ION Networks. White Paper



Similar documents
How do I secure and manage an out-of-band connection to network devices?

Virtual Private Networks (VPN) Connectivity and Management Policy

November Defining the Value of MPLS VPNs

A Web Broker Architecture for Remote Access A simple and cost-effective way to remotely maintain and service industrial machinery worldwide

Building Remote Access VPNs

SSL VPN Technical Primer

Secure, Remote Access for IT Infrastructure Management

Virtual Private Networks Secured Connectivity for the Distributed Organization

Opengear Technical Note

White Paper. BD Assurity Linc Software Security. Overview

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

White Paper. SSL vs. IPSec. Streamlining Site-to-Site VPN Deployments

REDCENTRIC MANAGED FIREWALL SERVICE DEFINITION

Managed Security Services for Data

Solution Brief. Branch on Demand. Extending and Securing Access Across the Organization

Overcoming the Performance Limitations of Conventional SSL VPN April 26, 2006

Cloud Management. Overview. Cloud Managed Networks

Solution Brief. Branch on Demand. Extending and Securing Access Across the Organization

Telecom CPE Management Overview

Network Services Internet VPN

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Time Warner Cable Business Class IP VPN & Managed IP VPN User Guide

Cloud Management. Overview. Cloud Managed Networks

Why Voice Still Matters

MOBILITY & INTERCONNECTIVITY. Features SECURITY OF INFORMATION TECHNOLOGIES

Ensuring the security of your mobile business intelligence

Truffle Broadband Bonding Network Appliance

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

PRODUCTIVITY NETWORK, INC. Information Technology. VPN Overview

Building the Business Case For IP VPNs

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Why Switch from IPSec to SSL VPN. And Four Steps to Ease Transition

Cisco QuickVPN Installation Tips for Windows Operating Systems

Security Technology: Firewalls and VPNs

SafeEnterprise SSL igate Managing Central Access to Resources with VPX Technology

Securely Delivering Applications Over the Internet. White Paper

Securely Deliver Remote Monitoring and Service to Critical Systems. A White Paper from the Experts in Business-Critical Continuity TM

Out-of-Band Management: the Integrated Approach to Remote IT Infrastructure Management

Secure Network Design: Designing a DMZ & VPN

IP VPN Solutions Secure, flexible networking options from a leader in IP solutions

The Hybrid Enterprise. Enhance network performance and build your hybrid WAN

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Security Considerations for DirectAccess Deployments. Whitepaper

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief

AT&T. ip vpn portfolio. integrated. IP VPN solutions. for the enterprise. Communication Systems International Incorporated

VPN. Date: 4/15/2004 By: Heena Patel

MCTS Guide to Microsoft Windows 7. Chapter 14 Remote Access

2003, Rainbow Technologies, Inc.

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

How To Setup Cyberoam VPN Client to connect a Cyberoam for remote access using preshared key

WAN Failover Scenarios Using Digi Wireless WAN Routers

Network Management for Common Topologies How best to use LiveAction for managing WAN and campus networks

Cisco SR 520-T1 Secure Router

IPSec or SSL VPN? Copyright 2004 Juniper Networks, Inc. 1

I d like our employees to be able to access all the files in our network that are important to them anywhere and anytime. Simply and securely.

Virtual Private Networks Solutions for Secure Remote Access. White Paper

Solutions Guide. Secure Remote Access. Allied Telesis provides comprehensive solutions for secure remote access.

Configuring IPsec VPN with a FortiGate and a Cisco ASA

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

Whitepaper. Controlling the Network Edge to Accommodate Increasing Demand

Secure VoIP for optimal business communication

Novell Access Manager SSL Virtual Private Network

Using Entrust certificates with VPN

Chapter 5. Data Communication And Internet Technology

SSL VPN vs. IPSec VPN

PortWise Access Management Suite

Enterprise Solutions. Solutions for Enterprise Customers Data, Voice, Security. Get Started Now: to learn more.

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

SECURELINK.COM ENTERPRISE REMOTE SUPPORT NETWORK

GPRS / 3G Services: VPN solutions supported

Citrix Access Gateway

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

How To - Setup Cyberoam VPN Client to connect to a Cyberoam for the remote access using preshared key

Prominic Private Cloud

Virtual Private Networks

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

Experiment # 6 Remote Access Services

GPRS and 3G Services: Connectivity Options

Opengear Application Note

Protecting systems and patient privacy

PortWise Access Management Suite

Enterprise Remote Support Network

Nominee: Barracuda Networks

Ranch Networks for Hosted Data Centers

Virtual Leased Line (VLL) for Enterprise to Branch Office Communications

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business

Get their best. Are you talking to me?

