Juniper SA SSL VPN

SA SERIES SSL VPN APPLIANCES PRODUCT LINE PRESENTATION, May 19, 2010

Upload: nu-the-open-security-community

Posted on 28-Nov-2014

Category: Education

DESCRIPTION

null Bangalore June 2012 Meet

TRANSCRIPT

Page 1: Juniper sa-sslvpn

SA SERIES SSL VPN APPLIANCES PRODUCT LINE PRESENTATION

May 19, 2010

Page 2: Juniper sa-sslvpn

2 Copyright © 2010 Juniper Networks, Inc. www.juniper.net

AGENDA

1. SSL VPN Market Overview

2. SSL VPN Use Cases

3. Access Control and AAA

4. End-to-End Security

5. Secure Meeting

6. Hardware, Management and High Availability

Page 3: BUSINESS CHALLENGE: GRANT ACCESS VS. ENFORCE SECURITY

Maximize productivity with access...
- Allow partner access to applications (extranet portal)
- Increase employee productivity by providing anytime, anywhere access (intranet, e-mail, terminal services)
- Customize experience and access for diverse user groups (partners, suppliers, employees)
- Enable provisional workers (contractors, outsourcing)
- Support a myriad of devices (smartphones, laptops, kiosks)

…while enforcing strict security
- Allow access only to the applications and resources that particular users need
- Mitigate risks from unmanaged endpoints
- Enforce consistent security policy

…and the solution must achieve positive ROI
- Minimize initial CAPEX costs
- Lower ongoing administrative and support OPEX costs

Page 4: IPSEC VPN VS. SSL VPN

[Diagram: branch office, HQ and department servers (Finance, HR, Sales) in DMZ-1, with mobile users, telecommuters, partners, customers, contractors, an Internet kiosk and a remote office connecting over the Internet]

IPSec VPN
- Remote/branch office deployments
- Fixed site-to-site
- Managed endpoints
- Layer 3 network access
- IP-to-IP control
- Access from managed, trusted networks

SSL VPN
- Employee remote access: telecommuters, mobile users, partner extranets
- Mobile or fixed
- Managed or unmanaged endpoints
- Access control per application
- User-to-application control
- Access allowed from unmanaged and untrusted networks as well

Page 5: THE SOLUTION: JUNIPER NETWORKS SECURE ACCESS SSL VPN

[Diagram: VoIP teleworker, business partner or customer, wireless/mobile device user, airport kiosk user and mobile user in a cafe connecting to an SA6500]

- Secure SSL access for remote users from any device or location
- Easy access from web browsers, with no client software to manage
- Dynamic, granular access control to manage users and resources
- Single comprehensive solution for accessing the various application types available from various devices

Page 6: JUNIPER NETWORKS SSL VPN MARKET LEADERSHIP

Source: 4Q09 Infonetics Research Network Security Appliances and Software Report

- Juniper maintains the #1 market share position worldwide
- Leader since the inception of the SSL VPN product category

Page 7: ANALYST PRAISE & RECOGNITION

2008 Gartner Magic Quadrant for SSL VPN

Source: Gartner (October 2009)
http://www.gartner.com/technology/media-products/reprints/juniper/vol6/article1/article1.html

2009 Magic Quadrant key takeaways:
- “Juniper has maintained the product vision, execution and overall momentum so effectively that it has held a leadership position continuously…”
- “…unchallenged disruptive sales advantage”
- “Juniper is the No. 1 competitive threat…”
- “Year after year, Juniper's products earn a high satisfaction rating…”

Page 8: JUNIPER SA SSL VPN RECOGNITION & AWARDS

Award winning; market leading; 3rd-party certified

Market share leader and proven solution with over 20,000 customers


Page 10: #1 - REMOTE ACCESS AT LOWER OPERATING COSTS

[Diagram: employees with corporate laptops, home PCs and mobile devices reach the applications server, e-mail server and corporate intranet through the Internet, router, firewall and SA6500]

Increased productivity
- Anytime, anywhere access from any device
- No endpoint software to install or manage
- Easy access from common browsers

Increased security
- Encrypted, secure access to corporate resources
- Granular access control
- Comprehensive endpoint security enforcement

Page 11: #2 - EXTRANET PORTALS WITH GREATER SECURITY

[Diagram: partners, suppliers and customers reach client/server applications, web applications and the corporate intranet through the Internet, router, firewall and SA6500]

Administrative ease of use
- Easier management of authorized users
- No client software forced onto external users
- Access enabled from any web-enabled device

Enforcement of corporate security policies
- Granular access to selected applications or resources
- Endpoint security enforced before access is granted
- No administrative burden of managing users’ devices

Page 12: #3 – MOBILE DEVICE ACCESS

[Diagram: an Apple iPhone reaches the applications server, e-mail server and corporate intranet through the Internet, router, firewall and SA6500]

Improved ease of use, higher productivity
- Access from any mobile device
- ActiveSync facilitates secure access to Exchange
- Enforce mobile device integrity and security


Page 14: DYNAMIC ACCESS METHODS BY PURPOSE

Network Connect
- Layer-3 connectivity to the corporate network
- Supports all applications, including resource-intensive applications like VoIP and streaming media
- Recommended for remote and mobile employees only, as full network access is granted
- Layer-3 access to the corporate network

Secure Application Manager
- Access to client/server applications such as Windows and Java applications
- One-click access to applications such as Citrix, Microsoft Outlook and Lotus Notes
- Ideal for remote and mobile employees and partners if they have client applications on their PCs
- Granular client/server application access control

Core Access
- Access to web-based applications, file shares, Telnet/SSH hosted apps and Outlook Web Access
- Granular access control all the way up to the URL or file level
- Ideal for remote and mobile employees and partners accessing from unmanaged, untrusted networks
- Granular web application access control

Three different access methods to control users’ access to resources; dynamic access control based on user, device, network, etc.

Page 15: CLIENTLESS ACCESS METHOD: CORE ACCESS

- Broad set of supported platforms and browsers
- Secure, easy web application access
  - Pre-defined resource policies for Sharepoint, Lotus Webmail, etc.
  - Support for Flash, Java applets, HTML, Javascript, DHTML, XML, etc.
  - Support for hosting and delivering any Java applet
- Secure file share access: web front-end for Windows and Unix files (CIFS/NFS)
- Integrated e-mail client
- Secure terminal access: access to Telnet/SSH (VT100, VT320…) from anywhere, with no terminal emulation client

Page 16: SECURE APPLICATION MANAGER

- Full cross-platform support for both Windows and Java versions
- Granular access control policies for client/server applications
- Access applications without provisioning a full Layer 3 tunnel
- Eliminates the costs, complexity and security risks of IPSec VPNs
- No incremental software/hardware or customization of existing apps

WSAM – secure traffic to specific client/server applications
- Supports Windows Mobile/PPC, in addition to all Windows platforms
- Granular access and auditing/logging capabilities
- Installer Service available for machines with constrained user privileges

JSAM – supports static-TCP-port client/server applications
- Enhanced support for MSFT MAPI, Lotus Notes, Citrix NFuse
- Drive mapping through NetBIOS support
- Installs without advanced user privileges

Page 17: LAYER-3 ACCESS METHOD: NETWORK CONNECT

- Full Layer 3 access to the corporate network
- Dynamic, dual transport mode: dynamically tries SSL in case IPSec is blocked in the network
- Cross-platform dynamic download (ActiveX or Java delivery)
- Launch options include browser-based, standalone EXE, scriptable launcher and Microsoft GINA
- Client-side logging, auditing and diagnostics available

[Diagram: SA Series offering a high-performance transport mode and a high-availability transport mode]

Page 18: ACCESS METHODS: TERMINAL SERVICES

- Seamlessly and securely access any Citrix or Windows Terminal Services deployment
- Intermediate traffic via native TS support, WSAM, JSAM, Network Connect or a hosted Java applet
- Replacement for Web Interface/NFuse

Native TS support
- Granular use control
- Secure client delivery
- Integrated single sign-on
- Java RDP/JICA fallback
- WTS: Session Directory
- Citrix: auto-client reconnect/session reliability
- Many additional reliability, usability and access control options

Page 19: ACCESS METHODS: VIRTUAL DESKTOP INFRASTRUCTURE (VDI)

[Diagram: a remote/mobile user connects through the SA Series (with AAA) to application servers, a finance server, VMware VDI and Citrix XenDesktop]

- SA interoperates with VMware View Manager and Citrix XenDesktop, enabling administrators to consolidate and deploy virtual desktops with SA
- Allows IT administrators to configure centralized remote access policies for users who access their virtual desktops
- Dynamic delivery of the Citrix ICA client or VMware View client to users, including dynamic client fallback options for easy connection to their virtual desktops

Benefits:
- Seamless access (single sign-on) for remote users to their virtual desktops hosted on VMware or Citrix servers
- Saves users time and improves their experience accessing their virtual desktops

Page 20: ACCESS PRIVILEGE MANAGEMENT: 1 USER / 1 URL / 3 DEVICES & LOCATIONS

Policy flow:
1. Pre-authentication: gathers information from user, network and endpoint
2. Authentication & authorization: authenticate user, map user to role
3. Role assignment: assign session properties for the user's role
4. Resource policy: applications available to the user

Managed laptop
- Pre-authentication: Host Check: Pass (AV RTP on, definitions up to date); Machine Cert: Present; Device Type: Win XP
- Authentication: Digital Certificate; Role Mapping: Managed
- Role properties: Access Method: Network Connect; File Access: Enabled; Timeout: 2 hours; Host Check: Recurring
- Resources: Outlook (full version), CRM Client/Server, Intranet, Corp File Servers, Sharepoint

Unmanaged (home PC/kiosk)
- Pre-authentication: Host Check: Fail (no AV installed, no personal FW); Machine Cert: None; Device Type: Mac OS
- Authentication: AD Username/Password; Role Mapping: Unmanaged
- Role properties: Access Method: Core; SVW Enabled; File Access: Disabled; Timeout: 30 mins; Host Check: Recurring
- Resources: Outlook Web Access (no file up/download), CRM Web (read-only), Intranet

Mobile device
- Pre-authentication: Host Check: N/A; Machine Cert: None; Device Type: Win Mobile 6.0
- Authentication: Digital Certificate; Role Mapping: Mobile
- Role properties: Access Method: WSAM, Core; File Access: Enabled; Timeout: 30 mins
- Resources: Outlook Mobile, CRM Web, Intranet, Corp File Servers

Page 21: ONE DEVICE FOR MULTIPLE GROUPS: CUSTOMIZE POLICIES AND USER EXPERIENCE FOR DIVERSE USERS

One SA Series device serves three sign-in URLs (customers.company.com, employees.company.com, partners.company.com), each with its own role:

“Partner” role
- Authentication: Username/Password
- Host Check: Enabled – any AV, PFW
- Access: Core Clientless
- Applications: MRP, Quote Tool

“Customer” role
- Authentication: Username/Password
- Host Check: Enabled – any AV, PFW
- Access: Core Clientless
- Applications: Support Portal, Docs

“Employee” role
- Authentication: OTP or Certificate
- Host Check: Enabled – any AV, PFW
- Access: Core + Network Connect
- Applications: L3 Access to Apps

Page 22: SEAMLESS AAA INTEGRATION

- Full integration into the customer's AAA infrastructure: AD, LDAP, RADIUS, RSA SecurID, certificates, etc.
  - Use of group membership and attributes for authorization/role mapping
- Password management integration: users can manage their AD/LDAP passwords through the SSL VPN
- Single sign-on capabilities: seamless user experience for web applications
  - Forms, header, SAML, cookie, Basic Auth, NTLM v1/v2, Kerberos
- SAML support – web single sign-on, integration with I&AM platforms


Page 24: ENDPOINT SECURITY: HOST CHECKER

- Support for hundreds of leading third-party applications: AV, personal firewall, anti-spyware, anti-malware, Windows patch checks, machine certificate checks, plus custom policy definition
- Devices automatically learn the latest signature versions from AV vendors
- Check for AV installation, real-time protection status and definition file age
- Varied remediation options to meet customer needs
- Trusted Network Connect (TNC) architecture for seamless integration with all TNC-compliant endpoint security products/vendors
- Leverage existing endpoint security application deployments
- Antispyware support with Enhanced Endpoint Security (EES) functionality: antispyware integrated from Webroot, the market leader in antispyware solutions
- Secure Virtual Workspace: creates a protected virtual system for an untrusted machine
- Cache Cleaner: removes browser contents/history at the conclusion of the user session

Host Checker
- Checks devices before and during the session
- Ensures device compliance with corporate policy
- Remediates devices when needed
- Cross-platform support

Example outcomes (SA Series):
- Home PC user: no anti-virus installed, personal firewall enabled; user remediates by installing anti-virus; once installed, user is granted access
- Airport kiosk user: no anti-virus installed, no personal firewall; user is granted minimal access
- Corporate PC user: AV real-time protection running, personal firewall enabled, virus definitions up to date; user is granted full access
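The pre-authentication, role-mapping and resource-policy flow of page 20, the three-device matrix on that page and the Host Checker outcomes on page 24, worked through as an added Python example. This is illustrative code written for this transcript, not Juniper software or its policy syntax: the Endpoint, SessionPolicy, host_check, map_role, evaluate_session and recheck_session names, the rule ordering and the sample endpoints are constructed assumptions; the role properties and application lists are taken from the page 20 matrix.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical model of what Host Checker gathers at pre-authentication.
@dataclass
class Endpoint:
    device_type: str
    machine_cert: bool
    av_installed: bool
    av_realtime: bool
    av_defs_current: bool
    personal_fw: bool
    host_checker_supported: bool = True  # False on the mobile device ("Host Check: N/A")

# Session properties assigned per role (page 20, "Role Assignment" stage).
@dataclass(frozen=True)
class SessionPolicy:
    role: str
    access_methods: Tuple[str, ...]
    file_access: bool
    timeout_minutes: int
    recurring_host_check: bool
    secure_virtual_workspace: bool
    applications: Tuple[str, ...]  # "Resource Policy" stage

ROLE_POLICIES = {
    "Managed": SessionPolicy("Managed", ("Network Connect",), True, 120, True, False,
                             ("Outlook (full version)", "CRM Client/Server", "Intranet",
                              "Corp File Servers", "Sharepoint")),
    "Unmanaged": SessionPolicy("Unmanaged", ("Core",), False, 30, True, True,
                               ("Outlook Web Access (no file up/download)",
                                "CRM Web (read-only)", "Intranet")),
    "Mobile": SessionPolicy("Mobile", ("WSAM", "Core"), True, 30, False, False,
                            ("Outlook Mobile", "CRM Web", "Intranet", "Corp File Servers")),
}

def host_check(ep: Endpoint) -> str:
    """Pre-authentication host check: 'pass', 'fail', 'remediate' or 'n/a'."""
    if not ep.host_checker_supported:
        return "n/a"
    if ep.av_installed and ep.av_realtime and ep.av_defs_current and ep.personal_fw:
        return "pass"
    if not ep.av_installed and ep.personal_fw:
        return "remediate"  # page 24 home-PC case: install AV, then re-check
    return "fail"            # e.g. kiosk with neither AV nor firewall

# Role-mapping rules, evaluated in order; the first match wins (constructed).
ROLE_MAPPING_RULES: List[Tuple[str, Callable[[str, Endpoint, str], bool]]] = [
    ("Managed",   lambda auth, ep, hc: auth == "certificate" and ep.machine_cert and hc == "pass"),
    ("Mobile",    lambda auth, ep, hc: auth == "certificate" and hc == "n/a"),
    ("Unmanaged", lambda auth, ep, hc: hc in ("pass", "fail")),  # minimal access on a failed check
]

def map_role(auth: str, ep: Endpoint, hc: str) -> Optional[str]:
    for role, matches in ROLE_MAPPING_RULES:
        if matches(auth, ep, hc):
            return role
    return None

def evaluate_session(auth: str, ep: Endpoint) -> Tuple[str, Optional[SessionPolicy]]:
    """Whole flow: returns ('grant', policy), ('remediate', None) or ('deny', None)."""
    hc = host_check(ep)
    if hc == "remediate":
        return ("remediate", None)
    role = map_role(auth, ep, hc)
    if role is None:
        return ("deny", None)
    return ("grant", ROLE_POLICIES[role])

def recheck_session(auth: str, ep: Endpoint, current: SessionPolicy) -> Tuple[str, Optional[SessionPolicy]]:
    """Recurring host check during the session: keep, downgrade or terminate."""
    if not current.recurring_host_check:
        return ("keep", current)
    decision, policy = evaluate_session(auth, ep)
    if decision != "grant":
        return ("terminate", None)
    if policy.role == current.role:
        return ("keep", current)
    return ("downgrade", policy)

# Constructed sample endpoints mirroring the three columns of page 20 and the
# home-PC and kiosk cases of page 24.
MANAGED_LAPTOP = Endpoint("Win XP", True, True, True, True, True)
UNMANAGED_MAC = Endpoint("Mac OS", False, False, False, False, False)
MOBILE_DEVICE = Endpoint("Win Mobile 6.0", False, False, False, False, False, host_checker_supported=False)
HOME_PC_NO_AV = Endpoint("Win XP", False, False, False, False, True)
AIRPORT_KIOSK = Endpoint("Win XP", False, False, False, False, False)

if __name__ == "__main__":
    for label, auth, ep in [("managed laptop", "certificate", MANAGED_LAPTOP),
                            ("unmanaged Mac", "password", UNMANAGED_MAC),
                            ("mobile device", "certificate", MOBILE_DEVICE),
                            ("home PC without AV", "password", HOME_PC_NO_AV),
                            ("airport kiosk", "password", AIRPORT_KIOSK)]:
        decision, policy = evaluate_session(auth, ep)
        print(label, decision, policy.role if policy else "", policy.applications if policy else "")
```

The point of the recurring check is the last function: a managed laptop whose real-time protection is switched off mid-session no longer matches the "Managed" rule and drops to the "Unmanaged" properties (Core only, no file access), while a laptop whose anti-virus is uninstalled falls into the remediation path and the session is terminated rather than silently kept.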

Page 25: ANTISPYWARE SUPPORT WITH ENHANCED ENDPOINT SECURITY (EES) FUNCTIONALITY

- The number of newly discovered malicious programs is growing
- Quarantining and remediating contaminated endpoints costs enterprises time, money and productivity
- To address the growth in malware, SA and UAC now dynamically download antispyware/antimalware software to endpoints, regardless of user or location
- Antispyware integrated from Webroot, the market leader in antispyware solutions
- The number of simultaneous endpoints that can use the feature depends on the optional subscription license ordered

Customer benefits:
- Ensure only healthy devices are granted network access
- Protect corporate resources from infected endpoints
- Real-time shield is always on, with memory scan and virus signatures
- Save the IT time and money otherwise spent correcting individual endpoints; decrease user downtime that affects productivity

[Diagram: SA Series and UAC Series dynamically provisioning antispyware/antimalware software to road warrior, partner or employee endpoints that access data and applications, with malware shown on the endpoint side]

Page 26: UAC-SA FEDERATION DIAGRAM

[Diagram: Internet, campus HQ (wired/wireless, L2 switch, LAN user), data center with applications, IC Series UAC appliance, SA Series SSL VPN and ISG Series with IDP]

1) Remote user logs into the SSL VPN; the SSL VPN provisions the remote access session
2) The SSL VPN talks to the IC to let the IC know of the user session and the roles provisioned
3) The IC provisions access control rules on the UAC enforcement points
4) The user accesses resources protected by UAC with a single login

- Consistent policies for remote and LAN access
- Policy servers that can share knowledge of users for intelligent provisioning of access inside the network

Page 27: JUNIPER’S COORDINATED THREAT CONTROL

[Diagram: partner and employee traffic, tunneled or intermediated by the SA Series, crosses from the Internet to the LAN through the IDP]

1 - IDP detects the threat and stops the traffic
2 - Signaling protocol notifies the SSL VPN of the attack
3 - SA identifies the user and takes action on the user session

Correlated threat information
- Identity
- Endpoint
- Access history
- Detailed traffic and threat information

Coordinated identity-based threat response
- Manual or automatic response
- Response options: terminate session, disable user account, quarantine user
- Supplements IDP threat prevention

Comprehensive threat detection and prevention
- Ability to detect and prevent malicious traffic
- Full layer 2-7 visibility into all traffic
- True end-to-end security
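The identity-based response of page 27 (an IDP alert correlated with the SSL VPN session, then terminate, disable or quarantine), as an added Python example. It is not Juniper code and does not model the signaling protocol itself; the VpnSession, IdpAlert, State, correlate, choose_response and respond names, the escalation rule for repeated alerts, and the sample sessions, usernames and tunnel addresses are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class VpnSession:
    session_id: str
    username: str
    role: str
    tunnel_ip: str        # address the SSL VPN assigned to the user's tunnel
    active: bool = True

@dataclass
class IdpAlert:
    source_ip: str        # what the IDP saw; on the LAN side this is the tunnel address
    signature: str
    severity: str         # "low", "medium" or "high"

@dataclass
class State:
    sessions: List[VpnSession]
    accounts: Dict[str, dict]
    alerts_by_user: Dict[str, int] = field(default_factory=dict)

ESCALATION_THRESHOLD = 2  # prior alerts for the same user before escalating (constructed)

def build_sample_state() -> State:
    """Constructed session table and account store."""
    sessions = [
        VpnSession("s-1001", "alice", "Employee", "10.200.0.11"),
        VpnSession("s-1002", "bob.partner", "Partner", "10.200.0.12"),
    ]
    accounts = {"alice": {"disabled": False}, "bob.partner": {"disabled": False}}
    return State(sessions, accounts)

def correlate(alert: IdpAlert, state: State) -> Optional[VpnSession]:
    """Step 3 of the slide: turn the IDP's source address back into a user."""
    for s in state.sessions:
        if s.active and s.tunnel_ip == alert.source_ip:
            return s
    return None

def choose_response(severity: str, prior_alerts: int) -> str:
    if severity == "high" or prior_alerts >= ESCALATION_THRESHOLD:
        return "terminate_and_disable"
    if severity == "medium":
        return "quarantine"
    return "log_only"

def respond(alert: IdpAlert, state: State, automatic: bool = True) -> dict:
    """Apply (or, in manual mode, propose) the identity-based response."""
    session = correlate(alert, state)
    if session is None:
        return {"action": "no_session", "user": None, "signature": alert.signature}
    prior = state.alerts_by_user.get(session.username, 0)
    state.alerts_by_user[session.username] = prior + 1
    action = choose_response(alert.severity, prior)
    result = {"action": action, "user": session.username,
              "session": session.session_id, "signature": alert.signature}
    if not automatic:
        result["action"] = "pending_review"
        result["proposed"] = action
        return result
    if action == "terminate_and_disable":
        session.active = False
        state.accounts[session.username]["disabled"] = True
    elif action == "quarantine":
        session.role = "Quarantine"   # restricted role; the resource policy does the rest
    return result

if __name__ == "__main__":
    st = build_sample_state()
    print(respond(IdpAlert("10.200.0.12", "constructed-signature-1", "high"), st))
    print(respond(IdpAlert("10.200.0.11", "constructed-signature-2", "medium"), st))
    print(respond(IdpAlert("10.200.0.99", "constructed-signature-3", "high"), st))
```

Correlation on the tunnel address is what gives the response its identity: the IDP only knows a source IP, while the SSL VPN knows which user, endpoint and role that address belongs to. The escalation counter turns repeated medium-severity hits on one user into a termination, and the manual mode leaves the session untouched while recording what would have been done.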

Page 28: JUNOS PULSE

- Dynamically provisioned software client for: remote access, enterprise LAN access control, WAN acceleration, dynamic VPN (for SRX)
- Easy-to-use, intuitive user experience
- Location aware, with dynamic session migration
- Identity-enabled
- Standards-based
- Integration platform for select 3rd-party applications (e.g. Webroot antimalware)
- Builds on Juniper’s market-leading SA Series SSL VPN, UAC solution and WXC technology!

Page 29: JUNIPER NETWORKS ICE FOR BUSINESS CONTINUITY

Juniper Networks ICE delivers:
- Proven, market-leading SSL VPN
- Easy deployments
- Instant activation
- Investment protection
- Affordable risk protection

[Chart: number of remote users over time, showing average usage and a peak in demand during an unplanned event]

What will you do when your non-remote users need access?

Meeting the peak in demand for remote access in the event of a disaster


Page 31: SECURE MEETING: INSTANT COLLABORATION/REMOTE HELPDESK

Easy to use
- Web conferencing
- Share desktop/applications
- Group and private chat

Easy to deploy and maintain
- No pre-installed software required
- Web-based, cross-platform
- Personalized meeting URLs for users, e.g. https://meeting.company.com/meeting/johndoe

Affordable – no usage/service fees

Secure
- Fully encrypted/secured traffic using SSL
- No peer-to-peer backdoor
- User credentials protected

Remote helpdesk functionality
- Automatic desktop sharing/remote control request
- Instant or scheduled online collaboration


Page 33: JUNIPER SSL VPN PRODUCT FAMILY: FUNCTIONALITY AND SCALABILITY TO MEET CUSTOMER NEEDS

[Chart: models positioned by breadth of functionality (vertical axis) against enterprise size (horizontal axis)]

Secure Access 700
- Designed for: SMEs; secure remote access
- Includes: Network Connect
- Options/upgrades: 10-25 concurrent users; Core Clientless Access; Network & Security Manager (NSM)

Secure Access 2500
- Designed for: medium enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC
- Options/upgrades: 25-100 concurrent users; Secure Meeting; cluster pairs; EES; NSM

Secure Access 4500
- Designed for: medium to large enterprise; secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC
- Options/upgrades: 50-1000 concurrent users; Secure Meeting; Instant Virtual System; SSL acceleration; cluster pairs; EES; NSM

Secure Access 6500
- Designed for: large enterprises and SPs; secure remote, intranet and extranet access
- Includes: Core Clientless Access, SAM, NC, SSL acceleration, hot-swap drives and fans
- Options/upgrades: up to 30K concurrent users; Secure Meeting; Instant Virtual System; 4-port SFP card; 2nd power supply or DC power supply; multi-unit clusters; EES; NSM

All models are now Common Criteria EAL3+ certified: http://www.dsd.gov.au/infosec/evaluation_services/epl/network_security/juniper_networks_SAF.html

Page 34: SECURE ACCESS FEATURES

- Secure Meeting license
- High Availability license: Active-Passive or Active-Active support; stateful session failover
- Enhanced Endpoint Security (EES) license
- Advanced troubleshooting tools for quick issue resolution: policy trace, session recording, system snapshot, etc.
- Granular role-based administration
- Detailed logging and log filtering
- Config import/export; configuration backup/archiving
- FIPS-certified product available

Page 35: USEFUL LINKS

- What’s New (new features in the respective release): http://www.juniper.net/techpubs/software/ive/releasenotes/6.5-whats_new.pdf
- Supported Platforms: http://www.juniper.net/techpubs/software/ive/releasenotes/SA-SupportedPlatforms-65.pdf
- Client Side Changes: http://www.juniper.net/techpubs/software/ive/admin/6.5-ClientSideChanges.pdf

Page 36: WHY JUNIPER FOR SSL VPN?

Core competence in SSL-based access
- Proven in tens of thousands of customer deployments!
- Market leadership/industry awards
- Product maturity

Single platform for all enterprise remote access needs
- Support for complex web content, files, Telnet/SSH using only a browser
- Client/server applications
- Adaptive dual transport method for network-layer access

End-to-end security
- Robust host checking capabilities
- Dynamic access privilege management
- 3rd-party security audits

Performance, scalability & HA
- Differentiated hardware platforms
- Global and local stateful clustering
- Compression, SSL acceleration, GBIC connectors, dual hot-swappable hard disks, power supplies and fans

Ease of administration
- Centralized management
- Granular role-based delegation
- Extensive integration with existing directories
- Native automatic endpoint remediation and password management integration
