Juniper sa-sslvpn

SA SERIES SSL VPN APPLIANCESPRODUCT LINE PRESENTATIONMay 19, 2010

AGENDA1. SSL VPN Market Overview2. SSL VPN Use Cases3. Access Control and AAA4. End-to-End Security5. Secure Meeting6. Hardware, Management and High Availability2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

BUSINESS CHALLENGE: GRANT ACCESS VS. ENFORCE SECURITYMaximize Productivity with Access... …While Enforcing Strict Security Allow partner access to applications  Allow access only to necessary (Extranet portal) applications and resources for certain users Increase employee productivity by providing anytime, anywhere access  Mitigate risks from unmanaged (Intranet, E-mail, terminal services) endpoints Customize experience and access for  Enforce consistent security policy diverse user groups (partners, suppliers, employees) Enable provisional workers (contractors, outsourcing) Support myriad of devices (smartphones, laptops, kiosks) …And the Solution Must Achieve Positive ROI  Minimize initial CAPEX costs  Lower ongoing administrative and support OPEX costs 3 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

IPSEC VPN VS. SSL VPN Internet Kiosk Mobile Branch Office Sales Users HR Internet Finance Internet Department DMZ-1 Partners, Servers Customers, Remote Office HQ Telecommuters Contractors IPSec VPN SSL VPN Employee Remote Access Telecommuters Remote/Branch Office Deployments Mobile Users Partner Extranets Fixed Site-to-Site Mobile or Fixed Managed Endpoints Managed or Unmanaged Endpoints Layer 3 Network Access Access Control Per Application IP to IP Control User to Application Control Access allowed from Unmanaged and Untrusted Access from Managed, Trusted Networks networks as well4 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

THE SOLUTION:JUNIPER NETWORKS SECURE ACCESS SSL VPN Mobile User – Cafe Secure SSL access to remote users from any device or location VoIP Teleworker Easy access from Web-browsers – no SA6500 client software to manage Dynamic, granular access control to manage users and resources Business Partner or Customer Single comprehensive solution to access various application types from various devices available Wireless/Mobile Device User Airport Kiosk User 5 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

JUNIPER NETWORKS SSL VPN MARKET LEADERSHIP Juniper maintains #1 market share position worldwide Leader since SSL VPN product category inception Source: 4Q09 Infonetics Research Network Security Appliances and Software Report6 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

ANALYST PRAISE & RECOGNITION 2008 Gartner Magic Quadrant for SSL VPN 2009 Magic Quadrant Key Takeaways: “Juniper has maintained the product vision, execution and overall momentum so effectively that it has held a leadership position continuously…” “…unchallenged disruptive sales advantage” “Juniper is the No. 1 competitive threat…” “Year after year, Junipers products earn a high satisfaction rating…” http://www.gartner.com/technology/media-products/reprints/juniper/vol6/article1/article1.html Source: Gartner (October 2009)7 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

JUNIPER SA SSL VPN RECOGNITION & AWARDS AwardWinning3rd PartyCertified MarketLeading Market share leader & proven solution with over 20,000 customers8 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

AGENDA1. SSL VPN Market Overview SSL VPN Use Cases3. Access Control and AAA4. End-to-End Security5. Secure Meeting6. Hardware, Management and High Availability9 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

#1 - REMOTE ACCESS AT LOWER OPERATING COSTS SA6500 Employees with Employees with Mobile Devices Corporate Laptops Employees Corporate with Home PCs Intranet Email Server Firewall Internet Router Applications ServerIncreased Productivity Increased Security Anytime, anywhere access from any device  Encrypted secure access to corporate resources No endpoint software to install or manage  Granular access control Easy access facilitated from common browsers  Comprehensive endpoint security enforcement 10 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

#2 - EXTRANET PORTALS WITH GREATER SECURITY SA6500 Suppliers Customers Corporate Intranet Client/Serer Partners Web Applications Firewall Applications Internet RouterAdministrative ease of use Enforcement of corporate security policies Easier management of authorized users  Granular access to select applications or resources No client software enforced on external users  Endpoint security enforced before granting access Access enabled from any Web-enabled device  No administrative hassle of managing users’ devices 11 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

#3 – MOBILE DEVICE ACCESS SA6500 Apple iPhone Corporate Intranet Email Firewall Server Internet Router Applications Server Improved Ease of Use, Higher Productivity  Access from any mobile device  ActiveSync facilitates secure access to Exchange  Enforce mobile device integrity and security12 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

AGENDA1. SSL VPN Market Overview2. SSL VPN Use Cases Access Control and AAA4. End-to-End Security5. Secure Meeting6. Hardware, Management and High Availability13 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

