Uac sales pres_20_apr09-2
Juniper UAC


Published in: Technology

Transcript

  • 1. UAC Overview Slide Show Instructions
    • This PPT includes 3 “custom shows” for different audiences:
      • UAC Intro – BDM: UAC Use Cases and Market Overview
      • UAC Intro – TDM: UAC Use Cases, Market Overview and UAC Architecture Deep Dive
    • To access each slideshow, hit “Slide Show,” then “Custom Shows.” Select appropriate presentation and click “Show.”
  • 2. Creating your own Custom Show
    • Follow these instructions to modify shows to suit your audience:
      • Add new slides to a custom show
      • Rearrange slides
      • Create a new custom show
  • 3. Access Control Solutions Unified Access Control
  • 4. Access Control Solutions Unified Access Control
  • 5. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 6. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 7. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Case Studies
    • Summary
  • 8. Agenda
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Summary
  • 9. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 10. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Case Studies
    • Summary
  • 11. Agenda
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Summary
  • 12. Market Trends and Needs
    • Worldwide economic crisis
    • Layoffs and RIFs abound
    • Financial institutions failing
    • Market values falling
    • Decreased budgets
    • Severe credit crunch
    • Proliferation of network threats
    • Insider threat incidences rise
    • Escalation in outsourcing and off-shoring
    • Build-up of mergers and acquisitions
    • Increased emphasis on regulatory compliance
    • … However, need to do more, but with less
    • Networks now more strategic than ever to corporate growth…
  • 13. Fully Coordinated Security Infrastructure UAC “Nerve Center” Management/ Visibility 802.1X NAC Identity-Aware Security Enterprise-Wide Access Control Device Control Coordinated Threat Control
  • 14. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 15. Agenda
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Summary
  • 16. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Case Studies
    • Summary
  • 17. Use Case – Insider Threat Mitigation
    • Challenge
    • UAC
      • Coordinated, enterprise-wide access control
      • Authorized network and application access only
      • Identity-enabled behavior anomaly detection and mitigation
      • Identity-based firewalling for data center
      • Third-party device collaboration and interoperability
      • Comprehensive, identity-enabled logging and reporting
    % of Participants Who Experienced an Insider Incident 2007 e-Crime Watch Survey 671 respondents 41 39 55 49
  • 18. Use Case – Addressing Compliance
    • Challenge
    • UAC
      • Stops unauthorized network, application, and data access
      • Checks and assesses device security posture – pre- and post-admission
      • Consistent, cross-network access policy enforcement
      • Instant data access authorization
      • Identity-enables profiling, auditing, and logging
      • FIPS compliant hardware and client
  • 19. Use Case – Secure Guest Access
    • Challenge
    • UAC
      • Limits guest access
      • Base level and depth of access on guest type, identity and role
      • Device health and security assessment – pre- and post-admission
      • One-time guest accounts
      • Time-based guest accounts
      • VLAN or overlay guest use enforcement
      • Administrator controlled
    Chart: LAN Threat by Users. Rate the following types of users by their degree of threat for your LAN.
