Description: Banglore June 2012 Meet
SA SERIES SSL VPN APPLIANCES PRODUCT LINE PRESENTATION
May 19, 2010
2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net
AGENDA
1. SSL VPN Market Overview
2. SSL VPN Use Cases
3. Access Control and AAA
4. End-to-End Security
5. Secure Meeting
6. Hardware, Management and High Availability
BUSINESS CHALLENGE: GRANT ACCESS VS. ENFORCE SECURITY
Maximize Productivity with Access...
- Allow partner access to applications (Extranet portal)
- Increase employee productivity by providing anytime, anywhere access (Intranet, E-mail, terminal services)
- Customize experience and access for diverse user groups (partners, suppliers, employees)
- Enable provisional workers (contractors, outsourcing)
- Support a myriad of devices (smartphones, laptops, kiosks)
…While Enforcing Strict Security
- Allow access only to necessary applications and resources for certain users
- Mitigate risks from unmanaged endpoints
- Enforce consistent security policy
…And the Solution Must Achieve Positive ROI
- Minimize initial CAPEX costs
- Lower ongoing administrative and support OPEX costs
IPSEC VPN VS. SSL VPN
[Diagram: Branch Office, Remote Office, HQ (Department Servers in DMZ-1: Finance, HR, Sales), Mobile Users, Telecommuters, Partners/Customers/Contractors and an Internet Kiosk, all connecting over the Internet]
IPSec VPN
- Remote/Branch Office Deployments
- Fixed Site-to-Site
- Managed Endpoints
- Layer 3 Network Access
- IP to IP Control
- Access from Managed, Trusted Networks
SSL VPN
- Employee Remote Access, Telecommuters, Mobile Users, Partner Extranets
- Mobile or Fixed
- Managed or Unmanaged Endpoints
- Access Control Per Application
- User to Application Control
- Access allowed from Unmanaged and Untrusted networks as well
THE SOLUTION: JUNIPER NETWORKS SECURE ACCESS SSL VPN
[Diagram: VoIP Teleworker, Business Partner or Customer, Wireless/Mobile Device User, Airport Kiosk User and Mobile User (Cafe) connecting to an SA6500]
- Secure SSL access to remote users from any device or location
- Easy access from Web-browsers – no client software to manage
- Dynamic, granular access control to manage users and resources
- Single comprehensive solution to access various application types from various devices available
JUNIPER NETWORKS SSL VPN MARKET LEADERSHIP
Source: 4Q09 Infonetics Research Network Security Appliances and Software Report
Juniper maintains #1 market share position worldwide
Leader since SSL VPN product category inception
ANALYST PRAISE & RECOGNITION
2008 Gartner Magic Quadrant for SSL VPN
Source: Gartner (October 2009)
http://www.gartner.com/technology/media-products/reprints/juniper/vol6/article1/article1.html
2009 Magic Quadrant Key Takeaways:
“Juniper has maintained the product vision, execution and overall momentum so effectively that it has held a leadership position continuously…”
“…unchallenged disruptive sales advantage”
“Juniper is the No. 1 competitive threat…”
“Year after year, Juniper's products earn a high satisfaction rating…”
JUNIPER SA SSL VPN RECOGNITION & AWARDS
Award Winning
Market Leading
3rd Party Certified
Market share leader & proven solution with over 20,000 customers
AGENDA (section 2): SSL VPN Use Cases
#1 - REMOTE ACCESS AT LOWER OPERATING COSTS
[Diagram: Employees with Corporate Laptops, Home PCs and Mobile Devices reach the Applications Server, Corporate Intranet and Email Server through the Internet, Router, Firewall and SA6500]
Increased Productivity
- Anytime, anywhere access from any device
- No endpoint software to install or manage
- Easy access facilitated from common browsers
Increased Security
- Encrypted secure access to corporate resources
- Granular access control
- Comprehensive endpoint security enforcement
#2 - EXTRANET PORTALS WITH GREATER SECURITY
[Diagram: Partners, Suppliers and Customers reach Web Applications, Client/Server Applications and the Corporate Intranet through the Internet, Router, Firewall and SA6500]
Administrative ease of use
- Easier management of authorized users
- No client software enforced on external users
- Access enabled from any Web-enabled device
Enforcement of corporate security policies
- Granular access to select applications or resources
- Endpoint security enforced before granting access
- No administrative hassle of managing users’ devices
#3 – MOBILE DEVICE ACCESS
[Diagram: an Apple iPhone reaches the Applications Server, Corporate Intranet and Email Server through the Internet, Router, Firewall and SA6500]
Improved Ease of Use, Higher Productivity
- Access from any mobile device
- ActiveSync facilitates secure access to Exchange
- Enforce mobile device integrity and security
AGENDA (section 3): Access Control and AAA
DYNAMIC ACCESS METHODS BY PURPOSE
Three different access methods to control users’ access to resources; dynamic access control based on user, device, network, etc.
Network Connect (Layer-3 access to corporate network)
- Layer-3 connectivity to corporate network
- Supports all applications including resource intensive applications like VoIP & streaming media
- Recommended for remote and mobile employees only, as full network access is granted
Secure Application Manager (granular client/server application access control)
- Access to client/server applications such as Windows & Java applications
- One click access to applications such as Citrix, Microsoft Outlook, and Lotus Notes
- Ideal for remote & mobile employees and partners if they have client applications on their PCs
Core Access (granular web application access control)
- Access to Web-based applications, File shares, Telnet/SSH hosted apps, and Outlook Web Access
- Granular access control all the way up to the URL or file level
- Ideal for remote & mobile employees and partners accessing from unmanaged, untrusted networks
CLIENTLESS ACCESS METHOD: CORE ACCESS
- Broad set of supported platforms and browsers
Secure, Easy Web Application Access
- Pre-defined resource policies for Sharepoint, Lotus Webmail, etc.
- Support for Flash, Java applets, HTML, Javascript, DHTML, XML, etc.
- Support for hosting & delivering any Java applet
Secure File Share Access
- Web front-end for Windows and Unix files (CIFS/NFS)
Integrated E-mail Client
Secure Terminal Access
- Access to Telnet/SSH (VT100, VT320…)
- Anywhere access with no terminal emulation client
SECURE APPLICATION MANAGER
- Full cross platform support for both Windows & Java versions
- Granular access control policies for client/server applications
- Access applications without provisioning a full Layer 3 tunnel
- Eliminates costs, complexity, and security risks of IPSec VPNs
- No incremental software/hardware or customization to existing apps
WSAM – secure traffic to specific client/server applications
- Supports Windows Mobile/PPC, in addition to all Windows platforms
- Granular access and auditing/logging capabilities
- Installer Service available for constrained user privilege machines
JSAM – supports static TCP port client/server applications
- Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
- Drive mapping through NetBIOS support
- Install without advanced user privileges
LAYER-3 ACCESS METHOD: NETWORK CONNECT
- Full Layer 3 Access to corporate network
- Dynamic, Dual Transport Mode: dynamically tries SSL in case IPSec is blocked in the network
- Cross Platform Dynamic Download (Active-X or Java delivery)
- Launching options include browser-based, standalone EXE, scriptable launcher and Microsoft Gina
- Client-side Logging, Auditing and Diagnostics available
[Diagram: SA Series with a High Performance Transport Mode and a High Availability Transport Mode]
ACCESS METHODS: TERMINAL SERVICES
- Seamlessly and securely access any Citrix or Windows Terminal Services deployment
- Intermediate traffic via native TS support, WSAM, JSAM, Network Connect, Hosted Java Applet
- Replacement for Web Interface/NFuse
Native TS Support
- Granular Use Control
- Secure Client delivery
- Integrated Single Sign-on
- Java RDP/JICA Fallback
- WTS: Session Directory
- Citrix: Auto-client reconnect/session reliability
- Many additional reliability, usability, access control options
ACCESS METHODS: VIRTUAL DESKTOP INFRASTRUCTURE (VDI)
[Diagram: Remote/Mobile User to the SA Series with AAA; behind it Apps Servers, a Finance Server, VMware VDI and Citrix XenDesktop]
- SA interoperates with VMware View Manager and Citrix XenDesktop to enable administrators to consolidate and deploy virtual desktops with SA
- Allows IT administrators to configure centralized remote access policies for users who access their virtual desktops
- Dynamic delivery of the Citrix ICA client or VMware View client to users, including dynamic client fallback options for easy connection to their virtual desktops
Benefits:
- Seamless access (single sign-on) for remote users to their virtual desktops hosted on VMware or Citrix servers
- Saves users time and improves their experience accessing their virtual desktops
ACCESS PRIVILEGE MANAGEMENT: 1 USER / 1 URL / 3 DEVICES & LOCATIONS
1. Pre-Authentication: gathers information from user, network, endpoint
2. Authentication & Authorization: authenticate user, map user to role
3. Role Assignment: assign session properties for user role
4. Resource Policy: applications available to user

Managed Laptop
- Pre-auth: Host Check: Pass; AV RTP On; Definitions up to date; Machine Cert: Present; Device Type: Win XP
- Auth: Digital Certificate; Role Mapping: Managed
- Session: Access Method: Network Connect; File Access: Enabled; Timeout: 2 hours; Host Check: Recurring
- Applications: Outlook (full version); CRM Client/Server; Intranet; Corp File Servers; Sharepoint

Unmanaged (Home PC/Kiosk)
- Pre-auth: Host Check: Fail; No AV Installed; No Personal FW; Machine Cert: None; Device Type: Mac OS
- Auth: AD Username/Password; Role Mapping: Unmanaged
- Session: Access Method: Core; SVW Enabled; File Access: Disabled; Timeout: 30 mins; Host Check: Recurring
- Applications: Outlook Web Access (no file up/download); CRM Web (read-only); Intranet

Mobile Device
- Pre-auth: Host Check: N/A; Machine Cert: None; Device Type: Win Mobile 6.0
- Auth: Digital Certificate; Role Mapping: Mobile
- Session: Access Method: WSAM, Core; File Access: Enabled; Timeout: 30 mins
- Applications: Outlook Mobile; CRM Web; Intranet; Corp File Servers
ONE DEVICE FOR MULTIPLE GROUPS: CUSTOMIZE POLICIES AND USER EXPERIENCE FOR DIVERSE USERS
[Diagram: one SA Series appliance serving customers.company.com, employees.company.com and partners.company.com]
“Partner” Role
- Authentication: Username/Password
- Host Check: Enabled – Any AV, PFW
- Access: Core Clientless
- Applications: MRP, Quote Tool
“Customer” Role
- Authentication: Username/Password
- Host Check: Enabled – Any AV, PFW
- Access: Core Clientless
- Applications: Support Portal, Docs
“Employee” Role
- Authentication: OTP or Certificate
- Host Check: Enabled – Any AV, PFW
- Access: Core + Network Connect
- Applications: L3 Access to Apps
SEAMLESS AAA INTEGRATION
Full Integration into customer AAA infrastructure
- AD, LDAP, RADIUS, RSA SecurID, Certificate, etc.
- Use of group membership and attributes for authorization/role mapping
Password Management Integration
- Users can manage their AD/LDAP passwords through SSL VPN
Single Sign-On Capabilities
- Seamless user experience for web applications
- Forms, Header, SAML, Cookie, Basic Auth, NTLM v1/v2, Kerberos
- SAML Support – Web single sign-on, integration with I&AM platforms
AGENDA (section 4): End-to-End Security
ENDPOINT SECURITY: HOST CHECKER
- Support for hundreds of leading third-party applications: AV, Personal Firewall, Anti-Spyware, Anti-Malware, Windows patch checks, machine certificate checks, plus custom policy definition
- Devices automatically learn latest signature versions from AV vendors
- Check for AV installation, real-time protection status, definition file age
- Varied remediation options to meet customer needs
- Trusted Network Connect (TNC) architecture for seamless integration with all TNC compliant endpoint security products/vendors
- Leverage existing endpoint security application deployments
Antispyware Support with Enhanced Endpoint Security (EES) Functionality
- Antispyware integrated from Webroot, the market leader in antispyware solutions
Secure Virtual Workspace
- Creates a protected virtual system for an untrusted machine
Cache Cleaner
- Removes browser contents/history at the conclusion of the user session
Host Checker
- Check devices before & during session
- Ensure device compliance with corporate policy
- Remediate devices when needed
- Cross platform support
[Diagram: three endpoints connecting to the SA Series]
Home PC User: No Anti-Virus Installed; Personal Firewall enabled; user remediates by installing anti-virus; once installed, user granted access
Airport Kiosk User: No anti-virus installed; No personal firewall; user granted minimal access
Corporate PC User: AV Real-Time Protection running; Personal Firewall Enabled; Virus Definitions Up To Date; user granted full access
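The four-step pipeline on the Access Privilege Management slide (pre-authentication, authentication and role mapping, role assignment, resource policy) and the three Host Checker outcomes above can be modelled as one small policy engine. The Python below is an added example written for this page; it is not Juniper code and not SA Series configuration syntax. The posture attribute names, the role names, the rule ordering (the most privileged role needs the strongest evidence: certificate authentication plus a machine certificate plus a passing host check) and the behaviour on a recurring host check failure (the endpoint is re-mapped to whatever role it still qualifies for) are constructed assumptions, as are the three endpoint scenarios.

```python
"""Toy model of the SA Series access privilege flow (added example, not Juniper code)."""
from dataclasses import dataclass
from typing import Optional

# Assumption: which device types get the "Host Check: N/A" treatment.
MOBILE_DEVICE_TYPES = {"Win Mobile 6.0"}


@dataclass(frozen=True)
class Endpoint:
    """Posture gathered during pre-authentication (constructed attribute names)."""
    device_type: str
    av_realtime: bool             # AV real-time protection running
    av_definitions_current: bool  # virus definitions up to date
    personal_firewall: bool
    machine_cert: bool


@dataclass(frozen=True)
class Session:
    """Session properties plus resource policy assigned to one role."""
    role: str
    access_methods: tuple
    file_access: bool
    timeout_minutes: int
    recurring_host_check: bool
    secure_virtual_workspace: bool
    applications: tuple


# Role -> session properties and applications, transcribed from the slide.
ROLE_POLICY = {
    "Managed": Session("Managed", ("Network Connect",), True, 120, True, False,
                       ("Outlook (full version)", "CRM Client/Server", "Intranet",
                        "Corp File Servers", "Sharepoint")),
    "Unmanaged": Session("Unmanaged", ("Core",), False, 30, True, True,
                         ("Outlook Web Access (no file up/download)",
                          "CRM Web (read-only)", "Intranet")),
    "Mobile": Session("Mobile", ("WSAM", "Core"), True, 30, False, False,
                      ("Outlook Mobile", "CRM Web", "Intranet", "Corp File Servers")),
}


def host_check(ep: Endpoint) -> Optional[bool]:
    """Host Checker verdict: None means not applicable (mobile device)."""
    if ep.device_type in MOBILE_DEVICE_TYPES:
        return None
    return ep.av_realtime and ep.av_definitions_current and ep.personal_firewall


def map_role(auth_method: str, ep: Endpoint) -> str:
    """Authentication & authorization step: map user plus posture to one role.
    Rules run most-privileged first and each needs positive evidence; an
    endpoint that proves nothing lands in the least-privileged role."""
    if auth_method not in ("certificate", "ad_password"):
        raise PermissionError("authentication failed")
    if auth_method == "certificate" and ep.device_type in MOBILE_DEVICE_TYPES:
        return "Mobile"
    if auth_method == "certificate" and ep.machine_cert and host_check(ep) is True:
        return "Managed"
    return "Unmanaged"


def evaluate(auth_method: str, ep: Endpoint) -> Session:
    """Whole pipeline: returns the session the user actually gets."""
    return ROLE_POLICY[map_role(auth_method, ep)]


def recurring_check(session: Session, auth_method: str, ep: Endpoint) -> Session:
    """Host Checker 'during session' re-check. Assumed behaviour: posture is
    re-evaluated, so a Managed laptop whose AV stops drops to Unmanaged
    instead of keeping its Layer-3 tunnel."""
    if not session.recurring_host_check:
        return session
    return evaluate(auth_method, ep)


def remediation_outcome(ep: Endpoint) -> str:
    """The three outcomes on the Host Checker slide (stale definitions are
    treated like missing AV, an assumed generalization)."""
    if host_check(ep):
        return "full access"
    if ep.personal_firewall and not (ep.av_realtime and ep.av_definitions_current):
        return "remediate anti-virus, then grant access"
    return "minimal access"


if __name__ == "__main__":
    scenarios = [  # constructed: managed laptop, home Mac, Windows Mobile handset
        ("certificate", Endpoint("Win XP", True, True, True, True)),
        ("ad_password", Endpoint("Mac OS", False, False, False, False)),
        ("certificate", Endpoint("Win Mobile 6.0", False, False, False, False)),
    ]
    for auth, ep in scenarios:
        s = evaluate(auth, ep)
        print(f"{ep.device_type:15} host_check={host_check(ep)!s:5} -> {s.role}: "
              f"{s.access_methods}, timeout={s.timeout_minutes}m, apps={s.applications}")
```

The point of `map_role` is that privilege is granted on evidence and withheld by default: certificate authentication alone does not reach the Managed role without the machine certificate and a passing host check, and the recurring check means the decision is not frozen at login.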
ANTISPYWARE SUPPORT WITH ENHANCED ENDPOINT SECURITY (EES) FUNCTIONALITY
- The number of newly discovered malicious programs is growing
- Contaminated endpoints cost enterprises time, money, and productivity to quarantine and remediate
- Addressing growth in malware, SA and UAC now dynamically download antispyware/antimalware software to endpoints, regardless of user or location
- Antispyware integrated from Webroot, the market leader in antispyware solutions
- The number of simultaneous endpoints that can use the feature depends on the optional subscription license ordered
Customer Benefits:
- Ensure only healthy devices are granted network access
- Protect corporate resources from infected endpoints
- Real time shield is always on with memory scan and virus signatures
- Save IT time and money from correcting individual endpoints; decrease user downtime that affects productivity
[Diagram: antispyware/antimalware software dynamically provisioned to the endpoints of a road warrior, partner or employee through the SA Series or UAC Series, keeping malware away from data & applications]
UAC-SA FEDERATION DIAGRAM
[Diagram: Remote User over the Internet to the SA Series SSL VPN; LAN User at Campus HQ (wired/wireless, L2 switch); Data Center applications behind an ISG Series with IDP; IC Series UAC Appliance as the policy server]
1) Remote user logs into SSL VPN; SSL VPN provisions remote access sessions
2) SSL VPN talks to IC to let IC know of the user session and roles provisioned
3) IC provisions access control rules on UAC enforcement points
4) User accesses resources protected by UAC with a single login
- Consistent policies for remote and LAN access
- Policy servers that can share knowledge of users for intelligent provisioning of access inside the network
JUNIPER’S COORDINATED THREAT CONTROL
[Diagram: Partner and Employee traffic, tunneled or intermediated, passes from the Internet through the SA Series and IDP to the LAN]
1 - IDP detects threat and stops traffic
2 - Signaling protocol to notify SSL VPN of attack
3 - SA identifies user & takes action on user session
Correlated Threat Information
- Identity
- Endpoint
- Access history
- Detailed traffic & threat information
Coordinated Identity-Based Threat Response
- Manual or automatic response
- Response options: terminate session, disable user account, quarantine user
- Supplements IDP threat prevention
Comprehensive Threat Detection and Prevention
- Ability to detect and prevent malicious traffic
- Full layer 2-7 visibility into all traffic
- True end-to-end security
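The three numbered steps describe a detect, signal, act loop whose value lies in step 3: the IDP sees only a source address, while the SA can tie that address to an authenticated user and act on the session. The Python below is an added illustration written for this page, not Juniper code and not the real IDP/SA signaling protocol; it models the SA side, correlating an alert's source address against a session table and applying the response options the slide lists. The alert fields, the session table, the severity-to-action policy and every address and signature name are constructed assumptions.

```python
"""Toy model of the SA side of Coordinated Threat Control (added example, not Juniper code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class VpnSession:
    """One SSL VPN session; assigned_ip is the address the IDP would see."""
    session_id: str
    username: str
    role: str
    assigned_ip: str
    active: bool = True


@dataclass(frozen=True)
class IdpAlert:
    """Constructed stand-in for the signal sent by the IDP in step 2."""
    source_ip: str
    severity: str    # "low" | "medium" | "high" | "critical"
    signature: str


# Constructed severity-to-action policy. "manual" logs the correlated event
# and leaves the decision to an administrator; the other three are the
# automatic response options named on the slide.
DEFAULT_POLICY = {"low": "manual", "medium": "quarantine",
                  "high": "terminate", "critical": "disable_account"}


@dataclass
class SaController:
    sessions: Dict[str, VpnSession]                       # keyed by assigned_ip
    policy: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_POLICY))
    disabled_accounts: Set[str] = field(default_factory=set)
    quarantined: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)

    def handle_alert(self, alert: IdpAlert) -> str:
        """Step 3: identify the user behind the address and act on the session."""
        sess = self.sessions.get(alert.source_ip)
        if sess is None or not sess.active:
            self.audit.append(f"{alert.signature} from {alert.source_ip}: no active SA session")
            return "no_session"
        action = self.policy.get(alert.severity, "manual")  # unknown severity -> human decides
        if action == "quarantine":
            self.quarantined.add(sess.username)
        elif action == "terminate":
            sess.active = False
        elif action == "disable_account":
            sess.active = False
            self.disabled_accounts.add(sess.username)
        # The correlated record carries identity and role, which the IDP alone lacks.
        self.audit.append(f"{alert.signature} from {alert.source_ip} -> "
                          f"{sess.username} ({sess.role}, {sess.session_id}): {action}")
        return action

    def login_allowed(self, username: str) -> bool:
        """A disabled account stays out until an administrator re-enables it."""
        return username not in self.disabled_accounts


def build_demo_controller() -> SaController:
    """Constructed session table: two users with tunnel addresses."""
    sessions = {
        "10.200.0.15": VpnSession("s-101", "alice", "Employee", "10.200.0.15"),
        "10.200.0.42": VpnSession("s-102", "bob", "Partner", "10.200.0.42"),
    }
    return SaController(sessions=sessions)


if __name__ == "__main__":
    ctl = build_demo_controller()
    for alert in (IdpAlert("10.200.0.42", "critical", "CONSTRUCTED-SIG-1"),
                  IdpAlert("10.200.0.15", "low", "CONSTRUCTED-SIG-2"),
                  IdpAlert("192.0.2.9", "high", "CONSTRUCTED-SIG-3")):
        print(alert.source_ip, "->", ctl.handle_alert(alert))
    print("\n".join(ctl.audit))
```

Two details matter for a deployment built on this pattern: the session table must be keyed by the address the IDP actually observes (the tunnel or intermediation address, not the user's public IP), and an alert that matches no active session should still be logged, since that mismatch is itself worth an analyst's attention.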
JUNOS PULSE
Dynamically provisioned software client for:
- Remote access
- Enterprise LAN access control
- WAN acceleration
- Dynamic VPN (for SRX)
Easy-to-use, intuitive user experience
Location aware with dynamic session migration
Identity-enabled
Standards-based
Integration platform for select 3rd party applications (e.g. Webroot antimalware)
Builds on Juniper’s market leading SA Series SSL VPN, UAC solution, and WXC technology!
JUNIPER NETWORKS ICE FOR BUSINESS CONTINUITY
Juniper Networks ICE delivers
- Proven market-leading SSL VPN
- Easy deployments
- Instant activation
- Investment protection
- Affordable risk protection
[Chart: Number of Remote Users vs. Time, showing average usage, an unplanned event and the resulting peak demand]
What will you do when your non-remote users need access?
Meeting the peak in demand for remote access in the event of a disaster
AGENDA (section 5): Secure Meeting
SECURE MEETING: INSTANT COLLABORATION/REMOTE HELPDESK
Easy to Use Web Conferencing
- Share desktop/applications
- Group and private chat
Easy to Deploy and Maintain
- No pre-installed software required
- Web-based, cross platform
- Personalized meeting URLs for users, e.g. https://meeting.company.com/meeting/johndoe
Affordable – No usage/service fees
Secure
- Fully encrypted/secured traffic using SSL
- No peer-to-peer backdoor
- User credentials protected
Remote Helpdesk Functionality
- Automatic desktop sharing/remote control request
- Instant or scheduled online collaboration
AGENDA (section 6): Hardware, Management and High Availability
JUNIPER SSL VPN PRODUCT FAMILY: FUNCTIONALITY AND SCALABILITY TO MEET CUSTOMER NEEDS
[Chart: Breadth of Functionality vs. Enterprise Size, positioning the four models]
Secure Access 700
- Designed for: SMEs; secure remote access
- Includes: Network Connect
- Options/upgrades: 10-25 conc. users; Core Clientless Access; Network & Security Manager (NSM)
Secure Access 2500
- Designed for: Medium enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC
- Options/upgrades: 25-100 conc. users; Secure Meeting; Cluster Pairs; EES; NSM
Secure Access 4500
- Designed for: Medium to large enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC
- Options/upgrades: 50-1000 conc. users; Secure Meeting; Instant Virtual System; SSL Acceleration; Cluster Pairs; EES; NSM
Secure Access 6500
- Designed for: Large enterprises & SPs; secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC, SSL acceleration, hot swap drives, fans
- Options/upgrades: Up to 30K conc. users; Secure Meeting; Instant Virtual System; 4-port SFP card; 2nd power supply or DC power supply; Multi-Unit Clusters; EES; NSM
All models are now Common Criteria EAL3+ certified: http://www.dsd.gov.au/infosec/evaluation_services/epl/network_security/juniper_networks_SAF.html
SECURE ACCESS FEATURES
- Secure Meeting License
- High Availability License: Active-Passive or Active-Active support; stateful session failover
- Enhanced Endpoint Security (EES) License
- Advanced troubleshooting tools for quick issue resolution: policy trace, session recording, system snapshot, etc.
- Granular role-based administration
- Detailed logging and log filtering
- Config import/export; configuration backup/archiving
- FIPS certified product available
USEFUL LINKS
What’s New (new features in the respective release): http://www.juniper.net/techpubs/software/ive/releasenotes/6.5-whats_new.pdf
Supported Platforms: http://www.juniper.net/techpubs/software/ive/releasenotes/SA-SupportedPlatforms-65.pdf
Client Side Changes: http://www.juniper.net/techpubs/software/ive/admin/6.5-ClientSideChanges.pdf
WHY JUNIPER FOR SSL VPN?
Core Competence in SSL-based Access
- Proven in tens of thousands of customer deployments!
- Market leadership/industry awards
- Product maturity
Single Platform for All Enterprise Remote Access Needs
- Support for complex Web content, Files, Telnet/SSH using only a browser
- Client/Server applications
- Adaptive dual transport method for network-layer access
End-to-End Security
- Robust host checking capabilities
- Dynamic Access Privilege Management
- 3rd party security audits
Performance, Scalability & HA
- Differentiated hardware platforms
- Global & local stateful clustering
- Compression, SSL acceleration, GBIC connectors, dual hot-swappable hard disks, power supplies, and fans
Ease of Administration
- Centralized management
- Granular role-based delegation
- Extensive integration with existing directories
- Native automatic endpoint remediation and password management integration