SSL VPN: A look at UCD through the tunnel

Background: Why? Who is it for?

Stakeholders: IET, Library, Schools and Colleges

Key Requirements:
Integrate with existing authentication
Flexible security groups within the system
Enforce Network Admission Control
Split tunnel services
Granular administration
Browser support
Monitoring and logging
Scalable, 24/7/365 operation

Timeline:
11-05 VPN Workgroup established
3-06 Workgroup recommends SSL VPN
11-06 Law School pilot
3-07 VPN Project Team formed
10-07 SSL VPN live for Library
11-07 Law School becomes the first IVS

The Solution: Juniper SA-6000 High Availability Cluster

Juniper SSL VPN: What is it? How does it work?
The Juniper Networks Instant Virtual Extranet (IVE) platform is the underlying hardware and hardened network operating system that intermediates the data flowing between external users and the institution's internal resources. The UCD VPN infrastructure was built on a two-node Juniper Networks SA-6000 IVE cluster, capable of providing secure access to institutional resources 24/7/365 even if one node suffers a catastrophic hardware failure. To reduce the attack surface of departmental resources, the IVE intermediation process receives requests from authenticated external users and makes the corresponding requests to the internal resources on their behalf; internal hosts therefore see connections from the IVE, not from the remote workstation. This adds a layer of protection to institutional resources that classic VPN deployments do not provide. All a user needs to reach the IVE is a Web browser that supports SSL, a Sun Java runtime and an Internet connection.

Juniper Networks Host Checker and UCD Cyber Security Compliance
The UC Davis Cyber Security program dictates that all workstations connecting to the University electronic communications network meet predefined security standards. To ensure that remote clients meet this mandate, the Juniper SSL VPN was chosen for its platform-agnostic workstation auditing capability, known as Host Checker.
Architecture Within Host Checker
The Juniper Networks Host Checker architecture is based on the Trusted Network Connect (TNC) open architecture for the acquisition and verification of client OS security metrics. The IVE uses client-side agents, Integrity Measurement Collectors (IMCs), to interrogate the workstation and obtain antivirus, antispyware, patch management, firewall and other configuration and security information. On the server side, the IVE contains Integrity Measurement Verifiers (IMVs), which evaluate the collected measurements against the configured policy before a role is assigned. One caveat to keep in mind: the measurements originate from software running on the endpoint, so a compromised endpoint can misreport them. Host Checker enforces endpoint hygiene; it is not hardware-rooted attestation.
Note: Trusted Network Connect (TNC) is a subgroup of the Trusted Computing Group. For more information about IMVs and IMCs, see www.trustedcomputinggroup.org.
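To make the collector/verifier split concrete, here is an added example of a TNC-style posture check in the spirit of Host Checker. It is illustrative code written for this page, not Juniper's or UC Davis's; the report fields, thresholds, the fixed clock and the role names ("Users", "Remediation") are all assumptions. The verifier fails closed, rejects stale reports, and treats a malformed report as non-compliant.

```python
"""Added example: a TNC-style posture check (collector report -> verifier verdict).
Illustrative code, not Juniper's; report fields, thresholds and roles are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List

NOW = datetime(2008, 1, 15, 12, 0, tzinfo=timezone.utc)   # fixed clock for the sample


def sample_report(**overrides) -> dict:
    """Constructed report as a client-side collector (IMC) might send it."""
    report = {
        "reported_at": NOW,
        "antivirus": {"installed": True, "realtime": True,
                      "definitions_updated": NOW - timedelta(days=2)},
        "firewall": {"enabled": True},
        "patch": {"missing_critical": 0},
    }
    report.update(overrides)
    return report


@dataclass
class Policy:
    """Thresholds an administrator would set; values here are assumptions."""
    max_definition_age: timedelta = timedelta(days=7)
    max_report_age: timedelta = timedelta(minutes=5)
    require_firewall: bool = True
    max_missing_critical: int = 0


@dataclass
class Verdict:
    role: str
    failures: List[str] = field(default_factory=list)


def verify(report: dict, policy: Policy, now: datetime = NOW) -> Verdict:
    """Server-side verifier (the IMV's job): check every measurement against
    policy and fail closed. What this cannot do: the measurements come from
    software on the endpoint, so a compromised endpoint can fabricate them.
    This gates hygiene; it is not hardware-rooted attestation."""
    failures = []
    try:
        if now - report["reported_at"] > policy.max_report_age:
            failures.append("stale report")          # replayed or delayed report
        av = report["antivirus"]
        if not (av["installed"] and av["realtime"]):
            failures.append("antivirus not running")
        elif now - av["definitions_updated"] > policy.max_definition_age:
            failures.append("antivirus definitions too old")
        if policy.require_firewall and not report["firewall"]["enabled"]:
            failures.append("host firewall disabled")
        if report["patch"]["missing_critical"] > policy.max_missing_critical:
            failures.append("missing critical patches")
    except (KeyError, TypeError) as exc:
        failures.append(f"malformed report: {exc!r}")   # missing field => non-compliant
    return Verdict("Users" if not failures else "Remediation", failures)


if __name__ == "__main__":
    for name, rep in {
        "compliant": sample_report(),
        "no firewall": sample_report(firewall={"enabled": False}),
        "replayed": sample_report(reported_at=NOW - timedelta(hours=1)),
    }.items():
        print(name, verify(rep, Policy()))
```

A compliant report maps to the normal user role; anything else lands in a remediation role that would only be given access to update servers. The "stale report" check is the cheap defence against a client replaying an old good report.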

Remote Access Features
Secure Application Manager, Windows version (WSAM): A Windows-based client that secures traffic to individual client/server applications and application servers.
Secure Application Manager, Java version (JSAM): Supports static TCP port client/server applications, including enhanced support for Microsoft MAPI, Lotus Notes and Citrix NFuse. JSAM also provides NetBIOS support, which lets users map drives to specified protected resources.
File rewriting: Gives remote users access to NFS- and SMB-based file server shares. Mount points appear as links on the user's home page, and all file system operations are performed with the security credentials of the authenticated user, so existing file system ACLs apply without modification.
Web rewriting: The VPN intermediates traffic to Web-based applications and pages by rewriting their links so that they point back through the IVE, giving remote users access to institutional Web resources that are otherwise not reachable from off-network clients.
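The Web rewriting feature is easiest to understand from a small rewriter, so here is an added example written for this page; it is not the IVE's own rewriting engine. The gateway name, the /proxy/<scheme>/<host>/<path> URL layout and the allowed-host list are assumptions. The security point it carries: a rewriter that will proxy any host is an open proxy (SSRF) into the internal network, so the allowed-host check has to run on every incoming request, not only when links are rewritten.

```python
"""Added example: link rewriting of the kind a Web-rewriting SSL VPN performs.
Illustrative code, not the IVE's; gateway name, URL layout and host list are assumptions."""
import re
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://vpn.example.edu"                     # assumed gateway name

# Hosts this user's role may reach through the rewriter. Without such a
# list the rewriter is an open proxy (SSRF) into the internal network.
ALLOWED_HOSTS = {"intranet.example.edu", "library.example.edu"}


def rewrite_url(url: str, base: str) -> str:
    """Turn one href/src into a URL the browser will fetch via the gateway."""
    parts = urlsplit(urljoin(base, url))        # resolve relative links first
    if parts.scheme not in ("http", "https"):
        return url                               # mailto:, javascript: etc. untouched
    if parts.hostname not in ALLOWED_HOSTS:
        return "#blocked"                        # refuse; do not proxy arbitrary hosts
    query = f"?{parts.query}" if parts.query else ""
    return f"{GATEWAY}/proxy/{parts.scheme}/{parts.hostname}{parts.path or '/'}{query}"


_ATTR = re.compile(r'\b(href|src)=(["\'])([^"\']*)\2')


def rewrite_page(html: str, base: str) -> str:
    """Rewrite every href/src attribute in a page. A production rewriter also
    has to handle CSS url(), JavaScript-built URLs, forms and redirects."""
    return _ATTR.sub(lambda m: f"{m[1]}={m[2]}{rewrite_url(m[3], base)}{m[2]}", html)


_PROXIED = re.compile(r"/proxy/(https?)/([A-Za-z0-9.-]+)(/.*)?")


def resolve_proxied(gateway_path: str) -> str:
    """Map an incoming /proxy/... request back to the internal URL. The
    allow-list is checked again here: users can type any gateway URL, so
    filtering at rewrite time alone is not enforcement."""
    m = _PROXIED.fullmatch(gateway_path)
    if not m:
        raise ValueError("not a proxied path")
    scheme, host, rest = m[1], m[2].lower(), m[3] or "/"
    if host not in ALLOWED_HOSTS:
        raise PermissionError(f"{host} is not an allowed resource")
    return f"{scheme}://{host}{rest}"


# Constructed sample page, as if served from intranet.example.edu/home/.
SAMPLE_PAGE = """<a href="/catalog/search?q=vpn">Catalog</a>
<a href="https://library.example.edu/hours">Hours</a>
<img src="http://tracker.example.com/pixel.gif">
<a href="mailto:help@example.edu">Help</a>"""
SAMPLE_BASE = "https://intranet.example.edu/home/"

if __name__ == "__main__":
    print(rewrite_page(SAMPLE_PAGE, SAMPLE_BASE))
```

Relative links are resolved against the page's own URL before rewriting, the off-campus tracker image is neutralised, and mailto: is left alone. In a real deployment the allowed hosts would come from the user's role policy rather than a constant.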

Remote Access Features: Telnet/SSH
The Telnet/SSH option lets users connect to internal servers through a Web-based terminal emulator, either with Telnet or over an encrypted Secure Shell (SSH) session. Between the browser and the IVE the session is always carried over SSL; with Telnet, the leg from the IVE to the internal server is in the clear, so SSH is preferable wherever the host supports it. This feature supports the following:
Network Protocols: Telnet and SSH.
Terminal Settings: VT100, VT320 and derivatives, including screen buffers.
Security: Web/client security using SSL, plus host security (such as SSH) if desired.
Terminal Services: Terminal emulation sessions on a Windows terminal server, Citrix NFuse server or Citrix MetaFrame server, providing a more secure RDP session by intermediating the RDP traffic through the IVE SSL tunnel.

Remote Access Features: Secure Meeting and Network Connect
Secure Meeting: The IVE Secure Meeting application lets users securely schedule and hold online meetings between institutional and non-institutional users. In a meeting, users can share their desktops and applications with one another over a secure connection, so everyone sees the shared data on screen at the same time. Attendees can also collaborate by remote-controlling one another's desktops and by text chat in a separate application window that does not interfere with the presentation.
Network Connect: Provides secure, SSL-based network-level remote access to all enterprise application resources through the IVE over port 443. When Network Connect runs, the client machine effectively becomes a node on the remote (institutional) LAN; with split tunneling disabled it is also cut off from its local LAN, and the IVE appliance serves as the DNS gateway for the client and knows nothing about the user's local LAN. This type of VPN is analogous to traditional VPN services such as PPTP and IPsec tunnels and is what most people picture when they think of a VPN.

Resource-based Routing: Split Tunnel VPN
Split Tunnel: When split tunneling is used, Network Connect installs routes on the client for the institutional prefixes only, so that just the traffic destined for institutional networks traverses the VPN tunnel. Traffic for any other destination does not enter the tunnel.
Single Tunnel: A single-tunnel VPN replaces the client's default route so that ALL traffic traverses the VPN tunnel regardless of destination.
Split Tunnel Benefits: By sending only traffic destined for specific departmental network resources over the tunnel, Network Connect uses the institutional network infrastructure more efficiently and keeps the client's Internet-bound traffic off the institutional network. The trade-off is that the client remains reachable from its local network while the tunnel is up, which is why Host Checker and the resource ACLs matter even more in split-tunnel mode.

Split Tunnel VPN Graphical Representation
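A split tunnel is nothing more than the set of routes pushed to the client, and the graphical representation above can be reduced to the route decisions a client makes. The example below is added for this page and is not Network Connect's code; the institutional prefixes (10.0.0.0/8, 169.237.0.0/16) and the two home LANs are constructed. It also shows the failure mode administrators run into with broad private prefixes: a home router on 10.0.0.0/24 shadows the institutional hosts in that same /24, because the client's connected route is more specific than the pushed /8.

```python
"""Added example: split tunnel versus single tunnel as client route decisions.
Illustrative code, not Network Connect's; prefixes and home LANs are constructed."""
from ipaddress import ip_address, ip_network
from typing import List

# Constructed institutional prefixes the administrator wants in the tunnel.
INSTITUTIONAL = [ip_network("10.0.0.0/8"), ip_network("169.237.0.0/16")]

HOME_LAN = ip_network("192.168.1.0/24")       # constructed typical home network
COLLIDING_LAN = ip_network("10.0.0.0/24")     # constructed home network that collides


def tunnel_routes(prefixes, split_tunnel: bool = True) -> List:
    """Routes pushed to the client. Single tunnel is just a default route
    (0.0.0.0/0) through the tunnel; split tunnel pushes only the prefixes."""
    return list(prefixes) if split_tunnel else [ip_network("0.0.0.0/0")]


def next_hop(dst: str, routes, local_lan) -> str:
    """Longest-prefix match between the pushed tunnel routes and the client's
    own connected route. Returns 'tunnel' or 'local'. Ties favour the tunnel."""
    d = ip_address(dst)
    candidates = [(r.prefixlen, "tunnel") for r in routes if d in r]
    if d in local_lan:
        candidates.append((local_lan.prefixlen, "local"))
    if not candidates:
        return "local"                       # nothing matched: client's own default route
    return max(candidates)[1]


def overlapping_routes(routes, local_lan) -> List[str]:
    """Tunnel routes that overlap the client's LAN. When the institution uses
    10.0.0.0/8 and the home router hands out 10.0.0.0/24, the connected /24
    wins, so institutional hosts in that /24 are unreachable through the tunnel."""
    return [str(r) for r in routes if r.overlaps(local_lan)]


if __name__ == "__main__":
    split, single = tunnel_routes(INSTITUTIONAL), tunnel_routes(INSTITUTIONAL, False)
    for dst in ("169.237.1.10", "8.8.8.8", "192.168.1.5"):
        print(dst, "split:", next_hop(dst, split, HOME_LAN),
              "single:", next_hop(dst, single, HOME_LAN))
    print("overlap with", COLLIDING_LAN, "->", overlapping_routes(split, COLLIDING_LAN))
```

Note that even in single-tunnel mode the client's own subnet stays reachable, because the connected /24 is more specific than the pushed default route; a full-tunnel policy that must also block local access needs a client firewall rule, not just routes.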

Access Control: Shared or private, who has access to the VPN?
Departments that participate in the SSL VPN service are granted their own Instant Virtual System (IVS) within the SA-6000 cluster. IVSs are completely independent of one another, with separate VPN-DMZ VLANs and external-facing interfaces for client access. Within the IVS, department IT staff construct their own ACLs to provision the amount and type of access granted to users, based on a wide range of available criteria (authentication realm, home department from LDAP, IT-staff-defined groups, and more). Because the IVSs are independent, the subscribing department's IT administrators are given complete control of their IVS and can tailor it to their specific needs.
What authentication mechanisms are available to the VPN?
Campus Kerberos: IET CR supports the campus Kerberos directory for authentication, via the campus RADIUS server.
Internal User Database: each IVS contains its own directory store that can be used for authentication.
Microsoft Active Directory: supports NTLMv1, NTLMv2 and Microsoft Kerberos. NTLMv1 is the weakest of the three and should be avoided where Kerberos or NTLMv2 can be used.
RADIUS: hosted on OSS platforms or Microsoft Windows.
Network Information Service (NIS/YP): for *nix-based account authentication.
LDAP: supports LDAP and LDAPS; use LDAPS so that credentials are not sent to the directory in the clear.

Access Control: Delimiting access along organizational lines
Departments within an academic institution can be vast in their complexity, and IT resources must be flexible enough to meet the ever-changing needs of the department. To meet this charge the SSL VPN has a very powerful ACL engine, allowing department administrators to establish application and network profiles for end users along organizational lines.
Admin Roles: Consist of ACLs over the different admin functions of the box. There are basically two: Admin and ReadOnlyAdmin. Admin has full control and can make changes within the IVE; ReadOnlyAdmin can view every area of the admin application but cannot make changes. This lets senior support staff grant junior support staff access to the administration application for diagnostics without the ability to make possibly harmful changes to the IVE.
User Roles: Consist of ACLs and profiles for the various VPN applications within the IVE. Through proper use of roles a department can delineate access to resources across disparate networks based on department-defined criteria.
Logging and Auditing: The IVE contains extensive diagnostic and logging features that let department support staff resolve problems with authentication, role/policy evaluation and client-side VPN applications. Client-side logs capture entire sessions for every application available within the IVS, giving administrators the data they need to diagnose VPN-related problems. Where a device problem is discovered, these logs can be sent to Juniper support to obtain specific patches. The IVS allows complete auditing and recording of client sessions, providing accountability and forensic data when sensitive data is involved.
Let's look at an imaginary department with a couple of subsidiary units.

Ex. Access Control
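The imaginary department, worked through in code. This is an added example for this page, not the IVE's policy engine: the department ("Law") and its two sub-units ("Clinic", "Admissions"), the LDAP attributes consulted, the addresses and ports, and the merge rule (access is granted if any of a user's roles allows it) are all assumptions. It shows the three pieces the slides describe: role mapping from realm plus LDAP attributes, per-role resource policies evaluated top-down with first match winning and default deny, and the Admin versus ReadOnlyAdmin split.

```python
"""Added example: role mapping and resource policies for an imaginary department.
Illustrative code, not the IVE's engine; names, addresses and merge rule are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    network: str           # CIDR the rule covers
    ports: Tuple = ("*",)  # permitted TCP ports, or ("*",) for any


# User roles: each role's policy list is evaluated top-down, first match wins.
ROLE_POLICIES: Dict[str, List[Rule]] = {
    "Law-Staff":      [Rule("allow", "10.10.0.0/24", (445, 3389)),
                       Rule("deny",  "10.10.0.0/16")],
    "Law-Clinic":     [Rule("allow", "10.10.5.0/24", (443,)),
                       Rule("deny",  "0.0.0.0/0")],
    "Law-Admissions": [Rule("allow", "10.10.7.0/24", (443, 1433)),
                       Rule("deny",  "0.0.0.0/0")],
}

# Role mapping: (authentication realm, predicate over LDAP attributes, role).
ROLE_MAPPING: List[Tuple[str, Callable[[dict], bool], str]] = [
    ("campus", lambda u: u["homeDepartment"] == "LAW" and "law-it" in u["groups"], "Law-Staff"),
    ("campus", lambda u: u["homeDepartment"] == "LAW" and "clinic" in u["groups"], "Law-Clinic"),
    ("campus", lambda u: u["homeDepartment"] == "LAW" and "admissions" in u["groups"], "Law-Admissions"),
]


def roles_for(user: dict, realm: str) -> List[str]:
    """Every mapping rule whose realm matches and whose predicate holds."""
    return [role for r, pred, role in ROLE_MAPPING if r == realm and pred(user)]


def role_decides(role: str, dst: str, port: int) -> Optional[str]:
    """First matching rule for this role (network AND port), or None."""
    d = ip_address(dst)
    for rule in ROLE_POLICIES[role]:
        if d in ip_network(rule.network) and (rule.ports == ("*",) or port in rule.ports):
            return rule.action
    return None


def permitted(user: dict, realm: str, dst: str, port: int) -> bool:
    """Default deny. Granted if any of the user's roles allows it (assumed
    merge behaviour); a user with no mapped role gets nothing at all."""
    return any(role_decides(role, dst, port) == "allow" for role in roles_for(user, realm))


# Admin roles: ReadOnlyAdmin can look at everything but change nothing.
ADMIN_ROLES = {"Admin": {"view", "change"}, "ReadOnlyAdmin": {"view"}}


def can_admin(admin_role: str, action: str) -> bool:
    return action in ADMIN_ROLES.get(admin_role, set())


# Constructed sample users with the attributes the mapping rules consult.
USERS = {
    "alice": {"homeDepartment": "LAW",  "groups": {"law-it"}},
    "bob":   {"homeDepartment": "LAW",  "groups": {"clinic"}},
    "carol": {"homeDepartment": "ENGR", "groups": {"clinic"}},     # wrong department
    "dave":  {"homeDepartment": "LAW",  "groups": {"clinic", "admissions"}},
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, roles_for(user, "campus"),
              "rdp->10.10.0.20:", permitted(user, "campus", "10.10.0.20", 3389),
              "clinic web:", permitted(user, "campus", "10.10.5.3", 443))
```

Carol is in the "clinic" group but her home department is not LAW, so no role maps and she is denied everywhere; that is the default-deny behaviour the ACL engine should have. Dave holds two roles and gets the union of what they allow, which is why a deny in one role's policy does not protect a resource another role allows.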

Test Drive
Now that we have explored the major aspects of the SSL VPN on paper, let's take it for a test drive and see how it works in practice. Please feel free to stop me at any point if you have questions or would like an aspect explained in further detail. I would also like to take this moment to thank you all for allowing me the opportunity to present the SSL VPN service to you today. Thank you!