Data Sheet. NCP Secure Enterprise VPN Server Next Generation Network Access Technology

Similar documents
Data Sheet. NCP Secure Enterprise VPN Server. Next Generation Network Access Technology

How To Make A Network Secure For A Business

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

Data Sheet. NCP Secure Enterprise Client Windows. Next Generation Network Access Technology

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

Release Notes. NCP Secure Enterprise VPN Server. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

1. New Features and Enhancements in Service Release 9.31 Build 104

NCP Secure Enterprise Management Next Generation Network Access Technology

Understanding the Cisco VPN Client

Service "NCPCLCFG" is not running In this case, increase the WaitForConfigService setting until the problem is circumvented

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Configuring GTA Firewalls for Remote Access

Proof of Concept Guide

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers

TABLE OF CONTENTS NETWORK SECURITY 2...1

Gigabit SSL VPN Security Router

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Ensuring the security of your mobile business intelligence

Citrix MetaFrame XP Security Standards and Deployment Scenarios

SonicOS 5.9 / / 6.2 Log Events Reference Guide with Enhanced Logging

axsguard Gatekeeper IPsec XAUTH How To v1.6

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Secure remote access to your applications and data. Secure Application Access

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Technical Notes TN 1 - ETG FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection?

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Application Note: Onsight Device VPN Configuration V1.1

This section provides a summary of using network location profiles to identify network connection types. Details include:

Case Study for Layer 3 Authentication and Encryption

Millbeck Communications. Secure Remote Access Service. Internet VPN Access to N3. VPN Client Set Up Guide Version 6.0

SVN5800 Secure Access Gateway

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

VPN. Date: 4/15/2004 By: Heena Patel

DrayTek Vigor High Performance Firewall Router. - VPN - Up to 200 concurrent tunnels. - Load Balancing & Failover between WAN ports

Chapter 5 Virtual Private Networking Using IPsec

Cisco RV 120W Wireless-N VPN Firewall

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

FortiOS Handbook - Authentication VERSION 5.2.6

VPN. VPN For BIPAC 741/743GE

A Guide to New Features in Propalms OneGate 4.0

District of Columbia Courts Attachment 1 Video Conference Bridge Infrastructure Equipment Performance Specification

VPN R Administration Guide. 15 October Classification: [Protected]

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. October

Virtual Private Network and Remote Access Setup

How to configure VPN function on TP-LINK Routers

Ensuring the security of your mobile business intelligence

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

WatchGuard SSL v3.2 Update 1 Release Notes. Introduction. Windows 8 and 64-bit Internet Explorer Support. Supported Devices SSL 100 and 560

Virtual Private Network and Remote Access

Cisco Cisco 3845 X X X X X X X X X X X X X X X X X X

FileCloud Security FAQ

Integrated Services Router with the "AIM-VPN/SSL" Module

How to configure VPN function on TP-LINK Routers

NETASQ MIGRATING FROM V8 TO V9

Remote Access Clients for Windows

MetaFrame Presentation Server Security Standards and Deployment Scenarios Including Common Criteria Information

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Secure web transactions system

TheGreenBow VPN Client. User Guide

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Cisco RV220W Network Security Firewall

Table of Contents. Cisco Cisco VPN Client FAQ

Corporate VPN Using Mikrotik Cloud Feature. By SOUMIL GUPTA BHAYA Mikortik Certified Trainer

Branch Office VPN Tunnels and Mobile VPN

Endpoint Security VPN for Mac

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Administrator's Guide

Sophos UTM. Remote Access via IPsec. Configuring UTM and Client

Advanced Administration

Mobile Admin Security

Deploying iphone and ipad Security Overview

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Integrated Services Router with the "AIM-VPN/SSL" Module

Introduction to the EIS Guide

ipad in Business Security

Common Remote Service Platform (crsp) Security Concept

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Network Access Security. Lesson 10

Comparing Mobile VPN Technologies WHITE PAPER

REQUEST FOR PROPOSAL FOR SUPPLY & INSTALLATION OF Firewall. Bill of Material

SingTel VPN as a Service. Quick Start Guide

The All-in-One Support Solution. Easy & Secure. Secure Advisor

Chapter 6 Basic Virtual Private Networking

AnyConnect VPN Client FAQ

SSL SSL VPN

Chapter 8 Virtual Private Networking

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

User Authentication. FortiOS Handbook v3 for FortiOS 4.0 MR3

The BANDIT Products in Virtual Private Networks

NEFSIS DEDICATED SERVER

Chapter 4 Virtual Private Networking

Transcription:

