Secure Access SSL VPN Product Line Presentation


Secure Access SSL VPN
Product Line Presentation
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
IPSec VPN vs. SSL VPN

[Network diagram labels: Internet; Kiosk; Branch Office; Sales; Mobile Users; HR; Finance; Department Servers; Remote Office; DMZ-1; Telecommuters; HQ; Partners, Customers, Contractors]

                          IPSec VPN                 SSL VPN
Application Type          Remote/Branch Office      Employee Remote Access, Telecommuter, Mobile User, Partner Extranet and Network access
Type of Connection        Fixed Site-to-Site        Mobile or Fixed
Type of Endpoint Device   Managed                   Managed, Unmanaged
VPN Type                  IPSec VPN                 SSL VPN
Access Requirement        Network Access            Per Application Access
Control Requirement       IP to IP control          User to Application control
Remote Network Security   Managed, Trusted          Unmanaged, Untrusted

Use Case #1 - Employee Remote Access

[Diagram labels: Employees with Mobile Devices; Employees with Corporate Laptops; Employees with Home PCs; Corporate Intranet; Email Server; Applications Server; Firewall; Router]

SSL VPN Ease of Use
• Anytime, anywhere access from home PC, corporate laptop, mobile phone, or kiosk
• No software to install, configure, or maintain
• Only Web-browser & Internet connection needed

Increased Security with SSL VPN
• Encrypted and authenticated access
• Restrict users’ access to specific applications & resources
• Comprehensive security checks on endpoints before granting access

Use Case #2 - Extranet Portal

[Diagram labels: Suppliers; Customers; Partners; Corporate Intranet; Web Applications; Client/Server Applications; Firewall; Router]

Flexibility with SSL VPN
• Rapidly add/drop access to partners, suppliers, & customers
• No client software required on devices
• Access from any Web-enabled device

SSL VPN Management
• Limit access to select applications or resources
• Ensure corporate security policy is met before granting access
• No need to maintain or configure users’ devices

Access Control & AAA

Seamless AAA Integration
• Full Integration into customer AAA infrastructure
  - AD, LDAP, RADIUS, Certificate, OTP, etc.
• Password Management Integration
  - User self service for password management
  - Reduced support costs, increased productivity
  - All standard LDAP, MSFT AD
• Single Sign-On – Native Capabilities
  - Leveraged across all web apps → seamless user experience
  - Forms, Header, SAML, Cookie, Basic Auth, NTLM
• SAML Support – Web single sign-on, integration with I&AM platforms
  - Standards-based Web SSO
  - Partnerships with leading AM Vendors (CA, Oracle, RSA, etc.)

Enhance Your VPN Authentication with eToken
• Just plug in your eToken (Factor 1)
• And type in your password (Factor 2)
• Without both ‘factors,’ a user cannot logon, or sign a transaction
• User VPN password / private key are never exposed outside the token

Token Management System (TMS)
• TMS is a full life-cycle management system enabling deployment, provisioning and maintenance of tokens and their associated security applications in an organization
• TMS links between:
  - Users
  - Organizational rules
  - Security device(s)
  - Security application(s)

Provision by Purpose
Three Different Access Methods to Control Users’ Access to Resources
Dynamic Access Control based on User, Device, Network, etc.

Network Connect
• IPSec-like experience with full network layer tunnel
• Supports all client applications & resource intensive applications like VoIP & streaming media
• Recommended for remote and mobile employees only as full network access is granted
• LAN-like L3 access to Client/Server and web apps with Network Connect

Secure Application Manager (SAM)
• Access to client/server applications such as Windows & Java applications
• One click access to applications such as Citrix, Microsoft Outlook, and Lotus Notes
• Ideal for remote & mobile employees and partners if they have application software loaded on their PCs
• Granular client/server application access control with Secure Application Manager

Core Access
• Access to Web-based applications, file shares, Telnet/SSH hosted apps, and Outlook Web Access
• Granular access control all the way up to the URL or file level
• Ideal for most users to access from any device on any network (corporate laptop, home PC, customer or partner PC, kiosk, PDA, etc.)
• Granular web application access control with Core Access method

Access Methods (Application & Resources) - Core Access
• Full cross platform/browser support
• Secure Web Application Access
  - Support for widest range of web-based content and applications
  - Sharepoint, OWA, iNotes, PDF, Flash, Java applets, HTML, Javascript, DHTML, VBScript, XML, etc.
  - Host & deliver any Java applet
• Integrated E-mail Client
• Secure Terminal Access
  - Access to Telnet/SSH (VT100, VT320…)
  - Anywhere access with no terminal emulation client
• Secure File Share Access
  - Web front-end for Windows and Unix Files (CIFS/NFS)

Access Methods (Application & Resources) - Terminal Services
• Seamlessly and securely access any Citrix or Windows Terminal Services deployment
  - Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, Hosted Java Applet
• Native TS Support
  - Granular Use Control
  - Secure Client delivery
  - Integrated Single Sign-on
  - Java RDP/JICA Fallback
  - WTS: Session Directory
  - Citrix: Auto-client reconnect/session reliability
  - Many additional reliability, usability, access control options

Access Methods (Application & Resources) - Secure Application Manager
• Full cross platform support; Windows + Java versions
• Granular control – users access specific client/server applications
• WSAM – secure traffic to specific client/server applications
  - Supports Windows Mobile/PPC, in addition to full Windows platforms
  - Granular access and auditing/logging capabilities
  - Installer Service available for constrained user privilege machines
  - Access C/S applications without provisioning full Layer 3 tunnel
  - Eliminates costs, complexity, and security risks associated with VPNs
  - No incremental software/hardware or customization to existing apps
• JSAM – supports static TCP port client/server applications
  - Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
  - Drive mapping through NetBIOS support
  - Install without advanced user privileges

Access Methods (Application & Resources) - Network Connect
• Full Layer 3 Access, similar to IPSec VPN
• Adaptive, Dual Transport Mode
  - Initially attempts to set up high performance, IPSec transport
  - If blocked by network, seamlessly fails over to SSL
• Cross Platform Dynamic Download (ActiveX or Java delivery)
• Range of options – browser launch, standalone EXE, scriptable launcher, MSFT GINA
• Client-side Logging, Auditing and Diagnostics

Access Privilege Management – 1 URL
Same person access from 3 different locations

Stages:
1. Pre-Authentication – gathers information from user, network, endpoint
2. Authentication & Authorization – authenticate user, map user to role
3. Role Assignment – assign session properties for user role
4. Resource Policy – applications available to user

Managed Laptop
• Pre-Authentication: Host Check: Pass; AV RTP On; Definitions up to date; Machine Cert: Present; Device Type: Win XP
• Authentication & Authorization: Auth: Digital Certificate; Role Mapping: Managed
• Role Assignment: Access Method: Network Connect; File Access: Enabled; Timeout: 2 hours; Host Check: Recurring
• Resource Policy: Outlook (full version); CRM Client/Server; Intranet; Corp File Servers; Sharepoint

Unmanaged (Home PC/Kiosk)
• Pre-Authentication: Host Check: Fail; No AV Installed; No Personal FW; Machine Cert: None; Device Type: Mac OS
• Authentication & Authorization: Auth: AD Username/Password; Role Mapping: Unmanaged
• Role Assignment: Access Method: Core; SVW Enabled; File Access: Disabled; Timeout: 30 mins; Host Check: Recurring
• Resource Policy: Outlook Web Access (no file up/download); CRM Web (read-only); Intranet

Mobile Device
• Pre-Authentication: Host Check: N/A; Machine Cert: None; Device Type: Win Mobile 6.0
• Authentication & Authorization: Auth: Digital Certificate; Role Mapping: Mobile
• Role Assignment: Access Method: WSAM, Core; File Access: Enabled; Timeout: 30 mins
• Resource Policy: Outlook Mobile; CRM Web; Intranet; Corp File Servers

One Device for Multiple Groups
Customize policies and user experience for diverse users

partners.company.com – “Partner” Role
• Authentication: Username/Password
• Host Check: Enabled – Any AV, PFW
• Access: Core Clientless
• Applications: MRP, Quote Tool

employees.company.com – “Employee” Role
• Authentication: OTP or Certificate
• Host Check: Enabled – Any AV, PFW
• Access: Core + Network Connect
• Applications: L3 Access to Apps

customers.company.com – “Customer” Role
• Authentication: Username/Password
• Host Check: Enabled – Any AV, PFW
• Access: Core Clientless
• Applications: Support Portal, Docs

End-to-End Security

End-Point Security - Host Checker
• Check devices before & during session
• Ensure device compliance with corporate policy
• Remediate devices when needed
• Cross platform support

Home PC User
• No anti-virus installed
• No personal firewall
• User granted minimal access

Managed PC User
• No Anti-Virus Installed
• Personal Firewall enabled
• User remediated → install anti-virus
• Once installed, user granted access

Airport Kiosk Mobile User
• AV Real-Time Protection running
• Personal Firewall Enabled
• Virus Definitions Up To Date
• User granted full access

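The Access Privilege Management and Host Checker slides describe one decision pipeline: gather endpoint posture, authenticate, map the user to a role, then hand out the session properties that role allows. The following is an added illustration of that pipeline in Python, written for this page and not taken from Juniper's product; the `Posture` fields, the "pass" criteria in `host_check`, the role rules in `map_role` and the remediation rule are assumptions distilled from the slide text, while the per-role session values are copied from the slide's Role Assignment column.

```python
"""Endpoint posture to role mapping, modelled on the Access Privilege Management
and Host Checker slides.  Added illustration, not Juniper code: the field names,
the pass criteria and the role rules are assumptions taken from the slide text."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Posture:
    """What the pre-authentication step learns about the endpoint (assumed fields)."""
    device_type: str                    # e.g. "Win XP", "Mac OS", "Win Mobile 6.0"
    av_installed: bool = False
    av_realtime: bool = False           # anti-virus real-time protection running
    definitions_current: bool = False
    personal_firewall: bool = False
    machine_cert: bool = False


# Device families Host Checker does not scan under this (assumed) policy.
MOBILE_PREFIXES = ("Win Mobile",)

# Session properties per role, copied from the slide's Role Assignment column.
ROLE_SESSION = {
    "Managed":   {"access": ["Network Connect"], "file_access": True,
                  "timeout_min": 120, "host_check_recurring": True, "svw": False},
    "Unmanaged": {"access": ["Core"], "file_access": False,
                  "timeout_min": 30, "host_check_recurring": True, "svw": True},
    "Mobile":    {"access": ["WSAM", "Core"], "file_access": True,
                  "timeout_min": 30, "host_check_recurring": False, "svw": False},
}


def host_check(p: Posture) -> str:
    """'n/a' for devices that cannot be scanned, else 'pass' or 'fail'.
    Assumed pass criteria: AV installed with real-time protection on, current
    definitions, and a personal firewall enabled."""
    if p.device_type.startswith(MOBILE_PREFIXES):
        return "n/a"
    compliant = (p.av_installed and p.av_realtime
                 and p.definitions_current and p.personal_firewall)
    return "pass" if compliant else "fail"


def map_role(auth_method: str, p: Posture, check: str) -> str:
    """Role mapping: Managed needs a passing host check, a machine certificate and
    certificate authentication; a scannable device missing any of these is
    treated as Unmanaged regardless of the user's credentials."""
    if check == "n/a" and auth_method == "certificate":
        return "Mobile"
    if check == "pass" and p.machine_cert and auth_method == "certificate":
        return "Managed"
    return "Unmanaged"


def remediation(p: Posture, check: str) -> Optional[str]:
    """Host Checker slide: a device with a firewall but no AV is told to install AV
    and is re-checked; a device with neither simply gets the minimal role."""
    if check == "fail" and not p.av_installed and p.personal_firewall:
        return "install anti-virus"
    return None


def decide(auth_method: str, p: Posture) -> dict:
    """Run the four stages and return the resulting session decision."""
    check = host_check(p)
    role = map_role(auth_method, p, check)
    return {"host_check": check, "role": role,
            "remediation": remediation(p, check), **ROLE_SESSION[role]}


if __name__ == "__main__":
    laptop = Posture("Win XP", True, True, True, True, True)
    print(decide("certificate", laptop))        # Managed: Network Connect, 2 h timeout
    print(decide("password", Posture("Mac OS")))  # Unmanaged: Core only, SVW, no files
```

The useful property for a defender is that the role, not the credential, decides what the session may reach: the same certificate-holding employee lands in the Unmanaged role until the missing anti-virus is installed and the host check passes again.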
Endpoint Security - Integrated Malware Protection - powered by
• Integrated Malware protection delivered dynamically as part of Host Checker and enforced at the Realm, Role, or Resource level
• Continually updated signature database for rapid response to new threats
• Category 1 Threats – Trojan Horses and Key Loggers with known malicious intent
• Category 2 Threats – Monitoring Applications and Remote Controls with possible malicious intent
• Behavior Blocker – Zero-hour defense scans PC for key logger and screen capture behavior before threat is known!

1. User attempts to begin SSL VPN session
2. AED delivered via Host Checker
3. AED updates threat signatures via web service
4. Pre-auth and periodic scans - threats blocked
5. Response options – grant/deny access, remediate, quarantine role

Endpoint Security - Secure Virtual Workspace
• Host Checker (Java/ActiveX) delivery
• Win 2k/XP Systems (user privileges)
• Admin-specified application access
• DoD Cleaning/Sanitizing standard compliant
• Password-protected persistent sessions
• Controlled I/O Access
• Configurable look/feel

[Diagram labels: Real Desktop; SVW; Limited/Blocked I/O Access; Clipboard Operations Blocked (Virtual → Real); Session Data Encrypted on-the-fly (AES); File System: Real / Virtual; End of Session: Secure Delete OR Persistent Session (Encrypted)]

Typical Threat Control Challenges

[Diagram labels: Partner; Intermediated traffic; LAN; Internet; Tunneled traffic; Employee]

No User Identity Information
• No way to identify user with intermediated traffic
• No ability to respond to source of threat because don’t know who user is
• Time-consuming to identify user with tunneled traffic
• Identifying user is critical to mitigating impact of security threats

No Identity-Based Coordinated Threat Response
• No ability to automatically coordinate responses in both IPS and SSL VPN

Juniper’s Coordinated Threat Control

[Diagram labels: Partner; LAN; Employee]
1 - IDP detects threat and stops traffic
2 - Signaling protocol to notify SSL VPN of attack
3 - SA identifies user & takes action on user session

Comprehensive Threat Detection and Prevention
• Ability to detect and prevent malicious traffic
• Full layer 2-7 visibility into all traffic
• True end-to-end security

Correlated Threat Information
• Identity
• Endpoint
• Access history
• Detailed traffic & threat information

Coordinated Identity-Based Threat Response
• Manual or automatic response
• Response options:
  - Terminate session
  - Disable user account
  - Quarantine user
• Supplements IDP threat prevention

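The three steps above (IDP detects and stops the traffic, a signal reaches the SSL VPN, the SA identifies the user behind the session and acts) are what turns an IP-level alert into an identity-level response. Here is an added Python illustration of the SSL VPN side of that exchange, written for this page rather than taken from Juniper's signaling protocol: the `Alert` format, the session table fields, the severity-to-action table and the constructed sessions and signatures in `demo()` are all assumptions; only the three response options come from the slide.

```python
"""Identity-based coordinated threat response, modelled on the Coordinated Threat
Control slide (IDP detects -> signals SSL VPN -> SA acts on the user session).
Added illustration, not Juniper's signaling protocol: the alert format, session
table fields and the severity-to-action policy are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str
    user: str
    role: str
    client_ip: str            # address the IDP reports as the attack source
    state: str = "active"     # active | terminated | quarantined


@dataclass
class Account:
    name: str
    enabled: bool = True


@dataclass(frozen=True)
class Alert:
    """Constructed IDP notification as carried by the signaling protocol."""
    source_ip: str
    signature: str
    severity: str             # low | medium | high | critical


# Assumed response policy; the slide only lists the three options themselves.
SEVERITY_ACTION = {"critical": "disable_account", "high": "terminate",
                   "medium": "quarantine"}


class CoordinatedResponder:
    """The SSL VPN side: map an alert's source address to the user session behind
    it and apply the configured response, keeping an audit trail of every alert."""

    def __init__(self, sessions, accounts, automatic=True):
        self.sessions = {s.session_id: s for s in sessions}
        self.accounts = {a.name: a for a in accounts}
        self.automatic = automatic       # False = queue for manual confirmation
        self.audit = []

    def identify(self, alert: Alert) -> Optional[Session]:
        """Correlate the attacking address with an active session (step 3)."""
        for s in self.sessions.values():
            if s.state == "active" and s.client_ip == alert.source_ip:
                return s
        return None

    def handle(self, alert: Alert) -> dict:
        session = self.identify(alert)
        if session is None:
            record = {"signature": alert.signature, "user": None,
                      "action": "unattributed"}
        else:
            action = SEVERITY_ACTION.get(alert.severity, "log")
            if not self.automatic and action != "log":
                action = "pending_manual:" + action   # left for an admin to confirm
            else:
                self.apply(action, session)
            record = {"signature": alert.signature, "user": session.user,
                      "action": action}
        self.audit.append(record)
        return record

    def apply(self, action: str, session: Session) -> None:
        if action == "terminate":
            session.state = "terminated"
        elif action == "quarantine":
            session.state = "quarantined"
            session.role = "Quarantine"   # restricted role holding only remediation resources
        elif action == "disable_account":
            session.state = "terminated"
            self.accounts[session.user].enabled = False


def demo() -> list:
    """Constructed sessions and alerts; returns the audit records produced."""
    sessions = [Session("s1", "jdoe", "Managed", "10.10.1.5"),
                Session("s2", "acme-partner", "Partner", "10.10.2.9")]
    accounts = [Account("jdoe"), Account("acme-partner")]
    r = CoordinatedResponder(sessions, accounts)
    r.handle(Alert("10.10.1.5", "EXPLOIT:CONSTRUCTED-EXAMPLE", "critical"))
    r.handle(Alert("10.10.2.9", "SCAN:CONSTRUCTED-EXAMPLE", "medium"))
    r.handle(Alert("10.10.9.9", "SCAN:CONSTRUCTED-EXAMPLE", "high"))
    return r.audit


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Two details matter in practice: the lookup only matches active sessions, so a stale address reused by another client does not get punished for an earlier user's traffic, and the `unattributed` record is kept in the audit trail, because an alert the VPN cannot tie to a session is exactly the "no user identity information" case the previous slide complains about and should be visible to the operator.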
Instant Online Collaboration - Secure Meeting
• Easy to Use Web Conferencing
  - Instant or scheduled online collaboration
  - Share desktop/applications
  - Group and private chat
  - No training required
• Easy to Deploy and Maintain
  - No pre-installed software required
  - Web-based, cross platform
  - Personalized meeting URLs for users
  - https://meeting.company.com/johndoe
• Affordable – No usage/service fees
• Secure
  - Fully encrypted/secured traffic using SSL
  - No peer-to-peer backdoor
  - User credentials protected
  - Policy flexibility to meet authentication requirements

Remote Helpdesk Functionality - Secure Meeting
• Reduce desktop/application support costs by speeding time to issue resolution
  - Significant cost savings over phone-based troubleshooting
  - Improve helpdesk/technician productivity
• Fast, easy setup with automatic setting configuration:
  - Dynamic client delivery, cross-platform support
  - Automatic desktop sharing/remote control request
  - Secure Chatting disabled

[Diagram labels: Help Desk; Employee; Remote assistance to any user with no software installation]

Juniper SSL VPN Product Family
Functionality and Scalability to Meet Customer Needs

[Chart axes: Breadth of Functionality; Enterprise Size]

Secure Access 700
• Designed for: SMEs – secure remote access
• Includes: Network Connect
• Options/upgrades: 10-25 conc. users; Core Clientless Access

Secure Access 2000
• Designed for: Medium enterprise – secure remote, intranet and extranet access
• Includes: Core Clientless Access
• Options/upgrades: 25-100 conc. users; SAM/NC; Secure Meeting; Advanced w/ CM; Cluster Pairs

Secure Access 4000
• Designed for: Medium to large enterprise – secure remote, intranet and extranet access
• Includes: Core Clientless Access
• Options/upgrades: 50-1000 conc. users; SAM/NC; Secure Meeting; Advanced w/ CM; Instant Virtual System; SSL Acceleration; Cluster Pairs

Secure Access 6000
• Designed for: Large-global enterprise – secure remote, intranet and extranet access
• Includes: Core Clientless Access; SSL acceleration
• Options/upgrades: Thousands of conc. users; SAM/NC; Secure Meeting; Advanced w/ CM; Instant Virtual System; GBIC; SSL Acceleration; Multi-Unit Clusters

Why Juniper for SSL VPN?
• Core Competence in SSL-based Access
  - Proven in tens of thousands of customer deployments!
  - Market Leadership/Industry Awards
  - Product Maturity
• Single Platform for All Enterprise Remote Access Needs
  - Support for complex Web content, Files, Telnet/SSH using only a browser
  - Client/Server applications
  - Adaptive dual transport method for network-layer access
• Performance, Scalability & HA
  - Differentiated hardware platforms
  - Global & local stateful clustering
  - Compression, SSL acceleration, GBIC connectors, Dual hot-swappable hard disks, power supplies, and fans
• Ease of Administration
  - Centralized Management
  - Granular Role-based Delegation
  - Extensive integration with existing directories
  - Native endpoint remediation and password management integration
• End-to-End Security
  - Robust host checking capabilities
  - Dynamic Access Privilege Management
  - 3rd party security audits