ISSA Motor City Chapter SSL VPNs - PowerPoint PPT Presentation

Slides: 26
Provided by: sampaths

Transcript and Presenter's Notes



1
ISSA Motor City Chapter SSL VPNs
2
Agenda
  • Security Trends & Innovation
  • Market Trends and Forecast
  • SSL Risk & Cost Profile
  • SSL VPN Comparisons
  • SSL VPN Demonstration

3
Neoteris Category Leadership
  • 15 Awards
  • 12 Product Reviews
  • 10 Published Case Studies
  • 3 Successful Security Audits

Five Star Rating
4
Security Trends & Neoteris Innovation
5
Overriding Mega-Trends
  • The Internet is the Dialtone
  • Enterprises Realize the Need to Provide Remote
    Access
  • Virtualization of the Corporation
  • Collaboration of Customers & Suppliers into
    Corporate Processes
  • Maximize Mobile Employee Productivity
  • Web-ification of Enterprise Applications
  • Security Paranoia within Enterprises

6
Evolution of Secure Access Technologies
(stages over time, earliest first)
  • Private Networks: Secure, Point-to-Point Communications
  • Virtual Private Networks: Leverage Low-Cost Internet Transport
  • Custom Extranets: Increased Security, Client Elimination
  • Instant Virtual Extranet: Superior Security, No Client, No LAN
    customization
7
Innovative Product Category
  • Thin-Client Use from Any Web Browser
  • No LAN Customization or DMZ deployment

Instant
  • Value of Extranet w/o the Pain

Virtual
  • Leverages Low-Cost Internet Transport
  • Hardened Appliance Controls All Communication
  • Secure Application Layer Access Control

Extranet
  • Ensures System Security H/W and S/W
  • Eliminates Installation & Compatibility Problems
  • Increased Supportability

Appliance
8
Instant Virtual Extranet Application
  • Single Sign-On
  • Authentication & Access Control
  • Dynamic Content Transformation
  • Transform all links, content, addresses
  • SSL Encrypt/Decrypt on External Interfaces

[Diagram: Telecommuter, Partner and Mobile Employee reach the appliance over an Encrypted External Session; a Standard Internal Session connects it to the Internal Enterprise LAN (E-mail, Intranet / Web Server, MRP/ERP, Unix/NFS)]
9
Market Trends & Forecast
10
SSL-Based Access Appliances (TAM)
Ms
Infonetics Research Q3FY02
11
SSL Market Is Growing Rapidly
  • "We project that by 2004, 60% of corporate users
    will use SSL for remote access at least some of
    the time." - John Girard, VP, Gartner Group
  • "By 2005/06, SSL based solutions will be the
    dominant method for remote access, with 80% of
    users utilizing SSL" - David Thompson, Sr.
    Research Analyst, META Group
  • "by CY05, we project that annual revenue for
    SSL-based remote access will hit 986M" - Jeff
    Wilson, Exec Dir, Infonetics Research
  • "Neoteris has established itself as the Instant
    Virtual Extranet leader, with its new breed of
    secure access solutions We see the IVE as an
    elegant solution to the broad challenges that
    have existed with traditional secure access
    technologies." - David Kosiur, Senior Analyst,
    Burton Group
  • "With Neoteris winning Fortune 100 customers,
    SSL-based technology has moved out of the early
    adopter phase." - Zeus Kerravala, VP Research,
    Yankee Group

12
Application Layer SSL VPN End-User Revenue 2002
  • Neoteris 34
  • Others 24
  • SafeWeb 3
  • uRoam (F5) 4
  • Whale 6
  • Aspelle 10
  • Netilla 20
Source: In-Stat/MDR, April 2003
13
SSL Risk & Cost Profile
14
Key Success Factor: Compelling Value, Better ROI
Virtual Private Network
Employee Access
Company Owned PC
N/A
Cap Ex
N/A
Software/Hardware Client
Deployment Configuration
N/A
Desktop / Network Support
Support
Minimal
Client Upgrades
N/A
15
Key Success Factor: Compelling Value, Better ROI
Custom Extranets
Partner Access
Servers Web, Policy, Appl.
Partner Access
N/A
Cap Ex
Software Web/Portal, AAA
N/A
DMZ Infrastructure
Extranet Design
N/A
3-Ds
Software Development
N/A
Deployment
N/A
16
SSL Remote Access compared to Traditional Remote
Access VPNs
17
What is Security?
  • In network communications, security usually
    includes some combination of:
      • Encryption
      • Key Exchange
      • Establish Authentication/Trust
      • Generate/exchange public/private key pairs

18
Two Approaches to Secure Remote Access
  • One approach is to create a secure network tunnel
      • VPN encapsulation like IPSec, PPTP, L2TP
  • Another approach is to create secure application
    layer communication
      • SSL integration directly into the server and the
        client

VPNs
Encryption and key exchanges are comparable. Means
of connection is NOT.
19
Secure Socket Layer (SSL)
  • VPNs use IPSec (or other network-layer
    encapsulation protocol, like L2TP or PPTP)
  • We use SSL, the world-wide standard for secure
    Web transmissions
  • Newest version is technically called TLS (but
    almost no one really uses the new name)
  • SSL transactions are designated by
      • HTTPS protocol
      • lock icon
  • SSL vs. IPSec
      • SSL is a universal standard today
      • IPSec and the other encapsulating protocols are
        an emerging standard
      • SSL secures Web communications
      • SSL is an application layer connection
      • IPSec secures network communications
      • IPSec is a network layer connection

20
IPSec and SSL
  • Network layer connection
  • IPSec encryption
  • Any TCP ports flow over tunnel
  • Usually done with a hardware gateway on the LAN
    and a hardware or software client

IPSec Design Goal: low-level secure network
connectivity
Tunnel/transport applications
IPSec Gateway
Gateway
  • Application layer connection
  • SSL or TLS encryption
  • Specific port is open (easier to secure)
  • Usually done in application software (included
    with all standard Web browsers and e-mail
    applications)

SSL Design Goal: secure application-to-application
connectivity
Specific Protocol
Port 443
Port 443
Client
Server
21
IPSec and SSL
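[Diagram: TCP/IP and OSI layer stacks side by side. In the TCP/IP stack, SSL/TLS sits between the application protocols (HTTP, FTP, POP) and the transport layer (TCP, UDP); IPSec sits with IP (Internet Protocol) at the network layer. OSI layers shown: Application, Presentation, Session, Transport, Network, Data Link, Physical.]
"SSL and TLS are easier to use than IPSec because
there is no complex user setup." - Microsoft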
22
Security stack
[Diagram, top to bottom: SMTP, DNS, HTTP / SSL / UDP, TCP / IPSec / IP]
23
VPN Security
Security experts and industry analysts agree that
corporate firewalls help keep intruders at bay
and VPNs safely encase information as it flows
between the main office and the home office. The
trouble lies in the ability of an intruder to
ride through that tunnel piggybacking on an
entrusted user.
24
SSL vs IPSec
  • "IPSec and SSL are conceptually very similar
    IPSec can be thought of as SSL, only more so. SSL
    can be used to secure any traffic over TCP, but
    IPSec can be used to secure any traffic that goes
    over IP, including UDP"
  • - Eric Rescorla
  • SSL and TLS
  • Is the "more so" worth the cost?
  • Does the "more so" represent an exposure?
  • Endpoint authn
      • Req'd for clients in IPSec
      • Optional in SSL
      • Req'd by IVE
  • Intermediaries/NAT
      • IPSec has problems
      • SSL unaffected
  • OS changes
      • IPSec requires TCP/IP stack changes
      • SSL does not
  • SSL with no app changes is the win/win

25
SSL vs IPSec (what they say)
  • Applications are not SSL-enabled
      • SSL VPNs work with SSL-enabled clients
      • Secures non-SSL applications on the fly
      • No new development effort
  • SSL only works for Web, files, and email
      • Solutions support messaging, client-server,
        telnet/ssh
  • SSL is too easy to use
      • Not a fair criticism. Difficult solutions are
          • Not used
          • Circumvented
          • Costly to support
      • Strict access limits can be implemented through
        X.509 certificates, IP address filtering, and
        resource-level authorization policies that are
        still easy to use
  • SSL allows split tunneling
      • SSL access not prone to network layer exposures
  • SSL allows cipher downgrades
      • IVE can block SSL 2.0 or weak encryption
      • IPSec has this same problem (56-bit DES client)
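
The last point on this slide (blocking SSL 2.0 and weak encryption so a session cannot be negotiated down) can be sketched with Python's standard `ssl` module standing in for a gateway's TLS settings. This is an added example, not part of the original presentation or any vendor's configuration; the function names, the 128-bit threshold and the sample session records are assumptions made for illustration.

```python
import ssl

MIN_BITS = 128                          # assumption: below this counts as "weak encryption"
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

def hardened_server_context() -> ssl.SSLContext:
    """Server-side TLS settings that leave nothing weak to downgrade to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Version floor: a client that only offers SSL 2.0/3.0 or TLS 1.0/1.1
    # fails the handshake instead of being negotiated down to it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: forward-secret AEAD only; anonymous, NULL, DES/3DES,
    # RC4 and MD5-based suites are excluded outright.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!DES:!3DES:!RC4:!MD5")
    return ctx

def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites whose effective strength is below MIN_BITS."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < MIN_BITS)

def flag_sessions(sessions):
    """Return (client, reason) for each session negotiated below policy."""
    findings = []
    for client, version, cipher, bits in sessions:
        if version not in ALLOWED_VERSIONS:
            findings.append((client, f"protocol {version}"))
        elif bits < MIN_BITS:
            findings.append((client, f"{bits}-bit cipher {cipher}"))
    return findings

# Constructed sample records (client, protocol, cipher, effective bits),
# e.g. as exported from a gateway's connection log. Not real data.
SAMPLE_SESSIONS = [
    ("192.0.2.10", "SSLv2", "DES-CBC-MD5", 56),
    ("192.0.2.11", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128),
    ("192.0.2.12", "TLSv1.2", "DES-CBC3-SHA", 112),
]

if __name__ == "__main__":
    print("weak suites still enabled:", weak_suites(hardened_server_context()))
    for client, reason in flag_sessions(SAMPLE_SESSIONS):
        print("below policy:", client, reason)
```

Running `weak_suites` against an existing context before and after tightening it shows which suites the change removes; `flag_sessions` applies the same policy to sessions that were already negotiated.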