Shared Flashcard Set


Sales Certification for Juniper
Computer Science

Additional Computer Science Flashcards





What are the two methods for security access? 

What component provides the VPN technology?

Which method is the best for vpn and why?

  • SSL and IPSec
  • Network Connect provides the VPN technology
  • IPSec is the preferred method because it was built to support multiple protocols.  SSL can only be used to tunnel between one client and the network and is not suppported for site to site vpns

What features does the TLS handshake protocol provide.


What does the TLS record protocol provide.


The Transport Layer Security Protocol provides the following features:

  • Peer Identity verification
  • Uses public/private key cryptology
  • Standard Key negotiation

The TLS record protocol provides:

  • Privacy via symmetric encryption (DES, RCA
  • Keys generated during the TLS handshake
  • Reliability via HMAC mechanisms (SHA, MD5)

Briefly describe the Juniper SPG.

  • SPG = Secure Products Group
  • Market Leader since aquisition of NetScreen
  • Unique because they seek out security reviews of the IVE (Instant Virtual Extranet) Platform
  • Market Leader because of their purpose built application security gateway
What is the corporate reason SSL VPN's are preferable over IP Sec VPNs?
IP Sec VPNs were costly and hard to set up

Define IPSec and describe it's use in VPNs.


What is the most significant difference between IPSec and SSL for VPNs.

  • Network layer protocol implemented to provide secure channels across the internet
  • Designed to carry any IP traffic from many users through a single tunnel. 
  • It is highly efficient and requires less network overhead than SSL


  • SSL can only be used to tunnel between a single user and a server
Describe the difference between symmetric and asymmetric encryption.
  • Symmetric encryption uses the same key to encode and decode the data.
  • Asymmetric encryption uses a pair of keys (Public and Private) to encode and decode the data.
Describe how SSL sets up a secure session.
  • Client requests the channel through https: prefix.
  • Server transfers it's x.509 certificate containing it's public key
  • The client uses the public key to encrypt a symmetric key which will be used for the remainter of the session
Describe the process of setting up an IPSec connection.
  • Uses Internet Key Exchange (IKE).  IKE uses two phases.
  • Phase I
    • Uses UDP port 500
    • An X.509 certificate is used, or a pre-shared key
    • Diff-Helman (asymmetric) is used to transfer the information
  • Phase II
    • Exchange of information about what networks will communicate over the tunnel
    • No equivalent in SSL


Identify the most commonly used standards for asymmetric and symmetric encryption in SSL.
  • RSA is used for asymmetric.
  • 3DES or AES is used for symmetric
What is X.509 and what information does the protocol transfer.
  • X.509 is a standard which defines how asymmetric keys should be packaged
  • Public Key
  • Key owner
  • Expiration date
  • Name of organization which issued the key
  • Allowable uses of the key
  • Digital signature enabling the client to verify key and certificate holder integrity

Identify the two IVE product families Juniper offers and list the products in each.


Identify the major difference between the product families.

  • Juniper Networks Secure Access

    • SA 700, SA 2000, SA 4000, SA 6000, and SA 6000 SP
  • NetScreen-SA
    • NS-SA 1000, NS-SA 3000, NS-SA 5000
  • The NetScreen-SA line was acquired from NetScreen in April 2004
  • The Secure Access line is Juniper's newest offering

Describe the NetScreen Secure Access Product Line

  • Targeted to small to medium (1000), medium to large (3000), and large enterprises (5000)
  • Offers scalability options and provides headroom for user growth and application complexity
  • Offers High Availability Clustering Options with Stateful System Peering, Active/Passive, and Active/Active configurations
  • Replication provides for Multi-Site clusters and high user volume
Describe the feature set of the Secure Access Product Line 700, 2000, 4000, 6000
  • SA 700 (Small Medium Enterprises)
    • 10 to 25 concurrent users
    • Network Connect
  • SA 2000 (Medium Enterprise)
    • 25 to 100 concurrent users
    • SAM/Network Connect
    • Secure Meeting
    • Advanced with CM
    • Cluster Pairs
  • SA 4000 (Medium - Large Enterprise)
    • 50 to 1000 concurrent users
    • SAM/Network Connect
    • Secure Meeting
    • Advanced with CM
    • Instant Virtual System
    • SSL Acceleration
    • Cluster Pairs
  • SA 6000 (Large Global Enterprise)
    • 100 to 2500 concurrent users
    • SAM/Network Connect
    • Secure Meeting
    • Advanced with CM
    • Instant Virtual System
    • GBIC
    • SSL Acceleration
    • Multi-Unit Clusters
Describe the SA 6000-SP
  • Industry's first SSL VPN platform with virtualization
  • Enables Service Providers to deliver SSL VPN services to multiple enterprises

What is FIPS? 

