ssl-vpn.ppt


Upload: van-lam

Post on 18-Feb-2018


TRANSCRIPT

Page 1: SSL-VPN.ppt

7/23/2019 SSL-VPN.ppt

http://slidepdf.com/reader/full/ssl-vpnppt 1/23

Copyright © 2007 / 2008 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Securing Remote Access using SSL-VPN

Niklas Henriksson, Systems Engineer

nhenriksson@juniper.net

Page 2: SSL-VPN.ppt


Provision by Purpose: Three Different Access Methods to Control Users' Access to Resources

Dynamic Access Control based on User, Device, Network, etc.

Network Connect (LAN-like L3 access to client/server and web apps)
- IPSec-like experience with full network layer tunnel
- Supports all client applications & resource intensive applications like VoIP & streaming media
- Recommended for remote and mobile employees only, as full network access is granted

Secure Application Manager (SAM) (granular client/server application access control)
- Access to client/server applications such as Windows & Java applications
- One click access to applications such as Citrix, Microsoft Outlook and Lotus Notes
- Ideal for remote & mobile employees and partners if they have application software loaded on their PCs

Core Access (granular web application access control)
- Access to Web-based applications, file shares, Telnet/SSH, hosted apps and Outlook Web Access
- Granular access control all the way up to the URL or file level
- Ideal for most users to access from any device on any network (corporate laptop, home PC, customer or partner PC, kiosk, PDA, etc.)

Page 3: SSL-VPN.ppt


Access Methods (Application Resources) - Core Access -

Full cross platform/browser support

Secure Web Application Access
- Support for widest range of web-based content and applications: SharePoint, OWA, iNotes, PDF, Flash, Java applets, HTML, JavaScript, DHTML, VBScript, XML, etc.
- Host & deliver any Java applet

Secure File Share Access
- Web front-end for Windows and Unix files (CIFS/NFS)

Integrated Email Client

Secure Terminal Access
- Access to Telnet/SSH (VT100, VT320)
- Anywhere access with no terminal emulation client

Page 4: SSL-VPN.ppt


Access Methods (Application Resources) - Terminal Services -

Seamlessly and securely access any Citrix or Windows Terminal Services deployment
- Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, Hosted Java Applet
- Replacement for Web Interface/NFuse

Native TS Support
- Granular Use Control
- Secure Client delivery
- Integrated Single Sign-on
- Java RDP/ICA Fallback
- WTS: Session Directory
- Citrix: Auto-client reconnect/session reliability
- Many additional reliability, usability, access control options

Page 5: SSL-VPN.ppt


Access Methods (Application Resources) - Secure Application Manager -

Full cross platform support: Windows & Java versions

Granular control - users access specific client/server applications
- Access C/S applications without provisioning full Layer 3 tunnel
- Eliminates costs, complexity and security risks associated with network-layer VPNs
- No incremental software/hardware or customization to existing apps

WSAM - secure traffic to specific client/server applications
- Supports Windows Mobile/PPC in addition to full Windows platforms
- Granular access and auditing/logging capabilities
- Installer Service available for constrained user privilege machines

JSAM - supports static TCP port client/server applications
- Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
- Drive mapping through NetBIOS support
- Install without advanced user privileges

Page 6: SSL-VPN.ppt


Access Methods (Application Resources) - Network Connect -

- Full Layer 3 Access, similar to IPSec VPN
- Adaptive, Dual Transport Mode
  - Initially attempts to set up high performance, IPSec transport
  - If blocked by network, seamlessly fails over to SSL
- Cross Platform Dynamic Download (ActiveX or Java delivery)
- Range of options - browser launch, standalone EXE, scriptable launcher, MSFT GINA
- Client-side Logging, Auditing and Diagnostics

[Figure: transport selection, showing the High Performance Transport Mode (IPSec) and the fallback to the High Availability Transport Mode (SSL)]

Page 7: SSL-VPN.ppt


Seamless AAA Integration
- Full Integration into customer AAA infrastructure: AD, LDAP, RADIUS, Certificate, OTP, etc.

Password Management Integration
- User self service for password management
- Reduced support costs, increased productivity
- All standard LDAP, MSFT AD

Single Sign-On - Native Capabilities
- Leveraged across all web apps - seamless user experience
- Forms, Header, SAML, Cookie, Basic Auth, NTLM

SAML Support - Web single sign-on, integration with IAM platforms
- Standards-based Web SSO
- Partnerships with leading IAM Vendors (CA, Oracle, RSA, etc.)

Page 8: SSL-VPN.ppt


Access Privilege Management - 1 Example: Same person access from 3 different locations

Policy pipeline:
1. Pre-Authentication - Gathers information from user, network, endpoint
2. Authentication & Authorization - Authenticate user, map user to role
3. Role Assignment - Assign session properties for user role
4. Resource Policy - Applications available to user

Managed Laptop
- Pre-Authentication: Host Check: Pass (AV RTP On, Definitions up to date); Machine Cert: Present; Device Type: Win XP
- Authentication: Digital Certificate; Role Mapping: Managed
- Role Assignment: Access Method: Network Connect; File Access: Enabled; Timeout: 2 hours; Host Check: Recurring
- Resource Policy: Outlook (full version), CRM Client/Server, Intranet, Corp File Servers, Sharepoint

Unmanaged (Home PC/Kiosk)
- Pre-Authentication: Host Check: Fail (No AV Installed, No Personal FW); Machine Cert: None; Device Type: Mac OS
- Authentication: AD Username/Password; Role Mapping: Unmanaged
- Role Assignment: Access Method: Core; SVW Enabled; File Access: Disabled; Timeout: 30 mins; Host Check: Recurring
- Resource Policy: Outlook Web Access (no file up/download), CRM Web (read-only), Intranet

Mobile Device
- Pre-Authentication: Host Check: N/A; Machine Cert: None; Device Type: Win Mobile 6.0
- Authentication: Digital Certificate; Role Mapping: Mobile
- Role Assignment: Access Method: WSAM, Core; File Access: Enabled; Timeout: 30 mins
- Resource Policy: Outlook Mobile, CRM Web, Intranet, Corp File Servers

Page 9: SSL-VPN.ppt


One Device for Multiple Groups: Customize policies and user experience for diverse users

Sign-in URLs: customers.company.com, employees.company.com, partners.company.com
Roles: Partner Role, Employee Role, Customer Role

External role (Customer or Partner)
- Authentication: Username/Password
- Host Check: Enabled > Any AV, PFW
- Access: Core (clientless)
- Applications: MRP Quote Tool

External role (Customer or Partner)
- Authentication: Username/Password
- Host Check: Enabled > Any AV, PFW
- Access: Core (clientless)
- Applications: Support Portal, Docs

Employee Role
- Authentication: OTP or Certificate
- Host Check: Enabled > Any AV, PFW
- Access: Core & Network Connect
- Applications: L3 Access to Apps

Page 10: SSL-VPN.ppt


End-to-End Security

Page 11: SSL-VPN.ppt


End-Point Security - Host Checker -

[Figure: endpoints reaching the appliance from an Airport Kiosk, a Mobile User's Home PC and a Managed PC, with a virus shown at the edge]

Host Checker
- Check devices before & during session
- Ensure device compliance with corporate policy
- Remediate devices when needed
- Cross platform support

Example outcomes:
- No Anti-Virus installed, Personal Firewall enabled: user remediated (install anti-virus); once installed, user granted access
- AV Real-Time Protection running, Personal Firewall enabled, Virus Definitions up to date: user granted full access
- No anti-virus installed, no personal firewall: user granted minimal access
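The pipeline on the Access Privilege Management slide (posture, authentication, role mapping, session properties, resource policy), the per-hostname sign-in split on the "One Device for Multiple Groups" slide, and the Host Checker's recurring in-session check above, as one added example in Python. This is not Juniper code: the Endpoint fields, the REALMS mapping of sign-in hostnames to authentication methods, and the order of the role-mapping rules are assumptions; the role properties and resource lists are the values from the three-location example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """Posture as gathered at pre-authentication; every field is constructed for this example."""
    device_type: str
    machine_cert: bool
    av_installed: bool
    av_realtime: bool
    av_defs_current: bool
    personal_fw: bool
    mobile: bool = False


# Sign-in hostname -> authentication methods that realm offers. Assumed mapping,
# modelled on the customers/employees/partners sign-in URLs on the earlier slide.
REALMS = {
    "employees.company.com": {"certificate", "password"},
    "partners.company.com": {"password"},
    "customers.company.com": {"password"},
}

# Role -> session properties and resource policy, values taken from the
# three-location example on the Access Privilege Management slide.
ROLES = {
    "Managed": dict(access=("Network Connect",), file_access=True, timeout_min=120,
                    recurring_hc=True, resources={"Outlook (full)", "CRM client/server",
                                                  "Intranet", "Corp file servers", "Sharepoint"}),
    "Unmanaged": dict(access=("Core",), svw=True, file_access=False, timeout_min=30,
                      recurring_hc=True, resources={"Outlook Web Access (no file up/download)",
                                                    "CRM Web (read-only)", "Intranet"}),
    "Mobile": dict(access=("WSAM", "Core"), file_access=True, timeout_min=30,
                   recurring_hc=False, resources={"Outlook Mobile", "CRM Web",
                                                  "Intranet", "Corp file servers"}),
}


def host_check(ep: Endpoint) -> str:
    """Pre-authentication posture check: 'pass', 'fail', or 'n/a' for mobile
    devices, which the slide leaves unchecked."""
    if ep.mobile:
        return "n/a"
    ok = ep.av_installed and ep.av_realtime and ep.av_defs_current and ep.personal_fw
    return "pass" if ok else "fail"


def map_role(auth_method: str, ep: Endpoint, hc: str):
    """Role mapping, first matching rule wins (rule order is an assumption).
    The Managed rule needs a user certificate AND a machine certificate AND a
    passing host check, so a user certificate copied to an unmanaged box maps
    to no role at all rather than to Managed."""
    if ep.mobile and auth_method == "certificate":
        return "Mobile"
    if auth_method == "certificate" and ep.machine_cert and hc == "pass":
        return "Managed"
    if auth_method == "password":
        return "Unmanaged"
    return None


def authorize(sign_in_host: str, auth_method: str, ep: Endpoint) -> dict:
    """Full pipeline for a new sign-in: realm check, posture, role, properties."""
    if auth_method not in REALMS.get(sign_in_host, set()):
        return {"decision": "deny", "reason": "auth method not offered on this sign-in URL"}
    hc = host_check(ep)
    role = map_role(auth_method, ep, hc)
    if role is None:
        return {"decision": "deny", "reason": "no role matched", "host_check": hc}
    return {"decision": "allow", "role": role, "host_check": hc, **ROLES[role]}


def recheck(session: dict, auth_method: str, ep: Endpoint) -> dict:
    """Recurring Host Checker run during an established session: re-map the
    role against the current posture. Same role: session continues; a
    different role: session properties change; no role: session terminated."""
    if session.get("decision") != "allow" or not session.get("recurring_hc"):
        return session
    hc = host_check(ep)
    role = map_role(auth_method, ep, hc)
    if role is None:
        return {"decision": "terminate", "reason": "posture no longer matches any role",
                "host_check": hc}
    if role == session["role"]:
        return {**session, "host_check": hc}
    return {"decision": "allow", "role": role, "host_check": hc, "reevaluated": True, **ROLES[role]}
```

The check worth noticing is in map_role: because the Managed rule requires the machine certificate and a passing host check as well as the user certificate, a user certificate alone on a kiosk falls through to deny rather than inheriting Network Connect access, and the stricter role is matched before the looser one so a managed laptop is never mapped to Unmanaged by accident. The Mobile role has no recurring check on the slide, so recheck leaves it untouched.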

Page 12: SSL-VPN.ppt


Endpoint Security - Secure Virtual Workspace -

[Figure: Real Desktop beside the SVW, with real and virtual file systems; limited/locked I/O access; session data encrypted on-the-fly (AES); clipboard operations locked between virtual and real; end of session: secure delete or persistent session (encrypted)]

- Host Checker (Java/ActiveX) delivery
- Win 2k/XP Systems (user privileges)
- Admin-specified application access
- DoD Cleaning/Sanitizing standard compliant
- Password-protected persistent sessions
- Controlled I/O Access
- Configurable look/feel

Page 13: SSL-VPN.ppt


System Security

Security First approach to development
- Hardened OS based on Linux variant
- Protection against many known attacks
- AES encrypted hard disk on every appliance

In-Transit Data Protection
- Data trapping
- URL obfuscation

Numerous 3rd party security audits

Juniper Security Incident Response Team (SIRT) to quickly investigate any potential vulnerabilities

Page 14: SSL-VPN.ppt


Typical Threat Control Challenges

[Figure: Partner and Employee on the Internet reaching the LAN through the SSL VPN, with tunneled traffic and intermediated traffic shown separately]

No User Identity Information
- No way to identify user with intermediated traffic
- Time-consuming to identify user with tunneled traffic
- Identifying user is critical to mitigating impact of security threats

No Identity-Based Coordinated Threat Response
- No ability to respond to source of threat because you don't know who the user is
- No ability to automatically coordinate responses in both IPS and SSL VPN

Page 15: SSL-VPN.ppt


Juniper's Coordinated Threat Control

[Figure: Partner and Employee reaching the LAN through the SA and the IDP]
1 - IDP detects threat and stops traffic
2 - Signaling protocol to notify SSL VPN of attack
3 - SA identifies user & takes action on user session

Correlated Threat Information
- Identity
- Endpoint
- Access history
- Detailed traffic & threat information

Coordinated Identity-Based Threat Response
- Manual or automatic response
- Response options: Terminate session, Disable user account, Quarantine user
- Supplements IDP threat prevention

Comprehensive Threat Detection and Prevention
- Ability to detect and prevent malicious traffic
- Full layer 2-7 visibility into all traffic
- True end-to-end security
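Step 3 above, the SA turning an IDP alert into an action on a user rather than on an address, as an added example in Python. This is not Juniper code and does not implement the signaling protocol itself: the Session fields, the appliance address APPLIANCE_IP, the per-connection log used for intermediated traffic, the alert fields and the severity-to-response policy (including the escalation to "disable" for repeat offenders) are all constructed for the example. It also models the gap from the "Typical Threat Control Challenges" slide: tunneled traffic carries a per-user tunnel address, while intermediated Core/SAM traffic leaves from the appliance's own address and is only attributable with the appliance's help.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """One SSL VPN session as the SA sees it (constructed data)."""
    session_id: str
    user: str
    role: str
    tunnel_ip: Optional[str]   # address assigned inside a Network Connect tunnel; None for Core/SAM
    state: str = "active"


APPLIANCE_IP = "10.1.0.5"      # the appliance's LAN-side address (assumed)


class SessionTable:
    """What the SA knows and the IDP does not: who is behind each address."""

    def __init__(self, sessions, conn_log):
        self.sessions = {s.session_id: s for s in sessions}
        # Tunneled traffic reaches the LAN with the tunnel address, so a direct lookup works.
        self.by_tunnel_ip = {s.tunnel_ip: s for s in sessions if s.tunnel_ip}
        # Intermediated (Core/SAM) traffic leaves from the appliance's own address;
        # only the appliance's connection log (source port -> session id) can name the user.
        self.conn_log = dict(conn_log)

    def attribute(self, alert):
        """Map an alert's (src_ip, src_port) to an active session, or None."""
        s = self.by_tunnel_ip.get(alert["src_ip"])
        if s is None and alert["src_ip"] == APPLIANCE_IP:
            s = self.sessions.get(self.conn_log.get(alert["src_port"]))
        return s if s is not None and s.state == "active" else None


# Severity -> response. Assumed policy built from the response options on the slide.
RESPONSE_POLICY = {"high": "terminate", "medium": "quarantine", "low": "notify"}


class CoordinatedResponder:
    """Receives IDP alerts (step 2 on the slide) and acts on the user session (step 3)."""

    def __init__(self, table, automatic=True, repeat_threshold=2):
        self.table = table
        self.automatic = automatic            # False = queue actions for an operator
        self.repeat_threshold = repeat_threshold
        self.strikes = {}                     # user -> attributed alerts so far
        self.disabled_users = set()
        self.log = []

    def handle(self, alert):
        s = self.table.attribute(alert)
        if s is None:
            # The IDP saw an address the SA cannot name: log it for manual triage.
            self.log.append(("unattributed", alert["src_ip"], alert["signature"]))
            return ("unattributed", None)
        action = RESPONSE_POLICY.get(alert["severity"], "notify")
        self.strikes[s.user] = self.strikes.get(s.user, 0) + 1
        if action != "notify" and self.strikes[s.user] >= self.repeat_threshold:
            action = "disable"                # repeat offender: escalate to the account (assumed)
        if not self.automatic and action != "notify":
            self.log.append(("pending", s.user, action))
            return ("pending", s.user)
        self._apply(s, action)
        self.log.append((action, s.user, alert["signature"]))
        return (action, s.user)

    def _apply(self, s, action):
        if action == "quarantine":
            s.role = "Quarantine"             # restricted role: remediation resources only
        elif action == "terminate":
            s.state = "terminated"
        elif action == "disable":
            s.state = "terminated"
            self.disabled_users.add(s.user)   # no new sign-in until an admin re-enables
```

Two details matter in practice. Attribution only returns active sessions, so a stale alert for a tunnel address that has since been handed to another user cannot hit the wrong person (the real appliance would also key on session start time, which the example omits). And with automatic=False the responder records the intended action but changes nothing, which is the "manual response" option on the slide.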

Page 16: SSL-VPN.ppt


Secure Access 2500
- Targeted to small to mid-sized businesses
- Up to 100 concurrent user scalability
- Industry leading SSL VPN feature set such as:
  - Comprehensive end-point security checks on devices
  - Dynamic granular access control to resources based on each user's role
  - Support for wide array of mobile devices & cross platforms

Page 17: SSL-VPN.ppt


Secure Access 4500
- Targeted to mid to large-sized businesses
- Up to 1000 concurrent user scalability
- Industry leading SSL VPN feature set such as:
  - Comprehensive end-point security checks on devices
  - Dynamic granular access control to resources based on each user's role
  - Support for wide array of mobile devices & cross platforms
- Optional hardware-based SSL acceleration module

Page 18: SSL-VPN.ppt


Secure Access 6500
- Targeted to large enterprises and service providers
- Up to 10,000 concurrent user scalability on single unit
- Up to 30,000 concurrent user cluster scalability on four-unit cluster
- Includes the optional components previously found on SA 6000 SP (memory upgrade, hot swappable fans, drives)
- Dual, mirrored hot swappable SATA hard drives
- Dual, hot swappable fans

Page 19: SSL-VPN.ppt


Juniper SSL VPN Product Family: Functionality and Scalability to Meet Customer Needs

[Figure: chart of Breadth of Functionality against Enterprise Size, placing Secure Access 700, 2500, 4500 and 6500]

Secure Access 700
- Designed for: SMEs; secure remote access
- Includes: Network Connect
- Options/upgrades: 10-25 conc. users; Core Clientless Access

Secure Access 2500
- Designed for: Medium enterprise; secure remote intranet and extranet access
- Includes: Core Clientless Access; SAM; NC; Advanced with Central Manager
- Options/upgrades: 25-100 conc. users; Secure Meeting; Cluster Pairs

Secure Access 4500
- Designed for: Medium to large enterprise; secure remote intranet and extranet access
- Includes: Core Clientless Access; SAM; NC; Advanced with Central Manager
- Options/upgrades: 50-1000 conc. users; Secure Meeting; Instant Virtual System; SSL Acceleration; Cluster Pairs

Secure Access 6500
- Designed for: Large enterprises & SPs; secure remote intranet and extranet access
- Includes: Core Clientless Access; SAM; NC; Advanced with Central Manager; SSL acceleration; hot swap drives, fans
- Options/upgrades: Up to 30,000 conc. users; Secure Meeting; Instant Virtual System; 4-port SFP card; 2nd power supply or DC power supply; Multi-Unit Clusters

Page 20: SSL-VPN.ppt


System Management

Granular Role-based administration
- Leverages leading framework used for user sessions
- Assign tasks to appropriate groups (helpdesk, security operations, etc.)

Central Manager
- Manage/maintain all clustered devices from a single console

Config Import/Export
- Make offline config changes and import
- Configuration backup/archiving

Push Configuration
- Push full or partial configurations to other devices

Granular logging and log filtering
- Analysis, compliance and auditing requirements

Advanced troubleshooting tools for quick issue resolution
- Policy trace, session recording, system snapshot, etc.

Page 21: SSL-VPN.ppt


Clustering/High Availability

Native Clustering
- SA2500, SA4500 - Cluster Pairs
- SA6500 - Multi-unit clusters

Stateful system peering
- System state and configuration settings
- User profile and personalized configuration
- User session synch (users don't have to log in again in a failover scenario)

Active/Passive configuration for seamless failover

Active/Active configuration for increased throughput and failover

Enterprise and Service Provider Value
- Ensured reliability of critical access infrastructure
- Seamless failover, no loss of productivity
- Expansive user scalability via replication
- Management efficiency via central administration interface

Page 22: SSL-VPN.ppt


Questions?
