Juniper sa-sslvpn

SA SERIES SSL VPN APPLIANCES
PRODUCT LINE PRESENTATION
May 19, 2010

AGENDA

1. SSL VPN Market Overview
2. SSL VPN Use Cases
3. Access Control and AAA
4. End-to-End Security
5. Secure Meeting
6. Hardware, Management and High Availability

2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

BUSINESS CHALLENGE: GRANT ACCESS VS. ENFORCE SECURITY
Maximize Productivity with Access... …While Enforcing Strict Security
 Allow partner access to applications  Allow access only to necessary
(Extranet portal) applications and resources for certain
users
 Increase employee productivity by
providing anytime, anywhere access  Mitigate risks from unmanaged
(Intranet, E-mail, terminal services) endpoints
 Customize experience and access for  Enforce consistent security policy
diverse user groups
(partners, suppliers, employees)
 Enable provisional workers
(contractors, outsourcing)
 Support myriad of devices
(smartphones, laptops, kiosks)

…And the Solution Must Achieve Positive ROI
 Minimize initial CAPEX costs
 Lower ongoing administrative and support OPEX costs


IPSEC VPN VS. SSL VPN

Internet
Kiosk
Mobile
Branch Office Sales
Users
HR Internet
Finance
Internet

Department
DMZ-1
Partners,
Servers
Customers,
Remote Office HQ Telecommuters Contractors

IPSec VPN SSL VPN
Employee Remote Access
Telecommuters
Remote/Branch Office Deployments
Mobile Users
Partner Extranets
Fixed Site-to-Site Mobile or Fixed
Managed Endpoints Managed or Unmanaged Endpoints
Layer 3 Network Access Access Control Per Application
IP to IP Control User to Application Control
Access allowed from Unmanaged and Untrusted
Access from Managed, Trusted Networks
networks as well


THE SOLUTION:
JUNIPER NETWORKS SECURE ACCESS SSL VPN

Mobile User –
Cafe
 Secure SSL access to remote users
from any device or location
VoIP
Teleworker
 Easy access from Web-browsers – no SA6500
client software to manage

 Dynamic, granular access control to
manage users and resources
Business Partner
or Customer
 Single comprehensive solution to
access various application types from
various devices available

Wireless/Mobile
Device
User

Airport
Kiosk User


JUNIPER NETWORKS SSL VPN MARKET LEADERSHIP

Juniper maintains #1 market share position worldwide
Leader since SSL VPN product category inception
Source: 4Q09 Infonetics Research Network Security Appliances and Software Report


ANALYST PRAISE & RECOGNITION
2008 Gartner Magic Quadrant for SSL VPN
2009 Magic Quadrant Key
Takeaways:

“Juniper has maintained the product
vision, execution and overall momentum
so effectively that it has held a
leadership position continuously…”

“…unchallenged disruptive sales
advantage”

“Juniper is the No. 1 competitive
threat…”

“Year after year, Juniper's products earn
a high satisfaction rating…”

http://www.gartner.com/technology/media-products/reprints/juniper/vol6/article1/article1.html Source: Gartner (October
2009)

JUNIPER SA SSL VPN RECOGNITION & AWARDS

Award
Winning

3rd Party
Certified

Market
Leading

Market share leader & proven solution with over 20,000 customers

AGENDA

SSL VPN Use Cases
5. Secure Meeting


#1 - REMOTE ACCESS AT LOWER OPERATING COSTS

SA6500

Employees with Employees with
Mobile Devices Corporate Laptops

Employees Corporate
with Home PCs Intranet
Email
Server
Firewall
Internet
Router
Applications
Server

Increased Productivity Increased Security
 Anytime, anywhere access from any device  Encrypted secure access to corporate resources
 No endpoint software to install or manage  Granular access control
 Easy access facilitated from common browsers  Comprehensive endpoint security enforcement


