Using untrusted Networks for Corporate Communications
Transcription
Using untrusted Networks for Corporate Communications
Using untrusted Networks for Corporate Communications September 2002 Dan Meier UBS Telecom & Network Services Agenda ! Secure Remote Access ! Mobile Computing ! Solution Engineering ! Challenges ! Visions ! Q&A T&N Dan Meier NewMax_Pres_SSS.ppt Page 1 Glo bal A U y p Ha p cce ss sers “F Mo s U e l i b Ac c s r e es s Co ntr ol ull Se cu ri t y ” T&N Dan Meier NewMax_Pres_SSS.ppt Page 2 Company Information UBS AG, biggest Swiss Bank Managed Assets Net Profit 2‘257 Milliarden CHF 6 Milliarden CHF Worldwide 70'000 employees, Switzerland 29'000 3‘200 IT employees “Biggest SW-Company" in CH IT Facts & Figures 15 Unisys Mainframes --> IBM OS/390 SSP > 4'000 Server, > 40'000 PCs and Notebooks > 700 Router, > 1'700 Switches, > 40 Firewalls T&N Dan Meier NewMax_Pres_SSS.ppt Page 3 Mobile Computing The Facts ♦ Remote Access Policy ♦ One standardised Notebook Model ♦ 4'000 Notebooks ♦ Smartcard Integration ♦ 10'000 online hours / month ♦ „Thin Clients“ / One - Click - Client ♦ Global Access Control T&N Dan Meier NewMax_Pres_SSS.ppt Page 4 Mobile Computing User Requirements Business Requirements Requirements IT Requirements Security Requirements Ease of Use Cost Effective Standards Authentication Mobile Support “Working Tool” Release Integration Smartcard Support Broadband Support Worldwide Access DMZ Integration Encryption Low Cost Charging 7 / 24 Availability High Availability Access Control 7 / 24 Support Process Integration IPSEC Standard Full Integration Investment Cost " Audit Trail Operation cost " PC Security National/Internat. Ease of use Functionality T&N Dan Meier Standards NewMax_Pres_SSS.ppt Security Page 5 Mobile Computing es The Solution Path m is Business Pro Project Evaluation a e l e R s e s Decision Engineering Test s ce ur so Re Pr o Signoff Integration Rollout ble ms Operation T&N Dan Meier NewMax_Pres_SSS.ppt Page 6 Solution Engineering Architecture International Remote Access Domain Server ProviderADFSA net Mail Intranet ADFSA Swiss ADFSA Carrier DMZ Carrier ADFSA net Domestic Remote Access Data Server SOHO Integration T&N Dan Meier NewMax_Pres_SSS.ppt Corporate Network Page 7 Solution Engineering How it works 5 1 PKI Authorisation 2 3 4 7 Internet ProviderADFSA netIPSEC / VPN Tunnel 6 Remote Access ! Establish Connection DMZ 8 ! Authenticate User ! Establish VPN Tunnel ! Provide “Restricted Access” T&N Dan Meier Corp. Network NewMax_Pres_SSS.ppt Page 8 Solution Engineering The User GUI D • One Click Client o m e • 4 step Connection Manager • Automatic Device - Recognition • Live Phonebook Update • Integrated HelpFunction T&N Dan Meier NewMax_Pres_SSS.ppt Page 9 Solution Engineering Certificate Authority CA card PIN mailer new Card Information Server Certificate Information Smartcard Setup SingleSignOn Authentication with Certificate = or Automatic Password handover PASS = Smartcards Issuer or User T&N Dan Meier NewMax_Pres_SSS.ppt Page 10 Challenges Obstacles # Resources # Time # Money # Evaluation / Implementation Qual # Technologie Edge T&N Dan Meier Reso urces ity Time NewMax_Pres_SSS.ppt Page 11 Challenges Problems Problems Engineering Engineering Phase Phase Escalation Problem Problem Reporting Reporting MSI–Problem MSI–Problem API–Problem API–Problem GINA-Problem GINA-Problem Silence Silence Time Time Cost Cost Resources Resources Escalation Escalation Weekly Weekly Conf.Calls Conf.Calls Problem Problem Tracking Tracking Dedicated Dedicated Engineers Engineers Quality T&N Dan Meier NewMax_Pres_SSS.ppt Page 12 CRL CRL IP (international) Initial Configuration DHCP PPP Ethernet Modem LAN Gateway Others Remote Access Authentication Service TCP Encryption (3DES) IP T&N Dan Meier t t t t International Access IPSEC User- DB CP VPN-1 Modul TCP VPN Protocol Soft Certificate X.509v3 PKCS#11 DH (Diffie Hellman)) Crypto Store Provider t Ethernet Access Method User Database CP FW-1 Modul ( Diffie Hellman)) CSP DH Crypto API Middleware Restricted Access Control NAT CP Secure Client (Personal Firewall) VPN Interface Smart Card X.509v3 Authentication Transport Access One Click Client (Remax 6.0) t Media Technology tt Client GUI Challenges IP (national) t PPP SWISSSWISS-Access Access Gateway DialDial-in RAS t NewMax_Pres_SSS.ppt Page 13 Visions PDA Integration PDA Client GPRS th o o t Blue Public Network nel n u T VPN / C IPSE VPN / FW Terminal Server Web Server External Access Internal Access Mail Server Synch Server Palm Calendar Server T&N Dan Meier NewMax_Pres_SSS.ppt Page 14 Summary Cos t Standa r ds T&N Dan Meier Full Sec urit Ha y Us ppy er s n io at gr te In y s a E n o i t a r e Op le ng i i b t o u M p m o C a t a D n o i t c e t o Pr NewMax_Pres_SSS.ppt Page 15 Questions & Answers [email protected] T&N Dan Meier NewMax_Pres_SSS.ppt Page 16