Information Security in Real Business MSIT 458: Information Security

Information Security in Real Business MSIT 458: Information Security and Assurance Asian Connection and Craig

Secure Remote Access for Company XYZ Provide remote users secure access to internal corporate network resources – 1000 user company Remote users access the perimeter network from public Internet Quantity of the threats are progressing and complexity is increasing – “Bot Nets” The end-points are hard to secure and network security is a corporate standard How do we trust the remote users while verify they are secure Provide authenticated secure connection for remote users

Secure Remote Access for Company XYZ Why this problem is a general one that comes across multiple industry/education/government sectors? Globalization – Companies have operations outside the US Talent pool – No longer constrained by geographic limitations Remote users - Increase in demand for users to work remotely

Global Setup Frankfort Chicago Singapore 4

Secure Remote Access for Company XYZ Remote Users Asia - 9 countries (100 users) Europe – 10 countries (120 users) Americas – 4 countries (780 users) Security Verifications Validate virus definitions files and active monitoring Verify windows patches are current Isolate worm virus from entering corporate network

Existing State for Company XYZ Users login through the public Internet using VPN client access No Virus Checking Patch Management is not verified The user can use any computer with VPN client – no way to enforce corporate approved machines No validation for malware or bot net infected machines

Business Applications Email and SharePoint Business Intelligence Tools SAS & ETL Tools Business Data Structured Unstructured File Server Data Warehousing ERP Systems

User Landscape Remote Users Global Remote Offices DSL connections Home Users – Broadband Connections Partners Local and Off Shore – DSL / Public Internet Higher Level privileges – above guest access

Technical Solution Symantec Network Admission Control End Point Product is currently being used for Anti-Virus and Client security “Single Pane of Glass” – One Management Interface is used to manage Anti-Virus, Client Firewall, Client Intrusion Prevention System and Network Admission Control Microsoft Certificate Administration Management is built into 2008 Active Directory

Technical Solution 1. User attempts to connect to vpn.xyz.com 2. Cisco ASA validates user Certificate with Windows 2008 Certificate Server VLAN 0 VLAN 1 Certificate ASA Server Firewall 1 2 AD Symantec Endpoint Protection Internet 3 - OK Antivir us Remote employees or partners 10 Symantec Gateway Enforcer Security Patterns Network Access Control (NAC)

Technical Solution 3. If Certificate is valid, information is passed back through the Cisco ASA and the user is allowed access to VLAN0 4. Computer information is passed to the Symantec Gateway Enforcer Gateway Enforcer checks for policy information from Symantec Endpoint Protection Server VLAN 0 VLAN 1 Certificate ASA Server Firewall 1 2 AD Internet 3 - OK Remote employees or partners 11 Symantec Endpoint Protection 3 4 Symantec Gateway Enforcer 4 Antivir us Security Patterns Network Access Control (NAC)

Technical Solution 5 . Gateway Enforcer compares remote computer security with policy from Symantec Endpoint Protection - If computer is not compliant information is presented to the user on steps needed to become compliant 6. When computer is compliant access is granted to internal VLAN VLAN 0 Certificate ASA Server Firewall 1 2 AD Internet 3 - OK Remote employees or partners 12 5 – Policy Check VLAN 1 6 Symantec Endpoint Protection 3 4 Symantec Gateway Enforcer 4 Antiviru Security Patter s Network Access Control (NAC)

Technical Solution 7. Computer Connects locally to our network - Network Access Control performs policy check 8. NAC will also determine what resources local users can access VLAN 0 Certificate ASA Server Firewall 1 2 AD Internet 3 - OK Remote employees or partners 13 5 – Policy Check VLAN 1 6 Symantec Endpoint Protection 3 4 Symantec Gateway Enforcer 4 Antiviru Security s Patterns Network Access Control (NAC)

Research Findings Cisco NAC appliances are expensive There is integration with Microsoft’s Network Access Protection. (This can be utilized as we migrate to Windows 2008 and the next Desktop OS we roll-out) Uses optional dissolvable or permanent agent or scanning function Need to define how they will integrate 802.1x enforcement Symantec Uses the existing Endpoint infrastructure Uses dissolvable agent or agentless scanning option for non-Symantec endpoints. They have a separate model for 802.1x enforcement Source: Gartner Research 14

Cost Comparison Symantec One Time Cost Cisco One Time Cost On-Going Symantec On-Going Cisco 27,000 125,000 2,700 22,000 25000 46,000 2,500 9,500 5000 65,000 57,000 236,000 5,200 31,500 Hardware NAC Hardware Software Client Licensing and Microsoft SA Installation Consulting Total 15

Requirements Requirement Symantec Cisco ( 200K) Yes No Ease of Use Yes No Interoperability Yes Yes Ease of Training Yes No Warranty Yes Yes Customer Support Yes Yes

Some of the Consequences Better protection for corporate assets against: Trade secret leakage Malwares, botnets, viruses, worms, etc Ensuring proper usage of corporate resources Trade off between additional security vs. additional operational overhead Increasing IT support staff 24x7 support availability Initial time to establish connection is longer than the traditional VPN Additional complexity requiring training for nontechnical users