Slide 1: Giritech – an Excitor company
Copyright Giritech A/S
Slide 2: Secure Enterprise Application Mobilization
Secure access from the user ... to applications ... without compromising on security and usability ... and to my PC in the office.
Slide 3: Solution Scenarios
• Working from home
• Continuity of operations
• Secure access for external contractors
• When you travel
○ Without a laptop
○ With an iPad tablet
○ With your laptop
• Secure access via wireless networks
• Securing the device without managing the device
○ G/On OS – The Bootable Option
Slide 4: Boot of PC from G/On USB Token
G/On OS:
• Turns an unknown PC into a known and managed device
• Boots from the G/On USB Smart Token on Wintel and Mac hardware
• Loads a G/On-specific, hardened Linux operating system
• Can only connect to the corresponding G/On Server
• Provides a Linux desktop
○ Configuration of network connections (cable/wireless/mobile broadband)
○ Browser (Firefox)
○ Rdesktop for Remote Desktop access through G/On
○ Citrix ICA client for Citrix access through G/On
○ FileZilla for FTP file upload and download via G/On
○ Access to a minimum set of standard Linux tools
• An ideal, cost-effective option for many organizations:
○ With a policy for access from managed devices only
○ Looking for the ultimate secure solution
○ For instance: local and federal government, police, banks, law firms, accountants, ...
Slide 5: What G/On delivers
G/On is an integrated client/server enterprise software solution that gives the right access, for the right users, to the right applications, under the right circumstances.
Diagram: User Directory; Application Servers; G/On Client on Windows, Mac, Linux, iPad and iPhone; G/On Gateway Server.
The G/On Client is deployed on multiple platforms and formats and provides easy access to the applications. See www.excitor.com for more mobile client options via integration with Excitor DME.
The G/On Gateway Server controls all access to the application servers (G/On Client + G/On Gateway Server = Secure Access).
Slide 6: G/On – an integrated solution
One single product:
• Easy for IT: install, configure, deploy and manage
• Easy to use: Windows, Mac, Linux, and iOS
Diagram: G/On sits between the Internet side (user PCs) and the corporate side (Navision, R&D Server, Servers, CRM Database), with five building blocks:
• User Authentication: strong 2-factor, mutual authentication; challenge/response protocol and smart card options.
• Device Isolation and Independence: a virtual application connection keeps devices off the network and keeps data off the device; software on USB with bootable options.
• Protection of data in transit: 256-bit AES encryption, FIPS 140-2 compliant on Windows.
• Dynamic ”Firewall”: single-port access, and only for authenticated users authorized for applications; built-in proxies for RDP, HTTP, SOCKS.
• Managed Application Access: user menu of apps and their connections, managed on the server side, with single sign-on for Citrix, RDP and web apps.
Slide 7: G/On – Secure Application Access
G/On authenticates users and creates encrypted, individually authorized, and managed connections from application client programs to corporate IT services.
Unlike a traditional VPN, which gives access from everything on the device, the user launches individual client applications ”on the fly” and the G/On Server creates the required connections as needed.
G/On is a client/server software solution implementing a managed, distributed port-forwarding proxy with integrated encryption, authentication and application access management.
Slide 8: G/On Client: Application Connectivity
Encrypted connections between each application client and its application server are individually managed by the G/On Client and the G/On Server, preventing network-level access for the device.
Diagram: a tablet device with the G/On Client *) connects through the G/On Server to the corporate network with corporate applications (OWA web server, Exchange Server, web servers and/or other application servers).
Access to web apps is provided via separate, isolated G/On browser instances and connections managed and secured by G/On. Other native app clients connect via encrypted connections managed by G/On.
The G/On Server authenticates users (two-factor) and manages access to the authorized application services according to policies.
*) Works the same way on Windows, Mac, Linux, and iOS. Added option for Intel PCs to be booted on a locked-down G/On OS to avoid malware on the user device.
Slide 9: G/On Server: Application Management
The G/On Server enforces:
• Multi-factor user authentication via challenge/response protocol
• 256-bit AES encrypted communication
• Application access policies
• Connectivity by proxy only
• RDP and HTTP protocol inspection
• Dedicated connections for each client application
• Policies based on client circumstances
The encrypted traffic from G/On clients is sent to the G/On Server on a single port (typically 443). The connection terminates on the G/On Server, is decrypted and forwarded on to the application server(s) on the proper port(s).
Diagram: clients reach the G/On Server on a single port (e.g. 443); the G/On Server forwards into the corporate network with corporate applications on each server's own port(s): OWA/Exchange Server (ports 443, 80), SharePoint Server (ports 443, 80), Terminal Server (port 3389), Citrix Server (ports 1494, 80), Intranet Server (port 80), ERP Server (port 2407), and user desktops, virtual or physical (port 3389).
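The server-side behaviour slides 7 and 9 describe (connectivity by proxy only, one dedicated forwarded connection per client application, and access decisions based on directory group, application catalog and client circumstances) as an added worked example in Go. This is not G/On's code and does not model its wire protocol, its single-port ingress or its encryption; it only shows the policy check and the per-application loopback forwarder that a managed port-forwarding proxy is built from. The TokenKind, Session, App, Gateway, Authorize, Open, serve and StartEchoBackend names are this example's assumptions, the port 3389 backend in main is a placeholder that is never dialed, and the echo backend is a constructed stand-in for an application server.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
)

// TokenKind orders the client circumstances from the slides by strength; the names are this example's assumption.
type TokenKind int

const (
	SoftwareToken  TokenKind = iota // private key held in software on the device
	ComputerToken                   // key locked to the PC/device hardware info
	SmartCardToken                  // key generated and kept inside the smart card
)

// Session is what the gateway knows after authentication; Groups come from AD/LDAP.
type Session struct {
	User   string
	Groups []string
	Token  TokenKind
}

// App is one menu action: a backend only the gateway can reach, plus its policy.
type App struct {
	Backend, Group string
	MinToken       TokenKind
}

// Gateway is the application catalog indexed by menu name.
type Gateway map[string]App
var ErrDenied = errors.New("access denied")

// Authorize applies the three layers named on the slides: the right user
// (directory group), the right application (catalog) and the right circumstances (token).
func (g Gateway) Authorize(s Session, name string) (App, error) {
	app, ok := g[name]
	if !ok {
		return App{}, fmt.Errorf("%w: unknown application %q", ErrDenied, name)
	}
	if s.Token < app.MinToken {
		return App{}, fmt.Errorf("%w: %q requires a stronger token", ErrDenied, name)
	}
	for _, grp := range s.Groups {
		if grp == app.Group {
			return app, nil
		}
	}
	return App{}, fmt.Errorf("%w: %s is not in group %q", ErrDenied, s.User, app.Group)
}

// Open authorizes the request and, if allowed, returns a loopback listener forwarded to
// that one backend only: the client program talks to 127.0.0.1, the device gets no route inside.
func (g Gateway) Open(s Session, name string) (net.Listener, error) {
	app, err := g.Authorize(s, name)
	if err != nil {
		return nil, err
	}
	return serve(func(c net.Conn) {
		srv, err := net.Dial("tcp", app.Backend)
		if err != nil {
			return
		}
		go func() { io.Copy(srv, c); srv.Close() }()
		io.Copy(c, srv)
	})
}

// serve accepts connections on a fresh loopback port and hands each one to handler.
func serve(handler func(net.Conn)) (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); handler(c) }()
		}
	}()
	return ln, nil
}

// StartEchoBackend is a constructed stand-in for an application server.
func StartEchoBackend() (net.Listener, error) {
	return serve(func(c net.Conn) { io.Copy(c, c) })
}

func main() {
	gw := Gateway{"Office PC": {Backend: "127.0.0.1:3389", Group: "staff", MinToken: ComputerToken}} // placeholder backend
	_, err := gw.Open(Session{User: "alice", Groups: []string{"staff"}, Token: SmartCardToken}, "Office PC")
	fmt.Println("alice:", err) // <nil>: a forwarded loopback port was opened
	_, err = gw.Open(Session{User: "bob", Groups: []string{"staff"}, Token: SoftwareToken}, "Office PC")
	fmt.Println("bob:", err) // access denied: "Office PC" requires a stronger token
}
```

The point of the design is that the backend address never reaches the client: a denied request returns an error and no listener, and an allowed request yields a port that can only ever reach the one backend named in the catalog entry, which is what "connectivity by proxy only" and "dedicated connections for each client application" amount to in code.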
Slide 10: G/On - A single, integrated solution
Hardware token for integrated two-factor authentication and secure virtual connectivity
• USB tokens with integrated smart card and storage for the G/On Client, or
• Computer User Tokens combining hardware info and a software-generated key pair (available for PCs and mobile devices like iPad and iPhone)
Authentication is mutual to prevent man-in-the-middle attacks
• Public/private key cryptography (RSA keys), like certificates, but without the complexity of X.509 and without the need for a Public Key Infrastructure (PKI)
User name and password validated against the existing company directory (AD, LDAP)
• Offers a single sign-on (SSO) experience for most applications
USB tokens for use on any Windows, Mac and Linux device
• Use any computer anywhere to get secure access to corporate applications, office PC, desktops, Citrix, ERP, intranets, web apps, and other services
• Mobile flexibility without driver and software installation
FIPS 140-2 compliant (Windows only) 256-bit AES encrypted, virtual connections for data in transit
• Each application gets its own encrypted connection
Application authorization based on AD/LDAP policies, circumstance and device
Bootable option for a locked-down Linux operating system on USB for full device independence and isolation
Enterprise architecture for management, availability and scalability
• Centralized management of policies, user tokens, and application access
• Tools for managing token software, deployment and enrollment
Slide 11: Secure authentication
Challenge/response protocol
• Industry standard method
• Using public/private key cryptography (RSA keys), like certificates, but without the complexity of X.509 and without the need for a Public Key Infrastructure (PKI)
• See http://en.wikipedia.org/wiki/Public-key_cryptography
Types of authentication tokens:
Hardware tokens with smart card
• Maximum strength authentication
• Private key generated, stored and kept secret inside the hardware
• Software inside the hardware token implements the challenge/response protocol
• G/On smart card tokens: no installations, no drivers
Hardware tokens without smart card
• Private key generated by the user PC and linked/locked to the PC or device
• Software on the user PC implements the challenge/response protocol
Software tokens
• Private key generated by the user PC and stored on the PC or device
• Software on the user PC implements the challenge/response protocol
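The mutual challenge/response exchange that slides 10 and 11 describe (each side holds an RSA key pair, the peer's public key is enrolled in advance, and no X.509 certificate or PKI is consulted) as an added worked example in Go. It is not G/On's code and says nothing about the product's actual message format; the Party, NewParty, Enroll, Challenge, Respond, Verify and MutualAuth names, the choice of RSA-PSS over SHA-256, the 32-byte nonce and the binding of the responder's name into the signed digest are this example's own assumptions. The rogue-server case in main shows why the second direction matters: a server that merely knows the token's public key can accept the token's response, but it cannot produce the response the client expects from the enrolled server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one side of the protocol (the user's token or the G/On Server): its own
// RSA key pair plus the peer's public key, enrolled in advance, so no PKI is consulted.
type Party struct {
	Name    string
	priv    *rsa.PrivateKey
	peerPub *rsa.PublicKey
}

// NewParty generates a key pair in memory (a smart-card token would keep it inside the card).
func NewParty(name string, bits int) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}

// Enroll exchanges public keys out of band, the enrollment step the slides mention.
func Enroll(a, b *Party) {
	a.peerPub = &b.priv.PublicKey
	b.peerPub = &a.priv.PublicKey
}

// Challenge returns 32 random bytes; a fresh value per run is what defeats replay.
func Challenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// digest binds the responder's name into the signed value so a response to one
// side's challenge cannot be turned around as a response to the other side's
// (this binding is the example's own choice, not a documented product detail).
func digest(responder string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(responder+"\x00"), challenge...))
	return h[:]
}

// Respond signs the peer's challenge with this party's private key (RSA-PSS).
func (p *Party) Respond(challenge []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest(p.Name, challenge), nil)
}

// Verify checks a response against the challenge this party issued, using the enrolled key.
func (p *Party) Verify(responder string, challenge, response []byte) error {
	return rsa.VerifyPSS(p.peerPub, crypto.SHA256, digest(responder, challenge), response, nil)
}

// MutualAuth runs the exchange in both directions and returns nil only when each
// side has proven possession of the private key the other side enrolled.
func MutualAuth(client, server *Party) error {
	// Step 1: server -> client: challenge; client -> server: signed response.
	c1, err := Challenge()
	if err != nil {
		return err
	}
	r1, err := client.Respond(c1)
	if err != nil {
		return err
	}
	if err := server.Verify(client.Name, c1, r1); err != nil {
		return fmt.Errorf("server rejects client: %w", err)
	}
	// Step 2: client -> server: challenge; server -> client: signed response.
	c2, err := Challenge()
	if err != nil {
		return err
	}
	r2, err := server.Respond(c2)
	if err != nil {
		return err
	}
	if err := client.Verify(server.Name, c2, r2); err != nil {
		return fmt.Errorf("client rejects server: %w", err)
	}
	return nil
}

func main() {
	token, _ := NewParty("user-token", 2048)
	server, _ := NewParty("gon-server", 2048)
	Enroll(token, server)
	fmt.Println("genuine server:", MutualAuth(token, server)) // <nil>
	// A server that was never enrolled with this token may accept the token's
	// response in step 1, but cannot produce the response the client expects in step 2.
	rogue, _ := NewParty("rogue-server", 2048)
	rogue.peerPub = &token.priv.PublicKey
	fmt.Println("rogue server:", MutualAuth(token, rogue))
}
```

What a real token adds on top of this is where the private key lives: on the smart-card tokens the signing step runs inside the card and the key never reaches the PC, while for computer and software tokens the same protocol runs with a key held on the device, which is the strength difference slide 11 draws between the three token types.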
Slide 12: Hardware Tokens with smart card
G/On integrates 2-factor, mutual authentication
• For Windows, Mac, Linux
• No special drivers required
• Smart card based authentication tokens
• Includes 2GB storage for the G/On Client
Pictured: G/On MicroSmart and G/On USB MicroSmart tokens.
Slide 13: G/On Computer User Token / Mobile Token
The convenient solution for users with personal devices.
The G/On Client, the token and the application clients are installed directly on the device under the user account. The device becomes a hardware authentication token: authentication is based on a private key stored in the registry, combined with network MAC addresses and/or a unique device ID.
Diagram: software-based public/private key pair + network MAC addresses = G/On Computer User Token / G/On Mobile Token.
Slide 14: Client Side Options
Support for different security policies:
• Launch of the G/On Client from the user's USB token: the user plugs in the G/On USB Token and launches the G/On Client.
• Launch of the G/On Client installed on the user's device: the user's device is enrolled as an authentication token.
• Boot of the PC from the user's USB token: the user can boot a locked-down, Linux-based G/On operating system from the G/On USB and achieve a managed and known environment on an unknown PC.
Slide 15: Client Side Features
Helps the user behave responsibly, and lowers the risk of accidental misuse:
• Support for AD/LDAP password change during G/On login
• Automatic disconnect after a period of inactivity
• Closing of connections and programs when the token is removed
• Closing of connections that are no longer to be used, when a user closes the application
• Lock-2-Process between application clients and their connections through G/On
Slide 16: G/On Minimum Requirements
1. G/On
2. Windows Server 2003/2008
3. Fixed external IP or DNS name
4. One open port in the firewall
5. Office PCs
Slide 17: G/On Value
• One simple solution for secure access for
○ All users
○ All user devices
○ All applications and services
• Centrally managed via policies:
○ Authentication policies (the right people)
○ Authorization policies (the right applications)
○ Device policies (the right circumstances)
• Providing:
○ Security transparency
○ Lower total cost of ownership
○ Increased flexibility and productivity
○ Positive user experience
Slide 18: G/On Benefits
G/On helps our customers improve their business:
• Improve overall security
• Increase productivity
• Enhance employee satisfaction
• Reduce IT costs
Slide 19: Licensing
Slide 20: G/On Standard Configuration
• Windows, Mac, Linux, and iOS clients
• Integrated security
• FIPS 140-2 validated 256-bit AES encryption
• 2-factor, mutual authentication
○ Microsoft Active Directory or local user directory on the G/On Server
• G/On Client connectivity on one IP address or DNS name, multiple IP ports, and HTTP encapsulation
• Includes support for transparent TCP connectivity. Customer must buy one of:
○ G/On for RDP: access to office PCs and Terminal Server farms
○ G/On for Citrix: access to Citrix farms
○ G/On for Web Apps: access to webmail, intranets, portals and other web apps
○ G/On: all of the above
• Up to twenty menu actions for client/server application connectivity
• Field installation of the G/On Client and field enrollment of user authentication tokens
• Dynamic user menus with ”Autolaunch” capabilities
• Update of G/On Client software and software packages
• Logging and reporting
Additional features are optional. See also www.excitor.com for integration with Excitor DME – Dynamic Mobile Exchange.
Slide 21: G/On Optional Features & License
Server Features
• Additional Gateway Servers
• Multiple Client Connect IP Addresses
• LDAP User Directory
• Microsoft SQL Server
• Additional Menu Items
• Login Notification Mail
• Welcome Message
• Wake-on-LAN
Client Features
• G/On OS
G/On 5 is licensed by
• Number of users (includes 1 token)
○ UAL RDP
○ UAL Citrix
○ UAL WEB
○ UAL
• Number of tokens (additional)
• Server features
• Client features
The customer or partner receives a mail with a signed *.txt license file with information on licensed features, users and tokens. The license file also contains the maintenance expiration date and, if applicable, a license expiration date.
A new license file is forwarded when the customer acquires additional features, tokens, users, or maintenance.
Slide 22: Thank you!
www.giritech.com
Giritech – an Excitor Company. See also www.excitor.com
www.facebook.com/G.On.Connect