Secure Mobility Mobile Connectivity with Network Integrity via SSL VPNs & Mobile Clients Raymond Cushman Territory Manager Great Lakes District

Posted on 25-Dec-2015

TRANSCRIPT

Page 1:

Secure Mobility

Mobile Connectivity with Network Integrity via SSL VPNs & Mobile Clients

Raymond Cushman, Territory Manager, Great Lakes District

Page 2:

Secure Mobility

Page 3:

Two Mega Trends: Mobility & the Internet

[Chart: users in millions (y-axis 0 to 1,400) by year, 1996 to 2005, for three series: Mobile Voice Users, Internet PC Users, Mobile Internet Users. Source: Nokia, 1998-2000-2002.]

Page 4:

Inevitable Need for Data Speeds - Global Evolution to 3G Networks

[Diagram: stages 2G -> First Steps to 3G -> 3G Phase 1 Networks -> Evolved 3G Networks. 3GPP track: GSM, TDMA, PDC -> GSM/GPRS -> GSM/GPRS/EDGE, WCDMA -> open-interface, multiradio, all-IP network. 3GPP2 track: cdmaOne -> cdma2000 1x -> cdma2000 1xEV-DO -> cdma2000 1xEV-DV. User figures on the diagram: 900 million (GSM family) and 130 million (cdma family).]

Page 5:

Working on the Move

• Users want to choose

• Availability of devices and services drives need

Any time, anywhere

Any content: conference calls, email, intranet, applications

Any device

Page 6:

The Problem: IT Organization Perspective

• Goal: enable business advantage
  - Satisfy users
  - Meet business objectives

• How can we accommodate:
  - all of the various device & network types?
  - the numerous user profiles?

• How can we ensure network integrity?

• How can we keep business running?

• How can we maintain costs?

• How can we leverage current investments?

Page 7:

Remote Access Challenges

• Dial-up access is costly, hard to manage and doesn’t utilize the explosion of broadband links worldwide

• IPSec remote access VPNs are excellent, but can be a challenge to deploy and manage

• What about the large user base who rely on desktop systems at the office?

• How to best handle partners, suppliers and contractors?

• A new approach using a browser connected to the Internet to provide access

• Most enterprises have well-developed intranets and extranets

• Why not use the same technology that has driven e-commerce to provide access to enterprise data resources?

Remote Access Annual Cost Analysis (Source: Yankee Group, 2003; values read off the chart, unit not stated on the slide)

                 Dial Up    IPSec RAS    SSL Remote Access
Support          720        360          240
Product          120         55           15
Total (sum)      840        415          255

Page 8:

Nokia Mobile Connectivity User Solutions

SSL Browser-based VPN
  Device type: for large screens, any browser
  Benefits & features: user and device level access control from any browser; ideal for employees, partners & contractors; detailed reporting
  Connectivity type: wired, public WiFi; secure access via SSL
  Application type: web-enabled, email & key client-server apps

VPN Client (IPSec VPNs)
  Benefits & features: IPSec VPNs enable secure client-server app remote access & eliminate costs of dial-up; cost savings with Nokia Wireless Accelerator
  Connectivity type: wired; WiFi, 3G & accelerated GSM and GPRS with Nokia Wireless Accelerator; secure access via IPSec
  Application type: any IP application

Nokia Mobile VPN for Symbian
  Benefits & features: leverage existing IPSec infrastructure to extend secure remote access to Symbian devices; over-the-air secure service provisioning via Nokia SSM
  Connectivity type: wireless cellular (GSM data, GPRS & 3G); secure access via IPSec
  Application type: any IP application over the IPSec VPN

Page 9:

Nokia Secure Access System (NSAS)

Applications reached through the gateway: GroupWise, Exchange, Lotus Notes, TN3270, SSH, Telnet, FTP, fileshares, Citrix, intranet

Key Product Features:

• Client Integrity Scan

• Advanced Access Control

• Session Persistence

Pricing (hardware platforms: IP130, IP350, IP380)

User License    Total Cost
10              $3,495
25              $6,495
50              $10,995
100             $23,795
250             $35,795
500             $54,995

• Price includes HW/SW/SW subscription

• Licenses are based on # of concurrent users

[Diagram: Internet -> DMZ firewall -> Secure Access System; remote clients shown: mobile user, PDA, home user]

Raymond Cushman, NES - Territory Manager, (248) 760-5531

Page 10:

What have we learned

• Why are they so successful?
  - For the IT admin: ease of deployment (new installations in 1 or 2 hours on average)
  - For the end user: flexibility / mobility (everyone has multiple access devices these days: laptop, home PC, PDA)
  - For the exec: increased productivity, rapid response to changes (several NSAS evals used for executive travel access)
  - Rapid response for: unplanned trips, outages, temporary extranets, new hires, new apps

• Mobility is more than people working from home and a travelling sales force
  ---> changing extranet / business partners, temporary connections
  ---> intra-campus movement (employees aren't tied to their desks for email and document retrieval)
  ---> PDAs and mobile terminals (a special case requiring content rendering)

Page 11:

What have we learned (cont)

• New security concerns: with traditional VPNs, we implicitly trust the access device (corporate-issued laptop with VPN client, AV, firewall, etc.) and need only authenticate the user. With SSL VPNs, we need to examine the device (scan) and the user (authentication).

• Authentication: cannot put another authentication obstacle between user and information, so the gateway must use common authentication methods (RADIUS, LDAP, digital certificates, NTLM)
  - Potential problem: the security team is often responsible for authentication (LDAP, for instance)

• Device scanning: the scan of the system needs to be under admin control (what to look for, and what to do with the results)
  - Flexible client scanning vs. APIs to specific (that is, very limited) firewall and AV vendors
  - Access control granularity vs. the all-or-nothing approach of other vendors
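As an added illustration (not from the Nokia deck and not NSAS code), the following Python sketches how a gateway can combine an admin-defined integrity scan with the user's directory groups to produce per-resource decisions instead of an all-or-nothing verdict. Resource names, group names, scan checks and posture tiers are all hypothetical; the scan results are constructed dicts standing in for what a client-side scan would report.

```python
# Added example: a toy policy engine for an SSL VPN gateway that turns a
# client-integrity scan plus directory group membership into per-resource
# decisions. Not NSAS code; every name below is hypothetical.

# Posture tiers, lowest to highest. A failed check drops the session to
# the tier just below the one that check gates (admin-defined policy).
TIERS = {"restricted": 0, "full": 1, "trusted": 2}

# check name -> tier that requires it (what the admin chose to look for)
REQUIRED_CHECKS = {
    "antivirus_running": "full",
    "personal_firewall": "full",
    "os_patch_level_ok": "full",
    "corporate_asset": "trusted",
}

# resource -> (groups allowed, minimum posture tier)
RESOURCES = {
    "webmail":    ({"employees", "contractors"}, "restricted"),
    "intranet":   ({"employees"},                "full"),
    "fileshares": ({"employees"},                "full"),
    "citrix":     ({"employees", "contractors"}, "full"),
    "tn3270":     ({"employees"},                "trusted"),
}


def posture_tier(scan):
    """scan: {check: bool} as reported by the client-side scan.
    Missing checks count as failed (fail closed)."""
    tier = "trusted"
    for check, gated_tier in REQUIRED_CHECKS.items():
        if not scan.get(check, False):
            capped = {"trusted": "full", "full": "restricted"}[gated_tier]
            if TIERS[capped] < TIERS[tier]:
                tier = capped
    return tier


def authorize(user_groups, scan):
    """Return {resource: (decision, reason)} for every published
    resource, so a weak device still gets the resources it qualifies
    for instead of being refused outright."""
    tier = posture_tier(scan)
    decisions = {}
    for name, (groups, min_tier) in RESOURCES.items():
        if not (set(user_groups) & groups):
            decisions[name] = ("deny", "not in an allowed group")
        elif TIERS[tier] < TIERS[min_tier]:
            decisions[name] = ("deny", f"posture {tier} below required {min_tier}")
        else:
            decisions[name] = ("allow", f"posture {tier}")
    return decisions


def audit_line(user, scan, decisions):
    """One reporting line per session (the 'detailed reporting' item)."""
    allowed = sorted(r for r, (d, _) in decisions.items() if d == "allow")
    failed = sorted(c for c in REQUIRED_CHECKS if not scan.get(c, False))
    return f"user={user} tier={posture_tier(scan)} failed_checks={failed} allowed={allowed}"


# Constructed scan results standing in for what the client scan reports.
CONTRACTOR_HOME_PC = {"antivirus_running": True, "personal_firewall": True,
                      "os_patch_level_ok": False, "corporate_asset": False}
CORPORATE_LAPTOP = {c: True for c in REQUIRED_CHECKS}

if __name__ == "__main__":
    for user, groups, scan in [("bob", {"contractors"}, CONTRACTOR_HOME_PC),
                               ("alice", {"employees"}, CORPORATE_LAPTOP)]:
        print(audit_line(user, scan, authorize(groups, scan)))
```

The contractor on an unpatched home PC lands in the restricted tier and still reaches webmail, while Citrix is refused with a reason that names the failed posture rather than a generic denial; the employee on a fully compliant corporate laptop gets everything. Unknown checks are treated as failed, which is the direction a gateway should fail in.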

Page 12:

What have we learned (cont)

• Session cleanup: what to do with sensitive data on non-corporate-owned devices
  - Cache cleanup / wipers are best effort, leave recoverable data, and do not work at all if the session is not properly terminated
  - Encrypted containers are a new and better approach: if the data remains, it is not readable
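An added example (not the deck's or any Nokia product's code) contrasting the two cleanup approaches just described: a wiper that removes a plaintext cache only on clean logout, and a container that only ever writes ciphertext under a key held in memory for the session. It uses the Python standard library only; the cipher is HMAC-SHA256 run as a counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs without third-party packages, and is a stand-in for a vetted AEAD such as AES-GCM. The paths, the sample document and the crash simulation are all constructed.

```python
# Added example: best-effort cache wiper vs. encrypted session container.
# Stdlib only; the PRF-in-counter-mode cipher is a stand-in for a real AEAD.
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed sample: a page the user viewed through the gateway.
SAMPLE_DOC = b"Q3 forecast: revenue 12.4M, churn 3.1% (CONFIDENTIAL)"


class WiperSession:
    """Best-effort cleanup: plaintext is cached on disk and overwritten
    then deleted at logout. If the process dies first, nothing runs."""

    def __init__(self, cache_dir):
        self.path = os.path.join(cache_dir, "page.html")

    def view(self, data):
        with open(self.path, "wb") as f:
            f.write(data)

    def logout(self):
        size = os.path.getsize(self.path)
        with open(self.path, "r+b") as f:
            f.write(b"\x00" * size)  # overwrite; still best effort on journaling/flash media
        os.remove(self.path)


def _subkey(key, label):
    """Derive separate encryption and MAC keys from the session key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """PRF in counter mode: HMAC-SHA256(enc_key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, data):
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("container tampered with or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class ContainerSession:
    """Encrypted container: only ciphertext touches disk; the key exists
    in memory for the session and is dropped at logout."""

    def __init__(self, cache_dir):
        self.path = os.path.join(cache_dir, "page.bin")
        self.key = secrets.token_bytes(32)

    def view(self, data):
        with open(self.path, "wb") as f:
            f.write(seal(self.key, data))

    def read_back(self):
        with open(self.path, "rb") as f:
            return open_sealed(self.key, f.read())

    def logout(self):
        self.key = None  # the file may remain; without the key it is noise


def residue_after_crash(session_cls, data=SAMPLE_DOC):
    """View a document, then simulate the browser dying before logout.
    Returns the bytes left behind in the cache directory."""
    with tempfile.TemporaryDirectory() as d:
        s = session_cls(d)
        s.view(data)
        with open(s.path, "rb") as f:  # no logout() ran
            return f.read()


def residue_after_clean_logout(data=SAMPLE_DOC):
    """Wiper path with a clean logout: does the cache file survive?"""
    with tempfile.TemporaryDirectory() as d:
        s = WiperSession(d)
        s.view(data)
        s.logout()
        return os.path.exists(s.path)


def roundtrip(data=SAMPLE_DOC):
    """Seal/open under a fresh key, and check that a flipped ciphertext
    byte is rejected instead of silently decrypting to garbage."""
    key = secrets.token_bytes(32)
    blob = seal(key, data)
    plain = open_sealed(key, blob)
    tampered = bytearray(blob)
    tampered[20] ^= 0x01
    try:
        open_sealed(key, bytes(tampered))
        rejected = False
    except ValueError:
        rejected = True
    return plain, rejected
```

Run residue_after_crash with each session class: the wiper leaves the full plaintext on disk, the container leaves a nonce, ciphertext and tag that contain nothing recoverable without the session key, which never reaches disk and is discarded at logout. The wiper only helps when logout actually runs, which is exactly the case the slide flags.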

• Split-tunneling: this is a browser-based connection only, not a full LAN-like connection that can be hijacked, so it is difficult to see how the session could be exploited (assuming the scan has determined that the device is trustworthy). That assumption does the work: a compromised endpoint can still reuse the browser session, for instance by lifting the session cookie, so the scan and the session timeout carry the weight here.
  - Admins still rely on trusting their authenticated users not to do stupid or malicious things when connected

• SSL gateway concerns: since users are directly interacting with the device (unlike most firewalls)
  - Does it use exploitable CGI scripting or ActiveX controls?
  - Is the OS itself hardened?

Page 13:

What have we learned (cont)

• Concerns:
  - Scalability of SSL-based sessions: hardware acceleration will be required, as is common for IPSec
  - Robustness: HA mechanisms are still being worked out
  - Device agnosticism: multiple browsers, multiple OS (Mac, Unix, Linux, not just Windows-based)