Speaker notes
  • Need to authenticate users and certify endpoint compliance before provisioning user IP address/granting network access
  • Need to control access to mission critical applications and company sensitive data, allowing only authorized users/devices access
  • Need to populate user/role information in network infrastructure products for access to the network/applications
  • Must be able to identify guest users and to grant them appropriate access, but different access than employees

Transcript

  • 1. Win HealthCare Event, 20 March 2008: Unified Access Control (UAC)
  • 2.
    • Access Control Issues and Trends
    • The What, How and Why of Network Access Control (NAC)
    • Juniper Networks Unified Access Control (UAC)
    • What Analysts & Press Are Saying About UAC
    • Summary
    Agenda
  • 3. What is Network Access Control (NAC)?
    • Network access control MUST be a key component of any/every network today!
    • Network Access Control (NAC) provisions network (and application) access based on a user’s identity, the health and/or security state of their device, network location, what network groups or attributes they have been assigned, and their role
  • 4. Access Control Issues
    • Access increases: mobility driving dynamic network boundaries; widely diverse users and devices; unmanaged or ill-managed endpoints; mission critical network assets; harder to control/more demanding applications
    • Secure & resilient network experience decreases: explosive growth of vulnerabilities; patch-to-outbreak time getting shorter; new breed of threats can arrive with trusted users, devices, and traffic
    • Drivers: INCREASED THREAT VOLUME, FASTER OUTBREAKS, MORE TARGETS, CARELESS USERS, MALICIOUS ATTACKERS
  • 5. Trends in Access Control: Exploding access requirements = Rapidly dissolving network boundaries
    • Internet side: diverse users (Employees, Business Partners, Customers, Guests, Contractors); managed/ill managed endpoints; trusted/un-trusted traffic; worms, viruses, spyware, malware, Trojans and more
    • WAN access and remote access: solved by DMZ deployments of firewalls, IDP, SSL VPNs
    • Enterprise (Campus, Remote Offices/Branch Offices, Server Farms/Data Center): Business Applications, Email and Internal Resources accessed by diverse users (Employees, Business partners, Customers, Guests, Contractors)
      • Ill managed endpoints; lack of control
      • Trust is presumed, but unenforceable
      • Vulnerable servers are accessed by EVERY user population
    • Need for Comprehensive ACCESS CONTROL
  • 6. Why Network Access Control (NAC)?
    • Enterprises today are challenged by:
      • Network protection
      • Application level access control
      • Network visibility and monitoring
      • Guest user access
  • 7. Why Network Access Control (NAC)? Network Protection from Un-trusted/Unauthorized Users, Devices
    • Growing number of mobile users (employees, guests, others)
    • Unmanaged devices attempting network access
    • Network de-perimeterization
    • Explosion in newly detected vulnerabilities
    User mobility, explosion of mobile devices, and widespread use/deployment of unmanaged, distrusted devices threatens LAN security (Diagram: Corporate Office with Partner, Mobile Employee and Guest reaching Applications)
  • 8. Why Network Access Control (NAC)? Application Level Access Control
    • Lack control over application access
    • Protecting the network may not be as important as protecting applications and data
    • Regulatory compliance drives access control requirements
    Must ensure and prove only authorized users are able to access applications and data (Diagram: Corporate Office with Engineering Employee, Finance User and Guest; Finance Server and Engineering Resources; Guest access marked x)
  • 9. Why Network Access Control (NAC)? Network Visibility & Monitoring
    • Lack visibility into user resource access
    • Regulatory compliance drives the need to monitor, audit, and log user access to corporate resources
    Must know who is accessing and what is going on within the LAN – The first step to active enforcement (Diagram: Corporate Office with Partner, Guest and Finance User reaching Applications)
  • 10. Why Network Access Control (NAC)? Guest User Access
    • Guest user access continues to be a major challenge
    • Need to be able to regulate what guests can access, where they can go on the network
    Need to dynamically differentiate and enforce access for guest users (Diagram: Corporate Office, Guest, Applications)
  • 11. What is Juniper Networks - Unified Access Control (UAC)
    • Dynamic access control based on:
      • User identity
      • Device security state
      • Location
    • Enforcement Points
      • New/existing 802.1X infrastructure (switches, access points)
      • Layers 3-7 – Juniper firewalls/VPN
      • Combined L2 + L3-7 for maximum granularity
    (Diagram: the UAC Agent on the endpoint handles endpoint profiling, user authentication and endpoint policy; AAA servers and identity stores back the Central Policy Manager, which performs dynamic role provisioning; UAC enforcement points, 802.1X at admission and firewalls in front of protected resources, control user admission to network resources and user access to protected resources)
  • 12. Juniper Unified Access Control Components
    • Infranet Controller (centralized policy engine)
      • Authenticates users
      • Evaluates device configurations
      • Determines role
      • Makes access decision
      • Distributes access rules to enforcement points
      • Maintains communication with client during session
      • Hardened platform
      • Handles requests at Layer 2 (802.1X) and Layer 3 (EAPoHTTP, Web login)
      • Identity stores: MS Active Directory, LDAP, token, RADIUS, PKI, local database
      • EAP and RADIUS handling provided by Steel-Belted Radius® technology
    • Compliance checks
      • Pre-defined patch checks
      • Security software: antivirus, personal firewalls, spyware, antimalware
      • Windows Service Packs
      • System values: processes, file system entries, registry entries, MAC address
    • Client software: 3 ways to communicate with the Infranet Controller
      • UAC Agent – full or lightweight
      • Agent-less mode
      • Odyssey® Access Client Enterprise Edition (EE)
    • Enforcement points: multiple types
      • ANY Juniper firewall/VPN, secure router, IDP
      • ANY 802.1X compatible device: access points, switches (including Juniper’s EX-series Switches), other 802.1X devices
    • Layer 2 (802.1X) enforcement
      • Controlled access to the network
      • Access decision made on each connection
      • Access control at network’s edge, wireless and wired
      • Internal ports challenge each access attempt, just like remote access
      • Multi-vendor support
    • Layers 3 – 7 enforcement
      • Any Juniper FW/VPN, secure router, IDP platform
      • Provides in-network protection and post-admission policy compliance
      • Includes SSG and ISG with IDP (ScreenOS 5.4 or later)
      • 75Mbps to 30Gbps for wire speed policy enforcement in LAN
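The policy engine described on slides 11 and 12 (authenticate the user, evaluate the endpoint, determine a role, hand an access rule to the enforcement point) is easiest to understand as code. The block below is an added example, not Juniper code: the identity store, the patch identifier `KB000000`, the process name `unwanted.exe`, the VLAN numbers, the seven-day signature-age threshold and the location rule for the Finance role are all constructed assumptions. It shows the order of the decisions, the guest path that skips the host check (slide 27), and that a failed host check yields a Remediation role rather than a flat deny.

```python
"""Role assignment from identity, endpoint health and location, in the style of a NAC policy engine.

Added example, not Juniper code: the identity store, patch IDs, process names,
VLAN numbers and thresholds below are constructed for illustration.
"""
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

TODAY = date(2008, 3, 20)  # fixed clock so the example is deterministic

# Constructed identity store; a deployment would query AD/LDAP/RADIUS/PKI instead.
USERS = {
    "alice": {"password": b"s3cret!", "groups": {"engineering"}},
    "bob": {"password": b"hunter2", "groups": {"finance"}},
}
REQUIRED_PATCHES = {"KB000000"}          # hypothetical patch identifier
FORBIDDEN_PROCESSES = {"unwanted.exe"}   # hypothetical process name
MAX_SIGNATURE_AGE_DAYS = 7
ROLE_VLAN = {"Employees": 10, "Finance": 20, "Guest": 200, "Remediation": 99}


@dataclass
class Posture:
    """What a Host Checker style agent reports about the endpoint."""
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool
    installed_patches: Set[str]
    running_processes: Set[str]


@dataclass
class Request:
    username: str
    password: Optional[bytes]
    realm: str                      # "employee" or "guest"
    location: str                   # "wired", "wireless" or "remote"
    posture: Optional[Posture] = None


@dataclass
class Decision:
    role: str
    vlan: int                       # 0 = no access
    reasons: List[str] = field(default_factory=list)


def host_check(p: Posture, today: date = TODAY) -> List[str]:
    """Return the list of compliance failures (empty means compliant)."""
    failures = []
    if not p.av_running:
        failures.append("antivirus not running")
    if (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures stale")
    if not p.firewall_enabled:
        failures.append("personal firewall disabled")
    missing = REQUIRED_PATCHES - p.installed_patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    bad = FORBIDDEN_PROCESSES & p.running_processes
    if bad:
        failures.append("forbidden processes: " + ", ".join(sorted(bad)))
    return failures


def decide(req: Request, today: date = TODAY) -> Decision:
    """Authenticate, check the endpoint, then pick a role and the VLAN the enforcement point gets."""
    if req.realm == "guest":
        # Guests are authenticated by the guest realm without an endpoint check
        return Decision("Guest", ROLE_VLAN["Guest"], ["guest realm: endpoint check skipped"])
    user = USERS.get(req.username)
    if user is None or req.password is None or not hmac.compare_digest(user["password"], req.password):
        return Decision("Deny", 0, ["authentication failed"])
    if req.posture is None:
        return Decision("Remediation", ROLE_VLAN["Remediation"], ["no endpoint posture reported"])
    failures = host_check(req.posture, today)
    if failures:
        # Compliance failure: a remediation VLAN rather than a flat deny, so the agent can fix the endpoint
        return Decision("Remediation", ROLE_VLAN["Remediation"], failures)
    role = "Finance" if "finance" in user["groups"] else "Employees"
    if role == "Finance" and req.location != "wired":
        # Location-based downgrade: finance resources only from wired campus ports (assumed policy)
        return Decision("Employees", ROLE_VLAN["Employees"], ["finance role requires a wired port"])
    return Decision(role, ROLE_VLAN[role])


def compliant_posture() -> Posture:
    """Constructed sample: fresh signatures, firewall on, required patch present."""
    return Posture(True, date(2008, 3, 18), True, {"KB000000"}, {"explorer.exe"})


def stale_posture() -> Posture:
    """Constructed sample: signatures seven weeks old and a forbidden process running."""
    return Posture(True, date(2008, 2, 1), True, {"KB000000"}, {"explorer.exe", "unwanted.exe"})
```

The `reasons` list is what an agent would show the user (and what the IC would log); the `vlan` is the only thing a Layer 2 enforcement point needs, while a Layer 3-7 firewall would map the same `role` to its own rule set.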
  • 13. Juniper UAC Components: Juniper Infranet Controller
    • Infranet Controller 4000 (IC 4000)
      • High Availability
      • Scalability: cluster pairs
    • Infranet Controller 6000 (IC 6000)
      • High Availability
      • Scalability: multi-unit clusters
      • Unique hardware features
        • Hot swappable, field upgradeable power supply
        • Field upgradeable hard disk
  • 14. Juniper UAC Components: UAC Agent
    • Layer 2 (802.1X Client/Supplicant)
      • Layer 2 authentication and 802.1X device support
      • Profiles endpoint and authenticate user before assigning a VLAN
      • Includes Host Checker, Personal Firewall (Host Enforcer), Auto-Remediation (Windows)
      • Microsoft Windows XP, 2000, and Windows Vista support
    • Layer 3 (Firewall, IPSec & SourceIP Enforcement)
      • Integrated endpoint compliance/remediation
      • Trusted Network Connect (TNC) support
      • Includes Host Checker, Personal Firewall (Host Enforcer), Auto-Remediation (Windows)
    • Windows Single Sign-On
      • Eliminates user intervention when signing in
      • UAC Agent can use Windows credentials to automatically sign user/device into the IC
    • IPSec Transport
      • Provides authenticated and potentially encrypted transport
      • Native IPSec service, support for NAT-T
    • Diagnostics
      • IPsec Diagnostics & Configuration
      • Agent Diagnostics
      • Personal Firewall (Host Enforcer) Configuration
    IPSec Encryption: 3DES, DES or null (null is the authenticated-but-unencrypted transport referred to above)
  • 15. Juniper UAC Components: UAC Agent-less Support
    • Dynamically downloaded persistent lightweight UAC Agent
    • Web based clientless access
    • Cross-platform support
      • Microsoft Windows
      • Apple Mac OS
      • Linux
      • Solaris
    • Includes Host Checking
    Secure, Controlled Cross Platform Network/Application Access for ALL Endpoints = Peace of Mind
  • 16. Juniper UAC Components: Enforcement Points
    • ANY vendor’s 802.1X-enabled switches, access points, or devices, INCLUDING Juniper’s EX-series Switches
      • Simplifies access control deployment
      • Protects investment in existing infrastructure
      • Enables ongoing, best-in-class infrastructure choices
    • ANY Juniper Firewall/VPN platforms
      • Scalable enforcement points
        • Branch, Campus LAN, Data Center
          • 75Mbps to 30Gbps
      • Leverage post authentication
        • DOS Protection, Deep Packet Inspection
        • Antivirus Capabilities, Content Management
        • Intrusion Detection and Prevention
      • Captive Portal
        • Hotel room experience
    Vendor-agnostic Layer 2/802.1X wired/wireless, Layer 3-7 overlay, or combination
  • 17. Juniper UAC & EX-series Ethernet Switches
    • Policy enforcement provided by EX-series switches and SSG/ISG Firewalls
    • IC can push policy name to EX-series switches for dynamic configuration based on user or device
    • Policy on EX-series can enforce specific QoS queuing or scheduling policies, VLAN assignment, or any other port configuration parameter
    (Diagram: UAC Agent, 802.1X Switch, Firewall, Protected Resources; AAA and Identity Stores feed the IC, which performs dynamic role provisioning from user, endpoint and location-based policies)
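Slide 17 (policy name and VLAN pushed to the switch) and slide 27 (VLAN and RADIUS attribute based policies) both come down to what the IC puts in the RADIUS Access-Accept. The block below is an added example, not Juniper code: it builds an Access-Accept carrying the standard VLAN tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID from RFC 2868/3580), computes the Response Authenticator of RFC 2865, and parses the packet the way a switch would, refusing the VLAN if the authenticator does not check out. The shared secret, request authenticator, VLAN 10 and the `Filter-Id` policy name are constructed values; whether a particular switch reads the policy name from Filter-Id or from a vendor-specific attribute is deployment-specific and is an assumption here.

```python
"""Build, authenticate and parse a RADIUS Access-Accept that assigns a VLAN.

Added example, not Juniper code. Packet layout per RFC 2865, tagged tunnel
attributes per RFC 2868, VLAN values per RFC 3580. Secret and authenticator
below are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
FILTER_ID = 11                 # assumed carrier of the policy name in this example
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868 section 3.2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_integer(tag: int, value: int) -> bytes:
    # RFC 2868 tagged integer: one tag byte followed by a 24-bit big-endian value
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(tag: int, value: str) -> bytes:
    return bytes([tag]) + value.encode("ascii")


def strip_tag(value: bytes) -> bytes:
    # RFC 2868: a leading byte <= 0x1F is a tag; anything larger is part of the value
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes a switch needs to place the port into vlan_id."""
    return (attribute(TUNNEL_TYPE, tagged_integer(tag, TUNNEL_TYPE_VLAN))
            + attribute(TUNNEL_MEDIUM_TYPE, tagged_integer(tag, TUNNEL_MEDIUM_IEEE_802))
            + attribute(TUNNEL_PRIVATE_GROUP_ID, tagged_string(tag, str(vlan_id))))


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Server side: Code, Identifier, Length, ResponseAuth, Attributes."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client (switch) side: recompute the ResponseAuth and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def vlan_from_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> Optional[int]:
    """Switch side: only honour the VLAN if the packet authenticates and the tunnel type is VLAN over 802."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("response authenticator mismatch: not from the RADIUS server we asked")
    tunnel_type = tunnel_medium = group_id = None
    for attr_type, value in parse_attributes(packet):
        if attr_type == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(strip_tag(value), "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            tunnel_medium = int.from_bytes(strip_tag(value), "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group_id = strip_tag(value).decode("ascii")
    if tunnel_type == TUNNEL_TYPE_VLAN and tunnel_medium == TUNNEL_MEDIUM_IEEE_802 and group_id:
        return int(group_id)
    return None


if __name__ == "__main__":
    secret = b"shared-secret"                      # constructed
    request_auth = os.urandom(16)                  # the switch chose this in its Access-Request
    attrs = attribute(FILTER_ID, b"employee-policy") + vlan_attributes(10)
    accept = build_access_accept(7, request_auth, secret, attrs)
    print(accept.hex())
    print("VLAN:", vlan_from_accept(accept, request_auth, secret))
```

The authenticator is the only thing that ties the Access-Accept to the switch's own request and to the shared secret; a switch that skipped `verify_response` would take a VLAN from any host able to spoof the server's address, which is why the parser refuses to return one before the check passes.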
  • 18. UAC: Standards-based (TNC)
    • Open architecture for network access control
    • Suite of standards to ensure interoperability
    • Work Group in Trusted Computing Group (TCG)
    • Open standards
    • Leverages existing network infrastructure
    • Roadmap for the future (i.e., TPM)
    • Products supporting TNC standards shipping today
    (Diagram of the TNC architecture: Access Requester (AR) = UAC Agent on the endpoint; Policy Enforcement Point (PEP) = the wired and wireless network perimeter devices; Policy Decision Point (PDP) = the Infranet Controller)
  • 19. UAC: Advanced Network Protection
    • Comprehensive, vendor-agnostic, standards-based access control addresses unmanageable devices and delivers automatic remediation
    • Support for heterogeneous 802.1X environments
    • Open, standards-based solution
      • 802.1X, RADIUS, IPSec, Trusted Network Connect (TNC), etc.
    • Uses proven, best-in-class products as a foundation
      • Secure Access SSL VPN, OAC, SBR
    • Dynamically downloaded clients
    • Agent-less mode
    • Comprehensive endpoint assessment checks
    • Extended auto remediation support
    • Dynamically addresses unmanageable endpoint devices
  • 20. UAC: Advanced Network Protection – Coordinated Threat Control
    • Leverages full Layer 2 – Layer 7 visibility into application traffic, minimizing downtime and delivering ability to:
      • Restrict network access
      • Quarantine malicious users/infected devices
      • Disable the user session
      • Log the event and notify administrators
    • Leverage Juniper IDP to isolate threats to the user or device level, then employ specific, configurable policy actions against the user or device:
      • Step 1: Standalone IDP detects network threats
      • Step 2: Signals anomaly information to Infranet Controller (IC)
      • Step 3: IC correlates network threat to specific user/device
      • Step 4: IC takes appropriate access control action
    (Diagram: Data Center, Campus HQ, Wired/Wireless, Internet, Applications, User)
  • 21. UAC: Application Level Access Control
    • Controls access to mission critical applications and sensitive data, allowing access to only authorized users and devices
    • Granular application access control
    • High performance, multi-user sessions
    • Cross platform solution with captive portal capabilities
    • Layer 3 persistent UAC Agent (Mac, Linux)
    • Dynamic IPSec for optional encryption
    • Ability to address large data center deployments
    (Diagram: Corporate Office; Engineering Employee in the Engineering Role reaching Engineering Resources; Finance Server)
  • 22. UAC: Network Visibility & Monitoring
    • Identity-enabled profiler
      • User/role information + network/application usage
    • Dynamic role-based security policies
      • IDP, antivirus, spyware, antispam
    Populates user/role information in network infrastructure products for access to network/applications (Diagram: Corporate Office with Guest and Finance User; Finance Server, Engineering Resources)
  • 23. User Visibility Correlation Workflow
    • 1. User logs in to access resources
    • 2. IC authenticates user and sends logs to ISG/IDP (IC profile and IC logs carry the user info)
    • 3. ISG/IDP receives IC and Profiler logs (Profiler data carries the app info)
    • 4. ISG/IDP sends both logs to NSM
    • 5. NSM correlates User with Application logs (Log Viewer with UAC logs; Profiler data with user and application correlation)
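Slide 20 (IDP alert correlated to a user/device, then an access control action), slide 23 (IC session logs joined with Profiler data) and slide 26 (per-user application view) all rest on the same join: an IP address in an event, matched against the IC's session table at the time of the event. The block below is an added example, not Juniper, NSM or IDP code; the session table, the key=value alert and flow lines, and the severity-to-action policy are constructed. It deliberately reuses one IP address across two sessions so that the time dimension of the join is visible, and it escalates rather than acts when the source cannot be attributed to a session the IC owns.

```python
"""Correlate IDP alerts and Profiler flow records with Infranet Controller sessions.

Added example, not Juniper code: the IC session export, the IDP alert and
Profiler flow formats, and the action policy below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    role: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None = still signed in

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t < self.end)


# Constructed IC session log. 10.1.1.10 is reused by bob after alice signs out,
# so an IP alone does not identify a user; the event time is needed as well.
SESSIONS = [
    Session("alice", "Employees", "10.1.1.10", datetime(2008, 3, 20, 8, 0), datetime(2008, 3, 20, 12, 0)),
    Session("bob", "Finance", "10.1.1.10", datetime(2008, 3, 20, 12, 30), None),
    Session("guest01", "Guest", "10.1.200.5", datetime(2008, 3, 20, 9, 0), None),
]

# Constructed key=value records in the shape of IDP alerts and Profiler flow exports.
IDP_ALERTS = [
    "time=2008-03-20T09:30:00 src=10.1.1.10 dst=198.51.100.25 severity=critical attack=SMTP:MASS-MAILER",
    "time=2008-03-20T13:00:00 src=10.1.1.10 dst=10.1.5.5 severity=high attack=SMB:BRUTE-FORCE",
    "time=2008-03-20T13:05:00 src=10.1.200.5 dst=10.1.5.5 severity=medium attack=HTTP:SCAN",
    "time=2008-03-20T13:06:00 src=10.1.200.5 dst=10.1.5.5 severity=high attack=SMB:BRUTE-FORCE",
    "time=2008-03-20T13:10:00 src=10.9.9.9 dst=10.1.5.5 severity=high attack=SMB:BRUTE-FORCE",
]
PROFILER_FLOWS = [
    "time=2008-03-20T09:00:00 src=10.1.1.10 app=HTTP bytes=1200",
    "time=2008-03-20T09:05:00 src=10.1.1.10 app=SMTP bytes=50000",
    "time=2008-03-20T13:02:00 src=10.1.1.10 app=SMB bytes=800",
    "time=2008-03-20T13:03:00 src=10.1.200.5 app=HTTP bytes=300",
]

# Constructed policy mapping severity to the actions the slide lists.
ACTIONS = {
    "critical": "disable-session",
    "high": "quarantine",
    "medium": "log-and-notify",
    "low": "log",
}


def parse_record(line: str) -> dict:
    fields = dict(token.split("=", 1) for token in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def find_session(ip: str, at: datetime, sessions: List[Session]) -> Optional[Session]:
    """Return the single session that owned ip at time at; None if none or ambiguous."""
    hits = [s for s in sessions if s.ip == ip and s.active_at(at)]
    return hits[0] if len(hits) == 1 else None


def handle_alert(line: str, sessions: List[Session] = SESSIONS) -> Dict[str, Optional[str]]:
    """Steps 2-4 of slide 20: attribute the alert to a session, then choose the action."""
    alert = parse_record(line)
    session = find_session(alert["src"], alert["time"], sessions)
    if session is None:
        # Unattributed source: nothing for the IC to act on; escalate to an administrator instead
        return {"user": None, "role": None, "action": "log-unattributed", "attack": alert["attack"]}
    action = ACTIONS.get(alert["severity"], "log")
    if session.role == "Guest" and action == "quarantine":
        action = "disable-session"  # guests get no remediation path, so end the session instead
    return {"user": session.user, "role": session.role, "action": action, "attack": alert["attack"]}


def app_usage_by_user(flows: List[str] = PROFILER_FLOWS,
                      sessions: List[Session] = SESSIONS) -> Dict[str, Dict[str, int]]:
    """Slides 23/26: bytes per application per user, joined on IP and time."""
    usage: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in flows:
        flow = parse_record(line)
        session = find_session(flow["src"], flow["time"], sessions)
        owner = session.user if session else "unattributed"
        usage[owner][flow["app"]] += int(flow["bytes"])
    return {user: dict(apps) for user, apps in usage.items()}


if __name__ == "__main__":
    for alert_line in IDP_ALERTS:
        print(handle_alert(alert_line))
    print(app_usage_by_user())
```

The ambiguity rule in `find_session` matters in practice: if the session table has two overlapping entries for one address (stale logout records, NAT in front of a segment), acting on the first match would disable the wrong user, so the function returns nothing and the alert is escalated rather than auto-actioned.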
  • 24. Application Profiler
  • 25. Network Profiler
  • 26. Identity Enabled Profiler – Key Features
    • Correlates users with applications
      • Ability to correlate UAC logs (user info) with Profiler data
      • Users have a view into what apps are being used at a user level
    • Visible in Profiler
      • Full profiler support
      • Users can view data in Application and Network view
    • Better understanding of user level behavior in network
      • Allows administrators to monitor user behavior and see what apps are being used the most
    • Log viewer gives you reporting capabilities
      • Ability to view and generate built-in/custom reports based on users
    • Better enforcement of policies
      • With visibility into user behavior admins can take appropriate action and create security policies to block certain apps
  • 27. UAC: Guest User Access
    • Dynamically identifies guest users, assigns roles, grants guests appropriate, differentiated network access
    • Create guest accounts on the Infranet Controller
    • Supports guest user authentication without endpoint checking
    • Provides single client for wired and wireless access
    • Delivers cross-platform agent-less mode
    • Support for all access points and switches, providing VLAN and RADIUS attribute based policies
    (Diagram: Corporate Office; Guest in the Guest Role, Enforcement, Applications)
  • 28. UAC: Quick, Easy Deployment
    • Simplifies access control deployments
      • Downloads UAC agent based on role – agent-based or agent-less
      • Extended authentication protocol support
    • Enables phased approach to access control deployments, leveraging existing network infrastructure and components
    • Open, standards-based solution
      • 802.1X, RADIUS, EAP, IPSec, Trusted Network Connect (TNC), etc.
    • Uses proven, best-in-class security and access control products as a foundation
      • Secure Access SSL VPN, Odyssey® Access Client (OAC), Steel Belted Radius® (SBR)
    • Delivers consistent user and administrator experience
  • 29. Juniper UAC Certifications and “Best Practices”
    • Security Audits – Public and private 3rd party independent security assessments
    • Security and Deployment Concerns for Access Control, and the Essential Security Practices that address them:
      • Concern: The Unified Access Control solution provides fine-grained security control for users and systems. Practice: Dynamic access privilege management (fine grain security control) leverages a backend AAA infrastructure for policy enforcement.
      • Concern: The Unified Access Control solution provides protection from both infected endpoints and malicious attackers. Practice: The solution can verify the usage of external modules, system settings, running processes, and binaries/binary checksums in order to identify and classify infected or unknown endpoints; security precautions are utilized to protect communication with these external programs. The solution protects integrity and confidentiality of secured communication from active attackers on the protected client’s network.
      • Concern: The Unified Access Control solution uses a secure deployment model. Practice: The Infranet Controller appliances run the IVE platform, which uses a hardened and minimized operating system and strong run-time protections against attacks on network services. Infranet Agent deployment does not expose users to network or local privilege escalation or information disclosure security risks. The default Agent distribution mechanism cryptographically protects against middle person attacks and server impersonation attacks.
      • Concern: The Access Control solution uses strong security protocols, proven security technologies, and requires minimal impact on existing networks. Practice: Enforcement of the security policies relies on stateful firewall rules for packet acceptance or rejection. 3rd party network resources (e.g. upgrades to switches, routers, printers) are not required for a secure end point deployment.
    Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
  • 30. UAC: Flexible, Standards-based Access Control
    • Flexible solution to support access control in distributed networks (Data Center, Campus HQ, Wired/Wireless, Branch Office, Internet, Applications)
    • Dynamically handles guests, partners, contractors, unmanageable devices
    • Mitigate threats by controlling access across wired/wireless networks
    • Centralized validation, distributed enforcement
    • Leverage IDP for correlating network threat information to dynamically protect the network
    • Control access to applications
    • Gain visibility and control for user/device access to network, resources and applications
  • 31. What the Experts Are Saying About UAC
    • “All in all, this is a big announcement. You have added a lot of horsepower to it,” says Aaron Vance, senior analyst for the Synergy Research Group, about UAC 2.1
    • “[N]etwork access control presents [a] significant growth opportunity to the company and UAC could quickly evolve into its flagship security offering. This release helps Juniper remain competitive in a crowded market and better leverage its broader security portfolio,” writes Andrew Braunberg, an analyst with consultancy Current Analysis, on UAC 2.1
    • “As for technology solutions users should keep their guard up. Everyone is in this business and promising the moon. Look for open comprehensive solutions that can address immediate threats and then scale gracefully over time. Juniper Networks is one vendor that can meet these requirements,” writes Jon Oltsik, analyst with the Enterprise Strategy Group (ESG)
    • “Juniper took the brain trust from Funk [Software], combined it with a lot of expertise in SSL VPN policy definition, and came up with a solid and credible first stab at the NAC policy-management problem,” says Joel Snyder, senior partner for Opus One, a security consulting firm
  • 32. UAC: Ripped from the Headlines
    • “Juniper Networks is updating its Unified Access Control (UAC) technology in a new release that expands the capabilities and definition of what network access control is all about.” – 10/8/07 – Juniper Redefines Network Access Control – Internetnews.com (By Sean Michael Kerner) http://www.internetnews.com/infra/article.php/3703766
    • “Andrew Braunberg, senior analyst at Washington, D.C.-based research firm Current Analysis, said Juniper's UAC updates will continue to make Juniper a worthy competitor in the network access control market.” – 10/11/07 – Juniper Updates Network Access Control – SearchNetworking.com (By Andrew R. Hickey, News Editor) http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci1276216,00.html
    • “Juniper Networks …is adding tighter integration within its security portfolio by tying its network access control and intrusion prevention technologies together.” – 10/8/07 – Juniper Links NAC, Intrusion Prevention – ChannelWeb (CMP Channels) (By Jennifer Hagendorf Follett) http://www.crn.com/security/202300203
    • “So if IDP picked up on a certain machine blasting out thousands of e-mails, for instance, that information would be shared with the Infranet Controller, which could quarantine the machine, end its session or simply log the event. Operating alone, IDP drops malicious packets but doesn’t deal with their source. This is a good addition to Juniper’s NAC offering…” – 10/8/07 – Juniper's NAC upgrade takes action against machines behaving badly – Network World (By Tim Greene) http://www.networkworld.com/newsletters/vpn/2007/1008nac1.html
  • 33. UAC: Ripped from the Headlines
    • “We chose Juniper's UAC 2.0 for this test drive because it claimed to use TNC standards to interoperate in a diverse multi-vendor environment. By the end, we were pleased to have implemented nearly all of our planned policies, using most of the switches and APs that we happened to try.” – 6/25/07 – Bolting the Back Door with NAC – ISP Planet (By Lisa Phifer) http://www.isp-planet.com/technology/2007/nac_4f.html
    • “Juniper takes NAC to the next level with the integration between the UAC appliance and Juniper’s ScreenOS-based firewall product line but only inside the TCG/TNC NAC framework. Using Juniper’s access control model, you not only separate users based on VLANs, you also scatter firewalls inside your network to provide full stateful firewall rules for each user.” – 4/19/07 – NAC Enforcement Tools Fall Short – Network World (By Joel Snyder) http://www.networkworld.com/reviews/2007/041907-nac-enforcement.html?page=3
    • “Juniper brought in a NetScreen 5GT firewall and developed a more elegant solution for guest users based on the standard tools built-in to ScreenOS and the UAC appliance. Because the ScreenOS operating system inside of the firewall is tied closely to the Juniper UAC appliance, the firewall was able to cooperate with the UAC appliance and create a captive portal environment that was closely tied to the policy tools within the UAC.” – 4/19/07 – NAC Authentication with XP Clients is a Snap – Network World (By Joel Snyder) http://www.networkworld.com/reviews/2007/041907-nac-authentication.html?page=3
  • 34. Juniper Unified Access Control (UAC)
    • Advanced Network Protection
      • Dynamically addresses unmanageable endpoints
      • Dynamic, session-specific access policy by user
      • Extended automated remediation capabilities
      • Pre-defined patch management checks
      • Coordinated Threat Control
      • Robust, dynamic agent with cross platform support
      • Agent-less deployment
      • Guest networking
    • Control, Visibility, Monitoring
      • Identity-enabled profiler
      • Role-based threat management policies
      • Dynamic access and threat control
      • Granular auditing and logging
    • Simple, Flexible Access Control
      • Open, standards-based solution
      • Based on industry-proven, best-in-class security and access control products
      • Downloadable UAC Agent based on role – agent-based or agent-less
      • Open architecture support (TNC)
      • Dynamically download pre-configured UAC Agent
      • Reduces security, compliance and continuity risks
      • Improves security policy enforcement for dynamic set of users and devices across the extended enterprise
      • Eliminates inefficiencies that increase costs and reduce productivity
    Reducing Cost and Complexity While Protecting Networks and Applications
  • 35. Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net