Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Secure Mobility Mobile Connectivity with Network Integrity via SSL VPNs & Mobile Clients Raymond Cushman Territory Manager Great Lakes District Secure Mobility Two Mega Trends: Mobility & the Internet Millions 1,400 1,200 1,000 Mobile Voice Users Mobile Internet Users 800 600 Internet PC Users 400 200 0 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 SOURCE: Nokia, 1998-2000-2002 Inevitable Need for Data Speeds Global Evolution to 3G Networks Open interface multiradio network GSM/GPRS/EDGE TDMA GSM All IP GSM/GPRS WCDMA PDC G-WCDMA 3GPP 900 million users cdmaOne cdma2000 1x cdma2000 1xEV-DO 130 million users 2G cdma2000 1xEV-DV First Steps to 3G 3G Phase 1 Networks 3GPP2 Evolved 3G Networks Working on the Move Conference calls, Email, intranet, applications Any content Any time, Anywhere Any device • Users want to choose • Availability of devices and services drives need The Problem: IT Organization Perspective • Goal: Enable business advantage • Satisfy users • Meet business objectives • How can we accommodate: • all of the various device & network types? • the numerous user profiles? • How can we ensure network integrity? • How can we keep business running? • How can we maintain costs? • How can we leverage current investments? Remote Access Challenges • Dial-up access is costly, hard to manage and doesn’t utilize the explosion of broadband links worldwide • IPSec remote access VPNs are excellent, but can be a challenge to deploy and manage • What about the large user base who rely on desktop systems at the office? • How to best handle partners, suppliers and contractors? • A new approach using a browser connected to the Internet to provide access • Most enterprises have well-developed intranets and extranets • Why not use the same technology that has driven e-commerce to provide access to enterprise data resources? Remote Access Annual Cost Analysis 1000 800 600 400 200 0 Support Product Dial Up IPSec RA SSL Remote Access 720 120 360 55 240 15 Source: Yankee Group, 2003 Nokia Mobile Connectivity User Solutions IPSec VPN’s SSL Browser-based VPN Device Type VPN Client Benefits & Features IPSec VPN’s Enable secure Client Server app remote access & eliminate costs of dialup Leverage existing IPSec infrastructure to extend secure remote access to Symbian devices Cost savings with Nokia Wireless Accelerator Over the air secure service provisioning via Nokia SSM Application Type Connectivity Type Nokia Mobile VPN for Symbian Any IP Application For large screens User and device level access control from any browser Ideal for employees, partners & contractors Detailed reporting Web enabled, Email & key client -server apps Wired Wireless Cellular Wired WiFi, 3G & Accelerated GSM and GPRS with Nokia Wireless Accelerator GSM Data, GPRS & 3G Public WiFi Secure access via IPSec Secure access via IPSec Secure access via SSL Nokia Secure Access System (NSAS) PDA Mobile User Home User Internet Key Product Features: •Client Integrity Scan •Advanced Access Control R •Session Persistence Firewall GroupWise Exchange Lotus Notes TN3270 Secure Access System SSH TELNET FTP Fileshares Unit User License Total Cost IP130 10 $3,495 25 $6,495 •Price includes HW/SW/SW Subscription 50 $10,995 •Licenses are based on # of concurrent users 100 $23,795 250 $35,795 500 $54,995 IP350 IP380 Citrix Intranet Raymond Cushman NES - Territory Manager (248) 760-5531 What have we learned • Why are they so successful? For the IT admin - ease of deployment (new installations in 1 or 2 hours on average) For the end user - flexibility / mobility (everyone has multiple access devices these days, laptop, home PC, PDA) For the Exec - increased productivity, rapid response to changes (several NSAS evals used for Executive travel access) Rapid response for: Unplanned trips, Outages, Temporary Extranets, New Hires, New Apps • Mobility is more than people working from home and a travelling sales force ---> changing extranet / business partners, temporary connections ---> intra-campus movement (employees aren't tied to their desks for email and document retrieval) --> PDAs and Mobile Terminals (a special case requiring Content Rendering) What have we learned (cont) • New Security Concerns: With traditional VPNs, we implicitly trust the access device (corporate issued laptop with VPN client, AV, firewall, etc) and need only authenticate the user With SSL VPNs, we need to examine the device (scan) and the user (authentication) Authentication: cannot put another authentication obstacle between user and information so the gateway must use common authentication methods (Radius, LDAP, DigCerts, NTLM) Potential problem: the security team is often responsible for authentication (LDAP for instance). Device Scanning: the scan of the system needs to be under admin control (what to look for, and what to do with results) Flexible Client Scanning vs APIs to specific (that is, very limited) firewall and AV vendors Access Control Granularity vs. All-or-Nothing approach of other vendors What have we learned (cont) Session cleanup - what to do with sensitive data on non-corporate owned devices Cache cleanup / wipers are best effort, leave recoverable data and do not work at all if session is not properly terminated Encrypted containers - new and better approach; if the data remains, it is not readable Split-Tunneling - this is browser based connection only, not a full LAN-like connection that can be hijacked, so it is difficult to see how the session could be exploited (assuming the Scan has determined that the device is trustworthy) Admins still rely on trusting your authenticated users to not do stupid or malicious things when connected SSL gateway concerns: since users are directly interacting with the device (unlike most firewalls) Does it use exploitable CGI scripting, ActiveX controls? Is the OS itself hardened? What have we learned (cont) • Concerns: Scalability of SSL based session - hardware acceleration will be required, as is common for IPSec Robustness - HA mechanisms are still being worked out Device Agnostics - multiple browsers, multiple OS (MAC, Unix, Linux, not just Windows based)