Add to collection(s) Add to saved
  1. No category
Uploaded by goran.6000015

Denver ISACA VPN Jan 18 2001

advertisement 
Virtual Private Network (VPN) Presentation
to the Denver ISACA
January 18, 2001
Rob Rudloff
1
Introductions
l Rob
Rudloff, CISA, CISSP
l
Senior Manager in the Denver Technology Risk
Management Practice of PricewaterhouseCoopers
l
VPN Center of Excellence Leader (1998-2000)
l
Managed Security Services Team Leader (1999-2000)
rob.rudloff@us.pwcglobal.com
720-931-7229
2
Overview
l
Virtual Private Network (VPN) Technology
l
Opportunities for the technology
l
Risks
l
Critical Success Factors
l
Implementation Methodology
l
Questions?
3
PricewaterhouseCoopers’
Information Security Framework
Threats
Business Initiatives
& Processes
Technology
Strategy & Usage
Vulnerability & Risk
Assessment
Policy
Security Model
Security Architecture
and Technical Standards
Administrative and End-User
Guidelines and Procedures
Enforcement
Processes
Monitoring
Processes
Recovery
Processes
Information Security Management Structure
4
Training and Awareness Program
Senior Management Commitment
Security Vision and Strategy
Information Security Lifecycle
Assess
Security Vision and Strategy
Technology
Strategy & Usage
Threats
Vulnerability & Risk
Assessment
Policy
Security Model
Security Architecture
and Technical Standards
Administrative and End-User
Guidelines and Procedures
Enforcement
Processes
Monitoring
Processes
Recovery
Processes
Information Security Management Structure
Implement
5
Training and Awareness Program
Maintain
Senior Management Commitment
Business Initiatives
& Processes
Design
Virtual Private Network technology
What is a VPN?
Remote Access
Solution
Unencrytped
Traffic from
Remote Clients
Connection to ISP
Encrypted Traffic
to Corporate
Network
Remote Client
VPN Server
Internal
Corporate
Network
Internet
ISP
Remote Client
Firewall
Virtual Private Network
A private connection created over
an public network (Internet), using
encryption to assist in user
authentication and data protection.
6
Remote Client
Standards
VPN Standards
IPSEC and L2TP are the emerging standards for VPN
As Windows 2000 matures the “L2TP with IPSEC”
standard will emerge
l Until Windows 2000 clients are viable, a separate software
client is required for remote access
l
l
Extranet Standards
l
l
Socks v.5
Separate client software is required
Web Based
l
l
SSL
Browser based, no extra client software is required
7
Virtual Private Network technology
l
Uses for VPN technology
– Site-to-Site
– Remote User access
– Business Partner access
– Secure Internet
– Secure Web Portal
8
Potential VPN Solutions
VPN Solutions
Unencrytped
Traffic from
Remote Clients
VPN Server
VPN Server
Internal
Corporate
Network
Remote
Organization
Internet
Firewall
Firewall
ISP
Company DEF
Company GHI
Remote Client
PKI CA/LDAP
Remote Client
9
Remote Client
Site to Site VPN
l
l
l
l
Cost Savings
Fast, strong encryption
Reliable
Ease of administration
10
Remote Access VPN
l
l
l
l
Cost Savings
Strong Authentication
Centralized Management
Scalability (connections)
11
Business to Business VPN
l
l
Standards based encryption and authentication
Strong, granular authentication to resources
12
Secure Intranet VPN
l
l
Strong Encryption, Authentication, and Access
Controls
Restricts private network traffic
13
Secure Web Portal
l
l
l
No extension of security perimeter
All connections via browser
Strong, granular access control to resources
14
VPN Options
OSI Layer
Technology
Providers
Lan-to-Lan
(trusted)
Layer 1
Switched
virtual
circuits,
frame relays
Telco, ISPs
Layer 2
PPTP,
L2TP
Microsoft,
remote
access
vendors
ü
Mobile/Re
mote
access
Business-toBusiness
(untrusted)
ü
15
Layer 3
IPSec
Layer 5
SOCKS v5,
SSL
Firewall, Web Portal,
router, VPN Extranet,
hardware
VPN
vendors
vendors
ü
ü
ü
ü
ü
VPN, Extranets, and Secure Web Portals
l
l
l
l
l
l
l
l
VPNs are used to extend the corporate network to remote locations.
VPNs focus security and functionality on the networking layer.
VPNs can be used for Extranet functionality, but are best suited for
- Site to Site,
- Remote Access,
- Intranet VPNs, and
- certain kinds of Business to Business connections.
Extranets are used to share data and hide internal network features.
Extranets focus security on data and applications, not on the
network.
Extranets are best suited for longer term business to business data
sharing arrangements.
Secure Web Portal are used to share data via a web-browser.
Secure Web Portal are best suited for sharing business data that
require only browser level access.
16
Why Do We Want VPNs?
•Pays for itself - Cost Savings on telecommunications
can pay for entire project.
•E-Business Opportunities - Integration of VPN
technology opens the door to cross business
communications possibilities.
•Compliments Infrastructure - Adds flexibility and
functionality to current infrastructure.
•Timing - Rapid pilot deployment potential to prove
concept.
17
Why Do We Want VPNs?
•Secures Communications - Secures information in
transit and centralizes security controls.
•Manageability - Central Management of Systems
decreases costs and enhances security.
