Wat zijn de veiligheidsrisico s van SSL- VPN verbindingen voor thuiswerk? Kennisdag Informatieveiligheid bij Gemeentebesturen en OCMW s

Wat zijn de veiligheidsrisico’s van SSLVPN verbindingen voor thuiswerk? Kennisdag Informatieveiligheid bij Gemeentebesturen en OCMW’s

Who am I ? • Wouter Vloeberghs (ing.) ◦ Implementation Consultant ICT bij Ferranti Computer Systems ◦ [email protected] ◦ CCSP – Cisco Certified Security Professional ◦ Working towards CCIE Security

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Agenda • • • • • • •

Introduction to teleworking Introduction to VPN SSL VPN Introduction Security Concerns for SSL VPN Possible Attacks Market Players Recommended Reading

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Introduction to teleworking

Why teleworking ? • Teleworking is becoming more and more popular ◦ For employee > > > >

Traffic avoidance Flexibility Private Life / Work balance Better concentration – higher efficiency

◦ For employer >

> > >

Cost-efficiency (less office space, travel costs) Less sickness leave Higher productivity Motivated employees

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Introduction to VPN

Virtual Private Network (VPN) Overview IP security (IPsec) and Secure Socket Layer (SSL)

• Mechanism for secure communication over IP – Authenticity (unforged/trusted party) – Integrity (unaltered/tampered) – Confidentiality (unread)

• Remote Access (RA) VPN components

– Client (sw) – Termination device (high number of endpoints) VPN Tunnel

VPN Security Appliance

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

VPN Client or Browser

Remote Access VPN over the Internet Remote Access Client

Enterprise—Central Site

IPsec VPN -Layer 3 Microsoft Windows, Mac OS X (L2TP/IPsec) SSL “Clientless”—Layer 7

Router, Firewall and VPN Security Appliance: VPN Tunnel Termination

Firewall ADSL Telecommuter

Internet VPN

Router

Cable Mobile

Extranet Consumer-to-Business

VPN Security Appliance • •

Integrated solution for enhanced remote access Standards-based interoperability

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

What Are We Talking About? Secure VPN

BANK

Tunneling

Encryption Authentication* Integrity

   

   

IPsec L2TP/IPsec TLS (HTTPS/SSL) DTLS

DES 3DES AES RC4

 RSA digital certificates  Pre-Shared key

 HMAC-MD5  HMAC-SHA-1

*IKE 1st Phase, Not User Auth.

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Why SSL VPN ?

Internal & External Users

Managed & Unmanaged Devices

Private Resources

Home PC

Financial Partner or Field Agent Kiosk

Web Apps

Logistics Partner

Client-Server Apps Legacy Apps

Project Manager Employee Remote Technician Employee

Third-Party Apps

Corporate Managed Laptop

Homegrown Apps

Unmanaged Partner PC

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

File Access

Remote Access Options •

Dialup? too costly, limited user experience

•

Reverse Proxy? Only Web apps

•

Terminal Services? Not from everywhere

•

Traditional VPN based on IPSec – most popular > > > >

•

SSL VPN • •

•

Limited functionality from firewalled or NAT’ed networks / Not very user friendly Client becomes difficult to roll out / Managed devices only Requires administrative installation Potential security exposure by extending network In office experience from anywhere Granular policy control

Next-Gen IPv6 - IPSec VPN • • •

User friendly: no more FW/NAT problems; seamless access from everywhere Built into client OSs Granular policy control

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

SSL VPN Introduction

Clientless  Basic web access  E-mail access  CIFS (Common Internet File System) access

Thin-Client

Client-Based

 Port redirection for only TCP applications

 Full-SSL tunnel

 Shared Applications

 Customized user screen

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Deployment Example IPsec and SSL VPN Support Diverse User Populations Supply Partner Extranet Account Manager Mobile User

IP/Internet

VPN Doctor at Home Unmanaged Desktop

Software Engineer Telecommuter Clientless (L7) a browser  Partner—Few apps/servers, tight access control, no control over desktop software environment  Doctor—Occasional access, few apps, no desktop software control

Central Site

Full Network Access (L3)

 Engineer—Many servers/apps, needs native app formats, VoIP, frequent access, long connect times  Account Manager—Diverse apps, home-grown apps, always works from enterprise-managed desktop

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Security Concerns

Security Concerns for SSL VPN

Supply Partner Extranet Machine

Employee at Home Unmanaged Machine Remote User Customer Managed Machine

Before SSL VPN Session

During SSL VPN Session

• Who owns the endpoint?

• Is session data protected?

• Endpoint security posture: AV, personal firewall?

• Are typed passwords protected?

• Is malware running?

• Has malware launched?

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

After SSL VPN Session • Browser cached intranet Web pages? • Browser stored passwords? • Downloaded files left behind?

Client Authentication / Authorization

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Client Authentication / Authorization • Authenticated against: ◦ RADIUS ◦ TACACS ◦ Active Directory (AD) / Kerberos ◦ NT Domain ◦ RSA SecurID

◦ LDAP ◦ One-Time Password server (OTP)

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Split Tunneling Without Split Tunneling http://www.v-ict-or.be Central Site

With Split Tunneling http://www.v-ict-or.be Central Site

VPN Appliance

VPN Appliance VPN Client

Maximum Security

VPN Client

Maximum Internet Access Performance

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Endpoint Security Best Practices by Access Method

• Full Tunneling

– Consider as a remote node on network – Grant conditional access based on identity and security posture – Use Network ACLs filtering to limit access

• Clientless SSL VPN

– Grant access for specific applications only – Grant conditional access based on identity and security posture – Use Web ACL filtering to limit access – Protect against leakage of confidential data

Possible Attacks • Hardware Keyloggers

– Directly installed into the keyboard or motherboard – Cable-Extension

• Software Keyloggers

– Kernel driver – Software-Hook

• Spyware, Malware

Possible Attacks

Security is not only about technology

Secure communication Security Policy Authentication Authorisation Training

VPN (SSL/IPSec) Content filtering Data security

People • ID Management

Data • Data security

Infrastructure • Network security

Firewall IPS VPN Anti-virus/spam/malware/phishing Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Market

Market Players

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?

Recommended Reading

Recommended Reading • Telework.gov ◦ http://www.telework.gov/policies_and_procedures/te lework_security/index.aspx

• SP800-46 – Guide to Enterprise Telework and Remote Access Security ◦ http://csrc.nist.gov/publications/nistpubs/800-46rev1/sp800-46r1.pdf

Wat zijn de veiligheidsrisico’s van SSL- VPN verbindingen voor thuiswerk?