Presentation is loading. Please wait.

Presentation is loading. Please wait.

End to End Security Westcon / Juniper 5 daagse Pieter van Dijk Dennis de Leest.

Published byBarbara Masker Modified over 10 years ago

Similar presentations

Presentation on theme: "End to End Security Westcon / Juniper 5 daagse Pieter van Dijk Dennis de Leest."— Presentation transcript:

1 End to End Security Westcon / Juniper 5 daagse Pieter van Dijk Dennis de Leest

2 2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net AGENDA Alles ??? Hmmm.. - LAN - Wan - Datacenter - Demo Hoe bouwen we dat met OPEN standaarden …….

3 3 Copyright © 2009 Juniper Networks, Inc. www.juniper.net MULTI-YEAR TRENDS IN THE ENTERPRISE Mega Data Centers (thousands) Clients (billions) Global High-Performance Network Campus Branch Home Mobile Workforce Globalization Data/App Consolidation The Distributed Enterprise

4 4 Copyright © 2009 Juniper Networks, Inc. www.juniper.net NAC USE CASES Guest Networking Internet Are You One of Us? Yes No "Main" Network Endpoint Baselining Patches? Antivirus? Firewall? Identity-Aware Network NAC IAM Monitoring/Containment Backbone LANs

5 5 Copyright © 2009 Juniper Networks, Inc. www.juniper.net IDENTITY AWARE NETWORKING Subset of Applications Mission-Critical Applications Guest Network Sales Finance HR Sales Finance Employees HR

6 6 Copyright © 2009 Juniper Networks, Inc. www.juniper.net WHAT IS UAC  Authentication and Authorization  AAA Integration, Active Directory, LDAP  Endpoint Posture Assessment  Enforce Windows patch assessment and remediation  Enforce antivirus, personal firewall, etc.  Built in anti-malware and anti-spyware  Role and Identity-based Access Control  With EX Series switches (Layer 2)  With ScreenOS, SRX Series, J Series routers (Layer 3)  With IDP Series (Layer 7: Application-based)

7 7 Copyright © 2009 Juniper Networks, Inc. www.juniper.net STANDARDS-BASED, IDENTITY-AWARE ACCESS CONTROL AND NETWORK SECURITY

8 8 Copyright © 2009 Juniper Networks, Inc. www.juniper.net INDUSTRY RECOGNITION “Juniper’s Unified Access Control (UAC) is the most complete NAC solution and scored highest in Current Offering” The Forrester Wave™: Network Access Control, Q3 2008 The Forrester Market Research Report, Q4 2009 2009 ‘Best NAC’ Gold Award

9 9 Copyright © 2009 Juniper Networks, Inc. www.juniper.net UAC FOR SECURE GUEST ACCESS Easy to use – just a few simple steps  Provision delegated administration (to receptionist or any other authorized corporate sponsor)  Delegated administration enables creation of guest user accounts with simple username and password  Guest users connect to any Ethernet jack or via wireless in the corporate offices  Guest users are able to access the Internet  Bases level and depth of access on guest type, identity, and role Mike Fratto | InformationWeek Analytics | 2008 NAC Survey 58% 57% 47% 44% 42% 30% Guests Employee, remote access Employee, wireless LAN Contractors/ outsourced labor Unmanageable devices Employee, wired LAN Note: Percentages based on a rating of 4 to 5 on a five-point scale where 1 is “low” and 5 is “High” LAN Threat by Users

10 10 Copyright © 2009 Juniper Networks, Inc. www.juniper.net FULLY COORDINATED SECURITY INFRASTRUCTURE 802.1X NAC Enterprise-Wide Access Control Application Level Enforcement Management and Visibility Identity Aware Security UAC “Nerve Center” Proven Endpoint Control

