Q&A On SSL VPNs, Part Two: Joerg Hirschmann

This is part two in our Q&A series on SSL VPNs. Earlier this week, we shared insight from Rainer Enders, CTO, Americas at NCP engineering, on the inception of SSL VPN and its key differentiators.

Q: What are the core strengths of SSL VPN, and when might enterprises choose to go with this protocol over IPsec VPN?

Joerg Hirschmann: The pre-installed SSL approach is ideal for situations in which one doesn’t require transparent connections for secure remote access. For instance, SSL VPN is an optimal solution when enterprises must grant limited access to external associates or partners needing connections only to specific applications (e.g. web-based) or administrative access to specific machines through RDP or SSH sessions. However, the ideal secure remote access solution takes a hybrid approach combining the strengths of both SSL and IPsec.

Q: What about choosing to go with software solutions versus hardware appliances?

Joerg Hirschmann: A software solution is the ideal fit for a virtualized central environment, whereas appliances are usually a better fit in branch offices or a smaller environment without virtualization in place.

If you have any questions on VPNs, the IPsec and SSL protocols or anything else related to secure remote access, send them to editor@vpnhaus.com.

Joerg Hirschmann is CTO at NCP...

Q&A On SSL VPNs, Part One: Rainer Enders

This is part one in our Q&A series on SSL VPNs.

Q: When SSL VPN followed IPsec VPN into the world of remote access, what was its initial purpose? How did it differentiate?

Rainer Enders: SSL VPN was introduced to address various shortcomings of IPsec VPN, such as usability, interoperability and scalability. In particular, the IPsec client-based approach was regarded as a process that was difficult to manage from both administrators’ and users’ perspectives. When SSL was initially introduced, it was considered a client-less technology. The terminology “client-less” was created to differentiate from the IPsec client-centric approach. Obviously, SSL VPN is not client-less, as a client is still involved and is typically in the form of a web browser. Therefore, the key differentiator between the two approaches is that the SSL VPN client comes pre-installed on all OS platforms in the form of the browser, whereas IPsec VPN is separate software that, in many cases, must be installed.

Q: When should companies use a browser-based SSL VPN for secure remote access? How does this differ from applications of a Thin Client SSL VPN?

Rainer Enders: When deploying SSL VPN, great care must be taken to implement and secure the digital signature architecture. Web proxy and thin client SSL are restricted to certain access modes, and as such, should only be used in projects with limited scope with compliant access environments. SSL VPN should not be used for high security environments, as there are more points of attack and vulnerabilities.

Rainer Enders is CTO, Americas, at NCP engineering. Stay tuned for more expert insight on SSL VPNs later this week from Joerg Hirschmann, CTO at NCP...

SearchNetworking: NCP Explains Mobile Device Management v. Enterprise Application Stores

Editor’s Note: This column originally appeared in TechTarget’s SearchNetworking.com

By Rainer Enders, CTO, Americas, NCP engineering

Both systems can enhance mobile device security at different levels. Typically, a mobile device management system provides for standard device management features such as configuration management, backup capabilities and remote wipe, along with logging and reporting. The enterprise application store provides for the capability to safely test and deploy chosen applications. As such, the company has greater control over the mobile device application environment. It can ensure the integrity and security of the applications as well as deliver a better user experience along with greater productivity. Meanwhile, enterprise application stores can be a particular advantage for heterogeneous device platforms....

Webinar: What CIOs and CTOs Need to Know About Mobile Device Security

Rainer Enders, CTO, Americas at NCP engineering, recently conducted an Execsense webinar around what CIOs and CTOs need to know about mobile device security. Rainer explains how the replacement of static access networks with mobile access networks has led to a paradigm shift in overall network security. Because mobile device protection complements infrastructure protection, enterprises must safeguard their data within hostile mobile access networks, which are made all the more vulnerable in today’s information age. Taking us further down this journey of murky data classification and the new obstacles IT leaders face with the proliferation of mobile devices and BYOD, Rainer describes what mobile-centric security strategies CIOs and CTOs should implement to ensure optimal network protection. We hope you’ll tune in to the new Execsense webinar here....

Q&A on Employee Provisioning with Joerg Hirschmann: Part 3

This is the third and final entry in our Q&A series on questions related to employee provisioning and VPNs. Last week, we addressed how provisioning can benefit organizations’ overall security postures as well as the de-provisioning tactics necessary to mitigate security risks during employee transitions.

Question: Certain scenarios, such as short-term business partnerships, will require adaptable provisioning. How can VPN technology enable temporary and secure remote access? What are other solutions companies can use to incorporate flexibility into their workforce?

Joerg Hirschmann: VPN solutions offer different access points for various types of remote access users. In general, employees will require deeper access to corporate network resources than external partners will need. For that reason, companies should deploy VPN clients to their entire workforce, depending on the necessary access requirements, whereas external partners should access the relevant applications through client-less SSL VPNs, if possible. This will allow external partners to avoid the process of deploying software and licenses. Organizations can also achieve temporary access, whether it be on-demand or limited hourly access, by implementing a Remote Authentication Dial-In User Service (RADIUS) server. With this approach, general access limitations can be set automatically, whereas on-demand access will have to be enabled, as well as disabled, manually by an administrator. Again, process quality is important.

If you have any questions that you would like answered on VPNs, remote access, network security and the like, send them to editor@vpnhaus.com.

Joerg Hirschmann is CTO at NCP...

Q&A on Employee Provisioning with Joerg Hirschmann: Part 2

This is part two in a series of questions related to employee provisioning and VPNs. Earlier this week, we addressed how enterprises can ensure that their provisioning processes benefit their overall security postures.

Question: Provisioning’s security holes become particularly apparent when remote mobile access users leave a company and enterprises try to apply a one-size-fits-all de-provisioning approach. In today’s mobile, global, 24-hour business world, what de-provisioning tactics are necessary to mitigate security risks during employee transitions?

Joerg Hirschmann: The best de-provisioning approach will be one that does not rely on a singular component to keep up with an organization’s changing needs. For instance, a provisioning process should go beyond the ordinary capability of disabling an account; instead, an organization should use the scalable method of PKI (certificate-based authentication), which offers an additional option to withdraw remote access permission by revoking the user’s certificate. Similar offerings are available through One-Time-Password tools, which can also disable specific tokens, for example. At the end of the day, the quality of the automated process will dictate how effective provisioning and de-provisioning will be.

Stay tuned for more on employee provisioning and VPNs next week. If you have any questions that you would like answered, as related to VPNs, remote access, network security and the like, send them to editor@vpnhaus.com.

Joerg Hirschmann is CTO at NCP...