To survive and thrive in an increasingly competitive world, forward-thinking organizations are encouraging workforce mobility and access agility: the ability for workers to transparently access any business application everywhere, at any time, from anywhere, using any device, over any network.
Several obstacles prevent organizations from providing access agility today. The first is the need to protect business applications and information from unauthorized disclosure and abuse, not only for the obvious business reasons but especially to comply in a confusing, evolving, and unforgiving regulatory environment (e.g., SOX, GLB, HIPAA). To satisfy these security needs, an organization must provide granular, resource-based access based on the level of trust it can establish for a given user, which may vary depending on access location and device.
The proliferation of devices and communications networks that workers use today to access business applications poses numerous obstacles. Access agility encompasses far more than a worker connecting to the corporate network from a company-owned laptop, using company-installed software, over a modem connection. Workers must access diverse business applications from the most convenient device available, at any time and place, using any network. It is no longer practical to deploy secure access solutions that rely on resident client software. Moreover, secure access solutions must perform well over networks that exhibit vastly different topologies, throughput, and latency.
A final obstacle is the need to protect the organization at large from a relentless stream of malicious attacks that may originate from the devices workers use to access business applications. Viruses, worms, blended threats, spam, and spyware are more prevalent today than ever before. Such attacks drain IT and network resources, threaten privacy and company reputation, and hamstring user productivity.
Organizations must have solutions to block attacks from every possible point of entry, including remotely connected devices.
Today's secure remote access solutions fall short of satisfying these requirements. In fact, the business objective of secure, everywhere access cannot be met until we discard existing paradigms and invent and adopt solutions that achieve a high degree of end-user transparency and accessibility (access agility), provide granular policy control, and are, by design, able to adapt to and accommodate new device, OS, application, and access technologies.
IPSec Remote Access: Too much and too hard?
IPsec is an effective solution for site-to-site Virtual Private Networking, but it is now abundantly clear that IPsec is a severely limited solution for remote access. Adopters of IPsec-based secure remote access must work within a world of inherent constraints, the sum of which all but eliminates it as an "everywhere access" VPN solution.
IPsec deployment is fraught with addressing complexities. The widespread use of network address translation (NAT) and private addressing will forever limit IPsec deployment. VPN administrators cannot predict whether IPsec users will succeed in connecting to corporate networks because they simply cannot be certain where NAT is applied and what addresses are used in the remote network. Because the IPsec standards offer so little help, VPN administrators must also manage internal addressing: are addresses dynamically assigned, and from what pool? How are routing and security policies affected by such assignment? What if assignments change? Simply put, standard IPsec won't work everywhere.
IPsec has a limited authentication and authorization policy model. Standard IPsec provides mutual authentication of client and server using digital certificates or shared-secret passwords. In practice, both authentication methods prove impractical. Shared-secret passwords provide dangerously weak authentication and prove unmanageable in large, multi-organizational user deployments. The expense and complexity of issuing client certificates in IPsec deployment scenarios often lead organizations to consider token- or challenge-response-based authentication, which standard IPsec supports poorly. Proprietary and interim solutions exist, but they are complicated and saddled with their own vulnerabilities. The information IPsec VPNs use for policy definition is insufficient to satisfy the authorization policies organizations desire, or are obliged, to define in today's regulated environments. To compensate, organizations must create complicated user-, group-, or constituency-specific policies to limit user access.
IPsec perpetuates an obsolete security model. IPsec creates an IP- or network-level tunnel (connection) between a client computer and a VPN security gateway. This means that every remote user is directly connected, at the network perimeter, to part of, or the entirety of, an organization's trusted network.