#2 - EXTRANET PORTALS WITH GREATER SECURITY

SA6500

Suppliers Customers

Corporate
Intranet
Client/Serer
Partners Web Applications
Firewall Applications

Internet Router

Administrative ease of use Enforcement of corporate security policies
 Easier management of authorized users  Granular access to select applications or resources
 No client software enforced on external users  Endpoint security enforced before granting access
 Access enabled from any Web-enabled device  No administrative hassle of managing users’ devices

#3 – MOBILE DEVICE ACCESS

SA6500

Apple iPhone

Corporate
Intranet
Email
Firewall Server

Internet Router

Applications
Server

Improved Ease of Use, Higher Productivity
 Access from any mobile device
 ActiveSync facilitates secure access to Exchange
 Enforce mobile device integrity and security


AGENDA

 Access Control and AAA

5. Secure Meeting


DYNAMIC ACCESS METHODS BY PURPOSE

Three different access methods to control users’ access to resources
Dynamic access control based on user, device, network, etc.

Network Connect Secure Application Manager Core Access

Access to Web-based applications,
Layer-3 connectivity to corporate Access to client/server applications
File shares, Telnet/SSH hosted apps,
network such as Windows & Java applications
and Outlook Web Access
Supports all applications including One click access to applications
Granular access control all the way
resource intensive applications like such as Citrix, Microsoft Outlook, and
up to the URL or file level
VoIP & streaming media Lotus Notes

Recommended for remote and Ideal for remote & mobile employees Ideal for remote & mobile employees
mobile employees only as full and partners if they have client and partners accessing from
network access is granted applications on their PCs unmanaged, untrusted networks

Layer-3 access to corporate Granular client/server Granular web application
network application access control access control


CLIENTLESS ACCESS METHOD: CORE ACCESS

Broad set of supported platforms Integrated E-mail Client
and browsers
Secure Terminal Access
Secure, Easy Web Application  Access to Telnet/SSH (VT100,
Access VT320…)
 Pre-defined resource policies for
 Anywhere access with no terminal
Sharepoint, Lotus Webmail, etc.
emulation client
 Support for Flash, Java applets,
HTML, Javascript, DHTML, XML, etc.
 Support for Hosting & delivering any
Java applet

Secure File Share Access
 Web front-end for Windows and Unix
Files (CIFS/NFS)


SECURE APPLICATION MANAGER

Full cross platform support for both WSAM – secure traffic to specific
Windows & Java versions client/server applications
 Supports Windows Mobile/PPC, in
Granular access control policies for addition to all Windows platforms
client/server applications  Granular access and auditing/logging
 Access applications without capabilities
provisioning full Layer 3 tunnel
 Installer Service available for
 Eliminates costs, complexity, and constrained user privilege machines
security risks of IPSec VPNs
 No incremental software/hardware or JSAM – supports static TCP port
customization to existing apps client/server applications
 Enhanced support for MSFT MAPI,
Lotus Notes, Citrix NFuse
 Drive mapping through NetBIOS
support
 Install without advanced user
privileges


LAYER-3 ACCESS METHOD: NETWORK CONNECT

rmance SA Series
High Perfo ode
M
Transport

High Availability
e
Transport Mod

Full Layer 3 Access to corporate network
Dynamic, Dual Transport Mode
 Dynamically tries SSL in case IPSec is blocked in the network

Cross Platform Dynamic Download (Active-X or Java delivery)
Launching options include – browser-based, standalone EXE, scriptable
launcher and Microsoft Gina
Client-side Logging, Auditing and Diagnostics available

ACCESS METHODS
TERMINAL SERVICES

Seamlessly and securely access any Citrix or Windows Terminal
Services deployment
 Intermediate traffic via native TS support, WSAM, JSAM, Network
Connect, Hosted Java Applet
 Replacement for Web Interface/Nfuse
Native TS Support
 Granular Use Control
 Secure Client delivery
 Integrated Single Sign-on
 Java RDP/JICA Fallback
 WTS: Session Directory
 Citrix: Auto-client reconnect/
session reliability
 Many additional reliability, usability,
access control options


