Remote-Access VPNs: Business Productivity, Deployment, and Security Considerations



Similar documents
Cisco ASA 5500 Series SSL / IPsec VPN Edition for the Enterprise

Cisco ASA 5500 Series VPN Edition for the Enterprise

Cisco ASA 5500 Series VPN Edition

Cisco IPsec and SSL VPN Solutions Portfolio

SSL-Based Remote-Access VPN Solution

Cisco IOS SSL VPN: Router-Based Remote Access for Employees and Partners

Cisco IOS SSL VPN: Router-Based Remote Access for Employees and Partners

Licenses are not interchangeable between the ISRs and NGX Series ISRs.

IPSec or SSL VPN? Copyright 2004 Juniper Networks, Inc. 1

The Cisco ASA 5500 as a Superior Firewall Solution

Why Switch from IPSec to SSL VPN. And Four Steps to Ease Transition

Best Practices for Outdoor Wireless Security

Cisco ASA 5500 Series Content Security Edition for the Enterprise

Cisco ASA 5500 Series Business Edition

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Cisco ASA 5500 Series Anti-X Edition for the Enterprise

PRODUCT CATEGORY BROCHURE

Cisco ASA 5500 Series SSL/IPsec VPN Edition

Cisco IOS SSL VPN: Router-Based Remote Access for Employees and Partners

Deploying Firewalls Throughout Your Organization

Virtual Private Networks Secured Connectivity for the Distributed Organization

SSL VPN Technical Primer

Cisco Cisco 3845 X X X X X X X X X X X X X X X X X X

Cisco ASA 5500 Series Content Security Edition for the Enterprise

Cisco Secure Remote Access Cisco ASA 5500 Series SSL/IPsec VPN Edition

SSL VPN vs. IPSec VPN

Internet Content Provider Safeguards Customer Networks and Services

Best Practices for Secure Remote Access. Aventail Technical White Paper

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Integrated Services Router with the "AIM-VPN/SSL" Module

Integrated Services Router with the "AIM-VPN/SSL" Module

INTRODUCING KERIO WINROUTE FIREWALL

Network protection and UTM Buyers Guide

Chapter 1 The Principles of Auditing 1

Cisco IPsec and SSL VPN Solutions Portfolio

Cisco ASA 5500 Series Firewall Edition for the Enterprise

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

Cisco ASA 5500 Series Firewall Edition for the Enterprise

SSL VPN Client Installation Guide Version 9

Cisco ASA 5500 Series IPS Edition for the Enterprise

PRODUCT CATEGORY BROCHURE. Juniper Networks SA Series

VPN_2: Deploying Cisco ASA VPN Solutions

Clean VPN Approach to Secure Remote Access for the SMB

Aventail White Paper. Comparing Secure Remote Access Options: IPSec VPNs vs. SSL VPNs

What the Experts Say

Using Entrust certificates with VPN

Cisco IWAN and Akamai Intelligent Platform : Maximize Your WAN Investment

NAC at the endpoint: control your network through device compliance

Cisco Adaptive Security Appliances and Citrix NetScaler Gateway citrix.com

Cisco Certified Security Professional (CCSP)

Astaro Gateway Software Applications

SECURE ACCESS TO THE VIRTUAL DATA CENTER

SA Series SSL VPN Virtual Appliances

MOBILITY & INTERCONNECTIVITY. Features SECURITY OF INFORMATION TECHNOLOGIES

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

Rolling Out New SSL VPN Service

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x

Mobile workforce management software solutions. Empowering the evolving workforce with an end-to-end framework

CISCO REMOTE ACCESS VPN SOLUTIONS

SSL VPN 1H03 Magic Quadrant Evaluation Criteria

IPS AIM for Cisco Integrated Services Routers

WHITEPAPER IPSEC VPN Vs. SSL VPN

Cisco Advanced Services for Network Security

Cisco IOS Advanced Firewall

Clean VPN Approach to Secure Remote Access

Deploying Cisco ASA VPN Solutions Exam.

