Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential. www.juniper.net
1 Unified Access Control Solution. Javier López –

Presentation transcript:

Slide 1: Unified Access Control Solution. Javier López –

Slide 2: Agenda
- SSL VPNs Review
- Unified Access Control Solution
- Unified Access Control Scenarios
- Live Demo

Slide 3: SSL VPNs vs. IPSec (diagram). Copyright © 2004 Juniper Networks, Inc.
User groups shown: Business Partners, Mobile Workers, Branch Offices, Home workers, Customers, all reaching the Data Center (Department Servers, DMZ, Finance, HR, Sales) over the Internet.
Access types shown: Extranet access via SSL VPN; Site-to-Site via IPSEC VPN; Intranet access via SSL VPN; Employee remote access via SSL VPN.

Slide 4: Typical Custom Extranet Deployment (diagram). Labels: Web server, DMZ, MRP/ERP, API, Internal Corporate LAN, Policy Server, SW Agent.
Extensive deployment requirements:
- Duplication and migration of servers into the DMZ
- Hardened OS/server farms and ongoing patch maintenance
- Maintenance of public-facing infrastructure
- AAA limited to only those integrated resources
- Custom API development for non-Web content
Unified access enforcement:
- Dynamic authentication policies
- Expressive role definition and mapping rules
- Dynamic resource-based authorization
- Granular auditing and logging
- Web Single Sign-On (SSO)
- Password management integration
- Multiple hostnames and customizable UI
- Endpoint policy enforcement

Slide 5: The Secure Access Platform in the Network (diagram). Legend: encrypted external session; standard internal session. Labels: MRP/ERP, Intranet / Web Server, Unix/NFS, Corporate LAN, Directory Store, Server Farms, Partner A, Partner B, Extranet Partners, Sales & Service, Telecommuters, Mobile Employees.

Slide 6: Three Access Methods for Granular Secure Access
Core (clientless access):
- Web content / links
- Web-based applications (XML, Flash, JAVA)
- Files (webified)
- Telnet / SSH terminal emulation
Secure Application Manager (JSAM and WSAM):
- TCP-based client/server application access
- JSAM: JAVA applet, cross platform
- WSAM: Active-X control
- Transparently redirects application requests, per application (client process) or per host (hostname / IP:port range)
- MD5 checksum for application validation
- Platforms: Windows 2K/XP/98, Pocket PC (Win CE)
Network Connect (NC):
- Network-layer tunnel, virtual adapter
- Static, DHCP and RADIUS-based IP address assignment
- TCP- and UDP-based client/server application access
- Server-initiated applications such as VoIP, X-Windows, NetMeeting

Slide 7: Step 3a: Control Access – 1 URL. The same person accesses from 3 different locations (from the field, from the LAN, from a kiosk).
Policy flow:
- Pre Authentication: gathers information from user, network and endpoint
- Dynamic Authentication: authenticate user, map user to role
- Roles Assignment: assign session properties for the user role
- Resource Policy: grant access to resources as specified by policy
Case 1: Digital Cert = NO; Source IP = outside; Host Check = failure; Authentication = Strong. Mapped to Field role: SAM = No, File = No, Web Download = Yes, Web Upload = No, Timeout = ½ hour, Host Check = Recurring. Resources = CRM Web (read only), Outlook Web Access.
Case 2: Digital Cert = YES; Source IP = outside; Host Check = success; Authentication = Strong. Mapped to Sales role: SAM = Yes, File = Yes, Web Download = Yes, Web Upload = Yes, Timeout = 2 hours, Host Check = Recurring. Resources = CRM Client/Server, Exchange.
Case 3: Digital Cert = YES; Source IP = LAN; Host Check = success; Authentication = PW. Mapped to Office role: Network Connect = Yes, Timeout = 12 hours, Host Check = No. Resources = Full network access.
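The policy pipeline on this slide (pre-authentication facts, dynamic authentication, role mapping, resource policy) as a small Python evaluator; this is an added example, not Juniper code. The three mapping rules and the role properties follow the slide's cases, while the attribute names, the rule that off-LAN users must authenticate strongly, the fail-closed default when no rule matches, and the sample sessions are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PreAuth:
    """Pre-authentication facts gathered from the user, the network and the endpoint."""
    user: str
    source: str         # "lan" or "outside" (source IP classification)
    digital_cert: bool  # client certificate presented?
    host_check: str     # "success", "failure" or "skipped"

AUTH_STRENGTH = {"pw": 1, "strong": 2}  # password-only vs. strong (e.g. two-factor)

def required_auth(pre: PreAuth) -> str:
    """Dynamic authentication (assumed rule): anyone off the LAN must authenticate strongly."""
    return "pw" if pre.source == "lan" else "strong"

# Role-mapping rules taken from the slide's three cases; first matching rule wins.
ROLE_RULES = [
    ("Office", lambda p: p.source == "lan" and p.digital_cert and p.host_check == "success"),
    ("Sales",  lambda p: p.source == "outside" and p.digital_cert and p.host_check == "success"),
    ("Field",  lambda p: p.source == "outside" and p.host_check == "failure"),
]

# Session properties and resource policy per role; "*" stands for full network access.
# Values the slide leaves unstated (e.g. Network Connect for Field/Sales) are assumed.
ROLE_PROFILE = {
    "Field":  dict(sam=False, file=False, web_download=True, web_upload=False,
                   network_connect=False, timeout_min=30, host_check="recurring",
                   resources={"crm-web": {"read"}, "owa": {"read", "write"}}),
    "Sales":  dict(sam=True, file=True, web_download=True, web_upload=True,
                   network_connect=False, timeout_min=120, host_check="recurring",
                   resources={"crm-client": {"read", "write"}, "exchange": {"read", "write"}}),
    "Office": dict(sam=True, file=True, web_download=True, web_upload=True,
                   network_connect=True, timeout_min=720, host_check="none",
                   resources={"*": {"read", "write"}}),
}

def map_role(pre: PreAuth, auth_used: str):
    """Authenticate, then map to a role. Fails closed (None) when the authentication
    used is weaker than demanded or when no mapping rule matches."""
    if AUTH_STRENGTH[auth_used] < AUTH_STRENGTH[required_auth(pre)]:
        return None
    for role, rule in ROLE_RULES:
        if rule(pre):
            return role
    return None

def authorize(pre: PreAuth, auth_used: str, resource: str, action: str):
    """Resource-policy step: returns (role, allowed) for one access request."""
    role = map_role(pre, auth_used)
    if role is None:
        return None, False
    policy = ROLE_PROFILE[role]["resources"]
    allowed = action in policy.get(resource, policy.get("*", set()))
    return role, allowed

# Constructed sample: the same user seen with the slide's three attribute sets.
NO_CERT_OUTSIDE = PreAuth("jlopez", "outside", digital_cert=False, host_check="failure")
CERT_OUTSIDE    = PreAuth("jlopez", "outside", digital_cert=True, host_check="success")
CERT_LAN        = PreAuth("jlopez", "lan", digital_cert=True, host_check="success")
```

A password-only login from outside, or a LAN endpoint that fails its host check, matches no rule and is refused rather than silently landing in the most permissive role.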

Slide 8: Breadth of Functionality. Juniper SSL VPN Product Family: functionality and scalability to meet customer needs (ordered by enterprise size).
Secure Access 700: designed for SMEs, secure remote access. Includes: Network Connect. Options/upgrades: concurrent users, Core Clientless Access.
Secure Access 2000: designed for medium enterprise; secure remote, intranet and extranet access. Includes: Core Clientless Access. Options/upgrades: concurrent users, SAM, NC, Secure Meeting, Advanced w/ CM, Cluster Pairs.
Secure Access 4000: designed for medium to large enterprise; secure remote, intranet and extranet access. Includes: Core Clientless Access. Options/upgrades: concurrent users, SAM, NC, Secure Meeting, Advanced w/ CM, Instant Virtual System, SSL Acceleration, Cluster Pairs.
Secure Access 6000: designed for large/global enterprise; secure remote, intranet and extranet access. Includes: Core Clientless Access, SSL acceleration. Options/upgrades: concurrent users, SAM, NC, Secure Meeting, Advanced w/ CM, Instant Virtual System, GBIC, Multi-Unit Clusters.

Slide 9: Case #1: Remote Access for Students/Teachers (diagram). Labels: WWW, Web Mail Farm, Intranet Web Farm, Corporate Intranet, 1,000's of teachers' home PCs, 10,000's of students' home PCs, Mobile User.
Cost scalability:
- Users access from home PCs
- No install, configuration or support
- Only variable cost is authentication
Increased security:
- Unified security layer across servers
- Known, hardened security posture
- Common authentication and authorization policies

Slide 10: Case #2: Campus Services Access (diagram). Labels: ERP Application Server, Unix/NFS Files, Corporate Intranet, School A, School B, School C.
Cost scalability:
- Rapidly add/drop partners
- No lengthy security negotiations
- No capital expenditure per additional partner
Increased security:
- Group-based authorization policies
- Strong authentication and PKI
- Resource-based logging

Slide 11: Agenda
- SSL VPNs Review
- Unified Access Control Solution
- Unified Access Control Scenarios
- Live Demo

Slide 12: Trend and Business Problem (diagram). Labels: WAN, LAN, Remote Office, LAN User, Mobile User, Day Extenders, Business Partners, Data Center (mission-critical apps, file servers, ERP, CRM etc.).
- Widely diverse users
- Unmanaged or ill-managed endpoints
- Business-critical network assets
- "Deadly" network and application-layer threats
- 11% QoQ increase in new vulnerabilities (Q2 '05, SANS)
- Zotob took 96 hours from patch to full outbreak
- New threats exploit common TCP ports, requiring both host intelligence and network-based enforcement

Slide 13: How the Enterprise Infranet works
- What does it do? The Enterprise Infranet couples user identity, network identity and endpoint status with network and endpoint policies.
- How does it do it? Centralized policy management pushes policy based on user, endpoint, network, etc. to enforcement points throughout the network. Policy management leverages Dynamic Access Privilege Management (proven by the #1 SSL VPN, the IVE); policies are enforced at different points throughout the network (proven by the #1 FW/VPN, ScreenOS).

Slide 14: Unified Access Control Solution: How does it work? (diagram). Components: Infranet Agent (IA), Infranet Controller (IC), Phase 1 Enforcers, AAA Servers / Identity Stores (comprehensive enterprise integration).
Infranet Agent (IA):
- Protects authenticated endpoints from malicious/non-compliant endpoints
- Host Checker (J.E.D.I)
- Host Enforcer (with firewall policy or optional dynamic MS IPSec enforcement)
- MS Windows Single Sign-On
- Agentless enforcement for Mac and Linux
Enforcers:
- ScreenOS 5.3-capable NetScreen 5GT through NetScreen 5000
- From 90 Mbps to 30 Gbps
Infranet Controller (IC):
- Access control decision point
- Unified policy enforcement based on identity, endpoint assessment and network
- Automatically provisions the Infranet Agent (if required)
- Dynamically provisions enforcement policy
- Integrated remediation support

Slide 15: Juniper Networks Infranet Controllers
IC 4000:
- Supports up to 3000 concurrent endpoints per appliance
- High availability/scalability: cluster pairs
IC 6000:
- Supports up to 25,000 concurrent endpoints per appliance
- High availability/scalability: multi-unit clusters
- Unique hardware features: hot-swappable, field-upgradeable power supply; field-upgradeable hard disk; hot-swappable fans

Slide 16: Infranet Agent
- Dynamically provisioned endpoint assessment and policy enforcement agent
- No pre-installed client software; lightweight (<1 MB)
- Host Checker (J.E.D.I) for endpoint assessment: native functionality; APIs for leveraging third-party endpoint solutions; pre-login and post-login endpoint assessment for compliance enforcement during the entire user session
- Host Enforcer: dynamic role-based firewall policy; optional dynamic MS IPSec enforcement
- MS Windows Single Sign-On
- Agentless enforcement for Mac and Linux: endpoint assessment but no IPsec

Slide 17: Phase One Infranet Enforcers
- Phase 1 incorporates Juniper FW/VPN platforms; ScreenOS 5.3 software upgrade required
- 75 Mbps to 30 Gbps for wire-speed policy enforcement in the LAN
- Network security policy enforcement: DoS protection, deep packet inspection, anti-virus capabilities, content management
- Logging and auditing: SEM, NSM integration
- Platforms: HSC, NetScreen 5 Series, NetScreen 25 & 50, NetScreen 204 & 208, NetScreen 500, ISG Series, NetScreen 5200 & 5400

Slide 18: Enterprise Infranet Service Control Layer: Deployment Scenarios (diagram). Labels: Data Center (mission-critical apps, file servers, ERP, CRM etc.), AAA Servers / Identity Stores, Enterprise Infranet Controller (IC), Infranet Enforcer (IE), Mobile Worker, Bus. Partner.
- 1. Endpoint: Assess, Authenticate, Remediate, Contain & Self-Protect. Enterprise Infranet Agent (IA): J.E.D.I. APIs, native or 3rd-party host compliance, Trusted Xport, self-defense.
- 2. Trusted XPort (IE)
- 3. Authorize, Enforce & Log (IE)

Slide 19: Agenda
- SSL VPNs Review
- Unified Access Control Solution
- Unified Access Control Scenarios
- Live Demo

Slide 20: Server Front End Deployment Scenario (diagram). Labels: Data Center (mission-critical apps, file servers, ERP, CRM etc.), AAA Servers / Identity Stores, Network Services (DNS, DHCP), Enterprise Infranet Controller (IC6000), Infranet Enforcer (IE), Users.

Slide 21: WAN Gateway Deployment Scenario (diagram). Labels: Data Center (mission-critical apps, file servers, ERP, CRM etc.), AAA Servers / Identity Stores, Network Services (DNS, DHCP), Enterprise Infranet Controller (IC4000), Infranet Enforcer (IE), Users.

Slide 22: Distributed Enterprise (diagram). Corporate Office: Data Center (mission-critical apps, file servers, ERP, CRM etc.), AAA Servers / Identity Stores, Network Services (DNS, DHCP), Enterprise Infranet Controller (IC6000), Infranet Enforcer (IE), Users. Branch Office: Infranet Enforcer (IE), AAA Servers / Identity Stores, Network Services (DNS, DHCP), connected by site-to-site VPN.

Slide 23: Campus – Wired Deployment Scenario (diagram). Labels: Data Center (mission-critical apps, file servers, ERP, CRM etc.), AAA Servers / Identity Stores, Enterprise Infranet Controller (IC6000), Infranet Enforcer, GigE, Users.

Slide 24: Campus – Wireless Deployment Scenario (diagram). Labels: Data Center (mission-critical apps, file servers, ERP, CRM etc.), AAA Servers / Identity Stores, Enterprise Infranet Controller (IC4000), Infranet Enforcer (IE), Generic AP, GigE.

Slide 25: Agenda
- SSL VPNs Review
- Unified Access Control Solution
- Unified Access Control Scenarios
- Live Demo

Slide 26: Demo Network Architecture (diagram). Labels: Infranet Agent (IA), Local Auth Server, Enforcer NS-25, Infranet Controller (IC-4000), Untrust Zone, Enforcer 5GT.

Slide 27: Thank You