Securing remote access to an organization’s sensitive data has always been a challenging task for IT managers. This article discusses the significant aspects of this subject, including the latest happenings in technology, the major challenges and, most importantly, the points every organization should consider before selecting a solution. You can also find here the major solutions available in this space.
As the Internet becomes ubiquitous, a distributed computing environment is becoming an obvious feature of a developed organization. This distributed computing paradigm allows for a highly mobile workforce, which has created demand for technologies that enable workers to remotely access their organization’s centralized network resources. The need to secure access to enterprise applications is an ongoing battle for IT managers – and it is only getting worse in the wake of new security demands. The emergence of new regulations for laptop encryption and two-factor authentication for civilian agencies, for example, has placed increasing pressure on enterprises to act on their security initiatives more quickly than ever.
Drivers for Remote Access Security
An enterprise must anticipate and plan for potential disasters. You can’t start from scratch on the day of a disaster; at that point, it’s too late. During a disaster, the inability to operate normally or provide access to critical resources can hurt revenue, damage a company’s reputation, or mar the corporate brand. This is why responsibility for the once-mundane matter of disaster planning has risen from middle management to the highest echelons of the corporate hierarchy. There are a lot of drivers for remote access, but the overarching issue is that people need access to information from anywhere, at any time, from any device. The outdated vision of access based on a specific device or location is gone. Especially in corporate scenarios, people expect to get the business intelligence they need, when they need it, and to be able to use a laptop, desktop, kiosk, smartphone, or even an MP3 player to get to that information. IT has to be an enabler.
Today, browsers with SSL technology built in are increasingly relevant, as enterprises are adopting the SSL VPN architecture at an increasing speed to enable VPN access from anywhere, at any time. Another driver for this technology is the weakness of the alternative, IPSec VPN, which is also less flexible than SSL VPNs; SSL VPNs work with browsers in general. This aligns well with evolving business needs, such as the increasing use of external consultants and widespread network consolidation that requires sharing network resources with partners. Businesses with employees working from remote locations are yet another reason why enterprises prefer SSL VPNs.
So, the increasing mobility of the workforce is one of the prime drivers of the need to secure access to remote information. It allows users to access and work on files stored on the office computer from a PC at home, and vice versa, thereby increasing productivity. The need for customers, partners and contractors to access the corporate network from anywhere is making VPNs an essential IT requirement. VPNs play a crucial role in meeting communication requirements, providing flexibility and a prompt return on investment when implemented and used properly.
Current Major Threats
Experts believe that security is the most challenging area of concern in this space. According to Siva Columbus, Technology Specialist, VeriSign India, an organization that wants to make its private network or its internal IT systems accessible outside of its own premises will necessarily have to implement strong security solutions. The organization clearly needs to mandate security measures such as personal firewalls, malware scanning, intrusion prevention, operating system authentication and file encryption.
Jatin Sachdeva, Information Security Specialist, Cisco India & SAARC, believes that the major threats related to remote access originate from the dynamic nature of endpoints. Endpoints today are not just laptops but also include a huge cross-section of mobile devices and PDAs, which are continuously exposed to the Internet. The threat that a remote access endpoint may be infected or is not trustworthy always exists.
Some of the major threats are listed below:
Sensitive data left in a browser's cache: Web browsers cache the various web objects that users download during browsing. This caching helps browsers to improve the browsing experience. The browser cache files are physically stored on the user's computer in predefined directories. For example, the Temporary Internet Files folder is used by Internet Explorer. After users finish browsing and leave the computer, the browser cache is left on the computer and can be accessed by other users who later log on to the same computer. This can be a security risk in a kiosk scenario that uses SSL VPN clientless web access. In this case, a VPN user logs in to the SSL VPN portal from a kiosk machine to access corporate resources, such as e-mail or other business applications. During the session, the user can access sensitive documents through the web browser, which caches the document on the local hard drive. After the user signs off and leaves, attackers can easily use the kiosk computer and collect the browser cache to retrieve the sensitive information.
Browser histories: Similar to the browser cache, browser histories are stored by the browser to enhance the user experience. The browser histories reveal the user activities and internal web server structure. Similar to the browser cache, browser histories saved on unmanaged computers are vulnerable to data theft.
Browser cookies: A cookie is a text-only string sent by a web server to a web browser. The cookie can reside in the browser's memory or be stored on a local hard drive. A cookie is often used for purposes such as authentication, tracking, and personalization, such as site preference. Depending on their usage and content, cookies could contain sensitive information about users. Similar to a browser cache, cookies saved on unmanaged computers are vulnerable to data theft.
Browser-saved forms and user passwords: Similarly, browser-saved forms and user passwords are vulnerable to data theft and password theft.
Documents on unmanaged computers: More generally, documents and other types of sensitive data left on the unmanaged computers are vulnerable to data theft. For example, it is common for a VPN user to temporarily download a sensitive document to the local computer for reading or editing and later forget to delete the sensitive document before logging off. Furthermore, even if the user deletes the files before the VPN logoff, it is fairly easy for attackers to recover the deleted files by using common file-recovery utilities that are readily available on the Internet.
Data theft and password theft using keystroke loggers or other Trojan horse programs: In the SSL VPN web-based clientless mode, users can access corporate resources from an already compromised computer that contains malware. For example, loggers that are preinstalled by the attackers can capture user input, such as e-mail IDs and passwords, and take screen shots of the e-mails.
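The browser-residue threats above (cache, history, cookies, saved forms) are mostly addressed on the portal side by how the SSL VPN serves its pages: responses carrying sensitive data should be marked non-cacheable and the session cookie should be session-only, Secure and HttpOnly. The following is an added example, not code from the article or from any vendor, that audits raw HTTP response headers for exactly those properties. The two responses it checks are constructed samples, not captures from a real portal.

```python
# Added example (not from the article): a small header audit that flags the kiosk-residue
# risks discussed above. The HTTP responses below are constructed samples, not captured
# from any real SSL VPN portal.


def parse_headers(raw):
    """Parse a raw HTTP response (status line plus headers) into (name, value) pairs.
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_findings(set_cookie):
    """Flag a Set-Cookie value that would outlive the session on a shared computer
    or be exposed to page scripts / plaintext HTTP."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append(f"cookie {name}: missing Secure (could be sent over plain HTTP)")
    if "httponly" not in attrs:
        problems.append(f"cookie {name}: missing HttpOnly (readable by page scripts)")
    if "expires" in attrs or "max-age" in attrs:
        problems.append(f"cookie {name}: persistent (Expires/Max-Age) - stays on disk after logoff")
    return problems


def audit_portal_response(raw):
    """Return a list of findings; an empty list means the response leaves no
    cacheable body and no persistent or script-readable cookie behind."""
    headers = parse_headers(raw)
    findings = []
    cache_control = " ".join(v.lower() for n, v in headers if n == "cache-control")
    if "no-store" not in cache_control:
        findings.append("Cache-Control lacks no-store: body may be written to the browser cache")
    if not any(n == "pragma" and "no-cache" in v.lower() for n, v in headers):
        findings.append("no 'Pragma: no-cache' for HTTP/1.0 browsers and proxies")
    for n, v in headers:
        if n == "set-cookie":
            findings.extend(cookie_findings(v))
    return findings


# Constructed sample: a portal page served with defaults that leave residue on a kiosk.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/; Expires=Fri, 31 Dec 2027 23:59:59 GMT
"""

# Constructed sample: the same page with caching disabled and a session-only cookie.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store, no-cache, must-revalidate, private
Pragma: no-cache
Expires: 0
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
"""

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_portal_response(resp) or "no findings")
```

Headers only cover what the browser writes on the portal's instruction; documents the user downloads deliberately and the browser's own password manager are outside their reach, which is why the article pairs these controls with user awareness and a short session timeout on shared machines.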
Latest Happenings
The increased penetration of handheld access devices including notebook PCs and remote workers has boosted the demand for remote access technologies. Remote access technology has evolved dramatically over the past decade. New mobile devices and business solutions, offered in new combinations—that weren’t even on the radar for enterprise IT a few years ago—are announced in the industry nearly every day. Broadband access to the Internet has become an expected standard, at work, at home and everywhere in between. Traditional desktop PCs are being replaced by laptops, PDAs and smartphones, all mobilized with sophisticated wireless and cellular connectivity. The rise in VoIP has turned phone calls into data resources and transformed telephony into yet another network access methodology.
This fundamental technological shift has sparked a remote access revolution across the enterprise, reflected in a sharp increase in teleworker use cases worldwide. Partners, vendors and consultants play an increasingly vital role in daily operations. Traditional network boundaries are disappearing. “The office” no longer has anything to do with any specific physical location. Executives expect full access to the same application and file resources whether their laptop is at headquarters or in a hotel suite on the other side of the world.
Accountants require secure access to financials on a remote data site mainframe from satellite field offices via the Internet. Sales teams now take their virtual office on the road with them using a host of small form-factor mobile devices and also demand access to corporate resources from public kiosks at hotels, airports and convention centers. Business partners, vendors and consultants, often collaborating in cross-functional teams, require access to “internal” enterprise resources across the extranet from endpoint locations behind their “external” firewalls. Remote teleworkers in all business capacities connect to business applications and files via WiFi hotspots at home or in neighborhood cafes. Experts believe that the latest shift in the space, and one that is becoming increasingly popular, is the movement from IPSec VPN to SSL VPN. In contrast to a traditional Internet Protocol Security (IPSec) VPN, an SSL VPN does not require the installation of specialized client software on the end user's computer. It is used to give remote users access to Web applications, client/server applications and internal network connections. Thus, we see SSL VPN taking over from IPSec VPN.
Shubhomoy Biswas, Country Director, India and SAARC, SonicWALL, believes that fundamental changes in remote access have happened for three reasons: increased teleworking, proliferation of mobile devices and ubiquity of broadband. Jatin Sachdeva believes that, to accommodate the dynamic nature of endpoints, the biggest shift is from IPsec to SSL as the remote access technology of choice. SSL allows for both a dynamically downloadable thin client and clientless access, and has a significant number of options for deciding levels of access based not only on user authentication but also on the type of remote access device and its posture.
Jatin also believes that the biggest paradigm shift in the remote access security space will be the operating system of the remote access endpoint becoming very unpredictable due to the huge variety of devices and their operating systems. The amount of control over the endpoint OS would be minimal and the only presence would be a thin connection client or a browser. This would bring in a mix of always-on VPN endpoints as well as browser-based VPN endpoints, and most controls and intelligence will lie with the network and work closely with the SSL VPN head end. Acknowledging the same, Valan.S, CISSP, Systems Engineer, Fortinet, also says that SSL VPN technology will probably supersede IPSec as the preferred remote VPN access solution for employees and also for business partners and external service providers. He also says that the latest shifts in this space include the integration of the SSL VPN solution with perimeter security to further consolidate the number of appliances or products that customers have to install, maintain, and manage. SSL VPN technology is a technology success story, disrupting the eco-balance of the well-established IPSec VPN industry and creating a new secure remote-access business model.
Some of the important shifts:
The Impact on Access Control
Mobile trends in technology and business operations have accelerated the replacement of traditional network nodes from IT-managed hard-cabled desktops to wireless laptops and mobile devices. Even when these devices are issued by IT, it is increasingly hard for IT to control what users do with access devices and to limit the ways in which users expose these devices to threats that can impact the security of enterprise resources.
For example, an end user might use the same mobile computing device at home as in the office, use a personally-owned device for business purposes, or use a corporate-owned device for personal purposes.
The Convergence of Local and Remote Access
In many ways, local access is now treated more like remote access and vice versa. Local user access must be as tightly secured as if they were remote and remote user access must be as simple and comprehensive as if they were local. Policy can dictate that instead of gaining network-wide access, local users are restricted to only authorized resources. However, policy can also widen access for remote users to a broader set of collaborative business tools.
As more types of users work from multiple locations, demand for remote access is on the rise, while demand for local-only access has fallen off. Hard-wired LAN access is being outmoded by ubiquitous high-speed connectivity over wireless networks and the Internet. Data centers are becoming virtualized, providing fluid access to resources from anywhere. Today, IT must assume that all users are potentially remote and that all endpoints are potentially unsafe. But IT must also assume that users will demand full access to all their business resources from any location using whatever device they have at hand.
With the convergence of local/remote access, rather than striving for a secure network, IT should focus on establishing secure communications to network resources. The traditional network perimeter must be tightly concentrated into a resource perimeter around the back office systems of the application data center. In effect, enterprise IT data centers will increasingly resemble e-commerce innovators providing Internet-based, globally-accessible services. Local/remote access evolves into universal access.
Think and Pick Up
Before selecting a remote access security solution, organizations should conduct a thorough information risk assessment. Organizations should think carefully about what kinds of sensitive and personal data they are making available remotely and to whom they are granting access. Remote access to any personal data should be over an encrypted connection protected by a username/ID and password. Users who are given full, unrestricted access to an organization’s management information system should connect over an encrypted connection and use two-factor authentication. Organizations should ensure that users are aware of the need to keep their sign-on credentials secure. This is particularly important when users access systems from a shared computer. For example, users should make sure they sign off when they have ended their session. Users should not save passwords if offered this option by their browser. Users should ensure that unauthorized users are not able to use their credentials to gain access, for example another family member at home who may use a shared computer.
A secure remote access solution should offer adequate options for a dynamically downloadable client (with an option for IPsec/SSL) as well as browser-based clientless SSL. Cisco believes that it should work with a wide array of endpoints and mobile devices and have dynamic access policies to determine levels of access based on user authentication and endpoint type and posture. The solution should also have intelligent network-based mobile user security options to perform intelligent split tunneling as well as protect the end user from malicious websites. Finally, the solution should offer a wide array of options around session persistence and timeouts, and integrate with the backend user database of your choice.
Fortinet feels that as the blended threatscape becomes a real and present danger, with cybercrime getting more sophisticated, companies are forced to add additional layers of security at VPN termination points to properly protect the mission-critical assets on internal networks. Intrusion prevention systems (IPS), gateway antivirus with antispyware (AV), antispam (AS), web content filtering (WCF) and traffic shaping technologies are all used to ensure that blended threats and access to undesirable content are blocked and that legitimate traffic is secured and assured from point to point.
VeriSign strongly advises its customers to take a layered security approach to securing SSL VPN access, using EV-SSL certificates and strong authentication to prevent unauthorized access. An EV-SSL certificate proactively prevents unsuspecting corporate users from revealing their enterprise ID and password to a phishing site. EV-SSL certificates provide a visual identity, with the address bar turning green and the name of the enterprise shown as the legal owner of the site.
Strong authentication enables the use of an additional factor of authentication apart from the enterprise user’s user ID and password. It takes either a certificate installed on the enterprise user’s laptop or a one-time password generated from a token. The tokens are software based and are available on mobile devices, supporting all leading enterprise handsets such as BlackBerry, iPhone and the Nokia Communicator.
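The PIN-plus-token-code scheme described above (and again under the RSA SecurID entry later in this article, where the code changes every 60 seconds) is straightforward to verify on the gateway side, but two details matter for security: the comparison must be constant-time, and a code that has already been accepted must not be accepted a second time, since a keystroke logger on a compromised endpoint captures the PIN and code just as easily as a static password. The following is an added example, not code from the article or from any token vendor; it uses the open TOTP algorithm (RFC 6238, HMAC-SHA1) as a stand-in for whatever proprietary algorithm a given token uses, and all secrets, salts and usernames in it are constructed.

```python
import hashlib
import hmac
import struct
import time

# Added example (not from the article or any vendor): a server-side check of
# "PIN + one-time code", using the open TOTP algorithm (RFC 6238, HMAC-SHA1) in place
# of any vendor's proprietary token algorithm. All secrets below are constructed.

DIGITS = 6
STEP_SECONDS = 60               # the article's token example changes its code every 60 s
PIN_SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def pin_record(pin, salt=PIN_SALT):
    """Store the PIN as a salted PBKDF2 hash rather than in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenVerifier:
    """Validates PIN + code and remembers the last accepted time step per user,
    so a code captured by a keystroke logger cannot be replayed inside its window."""

    def __init__(self, users, window=1):
        self.users = users      # username -> (pin_hash, token_secret)
        self.window = window    # accept +/- this many steps of clock skew
        self.last_step = {}

    def verify(self, username, passcode, now=None):
        now = int(time.time()) if now is None else now
        record = self.users.get(username)
        if record is None or len(passcode) <= DIGITS:
            return False
        pin_hash, secret = record
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not (code.isascii() and code.isdigit()):
            return False
        pin_ok = hmac.compare_digest(pin_record(pin), pin_hash)

        current = now // STEP_SECONDS
        matched = None
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(totp(secret, step * STEP_SECONDS), code):
                matched = step
        if not pin_ok or matched is None:
            return False
        if matched <= self.last_step.get(username, -1):
            return False        # replayed, or older than the last accepted code
        self.last_step[username] = matched
        return True


if __name__ == "__main__":
    secret = b"constructed-token-seed"
    verifier = TokenVerifier({"alice": (pin_record("1234"), secret)})
    t = 1_700_000_000
    code = totp(secret, t)
    print("first use:", verifier.verify("alice", "1234" + code, now=t))
    print("replay:   ", verifier.verify("alice", "1234" + code, now=t))
```

The replay check is what turns a captured PIN and code into something worthless a minute later; without it, the "one-time" property depends entirely on the attacker being slower than the clock. A production verifier would add a failed-attempt lockout, since a short numeric PIN cannot resist online guessing on its own.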
Here are some pointers for enterprises considering the deployment of SSL VPN:
Identify Remote Access Requirements.
The first phase of the process involves identifying the current and future requirements for remote access and determining how they can best be met by an SSL VPN implementation.
Design the Secure Remote Access Solution.
The second phase involves all aspects of designing an SSL VPN solution. The design elements are grouped into five categories: access control, endpoint security, authentication methods, architecture, and cryptography policy.
Implement and conduct Proof of Concept (POC).
The next phase involves implementing and conducting a proof of concept in a test environment. The primary goals are to evaluate all aspects of the solution including authentication, application compatibility, management, logging, performance, security of the implementation, design and layout of the VPN portal, and default settings.
Integrating the SSL VPN with other security features such as firewall, antivirus, IPSec VPN, network IPS, anti-spam, and now application control, SSL inspection, WAN optimization, data loss prevention and more fine-grained Web filtering helps improve the overall security posture of the organization.
• Easy to deploy – Let all users access the VPN from a Web portal page on the company Web site or another URL that everyone knows. The solution should also be easy to use and easy to manage, since a disaster is not the time for extensive training.
• Choose an open, flexible solution
The first step is to make effective use of network security products already in place. Individual network defenses like firewalls, SSL VPN gateways and intrusion prevention and intrusion detection systems (IPS/IDS), as well as other security software and appliances, need to interoperate with the selected network access control solution. The goal is to make sure that access control and network defenses are aligned on policy, and reference the same information.
Interoperability works both ways: the access control solutions take input from security devices to assess the instantaneous threat environment and identify events, and they enforce their response through these same devices, for example by restricting access to threatened network segments, applications, data sources, or by restricting or blocking actions of suspect individuals or devices. The best of them offer policies and templates that work across multiple network access methods and with different network security products to speed implementation and simplify management.
• Quickly scalable – Allow IT staff to scale the remote access quickly to accommodate a spike in VPN traffic. With a disaster, all users could now be remote, and the solution should have adequate capacity plus failover capability to ensure no downtime.
• Access to all applications – For successful remote access, during an emergency or not, users must be able to access all appropriate network resources, including Web-based applications, file shares, client/server applications, Windows Terminal Services, etc. A solution that supports Web conferencing and VoIP is also important during an emergency, since traditional phone systems may not be working.
• Highest Level of Security – Don’t sacrifice privacy or security to maintain business as usual. By placing an SSL VPN at the perimeter of the data center and leveraging its policy controls, enterprises can closely control who accesses which information and block unauthorized access. Establish all access controls beforehand, so when a disaster strikes, the security policies are in place.
• Ensure Compliance – Keeping a clear audit trail of who is accessing which information could become even more important during a disaster. An SSL VPN can provide granular access controls to ensure only authorized users can access resources and provide auditing and reporting of that access.
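The "dynamic access policies" Cisco describes earlier (levels of access decided by user authentication plus endpoint type and posture) and the audit trail called for in the last pointer above fit together naturally: every decision the gateway makes should be a function of who the user is and what they are connecting from, and every decision should be recorded. The following is an added example, not code from the article or from any vendor product, showing one such policy engine; the groups, resources, posture fields and access levels are constructed for illustration and would be replaced by an organization's own catalogue.

```python
import json
from dataclasses import dataclass

# Added example (not from the article or any vendor product): a dynamic access policy
# that maps user group + endpoint type + posture to an access level and a resource list,
# and emits an audit record for each decision. Groups, resources and posture fields are
# constructed for illustration.

# Access levels in increasing order of how much of the internal network is exposed.
LEVELS = ["deny", "web-portal", "thin-client", "full-tunnel"]

# Constructed resource catalogue: which groups may reach it and the minimum level needed.
RESOURCE_POLICY = {
    "webmail":           {"groups": {"staff", "contractors"}, "min_level": "web-portal"},
    "partner-extranet":  {"groups": {"partners"},             "min_level": "web-portal"},
    "file-shares":       {"groups": {"staff"},                "min_level": "thin-client"},
    "erp-client-server": {"groups": {"finance"},              "min_level": "full-tunnel"},
}


@dataclass
class Endpoint:
    kind: str            # "managed-laptop", "byod-laptop", "smartphone", "kiosk"
    os_patched: bool
    av_running: bool
    disk_encrypted: bool


@dataclass
class LoginContext:
    user: str
    groups: set
    second_factor: bool
    endpoint: Endpoint


def access_level(ctx):
    """Posture check: decide how much of the network the session may see, and why."""
    ep = ctx.endpoint
    if not ctx.second_factor:
        return "deny", "no second factor presented"
    if ep.kind == "kiosk":
        return "web-portal", "unmanaged kiosk: clientless web access only"
    if ep.kind == "managed-laptop" and ep.os_patched and ep.av_running and ep.disk_encrypted:
        return "full-tunnel", "managed endpoint with compliant posture"
    if ep.os_patched and ep.av_running:
        return "thin-client", "patched and protected but not fully managed"
    return "web-portal", "posture check failed: restricted to web portal"


def decide(ctx):
    """Return (level, sorted allowed resources, reason) for one login."""
    level, reason = access_level(ctx)
    rank = LEVELS.index(level)
    allowed = sorted(
        name for name, pol in RESOURCE_POLICY.items()
        if rank >= LEVELS.index(pol["min_level"]) and ctx.groups & pol["groups"]
    )
    return level, allowed, reason


def audit_record(ctx, decision):
    """One JSON line per decision: who, from what, got what, and why."""
    level, allowed, reason = decision
    return json.dumps({
        "user": ctx.user,
        "endpoint": ctx.endpoint.kind,
        "second_factor": ctx.second_factor,
        "level": level,
        "resources": allowed,
        "reason": reason,
    }, sort_keys=True)


if __name__ == "__main__":
    laptop = Endpoint("managed-laptop", True, True, True)
    kiosk = Endpoint("kiosk", False, False, False)
    for ep in (laptop, kiosk):
        ctx = LoginContext("alice", {"staff", "finance"}, True, ep)
        print(audit_record(ctx, decide(ctx)))
```

The same user gets a full tunnel and the ERP client/server application from a compliant managed laptop, but only webmail through the clientless portal from a kiosk; the reason string in the audit line is what lets a reviewer later reconstruct why a given access was or was not granted, which is the compliance point the pointer above makes.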
Future
Business and network evolution has increased the number and severity of network, application and data risks from errors and attacks made by authorized insiders, including outsourcers. Traditional access controls and point products can leave gaps in coverage, and raise the risk of "access inflation" and precarious workarounds when network and access management grows too complex. Cisco says that while SSL may soon become the de facto standard for remote access, the future lies in mobile user security, and there will be an increasing number of innovations and partnerships around protection of the remote access user, whether they use a browser or a thin client for SSL access.
Fortinet sees that high-speed Internet connections from homes, hotels and conference centers will further fuel the need for anytime, anywhere access. Security controls required to address these emerging security trends, including the need to secure increasingly consumer-centric, virtualized and consolidated technology environments, must provide better integration at both the software and hardware level and provide complete coverage of threats and improved scalability. Customers will look at consolidating network security with new technologies including WAN optimization, application control, data leakage prevention and SSL inspection. These new security functions would address the latest cyber threats as well as Web 2.0 application usage.
VeriSign believes that the adoption of VPNs has been vast and swift, and as technology advances this trend will only increase. The technology is expected to grow at a healthy rate. Advancements like SSL VPN solutions offer a flexible and highly secure way to extend network resources to virtually any remote user with access to the Internet and a web browser. It is expected that large organizations such as banks, ISPs, e-businesses, BPOs and e-traders will drive this technology in the years to come. These organizations have a large mobile workforce that needs remote connectivity.
Box Item
Some of the available solutions in this space:
Citrix SSL Access Gateway
Citrix’s SmartAccess technology means that when a user connects, the system collects data to determine how the user is attempting to access the educational resources. SmartAccess policies provide a fine level of policy-based control over the actions users can take with applications, files, web content, printing and email attachments. It extends access by allowing users to access network file shares, web email and internal websites from devices that are locked down and do not permit the downloading of software. It supports a wide variety of platforms including Windows 2000 Professional, Windows XP, Windows Vista, Linux and numerous small form-factor devices.
Intelligent Application Gateway 2007 and UAG
The Intelligent Application Gateway 2007 (IAG 2007) is for organizations that are looking for the highest level of security for remote access connections. In contrast to the ISA or TMG firewall, the IAG 2007 SSL VPN gateway is a single-purpose device: a remote access gateway for inbound connections to network services. While the ISA and TMG firewalls can provide the same or a superior level of security for inbound connections to network services as any other firewall on the market today, IAG 2007 provides the highest level of security possible for incoming connections to Web and non-Web services.
IAG includes a number of software modules, known as Application Optimizers, which confer a very high level of protection for remote access to Web services. The Application Optimizers enable IAG to perform deep application layer inspection for the Web services it publishes. IAG's deep application layer inspection employs both positive and negative logic filtering. Positive logic filtering enables IAG to allow only known-good communications to the published Web service, while negative logic filters block known bad connections.
The next version of the IAG, known as the Unified Access Gateway, will continue to build on the strong application layer intelligence included with IAG and will add more secure remote access options. The most interesting of these is support for Microsoft’s new Direct Access remote connectivity option, which will enable users located anywhere in the world to transparently connect to the corporate network, including domain connectivity.
Check Point SSL VPN 
The clientless SSL VPN requires no specialised software to be downloaded to the user’s device. All VPN traffic is transmitted and delivered through a standard web browser and its native SSL encryption. The Check Point SSL VPN provides secure remote access, endpoint security and integrated intrusion prevention. Remote educational users can access a range of enterprise applications. Check Point also supports SSL Network Extender Application Mode, where the client is based on an ActiveX or Java applet and a transparent proxy mechanism, which provides a solution for secure remote access to corporate resources through most TCP/IP applications, including non-web applications.
VASCO SSL VPN
SSL VPN technology provides secure access for remote users without the requirement of a pre-installed client. SSL VPN provides an additional level of protection through complete content inspection, which ensures the integrity of customers’ VPN traffic. Solutions may utilise either CSIA-certified SSL VPN or CSIA-certified IPSec VPN technology. VASCO and Fortinet offer both a secure IPSec client and clientless SSL VPN for hotspot access in areas where IPSec may be blocked by a firewall. The VASCO token provides the two-factor authentication so users can establish secure sessions.
RSA SSL VPN
Used in combination with RSA SecurID authenticators, the RSA SecurID Appliance is designed to validate the identities of users by requiring the user to present a PIN along with their token code before granting access to sensitive network resources. Each user is assigned a unique RSA SecurID authenticator which generates a random code every 60 seconds. The RSA SecurID Appliance validates the user’s PIN and token code, confirming the user’s identity.
OpenVPN SSL
OpenVPN accommodates two-factor authentication and a wide range of configurations, including remote access, site-to-site VPNs and Wi-Fi security, and provides enterprise-scale remote access solutions with load balancing, failover and fine-grained access controls. OpenVPN implements OSI layer 2 or 3 secure network extensions using the industry-standard Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocol and allows user- or group-specific access control policies through firewall rules applied to the VPN virtual interface. OpenVPN’s drawback is that it is not a web application proxy and does not operate through a web browser.
SonicWALL SSL VPN
SonicWALL SSL VPNs deliver a vast set of features and benefits that make them the easiest to use and control. Easy to use means you get an immediate return on your investment by allowing your workforce to be productive anywhere, anytime. Easy to control means you can reduce your IT overhead and total cost of ownership. And you can ease your mind knowing you’ve applied one of the industry’s best remote access security technologies, integrating three comprehensive steps:
- Detect the security of an endpoint at user login and/or at administrator-defined intervals
- Protect resources with granular policy based on that user and endpoint
- Connect the user effortlessly to authorized resources
SonicWALL SSL VPN appliances integrate seamlessly into any network topology and can be easily deployed alongside any third-party firewall as a secure remote access solution. This enables IT administrators to leverage the existing network infrastructure without the need to purchase additional hardware. When deployed alongside an NSA, PRO or TZ appliance, you gain enhanced security and Unified Threat Management (UTM) protection.
—By: ‘InfoSecurity’ Bureau.