Table of Contents
- 1. Background: mobile access requirements
- 1.1 High-value data assets
- 1.2 Critical business systems
- (1) OA system
- (2) CRM system
- (3) Personnel and financial systems
- (4) R&D and market management
- 1.3 Secure access overview
- 2. Mobile access security features
- (1) Authentication
- (2) Endpoint security
- Endpoint security risks and hazards
- Endpoint security risks and solutions
- Configuration on demand by scenario
- (3) Access authority
- (4) Transport security
- (5) Behaviour traceability
- 3. Typical mobile access scenarios
1. Background: mobile access requirements
1.1 High-value data assets
Once the data that is the lifeblood of a company leaks, the consequences are disastrous.
Case:
Target Corporation data breach:
➢ Hackers stole 40 million credit and debit card records
➢ 7000 million users' data leaked
➢ 1.1 million users affected.
Losses:
➢ Huge compensation: compensation to Visa and MasterCard totalling $206 million; compensation to 110 million users of approximately $200 million
➢ Damage to the business: the group's profit slumped, and the low-cost pharmacy business was forced to be transferred to a competitor
➢ Executives leaving: the group's former CIO and former CEO were forced to resign
The same kind of incident also happens domestically:
1. Many group-buying sites lost business after their information leaked to competitors, leading to an industry reshuffle
2. Many P2P finance companies collapsed after hackers tampered with or destroyed their data
1.2 Critical business systems
The four business systems that are the primary targets of hackers:
(1) OA system
Office automation system
Involves daily office collaboration, approval and other workflows;
one of the targets of hacker attacks;
easy to intrude and a rich source of information.
(2) CRM system
Customer relationship management system
Holds contact details, orders and other data for a large number of customers;
one of the main targets of hacker attacks;
used for long-term theft of customer data and profit through unfair competition.
(3) Personnel and financial systems
Personnel management / financial management system
Involves employee information and the company's fund management;
one of the main targets of hacker attacks;
stolen data is traded for profit on the black-market production chain.
(4) R&D and market management
Product development and market strategy management system
Involves new products, new market directions and similar information;
one of the main targets of hacker attacks;
rivals pay for the data, which drives targeted attacks.
1.3 Secure access overview
Secure access must ensure:
legitimate users and terminals, legitimate authority and behaviour, full encryption of data in transit, and complete recording for traceability
Secure access is not the same thing as link encryption
1.3.1 Comparison of mainstream remote access methods
Access method | Advantages | Disadvantages |
---|---|---|
Internet-based access | Flexible and convenient; accessible at any time | Poor user experience and security |
Dedicated-line access | Reliable, fast, good experience | Expensive and inflexible; only suitable for specific industries |
VPN-based access | Good security, convenient and flexible, accessible at any time; good speed and user experience; affordable | The one-off investment is higher than for the other two methods |
VPN technology comparison
| SSL VPN | IPSec VPN |
---|---|---|
Technical principle | Application layer | Network layer |
Deployment | Centralised deployment | Deployment at both ends (multi-point deployment) |
Terminal usability | Very easy to use; end users access via a browser | Poor ease of use; the terminal needs a client or a hardware device installed |
Management difficulty | Only headquarters needs to be managed | Both headquarters and branch points need to be managed |
Main application scenario | Remote access by individuals | Branch interconnection over the Internet |
Based on the above comparison:
SSL VPN is mainly used for remote mobile-office access to internal company systems from individual terminals, while IPSec VPN is mainly used for multi-point network interconnection between headquarters and branches.
Secure access needs end-to-end security protection
In response to these problems, add technical measures at every layer to raise the attacker's cost:
Layer | Measure |
---|---|
Authentication | Add authentication methods to raise the cost of phishing for credentials |
Endpoint security | Add endpoint security monitoring and control mechanisms to raise the cost of turning a terminal into an attack springboard |
Transport security | Adopt stronger encryption algorithms to raise the cost of intercepting data |
Application access permissions | Add fine-grained permission controls to raise the cost of expanding an attack's reach |
Retrospective audit | Record access behaviour for traceability to raise the cost of keeping an attack hidden |
2. Mobile access security features
(1) Authentication
Username and password
RADIUS
LDAP
CA certificate
Dynamic token
USB key (Ukey) authentication
Pocket Assistant
SMS authentication
Hardware feature: eight authentication methods that can be freely combined
(2) Endpoint security
Endpoint security risks and hazards
Endpoint security risks and solutions
Configuration on demand by scenario
(3) Access authority
More fine-grained control, smaller sphere of influence
A secure access system should have complete permission enforcement functions;
users need to focus on the fine-grained level of control
(4) Transport security
Continuous support for the latest encryption algorithms;
users configure them on demand according to business importance
(5) Behaviour traceability
Once a security incident occurs, it must be possible to quickly locate the source of the risk: which VPN user launched the access
Record users' access behaviour so that the access process is visible and traceable
For the above requirements, the corresponding product is SANGFOR (SINFOR) SSL VPN
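The three layers in sections 2(1), 2(3) and 2(5) (combined authentication factors, fine-grained access authority, and an audit trail that can answer "which VPN user reached this system?") are easiest to see as one small policy model. The following is an added example written for this page; it is not Sangfor code and does not reflect the product's configuration or log format. The role-to-resource policy, the per-resource factor requirements, the request fields and the sample sessions are all constructed assumptions.

```python
"""Added example: layered access decision plus audit trail for a VPN gateway.
Policy format, field names and sample data are hypothetical, not a vendor's."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Hypothetical fine-grained policy: role -> resources ("host:port") it may reach.
POLICY: Dict[str, set] = {
    "sales": {"crm.internal:443"},
    "finance": {"erp.internal:443", "hr.internal:443"},
    "ops": {"oa.internal:443", "crm.internal:22"},
}

# Resources classed as high-value demand two distinct factors; the rest need one.
MIN_FACTORS: Dict[str, int] = {
    "crm.internal:22": 2, "erp.internal:443": 2, "hr.internal:443": 2,
}

# Factor names modelled on the method list in section 2(1) (assumed spellings).
KNOWN_FACTORS = {"password", "radius", "ldap", "certificate", "otp",
                 "ukey", "sms", "hw_feature"}


@dataclass(frozen=True)
class AccessRequest:
    ts: datetime
    user: str
    role: str
    factors: frozenset   # authentication methods completed for this session
    endpoint_ok: bool    # outcome of the endpoint posture check (section 2(2))
    resource: str        # "host:port" the user wants to reach
    src_ip: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: List[dict] = []


def evaluate(req: AccessRequest) -> Decision:
    """Apply the layered checks in order; every outcome, allowed or denied,
    is appended to the audit log so that it can be traced later."""
    if not req.factors <= KNOWN_FACTORS:
        decision = Decision(False, "unknown authentication factor")
    elif len(req.factors) < MIN_FACTORS.get(req.resource, 1):
        decision = Decision(False, "insufficient authentication factors")
    elif not req.endpoint_ok:
        decision = Decision(False, "endpoint posture check failed")
    elif req.resource not in POLICY.get(req.role, set()):
        decision = Decision(False, "resource not permitted for role")
    else:
        decision = Decision(True, "ok")
    AUDIT_LOG.append({
        "ts": req.ts, "user": req.user, "src_ip": req.src_ip,
        "resource": req.resource, "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def trace_resource(resource: str, start: datetime, end: datetime) -> List[str]:
    """Which VPN users reached `resource` in [start, end]? This is the first
    question an incident responder asks (section 2(5))."""
    return sorted({e["user"] for e in AUDIT_LOG
                   if e["resource"] == resource and e["allowed"]
                   and start <= e["ts"] <= end})


def denied_attempts(user: str) -> List[dict]:
    """Denied requests are kept as well: repeated refusals are an early signal."""
    return [e for e in AUDIT_LOG if e["user"] == user and not e["allowed"]]


def demo() -> dict:
    """Constructed sample sessions (not real data) exercising each check."""
    AUDIT_LOG.clear()
    t = datetime(2024, 1, 15, 9, 0)
    reqs = [
        AccessRequest(t, "alice", "sales", frozenset({"password", "sms"}), True, "crm.internal:443", "203.0.113.5"),
        AccessRequest(t, "bob", "ops", frozenset({"password"}), True, "crm.internal:22", "203.0.113.6"),
        AccessRequest(t, "bob", "ops", frozenset({"password", "ukey"}), False, "crm.internal:22", "203.0.113.6"),
        AccessRequest(t, "carol", "sales", frozenset({"password", "otp"}), True, "erp.internal:443", "198.51.100.9"),
        AccessRequest(t, "dave", "finance", frozenset({"certificate", "otp"}), True, "erp.internal:443", "198.51.100.10"),
    ]
    results = [evaluate(r) for r in reqs]
    return {
        "decisions": [(r.user, d.allowed, d.reason) for r, d in zip(reqs, results)],
        "erp_users": trace_resource("erp.internal:443", t, t),
        "bob_denied": len(denied_attempts("bob")),
    }


if __name__ == "__main__":
    for line in demo()["decisions"]:
        print(line)
```

The order of the checks matters: a request that fails on factor count is refused before the endpoint or role is consulted, so the audit reason names the first failed layer rather than a later one. Because denials are logged too, `denied_attempts` can show a user repeatedly probing a resource outside their role, which is the "springboard" pattern section 3 warns about.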
3. Typical mobile access scenarios
(1) Secure access to core business systems
Scenario: raising the security of access to core business systems
Problem: the business system's authentication method is easily spoofed, access restrictions are unclear, and hackers can easily use the system as a springboard to launch attacks
Solution: increase the complexity of user authentication to the system and strictly limit access
(2) Logical isolation of two networks
Scenario: logical isolation between multiple networks
Problem: a terminal connected to two networks at the same time is easily compromised by hackers and used as a springboard to launch attacks
Solution: use SSL VPN to set up a "green channel" between the two networks
(3) Secure access for third-party users
Scenario: third-party partners or operation and maintenance personnel access or maintain business systems
Problem: the access terminals' operating systems and browser versions are diverse, the security state of the terminals is uncontrollable, and the IT skill level of operation and maintenance personnel is generally not high
Solution: the VPN provides an easy-to-install, easy-to-use access environment, rigorously checks the security of access terminals, and provides a unified system for business provisioning and operation and maintenance
Typical applications: government sector bureaus' enterprise report-filing systems; third-party operators' machine-room maintenance access; large corporate partners' ordering systems
(4) Mobile office
Scenario: travelling or home-based users connecting to the corporate headquarters office network
Problem: the network security status is uncontrolled and data in transit is easily intercepted
Solution: increase the complexity of user authentication to the system and strictly limit access