Application Note Secure Enterprise Guest Access August 2004

Transcription

1 Application Note Secure Enterprise Guest Access August 2004 Introduction More and more enterprises recognize the need to provide easy, hassle-free high speed internet access to people visiting their offices, without decreasing the security of their own Local Area Network. Examples of guests in need for a broadband Internet connection are Suppliers, Consultants, Sales managers and Employees from other branch offices. Guests want to send and check their s, load the latest information from their file servers or search in their databases for order intake and delivery, thus making their time at your office more productive. This requires enterprise networks to provide a new class of access called Enterprise Guest Access. Enterprise Guest Access Networks present unique problems and the family of Nomadix Access Gateways provide excellent solutions to these problems, making provisioning of enterprise guest access simple and secure. Enterprise Guest Access Networks are similar to Public Access Networks in places like coffee shops in that they face the same technological challenges as are faced by public access networks. Unlike Public Access Networks however, Enterprise Guest Access Networks require unprecedented security. Enterprise networks that provide guest access to visiting customers and partners are exposed to an ever-changing user base that is typically unknown by the network administrator. Without the Nomadix gateways, provisioning access may require reconfiguring the PC s settings to match the LAN IP and proxy settings. This raises a concern about unwanted attacks, which makes network security a concern for all users on the network and the network administrator. Depending upon the size of the area and the number of simultaneous guests expected; Nomadix provides the NSE on a complete family of Access Gateways. For larger deployments Universal Subscriber Gateway (USG II) For mid-sized deployments HotSpot Gateway (HSG) For SME size deployments AG-2000w (Gateway + Access Point) Up to 2000 users Up to 150 users Up to 50 users Page 1 of 10

2 This document presents an overview of Guest Access Networks in an enterprise environment. It details the Nomadix advantage in such deployments. It suggests sample architectures for deployment of Guest Access Networks using a Nomadix Access Gateway and common technologies like virtual LANs and access control lists while keeping the corporate network secure. Overview While guests like to get connected during their visit to your corporate facilities there are many reasons why network administrators and IT managers do not want to enable guests to access their networks. Their main concerns are: It consumes a lot of valuable IT resources for configuring visitor notebooks for access, configuring access points or switches, configuring firewalls etc It can be a security risk since a guest can compromise confidential corporate data even without knowing it or can infect the network with a virus/worm. There could be legal issues as a guest can download or post illegal content without you knowing it. There could be bandwidth issues as a visiting user can consume a big chunk of the bandwidth available there by denying access to your internal resources. There could be connectivity problems associated with configurations on the visitor s computer. These could be the SMTP setting to send s, DNS and proxy server settings etc. All of these concerns can be solved by using the Nomadix Access Gateways. These gateways are the brains behind offering a corporate guest access service and take care of everything from security, service provisioning, subscriber management and safeguarding your native networks. The following sections explain how IT managers can provision a Guest Access Network without reducing the overall security of their private corporate LAN. It also explains how guest s notebook PCs can be connected to the internet without a need to change their configurations like IP settings or web proxy settings. With guests connected to high speed internet they can be productive while visiting your offices. This note is also suited to build Hot-Spot sites where the local staff wants to use the broadband connection in a secure way for corporate use in addition to providing public access. Examples of Hot-Spot sites that can benefit are Hotels, Internet Cafes and Restaurants. The Nomadix Experience In a Nomadix enabled network, once connected to the Guest Access Network, the user starts the browser and is redirected to a Portal Page using the Nomadix Home Page Redirection functionality. On this portal page, the user can enter his/her Username/password provided by the enterprise (using the Hot-Spot Manager) or by a roaming partner (like PicoPoint). With the patented Dynamic Address Translation and Transparent Proxy features, Nomadix gateways support true plug and play. This guarantees that any client computer Page 2 of 10

3 with any configuration gets access to the network without having to reconfigure the IP, DNS, Gateway and Proxy settings. With these features even client computers with statically configured IP addresses are provisioned access on to the network. Nomadix gateways support different methods to authenticate users in an automatic fashion. UAM, 802.1x and Smart Clients can be used seamlessly. UAM Universal Access Method (Web Based authentications) Username and Password (local or RADIUS based) Credit Card XML 802.1x Using the different EAP standards. (RADIUS based) EAP (Extensible Authentication Protocol) Methods o EAP-MD5 UN/PW based authentication o EAP-SIM SIM card based authentication (such as used by GSM carriers) o EAP-TLS Certificate based authentication (such as used by SSL) EAP-TTLS Tunneled TLS supports mutual authentication and UN/PW passed authentication inside of TLS tunnel o PEAP Protected EAP, layered on EAP to provide Mutual Authentication and guard against Man-In-The-Middle attacks using TLS Smart clients Gric, Boingo, IPass After Authentication, customers can connect securely to the internet using the Nomadix features like bandwidth management per user, IP packet forwarding, inat and Session Rate Limitation. These Nomadix features are developed for access in the enterprise environment and public spaces. Nomadix Bandwidth control Up and Down The Bandwidth Management feature enables network administrators to limit bandwidth usage on a per device (MAC Address/User) basis. This ensures every user has a quality experience by placing a bandwidth ceiling (limit) on each device accessing the network. The bandwidth for each device can be defined asymmetrically for both upstream and downstream data transmissions. The Nomadix platform can also manage the WAN Link traffic providing complete bandwidth management through the edge of the network. The Bandwidth Management feature shapes traffic going through the WAN interface of the gateway to prevent its over-utilization. Using this feature the bandwidth available for public guest can be limited thereby ensuring that the corporate network always has enough bandwidth. Nomadix Session Rate limitation (SRL) Session Rate Limiting (SRL) allows administrators to throttle the number of sessions any one user can form over a given time period. If the computer exceeds this limit, all the traffic generated from that computer is dropped until the configured time interval is reached. Most of the computers infected by viruses generally try to form a large number of sessions. With this feature, the gateway essentially safeguards the network by limiting the number of sessions that can be created per user. This feature can be further enhanced by automating the process of inserting up to a certain number of violating MAC addresses into the MAC filtering table thereby blacklisting destructive clients and preventing any more drain on valuable system resources. Page 3 of 10

