Secure Remote Access - PowerPoint PPT Presentation

1 / 11
About This Presentation
Title:

Secure Remote Access

Description:

Malware Prevention. Personal Firewall ... Multiple instances of security software for disk encryption, network encryption, ... domain management tools may be ... – PowerPoint PPT presentation

Number of Views:1055
Avg rating:3.0/5.0
Slides: 12
Provided by: mike351
Category:

less

Transcript and Presenter's Notes

Title: Secure Remote Access


1
Secure Remote Access
For telecommuters and roaming users
  • Craig McGregor
  • Security Specialist
  • The Treasury

2
Secure Remote Access Requirements
  • Authentication (Knock, knock, whos there?)
  • Access to the laptop
  • Access to your network
  • Physical Security
  • Lost or mislaid laptops
  • Unauthorised Access to a laptop
  • Network Security
  • Network-based attacks/intrusions
  • Information confidentiality
  • Malware Protection
  • Management/Low support cost
  • Ease of Use

3
Authentication
  • Authentication is needed to
  • Prevent unauthorised access to the laptop
  • Prevent unauthorised access to your network
  • The Authentication Scheme needs to
  • Be easy and seamless to the user
  • Use multiple factors to prevent capture and
    replay of credentials (e.g. key-logging of
    passwords)
  • Prevent man-in-the-middle attacks
  • Rainbow iKey cryptographic tokens

4
Physical Security
  • Laptops contain your agencys information
  • Try and keep as little information on the laptop
    as possible - Dont use a laptop as a mass
    file-store
  • Make it difficult to obtain information even with
    physical access to the laptop Boot time
    authentication
  • Media could be removed and read from elsewhere
    Disk Encryption
  • Procedures Citrix WinMagic Rainbow Crypto
    Tokens

5
Disk Encryption Implementation Choices
  • Disk vs File Encryption
  • File Encryption
  • Choose a file, decrypt, use, encrypt, secure
    erase unencrypted file
  • Disk Encryption
  • Encrypts and decrypts all files (including
    temporary files) on the fly. This process is
    extremely transparent to the end user.
  • Issues for pooled resources
  • If laptop L is encrypted with user As key then
    users B,C,D cannot use the laptop.
  • Use a device access key rather than a user
    authentication key
  • Master Keys
  • If a user loses their key, or is not present can
    IT Support read the disk?
  • Encrypt the disk encryption key using the users
    key and a key owned by IT Support staff

6
Network Security
  • Your Agencys information travels over the
    Internet.
  • Make sure that nobody can watch it go past
    Prevent unauthorised access to your information
    resources.
  • Packet sniffing Session encryption e.g. IPSEC
    or SSL
  • Man-in-the-middle
  • Authenticate both the Server and the client!
  • Capture-and-replay Network Attack Prevention
  • Protect the client system
  • Disable unneeded services
  • Use a personal firewall to only allow access from
    applications that should be using the
    network/internet
  • Agency owned systems versus staff owned (or
    internet café) systems
  • Filter traffic from the client to your network
    it should only be trying to access expected
    services!
  • E.g. CodeRed, MSBlaster, SQLSlammer!
  • Cisco VPN Client Rainbow Crypto Token
    ZoneAlarm

7
Malware Prevention
  • Personal Firewall
  • Use a personal firewall that authenticates which
    applications connect to the internet or your
    network this prevents rogue software from
    spreading over the network
  • Anti-virus
  • Prevents detected Malicious Software from
    executing on the laptop
  • Does it update automagically?
  • System Resources
  • Multiple instances of security software for disk
    encryption, network encryption, authentication,
    firewall, anti-virus... Is this a DoS attack in
    itself?
  • ZoneAlarm McAfee WinMagic Cisco VPN ..
    RAM

8
Management and Support
  • Managing and supporting LAN clients and Remote
    clients can be very different
  • Physical access to hardware
  • Access to bandwidth for downloading patches
  • Login scripts and domain management tools may be
    unavailable
  • Thin-client one update for all users
  • The biggest support headache
  • Getting roaming connected to the internet

9
Ease of Use and End-User Awareness
  • A Secure Remote Access System needs to be
    really easy to use so that
  • End Users use it and not circumvent it!
  • E.g. Choose to use WebMail instead of secure
    Remote Access connections
  • Make it intuitive
  • Dont rely on all end users to read the
    documentation
  • If possible train/demo the system before they
    leave

10
New Days and Other Ways?
  • PDAs, SmartPhones
  • Key-based computing http//key-computing.com/exhan
    ge_edition.asp
  • Xkey addresses the challenges traditionally
    associated with work from non-company-issued
    computers. Information on Xkey is encrypted
    (128-bit AES) in case the device is lost or
    stolen. All communications to and from the
    Exchange server are encrypted (128-bit SSL).
  • Keystroke recorders are neutralized.
  • Unintentional traces of work are wiped clean.
  • Certificates (X.509) can be stored on Xkey and
    used for 2-factor authentication.
  • Bootable CDs
  • Virtualisation

11
Questions and More Information?
  • More information can be found from
  • WinMagic SecureDoc
  • http//www.winmagic.com
  • sylvia_at_winmagic.com
  • Cisco VPN Clients and Concentrators
  • http//www.cisco.com/warp/public/44/jump/vpn_devic
    es.shtml
  • Rainbow Technologies
  • www.safenet-inc.com/products/ikey/ikey2000.asp
  • Common Criteria
  • www.commoncriteriaportal.org
  • An excellent article on laptop security
  • http//www.networkcomputing.com/1320/1320f43.html
  • Or you can contact me
  • craig.mcgregor_at_treasury.govt.nz
Write a Comment
User Comments (0)
About PowerShow.com