What are the security risks of SSL VPN connections for telework? Information Security Knowledge Day for Municipal Governments and OCMWs
Who am I?
• Wouter Vloeberghs (ing.)
◦ Implementation Consultant ICT at Ferranti Computer Systems
◦ [email protected]
◦ CCSP – Cisco Certified Security Professional
◦ Working towards CCIE Security
Agenda
• Introduction to teleworking
• Introduction to VPN
• SSL VPN Introduction
• Security Concerns for SSL VPN
• Possible Attacks
• Market Players
• Recommended Reading
Introduction to teleworking
Why teleworking?
• Teleworking is becoming more and more popular
◦ For the employee
> Traffic avoidance
> Flexibility
> Private life / work balance
> Better concentration – higher efficiency
◦ For the employer
> Cost-efficiency (less office space, lower travel costs)
> Less sickness leave
> Higher productivity
> Motivated employees
Introduction to VPN
Virtual Private Network (VPN) Overview: IP security (IPsec) and Secure Socket Layer (SSL)
• Mechanism for secure communication over IP
– Authenticity (unforged, from a trusted party)
– Integrity (unaltered, not tampered with)
– Confidentiality (unread by third parties)
• Remote Access (RA) VPN components
– Client (software)
– Termination device: the VPN security appliance, terminating a high number of endpoints
– The VPN tunnel between them
Remote Access VPN over the Internet
[Figure: remote access clients (telecommuter over ADSL, cable or mobile; extranet and consumer-to-business users) use a VPN client or a browser to reach the enterprise central site across the Internet. A router, firewall and VPN security appliance at the central site terminate the VPN tunnel. IPsec VPN works at Layer 3 (Microsoft Windows and Mac OS X via L2TP/IPsec); "clientless" SSL works at Layer 7.]
VPN Security Appliance
• Integrated solution for enhanced remote access
• Standards-based interoperability
What Are We Talking About? Secure VPN
[Figure: a remote user reaching a BANK through a secure VPN tunnel]
• Tunneling: IPsec, L2TP/IPsec, TLS (HTTPS/SSL), DTLS
• Encryption: DES, 3DES, AES, RC4
• Authentication*: RSA digital certificates, pre-shared key
• Integrity: HMAC-MD5, HMAC-SHA-1
*IKE 1st phase, not user authentication.
Why SSL VPN?
[Figure: internal and external users on managed and unmanaged devices (home PC, financial partner or field agent kiosk, logistics partner, project manager employee, remote technician employee, corporate managed laptop, unmanaged partner PC) reaching private resources: web apps, client-server apps, legacy apps, third-party apps, homegrown apps and file access.]
Remote Access Options
• Dialup? Too costly, limited user experience
• Reverse proxy? Only web apps
• Terminal Services? Not from everywhere
• Traditional VPN based on IPsec – most popular
> Limited functionality from firewalled or NAT'ed networks / not very user friendly
> Client becomes difficult to roll out / managed devices only
> Requires administrative installation
> Potential security exposure by extending the network
• SSL VPN
◦ In-office experience from anywhere
◦ Granular policy control
• Next-Gen IPv6 - IPsec VPN
◦ User friendly: no more FW/NAT problems; seamless access from everywhere
◦ Built into client OSs
◦ Granular policy control
SSL VPN Introduction
• Clientless: basic web access, e-mail access, CIFS (Common Internet File System) access
• Thin-client: port redirection for TCP applications only
• Client-based: full SSL tunnel
• Shared applications
• Customized user screen
Deployment Example: IPsec and SSL VPN Support Diverse User Populations
[Figure: a supply partner (extranet), an account manager (mobile user), a doctor at home (unmanaged desktop) and a software engineer (telecommuter) connect across IP/Internet to the central site VPN, either clientless (L7) through a browser or with full network access (L3).]
• Partner – few apps/servers, tight access control, no control over the desktop software environment
• Doctor – occasional access, few apps, no desktop software control
• Engineer – many servers/apps, needs native app formats, VoIP, frequent access, long connect times
• Account Manager – diverse apps, home-grown apps, always works from an enterprise-managed desktop
Security Concerns
Security Concerns for SSL VPN
[Figure: a supply partner on an extranet machine, an employee at home on an unmanaged machine, and a remote user / customer on a managed machine]
Before the SSL VPN session
• Who owns the endpoint?
• Endpoint security posture: AV, personal firewall?
• Is malware running?
During the SSL VPN session
• Is session data protected?
• Are typed passwords protected?
• Has malware launched?
After the SSL VPN session
• Browser-cached intranet web pages?
• Browser-stored passwords?
• Downloaded files left behind?
Client Authentication / Authorization
Client Authentication / Authorization
• Authenticated against:
◦ RADIUS
◦ TACACS
◦ Active Directory (AD) / Kerberos
◦ NT Domain
◦ RSA SecurID
◦ LDAP
◦ One-Time Password server (OTP)
Split Tunneling
[Figure: two diagrams of a VPN client reaching the central site through the VPN appliance. Without split tunneling, all traffic, including Internet traffic (e.g. to http://www.v-ict-or.be), goes through the tunnel to the central site: maximum security. With split tunneling, only traffic for the central site goes through the tunnel and Internet traffic leaves the endpoint directly: maximum Internet access performance.]
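The routing consequence of the two diagrams, as an added example (not code from the slides): which routes a client installs in each mode, and which flows therefore never pass the central-site security stack. The central-site prefixes and sample destinations are constructed.

```python
# Added example, not from the slides: what the VPN client's routing looks
# like with and without split tunneling, and which flows bypass the
# central-site controls (firewall, IPS, content filtering) as a result.
import ipaddress

# Hypothetical central-site prefixes pushed by the VPN appliance (constructed).
CENTRAL_SITE = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.100.0/24")]

def client_routes(split_tunneling: bool):
    """Routes the client installs, as (prefix, next hop) pairs."""
    if not split_tunneling:
        # Full tunnel: the default route points into the tunnel.
        return [("0.0.0.0/0", "vpn")]
    # Split tunnel: only the central-site prefixes go into the tunnel;
    # everything else keeps using the endpoint's local Internet gateway.
    return [(str(n), "vpn") for n in CENTRAL_SITE] + [("0.0.0.0/0", "local")]

def next_hop(dst: str, split_tunneling: bool) -> str:
    """Longest-prefix match of dst against the client's routes."""
    addr = ipaddress.ip_address(dst)
    routes = client_routes(split_tunneling)
    best = max((ipaddress.ip_network(p) for p, _ in routes
                if addr in ipaddress.ip_network(p)), key=lambda n: n.prefixlen)
    return dict(routes)[str(best)]

def uninspected_flows(destinations, split_tunneling: bool):
    """Destinations whose traffic never passes the central-site security stack."""
    return [d for d in destinations if next_hop(d, split_tunneling) == "local"]

if __name__ == "__main__":
    sample = ["10.20.0.5", "192.168.100.7", "203.0.113.10"]   # constructed
    print("full tunnel :", uninspected_flows(sample, False))   # []
    print("split tunnel:", uninspected_flows(sample, True))    # ['203.0.113.10']
```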
Endpoint Security Best Practices by Access Method
• Full tunneling
– Consider the endpoint a remote node on the network
– Grant conditional access based on identity and security posture
– Use network ACL filtering to limit access
• Clientless SSL VPN
– Grant access for specific applications only
– Grant conditional access based on identity and security posture
– Use web ACL filtering to limit access
– Protect against leakage of confidential data
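The best practices above and the before/during/after session concerns, worked into one policy decision as an added example (not code from the slides or from any vendor's appliance). The user groups, ACLs and posture thresholds are constructed assumptions.

```python
# Added example, not from the slides: conditional access decided from
# identity and endpoint posture, with a separate ACL per access method.
from dataclasses import dataclass

@dataclass
class Posture:
    managed: bool     # corporate-owned endpoint?
    antivirus: bool   # AV running?
    firewall: bool    # personal firewall on?

# Hypothetical policy tables (constructed); a real deployment would push
# these from the VPN appliance after authentication against AD/RADIUS/LDAP.
NETWORK_ACL = {"employee": ["10.0.0.0/8"],
               "partner":  ["10.1.20.0/24"]}                      # L3, full tunnel
WEB_ACL = {"employee": ["https://intranet.example/*", "https://mail.example/*"],
           "partner":  ["https://portal.example/orders/*"]}       # L7, clientless

def authorize(group: str, method: str, posture: Posture) -> dict:
    """Return the session policy: whether access is allowed, the ACL to apply,
    and whether file downloads are permitted (blocked on unmanaged endpoints
    so no confidential files are left behind after the session)."""
    deny = {"allowed": False, "acl": [], "downloads": False}
    if group not in NETWORK_ACL:
        return deny                      # unknown identity: nothing at all
    if method == "full_tunnel":
        # The endpoint becomes a remote node on the network: require a managed
        # device with AV and personal firewall (assumed threshold).
        if not (posture.managed and posture.antivirus and posture.firewall):
            return deny
        return {"allowed": True, "acl": NETWORK_ACL[group], "downloads": True}
    if method == "clientless":
        # Browser-only access to specific applications; AV is still required
        # (assumed threshold) and downloads are allowed only on managed endpoints.
        if not posture.antivirus:
            return deny
        return {"allowed": True, "acl": WEB_ACL[group],
                "downloads": posture.managed}
    return deny                          # unknown access method
```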
Possible Attacks
• Hardware keyloggers
– Directly installed into the keyboard or motherboard
– Cable extension
• Software keyloggers
– Kernel driver
– Software hook
• Spyware, malware
Security is not only about technology
[Figure: three layers with their controls.]
• People – ID management
• Data – data security
• Infrastructure – network security
Controls shown across the layers: security policy, authentication, authorisation, training, secure communication, VPN (SSL/IPsec), content filtering, data security, firewall, IPS, anti-virus/spam/malware/phishing.
Market
Market Players
Recommended Reading
Recommended Reading
• Telework.gov
◦ http://www.telework.gov/policies_and_procedures/telework_security/index.aspx
• SP800-46 – Guide to Enterprise Telework and Remote Access Security
◦ http://csrc.nist.gov/publications/nistpubs/800-46rev1/sp800-46r1.pdf