•Scalability - Design to scale to thousands of users
plus site to site and business connections.
•Adds resilience to network - efficient service to
customers and suppliers.
•Productivity - Increase efficiency &
productivity of users, customers, and business
partners.
18
Potential VPN Solutions
Business To
Customer
CUSTOMER
VPN Solutions
UnencrytpedINTERNATIONAL
Traffic from DIVISION
Remote Clients
INTN’L
MARKETING
Internal
Corporate
Network
INTN’L SALES
Intra-Company
ACCOUNTING
INFORMATION
SYSTEMS
HUMANVPN Server
RESOURCES
VPN Server
RESEARCH &
Internet
DEVELOPMENT
LEGAL/REGS.
DEPT.
CALL
CENTER
EXECUTIVE
SEARCH
FIRM
CFO’s
OFFICE
COMMERCIAL
BANK
BOARD OF
DIRECTORS
Remote
Organization
GOVERNMENT
Firewall
CUSTOMER
Firewall
SERVICE
SALES
MARKETING
Company DEF
Business
Company
GHI
To
Business
CAPITAL
MARKETS
DISTRIBUTION
ISP
Remote Client
PKI CA/LDAP
SUPPLIERS
MANUFACTURING
SHIPPING
Business To
Consumer
WAREHOUSE
Remote Client
19
Remote Client
Strategic
Types of Cybercrime Reported
Computer Virus (64%)
None (25%)
Telecom/unauthorized entry (13%)
Denial of service (11%)
Data/System integrity loss (11%)
Information loss (11%)
Trojan horse (8%)
Manipulate software applications (6%)
Illicit / illegal materials (5%)
Fraud (5%)
Theft of data, trade secrets, etc. (5%)
Manipulate systems programs (4%)
1999 Information Week Global Security Survey conducted by PricewaterhouseCoopers
20
Information, Integrity And Value…
Internal and External Control Structures
Upstream
Suppliers
EDI
E-Commerce
Downstream
Data
DataSystems
Systems
Interfaces
Data Feeds
Linked Systems
Interfaces
Data Feeds
Customers
EDI
E-Commerce
IT Infrastructure
External
Controls
Interfaces
Data Feeds
Internal
Controls
Non-Linked
Suppliers
Interfaces
Data Feeds
Business
Processes
Business Processes and
Enterprise Security
Internal
Controls
Interfaces
Data Feeds
Non-Linked
Suppliers
…are achieved through a convergence of efficient systems
and effective internal and external controls.
21
External
Controls
What are my Strategic Risks?
l
Missed Opportunity
l
Strategic Vision
l
Resources
l
Security and Controls
l
Customer Trust
l
Infrastructure
l
Technical Issues
22
What are my Technical Risks?
VPN Solutions
Unencrytped
Traffic from
Remote Clients
VPN Server
VPN Server
Internal
Corporate
Network
Internet
Remote
Organization
Firewall
Firewall
ISP
Company DEF
Company GHI
Remote Client
Remote Client
23
Remote Client
What are my Technical Risks?
l
Authentication
l
Encryption
l
Access Control
l
Configuration
l
Accountability
l
Monitoring
l
Fault Tolerance
l
Recoverability
24
What are my Technical Risks?
l
Authentication Mechanisms
– Smart Cards
– Tokens
– Digital Certificates
– Username and Password
l
Encryption
– Data Protection
– Data Integrity
– Non-Repudiation
25
What are my Technical Risks?
l
Access Controls
– Directory Services
– VPN Controls
– Routers and Firewalls
– Systems and Applications
l
Configuration
– Proper Initial Configuration
– Proper Maintenance
– Lack of Policies, Procedures, and Requirements
26
What are my Technical Risks?
l
Accountability
– Logs
– Digital Signatures
– Non-Repudiation
l
Monitoring
– Regular Review of Logs
– Intrusion Detection Systems
–
–
–
Network
Host
Hybrid
– Process Monitoring
27
What are my Technical Risks?
l
Fault Tolerance (Operational Resiliency)
– Automatic Standby
– Fail-over Controls
l
Recoverability
– Business Continuity Planning
– Disaster Recovery
– Incident Response
– Emergency Response
28
Security Controls
Preventive
Detective
Confidentiality
Integrity
Availability
29
Corrective
Critical Success Factors
l
Clear Strategic Direction
l
Executive Sponsorship
l
Appropriate Resources
l
Business Unit Pilot & Champion
l
Clear Measurable Success Criteria
l
Aggressive/Achievable Milestones
l
Appropriate Security and Controls
l
Design for the Enterprise and Implement for the Business
30
VPN Implementation Methodology
l
l
l
l
l
l
l
l
l
l
l
Develop a Corporate Strategy
Determine Business Uses
Determine Business Drivers
Develop Organizational Support
Business Requirements Assessment
Technical Requirements Assessment
Planning & Design
Proof of Concept
Pilot Implementation
Pilot Acceptance
Implementation
31
Questions?
Questions?
32
Speaker Contact Information
Rob Rudloff
Office: 720-931-7229
Cell: 303-478-4184
rob.rudloff@us.pwcglobal.com
33
Related documents
Peplink SpeedFusion
Peplink SpeedFusion
remote_access_applications
remote_access_applications
Establishment of the VPN connection with the
Establishment of the VPN connection with the
Download
advertisement