End to End Security, Westcon / Juniper 5-day course, Pieter van Dijk and Dennis de Leest.

Presentation transcript:

1  End to End Security (Westcon / Juniper 5-day course), Pieter van Dijk, Dennis de Leest

2  Copyright © 2009 Juniper Networks, Inc.
AGENDA
Everything??? Hmmm..
- LAN
- WAN
- Data center
- Demo
How do we build that with OPEN standards …….

3  MULTI-YEAR TRENDS IN THE ENTERPRISE
Diagram labels: Mega Data Centers (thousands); Clients (billions); Global High-Performance Network; Campus, Branch, Home, Mobile Workforce; Globalization; Data/App Consolidation; The Distributed Enterprise.

4  NAC USE CASES
- Guest Networking: Internet; "Are You One of Us?" Yes / No; "Main" Network
- Endpoint Baselining: Patches? Antivirus? Firewall?
- Identity-Aware Network
- NAC, IAM, Monitoring/Containment
Diagram labels: Backbone; LANs.

5  IDENTITY AWARE NETWORKING
Diagram labels: Subset of Applications; Mission-Critical Applications; Guest Network; Sales, Finance, HR (application groups); Sales, Finance, HR (employee groups).

6  WHAT IS UAC
Authentication and Authorization
- AAA integration: Active Directory, LDAP
Endpoint Posture Assessment
- Enforce Windows patch assessment and remediation
- Enforce antivirus, personal firewall, etc.
- Built-in anti-malware and anti-spyware
Role and Identity-based Access Control
- With EX Series switches (Layer 2)
- With ScreenOS, SRX Series, J Series routers (Layer 3)
- With IDP Series (Layer 7: application-based)

7  STANDARDS-BASED, IDENTITY-AWARE ACCESS CONTROL AND NETWORK SECURITY

8  INDUSTRY RECOGNITION
“Juniper’s Unified Access Control (UAC) is the most complete NAC solution and scored highest in Current Offering”
- The Forrester Wave™: Network Access Control, Q
- The Forrester Market Research Report, Q
- ‘Best NAC’ Gold Award

9  UAC FOR SECURE GUEST ACCESS
Easy to use – just a few simple steps
- Provision delegated administration (to a receptionist or any other authorized corporate sponsor)
- Delegated administration enables creation of guest user accounts with a simple username and password
- Guest users connect to any Ethernet jack or via wireless in the corporate offices
- Guest users are able to access the Internet
- Bases level and depth of access on guest type, identity, and role
Chart: LAN Threat by Users (Mike Fratto | InformationWeek Analytics | 2008 NAC Survey)
- Guests: 58%
- Employee, remote access: 57%
- Employee, wireless LAN: 47%
- Contractors/outsourced labor: 44%
- Unmanageable devices: 42%
- Employee, wired LAN: 30%
Note: Percentages based on a rating of 4 to 5 on a five-point scale where 1 is “low” and 5 is “High”.

10  FULLY COORDINATED SECURITY INFRASTRUCTURE
Diagram labels around the UAC “Nerve Center”: 802.1X NAC; Enterprise-Wide Access Control; Application Level Enforcement; Management and Visibility; Identity Aware Security; Proven Endpoint Control.

11  CENTRAL POLICY COORDINATION
- Seamless AAA integration
- Comprehensive endpoint integrity
  - Automatic and manual remediation
  - Dynamic updates
- Dynamic, market-leading antispyware/antimalware check
- Standards-based (TNC, 802.1X, RADIUS, …)
- Unmatched scale, resilient HA
- Enterprise-wide management
- Security hardened
Diagram labels: IC Series (UAC “Nerve Center”); IDP Series; SA Series; Firewall; STRM Series; 802.1X Switches & APs; EX Series; SRX Series.

12  OPEN STANDARDS
TNC open architecture for network security and access control
- Suite of standards ensuring interoperability
- Leverages existing network infrastructure and future-proofs security
Diagram labels: TNC roles: Access Requester (AR), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Metadata Access Point (MAP); Wired Network; Perimeter; UAC Agent; EX Series; Firewall; SRX Series; Wireless; SA Series; SCADA; Great Bay; Third-Party Appliances; Third-Party Firewalls; IC Series (UAC “Nerve Center”); MAP Server; MAP Clients (Insightix, Lumeta, Hirsch, Wave, Third-Party DLP).

13  COMPLETE 802.1X NAC
EX Series Ethernet Switch support
- Identity-based QoS, bandwidth limiting, and priority scheduling
- Mirror traffic to IDP Series for monitoring and logging
Vendor agnostic
- Supports ANY vendor’s 802.1X-compatible switches and access points
Granular policy capabilities
- VLANs, ACLs, QoS, …
Diagram labels: IC Series; EX Series; Any 802.1X Switch/AP; 802.1X NAC.

14  IDENTITY-AWARE SECURITY
Enables true mobility
- Eliminate ACLs – “follow the user” policies
- Identity-based, secure network segmentation
Supports any Juniper security policy
- SRX Series Services Gateways
- ScreenOS firewalls (ISG Series, SSG Series)
- IDP Series for Application Layer Enforcement
- J Series as Layer 3 Enforcement Points
Diagram labels: SSG Series; SRX Series; IDP; IC Series; Corporate Data Center (Apps, Data, Finance, Video); Identity Aware Security.

15  APPLICATION LEVEL ENFORCEMENT
Industry’s first NAC solution to offer full Layer 2 – Layer 7 enforcement capabilities
Enforces application layer policies across networks
- Standalone IDP Series appliances as UAC enforcers
- Control access via role/application-based policies to IM, P2P, other corporate applications
Identity-enabled anomaly detection and mitigation
- Remote or local access
- Isolate threat to specific user or device
- Employs specific, configurable policy actions
Diagram labels: IDP Series; EX Series; IC Series; Application Servers; Firewalls; UAC Enforcement Points; 802.1X Switches/APs; Application Level Enforcement.

16  MANAGEMENT AND VISIBILITY
Juniper NSM
- Central management
Juniper STRM Series
- Strong visibility
- Comprehensive reporting and analysis
Comprehensive Juniper portfolio coverage

17  ENTERPRISE-WIDE ACCESS CONTROL
Federated Remote/Local Access
- Single login protected network/resource access
- Intelligently provisions network access
- Simplifies user experience
Shared, centrally managed policies
Diagram labels: Corporate Data Center (Apps, Finance, Video); Local User; SA Series; Internet; IC Series; IF-MAP; UAC Enforcer; NSM Policies; Enterprise-Wide Access Control.

18  UAC SUPPORTS UNMANAGEABLE DEVICES
MAC-based authentication for unmanageable devices
- Printers
- FAX machines
- VoIP phones
- HVAC systems
- Health care monitoring devices, infusion pumps, etc.
Partnership with industry leaders for detection/sensor capabilities
- Great Bay Beacon
- Insightix

19  BASIC NAC ENFORCEMENT
Imagine a sales person in an office: “Sales” user logs in from an unpatched device
- EX Series quarantines the user/device for automatic patch remediation
- Remediation successful; full network access granted
- IC Series and EX Series establish VLAN, ACLs, and QoS for the session
- UAC pushes role-based FW policies to SRX Series and application layer policies to IDP Series
- User attempts to access “Finance” data, but is blocked
Diagram labels: Local User; Patch Remediation; EX Series; SRX Series; IDP Series; IC Series; Corporate Data Center (Apps, Data, Finance, Video).

20  ENTERPRISE-WIDE ACCESS CONTROL
Imagine a sales person on the road: “Sales” user logs in from an unpatched device
- “Sales” user’s device is quarantined for automatic patch remediation
- Remediation successful; full network access granted
- SA session data pushed to IC via IF-MAP
- UAC pushes role-based FW policies to SRX and application layer policies to IDP
- User attempts to access “Finance” data, but is blocked
- IDP senses attack, informs IC
- IC removes SRX/IDP access
- SA terminates user session
Diagram labels: Mobile User; Internet; SA Series; Patch Remediation; SRX Series; IDP Series; IC Series; Corporate Data Center (Apps, Data, Finance, Video).

21  CAMPUS APPLICATION LEVEL ENFORCEMENT
Imagine a broker accessing finance applications:
- Employee/endpoint meet security policies
- Once connected, employee attempts to file share via a P2P application, contrary to acceptable use policies
- IDP Series detects/blocks inappropriate L7 traffic and asks UAC to identify the culprit
- UAC quarantines the user until the P2P application is shut down
- User disables the P2P app and is connected to the finance application
- STRM Series correlates log files from numerous devices; generates standardized reports
Diagram labels: Data Center; IDP Series; IC Series.

22  Client technology (Windows based)

23  JUNOS PULSE FOR WINDOWS
Builds on Juniper’s market-leading SA Series SSL VPN, UAC solution, and WXC Series technology!
Dynamically provisioned software client (Junos Pulse) for:
- Connectivity
- Security
- Acceleration
- Collaboration
Integrated multi-service gateways to terminate/control the client
Location awareness and session migration deliver anytime/anywhere access automatically, without user intervention
Identity-enabled
Standards-based, future-proofing network investments
Integration platform for select 3rd party apps
Integrated multi-service network client delivering anytime/anywhere/everywhere connectivity, security, and acceleration with a simplified user experience

24  SMART LOCATION BASED VPN AND LAN ACCESS
For notebooks and netbooks:
- Location Awareness – seamless access as the user moves from remote access to LAN access
- Pulse Client auto-discovers high speed/low latency connections
- Seamless session migration – no need to re-authenticate
Diagram labels: Branch Office/Locations/Campus; Remote Location (Hotel, Partner, etc.); Remote Users/Telecommuters; WXC Series; SA Series; HQ; IC Series (UAC); Mobile Users.

25  REMOTE GLOBAL IDENTITY AWARE NETWORKING
Adam in Finance attempts to access the Engineering Servers in the NY data center from his wired desktop at HQ, but access is denied. Adam is only allowed access to the Finance Server based on his credentials and access policies.
Adam is now remote in Asia and attempts to access the Tokyo data center remotely from his mobile device. The same access policies applied to Adam when at HQ follow him anywhere and anytime he attempts network access.
Diagram labels: Head Quarters (User: Adam, Role: Finance; LAN; SSL VPN; UAC; SRX); Data Center NY (Engineering Server, Finance Server); Data Center Tokyo (Engineering Server, Finance Server; SSL VPN; UAC; SRX); Corporate Network; IF-MAP; Remote Site (User: Adam, Role: Finance; SSL VPN).

Client technology (mobile based)

26  BENELUX
- 61% Access work networks every day without employer’s knowledge
- 18% Own a smartphone (5% own a tablet, 7% own both)
- 39% Mix business and personal use on their mobile device
- 46% Would like to have parental controls on their mobile device
- 29% Access personal financial information from their mobile device
- 12% Have shared personal financial information via or text
- 48% Password protect their smartphone
- 49% Are concerned about identity theft resulting from smartphone use
- 3% Unfamiliar with security settings on mobile devices
- 3% Rely on corporate IT department to maintain mobile device security
- 74% Regard mobile security as a High or Top-Priority
- 41% Are concerned they will lose their mobile device and info
- 32.3% CAGR smartphone units by 2012 *
- 9 million smartphone units 2010 *
All data Juniper Networks Global Smartphone Security Study, October 2010, except * Canalys estimates and forecasts, August 2010.

27  WHAT IS JUNOS PULSE?
Junos Pulse for Mobile Devices consists of 2 components
- Software clients (some Juniper-developed, some native to handset OSs) on various mobile handsets
- Juniper Networks SA Series SSL VPN gateways communicating with clients
Junos Pulse – for laptops/desktops with 3G cards, for example – consists of the same 2 components with built-in WAN acceleration capabilities for Windows systems
Diagram labels: Corporate Offices; SSL VPN (SA Series); Video, Finance, Applications, Data, Multimedia, Database; WXC Series Application Acceleration.

28  JUNIPER’S APPROACH: JUNOS PULSE
A single client for:
- Connectivity
- Security
- Acceleration
And now:
- Smart-device security & management

29  Security on Pulse for Mobile devices
Antivirus
- Real-time protection
- Auto updates
- Scan all files
- All connections
Personal Firewall
- Inbound & outbound filtering
- Alerts & logging
- Customizable
Anti Spam
- Block SMS & voice spam
- Blacklist filtering
- Disable alerts options
- Automatic denial options
Loss & Theft Protection
- Remote lock and wipe
- Backup & restore
- GPS locate
- SIM change notification
Device Control
- App inventory & control
- Content monitoring

30  ENFORCING NETWORK ACCESS POLICIES
1. Pulse detects the device is on the corporate network and, per user policy, disables any active VPN sessions
2. During 802.1X authentication, MAG verifies the PC meets company software and security policy requirements
3. Compliance check fails: antivirus signatures are out of date (“Virus SW too old”) and the user is quarantined to the remediation VLAN. The patch server updates signatures; the user is now in compliance and granted network access
4. MAG pushes role-based FW policies to EX and SRX
5. SRX enforces user policies, allowing the user basic access to all servers except finance
6. SRX AppTrack feature combined with MAG data collects per-user application information, providing detailed reports in STRM; SRX AppSecure policies block non-work-related applications
Diagram labels: PC user; Corporate Data Center (Apps, Data, Finance, Video); Active Directory/LDAP; Patch Remediation; WLCs; EX4500 VC and EX4200 VC; MAG with RADIUS, SSL VPN and UAC modules; SRX with IDP/AppSecure; Internet.

31  MOBILE DEVICE REMOTE NETWORK ACCESS POLICY AND ACCESS CONTROL
1. User needs to access the company intranet over a non-corporate network using an iPad
2. User starts Junos Pulse and initiates a secure VPN session with the MAG appliance
3. MAG verifies the user login, establishes the VPN, and the device is allowed on the network
4. MAG pushes role-based ACL and FW policies to the SRX and EX
5. SRX enforces user policies, allowing the user access to all servers except finance
6. SRX AppSecure policies block non-work-related applications; SRX AppTrack feature combined with MAG data collects per-user application information, providing detailed reports in STRM
Diagram labels: Wireless User (Tablet/smartphone); Internet; Corporate Data Center (Apps, Data, Finance, Video); Active Directory/LDAP; MAG with RADIUS, SSL VPN and UAC modules; WLCs; EX4500 VC and EX4200 VCs; SRX with IDP/AppSecure.
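The enforcement stories on slides 19, 20, 21, 25, 30 and 31 all follow one decision loop: posture check at login, quarantine VLAN until remediated, then a role-based policy that is pushed to the switch and firewall and that follows the user regardless of location, with the IDP able to report a per-user Layer 7 event back to the policy server. The toy policy decision point below replays those stories in code. It is an added example written for this page, not Juniper code and not how the IC Series or MAG implements UAC; the role names, resource names, VLAN numbers, signature-age threshold and event names are constructed assumptions.

```python
"""Toy policy decision point (PDP) replaying the NAC flows on these slides.

Constructed for this page: roles, resource names, VLAN ids, the posture
threshold and the IDP event names are illustrative, not product defaults.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=7)   # constructed posture threshold
PRODUCTION_VLAN = 100                   # constructed VLAN ids
QUARANTINE_VLAN = 999
TODAY = date(2010, 10, 1)               # fixed clock so the replay is repeatable

# Role-based firewall policy: data-centre resources each role may reach.
ROLE_POLICY = {
    "sales":   {"apps", "data", "video"},
    "finance": {"apps", "data", "video", "finance"},
    "guest":   {"internet"},
}
# How the PDP reacts to a per-user Layer 7 event reported by the IDP.
IDP_REACTION = {"p2p-file-sharing": "quarantine", "attack": "terminate"}


@dataclass
class Posture:
    """What the endpoint agent reports during the 802.1X or VPN login."""
    av_signature_date: date
    patched: bool
    firewall_on: bool

    def compliant(self, today: date = TODAY) -> bool:
        return (today - self.av_signature_date <= MAX_SIGNATURE_AGE
                and self.patched and self.firewall_on)


@dataclass
class Session:
    """The decision pushed to the switch (vlan) and firewall (allowed set)."""
    user: str
    role: str
    location: str                        # "campus" (802.1X) or "remote" (SSL VPN)
    vlan: int
    allowed: set = field(default_factory=set)
    quarantined: bool = False
    terminated: bool = False


def decide_access(user, role, posture, location, today=TODAY) -> Session:
    """Login: posture first, then the role policy (identical at every location)."""
    if role not in ROLE_POLICY:
        raise ValueError(f"unknown role {role!r}")
    if not posture.compliant(today):
        # Non-compliant endpoint: remediation VLAN, only the patch server reachable.
        return Session(user, role, location, QUARANTINE_VLAN,
                       allowed={"patch-remediation"}, quarantined=True)
    return Session(user, role, location, PRODUCTION_VLAN,
                   allowed=set(ROLE_POLICY[role]))


def check_request(session: Session, resource: str) -> bool:
    """What the firewall enforcement point answers for one connection attempt."""
    return not session.terminated and resource in session.allowed


def handle_idp_event(session: Session, event: str) -> Session:
    """IDP identifies the user behind an L7 event; the PDP acts on that session."""
    reaction = IDP_REACTION.get(event)
    if reaction == "quarantine":         # e.g. P2P contrary to acceptable use
        session.vlan, session.allowed = QUARANTINE_VLAN, {"patch-remediation"}
        session.quarantined = True
    elif reaction == "terminate":        # attack: drop FW/IDP access, end the session
        session.allowed, session.terminated = set(), True
    return session


def re_evaluate(session: Session, posture: Posture, today=TODAY) -> Session:
    """After remediation (or the offending app is shut down) the login is re-decided."""
    if session.terminated:
        raise RuntimeError("terminated sessions must log in again")
    return decide_access(session.user, session.role, posture, session.location, today)


# Constructed endpoints: month-old AV signatures versus fully current.
STALE_POSTURE = Posture(TODAY - timedelta(days=30), patched=True, firewall_on=True)
FRESH_POSTURE = Posture(TODAY, patched=True, firewall_on=True)


def run_slide_scenarios() -> dict:
    """Replays the sales person, broker and Adam stories; returns the observable outcomes."""
    out = {}
    sales = decide_access("sales1", "sales", STALE_POSTURE, "campus")
    out["sales_quarantined_at_login"] = sales.quarantined
    sales = re_evaluate(sales, FRESH_POSTURE)          # patch server updated signatures
    out["sales_vlan_after_remediation"] = sales.vlan
    out["sales_reaches_apps"] = check_request(sales, "apps")
    out["sales_reaches_finance"] = check_request(sales, "finance")
    broker = handle_idp_event(decide_access("broker1", "finance", FRESH_POSTURE, "campus"),
                              "p2p-file-sharing")
    out["broker_quarantined_for_p2p"] = broker.quarantined
    out["broker_reaches_finance_again"] = check_request(re_evaluate(broker, FRESH_POSTURE), "finance")
    adam_hq = decide_access("adam", "finance", FRESH_POSTURE, "campus")
    adam_remote = decide_access("adam", "finance", FRESH_POSTURE, "remote")
    out["policy_follows_adam"] = adam_hq.allowed == adam_remote.allowed
    out["adam_reaches_engineering"] = check_request(adam_hq, "engineering")
    roaming = handle_idp_event(adam_remote, "attack")  # SA terminates the session
    out["attacker_session_terminated"] = roaming.terminated and not check_request(roaming, "apps")
    return out


if __name__ == "__main__":
    for key, value in run_slide_scenarios().items():
        print(f"{key}: {value}")
```

The point worth noticing is that location never enters the policy lookup: `decide_access` computes the same allowed set for Adam at HQ and on the road, which is the “follow the user” property slides 14 and 25 describe. The other design choice is that a quarantine never widens the allowed set by itself; access is only restored by `re_evaluate`, i.e. a fresh posture decision, so a detector event and a remediation result pass through the same code path as the original login.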


