
Secure Remote Access Technical Solution Guide v1.0
the case of compromised or infected endpoints, an in-line intrusion prevention system (IPS) can
detect and block known threats and act as a second line of defense against unauthorized traffic.
Place the IDS/IPS sensor on the trusted side of the VPN Gateway so that it has visibility into
clear-text (unencrypted) traffic; on the untrusted side it would see only the encrypted VPN tunnel.
Figure 2 shows the Nortel TPS 2150-IS in-line intrusion sensor configured in the path between the
trusted interface of the VPN Gateway and the DMZ internal firewall.
Design recommendation: Deploy IDS/IPS sensors on the trusted side of the VPN Gateway to
allow security inspection of clear-text traffic and provide visibility into threats from connecting
remote access clients.
4.2 Network design
This section addresses network design including Security, Application Access, IP
Telephony/Multimedia, Network Management and client considerations.
4.2.1 Security
This section addresses specific security recommendations and considerations beyond those
discussed in section 4.1.1, related to DMZ policies and network topology.
4.2.1.1 Authentication
The choice of authentication method is often dictated by existing network directory and
application infrastructure. Supported options include local, RADIUS, LDAP (including Microsoft
Active Directory), NTLM, SiteMinder, RSA ClearTrust, RSA SecurID or Client SSL Certificate.
Ideally, your IT infrastructure will have a single authoritative authentication source and you can
base VPN authentication on this same system. Require strong two-factor authentication if VPN
clients will connect from non-managed or shared client devices.
In addition to the product documentation, you can find a number of Technical Tip guides related
to authentication, including RADIUS, LDAP, NTLM and certificate-based AAA, at the Nortel
customer support portal at www.nortel.com/cs in the VPN Gateway 3050 documentation area.
Design Recommendation: Use a network-based authentication system that is also used by
your IT infrastructure. Require strong two-factor authentication for VPN clients connecting from
non-managed or shared client devices.
4.2.1.1.1 Single sign-on
Users connect to the VPN to access applications. Often these applications implement their own
authentication and authorization mechanism. To simplify user access and reduce the need for
multiple, redundant logons, the SSL-VPN provides a variety of single-sign-on capabilities. For
web-based and file-sharing applications, you can configure the VPN portal links to automatically
provide reusable credentials to internal applications. You can do this for applications that support:
- HTML form-based logon, such as Microsoft Outlook Web Access
- Standard HTTP authentication
- Authentication through custom HTTP headers
You must restrict the use of single-sign-on (SSO) and credential passing to known application
servers and domains to prevent non-approved systems from presenting a web authentication
request and acquiring user credentials. Therefore, only identify approved applications as
authorized SSO domains in the SSL-VPN configuration.
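The allowlist described above, as an added illustration that is not part of this guide or of the VPN Gateway's own code: before the portal attaches a user's reusable credentials to a request, the target host must fall exactly on, or strictly below, an approved SSO domain. The domain names are constructed examples; the check deliberately rejects look-alike hosts, userinfo tricks in the URL and non-TLS targets.

```python
from urllib.parse import urlsplit

# Approved SSO domains (constructed example values, not from the guide).
APPROVED_SSO_DOMAINS = ("owa.corp.example", "intranet.corp.example")


def host_in_approved_domain(host, approved):
    """True if host equals an approved domain or is a proper subdomain of one.

    Matching is done on label boundaries: a plain suffix test would let
    'evil-owa.corp.example' pass as if it were 'owa.corp.example'.
    """
    host = host.lower().rstrip(".")
    for domain in approved:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def may_forward_credentials(url, approved=APPROVED_SSO_DOMAINS):
    """Decide whether the portal may present the user's credentials to `url`.

    Only https targets are considered, since the credentials would otherwise
    travel in clear text on the trusted side of the gateway.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname strips any userinfo, so a link such as
    # https://owa.corp.example@attacker.example/ is judged by 'attacker.example'.
    host = parts.hostname
    if not host:
        return False
    return host_in_approved_domain(host, approved)
```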