Exploring Juniper Networks Secure Access Computer Science Essay

Published: November 9, 2015 Words: 4178

This Independent Study Research Report describes the features and steps to configure the Juniper Networks Secure Access 4000. The Juniper Instant Virtual Extranet (IVE) serves as the underlying operating system for all Junipers' SSL VPN appliances. The configuration steps described in this Independent Study utilize a Juniper Secure Access model 4000 (Juniper SA-4000). However, these configuration steps can be applied to other Juniper Secure Access models using the same IVE software.

Juniper Networks Secure Access is essentially an SSL VPN appliance capable of terminating SSL-encrypted sessions from remote connections. One of the fundamental benefits of SSL VPNs is the ability to use a Web browser to securely access internal corporate resources of a private enterprise network, taking advantage of the SSL functionality built into standard Web browsers. Because they require no client-side software other than a Web browser, SSL VPNs offer great convenience and promise a much lower Total Cost of Ownership than IPSec VPNs. At the same time, this technology presents new security challenges. Secure access to the enterprise network from a Web browser accommodates most users' application needs that operate at the application layer, i.e., e-mail, Web browsing and file sharing. However, not all applications operate at the application layer; some require direct network-layer access.

Keywords:

Secure Access, SSL VPN, Instant Virtual Extranet (IVE), Juniper SA4000.

Introduction:

The Secure Access 4000 SSL VPN appliance meets the strict security standards of independent Internet security auditing agencies. It provides a hardened security gateway that uses the standards-based Secure Sockets Layer (SSL) protocol to provide remote access via a Web browser. There are no hardware or software clients to deploy, configure or install; no changes are required on internal servers; there are no Network Address Translation (NAT) or firewall traversal issues to manage, and virtually no ongoing maintenance. The combination of these features adds up to a solution with unbeatable security, a radically lower total cost of ownership compared to traditional VPNs, and a highly scalable implementation.

Access Privilege Management Capabilities:

This appliance provides dynamic access privilege management capabilities without infrastructure changes, custom development or software deployment/maintenance.

Pre-authentication Assessment: Host Checker/Cache Cleaner results, endpoint security scan results, source IP, browser type and digital certificates are examined before login is allowed.

Dynamic Authentication Policy: A dynamic authentication policy is established for each unique session.

Dynamic Role Mapping: Combines network, device and session attributes to determine which of three different types of access is allowed.

Resource Authorization: Provides extremely granular access control to the URL, server or file level.

Granular Auditing and Logging: For security purposes as well as capacity planning, logging can be configured at the per-user, per-resource, and per-event level.

Network Connect: Provides full network-layer connectivity through an automatically provisioned, cross-platform client download that requires no human intervention. Users need only a Web browser.

End-to-End Layered Security:

Complete end-to-end layered security, including endpoint client, device, data and server layered security controls are available. These include:

Host Checker: Client computers can be checked both prior to and during a session to verify an acceptable security posture, for example by requiring that endpoint security applications (firewall, antivirus, etc.) are installed and running. Custom-built checks are also supported, including verifying that ports are open or closed, checking for processes and files, verifying registry settings, machine certificates, and more.

Host Checker Application Programming Interface (API): Lets an endpoint trust policy be applied to managed PCs that have personal firewall, antivirus, or other installed security clients, and quarantines non-compliant endpoints.

Trusted Network Connect (TNC) Support on Host Checker: Allows interoperability with diverse endpoint security solutions like anti-virus, patch management, compliance management solutions.

Policy-based Enforcement: Allows the enterprise to establish trust in hosts that are not API-compliant without custom script implementations, and without locking out external users such as customers or partners who run other security clients.

Security Services Employ Kernel-level Packet Filtering and Safe Routing: Undesirable traffic is dropped before it is processed by the TCP stack.

Secure Virtual Workspace: A secure and separate environment for remote sessions that encrypts all data and controls I/O access (printers, drives).

Cache Cleaner: Erases all proxy downloads and temporary files created during the session at logout.

Data Trap and Cache Controls: Content is rendered in a non-cacheable format.

Integrated Malware Protection: Users and devices are protected from key loggers, Trojans, and remote control applications by pre-installed checks.

Coordinated Threat Control: Allows Secure Access SSL VPN and IDP devices to bind the session identity of the SSL VPN with the threat-detection capabilities of IDP, taking automatic action on user-initiated attacks.

High Availability:

Stateful Peering: Units that are part of a cluster pair synchronize system state, user profile state, and session state data among the appliances in the cluster.

Clustering: Cluster pairs multiply aggregate throughput to handle unexpected bursts of traffic as well as resource-intensive application use.

Streamlined Management and Administration:

Central Manager is a robust product with an intuitive Web-based UI designed to simplify the tasks of updating, monitoring, and configuring Secure Access appliances, whether on a single device, in a local cluster or across a global cluster deployment.

Central Manager: Intuitive Web-based user interface (UI) for configuring, updating, and monitoring SA appliances within a single Device/cluster or across a global cluster deployment.

Password Management Integration: Standards-based interface for extensive integration with password policies in directory stores.

Web-based Single Sign-On (SSO), BASIC Auth and NTLM: Allows users to access other applications or resources that are protected by another access management system without re-entering login credentials.

Web-based SSO (Forms-based, Header Variable-based, SAML-based): Ability to pass user name, credentials, and other customer-defined attributes to the authentication forms of other products and as header variables.

Role-based Delegation: Granular role-based delegation lessens IT bottlenecks by allowing administrators to delegate control of diverse internal and external user populations to the appropriate parties.

Role Mapping and Resource Authorization Policies: Policies can be reused and copied.

Lower Total Cost of Ownership:

SSL: The secure connection between the remote user and the internal resource is a Web connection at the application layer.

Industry-Standard Protocols and Security Methods: No installation or deployment of proprietary protocols is required.

Extensive Directory Integration and Broad Interoperability: Existing directories can be leveraged for authentication and authorization.

Integration with Strong Identity, Authentication and Access Management Platforms: Ability to support Security Assertion Markup Language (SAML), SecurID, and public key infrastructure (PKI)/digital certificates.

Cross-platform Support: Resources can be accessed by any platform such as Linux, Mac, Windows, or mobile devices.

Multiple Hostname Support: A single appliance can host different virtual extranet Web sites.

Customizable User Interface: Customized sign-in pages can be created.

Realms, Roles, and Resources

Realms, roles, and resources go hand in hand and together establish the core of the IVE's administrative experience. (Fig. 1)

Figure 1 Combined Relationship between Realms, Roles, and Resources

7.1 Realms simply define the authentication, authorization, and auditing services for a specific group of users, along with the ability to map those users to each of their roles. Users are only allowed to log in under the specific conditions that have been allowed by the administrator.

7.2 Roles are what users ultimately belong to. Just like realms, individual roles may be restricted from view, depending on the various policies implemented by the administrator.

7.3 Resources are anything on your network that remote users need to access. An administrator will decide what should or should not be allowed for each of the users, using realms and roles as the gatekeepers to the individual resources. The various resources that might be found within any role can include:

Web

Hosted Java Applet

Secure Application Manager (SAM)

Terminal Services

Secure Meeting

Network Connect
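The realm, role and resource chain above can be made concrete with a small model: a realm names its authentication server and maps user attributes to roles, and ordered resource policies then allow or deny each role's access to Web URLs and to Network Connect hosts and ports (Layer 3 host or subnet with wildcards, Layer 4 port). This is an added example written for this report, not Juniper code; the rule syntax, the attribute names (ldap_group, host_check_passed) and the sample realm, users and policies are all constructed, and the appliance's real policy language differs.

```python
"""Toy model of the IVE decision chain: realm -> role mapping -> resource policy.

Added illustration, not Juniper code.  Rule syntax, attribute names and the
sample realm/users/policies are constructed for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
import ipaddress


@dataclass
class Realm:
    """A realm names the authentication server and maps users to roles."""
    name: str
    auth_server: str                                 # e.g. "ldap-corp" or "ace-tokens"
    role_rules: list = field(default_factory=list)   # (attribute, value, roles granted)
    require_host_check: bool = False                 # realm-level Host Checker gate

    def map_roles(self, user):
        """Roles granted to this user; an empty set means the realm refuses login."""
        if self.require_host_check and not user.get("host_check_passed"):
            return set()
        roles = set()
        for attr, wanted, granted in self.role_rules:
            if user.get(attr) == wanted:
                roles.update(granted)
        return roles


@dataclass
class ResourcePolicy:
    """One ordered allow/deny rule.  resource is 'web:<url glob>' or
    'nc:<hostname glob | CIDR>:<port | *>' (Layer 3 host plus Layer 4 port)."""
    roles: set
    resource: str
    action: str  # "allow" or "deny"


def _nc_matches(pattern, host, port):
    host_pat, port_pat = pattern.rsplit(":", 1)   # IPv4 addresses / hostnames only
    if port_pat != "*" and str(port) != port_pat:
        return False
    if "/" in host_pat:                           # CIDR form
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(host_pat)
        except ValueError:
            return False
    return fnmatch(host, host_pat)                # hostname with wildcards


def authorize(policies, roles, kind, target, port=None):
    """First matching policy wins; no match is a deny, the safe default."""
    for pol in policies:
        if not (pol.roles & roles):
            continue
        ptype, _, pat = pol.resource.partition(":")
        if ptype != kind:
            continue
        if kind == "web" and fnmatch(target, pat):
            return pol.action == "allow"
        if kind == "nc" and _nc_matches(pat, target, port):
            return pol.action == "allow"
    return False


# Constructed sample configuration (not a real deployment).
EMPLOYEE_REALM = Realm(
    name="employees", auth_server="ldap-corp", require_host_check=True,
    role_rules=[
        ("ldap_group", "engineering", {"Employee", "Engineering"}),
        ("ldap_group", "finance", {"Employee", "Finance"}),
        ("ldap_group", "hr", {"Employee", "HR"}),
    ],
)

POLICIES = [
    # Web resources: HR pages only for HR; every employee gets the rest of the intranet.
    ResourcePolicy({"HR"}, "web:https://intranet.example.com/hr/*", "allow"),
    ResourcePolicy({"Employee"}, "web:https://intranet.example.com/hr/*", "deny"),
    ResourcePolicy({"Employee"}, "web:https://intranet.example.com/*", "allow"),
    # Network Connect resources: SSH into the engineering lab subnet, SQL to finance DB hosts.
    ResourcePolicy({"Engineering"}, "nc:10.10.20.0/24:22", "allow"),
    ResourcePolicy({"Finance"}, "nc:db*.example.com:1433", "allow"),
]


def check(user, kind, target, port=None, realm=EMPLOYEE_REALM, policies=POLICIES):
    """Run the full chain for one request; True if the access is allowed."""
    return authorize(policies, realm.map_roles(user), kind, target, port)


if __name__ == "__main__":
    eng = {"name": "alice", "ldap_group": "engineering", "host_check_passed": True}
    print(check(eng, "web", "https://intranet.example.com/home"))    # True
    print(check(eng, "web", "https://intranet.example.com/hr/pay"))  # False
    print(check(eng, "nc", "10.10.20.5", 22))                        # True
    print(check(eng, "nc", "10.10.20.5", 3389))                      # False
```

Two design points carry over to the real appliance: policies are evaluated in order with the first match winning, so a deny for a broad role must sit above the allow it is meant to narrow, and a failed realm-level Host Checker gate yields no roles at all, so every resource is denied before any policy is consulted.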

Authentication Servers

Many network administrators are familiar with the concept of AAA: Authentication, Authorization, and Accounting. Authentication identifies the user, authorization grants or denies that user access to a resource, and accounting records the access (or attempted access). The IVE integrates seamlessly into many existing AAA schemes, and includes some of its own as well. These include local authentication, LDAP, NIS, ACE, RADIUS, Active Directory/NT, anonymous, SiteMinder, certificate, and SAML authentication. The IVE also allows for dual-factor authentication (the method of using two different ways of authenticating a user). Users are authenticated through three primary methods:

• A password or PIN.

• A hardware token.

• A fingerprint or other biometric.

Dual-factor authentication must include two of these three methods. The IVE supports ACE and RADIUS server authentication, which can fall under the "hardware token" category. (ACE authentication relies on a hardware token, and many token-based authentication vendors use a RADIUS server on the backend.) The IVE does not support native biometric authentication.

Local Authentication: Local authentication uses a local database of usernames and passwords stored on the IVE.

LDAP: LDAP stands for Lightweight Directory Access Protocol. Many authentication servers use LDAP as their protocol for authentication.

NIS: NIS authentication is used to authenticate users against a Unix NIS server.

ACE: ACE authentication is used to integrate with an RSA ACE server. An ACE server allows users to authenticate using a hardware or software token, which uses a one-time password.

RADIUS: The IVE can use a RADIUS server to authenticate users and to perform role mapping based on RADIUS attributes; the IVE must be configured as a client on the RADIUS server.

Active Directory/Windows NT Server: Active Directory/Windows NT native authentication is supported on the IVE using NTLM (v1 or v2) or Kerberos-based authentication.

Anonymous: The anonymous server allows users to access the IVE and its resources without ever needing to provide a username and password.

SiteMinder: The IVE can integrate with a SiteMinder policy server.

Certificate: The Certificate Server allows the IVE to authenticate users based on client-side certificates.

SAML: Security Assertion Markup Language (SAML) authentication allows the IVE to pass user and session state information to a SAML server/environment and keeps users from having to enter their credentials multiple times.

Secure Application Manager

Secure Application Manager (SAM) is an optional feature of the Juniper SSL concentrator that performs intermediation of traffic from client/server applications. Several popular client/server applications benefit from built-in support on the IVE, including Lotus Notes and Microsoft Exchange. The IVE is capable of automatically provisioning one of several SAM clients, so no initial software on the client is necessary. Both Java and ActiveX versions of SAM are available to run on the most commonly deployed operating systems: Windows, Mac, and Linux. There are many features of SAM that make it an extremely useful tool for network engineers, including:

• Supports both Microsoft Windows and non-Windows systems. The Java version of SAM works on Windows, Mac, and Linux. A single method to provide access across multiple computer types reduces complexity and makes support easier.

• It can be either pre-installed on a corporate computer or dynamically delivered to connecting users, thus lowering the system's total cost of ownership (TCO).

• A slew of security features make SAM a great choice for secure remote access. Socket access can be carefully controlled to allow only the minimum traffic necessary to support the application.

• It provides a rich set of logging and troubleshooting features. This gives engineers and support technicians the tools they need to identify and solve problems quickly.

• It does not require any additional client IP addresses because it performs Network Address Translation (NAT) on all connections through the IVE, rather than assigning the client an IP address on the internal network.

9.1 SAM Versions

WSAM (Windows version)

JSAM (Java version)

Network Connect

• Network Connect clients exist for Windows, Mac OS X, and Linux. The software can be automatically installed the first time a user attempts to log on and automatically updated each time the IVE software is updated, essentially eliminating the need for a corporate software distribution system to maintain the client.

• The Network Connect software first tries to build a tunnel with IPSec (which is faster) and automatically falls back to SSL if IPSec does not succeed. This gives the connecting user the best chance of successfully creating the tunnel.

• Access control is clearly one of the most powerful features of the IVE. With Network Connect, users can be limited at both Layer 3 (hostname or IP address/subnet, with wildcards) and Layer 4 (ports/protocols). In addition, tight integration with Juniper's Host Checker software allows access to be limited based on the posture of the connecting computer. Access control on many popular IPSec concentrators was notoriously difficult to configure, so it was rarely implemented.

• Unlike traditional IPSec VPNs, Network Connect multicast mode supports streams of up to 2 Mbps over a tunnel. The IVE functions as an Internet Group Management Protocol (IGMP) version 3 proxy, issuing multicast joins and leaves on behalf of the Network Connect client.

For organizations looking to replace their existing IPSec VPN concentrator while keeping the same base functionality, Network Connect is the right choice. Network Connect builds an encrypted IP tunnel like its predecessor, but the ability to use SSL solves many of the problems that afflict IPSec-only concentrators. Administrators no longer need to build, maintain (and secure) a separate access method for Mac users in the Marketing Department and application developers running Linux. Network Connect users benefit from many features unavailable in traditional concentrators, including proxy server support, which makes connecting from many public areas possible for the first time. Using SSL means that VPN access works from inside most networks without firewall modification.

Endpoint Security

Network security has always been somewhat of a moving target for security administrators. As direct access to resources (both server and workstation) has become less available to attackers due to firewalls and network address translation (NAT), attackers have shifted their tactics to subtler methods of compromise, such as worms, Trojans, spyware, and other browser and operating system exploits, to gain control of internal systems through trusted assets. Features like Host Checker help to ensure compliance on Windows, Macintosh, and Linux machines. If a user logs into a machine, browses for some content on your company intranet site, and then leaves the machine, he may leave sensitive information behind. The IVE implements two features to help protect against this. One is Cache Cleaner, which removes files remaining on the user's computer, and the other is Secure Virtual Workspace, which creates a virtual environment where everything is contained within the desktop.

11.1 Host Checker functions on Windows, Macintosh, and Linux machines and provides compliance checking abilities on a remote machine. The Windows module comes with predefined rules which can check for a wide array of antivirus, antispyware, antimalware, firewall, and operating system-checking packages. It can additionally check for other machine characteristics, such as running processes, files, Registry settings, and ports running on a machine (as well as perform other checks). It can be integrated at the realm, role mapping, role, and resource policy levels to provide exceptional granularity for controlling how users interact with the product.
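The rule types listed above (security product status, running processes, files, registry settings, open ports) can be shown as a small compliance evaluator that takes an endpoint's posture report and returns a pass/fail plus the reasons a user would see on the pre-authentication page. This is an added example for this report, not Juniper code: the posture report layout, the rule kinds, the registry key and every sample value are constructed, and a real Host Checker collects this data with its own client and vendor-specific predefined rules.

```python
"""Evaluate a Host Checker style compliance policy against an endpoint posture.

Added illustration, not Juniper code.  Posture format, rule kinds and all
sample values (including the registry key) are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    kind: str              # "process", "port_closed", "file", "registry", "product"
    target: str            # process name, port number, path, registry value, or product category
    expect: object = True  # required value (registry) or required status (product)


def _check(rule, posture):
    """One rule kind -> one predicate over the posture report."""
    if rule.kind == "process":        # required endpoint agent must be running
        return rule.target in posture.get("processes", [])
    if rule.kind == "port_closed":    # no listener allowed on a forbidden port
        return int(rule.target) not in posture.get("listening_ports", [])
    if rule.kind == "file":           # a required file must exist on the host
        return rule.target in posture.get("files", [])
    if rule.kind == "registry":       # registry value must equal the expected value
        return posture.get("registry", {}).get(rule.target) == rule.expect
    if rule.kind == "product":        # antivirus / firewall category reported as enabled
        return posture.get("products", {}).get(rule.target) == rule.expect
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(policy, posture):
    """Return (passed, failed_rules).  Every rule must hold for a pass."""
    failed = [r for r in policy if not _check(r, posture)]
    return (not failed), failed


def remediation_messages(failed):
    """Human-readable reasons to show the user instead of a bare 'access denied'."""
    wording = {
        "process": "required process {t} is not running",
        "port_closed": "port {t} must not be listening",
        "file": "required file {t} is missing",
        "registry": "registry value {t} is not set to the required value",
        "product": "{t} is not enabled",
    }
    return [wording[r.kind].format(t=r.target) for r in failed]


# Constructed policy for a managed corporate laptop.
CORP_POLICY = [
    Rule("product", "antivirus", "enabled"),
    Rule("product", "firewall", "enabled"),
    Rule("process", "corp-agent.exe"),
    Rule("port_closed", "23"),  # a telnet listener is not tolerated on a managed PC
    Rule("registry", r"HKLM\SOFTWARE\Example\Patched", "2015-10"),  # constructed key
]

# Constructed posture reports, as a Host Checker client might gather them.
COMPLIANT = {
    "processes": ["corp-agent.exe", "explorer.exe"],
    "listening_ports": [135, 445],
    "files": [],
    "registry": {r"HKLM\SOFTWARE\Example\Patched": "2015-10"},
    "products": {"antivirus": "enabled", "firewall": "enabled"},
}
NONCOMPLIANT = {
    "processes": ["explorer.exe"],
    "listening_ports": [23, 445],
    "registry": {},
    "products": {"antivirus": "enabled", "firewall": "disabled"},
}

if __name__ == "__main__":
    for name, posture in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        passed, failed = evaluate(CORP_POLICY, posture)
        print(name, "PASS" if passed else "FAIL", remediation_messages(failed))
```

The evaluator deliberately fails closed: a missing section of the posture report (no "registry" key, no "products" key) counts as a failed rule rather than an unknown, which is the behaviour you want when the check gates realm login or role mapping.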

11.2 Cache Cleaner allows administrators to ensure that a client does not leave data in browser caches and other folders on the machine from which it is connecting. Cache Cleaner runs on Windows, and has the most features when running through Internet Explorer. When using Internet Explorer, Cache Cleaner can remove content from individual domains, or can clear out specific files and folders. When running in browsers other than Internet Explorer (e.g., Firefox), Cache Cleaner can remove files and folders on the client machine to clean up after the client's session.

11.3 Secure Virtual Workspace creates a virtual desktop environment within which all activity can be contained. You can restrict users' ability to access local drives, shared drives, printers, and removable media when they are connected within an SVW session. You can control what applications can run within the SVW session, as well as whether users can switch between user desktops. SVW provides another layer of security to prevent client machines from impacting internal networks by controlling what they can access on their desktop within the connection.

11.4 IVE/IDP Integration: The IVE supports integration with the Juniper IDP sensor, which allows the IDP to send signals to the IVE when it detects malicious traffic passing through the IDP from the IVE. This allows you to not only block the attacks, but also proactively enforce a policy on the user's session. Custom expressions, which are known as events in the sensor policies configuration, are used to define which attacks the IVE will match (functions like an access list). The IVE can perform several different actions on a granular basis.

Web/File/Telnet/SSH

Most of the features in the IVE follow similar conventions with regard to defining bookmarks and resource policies. This allows you to quickly build your skill-set whether you are defining Web rewriting policies or file SSO access.

12.1 Clientless Access Overview: The IVE supports a Web-based user interface for passing user Web traffic to internal network resources. The access does not require any provisioned clients (other than a Web browser) to be installed on the client machine. Access to file shares can be securely transported between a client Web browser and internal file shares. Both Windows (CIFS/SMB) and UNIX (NFS) files are supported.

12.2 Web Access: User roles allow administrators to enable Web browsing along with other user experience-related settings, such as adding bookmarks, allowing active content, and allowing users to browse URLs through the IVE. Web resource policies provide the capability to granularly control what a user can access and through which roles. They apply only to Web traffic passed through the IVE Web interface, and not to Network Connect or SAM (which can have their own policies for such access).

12.3 File Access: File bookmarks enable the administrator to configure access to file shares that can be browsed through the WebUI of the IVE. Resource policies can enable SSO authentication for Windows (CIFS/SMB) shares. The credentials can be static, or dynamic system variables that supply the appropriate attributes of the user trying to access the resource.

12.4 Telnet/SSH Access: Telnet is an application that allows for interactive communication between a client and a server. The IVE supports Telnet and SSH clients through the use of prebuilt Java applets that get opened on the user's machine and then tunnel traffic through the SSL VPN from the client to the IVE.

System

There are many options and controls when deploying an SSL VPN solution; the deployment can include advanced features such as VLANs and client certificates, and it can also be used to provide managed services using the Instant Virtual Systems framework.

13.1 Status: Basic node monitoring, including clustered nodes, uptime, and version information. Central Manager provides graphs and historical XML data. Active Users can be used to see who is on, what their NC IP is, and whether they have set off any IDP triggers.

13.2 Configuration: System licensing occurs here. Administrators should add licenses to the main cluster node, for user concurrency and to enable features, and also add CL licenses to other nodes, which will then join and inherit all the licensed features. Certificates for devices and client authentication can be configured here. CRL and OCSP are supported, and Root CA certificates can be imported for back-end HTTPS trust relationships. Client types can be configured to provide mobile users with a smaller form-factor IVE display.

13.3 Network: Port Management should be fairly straightforward, with the exception of VLANs, which require some additional configuration both on the device and on the switched environment.

Logging

14.1 Log Types and Facilities: IVE contains multiple log files for different types of activity, such as Event, User Access, Admin, NC Packet, Client Upload, and Sensor. Licensing plays an important role regarding what features are available for logging.

The Advanced license provides the Central Management capabilities. You can control which users are logged in through the Active Users log: you can search for user sessions as well as remove them.

14.2 Log Filtering: With the Central Management feature set (Advanced license), you can perform extensive log filtering and save such data queries for future use. Central Manager also allows advanced features, such as altering the log format for log exporting.

14.3 Log Management: In addition to log archiving, individual logs, or all logs, can be saved off the IVE. Logs can be manually cleared from the IVE to free up disk space.

14.4 Syslog Exporting: You can configure the IVE to export syslogs to an external data repository that is purpose-built for retaining logs.
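Once access logs are exported to an external repository, the saved-query style filtering described under Log Filtering can be reproduced in a few lines, and a simple detection can be layered on top: repeated login failures from one source address within a short window, which is the kind of event an administrator would want to alert on from the User Access log. This is an added example for this report, not Juniper code. The log line layout is a constructed key=value format invented for the example; it does not reproduce the appliance's real User Access log format or message identifiers, and the sample lines, node name, users and addresses are all made up.

```python
"""Parse exported access log lines and flag bursts of login failures.

Added illustration, not Juniper code.  The line layout and all sample
lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, node, log facility, event, then key=value fields.
SAMPLE_LOG = """\
2015-11-09T09:58:01Z ive01 USER_ACCESS LOGIN_OK user=alice realm=employees src=203.0.113.10
2015-11-09T10:00:05Z ive01 USER_ACCESS LOGIN_FAIL user=bob realm=employees src=198.51.100.7
2015-11-09T10:00:09Z ive01 USER_ACCESS LOGIN_FAIL user=bob realm=employees src=198.51.100.7
2015-11-09T10:00:14Z ive01 USER_ACCESS LOGIN_FAIL user=bob realm=employees src=198.51.100.7
2015-11-09T10:00:20Z ive01 USER_ACCESS LOGIN_FAIL user=admin realm=employees src=198.51.100.7
2015-11-09T10:03:00Z ive01 USER_ACCESS LOGIN_FAIL user=carol realm=employees src=203.0.113.22
2015-11-09T10:31:00Z ive01 USER_ACCESS LOGIN_FAIL user=carol realm=employees src=203.0.113.22
2015-11-09T10:32:00Z ive01 ADMIN CONFIG_CHANGE user=admin realm=admins src=10.0.0.5 item=role
"""


def parse_line(line):
    """Split one line into a dict; everything after the event is key=value."""
    ts, node, facility, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
           "node": node, "facility": facility, "event": event}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def filter_records(records, **wanted):
    """Saved-query style filter: keep records whose fields equal all given values."""
    return [r for r in records if all(r.get(k) == v for k, v in wanted.items())]


def login_failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Map source IP -> number of LOGIN_FAIL events in the densest `window`,
    for sources that reach `threshold`.  Keyed on the source address rather
    than the user name so one source trying several accounts is still caught.
    """
    by_src = defaultdict(list)
    for r in filter_records(records, facility="USER_ACCESS", event="LOGIN_FAIL"):
        by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        best = 0
        for i in range(len(times)):          # sliding window over sorted timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(filter_records(recs, user="bob")), "records for bob")
    print(login_failure_bursts(recs))   # {'198.51.100.7': 4}
```

Carol's two failures half an hour apart stay below the threshold, which is the point of using a time window rather than a lifetime count: the query separates a user who mistyped a password from a source hammering the login page.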

14.5 SNMP Management: The IVE supports both SNMP polling and traps. You can configure which types of events should trigger traps on the IVE. Various external tools exist to process SNMP traps and to perform SNMP polling to collect statistics. The Central Management feature set allows you to view additional resource graphs on the dashboard, such as CPU and memory statistics, throughput, and users logged in. You can alter the appearance of the graphs, including their colors and time period.

14.6 Reporting: The Clear View Reporter by NWG Technologies is an appliance developed for reporting, alerting, and external log storage (from the IVE) to fill the gap in the reporting functionality available on the IVE.

Enterprise Features

There are a variety of ways a managed solution may be deployed and configured. This ranges from a traditional single-customer deployment (CPE) to a hosted model and a shared hosted model. Depending on how you manage your IT organization or what services you want to provide as an SP, you may employ one or more of these architectures.

15.1 Instant Virtual Systems: Instant Virtual Systems are a management paradigm that extends the remote access management boundary one level up from where it is today. Administration is also something you'll want to consider before designing a virtualized offering.

15.2 VLANs and Source Routing: Virtual LANs, or VLANs, are often used to segment Layer 2 networks by marking the packet with an 802.1q-compliant tag, or VLAN ID. Because the packets for a subscriber can be marked for a specific VLAN, they can easily be identified throughout the system, not just by the IVE.

15.3 Administration Techniques: This is different from customer premises equipment (CPE), in that this managed service is homed on the SP's network, not the customer's. Customer premises equipment design is often employed when your customer does not want to share equipment or wants to manage his or her own equipment.

15.4 Clustering: Note that a load balancer is required for Active/Active clusters, and that the Network Connect ESP transport mode requires specific configurations that may not be available in all load balancers.

15.5 Understanding Cluster Communication and Status: All cluster communication occurs over the internal port. If your clusters can't reach each other over their internal ports, then clustering will not work. High latency and/or high loss connections can cause issues for clusters. Juniper has incorporated several important features in the IVE that can be extremely useful for monitoring everything from user activity to system performance and events. By leveraging the various logging facilities available in, for example, Event, User Access, Admin, and Client logs, you can gain an in-depth understanding of virtually all activity on the IVE device.

Case Study

We create a network in which we can access the internal corporate LAN over the Internet with the help of the Juniper SA-4000. In this scenario we have four zones: Trust, Untrust, DMZ and Test Lab.

Trust zone: the zone in which our organization's LAN resides; we configure the Juniper SA-4000 from this zone.

Untrust zone: the zone from which the client comes in over the Internet to use our organization's resources.

DMZ: the zone in which the Juniper SA resides. This zone provides security: anyone on the Internet can reach the DMZ, but the servers are in the Test Lab zone, where nobody can access them without authenticating.

Test Lab: the zone in which the organization's resources reside, for example a VMware server.

By using the SA-4000, any client from outside the network can connect to the organization's network without any hassle. The client just has to enter the Web address and he/she can connect to the network according to the rules defined for that client.

On the SA-4000 we can allow specific users by assigning them specific roles (policies) which they can access when they connect. They can be connected by WSAM, where we can create a bookmark for any task, i.e. telnet, remote desktop, etc., or they can connect via Network Connect, which will assign them an IP address through which they can connect to the organization's network.

Conclusion:

The Juniper Networks SSL VPN appliances meet the needs of organizations of a range of sizes. SA Series appliances are based on the Instant Virtual Extranet (IVE) platform, which uses SSL, the security protocol readily available in all standard Web browsers. The use of SSL eliminates the need for pre-installed client software deployment, changes to internal servers, and costly ongoing maintenance and desktop support. SA Series appliances also offer sophisticated partner/customer extranet features that enable controlled access for differentiated users and groups with no software agents, no DMZ deployments, and no infrastructure changes.

Acknowledgement:

This Independent Study Report could not have been written without the help of my advisor Mr. Mubashir Ahmad who not only served as my supervisor but also encouraged and challenged me throughout my academic program. He guided me through the study process, never accepting less than my best efforts. I thank him.