Data Sheet NCP Secure Enterprise VPN Server Next Generation Network Access Technology Hybrid IPsec / SSL VPN gateway software Universal platform for remote access to the company network Integrated IP routing and firewall features Integration of iphone, ipad, ios, Andoid, Windows Phone/Mobile and Blackberry Fallback IPsec / HTTPS (NCP VPN Path Finder Technology ) Bandwidth management Network Access Control* FIPS inside Multi-tenancy Endpoint Security (SSL VPN) FIPS 140-2 Inside Easy Virtualization, perfect for Cloud VPN Elliptic Curve Cryptography (ECC) Multi Processor Support Universality NCP's Secure Enterprise VPN Server is a component of NCP's comprehensive VPN solution based on NCP's Next Generation Network Access Technology. The VPN gateway integrates mobile and stationary teleworker into one cross-company data network. The software can be installed on a standard PC running on Windows or Linux and can be used as central switching and monitoring tool behind a firewall in the DMZ (Demilitarized zone) or directly on the public network (Wide Area Network) or as VM Ware. In IPsec environments, NCP's Secure Enterprise VPN Server is compatible to VPN gateways of established third-party suppliers. It is a universal remote access platform that offers connectivity for all NCP clients and, what is more, for all third party VPN clients based on the IPsec standard. The solution is further based on international standards and can be smoothly integrated into already existing IT infrastructure. The modular software architecture of NCP's Secure Enterprise VPN Server offers companies a high degree of planning and investment security. It is possible to scale the number of remote users and VPN tunnels according to need. Management/Multi-tenancy Multi-tenancy or "multi company support", enables the concurrent use of a VPN gateway by several companies (resource sharing). Administrators of the connected companies are able to use a comfortable access management system to manage their respective NCP VPN clients*. The NCP Secure Enterprise Server also now contains a virtual network interface adapter, which is particularly important for cloud and Software as a Service (SaaS) provider environments. It can completely seal off data communication from the gateway operator and surrounding operating systems, and better protect it by decrypting the data, automatically forwarding it into a different VPN tunnel and re-encrypting it. In large remote access VPN networks with several VPN gateways, NCP's High Availability Services ensure high availability and consistent workload for all installed VPN gateways. Flexible user management can be executed directly via the VPN gateway or back-end systems, such as RADIUS LDAP or MS Active Directory. Integrated IP routing and firewall functionalities ensure connectivity and security for networking a branch office for example. Administrators configure and manage the NCP Secure Enterprise VPN Server via the NCP Secure Enterprise Management through plug-in or a web interface. The management feature serves for central control and monitoring of all VPN components. Integrated automatisms optimize performance, ensure transparency, security and economical efficiency of the VPN solution. Page 1 of 5