Readiness Assessments: Vital to Secure Mobility

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Citrix Access Gateway

Mobile Devices and Malicious Code Attack Prevention

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

Cisco Unified MobilityManager Version 1.2

Cisco Small Business ISA500 Series Integrated Security Appliances

Managing Enterprise Security with Cisco Security Manager

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

The Internet of Things (IoT) and Industrial Networks. Guy Denis Rockwell Automation Alliance Manager Europe 2015

How Traditional Firewalls Fail Today s Networks And Why Next-Generation Firewalls Will Prevail

Providing Secure IT Management & Partnering Solution for Bendigo South East College

AVG AntiVirus. How does this benefit you?

Managing Enterprise Security with Cisco Security Manager

I d like our employees to be able to access all the files in our network that are important to them anywhere and anytime. Simply and securely.

END-TO-END SECURITY WITH SA SERIES SSL VPN APPLIANCES

Firewall and UTM Solutions Guide

SonicWALL Corporate Design System. The SonicWALL Brand Identity

Secure Remote Access Give users in office remote access anytime, anywhere

Course: Information Security Management in e-governance

Understanding VPN Technology Choices

Tech Brief. Enterprise Secure and Scalable Enforcement of Microsoft s Network Access Protection in Mobile Networks

RSA Solution Brief. RSA & Juniper Networks Securing Remote Access with SSL VPNs and Strong Authentication. RSA Solution Brief

Transcription:

Remote-Access VPNs: Business Productivity, Deployment, and Security Considerations Choosing Remote-Access VPN Technologies, Securing the VPN Deployment Defining Remote-Access VPNs Remote-access VPNs allow secure access to corporate resources by establishing an encrypted tunnel across the Internet. The ubiquity of the Internet, combined with today s VPN technologies, allows organizations to cost-effectively and securely extend the reach of their networks to anyone, anyplace, anytime. VPNs have become the logical solution for remote-access connectivity for the following reasons: Provides secure communications with access rights tailored to individual users, such as employees, contractors, or partners Enhances productivity by extending corporate network and applications Reduces communications costs and increases flexibility Using Remote-Access VPNs to Improve Business Productivity Anytime, anyplace network access gives employees great flexibility regarding when and where they perform their job functions. VPNs accommodate day extenders, employees who desire network access from home after hours and weekends to perform business functions such as answering e-mail or using networked applications. Using VPN technology, employees can essentially take their office wherever they go, thus improving response times and enabling work without interruptions present in an office environment. VPNs also provide a secure solution for providing limited network access to non-employees, such as contractors or business partners. With VPNs, contractor and partner network access can be limited to the specific servers, Webpages, or files they are allowed access to, thus extending them the network access they need to contribute to business productivity without compromising network security. Technology Options: IPsec and SSL VPNs There are two primary methods for deploying remote-access VPNs: IP Security (IPsec) and Secure Sockets Layer (SSL). Each method has its advantages based on the access requirements of your users and your organization s IT processes. While many solutions only offer either IPsec or SSL, Cisco remote-access VPN solutions offer both technologies integrated on a single platform with unified management. Offering both IPsec and SSL technologies enables organizations to customize their remote-access VPN without any additional hardware or management complexity. SSL-based VPNs provide remote-access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. It does not require any special-purpose client software to be pre-installed on the system; this makes SSL VPNs capable of anywhere connectivity from company-managed desktops and non-company-managed desktops, such as employee-owned PCs, contractor or business partner desktops, and Internet kiosks. Any software All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 6

