Automatic Hotspot Logon




WHITE PAPER: Automatic Hotspot Logon for VPN Setup
Features of the integrated, dynamic NCP Personal Firewall Solution

Table of Contents

1. Insecure mobile computing via Wi-Fi networks (hotspots)
   1.1 Basic hotspot functionality
   1.2 Risks and problems
   1.3 Alternative approaches with residual risks
2. The NCP solution: automatic hotspot logon
   2.1 Dynamic adaptation of firewall rules for hotspot logon
   2.2 Operating the automatic hotspot logon
3. Additional information about the NCP Personal Firewall
   3.1 Outline: all features of the integrated NCP Personal Firewall
4. Scenarios and comparison: dedicated Personal Firewall and the integrated universal NCP solution

1. Insecure mobile computing via Wi-Fi networks (hotspots)

Mobile business is an established working method in modern enterprises. Notebooks and handhelds increase the productivity and flexibility of mobile employees, which contributes to the success of the business. Besides ISDN, the analog telephone network and xDSL, employees increasingly use public mobile networks (GSM, 3G) and broadband wireless networks such as wireless LANs (Wi-Fi networks). Hotspots, i.e. Wi-Fi networks installed in public places such as railway stations, airports, trade show facilities and hotels, provide access to the Internet.

Like all wireless networks, Wi-Fi networks are a particular security concern because the air interface is an easy target. Mobile teleworkers therefore find themselves in an extremely insecure environment where they have to deal with security issues on their own. The teleworker does not only have to protect an existing data connection to the corporate network, but also has to close the security gaps that exist before and during connection set-up.

1.1 Basic hotspot functionality

Providers operate hotspots (Wi-Fi networks), make them available to the general public and charge a fee for their use. Public Wi-Fi networks serve as broadband access networks to the Internet or to the corporate network. Before a mobile employee can establish a connection to the corporate network, he has to log on to the hotspot. This is usually done via a web browser in which the user enters his user ID. Based on this ID the user gains access to the network; payment or invoicing arrangements are also tied to this ID.

1.2 Risks and problems

Basically any user with an appropriately configured PC can access a public Wi-Fi network: he is usually assigned an IP address as soon as he knows the SSID (Service Set Identifier) of the network. The Wi-Fi operator provides neither data security nor any safeguard protecting the end device against attacks, i.e. every user has to take care of security measures himself. Specifically, the following security issues are involved:

1. Safeguarding confidentiality: sensitive information must not be accessible to third parties during transmission.
2. Safeguarding the PC at the hotspot: at all times, the PC has to be shielded against attacks from within the Wi-Fi network (i.e. other Wi-Fi participants) and against attacks from the Internet.

Proven security mechanisms protect confidentiality: VPN tunneling and data encryption. In addition, the PC is protected by a personal firewall with Stateful Packet Inspection. If this protection is not available, the user should refrain from mobile computing.

The actual security risk lies in the fact that logon at the hotspot operator has to be carried out via a browser outside of the protected area of the VPN. This means that during logon the end device is not protected. Normally this does not comply with the corporate policy, which usually forbids direct surfing on the Internet and only allows certain protocols. For this reason, a firewall solution on the end device that really offers comprehensive protection has to secure the critical phases of logon and logoff at the hotspot.

1.3 Alternative approaches with residual risks

In order to ensure full functionality at any hotspot, the administrator can set permanent firewall rules that allow HTTP or HTTPS. Alternatively, a rule can be configured so that the ports for HTTP or HTTPS are opened for a certain time window only (e.g. 2 minutes). In both cases the security risk is that the user surfs the Internet without the protection of a VPN tunnel and the end device might become infected. With a temporary opening of the firewall there is also the danger of intentional misuse by the user, who could trigger the time window several times.

In another scenario, the user changes the firewall rules himself. This need-dependent opening of the personal firewall carries the risk of incorrect configurations: the user has to know precisely which changes have to be made at the respective location. The resulting security level is therefore determined by only two factors: the security consciousness of the user and his technical expertise.

2. The NCP solution: automatic hotspot logon

NCP has integrated the personal firewall into the Secure Client software in order to protect the remote client against all kinds of attacks during every phase of connection set-up in Wi-Fi networks and hotspots. Throughout the whole process of connection set-up, the user does not need to intervene: intelligent automated processes provide secure hotspot logon. Administrators and users can rely on the security of their end devices and data at all times. There are two approaches:

- Dynamic adaptation of firewall rules for hotspot logon
- Script-based hotspot logon

Only the first approach is outlined in this document. The second approach, script-based hotspot logon, is explained in the NCP Secure Client manual.

2.1 Dynamic adaptation of firewall rules for hotspot logon

If a user is within receiving range of a public Wi-Fi network, he selects the menu option Hotspot Logon. The NCP Secure Client then automatically searches for the hotspot and opens the website for the logon procedure in the standard browser. If the standard browser is configured to use a proxy server, the user may have to deactivate it in some cases. The following alternative is therefore recommended: for protection against manipulation, an alternative browser together with the hash value of its executable can be defined in the Secure Client's hotspot settings (Figure 1). Additional measures (operating system file rights on the browser files) further increase security.

Figure 1: Hotspot configuration

This browser can be modified to suit the requirements of a hotspot, e.g. no proxy server, no address bar, and Java and JavaScript deactivated, so that hotspot logon is the only thing it can be used for. Figure 3 shows such a modified browser, in this case based on Firefox Portable. After the user has entered the access data and the operator has activated the account, the VPN connection, e.g. to the corporate headquarters, can be established, and the user communicates with the same security he has at an office workstation. To keep the PC protected at all times, the firewall releases the ports for HTTP or HTTPS dynamically and only for hotspot logon or logoff.
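The mechanism of section 2.1 is easier to reason about as code. The following simulation is an added example written for this page; it is not NCP's implementation and makes no claim about how the Secure Client is built. It models the rule set the white paper describes: outbound traffic from the logon browser is permitted to the home-page host, to the redirect target and to at most eight further destinations learned within the first 60 seconds (source port 1024-65535, any destination port); inbound packets are accepted only as replies to flows the client opened; the rules are discarded when Hotspot Logon is clicked again or the system restarts. The hash-pinned browser from the same section is modeled by a check that hashes the executable before launch. The choice of SHA-256, every IP address, the stand-in "browser executable" and the packet sequence are constructed for the example and are not taken from the paper.

```python
"""Simulation of the dynamic hotspot-logon rule set (added example, not NCP code)."""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LEARN_WINDOW_S = 60                    # learning window stated in the paper
MAX_LEARNED = 8                        # at most eight learned destinations (paper)
EPHEMERAL_PORTS = range(1024, 65536)   # permitted source ports (paper)

Flow = Tuple[str, int, str, int]       # (src_ip, src_port, dst_ip, dst_port)


def browser_is_trusted(path: str, expected_sha256_hex: str) -> bool:
    """Pin the logon browser: launch it only if its executable hashes to the
    configured value. SHA-256 is an assumption; the paper just says 'hash value'."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_sha256_hex.lower())


@dataclass
class HotspotRuleSet:
    home_page_ip: str                    # host of the online-test home page
    redirect_ip: Optional[str] = None    # filled in once the hotspot redirects us
    started_at: float = 0.0              # time Hotspot Logon was clicked
    learned: List[str] = field(default_factory=list)
    flows: Set[Flow] = field(default_factory=set)

    def static_allowed(self) -> Set[str]:
        allowed = {self.home_page_ip}
        if self.redirect_ip:
            allowed.add(self.redirect_ip)
        return allowed

    def outbound(self, now: float, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> bool:
        """Verdict for an outbound packet from the logon browser."""
        if src_port not in EPHEMERAL_PORTS:
            return False
        if dst_ip not in self.static_allowed() and dst_ip not in self.learned:
            # A new destination is admitted only while the learning window is
            # open and fewer than MAX_LEARNED addresses have been learned.
            if now - self.started_at > LEARN_WINDOW_S or len(self.learned) >= MAX_LEARNED:
                return False
            self.learned.append(dst_ip)
        self.flows.add((src_ip, src_port, dst_ip, dst_port))
        return True

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Stateful check: only replies to flows we opened pass; unsolicited
        packets from the Wi-Fi segment or the Internet are rejected."""
        return (dst_ip, dst_port, src_ip, src_port) in self.flows

    def reset(self, now: float) -> None:
        """Clicking Hotspot Logon again (or a reboot) discards every rule."""
        self.redirect_ip, self.started_at = None, now
        self.learned.clear()
        self.flows.clear()


def simulate() -> List[bool]:
    """Replay a constructed logon sequence and return the per-packet verdicts."""
    client = "10.0.0.23"                                    # constructed client address
    rules = HotspotRuleSet(home_page_ip="203.0.113.10", started_at=0.0)
    v = [rules.outbound(0.0, client, 40000, "203.0.113.10", 80)]   # online test
    v.append(rules.inbound("203.0.113.10", 80, client, 40000))     # its reply: ok
    v.append(rules.inbound("10.0.0.99", 445, client, 445))         # unsolicited probe: dropped
    rules.redirect_ip = "198.51.100.5"                              # hotspot redirects to portal
    v.append(rules.outbound(1.0, client, 40001, "198.51.100.5", 443))
    for i in range(8):                                              # portal pulls 8 image hosts
        v.append(rules.outbound(2.0 + i, client, 40010 + i, f"192.0.2.{i + 1}", 80))
    v.append(rules.outbound(15.0, client, 40020, "192.0.2.50", 80))  # ninth host: refused
    v.append(rules.outbound(61.0, client, 40021, "192.0.2.51", 80))  # window closed: refused
    v.append(rules.outbound(120.0, client, 40022, "192.0.2.3", 8443))  # learned host, any port
    v.append(rules.outbound(3.0, client, 80, "203.0.113.10", 80))  # privileged src port: refused
    return v


def demo_browser_check() -> Tuple[bool, bool]:
    """Hash a constructed stand-in for the browser binary and check it against
    the correct pin and against a wrong one."""
    data = b"constructed stand-in for the portable browser executable"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        good = hashlib.sha256(data).hexdigest()
        return browser_is_trusted(path, good), browser_is_trusted(path, "0" * 64)
    finally:
        os.remove(path)
```

`simulate()` shows the two limits a practitioner should keep in mind: once eight hosts have been learned, or once the 60-second window has elapsed, nothing new is admitted, while every learned host stays reachable on any destination port until the rule set is reset.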

Protection is maintained as follows: the client initiates an HTTP request to a configured home page (the Internet online test). Depending on the communication this requires, the firewall creates the necessary rules dynamically. This applies to the first eight addresses that are contacted by the hotspot logon application within the first 60 seconds; this is necessary because hotspot logon servers frequently load graphic files from various other servers. The dynamic rule set rejects all data packets that have not been requested. In this manner the system guarantees that a public Wi-Fi network is only used for the VPN connection to the central data network and that there is no direct Internet access.

Automatic firewall rules in detail

After the user clicks the menu item Hotspot Logon, the Monitor dynamically generates the following rules. They remain in effect until the user either clicks Hotspot Logon once more or the system is restarted (necessary for logoff).

At hotspots with redirect support:
- IP address of the NCP web server, or of the URL that has been entered at the Hotspot Logon menu item (necessary for the Internet online test): source port 1024-65535, destination port 0-65535
- Server IP address from the redirect: source port 1024-65535, destination port 0-65535
- The first 8 IP addresses that are contacted by the application within the first 60 seconds: source port 1024-65535, destination port 0-65535

At hotspots without redirect support:
- IP address of the NCP web server, or of the URL that has been entered at the Hotspot Logon menu item (necessary for the Internet online test): source port 1024-65535, destination port 0-65535
- The first 8 IP addresses that are contacted by the application within the first 60 seconds: source port 1024-65535, destination port 0-65535

Configuration of the home page

If no website has been entered, the default setting is http://www.ncp.de/hotspot/hotspot_de.html for German and http://www.ncp.de/hotspot/hotspot_en.html for English. If you configure a home page yourself, the following automatism is applied:

Configured home page            Modified home page for the automatic HTTP request
http://www.ncp.de               http://www.ncp.de/hotspot_en.html
http://www.ncp.de/              http://www.ncp.de/hotspot_en.html
http://www.ncp.de/hotspot.de    no modification

2.2 Operating the automatic hotspot logon

If the user is within range of a hotspot, he opens the menu option Hotspot Logon in the Connection menu of the NCP Secure Client Monitor and starts hotspot logon with a left mouse click (Figure 2). The system then automatically calls the configured browser and opens the logon page of the hotspot operator (Figure 3).

Figure 2: Select Hotspot Logon

Figure 3: Browser with the logon page of the hotspot operator

For public access with web logon it is a prerequisite that the access system redirects the browser to the logon site of the hotspot provider; this redirect brings up the logon site. Now the user can enter his access information and, after a successful logon, establish a VPN connection to his corporate headquarters using the NCP Secure Client. Direct communication with the Internet, i.e. bypassing the VPN tunnel, is impossible due to the dynamic firewall rules described above. As explained before, the integrated Personal Firewall of the NCP Secure Client defines the rules according to the specific situation. Please note that proxy settings that may have been entered have to be adapted or deactivated for logon via the standard browser at the hotspot.

If hotspot logon could not be carried out by the NCP Secure Client, a corresponding message is displayed (Figure 4). In such a case, please determine whether there is a general problem with this hotspot operator and the mechanisms it implements. Contact NCP support (info-2@ncp.de) if necessary.

Figure 4: Hotspot logon not possible

3. Additional information about the NCP Personal Firewall

The personal firewall is a fixed component of the NCP Secure Client. All firewall mechanisms are optimized for remote access applications and are activated when the computer boots. In contrast to VPN solutions with a separate firewall, the teleworkstation is therefore already protected against attacks before the user actually accesses the VPN. The personal firewall also offers complete protection of the end device even if the client software is deactivated.

All firewall rules can be specified centrally by the administrator, and compliance with these rules can be enforced. The prerequisite for this is the central NCP Secure Enterprise Management system, which is used to configure the Secure Enterprise Client. All configurations can be locked so that the user cannot modify them.

3.1 Outline: all features of the integrated NCP Personal Firewall

IP Network Address Translation (IP-NAT)
IP-NAT hides the internal client address so that it cannot be attacked directly from outside.

Stateful Packet Inspection
Rules for data transfer are specified, i.e. all outgoing and incoming data packets have to correspond to previously defined filter rules. Each incoming data packet is checked against the defined characteristics and is rejected in the event of non-compliance. The computer is thus shielded according to the rules that have been created, and the set-up of undesired connections is prevented.

Application-dependent filter rules
It is possible to define filter rules that apply only to a certain application. A typical example is a filter rule that is used only by Internet Explorer and only allows surfing via port 80.

Filter rules based on protocol, port and address
By default, filter rules are defined via ports and IP addresses. An additional filter for protocols can also be set.

Friendly net detection
Defined filter rules are activated automatically depending on the network environment in which the teleworker is located, e.g. the company LAN or a Wi-Fi hotspot. Public, unfriendly networks call for different rules than friendly networks. The software identifies the type of network automatically by analyzing one or several of the following factors:
- current network address
- IP address of the DHCP server
- MAC address of the DHCP server
- automatically according to the FND server (see the FND white paper)

Automatic hotspot logon
Automatic hotspot logon is an intelligent mechanism for securely activating network access via the browser in public Wi-Fi networks. The system blocks all other data transfer, i.e. the user is protected during this phase of the connection set-up.

Connection-dependent filter rules

Extensive logging options, e.g.
- logging on/off
- rejected data traffic
- permitted data traffic
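Friendly net detection, as listed above, selects a rule set from the network environment. The following added example (written for this page, not NCP's code) implements the three passive criteria the paper names, current network address, DHCP server IP and DHCP server MAC, and shows why all configured criteria have to hold at once: a rogue network can reproduce the corporate address range and the DHCP server address, but the example still treats it as public because the DHCP server MAC differs. The two rule profiles, the network ranges, the DHCP addresses and the MAC values are constructed for illustration; the FND-server check the paper lists as a fourth factor is not modeled here.

```python
"""Friendly net detection (added example, not NCP code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Observed:
    """What the client can see on the interface it just brought up."""
    address: str           # current IP address of the client
    dhcp_server_ip: str    # server that answered the DHCP request
    dhcp_server_mac: str   # its hardware address as seen on the link


@dataclass(frozen=True)
class FriendlyNet:
    """One configured friendly network. A criterion left as None is not checked."""
    name: str
    network: Optional[str] = None          # CIDR the client address must fall into
    dhcp_server_ip: Optional[str] = None
    dhcp_server_mac: Optional[str] = None

    def matches(self, obs: Observed) -> bool:
        checks = []
        if self.network:
            checks.append(ipaddress.ip_address(obs.address) in ipaddress.ip_network(self.network))
        if self.dhcp_server_ip:
            checks.append(obs.dhcp_server_ip == self.dhcp_server_ip)
        if self.dhcp_server_mac:
            checks.append(obs.dhcp_server_mac.lower() == self.dhcp_server_mac.lower())
        # Every configured criterion must hold; an entry without criteria never matches.
        return bool(checks) and all(checks)


# Illustrative rule profiles (constructed): 'public' permits only what a VPN
# client needs (IKE/NAT-T, ESP) plus the hotspot-logon mechanism; 'friendly'
# relaxes to the corporate policy.
PROFILES: Dict[str, List[str]] = {
    "public": ["allow udp out dport 500,4500", "allow esp out",
               "hotspot-logon dynamic rules", "deny all else"],
    "friendly": ["allow tcp/udp out to corporate LAN", "allow established in",
                 "deny all else"],
}

# Constructed corporate network definition.
FRIENDLY_NETS = [
    FriendlyNet("corporate-lan", network="10.20.0.0/16",
                dhcp_server_ip="10.20.0.1", dhcp_server_mac="00:11:22:33:44:55"),
]


def classify(obs: Observed, friendly_nets: List[FriendlyNet]) -> str:
    """Name of the first matching friendly net, or 'public' if none matches."""
    return next((n.name for n in friendly_nets if n.matches(obs)), "public")


def profile_for(obs: Observed, friendly_nets: List[FriendlyNet]) -> List[str]:
    """Rule set to activate for the observed environment."""
    return PROFILES["public" if classify(obs, friendly_nets) == "public" else "friendly"]


def demo() -> Dict[str, str]:
    """Classify three constructed environments."""
    office = Observed("10.20.5.17", "10.20.0.1", "00:11:22:33:44:55")
    hotspot = Observed("172.16.40.9", "172.16.40.1", "de:ad:be:ef:00:01")
    # Rogue network mimicking the corporate addressing and DHCP server address,
    # but answering from a different DHCP server MAC: must stay 'public'.
    spoofed = Observed("10.20.5.17", "10.20.0.1", "de:ad:be:ef:00:02")
    return {name: classify(o, FRIENDLY_NETS)
            for name, o in (("office", office), ("hotspot", hotspot), ("spoofed", spoofed))}
```

A MAC address can itself be forged by anyone on the same link, so these passive criteria only raise the bar; the FND server the paper refers to is the factor to use where a stronger decision is needed.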

4. Scenarios and comparison: dedicated Personal Firewall and the integrated universal NCP solution

Scenario 1: VPN client installed, no personal firewall (competition)
Scenario 2: VPN client installed, personal firewall installed, only outgoing connections permitted (competition)
Scenario 3: VPN client installed, personal firewall installed, only communication in the VPN tunnel permitted (competition)
Scenario 4: VPN client with integrated personal firewall (NCP Secure Client)

Activities / properties                                            Scenario 1  Scenario 2  Scenario 3  Scenario 4
Hotspot logon                                                      yes         yes         no          yes
Surfing in the Internet                                            yes         yes         no          yes
VPN connection to corporate headquarters                           yes         yes         no          yes
Protection against attacks from within the Wi-Fi                   no          yes         yes         yes
Protection against attacks from the Internet                       no          yes         yes         yes
Protection from viruses, worms, external dialers                   no          no          yes         yes
Firewall rules adapt dynamically to the target network             no          no          no          yes
Firewall is protected from user manipulation, even if the
  user has administrator rights                                    no          no          no          yes
Firewall starts when booting                                       no          no          no          yes
Firewall remains active after deactivation of the VPN service      no          no          no          yes

NCP engineering GmbH, Dombuehler Strasse 2, 90449 Nuremberg. Phone: +49 911 99 68-0, Fax: +49 911 99 68-299
NCP engineering, Inc., 444 Castro Street, Suite 711, Mountain View, CA 94041. Phone: +1 (650) 316-6273, Fax: +1 (650) 251-4155
www.ncp-e.com
Copyright 2010/2011 NCP engineering. All rights reserved. February 2011