舍得的 2007-12-4 18:39
Juniper: Tips for Telework
Tips for telework
By Abby Tang
Solutions Marketing Manager
Juniper Networks Asia Pacific
[b]Introduction[/b]
Telenetworking, or telework, refers to working away from the office using
remote access networking technology. It can mean working from home (also called
telecommuting) and working ‘mobile’ such as from a hotel room or airport lounge.
Along with extranet access, which is remote access provided to partners or
vendors outside of the organization, telework enables the ‘extended enterprise’
concept of a distributed organization with geographically diverse resources and
staff.
[img]http://www.itmatters.com.ph/photos/abby.jpg[/img]
While telework can increase productivity, save costs and keep your business
running during emergencies, many organizations have experienced problems with
providing remote access solutions, typically those based on IPSec technology.
These problems include end-user frustration, high deployment costs, and
expensive ongoing support. IPSec-based access is also susceptible to
sophisticated and increasingly frequent cyber-attacks.
Virtual private networking (VPN) using Secure Sockets Layer (SSL) technology
offers an excellent alternative to an IPSec-based VPN solution. SSL VPNs address
the needs of diverse audiences that access administrator-specified corporate
resources from anywhere in the world, over a standard Internet connection, even
as access methods and users’ circumstances change.
Check out these 10 guidelines for effective telework using an SSL VPN.
[b]Step 1: Use Standard Web Browsers[/b]
By using only standard Web browsers (such as Firefox or Internet Explorer),
administrators eliminate the need to install a VPN client application on every
end-user device used for remote access. Unlike IPSec networking, where a full
software client must be loaded on each device, SSL VPN remote access is
client-less, saving cost and aggravation for both IT staff members and
end-users. Where a thin-client is needed for more sophisticated access, it can
be dynamically downloaded for the session. Best of all, this process is fully
automatic and transparent to end-users.
[b]Step 2: Set Up End-point Security[/b]
An SSL VPN appliance can also automatically perform a pre-authentication
assessment of end-user network and system attributes. This ensures a secure
environment before user credentials are exchanged. Where available, this "Host
Checker" feature can ascertain the security posture of the end-user device and
search for specific files and running processes, as well as registry settings,
on the connecting system. Checks can also require or restrict the connection to
specific network ports, verify the source IP address, and validate the presence
of digital certificates.
[b]Step 3: Configure Access Privilege Management[/b]
Define users’ access to applications and information resources with
sufficient granularity. Dynamic access privilege management can be determined
for each session and should be based on user identity, the type of connecting
device, administrator-defined Host Checker security controls, and network trust
levels. The result is best mapped to a granular resource access control policy
that specifically includes the URL, server, and application or file. This level
of control over application access is not only strong security, but also
supports regulatory compliance efforts by creating logs for auditing.
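The following is an added example, not Juniper code, modelling the pre-authentication Host Checker assessment of Step 2 and the dynamic role mapping to a granular resource policy of Step 3. The posture checks, process and file names, role names, trust rule and resource patterns are all constructed for illustration.

```python
"""Host Checker posture -> session role -> granular resource ACL (constructed)."""
from dataclasses import dataclass, field
import fnmatch

@dataclass
class Endpoint:
    """Attributes the VPN gateway observes about the connecting device."""
    source_ip: str
    device_type: str                      # "managed" or "personal" (constructed)
    running_processes: set = field(default_factory=set)
    files_present: set = field(default_factory=set)
    has_client_cert: bool = False

def host_check(ep: Endpoint) -> dict:
    """Pre-authentication checks run before credentials are exchanged."""
    return {
        "av_running":   "avengine.exe" in ep.running_processes,     # constructed
        "patch_marker": "/etc/corp-patch-level" in ep.files_present,  # constructed
        "client_cert":  ep.has_client_cert,
        "trusted_net":  ep.source_ip.startswith("10."),             # constructed
    }

def assign_role(user_group: str, ep: Endpoint) -> str:
    """Map identity + device type + posture + network trust to a session role."""
    posture = host_check(ep)
    if not (posture["av_running"] and posture["patch_marker"]):
        return "quarantine"                 # failed posture: remediation only
    if user_group == "partner":
        return "extranet"                   # extranet users never get full access
    if ep.device_type == "managed" and (posture["client_cert"] or posture["trusted_net"]):
        return "employee-full"
    return "employee-web"                   # personal device: web apps only

# Granular resource policy: role -> allowed URL/host patterns (constructed).
POLICY = {
    "quarantine":    ["https://remediate.example.com/*"],
    "extranet":      ["https://portal.example.com/partners/*"],
    "employee-web":  ["https://mail.example.com/*", "https://portal.example.com/*"],
    "employee-full": ["https://*.example.com/*", "tcp://fileserver.example.com:445"],
}

def is_allowed(role: str, resource: str) -> bool:
    """Default deny: allow only resources listed for the session's role."""
    return any(fnmatch.fnmatchcase(resource, pat) for pat in POLICY.get(role, []))
```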
[b]Step 4: Deliver Access to Multiple Types of Applications[/b]
With quality SSL VPN solutions, users are not limited to Web-enabled
applications only but also have remote access to non-Web applications and
information. These include traditional client/server applications such as MS
Outlook, IBM Lotus Notes, MSTS and Citrix ICA. End users can use these familiar
applications without the retraining required for Web-based variants.
[b]Step 5: Deliver Network Level Access to Those Who Need It[/b]
While an SSL VPN does not require software pre-installation, not all
solutions allow network level access. Where available, this type of access
provides the same level of network flexibility as traditional IPSec VPN
connections, but without the burden of IPSec client maintenance or potential
network snags, such as NAT issues.
Ideally, a dynamic lightweight client applet based on Java or ActiveX is
automatically downloaded after login to the remote machine. The applet would run
during the session without any user involvement or even awareness, and should be
supported on a wide range of user platforms, including Macintosh, Windows, and
Linux.
[b]Step 6: Tie Into the Existing User Authentication System[/b]
Your SSL VPN should interoperate with your existing user authentication and
PKI system. Whether your organization is using LDAP, RADIUS, NT Domains, ACE,
Unix NIS, or a local user database, the remote access solution should utilize
existing systems for user authentication and authorization and ensure higher
security.
[b]Step 7: Configure for "Always On" High Availability (HA)[/b]
High Availability (HA) is essential to ensure seamless failover with minimal
downtime. Check that the SSL VPN solution offers HA capability at reasonable
cost and overhead.
[b]Step 8: Configure Event Logging[/b]
Configure event logging to support business and security objectives. Events,
user-access and administrator activity all generate highly granular logs that
are stored locally, and can be sent out in SYSLOG format. User connections
should be fully logged and provide both access and usage information for
security, system provisioning and compliance auditing.
[b]Step 9: Customize User Interfaces (Optional)[/b]
Based on the specific user group or role, customisable sign-on Web pages
provide an individualized look and feel. Also, specific features and functions
can be made available or kept hidden from the user on the customised page. With
this functionality, a single investment in an SSL VPN can be leveraged across
various departments, tailored for specific team requirements. This customized
user interface capability is especially useful for extranet applications.
[b]Step 10: Configure Role-based Delegation[/b]
Your SSL VPN solution should support administrative separation, allowing the
main administrator to delegate system control of access policy configurations
and settings, giving team leaders direct ownership where it makes sense.
Role-based delegation can also support the leveraging of a single device across
various groups and is especially useful for extranet applications, offering
flexibility and enhancing cost effectiveness.
[b]Additional Steps for Higher Performance[/b]
Once an organization has followed these 10 easy steps and implemented a
secure telework environment, it can then take additional steps towards a
coordinated threat control posture around critical assets and optimisation of
WAN connectivity.
[b]Step 11: Implement Coordinated Threat Control[/b]
The increased need for remote access must be balanced with steps to ensure
valuable resources and assets are protected from intentional or unintentional
attacks, including viruses, Trojans, worms, and spyware. A common way of adding
security to a remote access deployment is to use Intrusion Detection and
Prevention (IDP) technologies. But simply deploying IDP behind an SSL VPN may be
inadequate: when malicious traffic is detected in such a deployment, it can be
difficult to correlate the malicious tunneled traffic to a specific user.
Your SSL VPN should allow the IDP solution to tie the session identity of the
SSL VPN with threat detection capabilities to effectively identify, stop, and
remediate both network and application-level threats within remote access
traffic.
In this configuration, when the IDP system detects a threat or any traffic that
breaks an administrator-configured rule, it signals the SSL VPN appliance, which
then uses that information to identify the user session that is the source of
the undesired traffic. It can then take action, including terminating the user
session, disabling the user’s account or mapping the user into a quarantine
role.
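The loop just described, as an added example rather than Juniper code: the SSL VPN holds a table of active sessions keyed by the tunnel address assigned to each client, an IDP alert carrying that address is mapped back to the owning session, and one of the three responses named above is chosen. The session table, alert fields, signature names and severity thresholds are constructed for illustration.

```python
"""Correlate an IDP alert to an SSL VPN session and pick a response (constructed)."""
from dataclasses import dataclass

@dataclass
class Session:
    session_id: str
    user: str
    tunnel_ip: str       # address the VPN assigned to the client for this session
    role: str

@dataclass
class IdpAlert:
    src_ip: str          # inner (tunnelled) source address seen by the IDP sensor
    signature: str       # constructed signature label
    severity: int        # constructed scale: 1 (info) .. 5 (critical)
    count: int           # repeats of this signature from the same source

# Constructed session table as the VPN appliance would hold it.
SESSIONS = {
    "10.200.0.7": Session("s-1001", "alice", "10.200.0.7", "employee-full"),
    "10.200.0.9": Session("s-1002", "bob",   "10.200.0.9", "employee-web"),
}

def correlate(alert: IdpAlert, sessions=SESSIONS):
    """Map the alert's source address to the owning VPN session, if any."""
    return sessions.get(alert.src_ip)

def choose_action(alert: IdpAlert) -> str:
    """Escalate: quarantine role, terminate session, or disable the account."""
    if alert.severity >= 5 or alert.count >= 10:
        return "disable-account"          # critical or persistent: lock the account
    if alert.severity >= 3:
        return "terminate-session"
    return "map-to-quarantine-role"       # low severity: restrict but keep session

def handle_alert(alert: IdpAlert, sessions=SESSIONS) -> dict:
    """Return the structured decision the VPN would log and enforce."""
    sess = correlate(alert, sessions)
    if sess is None:
        # Not VPN traffic: nothing to attribute, the IDP enforces on its own.
        return {"matched": False, "user": None, "action": "idp-block-only"}
    action = choose_action(alert)
    if action == "map-to-quarantine-role":
        sess.role = "quarantine"          # re-map the live session's role
    return {"matched": True, "user": sess.user,
            "session_id": sess.session_id, "action": action}
```

The structured result is what Step 8's logging should capture, so that the user, session and action taken are available for later audit.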
[b]Step 12: Optimize Web Application Connections[/b]
Because remote linkages will not likely have as much bandwidth as the
enterprise’s internal LAN, application acceleration platforms can drastically
reduce the time to access applications and boost web application usability and
acceptance, especially for remote and branch office users.
While an acceleration solution deployed to bolster a telework environment can
provide impressive speed boosts, ideally it should also specifically accelerate
SSL traffic for even more performance gains.
Abby Tang is Enterprise Solution Marketing Manager for Asia Pacific. She is
responsible for all enterprise strategic marketing planning for Juniper
Networks, Inc. in Asia including Japan. Before she joined NetScreen
Technologies, acquired by Juniper Networks in April 2004, Abby was the Product
Manager for Asia Pacific at Network Associates. She was the primary spokesperson
for three years in Asia Pacific. She has been instrumental in providing insight
and perspective about Internet security outbreak events such as Melissa,
Distributed Denial of Service (DDoS), LoveLetter, CodeRed, and Nimda on major
news networks and print outlets including CNN, CNET, China Entertainment TV,
Phoenix TV and South China Morning Post. Prior to moving to Asia, Abby was a
software developer and researcher at Network Associates Laboratory in Los
Angeles, California. In this position, she was responsible for a large number
of firewall proxy and authentication development projects. Working in advanced
security research, Abby has gained extensive experience in security policy,
intrusion detection systems, firewalls, encryption and authentication.
yinghui-08 2008-1-9 20:49
This looks really hard; I still think the Chinese version is better~~~~~