    Chart values: 58%, 57%, 47%, 44%, 42%, 30%
    User types: Guests; Employee, remote access; Employee, connected wireless to LAN; Contractors/outsourced labor; Unmanageable devices such as printers, VoIP phones, card readers, cameras; Employee, connected via wired LAN
    Note: Percentages based on a rating of 4 to 5 on a five-point scale where 1 is “low” and 5 is “High”
    Source: Mike Fratto | InformationWeek Analytics | 2008 NAC Survey
  • 20. Use Case – Secure Outsourcing/Off-shoring
    • Challenge - US off-shoring to grow nearly 3X by 2015
    • UAC
      • Protects remote and local network access
      • Stops unauthorized network, application, and data access
      • Checks and assesses device security posture – before and during session
      • Virtual network segmentation
      • In transit data encryption
      • Identity-enabled firewalling at the data center
    Estimated Number of U.S. Jobs Moving Offshore, 2003-2015
    Category | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2010 | 2015
    Management | 3,500 | 15,000 | 34,000 | 42,000 | 48,000 | 64,000 | 106,000 | 259,000
    Business | 30,000 | 55,000 | 91,000 | 105,000 | 120,000 | 136,000 | 176,000 | 356,000
    Computer | 102,000 | 143,000 | 181,000 | 203,000 | 228,000 | 247,000 | 322,000 | 542,000
    Architecture | 14,000 | 27,000 | 46,000 | 54,000 | 61,000 | 70,000 | 93,000 | 191,000
    Life Sciences | 300 | 2,000 | 4,000 | 5,500 | 6,500 | 9,000 | 16,000 | 39,000
    Legal | 6,000 | 12,000 | 20,000 | 23,000 | 26,000 | 29,000 | 39,000 | 79,000
    Art, Design | 2,500 | 4,500 | 8,000 | 9,000 | 10,000 | 11,000 | 15,000 | 30,000
    Sales | 11,000 | 22,000 | 38,000 | 47,000 | 55,000 | 67,000 | 97,000 | 218,000
    Office | 146,000 | 256,000 | 410,000 | 475,000 | 541,000 | 616,000 | 815,000 | 1,600,000
    Total | 315,000 | 540,000 | 830,000 | 960,000 | 1,100,000 | 1,200,000 | 1,700,000 | 3,400,000
  • 21. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 22. Agenda
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Summary
  • 23. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Case Studies
    • Summary
  • 24. UAC – NAC Market Leader The Forrester Wave™: Network Access Control, Q3 2008
  • 25. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 26. Agenda
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Summary
  • 27. Central Policy Coordination
    • Seamless AAA integration
    • Comprehensive endpoint integrity
      • Automatic and manual remediation
      • Dynamic updates
    • Standards-based (TNC, 802.1X, RADIUS,…)
    • Unmatched scale, resilient HA
    • Enterprise-wide management
    • Security hardened
    UAC “Nerve Center” IC Series IDP Series SA Series Firewall STRM Series 802.1X Switches & APs EX Series SRX Series
  • 28. Complete 802.1X NAC
    • EX Series Ethernet Switch support
      • Identity-based QoS, bandwidth limiting, and priority scheduling
      • Mirror traffic to IDP for monitoring and logging
    • Vendor agnostic
      • Supports ANY vendor’s 802.1X-compatible switches and access points
    • Granular policy capabilities
      • VLANs, ACLs, QoS,…
    IC Series EX Series Any 802.1X Switch/AP 802.1X NAC
  • 29. Identity-Aware Security
    • Enables true mobility
      • Eliminate ACLs – “follow the user” policies
      • Identity-based, secure network segmentation
    • Supports any Juniper security policy
      • SRX Series Services Gateways
      • ScreenOS firewalls
      • IDP Application Layer Enforcer
    SSG Series SRX Series IDP IC Series Corporate Data Center Identity-Aware Security Apps Data Finance Video
  • 30. Proven Endpoint Control
    • Comprehensive integrity checks
      • Antivirus, personal firewall, OS and application patches, anti-X, machine certificates, custom checks,…
    • Simple, automatic
      • Remediation – unparalleled user experience
      • Updates – reduces administrative tasks
    • Standards-based
    • Cross-platform support
      • Windows, Mac, Linux
      • Native Windows supplicant
    Endpoint Control
  • 31. Enterprise-Wide Access Control
    • Federated Remote/Local Access
      • Single login protected network/resource access
      • Intelligently provisions network access
      • Simplifies user experience
    • Shared, centrally managed policies
    Corporate Data Center Apps Finance Video Local User SA-Series Internet IC Series IF-MAP UAC Enforcer NSM Policies Policies Enterprise-Wide Access Control
  • 32. Management and Visibility
    • Juniper NSM: Central management
    • Juniper STRM: Strong visibility; comprehensive reporting and analysis
    • Comprehensive Juniper portfolio coverage
    Management/ Visibility
  • 33.
