Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 Copyright © 2008 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net.

Slide 1: Securing Remote Access using SSL-VPN
Niklas Henriksson, Systems Engineer, nhenriksson@juniper.net

Slide 2: Provision by Purpose
Three different access methods to control users' access to resources, with dynamic access control based on user, device, network, etc.

Network Connect (LAN-like Layer 3 access to client/server and web apps)
- IPSec-like experience with a full network layer tunnel
- Supports all client applications and resource-intensive applications like VoIP and streaming media
- Recommended for remote and mobile employees only, as full network access is granted

Secure Application Manager (SAM) (granular client/server application access control)
- Access to client/server applications such as Windows and Java applications
- One-click access to applications such as Citrix, Microsoft Outlook, and Lotus Notes
- Ideal for remote and mobile employees and partners if they have the application software loaded on their PCs

Core Access (granular web application access control)
- Access to Web-based applications, file shares, Telnet/SSH hosted apps, and Outlook Web Access
- Granular access control all the way down to the URL or file level
- Ideal for most users accessing from any device on any network (corporate laptop, home PC, customer or partner PC, kiosk, PDA, etc.)

Slide 3: Access Methods (Application & Resources) - Core Access -
- Full cross-platform/browser support
- Secure Web Application Access
  - Support for the widest range of web-based content and applications: Sharepoint, OWA, iNotes, PDF, Flash, Java applets, HTML, Javascript, DHTML, VBScript, XML, etc.
  - Host and deliver any Java applet
- Secure File Share Access
  - Web front-end for Windows and Unix files (CIFS/NFS)
- Integrated E-mail Client
- Secure Terminal Access
  - Access to Telnet/SSH (VT100, VT320…)
  - Anywhere access with no terminal emulation client

Slide 4: Access Methods (Application & Resources) - Terminal Services -
- Seamlessly and securely access any Citrix or Windows Terminal Services deployment
  - Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, or a hosted Java applet
  - Replacement for Web Interface/NFuse
- Native TS support
  - Granular use control
  - Secure client delivery
  - Integrated single sign-on
  - Java RDP/JICA fallback
  - WTS: Session Directory
  - Citrix: auto-client reconnect / session reliability
  - Many additional reliability, usability, and access control options

Slide 5: Access Methods (Application & Resources) - Secure Application Manager -
- Full cross-platform support; Windows and Java versions
- Granular control: users access specific client/server applications
  - Access C/S applications without provisioning a full Layer 3 tunnel
  - Eliminates the costs, complexity, and security risks associated with VPNs
  - No incremental software/hardware or customization of existing apps
- WSAM: secure traffic to specific client/server applications
  - Supports Windows Mobile/PPC, in addition to full Windows platforms
  - Granular access and auditing/logging capabilities
  - Installer Service available for machines with constrained user privileges
- JSAM: supports static TCP port client/server applications
  - Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
  - Drive mapping through NetBIOS support
  - Installs without advanced user privileges

Slide 6: Access Methods (Application & Resources) - Network Connect -
- Full Layer 3 access, similar to an IPSec VPN
- Adaptive, dual transport mode
  - Initially attempts to set up the high-performance IPSec transport
  - If blocked by the network, seamlessly fails over to SSL
- Cross-platform dynamic download (ActiveX or Java delivery)
- Range of launch options: browser launch, standalone EXE, scriptable launcher, MSFT GINA
- Client-side logging, auditing, and diagnostics
[Diagram: High Performance Transport Mode and High Availability Transport Mode, with an X marking the case where the high-performance transport is blocked and the session falls over to the other transport]

Slide 7: Seamless AAA Integration
- Full integration into the customer's AAA infrastructure: AD, LDAP, RADIUS, Certificate, OTP, etc.
- Password management integration
  - User self-service for password management
  - Reduced support costs, increased productivity
  - All standard LDAP, MSFT AD
- Single Sign-On: native capabilities
  - Leveraged across all web apps for a seamless user experience
  - Forms, Header, SAML, Cookie, Basic Auth, NTLM
- SAML support: web single sign-on and integration with I&AM platforms
  - Standards-based Web SSO
  - Partnerships with leading AM vendors (CA, Oracle, RSA, etc.)

Slide 8: Access Privilege Management - 1 URL
The same person accesses from 3 different locations. The session passes through four stages:
1. Pre-Authentication: gathers information from user, network, and endpoint
2. Authentication & Authorization: authenticate the user, map the user to a role
3. Role Assignment: assign session properties for the user's role
4. Resource Policy: applications available to the user

Managed Laptop
- Pre-auth: Host Check: Pass (AV RTP on, definitions up to date); Machine Cert: Present; Device Type: Win XP
- Auth: Digital Certificate; Role Mapping: Managed
- Role: Access Method: Network Connect; File Access: Enabled; Timeout: 2 hours; Host Check: Recurring
- Resources: Outlook (full version), CRM Client/Server, Intranet, Corp File Servers, Sharepoint

Unmanaged (Home PC/Kiosk)
- Pre-auth: Host Check: Fail (no AV installed, no personal FW); Machine Cert: None; Device Type: Mac OS
- Auth: AD Username/Password; Role Mapping: Unmanaged
- Role: Access Method: Core, SVW Enabled; File Access: Disabled; Timeout: 30 mins; Host Check: Recurring
- Resources: Outlook Web Access (no file up/download), CRM Web (read-only), Intranet

Mobile Device
- Pre-auth: Host Check: N/A; Machine Cert: None; Device Type: Win Mobile 6.0
- Auth: Digital Certificate; Role Mapping: Mobile
- Role: Access Method: WSAM, Core; File Access: Enabled; Timeout: 30 mins
- Resources: Outlook Mobile, CRM Web, Intranet, Corp File Servers

Slide 9: One Device for Multiple Groups
Customize policies and user experience for diverse users, served from one device under customers.company.com, employees.company.com, and partners.company.com.

"Partner" Role
- Authentication: Username/Password
- Host Check: Enabled (any AV, PFW)
- Access: Core Clientless
- Applications: MRP, Quote Tool

"Customer" Role
- Authentication: Username/Password
- Host Check: Enabled (any AV, PFW)
- Access: Core Clientless
- Applications: Support Portal, Docs

"Employee" Role
- Authentication: OTP or Certificate
- Host Check: Enabled (any AV, PFW)
- Access: Core + Network Connect
- Applications: L3 access to apps

Slide 10: End-to-End Security

Slide 11: End-Point Security - Host Checker -
Host Checker:
- Checks devices before and during the session
- Ensures device compliance with corporate policy
- Remediates devices when needed
- Cross-platform support

[Diagram: endpoints of different kinds (airport kiosk, mobile user, home PC user, managed PC user) connecting through Host Checker, with a virus icon on the untrusted side. Three outcomes are shown:]
- No anti-virus installed, personal firewall enabled: user remediated (install anti-virus); once installed, the user is granted access
- AV real-time protection running, personal firewall enabled, virus definitions up to date: user granted full access
- No anti-virus installed, no personal firewall: user granted minimal access
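The posture-driven flow on slides 8 and 11 (pre-authentication facts, host check, role mapping, session properties, resource policy) can be written down as a small policy engine. The following is an added example and not Juniper's code or configuration: the role contents mirror the three columns on slide 8, while the data model, the rule order, the "remediate" branch from slide 11, the set of device types that skip the host check, and the constructed sample endpoints are assumptions of this example.

```python
# Added example (not Juniper code): posture-driven role mapping as sketched
# on slides 8 and 11. Role contents follow slide 8; the data model, rule
# order, remediation branch and sample endpoints are assumptions here.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Endpoint:
    """What pre-authentication learns about the user, device and network."""
    device_type: str
    machine_cert: bool           # machine certificate present?
    av_installed: bool
    av_realtime: bool            # anti-virus real-time protection running?
    av_definitions_current: bool
    personal_firewall: bool
    auth_method: str             # "certificate" or "password"


@dataclass(frozen=True)
class Role:
    """Session properties and resource policy attached to a role (slide 8)."""
    name: str
    access_methods: tuple
    file_access: bool
    timeout_minutes: int
    recurring_host_check: bool
    resources: tuple


ROLES = {
    "Managed": Role("Managed", ("Network Connect",), True, 120, True,
                    ("Outlook (full version)", "CRM Client/Server", "Intranet",
                     "Corp File Servers", "Sharepoint")),
    "Unmanaged": Role("Unmanaged", ("Core", "SVW"), False, 30, True,
                      ("Outlook Web Access (no file up/download)",
                       "CRM Web (read-only)", "Intranet")),
    "Mobile": Role("Mobile", ("WSAM", "Core"), True, 30, False,
                   ("Outlook Mobile", "CRM Web", "Intranet", "Corp File Servers")),
}

# Assumption: device types for which the host check is not applied (slide 8
# shows "Host Check: N/A" for the Windows Mobile device).
MOBILE_DEVICE_TYPES = {"Win Mobile 6.0"}


def host_check(ep: Endpoint) -> str:
    """Return 'pass', 'remediate', 'fail' or 'n/a' for the endpoint posture."""
    if ep.device_type in MOBILE_DEVICE_TYPES:
        return "n/a"
    if (ep.av_installed and ep.av_realtime
            and ep.av_definitions_current and ep.personal_firewall):
        return "pass"
    # Slide 11: firewall enabled but no anti-virus -> send the user to
    # remediation and re-check once anti-virus is installed.
    if not ep.av_installed and ep.personal_firewall:
        return "remediate"
    return "fail"


def map_role(ep: Endpoint, hc: str) -> str:
    """Map authentication method plus posture to a role. Any combination not
    explicitly matched falls through to the least-privileged role."""
    if hc == "pass" and ep.machine_cert and ep.auth_method == "certificate":
        return "Managed"
    if hc == "n/a" and ep.auth_method == "certificate":
        return "Mobile"
    return "Unmanaged"


def evaluate(ep: Endpoint) -> dict:
    """Pre-auth -> authn/authz -> role assignment -> resource policy."""
    hc = host_check(ep)
    if hc == "remediate":
        return {"host_check": hc, "role": None, "access": "pending remediation",
                "remediation": "install anti-virus, then re-run host check"}
    role = ROLES[map_role(ep, hc)]
    return {"host_check": hc, "role": role.name, "access": "granted",
            "access_methods": role.access_methods,
            "file_access": role.file_access,
            "timeout_minutes": role.timeout_minutes,
            "recurring_host_check": role.recurring_host_check,
            "resources": role.resources}


def remediated(ep: Endpoint) -> Endpoint:
    """Posture after the user installs anti-virus as instructed (slide 11)."""
    return replace(ep, av_installed=True, av_realtime=True,
                   av_definitions_current=True)


# Constructed sample endpoints: the three columns of slide 8 plus a home PC
# with a firewall but no anti-virus (the remediation case on slide 11).
MANAGED_LAPTOP = Endpoint("Win XP", True, True, True, True, True, "certificate")
HOME_PC = Endpoint("Mac OS", False, False, False, False, False, "password")
MOBILE_DEVICE = Endpoint("Win Mobile 6.0", False, False, False, False, False,
                         "certificate")
HOME_PC_FW_ONLY = Endpoint("Win XP", False, False, False, False, True, "password")

if __name__ == "__main__":
    for label, ep in [("managed laptop", MANAGED_LAPTOP), ("home PC", HOME_PC),
                      ("mobile device", MOBILE_DEVICE),
                      ("home PC, firewall only", HOME_PC_FW_ONLY),
                      ("home PC after remediation", remediated(HOME_PC_FW_ONLY))]:
        print(f"{label}: {evaluate(ep)}")
```

The design point worth noticing is the fall-through in map_role: a certificate-authenticated corporate laptop whose definitions are out of date does not keep the Managed role, it drops to Unmanaged, so a posture failure reduces privilege instead of being ignored. The recurring host check on slide 8 is what lets that re-evaluation happen during the session rather than only at login.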

Slide 12: Endpoint Security - Secure Virtual Workspace -
- Limited/blocked I/O access
- Session data encrypted on-the-fly (AES)
- End of session: secure delete OR persistent session (encrypted)
- Clipboard operations blocked (virtual to real)
- Host Checker (Java/ActiveX) delivery
- Win 2k/XP systems (user privileges)
- Admin-specified application access
- DoD cleaning/sanitizing standard compliant
- Password-protected persistent sessions
- Controlled I/O access
- Configurable look and feel
[Diagram: Real Desktop beside the SVW, with the file system split into Real and Virtual]

Slide 13: System Security
- "Security First" approach to development
  - Hardened OS based on a Linux variant
  - Protection against many known attacks
  - AES-encrypted hard disk on every appliance
- In-transit data protection
  - Data trapping
  - URL obfuscation
- Numerous 3rd-party security audits
- Juniper Security Incident Response Team (SIRT) to quickly investigate any potential vulnerabilities

Slide 14: Typical Threat Control Challenges
[Diagram: Partner and Employee users reaching the LAN across the Internet, with tunneled traffic and intermediated traffic shown separately]
- No user identity information
  - No way to identify the user with intermediated traffic
  - Time-consuming to identify the user with tunneled traffic
  - Identifying the user is critical to mitigating the impact of security threats
- No identity-based coordinated threat response
  - No ability to respond to the source of a threat because the user is unknown
  - No ability to automatically coordinate responses in both the IPS and the SSL VPN

Slide 15: Juniper's Coordinated Threat Control
[Diagram: Partner and Employee users reaching the LAN, with the sequence:]
1. IDP detects the threat and stops the traffic
2. Signaling protocol notifies the SSL VPN of the attack
3. SA identifies the user and takes action on the user session

- Correlated threat information
  - Identity
  - Endpoint
  - Access history
  - Detailed traffic and threat information
- Coordinated identity-based threat response
  - Manual or automatic response
  - Response options: terminate session, disable user account, quarantine user
  - Supplements IDP threat prevention
- Comprehensive threat detection and prevention
  - Ability to detect and prevent malicious traffic
  - Full layer 2-7 visibility into all traffic
  - True end-to-end security

Slide 16: Secure Access 2500
- Targeted at small to mid-sized businesses
- Up to 100 concurrent users
- Industry-leading SSL VPN feature set, including:
  - Comprehensive end-point security checks on devices
  - Dynamic, granular access control to resources based on each user's role
  - Support for a wide array of mobile devices and platforms

Slide 17: Secure Access 4500
- Targeted at mid to large-sized businesses
- Up to 1000 concurrent users
- Industry-leading SSL VPN feature set, including:
  - Comprehensive end-point security checks on devices
  - Dynamic, granular access control to resources based on each user's role
  - Support for a wide array of mobile devices and platforms
- Optional hardware-based SSL acceleration module

Slide 18: Secure Access 6500
- Targeted at large enterprises and service providers
- Up to 10,000 concurrent users on a single unit
- Up to 30,000 concurrent users on a four-unit cluster
- Includes the optional components previously found on the SA 6000 SP (memory upgrade, hot-swappable fans and drives)
- Dual, mirrored, hot-swappable SATA hard drives
- Dual, hot-swappable fans

Slide 19: Juniper SSL VPN Product Family
Functionality and scalability to meet customer needs (breadth of functionality vs. enterprise size).

Secure Access 700
- Designed for: SMEs; secure remote access
- Includes: Network Connect
- Options/upgrades: 10-25 concurrent users; Core Clientless Access

Secure Access 2500
- Designed for: medium enterprise; secure remote, intranet, and extranet access
- Includes: Core Clientless Access; SAM; NC; Advanced with Central Manager
- Options/upgrades: 25-100 concurrent users; Secure Meeting; Cluster Pairs

Secure Access 4500
- Designed for: medium to large enterprise; secure remote, intranet, and extranet access
- Includes: Core Clientless Access; SAM; NC; Advanced with Central Manager
- Options/upgrades: 50-1000 concurrent users; Secure Meeting; Instant Virtual System; SSL Acceleration; Cluster Pairs

Secure Access 6500
- Designed for: large enterprises and SPs; secure remote, intranet, and extranet access
- Includes: Core Clientless Access; SAM; NC; Advanced with Central Manager; SSL acceleration; hot-swap drives and fans
- Options/upgrades: up to 30,000 concurrent users; Secure Meeting; Instant Virtual System; 4-port SFP card; 2nd power supply or DC power supply; Multi-Unit Clusters

Slide 20: System Management
- Granular role-based administration
  - Leverages the same AAA framework used for user sessions
  - Assign tasks to the appropriate groups (helpdesk, security, operations, etc.)
- Central Manager
  - Manage/maintain all clustered devices from a single console
- Config import/export
  - Make offline config changes and import them
  - Configuration backup/archiving
- Push configuration
  - Push full or partial configurations to other devices
- Granular logging and log filtering
  - Analysis, compliance, and auditing requirements
- Advanced troubleshooting tools for quick issue resolution
  - Policy trace, session recording, system snapshot, etc.

Slide 21: Clustering/High Availability
- Native clustering
  - SA2500, SA4500: cluster pairs
  - SA6500: multi-unit clusters
- Stateful system peering
  - System state and configuration settings
  - User profile and personalized configuration
  - User session synchronization (users do not have to log in again in a failover scenario)
- Active/Passive configuration for seamless failover
- Active/Active configuration for increased throughput and failover
- Enterprise and service provider value
  - Ensured reliability of critical access infrastructure
  - Seamless failover, no loss of productivity
  - Expansive user scalability via replication
  - Management efficiency via a central administration interface

Slide 22: Questions?
