2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net
AGENDA
1. SSL VPN Market Overview
2. SSL VPN Use Cases
3. Access Control and AAA
4. End-to-End Security
5. Junos Pulse
6. Secure Meeting
7. Business Continuity with SSL VPN
8. Hardware, Management and High Availability
BUSINESS CHALLENGE: GRANT ACCESS VS. ENFORCE SECURITY
Maximize Productivity with Access...
- Allow partner access to applications (Extranet portal)
- Increase employee productivity by providing anytime, anywhere access (Intranet, E-mail, terminal services)
- Customize experience and access for diverse user groups (partners, suppliers, employees)
- Enable provisional workers (contractors, outsourcing)
- Support a myriad of devices (smartphones, laptops, kiosks)
…While Enforcing Strict Security
- Allow access only to the necessary applications and resources for certain users
- Mitigate risks from unmanaged endpoints
- Enforce consistent security policy
…And the Solution Must Achieve Positive ROI
- Minimize initial CAPEX costs
- Lower ongoing administrative and support OPEX costs
THE SOLUTION: JUNIPER NETWORKS SA SERIES SSL VPN APPLIANCES
Diagram: remote users (VoIP teleworker, business partner or customer, wireless user, airport kiosk user, mobile user in a cafe) connecting through an SA6500
- Secure SSL access for remote users from any device or location
- Easy access from Web browsers – no client software to manage
- Dynamic, granular access control to manage users and resources
- Single comprehensive solution for access to various application types from various devices
JUNIPER NETWORKS SSL VPN MARKET LEADERSHIP
Source: 3Q10 Infonetics Research Network Security Appliances and Software Report
Juniper maintains #1 market share position worldwide
Leader since SSL VPN product category inception
ANALYST PRAISE & RECOGNITION
2008 Gartner Magic Quadrant for SSL VPN
Source: Gartner (December 2010)
2010 Magic Quadrant Key Takeaways:
“Juniper has maintained the product vision, execution and overall momentum so effectively that it has held a Magic Quadrant leadership position continuously …”
“…entrenched in the Fortune 500 with a track record for large deployments.”
“Juniper is the No. 1 competitive threat cited by peer vendors…”
“Junos Pulse…is expected to pose a strong competitive advantage for Juniper SSL VPN sales.”
http://www.gartner.com/technology/media-products/reprints/juniper/vol6/article7/article7.html
JUNIPER SA SSL VPN RECOGNITION & AWARDS
Award winning, market leading, 3rd party certified
Market share leader & proven solution with over 30,000 customers
SERVING ENTERPRISES AND SERVICE PROVIDERS
Service Providers Enterprise
#1 - REMOTE ACCESS AT LOWER OPERATING COSTS
Diagram: employees with corporate laptops, home PCs and mobile devices reach the e-mail server, applications server and corporate intranet over the Internet through a router, firewall and SA6500
Increased Productivity
- Anytime, anywhere access from any device
- No endpoint software to install or manage
- Easy access facilitated from common browsers
Increased Security
- Encrypted secure access to corporate resources
- Granular access control
- Comprehensive endpoint security enforcement
#2 - EXTRANET PORTALS WITH GREATER SECURITY
Diagram: partners, suppliers and customers reach client/server applications, Web applications and the corporate intranet over the Internet through a router, firewall and SA6500
Administrative ease of use
- Easier management of authorized users
- No client software enforced on external users
- Access enabled from any Web-enabled device
Enforcement of corporate security policies
- Granular access to select applications or resources
- Endpoint security enforced before granting access
- No administrative hassle of managing users’ devices
#3 – BUSINESS CONTINUITY IN CASE OF EMERGENCIES
Diagram: employees, partners and customers reach the e-mail server, Web applications, applications server and corporate intranet over the Internet through a router, firewall and SA6500
Unplanned Events That Could Impact Business Continuity: Hurricane, Snowstorm, Strike, Virus Outbreak, Terrorist Attack
Continued Business Operations
- High remote access demand during an emergency
- Simple scalability to increased demand
- Sustain access for partners and customers
Increased Productivity
- Enable users to work from home or any location
- Assure employees’ safety
- Minimize downtime
#4 – MOBILE DEVICE ACCESS
Diagram: an iPhone reaches the applications server, corporate intranet and e-mail server over the Internet through a router, firewall and SA6500
Improved Ease of Use, Higher Productivity
- Access from any mobile device
- ActiveSync facilitates secure access to Exchange
- Enforce mobile device integrity and security
DYNAMIC ACCESS METHODS BY PURPOSE
Different access methods control users’ access to resources; access control is dynamic, based on user, device, network, etc.
Junos Pulse or Network Connect
- Layer 3 connectivity to corporate network; IKEv2 support for mobile devices with Junos Pulse only
- Supports all applications including resource intensive applications like VoIP & streaming media
- Recommended for remote and mobile employees only, as full network access is granted
- Summary: Layer 3 access to corporate network
Secure Application Manager
- Access to client/server applications such as Windows & Java applications
- One click access to applications such as Citrix, Microsoft Outlook, and Lotus Notes
- Ideal for remote & mobile employees and partners if they have client applications on their PCs
- Summary: granular client/server application access control
Core Access
- Access to Web-based applications, file shares, Telnet/SSH hosted apps, and Outlook Web Access
- Granular access control all the way up to the URL or file level
- Ideal for remote & mobile employees and partners accessing from unmanaged, untrusted networks
- Summary: granular web application access control
CLIENTLESS ACCESS METHOD: CORE ACCESS
Broad set of supported platforms and browsers
Secure, Easy Web Application Access
- Pre-defined resource policies for Sharepoint, Lotus Webmail, etc.
- Support for Flash, Java applets, HTML, Javascript, DHTML, XML, etc.
- Support for hosting & delivering any Java applet
Secure File Share Access
- Web front-end for Windows and Unix files (CIFS/NFS)
Integrated E-mail Client
Secure Terminal Access
- Access to Telnet/SSH (VT100, VT320…)
- Anywhere access with no terminal emulation client
SECURE APPLICATION MANAGER
Full cross platform support for both Windows & Java versions
Granular access control policies for client/server applications
Access applications without provisioning full Layer 3 tunnel
Eliminates costs, complexity, and security risks of IPSec VPNs
No incremental software/hardware or customization to existing apps
WSAM – secure traffic to specific client/server applications
Supports Windows Mobile/PPC, in addition to all Windows platforms
Granular access and auditing/logging capabilities
Installer Service available for constrained user privilege machines
JSAM – supports static TCP port client/server applications
Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
Drive mapping through NetBIOS support
Install without advanced user privileges
LAYER 3 ACCESS METHOD: JUNOS PULSE OR NETWORK CONNECT
- Full Layer 3 access to corporate network
- Dynamic, dual transport mode: dynamically tries SSL in case IPSec is blocked in the network
- Cross platform dynamic download (Active-X or Java delivery)
- Launching options include browser-based, standalone EXE, scriptable launcher and Microsoft GINA
- Client-side logging, auditing and diagnostics available
Diagram: the client reaches the SA Series over either the High Performance transport mode or the High Availability transport mode
ACCESS METHODS: TERMINAL SERVICES
- Seamlessly and securely access any Citrix or Windows Terminal Services deployment
- Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, Hosted Java Applet
- Replacement for Web Interface/NFuse
Native TS Support
- Granular use control
- Secure client delivery
- Integrated Single Sign-on
- Java RDP/JICA fallback
- WTS: Session Directory
- Citrix: auto-client reconnect / session reliability
- High-quality Java RDP applet support available
- Many additional reliability, usability and access control options
ACCESS METHODS: VIRTUAL DESKTOP INFRASTRUCTURE (VDI)
Diagram: a remote/mobile user connects through the SA Series (backed by AAA) to apps servers, a finance server, VMware VDI and Citrix XenDesktop
- SA interoperates with VMware View Manager and Citrix XenDesktop to enable administrators to consolidate and deploy virtual desktops with SA
- Allows IT administrators to configure centralized remote access policies for users who access their virtual desktops
- Dynamic delivery of the Citrix ICA client or VMware View client to users, including dynamic client fallback options for easy connection to their virtual desktops
Benefits:
- Seamless access (single sign-on) for remote users to their virtual desktops hosted on VMware or Citrix servers
- Saves users time and improves their experience accessing their virtual desktops
ACCESS PRIVILEGE MANAGEMENT: 1 USER / 1 URL / 3 DEVICES & LOCATIONS
Pipeline: Pre-Authentication (gathers information from user, network, endpoint) → Authentication & Authorization (authenticate user, map user to role) → Role Assignment (assign session properties for user role) → Resource Policy (applications available to user)
Managed Laptop
- Pre-Authentication: Host Check: Pass; AV RTP On; Definitions up to date; Machine Cert: Present; Device Type: Win XP
- Authentication & Authorization: Auth: Digital Certificate; Role Mapping: Managed
- Role Assignment: Access Method: Network Connect; File Access: Enabled; Timeout: 2 hours; Host Check: Recurring
- Resource Policy: Outlook (full version), CRM Client/Server, Intranet, Corp File Servers, Sharepoint
Unmanaged (Home PC/Kiosk)
- Pre-Authentication: Host Check: Fail; No AV Installed; No Personal FW; Machine Cert: None; Device Type: Mac OS
- Authentication & Authorization: Auth: AD Username/Password; Role Mapping: Unmanaged
- Role Assignment: Access Method: Core; SVW Enabled; File Access: Disabled; Timeout: 30 mins; Host Check: Recurring
- Resource Policy: Outlook Web Access (no file up/download), CRM Web (read-only), Intranet
Mobile Device
- Pre-Authentication: Host Check: N/A; Machine Cert: None; Device Type: Win Mobile 6.0
- Authentication & Authorization: Auth: Digital Certificate; Role Mapping: Mobile
- Role Assignment: Access Method: WSAM, Core; File Access: Enabled; Timeout: 30 mins
- Resource Policy: Outlook Mobile, CRM Web, Intranet, Corp File Servers
ONE DEVICE FOR MULTIPLE GROUPS: CUSTOMIZE POLICIES AND USER EXPERIENCE FOR DIVERSE USERS
Diagram: customers.company.com, employees.company.com and partners.company.com all terminate on one SA Series and map to the “Customer”, “Employee” and “Partner” roles
“Partner” Role
- Authentication: Username/Password
- Host Check: Enabled – Any AV, PFW
- Access: Core Clientless
- Applications: MRP, Quote Tool
“Customer” Role
- Authentication: Username/Password
- Host Check: Enabled – Any AV, PFW
- Access: Core Clientless
- Applications: Support Portal, Docs
“Employee” Role
- Authentication: OTP or Certificate
- Host Check: Enabled – Any AV, PFW
- Access: Core + Network Connect
- Applications: L3 Access to Apps
SEAMLESS AAA INTEGRATION
Full integration into customer AAA infrastructure
- AD, LDAP, RADIUS, Certificate, OTP, etc.
Password Management Integration
- User self service for password management
- Reduced support costs, increased productivity
- All standard LDAP, MSFT AD
Single Sign-On Capabilities
- Seamless user experience for web applications
- Forms, Header, SAML, Cookie, Basic Auth, NTLM v1/v2, Kerberos
SAML Support – Web single sign-on, integration with I&AM platforms
- Standards-based Web SSO
- Partnerships with leading AM vendors (CA, Oracle, RSA, etc.)
KERBEROS CONSTRAINED DELEGATION & SSO
Diagram: remote user, SA SSL VPN, Authentication Manager, Active Directory and back-end applications
Step 1: User logs in with Core Access
Step 2: SA authenticates user
Step 3: User tries to access application protected by KCD
Step 4: SA presents auth credentials on behalf of user to AD to get Kerberos ticket
Step 5: SA enables SSO to back end apps
- Single Sign On (SSO) to backend apps using Core Access
- NTLMv2
- Kerberos SSO
PREMIER JAVA RDP APPLET
- Delivers quality Java applet support for remote desktop connections
- Partnered with Hobsoft to offer as an embedded feature of SA SSL VPN
- Integrated licensing for simple administrative deployments
- Multiple monitors support
- Enterprise-class features
- No admin rights requirements
- Cross-platform support (Windows, Mac, Linux)
- Single-source Juniper (JTAC) support
- All SA SSL VPNs will ship with a 2 user concurrent license; additional support can be bought with subscription licenses
Diagram: remote user connecting over the Internet through the SA Series to Windows Terminal Servers via the RDP applet; the Premier Java RDP Applet enables Windows Terminal Server connectivity with multiple monitor support
HOST CHECKER: ASSESSING THE ENDPOINT
- Point-and-click policy configuration with support for hundreds of leading applications
- AV, Personal Firewall, Anti-Spyware, Anti-Malware, Windows patch checks, machine certificate checks, plus custom policy definition for maximum policy flexibility
- Scan prior to and during authenticated sessions
- Embedded update mechanism to add new applications with no software upgrade
- Devices automatically learn latest signature versions from AV vendors
- Check for AV installation, real-time protection status, definition file age
- Varied remediation options to meet customer needs: custom/standard remediation, automatic remediation, quarantine, Secure Virtual Workspace, 3rd party policy remediation, etc.
- Trusted Network Connect (TNC) architecture for seamless integration with all TNC compliant endpoint security products/vendors
- Leverage existing endpoint security application deployments
- HC policies similar to Juniper’s UAC offering, for common endpoint security across local and remote access deployments
Host Checker
- Check devices before & during session
- Ensure device compliance with corporate policy
- Remediate devices when needed
- Cross platform support
Diagram: home PC user, corporate PC user and airport kiosk user connecting to the SA Series
Home PC User
- No anti-virus installed
- Personal firewall enabled
- User remediated: install anti-virus
- Once installed, user granted access
Airport Kiosk User
- No anti-virus installed
- No personal firewall
- User granted minimal access
Corporate PC User
- AV real-time protection running
- Personal firewall enabled
- Virus definitions up to date
- User granted full access
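The access privilege management table and the Host Checker scenarios above describe one decision: endpoint posture plus authentication method select a role, the role carries session properties (access method, file access, timeout, recurring check), and a recurring check re-evaluates the role during the session. The following Python encodes the slide's three device profiles as an added illustration; it is not Juniper's code or the SA Series' real policy model, and the class and function names (Posture, RolePolicy, map_role, recheck) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Endpoint posture gathered at the pre-authentication stage (hypothetical
# data model; the real Host Checker attribute names are not on the page).
@dataclass
class Posture:
    device_type: str            # "Win XP", "Mac OS", "Win Mobile 6.0"
    host_check_supported: bool  # False where the slide shows Host Check: N/A
    av_installed: bool = False
    av_rtp_on: bool = False     # real-time protection running
    av_defs_current: bool = False
    personal_fw: bool = False
    machine_cert: bool = False

def host_check(p: Posture) -> Optional[bool]:
    """Pass/Fail of the Host Checker policy; None where no check can run."""
    if not p.host_check_supported:
        return None
    return p.av_installed and p.av_rtp_on and p.av_defs_current and p.personal_fw

# Session properties attached to each role (the "Role Assignment" stage)
@dataclass(frozen=True)
class RolePolicy:
    access_methods: Tuple[str, ...]
    file_access: bool
    timeout_min: int
    recurring_hc: bool
    svw: bool                   # Secure Virtual Workspace enabled
    applications: Tuple[str, ...]

ROLES = {
    "Managed": RolePolicy(("Network Connect",), True, 120, True, False,
        ("Outlook", "CRM Client/Server", "Intranet", "Corp File Servers", "Sharepoint")),
    "Unmanaged": RolePolicy(("Core",), False, 30, True, True,
        ("Outlook Web Access", "CRM Web (read-only)", "Intranet")),
    "Mobile": RolePolicy(("WSAM", "Core"), True, 30, False, False,
        ("Outlook Mobile", "CRM Web", "Intranet", "Corp File Servers")),
}

def map_role(auth_method: str, p: Posture) -> str:
    """Role mapping: authentication strength and posture together pick the role;
    anything that does not prove a managed state gets the least access."""
    hc = host_check(p)
    if auth_method == "certificate" and p.machine_cert and hc is True:
        return "Managed"
    if auth_method == "certificate" and hc is None and p.device_type.startswith("Win Mobile"):
        return "Mobile"
    return "Unmanaged"

@dataclass
class Session:
    user: str
    auth_method: str
    role: str

def login(user: str, auth_method: str, p: Posture) -> Session:
    return Session(user, auth_method, map_role(auth_method, p))

def recheck(s: Session, p: Posture) -> Session:
    """Recurring Host Check: re-run role mapping on the current posture, so a
    laptop that loses its AV mid-session drops to Unmanaged, and one that
    remediates (installs AV) is raised back, as the Host Checker slide shows."""
    if ROLES[s.role].recurring_hc:
        s.role = map_role(s.auth_method, p)
    return s

def can_access(s: Session, app: str) -> bool:
    """Resource policy stage: only applications mapped to the role are reachable."""
    return app in ROLES[s.role].applications
```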
ENDPOINT SECURITY – SECURE VIRTUAL WORKSPACE: DESIGNED AND OPTIMIZED FOR UNSECURE KIOSKS
Diagram: on the kiosk, the Secure Virtual Workspace (SVW) with its virtual file system sits beside the real desktop and real file system
- Limited/blocked I/O access from SVW
- Session data encrypted on-the-fly (AES)
- End of session: secure delete OR persistent session (encrypted)
- Clipboard operations blocked from SVW to real desktop
- Host Checker (Java/ActiveX) delivery
- Win 2k/XP systems (user privileges)
- Admin-specified application access
- DoD cleaning/sanitizing standard compliant
- Password-protected persistent sessions
- Controlled I/O access
- Configurable look/feel
- Shreds workspace data when the session ends on the kiosk
- Prevents desktop search software from intercepting or indexing secure web traffic
- Comprehensive protection of company resources when accessed from low security devices, as determined by Host Checker
SYSTEM SECURITY
“Security First” approach to development
- Hardened OS based on a Linux variant
- Protection against many known attacks
- AES encrypted hard disk on every appliance
In-Transit Data Protection
- Data trapping
- URL obfuscation
Numerous 3rd party security audits
- Juniper Security Incident Response Team (SIRT) to quickly investigate any potential vulnerabilities
JUNOS PULSE (FOR WINDOWS)
Dynamically provisioned client for: Connectivity, Security, Acceleration
Support for desktops, notebooks and netbooks
Location aware and identity-enabled
Standards-based
Platform for select third party applications
Builds on Juniper’s market leading SA Series SSL VPN, UAC solution, and WXC Series technology!
SECURE ACCESS FROM MOBILE DEVICES
Junos Pulse for mobile devices enables smartphone and mobile device access to email, Web, and corporate applications
Diagram: Email, Web Apps and Corporate Apps reachable from mobile devices; more applications on more devices over time
JUNOS PULSE MOBILE SECURITY SUITE
Comprehensive Smartphone Device Management and Security Solution
Antivirus, Firewall, Anti-Spam, Loss/Theft Protection, Device Monitoring/Control
Sold with SA Series SSL VPN or as standalone
Requires Junos Pulse Mobile Security Gateway
Secure, hosted deployment
SECURE MEETING: INSTANT ONLINE COLLABORATION
Easy to Use Web Conferencing
- Share desktop/applications
- Group and private chat
- No training required
Easy to Deploy and Maintain
- No pre-installed software required
- Web-based, cross platform
- Personalized meeting URLs for users, e.g. https://meeting.company.com/meeting/johndoe
Affordable – No usage/service fees
Secure
- Fully encrypted/secured traffic using SSL
- No peer-to-peer backdoor
- User credentials protected
- Policy flexibility to meet authentication requirements
Instant or scheduled online collaboration
SECURE MEETING: REMOTE HELPDESK FUNCTIONALITY
- Reduce desktop/application support costs by speeding time to issue resolution
- Significant cost savings over phone-based troubleshooting
- Improve helpdesk/technician productivity
- Fast, easy setup with automatic setting configuration: dynamic client delivery, cross-platform support; automatic desktop sharing/remote control request; secure chatting disabled
- Remote assistance to any user with no software installation
Diagram: help desk and employee connected through the SA Series
RECENT UNPLANNED EVENTS - IMPACTING THE GLOBAL BUSINESS
Recent examples: Volcanic Ash Event (April ‘10), Snowstorms in US (Feb ‘10), Asia Quake Disaster (Dec 04), Pakistani Earthquake (Oct 05), MTA Strike in NYC (Dec 05), Bird Flu Outbreaks?
Disastrous Events
- Pandemic: H1N1 Virus, Avian/Bird Flu, SARS
- Natural: Earthquakes, Hurricanes
- Other: Terror attacks, Winter storms
- Social Distancing: Geographical isolation, Quarantines
Business Continuity Challenges
- Maintain productivity
- Sustain partnerships
- Continue to deliver exceptional service to customers and partners with online collaboration
- Meet government mandates for Disaster Recovery and compliance
JUNIPER NETWORKS ICE FOR BUSINESS CONTINUITY
Juniper Networks ICE delivers
- Proven market-leading SSL VPN
- Easy deployments
- Instant activation
- Investment protection
- Affordable risk protection
Chart: number of remote users over time; average usage stays flat until an unplanned event drives peak demand
What will you do when your non-remote users need access?
Meeting the peak in demand for remote access in the event of a disaster
JUNIPER SSL VPN PRODUCT FAMILY: FUNCTIONALITY AND SCALABILITY TO MEET CUSTOMER NEEDS
Chart: models positioned by enterprise size (horizontal axis) and breadth of functionality (vertical axis): SA700, SA2500, SA4500, SA6500
SA700
- Designed for: SMEs; secure remote access
- Includes: Network Connect
- Options/upgrades: 10-25 conc. users; Core Clientless Access; Network & Security Manager (NSM)
SA2500
- Designed for: Medium enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access
- Options/upgrades: 25-100 conc. users; Secure Meeting; Cluster Pairs; EES; NSM
SA4500
- Designed for: Medium to large enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access
- Options/upgrades: 50-1000 conc. users; Secure Meeting; Instant Virtual System; SSL Acceleration; Cluster Pairs; EES; NSM
SA6500
- Designed for: Large enterprises & SPs; secure remote, intranet and extranet access
- Includes: Core Clientless Access; SSL acceleration; hot swap drives, fans
- Options/upgrades: Up to 30K conc. users; Secure Meeting; Instant Virtual System; 4-port SFP card; 2nd power supply or DC power supply; Multi-Unit Clusters; EES; NSM
All models are Common Criteria EAL3+ certified: http://www.dsd.gov.au/infosec/evaluation_services/epl/network_security/juniper_networks_SAF.html
CLUSTERING/HIGH AVAILABILITY
Native Clustering
- SA2500, SA4500: Cluster Pairs
- SA6500: Multi-unit clusters
Stateful system peering
- System state and configuration settings
- User profile and personalized configuration
- User session synch (users don’t have to login again in a failover scenario)
- Active/Passive configuration for seamless failover
- Active/Active configuration for increased throughput and failover
Enterprise and Service Provider Value
- Ensured reliability of critical access infrastructure
- Seamless failover, no loss of productivity
- Expansive user scalability via replication
- Management efficiency via central administration interface
User Record Synchronization
- Synchronization of user records such as user bookmarks across distributed non-clustered SA Series appliances
- Ease of experience for users who often travel from one region to another