    • Identity-enabled anomaly detection and mitigation
      • Remote or local access
      • Isolate threat to specific user or device
    • Employs specific, configurable policy actions
    • Addresses insider threats quickly
    Coordinated Threat Control IDP Series EX Series IC Series Application Servers Firewalls UAC Enforcement Points 802.1X Switches/APs Coordinated Threat Control
  • 34. Odyssey Access Client (OAC) STRM Series UAC Agent UAC Agent-less Mode Policies NSM Policies Cross-Portfolio, Integrated Access Control EX3200 EX4200 IDP Series Firewall SSG Series ISG Series SRX Series Application Servers IC Series UAC Appliance SBR Series SA Series SA Series
  • 35. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 36. Agenda
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Summary
  • 37. Basic NAC Enforcement
    • 1. “Sales” user logs in from unpatched machine
    • 2. EX quarantines user – access patch server only – automatically remediated
    • 3. Remediation success; full access granted
      • IC-EX establish VLAN, ACLs, and QoS for session
      • UAC pushes role-based FW policies to SRX
      • UAC pushes application-layer policies to IDP
    • 4. User attempt to access “Finance” data blocked
    Diagram labels: Local User, Patch Remediation, EX Series, SRX Series, IDP Series, IC Series, Corporate Data Center (Apps, Data, Finance, Video)
  • 38. Enterprise-wide Access Control
    • 1. “Sales” user logs in from unpatched machine
    • 2. Quarantined for automatic patch remediation
    • 3. Remediation success; full access granted
      • SA session pushed to IC via IF-MAP
      • UAC pushes role-based FW policies to SRX
      • UAC pushes application-layer policies to IDP
    • 4. User attempt to access “Finance” data blocked
    • 5. IDP senses attack, informs IC
      • SA terminates user session
      • IC removes SRX/IDP access
    Diagram labels: Internet, Mobile User, Patch Remediation, SA Series, SRX Series, IDP Series, IC Series, Corporate Data Center (Apps, Data, Finance, Video)
  • 39. Coordinated Threat Control UAC and IDP Series
    • User accesses network
    • User attempts to access applications stored on Data Center
    • IDP detects network threat
    • Signals anomaly information to IC Series appliance
    • IC correlates network threat to specific user and device
    • IC pushes appropriate policy to UAC enforcement points
    • UAC enforcement points take appropriate access control actions against offending user and/or device
    Corporate Data Center 1 2 3 4 5 6 7 Local User Apps Data Finance Video EX Series Firewalls UAC Enforcement Points 802.1X Switches/APs IC Series IDP Series
  • 40. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 41. Agenda
    • Use Cases
    • Market Trends and Needs
    • NAC Market Leadership
    • Case Studies
    • Summary
  • 42. Case Study – Bangchak Petroleum Public Co. Ltd.
    • IC Series UAC Appliances
    • SSG Series Secure Services Gateways
    • Separates refinery control systems from business applications
    • Protects against catastrophic attacks, including control hijacking and other operational disruptions
    • Prevents and mitigates wide range of malware and emerging security threats
    • Harden the security of its distribution control system (DCS)
    • Help deliver compliance with the ISO-27001 information security management standard
    • Comprehensive oil business with refinery, sales and distribution operations, and >1,000 gas stations across Thailand
    • >20 year old company with annual revenues >$2 billion
    http://www.juniper.net/company/presscenter/pr/2008/pr_2008_09_10-12_47.html Who 1 Challenges 2 Why Juniper 3 Juniper Products 4
  • 43. Case Study – Portland Community College
    • IC 4000s
    • SSG 140s
    • Web-based authentication
    • Firewall-based enforcement
    • User authentication via ERP
    • Differentiated access based on user and/or role
    • Secure existing wireless LAN
    • Restrict access for authorized users and guests
    • Grant appropriate access to each user
    • Minimize administrative burden
    • Preserve academic openness
    • Regional community college
    • 86,000 students
    • 4,000 faculty, staff, and other users
    • 3 campuses, 5 work centers
    • Distance learning worldwide
    • 350 wireless access points
    http://www.juniper.net/solutions/customer_profiles/352262.pdf Who 1 Challenges 2 Why Juniper 3 Juniper Products 4
  • 44. Case Study – Equifax
    • IC Series UAC Appliances
    • SSG Series Secure Services Gateways
    • Robust endpoint assessment and authentication
    • Flexibility
    • Audit/monitor mode
    • Strong relationships and partnerships
    • Ensure assets accessing LAN meet customer security requirements
    • Restrict access to/for authenticated, authorized users only (employees, contractors, etc.)
