End to End Security
Westcon / Juniper 5-day course
Pieter van Dijk, Dennis de Leest

Slide 2: AGENDA
Copyright © 2009 Juniper Networks, Inc.
Everything??? Hmmm..
- LAN
- WAN
- Data center
- Demo
How do we build that with OPEN standards .....
Slide 3: MULTI-YEAR TRENDS IN THE ENTERPRISE
(diagram labels) Mega data centers (thousands); clients (billions); global high-performance network; campus, branch, home; mobile workforce; globalization; data/app consolidation; the distributed enterprise.

Slide 4: NAC USE CASES
- Guest networking: "Are you one of us?" Yes: "main" network. No: Internet only
- Endpoint baselining: patches? Antivirus? Firewall?
- Identity-aware network: NAC and IAM
- Monitoring/containment: backbone and LANs

Slide 5: IDENTITY AWARE NETWORKING
(diagram) Guest network: a subset of applications. Employees (Sales, Finance, HR): mission-critical applications, each role seeing its own set (Sales, Finance, HR).

Slide 6: WHAT IS UAC
- Authentication and authorization: AAA integration, Active Directory, LDAP
- Endpoint posture assessment: enforce Windows patch assessment and remediation; enforce antivirus, personal firewall, etc.; built-in anti-malware and anti-spyware
- Role- and identity-based access control: with EX Series switches (Layer 2); with ScreenOS, SRX Series, J Series routers (Layer 3); with IDP Series (Layer 7: application-based)
Slide 7: STANDARDS-BASED, IDENTITY-AWARE ACCESS CONTROL AND NETWORK SECURITY

Slide 8: INDUSTRY RECOGNITION
"Juniper's Unified Access Control (UAC) is the most complete NAC solution and scored highest in Current Offering" (The Forrester Wave™: Network Access Control, Q; The Forrester Market Research Report, Q)
'Best NAC' Gold Award

Slide 9: UAC FOR SECURE GUEST ACCESS
- Easy to use: just a few simple steps
- Provision delegated administration (to a receptionist or any other authorized corporate sponsor)
- Delegated administration enables creation of guest user accounts with a simple username and password
- Guest users connect to any Ethernet jack or via wireless in the corporate offices
- Guest users are able to access the Internet
- Bases level and depth of access on guest type, identity, and role
(chart) LAN threat by users (Mike Fratto, InformationWeek Analytics, 2008 NAC Survey): Guests 58%; Employee, remote access 57%; Employee, wireless LAN 47%; Contractors/outsourced labor 44%; Unmanageable devices 42%; Employee, wired LAN 30%. Note: percentages based on a rating of 4 to 5 on a five-point scale where 1 is "low" and 5 is "high".
Slide 10: FULLY COORDINATED SECURITY INFRASTRUCTURE
(diagram) UAC "nerve center" at the hub; around it: 802.1X NAC, enterprise-wide access control, application level enforcement, management and visibility, identity aware security, proven endpoint control.

Slide 11: CENTRAL POLICY COORDINATION
- Seamless AAA integration
- Comprehensive endpoint integrity
- Automatic and manual remediation
- Dynamic updates
- Dynamic, market-leading antispyware/antimalware check
- Standards-based (TNC, 802.1X, RADIUS, ...)
- Unmatched scale, resilient HA
- Enterprise-wide management
- Security hardened
(diagram) IC Series as the UAC "nerve center", coordinating IDP Series, SA Series, firewall, STRM Series, 802.1X switches and APs, EX Series, SRX Series.

Slide 12: OPEN STANDARDS
- TNC open architecture for network security and access control
- Suite of standards ensuring interoperability
- Leverages existing network infrastructure and future-proofs security
(diagram) TNC roles: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP); the network perimeter sits between AR and PEP. Access requesters: UAC Agent on wired and wireless clients, SCADA devices. Enforcement points and partners shown: EX Series, firewall, SRX Series, SA Series, Great Bay, third-party appliances, third-party firewalls. IC Series as PDP and MAP server (UAC "nerve center"). MAP clients: Insightix, Lumeta, Hirsch, Wave, third-party DLP.
Slide 13: COMPLETE 802.1X NAC
- EX Series Ethernet switch support: identity-based QoS, bandwidth limiting and priority scheduling; mirror traffic to IDP Series for monitoring and logging
- Vendor agnostic: supports ANY vendor's 802.1X-compatible switches and access points
- Granular policy capabilities: VLANs, ACLs, QoS, ...
(diagram) IC Series, EX Series, any 802.1X switch/AP.

Slide 14: IDENTITY-AWARE SECURITY
- Enables true mobility
- Eliminate ACLs: "follow the user" policies
- Identity-based, secure network segmentation
- Supports any Juniper security policy: SRX Series Services Gateways; ScreenOS firewalls (ISG Series, SSG Series); IDP Series for application layer enforcement; J Series as Layer 3 enforcement points
(diagram) SSG Series, SRX Series, IDP, IC Series in front of a corporate data center holding Apps, Data, Finance, Video.

Slide 15: APPLICATION LEVEL ENFORCEMENT
- Industry's first NAC solution to offer full Layer 2 to Layer 7 enforcement capabilities
- Enforces application layer policies across networks
- Standalone IDP Series appliances as UAC enforcers
- Control access via role/application-based policies to IM, P2P and other corporate applications
- Identity-enabled anomaly detection and mitigation: remote or local access; isolate the threat to a specific user or device; employs specific, configurable policy actions
(diagram) IDP Series, EX Series, IC Series, application servers, firewalls, UAC enforcement points, 802.1X switches/APs.

Slide 16: MANAGEMENT AND VISIBILITY
- Juniper NSM: central management
- Juniper STRM Series: strong visibility; comprehensive reporting and analysis
- Comprehensive Juniper portfolio coverage

Slide 17: ENTERPRISE-WIDE ACCESS CONTROL
- Federated remote/local access
- Single login protected network/resource access
- Intelligently provisions network access
- Simplifies user experience
- Shared, centrally managed policies
(diagram) A local user and an Internet user reach the corporate data center (Apps, Finance, Video) through SA Series and IC Series, linked by IF-MAP; UAC enforcer; NSM policies.
Slide 18: UAC SUPPORTS UNMANAGEABLE DEVICES
- MAC-based authentication for unmanageable devices: printers, fax machines, VoIP phones, HVAC systems, health care monitoring devices, infusion pumps, etc.
- Partnership with industry leaders for detection/sensor capabilities: Great Bay Beacon, Insightix

Slide 19: BASIC NAC ENFORCEMENT
Imagine a sales person in an office:
1. "Sales" user logs in from an unpatched device
2. EX Series quarantines the user/device for automatic patch remediation
3. Remediation successful; full network access granted
4. IC Series and EX Series establish VLAN, ACLs, and QoS for the session
5. UAC pushes role-based FW policies to SRX Series and application layer policies to IDP Series
6. User attempts to access "Finance" data, but is blocked
(diagram) Local user, patch remediation, EX Series, IC Series, SRX Series, IDP Series, corporate data center (Apps, Data, Finance, Video).

Slide 20: ENTERPRISE-WIDE ACCESS CONTROL
Imagine a sales person on the road:
1. "Sales" user logs in remotely from an unpatched device
2. "Sales" user's device is quarantined for automatic patch remediation
3. Remediation successful; full network access granted
4. SA session data is pushed to the IC via IF-MAP
5. UAC pushes role-based FW policies to the SRX and application layer policies to the IDP
6. User attempts to access "Finance" data, but is blocked
7. IDP senses an attack and informs the IC
8. IC removes SRX/IDP access; SA terminates the user session
(diagram) Mobile user over the Internet, SA Series, IC Series, SRX Series, IDP Series, patch remediation, corporate data center (Apps, Data, Finance, Video).

Slide 21: CAMPUS APPLICATION LEVEL ENFORCEMENT
Imagine a broker accessing finance applications:
1. Employee and endpoint meet security policies
2. Once connected, the employee attempts to file share via a P2P application, contrary to acceptable use policies
3. IDP Series detects/blocks the inappropriate L7 traffic and asks UAC to identify the culprit
4. UAC quarantines the user until the P2P application is shut down
5. User disables the P2P app and is connected to the finance application
6. STRM Series correlates log files from numerous devices and generates standardized reports
(diagram) Data center with IDP Series and IC Series.
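The coordinated containment that slides 20 and 21 describe (an IDP event leading the IC to revoke SRX/IDP access and the SA to terminate the session; a P2P violation leading to quarantine until it is cleared) is easier to reason about as code. The block below is an added example written for this page; it is not Juniper's software and does not speak IF-MAP. The session records, the IP addresses, the sensor name and the enforcement-point names are all constructed for the example; the controller only models the decision logic a "nerve center" has to make.

```python
"""Added example: a toy access controller that correlates a sensor event
with the session owning the source IP and contains it on every enforcement
point bound to that session. Not Juniper code; all data is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    user: str
    role: str
    ip: str
    gateway: str          # where the user entered: "SA" (SSL VPN) or "EX" (802.1X switch)
    enforcers: set[str]   # PEPs that received policy for this session, e.g. {"SRX", "IDP"}


@dataclass
class Controller:
    """Stand-in for the IC Series 'nerve center' together with its MAP server."""
    trusted_sensors: set[str]                                           # enrolled, authenticated sensors
    sessions: dict[str, Session] = field(default_factory=dict)          # keyed by endpoint IP
    quarantined: set[str] = field(default_factory=set)                  # session ids under quarantine
    actions: list[tuple[str, str, str]] = field(default_factory=list)   # (target, verb, subject)

    def publish(self, s: Session) -> None:
        """IF-MAP style publish: the gateway binds ip -> access-request -> identity,
        and the controller pushes the role policy to every enforcer for the session."""
        self.sessions[s.ip] = s
        for pep in sorted(s.enforcers):
            self.actions.append((pep, "push-role-policy", s.session_id))

    def handle_event(self, sensor: str, src_ip: str, kind: str) -> str | None:
        """Event from a sensor about src_ip; kind is 'attack' or 'policy-violation'.
        Returns the affected session id, or None when nothing was done."""
        # Only enrolled sensors may trigger containment. Anyone able to inject an
        # event could otherwise knock any user off the network by naming their IP.
        if sensor not in self.trusted_sensors:
            self.actions.append((sensor, "rejected-untrusted-sensor", src_ip))
            return None
        s = self.sessions.get(src_ip)
        if s is None:
            return None  # no session owns this IP: nothing to contain
        if kind == "attack":
            # Slide 20: IC removes SRX/IDP access, the gateway terminates the session.
            for pep in sorted(s.enforcers):
                self.actions.append((pep, "revoke", s.session_id))
            self.actions.append((s.gateway, "terminate", s.session_id))
            del self.sessions[src_ip]
        elif kind == "policy-violation":
            # Slide 21: quarantine the user until the offending application is gone.
            self.quarantined.add(s.session_id)
            self.actions.append(("IC", "quarantine", s.session_id))
        return s.session_id

    def clear_violation(self, session_id: str) -> bool:
        """Agent reports the P2P app is closed: lift the quarantine, keep the session."""
        if session_id not in self.quarantined:
            return False
        self.quarantined.discard(session_id)
        self.actions.append(("IC", "restore", session_id))
        return True


def remote_sales_and_broker_scenario() -> Controller:
    """Constructed walk-through of slides 20 and 21 on one controller."""
    c = Controller(trusted_sensors={"IDP"})
    c.publish(Session("s1", "sales1", "sales", "10.0.0.15", "SA", {"SRX", "IDP"}))
    c.publish(Session("s2", "broker1", "finance", "10.0.0.42", "EX", {"SRX", "IDP"}))
    c.handle_event("rogue-box", "10.0.0.42", "attack")       # spoofed event: ignored
    c.handle_event("IDP", "10.0.0.42", "policy-violation")   # broker starts P2P
    c.clear_violation("s2")                                  # P2P closed: restored
    c.handle_event("IDP", "10.0.0.15", "attack")             # remote sales laptop attacks
    return c


if __name__ == "__main__":
    for target, verb, subject in remote_sales_and_broker_scenario().actions:
        print(f"{target:10} {verb:26} {subject}")
```

The one check worth carrying into a real deployment is the sensor allow-list: in the TNC model the IDP and the IC authenticate to each other, and a controller that acts on unauthenticated events turns its own containment feature into a denial-of-service primitive.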
Client technology (Windows based)

Slide 23: JUNOS PULSE FOR WINDOWS
- Builds on Juniper's market-leading SA Series SSL VPN, UAC solution, and WXC Series technology
- Dynamically provisioned software client (Junos Pulse) for: connectivity, security, acceleration, collaboration
- Integrated multi-service gateways to terminate/control the client
- Location awareness and session migration deliver anytime/anywhere access automatically, without user intervention
- Identity-enabled
- Standards-based, future-proofing network investments
- Integration platform for select 3rd-party apps
Integrated multi-service network client delivering anytime/anywhere/everywhere connectivity, security, and acceleration with a simplified user experience.

Slide 24: SMART LOCATION BASED VPN AND LAN ACCESS
For notebooks and netbooks:
- Location awareness: seamless access as the user moves from remote access to LAN access
- Pulse client auto-discovers high-speed/low-latency connections
- Seamless session migration: no need to re-authenticate
(diagram) HQ with SA Series, WXC Series and IC Series (UAC); branch offices/locations/campus; remote locations (hotel, partner, etc.); remote users/telecommuters; mobile users.

Slide 25: REMOTE GLOBAL IDENTITY AWARE NETWORKING
(diagram) Head Quarters LAN with user Adam, role Finance; Data Center NY (Engineering server, Finance server) behind SSL VPN, UAC and SRX; Data Center Tokyo (Engineering server, Finance server) behind SSL VPN, UAC and SRX; the two UAC instances linked across the corporate network by IF-MAP; a remote site with SSL VPN and user Adam, role Finance.
Adam in Finance attempts to access the Engineering servers in the NY data center from his wired desktop at HQ, but access is denied. Adam is only allowed access to the Finance server based on his credentials and access policies.
Adam is now remote in Asia and attempts to access the Tokyo data center remotely from his mobile device. The same access policies that applied to Adam at HQ follow him anywhere and anytime he attempts network access.

Client technology (mobile based)
Slide 26: BENELUX
- 61% access work networks every day without their employer's knowledge
- 18% own a smartphone (5% own a tablet, 7% own both)
- 39% mix business and personal use on their mobile device
- 46% would like to have parental controls on their mobile device
- 29% access personal financial information from their mobile device
- 12% have shared personal financial information via email or text
- 48% password-protect their smartphone
- 49% are concerned about identity theft resulting from smartphone use
- 3% are unfamiliar with the security settings on mobile devices
- 3% rely on the corporate IT department to maintain mobile device security
- 74% regard mobile security as a high or top priority
- 41% are concerned they will lose their mobile device and its information
All data: Juniper Networks Global Smartphone Security Study, October 2010, except * Canalys estimates and forecasts, August 2010:
- * 32.3% CAGR in smartphone units by 2012
- * 9 million smartphone units in 2010

Slide 27: WHAT IS JUNOS PULSE?
- Junos Pulse for Mobile Devices consists of 2 components: software clients (some Juniper developed, some native to handset OSs) on various mobile handsets; Juniper Networks SA Series SSL VPN gateways communicating with the clients
- Junos Pulse for laptops/desktops (with 3G cards, for example) consists of the same 2 components, with built-in WAN acceleration capabilities for Windows systems
(diagram) Corporate offices: SA Series SSL VPN and WXC Series application acceleration in front of video, finance, applications, data, multimedia and database.

Slide 28: JUNIPER'S APPROACH: JUNOS PULSE
A single client for: connectivity; security; acceleration; and now: smart-device security and management.

Slide 29: Security on Pulse for Mobile devices
- Antivirus: real-time protection; auto updates; scan all files; all connections
- Personal firewall: inbound and outbound filtering; alerts and logging; customizable
- Anti-spam: block SMS and voice spam; blacklist filtering; disable alerts options; automatic denial options
- Loss and theft protection: remote lock and wipe; backup and restore; GPS locate; SIM change notification
- Device control: app inventory and control; content monitoring
Slide 30: ENFORCING NETWORK ACCESS POLICIES
1. Pulse detects the device is on the corporate network and, per user policy, disables any active VPN sessions
2. During 802.1X authentication the MAG verifies that the PC meets company software and security policy requirements
3. Compliance check fails: antivirus signatures are out of date ("virus SW too old") and the user is quarantined to the remediation VLAN. The patch server updates the signatures; the user is now in compliance and is granted network access
4. MAG pushes role-based FW policies to the EX and SRX
5. SRX enforces the user policies, allowing the user basic access to all servers except finance
6. SRX AppSecure policies block non-work-related applications
SRX AppTrack, combined with MAG data, collects per-user application information, providing detailed reports in STRM.
(diagram) PC user; WLCs; EX4500 VC and EX4200 VC; MAG with RADIUS, SSL VPN and UAC modules; SRX with IDP/AppSecure; Active Directory/LDAP; patch remediation; corporate data center (Apps, Data, Finance, Video); Internet.

Slide 31: MOBILE DEVICE REMOTE NETWORK ACCESS POLICY AND ACCESS CONTROL
1. User needs to access the company intranet over a non-corporate network using an iPad
2. User starts Junos Pulse and initiates a secure VPN session with the MAG appliance
3. MAG verifies the user login, establishes the VPN, and the device is allowed on the network
4. MAG pushes role-based ACL and FW policies to the SRX and EX
5. SRX enforces the user policies, allowing the user access to all servers except finance
6. SRX AppSecure policies block non-work-related applications
SRX AppTrack, combined with MAG data, collects per-user application information, providing detailed reports in STRM.
(diagram) Wireless user with tablet/smartphone; Internet; WLCs; EX4500 VC and EX4200 VCs; MAG with RADIUS, SSL VPN and UAC modules; SRX with IDP/AppSecure; Active Directory/LDAP; corporate data center (Apps, Data, Video, Finance).
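The admission decision that slides 19 and 30 walk through (posture check, remediation VLAN, role VLAN, role-based firewall rules) together with the MAC-based authentication for unmanageable devices from slide 18, written out as an added example. This is illustrative code added to the page, not Juniper's and not the IC/MAG software. The role names, VLAN numbers, zone names, the OUI and the signature-age threshold are invented for the example; the RADIUS attribute names and values are the ones RFC 3580 defines for handing a VLAN to an 802.1X authenticator, which is what makes the decision work with any vendor's switch or AP.

```python
"""Added example: a toy policy decision point (PDP) reproducing the role +
posture decision described on slides 18, 19 and 30. Not Juniper code; the
policy tables below are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# RFC 3580 values returned in the RADIUS Access-Accept so that any vendor's
# 802.1X switch or access point places the port/client in the chosen VLAN.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type = IEEE-802

# Hypothetical policy tables. The slides only give the rule "Sales may not
# reach Finance"; everything else here is invented.
ROLE_VLAN = {"sales": 110, "finance": 120, "hr": 130, "guest": 900}
REMEDIATION_VLAN = 999
DEVICE_VLAN = {"printer": 200}
MAC_OUI_ROLE = {"00:1b:78": "printer"}      # constructed OUI -> device role
MAX_SIGNATURE_AGE = timedelta(days=7)
ZONES = ("apps", "data", "video", "finance")


@dataclass
class Endpoint:
    identity: str                        # username (802.1X) or MAC address (MAC auth)
    supplicant: bool                     # True: 802.1X with agent-reported posture
    role: str = "guest"
    av_signature_date: date | None = None
    patched: bool = False


@dataclass
class Decision:
    vlan: int
    reason: str
    # Identity-aware rules pushed to the L3/L7 enforcer: (role, zone, action)
    fw_rules: list[tuple[str, str, str]] = field(default_factory=list)

    def radius_attributes(self) -> dict[str, str]:
        """Attributes carried in the Access-Accept (RFC 3580 VLAN assignment)."""
        return {
            "Tunnel-Type": str(TUNNEL_TYPE_VLAN),
            "Tunnel-Medium-Type": str(TUNNEL_MEDIUM_IEEE802),
            "Tunnel-Private-Group-ID": str(self.vlan),
        }


def posture_ok(ep: Endpoint, today: date) -> bool:
    """Endpoint baselining: patched, with antivirus signatures fresh enough."""
    if not ep.patched or ep.av_signature_date is None:
        return False
    return today - ep.av_signature_date <= MAX_SIGNATURE_AGE


def role_rules(role: str) -> list[tuple[str, str, str]]:
    """'Follow the user' rules: every role reaches apps/data/video, only finance reaches finance."""
    return [(role, z, "permit" if z != "finance" or role == "finance" else "deny") for z in ZONES]


def decide(ep: Endpoint, today: date) -> Decision:
    if not ep.supplicant:
        # MAC-based authentication for unmanageable devices: no user, no posture.
        # A MAC address is trivially spoofed, so the device role gets nothing beyond
        # its own VLAN; an unknown MAC lands in the guest role.
        dev_role = MAC_OUI_ROLE.get(ep.identity.lower()[:8])
        if dev_role is None:
            return Decision(ROLE_VLAN["guest"], "unknown MAC -> guest role",
                            [("guest", "internet", "permit")])
        return Decision(DEVICE_VLAN[dev_role], f"MAC auth -> {dev_role}",
                        [(dev_role, z, "deny") for z in ZONES])
    if not posture_ok(ep, today):
        # Slide 30 step 3: quarantine to the remediation VLAN, patch server only.
        return Decision(REMEDIATION_VLAN, "posture failed -> remediation VLAN",
                        [(ep.role, "patch-server", "permit")])
    return Decision(ROLE_VLAN[ep.role], "compliant -> role VLAN", role_rules(ep.role))


def sales_office_scenario(today: date = date(2010, 6, 1)) -> dict[str, Decision]:
    """Slide 19 / slide 30 walk-through with constructed endpoints."""
    stale = Endpoint("sales1", True, "sales", av_signature_date=today - timedelta(days=30))
    fixed = Endpoint("sales1", True, "sales", av_signature_date=today, patched=True)
    printer = Endpoint("00:1B:78:AA:BB:CC", supplicant=False)
    rogue = Endpoint("de:ad:be:ef:00:01", supplicant=False)
    return {
        "login": decide(stale, today),
        "after_remediation": decide(fixed, today),
        "printer": decide(printer, today),
        "rogue_mac": decide(rogue, today),
    }


if __name__ == "__main__":
    for step, d in sales_office_scenario().items():
        print(f"{step:18} VLAN {d.vlan:4}  {d.reason}  {d.radius_attributes()}")
```

Two caveats a practitioner would want alongside the slides: the posture data is reported by the agent on the endpoint, so the decision is only as trustworthy as the agent's integrity (the TNC architecture addresses this with platform measurements, which this toy skips), and MAC-based authentication identifies a device only until someone clones its address, which is why the device role above is given a VLAN and nothing else.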