DYNAMIC ACCESS METHODS BY PURPOSE Three different access methods to control users’ access to resources Dynamic access control based on user, device, network, etc. Network Connect Secure Application Manager Core Access Access to Web-based applications, Layer-3 connectivity to corporate Access to client/server applications File shares, Telnet/SSH hosted apps, network such as Windows & Java applications and Outlook Web Access Supports all applications including One click access to applications Granular access control all the way resource intensive applications like such as Citrix, Microsoft Outlook, and up to the URL or file level VoIP & streaming media Lotus Notes Recommended for remote and Ideal for remote & mobile employees Ideal for remote & mobile employees mobile employees only as full and partners if they have client and partners accessing from network access is granted applications on their PCs unmanaged, untrusted networks Layer-3 access to corporate Granular client/server Granular web application network application access control access control14 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

CLIENTLESS ACCESS METHOD: CORE ACCESS Broad set of supported platforms Integrated E-mail Client and browsers Secure Terminal Access Secure, Easy Web Application  Access to Telnet/SSH (VT100, Access VT320…)  Pre-defined resource policies for  Anywhere access with no terminal Sharepoint, Lotus Webmail, etc. emulation client  Support for Flash, Java applets, HTML, Javascript, DHTML, XML, etc.  Support for Hosting & delivering any Java applet Secure File Share Access  Web front-end for Windows and Unix Files (CIFS/NFS)15 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

SECURE APPLICATION MANAGER Full cross platform support for both WSAM – secure traffic to specific Windows & Java versions client/server applications  Supports Windows Mobile/PPC, in Granular access control policies for addition to all Windows platforms client/server applications  Granular access and auditing/logging  Access applications without capabilities provisioning full Layer 3 tunnel  Installer Service available for  Eliminates costs, complexity, and constrained user privilege machines security risks of IPSec VPNs  No incremental software/hardware or JSAM – supports static TCP port customization to existing apps client/server applications  Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse  Drive mapping through NetBIOS support  Install without advanced user privileges16 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

LAYER-3 ACCESS METHOD: NETWORK CONNECT rmance SA Series High Perfo ode M Transport High Availability e Transport Mod Full Layer 3 Access to corporate network Dynamic, Dual Transport Mode  Dynamically tries SSL in case IPSec is blocked in the network Cross Platform Dynamic Download (Active-X or Java delivery) Launching options include – browser-based, standalone EXE, scriptable launcher and Microsoft Gina Client-side Logging, Auditing and Diagnostics available17 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

ACCESS METHODSTERMINAL SERVICES Seamlessly and securely access any Citrix or Windows Terminal Services deployment  Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, Hosted Java Applet  Replacement for Web Interface/NfuseNative TS Support  Granular Use Control  Secure Client delivery  Integrated Single Sign-on  Java RDP/JICA Fallback  WTS: Session Directory  Citrix: Auto-client reconnect/ session reliability  Many additional reliability, usability, access control options18 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

ACCESS METHODS VIRTUAL DESKTOP INFRASTRUCTURE (VDI) AAA Apps Servers SA Series FinanceRemote/Mobile User VMware VDI Server Citrix XenDesktop  SA interoperates with VMware View Manager and Citrix XenDesktop to enable administrators to consolidate and deploy virtual desktops with SA  Allows IT administrators to configure centralized remote access policies for users who access their virtual desktops  Dynamic delivery of Citrix ICA client or VMware View client to users, including dynamic client fallback options for easy connection to their virtual desktops  Benefits: – Seamless access (single sign-on) for remote users to their virtual desktops hosted on VMware or Citrix servers – Saves users time and improves their experience accessing their virtual desktops 19 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

ACCESS PRIVILEGE MANAGEMENT 1 USER / 1 URL / 3 DEVICES & LOCATIONS Pre-Authentication Authentication & Role Assignment Resource Policy Authorization Gathers information Applications available from user, network, Authenticate user Map Assign session to user endpoint user to role properties for user role •Host Check: Pass •Auth: Digital Certificate •Access Method: •Outlook (full version) •AV RTP On Network Connect •CRM Client/Server •Definitions up to date •Role Mapping: Managed •File Access: Enabled •Intranet •Machine Cert: Present •Timeout: 2 hours •Corp File Servers Managed •Device Type: Win XP •Host Check: Recurring •Sharepoint Laptop •Host Check: Fail •Auth: AD Username/ •Access Method: •Outlook Web Access •No AV Installed Password Core (no file up/download) •No Personal FW •SVW Enabled •CRM Web (read-only) •Machine Cert: None •Role Mapping: •File Access: Disabled •Intranet •Device Type: Mac OS Unmanaged •Timeout: 30 mins Unmanaged •Host Check: Recurring(Home PC/Kiosk) •Host Check: N/A •Auth: Digital Certificate •Access Method: •Outlook Mobile WSAM, Core •CRM Web •Machine Cert: None •Role Mapping: Mobile •File Access: Enabled •Intranet •Device Type: Win Mobile •Timeout: 30 mins •Corp File Servers 6.0 Mobile Device 20 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