ACCESS METHODS
VIRTUAL DESKTOP INFRASTRUCTURE (VDI)

AAA

Apps Servers

SA Series Finance
Remote/Mobile User VMware VDI Server
Citrix XenDesktop

 SA interoperates with VMware View Manager and Citrix XenDesktop to enable
administrators to consolidate and deploy virtual desktops with SA
 Allows IT administrators to configure centralized remote access policies for users who
access their virtual desktops
 Dynamic delivery of Citrix ICA client or VMware View client to users, including dynamic
client fallback options for easy connection to their virtual desktops
 Benefits:
– Seamless access (single sign-on) for remote users to their virtual desktops hosted on VMware or
Citrix servers
– Saves users time and improves their experience accessing their virtual desktops


ACCESS PRIVILEGE MANAGEMENT
1 USER / 1 URL / 3 DEVICES & LOCATIONS

Pre-Authentication Authentication & Role Assignment Resource Policy
Authorization
Gathers information
Applications available
from user, network, Authenticate user Map Assign session
to user
endpoint user to role properties for user role

•Host Check: Pass •Auth: Digital Certificate •Access Method: •Outlook (full version)
•AV RTP On Network Connect •CRM Client/Server
•Definitions up to date •Role Mapping: Managed •File Access: Enabled •Intranet
•Machine Cert: Present •Timeout: 2 hours •Corp File Servers
Managed •Device Type: Win XP •Host Check: Recurring •Sharepoint
Laptop

•Host Check: Fail •Auth: AD Username/ •Access Method: •Outlook Web Access
•No AV Installed Password Core (no file up/download)
•No Personal FW •SVW Enabled •CRM Web (read-only)
•Machine Cert: None •Role Mapping: •File Access: Disabled •Intranet
•Device Type: Mac OS Unmanaged •Timeout: 30 mins
Unmanaged
•Host Check: Recurring
(Home PC/Kiosk)

•Host Check: N/A •Auth: Digital Certificate •Access Method: •Outlook Mobile
WSAM, Core •CRM Web
•Machine Cert: None •Role Mapping: Mobile •File Access: Enabled •Intranet
•Device Type: Win Mobile •Timeout: 30 mins •Corp File Servers
6.0
Mobile Device


ONE DEVICE FOR MULTIPLE GROUPS
CUSTOMIZE POLICIES AND USER EXPERIENCE FOR DIVERSE USERS

partners.company.com
“Partner” Role

Authentication Username/Password
Host Check Enabled – Any AV, PFW
Access Core Clientless
Applications MRP, Quote Tool

employees.company.com “Employee” Role
SA Series
Authentication OTP or Certificate
Access Core + Network Connect
Applications L3 Access to Apps

customers.company.com
“Customer” Role

Authentication Username/Password
Access Core Clientless
Applications Support Portal, Docs


SEAMLESS AAA INTEGRATION

Full Integration into customer AAA infrastructure
 AD, LDAP, RADIUS, RSA SecurID, Certificate, etc.
 Use of group membership and attributes for authorization/role
mapping
Password Management Integration
 Users can manage their AD/LDAP passwords through SSL VPN

Single Sign-On Capabilities
 Seamless user experience for web applications
 Forms, Header, SAML, Cookie, Basic Auth, NTLM v1/v2, Kerberos

SAML Support – Web single sign-on, integration with I&AM
platforms


AGENDA

5. Secure Meeting


ENDPOINT SECURITY
Host Checker Host Checker
 Support for hundreds of leading Third Party applications - Check devices before & during session
- Ensure device compliance with corporate policy
 AV, Personal Firewall, Anti-Spyware, Anti-Malware, - Remediate devices when needed
Windows patch checks, machine certificate checks +
Custom policy definition - Cross platform support
 Devices automatically learn latest signature versions from
AV vendors Home PC User Airport Kiosk User
 Check for AV installation, real-time protection status, SA Series
definition file age
 Varied remediation options to meet customer needs

