7/23/2019 SSL-VPN.ppt
http://slidepdf.com/reader/full/ssl-vpnppt 1/23
Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Securing Remote Access using SSL-VPN
Niklas Henriksson, Systems Engineer
nhenriksson@juniper.net
Provision by Purpose: Three Different Access Methods to Control Users' Access to Resources
Dynamic Access Control based on User, Device, Network, etc.

Network Connect
- IPSec-like experience with full network layer tunnel
- Supports all client applications & resource intensive applications like VoIP & streaming media
- Recommended for remote and mobile employees only, as full network access is granted

Secure Application Manager (SAM)
- Access to client/server applications such as Windows & Java applications
- One click access to applications such as Citrix, Microsoft Outlook and Lotus Notes
- Ideal for remote & mobile employees and partners if they have application software loaded on their PCs

Core Access
- Access to Web-based applications, file shares, Telnet/SSH hosted apps and Outlook Web Access
- Granular access control all the way up to the URL or file level
- Ideal for most users to access from any device on any network (corporate laptop, home PC, customer or partner PC, kiosk, PDA, etc.)

LAN-like L3 access to client/server and web apps with Network Connect
Granular web application access control with the Core Access method
Granular client/server application access control with Secure Application Manager
Access Methods (Application Resources) - Core Access -
Full cross platform/browser support

Secure Web Application Access
- Support for widest range of web-based content and applications
- Sharepoint, OWA, iNotes, PDF, Flash, Java applets, HTML, Javascript, DHTML, VBScript, XML etc.
- Host & deliver any Java applet

Secure File Share Access
- Web front-end for Windows and Unix files (CIFS/NFS)

Integrated E-mail Client

Secure Terminal Access
- Access to Telnet/SSH (VT100, VT320)
- Anywhere access with no terminal emulation client
Access Methods (Application Resources) - Terminal Services -
Seamlessly and securely access any Citrix or Windows Terminal Services deployment
- Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, Hosted Java Applet
- Replacement for Web Interface/Nfuse

Native TS Support
- Granular use control
- Secure client delivery
- Integrated Single Sign-on
- Java RDP/ICA fallback
- WTS: Session Directory
- Citrix: auto-client reconnect/session reliability
- Many additional reliability, usability and access control options
Access Methods (Application Resources) - Secure Application Manager -
Full cross platform support: Windows & Java versions
Granular control: users access specific client/server applications
- Access C/S applications without provisioning a full Layer 3 tunnel
- Eliminates costs, complexity and security risks associated with VPNs
- No incremental software/hardware or customization to existing apps

WSAM: secure traffic to specific client/server applications
- Supports Windows Mobile/PPC in addition to full Windows platforms
- Granular access and auditing/logging capabilities
- Installer Service available for constrained user privilege machines

JSAM: supports static TCP port client/server applications
- Enhanced support for MSFT MAPI, Lotus Notes, Citrix Nfuse
- Drive mapping through NetBIOS support
- Install without advanced user privileges
Access Methods (Application Resources) - Network Connect -
- Full Layer 3 access, similar to IPSec VPN
- Adaptive, Dual Transport Mode
  - Initially attempts to set up the high performance, IPSec transport
  - If blocked by the network, seamlessly fails over to SSL
- Cross platform dynamic download (ActiveX or Java delivery)
- Range of options: browser launch, standalone EXE, scriptable launcher, MSFT GINA
- Client-side logging, auditing and diagnostics

[Figure: Network Connect transport modes, labelled "High Performance Transport Mode" and "High Availability Transport Mode"]
Seamless AAA Integration
Full integration into customer AAA infrastructure
- AD, LDAP, RADIUS, Certificate, OTP etc.

Password Management Integration
- User self service for password management
- Reduced support costs, increased productivity
- All standard LDAP, MSFT AD

Single Sign-On: Native Capabilities
- Leveraged across all web apps, seamless user experience
- Forms, Header, SAML, Cookie, Basic Auth, NTLM

SAML Support: Web single sign-on, integration with IAM platforms
- Standards-based Web SSO
- Partnerships with leading IAM vendors (CA, Oracle, RSA etc.)
Access Privilege Management: 1 URL, same person accessing from 3 different locations

Pre-Authentication: gathers information from user, network, endpoint
Authentication / Authorization: authenticate user, map user to role
Role Assignment: assign session properties for user role
Resource Policy: applications available to user

Managed Laptop
- Host Check: Pass (AV RTP on, definitions up to date)
- Machine Cert: Present
- Device Type: Win XP
- Auth: Digital Certificate
- Role Mapping: Managed
- Access Method: Network Connect; File Access: Enabled; Timeout: 2 hours; Host Check: Recurring
- Applications: Outlook (full version), CRM Client/Server, Intranet, Corp File Servers, Sharepoint

Unmanaged (Home PC/Kiosk)
- Host Check: Fail (no AV installed, no personal FW)
- Machine Cert: None
- Device Type: Mac OS
- Auth: AD Username/Password
- Role Mapping: Unmanaged
- Access Method: Core; SVW Enabled; File Access: Disabled; Timeout: 30 mins; Host Check: Recurring
- Applications: Outlook Web Access (no file up/download), CRM Web (read-only), Intranet

Mobile Device
- Host Check: N/A
- Machine Cert: None
- Device Type: Win Mobile 6.0
- Auth: Digital Certificate
- Role Mapping: Mobile
- Access Method: WSAM, Core; File Access: Enabled; Timeout: 30 mins
- Applications: Outlook Mobile, CRM Web, Intranet, Corp File Servers
One Device for Multiple Groups: customize policies and user experience for diverse users
Sign-in URLs: customers.company.com, employees.company.com, partners.company.com

Partner Role
- Authentication: Username/Password
- Host Check: Enabled (any AV, PFW)
- Access: Core Clientless
- Applications: MRP, Quote Tool

Customer Role
- Authentication: Username/Password
- Host Check: Enabled (any AV, PFW)
- Access: Core Clientless
- Applications: Support Portal, Docs

Employee Role
- Authentication: OTP or Certificate
- Host Check: Enabled (any AV, PFW)
- Access: Core & Network Connect
- Applications: L3 access to apps
End-to-End Security
End-Point Security: Host Checker
Host Checker
- Check devices before & during session
- Ensure device compliance with corporate policy
- Remediate devices when needed
- Cross platform support

Mobile User, Home PC
- No anti-virus installed
- Personal firewall enabled
- User remediated: installs anti-virus
- Once installed, user granted access

Managed PC
- AV real-time protection running
- Personal firewall enabled
- Virus definitions up to date
- User granted full access

Airport Kiosk
- No anti-virus installed
- No personal firewall
- User granted minimal access
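The Host Checker outcomes above and the three-location role-mapping table on the Access Privilege Management slide describe one pipeline: endpoint posture, host check verdict, role, session properties, resource policy. The following is an added example, not Juniper code, that models that pipeline; the Endpoint fields, verdict rules and the hypothetical authorize() helper are constructed from the slides' scenarios, and the role tables are taken from the slide.

```python
# Added example, not Juniper code: endpoint posture -> Host Checker verdict ->
# role mapping -> session properties and resource policy, modelled on the deck's
# three scenarios (managed laptop, home PC/kiosk, mobile device). Rules are constructed.
from dataclasses import dataclass

@dataclass
class Endpoint:
    av_installed: bool
    av_realtime: bool      # AV real-time protection running
    defs_current: bool     # virus definitions up to date
    firewall_on: bool      # personal firewall enabled
    machine_cert: bool     # machine certificate present
    device_type: str       # e.g. "Win XP", "Mac OS", "Win Mobile 6.0"

def host_check(ep: Endpoint) -> str:
    """Host Checker verdict: 'pass', 'remediate', 'fail', or 'n/a' (mobile)."""
    if ep.device_type.startswith("Win Mobile"):
        return "n/a"                       # slide: Host Check N/A on mobile devices
    if ep.av_installed and ep.av_realtime and ep.defs_current and ep.firewall_on:
        return "pass"                      # managed-PC scenario: full access
    if ep.firewall_on and not ep.av_installed:
        return "remediate"                 # home-PC scenario: install AV, then admit
    return "fail"                          # kiosk scenario: minimal access only

def map_role(auth_method: str, ep: Endpoint, verdict: str) -> str:
    """Map user to a role from authentication method plus endpoint posture."""
    if verdict == "n/a" and auth_method == "certificate":
        return "Mobile"
    if verdict == "pass" and ep.machine_cert and auth_method == "certificate":
        return "Managed"
    return "Unmanaged"                     # least privilege when posture is weak

# Session properties and resource policy per role, as listed on the slide.
SESSION = {
    "Managed":   {"access": ["Network Connect"], "file_access": True,  "timeout_min": 120, "svw": False},
    "Unmanaged": {"access": ["Core"],            "file_access": False, "timeout_min": 30,  "svw": True},
    "Mobile":    {"access": ["WSAM", "Core"],    "file_access": True,  "timeout_min": 30,  "svw": False},
}
APPS = {
    "Managed":   ["Outlook", "CRM Client/Server", "Intranet", "Corp File Servers", "Sharepoint"],
    "Unmanaged": ["Outlook Web Access", "CRM Web (read-only)", "Intranet"],
    "Mobile":    ["Outlook Mobile", "CRM Web", "Intranet", "Corp File Servers"],
}

def authorize(auth_method: str, ep: Endpoint) -> dict:
    # Full pipeline: verdict, role, session properties and the apps the role may reach.
    verdict = host_check(ep)
    role = map_role(auth_method, ep, verdict)
    return {"host_check": verdict, "role": role, **SESSION[role], "apps": list(APPS[role])}
```

Note that a failed host check does not deny the session outright: as on the slide, the user lands in the Unmanaged role with the Secure Virtual Workspace and file access disabled.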
Endpoint Security: Secure Virtual Workspace
- Host Checker (Java/ActiveX) delivery
- Win 2k/XP systems (user privileges)
- Admin-specified application access
- DoD cleaning/sanitizing standard compliant
- Password-protected persistent sessions
- Controlled I/O access
- Configurable look/feel

[Figure: Real Desktop vs. SVW: Limited/Locked I/O Access; Session Data Encrypted on-the-fly (AES); End of Session: Secure Delete or Persistent Session (Encrypted); Clipboard Operations Locked (Virtual to Real); File System: Real / Virtual]
System Security
Security First approach to development
- Hardened OS based on a Linux variant
- Protection against many known attacks
- AES encrypted hard disk on every appliance
In-Transit Data Protection
- Data trapping
- URL obfuscation
Numerous 3rd party security audits
Juniper Security Incident Response Team (SIRT) to quickly investigate any potential vulnerabilities
Typical Threat Control Challenges
[Figure: LAN with Partner and Employee users; tunneled traffic and intermediated traffic arriving over the Internet]
No User Identity Information
- No way to identify the user with intermediated traffic
- Time-consuming to identify the user with tunneled traffic
- Identifying the user is critical to mitigating the impact of security threats
No Identity-Based Coordinated Threat Response
- No ability to respond to the source of a threat because it is not known who the user is
- No ability to automatically coordinate responses in both IPS and SSL VPN
Juniper's Coordinated Threat Control
[Figure: LAN with Partner and Employee users: 1 - IDP detects threat and stops traffic; 2 - Signaling protocol to notify SSL VPN of attack; 3 - SA identifies user & takes action on user session]
Correlated Threat Information
- Identity
- Endpoint
- Access history
- Detailed traffic & threat information
Coordinated Identity-Based Threat Response
- Manual or automatic response
- Response options: terminate session, disable user account, quarantine user
- Supplements IDP threat prevention
Comprehensive Threat Detection and Prevention
- Ability to detect and prevent malicious traffic
- Full layer 2-7 visibility into all traffic
- True end-to-end security
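The three-step flow above (IDP detects, signal to the SSL VPN, SA maps the event to a user session and responds with one of the listed options) as an added example, not Juniper code or its signaling protocol. The session table, event shape, severity thresholds and the hypothetical SecureAccess class are constructed for illustration.

```python
# Added example, not Juniper code: (1) IDP detects and blocks, (2) a signal carries
# the event to the SSL VPN, (3) the SA correlates the source address with a live
# session, identifies the user and applies an identity-based response. All constructed.
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    role: str
    tunnel_ip: str             # address the SA assigned to this user's tunnel
    active: bool = True

@dataclass
class ThreatEvent:             # constructed shape of what the IDP signals
    src_ip: str
    signature: str
    severity: int              # 1 (informational) .. 5 (critical)

class SecureAccess:
    """Identity-based response: IP seen by the IDP -> session -> user -> action."""
    def __init__(self, sessions, auto_respond=True):
        self.by_ip = {s.tunnel_ip: s for s in sessions}
        self.disabled = set()          # accounts disabled
        self.quarantined = set()       # users moved to a restricted role
        self.auto_respond = auto_respond
        self.audit = []                # (user, signature, action): access history
    def identify(self, src_ip: str):
        return self.by_ip.get(src_ip)  # step 3: correlate event with a live session
    def respond(self, ev: ThreatEvent) -> str:
        s = self.identify(ev.src_ip)
        if s is None or not s.active:
            return "no-session"        # not one of our tunnels: nothing to act on
        if not self.auto_respond:
            action = "manual-review"   # slide: manual or automatic response
        elif ev.severity >= 5:         # critical: end session and disable the account
            s.active = False
            self.disabled.add(s.user)
            action = "disable-account"
        elif ev.severity >= 3:         # serious: drop the session only
            s.active = False
            action = "terminate-session"
        else:                          # low: keep the user on but restrict them
            self.quarantined.add(s.user)
            s.role = "Quarantine"
            action = "quarantine"
        self.audit.append((s.user, ev.signature, action))
        return action
```

The audit list is what the slide calls access history: every response is tied to a user name rather than only to an address, which is the gap the "Typical Threat Control Challenges" slide describes.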
Secure Access 2500
Targeted to small to mid-sized businesses
Up to 100 concurrent user scalability
Industry leading SSL VPN feature set such as:
- Comprehensive end-point security checks on devices
- Dynamic granular access control to resources based on each user's role
- Support for a wide array of mobile devices & cross platforms
Secure Access 4500
Targeted to mid to large-sized businesses
Up to 1000 concurrent user scalability
Industry leading SSL VPN feature set such as:
- Comprehensive end-point security checks on devices
- Dynamic granular access control to resources based on each user's role
- Support for a wide array of mobile devices & cross platforms
Optional hardware-based SSL acceleration module
Secure Access 6500
Targeted to large enterprises and service providers
Up to 10,000 concurrent user scalability on a single unit
Up to 30,000 concurrent user cluster scalability on a four-unit cluster
Includes the optional components previously found on SA 6000 SP (memory upgrade, hot swappable fans and drives)
Dual, mirrored hot swappable SATA hard drives
Dual, hot swappable fans
Juniper SSL VPN Product Family: Functionality and Scalability to Meet Customer Needs
[Figure: product family positioned by Enterprise Size (x-axis) against Breadth of Functionality (y-axis)]

Secure Access 700
- Designed for: SMEs; secure remote access
- Includes: Network Connect
- Options/upgrades: 10-25 conc. users; Core Clientless Access

Secure Access 2500
- Designed for: medium enterprise; secure remote intranet and extranet access
- Includes: Core Clientless Access; SAM, NC; Advanced with Central Manager
- Options/upgrades: 25-100 conc. users; Secure Meeting; Cluster Pairs

Secure Access 4500
- Designed for: medium to large enterprise; secure remote intranet and extranet access
- Includes: Core Clientless Access; SAM, NC; Advanced with Central Manager
- Options/upgrades: 50-1000 conc. users; Secure Meeting; Instant Virtual System; SSL Acceleration; Cluster Pairs

Secure Access 6500
- Designed for: large enterprises & SPs; secure remote intranet and extranet access
- Includes: Core Clientless Access; SAM, NC; Advanced with Central Manager; SSL acceleration; hot swap drives, fans
- Options/upgrades: up to 30000 conc. users; Secure Meeting; Instant Virtual System; 4-port SFP card; 2nd power supply or DC power supply; Multi-Unit Clusters
System Management
Granular role-based administration
- Leverages the leading framework used for user sessions
- Assign tasks to appropriate groups (helpdesk, security operations, etc.)
Central Manager
- Manage/maintain all clustered devices from a single console
Config Import/Export
- Make offline config changes and import
- Configuration backup/archiving
Push Configuration
- Push full or partial configurations to other devices
Granular logging and log filtering
- Analysis, compliance and auditing requirements
Advanced troubleshooting tools for quick issue resolution
- Policy trace, session recording, system snapshot, etc.
Clustering/High Availability
Native Clustering
- SA2500, SA4500 Cluster Pairs
- SA6500 Multi-unit clusters
Stateful system peering
- System state and configuration settings
- User profile and personalized configuration
- User session synch (users don't have to log in again in a failover scenario)
Active/Passive configuration for seamless failover
Active/Active configuration for increased throughput and failover
Enterprise and Service Provider Value
- Ensured reliability of critical access infrastructure
- Seamless failover, no loss of productivity
- Expansive user scalability via replication
- Management efficiency via central administration interface
Questions?