NCP VPN Path Finder With its unique "NCP VPN Path Finder" NCP provides a technology that enables users to use secure remote access even behind firewalls, whose port settings generally deny IPsec communication (e.g. in hotels). Security/Strong Authentication The NCP Secure Enterprise VPN Server supports all standards for highly secure data transfer in all remote access environments. The NCP server supports strong authentication features such as one-time-password-tokens (OTP), text messages (SMS) or hard and software certificates and certificates with elliptic curve cryptography. Based on revocation lists, the server verifies the validity of certificates relative to the Certification Authority offline or online at each dial-in. The NCP Advanced Authentication integrates a Two-Factor Authentication with a One-Time Password (OTP) in the Secure Enterprise Management via SMS. Each password is created by a random number generator within the NCP Advanced Authentication Connector. Endpoint Security and Sandbox (Network Access Control = NAC**) The security status of mobile and stationary end-devices is verified prior to the device gaining access to the corporate network. All parameters are defined centrally and the teleworkers' access rights depend on their compliance to them. For IPsec VPN access, the options are "disconnect" or "continue in the quarantine zone". For an SSL VPN access, authorization to certain applications will be granted on the basis of pre-defined security levels. During the SSL VPN session all data is stored in NCP's Virtual Private Desktop (Sandbox), which is a work space that is separated from the operating system. After the SSL VPN session has been terminated, the sandbox automatically deletes all data from this container. This means, meeting the security policies is mandatory for each end-device and the user can neither avoid nor manipulate them. With NCP's Secure Client Suite teleworkers have transparent access to all network applications and features - just like in the office. This also includes Voice over IP. It is possible to assign an NCP Secure Client the same IP address at each connection setup. This IP address is a private IP address from the address range of the company. This enables identification of each teleworker through his IP address and simplifies remote administration and support for the user. With dynamic assignment of an IP address from a pool, the system reserves the address for a certain user within a defined period (lease time). In case changing IP addresses are used, the NCP Secure Enterprise VPN Server also supports Dynamic DNS (DynDNS) for reachability of the VPN gateway. NCP's SSL VPN solution offers the following options for access to the company network: Web Proxy - This module provides authorized users with secure access to internal web applications. Port Forwarding - The Thin Client provides access to Client-/Server Applications (TCP/IP). Connection to local client applications (http enabled) via port forwarding. The system automatically downloads the Thin Client to the end-device and is required for additional security options like cache protection, endpoint security and NCP's Virtual Private Desktop. PortableLAN The Fat Client offers transparent network access and has to be installed on each end device. For detailed information, please refer to the separate data sheet of the NCP SSL VPN Server. *) Only in connection with NCP's Secure Enterprise Management **) Network Access Control is a fixed part of NCP's SSL VPN Gateways. An IPsec VPN, however, requires the use of NCP's Secure Enterprise Management. IPsec and SSL Using the NCP Secure Enterprise VPN Server, companies are able to set up data connections to their company network on the basis of a IPsec and/or SSL VPN. Page 2 of 5

Technical Data IPsec VPN and SSL VPN general Operating Systems 32 bit: Windows 2003 Server, Windows 2003 R2, Windows Server 2008 Linux Kernel 2.6 as of 2.6.16 (distributions on request) 64 bit: Windows Server 2008, Windows Server 2008 R2, Windows 2012 / 2012 R2 Linux Kernel 2.6 as of 2.6.16 (distributions on request) Management Network Access Control (Endpoint Security ) Administrators configure and manage NCP's Secure Enterprise VPN Server via the NCP Secure Enterprise Management through VPN Server plug-in or a web interface. Endpoint Policy Enforcement for incoming data connections. Verification of predefined, security-relevant client parameters. Measures in the event of target/actual deviations in IPsec VPN: Disconnect or continue in the quarantine zone with instructions for action (Message box) or start of external applications (e.g. virus scanner update), logging in Log files (Please refer to the Secure Enterprise Management data sheet for more information). Measures in the event of target/ actual deviations in SSL VPN: Individual grading of access authorization to certain applications in accordance with defined security levels. Dynamic DNS (DynDNS) DDNS Network Protocols Multi-Tenancy User Administration Statistics and Logging FIPS Inside IF-MAP FIPS 140-2 Inside Client/User Authentication Processes Connection set up via Internet with dynamic IP addresses. Registration of each current IP address with an external Dynamic DNS provider. In this case the VPN tunnel is established via name assignment (prerequisite: The VPN client has to support DNS resolution - as do NCP Secure Clients) Registration of the connected VPN clients at the Domain Name Server via DDNS, reachability of the VPN client under a (permanent) name in spite of changing IP address IP, VLAN support Group capability; support of max. 256 domain groups (i.e. configuration of: authentication, forwarding, filter groups, IP pools, bandwidth limitation, etc.) Local user administration (up to 750 users); OPT server; RADIUS; LDAP, Novell NDS, MS Active Directory Services Detailed statistics, logging functionality, sending SYSLOG messages The IPsec client integrates cryptographic algorithms according to the FIPS standard. The embedded cryptographic module, containing the corresponding algorithms, is certified according to FIPS 140-2 (Certificate #1051). If you use one of the following algorithms for set-up and encryption of an IPsec connection, FIPS compatibility is always given: Diffie Hellman-Group: Group 2 or higher (DH starting from a length of 1024 Bit) Hash Algorithms: SHA1, SHA 256, SHA 384 or SHA 512 Bit Encryption algorithms: AES with 128, 192 and 256 Bit or Triple DES The overall aim of the ESUKOM Project is the design and development of a real time security solution for company networks which works on the basis of consolidating meta data. The special focus of the project is the threat resulting from mobile end-devices, e.g. smartphones. ESUKOM focuses on the integration of existing security solutions (commercial and open source) which are based on a consistent meta data format according to IF-MAP specifications of the Trusted Computing Group (TCG). The IF-MAP server of the Hannover University of Applied Science and Arts can currently be used for free-ofcharge testing. The URL is: http://trust.f4.hs-hannover.de/ OTP token, certificates (X.509 v.3): User and hardware certificates (IPsec), user name and password (XAUTH) Certificates (X.509 v.3) Server Certificates Revocation Lists Online Check It is possible to use certificates which are provided via the following interfaces: PKCS#11 interface for encryption tokens (USB and smart cards); PKCS#12 interface for private keys in soft certificates Revocation: EPRL (End-entity Public-key Certificate Revocation List, formerly CRL), CARL (Certification Authority Revocation List, formerly ARL), Automatic downloads of revocation lists from the CA at certain intervals; Online check: Checking certificates via OCSP or OCSP over http Page 3 of 5

