - A network that performs private, trusted data transmissions over a public, untrusted network (e.g. the Internet).
• Usage:– Point to Point(s)– Remote Access– Hybrid
Essential VPN Definitions
• Authentication – A method of establishing identity between systems or users.
• Authorization – The right to access a network service after authentication has taken place.
• CIA – Confidentiality, Integrity, Availability – The three primary ways your (or your customer’s) information can be compromised.
More EssentialVPN Definitions (Cont.)
• Encryption – The process of converting cleartext into what appears to be random characters (a.k.a. ciphertext) – FIPS standards include DES, 3DES, AES
• Tunneling – Encapsulation of packets within other packets, primarily for transmission across public IP networks (e.g. the Internet) – i.e. IPSec, L2TP, PPTP, PPP
VPN Economic Considerations
• VPN’s can be less expensive than WAN’s and more functional and secure than modem banks.
• Often cost-benefit compared with voice over solutions.
• Decision criteria include:– Current connectivity costs– Distances– Locations– # of sites– Type & volume of traffic– Existing equipment & software
Basic VPN Connectivity Steps
• Site-to-Site– 1) Authenticate once– 2) Encapsulate an IP packet– 3) Encrypt and transmit– 4) De-crypt– 5) Un-encapsulate
• Remote Access– 1) Authenticate each time a session begins– 2) See 2 – 5 above
VPN Scaling Considerations
• Processor Cycles: number of tunnels (hence, processor cycles) is greater for remote user deployments than for a single site-to-site connection (i.e. 10 remote users require more processor cycles than 100 users across a site-to-site VPN).
• Bandwidth: depends on how the applications are deployed, but the VPN tunnel itself adds approximately 10-30% overhead.
VPN Security Considerations
• Authentication & Authorization!
• Centrally manageable firewalls at remote sites and/or users.
• Generic O/S’s vs. pre-hardened firewall/VPN device O/S’s.
• Application security.
VPN Technical Considerations• Latency > 200ms causes application errors – (often
a problem for remote users with DSL connections).• Non-standard tunneling, encryption and
hardware/software solutions can cause problems.• Meshing site-to-site(s) VPN’s for fault tolerance is
complex.• VPN access for remote users does not mean
complete network/application access.• Every O/S on remote user PC’s has its own
idiosyncrasies.
Proven VPN & Remote Access Solutions
• CheckPoint VPN-1: + Management of remote site and user security + Runs on appliances w/ hardened O/S’s (e.g. Nokia)+ Supports many authentication schemes - $
• Citrix NFUSE with Secure Gateway+ Requires only browser and authentication mechanism+ Supports many authentication schemes- Not a complete solution for site-to-site VPN
• Cisco/Altiga VPN+ VPN concentrator has easy remote client setup+ Runs on appliance w/ hardened O/S+ Supports many authentication schemes- Limited management of remote user security
Other Perimeter Security Considerations
• Mail Relay/Virus Scanning
• Intrusion Detection
• Voice Systems
• Backdoors
• Web Servers
• Vendor/Business Partners
Regulatory Considerations
• FITSAF (any departments dealing with the federal government)– http://www.cio.gov/documents/
federal_it_security_assessment_framework_112800.html
• HIPAA (health departments)– http://aspe.os.dhhs.gov/adminsimp/nprm/
seclist.htm
References• http://www.rsasecurity.com/solutions/vpn/infocenter/ Good
white papers and such• http://www.internetwk.com/VPN/default.html Internet
Week VPN site• http://www.checkpoint.com/products/security/
gateway_vpnsolutions.html Check Point VPN site• http://www.citrix.com/press/news/releases/20011030_gateway.asp Citrix Secure gateway press release• http://www.cisco.com/warp/public/779/largeent/learn/
technologies/VPNs.html Cisco VPN site
