
Page 1: an – Excitor company

Copyright Giritech A/S

Page 2: Secure Enterprise Application Mobilization

Secure access from user ... to applications ... without compromising on security and usability ... and to my PC in the office.

Page 3: Solution Scenarios

• Working from home
• Continuity of operations
• Secure access for external contractors
• When you travel
  ○ Without a laptop
  ○ With an iPad tablet
  ○ With your laptop
• Secure access via wireless networks
• Securing the device without managing the device
  ○ G/On OS – The Bootable Option

Page 4: Boot of PC from G/On USB Token

G/On OS:
• Turns an unknown PC into a known and managed device
• Boots from the G/On USB Smart Token on Wintel & Mac HW
• Loads a G/On specific, hardened Linux operating system
• Can only connect to the corresponding G/On Server
• Provides a Linux desktop
  ○ Configuration of network connections (Cable/Wireless/Mobile Broadband)
  ○ Browser (Firefox)
  ○ Rdesktop for Remote Desktop Access through G/On
  ○ Citrix ICA client for Citrix access through G/On
  ○ Filezilla for FTP file upload and download via G/On
  ○ Access to a minimum set of standard Linux tools
• An ideal, cost-effective option for many organizations:
  ○ With a policy for access from managed devices only
  ○ Looking for the ultimate secure solution
  ○ For instance: Local & Federal Government, Police, Banks, Law firms, Accountants, ...

Page 5: What G/On delivers

G/On is an integrated client/server enterprise software solution that gives the right access, for the right users, to the right applications, under the right circumstances.

Diagram: G/On Clients (Windows, Mac, Linux, iPad, iPhone); G/On Gateway Server; User Directory; Application Servers = Secure Access.

The G/On Client is deployed on multiple platforms and formats and provides easy access to the applications.

See www.excitor.com for more mobile client options via integration with Excitor DME.

The G/On Gateway Server controls all access to the application servers.

Page 6: G/On – an integrated solution

• User Authentication: Strong 2-factor, mutual authentication – challenge/response protocol and smart card options.
• Device Isolation and Independence: Virtual application connection keeps devices off the network and keeps data off the device. SW on USB with bootable options.
• Protection of data in transit: 256-bit AES encryption. FIPS 140-2 compliant on Windows.
• Dynamic ”Firewall”: Single port access and only for authenticated users authorized for applications. Built-in proxies for RDP, HTTP, SOCKS.
• Managed Application Access: User menu of apps and their connection. Managed by server side with single sign-on for Citrix, RDP and Web apps.

Diagram: Internet; G/On; corporate resources (Email, Navision, R&D Server, Servers, CRM Database, PCs).

One single product:
- Easy for IT: Install, Configure, Deploy and Manage
- Easy to use: Windows, Mac, Linux, and iOS

Page 7: G/On – Secure Application Access

G/On authenticates users and creates encrypted, individually authorized, and managed connections from application client programs to corporate IT services.

Unlike a traditional VPN, which gives access from everything on the device, the user launches individual client applications ”on the fly” and the G/On Server creates the required connections as needed.

G/On is a client/server software solution implementing a managed distributed port forwarding proxy with integrated encryption, authentication and application access management.

Page 8: G/On Client: Application Connectivity

Encrypted connections between each application client and its application server are individually managed by the G/On Client and the G/On Server, preventing network-level access for the device.

Access to web apps is provided via separate, isolated G/On browser instances and connections managed and secured by G/On. Other native app clients connect via encrypted connections managed by G/On.

The G/On Server authenticates users (two factor) and manages the access to the authorized application services according to policies.

Diagram: Tablet device with G/On Client *); G/On Server; Corporate Network with corporate applications (OWA Web server, Exchange Server, web servers and/or other application servers).

*) Works the same way on Windows, Mac, Linux, and iOS.

Added option for Intel PCs to be booted on a locked-down G/On OS to avoid malware on the user device.

Page 9: G/On Server: Application Management

The G/On Server enforces:
• Multi-factor user authentication via challenge/response protocol
• 256-bit AES encrypted communication
• Application access policies
• Connectivity by proxy only
• RDP & HTTP protocol inspection
• Dedicated connections for each client application
• Policies based on client circumstances

The encrypted traffic from G/On clients is sent to the G/On Server on a single port (typically 443). The connection terminates on the G/On Server, is decrypted and forwarded on to the application server(s) on the proper port(s).

Diagram: clients reach the G/On Server on a single port (e.g. 443); the G/On Server forwards into the Corporate Network with corporate applications:
• OWA/Exchange Server (ports 443, 80)
• SharePoint Server (ports 443, 80)
• Terminal Server (port 3389)
• Citrix Server (ports 1494, 80)
• Intranet Server (port 80)
• ERP Server (port 2407)
• User Desktops, Virtual/Physical (port 3389)
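Slides 7 and 9 describe the G/On Server as a managed port-forwarding proxy: the device reaches the server on one port, and the server forwards only to the application servers on the user's menu, on the proper ports, after checking policy. The Go program below is an added illustration of that authorization step and is not G/On code: the policy model (directory groups, per-group menus, a minimum-token-strength rule standing in for "client circumstances"), the user names and the host names are constructed for the example; the port numbers are the ones shown on the slide.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// Token strengths ranked in the order the deck lists the token types
// (software < hardware without smart card < smart card); ranking is an assumption.
const (
	TokenSoftware = iota
	TokenComputerUser
	TokenSmartCard
)

// App is one menu entry: the name the user sees, the single backend host:port the
// gateway may forward to, and the weakest token allowed to open it (hypothetical).
type App struct {
	Name     string
	Target   string
	MinToken int
}

// Policy is a constructed stand-in for directory groups plus per-group menus.
type Policy struct {
	Groups map[string][]string // user -> directory groups
	Menu   map[string][]App    // group -> applications on that group's menu
}

// SamplePolicy holds constructed sample data; host names are placeholders.
func SamplePolicy() Policy {
	return Policy{
		Groups: map[string][]string{"alice": {"staff", "finance"}, "bob": {"contractors"}},
		Menu: map[string][]App{
			"staff": {
				{"Office PC", "pc-alice.corp.example:3389", TokenComputerUser},
				{"Intranet", "intranet.corp.example:80", TokenSoftware},
			},
			"finance":     {{"ERP", "erp.corp.example:2407", TokenSmartCard}},
			"contractors": {{"Citrix", "citrix.corp.example:1494", TokenSmartCard}},
		},
	}
}

// Authorize decides whether user may open app with the token strength presented.
// The backend target comes from policy, never from the client: that is what
// "connectivity by proxy only" means for the device.
func (p Policy) Authorize(user, app string, token int) (string, error) {
	groups, ok := p.Groups[user]
	if !ok {
		return "", fmt.Errorf("unknown user %q", user)
	}
	for _, g := range groups {
		for _, a := range p.Menu[g] {
			if a.Name != app {
				continue
			}
			if token < a.MinToken {
				return "", fmt.Errorf("%q requires a stronger token than presented", app)
			}
			return a.Target, nil
		}
	}
	return "", fmt.Errorf("%q is not on the menu for %q", app, user)
}

// SplitTarget validates a policy target before any dial, so a malformed entry fails closed.
func SplitTarget(target string) (string, int, error) {
	host, portStr, err := net.SplitHostPort(target)
	if err != nil {
		return "", 0, err
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("invalid port in policy target: %q", portStr)
	}
	return host, port, nil
}

func main() {
	p := SamplePolicy()
	requests := []struct {
		user, app string
		token     int
	}{
		{"alice", "ERP", TokenSmartCard},        // on menu, token strong enough
		{"alice", "Office PC", TokenSoftware},   // on menu, token too weak
		{"bob", "ERP", TokenSmartCard},          // not on bob's menu
		{"mallory", "Intranet", TokenSmartCard}, // unknown user
	}
	for _, r := range requests {
		target, err := p.Authorize(r.user, r.app, r.token)
		if err != nil {
			fmt.Printf("DENY  %-8s %-10s %v\n", r.user, r.app, err)
			continue
		}
		host, port, _ := SplitTarget(target)
		fmt.Printf("ALLOW %-8s %-10s forward to %s port %d\n", r.user, r.app, host, port)
	}
}
```

A real gateway would dial the returned target and splice the decrypted client stream onto it. Because the only thing the device can reach is the single ingress port, a destination that Authorize refuses is not merely blocked by a rule; it is never reachable at the network level.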

Page 10: G/On – A single, integrated solution

Hardware token for integrated two-factor authentication and secure virtual connectivity
• USB Tokens with integrated smart card and storage for the G/On Client, or
• Computer User Tokens combining hardware info and a software-generated keypair (available for PCs and mobile devices like iPad and iPhone)

Authentication is mutual to prevent man-in-the-middle attacks
• Public/private key cryptography (RSA keys), like certificates, but without the complexity of X.509 and without the need for Public Key Infrastructure (PKI).

User name and password validated against existing company directory (AD, LDAP)
• Offers single sign-on (SSO) experience for most applications

USB Tokens for use on any Windows, Mac and Linux device
• Use any computer anywhere to get secure access to corporate applications, office PC, desktops, Citrix, ERP, Intranets, web apps, and other services
• Mobile flexibility without driver and software installation

FIPS 140-2 compliant (Windows only) 256-bit AES encrypted, virtual connections for data in transit
• Each application gets its own encrypted connection

Application authorization based on AD, LDAP policies, circumstance & device

Bootable option for locked-down Linux operating system on USB for full device independence and isolation

Enterprise architecture for management, availability and scalability
• Centralized management of policies, user tokens, and application access
• Tools for managing token software, deployment and enrollment

Page 11: Secure authentication

Challenge/Response protocol
• Industry standard method
• Using public/private key cryptography (RSA keys), like certificates, but without the complexity of X.509 and without the need for Public Key Infrastructure (PKI).
• See http://en.wikipedia.org/wiki/Public-key_cryptography

Types of authentication tokens:

Hardware tokens with smart card
• Maximum strength authentication
• Private key generated, stored and kept secret inside hardware
• Software inside hardware token implements the Challenge/Response protocol
• G/On smart card tokens: No installations, no drivers

Hardware tokens without smart card
• Private key generated by user PC and linked/locked to PC or device
• Software on the user PC implements the Challenge/Response protocol

Software tokens
• Private key generated by user PC and stored on PC or device
• Software on the user PC implements the Challenge/Response protocol
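The mutual challenge/response described above, with RSA key pairs and public keys registered at enrollment in place of X.509 certificates, as an added Go example that is not G/On's protocol or wire format: the three-message shape, the role label in the signed transcript, the replay guard and the choice of RSA-PSS over SHA-256 are this example's own design decisions. Each side proves possession of its private key by signing a transcript that contains both parties' fresh challenges.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one endpoint: its own RSA private key, the peer's public key set at
// enrollment (no certificates), and challenges already accepted (replay guard).
type Party struct {
	priv    *rsa.PrivateKey
	PeerPub *rsa.PublicKey
	seen    map[string]bool
}

func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k, seen: map[string]bool{}}, nil
}

// Enroll stands in for out-of-band token enrollment: each side learns the
// other's public key directly, so no X.509 or PKI is involved.
func Enroll(a, b *Party) {
	a.PeerPub, b.PeerPub = &b.priv.PublicKey, &a.priv.PublicKey
}

// Nonce returns a fresh 256-bit challenge.
func Nonce() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe way to continue
	}
	return b
}

// transcript binds the signer's role and both challenges, so a signature is valid
// for one direction of one session only and cannot be reflected or replayed.
func transcript(role string, nc, ns []byte) []byte {
	h := sha256.New()
	h.Write([]byte(role))
	h.Write(nc)
	h.Write(ns)
	return h.Sum(nil)
}

// Respond (message 2): the server answers challenge nc with its own challenge ns
// and a signature over both, proving possession of the enrolled server key.
func (s *Party) Respond(nc []byte) (ns, sig []byte, err error) {
	ns = Nonce()
	sig, err = rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, transcript("server", nc, ns), nil)
	return ns, sig, err
}

// Answer: the client checks message 2 and signs message 3 only if the server is
// genuine; a man-in-the-middle without the server's private key fails here.
func (c *Party) Answer(nc, ns, sigS []byte) ([]byte, error) {
	if err := rsa.VerifyPSS(c.PeerPub, crypto.SHA256, transcript("server", nc, ns), sigS, nil); err != nil {
		return nil, fmt.Errorf("server authentication failed: %w", err)
	}
	return rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, transcript("client", nc, ns), nil)
}

// Finish: the server checks message 3 and refuses a challenge it accepted before.
func (s *Party) Finish(nc, ns, sigC []byte) error {
	if s.seen[string(nc)] {
		return fmt.Errorf("replayed challenge")
	}
	if err := rsa.VerifyPSS(s.PeerPub, crypto.SHA256, transcript("client", nc, ns), sigC, nil); err != nil {
		return fmt.Errorf("client authentication failed: %w", err)
	}
	s.seen[string(nc)] = true
	return nil
}

// Handshake runs the three messages in memory; nil means both sides accepted.
func Handshake(client, server *Party) error {
	nc := Nonce()                       // 1. client -> server: Nc
	ns, sigS, err := server.Respond(nc) // 2. server -> client: Ns, Sig_S(server, Nc, Ns)
	if err != nil {
		return err
	}
	sigC, err := client.Answer(nc, ns, sigS) // client verifies Sig_S, produces Sig_C
	if err != nil {
		return err
	}
	return server.Finish(nc, ns, sigC) // 3. client -> server: Sig_C(client, Nc, Ns)
}

func main() {
	client, _ := NewParty()
	server, _ := NewParty()
	rogue, _ := NewParty() // holds neither enrolled private key
	Enroll(client, server)
	fmt.Println("enrolled pair:", Handshake(client, server), "/ rogue server:", Handshake(client, rogue))
}
```

The client verifies the server before it signs anything, so a server that cannot produce a signature under the enrolled key never receives the client's response, which is the property the slide describes as preventing man-in-the-middle attacks. Binding both nonces and the signer's role into one transcript is what makes a captured response useless in any other session or direction; the server-side record of accepted challenges closes the remaining window of replaying message 3 within the same session.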

Page 12: Hardware Tokens with smart card

G/On integrates 2-factor, mutual authentication
• For Windows, Mac, Linux
• No special drivers required

Product images: G/On MicroSmart, G/On USB MicroSmart

• Smart card based authentication tokens
• Includes 2GB storage for the G/On Client

Page 13: G/On Computer User Token / G/On Mobile Token

The device becomes a hardware authentication token: the convenient solution for users with personal devices.

Authentication is based on a private key stored in the registry, combined with network MAC addresses and/or a unique device ID.

Diagram: software-based public/private key pair + network MAC addresses = G/On Computer User Token / G/On Mobile Token.

The G/On client, the token and application clients are installed directly on the device under the user account.

Page 14: Client Side Options

Support for different security policies:
• Launch of G/On Client from user’s USB token: the user plugs in the G/On USB Token and launches the G/On client.
• Launch of G/On Client installed on user’s device: the user’s device is enrolled as authentication token.
• Boot of PC from user’s USB token: the user can boot a locked-down Linux-based G/On operating system from the G/On USB and achieve a managed and known environment on an unknown PC.

Page 15: Client Side Features

Helps the user behave responsibly and lowers the risk of accidental misuse:

• Support for AD/LDAP password change during G/On login

• Automatic disconnect after a period of inactivity

• Closing of connections and programs when the token is removed

• Closing of connections that are no longer to be used, when a user closes the application

• Lock-2-Process between application clients and their connections through G/On

Page 16: G/On Minimum Requirements

1. G/On

2. Windows Server 2003/2008

3. Fixed external IP or DNS name

4. One open port in firewall

5. Office PCs

Page 17: G/On Value

• One simple solution for secure access for
  ○ All users
  ○ All user devices
  ○ All applications & services

• Centrally managed via policies:
  ○ Authentication policies (the right people)
  ○ Authorization policies (the right applications)
  ○ Device policies (the right circumstances)

• Providing:
  ○ Security transparency
  ○ Lower total cost of ownership
  ○ Increased flexibility and productivity
  ○ Positive user experience

Page 18: G/On Benefits

G/On helps our customers improve their business:

• Improve overall security

• Increase productivity

• Enhance employee satisfaction

• Reduce IT costs

Page 19: Licensing

Page 20: G/On Standard Configuration

• Windows, Mac, Linux, and iOS clients
• Integrated security
• FIPS 140-2 validated 256-bit AES encryption
• 2-factor, mutual authentication
  ○ Microsoft Active Directory or local user directory on G/On Server
• G/On Client connectivity on one IP address or DNS name, multiple IP ports, and HTTP encapsulation
• Includes support for transparent TCP connectivity. Customer must buy one of:
  ○ G/On for RDP: Access to office PC and Terminal Server farms
  ○ G/On for Citrix: Access to Citrix farms
  ○ G/On for Web Apps: Access to webmail, intranets, portals and other web apps
  ○ G/On: All of the above
• Up to twenty menu actions for Client/Server applications connectivity
• Field installation of G/On Client and Field Enrollment of user authentication tokens
• Dynamic user menus with ”Autolaunch” capabilities
• Update of G/On Client software and software packages
• Logging and Reporting

Additional features are optional. See also www.excitor.com for integration with Excitor DME – Dynamic Mobile Exchange.

Page 21: G/On Optional Features & License

Server Features
• Additional Gateway Servers
• Multiple Client Connect IP Addresses
• LDAP User Directory
• Microsoft SQL Server
• Additional Menu Items
• Login Notification Mail
• Welcome Message
• Wake-on-LAN

Client Features
• G/On OS

G/On 5 is licensed by
• Number of Users (includes 1 token)
  ○ UAL RDP
  ○ UAL Citrix
  ○ UAL WEB
  ○ UAL
• Number of Tokens (additional)
• Server Features
• Client Features

The customer or partner receives a mail with a signed *.txt license file with information on licensed features, users and tokens. The license file also contains information on the maintenance expiration date and – if applicable – a license expiration date.

A new license file is forwarded when the customer acquires additional features, tokens, users, and maintenance.

Page 22: THANK YOU!

www.giritech.com

Giritech – an Excitor Company. See also www.excitor.com

www.facebook.com/G.On.Connect