
Remote access


IT Solutions that Work℠

Overview

Allowing employees to work from home or while on the road has many cost-saving benefits. Additionally, allowing business partners to access certain applications on your network is an important function in the supply chain. In healthcare, providers often wish to securely access health records or practice management software remotely for some work in the evening or early morning.

But is this secure? Is there a chance an eavesdropper will intercept the connection? How can you be assured that your remote teleworkers connect securely and are not themselves injecting viruses and Trojans into your systems?

There are serious reasons to be concerned, because each day more regulations governing the protection of privacy across numerous industries come into force. Aside from the serious liability and penalties that may accrue, the damage to an organization's reputation may be irreparable.

The solution to this problem is not unique to any one industry, be it healthcare, financial services, insurance or eCommerce. We need to distinguish between permanent and on-demand remote access.

Permanent Remote Access

The applications for a Permanent Remote Access solution may be a remote office, a partner site, or a teleworker who regularly works from home or a fixed remote location. The solution that works best and is most secure is to install a VPN-capable firewall/router at the remote location, establish an IPsec tunnel, and configure the business and firewall rules that govern which assets this connection has the right to use. We also recommend that, when installing in the home, the firewall/router is configured to isolate the home user's 'family' traffic from the traffic destined for the corporate network. The same applies to partner networks.

We have several cost effective solutions that we have tested, deployed and support, so please contact us for further information.

On Demand Remote Access

There are primarily two distinct methods for on-demand remote access. One involves a 'secure client' running on the endpoint device and a secure firewall/router at the host location (typically where your servers are located), while the other uses a 'remote access appliance' at the host site and a standard browser on the endpoint device for access. We will briefly discuss each:

Secure Client Solutions

Secure client solutions work by establishing an encrypted VPN tunnel between the endpoint (a remote device such as a laptop) and the host firewall. Once established, traffic to and from the host site is transmitted in encrypted form. The endpoint appears as if it were locally connected to the host, just as it would if it were directly connected in the office. There are a few technical nuances in configuration that need to be considered when deploying this scheme, and they can have a major bearing on the security of this type of solution.

We have deployed countless solutions using this method so please contact us to learn how we can help you.

Remote Access Appliance

The remote access appliance includes support for the aforementioned client solution if desired, but also offers significantly more control and other features. Foremost among them are the ability to use a standard browser to access host applications and the ability to control which applications each user can access. This is a big difference: whereas the secure client VPN makes the endpoint (and its user) a node on the host's local LAN, the VPN appliance only allows a user to access specific authorized applications. They cannot even see, let alone access, other non-authorized resources. This greatly reduces the risk of data breach and attacks.

Another important feature of the VPN appliance is the enforcement of endpoint policies before a connection is allowed. Endpoint Security enforces access restrictions based upon customizable policies such as anti-virus, anti-spyware and firewall status. If the endpoint does not have up-to-date anti-virus signatures, for example, access is not granted. When access is denied in this way, the user is often presented with a link to 'fix' the problem, such as a link to the site where they can update their anti-virus signatures in our example.

The VPN Appliance solution offers several other technical security measures that 'hide' the underlying network from would-be intruders, thereby denying several avenues of typical hacker access.
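As an added illustration (not L4Networks' code, nor Cyberoam's or Juniper's), the following Python models the two appliance controls described above: endpoint posture enforcement with a remediation link returned on denial, and per-user application authorization in which a resource outside the user's allow-list is simply not reachable, rather than the user becoming a node on the LAN. The signature-age threshold, group names, hostnames and remediation URLs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy value: signatures older than this count as out of date.
MAX_SIGNATURE_AGE = timedelta(days=3)

# Constructed remediation links, shown to a denied user so they can fix the problem.
REMEDIATION_LINKS = {
    "antivirus_running": "https://intranet.example/fix/antivirus",
    "signatures_current": "https://intranet.example/fix/av-signatures",
    "antispyware_running": "https://intranet.example/fix/antispyware",
    "firewall_enabled": "https://intranet.example/fix/firewall",
}


@dataclass(frozen=True)
class EndpointReport:
    """What the endpoint agent reports about the device's security posture."""
    antivirus_running: bool
    signatures_updated: date
    antispyware_running: bool
    firewall_enabled: bool


def check_posture(report, today):
    """Return [(failed_check, remediation_link), ...]; an empty list means policy is met.
    Every failing check is reported so the user sees all remediation links at once."""
    failures = []
    if not report.antivirus_running:
        failures.append("antivirus_running")
    elif today - report.signatures_updated > MAX_SIGNATURE_AGE:
        # Signature age is only meaningful when the product is actually running.
        failures.append("signatures_current")
    if not report.antispyware_running:
        failures.append("antispyware_running")
    if not report.firewall_enabled:
        failures.append("firewall_enabled")
    return [(name, REMEDIATION_LINKS[name]) for name in failures]


# Constructed application policy: each group may reach only these (host, port) pairs.
APP_POLICY = {
    "clinicians": {("ehr.internal.example", 443), ("pms.internal.example", 3389)},
    "partners": {("orders.internal.example", 443)},
}
# Constructed directory lookup (in practice supplied by LDAP/Active Directory/RADIUS).
USER_GROUPS = {
    "dr.smith": {"clinicians"},
    "acme-vendor": {"partners"},
}


def authorized_apps(user):
    """Applications the user's portal shows: the union of their groups' allow-lists.
    An unknown user or group yields the empty set, i.e. default deny."""
    apps = set()
    for group in USER_GROUPS.get(user, set()):
        apps |= APP_POLICY.get(group, set())
    return apps


def gateway_decision(user, report, host, port, today):
    """Posture is checked first, then per-application authorization; all else is denied."""
    failures = check_posture(report, today)
    if failures:
        return {"granted": False, "reason": "posture", "remediation": failures}
    if (host, port) not in authorized_apps(user):
        return {"granted": False, "reason": "unauthorized", "remediation": []}
    return {"granted": True, "reason": "ok", "remediation": []}


# Constructed sample endpoints and a fixed "today" so the example is reproducible.
TODAY = date(2011, 6, 1)
HEALTHY_ENDPOINT = EndpointReport(True, date(2011, 5, 31), True, True)
STALE_AV_ENDPOINT = EndpointReport(True, date(2011, 5, 20), True, True)
NO_FIREWALL_ENDPOINT = EndpointReport(True, date(2011, 5, 31), True, False)


def demo():
    """Run four access requests against the policy and return (granted, reason) for each."""
    cases = [
        ("dr.smith", HEALTHY_ENDPOINT, "ehr.internal.example", 443),
        ("dr.smith", STALE_AV_ENDPOINT, "ehr.internal.example", 443),
        ("acme-vendor", HEALTHY_ENDPOINT, "ehr.internal.example", 443),
        ("acme-vendor", NO_FIREWALL_ENDPOINT, "orders.internal.example", 443),
    ]
    results = []
    for user, report, host, port in cases:
        decision = gateway_decision(user, report, host, port, TODAY)
        results.append((decision["granted"], decision["reason"]))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The ordering matters for the user experience the text describes: a device that fails posture is told what to fix before any application is even evaluated, and a compliant partner asking for a clinician-only host is refused without learning anything about it beyond "unauthorized".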


Client Access Solutions

All that is needed for the Secure Client Access solution is a secure firewall/router, as discussed in the firewall/router section. To recap, both the Cyberoam and Fortinet routers are excellent and support this solution. The Cyberoam firewall appliance also has a mini SSL VPN module that offers some of the features of their full SSL VPN Appliance (below). We call it "SSL VPN Lite", and while it does have some benefits, it is not a substitute for a full-blown SSL VPN Appliance.

SSL VPN Appliance Solution

We currently support the Cyberoam and Juniper line of SSL VPN appliances. Both offer excellent security. Please contact us to discuss which appliance best fits your needs.

Cyberoam SSL VPN Appliance


Feature: Description

Application Support: allows access to virtually any application, including all TCP, 802.11x and UDP applications, Microsoft Outlook, FTP, Citrix and Microsoft Terminal Servers. Even custom or proprietary applications and protocols are supported by the Cyberoam SSL VPN.

Secure Firewall Traversal: traversal of TCP/UDP allows local desktops to access UDP-based remote data services without segregating the network, exposing UDP port ranges to hackers, using routable IP addresses, or publishing internal routes externally. Cyberoam SSL VPN works alongside existing firewalls and NAT devices.

Authentication and Authorization Architecture: supports different group access policies via leading protocols (LDAP, Active Directory, RADIUS, and more).

Centralized Access Control: manages granular access control by source, destination, domain name, user group, port, host, or network, thereby increasing security and dramatically simplifying firewall configuration.

Single Mode Connectivity: enables remote access to any application, including web-enabled and legacy applications, through a simple interface with the look and feel of the user's native desktop.

Load Balancing and High Availability: automatically distributes application network traffic among multiple VPN servers, with integrated failover to available servers.

SSL VPN Application Access: SSL VPN users may access applications from a standard portal interface or directly from their desktop, for an IPsec-like "in office" experience.

Clientless Browser-based Access: provides secure remote access to applications through a web browser. No clients to install or maintain.

Endpoint Security: enforces endpoint policies (anti-virus, anti-spyware and firewall status) before access is granted, as described in the Remote Access Appliance section above.

Juniper SA Series Appliance


Feature / Description / Benefits

Cross-platform support
  Description: Ability for any platform to gain access to resources, such as Windows, Mac, Linux, or various mobile devices including iPhone, Windows Mobile, Symbian, and Android.
  Benefits: Provides flexibility in allowing users to access corporate resources from any type of device using any type of operating system.

Junos Pulse
  Description: Single, integrated remote access client that can also provide LAN access control, WAN acceleration, and dynamic VPN features to remote users, in conjunction with Juniper Networks Unified Access Control, WXC Series Application Acceleration Platforms, and SRX Series Services Gateways.
  Benefits: Pulse replaces the need to deploy and maintain multiple, separate clients for different functionalities such as VPN, LAN access control, and WAN acceleration. By seamlessly integrating all of these functions into one single, easy to use client, administrators can save on client management and deployment costs to end users.

Clientless core Web access
  Description: Access to web-based applications, including complex JavaScript, XML, or Flash-based applications and Java applets that require a socket connection, as well as standards-based email like Outlook Web Access (OWA), Windows and UNIX file shares, telnet/SSH hosted applications, terminal emulation, Sharepoint, and others.
  Benefits: Provides the most easily accessible form of application and resource access from a variety of end user machines, including handheld devices; enables extremely granular security control options; completely clientless approach using only a Web browser.

Secure Application Manager (SAM)
  Description: A lightweight Java or Windows-based download enabling access to client/server applications.
  Benefits: Enables access to client/server applications using just a Web browser; also provides native access to terminal server applications without the need for a preinstalled client.

Network Connect (NC)
  Description: Provides complete network-layer connectivity via an automatically provisioned, cross-platform download; Windows Logon/GINA integration for domain single sign-on (SSO); installer services to mitigate the need for admin rights.
  Benefits: Users only need a Web browser. Network Connect transparently selects between two possible transport methods to automatically deliver the highest performance possible for every network environment. When used with Juniper Installer Services, no admin rights are needed to install, run, and upgrade Network Connect; optional standalone installation is available as well.

Host Checker
  Description: Client computers can be checked both prior to and during a session to verify an acceptable device security posture, requiring installed/running endpoint security applications (antivirus, firewall, other). Also supports custom-built checks including verifying ports opened/closed, checking files/processes and validating their authenticity with Message Digest 5 (MD5) hash checksums, verifying registry settings, machine certificates, and more. Includes a cache cleaner that erases all proxy downloads and temp files at logout.
  Benefits: Verifies/ensures that endpoint devices meet corporate security policy requirements before granting access, remediating devices and quarantining users when necessary. Also ensures that no potentially sensitive data is left behind on the endpoint device.

Resource authorization
  Description: Provides extremely granular access control to the URL, server, or file level for different roles of users.
  Benefits: Allows administrators to tailor security policies to specific groups, providing access only to essential data.

Granular auditing and logging
  Description: Can be configured to the per-user, per-resource, per-event level for security purposes as well as capacity planning.
  Benefits: Provides fine-grained auditing and logging capabilities in a clear, easy to understand format.

UAC-SA Federation
  Description: Seamlessly provision SA Series user sessions into Juniper Networks Unified Access Control upon login, or, as an alternative, provision UAC sessions into the SA Series. Users need to authenticate only one time to get access in these types of environments.
  Benefits: Provides users, whether remote or local, seamless access with a single login to corporate resources that are protected by access control policies from UAC or the SA Series. Simplifies the end user experience.

High availability options
  Description: Clustering options for performance scalability to handle the most demanding usage scenarios.
  Benefits: Provides redundancy and seamless failover in the rare case of a system failure.

Web-based single sign-on
  Description: Allows users to access other applications or resources that are protected by another access management system without reentering login credentials.
  Benefits: Alleviates the need for end users to enter and maintain multiple sets of credentials for web-based and Microsoft applications.

VDI (Virtual Desktop Infrastructure) support
  Description: Allows interoperability with VMware View Manager and Citrix XenDesktop to enable administrators to deploy virtual desktops with SA Series appliances.
  Benefits: Provides seamless remote user access to virtual desktops hosted on VMware or Citrix servers. Provides dynamic delivery of the Citrix ICA client or the VMware View client, including dynamic client fallback options to allow users to easily connect to their virtual desktops.

In Case of Emergency (ICE)
  Description: Provides licenses for a large number of additional users on an SA Series SSL VPN Appliance for a limited time when a disaster or epidemic occurs.
  Benefits: Enables a company to continue business operations by maintaining productivity, sustaining partnerships, and delivering continued services to customers when the unexpected happens.

Anti-malware support with Enhanced Endpoint Security
  Description: Dynamically downloads Webroot's market-leading anti-malware software to enforce endpoint security on devices which may not be corporate-assigned computers being used for network access.
  Benefits: Protects endpoints from malware infection in real time and thereby protects corporate resources from harm during network access.

Juniper Networks Network and Security Manager
  Description: Intuitive centralized UI for configuring, updating, and monitoring SA Series appliances within a single device/cluster or across a global cluster deployment.
  Benefits: Enables companies to conveniently manage, configure, and maintain SA Series appliances and other Juniper devices from one central location.


Copyright © 2004-2011 L4Networks™