uac sales pres_20_apr09-2
Access Control Solutions Unified Access Control

Upload: lousifers

Post on 16-Jan-2015

DESCRIPTION

Juniper UAC

TRANSCRIPT

Page 1: Uac sales pres_20_apr09-2

Access Control Solutions

Unified Access Control

Page 3: Uac sales pres_20_apr09-2

5 Copyright © 2009 Juniper Networks, Inc. www.juniper.net

Agenda

Market Trends and Needs

Use Cases

NAC Market Leadership

Coordinated Security Architecture

Architecture Examples

Case Studies

Summary

Page 10: Uac sales pres_20_apr09-2

Market Trends and Needs

Worldwide economic crisis

Layoffs and RIFs abound

Financial institutions failing

Market values falling

Decreased budgets

Severe credit crunch

Proliferation of network threats

Insider threat incidences rise

Escalation in outsourcing and off-shoring

Build-up of mergers and acquisitions

Increased emphasis on regulatory compliance

Networks now more strategic than ever to corporate growth…

…However, need to do more, but with less

Page 11: Uac sales pres_20_apr09-2

Fully Coordinated Security Infrastructure

Management/Visibility

802.1X NAC

Identity-Aware Security

Enterprise-Wide Access Control

Device Control

UAC “Nerve Center”

Coordinated Threat Control

Page 15: Uac sales pres_20_apr09-2

Use Case – Insider Threat Mitigation

Challenge

Chart: % of Participants Who Experienced an Insider Incident (2007 e-Crime Watch Survey, 671 respondents). Years 2004, 2005, 2006, 2007; values 41, 39, 55, 49.

UAC

• Coordinated, enterprise-wide access control
• Authorized network and application access only
• Identity-enabled behavior anomaly detection and mitigation
• Identity-based firewalling for data center
• Third-party device collaboration and interoperability
• Comprehensive, identity-enabled logging and reporting

Page 16: Uac sales pres_20_apr09-2

Use Case – Addressing Compliance

Challenge

UAC

• Stops unauthorized network, application, and data access
• Checks and assesses device security posture – pre- and post-admission
• Consistent, cross-network access policy enforcement
• Instant data access authorization
• Identity-enables profiling, auditing, and logging
• FIPS compliant hardware and client

Page 17: Uac sales pres_20_apr09-2

Use Case – Secure Guest Access

Challenge

Chart: LAN Threat by Users. "Rate the following types of users by their degree of threat for your LAN." (Mike Fratto | InformationWeek Analytics | 2008 NAC Survey)

Percentages, in the order shown: 58%, 57%, 47%, 44%, 42%, 30%

User types, in the order shown: Guests; Employee, remote access; Employee, connected wireless to LAN; Contractors/outsourced labor; Unmanageable devices such as printers, VoIP phones, card readers, cameras; Employee, connected via wired LAN

Note: Percentages based on a rating of 4 to 5 on a five-point scale where 1 is “low” and 5 is “High”

UAC

• Limits guest access
• Base level and depth of access on guest type, identity and role
• Device health and security assessment – pre- and post-admission
• One-time guest accounts
• Time-based guest accounts
• VLAN or overlay guest use enforcement
• Administrator controlled

Page 18: Uac sales pres_20_apr09-2

Use Case – Secure Outsourcing/Off-shoring

Challenge - US off-shoring to grow nearly 3X by 2015

Estimated Number of U.S. Jobs Moving Offshore, 2003-2015

| Job category | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2010 | 2015 |
|---|---|---|---|---|---|---|---|---|
| Management | 3,500 | 15,000 | 34,000 | 42,000 | 48,000 | 64,000 | 106,000 | 259,000 |
| Business | 30,000 | 55,000 | 91,000 | 105,000 | 120,000 | 136,000 | 176,000 | 356,000 |
| Computer | 102,000 | 143,000 | 181,000 | 203,000 | 228,000 | 247,000 | 322,000 | 542,000 |
| Architecture | 14,000 | 27,000 | 46,000 | 54,000 | 61,000 | 70,000 | 93,000 | 191,000 |
| Life Sciences | 300 | 2,000 | 4,000 | 5,500 | 6,500 | 9,000 | 16,000 | 39,000 |
| Legal | 6,000 | 12,000 | 20,000 | 23,000 | 26,000 | 29,000 | 39,000 | 79,000 |
| Art, Design | 2,500 | 4,500 | 8,000 | 9,000 | 10,000 | 11,000 | 15,000 | 30,000 |
| Sales | 11,000 | 22,000 | 38,000 | 47,000 | 55,000 | 67,000 | 97,000 | 218,000 |
| Office | 146,000 | 256,000 | 410,000 | 475,000 | 541,000 | 616,000 | 815,000 | 1,600,000 |
| Total | 315,000 | 540,000 | 830,000 | 960,000 | 1,100,000 | 1,200,000 | 1,700,000 | 3,400,000 |

UAC

• Protects remote and local network access
• Stops unauthorized network, application, and data access
• Checks and assesses device security posture – before and during session
• Virtual network segmentation
• In transit data encryption
• Identity-enabled firewalling at the data center

Page 22: Uac sales pres_20_apr09-2

UAC – NAC Market Leader

The Forrester Wave™: Network Access Control, Q3 2008

Page 25: Uac sales pres_20_apr09-2

Central Policy Coordination

Seamless AAA integration

Comprehensive endpoint integrity
• Automatic and manual remediation
• Dynamic updates

Standards-based (TNC, 802.1X, RADIUS,…)

Unmatched scale, resilient HA

Enterprise-wide management

Security hardened

Diagram labels: UAC “Nerve Center”; IC Series; IDP Series; SA Series; Firewall; STRM Series; 802.1X Switches & APs; EX Series; SRX Series

Page 26: Uac sales pres_20_apr09-2

Complete 802.1X NAC

EX Series Ethernet Switch support
• Identity-based QoS, bandwidth limiting, and priority scheduling
• Mirror traffic to IDP for monitoring and logging

Vendor agnostic
• Supports ANY vendor’s 802.1X-compatible switches and access points

Granular policy capabilities
• VLANs, ACLs, QoS,…

Diagram labels: 802.1X NAC; IC Series; EX Series; Any 802.1X Switch/AP

Page 27: Uac sales pres_20_apr09-2

Identity-Aware Security

Enables true mobility
• Eliminate ACLs – “follow the user” policies
• Identity-based, secure network segmentation

Supports any Juniper security policy
• SRX Series Services Gateways
• ScreenOS firewalls
• IDP Application Layer Enforcer

Diagram labels: Identity-Aware Security; SSG Series; SRX Series; IDP; IC Series; Corporate Data Center (Apps, Data, Finance, Video)

Page 28: Uac sales pres_20_apr09-2

Proven Endpoint Control

Comprehensive integrity checks
• Antivirus, personal firewall, OS and application patches, anti-X, machine certificates, custom checks,…

Simple, automatic
• Remediation – unparalleled user experience
• Updates – reduces administrative tasks

Standards-based

Cross-platform support
• Windows, Mac, Linux
• Native Windows supplicant

Diagram label: Endpoint Control

Page 29: Uac sales pres_20_apr09-2

Enterprise-Wide Access Control

Federated Remote/Local Access
• Single login protected network/resource access
• Intelligently provisions network access
• Simplifies user experience

Shared, centrally managed policies

Diagram labels: Enterprise-Wide Access Control; Corporate Data Center (Apps, Finance, Video); Local User; SA-Series; Internet; IC Series; IF-MAP; UAC Enforcer; NSM; Policies

Page 30: Uac sales pres_20_apr09-2

Management and Visibility

Juniper NSM: Central management

Juniper STRM: Strong visibility; comprehensive reporting and analysis

Comprehensive Juniper portfolio coverage

Management/ Visibility

Page 31: Uac sales pres_20_apr09-2

Coordinated Threat Control

Identity-enabled anomaly detection and mitigation
• Remote or local access
• Isolate threat to specific user or device

Employs specific, configurable policy actions

Addresses insider threats quickly

Diagram labels: Coordinated Threat Control; IDP Series; EX Series; IC Series; Application Servers; Firewalls; UAC Enforcement Points; 802.1X Switches/APs

Page 32: Uac sales pres_20_apr09-2

Cross-Portfolio, Integrated Access Control

Diagram labels: Odyssey Access Client (OAC); UAC Agent; UAC Agent-less Mode; EX3200; EX4200; IDP Series; Firewall; SSG Series; ISG Series; SRX Series; Application Servers; IC Series UAC Appliance; SBR Series; SA Series; STRM Series; NSM; Policies

Page 35: Uac sales pres_20_apr09-2

Basic NAC Enforcement

Diagram labels: Local User; Patch Remediation; EX Series; SRX Series; IDP Series; IC Series; Corporate Data Center (Apps, Data, Finance, Video)

1. “Sales” user logs in from unpatched machine

2. EX quarantines user – access patch server only – automatically remediated

3. Remediation success; full access granted
• IC-EX establish VLAN, ACLs, and QoS for Session
• UAC pushes role-based FW policies to SRX
• UAC pushes application-layer policies to IDP

4. User attempt to access “Finance” data blocked

Page 36: Uac sales pres_20_apr09-2

Enterprise-wide Access Control

Diagram labels: Mobile User; Internet; SA Series; Patch Remediation; SRX Series; IDP Series; IC Series; Corporate Data Center (Apps, Data, Finance, Video)

1. “Sales” user logs in from unpatched machine

2. Quarantined for automatic patch remediation

3. Remediation success; full access granted
• SA Session pushed to IC via IF-MAP
• UAC pushes role-based FW policies to SRX
• UAC pushes application-layer policies to IDP

4. User attempt to access “Finance” data blocked

5. IDP Senses attack, informs IC
• SA terminates user session
• IC removes SRX/IDP access

Page 37: Uac sales pres_20_apr09-2

Coordinated Threat Control: UAC and IDP Series

1. User accesses network

2. User attempts to access applications stored on Data Center

3. IDP detects network threat

4. Signals anomaly information to IC Series appliance

5. IC correlates network threat to specific user and device

6. IC pushes appropriate policy to UAC enforcement points

7. UAC enforcement points take appropriate access control actions against offending user and/or device

Diagram labels: Local User; Corporate Data Center (Apps, Data, Finance, Video); EX Series; Firewalls; UAC Enforcement Points; 802.1X Switches/APs; IC Series; IDP Series
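The correlation in steps 5 to 7 above, sketched as an added example (not part of the original deck and not Juniper code): the session table, alert fields, action names and enforcer names are all hypothetical. It shows why the lookup must use the session that held the address at the alert time, so that a reassigned IP does not lead to action against the wrong user.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Session:                 # hypothetical record kept by the policy server
    user: str
    role: str
    mac: str
    ip: str
    start: int                 # epoch seconds
    end: Optional[int]         # None while the session is still open
    enforcers: Tuple[str, ...]  # enforcement points holding policy for it


@dataclass(frozen=True)
class Alert:                   # hypothetical anomaly report from the IDS
    src_ip: str
    ts: int
    severity: str              # "low", "medium" or "high"


# Configurable policy action per severity (assumed names).
ACTIONS = {"low": "log", "medium": "quarantine", "high": "terminate"}


def correlate(alert, sessions):
    """Step 5: find the session that owned src_ip at the alert time."""
    for s in sessions:
        still_valid = s.end is None or alert.ts <= s.end
        if s.ip == alert.src_ip and s.start <= alert.ts and still_valid:
            return s
    return None


def respond(alert, sessions):
    """Steps 5-7: return (enforcer, action, target) tuples to push."""
    s = correlate(alert, sessions)
    if s is None:
        # No identity for this address at that time: record it, do not guess.
        return [("siem", "log-uncorrelated", alert.src_ip)]
    if s.end is not None:
        # The session has already closed; the address may belong to someone
        # else now, so keep the audit trail and enforce nothing.
        return [("siem", "log-closed-session", s.user)]
    action = ACTIONS.get(alert.severity, "log")
    if action == "log":
        return [("siem", "log", s.user)]
    # Act against the user and device, not the bare IP address.
    target = f"{s.user}/{s.mac}"
    return [(e, action, target) for e in s.enforcers]


# Constructed sample data: the same address is held by two users in turn.
SESSIONS = [
    Session("alice", "sales", "00:11:22:33:44:55", "10.1.20.15",
            1000, 2000, ("ex-sw1",)),
    Session("bob", "finance", "66:77:88:99:aa:bb", "10.1.20.15",
            2100, None, ("ex-sw1", "srx-dc", "idp-dc")),
]

if __name__ == "__main__":
    for a in (Alert("10.1.20.15", 2500, "high"),
              Alert("10.1.20.15", 1500, "high"),
              Alert("10.9.9.9", 2500, "medium")):
        print(a, "->", respond(a, SESSIONS))
```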

Page 40: Uac sales pres_20_apr09-2

Case Study – Bangchak Petroleum Public Co. Ltd.

1. Who

• Comprehensive oil business with refinery, sales and distribution operations, and >1,000 gas stations across Thailand
• >20 year old company with annual revenues >$2 billion

2. Challenges

• Harden the security of its distribution control system (DCS)
• Help deliver compliance with the ISO-27001 information security management standard

3. Why Juniper

• Separates refinery control systems from business applications
• Protects against catastrophic attacks, including control hijacking and other operational disruptions
• Prevents and mitigates wide range of malware and emerging security threats

4. Juniper Products

• IC Series UAC Appliances
• SSG Series Secure Services Gateways

http://www.juniper.net/company/presscenter/pr/2008/pr_2008_09_10-12_47.html

Page 41: Uac sales pres_20_apr09-2

Case Study – Portland Community College

1. Who

• Regional community college
• 86,000 students
• 4,000 faculty, staff, and other users
• 3 campuses, 5 work centers
• Distance learning worldwide
• 350 wireless access points

2. Challenges

• Secure existing wireless LAN
• Restrict access for authorized users and guests
• Grant appropriate access to each user
• Minimize administrative burden
• Preserve academic openness

3. Why Juniper

• Web-based authentication
• Firewall-based enforcement
• User authentication via ERP
• Differentiated access based on user and/or role

4. Juniper Products

• IC 4000s
• SSG 140s

http://www.juniper.net/solutions/customer_profiles/352262.pdf

Page 42: Uac sales pres_20_apr09-2

Case Study – Equifax

1. Who

• Provider of value-added information solutions to businesses and consumers
• 100+ year old Fortune 500 global information solutions leader with $1.8 billion in revenue and about 7,000 employees in 15 countries

2. Challenges

• Ensure assets accessing LAN meets customer security requirements
• Restrict access to/for authenticated, authorized users only (employees, contractors, etc.)
• Grant appropriate access to each user

3. Why Juniper

• Robust endpoint assessment and authentication
• Flexibility
• Audit/monitor mode
• Strong relationships and partnerships

4. Juniper Products

• IC Series UAC Appliances
• SSG Series Secure Services Gateways

“Equifax Bolsters Border Security”, Network World, 7/3/08

http://www.juniper.net/solutions/literature/misc/equifax_on_uac.pdf

Page 46: Uac sales pres_20_apr09-2

UAC: Identity-Aware Security and Access Control

• Dynamically handles guests, partners, contractors, unmanageable devices
• Mitigate threats by controlling access across wired/wireless networks
• Leverage IDP for correlating network threat information to dynamically protect the network
• Control access to applications
• Gain visibility and control for user/device access to network, resources and applications
• Flexible solution to support access control in distributed networks
• Centralized policy management across remote and local access
• Centralized validation
• Distributed enforcement

Diagram labels: Data Center; Campus HQ Wired/Wireless; Branch Office; Internet; Corporate Offices; Applications; IC Series UAC Appliance; HQ User; EX Series; ISG Series; SRX Series; IDP Series; ISG Series with IDP; Branch User; SSG Series; SA Series; NSM; Policies

Page 47: Uac sales pres_20_apr09-2

THANK YOU

Page 48: Uac sales pres_20_apr09-2

Additional Slides

Page 49: Uac sales pres_20_apr09-2

IC/IC + SA/IC Federation (IF-MAP)

Diagram panels: IC/IC Federation; SA/IC Federation

Diagram labels: US HQ; EMEA HQ; IC 1; IC 2; IF-MAP; Local User; UAC Enforcer; IDP Enforcer; SA-Series; Internet; IC-Series; Corporate Data Center (Apps, Data, Finance, Video)

Page 50: Uac sales pres_20_apr09-2

UAC and IF-MAP – Open Access Control

IC Series – Industry’s first IF-MAP server!
• TNC standard
• Enforcement for third-party devices
• Coordinated defense/response across multi-vendor deployments
• Intuitive policies based on user identity and role vs. IP address

Diagram labels: IC Series; IDP Series; SA Series; DLP; IDS; Third-Party Appliance; Firewall; Third-Party Firewall; STRM Series; 802.1X Switches & APs; SIEM/SEM; EX Series; SRX Series

Page 51: Uac sales pres_20_apr09-2

Additional, New UAC 3.0 Features

UAC Agent Localization
• Chinese (Traditional and Simple), Japanese, Korean, French (UI only)

UAC Agent – Windows 64-bit

Guest Account Provisioning Features

Client Upgrade Changes

Firewall VSYS Support

IC6500 FIPS

Page 52: Uac sales pres_20_apr09-2

IC Series UAC Appliance Family

IC4500 UAC Appliance
• For mid-range to large-sized enterprises
• Supports from 25 to 5,000 simultaneous endpoint devices

IC6500 UAC Appliance
• For large, multinational enterprise deployments
• Supports up to 20,000 simultaneous endpoint devices per appliance
• Supports up to 30,000 simultaneous endpoint devices in a 3-unit cluster
• Redundant features include: dual, mirrored hot swappable SATA hard drives; dual, hot swappable fans; dual, hot swappable power supplies (optional)

IC6500 FIPS UAC Appliance
• Same capabilities as IC6500
• Adds FIPS certified hardware security module and tamper evident labels

Page 53: Uac sales pres_20_apr09-2

Juniper UAC and EX Series Ethernet Switches: Seamless Network Access Control

Policy enforcement provided by EX Series switches and SSG Series, ISG Series, and SRX Series

IC Series appliance can push policy to EX Series switches for dynamic configuration based on user or device

Policy on EX Series switches can enforce specific QoS queuing or scheduling policies, VLAN assignment, or any other port configuration parameter

Diagram labels: 802.1X; Protected Resources; Dynamic role provisioning; AAA/Identity Stores; AAA; User, endpoint, location-based policies; UAC Agent; EX Series; IC Series UAC Appliance; Firewall; Apps Server

Page 54: Uac sales pres_20_apr09-2

UAC and EX Series Features: Identity-based QoS

QoS policies stored on IC Series appliance and sent to the EX Series switch, implementing dynamic QoS policies per user session

• Bandwidth-limit guest traffic; mark with low-priority DSCP
• Place ERP traffic in high-priority queue; mark with high-priority DSCP
• Place e-mail traffic in best-effort queue; mark with medium-priority DSCP

Diagram labels: Guest User; Marketing User; Finance User; EX Series; IC Series UAC Appliance; ERP Servers; Email Servers; Corporate Network; Internet Gateway Router; Internet

Page 55: Uac sales pres_20_apr09-2

Customer Profile – Australian Unity

One of Australia's leading integrated financial institutions

National healthcare, financial services and retirement living organization, serving more than 400,000 Australians and employing over 1,000 staff

Invested in comprehensive range of Juniper Networks campus solutions including switching and network security technologies

EX Series switches provide high-performance, carrier-class Ethernet switching to help ensure uninterrupted business operations

UAC combines user identity, device security state and network location information to create unique network access control policy per user and per session, enforcing access policy at Layer 2 through 802.1X-enabled EX Series Ethernet Switches

NSM streamlines administration with a single, powerful management interface and embedded templates for rapid, enterprise-wide policy provisioning

Combining Secure Access SSL VPN, UAC and NSM ensures access and security policies created for remote access can be leveraged for LAN-based access, and vice-versa

Enables the company to meet the growing and rigorous technical and security demands of its organization while streamlining operations and reducing capital and operational expenses

https://www.juniper.net/us/en/company/press-center/press-releases/2009/pr_2009_01_15-17_31.html

Page 56: Uac sales pres_20_apr09-2

Standards-based Architecture

TNC open architecture for network access control
• Suite of standards to ensure interoperability
• Work Group of Trusted Computing Group (TCG)

Open standards
• Leverages existing network infrastructure
• Roadmap for the future (i.e., TPM)
• Products supporting TNC standards shipping today

Diagram roles: Access Requester (AR); Policy Enforcement Point (PEP); Policy Decision Point (PDP); Metadata Access Point (MAP)

Diagram labels: Wired; Wireless; Network Perimeter; UAC Agent; EX Series; Firewall; SRX Series; SA Series; DLP; IDS; Third-Party Appliances; Third-Party Firewalls; SIEM/SEM; IC Series; IF-MAP Server; IF-MAP Clients

Page 57: Uac sales pres_20_apr09-2

Windows Statement of Health (SOH) and Embedded NAP Agent Support

1. Authenticate user, profile endpoint, determine location

2. Dynamically provision policy enforcement

3. External enforcement/validation of SOH, transmits info back for use in policy decisions

4. Control access to protected resources

Diagram labels: UAC Agent OR NAP Client; 802.1X Switches & Access Points; Juniper Firewall Platforms; Policy Server; Identity Stores; Applications and Data; UAC Enforcement Points; Microsoft NPS; IF-TNCCS-SOH; EX Series; SRX Series; ISG Series; ISG Series with IDP; SSG Series; IC Series

Page 58: Uac sales pres_20_apr09-2

St. Mary’s County (MD) Public Schools

1. Who

• Public school district in Maryland
• 16,000 students, 2,100 staff
• 26 schools, Grades K-12

2. Challenges

• Ensure strong access control for wireless communications
• Protect networks against compromised laptops and wireless attacks
• Support rollout of digital classrooms while minimizing administrative burden on IT staff

3. Why Juniper

• Same level of control over wired and wireless networks
• Leverages existing 802.1X investment
• Flexible, phased approach

4. Juniper Products

• IC4000 UAC Appliances

http://www.juniper.net/solutions/customer_profiles/352264.pdf

Page 59: Uac sales pres_20_apr09-2

St. Monica’s College (Australia)

1. Who

• Regional Catholic co-educational secondary college
• Over 2,300 students, teachers and support staff
• Two campuses, 1 km apart

2. Challenges

• Build secure intranet to support learning management system
• Secure converged voice, data and video applications
• Enable 24/7, secure remote access to selected applications

3. Why Juniper

• Ease of integration
• Ease of use
• A high level of security and reliability at a reasonable price
• Centralized infrastructure

4. Juniper Products

• IC4000 UAC Appliances
• SA4000 SSL VPN Appliances
• SSG140 Secure Services Gateways
• WXC500 Application Acceleration Platforms

http://www.juniper.net/solutions/customer_profiles/352267.pdf