ONE DEVICE FOR MULTIPLE GROUPS CUSTOMIZE POLICIES AND USER EXPERIENCE FOR DIVERSE USERSpartners.company.com “Partner” Role Authentication Username/Password Host Check Enabled – Any AV, PFW Access Core Clientless Applications MRP, Quote Toolemployees.company.com “Employee” Role SA Series Authentication OTP or Certificate Host Check Enabled – Any AV, PFW Access Core + Network Connect Applications L3 Access to Appscustomers.company.com “Customer” Role Authentication Username/Password Host Check Enabled – Any AV, PFW Access Core Clientless Applications Support Portal, Docs21 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

SEAMLESS AAA INTEGRATION Full Integration into customer AAA infrastructure  AD, LDAP, RADIUS, RSA SecurID, Certificate, etc.  Use of group membership and attributes for authorization/role mapping Password Management Integration  Users can manage their AD/LDAP passwords through SSL VPN Single Sign-On Capabilities  Seamless user experience for web applications  Forms, Header, SAML, Cookie, Basic Auth, NTLM v1/v2, Kerberos SAML Support – Web single sign-on, integration with I&AM platforms22 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

ENDPOINT SECURITYHost Checker Host Checker  Support for hundreds of leading Third Party applications - Check devices before & during session - Ensure device compliance with corporate policy  AV, Personal Firewall, Anti-Spyware, Anti-Malware, - Remediate devices when needed Windows patch checks, machine certificate checks + Custom policy definition - Cross platform support  Devices automatically learn latest signature versions from AV vendors Home PC User Airport Kiosk User  Check for AV installation, real-time protection status, SA Series definition file age  Varied remediation options to meet customer needsTrusted Network Connect (TNC) architecture forseamless integration with all TNC compliant endpoint - No Anti-Virus Installed - No anti-virus installedsecurity products/vendors - Personal Firewall enabled - No personal firewall  Leverage existing endpoint security application - User remediated  install - User granted minimal anti-virus access deployments - Once installed, user granted access Antispyware Support with Enhanced Endpoint Security (EES) Functionality  Antispyware integrated from Webroot, the market leader in antispyware solutions Corporate PC User Secure Virtual Workspace  Creates protected virtual system for untrusted machine Cache Cleaner - AV Real-Time Protection running  Remove browser contents/history at conclusion of user - Personal Firewall Enabled session - Virus Definitions Up To Date - User granted full access 24 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

ANTISPYWARE SUPPORT WITH ENHANCED ENDPOINTSECURITY (EES) FUNCTIONALITYNumber of newly discovered malicious programs are growingCost enterprises time, money, and productivity to quarantine and Antispyware /remediate contaminated endpoints antimalware software dynamicallyAddressing growth in malware, SA and UAC now dynamically provisioned todownload antispyware/antimalware software to endpoints endpoints  Regardless of user or location SA SeriesAntispyware integrated from Webroot, the market leader inantispyware solutions UAC SeriesNumber of simultaneous endpoints that can use the feature willdepend on the optional subscription license orderedCustomer Benefits: Data & Applications Road  Ensure only healthy devices are granted network access Warrior, Malware Partner, or  Protect corporate resources from infected endpoints Employee  Real time shield is always on with memory scan and virus signatures  Save IT time and money from correcting individual endpoints; decrease user downtime that affects productivity 25 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

UAC-SA FEDERATION DIAGRAM Campus HQ Wired/ Wireless Data Center IC Series UAC Appliance 2) SSL VPN talks to IC to 3) IC provisions access L2 Switch let IC know of user session control rules on UAC enforcement points Applications and roles provisioned SA Series SSL VPN ISG Series with IDP LAN User 4) User accesses resources 1) Remote user logs into SSL protected by UAC with single VPN login SSL VPN provisions remote access sessions Internet • Consistent policies for remote and LAN access • Policy servers that can share knowledge of users for intelligent Remote User provisioning of access inside network26 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

JUNIPER’S COORDINATED THREAT CONTROL 3 - SA identifies user 2 - Signaling protocol 1 - IDP detects & takes action on user to notify SSL VPN of threat and stops session attack traffic Partner Intermediated traffic Internet LAN SA Series IDP Tunneled traffic EmployeeCorrelated Threat Information Comprehensive Threat Detection Coordinated Identity-Based Threat and Prevention• Identity Response• Endpoint •Ability to detect and prevent• Access history • Manual or automatic response malicious traffic • Response options: •Full layer 2-7 visibility into all• Detailed traffic & threat • Terminate session trafficinformation • Disable user account •True end-to-end security • Quarantine user • Supplements IDP threat prevention 27 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

