Dean Ocampo, CISSP, Check Point Software, Manager, Web Security Product Marketing
Steve Neville, Entrust, Inc. Sr. Manager, Identity Products & Solutions
April 5, 2006
The Remote Access Revolution: Practical Solutions for the Enterprise
© Copyright Entrust, Inc. 2005
Agenda
• The Realities of Remote Access Today
• Check Point: A Comprehensive Solution for Remote Access
• Changes in the Strong Authentication Market
• Entrust IdentityGuard—A Practical Revolution in Action
• Customer Case Study
• Conclusion & Questions
The Rise of Work Anywhere
• 2005 Statistics*
– 45.1M Teleworkers
– 26.1M 1+ day/week
– Average 3.4 locations
• Drivers**
– Recruiting Incentive
– 2nd only to salary
– Rising Gas $$
* American Interactive Consumer Survey, Dieringer Group ** Robert Half International
The Rise of Work Anywhere
Extranet Partners
Day Extenders
Part-time Teleworkers
Road Warriors
Full-Time Teleworker
Branch Offices
Large Offices
*American Interactive Consumer Survey, Dieringer Group
• 45.1M @ Home
• 24.3M @ Client/ Customer
• 20.6M @ Car
• 16.3M @ Vacation
• 15.1M @ Outside
• 7.8M @ Train/Plane
• Add more remote users beyond current 20 percent
– Less technical employees
– Partners
• Reduce remote access support costs
– Browser based; no client maintenance
– Less end user complexity
• Additional access options
– Access from home PC, corporate PC, Internet kiosk
Work Anywhere Endpoint Diversity
Intranet
• Email
• Applications
• Files
Extranet
• Portal
• Applications
• Files
Extranet access
• Partner computers
Day Extenders
• Email
• Basic applications
• Home computer
Teleworkers
• Email
• Applications
• Company computer
Mobile workers
• Email
• Basic applications
• Company computer or public computer
Anywhere Challenges Security
• With IPSec you knew who was coming in
• With SSL VPN you don’t (usually)
Company-owned PC
Access Agreement
Partner PC
+
Company-owned PC
Employee home PC
Partner PC
Public Internet kiosk
Completely unmanaged/unsecured
Firewall, antivirus
“Spyware is no longer just an annoying pest swarming home PCs; rather, it has evolved into a serious enterprise security threat.”
– IDC Worldwide Spyware 2004-2008 Forecast and Analysis (Nov. 2004)
Regulations Governing Information
Risk Management
Safeguarding Sensitive Information
Internal Controls & Governance
Basel II
FISMA
HIPAA
EU Directive
PCI/CISP
GLBA
California SB
Sarbanes-Oxley
EU 8th Directive
80% of time involved in compliance is spent on IT-related tasks (IDC)
Key Regulation Commonalities and Check Point Solutions
Requirement: Check Point Solutions
• Access management: Site-to-Site IPSec VPNs, Remote Access IPSec VPNs, Remote Access SSL VPNs (VPN-1, Edge, Connectra)
• Authentication: User/Pass + OPSEC partners for strong Authentication
• Malicious software protection: Integrated Intrusion Prevention and End Point Security (Integrity, Application Intelligence, Web Intelligence)
• Incident handling: Cross-Product Event Correlation (Eventia Analyzer)
• Intrusion detection and blocking: Integrated Intrusion Prevention (Application Intelligence, Web Intelligence)
• Transmission security: IPSec, SSL, TLS, DES, 3DES, L2TP, etc.
• Policy management: Unified Security Architecture (SmartCenter)
• Security Auditing: Cross-Product Reporting & Monitoring (Eventia Reporter)
Extranet Partners
Day Extenders
Part-time Teleworkers
Road Warriors
Full-Time Teleworker
Branch Offices
Large Offices
Check Point Secure Remote Access Solutions
• Site-to-Site IPSec VPN: VPN-1, Edge
• Remote Access IPSec VPN: VPN-1, Integrity SecureClient
• Remote Access SSL VPN: Connectra, Connectra Web Portal (Clientless), SSL Network Extender
• SmartCenter, SmartDefense Service, Eventia Reporter, Eventia Analyzer
Strong Authentication & Entrust IdentityGuard: A Practical Revolution in Action
The need for stronger authentication…
• Pressure to make more information available to employees anywhere, anytime
• Need to balance access with corporate and regulatory compliance (PCI, SOX, HIPAA, etc…)
• Customer database
• Sales forecasts
• HR records
• Etc…
Legislation Example: Payment Card Industry (PCI) Data Security Standard
• Payment Card Industry (PCI) Data Security Standard
• Formerly Visa CISP
• Applies to anyone who deals with cardholder data
• Audit requirements and financial penalties for non-compliance
First Data Corp. reports 85 percent of affected companies have yet to meet PCI standard requirements …
Implement Strong Access Control Measures
Traditional Candidate Technologies
[Chart. Axes: Purchase & Deployment Investment; Authentication Strength. Technologies plotted: Passwords, Tokens, Smartcards, Digital Certificates, Inert Tokens, Biometrics. Groupings: Authentication Only; Authentication, Encryption, Digital Signatures. Additional label: IT Security Extensibility.]
