Solution Brochure




Juniper Networks Unified Access Control (UAC) Solution in the Enterprise
Seamless interoperability with standards-based best-in-class solutions and a growing list of leading technology alliances
Juniper Networks | Unified Access Control (UAC) Solution in the Enterprise




Unified Access Control for the Enterprise
Solution Overview


Today’s organizations are faced with the competing challenges
of offering access to their network resources and applications,
while simultaneously protecting the business. A diverse set
of users need access to a myriad of network resources and
applications, ranging from simple Internet access to sensitive
internal data. As access has grown, however, so has the risk
in providing it. Users may become unknowingly infected when
surfing the Internet or working remotely, then bring the infected
device into the enterprise network.




Access Control Challenges for the Enterprise
In order to provide the right level of access for each user, it is essential to combine endpoint
security information with user identity before access is allowed. The enterprise must be able to
create security policies so that security professionals are able to see the policy as it is changed,
observe the effects, and use that data to make the policy more effective.
Good access control must minimize risk. The best solutions enable access control via a networking
infrastructure built to handle enterprise throughput, performance, and availability requirements.
Working with a vendor-agnostic solution allows the enterprise to leverage their existing investments
in networking infrastructure without being locked into a single vendor solution.
Challenges
One of the most challenging aspects of network security is that it’s constantly changing. Today’s
user population includes a variety of individuals that the network was not necessarily built
to accommodate, such as business partners, guests, and contractors. There are a range of
operating systems which must be accommodated, as well as several different access types,
including VPNs and wireless.
The biggest challenge for an enterprise is balancing the requirements for access, while
simultaneously protecting the business. The network must be accessible enough to feed the
productivity of workers and partners, yet secure enough not to affect business continuity, privacy,
or data security. The balancing point is unique to each organization. Network access that is too
loose creates unacceptable risk. Yet, network access that is too controlling restricts business
opportunities and productivity. Even though you may not be able to control where users are or
what devices they use to access your network, you can still protect your network and give users
access to needed resources.
Once you’ve determined your corporate security policies, how can you ensure that users follow
the rules? And there’s more than just your rules—there are also industry and government
requirements for security, data privacy, user privacy, and record keeping.
Trends
There are a number of factors shaping the business requirements of controlling access to
enterprise networks. First, enterprise business networks are spreading out geographically.
According to a report from Nemertes Research, 89 percent of employees work away from
company headquarters at least part of the time. For example, some industries, such as financial
services and high-touch consumer products, are opening more branch offices to be closer to their
customers. Many information economy organizations have large numbers of teleworkers who only
come into the office periodically—their home is an extension of the corporate network.
Of course, employees don’t have to be in a work location in order to work. With notebook computers,
ubiquitous PDAs, and wireless Internet access, more and more workers can work wherever they are,
whenever they want. They could be checking their e-mail from the airport or train station, getting a
sales quote at a customer location, or surfing the Internet in a restaurant or café.
All this mobility and blurry network boundaries are creating new security concerns. Now it’s not
enough to authenticate the user, you must also validate the device, even if you don’t own it.
Customers, contractors, suppliers, even guests, expect some network consideration when visiting
your business. Since they are all working to make money for your organization, you don’t want to
limit their productivity.
Yet users—even trusted ones—can open the enterprise network to a host of threats. Enterprise
laptops may become unknowingly infected when workers surf the Internet or work remotely, then
connect their infected devices directly into the network. Many times, network attacks are launched
unwittingly by trusted users whose devices are insecure and have been breached, or by guest
users who may only need an Internet connection but come onto the network with their own
unmanaged devices and unknowingly expose sensitive resources to threats.




Juniper Networks Unified Access Control (UAC) Solution
    Clearly, enterprises need to provide appropriate access to valid users, while simultaneously
    protecting network resources and applications against any breach of privacy, integrity, or business
    continuity. Solutions must be flexible enough to comply with business security policies and industry
    and government regulations, without tearing out network equipment or creating new levels of user
    management complexity.
    Juniper Networks provides secure access control to your enterprise network based on a combination
    of user identity, endpoint security state, location, and policy. Juniper increases the productivity of
    today’s enterprise users while transparently, seamlessly securing enterprise resources, applications,
    and data. All this is accomplished without a forklift upgrade of your LAN infrastructure, wireless
    infrastructure, or database infrastructure.
    Juniper Networks Unified Access Control (UAC) solution delivers enterprise-class, network-based
    access control via seamless interoperability with standards-compliant switches – such as Juniper’s
    EX-series Ethernet LAN switches – access points, and endpoint security products. This is achieved
    through both open programming interfaces and the support of open standards from Trusted Network
    Connect (TNC), a workgroup of the Trusted Computing Group (TCG). Interoperability between
    Juniper’s UAC solution and market-leading Security Information and Event Management (SIEM)
    products, including Juniper Security Threat Response Manager (STRM), dramatically improves
    the detection and resolution of threats and attacks while delivering more cost-effective security
    operations. The result is a complete solution that makes full use of both the infrastructure and
    security investment that an enterprise has already deployed in their networks.
    Juniper Networks UAC solution consists of three (3) elements:
    • Juniper Networks Infranet Controller (IC) – The Infranet Controller is UAC’s centralized, hardened security policy engine optimized for LAN access control. Based on Juniper’s market-leading Secure Access SSL VPN appliances, the IC can automatically install an agent on devices that connect to your network, or for those devices where installing an agent is not feasible or possible, via its agent-less mode, collect authentication, endpoint integrity, and other necessary information and interface with your existing enterprise AAA infrastructure. The IC also features integrated RADIUS functionality via Juniper’s Steel-Belted Radius (SBR), allowing enterprises to authenticate users and enforce policy using existing databases.
    • Juniper Networks UAC Agent – The UAC Agent is a dynamically downloaded agent that can be pre-configured on and provisioned in real time by the IC, installed using Juniper’s Installer Service, or deployed by other methods. The UAC Agent collects user credentials, device security state, and network location. The UAC Agent’s integrated Host Checker functionality, familiar from thousands of Secure Access SSL VPN deployments, scans endpoints for a variety of security applications and states, including antivirus, malware and personal firewalls, as well as enables custom checks of elements such as registry and port status and can perform an MD5 checksum to verify application validity. Devices can access the network without downloading the agent in circumstances where downloads of any software are not practical, such as in guest deployments, via UAC’s agent-less mode.
    • UAC enforcement points – UAC enforcement points enforce dynamic access control and defined policies throughout your enterprise network in two different ways. Any switch or wireless access point supporting 802.1X – such as Juniper’s EX-series Ethernet switches – can be a UAC enforcement point, as can any Juniper Networks firewall platform, including Juniper’s Secure Services Gateway (SSG) and Integrated Security Gateway (ISG) platforms.




Juniper Networks UAC Solution: Seamless interoperability with standards-based best-in-class solutions
The unique advantage of Juniper Networks UAC is its ability to integrate with your existing network
and security investments. This section details how Juniper Networks UAC deploys with several
solutions from dozens of valued technology alliance partners.
Interoperability with Ethernet Switching and Wireless LAN Infrastructure Solutions
The 802.1X standard – originally developed for the wired LAN, then applied to the wireless LAN
(WLAN) arena to provide user authentication before an IP address was assigned – is now broadly
deployed in both wired and wireless networks. Because of its flexibility, 802.1X lends itself nicely
to access control. Juniper has incorporated features from its market-leading 802.1X supplicant,
Odyssey® Access Client, as well as from Steel-Belted Radius®, the de facto standard in RADIUS
servers, into its UAC solution. The result is a standards-based access control solution that allows
the enterprise to use the 802.1X infrastructure that it already owns to deploy access control
easily, quickly, and cost-effectively.
The choice of enforcement points is often the limiting factor with a network access control
solution. Juniper has solved this problem by creating a solution that is as functional with
enforcement at Layer 2 as it is at Layers 3-7. For Layer 2 enforcement, UAC is interoperable with
any vendor’s standards-compliant, 802.1X-enabled wired or wireless switching devices, such as
the Juniper EX-series Ethernet switches. All Juniper Networks firewall/VPN platforms enforce
policy at Layers 3-7, including the ISG with Intrusion Detection and Prevention (IDP) and the SSG
secure routing platforms.




[Figure: Juniper Networks Unified Access Control (UAC) Solution. The Juniper Networks Infranet Controller sits at the center; it connects via TNC to Odyssey Access Client (OAC) endpoints, via 802.1X to wireless LAN/switching enforcement points (EX 4200 Series switch, wireless access point), and to ISG and SSG firewalls; the STRM 5000 provides Security Information & Event Management (SIEM). Surrounding partner categories: Identity Management (IdM), Patch Management and Remediation, Endpoint Security, Unified Threat Management (UTM), SIEM, and Applications.]




    Interoperability with Endpoint Security Solutions
    Good network access control requires as much information about the user and device seeking
    access as possible, including the user identity and the endpoint’s security state. Current
    information about the endpoint’s security state adds another layer of protection to the network,
    as it establishes policy compliance and trustworthiness of endpoint devices separate from the
    user’s identity. This level of detail can be extremely useful in creating effective policy, even if the
    enterprise uses access control only as a baseline or auditing device.
    Virtually every enterprise has deployed some type of endpoint security solution, which can make
    interoperability with access control systems a challenge. Juniper has overcome this challenge by
    supporting open specifications and standards. Trusted Network Connect (TNC) specifications are
    designed to help network administrators solve the difficult task of enforcing security policies for
    network access in networks with a diverse mix of devices and software. Juniper Networks UAC
    interoperates seamlessly with all our technology alliance partners’ endpoint security solutions,
    allowing a complete access control solution to be deployed quickly and with confidence.
    Interoperability with Identity Management (IdM) Solutions
    Juniper Networks UAC IdM technology partners share a wealth of user information to provide
    the most granular access control policy possible and ensure the directory stores themselves
    are kept viable and up to date. The IC authentication, authorization and accounting (AAA) engine
    interoperates seamlessly with all popular AAA schemes, including RADIUS, LDAP, Active Directory,
    CA SiteMinder, Certificate/PKI servers and Anonymous Authentication servers. The IC combines
    user credentials and group or attribute information (for example, group membership) to the
    information gathered before the credentials were entered, including those gathered by Host
    Checker. This combination allows the IC to dynamically map the user to a role for the session.
    Role attributes can encompass session attributes/parameters, and can also specify restrictions
    with which the user must comply before they can map to a role, which is extremely useful in
    settings where security is vital and compliance must be ensured.
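To make the role-mapping logic described above concrete, here is an added example (not Juniper code and not the IC’s actual policy engine) that simulates how Host Checker style posture results (antivirus, firewall, a registry value, port status, an application checksum) are combined with group membership and location to select one session role, including the quarantine role used for remediation. The role names, registry key, port list and policy rules are assumptions; the sample endpoint data is constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Posture facts a Host Checker style agent would collect (constructed sample data)."""
    antivirus_running: bool
    firewall_running: bool
    registry: dict          # registry values read from the endpoint
    open_ports: set         # listening TCP ports found on the endpoint
    app_bytes: bytes        # contents of the application whose checksum is verified


@dataclass
class Session:
    """What the IC knows once credentials and posture have both been gathered."""
    username: str
    groups: set             # group membership from the AAA/IdM backend
    endpoint: Endpoint
    location: str           # "lan", "wlan" or "guest" (assumed location labels)


# Constructed approved build; a real deployment stores the vendor's checksum.
# The brochure describes an MD5 check, so MD5 is used here; a current deployment
# would prefer SHA-256 because MD5 collisions are practical.
APPROVED_APP = b"approved-client-build-1.0"
APPROVED_MD5 = hashlib.md5(APPROVED_APP).hexdigest()
REQUIRED_PATCH_KEY = r"HKLM\SOFTWARE\Example\PatchLevel"   # hypothetical key
REQUIRED_PATCH = "2008-06"
FORBIDDEN_PORTS = {23, 135}                                  # assumed policy


def host_check(ep):
    """Run the posture checks the brochure lists; returns {check_name: passed}."""
    return {
        "antivirus": ep.antivirus_running,
        "firewall": ep.firewall_running,
        "patch_level": ep.registry.get(REQUIRED_PATCH_KEY) == REQUIRED_PATCH,
        "no_forbidden_ports": not (ep.open_ports & FORBIDDEN_PORTS),
        "app_checksum": hashlib.md5(ep.app_bytes).hexdigest() == APPROVED_MD5,
    }


def map_role(session):
    """Combine identity, posture and location into one role for the session.

    Returns (role, failed_checks). Restrictions are evaluated before a role is
    granted, so a non-compliant employee lands in quarantine, not in its group role.
    """
    failed = [name for name, ok in host_check(session.endpoint).items() if not ok]
    if "employees" not in session.groups:
        # Guests and other unmanaged users: Internet only, no posture requirement.
        return "guest-internet-only", failed
    if failed:
        # Quarantine role: reach only the remediation/patch servers.
        return "quarantine-remediation", failed
    if "finance" in session.groups and session.location == "lan":
        # Sensitive role requires a compliant endpoint on the wired LAN.
        return "finance-full", failed
    return "employee-standard", failed


def compliant_endpoint():
    """Constructed endpoint that passes every check."""
    return Endpoint(True, True, {REQUIRED_PATCH_KEY: REQUIRED_PATCH}, {443}, APPROVED_APP)


if __name__ == "__main__":
    alice = Session("alice", {"employees", "finance"}, compliant_endpoint(), "lan")
    print(map_role(alice))   # ('finance-full', [])
```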
    Interoperability with Juniper Security Threat Response Manager (STRM) and many Security Information and Event Management (SIEM) Solutions
    Juniper’s UAC solution is able to react to the dynamic nature of network security more effectively
    when deployed with Juniper’s Security Threat Response Manager (STRM), or any well known
    Security Information and Event Management (SIEM) solution. Juniper STRM delivers advanced
    log management capabilities, SIEM, and Network Behavior Anomaly Detection (NBAD) to address
    log management, threat detection, compliance and audit requirements. Juniper STRM (or any
    SIEM) solution is a vital component of policy development, and can pull data from many different
    information systems, including Juniper UAC. This allows your enterprise to look at security in both
    a real-time and a historical context, and evaluate the success of policies based on their results.
    The data produced is valuable when attempting to trace a security breach, or as part of post-event
    computer/network forensic activities. The policies created in this process can then be pushed by
    Juniper UAC, making it easy to act on the new policies in the network.
    Interoperability with Patch Management and Remediation Solutions
    Worms and botnets take advantage of unpatched systems and propagate across large
    organizations, putting corporate data and resources at risk. Organizations must continually
    assess patch-related vulnerabilities on endpoints before allowing access to network resources.
    Unqualified endpoints need to be quarantined and automatically remediated with the patches
    necessary to bring each endpoint into compliance, without incurring substantial or incremental
    helpdesk costs. Juniper’s UAC solution interoperates seamlessly with several leading patch
    management and remediation companies. Additionally, Juniper UAC provides a flexible, scalable,
    and simple validation of the endpoint against patch and compliance policies.
    Interoperability with Unified Threat Management Solutions
    Juniper’s UAC solution works seamlessly with the Juniper Unified Threat Management (UTM)
    solutions to provide stateful firewall, IPS, antivirus (anti-spyware, anti-phishing, anti-adware),
    anti-spam, and Web filtering to protect the network from attack. Juniper’s UTM strategy leverages
    technologies from our key technology solution alliance partners. To provide protection against
    inbound and outbound attacks at all levels, Juniper integrates a complete set of best-in-class Unified
    Threat Management (UTM) features into their line of branch office firewall platforms. By leveraging
    the development, support and market expertise of many of the leading content security partners,
    Juniper is able to deliver a set of best-in-class UTM features. Today, Juniper’s key UTM alliance
    partners include Websense (web filtering), Kaspersky (anti-virus) and Symantec (anti-spam).


Juniper Networks’ Technology Partners
Juniper Networks values its alliance partnerships with the industry’s leading security, device,
wireless and network infrastructure vendors. These partnerships allow you to leverage the
investments you’ve made in these best-in-class solutions, ensuring your access control solution
from Juniper easily integrates with your existing IT infrastructure equipment.



[Partner logos, grouped by category: Identity Management (IdM); Endpoint Security; Patch Management and Remediation; Unified Threat Management; Ethernet Switching and Wireless LAN; Security Information and Event Management (SIEM).]




Flexible Access Control Using Existing, Proven Solutions
Juniper Networks UAC provides a flexible, standards-based access control solution that does not require you to endure expensive forklift upgrades or time-consuming upgrades or database changes. Juniper Networks allows enterprises to leverage their existing, deployed, standards-based switches and wireless access points and/or Juniper firewalls/switches to enforce corporate network policy. Juniper Networks UAC also works in conjunction with standard AAA, IdM, SIEM, endpoint security, unified threat management (UTM), and patch management and remediation vendors, so IT managers do not have to learn new systems or processes. Juniper’s proven, standards-based UAC solution can readily adapt to any new infrastructure investments.

About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978.589.5800
Fax: 978.589.0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd.
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited
Building 1
Aviator Park
Station Road
Addlestone
Surrey, KT15 2PG, U.K.
Phone: 44.(0).1372.385500
Fax: 44.(0).1372.385501



Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.




To purchase Juniper Networks solutions, please contact your Juniper Networks sales representative at 1-866-298-6428 or authorized reseller.
    160012-003 June 2008