SA Series SSL VPN Appliances Product Line Presentation
AGENDA • SSL VPN Market Overview • SSL VPN Use Cases • Access Control and AAA • End-to-End Security • Junos Pulse • Secure Meeting • Business Continuity with SSL VPN • Hardware, Management and High Availability
Business Challenge: Grant Access vs. Enforce Security
Maximize productivity with access...
• Allow partner access to applications (extranet portal)
• Increase employee productivity by providing anytime, anywhere access (intranet, e-mail, terminal services)
• Customize experience and access for diverse user groups (partners, suppliers, employees)
• Enable provisional workers (contractors, outsourcing)
• Support a myriad of devices (smartphones, laptops, kiosks)
...while enforcing strict security
• Allow access only to the applications and resources that particular users need
• Mitigate risks from unmanaged endpoints
• Enforce consistent security policy
...and the solution must achieve positive ROI
• Minimize initial CAPEX
• Lower ongoing administrative and support OPEX
The Solution: Juniper Networks SA Series SSL VPN Appliances
• Secure SSL access for remote users from any device or location
• Easy access from web browsers; no client software to manage
• Dynamic, granular access control to manage users and resources
• Single comprehensive solution for accessing various application types from the various devices available
(Diagram: an SA6500 serving a mobile user in a cafe, a VoIP teleworker, a business partner or customer, a wireless user and an airport kiosk user)
Juniper Networks SSL VPN Market Leadership
• Juniper maintains the #1 market share position worldwide
• Leader since the inception of the SSL VPN product category
Source: 3Q10 Infonetics Research, Network Security Appliances and Software Report
Analyst Praise & Recognition
Gartner Magic Quadrant for SSL VPN: 2008 and 2010 editions. 2010 Magic Quadrant key takeaways:
• “Juniper has maintained the product vision, execution and overall momentum so effectively that it has held a Magic Quadrant leadership position continuously …”
• “…entrenched in the Fortune 500 with a track record for large deployments.”
• “Juniper is the No. 1 competitive threat cited by peer vendors…”
• “Junos Pulse…is expected to pose a strong competitive advantage for Juniper SSL VPN sales.”
http://www.gartner.com/technology/media-products/reprints/juniper/vol6/article7/article7.html
Source: Gartner (December 2010)
Juniper SA SSL VPN Recognition & Awards
Award winning, third-party certified and market leading: market share leader and proven solution with over 30,000 customers
Serving Enterprises and Service Providers
(Customer logo slide, split into enterprise and service provider customers)
SSL VPN Use Cases
#1 - Remote Access at Lower Operating Costs
(Diagram: employees with corporate laptops, mobile devices and home PCs reach the corporate intranet, e-mail server and applications server through the Internet, a router, a firewall and an SA6500)
Increased productivity
• Anytime, anywhere access from any device
• No endpoint software to install or manage for clientless (Core) access; the WSAM, JSAM and Network Connect components are delivered from the appliance when needed
• Easy access from common browsers
Increased security
• Encrypted access to corporate resources
• Granular access control
• Comprehensive endpoint security enforcement
#2 - Extranet Portals with Greater Security
(Diagram: suppliers, customers and partners reach client/server and web applications on the corporate intranet through the Internet, a router, a firewall and an SA6500)
Administrative ease of use
• Easier management of authorized users
• No client software forced onto external users
• Access from any web-enabled device
Enforcement of corporate security policies
• Granular access to selected applications or resources
• Endpoint security checked before access is granted
• No administrative burden of managing users’ devices
#3 – Business Continuity in Case of Emergencies
(Diagram: employees, partners and customers reach the applications server, e-mail server and web applications on the corporate intranet through the Internet, a router, a firewall and an SA6500)
Unplanned events that could affect business continuity: hurricane, snowstorm, strike, virus outbreak, terrorist attack
Continued business operations
• High remote access demand during an emergency
• Simple scaling to the increased demand
• Sustained access for partners and customers
Increased productivity
• Users can work from home or any location
• Helps keep employees safe
• Minimized downtime
#4 – Mobile Device Access
(Diagram: an iPhone reaches the e-mail server and applications server on the corporate intranet through the Internet, a router, a firewall and an SA6500)
Improved ease of use, higher productivity
• Access from any mobile device
• ActiveSync provides secure access to Exchange
• Mobile device integrity and security are enforced
Access Control and AAA
Dynamic Access Methods by Purpose
Different access methods control users’ access to resources; the choice is made dynamically based on user, device, network, etc.
• Granular web application access control (Core, clientless)
• Granular client/server application access control (Secure Application Manager)
• Layer 3 access to the corporate network (Network Connect or Junos Pulse)
Clientless Access Method: Core Access
• Broad set of supported platforms and browsers
Secure, easy web application access
• Pre-defined resource policies for SharePoint, Lotus Webmail, etc.
• Support for Flash, Java applets, HTML, JavaScript, DHTML, XML, etc.
• Support for hosting and delivering any Java applet
Secure file share access
• Web front-end for Windows and Unix files (CIFS/NFS)
Integrated e-mail client
Secure terminal access
• Access to Telnet/SSH (VT100, VT320, ...)
• Anywhere access with no terminal emulation client
Secure Application Manager
• Full cross-platform support in both Windows (WSAM) and Java (JSAM) versions
• Granular access control policies for client/server applications
• Access to applications without provisioning a full Layer 3 tunnel
• Avoids the cost, complexity and security risks of full-tunnel IPsec VPNs
• No additional software/hardware or customization of existing applications
WSAM – secures traffic to specific client/server applications
• Supports Windows Mobile/PPC in addition to all Windows platforms
• Granular access and auditing/logging capabilities
• Installer Service available for machines where users have constrained privileges
JSAM – supports static-TCP-port client/server applications
• Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
• Drive mapping through NetBIOS support
• Installs without elevated user privileges
Layer 3 Access Method: Junos Pulse or Network Connect
• Full Layer 3 access to the corporate network
• Dynamic, dual transport mode: the high-performance transport (IPsec) is tried first, and the client dynamically falls back to SSL (the high-availability transport) when IPsec is blocked in the network
• Cross-platform dynamic download (ActiveX or Java delivery)
• Launch options include browser-based, standalone EXE, scriptable launcher and Microsoft GINA
• Client-side logging, auditing and diagnostics available
Access Methods: Terminal Services
• Seamless, secure access to any Citrix or Windows Terminal Services deployment
• Traffic intermediated via native TS support, WSAM, JSAM, Network Connect or a hosted Java applet
• Replacement for Citrix Web Interface/NFuse
• Native TS support, granular use control, secure client delivery, integrated single sign-on, Java RDP/JICA fallback
• WTS: Session Directory support; Citrix: auto-client reconnect and session reliability
• High-quality Java RDP applet support available
• Many additional reliability, usability and access control options
Access Methods: Virtual Desktop Infrastructure (VDI)
(Diagram: a remote/mobile user reaches VMware VDI and Citrix XenDesktop desktops, the apps servers and a finance server through the SA Series, with AAA performed at the SA)
• The SA interoperates with VMware View Manager and Citrix XenDesktop so administrators can consolidate and deploy virtual desktops through the SA
• IT administrators configure centralized remote access policies for users who access their virtual desktops
• Dynamic delivery of the Citrix ICA client or VMware View client to users, including dynamic client fallback options
Benefits:
• Seamless access (single sign-on) for remote users to their virtual desktops hosted on VMware or Citrix servers
• Saves users time and improves the experience of reaching a virtual desktop
Access Privilege Management: 1 user, 1 URL, 3 devices and locations
The same user, signing in at the same URL, is handled in four stages:
• Pre-authentication: gathers information from the user, network and endpoint
• Authentication & authorization: authenticates the user and maps the user to a role
• Role assignment: assigns session properties for the user role
• Resource policy: determines the applications available to the user
Managed laptop
• Pre-authentication: Host Check pass (AV real-time protection on, definitions up to date); machine certificate present; device type Win XP
• Authentication: digital certificate; role mapping: Managed
• Role session properties: access method Network Connect; file access enabled; timeout 2 hours; Host Check recurring
• Resources: Outlook (full version), CRM client/server, intranet, corporate file servers, SharePoint
Unmanaged device (home PC/kiosk)
• Pre-authentication: Host Check fail (no AV installed, no personal firewall); machine certificate none; device type Mac OS
• Authentication: AD username/password; role mapping: Unmanaged
• Role session properties: access method Core; Secure Virtual Workspace enabled; file access disabled; timeout 30 minutes; Host Check recurring
• Resources: Outlook Web Access (no file upload/download), CRM Web (read-only), intranet
Mobile device
• Pre-authentication: Host Check N/A; machine certificate none; device type Windows Mobile 6.0
• Authentication: digital certificate; role mapping: Mobile
• Role session properties: access methods WSAM and Core; file access enabled; timeout 30 minutes
• Resources: Outlook Mobile, CRM Web, intranet, corporate file servers
Note that the Mobile role is granted without a posture check, so the user certificate is the only device control on that path.
One Device for Multiple Groups: customize policies and user experience for diverse users
A single SA Series appliance hosts several sign-in URLs, each mapped to its own role:
• partners.company.com → “Partner” role
• employees.company.com → “Employee” role
• customers.company.com → “Customer” role
Seamless AAA Integration
Full integration into the customer’s AAA infrastructure
• AD, LDAP, RADIUS, certificate, OTP, etc.
Password management integration
• User self-service for password management
• Reduced support costs, increased productivity
• All standard LDAP, MSFT AD
Single sign-on capabilities
• Seamless user experience for web applications
• Forms, header, SAML, cookie, Basic Auth, NTLM v1/v2, Kerberos (NTLM v1 is the weakest of these; prefer Kerberos or NTLMv2 wherever the back end supports them)
SAML support – web single sign-on, integration with identity and access management (I&AM) platforms
• Standards-based web SSO
• Partnerships with leading access management vendors (CA, Oracle, RSA, etc.)
Kerberos Constrained Delegation & SSO
(Diagram: remote user → SA SSL VPN → Active Directory / authentication manager → applications)
• Step 1: the user logs in with Core Access
• Step 2: the SA authenticates the user
• Step 3: the user tries to access an application protected by KCD
• Step 4: the SA presents authentication credentials to AD on behalf of the user to obtain a Kerberos ticket
• Step 5: the SA enables SSO to the back-end applications
Single sign-on to back-end apps using Core Access: NTLMv2 and Kerberos SSO
Premier Java RDP Applet
(Diagram: remote user → Internet → SA Series → RDP applet → Windows Terminal Servers; multiple-monitor support with the RDP applet)
• Delivers quality Java applet support for remote desktop connections
• Partnered with Hobsoft to offer it as an embedded feature of SA SSL VPN
• Integrated licensing for simple administrative deployments
• Multiple-monitor support
• Enterprise-class features
• No admin rights required
• Cross-platform support (Windows, Mac, Linux)
• Single-source Juniper (JTAC) support
• All SA SSL VPNs ship with a 2-concurrent-user license; additional users can be bought with subscription licenses
End-to-End Security
Host Checker: Assessing the Endpoint
• Checks devices before and during the session
• Ensures device compliance with corporate policy
• Remediates devices when needed
• Cross-platform support
Policy definition
• Point-and-click policy configuration with support for hundreds of leading applications: AV, personal firewall, anti-spyware, anti-malware, Windows patch checks, machine certificate checks
• Custom policy definition for maximum flexibility
• Scans prior to and during authenticated sessions
• Embedded update mechanism to add new applications with no software upgrade
• Devices automatically learn the latest signature versions from AV vendors
• Checks for AV installation, real-time protection status and definition file age
Remediation
• Varied remediation options to meet customer needs: custom/standard remediation, automatic remediation, quarantine, Secure Virtual Workspace, 3rd-party policy remediation, etc.
• Trusted Network Connect (TNC) architecture for integration with TNC-compliant endpoint security products/vendors
• Leverages existing endpoint security application deployments
• HC policies similar to Juniper’s UAC offering, for common endpoint security across local and remote access deployments
Example outcomes
• Home PC user: no anti-virus installed, personal firewall enabled → user remediates by installing anti-virus; once installed, the user is granted access
• Airport kiosk user: no anti-virus installed, no personal firewall → user granted minimal access
• Corporate PC user: AV real-time protection running, personal firewall enabled, virus definitions up to date → user granted full access
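The four-stage flow on the “Access Privilege Management” slide and the three Host Checker outcomes above, modelled as an added example in Python. This is not Juniper’s code or configuration: the role names, session values and endpoint scenarios are taken from the slides, while the seven-day definition age limit, the rule that a device with a personal firewall is one the user can remediate, and the refusal of password-only mobile sign-in are assumptions of this example.

```python
# Added illustration of pre-authentication posture -> host check -> role mapping
# -> session properties. NOT Juniper code; thresholds and the remediation rule
# are assumptions of this example, role/session values come from the slides.
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_DEF_AGE = timedelta(days=7)   # assumption: slides only say "definition file age"
TODAY = date(2011, 3, 1)          # constructed evaluation date for the samples


@dataclass
class Endpoint:
    """What pre-authentication learns about the device and how the user signed in."""
    device_type: str                     # "Win XP", "Mac OS", "Win Mobile 6.0"
    auth: str                            # "certificate" or "password" (AD)
    machine_cert: bool = False
    av_installed: bool = False
    av_rtp_on: bool = False
    av_defs_date: Optional[date] = None  # date of the AV definition file
    personal_fw: bool = False


@dataclass
class Session:
    """Session properties and resources of a role (values from the slide)."""
    role: str
    access_methods: Tuple[str, ...]
    file_access: bool
    timeout_min: int
    host_check: str                      # "recurring" or "N/A"
    svw: bool                            # Secure Virtual Workspace enforced
    resources: Tuple[str, ...]


@dataclass
class Decision:
    outcome: str                         # "allow", "remediate" or "deny"
    session: Optional[Session] = None
    findings: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


ROLE_SESSIONS = {
    "Managed": Session("Managed", ("Network Connect",), True, 120, "recurring", False,
                       ("Outlook (full)", "CRM client/server", "Intranet",
                        "Corp file servers", "SharePoint")),
    "Unmanaged": Session("Unmanaged", ("Core",), False, 30, "recurring", True,
                         ("Outlook Web Access (no file up/download)",
                          "CRM Web (read-only)", "Intranet")),
    "Mobile": Session("Mobile", ("WSAM", "Core"), True, 30, "N/A", False,
                      ("Outlook Mobile", "CRM Web", "Intranet", "Corp file servers")),
}

# Findings a user can fix on a device they control, with the instruction shown.
REMEDIATION = {
    "no anti-virus installed": "install anti-virus",
    "AV real-time protection off": "enable AV real-time protection",
    "AV definitions out of date": "update AV definitions",
}


def host_check(ep: Endpoint, today: date) -> List[str]:
    """Evaluate the posture policy; an empty list means the check passed."""
    findings = []
    if not ep.av_installed:
        findings.append("no anti-virus installed")
    else:
        if not ep.av_rtp_on:
            findings.append("AV real-time protection off")
        if ep.av_defs_date is None or today - ep.av_defs_date > MAX_DEF_AGE:
            findings.append("AV definitions out of date")
    if not ep.personal_fw:
        findings.append("no personal firewall")
    return findings


def evaluate(ep: Endpoint, today: date = TODAY) -> Decision:
    """Map an endpoint to a role and session, or send the user to remediation."""
    # Mobile devices get no Host Checker on the slide: the certificate is the only
    # device control, so password-only mobile sign-in is refused here (assumption).
    if ep.device_type.startswith("Win Mobile"):
        if ep.auth != "certificate":
            return Decision("deny", findings=["mobile access requires certificate auth"])
        return Decision("allow", ROLE_SESSIONS["Mobile"])

    findings = host_check(ep, today)
    managed = ep.auth == "certificate" and ep.machine_cert
    if not findings:
        return Decision("allow", ROLE_SESSIONS["Managed" if managed else "Unmanaged"])

    # Home-PC case: AV problems the user can fix. A present personal firewall is
    # used as the (assumed) signal that the user controls the device.
    fixable = [REMEDIATION[f] for f in findings if f in REMEDIATION]
    if fixable and ep.personal_fw:
        return Decision("remediate", findings=findings, remediation=fixable)

    # Kiosk case: nothing to fix, so minimal access inside the Secure Virtual Workspace.
    return Decision("allow", ROLE_SESSIONS["Unmanaged"], findings=findings)


def after_remediation(ep: Endpoint, today: date = TODAY) -> Endpoint:
    """Simulate the user completing remediation before the recurring re-check."""
    return replace(ep, av_installed=True, av_rtp_on=True, av_defs_date=today)


# Constructed sample endpoints matching the scenarios on the slides.
CORPORATE_PC = Endpoint("Win XP", "certificate", machine_cert=True, av_installed=True,
                        av_rtp_on=True, av_defs_date=date(2011, 2, 28), personal_fw=True)
STALE_CORPORATE_PC = replace(CORPORATE_PC, av_defs_date=date(2011, 1, 1))
HOME_PC = Endpoint("Win XP", "password", personal_fw=True)
KIOSK = Endpoint("Mac OS", "password")
MOBILE = Endpoint("Win Mobile 6.0", "certificate")

if __name__ == "__main__":
    samples = [("corporate PC", CORPORATE_PC), ("stale corporate PC", STALE_CORPORATE_PC),
               ("home PC", HOME_PC), ("home PC (fixed)", after_remediation(HOME_PC)),
               ("kiosk", KIOSK), ("mobile", MOBILE)]
    for name, ep in samples:
        d = evaluate(ep)
        role = d.session.role if d.session else "-"
        print(f"{name:20s} {d.outcome:9s} role={role:9s} {d.findings} {d.remediation}")
```

Running the block prints one decision per sample. The recurring host check is modelled by calling evaluate() again on after_remediation(); in a real deployment the role mapping rules, not the device's own claims, should decide which findings are remediable.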
Endpoint Security – Secure Virtual Workspace (SVW), designed and optimized for insecure kiosks
• Shreds workspace data when the session ends on the kiosk
• Prevents desktop search software from intercepting or indexing secure web traffic
• Comprehensive protection of company resources when accessed from low-security devices, as determined by Host Checker
How it works
• Delivered via Host Checker (Java/ActiveX); Windows 2000/XP systems, runs with user privileges
• Admin-specified application access; controlled I/O access; configurable look and feel
• Clipboard operations blocked from the SVW to the real desktop; limited/blocked I/O access from the SVW
• Session data encrypted on the fly (AES) in a virtual file system kept apart from the real file system
• End of session: secure delete (DoD cleaning/sanitizing standard compliant) or password-protected persistent session (encrypted)
System Security
• “Security first” approach to development
• Hardened OS based on a Linux variant
• Protection against many known attacks
• AES-encrypted hard disk on every appliance
• In-transit data protection
• Data trapping
• URL obfuscation
• Numerous 3rd-party security audits
• Juniper Security Incident Response Team (SIRT) to quickly investigate any potential vulnerabilities
Junos Pulse
Junos Pulse (for Windows)
• Dynamically provisioned client for connectivity, security and acceleration
• Support for desktops, notebooks and netbooks
• Location aware and identity enabled
• Standards based
• Platform for select third-party applications
• Builds on Juniper’s market-leading SA Series SSL VPN, UAC solution and WXC Series technology
Secure Access from Mobile Devices
Junos Pulse for mobile devices enables smartphone and mobile device access to e-mail, web and corporate applications
(Diagram: e-mail, web apps and corporate apps; more applications on more devices over time)
Junos Pulse Mobile Security Suite
Comprehensive smartphone device management and security solution
• Antivirus
• Firewall
• Anti-spam
• Loss/theft protection
• Device monitoring/control
• Sold with SA Series SSL VPN or as a standalone product
• Requires the Junos Pulse Mobile Security Gateway (secure, hosted deployment)
Secure Meeting
Secure Meeting: Instant Online Collaboration
Instant or scheduled online collaboration
Easy to use web conferencing
• Share desktop/applications
• Group and private chat
• No training required
Easy to deploy and maintain
• No pre-installed software required
• Web-based, cross-platform
• Personalized meeting URLs for users, e.g. https://meeting.company.com/meeting/johndoe
• Affordable – no usage/service fees
Secure
• Traffic fully encrypted using SSL
• No peer-to-peer backdoor
• User credentials protected
• Policy flexibility to meet authentication requirements
Secure Meeting: Remote Helpdesk Functionality
(Diagram: the help desk gives remote assistance to an employee through the SA Series, with no software installation on the user’s side)
• Reduce desktop/application support costs by speeding time to issue resolution
• Significant cost savings over phone-based troubleshooting
• Improve helpdesk/technician productivity
• Fast, easy setup with automatic configuration: dynamic client delivery, cross-platform support, automatic desktop sharing/remote control request
• Secure (chatting disabled)
Business Continuity with SSL VPN
Business Continuity Challenges
Disastrous events
• Maintain productivity
• Sustain partnerships
• Continue to deliver exceptional service to customers and partners with online collaboration
• Meet government mandates for disaster recovery and compliance
Types of event
• Pandemic: H1N1 virus, avian/bird flu, SARS
• Natural: earthquakes, hurricanes
• Other: terror attacks, winter storms
• Consequences: social distancing, geographical isolation, quarantines
Recent unplanned events impacting global business: MTA strike in NYC (Dec 05), Asia quake disaster (Dec 04), Pakistani earthquake (Oct 05); more recent examples: volcanic ash event (April ’10), snowstorms in the US (Feb ’10)
Juniper Networks ICE for Business Continuity
Meeting the peak in demand for remote access in the event of a disaster: what will you do when your non-remote users need access?
(Chart: number of remote users over time, rising from average usage to peak demand during an unplanned event)
Juniper Networks ICE delivers:
• Proven market-leading SSL VPN
• Easy deployments
• Instant activation
• Investment protection
• Affordable risk protection
Hardware, Management and High Availability
Juniper SSL VPN Product Family: functionality and scalability to meet customer needs
(Models positioned along two axes, breadth of functionality and enterprise size, from the SA700 to the SA6500)
SA700
• Designed for: SMEs; secure remote access
• Includes: Network Connect
• Options/upgrades: 10-25 concurrent users; Core Clientless Access; Network & Security Manager (NSM)
SA2500
• Designed for: medium enterprise; secure remote, intranet and extranet access
• Includes: Core Clientless Access
• Options/upgrades: 25-100 concurrent users; Secure Meeting; cluster pairs; EES; NSM
SA4500
• Designed for: medium to large enterprise; secure remote, intranet and extranet access
• Includes: Core Clientless Access
• Options/upgrades: 50-1000 concurrent users; Secure Meeting; Instant Virtual System; SSL acceleration; cluster pairs; EES; NSM
SA6500
• Designed for: large enterprises and SPs; secure remote, intranet and extranet access
• Includes: Core Clientless Access; SSL acceleration; hot-swap drives and fans
• Options/upgrades: up to 30K concurrent users; Secure Meeting; Instant Virtual System; 4-port SFP card; 2nd power supply or DC power supply; multi-unit clusters; EES; NSM
All models are Common Criteria EAL3+ certified: http://www.dsd.gov.au/infosec/evaluation_services/epl/network_security/juniper_networks_SAF.html
Clustering/High Availability
Native clustering
• SA2500, SA4500: cluster pairs
• SA6500: multi-unit clusters
Stateful system peering
• System state and configuration settings
• User profile and personalized configuration
• User session synchronization (users do not have to log in again in a failover scenario)
• Active/passive configuration for seamless failover
• Active/active configuration for increased throughput and failover
Enterprise and service provider value
• Ensured reliability of critical access infrastructure
• Seamless failover, no loss of productivity
• Expansive user scalability via replication
• Management efficiency via a central administration interface
User record synchronization
• Synchronization of user records such as bookmarks across distributed, non-clustered SA Series appliances
• Ease of experience for users who often travel from one region to another