11 11 Copyright © 2009 Juniper Networks, Inc. www.juniper.net CENTRAL POLICY COORDINATION Seamless AAA integration Comprehensive endpoint integrity  Automatic and manual remediation  Dynamic updates Dynamic, market-leading antispyware/antimalware check Standards-based (TNC, 802.1X, RADIUS,…) Unmatched scale, resilient HA Enterprise-wide management Security hardened IC Series IDP Series SA Series Firewall STRM Series 802.1X Switches & APs EX Series SRX Series UAC “Nerve Center”

12 12 Copyright © 2009 Juniper Networks, Inc. www.juniper.net OPEN STANDARDS TNC open architecture for network security and access control  Suite of standards ensuring interoperability Leverages existing network infrastructure and future proofs security Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Wired Network Perimeter UAC Agent Metadata Access Point (MAP) EX Series Firewall SRX Series Wireless SA Series SCADA Great Bay Third-Party Appliances Third-Party Firewalls IC Series MAP Server MAP Clients Insightix Lumeta Hirsch Wave Third-Party DLP UAC “Nerve Center”

13 13 Copyright © 2009 Juniper Networks, Inc. www.juniper.net COMPLETE 802.1X NAC EX Series Ethernet Switch support  Identity-based QoS, bandwidth limiting, and priority scheduling  Mirror traffic to IDP Series for monitoring and logging Vendor agnostic  Supports ANY vendor’s 802.1X-compatible switches and access points Granular policy capabilities  VLANs, ACLs, QoS,… IC Series EX Series Any 802.1X Switch/AP 802.1X NAC

14 14 Copyright © 2009 Juniper Networks, Inc. www.juniper.net IDENTITY-AWARE SECURITY Enables true mobility  Eliminate ACLs – “follow the user” policies  Identity-based, secure network segmentation Supports any Juniper security policy  SRX Series Services Gateways  ScreenOS firewalls (ISG Series, SSG Series)  IDP Series for Application Layer Enforcement  J Series as Layer 3 Enforcement Points SSG Series SRX Series IDP IC Series Apps Data Finance Video Corporate Data Center Identity Aware Security

15 15 Copyright © 2009 Juniper Networks, Inc. www.juniper.net APPLICATION LEVEL ENFORCEMENT Industry’s first NAC solution to offer full Layer 2 – Layer 7 enforcement capabilities Enforces application layer policies across networks  Standalone IDP Series appliances as UAC enforcers  Control access via role/application based policies to IM, P2P, other corporate applications Identity-enabled anomaly detection and mitigation  Remote or local access  Isolate threat to specific user or device  Employs specific, configurable policy actions IDP Series EX Series IC Series Application Servers Firewalls UAC Enforcement Points 802.1X Switches/APs Application Level Enforcement

16 16 Copyright © 2009 Juniper Networks, Inc. www.juniper.net MANAGEMENT AND VISIBILITY Juniper NSM  Central management Juniper STRM Series  Strong visibility  Comprehensive reporting and analysis Comprehensive Juniper portfolio coverage Management and Visibility

17 17 Copyright © 2009 Juniper Networks, Inc. www.juniper.net ENTERPRISE-WIDE ACCESS CONTROL Federated Remote/Local Access  Single login protected network/resource access  Intelligently provisions network access  Simplifies user experience Shared, centrally managed policies Corporate Data Center Apps Finance Video Local User SA-Series Internet IC Series IF-MAP UAC Enforcer NSM Policies Enterprise-Wide Access Control

18 18 Copyright © 2009 Juniper Networks, Inc. www.juniper.net UAC SUPPORTS UNMANAGEABLE DEVICES MAC based authentication for unmanageable devices  Printers  FAX Machines  VoIP phones  HVAC Systems  Health care monitoring devices, fusion pumps, etc. Partnership with industry leaders for detection/sensor capabilities  Great Bay Beacon  Insightix