IPsec VPN and SSL VPN - dial-in management Communication Media LAN; direct operation on the WAN: Support of max. 120 ISDN B-channels (So, S2M) Line Management Point-to-Point Protocols Pool Address Management Trigger Call DPD with configurable time interval; Short Hold Mode; channel bundling (dynamic in ISDN) with freely configurable threshold value; timeout (controlled by time and charges) PPP over ISDN, PPP over GSM, PPP over PSTN, PPP over Ethernet; LCP, IPCP, MLP, CCP, PAP, CHAP, ECP Reservation of an IP address from a pool within a defined period (lease time) Direct dial of the distributed VPN gateway via ISDN, "knocking in the D-channel" IPsec VPN Virtual Private Networking Internet Society RFCs and Drafts Encryption Firewall VPN Path Finder IPsec (Layer 3 tunneling), RFC-conformant; automatic treatment of MTU size, fragmentation and reassembly; DPD; NAT-Traversal (NAT-T); IPsec modes: Tunnel Mode, Transport Mode; Seamless Rekeying; PFS. RFC 2401 2409 (IPsec), RFC 3947 (NAT-T negotiations), RFC 3948 (UDP encapsulation), IP Security Architecture, ESP, ISAKMP/Oakley, IKE, IKEv2 (incl. MOBIKE), XAUTH, IKECFG, DPD, NAT Traversal (NAT-T), UDP encapsulation, IPCOMP Symmetric processes: AES 128,192,256 bits; Blowfish 128,448 bits; Triple-DES 112,168 bits; dynam ic processes for key exchange: RSA to 4096 bits; Diffie-Hellman Groups 1,2,5,14-21, 25, 26; hash algorithm: MD5, SHA1, SHA 256, SHA 384, SHA 512 Stateful Packet Inspection; IP-NAT (Network Address Translation); port filtering; LAN adapter protection NCP Path Finder Technology: Fallback IPsec/ HTTPS (port 443) if port 500, respectively UDP encapsulation is not possible (Prerequisite: NCP Secure Enterprise VPN Server 8.0) Seamless Roaming Authentication Processes IP Address Allocation Data Compression With Seamless Roaming, the system automatically connects the VPN tunnel to a different Internet communication medium (LAN/ WiFi/ 3G/ 4G) without changing the IP address, so that the communication of the application through this tunnel is not interfered with and the application's session is not disconnected. IKE (Aggressive and Main Mode), Quick Mode; XAUTH for extended user authentication; support of certificates in a PKI: Soft certificates, smart cards, USB tokens, certificates with ECC technology; Pre-shared keys; one-time passwords and challenge response systems; RSA SecurID ready. DHCP (Dynamic Host Control Protocol) over IPsec; DNS: Selection of the central gateway with changing public IP address by querying the IP address via a DNS server; IKE config mode for dynamic assignment of a virtual address to clients from the internal address range (private IP). IPCOMP (lzs), Deflate Recommended System Requirements Computer CPU: Pentium III or higher or compatible CPU RAM: 512 MByte minimum plus 0.256 MByte per simultaneously used VPN tunnel; i.e. 64 MByte with 250 concurrently usable VPN tunnels Data Throughput (including symmetric encryption): Single Core: data throughput [MBit/s]» clock rate [MHz]/150 MHz*8.5 MBit/s. Dual Core: data throughput [MBit/s]» clock rate [MHz]/150 MHz*12.5 MBit/s. Triple Core: data throughput [MBit/s]» clock rate [MHz]/150 MHz*15.5 MBit/s. Quad Core: data throughput [MBit/s]» clock rate [MHz]/150 MHz*17.5 MBit/s. As can be seen in the approximation formula for data throughput above, a further increase in the number of CPU cores does not provide for an increase in proportion to data throughput Page 4 of 5