required for application access across the SSL VPN connection is dynamically downloaded on an as-needed basis, thereby minimizing desktop software maintenance. SSL VPNs provide two different types of access: clientless and full network access. Clientless access requires no specialized VPN software on the user desktop. All VPN traffic is transmitted and delivered through a standard Web browser; no other software is required or downloaded. Since all applications and network resources are accessed through a Web browser, only Webenabled and some client-server applications such as intranets, applications with Web interfaces, e-mail, calendaring, and file servers can be accessed using a clientless connection. This limited access, however, is often a perfect fit for business partners or contractors who should only have access to a very limited set of resources on the organization s network. Furthermore, delivering all connectivity through a Web browser eliminates provisioning and support issues since no specialpurpose VPN software has to be delivered to the user desktop. SSL VPN full network access enables access to virtually any application, server, or resource available on the network. Full network access is delivered through a lightweight VPN client that is dynamically downloaded to the user desktop (through a Web browser connection) upon connection to the SSL VPN gateway. This VPN client, because it is dynamically downloaded and updated without any manual software distribution or interaction from the end user, requires little or no desktop support by IT organizations, thereby minimizing deployment and operations costs. Like clientless access, full network access offers full access control customization based on the access privileges of the end user. Full network access is a natural choice for employees who need remote access to the same applications and network resources they use when in the office or for any client-server application that cannot be delivered across a Web-based clientless connection. IPsec-based VPNs are the deployment-proven remote-access technology used by most organizations today. IPsec VPN connections are established using pre-installed VPN client software on the user desktop, thus focusing it primarily on company-managed desktops. IPSecbased remote access also offers tremendous versatility and customizability through modification of the VPN client software. Using APIs in IPsec client software, organizations can control the appearance and function of the VPN client for use in applications such as unattended kiosks, integration with other desktop applications, and other special use cases. Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. SSL VPNs offer additional features such as easy connectivity from non-companymanaged desktops, little or no desktop software maintenance, and user-customized Web portals upon login. Table 1 compares the two technologies. Table 1. Comparing IPsec and SSL VPN Technologies Characteristics Application and Network Resource Access End-User Access Method End-User Access Device Options Desktop Software Requirements SSL (using full network access) and IPsec VPNs offer broad access to virtually any application or network resource SSL VPNs are initiated using a Web browser IPsec VPNs are initiated using pre-installed VPN client software SSL VPN enables access from company-managed, employee-owned, contractor and business partner desktops, as well as Internet kiosks IPsec VPN enables access primarily from company-managed desktops Only a Web browser is required for SSL VPN IPsec VPN requires proprietary pre-installed client software All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 5

Characteristics Desktop Software Updates Customized User Access Basic SSL VPN access can operate without any special-purpose desktop software, thus no updates are required. Full network application access is provided using software that automatically installs and updates without any user knowledge or intervention. IPsec VPNs can automatically update, but is more intrusive and requires user input SSL VPNs offer granular access policies to define what network resources a user has access to, as well as user-customized Web portals IPsec offers granular access policies, but no Web portals Which To Deploy: Choosing Between IPsec and SSL VPNs IPsec is a widely deployed technology that is well-understood by end users and has established IT deployment support processes. Many organizations find that IPsec meets the requirements of users already using the technology. But the advantages of dynamic, self-updating desktop software, ease of access for non-company-managed desktops, and highly customizable user access make SSL VPNs a compelling choice for reducing remote-access VPN operations costs and extending network access to hard-to-serve users like contractors and business partners. As such, organizations often deploy a combination of SSL and IPsec approaches. IPsec is commonly left in place for the existing installed base. SSL is deployed for new users, users with anywhere access requirements, contractors, and extranet business partners. By offering both technologies on a single platform, Cisco remote-access VPN solutions make the choice simple deploy the technology that is optimized for your deployment and operating environment. Table 2 summarizes the issues to consider when evaluating which VPN technology best fits your operating environment. Table 2. Choosing a Remote-Access VPN Technology SSL VPN IPsec VPN Anywhere Access from Non-Company-Managed Devices, such as Employee-Owned Desktops and Internet Kiosks Business Partner Access User-Customized Access Portals Minimized Desktop Support and Software Distribution Greatest Flexibility to the End-Users Greatest VPN Client Customizability Ability to Maintain Existing IT Deployment and Support Processes Remote-Access VPN Security Considerations Worms, viruses, spyware, hacking, data theft, and application abuse are considered among the greatest security challenges in today s networks. Remote-access and remote-office VPN connectivity are common points of entry for such threats, due to how VPNs are designed and deployed. For both new and existing IPsec and SSL VPN installations, VPNs are often deployed without proper endpoint and network security. Unprotected or incomplete VPN security can lead to the following network threats: Allows remote-user VPN sessions to bring malware into the main office network, causing virus outbreaks that infect other users and network servers Allows users to generate unwanted application traffic, such as peer-to-peer file sharing, into the main office network causing slow network traffic conditions and unnecessary consumption of expensive WAN bandwidth All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 5