4 Nomadix SMTP Redirection Many people have referred to as the killer application of the Internet. Most people connect to the internet to send and receive s. In an increasingly mobile business climate, using over broadband connections while travelling can be problematic due to the SMTP settings on the client computers. The SMTP redirection feature of the NSE recognizes attempts to send SMTP mail and redirects the outgoing mail to an available SMTP server maintained by the local ISP. Since the request to send the outgoing mail now comes from a local address, the local SMTP server allows the mail to be sent. Guest network users can send using the local SMTP server, even though their normal mail server would reject their requests. The recipient of the message is unaware that a surrogate SMTP server was utilized. To the recipient, the message looks completely normal and it can be responded to like any other message. Nomadix inat- VPN Plug and Play The benefits of inat can be summarized as follows: Dramatically increases the reusability of costly public IP addresses while forming concurrent VPN connections. Improves the success rate of VPN connectivity by mis-configured users, thus reducing customer support costs and boosting customer satisfaction. Maintains the security benefits of traditional address-translation technologies while enabling secure VPN connections for mobile workers to access corporate resources from a Public-access location. Dynamically adjusts the mode of address translation during the user s session depending on the packet type. Supports users with static private (e.g x.x) or public (different subnet) IP addresses without any client IP setting changes. Packet Filter Blocks traffic based on a specific Web address (DNS or IP address). In the future this will also be able to block traffic based on type of application ( , FTP, Web browser, etc.), which is specified by port number thereby acting like a screening router. A Nomadix gateway is the ideal solution for all these scenarios and creates the ideal work environment for all guests who want easy to use and secure access to the internet without putting a burden on your own IT staff. Page 4 of 10

5 Sample Network Architectures The following section provides details on how technologies such as Virtual LANs (VLANs) and Firewalls are used to ensure security when used in conjunction with a Nomadix Access Gateways. Set-up #1 Guest access to the Public Internet Access in lobby/meeting room of the Enterprise sharing the existing Internet Connection The following diagram shows an example of the enterprise network architecture that could be deployed where the Nomadix gateway is connected to an available (unused) Ethernet interface of the internet router in order to separate the traffic of the guests from the closed enterprise network data. This separation can be done via VLAN s, access lists or firewall implementations. Most of the currently shipping Cisco routers do support all of these security implementations. Access list support is also included in the various ADSL and broadband routers as supplied by D-Link, Linksys, Allied Telesyn and Zyxel. Solution 1: The easy to deploy solution would be to use the Nomadix AG2000w (+) connected to the router. Access to the enterprise network from the guest access is prohibited using access control lists on the router. Figure 1 Page 5 of 10

6 Solution 2: The Nomadix AG2000w (+) uses a predefined VLAN to connect directly to the existing router. By using a VLAN switch, segregation of the traffic can be done at layer 2 and this gives a higher degree of security. Guest and enterprise traffic are on separate VLAN s and broadcast domains. Figure 2 Page 6 of 10

7 Solution 3: Another possibility is to connect the router to an available (not used) trunk port of a VLAN switch. The Nomadix Gateway is then also connected to the switch. The Nomadix gateway and the enterprise LAN are on separate VLAN s. In this setup traffic from the enterprise LAN is secured in an effective way at Layer 2. Figure 3 Page 7 of 10

8 Set-up #2 Guest access to the Public Internet Access in lobby/meeting room of the Enterprise using a separate Internet Connection In this scenario, the Nomadix Gateway is connected to the Internet using separate WAN connections. VLANS can be used on the subscriber side to segregate traffic. Again, in this setup traffic from the enterprise LAN is secured in an effective way at Layer 2. Figure 4 Page 8 of 10

9 Set-up #3 Public Internet Access in many locations of the Enterprise Third scenario is the combination of the Nomadix HSG/USG Gateway and third party access points that support VLANs in combination with multiple SSID s. A combination of public and private wireless VLANs are supported on the same network. Figure 5 The enterprise wireless users can transparently use 802.1x authentication in addition to UAM (Universal Access Method) for the guest users. Page 9 of 10

10 Guest User Experience Step 1: Guest selects the SSID of the Guest Access Network. Step 2: Guest opens browser and is redirected to the configured Portal Page. Step 3: Guest logs in by entering the username and password provided by the enterprise or the roaming partner. Step 4: Guest is connected to the internet. Summary Enterprises can provide secure Guest Access in an easy to use, transparent way that does not take up valuable IT time and resources by using the Nomadix Gateways. The network can be protected by the use of VLANs and their ability to logically separate traffic within that network. In addition, the local guest network is protected from external attacks by the use of Plug And Play (DAT), Session Rate Limitation and Bandwidth Control. With features like SMTP Redirect and inat (VPN plug and Play) the Nomadix Access Gateways guarantee a seamless and complete experience to the guest user. Page 10 of 10