1
Securing Remote Access using SSL-VPN
Niklas Henriksson – Systems Engineer
2
Provision by Purpose
Three Different Access Methods to Control Users’ Access to Resources
Dynamic Access Control based on User, Device, Network, etc.
Network Connect
- IPSec-like experience with full network layer tunnel
- Supports all client applications & resource intensive applications like VoIP & streaming media
- Recommended for remote and mobile employees only, as full network access is granted
Secure Application Manager (SAM)
- Access to client/server applications such as Windows & Java applications
- One click access to applications such as Citrix, Microsoft Outlook, and Lotus Notes
- Ideal for remote & mobile employees and partners if they have application software loaded on their PCs
Core Access
- Access to Web-based applications, file shares, Telnet/SSH hosted apps, and Outlook Web Access
- Granular access control all the way up to the URL or file level
- Ideal for most users to access from any device on any network (corporate laptop, home PC, customer or partner PC, kiosk, PDA, etc.)
- LAN-like L3 access to Client/Server and web apps with Network Connect
- Granular client/server application access control with Secure Application Manager
- Granular web application access control with Core Access method
3
Access Methods (Application & Resources) - Core Access -
Full cross platform/browser support
Secure Web Application Access
- Support for widest range of web-based content and applications: Sharepoint, OWA, iNotes, PDF, Flash, Java applets, HTML, Javascript, DHTML, VBScript, XML, etc.
- Host & deliver any Java applet
Secure File Share Access
- Web front-end for Windows and Unix Files (CIFS/NFS)
- Integrated Client
Secure Terminal Access
- Access to Telnet/SSH (VT100, VT320…)
- Anywhere access with no terminal emulation client
4
Access Methods (Application & Resources) - Terminal Services -
Seamlessly and securely access any Citrix or Windows Terminal Services deployment
Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, Hosted Java Applet
Replacement for Web Interface/Nfuse
Native TS Support
- Granular Use Control
- Secure Client delivery
- Integrated Single Sign-on
- Java RDP/JICA Fallback
- WTS: Session Directory
- Citrix: Auto-client reconnect / session reliability
- Many additional reliability, usability, access control options
5
Access Methods (Application & Resources) - Secure Application Manager -
Full cross platform support; Windows + Java versions
Granular control – users access specific client/server applications
Access C/S applications without provisioning full Layer 3 tunnel
Eliminates costs, complexity, and security risks associated with VPNs
No incremental software/hardware or customization to existing apps
WSAM – secure traffic to specific client/server applications
- Supports Windows Mobile/PPC, in addition to full Windows platforms
- Granular access and auditing/logging capabilities
- Installer Service available for constrained user privilege machines
JSAM – supports static TCP port client/server applications
- Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
- Drive mapping through NetBIOS support
- Install without advanced user privileges
6
Access Methods (Application & Resources) - Network Connect -
Full Layer 3 Access, similar to IPSec VPN
Adaptive, Dual Transport Mode
- Initially attempts to set up high performance, IPSec transport (High Performance Transport Mode)
- If blocked by network, seamlessly fails over to SSL (High Availability Transport Mode)
Cross Platform
Dynamic Download (A|X or Java delivery)
Range of options – browser launch, standalone EXE, scriptable launcher, MSFT Gina
Client-side Logging, Auditing and Diagnostics
7
Seamless AAA Integration
Full Integration into customer AAA infrastructure
- AD, LDAP, RADIUS, Certificate, OTP, etc.
Password Management Integration
- User self service for password management
- Reduced support costs, increased productivity
- All standard LDAP, MSFT AD
Single Sign-On – Native Capabilities
- Leveraged across all web apps, seamless user experience
- Forms, Header, SAML, Cookie, Basic Auth, NTLM
SAML Support – Web single sign-on, integration with I&AM platforms
- Standards-based Web SSO
- Partnerships with leading AM Vendors (CA, Oracle, RSA, etc.)
8
Access Privilege Management – 1 URL, same person access from 3 different locations
Policy flow:
Pre-Authentication – Gathers information from user, network, endpoint
- Pre-authentication information: Browser Type, Time, Place, Digital Certificate, Endpoint Security (Host Check), Source IP Address, Interface Type, Sign-in URL
Authentication Policy – Permit/Deny
- Establish authentication level
- Enforce authentication & password policy
- Based on: Cert Attributes, Device Attributes, Network Attributes
Authentication & Authorization – Authenticate user, Map user to role
Role Mapping – Assign session properties for user role
- Determine session role(s)
- Establish session access settings
- Establish session UI
- Based on: Session Attributes, User Attributes
Resource Authorization Policy – Applications available to user
- Dynamic permit/deny policy
- Granular resource controls (URL, file, or server)
- Based on: Role(s)
Managed Laptop
- Host Check: Pass (AV RTP On, Definitions up to date)
- Machine Cert: Present
- Device Type: Win XP
- Auth: Digital Certificate
- Role Mapping: Managed
- Access Method: Network Connect
- File Access: Enabled
- Timeout: 2 hours
- Host Check: Recurring
- Applications: Outlook (full version), CRM Client/Server, Intranet, Corp File Servers, Sharepoint
Unmanaged (Home PC/Kiosk)
- Host Check: Fail (No AV Installed, No Personal FW)
- Machine Cert: None
- Device Type: Mac OS
- Auth: AD Username/Password
- Role Mapping: Unmanaged
- Access Method: Core, SVW Enabled
- File Access: Disabled
- Timeout: 30 mins
- Host Check: Recurring
- Applications: Outlook Web Access (no file up/download), CRM Web (read-only), Intranet
Mobile Device
- Host Check: N/A
- Machine Cert: None
- Device Type: Win Mobile 6.0
- Auth: Digital Certificate
- Role Mapping: Mobile
- Access Method: WSAM, Core
- File Access: Enabled
- Timeout: 30 mins
- Applications: Outlook Mobile, CRM Web, Intranet, Corp File Servers
9
One Device for Multiple Groups – Customize policies and user experience for diverse users
partners.company.com – “Partner” Role
- Authentication: Username/Password
- Host Check: Enabled – Any AV, PFW
- Access: Core Clientless
- Applications: MRP, Quote Tool
employees.company.com – “Employee” Role
- Authentication: OTP or Certificate
- Host Check: Enabled – Any AV, PFW
- Access: Core + Network Connect
- Applications: L3 Access to Apps
customers.company.com – “Customer” Role
- Authentication: Username/Password
- Host Check: Enabled – Any AV, PFW
- Access: Core Clientless
- Applications: Support Portal, Docs
10
End-to-End Security
11
End-Point Security - Host Checker -
Check devices before & during session
Ensure device compliance with corporate policy
Remediate devices when needed
Cross platform support
Home PC User
- No Anti-Virus Installed, Personal Firewall enabled
- User remediated: install anti-virus; once installed, user granted access
Airport Kiosk (Mobile User)
- No anti-virus installed, no personal firewall
- User granted minimal access
Managed PC User
- AV Real-Time Protection running, Personal Firewall Enabled, Virus Definitions Up To Date
- User granted full access
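The access-privilege slide and the Host Checker slide describe one decision chain: gather endpoint posture, run the host check, map the user to a role, then derive session settings and permitted resources from the role. The following is an added illustration of that chain, not Juniper code; the role names, settings and application lists are taken from the slides, while the decision rules, the Endpoint fields and the "Remediate" holding state are assumptions.

```python
# Constructed illustration of the policy flow on the slides above: endpoint
# posture -> Host Check result -> role mapping -> session settings and
# resources. Not Juniper code; the decision logic is an assumption.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Endpoint:
    auth_method: str               # "certificate" or "password"
    device_type: str               # e.g. "Win XP", "Mac OS", "Win Mobile 6.0"
    machine_cert: bool
    av_realtime: Optional[bool]    # None: host check not applicable
    av_defs_current: Optional[bool]
    personal_fw: Optional[bool]

# Per role: access methods, file access, timeout (minutes), applications.
ROLES = {
    "Managed": (["Network Connect"], True, 120, ["Outlook", "CRM Client/Server", "Intranet", "Corp File Servers", "Sharepoint"]),
    "Unmanaged": (["Core", "SVW"], False, 30, ["Outlook Web Access", "CRM Web (read-only)", "Intranet"]),
    "Mobile": (["WSAM", "Core"], True, 30, ["Outlook Mobile", "CRM Web", "Intranet", "Corp File Servers"]),
    "Remediate": ([], False, 0, []),   # no access until anti-virus is installed
}

def host_check(ep: Endpoint) -> str:
    """Evaluate endpoint posture: 'pass', 'remediate', 'fail' or 'n/a'."""
    if ep.av_realtime is None:
        return "n/a"
    if ep.av_realtime and ep.av_defs_current and ep.personal_fw:
        return "pass"
    if ep.personal_fw and not ep.av_realtime:
        return "remediate"   # firewall present, AV missing: user can fix it
    return "fail"            # neither AV nor firewall: minimal access only

def map_role(ep: Endpoint) -> str:
    # Role mapping combines host check, machine certificate and auth method.
    hc = host_check(ep)
    if hc == "n/a" and ep.device_type.startswith("Win Mobile"):
        return "Mobile"
    if hc == "remediate":
        return "Remediate"
    if hc == "pass" and ep.machine_cert and ep.auth_method == "certificate":
        return "Managed"
    return "Unmanaged"

def build_session(ep: Endpoint) -> dict:
    # Resource authorization: session properties for the mapped role.
    role = map_role(ep)
    access, files, timeout, apps = ROLES[role]
    return {"role": role, "access": access, "file_access": files, "timeout_min": timeout,
            "apps": apps, "host_check_recurring": ep.av_realtime is not None}
```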
12
Endpoint Security - Secure Virtual Workspace -
Host Checker (Java/ActiveX) delivery
Win 2k/XP Systems (user privileges)
Admin-specified application access
DoD Cleaning/Sanitizing standard compliant
Password-protected persistent sessions
Controlled I/O Access
Configurable look/feel
Real Desktop vs. SVW:
- Limited/Blocked I/O Access
- Clipboard Operations Blocked (Virtual / Real)
- Session Data Encrypted on-the-fly (AES)
- File System: Real / Virtual
- End of Session: Secure Delete OR Persistent Session (Encrypted)
13
System Security – “Security First” approach to development
Hardened OS based on Linux variant
Protection against many known attacks
AES encrypted hard disk on every appliance
In-Transit Data Protection
- Data trapping
- URL obfuscation
Numerous 3rd party security audits
Juniper Security Incident Response Team (SIRT) to quickly investigate any potential vulnerabilities
14
Typical Threat Control Challenges
Diagram: Partner (intermediated traffic) and Employee (tunneled traffic) reaching the LAN across the Internet
No User Identity Information
- No way to identify user with intermediated traffic
- Time-consuming to identify user with tunneled traffic
- Identifying user is critical to mitigating impact of security threats
No Identity-Based Coordinated Threat Response
- No ability to respond to source of threat because you don’t know who the user is
- No ability to automatically coordinate responses in both IPS and SSL VPN
15
Juniper’s Coordinated Threat Control
Diagram (Partner, LAN, Employee):
1 - IDP detects threat and stops traffic
2 - Signaling protocol to notify SSL VPN of attack
3 - SA identifies user & takes action on user session
Correlated Threat Information
- Identity, Endpoint, Access history
- Detailed traffic & threat information
Coordinated Identity-Based Threat Response
- Manual or automatic response
- Response options: Terminate session, Disable user account, Quarantine user
- Supplements IDP threat prevention
Comprehensive Threat Detection and Prevention
- Ability to detect and prevent malicious traffic
- Full layer 2-7 visibility into all traffic
- True end-to-end security
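The three steps on this slide come down to one correlation problem: the IDP knows a source address, the SSL VPN knows which user holds it. The following is an added illustration of that step and of the three response options, not Juniper's signaling protocol or code; the alert fields, the session table, the severity thresholds and the "Quarantine" role name are assumptions, and all addresses and users are constructed.

```python
# Constructed illustration of the slide's flow: an IDP alert carrying only a
# source address (steps 1-2) is correlated with the SSL VPN session table to
# identify the user, then a response is applied (step 3). Not Juniper code;
# message fields, session data and severity thresholds are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Session:
    user: str
    tunnel_ip: str               # address the VPN assigned to the client
    role: str
    endpoint: str                # host check summary recorded at sign-in
    history: List[str] = field(default_factory=list)   # access history
    state: str = "active"        # active | quarantined | terminated

def sample_sessions() -> List[Session]:
    """Constructed session table (private addresses, fictitious users)."""
    return [
        Session("alice", "10.200.0.11", "Managed", "hc:pass", ["intranet", "sharepoint"]),
        Session("partner-bob", "10.200.0.12", "Partner", "hc:any-av", ["mrp"]),
    ]

def correlate(sessions: List[Session], alert: dict) -> Optional[Session]:
    """Step 3: map the offending source IP back to a live user session."""
    return next((s for s in sessions
                 if s.tunnel_ip == alert["src_ip"] and s.state != "terminated"), None)

def respond(sessions: List[Session], disabled: Set[str], alert: dict,
            automatic: bool = True) -> dict:
    """Apply the response for an IDP alert; returns the correlated record."""
    s = correlate(sessions, alert)
    if s is None:
        return {"action": "log_only", "reason": "no session for " + alert["src_ip"]}
    record = {"user": s.user, "endpoint": s.endpoint, "history": list(s.history),
              "signature": alert["signature"], "severity": alert["severity"]}
    if not automatic:
        return {**record, "action": "manual_review"}   # operator decides
    if alert["severity"] == "critical":
        s.state = "terminated"          # terminate session ...
        disabled.add(s.user)            # ... and disable the user account
        return {**record, "action": "terminate_and_disable"}
    if alert["severity"] == "high":
        s.state, s.role = "quarantined", "Quarantine"   # quarantine user
        return {**record, "action": "quarantine"}
    s.history.append("idp:" + alert["signature"])     # low severity: record only
    return {**record, "action": "log_only"}
```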
16
Secure Access 2500 – Targeted to small to mid-sized businesses
Up to 100 concurrent user scalability
Industry leading SSL VPN feature set such as:
- Comprehensive end-point security checks on devices
- Dynamic, granular access control to resources based on each user’s role
- Support for wide array of mobile devices & cross platforms
17
Secure Access 4500 – Targeted to mid to large-sized businesses
Up to 1000 concurrent user scalability
Industry leading SSL VPN feature set such as:
- Comprehensive end-point security checks on devices
- Dynamic, granular access control to resources based on each user’s role
- Support for wide array of mobile devices & cross platforms
Optional hardware-based SSL acceleration module
18
Secure Access 6500 – Targeted to large enterprises and service providers
Up to 10,000 concurrent user scalability on single unit
Up to 30,000 concurrent user cluster scalability on four-unit cluster
Includes the optional components previously found on SA 6000 SP (memory upgrade, hot swappable fans & drives)
- Dual, mirrored hot swappable SATA hard drives
- Dual, hot swappable fans
SATA – Serial Advanced Technology Attachment
19
Breadth of Functionality
Juniper SSL VPN Product Family – Functionality and Scalability to Meet Customer Needs
Chart axes: Breadth of Functionality vs. Enterprise Size
Secure Access 700
- Designed for: SMEs; Secure remote access
- Includes: Network Connect
- Options/upgrades: 10-25 conc. users, Core Clientless Access
Secure Access 2500
- Designed for: Medium enterprise; Secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC, Advanced with Central Manager
- Options/upgrades: conc. users, Secure Meeting, Cluster Pairs
Secure Access 4500
- Designed for: Medium to large enterprise; Secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC, Advanced with Central Manager
- Options/upgrades: conc. users, Secure Meeting, Instant Virtual System, SSL Acceleration, Cluster Pairs
Secure Access 6500
- Designed for: Large enterprises & SPs; Secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC, Advanced with Central Manager, SSL acceleration, Hot swap drives, fans
- Options/upgrades: Up to 30,000 conc. users, Secure Meeting, Instant Virtual System, 4-port SFP card, 2nd power supply or DC power supply, Multi-Unit Clusters
20
System Management
Granular Role-based administration
- Leverages leading AAA framework used for user sessions
- Assign tasks to appropriate groups (helpdesk, security, operations, etc.)
Central Manager
- Manage/maintain all clustered devices from a single console
- Config Import/Export: Make offline config changes and import; Configuration backup/archiving
- Push Configuration: Push full or partial configurations to other devices
Granular logging and log filtering
- Analysis, compliance, and auditing requirements
Advanced troubleshooting tools for quick issue resolution
- Policy trace, session recording, system snapshot, etc.
21
Clustering/High Availability
Native Clustering
- SA2500, SA4500: Cluster Pairs
- SA6500: Multi-unit clusters
Stateful system peering
- System state and configuration settings
- User profile and personalized configuration
- User session sync (users don’t have to log in again in a failover scenario)
Active/Passive configuration for seamless failover
Active/Active configuration for increased throughput and failover
Enterprise and Service Provider Value
- Ensured reliability of critical access infrastructure
- Seamless failover, no loss of productivity
- Expansive user scalability via replication
- Management efficiency via central administration interface
22
Questions?
23
Copyright © 2008 Juniper Networks, Inc.