Trusted Network Connect (TNC) architecture for
seamless integration with all TNC compliant endpoint - No Anti-Virus Installed - No anti-virus installed
security products/vendors - Personal Firewall enabled - No personal firewall
 Leverage existing endpoint security application - User remediated  install - User granted minimal
anti-virus access
deployments - Once installed, user
granted access
Antispyware Support with Enhanced Endpoint
Security (EES) Functionality
 Antispyware integrated from Webroot, the market leader
in antispyware solutions
Corporate PC User
Secure Virtual Workspace
 Creates protected virtual system for untrusted machine

Cache Cleaner - AV Real-Time Protection running
 Remove browser contents/history at conclusion of user - Personal Firewall Enabled
session - Virus Definitions Up To Date
- User granted full access


ANTISPYWARE SUPPORT WITH ENHANCED ENDPOINT
SECURITY (EES) FUNCTIONALITY
Number of newly discovered malicious programs are growing
Cost enterprises time, money, and productivity to quarantine and Antispyware /
remediate contaminated endpoints antimalware software
dynamically
Addressing growth in malware, SA and UAC now dynamically provisioned to
download antispyware/antimalware software to endpoints endpoints
 Regardless of user or location
SA Series
Antispyware integrated from Webroot, the market leader in
antispyware solutions UAC Series

Number of simultaneous endpoints that can use the feature will
depend on the optional subscription license ordered
Customer Benefits: Data &
Applications
Road
 Ensure only healthy devices are granted network access Warrior,
Malware
Partner, or
 Protect corporate resources from infected endpoints Employee
 Real time shield is always on with memory scan and virus
signatures
 Save IT time and money from correcting individual endpoints;
decrease user downtime that affects productivity


UAC-SA FEDERATION DIAGRAM
Campus HQ Wired/ Wireless
Data Center

IC Series UAC Appliance

2) SSL VPN talks to IC to 3) IC provisions access
L2 Switch let IC know of user session control rules on UAC
enforcement points Applications
and roles provisioned

SA Series SSL VPN ISG Series with IDP
LAN User
4) User accesses resources
1) Remote user logs into SSL protected by UAC with single
VPN login
SSL VPN provisions remote
access sessions Internet

• Consistent policies for remote and LAN access
• Policy servers that can share knowledge of users for intelligent
Remote User provisioning of access inside network


JUNIPER’S COORDINATED THREAT CONTROL
3 - SA identifies user 2 - Signaling protocol 1 - IDP detects
& takes action on user to notify SSL VPN of threat and stops
session attack traffic
Partner
Intermediated
traffic

Internet LAN

SA Series IDP
Tunneled
traffic
Employee

Correlated Threat Information Comprehensive Threat Detection
Coordinated Identity-Based Threat and Prevention
• Identity Response
• Endpoint •Ability to detect and prevent
• Access history • Manual or automatic response malicious traffic
• Response options: •Full layer 2-7 visibility into all
• Detailed traffic & threat • Terminate session traffic
information • Disable user account •True end-to-end security
• Quarantine user
• Supplements IDP threat
prevention


JUNOS PULSE

Dynamically provisioned software client for:
 Remote access
 Enterprise LAN access control
 WAN acceleration
 Dynamic VPN (for SRX)

Easy-to-use, intuitive user experience
Location aware with dynamic session
migration
Identity-enabled
Standards-based
Integration platform for select 3rd party Builds on Juniper’s
applications (e.g. Webroot antimalware) market leading SA Series
SSL VPN, UAC solution,
and WXC technology!


