Ronald Beekelaar - PowerPoint PPT Presentation

1
Intelligent Application Gateway(IAG) 2007
  • Ronald Beekelaar
  • Beekelaar Consultancy
  • ronald@beekelaar.com

2
Introductions
  • Presenter Ronald Beekelaar
  • MVP Windows Security
  • MVP Virtual Machine Technology
  • E-mail ronald@beekelaar.com
  • Work
  • Beekelaar Consultancy
  • Security consultancy
  • Forefront, IPSec, PKI
  • Virtualization consultancy
  • Create many VM-based labs and demos

3
Agenda
  • History SSL VPN
  • SSL VPN Connections
  • Web
  • Non-Web
  • VPN
  • Portal / Applications
  • Endpoint Policies
  • Authentication / Authorization

4
Intelligent Application Gateway 2007
A comprehensive line of business security
products that helps you gain greater protection
through deep integration and simplified management
5
IAG - Appliance
6
IAG 2007
  • Supports all applications with SSL VPN
  • Web, client/server, file access
  • Homegrown or 3rd party
  • (Citrix, IBM, Lotus, SAP, PeopleSoft)
  • Designed for managed and unmanaged user devices
  • Automatic detection of user system, software,
    configuration
  • Access policies according to device security
    state
  • Delete temp files and data traces from unmanaged
    locations
  • Drives Productivity with Application Intelligence
  • Apply policy at granular App Feature levels
  • Dynamically control application data for desired
    functionality
  • SSO with multiple directories, protocols, and
    formats
  • Fully customizable portal and user interface

7
SSL VPN ?
  • Allow secure remote access from trusted and
    untrusted client computers
  • All connections over TCP port 443 (SSL)
  • Access starts through a Web Portal
  • Authenticates to AD
  • Contains list of applications
  • Click each application to access

8
Connection Types (3)
  • Web Applications
  • Normally uses port 80/443
  • Browser-based
  • Port/socket forwarding
  • Normally uses non-web ports, but is tunneled in
    443
  • ActiveX control - browser-based
  • Network Connector
  • All protocols and all ports, but tunneled in 443
  • Real "VPN" - client receives new IP address

9
Endpoint Security
  • IAG client components check client computer
    security settings
  • Client computer is called "endpoint"
  • Based on endpoint state, you define Endpoint Policies to allow
  • Access to Web Portal
  • Example: do not even ask for credentials on an untrusted client computer
  • Access to certain applications on Web Portal
  • Example: hide the Network Connector option on an untrusted client computer
  • Access to certain features of applications
  • Examples: block SharePoint uploads, disallow OWA attachments

10
A Little History
  • The Problem
  • With the growing prevalence of internet
    connectivity, enterprises required platforms to
    provide remote access for employees, partners and
    customers in a secure way
  • The Solution?
  • 1st attempt: dial-up remote access; proved too costly, limited user experience.
  • 2nd attempt: limited use of reverse proxies to publish web-based applications.
  • 3rd attempt: IPSec VPN makes the leap to user remote access.
  • IPSec VPN was first developed for site-to-site connectivity.

11
Reverse Proxy
[Diagram: numbered request flow (steps 2-6) between the client, a DNS server, ISA Server and the internal web server]
ISA Server calls this Publishing
12
Reverse Proxy
  • Publishes web apps for use from anywhere.
  • Handles pre-authentication, application filtering, SSL encryption at the edge.
  • However
  • Does not handle non-web (client/server)
    applications.
  • Does not scale when publishing numerous web
    applications.

13
IPSec VPN
[Diagram: remote user on the Internet connects through ISA into the corpnet; ISA uses IAS RADIUS and Active Directory for authentication, with a quarantine network for non-compliant clients]
  • Full network connectivity from authorized devices
  • Quarantine features available for non-compliant
    clients
  • Unmanaged clients have no access
  • However
  • Increasingly difficult to manage on a large scale
    given variety and complexity of IPSec clients
  • Blocked by (outgoing) firewalls

14
Terminal Services Solution
  • Built into Windows Server.
  • Expandable with 3rd party solutions (Citrix and
    others)
  • Offer a complete desktop user experience or
    integrated applications.
  • Centralized server-based solution.
  • Typically limited deployments given server computing requirements.

15
A Little History - IPSec Dominates
  • Introduces the following limitations
  • Potential security exposure by extending network
  • Limited functionality from firewall/NATed
    networks
  • Client grows to accommodate more security
    functionality (virus inspection, split tunneling
    control, etc.)
  • Client becomes difficult to roll out
  • Requires administrative installation
  • Clashes with other IPSec and security software
  • Not very user friendly
  • Result
  • Enterprises limit usage to road warriors and
    managed PCs
  • TCO is high and ROI limited

16
A Little History - SSL VPN is Born
  • Promises to offer similar functionality for
  • Any user
  • Any location
  • Any application
  • Delivers on lower TCO
  • Introduces new security considerations as clients
    are now unmanaged.
  • First wave of development is focused on
    connectivity.
  • Current wave is focused on Application
    Intelligence.

17
SSL VPN - Building Blocks
[Diagram: SSL VPN Gateway with Tunneling, Authentication, Authorization, Security, Portal and Management blocks; Applications (Web, Simple TCP, Other non-Web) on one side, Client on the other]
  • SSL VPN solution comprised of
  • Tunneling - transferring web and non-web application traffic over SSL
  • Client-side security - security compliance check, cache cleaning, timeouts
  • Authentication - user directories (e.g. Active Directory), strong authentication support, Single Sign-On
  • Authorization - allow/deny access to applications
  • Portal - user experience, GUI

18
SSL VPN Tunneling (3)
  • Web applications
  • That's easy: just uses HTTPS
  • Non-Web applications
  • Port/socket forwarding
  • Uses SSL-Wrapper client component
  • Example: Terminal Server (tunnel RDP in HTTPS)
  • Network Connector
  • Full network access
  • Uses Network Connector client component
  • Client gets additional IP address

19
Demo Environment
20
Application Protection
  • Access Policies
  • Allow/deny functions within an application (e.g. SharePoint attachment upload/download based on endpoint compliance)
  • Application Firewall - protecting the application
  • Predefined positive-logic rule sets
  • Single Sign-On
  • Knowledge about required application login methods
  • Session Cleanup Agent
  • Clears application-specific cache (e.g. SharePoint offline folder)
  • Protecting the Network Session
  • Ignores background polling commands for timeout calculation, adds a secure logoff button where absent
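The "ignore background polling" point is worth seeing in code: OWA and SharePoint clients poll the server without any user present, and a gateway that counts those requests as activity never times an abandoned session out. The following is an added example, not IAG's own session code; the URL patterns, the 600 s timeout and the request trace are all constructed for illustration.

```python
"""Idle-timeout bookkeeping that ignores background polling.

Added example, not IAG's own session code. The URL patterns and the 600 s timeout
are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 600.0   # assumed policy value

# Assumed patterns for requests a client issues with no user interaction.
# A real gateway keeps a per-application list; these three are illustrative.
BACKGROUND_PATTERNS = (
    re.compile(r"/owa/ev\.owa$"),            # OWA notification poll
    re.compile(r"/_vti_bin/[^/]+\.asmx$"),   # SharePoint web-service chatter
    re.compile(r"/keepalive$", re.IGNORECASE),
)


def is_background(path: str) -> bool:
    """True when the request must not count as user activity."""
    path_only = path.split("?", 1)[0]
    return any(p.search(path_only) for p in BACKGROUND_PATTERNS)


@dataclass
class Session:
    user: str
    last_activity: float   # timestamp (seconds) of the last real user request

    def expired(self, now: float) -> bool:
        return now - self.last_activity > IDLE_TIMEOUT_SECONDS


def handle(session: Session, path: str, now: float, ignore_polling: bool = True) -> bool:
    """Serve one request. Returns False once the session has timed out."""
    if session.expired(now):
        return False
    if ignore_polling and is_background(path):
        return True            # served, but the idle clock keeps running
    session.last_activity = now
    return True


def first_rejection(events: List[Tuple[float, str]], ignore_polling: bool = True) -> Optional[float]:
    """Replay (timestamp, path) events; return when the session is first refused, or None."""
    session = Session("alice", last_activity=events[0][0])
    for ts, path in events:
        if not handle(session, path, ts, ignore_polling):
            return ts
    return None


# Constructed trace: two real clicks, then only OWA polls every 60 s for 20 minutes.
TRACE: List[Tuple[float, str]] = [(0.0, "/owa/"), (30.0, "/owa/?ae=Folder&t=IPF.Note")]
TRACE += [(float(t), "/owa/ev.owa?oeh=1") for t in range(60, 1260, 60)]

if __name__ == "__main__":
    print("polls count as activity :", first_rejection(TRACE, ignore_polling=False))  # None
    print("polls ignored           :", first_rejection(TRACE, ignore_polling=True))   # 660.0
```

With polling counted as activity the trace never expires; with polling ignored the session is refused at t=660 s, the first request after 600 s of real inactivity. Matching on the path without the query string matters: OWA's poll carries changing query parameters.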

21
Endpoint Policies
  • Endpoint policies check the health of the endpoint
  • Session policy
  • Endpoint certification
  • Privileged endpoint
  • Application policy
  • Access to applications (hide or disable on portal)
  • Access to functionality within applications
  • Example: block SharePoint upload from an unsafe client
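Slides 9 and 21 describe the same three-tier model: endpoint state decides whether the portal shows a login at all, which applications appear, and which features inside an application work. The block below is an added example of that evaluation, not IAG's policy engine or its policy language; the endpoint variables, the session levels and the application/feature catalogue are assumptions.

```python
"""Endpoint state to access-level mapping (added example, not IAG's own policy engine)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Session levels, lowest to highest. "deny" means the portal does not even show a login form.
LEVEL = {"deny": 0, "restricted": 1, "privileged": 2}


@dataclass(frozen=True)
class Endpoint:
    """Results of the client-side checks (assumed set of variables)."""
    managed: bool        # corporate / domain-joined machine
    antivirus_ok: bool   # AV present and up to date
    firewall_ok: bool    # personal firewall enabled


# Assumed catalogue: minimum session level needed to show each application on the portal.
APPLICATIONS: Dict[str, str] = {
    "OWA": "restricted",
    "SharePoint": "restricted",
    "RDP": "restricted",
    "Network Connector": "privileged",   # full VPN only from privileged endpoints
}

# Assumed feature-level rules inside applications.
FEATURES: Dict[Tuple[str, str], str] = {
    ("OWA", "open attachment"): "privileged",
    ("SharePoint", "download"): "restricted",
    ("SharePoint", "upload"): "privileged",
}


def session_policy(ep: Endpoint) -> str:
    """Map endpoint state to a session level (assumed rules)."""
    if not ep.managed and not ep.antivirus_ok:
        return "deny"            # unknown machine without AV: no credential prompt at all
    if ep.managed and ep.antivirus_ok and ep.firewall_ok:
        return "privileged"
    return "restricted"


def visible_applications(level: str) -> List[str]:
    """Applications the portal lists for a session at this level."""
    rank = LEVEL[level]
    return [app for app, need in APPLICATIONS.items() if rank >= LEVEL[need]]


def feature_allowed(level: str, app: str, feature: str) -> bool:
    """Feature check; unknown features and hidden applications are denied."""
    need = FEATURES.get((app, feature))
    if need is None or app not in visible_applications(level):
        return False
    return LEVEL[level] >= LEVEL[need]


def evaluate(ep: Endpoint) -> dict:
    """Full decision for one endpoint: session level, visible apps, feature permissions."""
    level = session_policy(ep)
    return {
        "session": level,
        "applications": visible_applications(level),
        "features": {f: feature_allowed(level, *f) for f in FEATURES},
    }


if __name__ == "__main__":
    samples = {
        "kiosk": Endpoint(managed=False, antivirus_ok=False, firewall_ok=False),
        "home PC": Endpoint(managed=False, antivirus_ok=True, firewall_ok=True),
        "corporate laptop": Endpoint(managed=True, antivirus_ok=True, firewall_ok=True),
    }
    for name, ep in samples.items():
        print(name, evaluate(ep))
```

The kiosk gets no login prompt and no applications; the home PC sees OWA, SharePoint and RDP but cannot upload to SharePoint or open OWA attachments; only the corporate laptop is offered the Network Connector. Feature checks re-test application visibility so a feature can never be enabled for an application the session is not allowed to see.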

22
Endpoint detection and application intelligence
  • Applications Knowledge Center
  • Application Aware Platform
  • Application Definition Syntax/Language
  • Application Modules
  • Devices Knowledge Center (Windows, Mac, Linux, PDA, ...)
[Architecture diagram: SSL VPN Gateway core (Authentication, Tunneling, Authorization, Security, User Experience; High-Availability, Management, Logging, Reporting, Multiple Portals) with Application Aware Modules for generic applications (Web, Client/Server, Browser Embedded) and specific applications (Exchange/Outlook, OWA, SharePoint, Citrix), and the Client on the other side]
23
Endpoint Detection
  • Out-of-the-box support for over 70 variables of detection, including
  • Antivirus
  • Antimalware
  • Personal Firewall
  • Desktop Search/Index Utilities
  • And much more
  • Easy-to-configure GUI that allows simple management of policies.
  • Extended GUI for manual editing and modification of policies.
  • Leverage Windows Shell Scripting to create any policy and inspect for any client-side variable.

24
Attachment Wiper
  • Clears the browser's cache upon session termination
  • Process does not require user initiation
  • Optimizers integrate logic to identify and scrub custom caches
  • Supports custom scripts for custom file cleaning
  • Removes: downloaded files and pages, cookies, AutoComplete form contents, history information, AutoComplete URLs, any user credentials
  • Triggers: user logoff, browser crash, inactivity timeout, browser closure, scheduled logoff, system shutdown
  • Security Policy
  • Allows for a "Can't Wipe, Can't Download" policy
  • Allows a fallback policy to the no-cache tag mechanism
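The two security policies on this slide are decisions the gateway makes per response when the wiper component is absent on the endpoint: either refuse the download outright, or fall back to marking the response uncacheable so the browser keeps no copy to wipe. Below is an added example of that logic at the HTTP-header level, not IAG's own implementation; the policy names, the header set and the sample backend responses are assumptions.

```python
"""Download handling for endpoints that cannot run the attachment wiper.

Added example, not IAG's own code. Policy names and the no-cache header set are assumptions.
"""
from typing import Dict, Tuple

# Headers that forbid browsers and intermediaries from storing the response.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def _drop(headers: Dict[str, str], name: str) -> None:
    for k in [k for k in headers if k.lower() == name.lower()]:
        del headers[k]


def is_download(headers: Dict[str, str]) -> bool:
    """Explicit attachments, or non-HTML bodies the browser would save to disk (assumed heuristic)."""
    if _get(headers, "Content-Disposition").lower().startswith("attachment"):
        return True
    ctype = _get(headers, "Content-Type").lower()
    return bool(ctype) and not ctype.startswith(("text/html", "text/plain", "image/"))


def apply_download_policy(status: int, headers: Dict[str, str], wiper_available: bool,
                          policy: str = "no-cache") -> Tuple[int, Dict[str, str]]:
    """Return the (status, headers) the gateway sends to the browser.

    policy = "cant-wipe-cant-download": block downloads when the wiper is absent.
    policy = "no-cache": let the download through but forbid caching it.
    Non-download responses always get no-cache headers when the wiper is absent.
    """
    out = dict(headers)
    if wiper_available:
        return status, out                      # wiper will clean up at session end
    if policy == "cant-wipe-cant-download" and is_download(out):
        return 403, {"Content-Type": "text/plain", **NO_CACHE_HEADERS}
    # Fallback: remove validators that would let the browser keep and revalidate a stored
    # copy, then replace the backend's caching directives with no-store.
    for name in ("Cache-Control", "Pragma", "Expires", "ETag", "Last-Modified"):
        _drop(out, name)
    out.update(NO_CACHE_HEADERS)
    return status, out


# Constructed backend responses for a SharePoint-style file and an ordinary page.
FILE_RESPONSE = {
    "Content-Type": "application/vnd.ms-excel",
    "Content-Disposition": 'attachment; filename="q3-forecast.xls"',
    "Cache-Control": "private, max-age=3600",
    "ETag": '"0x8D1A2B3C"',
}
PAGE_RESPONSE = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "private"}

if __name__ == "__main__":
    print(apply_download_policy(200, FILE_RESPONSE, wiper_available=False, policy="cant-wipe-cant-download"))
    print(apply_download_policy(200, FILE_RESPONSE, wiper_available=False, policy="no-cache"))
```

The fallback is weaker than wiping: it relies on the browser honouring `Cache-Control`, and a file the user explicitly saves is outside its reach, which is why the blocking policy exists for the most sensitive trunks.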

25
Security Concerns
  • Authentication - Who are you?
  • Strong Authentication - Are you really him/her?
  • Authorization - What can you access?
  • Transport Security - Can they hear?
  • Application Security - Should you be doing that?
  • Endpoint Security - From there?
  • Information Safeguard - Should this be left around?
  • Session Security - How long can you do this for?

26
Single Sign-On
  • No need for directory replication or repetition
  • Alternative approaches require local repository
  • Transparent Web authentication
  • HTTP 401 challenge
  • Static Web form
  • Dynamic browser-sensitive Web form
  • Integrates with
  • Password change management
  • User repositories
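"Transparent Web authentication" means the gateway recognises how a published application asks for a login and answers it with the credentials the user already presented at the portal. The block below is an added example of that decision for the first two methods on this slide (a 401 Basic challenge and a static HTML login form); it is not IAG's SSO engine and does not cover the browser-sensitive dynamic form case. The sample login page, the credential values and the field-selection rules are assumptions.

```python
"""Gateway-side transparent web authentication (added example, not IAG's SSO engine)."""
import base64
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


class _LoginForm(HTMLParser):
    """Collect action, method and named inputs of the first <form> in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.action: Optional[str] = None
        self.method = "GET"
        self.fields: List[Tuple[str, str, str]] = []   # (name, type, value)
        self._inside = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._inside = True
            self.action = a.get("action") or ""
            self.method = (a.get("method") or "get").upper()
        elif tag == "input" and self._inside and a.get("name"):
            self.fields.append((a["name"], (a.get("type") or "text").lower(), a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._inside = False


def plan_sso(status: int, headers: Dict[str, str], body: str, username: str, password: str) -> dict:
    """Decide how to replay the portal credential against the backend's login mechanism.

    Returns the request the gateway would send, or method=None with a reason when the
    backend's scheme is not one this example handles.
    """
    challenge = _header(headers, "WWW-Authenticate")
    if status == 401:
        if challenge.lower().startswith("basic"):
            token = base64.b64encode(f"{username}:{password}".encode()).decode()
            return {"method": "GET", "headers": {"Authorization": "Basic " + token}}
        return {"method": None, "reason": "unsupported 401 scheme: " + (challenge or "<none>")}
    form = _LoginForm()
    form.feed(body)
    if not any(t == "password" for _, t, _ in form.fields):
        return {"method": None, "reason": "no login form found"}
    data: Dict[str, str] = {}
    user_filled = False
    for name, typ, value in form.fields:
        if typ == "password":
            data[name] = password
        elif typ in ("text", "email") and not user_filled:
            data[name] = username                 # first text field is taken as the user name (assumption)
            user_filled = True
        elif typ in ("hidden", "submit"):
            data[name] = value                    # keep viewstate / anti-forgery tokens as served
    return {"method": form.method, "action": form.action, "data": data}


# Constructed login page in the style of an ASP.NET forms-authentication application.
FORM_PAGE = """<html><body>
<form action="/login.aspx" method="post">
  <input type="hidden" name="__VIEWSTATE" value="dDwxMjM0NTY3ODk7Oz4=" />
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="submit" name="login" value="Sign in" />
</form></body></html>"""

if __name__ == "__main__":
    print(plan_sso(401, {"WWW-Authenticate": 'Basic realm="owa"'}, "", "alice", "s3cret"))
    print(plan_sso(200, {"Content-Type": "text/html"}, FORM_PAGE, "alice", "s3cret"))
    print(plan_sso(401, {"WWW-Authenticate": "NTLM"}, "", "alice", "s3cret"))
```

Two practitioner points are visible here: hidden fields are replayed exactly as served, because anti-forgery or viewstate tokens differ per request, and a challenge scheme the gateway does not understand is reported rather than answered with a guess. Because the gateway is the only place the cleartext password is reused, the SSO store holding it deserves the same protection as the directory itself.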

27
User Specific Portal
  • Manages access of employees, partners and customers from anywhere to corporate business applications
  • More than one Portal page can be published per
    appliance
  • Each is based on a unique IP and host name
  • Each can present a completely unique user
    experience including look and feel,
    applications, authentication and authorization
  • Extends the business beyond the borders of the
    network
  • Implements corporate policies without weakening
    security
  • Leveraging existing investments in software
    infrastructure and applications
  • Ensures maximum functionality based on endpoint
    profile
  • Based on SSL VPN access platform
  • Leverages the Web browser to allow universal
    access
  • Provides a broad range of connectivity options

  • Example portals per audience: IT Support (support.xyz.com), Employees (portal.xyz.com), Partners (extranet.xyz.com), Customers (shopping.xyz.com)
28
How to Setup
  • Setup appliance
  • Create trunk
  • Add applications
  • Define endpoint policies
  • Customize

29
Setup Appliance
  • Unpack appliance and put into rack
  • Attach external and internal network
  • Define IP and DNS settings
  • Add routes to internal network if needed
  • Define ISA "Internal" network
  • Join domain if needed
  • Required for Kerberos Constrained Delegation
    (SP1)

30
Create Trunk
  • Create trunk (the Web portal)
  • Define IP address for Trunk
  • Configure authentication server
  • Import certificate for each trunk
  • Create "redirect" trunk (http to https)

31
Add Applications
  • Add applications
  • OWA
  • SharePoint
  • RDP
  • VPN (network connector)
  • Test access

32
Define Policies
  • Define endpoint policies
  • Assign to access and functions
  • Test access

33
Customize
  • Customize look and feel
  • Change colors
  • Change text on portal
  • Or...
  • Create advanced endpoint policies
  • Define custom authentication
  • Etc...

34
Q&A