To overcome many of the shortcomings of client-side VPN solutions, the awayWEB system utilises standard web browser technologies. The use of a web browser as a VPN client has a number of key advantages:
Internet browsers are not specifically designed for security applications. The awayWEB system provides a number of security and privacy management features to protect the user and their sensitive information. The awayWEB system addresses browser privacy and security issues including:
During any given Internet session using a standard browser (e.g. Internet Explorer or Netscape) a concise history of pages visited is stored within the browser. Therefore anyone could obtain valuable information by inspecting the browser history after a user has closed their Internet session. The awayWEB system ensures that the names of the web pages visited using awayWEB are not retrievable once the session is completed.
Using a standard browser a cached copy of page content may be stored on the local machine. Therefore users may inadvertently leave sensitive corporate information on machines that they have used to browse the corporate network. Using the awayWEB system, the browser is automatically requested not to save copies of any information in the cache, regardless of the application or user settings.
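The cache behaviour described above is normally enforced with HTTP response headers set by the gateway rather than by anything the user configures. The following Python is an added illustration, not awayWEB's own code, and it assumes the gateway rewrites the headers of every proxied intranet page; it also shows the case the text implies, an upstream application that explicitly permits caching and must be overridden.

```python
"""Cache suppression at a web VPN gateway (added illustration).

Assumption: the gateway rewrites the HTTP response headers of every
intranet page it proxies so that the browser neither stores the page
on disk nor serves it from cache later.  The header set below is the
standard HTTP/1.0 and HTTP/1.1 mechanism; the page itself does not say
how awayWEB implements the request.
"""

# Headers the gateway forces onto every response it relays.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",          # honoured by HTTP/1.0 caches
    "Expires": "0",                # already-expired, for old browsers
}


def suppress_caching(headers):
    """Return a copy of the response headers with caching forbidden.

    Header names are matched case-insensitively, so an upstream
    'cache-control: public, max-age=3600' is replaced rather than
    duplicated; a duplicate would leave the cacheable copy in place.
    """
    override_names = {name.lower() for name in NO_STORE_HEADERS}
    hardened = {
        name: value
        for name, value in headers.items()
        if name.lower() not in override_names
    }
    hardened.update(NO_STORE_HEADERS)
    return hardened


def is_cacheable(headers):
    """Conservative check: True if a browser may store this response.

    Only an explicit 'no-store' directive is treated as safe; anything
    else (missing header, 'private', 'max-age') is reported as cacheable.
    """
    cache_control = ""
    for name, value in headers.items():
        if name.lower() == "cache-control":
            cache_control = value.lower()
    directives = {d.strip() for d in cache_control.split(",")}
    return "no-store" not in directives


# Constructed example of what an intranet application might send.
UPSTREAM_RESPONSE = {
    "Content-Type": "text/html",
    "cache-control": "public, max-age=3600",
}

if __name__ == "__main__":
    print("upstream cacheable:", is_cacheable(UPSTREAM_RESPONSE))
    print("after gateway:", suppress_caching(UPSTREAM_RESPONSE))
```

The `is_cacheable` check is the one to run against a gateway in testing: fetch an intranet page through it and confirm the headers that reach the browser contain `no-store`, whatever the application behind it sent.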
Many environments, such as Internet cafés, should be considered "hostile environments". It is not unusual to discover that machines within these environments have had malicious software installed that looks for user names and passwords, and upon discovery sends them to a potential attacker. Using the awayWEB system, users within these "hostile environments" are protected from this type of attack (Section 3.4).
Almost all browsers support the Secure Socket Layer (SSL) standard. This standard is used extensively throughout the Internet to secure e-commerce transactions such as Internet Banking and Credit Card payments. The awayWEB system utilises SSL to ensure communications with the remote user remain private and secure.
AwayWEB is compatible with SSL web server security certificates (X.509v3) from all major certificate authorities, such as Verisign, Thawte, Entrust.net and Equifax. The use of X.509v3 certificates signed by recognised certificate authorities gives the users a high level of assurance that they are connecting securely to the appropriate corporate network.
AwayWEB supports full strength 128 bit encryption and is additionally compatible with Verisign 'SGC'/Global certificates.
In the potentially "hostile environment" of the open Internet, the traditional username and password method of user authentication becomes dangerously ineffective. Passwords are easily stolen, copied or guessed by would-be intruders. The wide availability and usage of 'untrusted' public clients, such as those found in airport lounge kiosks and Internet cafés, makes the intruder's life even simpler. Commonly available keyboard 'sniffing' software allows an intruder to easily steal network logon passwords entered into PCs in an Internet café.
To address this, awayWEB utilises 'two-factor authentication'. This is a system which ensures greater security than the traditional password by requiring two forms of identification. This is sometimes referred to as "has and knows", i.e. the user 'has' a physical object (such as a token) and the user 'knows' something (such as a PIN code to access the token). An example where this system is already widely used is ATM transactions, which require both a bank card and a PIN for authorisation.
The awayWEB system supports a range of 'two-factor' authentication methods such as:
Hand-held authenticator tokens can be used with any computer system without requiring new software or additional hardware or peripherals to be installed or configured.
Each passcode provided by these tokens is valid only for a single use within a short period of time. Therefore a stolen passcode is useless, and it is impossible for users to write down or record their password in inappropriate locations.
With these devices it becomes difficult for users to misuse their login names and passwords. Unlike traditional login names and passwords, tokens must be used with their associated PIN codes. This high level of identity assurance can also offer an aspect of 'non-repudiation'.
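What the gateway has to do with a token passcode is the part the paragraphs above leave implicit: check the PIN the user knows, check the passcode the token generated for the current time window, and refuse a passcode that has already been accepted, so a code captured by keylogging software in an Internet café is worthless once it has been used or the window has passed. The Python below is an added illustration, not awayWEB's or any token vendor's code; it assumes a time-based token in the style of RFC 6238 (HOTP over a 30-second counter) and uses the RFC test secret, both labelled in the comments.

```python
"""Two-factor ('has and knows') verification at a gateway login.

Added illustration.  Assumptions: the hand-held token produces
time-based one-time passcodes as in RFC 6238 (HMAC-SHA1 HOTP over a
30-second counter, 6 digits); the user also knows a PIN.  Both factors
must be right, and a passcode accepted once is never accepted again.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30       # seconds per passcode (RFC 6238 default)
DIGITS = 6
ALLOWED_DRIFT = 1    # accept one step either side for clock skew


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time, digits=DIGITS):
    """Passcode the token displays at the given Unix time."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def pin_hash(pin):
    # Simplified for the illustration: a deployed gateway would use a
    # salted, slow password hash for the 'knows' factor as well.
    return hashlib.sha256(pin.encode()).hexdigest()


class TwoFactorVerifier:
    """Checks PIN + token passcode and enforces single use per window."""

    def __init__(self, users):
        # users: name -> (token_secret_bytes, pin_hash_hex)
        self.users = users
        self.used = {}   # name -> set of counters already accepted

    def verify(self, name, pin, passcode, now):
        record = self.users.get(name)
        if record is None:
            return False
        secret, stored_pin_hash = record
        # Factor 1: something the user knows.
        if not hmac.compare_digest(pin_hash(pin), stored_pin_hash):
            return False
        # Factor 2: something the user has, within a small drift window.
        counter = now // TIME_STEP
        for c in range(counter - ALLOWED_DRIFT, counter + ALLOWED_DRIFT + 1):
            if hmac.compare_digest(hotp(secret, c), passcode):
                seen = self.used.setdefault(name, set())
                if c in seen:
                    return False     # replay of an already-used passcode
                seen.add(c)
                return True
        return False


# Constructed demo data: the RFC 4226/6238 test secret and a sample PIN.
DEMO_SECRET = b"12345678901234567890"
DEMO_USERS = {"alice": (DEMO_SECRET, pin_hash("1234"))}

if __name__ == "__main__":
    v = TwoFactorVerifier(DEMO_USERS)
    code = totp(DEMO_SECRET, 59)
    print("passcode at t=59:", code)
    print("first use:", v.verify("alice", "1234", code, 59))
    print("replay:", v.verify("alice", "1234", code, 59))
```

The drift window is the usual trade-off between tolerating token clock skew and widening the replay window; the `used` set closes the replay half of that trade-off, and in a real gateway it would live in shared storage so that every node enforces it.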
The awayWEB system leverages existing investment in infrastructure, policies and support arrangements by accessing the existing authorisation infrastructure. Once users are authenticated, the permissions and privileges granted to each user are controlled using a central authorisation policy and authorisation database.
The awayWEB system uses the standard LDAP protocol to access a directory of users and their associated group memberships. AwayWEB works with:
The awayWEB system records an audit trail of every intranet action taken by each remote user. The use of strong, two-factor authentication means that each user can be held accountable for the actions logged against their identity. In the event that an intranet system is misused, the awayWEB gateway provides a strong independent audit trail of all activity.
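The two preceding ideas, a central policy driven by directory group membership and a per-request audit record tied to the authenticated identity, fit together in one request-handling path. The Python below is an added illustration, not awayWEB's own code. It assumes the directory lookup has already returned the user's group DNs (a constructed dict stands in for an LDAP search of the memberOf attribute), that policy maps groups to intranet URL prefixes and HTTP methods, and that the audit fields shown are a reasonable set, since the page's own field list is not reproduced here. It also normalises the request path before matching, so a `..` segment cannot slip past a prefix rule.

```python
"""Central authorisation plus per-request audit trail at the gateway.

Added illustration.  Assumptions: group membership comes from a
directory (constructed dict below in place of an LDAP memberOf search);
POLICY maps group DN -> (url prefix, allowed methods); every decision,
allowed or denied, is written to the audit trail under the
two-factor-authenticated user name.  Audit field names are assumed.
"""
import posixpath
from datetime import datetime, timezone

# Constructed stand-in for an LDAP directory: user -> list of group DNs.
DIRECTORY = {
    "alice": ["cn=finance,ou=groups,dc=example,dc=com",
              "cn=staff,ou=groups,dc=example,dc=com"],
    "bob":   ["cn=staff,ou=groups,dc=example,dc=com"],
}

# Central authorisation policy: group DN -> [(url_prefix, methods)].
POLICY = {
    "cn=staff,ou=groups,dc=example,dc=com":
        [("/intranet/", {"GET"})],
    "cn=finance,ou=groups,dc=example,dc=com":
        [("/intranet/finance/", {"GET", "POST"})],
}


def groups_for(user):
    """Group DNs for a user; an unknown user has none and is denied."""
    return DIRECTORY.get(user, [])


def normalise_path(path):
    """Collapse '.' and '..' so prefix rules cannot be bypassed."""
    return posixpath.normpath(path)


def is_authorised(user, method, path):
    """Default deny: allow only if some group grants method on a prefix."""
    path = normalise_path(path)
    for group in groups_for(user):
        for prefix, methods in POLICY.get(group, []):
            if path.startswith(prefix) and method in methods:
                return True
    return False


class AuditTrail:
    """Append-only list of per-request audit records (assumed fields)."""

    def __init__(self):
        self.records = []

    def log(self, user, client_ip, method, path, decision, status):
        record = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "client_ip": client_ip,
            "method": method,
            "path": path,
            "decision": decision,
            "status": status,
        }
        self.records.append(record)
        return record


def handle_request(trail, user, client_ip, method, path):
    """Authorise one proxied request and audit the outcome; return status."""
    allowed = is_authorised(user, method, path)
    status = 200 if allowed else 403
    trail.log(user, client_ip, method, path,
              "allow" if allowed else "deny", status)
    return status


if __name__ == "__main__":
    trail = AuditTrail()
    # Constructed sample requests (documentation-range client addresses).
    handle_request(trail, "alice", "203.0.113.5", "POST", "/intranet/finance/report")
    handle_request(trail, "bob", "203.0.113.6", "POST", "/intranet/finance/report")
    handle_request(trail, "bob", "203.0.113.6", "GET", "/intranet/../admin")
    for record in trail.records:
        print(record)
```

Denied requests are logged as deliberately as allowed ones; a run of `deny` records against one identity is the signal an investigator wants when an intranet system is suspected of being misused.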
As a minimum the audit trail records the following information, for each HTTP request processed: