Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidential. www.juniper.net
Securing Access & PCI Compliance for Your Network. Juniper Networks.

Presentation transcript:

Slide 1: Securing Access & PCI Compliance for Your Network
Juniper Networks Unified Access Control (UAC) & the Payment Card Industry (PCI) Data Security Standard (DSS)

Slide 2: Payment Card Industry (PCI) Data Security Standards (DSS)
The PCI DSS is a group of principles and associated requirements, around which the specific elements of the DSS are organized:
• Build and Maintain a Secure Network
  - Requirement 1: Install and maintain a firewall configuration to protect data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  - Requirement 3: Protect stored data
  - Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
• Maintain a Vulnerability Management Program
  - Requirement 5: Use and regularly update AV software
  - Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  - Requirement 7: Restrict access to data by business need-to-know
  - Requirement 8: Assign a unique ID to each person with computer access
  - Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data
  - Requirement 11: Regularly test security systems and processes
• Maintain a policy that addresses information security
  - Requirement 12: Maintain a policy that addresses information security

Slide 3: PCI DSS Requirement 1: Install and maintain a firewall configuration to protect data
• UAC addresses this through its Layer 3 access control capabilities where enforcement is delivered via any Juniper firewall/VPN platform
  - Includes ISG with IDP and SSG
  - Can be dynamically leveraged as part of UAC to not only enforce access control policies but also to apply security policies such as deep packet inspection, antivirus and URL filtering on a per user/session basis
• Juniper firewall platforms supporting Requirement 1 include:
  - NetScreen series firewalls, Secure Services Gateway (SSG) platforms, and Integrated Services Gateway (ISG) platforms
  - ScreenOS supports many advanced security features beyond those required by the PCI standards
• Requirement 1 supplemented by the ability of:
  - IDP to monitor traffic and control threats (1.1.5 & 1.1.6)
  - NSM to review firewall rule sets and provide proper configurations (1.1.8 & 1.2)
  - Secure Access SSL VPN to support secure system administration (1.2.2)

Slide 4: PCI DSS Requirement 1: Install and maintain a firewall configuration to protect data
• UAC provides granular controls and descriptions based on groups and roles (1.1.4)
• In concert with Steel-Belted Radius (SBR), UAC assures adherence to documented list of services, ports (1.1.5)
• UAC ensures that traffic from untrusted hosts can be denied access at Layer 2; or Layer 3 using Juniper firewalls (1.2)
• At Layer 3 with Juniper firewalls, and supplemented by IDP and ISG IDP, UAC restricts connections/traffic between publicly accessible servers and system components storing cardholder data (1.3)
  - Configure dynamic packet filtering
  - Control wireless network traffic (via perimeter firewalls)
  - Ensure personal firewalls are engaged on endpoint devices
• Prohibits direct access between external networks and components storing cardholder data (1.4)
• Juniper firewalls implement IP masquerading, preventing internal addresses from being translated/revealed (1.5)

Slide 5: PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Juniper’s security and access products support changing vendor defaults prior to installation through configuration (2.1)
• UAC Agent addresses use of WPA technology for encryption and authentication in wireless environments (2.1.1)
• UAC ensures configuration standards address known and new security vulnerabilities (2.2)
• UAC – with Juniper firewalls/IDP – disables unnecessary and insecure services and protocols, and removes unneeded functionality (2.2.2, 2.2.4)
• UAC ensures system parameters and policies are configured to effectively prevent misuse (2.2.3)
  - Juniper IDP can also prevent/identify misuse where parameters are incorrectly configured

Slide 6: PCI DSS Requirement 3: Protect Stored Data
• Juniper products provide enforcement and auditing (3.1, 3.2)
• UAC can require a specific set of criteria before full credit card numbers are displayed, on a need to know basis (3.3)
• UAC Agent used in conjunction with a tunneled EAP type and WPA2 with AES encryption ensures unreadable stored cardholder data (3.4)
• UAC ensures encryption keys are:
  - Protected against disclosure or misuse
  - Restricts key access
  - Secures key storage (3.5)
• UAC can implement key management processes and procedures (3.6)
  - Key generation
  - Secure key distribution and storage
  - Changes and destruction of older keys
• IDP can check for and log violations to Requirement 3 where credit card numbers are transmitted in clear text

Slide 7: PCI DSS Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
• UAC provides strong cryptography (4.1)
  - Supports 802.1X/EAP providing robust encryption to protect cardholder data during public network transmissions
• UAC Agent and/or Odyssey Access Client (OAC) supply encryption of wireless network transmissions of cardholder information (4.1.1)
  - Furnishes required WPA/WPA2 technology
• Juniper products can identify unencrypted transmissions of cardholder data across protocols (4.2)
  - UAC, through Juniper firewalls, can re-direct questionable traffic based on policy

Slide 8: PCI DSS Requirement 5: Use and regularly update AV software or programs
• Juniper’s firewall integrated AV provides compliance with automated AV updates (5.1)
• UAC checks devices for current running AV versions and running configuration requirements (5.2)
  - Network access can be denied and instructions provided to manually update or automatically remediate AV, if needed; or modify device configurations
• Juniper provides daily signature updates for the PCI required IDP solution

Slide 9: PCI DSS Requirement 6: Develop and maintain secure systems and applications
• UAC:
  - In concert with partners, ensures system components/software running updated patches or can be disallowed network access (6.1)
  - Protects against newly discovered vulnerabilities (6.2)
    - Additionally, Juniper’s security portal may be incorporated into the process and provide timely security notices
  - Can detect unauthorized custom applications and blocks devices with these applications in real-time
  - Can assist in testing security patches and system/software configuration changes prior to deployment (6.3.1)
  - At Layer 3 with Juniper firewalls deployed, can separate development and test environments (6.3.2)
  - Can ensure and enforce compliance with change control procedures for system/software configuration modifications (6.4)
  - Through integration with Juniper firewalls with IDP and Juniper IDP, helps identify and stop malicious use of user IDs (6.5.2)
  - Can quarantine a user even after network access based on device state changes (6.5.3)
• Additional processes can be supported in conjunction with the enhanced capabilities of Juniper’s security solutions (6.5.4, 6.5.5)
  - Juniper firewalls enforce policy from the network layer to the application layer with deep packet inspection
  - NSM can be used to help assure proper work flow for change control on Juniper devices
  - IDP provides 100% buffer overflow protection
  - IDP (and DX) identify and protect against Cross-site Scripting (XSS) attacks

Slide 10: PCI DSS Requirement 7: Restrict access to data by business need-to-know
• UAC provides granular and dynamic access control (7.1, 7.2)
  - Policy considers user/device authentication and authorization, AV updates, running configurations and flexible policy
  - Can be configured to support the established policy for access to data
  - When configured at Layer 3 with Juniper firewalls, can restrict access to resources and cardholder data to only individuals whose job (role) requires access
  - Can provide information on access to restricted systems, data stores
  - Also, Juniper IDP can monitor and provide an information trail on access to “restricted data”

Slide 11: PCI DSS Requirement 8: Assign a unique ID to each person with computer access
• Requirement addressed with UAC and Steel-Belted Radius® (SBR), the de facto standard AAA/RADIUS servers and appliances
  - UAC integrates key components of SBR into Juniper Infranet Controller, its hardened, centralized policy manager
• UAC Agent and OAC support:
  - Passwords, token devices, and biometric devices (8.2)
  - 2-factor authentication (8.3)
  - Password encryption and management (8.4, 8.5)
• SBR and/or Infranet Controller deliver proper user authentication and credentials management (8.5)
• SBR can provide detailed information on user/device authentication and authorization through accounting and reporting capabilities; and on administrative access and modifications

Slide 12: PCI DSS Requirement 9: Restrict physical access to cardholder data
• This requirement is non-network oriented
• Can be supported with physical “lock and key” building infrastructure
• Best monitored with recorded cameras in all locations
• Biometrics used for highly sensitive data center environments

Slide 13: PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
• Juniper SBR provides strong audit logs and accounting data on user sessions and authorizations
  - Network level tracking and audit logging also provided with Juniper firewalls
  - Juniper IDP can also provide detailed application use and can provide coordinated threat prevention
• Through UAC’s standards-based architecture, Juniper works with SIEM partners to provide log aggregation and event correlation
  - SIEM products pull data from many different information systems, including UAC
  - Policies created in this process can be pushed by UAC, making it easy to act on the new policies in the network

Slide 14: PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
• Supports almost any SIEM (Security Information & Event Management) vendor
  - SIEM/SIM/SEM vendors generally collect data via one or a combination of the following mechanisms: SYSLOG, SNMP, Proprietary Agent
  - Juniper UAC – as all of Juniper products – has been built on standards with interoperation in mind and can therefore support virtually any SIEM/SIM/SEM product
• UAC’s SIEM partners include:

Slide 15: PCI DSS Requirement 11: Regularly test security systems and processes
• UAC leverages Juniper’s IDP enabled firewalls, ISG, and Juniper IDP, leveraging Layer 7 policies, such as IDP policies or URL filtering, providing additional levels of dynamic threat management; and Host Checker is able to deliver some protection as well (11.4)
• To support regular network tests, Juniper has also partnered with leading network vulnerability testing partners

Slide 16: PCI DSS Requirement 12: Maintain a policy that addresses information security
• Juniper UAC supports flexible policy creation and maintenance to deliver robust support for PCI compliance enforcement
• Juniper UAC provides information to allow well informed decisions to be made and deliver improvements in overall security and PCI compliance enforcement

Slide 17: Why Juniper for PCI Compliance
• Depth of security capabilities for compliance
  - Juniper is unmatched in the industry by our innovation and leadership in developing security solutions
• Breadth of security solutions for compliance
  - No other equipment provider can match the wide array of Juniper solutions to enforce a PCI compliance policy
• Our credibility as an industry leader and established company
  - Juniper is well established as a $2 billion public company and recognized leader of “best in class” solutions

Slide 18: Why Juniper UAC for PCI Compliance
• Comprehensive network access control and policy management/enforcement
  - Combines user identity, device security state and location information to create session-specific access policy by user
  - Provides granular access controls and descriptions based on groups and roles
  - At Layer 2, provides powerful, standards-based 802.1X wired or wireless network security with strong network credential and transmitted data protection, and strong protocol support (tunneled EAP) and government-level encryption (AES with WPA2)
  - At Layer 3, with Juniper firewalls, integrated firewall/IDP, and SSG, delivers unparalleled protection for sensitive stored information, like cardholder data
• A solution you can trust, from the company you trust
  - Integrates field-tested Juniper products – like Secure Access SSL VPN, OAC, SBR – to deliver “best of” access control products and capabilities
  - Products used today in thousands of deployments worldwide to authenticate tens of thousands of users, secure tens of thousands of networks, and ensure the safety of millions of gigabytes of transmitted or stored data
  - Standards-based for vendor-agnostic use in heterogeneous networks
  - Leverages the network already in place, including existing AAA/RADIUS infrastructure, any 802.1X-enabled switches or access points and/or any Juniper firewalls

Slide 19: Juniper PCI Compliance Solution Summary
• Juniper’s innovative UAC solution – standalone or in conjunction with Juniper’s firewalls and AAA/802.1X products – provides necessary elements of PCI compliance
• Differentiated by our ability to support a highly integrated PCI compliance solution
  - Juniper’s ability to combine UAC with firewalls, wireless security, AAA/RADIUS, and other Juniper security and access products sets it apart from any PCI compliance security solution provider
• Juniper works with “best-in-class” partners to enable the most robust compliance solutions available

Slide 20: Payment Card Industry (PCI) Data Security Standards (DSS)
The PCI DSS is a group of principles and associated requirements, around which the specific elements of the DSS are organized:
• Build and Maintain a Secure Network
  - Requirement 1: Install and maintain a firewall configuration to protect data (Addressed by Juniper UAC)
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (Addressed by Juniper UAC)
• Protect Cardholder Data
  - Requirement 3: Protect stored data (Addressed by Juniper UAC)
  - Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks (Addressed by Juniper UAC)
• Maintain a Vulnerability Management Program
  - Requirement 5: Use and regularly update AV software (Addressed by Juniper UAC)
  - Requirement 6: Develop and maintain secure systems and applications (Addressed by Juniper UAC)
• Implement Strong Access Control Measures
  - Requirement 7: Restrict access to data by business need-to-know (Addressed by Juniper UAC)
  - Requirement 8: Assign a unique ID to each person with computer access (Addressed by Juniper UAC)
  - Requirement 9: Restrict physical access to cardholder data (N/A – Not Applicable)
• Regularly Monitor and Test Networks
  - Requirement 10: Track and monitor all access to network resources and cardholder data (Addressed by Juniper UAC)
  - Requirement 11: Regularly test security systems and processes (Addressed by Juniper UAC)
• Maintain a policy that addresses information security
  - Requirement 12: Maintain a policy that addresses information security (Addressed by Juniper UAC)

Slide 21: PCI Audit Compliance
• Juniper strongly recommends adherence to the Payment Card Industry (PCI) Data Security Standard (DSS) Security Audit Procedures provided by and available from PCI to ensure proper compliance

Slide 22: Juniper Networks Unified Access Control (UAC)
UAC! PCI!

