Juniper SA Overview
Download as PPTX, PDF1 like2,118 views
Juniper SSL VPN provides secure remote access to network resources through a web interface without requiring client installation. It uses granular authentication, authorization and auditing to control access for realms, users, roles and specific resources. SSL VPN encrypts connections at the application layer for individual remote access, while IPsec operates at the network layer for site-to-site encryption over insecure networks in either transport or tunnel mode. SSL VPN crypto negotiation allows seamless access to resources without multiple connections.
Juniper SA Overview
- 1. Overview: Juniper SSL VPNStrategy, Architecture and Introduction
- 2. Technical OverviewFeaturesExtranet style web interface access to resourcesFull/split tunnel capabilities with Network ConnectMobile ready with Junos PulseNo client installation requiredGranular Authentication, Authorization and Auditing capabilitiesSecure Meeting Space
- 3. Basic ConceptsJuniper model for secure remote access is granular allowing each component to be administered en masse or individuallyRealms -> Users -> Roles -> ResourcesRealms: Groupings of authentication resources (RADIUS, AD, LDAP, Local, etc)Users: User objects (individuals who will be granted access)Roles: Ad-hoc groups of users that can contain one or more security groupsResources: Specific network resources that roles are enabled to accessRDP connections to serversWeb pagesNetwork CIDR blocks (ie, 165.124.188.0/26)File Shares
- 5. IPsec VPN v. SSL VPN: What’s the difference?IPsec Designed for site-to-site encryption over insecure networksEncapsulates packets at the network layerOperates in two modesTransport Mode: Packets payload is encrypted at sender and decrypted at receiverTunnel Mode: Sessions are built and torn down between endpoints (sites and user)=
- 6. IPsec Modes
- 8. SSL VPNDesigned specifically for individual remote access to resourcesAllows for granular access to resourcesRequires no software installation or configurationAllows for users to have a seamless experience- no more connections and disconnections
- 9. SSL Crypto Negotiation
- 10. SSL VPN Cont’d
Editor's Notes
- #6: IPSec was originally developed for secure site to site traffic between physically separated hosts or networks-Was an answer for how to secure networks as companies began transitioning from private ppp links to internet connectionsnote that this is NOT specifically designed for remote access. GRE tunnels are compute intensive, heavy things to set up.it takes the same amount of horsepower it to establish a site to site as it does to establish a remote access tunnel– they are essentially the same thing- same memory, same algorithms, just slightly different methods of handing authentication and key exchangeTherefore, specific client applications or hardware needs to be installed to get these things up and running– the Cisco VPN client we’re all so familiar with or the PIX/ASA/SPA hardwareThis becomes a real problem when you’re dealing with consultants or contractors that you’ll never meet– how do you get the client software/hardware installed properly?IPSec handles packets at the network layer of the Internet Model. This is important because it means that applications can function over a IPSec connection without having to be modified or hacked upNotable exceptions: multicast traffic, NAT’d client traffic (ESP in transport mode or IPsec authentication headers)This also means that since the connection is a true IP connection, the end user (or network) truly becomes a node on the destination network and can interact with devices or provide services to the network as if it were local.This is a benefit from many user’s perspectives as they can typically function exactly as they are used to at workBut this is a downside from a security perspective. It is functionally equivalent to handing a contractor a network cable- no real, granular authorization, little audit trail.
- #9: Another pro of SSL VPN’s is that they allow more precise access control. First of all they provide tunnels to specific applications rather than to the entire corporate LAN. So, users on SSL VPN connections can only access the applications that they are configured to access rather than the whole network. Second, it is easier to provide different access rights to different users and have more granular control over user access.