Reliable high throughput data connections with low-cost & diverse transport technologies

Using Rsync for NAS-to-NAS Backups

The term Virtual Private Networks comes with a simple three-letter acronym VPN

Enterprise SM VOLUME 1, SECTION 4.5: WEB CONFERENCING SERVICES (WCS)

Assessing Business Continuity Solutions

Dell SonicWALL Secure Virtual Assist: Clientless remote support over SSL VPN

MITEL. NetSolutions. Flat Rate MPLS VPN

Whitepaper. StoneGate Multi-Link. Ensuring Always-on Connectivity with Significant Savings

Monitoring Hybrid Cloud Applications in VMware vcloud Air

Colt VoIP Access Colt Technology Services Group Limited. All rights reserved.

Integrating F5 Application Delivery Solutions with VMware View 4.5

Transcription:

ION Networks White Paper Examining New Options in Remote Connectivity for Managed Service Providers: Services SSL VPN vs. Traditional SSL VPN and IPSec VPN Written by: Tara Flynn Condon Steve Scrace Bill Whitney, CTO Produced by: www.ion-networks.com info@ion-networks.com +1 908.546.3900 (Office) +1 908.546.3901 (FAX) Do not reproduce without written permission from To obtain permission, e-mail presscontacts@ion-networks.com. Page 1 of 9

The Service Delivery Challenge: An Overview When service providers and remote administrators require secure, remote IP access to a network, they generally use one of two connectivity alternatives: Secure Sockets Layer Virtual Private Network (SSL VPN) or Internet Protocol Security Virtual Private Network (IPSec VPN). Either seems a logical choice, as they both provide secure access as well as encryption. However, both solutions can prove complicated for service providers. Coordinating the opening of ports, reconfiguration of firewalls, and the sharing of IP addresses and multiple passwords often requires the coordination of multiple departments within each customer. This process can prove time and resource intensive. Also, in order to offer consistently high service levels, a service provider needs to receive pertinent site data in real time. Traditional SSL VPN s one-directional connectivity (outside in) hinders a service provider s ability to offer management and monitoring services. IPSec connections, on the other hand, offer the desired two-way connectivity but, due to the costs associated with custom configuration management, are highly difficult to scale. This limits a service provider s ability to manage multiple sites for many different customers. ION recently released Services SSL VPN, a feature of its SA5600 site appliance and PRIISMS management software. Services SSL VPN offers new, remote connectivity, monitoring, and management options for service providers. Now, service providers can leverage the Internet to deliver enhanced, proactive managed services to customers of all sizes. With its uncomplicated set-up and bi-directional connectivity, Services SSL VPN marries service providers need for always-on, scalable access with customers desire for security compliance and predictable costs. How IPSec VPNs Inhibit Service Providers IPSec VPNs are Not Designed for Service Provider Access: IPSec VPNs were originally designed to provide connectivity between two offices, typically a corporate headquarters and a branch office. Essentially, the IPSec VPN served an extension of the corporate Wide Area Network (WAN), which helped companies reduce costs by centralizing technology resources. In today s highly collaborative business environment, companies must open their networks to all types of outside parties, from service providers, to vendor technicians, to consultants. Because IPSec was originally conceived to enable one-to-one connectivity between two trusted parties, opening up the network to outsiders creates both connectivity and security challenges. Costly Configurations Limit Scalability: One key requirement of IPSec VPNs is that compatible equipment is required at both ends of the tunnel. This can prove costly, as customers and services providers often have varied technical environments and would need to purchase and configure complementary hardware and software. Unfettered Network Access Opens Customers to Risk: IPSec VPNs were designed for site-to-site connectivity, often within a single corporate entity. As such, remote administrators using IPSec VPN for connectivity often have unlimited access to system resources. Due to heightened security concerns, customers are often required to have a role-based or permissions-based architecture to restrict access by service providers and remote administrators to designated systems only. Additionally, many customers require Page 2 of 9

