2. Technical Overview
Features:
- Extranet-style web interface for access to resources
- Full/split tunnel capabilities with Network Connect
- Mobile ready with Junos Pulse
- No client installation required for the web-based access modes (Network Connect and Junos Pulse are clients and do have to be installed or launched)
- Granular Authentication, Authorization and Auditing capabilities
- Secure Meeting Space
3. Basic Concepts
The Juniper model for secure remote access is granular: each component can be administered en masse or individually.
Realms -> Users -> Roles -> Resources
- Realms: groupings of authentication resources (RADIUS, AD, LDAP, local, etc.)
- Users: user objects (the individuals who will be granted access)
- Roles: ad-hoc groups of users; a role can be mapped from one or more security groups
- Resources: the specific network resources that a role is permitted to reach, for example:
    RDP connections to servers
    Web pages
    Network CIDR blocks (e.g., 165.124.188.0/26)
    File shares
Access is decided bottom-up: a user authenticates against a realm, the realm maps the user into roles, and each role carries the resource policies that are actually enforced.
5. IPsec VPN v. SSL VPN: What's the difference?
IPsec
- Designed for site-to-site encryption over insecure networks
- Encapsulates packets at the network layer
- Operates in two modes:
    Transport mode: only the packet payload (e.g., the TCP segment) is encrypted and authenticated; the original IP header travels in the clear, so the two communicating hosts must themselves be the IPsec peers
    Tunnel mode: the entire original IP packet, header included, is wrapped inside a new IP packet addressed between the IPsec endpoints (gateway to gateway, or gateway to remote user); this is the mode used for site-to-site and remote-access tunnels
8. SSL VPN
- Designed specifically for individual remote access to resources
- Allows for granular, per-resource access control
- Requires no software installation or configuration for the clientless (web) access modes; a browser that speaks TLS is enough
- Gives users a seamless experience: no more connecting and disconnecting a tunnel client
IPsec was originally developed to secure site-to-site traffic between physically separated hosts or networks. It was the answer to securing inter-site traffic as companies transitioned from private PPP and leased links to Internet connections; note that it was NOT specifically designed for remote access.

Establishing an IPsec tunnel is compute-intensive and heavyweight: an IKE negotiation (including a Diffie-Hellman exchange) sets up the security associations, and every packet after that is encrypted and authenticated with ESP. It takes the same horsepower to establish a site-to-site tunnel as a remote-access tunnel; they are essentially the same thing, with the same memory footprint and the same algorithms, differing only slightly in how authentication and key exchange are handled. (GRE, which is often carried over IPsec, adds encapsulation but no security of its own.) Therefore specific client software or hardware has to be installed and configured to get these tunnels up and running: the Cisco VPN client we are all so familiar with, or PIX/ASA/SPA hardware. This becomes a real problem when you are dealing with consultants or contractors you will never meet: how do you get the client software or hardware installed properly?

IPsec handles packets at the network layer of the Internet model. This is important because it means applications can function over an IPsec connection without having to be modified or hacked up. Notable exceptions: multicast traffic, and NAT'd client traffic. AH fails behind NAT by design, because its integrity check covers the IP header fields that the NAT rewrites; ESP in transport mode fails because the TCP/UDP checksum inside the encrypted payload was computed over the original addresses, which the NAT has changed. NAT traversal (UDP encapsulation of ESP, with the receiver fixing up the inner checksum) was added later to work around this for tunnel-mode clients.

This also means that, since the connection is a true IP connection, the end user (or network) truly becomes a node on the destination network and can interact with devices, or provide services to the network, as if it were local. From many users' perspective this is a benefit: they can work exactly as they are used to at the office. From a security perspective it is a downside. It is functionally equivalent to handing a contractor a network cable: unless you add firewall rules on the tunnel, there is no real, granular authorization and little audit trail.
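The difference between the two IPsec modes, and the NAT exception in the notes above, can be made concrete with a small model. The following is an added illustration for these slides, not vendor code and not real ESP/AH encoding: "sealing" stands in for ESP encryption (the NAT box cannot read or patch anything inside it), the AH integrity check is modelled as an HMAC over the outer addresses plus the payload, the addresses are constructed documentation-range values, and the AH key is a made-up demo key. What is real is the TCP checksum arithmetic (RFC 1071 over the RFC 793 pseudo-header), which is exactly the part NAT breaks.

```python
"""Transport vs. tunnel mode on the wire, and why NAT breaks transport mode and AH.

Added example, not from the slides. Addresses and AH_KEY are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_KEY = b"demo-key-not-real"   # constructed demo key for the AH-style HMAC


def packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over arbitrary bytes (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header containing the IP addresses."""
    pseudo = packed(src) + packed(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    # 20-byte header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = tcp_checksum(src, dst, header + payload)
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return header + payload


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # Summing over a segment whose checksum field is already filled in yields 0.
    return tcp_checksum(src, dst, segment) == 0


def esp_transport(src: str, dst: str, segment: bytes) -> dict:
    """Transport mode: original IP header stays in the clear; only the segment is sealed."""
    return {"ip_src": src, "ip_dst": dst, "sealed": segment}


def esp_tunnel(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str, segment: bytes) -> dict:
    """Tunnel mode: whole original packet (addresses + segment) sealed behind a new outer header."""
    return {"ip_src": outer_src, "ip_dst": outer_dst,
            "sealed": packed(inner_src) + packed(inner_dst) + segment}


def ah_sign(packet: dict) -> dict:
    """AH-style ICV: covers the outer addresses *and* the payload."""
    msg = packed(packet["ip_src"]) + packed(packet["ip_dst"]) + packet["sealed"]
    return dict(packet, icv=hmac.new(AH_KEY, msg, hashlib.sha256).digest())


def ah_verify(packet: dict) -> bool:
    msg = packed(packet["ip_src"]) + packed(packet["ip_dst"]) + packet["sealed"]
    return hmac.compare_digest(packet["icv"], hmac.new(AH_KEY, msg, hashlib.sha256).digest())


def nat_rewrite_source(packet: dict, public_ip: str) -> dict:
    """A NAT can only rewrite the clear-text outer header; the sealed part is opaque to it."""
    return dict(packet, ip_src=public_ip)


def receive_transport(packet: dict) -> bool:
    # The receiver has only the outer header (possibly NAT-rewritten) for the pseudo-header.
    return tcp_checksum_ok(packet["ip_src"], packet["ip_dst"], packet["sealed"])


def receive_tunnel(packet: dict) -> bool:
    inner = packet["sealed"]
    inner_src = str(ipaddress.IPv4Address(inner[0:4]))
    inner_dst = str(ipaddress.IPv4Address(inner[4:8]))
    return tcp_checksum_ok(inner_src, inner_dst, inner[8:])


def demo() -> dict:
    client, gateway = "192.168.1.10", "203.0.113.1"     # constructed: home PC behind NAT, VPN gateway
    server, nat_pub = "203.0.113.20", "198.51.100.7"    # constructed: internal server, NAT public IP
    seg = build_tcp_segment(client, server, 40000, 443, b"GET / HTTP/1.1\r\n")
    transport = esp_transport(client, server, seg)
    tunnel = esp_tunnel(client, gateway, client, server, seg)
    return {
        "transport_no_nat": receive_transport(transport),
        "transport_nat": receive_transport(nat_rewrite_source(transport, nat_pub)),
        "tunnel_nat": receive_tunnel(nat_rewrite_source(tunnel, nat_pub)),
        "ah_tunnel_nat": ah_verify(nat_rewrite_source(ah_sign(tunnel), nat_pub)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

Running it shows transport mode verifying fine without NAT and failing once the source address is rewritten, tunnel mode surviving the same NAT because the checksum was computed over the inner header the NAT never saw, and AH failing in either mode because its ICV deliberately covers the outer addresses.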
Another pro of SSL VPNs is more precise access control. First, they provide access to specific applications rather than to the entire corporate LAN, so users on SSL VPN connections can reach only the applications they are configured for rather than the whole network. Second, it is easier to give different access rights to different users and to exercise finer-grained control over user access; because every request is brokered by the gateway as an authenticated, authorized event, it can also be logged, which is the audit trail a raw IPsec tunnel lacks.
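The Realms -> Users -> Roles -> Resources chain from the Basic Concepts slide, and the per-user, per-application control described just above, come down to a deny-by-default policy lookup. The following is an added example written for these slides, not Juniper code: the class names, the policy layout, the group-to-role mapping and the audit record are assumptions made for illustration (the appliance's own configuration model is richer), and the users, groups and hostnames are constructed. The CIDR block is the one from the slide.

```python
"""Realms -> Users -> Roles -> Resources as a deny-by-default authorization check.

Added example, not Juniper code. Names, policy layout and audit record are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str     # "web" (URL prefix), "rdp" (host:port), "net" (CIDR), "file" (UNC prefix)
    target: str


@dataclass(frozen=True)
class Role:
    name: str
    resources: tuple


@dataclass(frozen=True)
class Realm:
    name: str
    auth_server: str      # e.g. "RADIUS", "AD"; descriptive only in this model
    group_to_roles: dict  # directory group returned at login -> role names


@dataclass(frozen=True)
class User:
    name: str
    realm: str            # the realm this session authenticated against
    groups: frozenset     # groups the realm's auth server returned for the user


def matches(resource: Resource, kind: str, target: str) -> bool:
    """Does one resource policy cover this request?"""
    if resource.kind != kind:
        return False
    if kind == "net":
        host = target.rsplit(":", 1)[0]        # "ip:port" -> ip
        return ipaddress.ip_address(host) in ipaddress.ip_network(resource.target)
    return target.startswith(resource.target)


def granting_role(user: User, realm: Realm, roles: dict, kind: str, target: str):
    """First (group, role) pair whose resource policies cover the request, else None."""
    for group in sorted(user.groups):
        for role_name in realm.group_to_roles.get(group, ()):
            if any(matches(r, kind, target) for r in roles[role_name].resources):
                return group, role_name
    return None


def authorize(user: User, realm: Realm, roles: dict, kind: str, target: str, audit: list) -> bool:
    """Deny unless the session's realm maps the user into a role that lists the resource.

    Every decision, allowed or denied, is appended to `audit` (a constructed record
    layout): this is the per-request trail a flat IPsec tunnel never produces.
    """
    if user.realm != realm.name:
        outcome = ("deny", "session not authenticated in this realm")
    else:
        hit = granting_role(user, realm, roles, kind, target)
        outcome = (("allow", f"role {hit[1]} via group {hit[0]}") if hit
                   else ("deny", "no mapped role grants this resource"))
    audit.append((user.name, realm.name, kind, target, *outcome))
    return outcome[0] == "allow"


# Constructed sample policy: one contractor realm, one employee realm, two roles.
ROLES = {
    "projectx-web": Role("projectx-web", (
        Resource("web", "https://intranet.example.org/projectx/"),
        Resource("rdp", "app01.example.org:3389"),
    )),
    "netops": Role("netops", (Resource("net", "165.124.188.0/26"),)),
}
CONTRACTORS = Realm("Contractors", "RADIUS", {"ProjectX": ("projectx-web",)})
EMPLOYEES = Realm("Employees", "AD", {"NetOps": ("netops",), "ProjectX": ("projectx-web",)})


def demo():
    audit = []
    alice = User("alice", "Contractors", frozenset({"ProjectX"}))   # constructed contractor
    bob = User("bob", "Employees", frozenset({"NetOps"}))            # constructed employee
    page = "https://intranet.example.org/projectx/status"
    results = {
        "alice_projectx_page": authorize(alice, CONTRACTORS, ROLES, "web", page, audit),
        "alice_finance_page": authorize(alice, CONTRACTORS, ROLES, "web",
                                        "https://intranet.example.org/finance/", audit),
        "alice_ssh_to_net": authorize(alice, CONTRACTORS, ROLES, "net", "165.124.188.10:22", audit),
        "alice_wrong_realm": authorize(alice, EMPLOYEES, ROLES, "web", page, audit),
        "bob_ssh_inside_block": authorize(bob, EMPLOYEES, ROLES, "net", "165.124.188.10:22", audit),
        "bob_ssh_outside_block": authorize(bob, EMPLOYEES, ROLES, "net", "165.124.188.70:22", audit),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    for entry in audit:
        print(entry)
```

The contractor reaches only the project pages her role lists, the network role stops at the edge of the /26 from the slide, and a session from the wrong realm is refused even for a resource the user would otherwise be entitled to; every one of those decisions lands in the audit list, which is the contrast with the "network cable" that an unfiltered IPsec tunnel amounts to.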