SA, IC AND PULSE PRESENTATION
Jay Dineshkumar, Federal, [email protected]
AGENDA
- JUNOS PULSE OVERVIEW
- JUNOS PULSE AND SERVICES LATEST FEATURES
- SUMMARY
- RESOURCES AND NEXT STEPS
Copyright © 2013 Juniper Networks, Inc. www.juniper.net
INTRODUCTION TO JUNOS PULSE
A single multi-service network client (Junos Pulse) + a single gateway (MAG Series) delivers:
- Secure mobile and remote access (via SSL VPN)
- Network/LAN access control (via UAC)
Junos Pulse features include:
- Support for desktop, laptop and mobile OS
- Endpoint security checks (via Juniper Host Checker) prior to network connection
- Location awareness (laptops)
- Session migration
- Session data federation
[Diagram: MAG Series Junos Pulse Gateway running Junos Pulse Secure Access Service, serving Junos Pulse on laptop/desktop and Junos Pulse on mobile device]
JUNOS PULSE AND JUNOS PULSE PRODUCTS: LATEST FEATURES AND FUNCTIONS
Junos Pulse 4.0
- FIPS 140-2 Level 1 Compliance
- IPv6 Support (Phase 1.5)
- Support for Security Assertion Markup Language (SAML) Basic Attribute Profiles
- SNMPv3 Support
- Junos Pulse Enhancements
Junos Pulse Secure Access Service / SSL VPN 7.4
- FIPS 140-2 Level 1 Compliance
- HTML5 Support (Phase 1)
- IPv6 Support (Phase 1.5)
- Support for SAML Basic Attribute Profiles
- SNMPv3 Support
Junos Pulse Access Control Service / UAC 4.4
- FIPS 140-2 Level 1 Compliance
- Machine auth, machine cert auth, credential provider (Phase 1)
JUNOS PULSE 4.0
New Features in Junos Pulse (client) 4.0:
- FIPS 140-2 Level 1 Compliance
- IPv6 Support (Phase 1.5) (SSL VPN Only)
- Support for SAML Basic Attribute Profiles (SSL VPN Only)
- SNMPv3 Support (SSL VPN Only)
- Junos Pulse Enhancements
JUNOS PULSE – Highlights - 1
- Modular Architecture
- Windows – L3 VPN, WSAM, HC, App. Accel., iPass, NAC (L2 & L3)
- Mac OS X – L3 VPN, HC, L3 NAC, no 802.1X capability
- iOS – L3 VPN, HC, web re-writer
- Android – L3 VPN, HC, web re-writer
- Ease of deployment – all aspects controlled on the server side
- Consistent and simplified user interface across multiple platforms
- Server and client are de-coupled
- Full Windows app, no dependency on Java
JUNOS PULSE – Highlights - 2
- A pre-config file can be used to deploy Pulse, hosted on an internal server, or via SMS, etc. Beware of the hidden GUID!
- IPv6 only supported on Windows, Mac, iOS
- IPv6 6-on-6 due 2H 2013
- Connection grouping and failover is on the roadmap
- Location awareness for Pulse desktop
- Pulse for iOS supports smartcard auth now (CAC and PIV only)
- No Pulse support in IVS-based systems
THE JUNOS PULSE USER EXPERIENCE
1. User wakes up PC to read e-mail
2. Junos Pulse sees that user is remote
3. SSL VPN selected as access type
4. User authenticates
5. SSL VPN provisioned

1. User goes for coffee; wakes up PC
2. Junos Pulse sees that user is remote
3. SSL VPN selected as access type
4. User connected directly to hotspot
5. No authentication needed; session still valid

1. User goes to the office and wakes PC
2. Junos Pulse determines that user is on 802.1X corporate WLAN
3. UAC selected as access type
4. No authentication needed; session data migrated (via IF-MAP); session still valid

1. User goes to dinner; needs to check e-mail or the status of an order in a corporate application
2. Clicks on Junos Pulse on smartphone or tablet
3. User authenticates
4. Secure network and application access provisioned via SSL VPN to smartphone or tablet
JUNOS PULSE 4.0: FIPS 140-2 LEVEL 1 COMPLIANCE
[Diagram: MAG Series gateway with FIPS 140-2 connections to a Windows or Mac OS desktop*, a Windows or Mac OS laptop*, an iOS or Android tablet and an iOS or Android smartphone]
Junos Pulse Secure Access Service (SSL VPN): FIPS-compliant VPN data channel established by MAG Series running Junos Pulse Secure Access Service (or SA Series SSL VPN Virtual Appliances) once the Junos Pulse client authenticates to the gateway or virtual appliance
Junos Pulse Access Control Service (UAC): Addresses UAC FIPS compliance by enabling the Layer 3 network connection (from Pulse Access Control Service running on a MAG Series gateway or Pulse Access Control Service Virtual Appliances) to be FIPS-compliant; works with agent-less access (captive portal use cases) and guest user account management (GUAM)
Currently available for Junos Pulse clients on iOS and Android
* Junos Pulse clients on Windows and Mac OS supporting FIPS 140-2 available in Q2 2013
FIPS & TLS
- New MAG and VM appliances support FIPS 140-2 Level 1.
- FIPS is now done in software; the feature can be enabled on a MAG or VM that can run 7.4 / 4.4 or higher.
- Older HW appliances cannot enable software FIPS.
- No cost, no license to enable the feature. Yes, there is a performance hit.
- TLS 1.1 and 1.2 support was added to SA 7.4 and IC 4.4 code. Any appliance that can run that code supports TLS 1.1 and 1.2. That includes older FIPS appliances (SA6000, SA6500, etc.).
- NC does not support TLS 1.1 or 1.2.
- No ability to cherry-pick or enforce a specific TLS version yet.
- SHA-256 and 2048-bit certs were done a while back.
Suite B
- Suite B is only supported on MAG and VM that can run 7.4 or higher code.
- Older appliances do NOT support Suite B.
- Suite B requires loading an ECC device cert on the head-end appliance.
- Suite B is used for browser-based applications, JSAM, Pulse and HC(*).
- No Suite B support for NC, no plans.
- No Suite B support for the TS client yet.
- Pulse supports Suite B in SSL transport mode only.
- Your mileage will vary based on client O/S, browser or who knows what ☺. So, test and validate with a sniffer. The server side is ready, but client-side support is very sketchy.
- Not sure if iOS supports ECC certs, hence Suite B. We are getting conflicting info.
What else is new?
- VM IC
- Great Bay profiler for NAC
- Licensing: no need for cluster licenses; perpetual and subscription licenses; license server
- Windows RT, Windows Phone – 2H 2013
JUNOS PULSE 4.0: FIPS 140-2 LEVEL 1 COMPLIANCE (CONTINUED)
- FIPS support for Apple iOS and Google Android leverages a third-party, FIPS-certified library from SafeLogic (www.safelogic.com)
- FIPS ciphers are used only when Junos Pulse, in concert with SSL VPN and/or UAC, is deployed in FIPS mode
- Supported ciphers include:
  - Elliptic Curve Cryptography (ECC) = public key cryptosystem, especially useful in mobile (wireless) environments
  - Digital Signature Algorithm (DSA) = FIPS standard for digital signatures proposed by NIST
JUNOS PULSE 4.0: FIPS 140-2 LEVEL 1 COMPLIANCE (CONTINUED)
In addition to AES, Suite B includes cryptographic algorithms for key exchange, digital signatures, and hashing, specifically:
- Encryption: AES-GCM, 128- or 256-bit block cipher
- Key Exchange: Ephemeral Unified Model and One-Pass Diffie-Hellman (ECDH)
- Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA)
- Hashing: SHA-256 and SHA-384
Suite B also mandates both TLS 1.2 and ECC ciphers
Non-approved algorithms will be disabled when in FIPS mode
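The Suite B slides above say the server side is ready but client support varies and that you should validate with a sniffer. The following is an added example, not Juniper's code, of the check a practitioner would run over what the sniffer reports: it parses IANA cipher-suite names (the form Wireshark shows) into key exchange, authentication, cipher and hash, and then judges each observed handshake against the Suite B TLS profile (TLS 1.2, ECDHE, ECDSA, AES-GCM, SHA-256/384 matched to the key size, per RFC 6460) and against the FIPS 140-2 rule that non-approved algorithms must not appear. The client names and observations in SAMPLE are constructed.

```python
"""Classify observed TLS handshakes against FIPS and Suite B requirements.

Input is a list of (client, protocol version, IANA cipher-suite name) tuples,
the shape you get from a packet capture of the ServerHello.
"""
import re
from dataclasses import dataclass

# Suite B for TLS (RFC 6460): AES-128-GCM pairs with SHA-256, AES-256-GCM with SHA-384.
SUITE_B_PAIRS = {("128", "SHA256"), ("256", "SHA384")}

# Primitives that are never FIPS 140-2 approved for TLS.
NON_APPROVED_ENC = {"RC4", "NULL", "DES", "IDEA", "EXPORT", "CAMELLIA", "SEED", "CHACHA20"}
NON_APPROVED_MAC = {"MD5"}


@dataclass
class Suite:
    kx: str       # key exchange: ECDHE, DHE, RSA, ...
    auth: str     # authentication: ECDSA, RSA, ... (same as kx for plain RSA suites)
    enc: str      # bulk cipher family: AES, 3DES, RC4, NULL
    keybits: str  # key size as text ("128"/"256"), "" when the name carries none
    mode: str     # cipher mode (GCM, CBC), "" for stream/NULL ciphers
    mac: str      # hash / PRF: SHA, SHA256, SHA384, MD5


_NAME = re.compile(r"^TLS_(?P<kx>[A-Z0-9]+)(?:_(?P<auth>[A-Z0-9]+))?_WITH_(?P<rest>.+)$")


def parse_suite(name: str) -> Suite:
    """Split an IANA TLS 1.0-1.2 suite name into its components."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = m.group("kx")
    auth = m.group("auth") or kx
    parts = m.group("rest").split("_")
    mac = parts.pop()                       # trailing token is always the hash
    enc = parts[0]
    keybits = next((p for p in parts[1:] if p.isdigit()), "")
    mode = parts[-1] if len(parts) > 1 and not parts[-1].isdigit() else ""
    return Suite(kx, auth, enc, keybits, mode, mac)


def fips_approved(s: Suite) -> bool:
    """True when only FIPS-approved primitives (AES/3DES, SHA family) are used."""
    return s.enc not in NON_APPROVED_ENC and s.mac not in NON_APPROVED_MAC


def suite_b_level(version: str, s: Suite):
    """'Suite B 128-bit' / 'Suite B 192-bit', or None if the handshake is not Suite B."""
    if version != "TLSv1.2":                # Suite B mandates TLS 1.2
        return None
    if (s.kx, s.auth, s.enc, s.mode) != ("ECDHE", "ECDSA", "AES", "GCM"):
        return None
    if (s.keybits, s.mac) not in SUITE_B_PAIRS:
        return None
    return "Suite B 192-bit" if s.keybits == "256" else "Suite B 128-bit"


def audit(observations):
    """Map each observed client to a verdict string."""
    verdicts = {}
    for client, version, name in observations:
        try:
            s = parse_suite(name)
        except ValueError:
            verdicts[client] = "unparsed suite"
            continue
        level = suite_b_level(version, s)
        if level:
            verdicts[client] = level
        elif not fips_approved(s):
            verdicts[client] = "not FIPS-approved"
        elif version in ("SSLv3", "TLSv1.0"):
            verdicts[client] = "FIPS ciphers but pre-TLS 1.1 protocol"
        else:
            verdicts[client] = "FIPS-approved, not Suite B"
    return verdicts


# Constructed sniffer summary: hypothetical client names, realistic suite names.
SAMPLE = [
    ("win7-ie10", "TLSv1.2", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
    ("osx-safari", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
    ("legacy-nc", "TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("old-browser", "TLSv1.0", "TLS_RSA_WITH_RC4_128_MD5"),
    ("android-pulse", "TLSv1.2", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
]

if __name__ == "__main__":
    for client, verdict in audit(SAMPLE).items():
        print(f"{client:14s} {verdict}")
```

Feed it the version and suite column of a capture and the verdict column tells you which client platforms actually landed on a Suite B suite, which fell back to an approved-but-not-Suite-B suite, and which negotiated something FIPS mode should have disabled.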
Network Time Protocol (NTP) configuration is enhanced to optionally authenticate NTP traffic
- An administrator may also choose not to enable NTP authentication
- The NTP package for Juniper's SSL VPN has been upgraded to NTPv4, and is backward compatible with both NTPv3 and NTPv2
JUNOS PULSE SECURE ACCESS SERVICE 7.4: HTML5 SUPPORT (PHASE 1)
Junos Pulse Secure Access Service 7.4 supports HTML5 through Rewriter, with new elements, attributes, and APIs
Support for audio and video multimedia traffic is available without requiring additional plug-ins
Supports:
- Microsoft Internet Explorer 10
- Latest Mozilla Firefox Extended Support Release (ESR)
- Apple Safari
Running on:
- Microsoft Windows 7 and Windows 8
- Apple Mac OS X 10.7 and Mac OS X 10.8
- Linux Ubuntu
- Android 4.0 (Ice Cream Sandwich)
- Apple iOS 5.x
HTML5 support in Pulse Secure Access Service 7.4 scales to thousands of users, remaining on par with standard support for Rewriter sessions
RDP access can be delivered over HTML5 via a third-party RDP-through-WebSockets translator such as Ericom
[Diagram: MAG Series running Junos Pulse Secure Access Service (SSL VPN)]
JUNOS PULSE SECURE ACCESS SERVICE 7.4: IPv6 SUPPORT (PHASE 1.5)
[Diagram: a home-based engineer, a home-based salesperson and a finance manager working from home connect over IPv4 to a MAG Series running Junos Pulse Secure Access Service (SSL VPN), which fronts the Sales, Engineering and Finance groups]
Use Case: An enterprise has a number of home-based workers from different internal groups such as sales, engineering, finance, etc., but wants to employ additional security for home-based engineers' access.
Solution: Home-based workers accessing the corporate network using Junos Pulse and Pulse Secure Access Service 7.4 connect via an IPv4 network; however, for additional security, traffic of home-based engineers is on the IPv6 network.
JUNOS PULSE SECURE ACCESS SERVICE 7.4: IPv6 SUPPORT (PHASE 1.5) (CONTINUED)
Junos Pulse 4.0 and Pulse Secure Access Service 7.4 enable end users today to access IPv6 resources, along with IPv4 resources, from an IPv4 network
The remaining access methods (including Junos Pulse Secure Application Manager (SAM), legacy Network Connect (NC) and Windows SAM, Rewriter, etc.) and Junos Pulse Access Control Service are not supported
All other services, such as authentication, authorization, and accounting (AAA) servers, Domain Name System (DNS) servers, and Host Checker, must be on an IPv4 network
JUNOS PULSE 4.0 ENHANCEMENTS
- An event logging framework that captures operational events and can be easily reviewed and understood by network administrators
- A framework similar to the debug log file (capturing more detailed information) is now integrated into the Windows event viewer
- Ability to suspend or exit an SSL VPN tunnel set up by Junos Pulse Secure Access Service without losing session context
SNMPv3 SUPPORT
Junos Pulse 4.0 and Pulse Secure Access Service 7.4 now support the Simple Network Management Protocol version 3 (SNMPv3) IETF standard
- Delivers interoperable, standards-based network management
- Provides a comprehensive authentication, authorization and encryption mechanism, with support for framework extensions
- Enables secure access to devices through a combination of authentication and encrypted packets
  - Message integrity: ensures a packet has not been modified or changed while in transit
  - Authentication: ensures the message source is valid
  - Encryption: secures the packet contents from unauthorized view
- Offers security models and security levels within security models, a two-tiered approach that enables greater security
- Leverages username and Message Digest 5 (MD5) and Secure Hash Algorithm (SHA) for authentication
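What the "username plus MD5 or SHA" bullet means on the wire is defined by the SNMPv3 User-based Security Model (RFC 3414). The following added example, not Juniper's code, walks through the three steps an SNMPv3 manager and agent both perform: expand the configured password into a key (password-to-key), bind that key to the agent's snmpEngineID (localization, so one agent's key cannot be replayed against another), and compute the 96-bit HMAC that gives the integrity and authentication properties listed above. The password and engine ID are the RFC 3414 appendix A test vectors; the message is constructed, and the privacy-key derivation reuses the authentication password for brevity (RFC 3414 derives it from a separate privacy password with the same steps).

```python
"""SNMPv3 USM key derivation and message authentication (RFC 3414)."""
import hashlib
import hmac

# Security levels a manager can request (RFC 3411). Combined with the
# security model (USM here) this is the two-tier scheme the slide describes.
SECURITY_LEVELS = {
    "noAuthNoPriv": {"auth": False, "priv": False},
    "authNoPriv":   {"auth": True,  "priv": False},
    "authPriv":     {"auth": True,  "priv": True},
}

AUTH_ALGOS = {"MD5": "md5", "SHA": "sha1"}   # HMAC-MD5-96 and HMAC-SHA-96


def password_to_key(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to 1,048,576 bytes.

    The expansion is the only work factor against offline guessing of a
    captured HMAC, so long passwords matter more than the hash choice."""
    h = hashlib.new(AUTH_ALGOS[algo])
    reps, rem = divmod(1_048_576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(AUTH_ALGOS[algo], ku + engine_id + ku).digest()


def auth_params(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with the
    parameters field zeroed by the caller), truncated to 12 bytes."""
    return hmac.new(kul, whole_msg, AUTH_ALGOS[algo]).digest()[:12]


def verify(kul: bytes, whole_msg: bytes, received: bytes, algo: str) -> bool:
    """Receiver-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(auth_params(kul, whole_msg, algo), received)


def usm_keys(password: bytes, engine_id: bytes, level: str, algo: str = "SHA") -> dict:
    """Keys a USM user needs at the given security level against one engine."""
    if not SECURITY_LEVELS[level]["auth"]:
        return {}                                   # noAuthNoPriv: nothing to derive
    kul = localize_key(password_to_key(password, algo), engine_id, algo)
    keys = {"auth": kul}
    if SECURITY_LEVELS[level]["priv"]:
        keys["priv"] = kul[:16]                     # CFB128-AES-128 key (RFC 3826)
    return keys


# RFC 3414 appendix A inputs.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    keys = usm_keys(RFC_PASSWORD, RFC_ENGINE_ID, "authPriv", "SHA")
    msg = b"\x30\x2a constructed SNMPv3 message with zeroed auth params"
    tag = auth_params(keys["auth"], msg, "SHA")
    print("localized auth key:", keys["auth"].hex())
    print("tag ok:", verify(keys["auth"], msg, tag, "SHA"))
    print("tampered ok:", verify(keys["auth"], msg + b"x", tag, "SHA"))
```

The localized key is what an agent stores per user; a manager polling several MAG appliances derives a different Kul for each engine ID from the same password, which is why the engine ID of a replaced appliance has to be re-discovered before authenticated polling resumes.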
JUNOS PULSE SECURE ACCESS SERVICE 7.4: SAML BASIC ATTRIBUTE PROFILE SUPPORT
Junos Pulse Secure Access Service 7.4 supports SAML Basic Attribute Profiles as defined in the SAML standard (http://docs.oasis-open.org/security/saml/v2.0/)
The Basic Attribute Profile specifies simplified naming of SAML attributes together with attribute values based on the built-in XML Schema data types
JUNOS PULSE SECURE ACCESS SERVICE 7.4: SAML BASIC ATTRIBUTE PROFILE SUPPORT (CONTINUED)
[Diagram: a SAML assertion w/attribute data arrives at the MAG Series running Junos Pulse Secure Access Service (SSL VPN) acting as SAML SP; a new SAML assertion w/attribute data is sent on to Apps]
A MAG Series Junos Pulse Gateway running Junos Pulse Secure Access Service 7.4 may serve as a SAML Service Provider (SP) and consume a SAML assertion, resulting in a session on the gateway
It can obtain attribute data received as part of the incoming SAML assertion and send attribute data to backend resources or applications as part of a new (or separate) assertion generated by the same MAG Series gateway running Pulse Secure Access Service
JUNOS PULSE SECURE ACCESS SERVICE 7.4: SAML BASIC ATTRIBUTE PROFILE SUPPORT (CONTINUED)
[Diagram: the same flow with the MAG Series running Junos Pulse Secure Access Service (SSL VPN) acting as SAML IdP, generating the new SAML assertion w/attribute data for Apps]
The MAG Series gateway running Pulse Secure Access Service will also need to be configured as a SAML Identity Provider (IdP) in this use case to generate and send the new assertion
The new assertion can include attributes retrieved from the original SAML assertion as well as any additional or new attributes that an administrator chooses to send as part of the assertion
New attribute-value information can be statically configured by an administrator or dynamically retrieved from an LDAP data store based on user authentication
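The two SAML slides above describe a gateway that consumes a Basic Attribute Profile assertion as SP and re-issues attributes as IdP, adding administrator-configured and LDAP-derived values. The following added example, not Juniper's code, shows the attribute handling end to end with the standard library: it extracts attributes whose NameFormat is the basic format and converts each value per its xsi:type (the XML Schema built-in types the profile relies on), skips attributes in other name formats, merges in static and directory-derived values, and renders a fresh AttributeStatement. The inbound assertion, the STATIC_ADMIN and LDAP_LOOKUP dictionaries and the issuer name are all constructed; the example assumes signature, issuer and validity-condition checks were done before attributes are trusted, and that the xs: prefix is in scope (production code must resolve the prefix rather than assume it).

```python
"""SAML 2.0 Basic Attribute Profile: consume attributes as SP, re-issue as IdP."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XS = "http://www.w3.org/2001/XMLSchema"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed inbound assertion (already signature-checked upstream, by assumption).
INBOUND = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:xs="{XS}" xmlns:xsi="{XSI}"
    ID="_constructed-1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" NameFormat="{BASIC}">
      <saml:AttributeValue xsi:type="xs:string">jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="clearance" NameFormat="{BASIC}">
      <saml:AttributeValue xsi:type="xs:integer">3</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="{BASIC}">
      <saml:AttributeValue xsi:type="xs:string">engineering</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">vpn-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sources for the re-issued assertion.
STATIC_ADMIN = {"app-role": ["vpn-user"]}                              # admin static config
LDAP_LOOKUP = {"department": ["Engineering"], "employeeID": [10417]}   # directory lookup


def _typed(value_el):
    """Convert an AttributeValue by its xsi:type; assumes the 'xs' prefix."""
    t = (value_el.get(f"{{{XSI}}}type") or "xs:string").split(":")[-1]
    text = (value_el.text or "").strip()
    if t in ("integer", "int", "long", "short"):
        return int(text)
    if t == "boolean":
        return text in ("true", "1")
    if t in ("string", "anyURI", "dateTime"):
        return text
    raise ValueError(f"unsupported xsi:type {t!r}")   # fail closed on unknown types


def parse_basic_attributes(xml_text):
    """{name: [values]} for basic-format attributes; other formats are ignored."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("NameFormat") != BASIC:
            continue
        attrs[attr.get("Name")] = [_typed(v) for v in attr.iter(f"{{{SAML}}}AttributeValue")]
    return attrs


def _xs_type(v):
    if isinstance(v, bool):
        return "xs:boolean"
    return "xs:integer" if isinstance(v, int) else "xs:string"


def build_attribute_statement(*sources):
    """Merge attribute dicts (later sources win) into a basic-profile statement."""
    merged = {}
    for src in sources:
        merged.update(src)
    ET.register_namespace("saml", SAML)
    ET.register_namespace("xsi", XSI)
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    stmt.set("xmlns:xs", XS)          # declare xs so the xsi:type values resolve
    for name, values in merged.items():
        a = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name, NameFormat=BASIC)
        for v in values:
            av = ET.SubElement(a, f"{{{SAML}}}AttributeValue")
            av.set(f"{{{XSI}}}type", _xs_type(v))
            av.text = str(v).lower() if isinstance(v, bool) else str(v)
    return ET.tostring(stmt, encoding="unicode")


def reissue(assertion_xml):
    """SP side consumes, IdP side re-issues: incoming + LDAP + admin-static values."""
    return build_attribute_statement(parse_basic_attributes(assertion_xml), LDAP_LOOKUP, STATIC_ADMIN)


if __name__ == "__main__":
    print(reissue(INBOUND))
```

The merge order puts administrator-configured values last so that a value a user's home IdP asserts cannot override one the gateway administrator pinned; unknown xsi:type values raise rather than being passed through as strings, which keeps a backend from silently receiving data of a type it did not expect.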
SUMMARY: JUNOS PULSE AND JUNOS PULSE PRODUCTS, LATEST FEATURES AND FUNCTIONS
Junos Pulse 4.0
- FIPS 140-2 Level 1 Compliance
- IPv6 Support (Phase 1.5)
- Support for Security Assertion Markup Language (SAML) Basic Attribute Profiles
- SNMPv3 Support
- Junos Pulse Enhancements
Junos Pulse Secure Access Service / SSL VPN 7.4
- FIPS 140-2 Level 1 Compliance
- HTML5 Support (Phase 1)
- IPv6 Support (Phase 1.5)
- Support for SAML Basic Attribute Profiles
- SNMPv3 Support
Junos Pulse Access Control Service / UAC 4.4
- FIPS 140-2 Level 1 Compliance
- Machine auth, machine cert auth, credential provider (Phase 1)
KEY RESOURCES
Junos Pulse Product Page
http://www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/
Junos Pulse Partner Center Product Page
https://www.juniper.net/partners/partner_center/products/software/junos-pulse/
Marketing Concierge Services
https://jmc.juniper.net/Orgs/Initiative.aspx?id=1151 (Search on MAG Series)
MAG Series on Learning Academy
http://jpartnertraining.juniper.net/index.php?page=view_course&course_id=630 (Please copy and paste the link into your browser)
Partner iPad App
http://itunes.apple.com/us/app/juniper-partner-app/id486869816?mt=8
Key Contacts
Pulse Product Marketing: [email protected]