19 19 Copyright © 2009 Juniper Networks, Inc. www.juniper.net IC Series and EX Series establish VLAN, ACLs, and QoS for session UAC pushes role-based FW policies to SRX Series and application layer policies to IDP Series EX Series quarantines the user/device for automatic patch remediation Remediation successful; full network access granted User attempts to access “Finance” data, but is blocked Imagine a sales person in an office: “Sales” user logs in from un- patched device 5 4 123 BASIC NAC ENFORCEMENT Local User Patch Remediation SRX Series IDP Series IC Series Corporate Data Center Apps Data Finance Video EX Series

20 20 Copyright © 2009 Juniper Networks, Inc. www.juniper.net SA session data pushed to IC via IF- MAP UAC pushes role-based FW policies to SRX and application layer policies to IDP IDP senses attack, informs IC SA terminates user session IC removes SRX/IDP access “Sales” user’s device is quarantined for automatic patch remediation Remediation successful; full network access granted User attempts to access “Finance” data, but is blocked Imagine a sales person on the road: “Sales” user logs in from un- patched device 654 123 ENTERPRISE-WIDE ACCESS CONTROL Apps Data Finance Video Mobile User Patch Remediation SRX Series IDP Series IC Series Corporate Data Center SA Series Internet

21 21 Copyright © 2009 Juniper Networks, Inc. www.juniper.net DATA CENTER IDP Series IC Series UAC quarantines the user until P2P application is shut down STRM Series correlates log files from numerous devices; Generates standardized reports Once connected, employee attempts to file share via P2P application, contrary to acceptable use policies IDP Series detects/blocks inappropriate L7 traffic and asks UAC to identify the culprit User disables P2P app and is connected to the finance application Imagine a broker accessing finance applications: Employee/endpoint meet security policies CAMPUS 654 123 APPLICATION LEVEL ENFORCEMENT

22 Client technology (windows based)

23 23 Copyright © 2009 Juniper Networks, Inc. www.juniper.net JUNOS PULSE FOR WINDOWS Builds on Juniper’s market leading SA Series SSL VPN, UAC solution, and WXC Series technology! Dynamically provisioned software client (Junos Pulse) for:  Connectivity  Security  Acceleration  Collaboration Integrated multi-service gateways to terminate/control client Location awareness and session migration deliver anytime/anywhere access automatically, without user intervention Identity-enabled Standards-based, future-proofing network investments Integration platform for select 3 rd party apps Integrated multi-service network client delivering anytime/anywhere/everywhere connectivity, security, and acceleration with a simplified user experience

24 24 Copyright © 2009 Juniper Networks, Inc. www.juniper.net SMART LOCATION BASED VPN AND LAN ACCESS For notebooks and netbooks:  Location Awareness – Seamless access as the user moves from remote access to LAN access  Pulse Client auto discovers High Speed/Low Latency connections  Seamless session migration – No need to re-authenticate Branch Office/Locations/Campus Remote Location (Hotel, Partner, etc.) Remote Users/Telecommuters WXC Series SA Series HQ IC Series (UAC) Mobile Users

25 25 Copyright © 2009 Juniper Networks, Inc. www.juniper.net LAN Data Center NY Engineering Server Finance Server SSL VPN UAC SRX Data Center Tokyo Engineering Server Finance Server Corporate Network SSL VPN UAC SRX IF-MAP User: Adam Role: Finance Head Quarters User: Adam Role: Finance Remote Site SSL VPN REMOTE GLOBAL IDENTITY AWARE NETWORKING Adam in Finance attempts to access the Engineering Servers in the NY data center from his wired desktop at HQ, but access is denied. Adam is only allowed access to the Finance Server based on his credentials and access policies. Adam is now remote in Asia and attempts to access the Tokyo data center remotely from his mobile device. The same access policies applied to Adam when at HQ follow him anywhere and anytime he attempts network access. Client technology (mobile based)