a detailed audit report of all system activity. At worst, these security risks can inhibit a customer from working with a service provider. At best, these risks can translate into incremental and unwelcome equipment costs. How Traditional SSL VPNs Inhibit Service Providers Traditional SSL VPNs Meet Customers Security Requirements, But Not Service Providers Monitoring Needs: Traditional SSL VPN connections offer service providers sporadic access to a customer s network, typically for troubleshooting and repairs. However, because service providers cannot receive outbound traffic and alarms from a customer s network, service providers are unable to remotely monitor and manage customer devices. Traditional SSL VPN connectivity limits the service provider to reactive, break/fix services, rather than proactive, revenue-generating managed services. Scalability is Hindered by Custom Configurations: Each customer s network and security requirements are different. As such, setting up a traditional SSL VPN connection requires in-depth knowledge of each customer s unique operating environment. Considering the service provider has to manage thousands of customer sites worldwide, creating a custom configuration for each individual customer simply does not scale. Services SSL VPN Improves Service Delivery In August 2006, ION Networks released Services SSL VPN, a new element in its overall solution for secure, remote administration, management and monitoring. The original inspiration for the product came from one of ION s clients, a large, international service provider. This service provider sought a highly scalable way to boost revenue and simplify operations by delivering managed services to customers via the Internet. Services SSL VPN Simplifies Connectivity by Harnessing HTTPS to Easily Traverse Complex Enterprise Networks: Because the Services SSL VPN uses standard HTTPS ports to initiate a secure tunnel between the enterprise customer and service provider, there is no need to reconfigure firewalls or navigate through complex IT environments. As soon as ION s SA5600 appliance is placed on the customer site, it automatically establishes a connection from inside the network to the service provider s Network Operations Center (NOC). The customer sees and treats the connection just as it would an employee browsing the Internet. This makes it easy for service providers to connect to customer premise equipment using a variety of connectivity methods, including (but not limited to): broadband (ADSL/DSL/Cable modems) or leverage existing customer s Internet connectivity. Bi-Directional Connectivity via the Internet Enables Delivery of Revenue- Generating, Proactive Managed Services: Services SSL VPN is the first of its kind to create bi-directional, encrypted tunnels, which originate within the customer s network. This means service providers can have always-on, Internet connectivity to customer devices, enabling the delivery of key site data (for example, alarms and traps) in real time. As a result, the service provider can consistently monitor equipment and conduct proactive maintenance, a service option previously unavailable with traditional SSL VPN connectivity. Customers benefit from higher service levels, while service providers benefit from the additional, revenue-generating service options they can provide. Page 3 of 9

A Single Platform Means Scalability and Ease of Administration: With Services SSL VPN, there is no need for custom configurations. ION technology fits seamlessly into each customer s unique technology environment. Customers are in Control of Access, a Key Factor in Enabling Security-related Compliance: With ION s SA5600 site appliance (the host device for Services SSL VPN ), the customer can designate who may access the network, when they can access system resources, where they may access, and what they can do. A detailed audit log is dynamically produced for each session. This level of customer control (unavailable in IPSec VPNs and traditional SSL VPNs) is an essential component of a secure, compliant solution. In the competitive managed services marketplace, having awareness of, and a solution for customers security and compliance requirements can be the key differentiator between service providers and their competitors. Connectivity Method Comparison Comparing IPSec VPNs, Traditional VPNs and Services SSL VPN Feature IPSec VPN Traditional SSL VPN Services SSL VPN Bi-directional connectivity X X Site data (ex: alarms, traps) X X Strong authentication Proprietary X X Secure connectivity to customer network via ADSL, DSL, xdsl, Cable modem, Internet X X X Customer device access from any Internet connection X X Flexible equipment choices X X Ability to limit network access permissions X X Vendor Automatic NATing Dependent X Unlimited concurrent sessions Quick to deploy with no custom configurations Scalability to thousands of sites X X X Page 4 of 9

How it Works: IPSec VPN IPSec VPNs serve as a secure, point-to-point connection between two entities. The following illustrates the complexities associated with this approach: In order to set up an IPSec connection, the service provider must first coordinate with the customer s security, IT and, audit departments to outline customer-specific access and security protocols. Additionally, all parties must agree on which equipment will be used to make the IPSec connection and decide who will bear the respective costs. Due to a lack of role-based permissions, the customer may need to reconfigure its systems architecture. This would give the service provider access to designated systems, a requirement of many enterprise security policies. While IPSec offers always on, bi-directional connectivity, it requires custom configurations, as well as additional hardware and software costs. Additionally, the lack of visibility into service providers activities (audit / reporting) is likely to present security compliance issues for customers. Page 5 of 9

