Remote Access to Applications: A Technical Deep-dive into Intelligent Application Gateway 2007

(1)

Lee Wei Shun
[email protected]
Technical Support Specialist
Celestix Networks Pte Ltd

(2)

Session Objectives and Takeaways

Session Objectives:
- Outline security requirements for comprehensive extranet remote access (for employees, partners, vendors, contractors and even customers).
- Understand the benefits of the IAG platform in such deployments.

Takeaways:
- A variety of security and functionality concerns are at play when implementing extranet remote access.

(3)

Agenda

- What is IAG?
- Extranet Scenarios
- Security Concerns
- Functionality Concerns
- User XP Demo
- Admin XP Demo
- Feature Re-Cap

(4)

What is the Intelligent Application Gateway?

“The comprehensive, secure remote access gateway that provides secure socket layer (SSL)-based application access

(5)

A comprehensive line of business security products that helps you gain greater protection through deep integration and simplified management

Product tiers:
- Edge
- Client and Server OS
- Server Applications

(6)

ISA and IAG – Good… Better… Best…

Forefront Edge Security and Access products, Internet Security and Acceleration (ISA) Server 2006 and the Intelligent Application Gateway (IAG) 2007, provide enhanced network edge protection and application-centric, policy-based access to corporate IT infrastructure.

Secure Remote

(7)

Intelligent Application Gateway Solutions

(8)

Insurance Company

Access for agents:
- Collaboration
- Email
- Create Quotes
- Manage Customer Accounts

Access for Customers

(9)

Movie Studio

Remote Access for contractors (production people) accessing:
- Scripts, resources, production reports
- Time management applications
- Budget and expense tracking

Remote Access for Employees:
- Time Sheet
- Messaging
- Collaboration
- HR Portal

(10)

Large Beverage Manufacturer

Remote Access for employees:
- Messaging and collaboration

Remote Access for distributors and logistics:
- Order tracking

(11)

Security Concerns

- Authentication – Who are you?
- Strong Authentication – Are you really him/her?
- Authorization – What can you access?
- Transport Security – Can they hear?
- Application Security – Should you be doing that?
- End Point Security – From there?
- Information Safeguard – Should this be left around?

(12)

Functionality Concerns

- Easily publish web and non-web (client/server) applications.
- Easy User Experience:
  - No client or thin client installation
  - Single point of access/entry
  - Single sign on
  - Self-Help (Remediation)
  - Password Management

(13)
Demo Environment

(17)

Features of IAG 2007

- Comprehensive End-point detection
- Integrated Application Firewall
- Application Intelligence
- User-Specific Portals
- Single Sign-On
- Access policy and control
- Group Authorization
- Attachment Wiper
- SSL-VPN Tunneling

(18)

End Point Detection

Out of the box support for over 70 variables of detection including:
- Antivirus
- Antimalware
- Personal Firewall
- Desktop Search/Index Utilities
- And much more…

Easy to configure GUI that allows simple management of policies.

Extended GUI for manual editing and modification of policies.

(19)

Integrated Application Firewall

- Deep application-level filtering, assessed through application behavior knowledge, prevents exploits that cause unexpected application responses
- Blocks potentially malicious traffic using positive- and negative-logic rules that identify errant commands and syntax
- Out-of-the-box positive-logic policy enforcement for supported applications
- Reduces the immediacy of server software patches (protection from zero-day attacks)

(20)

Application Intelligence – Security and Access Management

Access Policies
- Allow/deny functions within application
- Uploads or downloads disabled.
- Access to management features restricted

Session Cleanup Agent
- Clears application specific cache (e.g. Citrix Cache, SharePoint Offline folder)

Protecting the Network Session
- Ignore background polling command for timeout calculation (e.g. check for new email), adds secure logoff button where absent, e.g.

(21)

Application Intelligence – Policy Mgmt

Out-Of-The-Box Configuration
- Built in support for most popular applications, end point clients and policies
- Easy, default driven configurations
- Initial implementation in less than an hour
- Example: Configure multiple methods of authentication and filtering for Outlook Web Access, iNotes or SharePoint through simple GUI.

Wizard-Driven Customization
- Tighten white-list and append end point client policies through wizards
- Robust authentication and user-experience options directly from GUI
- Example: Large Investment Banking Company – Allow printing through Citrix/Terminal Services only from corporate issued/approved laptops.

Fully Customized Configuration
- Surgical removal/alterations of application features or behavior
- Easily upgrade-able and portable
- Use of XML, ASP/.net
- Example: Large Beverage Company – Disallow any access or mention of

(22)

User-Specific Portals

Figure: four portal login pages served from one appliance, each on its own hostname:
- IT Support Center (support.xyz.com): username, password, token
- Employee Portal (portal.xyz.com): username, password, token
- Partner Extranet (extranet.xyz.com): username, password
- e-Commerce (shopping.xyz.com): username, password

- Manages access of employees, partners and customers from anywhere to corporate business applications
- Multiple Portal pages per appliance, each based on unique IP and hostnames
- Present a completely unique user experience, including look and feel, applications, authentication and authorization
- Extends the business beyond the borders of the network
- Implement secure corporate policies
- Leverages existing investments in software infrastructure and applications

(23)

Single Sign-On

- No need for directory replication or repetition
  - Alternative approaches require local repository
- Transparent Web authentication
  - HTTP 401 request
  - Static Web form
  - Dynamic browser-sensitive Web form
- Integrates with …
  - Password change management
  - User repositories

(24)

Access Policy and Control

- Provide controlled access to application areas and operations through policy definitions
- Can allow or block application functions including:
  - Document download / upload
  - Document check out / check in
  - Edit document / properties
  - Delete
- Works at both the client and server

Example: e-mail attachment forwarding

Problem
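As an added illustration of the mechanisms named on the application firewall, application intelligence and access policy slides (positive- and negative-logic rules, per-function allow/deny by group, and an idle timeout that ignores background polling), here is a small policy evaluator. It is not IAG's own code or rule format; the webmail paths, groups and rules are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical policy for a published webmail application. This is
# not IAG's rule format; it illustrates positive-logic (allow-list) and
# negative-logic (deny) filtering, per-function access policy by group, and an
# idle timeout that ignores background polling.
POSITIVE_RULES = [  # what the gateway knows the application legitimately does
    ("GET", re.compile(r"^/owa/(inbox|read)\.aspx$")),
    ("GET", re.compile(r"^/owa/poll\.aspx$")),         # background new-mail check
    ("POST", re.compile(r"^/owa/attachment\.aspx$")),  # upload
    ("GET", re.compile(r"^/owa/attachment\.aspx$")),   # download
]
NEGATIVE_RULES = [  # errant syntax that should never reach the server
    re.compile(r"\.\./|%2e%2e", re.I),  # path traversal
    re.compile(r"<script|javascript:", re.I),
]
POLLING_PATHS = {"/owa/poll.aspx"}  # excluded from the timeout calculation
FUNCTION_POLICY = {  # (method, path) -> groups allowed to use that function
    ("POST", "/owa/attachment.aspx"): {"employees"},  # uploads: employees only
    ("GET", "/owa/attachment.aspx"): {"employees"},   # downloads: employees only
}
IDLE_TIMEOUT = 600  # seconds of real user inactivity before the session ends

@dataclass
class Session:
    user: str
    groups: set
    last_activity: float  # epoch seconds of the last non-polling request

def evaluate(session, method, path, now, query=""):
    """Return (decision, reason) for one request and update the idle clock."""
    if now - session.last_activity > IDLE_TIMEOUT:
        return "deny", "session expired"
    target = path + ("?" + query if query else "")
    if any(r.search(target) for r in NEGATIVE_RULES):
        return "deny", "negative-logic rule matched"
    if not any(m == method and r.match(path) for m, r in POSITIVE_RULES):
        return "deny", "not on application allow-list"
    allowed = FUNCTION_POLICY.get((method, path))
    if allowed is not None and not (session.groups & allowed):
        return "deny", "function disabled for this user's groups"
    if path not in POLLING_PATHS:  # only real user actions refresh the timeout
        session.last_activity = now
    return "allow", "ok"
```

The order matters: the negative-logic rules run before the allow-list so that a request with errant syntax is logged as such rather than as a generic allow-list miss, and polling requests are allowed but never extend the session.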

(25)

Group Authorization

- Group authorization can be tied to each individual application
- Simple to use search feature allows the administrator to select individual users or groups from multiple repositories for authorization
- Users and/or groups can be authorized for “Allow”, “View” or “Deny” to any individual application

(26)

Attachment Wiper™

- Clears the browser’s cache upon session termination
- Process does not require user initiation
- Optimizers integrate logic to identify and scrub custom caches
- Supports custom scripts for custom file cleaning

Removes:
- Downloaded files and pages
- Cookies
- AutoComplete form contents
- History information
- AutoComplete URLs
- Any user credentials

Triggers:
- User logoff
- Browser crash

(27)

SSL VPN Tunneling

Port Forwarding
- Application usages: MS Terminal; Citrix; Telnet; SSH; SAP Client; Native Drive Mapping etc.
- Technology: Simple TCP Relay; HTTP proxy; HTTP redirect

Socket Forwarding
- Application usages: Native Outlook; IP-based applications; clustered terminal services; Notes cluster etc.
- Technology: “SOCKS-ify” complex applications

Network Connector
- Application usages: Any IP (TCP/UDP/ICMP) applications; In/Out Directions
- Technology: Full Network Access (Virtual Client Driver)

(29)

Why choose an appliance?

- Hardware comes pre-loaded, pre-configured, and pre-tested with IAG
- Pre-Hardened for reduced attack surface
- Easy to purchase, set up, and deploy
- Out-of-box configuration tools and Web-based administration
- Ready to deploy - 10 CALs already included free!
- Simple roll-back to factory defaults or last known-good version from front panel

(32)

- Celestix Networks is a leading manufacturer of managed security appliances since 1999
- Worldwide headquarters in Singapore. Offices in Fremont - California, London, Dallas & Denver - Colorado. Expanding global presence in the Americas, Europe and Asia Pacific
- Network Security focus
- Management team from McAfee, Nortel.
- Technology and security-centric culture
- Growing portfolio of security appliances for Microsoft perimeter defense including Microsoft Internet Security & Acceleration (ISA) Server 2006 and Intelligent

(33)

Figure: appliance stack, bottom to top: Celestix Scorpio-X Hardware (WSA3000, WSA4000, WSA6000); Microsoft’s IAG 2007 / Win 2K3 Server; Celestix SlingSHOT Appliance Engine

Celestix Scorpio X Appliance Hardware Platform
- Sleek, dependable appliance platform used by thousands of Microsoft-based security appliance deployments
- Optimized and configured in the factory for SSL VPN usage

Microsoft’s Windows Server 2003
- Pre-installed and Pre-hardened

Microsoft’s Intelligent Application Gateway (IAG) 2007
- Clean SSL VPN implementation for Internet traversal

Celestix SlingSHOT (Appliance Software Engine)
- Browser-based remote access to enterprise resources
- Simplifies initial setup, configuration and maintenance
- Provides mechanism for OS, IAG, ISA and Celestix s/w updates

(34)

1. Unpack unit and mount
2. Plug in network cables
3. Power up and boot
4. Configure the LAN IP address via LCD/jog dial
5. Browse to the Web UI
6. Step through the Quick Setup
7. Configure a certificate
8. Generate keys and password for the IAG app
9. Set policies and configure

(36)

Celestix Contact Information

For more information, contact Celestix sales:
- Americas: [email protected] or 510-668-0700 x251
- Europe: [email protected] or +44-0-1635-278550
- Asia Pacific: [email protected] or +65-6781-0700 x251

Celestix WSA demonstration website: https://wsademo.celestix.com:10000
User: administrator
Password: [Celest1x]

(37)

More Resources:

Download the Virtual PC Demo today!
http://www.microsoft.com/forefront/edgesecurity/trial.mspx

Where to buy an Appliance:
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx

Contact the IAG Team at: [email protected]

Partners:
- Enroll as a Security Software Advisor—FREE, online, takes less than 5 minutes
- Earn up to 30% when you recommend and deploy Forefront security SKUs. (Don’t miss out on money you earned!)
- https://partner.microsoft.com/securitysoftwareadvisor

(38)

References
