Avaya Secure Remote Access User Manual

Secure Remote Access Technical Solution Guide
Enabling Application, IP Telephony and Multimedia Access for Teleworkers and Road Warriors
Enterprise Solution Engineering
Document Date: January 2006
Document Version: 1.0
Secure Remote Access Technical Solution Guide v1.0
Copyright © 2006 Nortel Networks
All rights reserved. January 2006 The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license.
Trademarks
Nortel, the Nortel logo, the Globemark, Unified Networks, PASSPORT, BayStack, Nortel Application Switch, Nortel Business Communications Manager, Nortel Communication Server, Nortel IP Softphone, Nortel Multimedia Communication Server, Nortel Multimedia PC Client, Nortel Multimedia Web Client, Nortel Threat Protection System, Nortel VPN Gateway, and Nortel VPN Router are trademarks of Nortel.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
All other trademarks are the property of their respective owners.
Disclaimer
This engineering document contains the best information available at the time of publication in terms of supporting the application and engineering of Nortel products in the customer environment. They are solely for the use by Nortel customers and meant as a guide for network engineers and planners from a network engineering perspective. All information is subject to interpretation based on internal Nortel test methodologies, which were used to derive the various capacity and equipment performance criteria and should be reviewed with Nortel engineering primes prior to implementation in a live environment.
Abstract
This guide is intended to define the recommended designs and best practices for a Secure Remote Access Solution. The document provides an overview of the best design practices to implement a network capable of providing access to business applications, including web applications, client-server applications, and IP Telephony and multimedia services to teleworkers and road warriors.
The intended audience for this Solution Guide is Nortel sales teams, Partner sales teams and end customers. All of these groups can benefit from understanding the common design practices and recommended components for a Secure Remote Access Solution.
Revision control
No Date Version Revised by Remarks
1 10/19/05 0.1 B. Black Initial Draft
2 11/18/05 0.2 B. Black Best Practices and Other Updates
3 11/28/05 0.3 B. Black Edits based on initial feedback
4 11/29/05 0.4 B. Black Review-Ready Draft
5 01/27/06 1.0 B. Black Final
Acknowledgements
Gerardo Flores – Enterprise Solution Engineering
Shangli Lu – Enterprise Solution Engineering
Table of contents
1. OVERVIEW......................................................................................................................................... 6
1.1 SCOPE OF SOLUTION....................................................................................................................... 6
2. SECURE REMOTE ACCESS BEST PRACTICES......................................................................... 7
2.1 KEEP IT SIMPLE!............................................................................................................................. 7
2.2 USER AUTHENTICATION................................................................................................................. 7
2.3 CLIENT ADMISSION, COMPLIANCE, AND REMEDIATION.................................................................. 8
2.4 ESTABLISH AUTHORIZATION BASED ON USER AND NETWORK CONTEXT ........................................ 8
2.5 INSPECT AND TRACK REMOTE ACCESS USER ACTIVITY ................................................................... 8
2.6 PROTECT INFORMATION AND NETWORK ACCESS............................................................................ 9
2.7 ENSURE REMOTE ACCESS AVAILABILITY........................................................................................ 9
2.8 DON'T FORGET PEOPLE, PROCESS, AND POLICY.............................................................. 9
3. SUPPORTED ACCESS MODES..................................................................................................... 10
3.1 IPSEC........................................................................................................................................... 10
3.2 SSL-VPN CLIENTLESS MODE ..................................................................................................... 10
3.3 SSL-VPN ENHANCED CLIENTLESS MODE................................................................................... 10
3.4 SSL-VPN NETDIRECT MODE ...................................................................................................... 10
4. SECURE REMOTE ACCESS DESIGN ......................................................................................... 11
4.1 SECURE REMOTE ACCESS SOLUTION TOPOLOGY ......................................................................... 12
4.1.1 Required DMZ access policies ............................................................................................... 12
4.1.2 Required internal firewall policies.......................................................................................... 13
4.1.3 Threat Protection System (intrusion prevention) integration.................................................. 13
4.2 NETWORK DESIGN ....................................................................................................................... 14
4.2.1 Security................................................................................................................................... 14
4.2.1.1 Authentication............................................................................................................................... 14
4.2.1.2 Authorization................................................................................................................................ 15
4.2.1.3 Endpoint compliance..................................................................................................................... 16
4.2.1.4 Audit and accounting.................................................................................................................... 17
4.2.1.5 VPN Gateway clustering............................................................................................................... 18
4.2.1.6 Application Switch load-balancing ............................................................................... 18
4.2.2 Application access .................................................................................................................. 19
4.2.2.1 Clientless Mode.............................................................................................................................19
4.2.2.2 Enhanced Clientless Mode for client/server..................................................................................20
4.2.2.3 NetDirect....................................................................................................................................... 20
4.2.3 IP Telephony and multimedia................................................................................................. 21
4.2.3.1 Considerations for IP Telephony...................................................................................................21
4.2.3.2 VPN Router 200 Series and small office/home office (SOHO) IP set solution.............................21
4.2.4 Network management............................................................................................................. 22
4.2.5 Converged applications and clients ........................................................................................ 22
4.2.5.1 Small IP Telephony platforms – Business Communications Manager.......................................... 22
4.2.5.2 Enterprise IP Telephony platforms................................................................................................23
4.2.5.3 IP Phones/IP Softphone 2050/Mobile Voice Client 2050............................................................. 28
4.2.5.4 Multimedia Communication Server 5100..................................................................................... 28
4.2.5.5 Unified Messaging........................................................................................................................ 30
4.2.5.6 Wireless VoIP............................................................................................................................... 30
5. SECURE REMOTE ACCESS SOLUTION SUMMARY.............................................................. 32
5.1 PERFORMANCE AND SCALABILITY ............................................................................................... 32
5.2 INTEROPERABILITY WITH OTHER PRODUCTS ................................................................................ 32
5.3 SECURITY CERTIFICATIONS.......................................................................................................... 32
1. Overview
Today’s enterprise network must support a growing number of mobile workers who require access to a broad range of information and applications. These workers include full-time teleworkers who use remote access as the primary connection to the network and services. There is also a growing number of occasional teleworkers. Another key user category is the road warrior, who improves productivity by engaging customers and business partners out of the office but must stay connected. As organizations recognize the benefits of IP Telephony and multimedia solutions, including intelligent call routing, network presence, application integration, and network convergence, they demand that these benefits be available beyond the traditional boundaries of the enterprise network. This Technical Solution Guide provides a prescription for meeting this requirement while providing the network and information security that must accompany such a solution.
This guide provides a list of best practices for Secure Remote Access that reduce security exposure and lower cost of operation. It provides information about solution design, deployment, and network integration to maximize the benefits to your organization.
1.1 Scope of solution
This document describes the infrastructure components required to design a Secure Remote Access solution. This document highlights the Nortel recommended designs and best practices for implementing a converged solution. While it is impossible to include every design scenario, this document discusses the most prevalent situations encountered within the enterprise. The following highlights the components covered within these designs:
Virtual Private Network Gateway:
Nortel VPN Gateway 3050
Nortel VPN Gateway 3070
Nortel VPN Router 221/251
Server load balancing for resiliency and scalability:
Nortel Application Switch 2424
Nortel Application Switch 3408
Intrusion detection and prevention (optional but recommended):
Nortel Threat Protection System
Communication Servers and Clients:
Nortel Multimedia Communication Server 5100
Nortel Communication Server 1000
Nortel Business Communications Manager 50/200/400
Nortel Multimedia PC Client
Nortel Multimedia Web Client
Nortel IP Softphone 2050
2. Secure Remote Access best practices
Following best practices in designing and deploying a remote access solution lowers cost of ownership and dramatically lowers the risk of common security incidents, such as unauthorized access, theft of information, hacking, denial of service and propagation of threats such as worms and viruses. Nortel solutions fully support these best practices.
2.1 Keep it simple!
Complexity is the enemy of security and should be avoided in a Secure Remote Access design. Determine which set of applications each group of users needs. This application set will be small for most users, and typically includes:
Web access to e-mail
Access to a common web portal (News and Frequently Accessed Information)
Phone directory
IP Telephony and multimedia
Web access to voice mail, such as Nortel CallPilot
Employee tools such as expense vouchering/purchasing/timesheets
Key line-of-business applications based on employee role
The number of unique roles or groups of users is also typically small and might not directly map to the concept of organizational departments. For many deployments, providing access to less than a dozen key applications maximizes the benefit of remote access while allowing strict access control and tracking.
2.2 User authentication
The first step in granting access is user authentication: establishing that a remote user has the appropriate credentials to connect to the network.
Use a network-based external authentication system that is common to your network and application environment. Users should not have different sets of IDs and passwords for remote access. A common authentication system simplifies user management and authorization control, as well as providing a framework for single sign-on or reduced sign-on capability.
When possible, use a two-factor authentication system that implements a one-time-password (OTP) scheme. These systems are compatible with existing authentication systems and prevent unauthorized access based on password guessing or theft. Two-factor authentication schemes are a key requirement when allowing access from public devices, such as shared PCs and Internet kiosks. You can also restrict remote access to less sensitive applications if users do not present two-factor-based credentials.
When two-factor authentication is not used, prevent password guessing by requiring passwords that are at least eight characters long and use a mix of letters, numbers, and punctuation. Set these passwords to expire at regular intervals, and prohibit reuse of the past five passwords.
Employ a preauthentication scan of the client system to detect crimeware or malware, such as keyloggers, to prevent theft of access credentials.
Employ a mechanism for Password Guess Lockout to disable an account upon successive failed logon attempts. You can do this through configuration of your network-based authentication system. The mechanism must be tied to a process that alerts system administrators of failed logon attempts and requires follow-up with appropriate action.
Define a procedure to reset expired or locked-out passwords that requires providing additional private information that is only known to valid users.
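The password rules and lockout mechanism described in this section, as an added Python example (not from the guide or Nortel): a policy check that enforces the eight-character, mixed-character and five-password-history rules, and a per-account counter that disables the account after successive failures and records an alert for administrator follow-up. The lockout threshold of five failures and the plaintext password history are assumptions for illustration.

```python
import string
from dataclasses import dataclass
from typing import Dict, List

MIN_LENGTH = 8          # guide: passwords at least eight characters long
HISTORY_DEPTH = 5       # guide: prohibit reuse of the past five passwords
LOCKOUT_THRESHOLD = 5   # assumption: successive failures before the account is disabled


def check_password_policy(candidate: str, history: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    history holds previous passwords, oldest first. Plaintext is used here only for
    illustration; a real system compares salted hashes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_letters for c in candidate):
        problems.append("no letters")
    if not any(c in string.digits for c in candidate):
        problems.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


@dataclass
class AccountState:
    failures: int = 0   # successive failed logons since the last success
    locked: bool = False


class LockoutTracker:
    """Password Guess Lockout: count successive failures per account, disable the
    account at the threshold, and keep an alert record so that the administrator
    follow-up process the guide requires has something to act on."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.accounts: Dict[str, AccountState] = {}
        self.alerts: List[str] = []

    def record_logon(self, username: str, success: bool, source: str) -> bool:
        """Record one logon attempt; return True if the account remains usable."""
        state = self.accounts.setdefault(username, AccountState())
        if state.locked:
            # Attempts on a locked account are themselves worth alerting on.
            self.alerts.append(f"logon attempt on locked account {username} from {source}")
            return False
        if success:
            state.failures = 0  # a successful logon ends the failure streak
            return True
        state.failures += 1
        if state.failures >= self.threshold:
            state.locked = True
            self.alerts.append(
                f"account {username} locked after {state.failures} failed logons, last from {source}")
            return False
        return True

    def reset(self, username: str) -> None:
        """Unlock only after the identity-verification procedure of section 2.2 has been followed."""
        self.accounts[username] = AccountState()
```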
2.3 Client admission, compliance, and remediation
In addition to user authentication, check the security policy compliance of endpoints, such as PCs, laptops, and other devices connecting to your network, before they are admitted. Establish a minimal set of criteria that includes:
Antivirus protection and signature updates
Personal firewall to protect PCs while connecting through the Internet
Antispyware to detect and remove software that collects personal information
Required operating system type, version, and service pack level
You can also use this minimal set of requirements to distinguish managed devices from shared PCs such as Internet kiosks and home computers. In the case of non-compliance, you can deny access or provide access to a minimal set of controlled web applications based on the security sensitivity of your environment. You may also wish to provide a remediation portal for non-compliant devices with access to software updates, patches, and other tools.
2.4 Establish authorization based on user and network context
Employ the security concept of least privilege – only allow access to the minimal set of applications and network subnets required for each group of remote access users. In general, remote access users do not need full IP access to all parts of your network, including desktop subnets and all application servers. Use per-group access controls as a baseline for limiting access. Augment this baseline with additional rules to allow or deny access based on:
Authentication strength (client-certificate use, simple password or OTP/two-factor)
Device type (managed or non-managed/shared)
Source IP address (applicable for home-based teleworkers with static IP assignments)
Results of endpoint compliance scanning
Access type (such as web-only access or full IP access through virtual network adaptors)
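An added Python example (not the guide's or Nortel's code) of a context-based authorization decision that combines the factors listed above with the compliance outcome of section 2.3: the per-group application baseline is narrowed by authentication strength, device type, source address and compliance result, so the result is never wider than the baseline. The group names, application names, registered home address and the rule that a connection from a registered static home address counts as a trusted device are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Constructed sample policy data: per-group application baselines (least privilege).
GROUP_APPS: Dict[str, FrozenSet[str]] = {
    "staff": frozenset({"webmail", "portal", "directory", "timesheets"}),
    "finance": frozenset({"webmail", "portal", "directory", "timesheets", "expense", "ledger"}),
}
SENSITIVE_APPS = frozenset({"expense", "ledger"})   # withheld without two-factor credentials
REMEDIATION_APPS = frozenset({"remediation"})       # all a non-compliant endpoint may reach
# Assumption: static home addresses are registered per user, and a connection from that
# address is trusted like a managed device.
STATIC_HOME_ADDRESSES = {"bob": ipaddress.ip_network("198.51.100.20/32")}


@dataclass(frozen=True)
class AccessContext:
    username: str
    group: str
    auth_strength: str      # "password", "otp" or "certificate"
    managed_device: bool    # False for shared PCs and Internet kiosks
    source_ip: str
    compliant: bool         # outcome of the endpoint compliance scan
    requested_access: str   # "web" or "full_ip"


@dataclass(frozen=True)
class Decision:
    access_type: str        # "deny", "web" or "full_ip"
    applications: FrozenSet[str]
    reason: str


def from_registered_home(ctx: AccessContext) -> bool:
    """True when the source address is the user's registered static home address."""
    net = STATIC_HOME_ADDRESSES.get(ctx.username)
    return net is not None and ipaddress.ip_address(ctx.source_ip) in net


def authorize(ctx: AccessContext) -> Decision:
    """Start from the group baseline and narrow it with each contextual rule."""
    apps = GROUP_APPS.get(ctx.group, frozenset())
    if not apps:
        return Decision("deny", frozenset(), "no baseline defined for group")
    # Section 2.3: a non-compliant endpoint gets only the controlled remediation portal.
    if not ctx.compliant:
        return Decision("web", REMEDIATION_APPS, "endpoint failed compliance check")
    strong_auth = ctx.auth_strength in ("otp", "certificate")
    # Section 2.2: without two-factor credentials, withhold the sensitive applications.
    if not strong_auth:
        apps = apps - SENSITIVE_APPS
    trusted_device = ctx.managed_device or from_registered_home(ctx)
    if ctx.requested_access == "full_ip":
        # Full IP access only from a trusted device with strong authentication;
        # everything else is downgraded to proxied web access the gateway can filter per URL.
        if strong_auth and trusted_device:
            return Decision("full_ip", apps, "strong authentication from a trusted device")
        return Decision("web", apps, "full IP access downgraded to proxied web access")
    return Decision("web", apps, "web access within group baseline")
```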
2.5 Inspect and track remote access user activity
After users are granted access, it is critical to continually monitor and log activity. Check endpoint compliance periodically to determine if rogue software successfully disabled security software during a session.
Ensure that key security and information access related events are logged to a centralized event manager, such as a syslog server or security event/incident collector. Examples of items to track include:
Successful and failed logon attempts, including source address and username
Session start and stop times
IP assignment of private addresses with correlation to username
Access control violations
Endpoint compliance-check violations
When providing web-based access, the VPN Gateway will proxy all information requests through a single, common internal IP address. In this case, configure the gateway to embed user information such as the username in HTTP headers to allow per-user tracking through internal IDS and web application servers.
Ensure that the topology you use for remote access deployment allows security inspection of non-encrypted traffic. This requires placing internal firewalls and intrusion detection and prevention (IDP) systems on the trusted side of the VPN Gateway so that remote user traffic can be inspected and blocked accordingly.
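An added Python example (not the guide's or Nortel's code) that replays constructed, syslog-style gateway events and produces the tracking items this section lists: successive failed logons per user and source address, private-IP-to-username correlation so that access control violations resolve to a user only while that user's session is active, compliance-check failures tied to a session, and session start and stop times. The key=value event format and event names are assumptions, not the VPN Gateway's actual log format.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events in a hypothetical key=value syslog style (not the real
# VPN Gateway format); they carry the items section 2.5 says should be tracked.
SAMPLE_LOG = """\
Jan 27 09:12:01 vpngw1 vpn: LOGIN_FAIL user=alice src=203.0.113.5
Jan 27 09:12:09 vpngw1 vpn: LOGIN_FAIL user=alice src=203.0.113.5
Jan 27 09:12:20 vpngw1 vpn: LOGIN_OK user=alice src=203.0.113.5 session=41
Jan 27 09:12:21 vpngw1 vpn: IP_ASSIGN session=41 user=alice ip=10.20.0.15
Jan 27 09:30:44 vpngw1 vpn: ACL_DENY src=10.20.0.15 dst=10.1.5.20 port=445
Jan 27 09:31:02 vpngw1 vpn: TG_FAIL session=41 check=antivirus
Jan 27 09:45:00 vpngw1 vpn: LOGIN_FAIL user=dave src=198.51.100.77
Jan 27 09:45:05 vpngw1 vpn: LOGIN_FAIL user=dave src=198.51.100.77
Jan 27 09:45:10 vpngw1 vpn: LOGIN_FAIL user=dave src=198.51.100.77
Jan 27 09:45:15 vpngw1 vpn: LOGIN_FAIL user=dave src=198.51.100.77
Jan 27 10:02:30 vpngw1 vpn: SESSION_END session=41 user=alice
Jan 27 10:05:00 vpngw1 vpn: ACL_DENY src=10.20.0.15 dst=10.1.5.20 port=445
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) vpn: (?P<event>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn each gateway line into a dict of timestamp, host, event name and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a shared syslog server carries unrelated lines; skip them
        ev = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
        ev.update(KV_RE.findall(m.group("rest")))
        events.append(ev)
    return events


def correlate(events: List[Dict[str, str]], fail_threshold: int = 3) -> Dict[str, object]:
    """Replay events in order; the private-IP-to-user mapping lives only while the owning
    session is active, so a reassigned address is never attributed to the previous user."""
    ip_owner: Dict[str, str] = {}        # private IP -> username for active sessions
    session_ip: Dict[str, str] = {}      # session id -> private IP, released on SESSION_END
    streak: Dict[Tuple[str, str], int] = defaultdict(int)
    report: Dict[str, object] = {"lockout_candidates": [], "acl_violations": [],
                                 "compliance_failures": [], "sessions": {}}
    for ev in events:
        kind = ev["event"]
        if kind == "LOGIN_FAIL":
            key = (ev["user"], ev["src"])
            streak[key] += 1
            if streak[key] == fail_threshold:   # report once, when the threshold is reached
                report["lockout_candidates"].append(key)
        elif kind == "LOGIN_OK":
            streak[(ev["user"], ev["src"])] = 0
            report["sessions"][ev["session"]] = {"user": ev["user"], "src": ev["src"],
                                                 "start": ev["ts"], "end": None}
        elif kind == "IP_ASSIGN":
            ip_owner[ev["ip"]] = ev["user"]
            session_ip[ev["session"]] = ev["ip"]
        elif kind == "ACL_DENY":
            report["acl_violations"].append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                                             "port": ev["port"],
                                             "user": ip_owner.get(ev["src"], "unknown")})
        elif kind == "TG_FAIL":
            sess = report["sessions"].get(ev["session"], {})
            report["compliance_failures"].append({"ts": ev["ts"], "check": ev["check"],
                                                  "user": sess.get("user", "unknown")})
        elif kind == "SESSION_END":
            sess = report["sessions"].get(ev["session"])
            if sess:
                sess["end"] = ev["ts"]
            ip = session_ip.pop(ev["session"], None)
            if ip:
                ip_owner.pop(ip, None)   # address may now be handed to another user
    return report
```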
2.6 Protect information and network access
There are a number of techniques you can employ to ensure that information and network access are protected, even in the case of forgetful or careless end users. Examples include:
Enable idle timeouts to close a remote access session after a period of inactivity. This limits unauthorized access if a user walks away from an active session.
Enable session timeouts to limit the total session time allowed.
Use a cache wiper to remove any residual data left behind during a session.
Disable split tunneling. Split tunneling allows non-remote access traffic, such as web access to Internet sites, to bypass the VPN connection. If a connected PC is compromised and a hacker connects through a backdoor, the hacker will have access to internal resources during an active session. To limit the possibility of this type of attack, disable split tunneling. Note that this will not prevent reverse-connecting Trojan horses and backdoors unless the protocol ports used are blocked by your access control lists and DMZ security policies.
Use endpoint security checking, including malware detection, to disallow connections from hosts infected with those threats.
2.7 Ensure remote access availability
Provide a resilient and highly available solution by using an active/active deployment with redundant VPN Gateways. Depending on the size of your network and criticality of remote access, you may wish to employ both local redundancy through clustering and geographical redundancy with a multisite VPN Gateway deployment.
2.8 Don’t forget people, process, and policy
These best practices are related to deployment options for a Virtual Private Network. Such a solution needs to reflect company policies and procedures, including:
Information security policy
Audit logging and data retention policy
Appropriate legislative compliance policies
In addition to the technology to support Secure Remote Access, it is critical to establish operating procedures and security policy elements specific to remote users and clients.
Education and training of end users also plays a key role in protecting information and securing access to the network.
3. Supported access modes
The VPN Gateway portfolio provides several different access modes. These access modes can be used concurrently by different users or groups. They can be served from the same public IP address or separated as desired. Each mode has advantages and disadvantages in terms of application support flexibility, compatibility, and security.
3.1 IPsec
IPsec delivers network level access to the intranet through a preinstalled software client that provides a virtual network adapter to the client operating system. All applications and protocols are supported, and the end user experience is comparable to that of a LAN connected user. Access controls configured on the VPN Gateway limit which subnets the client can access. Endpoint security for IPsec access is provided by an installed version of the TunnelGuard agent.
IPsec strengths include broad application support and the fact that it is a proven, time-tested technology for Secure Remote Access.
IPsec weaknesses include the fact that the client must be installed on each connecting device and the fact that some networks may block the protocol ports used by IPsec. This can be an issue for traveling employees that spend time in corporate intranets managed by external parties, such as customers or business partners.
3.2 SSL-VPN Clientless Mode
SSL-VPN Clientless Mode allows any web browser to be used as a VPN client. It provides access to a portal with links to web-based applications (see Figure 1 for a sample SSL-VPN portal).
The advantages of SSL-VPN Clientless Mode include ubiquitous access, including home PCs, Internet kiosks and shared or public PCs. No software installation is required. A Java Virtual Machine is required to provide endpoint compliance checking through an applet-based version of TunnelGuard. Another benefit of SSL-VPN Clientless Mode is that it provides a highly restricted access mode, with all web requests proxied by the VPN Gateway. This provides a high level of granular access control, including URL path checking on a per-group basis.
SSL-VPN Clientless Mode cannot provide access to non-web applications.
3.3 SSL-VPN Enhanced Clientless Mode
SSL-VPN Enhanced Clientless Mode extends the Clientless Mode through Java applets that enable client-server application communication. This mode provides access to many client-server applications, such as e-mail clients, including Microsoft Outlook, and remote access applications, such as Windows Terminal Server or Citrix.
SSL-VPN Enhanced Clientless Mode cannot provide access to complex applications that do not support Network Address Translation (NAT) or that use dynamic ports. An example of a complex application is Voice over IP (VoIP).
3.4 SSL-VPN NetDirect Mode
NetDirect Mode provides full network level access through a virtual adapter. A browser-based applet version of NetDirect is available, as well as a preinstalled client version. NetDirect was developed to provide IPsec-like access without the limitations of IPsec, such as the requirement for preinstallation and issues with NAT and firewall traversal. NetDirect supports any IP