How it Works: Traditional SSL VPN Connection Because a traditional SSL VPN connection is initiated by the service provider (outside in), collaboration is required on both the part of the service provider and the customer. The following illustrates the complexities associated with this approach: First, the service provider must collaborate with the customer s security team to agree on access protocols. Then, the service provider must coordinate with the customer s information technology team to open the appropriate ports. Finally, this connection must be evaluated by a team of auditors to ensure compliance with security policies. This process slows the installation and taxes both service provider and customer resources. Additionally, the reconfiguration of security systems (for example, firewalls) will most likely be in direct conflict with customers security policies. At the end of the set-up process, the service provider only has one-way connectivity. This means that, despite the investment in time and resources, the service provider only has the ability to offer break/fix services, not real-time monitoring of customer devices. Page 6 of 9

How it Works: Services SSL VPN Connection With Services SSL VPN, connections initiate within the customer network (inside out). These connections are controlled and monitored by the customer via an ION SA5600 site appliance, which is located at the customer site. Once the ION appliance is installed at the customer site, it automatically generates a Services SSL VPN tunnel from inside the customer s network to the service provider s NOC. Now the service provider has instantaneous, bi-directional connectivity via the Internet without having to navigate through the network or change security policies. The customer views this new connection just as it would an employee browsing the Internet. The illustration below demonstrates the solution elements and benefits: Service providers can connect to the customer site via a variety of connectivity methods, including (but not limited to): ADSL/DSL, Internet, IP, or dial-up. After signing in by using an embedded, two-factor authentication token, the service provider is directed to the select device(s) via an encrypted Services SSL VPN tunnel. Meeting Customers Security Requirements: Key Services SSL VPN Differentiators Control Using the management features available in the SA5600 site appliance, the customer can precisely control: Who may access network devices Where they can go in the network When they are able to access network resources What they can do with each device Audit & Visibility With the SA5600 site appliance s built-in reporting function, customers have complete, real-time visibility into all activities on the network. This helps customers to meet stringent security and compliance requirements. Page 7 of 9

Key Services SSL VPN Solution Elements Required Administrative Access Point ION SA5600 Site Appliance The ION SA5600 is an administrative site appliance used by service providers and owners of distributed networks for both in-band and out-of-band secure access to a variety of devices. Management Software ION PRIISMS - Secure Administrative Gateway ION PRIISMS is a secure web-based application that provides centralized control over the security and administrative access policies of distributed and complex network device environments. Network administrators can configure, troubleshoot and manage consolidated or geographically dispersed critical infrastructure devices, in-band or out-of-band, remotely or from a central NOC. Recommended Tokens ION ST520 Soft Token ION s free, single-use tokens with multi-factor authentication eliminate the use of passwords, which can be easily compromised. The ION ST520 employs strong two-factor, triple-des, challenge/response authentication and is compatible with Microsoft Windows platforms, RIM Blackberry devices, and PalmOS PDAs. Page 8 of 9

Services SSL VPN : Benefits Service Providers Offer more revenue-generating services by expanding services portfolio to include proactive monitoring and management services via the Internet using ION s bi-directional Services SSL VPN. Manage thousands of sites worldwide, each with highly varying security and connectivity requirements. Get customers up and running quickly by offering a scalable, easy-to-install connectivity solution. Easily access customer premise equipment in sites all over the world via the Internet without having to navigate through customer networks or change security policies. Receive instant problem notification via real-time alarm delivery. Meet customer security policies by offering a solution that complies with security regulations and offers full audit capabilities. Differentiate yourself from competitors by proactively addressing customers security requirements and offering an easy, cost-effective solution. Customers Easily enable and control access for all service providers and remote administrators, using a single device. Comply with security requirements by having complete control of, and visibility into, a service provider s activities. At any given time, see who logged in, when they logged in, where they went, and what they did. Protect information assets via strong authentication and AES encryption. About (OTCBB: IONN.OB) is the most trusted name in remote administrative management and secure access technology. ION s suite of tools enables service providers, government and military agencies, and corporate IT resources to remotely manage, monitor, and secure critical voice and data networks. More than half of the world s top telecommunications firms rely on ION technology to ensure quality service for their customers. With over 50,000 devices deployed worldwide, ION s products are currently in use in over 35 countries. For more information, visit or call 800.722.8986 (US), +1 908.546.3900 (International). Page 9 of 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information