Title: ISSA Motor City Chapter SSL VPNs
Slide 1: ISSA Motor City Chapter SSL VPNs
Slide 2: Agenda
- Security Trends and Innovation
- Market Trends and Forecast
- SSL Risk/Cost Profile
- SSL VPN Comparisons
- SSL VPN Demonstration
Slide 3: Neoteris Category Leadership
- 15 Awards
- 12 Product Reviews
- 10 Published Case Studies
- 3 Successful Security Audits
Five Star Rating
Slide 4: Security Trends / Neoteris Innovation
Slide 5: Overriding Mega-Trends
- The Internet is the Dialtone
- Enterprises Realize the Need to Provide Remote Access
- Virtualization of the Corporation
- Collaboration of Customers and Suppliers into Corporate Processes
- Maximize Mobile Employee Productivity
- Web-ification of Enterprise Applications
- Security Paranoia within Enterprises
Slide 6: Evolution of Secure Access Technologies
[Timeline diagram, oldest to newest along the Time axis:]
- Private Networks: secure, point-to-point communications
- Virtual Private Networks: leverage low-cost Internet transport
- Custom Extranets: increased security, client elimination
- Instant Virtual Extranet: superior security, no client, no LAN customization
Slide 7: Innovative Product Category
Instant
- Thin-Client Use from Any Web Browser
- No LAN Customization or DMZ Deployment
Virtual
- Value of an Extranet w/o the Pain
- Leverages Low-Cost Internet Transport
Extranet
- Hardened Appliance Controls All Communication
- Secure Application-Layer Access Control
Appliance
- Ensures System Security (H/W and S/W)
- Eliminates Installation Compatibility Problems
- Increased Supportability
Slide 8: Instant Virtual Extranet Application
- Single Sign-On
- Authentication and Access Control
- Dynamic Content Transformation
  - Transforms all links, content and addresses
- SSL Encrypt/Decrypt on External Interfaces
[Diagram: the telecommuter, partner and mobile employee reach the IVE over an encrypted external session; the IVE reaches E-mail, Intranet / Web Server, MRP/ERP and Unix/NFS on the internal enterprise LAN over a standard internal session]
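The "Dynamic Content Transformation" bullet is the mechanism that makes a clientless SSL VPN work: every link in a page fetched from the LAN is rewritten so the browser's next request also lands on the gateway, while links to external sites are left alone. The following Python is an added example written for this page, not Neoteris code; the gateway name ive.example.com, the /web/<scheme>/<host>/<path> URL convention and the set of internal hosts are assumptions.

```python
"""Link rewriter for a clientless SSL VPN gateway (added illustration, not Neoteris code).

Assumptions (not from the page): the gateway is reached at GATEWAY_HOST,
internal resources are exposed under /web/<scheme>/<host>/<path>, and
INTERNAL_HOSTS lists the hosts whose links must be pulled through the gateway.
"""
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

GATEWAY_HOST = "ive.example.com"                  # assumed external name of the gateway
INTERNAL_HOSTS = {"intranet.corp", "mail.corp"}   # assumed internal hosts

# href=, src= and action= attributes with a quoted value. A production rewriter
# also has to handle unquoted attributes, inline JavaScript, CSS url() and
# cookie domains; those are out of scope for this example.
_ATTR_RE = re.compile(
    r"""(?P<pre>\b(?:href|src|action)\s*=\s*["'])(?P<url>[^"']*)(?P<post>["'])""",
    re.IGNORECASE,
)


def rewrite_url(url: str, page_url: str) -> str:
    """Return the gateway form of `url` if it points at an internal host.

    `page_url` is the internal URL of the page being served; relative links
    are resolved against it first. Links to external sites and non-HTTP
    schemes (mailto:, javascript:) are returned unchanged so the browser
    still goes direct and no external site is proxied by mistake.
    """
    absolute = urljoin(page_url, url)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https") or parts.hostname not in INTERNAL_HOSTS:
        return url
    gateway_path = f"/web/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
    return urlunsplit(("https", GATEWAY_HOST, gateway_path, parts.query, parts.fragment))


def rewrite_html(html: str, page_url: str) -> str:
    """Rewrite every quoted link attribute in `html` to route through the gateway."""
    return _ATTR_RE.sub(
        lambda m: m["pre"] + rewrite_url(m["url"], page_url) + m["post"], html
    )


if __name__ == "__main__":
    # Constructed sample page, as it would be fetched from the internal server.
    page = "http://intranet.corp/hr/index.html"
    body = (
        '<a href="/hr/policy.pdf">Policy</a>\n'
        "<img src='../images/logo.png'>\n"
        '<form action="search?q=leave">\n'
        '<a href="https://www.example.org/">External site</a>\n'
        '<a href="mailto:hr@intranet.corp">Mail HR</a>\n'
    )
    print(rewrite_html(body, page))
```

Only links whose resolved host is on the internal list are rewritten; everything else passes through untouched, which is the property that keeps the gateway from becoming an open proxy.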
Slide 9: Market Trends / Forecast
Slide 10: SSL-Based Access Appliances (TAM)
[Chart: total addressable market in $M; source: Infonetics Research, Q3 FY02]
Slide 11: SSL Market Is Growing Rapidly
- "We project that by 2004, 60% of corporate users will use SSL for remote access at least some of the time." John Girard, VP, Gartner Group
- "By 2005/06, SSL based solutions will be the dominant method for remote access, with 80% of users utilizing SSL." David Thompson, Sr. Research Analyst, META Group
- "By CY05, we project that annual revenue for SSL-based remote access will hit $986M." Jeff Wilson, Exec Dir, Infonetics Research
- "Neoteris has established itself as the Instant Virtual Extranet leader, with its new breed of secure access solutions. We see the IVE as an elegant solution to the broad challenges that have existed with traditional secure access technologies." David Kosiur, Senior Analyst, Burton Group
- "With Neoteris winning Fortune 100 customers, SSL-based technology has moved out of the early adopter phase." Zeus Kerravala, VP Research, Yankee Group
Slide 12: Application Layer SSL VPN End-User Revenue, 2002
[Pie chart, share of end-user revenue:]
- Neoteris 34%
- Netilla 20%
- Aspelle 10%
- Whale 6%
- uRoam (F5) 4%
- SafeWeb 3%
- Others 24%
Source: In-Stat/MDR, April 2003
Slide 13: SSL Risk/Cost Profile
Slide 14: Key Success Factor: Compelling Value, Better ROI
Virtual Private Network (employee access) vs. IVE: cost items a traditional VPN incurs that the IVE does not.
- Cap Ex: VPN requires a company-owned PC; IVE: N/A
- Deployment / configuration: VPN requires a software/hardware client; IVE: N/A
- Support: VPN needs desktop / network support; IVE: minimal
- Client upgrades: VPN client must be upgraded; IVE: N/A
Slide 15: Key Success Factor: Compelling Value, Better ROI
Custom Extranets (partner access) vs. IVE: cost items a custom-built extranet incurs that the IVE does not.
- Cap Ex: servers (Web, policy, application); software (Web/portal, AAA); DMZ infrastructure. IVE: N/A
- 3-Ds: extranet design; software development; deployment. IVE: N/A
Slide 16: SSL Remote Access compared to Traditional Remote Access VPNs
Slide 17: What is Security?
- In network communications, security usually includes some combination of:
  - Encryption
  - Key exchange
  - Establishing authentication/trust
  - Generating/exchanging public/private key pairs
Slide 18: Two Approaches to Secure Remote Access
- One approach is to create a secure network tunnel
  - VPN encapsulation such as IPSec, PPTP, L2TP
- Another approach is to create secure application-layer communication
  - SSL integrated directly into the server and the client
VPNs vs. SSL: the encryption and key exchange are comparable; the means of connection is NOT.
Slide 19: Secure Socket Layer (SSL)
- VPNs use IPSec (or another network-layer encapsulation protocol, like L2TP or PPTP)
- We use SSL, the world-wide standard for secure Web transmissions
- The newest version is technically called TLS (but almost no one really uses the new name)
- SSL transactions are designated by
  - the HTTPS protocol (https:// URLs)
  - the browser's lock icon
- SSL vs. IPSec
  - SSL is a universal standard today
  - IPSec and the other encapsulating protocols are an emerging standard
  - SSL secures Web communications; SSL is an application-layer connection
  - IPSec secures network communications; IPSec is a network-layer connection
Slide 20: IPSec and SSL
IPSec
- Network-layer connection
- IPSec encryption
- Any TCP ports flow over the tunnel (in fact any IP traffic, including UDP, as the Rescorla quote on slide 24 notes)
- Usually done with a hardware gateway on the LAN and a hardware or software client
- IPSec design goal: low-level secure network connectivity
[Diagram: applications -> tunnel/transport -> IPSec gateway]
SSL
- Application-layer connection
- SSL or TLS encryption
- A specific port is open (easier to secure)
- Usually done in application software (included with all standard Web browsers and e-mail applications)
- SSL design goal: secure application-to-application connectivity
[Diagram: client <-> server, one specific protocol on port 443 at each end]
Slide 21: IPSec and SSL
[Layer diagram, TCP/IP model alongside the OSI model:]
- Application (OSI: Application, Presentation, Session): HTTP, FTP, POP; SSL/TLS sits here, between the application protocols and TCP
- Transport (OSI: Transport): TCP, UDP
- Internet Protocol (OSI: Network): IP; IPSec sits at this layer
- (OSI: Data Link, Physical)
"SSL and TLS are easier to use than IPSec because there is no complex user setup." (Microsoft)
Slide 22: Security stack
[Stack diagram: HTTP over SSL over TCP over IP, with DNS over UDP over IP beside it. Only the HTTP column is inside the SSL protection; DNS lookups are not.]
Slide 23: VPN Security
Security experts and industry analysts agree that corporate firewalls help keep intruders at bay and VPNs safely encase information as it flows between the main office and the home office. The trouble lies in the ability of an intruder to ride through that tunnel by piggybacking on a trusted user: a network-layer VPN extends the corporate LAN to whatever is running on the remote machine, so a compromised home PC becomes a compromised host inside the perimeter.
Slide 24: SSL vs IPSec
- "IPSec and SSL are conceptually very similar. IPSec can be thought of as SSL, only more so. SSL can be used to secure any traffic over TCP, but IPSec can be used to secure any traffic that goes over IP, including UDP." Eric Rescorla, SSL and TLS
- Is the "more so" worth the cost?
- Does the "more so" represent an exposure?
- Endpoint authentication
  - Required for clients in IPSec
  - Optional in SSL
  - Required by the IVE
- Intermediaries / NAT
  - IPSec has problems
  - SSL is unaffected
- OS changes
  - IPSec requires TCP/IP stack changes
  - SSL does not
- SSL with no application changes is the win/win
Slide 25: SSL vs IPSec (what they say)
- "Applications are not SSL-enabled"
  - SSL VPNs work with SSL-enabled clients (the browser)
  - The gateway secures non-SSL applications on the fly
  - No new development effort
- "SSL only works for Web, files, and email"
  - Solutions also support messaging, client-server and telnet/ssh
- "SSL is too easy to use"
  - Not a fair criticism. Difficult solutions are not used, circumvented, and costly to support.
  - Strict access limits can be implemented through X.509 certificates, IP address filtering and resource-level authorization policies that are still easy to use.
- "SSL allows split tunneling"
  - SSL access is not prone to network-layer exposures: the remote machine is never placed on the LAN, so traffic to other destinations cannot be bridged into it
- "SSL allows cipher downgrades"
  - The IVE can block SSL 2.0 or weak encryption
  - IPSec has this same problem (56-bit DES client)
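The deck's answer to the downgrade objection is that the gateway, not the client, decides which protocol versions and ciphers are acceptable. The following Python is an added example written for this page, not Neoteris code, showing the same policy on a modern TLS endpoint with the standard ssl module: a hardened server context, plus an audit function that lists any cipher a context would still offer that falls into the export/56-bit DES, RC4, NULL, MD5 or anonymous key-exchange families. The cipher string and the token list are this example's own choices, not a setting from the product.

```python
"""TLS policy check for an SSL gateway (added illustration, not Neoteris code).

Shows "block SSL 2.0 or weak encryption" as a modern TLS endpoint would enforce
it: a server context with a protocol floor and an allow-list of cipher suites,
and an audit that reports anything weak a context would still negotiate.
"""
import re
import ssl

# Cipher-name tokens the policy rejects: the export / 56-bit DES family the deck
# mentions (DES also catches 3DES names such as DES-CBC3-SHA), plus RC4, RC2,
# NULL encryption, MD5 MACs and anonymous (ADH/AECDH) key exchange.
_WEAK_TOKEN = re.compile(r"^(NULL|EXP|DES|RC4|RC2|MD5|ADH|AECDH)$")


def find_weak(cipher_names):
    """Return the OpenSSL cipher names in `cipher_names` that violate the policy."""
    weak = []
    for name in cipher_names:
        tokens = re.split(r"[-_]", name)      # e.g. EXP-RC4-MD5 -> EXP, RC4, MD5
        if any(_WEAK_TOKEN.match(t) for t in tokens):
            weak.append(name)
    return weak


def build_hardened_context() -> ssl.SSLContext:
    """Server context that refuses SSLv2/SSLv3/TLS 1.0/1.1 and weak ciphers.

    Modern OpenSSL no longer ships SSLv2 at all; minimum_version enforces the
    floor for every version that is still compiled in. The cipher string keeps
    only forward-secret AEAD suites (ECDHE with AES-GCM or ChaCha20) and spells
    out the legacy families as exclusions; OpenSSL adds the TLS 1.3 suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"
    )
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the protocol floor and any weak ciphers a context would offer."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "weak_ciphers": find_weak(names),
        "cipher_count": len(names),
    }


if __name__ == "__main__":
    # Constructed client offer mixing modern suites with the legacy ones a
    # 2003-era client might still advertise.
    offered = [
        "ECDHE-RSA-AES128-GCM-SHA256",
        "AES128-SHA",
        "DES-CBC-SHA",
        "EXP-RC4-MD5",
        "NULL-SHA",
    ]
    print("rejected from client offer:", find_weak(offered))
    print("hardened server policy:", audit_context(build_hardened_context()))
```

find_weak() only flags the families the slide is concerned with; the server cipher string is stricter and also drops non-forward-secret suites such as AES128-SHA, which is why the audit of the hardened context comes back empty even though that name would pass find_weak() on its own.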