
Unified Access Control Solution. Javier López, Juniper Networks. Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential. www.juniper.net




Slide 1: Unified Access Control Solution
Javier López, jlopez@juniper.net

Slide 2: Agenda
- SSL VPNs Review
- Unified Access Control Solution
- Unified Access Control Scenarios
- Live Demo

Slide 3: SSL VPNs vs. IPSec (diagram). Business partners and customers reach the extranet over SSL VPN; mobile workers and home workers get employee remote access over SSL VPN; branch offices connect with site-to-site IPSec VPN; department servers (Finance, HR, Sales) and the DMZ in the data center are reached for intranet access over SSL VPN, all across the Internet.

Slide 4: Typical Custom Extranet Deployment (diagram). Web servers in the DMZ, MRP/ERP and web servers on the internal corporate LAN, each integrated through a custom API or a software agent talking to a policy server.

Extensive deployment requirements:
- Duplication and migration of servers into the DMZ
- Hardening of OS/server farms and ongoing patch maintenance
- Maintenance of public-facing infrastructure
- AAA limited to only those resources that were integrated
- Custom API development for non-web content

Unified access enforcement:
- Dynamic authentication policies
- Expressive role definition and mapping rules
- Dynamic resource-based authorization
- Granular auditing and logging
- Web Single Sign-On (SSO)
- Password management integration
- Multiple hostnames and customizable UI
- Endpoint policy enforcement

Slide 5: The Secure Access Platform in the Network (diagram). Resources on the corporate LAN: MRP/ERP, intranet/web server, Unix/NFS, directory store, server farms, e-mail. Users: extranet partners (Partner A, Partner B), sales and service, telecommuters, mobile employees. Legend: encrypted external session versus standard internal session.

Slide 6: Three Access Methods for Granular Secure Access

Core Clientless Access:
- Web content and links
- Web-based applications (XML, Flash, Java)
- Files (webified)
- Telnet/SSH terminal emulation

Secure Application Manager (JSAM and WSAM):
- TCP-based client/server application access
- JSAM: Java applet, cross-platform
- WSAM: ActiveX control
- Transparently redirects application requests
- Per application (client process) or per host (hostname / IP:port range)
- MD5 checksum for application validation
- Windows 2K/XP/98, Pocket PC (Win CE)

Network Connect (NC):
- Network-layer tunnel
- Virtual adapter
- Static, DHCP and RADIUS-based IP address assignment
- TCP and UDP based client/server application access
- Server-initiated applications such as VoIP, X-Windows, NetMeeting
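The Secure Application Manager rules on slide 6 (redirect per application, validated by an MD5 checksum of the executable, or per host by hostname or IP:port range) are easiest to reason about as a small decision function. The block below is an added example, not code from the deck or from Juniper; the rule layout, helper names, the sample rules and requests are assumptions, and the approved checksum is computed over constructed bytes rather than a real binary. It also makes one choice the slide leaves open: a process that is named in policy but whose checksum does not match is not redirected and is reported separately, so the mismatch is visible in logs instead of silently falling through to a host rule.

```python
"""Added example (not from the Juniper deck): a model of the Secure Application
Manager redirection rules described on slide 6.  A request is redirected into
the tunnel per application (client process validated by an MD5 checksum) or
per host (hostname or IP network plus port range).  Rule layout, names and
sample data are assumptions made for this example."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Request:
    process_name: str        # e.g. "outlook.exe"
    process_bytes: bytes     # contents of the executable (constructed here)
    dest_host: str           # hostname or IP the application connects to
    dest_port: int


@dataclass(frozen=True)
class AppRule:
    """Per-application rule: tunnel this process only if its checksum matches."""
    process_name: str
    md5: str


@dataclass(frozen=True)
class HostRule:
    """Per-host rule: tunnel traffic to this hostname or CIDR within a port range."""
    target: str              # hostname or CIDR such as "10.0.0.0/8"
    port_lo: int
    port_hi: int

    def matches(self, host: str, port: int) -> bool:
        if not (self.port_lo <= port <= self.port_hi):
            return False
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(self.target)
        except ValueError:
            # Either side is not an IP literal: fall back to hostname comparison.
            return host.lower() == self.target.lower()


def md5_of(data: bytes) -> str:
    # MD5 is what the slide describes; it is used here only as an allow-list
    # fingerprint and is not collision-resistant by today's standards.
    return hashlib.md5(data).hexdigest()


def classify(req: Request, app_rules: Iterable[AppRule], host_rules: Iterable[HostRule]) -> str:
    """Return 'tunnel:app', 'checksum-mismatch', 'tunnel:host' or 'passthrough'."""
    for rule in app_rules:
        if rule.process_name.lower() == req.process_name.lower():
            # The process is named in policy; redirect only if the binary on
            # disk is the one the administrator approved.
            if md5_of(req.process_bytes) == rule.md5:
                return "tunnel:app"
            return "checksum-mismatch"
    for rule in host_rules:
        if rule.matches(req.dest_host, req.dest_port):
            return "tunnel:host"
    return "passthrough"


# Constructed sample policy: one approved application and two host rules.
APPROVED_OUTLOOK = b"constructed-outlook-binary-v1"
APP_RULES = [AppRule("outlook.exe", md5_of(APPROVED_OUTLOOK))]
HOST_RULES = [HostRule("10.0.0.0/8", 1, 65535),
              HostRule("crm.example.internal", 443, 443)]  # placeholder hostname


if __name__ == "__main__":
    samples = [
        Request("outlook.exe", APPROVED_OUTLOOK, "203.0.113.10", 443),
        Request("outlook.exe", b"tampered-binary", "203.0.113.10", 443),
        Request("ssh.exe", b"unlisted", "10.1.2.3", 22),
        Request("browser.exe", b"unlisted", "crm.example.internal", 80),
    ]
    for s in samples:
        print(s.process_name, s.dest_host, s.dest_port, "->", classify(s, APP_RULES, HOST_RULES))
```

The per-application check runs before the per-host check, so a tampered copy of an approved application is never quietly tunnelled just because its destination happens to match a host rule.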

Slide 7: Step 3a: Control Access. One URL, the same person accessing from three different locations (from the field, from the LAN, from a kiosk).

Access control pipeline:
- Pre-authentication: gathers information from the user, the network and the endpoint.
- Dynamic authentication: authenticates the user and maps the user to a role.
- Role assignment: assigns session properties for the user's role.
- Resource policy: grants access to resources as specified by policy.

The three outcomes shown on the slide:

1. Digital cert = No, source IP = outside, host check = failure, authentication = Strong. Mapped to the Field role: SAM = No, File = No, Web download = Yes, Web upload = No, timeout = ½ hour, host check = recurring. Resources: CRM web (read only), Outlook Web Access.
2. Digital cert = Yes, source IP = outside, host check = success, authentication = Strong. Mapped to the Sales role: SAM = Yes, File = Yes, Web download = Yes, Web upload = Yes, timeout = 2 hours, host check = recurring. Resources: CRM client/server, Exchange.
3. Digital cert = Yes, source IP = LAN, host check = success, authentication = PW. Mapped to the Office role: Network Connect = Yes, timeout = 12 hours, host check = No. Resources: full network access.
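The four stages on slide 7 (pre-authentication gathers facts; dynamic authentication maps the user to a role; the role assigns session properties; a resource policy grants or denies the request) can be run end to end for the three session profiles the slide lists. The following is an added example and not code from the deck or from Juniper's products: the role names, attribute values and resource labels are the slide's, while the rule ordering, the data structures, the function names and the sample contexts are assumptions. It also carries the slide's "Host Check = Recurring" property through to a re-validation step, so a session whose endpoint later fails its host check is dropped for roles that require it and left alone for roles that do not.

```python
"""Added example (not from the Juniper deck): a toy policy engine that walks the
four stages on slide 7.  Role names and attribute values are transcribed from
the slide; rule ordering, structures, names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SessionContext:
    """Facts gathered at pre-authentication: user, network and endpoint state."""
    user: str
    digital_cert: bool       # client certificate presented?
    source: str              # "outside" or "LAN"
    host_check: bool         # Host Checker verdict at login
    authentication: str      # "Strong" or "PW" (password only)


# Role definitions transcribed from the slide's three columns.  "*" stands for
# the Office role's "full network access".
ROLES = {
    "Field": {"SAM": False, "File": False, "WebDownload": True, "WebUpload": False,
              "NetworkConnect": False, "TimeoutMinutes": 30, "HostCheckRecurring": True,
              "Resources": frozenset({"CRM-web-readonly", "OutlookWebAccess"})},
    "Sales": {"SAM": True, "File": True, "WebDownload": True, "WebUpload": True,
              "NetworkConnect": False, "TimeoutMinutes": 120, "HostCheckRecurring": True,
              "Resources": frozenset({"CRM-client-server", "Exchange"})},
    "Office": {"NetworkConnect": True, "TimeoutMinutes": 720, "HostCheckRecurring": False,
               "Resources": frozenset({"*"})},
}

# Role-mapping rules, evaluated in order; first match wins.  Each rule is the
# attribute set the slide shows for that role.  No match means no role
# (deny by default).
ROLE_MAPPING_RULES = [
    ({"digital_cert": True, "source": "LAN", "host_check": True, "authentication": "PW"}, "Office"),
    ({"digital_cert": True, "source": "outside", "host_check": True, "authentication": "Strong"}, "Sales"),
    ({"digital_cert": False, "source": "outside", "host_check": False, "authentication": "Strong"}, "Field"),
]


def map_role(ctx: SessionContext) -> Optional[str]:
    """Dynamic authentication step: map the gathered facts to a role, or None."""
    for conditions, role in ROLE_MAPPING_RULES:
        if all(getattr(ctx, attr) == want for attr, want in conditions.items()):
            return role
    return None


def session_properties(role: Optional[str]) -> dict:
    """Role-assignment step: the session settings the role carries (empty if none)."""
    if role is None:
        return {}
    return {k: v for k, v in ROLES[role].items() if k != "Resources"}


def authorize(role: Optional[str], resource: str) -> bool:
    """Resource-policy step: is this resource granted to the role?"""
    if role is None:
        return False
    allowed = ROLES[role]["Resources"]
    return "*" in allowed or resource in allowed


def session_still_valid(role: Optional[str], host_check_now: bool) -> bool:
    """Recurring host check: roles marked HostCheckRecurring lose the session
    when a later check fails; roles without it are unaffected."""
    if role is None:
        return False
    return host_check_now if ROLES[role]["HostCheckRecurring"] else True


def decide(ctx: SessionContext, resource: str) -> dict:
    """Run all four stages for one request and return the full decision."""
    role = map_role(ctx)
    return {"user": ctx.user, "role": role, "granted": authorize(role, resource),
            "properties": session_properties(role)}


if __name__ == "__main__":
    # Constructed sample: the same person requesting the same URL from three places.
    contexts = [
        SessionContext("jlopez", digital_cert=False, source="outside", host_check=False, authentication="Strong"),
        SessionContext("jlopez", digital_cert=True, source="outside", host_check=True, authentication="Strong"),
        SessionContext("jlopez", digital_cert=True, source="LAN", host_check=True, authentication="PW"),
    ]
    for ctx in contexts:
        print(decide(ctx, "Exchange"))
```

Because the rules are matched in full, a context that satisfies none of them (for instance a certificate-bearing user from outside whose host check failed) gets no role rather than the nearest one, which is the deny-by-default behaviour a policy engine of this kind should have.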

Slide 8: Breadth of Functionality. Juniper SSL VPN product family: functionality and scalability to meet customer needs, arranged by enterprise size.

Secure Access 700
- Designed for: SMEs; secure remote access
- Includes: Network Connect
- Options/upgrades: 10-25 concurrent users; Core Clientless Access

Secure Access 2000
- Designed for: medium enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access
- Options/upgrades: 25-100 concurrent users; SAM; NC; Secure Meeting; Advanced w/ CM; cluster pairs

Secure Access 4000
- Designed for: medium to large enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access
- Options/upgrades: 50-1000 concurrent users; SAM; NC; Secure Meeting; Advanced w/ CM; Instant Virtual System; SSL acceleration; cluster pairs

Secure Access 6000
- Designed for: large/global enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access; SSL acceleration
- Options/upgrades: 100-2500 concurrent users; SAM; NC; Secure Meeting; Advanced w/ CM; Instant Virtual System; GBIC; multi-unit clusters

Slide 9: Case #1: Remote Access for Students/Teachers (diagram). Web mail farm and intranet web farm on the corporate intranet, reached over the WWW by thousands of teachers' home PCs, tens of thousands of students' home PCs and mobile users.

Cost scalability:
- Users access from home PCs
- No install, configuration or support
- The only variable cost is authentication

Increased security:
- Unified security layer across servers
- Known, hardened security posture
- Common authentication and authorization policies

Slide 10: Case #2: Campus Services Access (diagram). ERP application server and Unix/NFS files on the corporate intranet, reached by School A, School B and School C.

Cost scalability:
- Rapidly add and drop partners
- No lengthy security negotiations
- No capital expenditure per additional partner

Increased security:
- Group-based authorization policies
- Strong authentication and PKI
- Resource-based logging

Slide 11: Agenda
- SSL VPNs Review
- Unified Access Control Solution
- Unified Access Control Scenarios
- Live Demo

Slide 12: Trend and Business Problem (diagram). Across the WAN and LAN: remote office, LAN users, mobile users, day extenders and business partners, all reaching a data center of mission-critical apps, file servers, ERP, CRM, etc.

- Widely diverse users
- Unmanaged or ill-managed endpoints
- Business-critical network assets
- "Deadly" network and application-layer threats
- 11% QoQ increase in new vulnerabilities (Q2 '05, SANS)
- Zotob took 96 hours from patch to full outbreak
- New threats exploit common TCP ports, requiring both host intelligence and network-based enforcement

Slide 13: How the Enterprise Infranet works

What does it do? The Enterprise Infranet couples user identity, network identity and endpoint status with network and endpoint policies.

How does it do it? Centralized policy management pushes policy based on user, endpoint, network, etc. to enforcement points throughout the network.
- Policy management leverages Dynamic Access Privilege Management (proven by the #1 SSL VPN, IVE).
- Policies are enforced at different points throughout the network (proven by the #1 FW/VPN, ScreenOS).

Slide 14: Unified Access Control Solution: how does it work? (diagram). Infranet Agent (IA) on the endpoint, Infranet Controller (IC), Phase 1 Enforcers, and AAA servers / identity stores for comprehensive enterprise integration; unified policy enforcement based on identity, endpoint assessment and network.

Infranet Agent (IA):
- Protects authenticated endpoints from malicious or non-compliant endpoints
- Host Checker (J.E.D.I)
- Host Enforcer (with firewall policy or optional dynamic MS IPSec enforcement)
- MS Windows Single Sign-On
- Agentless enforcement for Mac and Linux

Enforcers:
- ScreenOS 5.3 capable
- NetScreen 5GT to NetScreen 5000
- From 90 Mbps to 30 Gbps

Infranet Controller (IC):
- Access control decision point
- Automatically provisions the Infranet Agent (if required)
- Dynamically provisions enforcement policy
- Integrated remediation support

Slide 15: Juniper Networks Infranet Controllers

IC 4000
- Supports up to 3000 concurrent endpoints per appliance
- High availability/scalability: cluster pairs

IC 6000
- Supports up to 25,000 concurrent endpoints per appliance
- High availability/scalability: multi-unit clusters
- Unique hardware features: hot-swappable, field-upgradeable power supply; field-upgradeable hard disk; hot-swappable fans

Slide 16: Infranet Agent

- Dynamically provisioned endpoint assessment and policy enforcement agent
- No pre-installed client software
- Lightweight (<1 MB)

Host Checker (J.E.D.I) for endpoint assessment:
- Native functionality
- APIs for leveraging third-party endpoint solutions
- Pre-login and post-login endpoint assessment for compliance enforcement during the entire user session

Host Enforcer:
- Dynamic role-based firewall policy
- Optional dynamic MS IPSec enforcement

MS Windows Single Sign-On

Agentless enforcement for Mac and Linux: endpoint assessment but no IPsec

Slide 17: Phase One Infranet Enforcers

- Phase 1 incorporates Juniper FW/VPN platforms
- ScreenOS 5.3 software upgrade required
- 75 Mbps to 30 Gbps for wire-speed policy enforcement in the LAN

Network security policy enforcement:
- DoS protection
- Deep packet inspection
- Antivirus capabilities
- Content management
- Logging and auditing
- SEM, NSM integration

Platforms shown: HSC, NetScreen 5 Series, NetScreen 25 & 50, NetScreen 204 & 208, NetScreen 500, ISG Series, NetScreen 5200 & 5400.

Slide 18: Enterprise Infranet Service Control Layer Deployment Scenarios (diagram). Data center (mission-critical apps, file servers, ERP, CRM, etc.) with AAA servers and identity stores; Enterprise Infranet Controller (IC); Enterprise Infranet Agent (IA) with J.E.D.I. APIs for native or 3rd-party host compliance, trusted Xport and self-defense; Infranet Enforcer (IE); mobile worker and business partner as users.

Steps shown:
1. Endpoint: assess, authenticate, remediate, contain and self-protect
2. Trusted Xport (IE)
3. Authorize, enforce and log

Slide 19: Agenda
- SSL VPNs Review
- Unified Access Control Solution
- Unified Access Control Scenarios
- Live Demo

Slide 20: Server Front End Deployment Scenario (diagram). Data center (mission-critical apps, file servers, ERP, CRM, etc.), AAA servers / identity stores, network services (DNS, DHCP), Enterprise Infranet Controller (IC6000), Infranet Enforcer (IE) in front of the servers, users.

Slide 21: WAN Gateway Deployment Scenario (diagram). Data center (mission-critical apps, file servers, ERP, CRM, etc.), AAA servers / identity stores, network services (DNS, DHCP), Enterprise Infranet Controller (IC4000), Infranet Enforcer (IE) at the WAN gateway, users.

Slide 22: Distributed Enterprise (diagram). Corporate office: data center (mission-critical apps, file servers, ERP, CRM, etc.), AAA servers / identity stores, network services (DNS, DHCP), Enterprise Infranet Controller (IC6000), Infranet Enforcer (IE), users. Branch office: Infranet Enforcer (IE), AAA servers / identity stores, network services (DNS, DHCP), connected by site-to-site VPN.

Slide 23: Campus, Wired Deployment Scenario (diagram). Data center (mission-critical apps, file servers, ERP, CRM, etc.), AAA servers / identity stores, Enterprise Infranet Controller (IC6000), GigE, Infranet Enforcer, users.

Slide 24: Campus, Wireless Deployment Scenario (diagram). Data center (mission-critical apps, file servers, ERP, CRM, etc.), AAA servers / identity stores, Enterprise Infranet Controller (IC4000), Infranet Enforcer (IE), generic AP, GigE.

Slide 25: Agenda
- SSL VPNs Review
- Unified Access Control Solution
- Unified Access Control Scenarios
- Live Demo

Slide 26: Demo network architecture (diagram). Components: Infranet Agent (IA), local auth server, Infranet Controller (IC-4000), Enforcer NS-25, Enforcer 5GT, Untrust zone. Addresses shown: 172.26.60.0/24 (hosts .1, .101, .100), 2.2.2.2, 1.0.0.10.

Slide 27: Thank You

