Secure remote connection, secure remote work
Tibor Kiss
ICTS Hungary
www.ictshungary.hu
2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
AGENDA
1. SSL VPN Market Overview
2. SSL VPN Use Cases
3. Access Control and AAA
4. End-to-End Security
5. Junos Pulse
6. Secure Meeting
7. Business Continuity with SSL VPN
BUSINESS CHALLENGE: GRANT ACCESS VS. ENFORCE SECURITY
Maximize Productivity with Access...
• Allow partner access to applications (Extranet portal)
• Increase employee productivity by providing anytime, anywhere access (Intranet, E-mail, terminal services)
• Customize experience and access for diverse user groups (partners, suppliers, employees)
• Enable provisional workers (contractors, outsourcing)
• Support myriad of devices (smartphones, laptops, kiosks)
…While Enforcing Strict Security
• Allow access only to necessary applications and resources for certain users
• Mitigate risks from unmanaged endpoints
• Enforce consistent security policy
…And the Solution Must Achieve Positive ROI
• Minimize initial CAPEX costs
• Lower ongoing administrative and support OPEX costs
THE SOLUTION: JUNIPER NETWORKS SSL VPN
[Diagram: VoIP teleworker, business partner or customer, wireless user, airport kiosk user and mobile user (cafe) all connecting through an SA6500]
• Secure SSL access to remote users from any device or location
• Easy access from Web-browsers – no client software to manage
• Dynamic, granular access control to manage users and resources
• Single comprehensive solution to access various application types from various devices available
ANALYST PRAISE & RECOGNITION
2008 Gartner Magic Quadrant for SSL VPN
Source: Gartner (December 2010)
2010 Magic Quadrant Key Takeaways:
“Juniper has maintained the product vision, execution and overall momentum so effectively that it has held a Magic Quadrant leadership position continuously …”
“…entrenched in the Fortune 500 with a track record for large deployments.”
“Juniper is the No. 1 competitive threat cited by peer vendors…”
“Junos Pulse…is expected to pose a strong competitive advantage for Juniper SSL VPN sales.”
http://www.gartner.com/technology/media-products/reprints/juniper/vol6/article7/article7.html
#1 - REMOTE ACCESS AT LOWER OPERATING COSTS
[Diagram: employees with corporate laptops, home PCs and mobile devices reach the corporate intranet, applications server and email server over the Internet through router, firewall and SA6500]
Increased Productivity
• Anytime, anywhere access from any device
• No endpoint software to install or manage
• Easy access facilitated from common browsers
Increased Security
• Encrypted secure access to corporate resources
• Granular access control
• Comprehensive endpoint security enforcement
#2 - EXTRANET PORTALS WITH GREATER SECURITY
[Diagram: partners, suppliers and customers reach client/server applications and Web applications on the corporate intranet over the Internet through router, firewall and SA6500]
Administrative ease of use
• Easier management of authorized users
• No client software enforced on external users
• Access enabled from any Web-enabled device
Enforcement of corporate security policies
• Granular access to select applications or resources
• Endpoint security enforced before granting access
• No administrative hassle of managing users’ devices
#3 – BUSINESS CONTINUITY IN CASE OF EMERGENCIES
[Diagram: employees, partners and customers reach the email server, Web applications and applications server on the corporate intranet over the Internet through router, firewall and SA6500]
Unplanned Events That Could Impact Business Continuity: Hurricane, Snowstorm, Strike, Virus Outbreak, Terrorist Attack
Continued Business Operations
• High remote access demand during emergency
• Simple scalability to increased demand
• Sustain access for partners and customers
Increased Productivity
• Enable users to work from home or any location
• Assure employees’ safety
• Minimize downtime
#4 – MOBILE DEVICE ACCESS
[Diagram: an iPhone reaches the applications server and email server on the corporate intranet over the Internet through router, firewall and SA6500]
Improved Ease of Use, Higher Productivity
• Access from any mobile device
• ActiveSync facilitates secure access to Exchange
• Enforce mobile device integrity and security
DYNAMIC ACCESS METHODS BY PURPOSE
Different access methods to control users’ access to resources; dynamic access control based on user, device, network, etc.
Junos Pulse or Network Connect – Layer 3 access to corporate network
• Layer 3 connectivity to corporate network; IKEv2 support for mobile devices with Junos Pulse only
• Supports all applications including resource intensive applications like VoIP & streaming media
• Recommended for remote and mobile employees only as full network access is granted
Secure Application Manager – Granular client/server application access control
• Access to client/server applications such as Windows & Java applications
• One click access to applications such as Citrix, Microsoft Outlook, and Lotus Notes
• Ideal for remote & mobile employees and partners if they have client applications on their PCs
Core Access – Granular web application access control
• Access to Web-based applications, File shares, Telnet/SSH hosted apps, and Outlook Web Access
• Granular access control all the way up to the URL or file level
• Ideal for remote & mobile employees and partners accessing from unmanaged, untrusted networks
CLIENTLESS ACCESS METHOD: CORE ACCESS
Broad set of supported platforms and browsers
Secure, Easy Web Application Access
• Pre-defined resource policies for Sharepoint, Lotus Webmail, etc.
• Support for Flash, Java applets, HTML, Javascript, DHTML, XML, etc.
• Support for hosting & delivering any Java applet
Secure File Share Access
• Web front-end for Windows and Unix files (CIFS/NFS)
Integrated E-mail Client
Secure Terminal Access
• Access to Telnet/SSH (VT100, VT320…)
• Anywhere access with no terminal emulation client
SECURE APPLICATION MANAGER
Full cross platform support for both Windows & Java versions
Granular access control policies for client/server applications
• Access applications without provisioning full Layer 3 tunnel
• Eliminates costs, complexity, and security risks of IPSec VPNs
• No incremental software/hardware or customization to existing apps
WSAM – secure traffic to specific client/server applications
• Supports Windows Mobile/PPC, in addition to all Windows platforms
• Granular access and auditing/logging capabilities
• Installer Service available for constrained user privilege machines
JSAM – supports static TCP port client/server applications
• Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
• Drive mapping through NetBIOS support
• Install without advanced user privileges
LAYER 3 ACCESS METHOD: JUNOS PULSE OR NETWORK CONNECT
Full Layer 3 Access to corporate network
Dynamic, Dual Transport Mode
• Dynamically tries SSL in case IPSec is blocked in the network
Cross Platform Dynamic Download (Active-X or Java delivery)
Launching options include – browser-based, standalone EXE, scriptable launcher and Microsoft Gina
Client-side Logging, Auditing and Diagnostics available
[Diagram: client connects to the SA Series over a High Performance Transport Mode or a High Availability Transport Mode]
ACCESS METHODS: TERMINAL SERVICES
Seamlessly and securely access any Citrix or Windows Terminal Services deployment
• Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, Hosted Java Applet
• Replacement for Web Interface/Nfuse
Native TS Support
• Granular use control
• Secure client delivery
• Integrated single sign-on
• Java RDP/JICA fallback
• WTS: Session Directory
• Citrix: auto-client reconnect / session reliability
• High-quality Java RDP applet support available
• Many additional reliability, usability, access control options
ACCESS METHODS: VIRTUAL DESKTOP INFRASTRUCTURE (VDI)
[Diagram: remote/mobile user reaches apps servers, a finance server, VMware VDI and Citrix XenDesktop through the SA Series with AAA]
Juniper’s SSL VPN interoperates with VMware View Manager and Citrix XenDesktop to enable administrators to consolidate and deploy virtual desktops
Allows IT administrators to configure centralized remote access policies for users who access their virtual desktops
Dynamic delivery of Citrix ICA client or VMware View client to users, including dynamic client fallback options for easy connection to their virtual desktops
Benefits:
• Seamless access (single sign-on) for remote users to their virtual desktops hosted on VMware or Citrix servers
• Saves users time and improves their experience accessing their virtual desktops
ACCESS PRIVILEGE MANAGEMENT: 1 USER / 1 URL / 3 DEVICES & LOCATIONS
Pipeline: Pre-Authentication (gathers information from user, network, endpoint) → Authentication & Authorization (authenticate user, map user to role) → Role Assignment (assign session properties for user role) → Resource Policy (applications available to user)
Managed Laptop
• Pre-Authentication: Host Check: Pass; AV RTP On; Definitions up to date; Machine Cert: Present; Device Type: Win XP
• Authentication: Digital Certificate; Role Mapping: Managed
• Role Assignment: Access Method: Network Connect; File Access: Enabled; Timeout: 2 hours; Host Check: Recurring
• Resource Policy: Outlook (full version); CRM Client/Server; Intranet; Corp File Servers; Sharepoint
Unmanaged (Home PC/Kiosk)
• Pre-Authentication: Host Check: Fail; No AV Installed; No Personal FW; Machine Cert: None; Device Type: Mac OS
• Authentication: AD Username/Password; Role Mapping: Unmanaged
• Role Assignment: Access Method: Core; SVW Enabled; File Access: Disabled; Timeout: 30 mins; Host Check: Recurring
• Resource Policy: Outlook Web Access (no file up/download); CRM Web (read-only); Intranet
Mobile Device
• Pre-Authentication: Host Check: N/A; Machine Cert: None; Device Type: Win Mobile 6.0
• Authentication: Digital Certificate; Role Mapping: Mobile
• Role Assignment: Access Method: WSAM, Core; File Access: Enabled; Timeout: 30 mins
• Resource Policy: Outlook Mobile; CRM Web; Intranet; Corp File Servers
ONE DEVICE FOR MULTIPLE GROUPS: CUSTOMIZE POLICIES AND USER EXPERIENCE FOR DIVERSE USERS
One SA Series device serves three sign-in URLs (customers.company.com, employees.company.com, partners.company.com), each with its own role:
“Partner” Role
• Authentication: Username/Password
• Host Check: Enabled – Any AV, PFW
• Access: Core Clientless
• Applications: MRP, Quote Tool
“Customer” Role
• Authentication: Username/Password
• Host Check: Enabled – Any AV, PFW
• Access: Core Clientless
• Applications: Support Portal, Docs
“Employee” Role
• Authentication: OTP or Certificate
• Host Check: Enabled – Any AV, PFW
• Access: Core + Network Connect
• Applications: L3 Access to Apps
SEAMLESS AAA INTEGRATION
Full Integration into customer AAA infrastructure
• AD, LDAP, RADIUS, Certificate, OTP, etc.
Password Management Integration
• User self service for password management
• Reduced support costs, increased productivity
• All standard LDAP, MSFT AD
Single Sign-On Capabilities
• Seamless user experience for web applications
• Forms, Header, SAML, Cookie, Basic Auth, NTLM v1/v2, Kerberos
SAML Support – Web single sign-on, integration with I&AM platforms
• Standards-based Web SSO
• Partnerships with leading AM Vendors (CA, Oracle, RSA, etc.)
HOST CHECKER: ASSESSING THE ENDPOINT
Point-and-click policy configuration with support for hundreds of leading applications
• AV, Personal Firewall, Anti-Spyware, Anti-Malware, Windows patch checks, machine certificate checks + custom policy definition for maximum policy definition flexibility
• Scan prior to and during authenticated sessions
• Embedded update mechanism to add new applications with no software upgrade
• Devices automatically learn latest signature versions from AV vendors
• Check for AV installation, real-time protection status, definition file age
Varied remediation options to meet customer needs
• Custom/standard remediation, automatic remediation, quarantine, Secure Virtual Workspace, 3rd party policy remediation, etc.
Trusted Network Connect (TNC) architecture for seamless integration with all TNC compliant endpoint security products/vendors
• Leverage existing endpoint security application deployments
HC policies similar to Juniper’s UAC offering, for common endpoint security across local and remote access deployments
Host Checker
- Check devices before & during session
- Ensure device compliance with corporate policy
- Remediate devices when needed
- Cross platform support
Home PC User
- No Anti-Virus Installed
- Personal Firewall enabled
- User remediated → install anti-virus
- Once installed, user granted access
Airport Kiosk User
- No anti-virus installed
- No personal firewall
- User granted minimal access
Corporate PC User
- AV Real-Time Protection running
- Personal Firewall Enabled
- Virus Definitions Up To Date
- User granted full access
[Diagram: the three users connect through an SA Series appliance]
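The access-privilege pipeline (Pre-Authentication → Authentication → Role Mapping → Role Assignment → Resource Policy) and the three Host Checker outcomes above (remediate, minimal access, full access), modelled in Python. This is an added illustration, not Juniper code: the Endpoint attributes, role names, the SESSION and APPS tables and the rule that a PC with a firewall but no anti-virus is held in remediation are assumptions read from the slide examples.

```python
# Model of the slides' access-privilege pipeline: Pre-Authentication (Host
# Checker posture) -> Authentication -> Role mapping -> Session properties ->
# Resource policy. Added illustration, not Juniper code; attribute and role
# names, the SESSION/APPS tables and the remediation rule are assumptions
# read from the slide examples (managed laptop, home PC/kiosk, mobile device).
from dataclasses import dataclass

@dataclass
class Endpoint:
    device_type: str             # e.g. "Win XP", "Mac OS", "Win Mobile 6.0"
    auth_method: str             # "certificate" or "password"
    av_installed: bool = False
    av_realtime_on: bool = False
    av_defs_current: bool = False
    personal_fw_on: bool = False
    machine_cert: bool = False

# Role -> session properties (the slide's "Role Assignment" column).
SESSION = {
    "Managed":   dict(access=("Network Connect",), file_access=True, timeout_min=120, svw=False, recurring_hc=True),
    "Unmanaged": dict(access=("Core",), file_access=False, timeout_min=30, svw=True, recurring_hc=True),
    "Mobile":    dict(access=("WSAM", "Core"), file_access=True, timeout_min=30, svw=False, recurring_hc=False),
}
# Role -> applications exposed (the slide's "Resource Policy" column).
APPS = {
    "Managed":   ["Outlook (full)", "CRM client/server", "Intranet", "Corp file servers", "SharePoint"],
    "Unmanaged": ["Outlook Web Access (no file up/download)", "CRM Web (read-only)", "Intranet"],
    "Mobile":    ["Outlook Mobile", "CRM Web", "Intranet", "Corp file servers"],
}

def host_check(ep):
    """Pre-authentication posture check: PASS, FAIL, or N/A for mobile devices,
    which the slide does not host-check."""
    if ep.device_type.startswith("Win Mobile"):
        return "N/A"
    ok = ep.av_installed and ep.av_realtime_on and ep.av_defs_current and ep.personal_fw_on
    return "PASS" if ok else "FAIL"

def remediation(ep):
    """Host Checker slide: a PC with a personal firewall but no anti-virus is sent
    to remediation (install AV); one with neither gets minimal access instead."""
    if host_check(ep) == "FAIL" and ep.personal_fw_on and not ep.av_installed:
        return ["install anti-virus"]
    return []

def map_role(ep):
    """Role mapping from the gathered attributes: the most privileged role needs
    the strongest evidence (certificate auth, machine cert present, posture PASS)."""
    hc = host_check(ep)
    if hc == "N/A" and ep.auth_method == "certificate":
        return "Mobile"
    if hc == "PASS" and ep.auth_method == "certificate" and ep.machine_cert:
        return "Managed"
    return "Unmanaged"   # password auth, failed posture, or no machine cert

def authorize(ep):
    """One login attempt through the whole pipeline. While remediation is pending
    no role is assigned ('once installed, user granted access')."""
    hc, todo = host_check(ep), remediation(ep)
    if todo:
        return {"host_check": hc, "remediation": todo, "role": None, "session": None, "apps": []}
    role = map_role(ep)
    return {"host_check": hc, "remediation": [], "role": role, "session": SESSION[role], "apps": APPS[role]}

def apply_remediation(ep):
    """Simulate the user completing remediation (AV installed, running, current)
    and re-run the pipeline, as a recurring Host Check would."""
    ep.av_installed = ep.av_realtime_on = ep.av_defs_current = True
    return authorize(ep)
```

Running `authorize` on the three slide endpoints reproduces the three role rows; the home PC case first returns a pending remediation and only after `apply_remediation` receives a role.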
ENDPOINT SECURITY – SECURE VIRTUAL WORKSPACE: DESIGNED AND OPTIMIZED FOR UNSECURE KIOSKS
[Diagram: kiosk with the Real Desktop on the real file system and the SVW on a virtual file system]
• Limited/Blocked I/O Access from SVW
• Session Data Encrypted on-the-fly (AES)
• End of Session: Secure Delete OR Persistent Session (Encrypted)
• Clipboard Operations Blocked from SVW to Real Desktop
• Host Checker (Java/ActiveX) delivery
• Win 2k/XP Systems (user privileges)
• Admin-specified application access
• DoD Cleaning/Sanitizing standard compliant
• Password-protected persistent sessions
• Controlled I/O Access
• Configurable look/feel
• Shreds workspace data when session ends in kiosk
• Prevents desktop search software from intercepting or indexing secure web traffic
• Comprehensive protection of company resources when accessed from low security devices, as determined by Host Checker.
Thank you for your attention. Questions?
Tibor Kiss
ICTS Hungary
www.ictshungary.hu
JUNOS PULSE (FOR WINDOWS)
Dynamically provisioned client for:
• Connectivity
• Security
• Acceleration
Support for desktops, notebooks and netbooks
Location aware and identity-enabled
Standards-based
Platform for select third party applications
Builds on Juniper’s market leading SA Series SSL VPN, UAC solution, and WXC Series technology!
SECURE ACCESS FROM MOBILE DEVICES
Junos Pulse for mobile devices enables smartphone and mobile device access to email, Web, and corporate applications
[Diagram: Web apps and corporate apps delivered to mobile devices; more applications on more devices over time]
JUNOS PULSE MOBILE SECURITY SUITE
Comprehensive Smartphone Device Management and Security Solution
• Antivirus
• Firewall
• Anti-Spam
• Loss/Theft Protection
• Device Monitoring/Control
Sold with SSL VPN or as standalone
Requires Junos Pulse Mobile Security Gateway
• Secure, hosted deployment
RECENT UNPLANNED EVENTS - IMPACTING THE GLOBAL BUSINESS
Recent examples:
• Asia Quake Disaster (Dec 04)
• Pakistani Earthquake (Oct 05)
• MTA Strike in NYC (Dec 05)
• Snowstorms in US (Jan. 2011)
• Japan Earthquake (March 2011)
• Bird Flu Outbreaks?
Disastrous Events
• Pandemic: H1N1 Virus, Avian/Bird Flu, SARS
• Natural: Earthquakes, Hurricanes
• Other: Terror attacks, Winter storms
Social Distancing
• Geographical isolation
• Quarantines
Business Continuity Challenges
• Maintain productivity
• Sustain partnerships
• Continue to deliver exceptional service to customers and partners with online collaboration
• Meet government mandates for Disaster Recovery and compliance
JUNIPER NETWORKS ICE FOR BUSINESS CONTINUITY
Juniper Networks ICE delivers
• Proven market-leading SSL VPN
• Easy deployments
• Instant activation
• Investment protection
• Affordable risk protection
[Chart: number of remote users over time; average usage jumps to peak demand after an unplanned event]
What will you do when your non-remote users need access?
Meeting the peak in demand for remote access in the event of a disaster
INTRODUCING MAG SERIES JUNOS PULSE GATEWAYS
Next Generation Purpose-built Gateways Supporting
[Diagram: MAG6611 Junos Pulse Gateway with an SSL VPN module and a NAC module; 3rd party applications/VMs and Application Acceleration (WX) marked as future]
Junos Pulse Gateway – Single Gateway! Single Client!
• Single, designed gateway to run SSL VPN & NAC
• Integrated with Junos Pulse client
• 4 models to meet needs of companies of all sizes
• Smaller form factor
• Lower power consumption
• Common access licensing
• Investment protection
Orderable Now!
MAG SERIES MODELS FOR ALL ENTERPRISE SIZES
MAG6611—2U high chassis modular configuration supports up to four service modules. Optional management module. Typical deployment up to 40,000 SSL VPN users or 60,000 NAC users
MAG6610—1U high chassis modular configuration supports up to two service modules. Optional management module. Typical deployment up to 20,000 SSL VPN users or 30,000 NAC users
MAG4610—Single application engine, fixed HW config. 1U, ½-width (may be deployed side-by-side in 1U rack space). Typical deployment up to 1000 SSL VPN users or 5000 NAC users
MAG2600—Single application engine, fixed HW config. 1U high, 30W power consumption. Typical deployment up to 100 SSL VPN users or 200 guest access users
More details on MAG Series can be found here:
• Intranet: http://www-int.jnpr.net/sltbg/marketing/products/mag_series/
• Partner Center: https://www.juniper.net/partners/partner_center/common/products/sales_kits/kit_mag.jsp
• Juniper.net: http://www.juniper.net/us/en/products-services/security/mag-series/
JUNIPER SSL VPN LEGACY PRODUCT FAMILY
[Chart: breadth of functionality vs. enterprise size, SA2500 → SA4500 → SA6500]
SA2500
• Designed for: Medium enterprise; secure remote, intranet and extranet access
• Includes: Core Clientless Access
• Options/upgrades: 10-100 conc. users; Secure Meeting; Cluster Pairs; EES; NSM
SA4500
• Designed for: Medium to large enterprise; secure remote, intranet and extranet access
• Includes: Core Clientless Access
• Options/upgrades: 50-1000 conc. users; Secure Meeting; SSL Acceleration; Cluster Pairs; EES; NSM
SA6500
• Designed for: Large enterprises & SPs; secure remote, intranet and extranet access
• Includes: Core Clientless Access; SSL acceleration; hot swap drives, fans
• Options/upgrades: Up to 30K conc. users; Secure Meeting; 4-port SFP card; 2nd power supply or DC power supply; Multi-Unit Clusters; EES; NSM
Common Criteria EAL3+ certified: http://www.dsd.gov.au/infosec/evaluation_services/epl/network_security/juniper_networks_SAF.html
SSL VPN VIRTUAL APPLIANCES OVERVIEW
Designed for large-scale service provider deployments that want to offer managed SSL VPN services
Runs on various hardware platforms & configurations (typically blade servers) using VMware
Uses subscription licensing to assign licenses to virtual appliances to fulfill SP’s needs
• Licenses installed on a license server and then licenses assigned at various levels to virtual appliances
• License amounts easily adjusted as needs change
Includes similar feature set of hardware-based SA Series models such as…
• Junos Pulse
• Host Checker
• Cross-platform support (Windows, Mac, Linux, various mobile phones including iPhone, Windows Mobile, Android, Symbian)
[Diagram: virtual appliances running on blade servers in the SP data center]
JUNIPER SSL VPN FIPS PRODUCT LINE
[Chart: breadth of functionality vs. agency size, SA4500 FIPS → SA6500 FIPS]
SA4500 FIPS
• Designed for: Medium to large government agencies; financial & healthcare verticals; secure remote, intranet and extranet access
• Includes: FIPS 140-2 Level 3 Certified HSM; tamper evident labels; Core Clientless Access
• Options/Upgrades: Supports 50-1000 concurrent users; Secure Meeting; Cluster Pairs; EES; NSM
SA6500 FIPS
• Designed for: Large government agencies; secure remote, intranet and extranet access
• Includes: FIPS 140-2 Level 3 Certified HSM; tamper evident labels; Core Clientless Access; SSL acceleration; hot swap drives, fans
• Options/Upgrades: Up to 3.5K concurrent users on one unit, up to 10K in four-unit cluster; Secure Meeting; 4-port SFP card; 2nd power supply or DC power supply; Multi-Unit Clusters or Cluster Pairs; EES; NSM
Common Criteria EAL3+ certified: http://www.dsd.gov.au/infosec/evaluation_services/epl/network_security/juniper_networks_SAF.html
LICENSE OPTIONS
Common Access License
• Same user license SKU can either be used for SSL VPN or NAC user sessions
• Saves customers the trouble & money from ordering different licenses for SSL VPN & NAC
Secure Meeting License
ICE (In Case of Emergency) License
• Includes the following features: Baseline, Secure Meeting
Enhanced Endpoint Security (EES) License
Java RDP Applet License
SYSTEM MANAGEMENT
Granular Role-based administration
• Leverages leading AAA framework used for user sessions
• Assign tasks to appropriate groups (helpdesk, security, operations, etc.)
Config Import/Export
• Make offline config changes and import
• Configuration backup/archiving
Push Configuration
• Push full or partial configurations to other devices
Granular logging and log filtering
• Analysis, compliance, and auditing requirements
Advanced troubleshooting tools for quick issue resolution
• Policy trace, session recording, system snapshot, etc.
NSM (Network & Security Manager)
• Centralized management software to configure, update, and monitor SA Series appliances within a single device/cluster or across a global cluster deployment
DMI (Device Management Interface)
• Standard Juniper interface to configure Juniper products including SA Series
CLUSTERING/HIGH AVAILABILITY
Native Clustering
• SA2500, SA4500 → Cluster Pairs
• SA6500 → Multi-unit clusters
Stateful system peering
• System state and configuration settings
• User profile and personalized configuration
• User session synch (users don’t have to login again in failover scenario)
Active/Passive configuration for seamless failover
Active/Active configuration for increased throughput and failover
Enterprise and Service Provider Value
• Ensured reliability of critical access infrastructure
• Seamless failover, no loss of productivity
• Expansive user scalability via replication
• Management efficiency via central administration interface
User Record Synchronization
• Synchronization of user records such as user bookmarks across distributed non-clustered appliances
• Ease of experience for users who often travel from one region to another
JUNIPER SSL VPN vs. COMPETITION
• Flexible to meet ANY enterprise remote access need with unparalleled depth
• Junos Pulse unified endpoint client for VPN, NAC, and WAN Optimization
• Battle tested – more enterprise deployments than any other SSL VPN solution
• Available in both physical and virtual appliance form factors
• Standards-based
• Highly Scalable Solution/3rd Party Validation via Ixia
• Deepest device and application support
• Industry’s only coordinated NAC/Remote Access solution
THE GOVERNMENT ARENA
Key Concerns
• Terrorist Attacks: Physical, Cyberspace
• Pandemics: H1N1 virus
• National Security
• Privacy of data
• Cost containment
• Operational Efficiency
Key Initiatives
• Continuity of Operations
• Telework Mandate
• Clinger-Cohen Act
• Paperwork Elimination Act
• National Strategy to Secure CyberSpace
• HIPAA