View
219
Download
2
Embed Size (px)
Citation preview
Information Security in Real Business
Asian Connection and Craig
MSIT 458: Information Security and Assurance
Secure Remote Access for Company XYZ
• Provide remote users secure access to internal corporate network resources – 1000 user company • Remote users access the perimeter network from public
Internet• Quantity of the threats are progressing and complexity is
increasing – “Bot Nets”• The end-points are hard to secure and network security is
a corporate standard• How do we trust the remote users while verify they are
secure• Provide authenticated secure connection for remote users
Secure Remote Access for Company XYZ
• Why this problem is a general one that comes across multiple industry/education/government sectors?• Globalization – Companies have operations outside the US• Talent pool – No longer constrained by geographic
limitations• Remote users - Increase in demand for users to work
remotely
4
Global Setup
Chicago
Frankfort
Singapore
Secure Remote Access for Company XYZ
• Remote Users • Asia - 9 countries (100 users)• Europe – 10 countries (120 users)• Americas – 4 countries (780 users)
• Security Verifications• Validate virus definitions files and active monitoring• Verify windows patches are current• Isolate worm virus from entering corporate network
Existing State for Company XYZ
• Users login through the public Internet using VPN client access• No Virus Checking• Patch Management is not verified• The user can use any computer with
VPN client – no way to enforce corporate approved machines
• No validation for malware or bot net infected machines
Business Applications
• Email and SharePoint
• Business Intelligence Tools• SAS & ETL Tools
• Business Data• Structured• Unstructured• File Server• Data Warehousing• ERP Systems
User Landscape
• Remote Users• Global Remote Offices -
DSL connections• Home Users –
Broadband Connections• Partners • Local and Off Shore – DSL
/ Public Internet• Higher Level privileges –
above guest access
Technical Solution
• Symantec Network Admission Control• End Point Product is currently being used for
Anti-Virus and Client security• “Single Pane of Glass” – One Management
Interface is used to manage Anti-Virus, Client Firewall, Client Intrusion Prevention System and Network Admission Control
• Microsoft Certificate Administration• Management is built into 2008 Active Directory
10
Remote employees or partners
VLAN 0
Internet
ASA
Firewall
AD
Certificate
Server
VLAN 1
1 2
3 - OK
Symantec Endpoint Protection
Antivirus
Security Patterns
Symantec Gateway Enforcer
1. User attempts to connect to vpn.xyz.com
2. Cisco ASA validates user Certificate with Windows 2008 Certificate Server
Network Access Control (NAC)
Technical Solution
11
Remote employees or partners
VLAN 0
Internet
ASA
Firewall
AD
Certificate
Server
VLAN 1
1 2
3
3 - OK 4
Symantec Endpoint Protection
Antivirus
Security Patterns
Symantec Gateway Enforcer
4
3. If Certificate is valid, information is passed back through the Cisco ASA and the user is allowed access to VLAN0
4. Computer information is passed to the Symantec Gateway Enforcer Gateway Enforcer checks for policy information from Symantec Endpoint Protection Server
Network Access Control (NAC)
Technical Solution
12
Remote employees or partners
VLAN 0
Internet
ASA
Firewall
AD
Certificate
Server
VLAN 1
1 2
3
3 - OK 4
Symantec Endpoint Protection
Antivirus
Security Patterns
Symantec Gateway Enforcer
4
5 – Policy Check
5 . Gateway Enforcer compares remote computer security with policy from Symantec Endpoint Protection - If computer is not compliant information is presented to the user on steps needed to become compliant
6. When computer is compliant access is granted to internal VLAN
6
Network Access Control (NAC)
Technical Solution
13
Remote employees or partners
VLAN 0
Internet
ASA
Firewall
AD
Certificate
Server
VLAN 1
1 2
3
3 - OK 4
Symantec Endpoint Protection
Antivirus
Security Patterns
Symantec Gateway Enforcer
4
5 – Policy Check
7. Computer Connects locally to our network - Network Access Control performs policy check
8. NAC will also determine what resources local users can access
6
Network Access Control (NAC)
Technical Solution
14
Research Findings
• Cisco• NAC appliances are expensive• There is integration with Microsoft’s Network Access Protection. (This
can be utilized as we migrate to Windows 2008 and the next Desktop OS we roll-out)
• Uses optional dissolvable or permanent agent or scanning function• Need to define how they will integrate 802.1x enforcement
• Symantec• Uses the existing Endpoint infrastructure• Uses dissolvable agent or agentless scanning option for non-Symantec
endpoints.• They have a separate model for 802.1x enforcement
Source: Gartner Research
15
Cost ComparisonSymantec
One Time Cost
Cisco
One Time Cost
On-Going
Symantec
On-Going Cisco
Hardware
NAC Hardware $27,000 $125,000 $2,700 $22,000
Software
Client Licensing and Microsoft SA
$25000 $46,000 $2,500 $9,500
Installation
Consulting $5000 $65,000
Total $57,000 $236,000 $5,200 $31,500
Requirements
Requirement Symantec Cisco
$$$ (<200K) Yes No
Ease of Use Yes No
Interoperability Yes Yes
Ease of Training Yes No
Warranty Yes Yes
Customer Support
Yes Yes
Some of the Consequences
• Better protection for corporate assets against:• Trade secret leakage• Malwares, botnets, viruses, worms, etc
• Ensuring proper usage of corporate resources• Trade off between additional security vs. additional
operational overhead• Increasing IT support staff• 24x7 support availability• Initial time to establish connection is longer than the
traditional VPN
• Additional complexity requiring training for non-technical users