26 26 Copyright © 2009 Juniper Networks, Inc. www.juniper.net BENELUX 61 % Access work networks every day without employer’s knowledge 61 % Access work networks every day without employer’s knowledge 18 % Own a smartphone (5% own a tablet 7% own both) 18 % Own a smartphone (5% own a tablet 7% own both) 39 % Mix business and personal use on their mobile device 39 % Mix business and personal use on their mobile device 46 % Would like to have parental controls on their mobile device 46 % Would like to have parental controls on their mobile device 29 % Access personal financial information from their mobile device 29 % Access personal financial information from their mobile device 12 % Have shared personal financial information via email or text 12 % Have shared personal financial information via email or text 48 % Password protect their smartphone 48 % Password protect their smartphone 49 % Are concerned about identity theft resulting from smartphone use 49 % Are concerned about identity theft resulting from smartphone use 3 % Unfamiliar with security settings on mobile devices 3 % Unfamiliar with security settings on mobile devices 3 % Rely on corporate IT department to maintain mobile device security 3 % Rely on corporate IT department to maintain mobile device security 74 % Regard mobile security as a High or Top-Priority 74 % Regard mobile security as a High or Top-Priority 41 % Are concerned they will lose their mobile device and info 41 % Are concerned they will lose their mobile device and info All data Juniper Networks Global Smartphone Security Study October 2010 except * Canalys estimates and forecasts, August 2010 * 32.3 % CAGR Smartphone units by 2012 * 32.3 % CAGR Smartphone units by 2012 * 9 Million Smartphone Units 2010 * 9 Million Smartphone Units 2010

27 27 Copyright © 2009 Juniper Networks, Inc. www.juniper.net WHAT IS JUNOS PULSE? Junos Pulse for Mobile Devices consists of 2 components  Software clients (some Juniper developed, some native to handset OSs) on various mobile handsets  Juniper Networks SA Series SSL VPN gateways communicating with clients Junos Pulse – for laptops/desktops with 3G cards for example – consists of same 2 components with built-in WAN acceleration capabilities for Windows systems Corporate Offices SSL VPN SA Series SSL VPN Video FinanceApplicationsDataMultimedia Database WXC Series Application Acceleration

28 28 Copyright © 2009 Juniper Networks, Inc. www.juniper.net JUNIPER’S APPROACH: JUNOS PULSE A single client for:  Connectivity  Security  Acceleration And Now:  Smart-device security & management

29 29 Copyright © 2009 Juniper Networks, Inc. www.juniper.net Security on Pulse for Mobile devices Antivirus Real-time protection Auto updates Scan all files All connections Personal Firewall Personal Firewall Inbound & outbound filtering Alerts & logging Customizable Anti Spam Block SMS & voice spam Blacklist filtering Disable alerts options Automatic denial options Loss & Theft Protection Loss & Theft Protection Remote lock and wipe Backup & restore GPS locate SIM change notification Device Control Device Control App inventory & control Content monitoring

30 30 Copyright © 2009 Juniper Networks, Inc. www.juniper.net ENFORCING NETWORK ACCESS POLICIES PC user Corporate Data Center Apps Data Finance Video Active Directory /LDAP Patch Remediation WLCs Pulse detects device is on corporate network and per user policy disables any active VPN sessions 1 1 During 802.1x authentication. MAG verifies PC meets company software and security policy requirements 2 2 Compliance check fails. Antivirus signatures are out of date and user is quarantined to remediation VLAN. Patch server updates signatures. User is now in compliance and granted network access 3 3 EX4500 VC and EX4200 VC  EX4200 VC SRX AppTrack feature combined with MAG data collects per user application information providing detailed reports in STRM  SRX AppSecure Polices block non- work related applications 6 6 SRX enforces user policies allowing user basic access to all servers except finance 5 5 MAG pushes role based FW policies to EX and SRX 4 4 Virus SW too old Internet MAG with Radius, SSLVPN and UAC modules SRX with IDP/AppSecure

