Unified Access Control
Agenda: Enterprise Trends; Enterprise Pain Points; Juniper’s Unified Access Contr...
Enterprise Trends: INCREASED THREAT VOLUME; FASTER OUTBREAKS; MORE TARGETS. Mobile devices transiting the LAN perimeter; Wide...
Enterprise Results: Skyrocketing security costs; loss of productivity with downtime. Employees; ...
Why Control Access? Pain; Access Control; Phased 802.1x rollout; Regulation/Compliance; Diversity of endpoints; Changing atti...
Why is this technology so important?? Dynamic Network Boundaries – Location Complication; Mob...
This market is exploding!! But don’t believe us… “Nearly 40% of all large enterprises are looking to implement a solutio...
Problems Facing Access Control Adoption: Must tie user identity, device state and network info to access; ...
The Solution: Unified Access Control. Infranet Agent (IA); Comprehensive enterprise integration; AAA Servers; Identity Stores ...
Infranet Controller Overview: Easy out-of-the-box deployment; Centralized Policy Mana...
Infranet Agent: Lightweight client downloaded automatically to Windows endpoints; Several easy ins...
Infranet Agent Benefits: Windows Single Sign-On; Used with Active Directory or Windows NT Doma...
Infranet Agentless: Web based clientless access; Provides: Access from machi...
Phase One Infranet Enforcers: Phase 1 incorporates Juniper FW/VPN platforms; Screen OS 5.3 Softwar...
How it works... User connection (Agent); Data Center: Mission critical apps, File Servers, ERP, CRM etc; AAA Servers (Active ...
Problem: Need to tie user identity, device state and network info to access. Juniper’s Unified Access Control solut...
Problem: Must enable true security, throughout the session. Comprehensive endpoint Host Checks; ...
Problem: Must enable true security, throughout the session. Remediation site makes it easy for users to comply with...
Problem: Need to enable security TODAY. Unified Access Control solution; Enables phased deploy...
Problem: Need it to “just work” – for the enterprise and the users. The solution is cross platform; ...
Competitive Positioning: You KNOW we don’t like Cisco…so don’t listen to us. Juniper's approach to the NNV conundrum can b...
UAC Use Cases: Deployed for dynamic access control to datacenter resources; Part of e...
UAC Use Cases: Vendor access from unmanaged endpoints needs to be controlled; Machine...
EMEA Case Study: Regional government; Why they bought; Thin client computing ...
EMEA Case Study: Secure Printing; Compliance concerns over print jobs traveling in the clear over ...
Consider UAC 1.x when: You are interested in LAN access control with 802.1x, but; Haven’t roll...
Layer 2 Access Control Offerings: Odyssey Access Client & Steel-Belted Radius; SBR; 802.1X
Value Proposition for Odyssey (OAC) 802.1x Supplicant: Ideal for large scale enterprise-wide deployments; ...
Value Proposition for Steel Belted Radius: Most flexible, reliable RADIUS server; Performance – ca...
UAC 1.X: Review of how it works today. AAA Servers; Identity Stores; Enforcers; Infranet Agent; Infranet Controller 1. 2. 3 ...
UAC 2.0: Layer 2 + Layer 3. The future of Unified Access Control. AAA Servers; Identity Stores; Enforcers; Infranet Agent w/Int...
UAC 2.0: Comprehensive Control. Open APIs; IPSec; Open APIs; Standards; 802.1x; RADIUS; Standards; Security Software; Supplicant...
Benefits of UAC with L2 Access Control: Standards Based Solution; Support for enforcement on v...
Summary - Juniper’s UAC Solution Delivers: LAN Access Control today without requiring an 802.1x rollout; ...
Thank you!
Unified Access Control Sales Presentation

  • This slide is animated. This slide also includes A LOT of speaker’s notes. At the bottom of the primary script, you’ll find statistics and information that you can use to help to prove these statements, should that be required. There are also graphic statistic slides in the backup section, should you need them. It helps to see how the need for access control evolved. Click It began as enterprises sought to provide more and more access to network resources, to an increasingly large audience in order to save time and raise productivity. As access increased, so too did the diversity of user types, including remote/mobile employees, business partners, customers, contractors and more. This meant that access was provided to a broad range of endpoints…some unmanaged, some badly managed, and some, like those belonging to customers or partners, fundamentally unmanageable. Add to this trend the fact that mobile devices are now regularly transiting the LAN perimeter. You might not think about this, but when you take your laptop home at night, then bring it back into the network in the morning, you have completely bypassed all the perimeter safeguards that the enterprise has put in place. In fact, Forrester estimates that about 60% of network threats walk through the door like this. And finally, in an effort to make resources easy to access and manage, companies are consolidating their resources. This makes great sense from a productivity point of view, but it also makes these resources into a single juicy target. CLICK It’s no surprise, then, that as access increases, security will decrease. Click Attacks are increasing in volume - 11% QoQ increase in new vulnerabilities – Q2,’05 SANS. And in speed: Zotob took 96 hours from patch to full outbreak. The very thing we did to increase productivity, more access to more people to more resources, is now working against us. And when systems go down and access is lost, work stops.
Productivity is lost due to downtime, and security costs skyrocket. *************************************************************************** Facts and statistics Many enterprise users are mobile According to Topic Overview: Enterprise Mobility Forrester Research, March 2006, penetration within organizations that use mobile applications is strong — on average, 22% of the workforce uses mobile applications like mobile email and calendaring, field force automation, and logistics. This means that: Employee PCs go in and out of the LAN Business partners’, guests’ and contractors’ devices do too Internet use is pervasive According to InternetWorld Stats, Internet usage has grown 183.4% between 2000 and 2005 Security breaches are growing According to Deloitte Touche Tohmatsu: More than three-quarters (78 percent) of financial institutions reported a security breach from outside the organization in the past year, up from 26 percent in 2005; almost half (49 percent) experienced at least one internal breach, up from 35 percent in 2005. More than one quarter (26 percent) of life sciences & health care companies experienced a breach of their security systems within the past year (17 percent external breaches and 9 percent internal breaches). There are additional graphical slides that show the growth of threats, the cost of breaches, and the cost of downtime at the end of this presentation.
  • This slide is animated. This slide shows the key five enterprise network segments. Let’s first look at the segments that involve users, then we’ll look at the ones that involve the LAN itself. Users coming into the LAN first showed up as a problem in the extended enterprise, with remote users logging into the LAN using IPSec VPN tunnels and bringing in all kinds of nastiness with them. The problem just got compounded as the audience that needed access extended to third parties, like business partners or customers. Next, the LAN itself. Just as you bypass perimeter security when you come into the enterprise and log directly into the LAN, so do guests, customers, and contractors. This is the area where Forrester tells us 60% of threats walk in the door. When we look at the distributed enterprise, the situation is the same as that in the LAN, but a bit worse. This is because you have all the same audiences, and people transiting the perimeter, but you cannot presume the same level of security and control in a branch office that you would find in headquarters. In all of these areas, if we could guarantee a consistent level of security across the endpoints, and a means to restrict those that don’t meet this level to a “safe” set of LAN resources, we could go a long way toward solving the problem. Now, let’s look at the LAN itself. First, the data center. As we mentioned, the move to consolidate has great productivity benefits, but it also has great security risks. And finally, the Internet. Forrester predicts that the remaining 40% of network threats come from people surfing the Web. In these locations, we could solve much of the remaining problems by simply ensuring that users would have to have a sufficient level of security on their endpoints before we let them access these resources. CLICK Now let’s look at the solutions.
We solved the problem of mobile/remote/third party access with our Secure Access SSL VPN, which provides a means to check endpoint security, very granular access control, and an access method. Remember – if you need access control with an access method, you need SSL VPN CLICK The rest of the segments really need access control
  • This slide is animated. Here is another way to look at the need for access control. Access control is a sub-set of network security. So why deploy it at all? [click] Most security is installed as a response to Pain – pain being a positive indication to change or respond to something. For access control the story often starts with securing wireless networks - where we need to control who is gaining access to network assets. This has led to the proliferation of 802.1x as a port-based access control methodology that has evolved from the wireless to the wired network. However, making all your ports 802.1x compliant can take a considerable amount of planning and deployment time. Increasingly, compliance with both industry regulation and legislation is also driving a pain-response couplet. [click] This also leads to a changing attitude to risk – compliance, along with recent breaches, the location complication of a mobile workforce and more demanding applications all contribute to the risk stance at any part of the network changing. Response to the mobile workers has largely been solved by SSL VPNs with a blend of AAA, endpoint, secure transport and granular roles-based access to applications bringing an access mechanism (with some control). [click] Couple this to the increasing diversity of endpoints and operating systems and the requirement that users access our network with devices with which we have no management relationship, and this leads to two key responses: Layer 2 or Layer 3-7 access control, each with their unique strengths.
  • This slide is animated. So why is access control so important today? CLICK Dynamic Network boundaries. A much more mobile workforce, users needing to work from a variety of locations, drop-in workers, contractors, auditors, partners etc. all need differentiated and auditable access to our network. All this from a diversity of endpoints. Simple port-based access control can have issues in these cases, especially in the deployment of 802.1x supplicants. Also, these people may be bringing threats into the very heart of a network and therefore it’s a good idea to be able to regulate their access while allowing them to be as productive as possible. CLICK Sophisticated attacks. Even with our layered responses to emerging threats we still need to be cautious of day-zero attacks (when an exploit is first seen ‘in the wild’); even more than this, highly targeted attacks (crimeware) may only target 5 people in an organisation and so AV companies etc. will never have them reported or attracted to their honey-nets. CLICK Applications. VoD, P2P, IM, and non-standard VoIP with port-hopping protocols that appear like legitimate traffic can sometimes make the enforcement of acceptable usage policy difficult. This is where vendors who have both a breadth and depth of solutions together with added awareness between portfolio elements can really deliver value into a network and therefore the business. CLICK Bad people. Money-led hacking – using careless people – the unwitting agents of catastrophe. Access control helps these users make the right decision by offering a higher degree of control and security.
  • This slide is animated, although you don’t have to click on anything. The purpose of the slide is to show that the market is predicting the rise of this segment, not just us because we are selling something.
  • The purpose of this slide is to show the barriers to adoption of access control. It also sets up the “problem” section, which we will pay off in the upcoming “solution” slides. Background on the slide includes the same basic facts on the difficulties intrinsic to widespread access control deployment. The users/devices: some users/devices cannot be managed; not all resources should be accessible to all users. The network: all networks have a unique architecture, so a “one config fits all” solution won’t work; most networks are heterogeneous, so a one-vendor solution won’t work; networks need a phased approach, since you cannot rearchitect the entire network at once. The vendors: many offerings are built on new, non-field-tested technologies; many offerings are from startups.
  • THIS SLIDE IS ANIMATED Juniper’s Unified Access Control is an easy-to-deploy solution that solves the problems of deploying access control today. Here is an overview of the products and what they do…we’ll go into more detail on the solution in later slides. CLICK The Infranet Controller is the access control decision point. It will automatically provision the dynamic download of the Infranet Agent, if that is required – the IA only needs to be downloaded the first time that a user logs in. The Infranet Controller provisions enforcement policy both at login and throughout the session, and can also provide remediation support if a user is non-compliant. CLICK The Infranet Controller is fully integrated with virtually all authentication methods and schemes, which allows the enterprise to leverage their existing investments. The Infranet Agent software comes with the Controller appliance. CLICK The Infranet Agent actually consists of several components. The first is Host Check, which assesses the endpoint’s security state. This can include inspection of a number of different attributes, including ports, processes, and verification. It can also determine if the endpoint is running a variety of best-of-breed security applications, which are provisioned using open-standards-based APIs. The second element is the Host Enforcer. The Host Enforcer provides firewall policy if the endpoint is accessing a network segment not protected by an Infranet Enforcer, and can provide optional Microsoft IPSec enforcement for authenticated and encrypted transport on Windows machines. Please note that IPSec can be deployed with null encryption if you still want to look at the traffic. The agent can also be configured to provide Windows Single Sign-On for a seamless user experience in Active Directory environments. The Infranet Agent only needs to be downloaded once. After that, it will automatically start up, find the controller, and run.
CLICK Unified access control can also be deployed with agentless enforcement. This is particularly critical for Mac and Linux platforms. Agentless enforcement binds endpoint assessment and user identification for source IP-based enforcement. In an agentless deployment, Host Check will still come down to check that the endpoint is compliant. CLICK The Infranet Controller then sends this information to the enforcement point. CLICK Phase one enforcers are any of Juniper’s market leading firewall/VPNs running ScreenOS version 5.3. CLICK The Infranet Agent continues to assess the endpoint state at administrator-configured intervals. If that state changes; for example, if a security application is disabled for any reason, this information goes to the controller, which will push the changed policy to the enforcement point. This allows real-time reaction to changing network elements.
  • This slide is animated. The Infranet Controller is a hardened appliance designed to function as the central policy management point. There are 2 versions – the IC 4000 and the IC 6000. The Controller is the central point for policy management, and is based on Juniper’s field-tested Secure Access SSL VPN policy engine. As such, it provides seamless interaction with virtually all AAA infrastructures with no changes. The IC also features many of the benefits pioneered in the SA appliance, including delegated administration and high availability. The Controller can provide access in two different ways, which we’ll explore in detail in a minute. Both methods provide real-time host checking at login and throughout the session. The Infranet Agent is designed for Microsoft Windows environments, and offers a wealth of features. It can also dynamically push policies to the Enforcers. Agentless mode features source IP-based access, with policies enabled via static Web auth tables. If you are familiar with Juniper’s Secure Access SSL VPN, then the system status screen will look pretty familiar to you. One thing to notice… CLICK … is that there is an additional portion of the screen that shows connections with the Infranet Enforcers.
  • This slide introduces the Infranet Agent, which is dynamically downloaded to Windows endpoints. There are several methods to deliver the agent to the endpoint. Using the adaptive delivery mechanism which Juniper mastered with the Network Connect client on our SSL VPN devices, the agent will first try to download using ActiveX. If this is impossible, because of endpoint configuration, the agent will download using Java. Or administrators can choose to add the Juniper Installer Service to the image that is burned onto corporate laptops, which will enable users to install a variety of Juniper agents, including those for SSL VPN. Or, administrators can choose to install the client software as part of new desktops. The Infranet Agent provides a wealth of specific features, including Windows SSO, IPSec authenticated transport options, and the Host Enforcer personal firewall.
  • In this slide, we’ll look at some of the specific advantages that the Agent provides. First is Windows Single Sign-On. After the Agent is downloaded the first time, it can be configured to use the Windows credentials to sign on to the Controller automatically. Essentially, the user will only see the Agent itself once – when they first download it – after that, it is transparent. Another huge feature is the fact that using the Agent enables IPSec to the desktop, which is very difficult to administer otherwise. This keeps all traffic inside the LAN protected inside an IPSec tunnel, without changing the IPSec client that administrators may have installed for other types of access. This security can be extremely helpful in areas with stringent compliance needs. The Agent can be configured to provide transport with encryption, or can be configured with null encryption if the administrator wants to use an IPS to sniff traffic.
  • The other way to provide access is with agentless access. This method allows access control from any machine, even those without administrator privileges, as well as addressing 3rd-party devices that cannot be managed. Once the user logs into the Controller, the IC sends down Host Checker (a very lightweight applet) to ensure that the device is compliant with the enterprise security policy. If the device is compliant, Host Checker sends that information to the controller, which passes the info on to the Enforcers. Enforcers allow access based on the source IP of the device for the life of the session. When the user signs out, Host Checker disappears. *PLEASE NOTE* proper signout is required for this last statement to be true. If the user’s device is not compliant, they can be sent to a remediation site for self-service. Agentless access is enabled on the Enforcer with Web auth tables, which must be configured and passed down to the Enforcers. The Host Check will continue to run at admin-configured intervals throughout the session.
  • This slide is animated. CLICK Any Juniper firewall running Screen OS 5.3 can function as an enforcer. If a firewall is not on 5.3, that version is available via a simple software upgrade. At the moment there are only 2 exceptions – SSG and ISG with IDP – they are on separate code trains. ISG without IDP is fine. CLICK Juniper firewalls offer a wide range of speeds from the 5GT all the way up to the 5400, as well as best-in-class security features.
  • Read the bullets
  • The need to handle all use cases is a very important element of an access control solution – after all, it’s not providing much security if it only works some of the time, on very specific cases. UAC: Works with managed, unmanaged, and unmanageable devices with 2 different forms of access. Provides extremely granular access control, based on the endpoint’s security state (checked at login and over time), AAA verification, and resource attributes.
  • Some solutions say they offer access control, but don’t actually feature much in the way of security. UAC features comprehensive Host Checks and allows the enterprise to choose the security application that they want to use. These Host Checks are administered at login and throughout the session, in both agent and agentless mode. These capabilities are built upon Juniper’s market-leading SSL VPN, which also features Host Checker capabilities. To make deployment for the administrator easier, the UAC solution now features a wealth of predefined popular endpoint assessment checks, making security enforcement as simple as point-n-click.
  • Juniper has taken still another step in making security policies easy to comply with by providing the means for users to self-remediate if needed. This saves enormous time for IT and helpdesk staff. The enterprise can configure the remediation site in any way they wish. UAC also enables encryption to the desktop, a vital (and hard to deploy) feature for enterprises (or parts of enterprises) that have to comply with strict regulations. Finally, UAC now features auto monitoring of antivirus signature files. This means that the Controller itself can be configured to help to ensure that the AV signatures enabled are the latest ones available, without any intervention from IT.
  • One of the biggest problems faced by enterprises is the need to deploy access control quickly, particularly in high-risk segments of the network. Some solutions make this difficult or expensive, by requiring upgrades to switching infrastructure or clients that need to be manually installed. With UAC, you can get access control where you need it in an afternoon. This allows you to protect critical resources today, in a phased deployment.
  • No one in IT has time to master completely new technologies, nor do they have time or resources to provide a lot of handholding for users. With UAC, the solution is cross platform, so it works with virtually every kind of device and management scheme. Captive portals on the Enforcers provide a “hotel room” experience, so users don’t need to know the Controller’s URL – they are automatically directed to it. Whether agent or agentless deployment is desired, the software can be dynamically pushed by the Controller. And best of all, all of these elements have been field tested.
  • Read the bullets – full report here: http://www.networkcomputing.com/showitem.jhtml?docid=1623f1
  • This slide is animated Read the bullets
  • This slide is animated Read the bullets
  • Read the bullets
  • Juniper acquired Funk Software in December 2005 – the maker of the leading 802.1X supplicant and the de-facto standard in RADIUS servers. Together, these elements form a unique means to provide authentication and access control at Layer 2.
  • There are many reasons why Odyssey is popular. One is that it works on both wired and wireless networks, which gives the enterprise a single solution that they can push to all users. Another is that the protocol supports a huge range of operating systems, platforms, and device types. Another plus is that the product supports and enables the use of complex authentication schemes. Still another is the fact that OAC is FIPS compliant, and compatible with the DOD’s Common Access Card (or CAC), which is a smart card that provides personal identification, building access, and both a digital signature and data encryption. Finally, OAC is current with all security standards, and supports all major EAP methods, which enables the enterprise to set up authentication in the way that works for them.
  • Read the bullets…
  • THIS SLIDE IS ANIMATED To look at the future of Unified Access Control, let’s review how UAC works today. In the case we’ll look at, this is the first time the user has connected to this network. CLICK Step 1. When a new endpoint seeks network access it is redirected to the Controller by the Enforcer. If the user already had the Agent installed, this step would be eliminated. CLICK The Controller dynamically provisions the Infranet Agent. CLICK The Infranet Controller communicates with the agent, authenticates the user and gets access to the endpoint state info. CLICK The controller then communicates that intelligence to enforcers – in phase 1, Juniper’s NetScreen firewalls, including SSG and ISG with IDP. CLICK The user is connected to the resource.
  • THIS SLIDE IS ANIMATED With UAC 2.0, we will add the benefits of the market-leading Odyssey Access Client (OAC) to handle authentication and security state checks even before an IP address is assigned. We are also adding capabilities from Steel-Belted Radius, the de-facto standard in RADIUS servers, to the Controller to complete the transaction. In this scenario, we will assume that the endpoint already has OAC installed on it…if they do not, there is an additional step where it is downloaded as part of the Agent software. CLICK Step 1. User connects to 802.1X edge device – this could be any 802.1X-enabled switch or wireless access point. The switch or access point requests information (user credentials and endpoint security state information) from the endpoint and sends that information to the Controller. CLICK Step 2. In 2.0, the Controller will contain a subset of Steel-Belted Radius functionality, which enables authentication and assessment to be done on the Controller, or used as a front-end to the rest of the AAA infrastructure. CLICK Step 3. The Infranet Controller evaluates the credentials and system state and configures the 802.1X edge device for the user’s network session. At the same time, it updates all of the Layer 3 Enforcers under its domain, to let them know that the user is allowed access. CLICK Step 4. The user gets access to the resources. Note that another user could come onto the same LAN – for example, a guest, and, because their credentials and endpoint state would be different, so would their access.
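The speaker notes above describe the controller's decision flow in words: identity from the AAA store plus endpoint posture from Host Checker produce a role, the role is pushed to the Layer 3 Enforcers as source-IP-based policy (and, in UAC 2.0, to the 802.1X edge device), the endpoint is re-checked at intervals, and a change in posture moves the session to the remediation-only policy until sign-out clears the entry. The Python below is an added illustration of that decision logic, not Juniper code and not the product's API: `Posture`, `Controller`, `ROLE_RESOURCES`, `ROLE_VLAN`, the identity store, the check thresholds and the sample endpoint data are all constructed for this example.

```python
"""Toy model of the UAC decision flow described in the speaker notes (added example).

All names here (Posture, Controller, ROLE_RESOURCES, ROLE_VLAN, IDENTITY_STORE) are
assumptions made for illustration, not Juniper APIs. The "enforcer policy" dict stands
in for firewall rules the Infranet Controller would push to an Infranet Enforcer.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed admin-configured Host Check threshold

# Constructed stand-in for the AAA / identity store lookup (user -> role).
IDENTITY_STORE = {"alice": "employee", "visitor": "guest"}

# Role -> resources the controller pushes to the Layer 3 enforcers for that session.
ROLE_RESOURCES = {
    "employee": {"datacenter", "email", "remediation"},
    "guest": {"internet", "remediation"},
    "quarantine": {"remediation"},      # non-compliant endpoint: remediation site only
}
# Role -> VLAN an 802.1X edge device would be configured with (UAC 2.0 style flow).
ROLE_VLAN = {"employee": 10, "guest": 20, "quarantine": 99}


@dataclass
class Posture:
    """What the Host Check reports about the endpoint (constructed fields)."""
    av_running: bool
    av_signature_date: date
    host_firewall_on: bool


def posture_failures(posture, today):
    """Return the host-check rules the endpoint fails; an empty list means compliant."""
    failures = []
    if not posture.av_running:
        failures.append("antivirus-not-running")
    if today - posture.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus-signatures-stale")
    if not posture.host_firewall_on:
        failures.append("host-firewall-disabled")
    return failures


def decide_role(user, credentials_ok, posture, today):
    """Identity plus posture -> role. None means authentication failed (no access)."""
    if not credentials_ok or user not in IDENTITY_STORE:
        return None
    if posture_failures(posture, today):
        return "quarantine"
    return IDENTITY_STORE[user]


class Controller:
    """Minimal policy decision point modelled on the Infranet Controller's role."""

    def __init__(self):
        self.sessions = {}          # src_ip -> (user, role)
        self.enforcer_policy = {}   # src_ip -> allowed resources (pushed to enforcers)
        self.edge_vlan = {}         # src_ip -> VLAN configured on the 802.1X edge device

    def _push(self, src_ip, role):
        """Push the role's policy to the L3 enforcers and the L2 edge device."""
        self.enforcer_policy[src_ip] = set(ROLE_RESOURCES[role])
        self.edge_vlan[src_ip] = ROLE_VLAN[role]

    def login(self, user, credentials_ok, src_ip, posture, today):
        role = decide_role(user, credentials_ok, posture, today)
        if role is None:
            return None
        self.sessions[src_ip] = (user, role)
        self._push(src_ip, role)
        return role

    def reassess(self, src_ip, posture, today):
        """Periodic Host Check: re-push policy only if the endpoint's state changed."""
        if src_ip not in self.sessions:
            return None
        user, old_role = self.sessions[src_ip]
        new_role = "quarantine" if posture_failures(posture, today) else IDENTITY_STORE[user]
        if new_role != old_role:
            self.sessions[src_ip] = (user, new_role)
            self._push(src_ip, new_role)
        return new_role

    def logout(self, src_ip):
        """Proper sign-out: the source-IP entry is removed from every enforcement point."""
        self.sessions.pop(src_ip, None)
        self.enforcer_policy.pop(src_ip, None)
        self.edge_vlan.pop(src_ip, None)

    def enforcer_allows(self, src_ip, resource):
        return resource in self.enforcer_policy.get(src_ip, set())


def demo():
    """Walk one session through login, posture change, and sign-out (constructed data)."""
    today = date(2006, 6, 1)
    ic = Controller()
    compliant = Posture(True, today - timedelta(days=1), True)
    role = ic.login("alice", True, "10.1.1.5", compliant, today)        # "employee"
    dc_before = ic.enforcer_allows("10.1.1.5", "datacenter")            # True
    role_after = ic.reassess("10.1.1.5", Posture(False, today, True), today)  # "quarantine"
    dc_after = ic.enforcer_allows("10.1.1.5", "datacenter")             # False
    remediation = ic.enforcer_allows("10.1.1.5", "remediation")         # True
    vlan = ic.edge_vlan["10.1.1.5"]                                     # 99
    ic.logout("10.1.1.5")
    after_logout = ic.enforcer_allows("10.1.1.5", "remediation")        # False
    unknown = ic.login("mallory", True, "10.1.1.6", compliant, today)   # None
    return (role, dc_before, role_after, dc_after, remediation, vlan, after_logout, unknown)


if __name__ == "__main__":
    print(demo())
```

The `reassess` path is the part worth studying: the notes stress that a disabled security application must reach the controller and change the pushed policy mid-session, and the model does exactly that by recomputing the role and re-pushing only on change. The `logout` path reflects the "proper signout is required" caveat from the agentless slide: because enforcement is keyed on source IP, a session that is never signed out leaves its policy entry in place, so session timeouts and periodic re-checks are the defender's backstop.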
  • Transcript of "Unified Access Control Sales Presentation"

    1. 1. Unified Access Control
    2. 2. Agenda <ul><li>Enterprise Trends </li></ul><ul><li>Enterprise Pain Points </li></ul><ul><li>Juniper’s Unified Access Control Solution </li></ul><ul><ul><li>Infranet Controller </li></ul></ul><ul><ul><li>Infranet Agent </li></ul></ul><ul><ul><li>Agentless Mode </li></ul></ul><ul><ul><li>Infranet Enforcers </li></ul></ul><ul><li>How UAC works </li></ul><ul><li>Use Cases </li></ul><ul><li>Juniper’s Layer 2 Access Offerings </li></ul><ul><ul><li>Odyssey Access Client </li></ul></ul><ul><ul><li>Steel-Belted Radius </li></ul></ul><ul><li>The next phase in access control </li></ul>
    3. 3. Enterprise Trends INCREASED THREAT VOLUME FASTER OUTBREAKS MORE TARGETS Mobile devices transiting the LAN perimeter Widely diverse users Unmanaged or ill managed endpoints Business critical network assets Access Increases Explosive growth of vulnerabilities Patch-to-outbreak time getting shorter New breed of threats can come in with “permitted” users and traffic Secure & Resilient Network Experience Decreases
    4. 4. Enterprise Results Skyrocketing security costs; loss of productivity with downtime <ul><ul><li>Employees </li></ul></ul><ul><ul><li>Business partners </li></ul></ul><ul><ul><li>Customers </li></ul></ul><ul><ul><li>Guests </li></ul></ul><ul><ul><li>Contractors </li></ul></ul><ul><ul><li>Employees </li></ul></ul><ul><ul><li>Business partners </li></ul></ul><ul><ul><li>Customers </li></ul></ul><ul><ul><li>Guests </li></ul></ul><ul><ul><li>Contractors </li></ul></ul><ul><ul><li>Business Apps </li></ul></ul><ul><ul><li>E-mail </li></ul></ul><ul><ul><li>Internal Resources </li></ul></ul><ul><ul><li>- Ill managed endpoints </li></ul></ul><ul><ul><li>- Lack of Control </li></ul></ul><ul><ul><li>Trust is presumed, </li></ul></ul><ul><ul><li>but unenforceable </li></ul></ul><ul><ul><li>- Network and application layer threats can come in </li></ul></ul><ul><ul><li>- Valuable corporate information can go out </li></ul></ul><ul><ul><li>Vulnerable servers are accessed By EVERY user population </li></ul></ul><ul><ul><li>Worms, viruses, spyware </li></ul></ul><ul><ul><li>Malware, Trojans and more </li></ul></ul><ul><ul><li>WAN Access </li></ul></ul><ul><ul><li>Solved by SSL VPN, which provides ACCESS METHOD with control </li></ul></ul><ul><ul><li>Need for Comprehensive ACCESS CONTROL </li></ul></ul><ul><ul><li>Extended Enterprise </li></ul></ul><ul><ul><li>Server Farms / Data Center </li></ul></ul><ul><ul><li>Distributed Enterprise </li></ul></ul><ul><ul><li>Campus </li></ul></ul>Perimeter
    5. 5. Why Control Access? Pain Access Control Phased 802.1x rollout Regulation/Compliance Diversity of endpoints Changing attitude to risk Differentiated Access Partner/Consultant/employee Layer 2 Layer3-7 Recent Security Breach Location complication Demanding Applications Wireless Network Security
    6. 6. Why is this technology so important?? <ul><li>Dynamic Network Boundaries – Location Complication </li></ul><ul><ul><li>Mobile Workforce </li></ul></ul><ul><ul><li>Wireless Networks </li></ul></ul><ul><ul><li>Contractors </li></ul></ul><ul><ul><li>Partners </li></ul></ul><ul><ul><li>Diversity of endpoints </li></ul></ul><ul><li>Sophisticated Attacks </li></ul><ul><ul><li>Zero-Day Exploits </li></ul></ul><ul><ul><li>Rapid Infection Speed </li></ul></ul><ul><ul><li>Targeted Attacks (crimeware) </li></ul></ul><ul><ul><li>Rootkits, Botnets, Zombies and Back Doors </li></ul></ul><ul><li>Harder to control/More demanding Applications </li></ul><ul><ul><li>IM/VoIP/VoD </li></ul></ul><ul><ul><li>Unenforceable policy </li></ul></ul><ul><li>The Grey Network </li></ul><ul><ul><li>The Network you don’t know you own! </li></ul></ul><ul><li>The Usual Suspects </li></ul><ul><ul><li>Bad People </li></ul></ul><ul><ul><ul><li>More Money for Attackers </li></ul></ul></ul><ul><ul><ul><li>Extortion, Identity Theft, Bank Fraud, Corporate Espionage,… </li></ul></ul></ul><ul><ul><li>Careless People </li></ul></ul><ul><ul><ul><li>Accidental agents of catastrophe </li></ul></ul></ul>
    7. 7. This market is exploding!! But don’t believe us… “Nearly 40% of all large enterprises are looking to implement a solution for LAN access control in the next 12-18 months” Forrester Research “Once companies finish building out security for the edge of the network, they will turn their attention inward, and NAC is the obvious place to invest.” Infonetics – Jan 2006 Enforcing Network Access Control: Market Outlook and Worldwide Forecast “…we predict that, by 2007, 80 percent of enterprises will have implemented NAC (0.8 probability). This figure includes wireless and remote access virtual private network (VPN)-based NAC, as well as LAN-based NAC.” Gartner, Jan 2006 - Pitfalls Lurk Where IP Telephony Meets Network Access Control
    8. 8. Problems Facing Access Control Adoption <ul><li>Must tie user identity, device state and network info to access </li></ul><ul><ul><li>Including managed, unmanaged, and unmanageable 3rd-party devices </li></ul></ul><ul><ul><li>Enable granular access control </li></ul></ul><ul><li>Must enable true security, throughout the session </li></ul><ul><ul><li>Must check security posture initially and throughout the session </li></ul></ul><ul><ul><li>Should use your choice of security apps </li></ul></ul><ul><ul><li>Should give users the opportunity to remediate </li></ul></ul><ul><ul><li>With encryption where you need it </li></ul></ul><ul><li>Need to enable security TODAY </li></ul><ul><ul><li>Without rearchitecting my entire network </li></ul></ul><ul><ul><li>Without having to touch every single endpoint </li></ul></ul><ul><ul><li>In a phased manner </li></ul></ul><ul><li>Need it to “just work” – for the enterprise and the users </li></ul><ul><ul><li>With cross-platform endpoints </li></ul></ul><ul><ul><li>With field-tested components that you can trust </li></ul></ul>
    9. 9. The Solution: Unified Access Control Infranet Agent (IA) Comprehensive enterprise integration AAA Servers Identity Stores Phase 1 Enforcers Infranet Controller (IC) Unified policy enforcement based on identity, endpoint assessment, and network <ul><li>Host Checker (J.E.D.I) </li></ul><ul><li>Host Enforcer (with firewall policy or optional dynamic MS IPSec enforcement) </li></ul><ul><li>MS Windows Single Sign-On </li></ul><ul><li>Agentless enforcement for Windows, Mac and Linux </li></ul><ul><li>IA protects authenticated endpoints from malicious/non-compliant endpoints </li></ul><ul><li>Enforcers – ScreenOS 5.4 capable </li></ul><ul><li>NetScreen 5GT – NetScreen 5000 </li></ul><ul><li>From 90 Mbps to 30 Gbps </li></ul><ul><li>Access control decision point </li></ul><ul><li>Automatically provisions the Infranet Agent (if required) </li></ul><ul><li>Dynamically provisions enforcement policy </li></ul><ul><li>Integrated remediation support </li></ul>
    10. 10. Infranet Controller Overview <ul><ul><li>Easy out-of-the-box deployment </li></ul></ul><ul><ul><li>Centralized Policy Management </li></ul></ul><ul><ul><ul><li>Endpoint, user and access policy configured in one box </li></ul></ul></ul><ul><ul><ul><li>Changes in policy dynamically propagated across the network </li></ul></ul></ul><ul><ul><ul><li>Leverage existing AAA/identity stores for policy management </li></ul></ul></ul><ul><ul><li>Reliable Operation </li></ul></ul><ul><ul><ul><li>Delegated Administration </li></ul></ul></ul><ul><ul><ul><li>High Availability across LAN and WAN </li></ul></ul></ul><ul><ul><li>Cross-platform support with two types of delivery </li></ul></ul><ul><ul><ul><li>The Infranet Agent </li></ul></ul></ul><ul><ul><ul><li>Agentless Mode </li></ul></ul></ul><ul><ul><ul><li>Both enable Host Checking for ongoing real-time checks of endpoint security state </li></ul></ul></ul>IC 4000 IC 6000
    11. 11. Infranet Agent <ul><li>Lightweight client downloaded automatically to Windows endpoints </li></ul><ul><li>Several easy installation options </li></ul><ul><ul><li>Dynamic via ActiveX or Java </li></ul></ul><ul><ul><li>Juniper Installer Service </li></ul></ul><ul><ul><li>Pre-installed </li></ul></ul><ul><li>Provides: </li></ul><ul><ul><li>Windows Single Sign-On </li></ul></ul><ul><ul><li>Source IP based access, or </li></ul></ul><ul><ul><li>Authenticated Transport (IPSec) </li></ul></ul><ul><ul><li>Troubleshooting tools </li></ul></ul><ul><ul><li>Host Checker and Remediation </li></ul></ul><ul><ul><li>Host Enforcer (endpoint firewall) </li></ul></ul>
    12. 12. Infranet Agent Benefits <ul><li>Windows Single Sign-On </li></ul><ul><ul><li>Used with Active Directory or Windows NT Domain authentication on the IC </li></ul></ul><ul><ul><li>The agent uses the Windows credentials to sign into the IC automatically </li></ul></ul><ul><ul><li>Eliminates user intervention when signing into the Infranet </li></ul></ul><ul><li>IPSec Transport </li></ul><ul><ul><li>Leverages the native Microsoft Windows IPsec capability </li></ul></ul><ul><ul><li>If another IPsec client is installed, the agent detects and disables it (it does not uninstall it) </li></ul></ul><ul><li>Provides authenticated and optionally encrypted transport </li></ul><ul><ul><li>DES/3DES </li></ul></ul><ul><ul><li>Null encryption (integrity and origin authentication only; the payload is not confidential) </li></ul></ul><ul><ul><li>Caveat: DES uses a 56-bit key and was withdrawn as a US federal standard in 2005, so where the transport must protect data use 3DES and treat the null cipher strictly as an authentication-only mode </li></ul></ul>IPSec Encryption: 3DES, DES or null
    13. 13. Infranet Agentless <ul><li>Web based clientless access </li></ul><ul><li>Provides: </li></ul><ul><ul><li>Access from machine without admin privileges </li></ul></ul><ul><ul><li>Agentless access </li></ul></ul><ul><ul><li>Cross-platform support </li></ul></ul><ul><ul><ul><li>Mac </li></ul></ul></ul><ul><ul><ul><li>Linux </li></ul></ul></ul><ul><ul><ul><li>Windows </li></ul></ul></ul><ul><ul><li>Source IP based access onto network </li></ul></ul><ul><ul><ul><li>Enough for many networks </li></ul></ul></ul><ul><ul><li>Host Checking and Remediation </li></ul></ul><ul><ul><li>Replacement / enhancement to complex departmental firewall deployment and management </li></ul></ul><ul><li>All browsers/platforms with JavaScript support </li></ul>
    14. 14. Phase One Infranet Enforcers <ul><li>Phase 1 incorporates Juniper FW/VPN platforms </li></ul><ul><li>ScreenOS 5.3 software upgrade required </li></ul><ul><li>75 Mbps to 30 Gbps for wire-speed policy enforcement in the LAN </li></ul><ul><li>Network security policy enforcement </li></ul><ul><ul><li>DoS protection </li></ul></ul><ul><ul><li>Deep packet inspection </li></ul></ul><ul><ul><li>Antivirus capabilities </li></ul></ul><ul><ul><li>Content management </li></ul></ul>HSC NetScreen 5 Series NetScreen 204 & 208 NetScreen 25 & 50 NetScreen 5200 & 5400 ISG Series NetScreen 500
    15. 15. How it works... User connection (Agent) Data Center: mission critical apps, file servers, ERP, CRM etc. AAA Servers (Active Directory) Infranet Controller Infranet Enforcer (IE) User <ol><li>User tries to access a resource and cannot reach it: the traffic is blocked by the Infranet Enforcer. </li><li>User is redirected to the Infranet Controller or to a remediation site. </li><li>Infranet Controller deploys the Infranet Agent to the endpoint over SSL. </li><li>Infranet Agent profiles the endpoint. </li><li>User authenticates to the Infranet Controller using the Infranet Agent. </li><li>Infranet Controller authenticates the user against the AAA servers (AD, LDAP, etc.). </li><li>Infranet Controller determines the user's access policy. </li><li>Infranet Controller provisions user access on the Infranet Enforcer over SSL and SSH. </li><li>Infranet Controller provisions connection policies on the Infranet Agent over SSL. </li><li>User accesses the resource directly through the enforcer. </li></ol>
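The ten steps above, as an added worked model (constructed for this page, not Juniper code): a default-deny enforcer that redirects unknown sources to the controller, a controller that checks credentials against a stand-in identity store, maps the user's group to a resource list, provisions a source-IP rule on the enforcer, and revokes it when a later host check fails. The host names, users, groups, resources and the posture flag are all assumptions.

```python
"""Toy model of the UAC control flow (constructed example, not Juniper code).

Enforcer   - firewall in the path; default-deny, redirects unknown sources to the IC
Controller - authenticates the user, applies the access policy, provisions the enforcer
Identity store, groups and resource names are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed stand-in for an AD/LDAP backend: user -> (password, group).
# Plaintext passwords are for the toy only; a real store holds hashes or delegates to AD.
IDENTITY_STORE = {
    "alice": ("s3cret", "finance"),
    "bob": ("hunter2", "contractor"),
}

# Group-based access policy: which destinations each group may reach (constructed)
ACCESS_POLICY = {
    "finance": {"erp.corp.example", "files.corp.example"},
    "contractor": {"files.corp.example"},
}

CONTROLLER_ADDR = "ic.corp.example"          # hypothetical IC address
REMEDIATION_ADDR = "remediate.corp.example"  # hypothetical remediation site


@dataclass
class Enforcer:
    # Rules provisioned by the controller (step 8), keyed on the endpoint's source IP
    rules: dict = field(default_factory=dict)

    def handle(self, src_ip, dest):
        allowed = self.rules.get(src_ip)
        if allowed is None:
            return ("redirect", CONTROLLER_ADDR)   # steps 1-2: blocked, captive-portal redirect
        if dest in allowed:
            return ("forward", dest)               # step 10: direct access through the enforcer
        return ("drop", dest)                      # authenticated, but outside the policy

    def provision(self, src_ip, dests):
        self.rules[src_ip] = set(dests)

    def revoke(self, src_ip):
        self.rules.pop(src_ip, None)


@dataclass
class Controller:
    enforcer: Enforcer
    sessions: dict = field(default_factory=dict)

    def sign_in(self, src_ip, user, password, posture_ok):
        """Steps 5-9: authenticate, decide policy, provision the enforcer."""
        creds = IDENTITY_STORE.get(user)
        if creds is None or creds[0] != password:
            return ("deny", "authentication failed")
        if not posture_ok:                          # host check (step 4) failed
            return ("redirect", REMEDIATION_ADDR)
        dests = ACCESS_POLICY.get(creds[1], set())
        self.enforcer.provision(src_ip, dests)
        self.sessions[src_ip] = user
        return ("provisioned", sorted(dests))

    def posture_recheck(self, src_ip, posture_ok):
        """A host check that fails mid-session pulls the rule back off the enforcer."""
        if src_ip in self.sessions and not posture_ok:
            self.enforcer.revoke(src_ip)
            del self.sessions[src_ip]
            return ("revoked", REMEDIATION_ADDR)
        return ("ok", None)


def walkthrough():
    """Run the flow for one endpoint and return the sequence of decisions."""
    enf = Enforcer()
    ic = Controller(enf)
    trace = []
    trace.append(enf.handle("10.1.1.5", "erp.corp.example"))       # blocked, redirected to IC
    trace.append(ic.sign_in("10.1.1.5", "alice", "s3cret", True))   # authenticated, provisioned
    trace.append(enf.handle("10.1.1.5", "erp.corp.example"))        # forwarded
    trace.append(enf.handle("10.1.1.5", "hr.corp.example"))         # not in finance policy
    trace.append(ic.posture_recheck("10.1.1.5", False))             # session-time check fails
    trace.append(enf.handle("10.1.1.5", "erp.corp.example"))        # back to the captive portal
    return trace


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

What the model makes visible: the enforcer's rule is keyed on source IP, so any host able to send from 10.1.1.5 inherits alice's access for the life of the session. That is the gap the agent's IPsec transport option described earlier closes, and it is also why the mid-session posture recheck is worth having.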
    16. 16. Problem: Need to tie user identity, device state and network info to access <ul><li>Juniper’s Unified Access Control solution </li></ul><ul><ul><li>Handles all use cases </li></ul></ul><ul><ul><ul><li>Managed, unmanaged, and unmanageable devices </li></ul></ul></ul><ul><ul><ul><li>Employees, contractors, partners and guests </li></ul></ul></ul><ul><ul><ul><li>Agent or agentless mode available </li></ul></ul></ul><ul><ul><li>Granular access control </li></ul></ul><ul><ul><ul><li>Concept from Juniper’s Secure Access SSL VPN engine </li></ul></ul></ul><ul><ul><ul><li>Combines data for dynamic access privileges </li></ul></ul></ul><ul><ul><ul><ul><li>Network information </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Endpoint security state </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Checked throughout session </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>AAA information </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Works with virtually all AAA schemes </li></ul></ul></ul></ul></ul>
    17. 17. Problem: Must enable true security, throughout the session <ul><li>Comprehensive endpoint Host Checks </li></ul><ul><ul><ul><li>Check the endpoint security state </li></ul></ul></ul><ul><ul><ul><li>Host Checks run in both agent and agentless modes </li></ul></ul></ul><ul><ul><ul><li>Works with your choice of security applications </li></ul></ul></ul><ul><ul><ul><li>Host Checks can run at admin-configurable times throughout the session </li></ul></ul></ul><ul><li>Predefined Host Checker for AV, FW, and Spyware </li></ul><ul><ul><li>Pre-defined Endpoint Assessment Checks simplify deployment </li></ul></ul><ul><ul><ul><li>Query the application found, including product type, product version, engine version, signatures, and last scan time. </li></ul></ul></ul><ul><ul><ul><li>Validate the authenticity of the application. </li></ul></ul></ul><ul><ul><ul><li>Tie remediation actions to specific Infranet Controller access policies </li></ul></ul></ul>
    18. 18. Problem: Must enable true security, throughout the session <ul><li>Remediation site makes it easy for users to comply with policy </li></ul><ul><li>Encryption to the desktop </li></ul><ul><li>Automatic Monitoring of AV signature files </li></ul><ul><ul><li>Virus signature version monitoring </li></ul></ul><ul><ul><ul><li>Used in conjunction with pre-defined host checks </li></ul></ul></ul><ul><ul><ul><li>IC contacts Juniper download site at periodic intervals to obtain latest virus signature versions </li></ul></ul></ul><ul><ul><ul><li>IA checks currently installed version on PC against list to see if host check passes </li></ul></ul></ul>
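An added worked example of the predefined AV/firewall host check and the signature-version monitoring described on this and the previous slide (constructed for this page; it is not Juniper's Host Checker). The controller-side list of latest signature versions, the policy thresholds, the product names and the endpoint posture records are all assumptions. It goes a little beyond the slide: it compares versions numerically rather than as strings, and maps the failing checks onto an access level the way the remediation-to-policy tie-in would.

```python
"""Endpoint host check: AV present, engine/signature versions current, recent scan, firewall on.
Constructed example, not Juniper's Host Checker. All names and thresholds are hypothetical.
"""
from datetime import datetime, timedelta, timezone

# Stand-in for the list the IC periodically fetches from the vendor download site (constructed)
LATEST_SIGNATURES = {
    "ExampleAV": (2024, 3, 18),
    "OtherAV": (9, 120, 0),
}

# Policy knobs an administrator would set on the IC (constructed)
POLICY = {
    "allowed_av": {"ExampleAV", "OtherAV"},
    "min_engine": {"ExampleAV": (5, 2, 0), "OtherAV": (9, 0, 0)},
    "max_scan_age": timedelta(days=7),
    "require_firewall": True,
}


def parse_version(s):
    """'5.10.0' -> (5, 10, 0). Compare numerically; as strings '5.10.0' < '5.9.0' is True."""
    return tuple(int(part) for part in s.split("."))


def evaluate(posture, now):
    """Return (passed, failures); each failure is (check, detail, remediation)."""
    failures = []
    av = posture.get("av")
    if av is None or av["product"] not in POLICY["allowed_av"]:
        failures.append(("av-installed", "no approved antivirus found", "install an approved AV"))
    else:
        product = av["product"]
        if parse_version(av["engine"]) < POLICY["min_engine"][product]:
            failures.append(("av-engine", f"{product} engine {av['engine']} too old", "update engine"))
        latest = LATEST_SIGNATURES[product]
        if parse_version(av["signatures"]) < latest:   # installed version checked against the IC's list
            latest_str = ".".join(map(str, latest))
            failures.append(("av-signatures", f"signatures {av['signatures']} behind {latest_str}",
                             "update signatures"))
        scan_age = now - av["last_scan"]
        if scan_age > POLICY["max_scan_age"]:
            failures.append(("av-scan", f"last scan {scan_age.days} days ago", "run a full scan"))
    if POLICY["require_firewall"] and not posture.get("firewall_enabled", False):
        failures.append(("firewall", "host firewall disabled", "enable the host firewall"))
    return (not failures, failures)


def access_level(failures):
    """Tie the outcome to an access policy: what the IC would provision on the enforcer."""
    failed = {check for check, _, _ in failures}
    if not failed:
        return "full"
    if failed <= {"av-signatures", "av-scan"}:
        return "remediation-only"   # reach the update servers / remediation site only
    return "deny"


# Fixed clock and constructed posture records so the example is reproducible offline
NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)
POSTURES = {
    "compliant": {"av": {"product": "ExampleAV", "engine": "5.10.0", "signatures": "2024.3.18",
                         "last_scan": NOW - timedelta(days=1)}, "firewall_enabled": True},
    "lagging":   {"av": {"product": "ExampleAV", "engine": "5.10.0", "signatures": "2024.3.15",
                         "last_scan": NOW - timedelta(days=1)}, "firewall_enabled": True},
    "stale":     {"av": {"product": "ExampleAV", "engine": "5.9.0", "signatures": "2024.3.12",
                         "last_scan": NOW - timedelta(days=12)}, "firewall_enabled": False},
}


def run_example():
    """name -> (passed, failed check names, access level)"""
    out = {}
    for name, posture in POSTURES.items():
        passed, failures = evaluate(posture, NOW)
        out[name] = (passed, [check for check, _, _ in failures], access_level(failures))
    return out


if __name__ == "__main__":
    for name, result in run_example().items():
        print(name, result)
```

The "compliant" record passes only because the engine version is compared as integers; a string comparison would reject 5.10.0 as older than the 5.2.0 minimum, which is a common host-checker false negative. Validating the authenticity of the installed application (the next predefined check on the slide) is not shown here, since it depends on vendor-specific signing data the page does not describe.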
    19. 19. Problem: Need to enable security TODAY <ul><li>Unified Access Control solution </li></ul><ul><ul><li>Enables phased deployment </li></ul></ul><ul><ul><ul><li>Can protect the network at critical choke points today </li></ul></ul></ul><ul><ul><ul><li>Roll out enterprise-wide deployments or switch-based enforcement on your timeline </li></ul></ul></ul><ul><ul><li>Leverage what you have </li></ul></ul><ul><ul><li>Can be easily dropped into your network with no changes </li></ul></ul><ul><ul><li>Dynamic agent download or agentless deployment </li></ul></ul><ul><ul><ul><li>No pre-installation required </li></ul></ul></ul>
    20. 20. Problem: Need it to “just work” – for the enterprise and the users <ul><ul><li>The solution is cross platform </li></ul></ul><ul><ul><ul><li>Windows </li></ul></ul></ul><ul><ul><ul><li>Mac </li></ul></ul></ul><ul><ul><ul><li>Linux </li></ul></ul></ul><ul><ul><li>Captive Portal functionality on enforcers redirects new users automatically - the IC is transparent to the end user </li></ul></ul><ul><ul><li>Agent software is dynamically downloaded if required </li></ul></ul><ul><ul><ul><li>No pre-installation required </li></ul></ul></ul><ul><ul><li>Field Tested components </li></ul></ul><ul><ul><ul><li>Controller policy engine from Juniper’s #1 SSL VPN </li></ul></ul></ul><ul><ul><ul><li>Dynamic delivery also from Secure Access SSL VPN </li></ul></ul></ul><ul><ul><ul><li>Enforcers bring years of NetScreen experience </li></ul></ul></ul>
    21. 21. Competitive Positioning You KNOW we don’t like Cisco…so don’t listen to us Juniper's approach to the NNV conundrum can be summed up in two words: Simple and straightforward. Out of the box it took us less than 30 minutes to get the [Juniper] IE and IC up and running” “Juniper's node-validation components are more comprehensive than the base Cisco NAC offerings.” “This simplicity is what allows Juniper Infranet to deliver a lot of functionality from the get-go.” “A full Cisco NAC implementation is a complicated, intrusive process” “For starters, Cisco has developed a gallon of alphabet soup's worth of new protocols to allow communication among devices… … At the same time, protocols that haven't gone through IETF or IEEE standards processes tend to make IT people nervous” “The alerting and troubleshooting interface in [Cisco’s] Secure ACS is abysmal…” “The ACS user interface, however, is confusing.”
    22. 22. UAC Use Cases <ul><ul><li>Deployed for dynamic access control to datacenter resources </li></ul></ul><ul><ul><li>Part of an enterprise-wide zoning/firewalling strategy at many enterprises </li></ul></ul><ul><ul><li>Layer dynamic policy on a per-user basis, by binding user, network and endpoint integrity information </li></ul></ul><ul><ul><li>Ease of deployment key </li></ul></ul><ul><ul><li>High Availability critical (both policy server and enforcement points) </li></ul></ul><ul><ul><li>Firewalls in transparent mode for bump-in-the-wire enforcement </li></ul></ul>Data Center <ul><ul><li>Distributed Juniper firewall deployment (branch office, DMZ, wireless) </li></ul></ul><ul><ul><li>Flexible enforcement options </li></ul></ul><ul><ul><li>Support for employees, partners, guests with agent/agentless modes </li></ul></ul><ul><ul><li>Cross-platform support (Windows, Mac and Linux) </li></ul></ul><ul><ul><li>WAN/LAN clustering of policy servers </li></ul></ul><ul><ul><li>Policy-specific remediation for a self-administering platform </li></ul></ul><ul><ul><li>Active Directory integration </li></ul></ul>Enterprise Wired & Wireless
    23. 23. UAC Use Cases <ul><ul><li>Vendor access from unmanaged endpoints needs to be controlled </li></ul></ul><ul><ul><li>Machines with admin rights / guest privileges </li></ul></ul><ul><ul><li>On-demand delivery of agent preferred </li></ul></ul><ul><ul><li>Dynamic access easily enforced in branch office firewalls </li></ul></ul><ul><ul><li>Pre-populated list of endpoint security policies </li></ul></ul>Retail <ul><ul><li>Partner/guest access to the network from conference rooms </li></ul></ul><ul><ul><li>Mixed hardware: plenty of Mac, Linux, Solaris machines </li></ul></ul><ul><ul><li>Regulatory compliance requirements (access to financials etc.) </li></ul></ul><ul><ul><li>Delegated administration for granular control over policy </li></ul></ul><ul><ul><li>Granular access control (HR, accounting, finance, marketing, engineering) </li></ul></ul><ul><ul><li>Single Sign-On preferable </li></ul></ul>High Tech <ul><ul><li>Flat network with no zoning </li></ul></ul><ul><ul><li>Rollout of 802.1x planned over a 2-3 year period </li></ul></ul><ul><ul><li>Segregated network for traders, partners, employees </li></ul></ul><ul><ul><li>IPsec service for strong security (encrypting data / authenticating endpoints) </li></ul></ul><ul><ul><li>High Availability critical (DoS protection etc.) </li></ul></ul><ul><ul><li>Distributed architecture support </li></ul></ul><ul><ul><li>Leverage existing investments (SEM, endpoint, switch/routing infrastructure) </li></ul></ul>Finance
    24. 24. EMEA Case Study <ul><li>Regional government </li></ul><ul><li>Why they bought </li></ul><ul><ul><li>Thin client computing to enforce access in a highly regulated environment </li></ul></ul><ul><ul><li>Significant proportion of endpoints unable to run thin-client due to technical constraints </li></ul></ul><ul><ul><li>UAC rolled out to secure these endpoints – led to additional secure printing application </li></ul></ul><ul><ul><li>No client install required </li></ul></ul><ul><li>What was sold </li></ul><ul><ul><li>IC4000, ISG2000 and NS 5GT enforcement points </li></ul></ul>
    25. 25. EMEA Case Study <ul><li>Secure Printing </li></ul><ul><li>Compliance concerns over print jobs traveling in the clear over the network </li></ul><ul><li>Solution </li></ul><ul><ul><li>Place a 5GT as an enforcement point in front of the print-farm </li></ul></ul><ul><ul><li>Infranet policy to encrypt traffic between client machine and enforcement point </li></ul></ul>
    26. 26. Consider UAC 1.x when <ul><li>You are interested in LAN access control with 802.1x, but </li></ul><ul><ul><li>Haven’t rolled out your switching infrastructure </li></ul></ul><ul><ul><li>Need to secure a segment of your LAN immediately </li></ul></ul><ul><li>You are an existing Juniper firewall customer </li></ul><ul><ul><li>Plenty of options to enforce policy in an overlay manner </li></ul></ul><ul><li>You are an existing SSL VPN customer who understands Juniper’s policy control engine and </li></ul><ul><ul><li>Has plenty of users with managed/unmanaged devices </li></ul></ul><ul><ul><li>Cares about a plug n’ play policy server that works with diverse AAA servers / endpoint solutions </li></ul></ul>
    27. 27. Layer 2 Access Control Offerings Odyssey Access Client & Steel-Belted Radius SBR 802.1X
    28. 28. Value Proposition for Odyssey (OAC) 802.1x Supplicant <ul><li>Ideal for large-scale enterprise-wide deployments </li></ul><ul><ul><li>Standardize on one security solution across the organization </li></ul></ul><ul><ul><li>Uses a common tool to administer clients across all platforms </li></ul></ul><ul><ul><li>Same client supports wired and wireless simultaneously </li></ul></ul><ul><ul><li>Supports a huge range of OS, platforms and device types </li></ul></ul><ul><li>Supports complex authentication schemes </li></ul><ul><li>FIPS-compliant since Fall 2005 </li></ul><ul><ul><li>Compatible with the DoD CAC card </li></ul></ul><ul><li>Current with all security standards </li></ul><ul><li>Supports all major EAP methods </li></ul>
    29. 29. Value Proposition for Steel Belted Radius <ul><li>Most flexible, reliable RADIUS server </li></ul><ul><li>Performance – can handle more authentication transactions/second than Microsoft or Cisco </li></ul><ul><li>All Steel Belted Radius servers fully support AAA functions </li></ul><ul><li>Comprehensive feature set, designed for compatibility in heterogeneous environment </li></ul><ul><ul><li>Multi-platform </li></ul></ul><ul><ul><li>Multi-vendor </li></ul></ul><ul><li>Broadest line of RADIUS servers for every network architecture: </li></ul><ul><ul><li>Enterprise Edition (EE): Mid-Large Enterprises & Branch </li></ul></ul><ul><ul><li>Global Enterprise Edition (GEE): Fortune 500 and Gov’t </li></ul></ul><ul><ul><li>Appliance – both EE & GEE available on hardened form factor for easy deployment </li></ul></ul>
    30. 30. UAC 1.X Review of how it works today (diagram labels: AAA Servers, Identity Stores, Enforcers, Infranet Agent, Infranet Controller)
    31. 31. UAC 2.0: Layer 2 + Layer 3 The future of Unified Access Control (diagram labels: AAA Servers, Identity Stores, Enforcers, Infranet Agent w/Integrated OAC, Infranet Controller w/Integrated SBR, 802.1X)
    32. 32. UAC 2.0: Comprehensive Control (diagram labels: Open APIs, Standards (802.1x, RADIUS), IPSec, Security Software, Supplicant + TCG-TNC HC + Access Agent, Policy Servers (SBR + TCG-TNC Net Access Authority), Layer 2, Layer 3-7, Infranet Agent, Enforcement Point)
    33. 33. Benefits of UAC with L2 Access Control <ul><li>Standards-Based Solution </li></ul><ul><ul><li>Support for enforcement on vendor-agnostic switch infrastructure (TNC IF-PEP compliant) </li></ul></ul><ul><ul><li>Support for TNC standards for endpoint vendor interoperability </li></ul></ul><ul><li>Comprehensive Security </li></ul><ul><ul><li>Secure at the edge, in the network, or both </li></ul></ul><ul><ul><li>Protect network assets (L2-L7) </li></ul></ul><ul><li>Ease of Deployment </li></ul><ul><ul><li>Flexible support for evolving networks </li></ul></ul><ul><ul><li>On-demand agent and agentless modes for diverse user/endpoint scenarios (partners, guests, non-802.1x, Linux, Mac) </li></ul></ul>
    34. 34. Summary - Juniper’s UAC Solution Delivers <ul><ul><li>LAN Access Control today without requiring an 802.1x rollout </li></ul></ul><ul><ul><ul><li>Granular secure access to your LAN for employees, contractors, partners with cross platform support </li></ul></ul></ul><ul><ul><li>Layer 3-7 Access control via dynamic IPSec VPN or Source-based IP policy </li></ul></ul><ul><ul><li>A clear route to Layer 2 port based access control </li></ul></ul><ul><ul><li>Leverage of your existing Juniper firewall investment </li></ul></ul><ul><ul><li>Proven technology from the SSL VPN portfolio </li></ul></ul><ul><ul><li>Support for users with managed/unmanaged devices </li></ul></ul><ul><ul><li>A plug n’ play policy server that works with diverse AAA servers/ endpoint solutions </li></ul></ul><ul><ul><li>Security without compromising performance </li></ul></ul>
    35. 35. Thank you!