The Authentication Challenge – One Size Does Not Fit All
[Chart. Axes: Increasing Req. For Security; Increasing Authentication Strength. Transaction Type: Desktop Login; Onsite Web; Remote Access (Avg. User); Remote Access (Executives, Sensitive Data).]
Enterprise authentication requires a range of capabilities
Addressing the Authentication Challenge: Entrust IdentityGuard
Entrust delivers:
• Multi-factor strong authentication platform
• Flexible, risk-based solution
• Easy to use and support
• Inexpensive to deploy
[Chart. Axes: Purchase & Deployment Cost; Authentication Strength. Labels: Passwords, Tokens, Smartcards, Biometrics, Digital Certificates, Traditional, $.]
Range of Risk-Based Strong Authentication
• Policy-based authentication allowing single authentication layer to meet multiple business requirements
– Per transaction, per user, per application, per LOB…
• Machine Auth: Authorized set of workstations
• Knowledge Auth: Challenge / response questions
• Out-of-Band: One-time-passcode to mobile device or phone
• Scratch Pad Auth: One-time password list
• Grid Auth: Grid location challenge and response
More Coming Soon!
Extensible Across the Enterprise
• Extranet (including Microsoft Outlook Web Access)
• Microsoft Windows Desktops
• Remote Access: IP-SEC & SSL VPN, RAS, Citrix
[Login prompt graphic: AnyUser / ******]
Entrust IdentityGuard: Platform Summary
• Multi-factor authentication platform
– Range of authenticators
– Based on FIPS-validated cryptography
– Stand-alone or layered
• Easy to use and support
– Easy to use options
– No software or hardware to deploy
• Inexpensive to deploy
– Fraction of the cost of traditional options
– Seamless integration with leading remote access vendors
http://www.entrust.com/cost-meter/
Check Point & Entrust IdentityGuard Certified Integration
[Diagram labels: SSL User; IP-SEC User; Internet; Check Point VPN-1 NGX; Check Point Connectra NGX; Radius; Standard Radius Server; Repository; LDAP / Active Directory; Database]
Customer Case Study: Large US Financial Service Provider
Customer Challenge:
• Required cost-effective option for strong authentication to replace expensive RSA tokens
• Absolute requirement for rapid integration with current Check Point VPN-1 for remote access
• Need to fit within existing and new network topology
Solution:
• Certified integration of Entrust IdentityGuard with Check Point VPN-1
• Leveraging grid authentication option
Customer Case Study: Large US Financial Service Provider
Key Customer Success Criteria:
• Certified integration (OPSEC certified, Entrust Ready)
• Initial & ongoing cost—fraction of the cost of RSA tokens, allowing for initial full replacement and plan to expand to many new users, still at a lower TCO!
• Ease of integration—configuration-only integration via Radius (Microsoft IAS)
[Diagram labels: IP-SEC User; Internet; Check Point VPN-1 NGX; Radius; Microsoft IAS; MS Active Directory]
Why Entrust & Check Point? We are Security Specialists…
• Check Point: 100% of the Fortune 100
• Check Point: 98% of the Fortune 500
• Check Point: ~100,000 Customers
• Entrust: #12 of 600+ security software companies
• Entrust: Industry pioneer and leader, with 500 employees and 90 patents
• Entrust: Best in class service and support, and integration with leading technology vendors
Combined solution delivers:
• Integrated security for diverse, anywhere access
• Strong VPN and Authentication Partnership
• Easy to use and support multi-factor authentication
• Inexpensive to deploy
[Chart. Axes: Purchase & Deployment Cost; Authentication Strength. Labels: Passwords, One-Time-Password Tokens, Smartcards, Biometrics, $.]
Check Point & Entrust: A Remote Access Revolution
Thank You!