A Remote Access VPN requires Security
Secure VPN without compromises
A remote access VPN has to guarantee the confidentiality, integrity and availability of information and systems. NCP's remote access VPN solution provides this security: it continuously protects end devices and communication media against attacks by means of seamlessly interacting security mechanisms.
The threat situation is not static but changes constantly. To counter current threats in time, all security features have to be kept at the state of the art. NCP's software components can be kept current at low cost through inexpensive updates and upgrades.
Availability of data and systems is a further security requirement of a professional VPN. The task is to tolerate faults on the transmission path and to prevent downtime of central systems.
NCP Remote Access VPN – overview of the most important security features:
- Dynamic personal firewall with "Friendly Net Detection"
- Strong authentication
- Endpoint Security – Quarantine Zone
- Parameter lock
- Line Backup
- System Availability (HA-Services)
- Enforced internet connection via company headquarters
- FIPS Inside
Dynamic Personal Firewall with Friendly Net Detection (location awareness) - optimized for remote access
This personal firewall protects end devices against attacks from the internet, WiFi and LAN. It is a component of all NCP Secure Clients, works independently of the operating system, and can be centrally administered (NCP Secure Enterprise Solution). Protection of the PC begins at system startup and adapts automatically to the current remote access environment. "Friendly Net Detection" automatically recognizes trusted and untrusted networks, so the appropriate firewall policy is activated or deactivated without any action by the teleworker. Parameter locks, set centrally by the administrator, provide further protection: they prevent users from manipulating or accidentally deactivating the configuration. With this feature, even security-sensitive locations such as public hotspots can serve as access points to the company network. If so configured, the personal firewall remains active even when the VPN service is deactivated.
- IP Network Address Translation (IP-NAT)
- Stateful Packet Inspection
- Application-independent filter rules
- Protocol-, port- and address-based filter rules
- Friendly Net Detection
- Automatic hotspot recognition
- Connection-dependent filter rules
- Extensive logging options
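To make the interplay of Friendly Net Detection and connection-dependent filter rules concrete, here is an added example (not NCP's code or configuration format) of how a client-side firewall can pick a rule set from what it observes about the network and then apply protocol-, port- and address-based first-match rules to traffic. The fingerprint attributes (DNS suffix plus gateway MAC), the profile names, the rule format and the sample networks, addresses and packets are all assumptions made for the illustration. An untrusted network gets a rule set that only permits building the IPsec tunnel; once the tunnel is up, the company network becomes reachable, and everything else stays blocked.

```python
"""Friendly Net Detection with connection-dependent firewall profiles.
Added example, not NCP code; fingerprint attributes, rule format and all
sample data are assumptions for the illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NetworkFingerprint:
    """Attributes the client observes on the network it has just joined (assumed)."""
    dns_suffix: str
    gateway_mac: str


@dataclass(frozen=True)
class FriendlyNet:
    """Centrally configured definition of a trusted network (assumed format)."""
    dns_suffix: str
    gateway_macs: Tuple[str, ...]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dport: int


VPN_GATEWAY = "203.0.113.10/32"   # documentation address, constructed for the example
CORP_NET = "10.0.0.0/8"           # assumed company address range

# First-match rule sets; the profile names are assumptions made for this example.
PROFILES = {
    # Trusted office network: direct access to internal servers, DNS and HTTPS.
    "friendly": [
        Rule("allow", "any", CORP_NET, None),
        Rule("allow", "udp", "0.0.0.0/0", 53),
        Rule("allow", "tcp", "0.0.0.0/0", 443),
        Rule("deny", "any", "0.0.0.0/0", None),
    ],
    # Unknown network (hotspot, home DSL): only the IPsec tunnel may be built.
    "unknown": [
        Rule("allow", "udp", VPN_GATEWAY, 500),    # IKE
        Rule("allow", "udp", VPN_GATEWAY, 4500),   # IPsec NAT-T
        Rule("deny", "any", "0.0.0.0/0", None),
    ],
    # Unknown network with the tunnel up: company network reachable through the tunnel only.
    "unknown_tunnel": [
        Rule("allow", "udp", VPN_GATEWAY, 500),
        Rule("allow", "udp", VPN_GATEWAY, 4500),
        Rule("allow", "any", CORP_NET, None),
        Rule("deny", "any", "0.0.0.0/0", None),
    ],
}


def is_friendly_net(fp: NetworkFingerprint, friendly_nets: List[FriendlyNet]) -> bool:
    """Both attributes must match: a DNS suffix alone is trivial to spoof on a
    rogue hotspot, so it is never sufficient on its own."""
    for fn in friendly_nets:
        if fp.dns_suffix.lower() != fn.dns_suffix.lower():
            continue
        if fp.gateway_mac.lower() in (m.lower() for m in fn.gateway_macs):
            return True
    return False


def select_profile(fp: NetworkFingerprint, friendly_nets: List[FriendlyNet],
                   tunnel_up: bool) -> str:
    """Location awareness: the profile follows the network, then the tunnel state."""
    if is_friendly_net(fp, friendly_nets):
        return "friendly"
    return "unknown_tunnel" if tunnel_up else "unknown"


def evaluate(packet: Packet, rules: List[Rule]) -> str:
    """First matching rule wins; no match at all fails closed."""
    for r in rules:
        if r.proto != "any" and r.proto != packet.proto:
            continue
        if ip_address(packet.dst_ip) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != packet.dport:
            continue
        return r.action
    return "deny"


def firewall_decision(fp: NetworkFingerprint, friendly_nets: List[FriendlyNet],
                      tunnel_up: bool, packet: Packet) -> Tuple[str, str]:
    profile = select_profile(fp, friendly_nets, tunnel_up)
    return profile, evaluate(packet, PROFILES[profile])


# Constructed sample data (not real networks or devices).
FRIENDLY_NETS = [FriendlyNet("corp.example", ("00:11:22:33:44:55",))]
OFFICE = NetworkFingerprint("corp.example", "00:11:22:33:44:55")
# A hotspot advertising the office DNS suffix but behind a different gateway.
SPOOFED = NetworkFingerprint("corp.example", "de:ad:be:ef:00:01")

if __name__ == "__main__":
    for fp, up in ((OFFICE, False), (SPOOFED, False), (SPOOFED, True)):
        for p in (Packet("tcp", "10.1.2.3", 445), Packet("udp", "203.0.113.10", 500),
                  Packet("tcp", "93.184.216.34", 443)):
            print(fp.gateway_mac, up, p, firewall_decision(fp, FRIENDLY_NETS, up, p))
```

The point of requiring two independent attributes is the hotspot case: a captive portal can hand out any DNS suffix it likes, but it cannot easily present the office gateway's MAC, so the client stays in the restrictive profile where only IKE and NAT-T to the known VPN gateway are permitted until the tunnel is established.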
NCP's VPN solution always supports the market's latest high-performance algorithms and key lengths, e.g. elliptic curves. Software updates can be downloaded quickly and inexpensively from the Internet.
In a VPN it is no longer sufficient today to grant access to the company network by user name and password alone; both are easy for attackers to spy out. For this reason NCP uses only strong authentication methods in its VPN solutions: the integrated Advanced Authentication, OTP tokens (one-time passwords), elliptic curve cryptography (ECC), digital certificates within a PKI (public key infrastructure) and biometric technologies. One-time passwords are generated dynamically, replace static passwords and lose their validity immediately after use. Digital certificates offer a still higher degree of protection and are universally applicable. They can be deployed as software or on a smart card as X.509 v3 certificates. When required, several trust centers / certification authorities (CAs) can be used in parallel (multi-CA support).
Endpoint Security (NAC) - Quarantine Zone
Endpoint security - also known as Network Access Control or Network Admission Control (NAC) - means that NCP's Secure Enterprise Clients check all security-relevant parameters before the device is granted access to the company network, for example the status of the virus scanner, server information, certificate contents or software versions. Compliance with the security policy is compulsory and cannot be manipulated by the user. If a device does not comply with the policy, it is directed into a designated quarantine zone within the IPsec VPN. The following options are available:
- All security policies fulfilled:
  - Access to the productive network
- If even one security parameter is not fulfilled, the following can be defined:
  - Placement in the quarantine zone with limited server access for updating the software of the remote system
  - Start of external applications on the remote PC
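The admission decision described above can be expressed as a small policy evaluator. The following is an added example and not NCP's code: the report fields, the policy thresholds, the remediation hosts and the action names are assumptions chosen for the illustration. The important properties are that every check is evaluated, that a single failure is enough to land in quarantine, that a parameter the client cannot report (here an unknown signature date) fails closed rather than open, and that the quarantine decision carries with it both the restricted set of reachable servers and the remediation actions to trigger on the remote PC.

```python
"""Endpoint-compliance (NAC) admission decision with a quarantine zone.
Added example, not NCP code; report fields, policy values, host names and
action names are assumptions made for the illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class EndpointReport:
    """Security parameters the client reports before the tunnel is admitted (assumed)."""
    host: str
    av_running: bool
    av_signature_date: Optional[date]      # None if the client could not determine it
    client_version: Tuple[int, int, int]
    cert_issuer: str
    cert_not_after: date


@dataclass(frozen=True)
class Policy:
    """Centrally set security policy (assumed schema)."""
    max_signature_age_days: int
    min_client_version: Tuple[int, int, int]
    trusted_issuers: FrozenSet[str]
    today: date
    remediation_hosts: Tuple[str, ...]     # the only servers reachable from quarantine


@dataclass
class Decision:
    zone: str                              # "production" or "quarantine"
    failed_checks: List[str] = field(default_factory=list)
    allowed_destinations: List[str] = field(default_factory=list)
    remote_actions: List[str] = field(default_factory=list)


def evaluate(report: EndpointReport, policy: Policy) -> Decision:
    failed: List[str] = []
    if not report.av_running:
        failed.append("av_not_running")
    # An unknown signature date counts as outdated: the check fails closed.
    if (report.av_signature_date is None
            or (policy.today - report.av_signature_date).days > policy.max_signature_age_days):
        failed.append("av_signatures_outdated")
    if report.client_version < policy.min_client_version:
        failed.append("client_outdated")
    if report.cert_issuer not in policy.trusted_issuers:
        failed.append("cert_untrusted_issuer")
    if report.cert_not_after < policy.today:
        failed.append("cert_expired")

    if not failed:
        return Decision(zone="production", allowed_destinations=["any"])

    # Any single failure is enough: limited reachability plus remediation actions.
    actions: List[str] = []
    if "av_not_running" in failed or "av_signatures_outdated" in failed:
        actions.append("start:av-update")         # hypothetical external application
    if "client_outdated" in failed:
        actions.append("start:client-updater")    # hypothetical external application
    if "cert_untrusted_issuer" in failed or "cert_expired" in failed:
        actions.append("notify:helpdesk")         # certificate problems need a human
    return Decision(zone="quarantine", failed_checks=failed,
                    allowed_destinations=list(policy.remediation_hosts),
                    remote_actions=actions)


# Constructed policy and sample reports (not real devices).
POLICY = Policy(max_signature_age_days=3, min_client_version=(12, 0, 0),
                trusted_issuers=frozenset({"CN=Corp Issuing CA 1"}),
                today=date(2024, 5, 20),
                remediation_hosts=("update.corp.example", "av-sig.corp.example"))
ISSUER = "CN=Corp Issuing CA 1"
COMPLIANT = EndpointReport("lt-0042", True, date(2024, 5, 19), (12, 1, 3), ISSUER, date(2025, 1, 1))
STALE_AV = EndpointReport("lt-0107", True, date(2024, 5, 10), (12, 1, 3), ISSUER, date(2025, 1, 1))
UNKNOWN_AV = EndpointReport("lt-0200", True, None, (12, 1, 3), ISSUER, date(2025, 1, 1))
ROGUE_CERT = EndpointReport("lt-0999", True, date(2024, 5, 20), (11, 9, 0), "CN=Some Other CA", date(2025, 1, 1))

if __name__ == "__main__":
    for r in (COMPLIANT, STALE_AV, UNKNOWN_AV, ROGUE_CERT):
        d = evaluate(r, POLICY)
        print(r.host, d.zone, d.failed_checks, d.allowed_destinations, d.remote_actions)
```

Note that the decision object, not the client, is what carries the list of reachable servers: the quarantine zone is enforced on the gateway side of the IPsec tunnel, so a user who tampers with the local configuration still cannot widen it.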
The parameter locks have two main functions. The first is to reduce the complexity of the configuration options: parameter folders for features that are not used are hidden, so that the user only sees the settings relevant to his working environment. The second is that presets can be defined which the user cannot change. This prevents misconfigurations and undesired connection setups.
Line backup ensures high availability of the target system even when the transmission path (DSL connection) is disrupted. Disruptions or bottlenecks in the internet can never be ruled out. Connection breaks often lead to data loss and long waiting times until the fault is fixed. Both are unpleasant for the VPN operator and associated with unforeseen additional costs (e.g. important data is not available in time). With the line backup feature, a disrupted DSL connection is automatically switched over to an ISDN backup line (and network administration is informed). The data connection persists, i.e. the user can continue to work without logging in again (no session loss). As soon as the DSL connection is restored, the client automatically switches back to the higher-value connection.
Enforced internet connection via company headquarters
In order to counter attacks from the internet in a sustainable way, it can be centrally specified that all internet traffic must be routed through the VPN tunnel to the company network and its security infrastructure, rather than leaving the client directly.
The high-availability services of the Secure Enterprise Solution provide a higher degree of availability for the Secure Enterprise VPN Server through backup and load-balancing mechanisms. These services ensure that at any point in time - even in the event of a fault - all VPN tunnels remain available for access to the company network. Further information can be found in the data sheet HA Services.
NCP's Secure Clients integrate cryptographic algorithms according to the international FIPS security standard. The embedded cryptographic module, containing the corresponding algorithms, is certified according to FIPS 140-2 (Certificate #1747).