31 31 Copyright © 2009 Juniper Networks, Inc. www.juniper.net Wireless User Tablet/smartphone Corporate Data Center Apps Data Video Active Directory /LDAP MAG with Radius, SSLVPN and UAC modules WLCs User needs to access company intranet over non-corporate network using iPad 1 1 User starts Junos Pulse and initiates a secure VPN session with MAG appliance 2 2 MAG verifies user login, establishes VPN and the device is allowed on the network. 3 3 SRX AppSecure Polices block non-work related applications 6 6 EX4500 VC and EX4200 VCs SRX with IDP/ AppSecure  SRX AppTrack feature combined with MAG data collects per user application information providing detailed reports in STRM Finance MOBILE DEVICE REMOTE NETWORK ACCESS POLICY AND ACCESS CONTROL SRX enforces user policies allowing user access to all servers except finance 5 5 MAG pushes role based ACL and FW policies to the SRX and EX 4 4  Internet

32

Download ppt "End to End Security Westcon / Juniper 5 daagse Pieter van Dijk Dennis de Leest."

Similar presentations

| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net 1 WX Client Rajoo Nagar PLM, WABU.

| Copyright © 2009 Juniper Networks, Inc. | 1 WX Client Rajoo Nagar PLM, WABU.
| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net 1 Distributed Enterprise – Channel Proposition Jonathan Hallatt 22 nd July 2009.

| Copyright © 2009 Juniper Networks, Inc. | 1 Distributed Enterprise – Channel Proposition Jonathan Hallatt 22 nd July 2009.
!! Are we under attack !! Consumer devices continue to invade *Corporate enterprise – just wanting to plug in* Mobile Device Management.

!! Are we under attack !! Consumer devices continue to invade *Corporate enterprise – just wanting to plug in* Mobile Device Management.
Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.

Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.

Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
The Cable Guys Inc. Drew Leach Tom McLoughlin Philip Mauldin Bill Smith.

The Cable Guys Inc. Drew Leach Tom McLoughlin Philip Mauldin Bill Smith.
SIMPLY CONNECTED THE NEW CAMPUS NETWORK, MOBILITY CHANGES EVERYTHING Alain Levens Sr. SE Campus & Branch February 14, 2012.

SIMPLY CONNECTED THE NEW CAMPUS NETWORK, MOBILITY CHANGES EVERYTHING Alain Levens Sr. SE Campus & Branch February 14, 2012.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Guest Server Guest Access - Simplified Tim Wellborn SE Sangeeta.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco NAC Guest Server Guest Access - Simplified Tim Wellborn SE Sangeeta.
Information Security in Real Business

Information Security in Real Business
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
MIGRATION FROM SCREENOS TO JUNOS based firewall

MIGRATION FROM SCREENOS TO JUNOS based firewall
Windows Server 2012 R2 Capabilities for BYOD Scenario Yuri Diogenes Senior Knowledge Engineer Data Center, Devices & Enterprise Client – CSI Team’s Page:

Windows Server 2012 R2 Capabilities for BYOD Scenario Yuri Diogenes Senior Knowledge Engineer Data Center, Devices & Enterprise Client – CSI Team’s Page:
All Rights Reserved © Alcatel-Lucent 2010 1 | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.

All Rights Reserved © Alcatel-Lucent | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.
1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.

1 © 2001, Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Easy VPN Solutions Applications and Implementation with Cisco IOS.
Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.

Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
Be there without going there. Microsoft Lync is an enterprise-ready, unified communications platform that connects users everywhere, providing a consistent,

Be there without going there. Microsoft Lync is an enterprise-ready, unified communications platform that connects users everywhere, providing a consistent,
Office 365: Efficient Cloud Solutions Wednesday March 12, 9AM Chaz Vossburg / Gabe Laushbaugh.

Office 365: Efficient Cloud Solutions Wednesday March 12, 9AM Chaz Vossburg / Gabe Laushbaugh.

Similar presentations

Ads by Google