Slide 1: Unified Access Control Solution
Javier López – jlopez@juniper.net
Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Slide 2: Agenda
• SSL VPNs Review
• Unified Access Control Solution
• Unified Access Control Scenarios
• Live Demo

Slide 3: SSL VPNs vs. IPSec
[Diagram: employee remote access (home workers), intranet access (mobile workers) and extranet access (sales, business partners, customers) all terminate on an SSL VPN in front of the HR and Finance department servers, the DMZ and the data center; branch offices reach the data center across the Internet over a site-to-site IPSec VPN.]

Slide 4: Typical Custom Extranet Deployment
[Diagram: a software agent and a custom API sit on every web server in the DMZ and on the internal corporate LAN, next to a policy server and the MRP/ERP system.]
Unified access enforcement needs:
• Dynamic authentication policies
• Expressive role definition & mapping rules
• Extensive dynamic resource-based authorization
• Granular auditing & logging
• Single Sign-On (SSO)
• Password management integration
• Multiple hostnames & customizable UI
• Custom endpoint policy enforcement
Deployment requirements of the custom approach:
• Migration of servers into the DMZ
• Duplication of OS/server farms & ongoing patch maintenance
• Hardening & maintenance of public-facing web infrastructure
• Limitation to only those AAA resources that are integrated
• API development for non-Web content

Slide 5: The Secure Access Platform in the Network
[Diagram: telecommuters, sales & service staff, mobile employees and extranet partners (Partner A, Partner B) reach the corporate LAN through the Secure Access platform, which consults the directory store and fronts the intranet/web server, e-mail, server farms, Unix/NFS and MRP/ERP. Legend: encrypted external session vs. standard internal session.]

Slide 6: Three Access Methods for Granular Secure Access
Core (clientless access):
• Web content / links
• Web-based applications
• XML, Flash, Java
• Files (webified)
• Telnet / SSH terminal emulation
Secure Application Manager (JSAM and WSAM):
• TCP-based client/server application access
• JSAM: Java applet, cross-platform
• WSAM: ActiveX control
• Transparently redirects application requests
• Per application (client process)
• Per host (hostname / IP:port range)
• MD5 checksum for application validation
Network Connect (NC):
• Windows 2K/XP/98 and Pocket PC (Win CE)
• Network-layer tunnel
• Virtual adapter
• Static, DHCP and RADIUS-based IP address assignment
• TCP- and UDP-based client/server application access
• Server-initiated applications such as VoIP, X Windows, NetMeeting

Slide 7: Step 3a: Control Access – 1 URL
The same person accesses one URL from three different locations.
1. Pre-authentication: gathers information from the user, the network and the endpoint.
2. Dynamic authentication and role assignment: authenticate the user, map the user to a role, assign session properties for that role.
3. Resource policy: grant access to resources as specified by policy.
From a kiosk: Digital Cert = NO; Source IP = outside; Host Check = failure; Authentication = Strong. Mapped to Field role. Session properties: SAM = No; File = No; Web Download = Yes; Web Upload = No; Timeout = ½ hour; Host Check = Recurring. Resources = CRM Web (read-only), Outlook Web Access.
From the field: Digital Cert = YES; Source IP = outside; Host Check = success; Authentication = Strong. Mapped to Sales role. Session properties: SAM = Yes; File = Yes; Web Download = Yes; Web Upload = Yes; Timeout = 2 hours; Host Check = Recurring. Resources = CRM Client/Server, Exchange.
From the LAN: Digital Cert = YES; Source IP = LAN; Host Check = success; Authentication = PW. Mapped to Office role. Session properties: Network Connect = Yes; Timeout = 12 hours; Host Check = No. Resources = Full network access.

Slide 8: Juniper SSL VPN Product Family: Functionality and Scalability to Meet Customer Needs
(Products are ordered by enterprise size and breadth of functionality.)
Secure Access 700: designed for SMEs, secure remote access. Includes: Network Connect. Options/upgrades: 10-25 concurrent users; Core Clientless Access.
Secure Access 2000: designed for the medium enterprise; secure remote, intranet and extranet access. Includes: Core Clientless Access. Options/upgrades: 25-100 concurrent users; SAM/NC; Secure Meeting; Advanced w/ CM.
Secure Access 4000: designed for the medium to large enterprise; secure remote, intranet and extranet access. Includes: Core Clientless Access. Options/upgrades: 50-1000 concurrent users; SAM/NC; Secure Meeting; Advanced w/ CM; Instant Virtual System; SSL Acceleration; Cluster Pairs.
Secure Access 6000: designed for the large/global enterprise; secure remote, intranet and extranet access. Includes: Core Clientless Access, SSL acceleration. Options/upgrades: 100-2500 concurrent users; SAM/NC; Secure Meeting; Advanced w/ CM; Instant Virtual System; GBIC; Cluster Pairs; Multi-Unit Clusters.

Slide 9: Case #1: Remote Access for Students/Teachers
[Diagram: a mobile user, thousands of teachers' home PCs and tens of thousands of students' home PCs reach the corporate intranet's web farm and web mail farm through the SSL VPN.]
Cost / Scalability / Increased Security:
• Users access from home PCs
• No install, configuration or support
• Only variable cost is authentication
• Unified security layer across servers
• Known, hardened security posture
• Common authentication & authorization policies
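The "Step 3a: Control Access" slide describes a three-step pipeline: pre-authentication collects attributes (certificate, source address, host check, authentication method), a role-mapping step turns them into a role with session properties, and a resource policy grants what that role may reach. The following is an added example, not Juniper's code or the IVE's actual rule syntax, of such a role-mapping engine in Python. It goes a little beyond the slide: each rule lists minimum requirements and the rules are ordered most-privileged first, so contexts other than the three shown (for example a LAN user who also presents strong authentication) get a deterministic answer, and a context that satisfies no rule is denied outright. The role names, session properties and resources are taken from the slide; the rule structure, `AccessContext` fields, the "LAN"/"outside" source classification and the sample users are assumptions.

```python
# Added example (not Juniper's code): a small dynamic role-mapping engine that
# models the "Step 3a: Control Access" slide. Rule ordering, the minimum-
# requirement matching and the data structures are assumptions; the attribute
# names, roles, session properties and resources come from the slide.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessContext:
    """Facts gathered at pre-authentication from user, network and endpoint."""
    username: str
    digital_cert: bool      # valid client certificate presented?
    source_ip: str          # "LAN" or "outside" (classified from the source address)
    host_check_ok: bool     # endpoint assessment passed?
    auth_method: str        # "Strong" (e.g. two-factor) or "PW" (password only)


# Authentication strength ordering used for "at least this strong" checks.
AUTH_STRENGTH = {"PW": 1, "Strong": 2}

# Role-mapping rules, most privileged first; the first rule whose requirements
# are all met wins. A requirement of None means "not required".
ROLE_RULES: List[Dict] = [
    {"role": "Office", "need_cert": True,  "need_source": "LAN",
     "need_host_check": True,  "min_auth": "PW"},
    {"role": "Sales",  "need_cert": True,  "need_source": None,
     "need_host_check": True,  "min_auth": "Strong"},
    {"role": "Field",  "need_cert": False, "need_source": None,
     "need_host_check": False, "min_auth": "Strong"},
]

# Session properties per role (timeouts in minutes: 1/2 h, 2 h, 12 h).
SESSION_PROPERTIES: Dict[str, Dict] = {
    "Field":  {"SAM": False, "File": False, "WebDownload": True, "WebUpload": False,
               "TimeoutMinutes": 30, "HostCheck": "Recurring"},
    "Sales":  {"SAM": True, "File": True, "WebDownload": True, "WebUpload": True,
               "TimeoutMinutes": 120, "HostCheck": "Recurring"},
    "Office": {"NetworkConnect": True, "TimeoutMinutes": 720, "HostCheck": "No"},
}

# Resource policy per role.
RESOURCE_POLICY: Dict[str, List[str]] = {
    "Field":  ["CRM Web (read-only)", "Outlook Web Access"],
    "Sales":  ["CRM Client/Server", "Exchange"],
    "Office": ["Full network access"],
}


def rule_matches(rule: Dict, ctx: AccessContext) -> bool:
    """True when the context satisfies every requirement listed in the rule."""
    if rule["need_cert"] and not ctx.digital_cert:
        return False
    if rule["need_source"] is not None and ctx.source_ip != rule["need_source"]:
        return False
    if rule["need_host_check"] and not ctx.host_check_ok:
        return False
    # Unknown authentication methods count as strength 0 and never satisfy a rule.
    return AUTH_STRENGTH.get(ctx.auth_method, 0) >= AUTH_STRENGTH[rule["min_auth"]]


def map_role(ctx: AccessContext) -> Optional[str]:
    """Dynamic role assignment: the first matching rule, or None (no role)."""
    for rule in ROLE_RULES:
        if rule_matches(rule, ctx):
            return rule["role"]
    return None


def evaluate(ctx: AccessContext) -> Dict:
    """Run the three steps: role mapping, session properties, resource policy.

    A context that maps to no role is denied outright (default deny) rather
    than being handed an empty or "guest" session.
    """
    role = map_role(ctx)
    if role is None:
        return {"decision": "deny", "role": None, "session": {}, "resources": []}
    return {"decision": "permit", "role": role,
            "session": dict(SESSION_PROPERTIES[role]),
            "resources": list(RESOURCE_POLICY[role])}


def is_permitted(ctx: AccessContext, resource: str) -> bool:
    """Resource-policy check for one request; "Full network access" grants all."""
    result = evaluate(ctx)
    if result["decision"] != "permit":
        return False
    return "Full network access" in result["resources"] or resource in result["resources"]


if __name__ == "__main__":
    # Constructed sample contexts mirroring the slide's three locations.
    for ctx in (AccessContext("alice", False, "outside", False, "Strong"),
                AccessContext("alice", True, "outside", True, "Strong"),
                AccessContext("alice", True, "LAN", True, "PW")):
        print(ctx.source_ip, "cert" if ctx.digital_cert else "no cert", "->", evaluate(ctx)["role"])
```

Two design points worth noting. Ordering the rules most-privileged first with minimum requirements means a stronger context never falls into a weaker role by accident, while a weaker context can never satisfy a stronger rule. And the default-deny branch in `evaluate` is what keeps a password-only login from outside with a failed host check out of every role, which is the case the slide does not draw but which a real deployment will see first.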
Slide 10: Case #2: Campus Services Access
[Diagram: School A, School B and School C reach the corporate intranet's Unix/NFS files and ERP application server through the SSL VPN.]
Cost / Scalability / Increased Security:
• Rapidly add/drop partners
• No time-consuming security negotiations
• No CapEx per additional partner
• Group-based authorization policies
• Strong authentication & PKI
• Resource-based logging

Slide 11: Agenda
• SSL VPNs Review
• Unified Access Control Solution
• Unified Access Control Scenarios
• Live Demo

Slide 12: Trend and Business Problem
[Diagram: a remote office, a mobile user, day extenders, LAN users and business partners connect across the WAN and LAN to a data center holding mission-critical apps, file servers, ERP, CRM etc.]
• 11% QoQ increase in new vulnerabilities (Q2 '05, SANS)
• Zotob took 96 hours from patch to full outbreak
• Widely diverse users
• Unmanaged or ill-managed endpoints
• New threats exploit common TCP ports
• "Deadly" network and application-layer threats requiring both host intelligence and network-based enforcement
• Business-critical network assets

Slide 13: How the Enterprise Infranet works
What does it do?
• The Enterprise Infranet couples user identity, network identity and endpoint status with network and endpoint policies.
How does it do it?
• Centralized policy management pushes policy based on user, endpoint, network, etc. to enforcement points throughout the network. Policy management leverages Dynamic Access Privilege Management (proven by the #1 SSL VPN, the IVE).
• The policies are enforced at different points throughout the network (proven by the #1 FW/VPN, ScreenOS).
Slide 14: Unified Access Control Solution: How does it work?
[Diagram: the Infranet Controller (IC) consults AAA servers and identity stores, provisions the Infranet Agent (IA) on endpoints, and pushes policy to the Phase 1 Enforcers in front of protected resources.]
Infranet Controller (IC):
• Access control decision point
• Comprehensive enterprise integration (AAA servers, identity stores)
• Automatically provisions the Infranet Agent (if required)
• Dynamically provisions enforcement policy
• Integrated remediation support
Infranet Agent (IA):
• Host Checker (J.E.D.I)
• Host Enforcer (with firewall policy or optional dynamic MS IPSec enforcement)
• MS Windows Single Sign-On
• Agentless enforcement for Mac and Linux
• IA protects authenticated endpoints from malicious/non-compliant endpoints
Phase 1 Enforcers:
• ScreenOS 5.3-capable enforcers, NetScreen 5GT through NetScreen 5000
• From 90 Mbps to 30 Gbps
• Unified policy enforcement based on identity, endpoint assessment and network

Slide 15: Juniper Networks Infranet Controllers
IC 6000:
• Supports up to 25,000 concurrent endpoints per appliance
• High availability/scalability: multi-unit clusters
• Unique hardware features: hot-swappable, field-upgradeable power supply; field-upgradeable hard disk; hot-swappable fans
IC 4000:
• Supports up to 3000 concurrent endpoints per appliance
• High availability/scalability: cluster pairs
Slide 16: Infranet Agent
• Dynamically provisioned endpoint assessment and policy enforcement agent
• No pre-installed client software
• Lightweight (<1Mb)
• Host Checker (J.E.D.I) for endpoint assessment: native functionality; APIs for leveraging third-party endpoint solutions; pre-login and post-login endpoint assessment for compliance enforcement during the entire user session
• Host Enforcer: dynamic role-based firewall policy; optional dynamic MS IPSec enforcement
• MS Windows Single Sign-On
• Agentless enforcement for Mac and Linux: endpoint assessment but no IPsec

Slide 17: Phase One Infranet Enforcers
• Phase 1 incorporates the Juniper FW/VPN platforms: NetScreen HSC, NetScreen 5 Series, NetScreen 25 & 50, NetScreen 204 & 208, NetScreen 500, NetScreen ISG Series, NetScreen 5200 & 5400
• ScreenOS 5.3 software upgrade required
• 75 Mbps to 30 Gbps for wire-speed policy enforcement in the LAN
• Network security policy enforcement
• DoS protection
• Deep packet inspection
• Anti-virus capabilities
• Content management
• Logging and auditing
• SEM, NSM integration

Slide 18: Enterprise Infranet Service Control Layer Deployment Scenarios
[Diagram: a mobile worker and a business partner run the Enterprise Infranet Agent (IA); the Enterprise Infranet Controller (IC) consults AAA servers and identity stores; Infranet Enforcers (IE) sit at the trusted transport and in front of the data center (mission-critical apps, file servers, ERP, CRM etc).]
1. Endpoint: assess, authenticate, remediate, contain & self-protect (J.E.D.I. APIs, native or 3rd-party host compliance).
2. Trusted transport (IE): self-defense.
3. Authorize, enforce & log.

Slide 19: Agenda
• SSL VPNs Review
• Unified Access Control Solution
• Unified Access Control Scenarios
• Live Demo
Slide 20: Server Front End Deployment Scenario
[Diagram: users reach the data center (mission-critical apps, file servers, ERP, CRM etc) through an Infranet Enforcer (IE) placed directly in front of it, alongside an Enterprise Infranet Controller (IC6000), AAA servers, identity stores and network services (DNS, DHCP).]

Slide 21: WAN Gateway Deployment Scenario
[Diagram: the Infranet Enforcer (IE) sits at the WAN gateway between the users and the data center, alongside an Enterprise Infranet Controller (IC4000), AAA servers, identity stores and network services (DNS, DHCP).]

Slide 22: Distributed Enterprise
[Diagram: a branch office and the corporate office are joined by a site-to-site VPN; each has its own Infranet Enforcer (IE), AAA servers, identity stores and network services (DNS, DHCP); the Enterprise Infranet Controller (IC6000) and the data center (mission-critical apps, file servers, ERP, CRM etc) are at the corporate office.]

Slide 23: Campus – Wired Deployment Scenario
[Diagram: wired campus users reach the data center through a GigE Infranet Enforcer, with an Enterprise Infranet Controller (IC6000), AAA servers and identity stores.]

Slide 24: Campus – Wireless Deployment Scenario
[Diagram: generic access points serve wireless users; Infranet Enforcers (IE) on GigE links sit between the access points and the data center, with an Enterprise Infranet Controller (IC4000), AAA servers and identity stores.]

Slide 25: Agenda
• SSL VPNs Review
• Unified Access Control Solution
• Unified Access Control Scenarios
• Live Demo
Slide 26: Demo Network Architecture
[Diagram: a local auth server, the Infranet Controller (IC-4000), an Infranet Agent (IA) endpoint and a NetScreen 5GT enforcer on the 172.26.60.0/24 network (host addresses shown: .1, .100, .101); a NetScreen NS-25 enforcer at 2.2.2.2; an Untrust zone host at 1.0.0.10.]

Slide 27: Thank You