Securing the Corporate Data Center with Citrix Access Gateway

Tim Simmons, Sr. Mgr., Technical Marketing, Citrix Systems, Inc.
Aaron Cockerill, Director, Product Management, Citrix Systems, Inc.

Agenda

Today's Model
[Diagram: Finance Subnet, Wireless Network, File Servers, Web/App Servers, Presentation Server, E-mail Servers, Data Center, Firewall, DMZ, Internet, IDS, Domain Services]

Assumptions: The Corporate Network
#1: Only trusted machines connect to the corporate network
- Trusted machines can host untrusted software
- More mobile users
- More public access points
- Malware is increasing
- Split tunnels on remote VPN connections

The Malware Threat
“Although we saw a steady decline in the rate of viruses produced from 2000 to 2004, down to a 5% year over year growth, we've seen a 20% increase in malware-related threats between 2004 and 2005, and anticipate that these numbers will stay at the higher rate of growth for the immediate future.”
Vincent Gullotto, Vice President of McAfee's Security Lab, Avert

Assumptions
#2: Only employees connect to the corporate network
- Trusted visitors
- Access to wired connections
- Rogue access points

Assumptions
#3: Authenticated users should be trusted on the network
[Diagram: OSI Model]

Assumptions
#4: Applications communicate securely on the network
Applications may transmit sensitive data unencrypted due to:
- User error
- Configuration error
- Poor software design
[Diagram: Web/App Servers]

Threat Summary
- Untrusted machines on the network
- Malware
- Split tunnels on VPN connections
- Network infrastructure is not user-aware
- Unencrypted sensitive data on the network
The model needs to evolve

Enclave Model
[Diagram: Internet, Firewall, File Servers, Web/App Servers, Presentation Server, E-mail Servers, Data Center, Domain Services, DMZ, SSL/VPN Gateway, Enclave Support Services, User Enclave]

Enclave Model
[Diagram: Internet, Firewall, File Servers, Web/App Servers, Presentation Server, E-mail Servers, Data Center, Domain Services, Access Gateway, Wireless Access Points, SSL/VPN Gateway]

Data Center Deployment
[Diagram: NetScaler Load-Balancer, Data Center, File Shares, Web Servers, Advanced Access Control Servers, Access Gateways, Enterprise Resource Servers, Exchange/Notes, Citrix Presentation Server, Active Directory Domain, Firewall, From User Enclave Networks]

Access Gateway 4.2: What's New?
- Access Gateway integrated with Advanced Access Control
- No more software secure gateway in AAC package
- SG continues to ship with Presentation Server
- New Advanced Access Control User Interface
- Navigation UI includes Presentation Server applications
- Support for double source authentication (e.g. AD & RSA)
- New Black Bezel
- Rename Access Gateway Enterprise to “Access Gateway and Advanced Access Control”
- Multi-Lingual Support

Standard AG+AAC Deployment
[Diagram: Firewall, Client Device, Secure Control Channel (SOAP), Advanced Access Control, File Servers, E-mail Servers, IP PBX, Web/App Servers, Presentation Server]

AG+AAC Traffic - Browser-based
[Diagram: Firewall, Advanced Access Control, File Servers, E-mail Servers, IP PBX, Web/App Servers, Presentation Server]

AG+AAC Traffic - ICA/CGP
[Diagram: Firewall, File Servers, Web/App Servers, Presentation Server, E-mail Servers, IP PBX, Advanced Access Control, Secure Control Channel]

AG+AAC Traffic - VPN
[Diagram: Firewall, File Servers, Web/App Servers, Presentation Server, E-mail Servers, IP PBX, Advanced Access Control, Secure Control Channel]

SmartAccess
Advanced Endpoint Sensing + User Scenario
Which User

SmartAccess: Overview

Analyze Access Scenario (Analyze Endpoint & Connection)
Analyze endpoint to ensure connections are:
- Safe: ensure connection will not harm corporate infrastructure
- Trusted: analyze user, machine, and network identity to ensure the connection is being made as claimed
- Secure: ensure malicious parties cannot attack corporate infrastructure from connecting devices
Provide an extensible architecture (via SDK) to allow customers and 3rd parties to easily create custom scans
- Machine Identity: NetBIOS name, Domain Membership, MAC address
- Machine Configuration: Operating System, Anti-Virus System, Personal Firewall, Browser
- Network Zone
- Login Agent
- Authentication Method
- Client Certificate Queries
- Custom Endpoint Scans

Implement Access Control
Policy Based Access Control: Situational or contextual access control based on user membership, authentication strength, device and connection to ensure IT resources are not exposed to unwarranted risk
- CPS applications
- File & network shares (UNCs)
- Web based email
- Web sites (URLs)
- Web applications
- Email & application synchronization

Implement Resource Usage Control
Intellectual Property Control: Manage the use of sensitive information by:
- controlling how information is accessed and used (CPS, HTML Preview, LiveEdit etc.)
- controlling what can be done with that information (download, print, save, copy, etc.)
- ensuring no data is left on the local machine
Enable companies to log all access
- Full download of documents
- LiveEdit: Edit locally; Save back to server; Retain in memory during edit; Avoid data leakage on client
- Preview documents with HTML: Access from PDAs; View without application on client
- Attach to email: Avoid data transmission to client
- CPS Applications: Control available applications; Limit local mapped drives & printing

SSL-VPNs

Access Methods
- Full desktop experience
- Client-server applications
- Web-based applications
- Voice over IP Softphones

Granular Access Controls
- File Preview; Web E-mail; Controlled Presentation Server Access
- File Download; Local Edit and Save; File Upload
- E-mail Sync; Web E-mail; Full Presentation Server Access; Full Presentation Server App Set
- Edit in Memory; Limited Presentation Server access (read-only local drive mapping); Limited Presentation Server application set; File Preview; File Upload; E-mail Sync; Web E-mail
[Diagram label: Public Kiosk]

Intelligent Networks
- Network infrastructure vendors are building “intelligent networks”
- Technology is still in development
- Requires a replacement of existing firewalls, switches, and routers

Citrix Access Gateway Benefits
- Improved management and control
  - Ensure client devices are secured prior to access
  - Helps to reduce administrative errors
  - Greater visibility into network activities
- Address regulatory compliance
  - Document Protection
  - Strong Authentication
  - Auditing & Logging
- Enhanced network policies
  - Adaptive policy based access control
  - Greater intelligence results in better defense
- All network traffic is secure
  - Secure (encrypted) Communications
  - Enhances Intrusion Detection Systems (UserID-IP)
  - Restrict visitor access
- Simplify wireless networks
  - Minimize complexity associated with LEAP, EAP, WEP, WPA, etc.
- Mitigate threats to the network
  - Minimizes interconnection between computers/subnets
  - Divides network into manageable pieces

Cost Effective Improvements
- The Citrix Access Gateway provides a cost-effective implementation of enclaves
- The technology is available today!

Before you leave
Recommended related breakout sessions:
- 3114: Securing Remote Access with Citrix Access Gateway, Tuesday, October 11, 11:00am-11:50am
- 2128: Citrix Access Gateway, the Best Way to Secure Citrix Presentation Server, Tuesday, October 11, 3:30-4:20pm
Session surveys are available online at Tuesday, October 11 (please provide feedback)
Breakout session handouts are located at the Breakers Registration Desk South

[Diagram: Enclave Support Services, Data Center, Finance Subnet, Firewall, DHCP, Active Directory Domain, Print Services, Internet]