To thrive in an increasingly competitive world, forward-thinking organizations are encouraging workforce mobility. Read this white paper by security expert David Piscitello for an assessment of the key attributes of a secure remote access solution and how you can benefit from replacing your IPSec VPN.
Why Replace Your IPSec for Remote Access
David Piscitello
To survive and thrive in an increasingly competitive world, forward-thinking organizations are encouraging workforce mobility and access agility, the ability for workers to transparently access any business application everywhere: at any time, from anywhere, using any device, over any network.
Several obstacles prevent organizations from providing access agility today. The first is the need to protect business applications and information from unauthorized disclosure and abuse, not only for the obvious business reasons but especially to comply with a confusing, evolving, and unforgiving regulatory environment (e.g., SOX, GLB, HIPAA). To satisfy these security needs, an organization must provide granular, resource-based access based on the level of trust it can establish for a given user, which may vary depending on access location and device.
The second obstacle is the proliferation of devices and communications networks that workers use today to access business applications. Access agility encompasses far more than a worker connecting to the corporate network from a company-owned laptop, using company-installed software, over a modem connection. Workers must access diverse business applications from the most convenient device available, at any time and place, using any network. It is no longer practical to deploy secure access solutions that rely on resident client software. Moreover, secure access solutions must perform well over networks that exhibit vastly different topologies, throughput, and latency.
A final obstacle is the need to protect the organization at large from a relentless stream of malicious attacks that may originate from devices used by workers to access business applications. Viruses, worms, blended threats, SPAM, and spyware are more prevalent today than ever before. Such attacks drain IT and network resources, threaten privacy and company reputation, and hamstring user productivity. Organizations must have solutions to block attacks from every possible point of entry, including remotely connected devices.
Today's secure remote access solutions fall short of satisfying these requirements. In fact, secure, everywhere-access business objectives cannot be met until we discard existing paradigms, and invent and adopt solutions that achieve high degrees of end-user transparency and accessibility (access agility), granular policy control, and are, by design, able to adapt to and accommodate new device, OS, application, and access technologies.

IPSec Remote Access: Too much and too hard.
IPsec is an effective solution for site-to-site Virtual Private Networking, but it is now abundantly clear that IPsec is a severely limited solution for remote access. Adopters of IPsec-based secure remote access must work within a world of inherent constraints, the sum of which all but eliminates it as an "everywhere access" VPN solution.
IPsec deployment is fraught with addressing complexities. The widespread use of network address translation (NAT) and private addressing will forever limit IPsec deployment. VPN administrators cannot predict whether IPsec users will succeed in connecting to corporate networks because they simply cannot be certain where NAT is applied and what addresses are used in the remote network. Because the IPsec standards offer so little help, VPN administrators must also manage internal addressing: are addresses dynamically assigned, and from what pool? How are routing and security policies affected by such assignment? What if assignments change? Simply put, standard IPsec won't work everywhere.
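One concrete reason NAT interferes with standard IPsec is that an integrity check computed over the IP header no longer verifies once a gateway rewrites the source address. The Python model below is an added illustration, not code from the white paper: it builds a simplified AH-style integrity check value (ICV) that covers the addresses and an ESP-style ICV that covers only the encapsulated payload, using a constructed key and constructed addresses, and shows which one survives a NAT rewrite.

```python
import hmac
import hashlib

# Constructed demo key for this illustration; a real SA key is negotiated by IKE.
KEY = b"constructed-demo-key"


def addr_bytes(addr: str) -> bytes:
    """Encode a dotted-quad IPv4 address as four bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """Simplified AH-style ICV: covers the (immutable) IP addresses and the payload.
    Any change to src or dst, such as a NAT rewrite, changes the expected ICV."""
    return hmac.new(KEY, addr_bytes(src) + addr_bytes(dst) + payload, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """Simplified ESP-style ICV: covers only the encapsulated payload, so the
    outer IP header may be rewritten without invalidating it."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def nat_rewrite(src: str, dst: str, payload: bytes, public_src: str):
    """Model a NAT gateway replacing the private source address with its public one."""
    return public_src, dst, payload


def ah_survives_nat(private_src: str, dst: str, payload: bytes, public_src: str) -> bool:
    """Return True only if the AH-style ICV still verifies after NAT."""
    sent_icv = ah_icv(private_src, dst, payload)
    src, dst, payload = nat_rewrite(private_src, dst, payload, public_src)
    return hmac.compare_digest(sent_icv, ah_icv(src, dst, payload))


def esp_survives_nat(private_src: str, dst: str, payload: bytes, public_src: str) -> bool:
    """Return True only if the ESP-style ICV still verifies after NAT."""
    sent_icv = esp_icv(payload)
    _, _, payload = nat_rewrite(private_src, dst, payload, public_src)
    return hmac.compare_digest(sent_icv, esp_icv(payload))


if __name__ == "__main__":
    # Constructed addresses: private client behind NAT, public NAT address, VPN gateway.
    args = ("192.168.1.10", "203.0.113.5", b"constructed payload", "198.51.100.7")
    print("AH-style ICV verifies after NAT:", ah_survives_nat(*args))    # False
    print("ESP-style ICV verifies after NAT:", esp_survives_nat(*args))  # True
```

The model omits port rewriting, which is why ESP in practice still needs UDP encapsulation (NAT traversal) to pass through many NAT devices; the page's point stands either way: the administrator cannot know in advance which rewrites a given remote network will apply.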
IPsec has a limited authentication and authorization policy model. Standard IPsec provides mutual authentication of client and server using digital certificates and shared secret passwords. In practice, both authentication methods prove impractical. Shared secret passwords provide dangerously weak authentication and prove unmanageable in large, multi-organizational user deployments. The expense and complexities associated with issuing client certificates in IPsec deployment scenarios often lead organizations to consider token- or challenge-response-based authentication, and standard IPsec supports these poorly. Proprietary and interim solutions exist, but are complicated and saddled with their own vulnerabilities. The information IPsec VPNs use for policy definition is insufficient to satisfy the authorization policies organization... [download for more]