JUNIPER NETWORKS ICE FOR BUSINESS CONTINUITY

Meeting the peak in demand for remote access in the event of a disaster

Juniper Networks ICE delivers
 Proven market-leading SSL
Peak Demand
VPN
 Easy deployments
Number of Remote Users

 Instant activation
 Investment protection
 Affordable risk protection

What will you do
Average usage when your non-
remote users need
access?
Unplanned event Time

AGENDA

5. Secure Meeting


SECURE MEETING
INSTANT COLLABORATION/REMOTE HELPDESK
Easy to Use Web Conferencing
 Share desktop/applications Instant or scheduled online
 Group and private chat collaboration
Easy to Deploy and Maintain
 No pre-installed software required
 Web-based, cross platform
 Personalized meeting URLs for users
 https://meeting.company.com/ meeting/johndoe

Affordable – No usage/service fees
Secure
 Fully encrypted/secured traffic using
SSL
 No peer-to-peer backdoor
 User credentials protected

Remote Helpdesk Functionality
 Automatic desktop sharing/remote
control request


AGENDA

5. Secure Meeting


JUNIPER SSL VPN PRODUCT FAMILY
FUNCTIONALITY AND SCALABILITY TO MEET CUSTOMER NEEDS
Options/upgrades: Options/upgrades: Options/upgrades: Options/upgrades:
• 10-25 conc. users • 25-100 conc. users • 50-1000 conc. users • Up to 30K conc. users
• Core Clientless • Secure Meeting • Secure Meeting • Secure Meeting
Access • Cluster Pairs • Instant Virtual System • Instant Virtual System
• Network & Security • EES • SSL Acceleration • 4-port SFP card
Manager (NSM) • NSM • Cluster Pairs • 2nd power supply or
• EES DC power supply
• NSM • Multi-Unit Clusters
• EES
• NSM
Breadth of Functionality

Secure Access 6500
Secure Access 4500
Secure Access 2500
Designed for:
Designed for: Large enterprises & SPs
Designed for: Medium to large Secure remote, intranet
Secure Access 700 Medium enterprise enterprise and extranet access
Secure remote, intranet Secure remote, intranet Includes:
and extranet access and extranet access Core Clientless Access
Designed for: Includes: Includes: SAMNC
SMEs Core Clientless Access Core Clientless Access SSL acceleration
Secure remote access SAMNC SAMNC Hot swap drives, fans
Includes:
Network Connect

Enterprise Size
All models are now Common Criteria EAL3+ certified:
http://www.dsd.gov.au/infosec/evaluation_services/epl/network_security/juniper_networks_SAF.html

SECURE ACCESS FEATURES

Secure Meeting License
High Availability License
 Active-Passive or Active-Active support
 Stateful session failover

Enhanced Endpoint Security (EES) License
Advanced troubleshooting tools for quick issue resolution
 Policy trace, session recording, system snapshot, etc.

Granular Role-based administration
Detailed logging and log filtering
Config Import/Export
 Configuration backup/archiving

FIPS Certified Product Available


USEFUL LINKS

What’s New: New features in respective release.
http://www.juniper.net/techpubs/software/ive/releasenotes/6.5-whats_new.p

Supported Platforms:
http://www.juniper.net/techpubs/software/ive/releasenotes/SA-SupportedPl

Client Side Changes:
http://www.juniper.net/techpubs/software/ive/admin/6.5-ClientSideChanges


WHY JUNIPER FOR SSL VPN?

Core Competence in Performance, Scalability & HA
SSL-based Access  Differentiated hardware platforms
 Proven in tens of thousands of customer  Global & local stateful clustering
deployments!
 Compression, SSL acceleration, GBIC
 Market leadership/industry Awards
connectors, dual hot-swappable hard
 Product maturity disks, power supplies, and fans

Single Platform for All Ease of Administration
Enterprise Remote Access Needs  Centralized management
 Support for complex Web content, Files,  Granular role-based delegation
Telnet/SSH using only a browser
 Extensive integration with existing
 Client/Server applications
directories
 Adaptive dual transport method for  Native automatic endpoint remediation
network-layer access and password management integration

End-to-End Security
 Robust host checking capabilities
 Dynamic Access Privilege Management
 3rd party security audits


Juniper sa-sslvpn

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Juniper sa-sslvpn

Similar a Juniper sa-sslvpn (20)

Más de n|u - The Open Security Community

Más de n|u - The Open Security Community (20)

Último

Último (20)

Juniper sa-sslvpn

Notas del editor