Secure Remote Access Technical Solution Guide
Enabling Application, IP Telephony and Multimedia Access for Teleworkers and Road Warriors
Enterprise Solution Engineering
Document Date: January 2006
Document Version: 1.0
Secure Remote Access Technical Solution Guide v1.0

Copyright © 2006 Nortel Networks. All rights reserved. January 2006.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document.
Abstract

This guide defines the recommended designs and best practices for a Secure Remote Access Solution. It provides an overview of the best design practices for implementing a network capable of providing teleworkers and road warriors with access to business applications, including web applications, client/server applications, and IP Telephony and multimedia services.
Table of contents

1. Overview
1.1 Scope of solution
2. Secure Remote Access best practices
5.3 Security certifications
1. Overview

Today's enterprise network must support a growing number of mobile workers who require access to a broad range of information and applications. These workers include full-time teleworkers who use remote access as their primary connection to the network and its services. There is also a growing number of occasional teleworkers.
2. Secure Remote Access best practices

Following best practices in designing and deploying a remote access solution lowers the cost of ownership and dramatically lowers the risk of common security incidents, such as unauthorized access, theft of information, hacking, denial of service, and propagation of threats such as worms and viruses. Nortel solutions fully support these best practices.
system. The mechanism must be tied to a process that alerts system administrators of failed logon attempts and requires follow-up with appropriate action. Define a procedure for resetting expired or locked-out passwords that requires the user to provide additional private information known only to valid users.
• Access control violations
• Endpoint compliance-check violations

When providing web-based access, the VPN Gateway proxies all information requests through a single, common internal IP address. In this case, configure the gateway to embed user information such as the username in HTTP headers, so that internal IDS sensors and web application servers can track activity per user rather than per source IP.
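To show why the per-user header matters, here is an added example (not part of the guide, and not Nortel code) that parses constructed access-log lines from an intranet web server behind the gateway. Every request shows the same source IP, so only the injected header value lets the server attribute requests and count repeated access denials per user. The header name X-VPN-User, the log format, the IP address and the usernames are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines from an intranet web server that sits
# behind the VPN Gateway. Every request arrives from the gateway's single
# internal address (10.1.1.5 here, a constructed value); the last quoted field
# is the value of a hypothetical X-VPN-User header that the gateway was
# configured to inject (header name and log format are assumptions).
SAMPLE_LOG = """\
10.1.1.5 - - [12/Jan/2006:10:01:02 +0000] "GET /hr/payroll HTTP/1.1" 200 512 "alice"
10.1.1.5 - - [12/Jan/2006:10:01:05 +0000] "GET /hr/payroll HTTP/1.1" 403 128 "bob"
10.1.1.5 - - [12/Jan/2006:10:01:06 +0000] "GET /admin/ HTTP/1.1" 403 128 "bob"
10.1.1.5 - - [12/Jan/2006:10:01:09 +0000] "GET /admin/users HTTP/1.1" 403 128 "bob"
10.1.1.5 - - [12/Jan/2006:10:01:20 +0000] "GET /intranet/ HTTP/1.1" 200 2048 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<user>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # The gateway writes "-" when a request is not tied to a portal user;
    # keep those visible as a bucket instead of silently dropping them.
    if rec["user"] in ("", "-"):
        rec["user"] = "(unattributed)"
    return rec


def parse_log(text):
    """Parse every well-formed line of a log text into a list of records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def source_ips(records):
    """Distinct client IPs as the server sees them: behind a proxying gateway, one address."""
    return {r["ip"] for r in records}


def requests_by_user(records):
    """Map each portal user to the (status, path) pairs they generated."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["status"], r["path"]))
    return dict(by_user)


def users_with_repeated_denials(records, threshold=3):
    """Users who received at least `threshold` 403 responses: candidates for the
    access-control-violation alerting the guide recommends."""
    denials = defaultdict(int)
    for r in records:
        if r["status"] == 403:
            denials[r["user"]] += 1
    return {u: n for u, n in denials.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("source IPs seen by the server:", source_ips(recs))
    for user, reqs in requests_by_user(recs).items():
        print(user, reqs)
    print("repeated denials:", users_with_repeated_denials(recs))
```

Without the header, all five requests would collapse into one source IP and the three denials could not be tied to a single account; with it, the denial count per user can feed the alerting process described in the best practices.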
3. Supported access modes

The VPN Gateway portfolio provides several different access modes. These access modes can be used concurrently by different users or groups. They can be served from the same public IP address or separated as desired. Each mode has advantages and disadvantages in terms of application support flexibility, compatibility, and security.
application and has an optimized FastPath mode for UDP-based traffic, such as the Real-time Transport Protocol (RTP) used to carry VoIP traffic. NetDirect has specific browser and platform requirements, depending on the version of VPN Gateway software used. In addition, NetDirect may require the user to have Administrator rights on the client PC.

Figure 1: Sample SSL-VPN portal
4.1 Secure Remote Access Solution topology

Figure 2 on page 13 depicts a basic topology for a non-resilient solution. Connecting clients can be anywhere on the global Internet. When using IPsec, clients launch a software client, which connects to the VPN Gateway after resolving its public Domain Name System (DNS) name. When using SSL-VPN, a browser is used to connect to the Gateway through a URL such as https://sslvpn.example.com.
Figure 2: Secure Remote Access Solution topology

4.1.2 Required internal firewall policies

The VPN Gateway must have restricted access to intranet resources through the DMZ internal firewall. The security policy on this DMZ internal firewall depends entirely on the applications and services provided by the remote access solution.
the case of compromised or infected endpoints, an in-line intrusion prevention system (IPS) can detect and block known threats and act as a second line of defense against unauthorized traffic. Place the IDS/IPS sensor on the trusted side of the VPN Gateway so that it has visibility into clear-text (non-encrypted) traffic.
Design recommendation: Use single-sign-on capabilities, but restrict the servers and domains to which the VPN Gateway passes credentials, to prevent password theft by non-approved hosts. When using token-based two-factor authentication systems that use a one-time password (OTP), the credentials cannot be reused for applications that also require OTP authentication.
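The following added example (not from the guide or from Nortel) shows one way to enforce the "restrict servers and domains" part of that recommendation before the gateway forwards a user's credentials to a portal link. The approved host and domain names are constructed placeholders. The check matches either an exact approved host or a real subdomain boundary, so a look-alike name that merely starts with an approved domain is refused; the requirement that the target be reached over HTTPS is an added check, not something the guide states.

```python
from urllib.parse import urlsplit

# Constructed policy: the only hosts and domains the gateway may forward the
# user's credentials to. All names are placeholders, not from the guide.
APPROVED_SSO_HOSTS = frozenset({"intranet.example.com", "mail.example.com"})
APPROVED_SSO_DOMAINS = frozenset({"apps.example.com"})  # every host beneath this domain


def target_host(url):
    """Hostname the request will actually reach: lower-cased, without port or userinfo.

    urlsplit().hostname already discards anything before the last '@', so a
    link such as https://intranet.example.com@other.example/ resolves to other.example.
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".")  # "intranet.example.com." names the same host


def may_forward_credentials(url, hosts=APPROVED_SSO_HOSTS, domains=APPROVED_SSO_DOMAINS):
    """True only when the link points at an approved host over HTTPS.

    Domain matching requires host == domain or host ending in "." + domain,
    so "apps.example.com.other.example" is not accepted.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":  # added check: never send credentials in clear text
        return False
    host = target_host(url)
    if host is None:
        return False
    if host in hosts:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    # Constructed sample links a portal administrator might configure.
    for link in [
        "https://intranet.example.com/login",
        "https://Intranet.Example.com:8443/login",
        "https://payroll.apps.example.com/",
        "https://apps.example.com.other.example/login",
        "https://intranet.example.com@other.example/login",
        "http://intranet.example.com/login",
    ]:
        print(f"{link:55} forward credentials: {may_forward_credentials(link)}")
```

The host-level comparison is done on the parsed hostname rather than on the raw URL string so that case, port numbers, trailing dots and userinfo tricks cannot make a non-approved server look approved.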
Design recommendation: Map your VPN users into a small set of groups and use those groups to control network access and portal application links.

4.2.1.2.2 Access control

The Nortel VPN Gateway allows fine-grained control over which intranet resources users can access.
Required operating system type, version and service pack level: Checking the baseline client operating system type, version, and service pack level ensures compatibility and prevents older, potentially vulnerable systems from connecting. You can also check for specific patches when known vulnerabilities have been addressed by software patches.
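As an added illustration of such an endpoint compliance check (this is example code, not the guide's or Nortel's checker), the following evaluates a client's self-reported platform against a baseline of operating system type, minimum version, minimum service pack and required patches. The operating system name, version numbers and patch identifiers are constructed placeholders. The service pack rule is applied only when the endpoint is at exactly the minimum version, on the assumption that a newer version supersedes the older service pack.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Minimum platform the compliance check requires before a session is granted."""
    os_type: str
    min_version: tuple           # e.g. (5, 1) for major.minor
    min_service_pack: int        # applies when the endpoint is at exactly min_version
    required_patches: frozenset  # patch identifiers that must be present


@dataclass(frozen=True)
class EndpointReport:
    """What the client-side checker reported about the connecting PC."""
    os_type: str
    version: tuple
    service_pack: int
    installed_patches: frozenset


def fmt_version(v):
    return ".".join(str(x) for x in v)


def check_endpoint(report, baseline):
    """Return a list of violation strings; an empty list means the endpoint is compliant."""
    violations = []
    if report.os_type.lower() != baseline.os_type.lower():
        violations.append(f"operating system {report.os_type!r} is not {baseline.os_type!r}")
        return violations  # version and patch rules are meaningless for another OS
    if report.version < baseline.min_version:
        violations.append(
            f"version {fmt_version(report.version)} is below minimum {fmt_version(baseline.min_version)}"
        )
    elif report.version == baseline.min_version and report.service_pack < baseline.min_service_pack:
        violations.append(
            f"service pack {report.service_pack} is below minimum {baseline.min_service_pack}"
        )
    missing = sorted(baseline.required_patches - report.installed_patches)
    if missing:
        violations.append("missing patches: " + ", ".join(missing))
    return violations


# Constructed baseline and endpoint reports; OS name, versions and patch ids are placeholders.
BASELINE = Baseline("ExampleOS", (5, 1), 2,
                    frozenset({"PATCH-PLACEHOLDER-A", "PATCH-PLACEHOLDER-B"}))
COMPLIANT = EndpointReport("ExampleOS", (5, 1), 2,
                           frozenset({"PATCH-PLACEHOLDER-A", "PATCH-PLACEHOLDER-B", "PATCH-PLACEHOLDER-C"}))
OLD_SERVICE_PACK = EndpointReport("ExampleOS", (5, 1), 1,
                                  frozenset({"PATCH-PLACEHOLDER-A", "PATCH-PLACEHOLDER-B"}))
OLD_VERSION = EndpointReport("ExampleOS", (5, 0), 4,
                             frozenset({"PATCH-PLACEHOLDER-A", "PATCH-PLACEHOLDER-B"}))
NEWER_BUT_UNPATCHED = EndpointReport("ExampleOS", (6, 0), 0,
                                     frozenset({"PATCH-PLACEHOLDER-A"}))
WRONG_OS = EndpointReport("OtherOS", (9, 9), 9, frozenset())

if __name__ == "__main__":
    for name, rep in [("compliant", COMPLIANT), ("old service pack", OLD_SERVICE_PACK),
                      ("old version", OLD_VERSION), ("newer but unpatched", NEWER_BUT_UNPATCHED),
                      ("wrong OS", WRONG_OS)]:
        print(f"{name:20} -> {check_endpoint(rep, BASELINE) or 'compliant'}")
```

Returning every violation rather than only the first gives the user, and the administrator reviewing the compliance-check violation log, the complete list of what must be fixed before the endpoint is admitted.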
4.2.1.5 VPN Gateway clustering

The Nortel VPN Gateway provides built-in support for clustering multiple Gateways. Up to 255 devices can participate in a cluster.
Figure 3: Active/active HA solution

See the VPN Gateway BBI Application Guide or CLI Application Guide for configuration information about DNS round-robin integration, clustering, and Nortel Application Switch integration.
Design recommendation: When possible, use Clientless Mode for application access.

4.2.2.2 Enhanced Clientless Mode for client/server

Enhanced Clientless Mode uses Java applets to enable client/server communication. These applets are launched automatically by preconfigured portal links on the SSL-VPN. The following enhanced clientless features are provided:
is controlled by the MCS Client as part of a home office or small office configuration, you can use inverse split tunneling to direct all traffic through the VPN Gateway, except for a specified local subnet used for IP communication between the MCS Client and the IP Phone.

4.2.3 IP Telephony and multimedia
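To make the inverse split tunneling rule described above concrete, here is an added example (not from the guide, and not the MCS Client's or VPN Gateway's routing code) that decides, for a destination address, whether traffic enters the tunnel or stays on the local network, and contrasts this with ordinary split tunneling. The corporate prefix and the home-office subnet are constructed placeholders.

```python
import ipaddress

# Constructed address plan (placeholders, not from the guide):
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # reachable only through the tunnel
HOME_OFFICE_LAN = [ipaddress.ip_network("192.168.1.0/24")]  # MCS Client <-> IP Phone subnet


def route_for(dst, mode, corporate=CORPORATE_NETS, local_exceptions=HOME_OFFICE_LAN):
    """Return "tunnel" or "local" for a packet to `dst` under the given tunneling mode.

    "split":         only corporate destinations use the tunnel; everything else is local.
    "inverse-split": everything uses the tunnel except the listed local subnets, which is
                     the configuration the guide describes for the MCS Client and IP Phone.
    """
    ip = ipaddress.ip_address(dst)
    if mode == "split":
        return "tunnel" if any(ip in n for n in corporate) else "local"
    if mode == "inverse-split":
        return "local" if any(ip in n for n in local_exceptions) else "tunnel"
    raise ValueError(f"unknown tunneling mode {mode!r}")


def compare_modes(destinations):
    """Side-by-side decision for each destination: (split, inverse-split)."""
    return {d: (route_for(d, "split"), route_for(d, "inverse-split")) for d in destinations}


if __name__ == "__main__":
    # Constructed destinations: a corporate server, the local IP Phone, a public host.
    for dst, (split, inverse) in compare_modes(["10.20.30.40", "192.168.1.50", "203.0.113.10"]).items():
        print(f"{dst:15} split: {split:7} inverse-split: {inverse}")
```

The security difference is visible in the third destination: with ordinary split tunneling a public host is reached directly from the home network, while with inverse split tunneling it is reached through the gateway, where the internal firewall and IDS/IPS can see it. Keep the local exception list as narrow as the phone-to-client subnet actually requires, since every excluded prefix bypasses that inspection.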
For complete information about this solution, see the CS 1000-C200 VoIP Solution and Configuration Guide in the VPN Router 200 Series section of the Nortel customer support portal at www.nortel.com/cs.

4.2.4 Network management

The primary element management solution for the VPN Gateway is the browser-based interface (BBI) or command line interface (CLI).
an extensive range of communications applications (call center, unified messaging, VPN, auto attendant, wireless telephony), all accessed by simply entering a key code.
• Nortel Remote Media Gateway portfolio
  – Media Gateway 1000B
• Survivable Remote Gateway portfolio
  – Survivable Remote Gateway 50 (built on the BCM 50 platform)
  – Survivable Remote Gateway 1.0 (built on the BCM 200 and BCM 400 platforms)
• Remote Gateway 9100 Series
  – Remote Gateway 9115
  – Remote Gateway 9150
• Nortel Optivity Telephony Manager (OTM)
• Redundant Gatekeepers, Gateways and Client Proxies
• WAN Gateway survivability
• Uses Media Gateway 1000S (up to four per system) to provide local access to TDM devices such as RAN/Music, Conference/Tones, analog/digital lines and analog/digital trunks
• Seamless network integration, simplified management, greater flexibility in deployment, and reduced support costs
4.2.5.2.2 Nortel Communication Server 1000 Element Management

CS 1000 Series system management is performed using the Nortel Optivity Telephony Manager along with Element Manager.
cards in the MG 1000T Core and all cards in up to four MG 1000T Expansions. The MG 1000T supports Media Cards, Digital PSTN Interface Cards (E1, T1, ISDN), Analog Trunk Cards, Service Cards and DECT Mobility Cards.

4.2.5.2.4 Nortel Remote Gateway

Nortel offers a wide variety of remote gateway solutions that extend enterprise communications to teleworkers and remote offices.
circuit-switched telephone lines. With each Nortel Remote Gateway solution, remote workers have full access to the corporate telephone network, just as if they were working at the main corporate site.
Nortel MCS 5100 is deployed alongside an enterprise's current network infrastructure, enriching the enterprise user's communications experience and providing new SIP multimedia applications. The Nortel MCS 5100 supports a suite of integrated multimedia capabilities that give users a feature-rich multimedia experience.
from your PC and the Nortel Multimedia Clients. The Multimedia Client applications provide a wide range of communications features, from traditional telephone service to advanced multimedia communications such as video calling, instant messaging, call screening, real-time call disposition, conferencing, file sharing, and whiteboarding.
IP desk phone. The Nortel WLAN IP Telephony Handset is one of the components of the Nortel WLAN IP Telephony Solution. Refer to the Voice over Wireless LAN Technical Solution Guide for a detailed overview of the entire wireless LAN solution.
5. Secure Remote Access Solution summary

The Secure Remote Access Solution presented in this guide shows the components, features, and functionality available when implementing a Nortel solution. Nortel is positioned to provide a secure, resilient infrastructure capable of supporting a wide range of converged applications, including data, multimedia, and voice applications.
Contact us

For product support and sales information, visit the Nortel web site at www.nortel.com. In North America, dial toll-free 1-800-4Nortel; outside North America, dial 987-288-3700.