    • Grant appropriate access to each user
    • Provider of value-added information solutions to businesses and consumers
    • 100+ year old Fortune 500 global information solutions leader with $1.8 billion in revenue and about 7,000 employees in 15 countries
    “Equifax Bolsters Border Security”, Network World, 7/3/08 http://www.juniper.net/solutions/literature/misc/equifax_on_uac.pdf Who 1 Challenges 2 Why Juniper 3 Juniper Products 4
  • 45. Agenda
    • Market Trends and Needs
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Case Studies
    • Summary
  • 46. Agenda
    • Use Cases
    • NAC Market Leadership
    • Coordinated Security Architecture
    • Architecture Examples
    • Summary
  • 47. Agenda
    • Use Cases
    • Market Trends and Needs
    • NAC Market Leadership
    • Case Studies
    • Summary
  • 48. UAC: Identity-Aware Security and Access Control
    • Dynamically handles guests, partners, contractors, unmanageable devices
    • Mitigate threats by controlling access across wired/wireless networks
    • Leverage IDP for correlating network threat information to dynamically protect the network
    • Control access to applications
    • Gain visibility and control for user/device access to network, resources and applications
    • Flexible solution to support access control in distributed networks
    • Centralized policy management across remote and local access
    • Centralized validation
    • Distributed enforcement
    Diagram labels: Data Center, Campus HQ Wired/Wireless, Branch Office, Internet, Corporate Offices, Applications, IC Series UAC Appliance, HQ User, EX Series, ISG Series, SRX Series, IDP Series, ISG Series with IDP, Branch User, SSG Series, SA Series, NSM, Policies
  • 49. THANK YOU | Copyright © 2009 Juniper Networks, Inc. | www.juniper.net
  • 50. Additional Slides | Copyright © 2009 Juniper Networks, Inc. | www.juniper.net
  • 51. IC/IC + SA/IC Federation (IF-MAP) UAC Enforcer Corporate Data Center Apps Data Finance Video IC/IC Federation IC 1 Local User UAC Enforcer IDP Enforcer IC 2 IF-MAP EMEA HQ US HQ SA/IC Federation Local User SA-Series Internet IC-Series IF-MAP UAC Enforcer
  • 52. UAC and IF-MAP – Open Access Control
    • IC Series – Industry’s first IF-MAP server!
    • TNC standard
    • Enforcement for third-party devices
    • Coordinated defense/response across multi-vendor deployments
    • Intuitive policies based on user identity and role vs. IP address
    IC Series IDP Series SA Series DLP IDS Third-Party Appliance Firewall Third-Party Firewall STRM Series 802.1X Switches & APs SIEM/SEM EX Series SRX Series
  • 53. Additional, New UAC 3.0 Features
    • UAC Agent Localization
      • Chinese (Traditional and Simple), Japanese, Korean, French (UI only)
    • UAC Agent – Windows 64-bit
    • Guest Account Provisioning Features
    • Client Upgrade Changes
    • Firewall VSYS Support
    • IC6500FIPS
  • 54. IC Series UAC Appliance Family
    • IC4500 UAC Appliance
      • For mid-range to large-sized enterprises
      • Supports from 25 to 5,000 simultaneous endpoint devices
    • IC6500 FIPS UAC Appliance
      • Same capabilities as IC6500
      • Adds FIPS certified hardware security module and tamper evident labels
    • IC6500 UAC Appliance
      • For large, multinational enterprise deployments
      • Supports up to 20,000 simultaneous endpoint devices per appliance
      • Supports up to 30,000 simultaneous endpoint devices in a 3-unit cluster
      • Redundant features include:
        • Dual, mirrored hot swappable SATA hard drives
        • Dual, hot swappable fans
        • Dual, hot swappable power supplies (optional)
  • 55. Juniper UAC and EX Series Ethernet Switches: Seamless Network Access Control 802.1X PROTECTED RESOURCES
    • Policy enforcement provided by EX Series switches and SSG Series, ISG Series, and SRX Series
    • IC Series appliance can push policy to EX Series switches for dynamic configuration based on user or device
    • Policy on EX Series switches can enforce specific QoS queuing or scheduling policies, VLAN assignment, or any other port configuration parameter
    Dynamic role provisioning AAA/Identity Stores AAA User, endpoint, location-based policies 1 2 2 3 1 UAC Agent EX Series IC Series UAC Appliance Firewall Apps Server
  • 56. UAC and EX Series Features: Identity-based QoS
    • QoS policies stored on IC Series appliance and sent to the EX Series switch, implementing dynamic QoS policies per user session