Slide 23: Access Control Issues
Access Increases:
  - Mobile devices transiting the LAN perimeter
  - Widely diverse users
  - Unmanaged or ill-managed endpoints
  - Mission critical network assets
Secure & Resilient Network Experience Decreases:
  - Explosive growth of vulnerabilities
  - Patch-to-outbreak time getting shorter
  - New breed of threats can come in with “permitted” users and traffic
Diagram labels: INCREASED THREAT VOLUME; FASTER OUTBREAKS; MORE TARGETS; CARELESS USERS; MALICIOUS ATTACKERS

Slide 24: Mobile Employees, Guests, Contractors… = Access Control Issues!
Diagram labels: Guest; Contractor; Employee on the road; Employee at home; Network; Internet

Slide 25: Trends in Access Control
• More mobile workforce
• More employees working from home
• Greater use of contractors
• Increased number of vendors and guests
• Partners
ALL requiring access to your LAN and your critical, sensitive network resources and applications over a variety of devices and platforms!

Slide 26: Network Access Control
Network access control (NAC) solution
• Provides appropriate network delivery based on identity and policy compliance
  - Handles access by employees, contractors, guests
• Validates identity, endpoint health, and location
• Flexibility to handle priorities while evolving to meet new needs
• Non-disruptive
• Leverages existing infrastructure investment
Network access control must be a key component of any/every network today!

Slide 27: Why Network Access Control Is SO Important
• Dynamic Network Boundaries – Location Complication
  - Mobile workforce
  - Wireless networks
  - Contractors
  - Partners
  - Diversity of endpoints
• Sophisticated Attacks
  - Zero-Day exploits
  - Rapid infection speed
  - Targeted attacks (crimeware)
  - Rootkits, botnets, zombies and back doors
• Harder to control/more demanding applications
  - IM/VoIP/VoD
  - Unenforceable policy
• The Grey Network
  - The network you don’t know you have!
• The Usual Suspects
  - Bad people
    - More $$$$ for attackers
    - Extortion, identity theft, bank fraud, espionage,…
    - Endpoints being targeted, used as “Trojan horses”
  - Careless people
    - Accidental agents of catastrophe

Slide 28: Juniper Networks Unified Access Control
• A comprehensive network access control solution that:
  - Combines user identity, device security state and location information for session-specific access policy by user
  - Is standards-based, vendor-agnostic, and leverages existing network investments
  - Is based on field-tested components being used today in thousands of deployments worldwide
• Addresses access control issues
  - Allows for incremental investment
  - Works with existing heterogeneous network infrastructures
  - Works for all key access control use cases – guests, contractors and employees (local, remote, and/or mobile)

Slide 29: Juniper Networks Unified Access Control
• Every component built on field-tested, widely deployed devices, including features from:
  - Juniper’s Secure Access SSL VPN with its legacy of dynamic endpoint assessment and seamless interaction with the AAA backbone
  - Juniper Networks Odyssey Access Client (OAC), the market-leading 802.1X supplicant
  - Juniper Networks Steel-Belted Radius (SBR), the de facto standard in RADIUS servers

Slide 30: Juniper Networks UAC v2.0
Diagram labels: UAC Agent; AAA; AAA Servers; Identity Stores; Firewall Enforcers; Central Policy Manager; Endpoint profiling, user auth, endpoint policy; Dynamic Role Provisioning; User access to protected resources; Protected Resource; User admission to network resources; with SBR; with OAC; 802.1X
• Controls access for guests, contractors, employees
• Enforces policy at:
  - Layer 2 – Uses 802.1X infrastructure (switches, APs)
  - Layers 3 – 7 – Overlay using Juniper firewalls
  - Both Layer 2, Layers 3 – 7 – For maximum granularity
• Vendor-agnostic
  - Interoperates with any 802.1X infrastructure, wired or wireless
• Standards-based
  - 802.1X and Trusted Network Connect open standards

Slide 31: Flexible, Standards-based Access Control
Diagram labels: Data Center; Campus HQ; Wired/Wireless; Branch Office; Internet; Applications
Diagram callouts:
  - Mitigate threats with user and endpoint validation prior to wireless access
  - Gain visibility & control for user/device access to network, resources & applications
  - Centralized validation
  - Distributed enforcement
  - Standards based enforcement in heterogeneous switching/access point networks
  - Flexible solution to support access control in distributed networks
  - Control access to internet, campus & data center resources

Slide 32: Summary – Juniper Networks UAC Solution
• Does what you need/want it to do
  - Pre- AND post authentication security checks
  - Enforces policies at Layer 2, Layers 3 – 7, and/or both
  - Network admission AND network access control
  - Easy, self-service remediation
• Supports top use cases – guests, contractors and employees
  - Cross platform
  - Managed, unmanaged and unmanageable devices
• Ideal for phased deployments
  - Layer 3 – Layer 7 overlay satisfies immediate needs
  - Roll 802.1X-based infrastructure (from any vendor) when you choose
  - Both solutions in one appliance!
• Standards-based – 802.1X & TNC
• Solid investment protection
  - All components field tested, industry proven

Slide 33: Thank You