JUNOS PULSEDynamically provisioned software client for:  Remote access  Enterprise LAN access control  WAN acceleration  Dynamic VPN (for SRX)Easy-to-use, intuitive user experienceLocation aware with dynamic sessionmigrationIdentity-enabledStandards-basedIntegration platform for select 3rd party Builds on Juniper’sapplications (e.g. Webroot antimalware) market leading SA Series SSL VPN, UAC solution, and WXC technology!28 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

JUNIPER NETWORKS ICE FOR BUSINESS CONTINUITY Meeting the peak in demand for remote access in the event of a disaster Juniper Networks ICE delivers  Proven market-leading SSL Peak Demand VPN  Easy deploymentsNumber of Remote Users  Instant activation  Investment protection  Affordable risk protection What will you do Average usage when your non- remote users need access? Unplanned event Time29 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

SECURE MEETINGINSTANT COLLABORATION/REMOTE HELPDESK Easy to Use Web Conferencing  Share desktop/applications Instant or scheduled online  Group and private chat collaboration Easy to Deploy and Maintain  No pre-installed software required  Web-based, cross platform  Personalized meeting URLs for users  https://meeting.company.com/ meeting/johndoe Affordable – No usage/service fees Secure  Fully encrypted/secured traffic using SSL  No peer-to-peer backdoor  User credentials protected Remote Helpdesk Functionality  Automatic desktop sharing/remote control request31 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

JUNIPER SSL VPN PRODUCT FAMILYFUNCTIONALITY AND SCALABILITY TO MEET CUSTOMER NEEDS Options/upgrades: Options/upgrades: Options/upgrades: Options/upgrades: • 10-25 conc. users • 25-100 conc. users • 50-1000 conc. users • Up to 30K conc. users • Core Clientless • Secure Meeting • Secure Meeting • Secure Meeting Access • Cluster Pairs • Instant Virtual System • Instant Virtual System • Network & Security • EES • SSL Acceleration • 4-port SFP card Manager (NSM) • NSM • Cluster Pairs • 2nd power supply or • EES DC power supply • NSM • Multi-Unit Clusters • EES • NSMBreadth of Functionality Secure Access 6500 Secure Access 4500 Secure Access 2500 Designed for: Designed for: Large enterprises & SPs Designed for: Medium to large Secure remote, intranet Secure Access 700 Medium enterprise enterprise and extranet access Secure remote, intranet Secure remote, intranet Includes: and extranet access and extranet access Core Clientless Access Designed for: Includes: Includes: SAMNC SMEs Core Clientless Access Core Clientless Access SSL acceleration Secure remote access SAMNC SAMNC Hot swap drives, fans Includes: Network Connect Enterprise Size All models are now Common Criteria EAL3+ certified: http://www.dsd.gov.au/infosec/evaluation_services/epl/network_security/juniper_networks_SAF.html33 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

SECURE ACCESS FEATURES Secure Meeting License High Availability License  Active-Passive or Active-Active support  Stateful session failover Enhanced Endpoint Security (EES) License Advanced troubleshooting tools for quick issue resolution  Policy trace, session recording, system snapshot, etc. Granular Role-based administration Detailed logging and log filtering Config Import/Export  Configuration backup/archiving FIPS Certified Product Available34 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

USEFUL LINKS What’s New: New features in respective release. http://www.juniper.net/techpubs/software/ive/releasenotes/6.5-whats_new.p Supported Platforms: http://www.juniper.net/techpubs/software/ive/releasenotes/SA-SupportedPl Client Side Changes: http://www.juniper.net/techpubs/software/ive/admin/6.5-ClientSideChanges35 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

WHY JUNIPER FOR SSL VPN? Core Competence in Performance, Scalability & HA SSL-based Access  Differentiated hardware platforms  Proven in tens of thousands of customer  Global & local stateful clustering deployments!  Compression, SSL acceleration, GBIC  Market leadership/industry Awards connectors, dual hot-swappable hard  Product maturity disks, power supplies, and fans Single Platform for All Ease of Administration Enterprise Remote Access Needs  Centralized management  Support for complex Web content, Files,  Granular role-based delegation Telnet/SSH using only a browser  Extensive integration with existing  Client/Server applications directories  Adaptive dual transport method for  Native automatic endpoint remediation network-layer access and password management integration End-to-End Security  Robust host checking capabilities  Dynamic Access Privilege Management  3rd party security audits36 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

Juniper sa-sslvpn

by n|u - The Open Security Community on Jun 21, 2012

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 336

Statistics