    • Bandwidth-limit guest traffic; mark with low-priority DSCP
    • Place ERP traffic in high-priority queue; mark with high-priority DSCP
    • Place e-mail traffic in best-effort queue; mark with medium-priority DSCP
    Diagram labels: Guest User, Marketing User, Finance User, EX Series, IC Series UAC Appliance, ERP Servers, Email Servers, Gateway Router, Corporate Network, Internet
  • 57. Customer Profile – Australian Unity
    • One of Australia's leading integrated financial institutions
    • National healthcare, financial services and retirement living organization, serving more than 400,000 Australians and employing over 1,000 staff
    • Invested in comprehensive range of Juniper Networks campus solutions including switching and network security technologies
      • EX Series switches provide high-performance, carrier-class Ethernet switching to help ensure uninterrupted business operations
      • UAC combines user identity, device security state and network location information to create unique network access control policy per user and per session, enforcing access policy at Layer 2 through 802.1X-enabled EX Series Ethernet Switches
      • NSM streamlines administration with a single, powerful management interface and embedded templates for rapid, enterprise-wide policy provisioning
      • Combining Secure Access SSL VPN, UAC and NSM ensures access and security policies created for remote access can be leveraged for LAN-based access, and vice-versa
    • Enables the company to meet the growing and rigorous technical and security demands of its organization while streamlining operations and reducing capital and operational expenses
    • https://www.juniper.net/us/en/company/press-center/press-releases/2009/pr_2009_01_15-17_31.html
  • 58. Standards-based Architecture
    • TNC open architecture for network access control
    • Suite of standards to ensure interoperability
    • Work Group of Trusted Computing Group (TCG)
    • Open standards
    • Leverages existing network infrastructure
    • Roadmap for the future (i.e., TPM)
    • Products supporting TNC standards shipping today
    Access Requester (AR) Policy Enforcement Point (PEP) Policy Decision Point (PDP) Wired Network Perimeter UAC Agent Metadata Access Point (MAP) Wireless IF-MAP Server IF-MAP Clients EX Series Firewall SRX Series SA Series DLP IDS Third-Party Appliances Third-Party Firewalls SIEM/SEM IC Series IC Series
  • 59. Windows Statement of Health (SOH) and Embedded NAP Agent Support
    • 1. Authenticate user, profile endpoint, determine location
    • 2. Dynamically provision policy enforcement
    • 3. External enforcement/validation of SOH, transmits info back for use in policy decisions
    • 4. Control access to protected resources
    Diagram labels: UAC Agent OR NAP Client, 802.1X Switches & Access Points, Juniper Firewall Platforms, Policy Server, Identity Stores, Applications and Data, UAC Enforcement Points, Microsoft NPS, IF-TNCCS-SOH, SRX Series, ISG Series, ISG Series with IDP, SSG Series, IC Series, EX Series
  • 60. St. Mary’s County (MD) Public Schools
    • IC4000 UAC Appliances
    • Same level of control over wired and wireless networks
    • Leverages existing 802.1X investment
    • Flexible, phased approach
    • Ensure strong access control for wireless communications
    • Protect networks against compromised laptops and wireless attacks
    • Support rollout of digital classrooms while minimizing administrative burden on IT staff
    • Public school district in Maryland
    • 16,000 students, 2,100 staff
    • 26 schools, Grades K-12
    http://www.juniper.net/solutions/customer_profiles/352264.pdf Who 1 Challenges 2 Why Juniper 3 Juniper Products 4
  • 61. St. Monica’s College (Australia)
    • IC4000 UAC Appliances
    • SA4000 SSL VPN Appliances
    • SSG140 Secure Services Gateways
    • WXC500 Application Acceleration Platforms
    • Ease of integration
    • Ease of use
    • A high level of security and reliability at a reasonable price
    • Centralized infrastructure
    • Build secure intranet to support learning management system
    • Secure converged voice, data and video applications
    • Enable 24/7, secure remote access to selected applications
    • Regional Catholic co-educational secondary college
    • Over 2,300 students, teachers and support staff
    • Two campuses, 1 km apart
    http://www.juniper.net/solutions/customer_profiles/352267.pdf Who 1 Challenges 2 Why Juniper 3 Juniper Products 4
  • 62.