Recommended VPN clients / compatibility NCP Secure Entry Clients NCP Secure Enterprise Clients Third Party VPN Clients Windows 32/64, Mac OS, Windows Mobile, Android Windows 32/64, Mac OS, Windows Mobile, Android, Windows CE, Linux, Symbian ios SSL-VPN Protocols Web Proxy Secure Remote File Access* Port Forwarding NCP Virtual Private Desktop Cache Protection for Internet Explorer 7, 8 and 9 PortableLAN Single Sign-on SSLv1, SSLv2, TLSv1 (Application Layer Tunneling) Access to internal web applications and Microsoft network drives via a web interface. Prerequisites for the end device: SSL-capable web browser with Java Script functionality Upload and download, creating and deleting directories, approximately corresponds to the functionalities of the File Explorer under Windows. Prerequisites for the end-device: See Web Proxy Access to client/server applications (TCP/IP), Prerequisites for the end-device: SSL-capable web-browser with Java Script functionality, Java Runtime Environment (>= V5.0) or ActiveX, SSL Thin Client for Windows 7(32/64 Bit), Windows Vista (32/64 Bit), Windows XP (32/64 Bit) and Linux The Virtual Private Desktop is a work space which is disconnected from the basic operating system and only temporarily available during one SSL VPN session. Any application which the user starts in this work space, is disconnected from the operating system and the virtual private desktop stores the application data in an AES-encrypted container, for example attachments to emails. After the SSL VPN session has been terminated, the sandbox automatically deletes all data from this container. All transmitted data will be automatically deleted from the end-device after disconnect. Prerequisites for the end-device: SSL-capable web-browser with Java Script functionality, Java Runtime Environment (>= V5.0), SSL Thin Client for Windows 7 (32/64 Bit), Windows Vista (32/64 Bit), Windows XP (32/64 Bit) Transparent access to the corporate network. Prerequisites for the end-device: SSL-capable web-browser with Java Script functionality, Java Runtime Environment (>= V5.0) or ActiveX control, PortableLAN Client for Windows 7 (32/64 Bit), Windows Vista (32/64-Bit), Windows XP (32/64 Bit) Single sign-on is used in all those cases in which the web server logon requires the same access data as the SSL VPN Client. It is possible to centrally manage user ID and password via Active Directory, RADIUS or LDAP. Depending on the application, you can distinguish between single sign-on with HTTP authentication (Basic (RFC2617), HTTP Digest (RFC2617) and NTLM (Microsoft)) and single sign-on according to the post-form method. Single Sign-on has been tested with Web applications like Outlook Web Access (OWA) 2003, 2007 and 2010, RDP Client and CITRIX Web interface 4.5, 5.1. Single Sign-on with Port Forwarding is only supported by applications that are able to accept parameter (like user ID and password) in their command line. Recommended System Requirements* Number of Concurrent Users Computer 1-100 Concurrent User CPU: Intel Dual Core 1,83 GHz or comparable x86 Processor, 1024 MB RAM 200+ Concurrent User CPU: Intel Dual Core 1,83 GHz or comparable x86 Processor, 1024 MB RAM *) depends on the type of end-device. Mobile end-devices like Tablet PCs (using IOS or Android), Smartphones, PDAs and others have some restrictions. **) The given values are recommended values that are strongly influenced by user attitudes / applications. If there are many simultaneous data transfers (data uploads and downloads) to calculate, we recommend raising the above given memory values by a factor of 1.5. Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information