Enables theft of sensitive information, such as downloaded customer data, from a VPN user desktop Enables hackers to hijack remote-access VPN sessions, providing the hacker access to the network as if they were a legitimate user To combat these threats, the user desktop and the VPN gateway that the user connects to must be properly secured as part of the VPN deployment. User desktops should have endpoint security measures such as data security for data and files generated or downloaded during the VPN session, anti-spyware, antivirus, and personal firewall. The VPN gateway should offer integrated firewall, antivirus, anti-spyware, and intrusion prevention. Alternatively, if the VPN gateway does not provide these security functions, separate security equipment can be deployed adjacent to the VPN gateway to provide appropriate protection. Cisco remote-access VPN solutions offer threat-protected VPN services with full firewall, antivirus, anti-spyware, intrusion prevention, application control, and full endpoint security capabilities. These security services are integrated into the VPN platform, delivering a threat-protected VPN solution without any additional equipment, design, deployment, or operational complexity. Steps to Securing the Remote-Access VPN Technologies required for mitigating malware such as worms, viruses, and spyware and for preventing application abuse, data theft, and hacking exist in the security infrastructure of many organizations networks. In most cases, however, they are not deployed in such a way that they can protect the remote-access VPN, due to the native encryption of VPN traffic. While additional security equipment may be purchased and installed to protect the VPN, the most cost-effective and operationally efficient method of securing remote-access VPN traffic is to look for VPN gateways that offer native malware mitigation and application firewall services as an integrated part of the product (Figure 1). Figure 1. Securing the Remote-Access VPN External Security Equipment or Security Services Integrated on the VPN Gateway All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 5

Cisco Remote-Access VPN Solutions Cisco Systems offers a variety of remote-access VPN solutions customized for small, mediumsized, and large organizations. Available on the Cisco ASA 5500 Series VPN Edition and Cisco integrated services routers, Cisco remote-access solution features include Web-based clientless access and full network access without pre-installed desktop VPN software, threat-protected VPN to guard against malware and hackers, cost-effective pricing with no hidden "per-feature" licenses, and single-device solutions for both SSL and IPSec-based VPNs that deliver robust remote access and site-to-site VPN services from a single platform. The Cisco ASA 5500 Series Security Appliance is Cisco's most advanced SSL VPN solution, delivering concurrent user scalability from 10 to 10,000 sessions per device and tens of thousands of sessions per cluster through integrated load balancing. Converging VPN services with comprehensive threat defense technologies, the ASA 5500 Series delivers highly customizable remote network access while providing fully secured connectivity. Cisco Integrated Services Routers enable organizations to use their existing router deployment to provide full tunnel SSL VPN capabilities to as many as 200 concurrent users. Integrating security, industry-leading routing, and converged data, voice, and wireless with Cisco IOS SSL VPN provides a highly manageable and cost-effective network solution for small and medium-sized businesses and organizations. Acknowledgements This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) Next Steps To learn more about remote-access VPNs or to find the solution that best fits your organizational processes and access requirements, please visit http://www.cisco.com/go/sslvpn, contact Cisco at All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5

800 553-NETS or 408 526-4000, or locate a Cisco VPN/Security Specialized Partner at http://tools.cisco.com/wwchannels/locatr/jsp/partner_locator.jsp?page=partner_withincountry_cont ent. Printed in USA C11-360982-02 02/08 All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information