Which products comply with FIPS certification?

  • FIPS stands for Federal Information Processing Standard.
  • NetScreen-SA 4000 and 6000 are FIPS certified
Broadly categorize the security strengths of the IVE.
  • Design of the Platform
  • Security implemented at the client in addition to the server
  • Certification by trusted industry organizations
Describe the security features of the IVE platform design.
  • The file system is encrypted using AES
    • Ensures the data and proprietary information is protected in case of theft
    • Protects any user account information stored by the system
  • O/S has been hardened - additional network services have been removed.
  • Services are specialized services and not vulnerable to common vulnerabilities
  • Access to the OS has been restricted by the User Interface
  • Certification by trusted industry organizations

Describe the Host Checker and the remediation actions that can be taken.


What functionality does the Host Checker API provide?

  • The Host Checker provides the ability to examine processes, services, and files on the client computer and use that information to determine how the intranet is accessed.
  • Remediation Actions include:
    • Redirection of the user to a custom page describing how to fix the problem
    • Evaluation of an alternate policy
    • Killing a process or deleting a file on the client system
  • Allows third party personal firewall and AV programs to communicate their status to the Host Checker

What are the components of the Juniper Endpoint Defense Initiative?

  • Cache Cleaner
  • Host Checker (Native Host Check)
  • Host Checker Client Interface (Host Checker API)
  • Host Checker Server Integration Interface
Describe the functionality of the Cache Cleaner.
  • Used to remove redisual data to prevent subsequent users from finding temporary copies of files
    • Temporary files
    • Application Caches
    • Browser History


Describe the Host Check Server Integration Interface.
  • API allowing integration of a JEDI compliant system with the IVE
  • Prompt Host Checker to run third party software on the client
    • Host Integrity Scans
    • Malware detectors
  • Specify with granularity what the Host Checker should do based on results.  You can dynamically map users based on policies to:
    • Realms
    • Roles
    • Resources

Which trusted industry organizations certify the IVE platform?


What industry security certifications does Juniper hold?

  • iSec Partners
  • Cybertrust
  • TruSecure
  • VPNC
  • FIPS
  • ICSA Labs
  • Only vendor in the queue for Common Criteria
Describe core access
  • Provided through the browser
  • Provides access to all internal web sites and applications which provide web interfaces, including OWA
  • Internal resources are never accessed directly by the client
  • Allows most detailed level of auditing and logging of any access method
  • Can be used to present file shares, telnet sessions, and terminal services
  • Supports complex Java, JavaScript, and Flash
Describe SAM
  • Captures only certain application traffic based and forwards it to the IVE.
  • Suffers from less sophisticated logging than Core Access, but is more granular than Network Connect.
  • Deployed with Java Secure Application Manager JSAM or with Active X Secure Application Manager WSAM.
  • JSAM forwards traffic based on TCP port, and WSAM forwards traffic based on the application executable.
  • JSAM needs access to the hosts table.  On NTFS, this requires administrative access.  On Linux, this requires root level access.
  • Does not support applications in which the server initiates the communication.
Describe Network Connect.
  • Creates a Virtual Network Adapter with an IP Address from the internal network.
  • Attempts to use IPSec, then fails back to SSL
  • Can be integrated with the Graphical Identification and Authorization (GINA) module in Windows, allowing the user to log into the corporate network at the same time they log into Windows
  • Can be deployed with Java or Active X, supporting Windows, Linux, and Mac
  • Suffers from the least amount of logging (none) compared to SAM and Core Access
Identify the 5 types of authentication which the IVE products support.
  • Internal authentication uses a database stored within the IVE device.
  • External Authentication can use 4 industry defined mechanisms:
    • NTLM for Windows NT, and Kerberos for Windows 2000 and above
    • LDAP provider
    • Radius provider
    • Secure ID for two factor authentication
Define Authorization and describe how realms are related to the authorization process.
  • Specifies what actions a user can perform
  • Is based on some aspect of the user
  • Realms provide associations to authentication servers, user roles, and pre-authentication options.
What are the three types of Authentication?
  • Pre-Authentication
  • User Roles
  • Resource Policies
Define Pre-Authentication. What are the qualifications which fall under pre-authentication?
  • Defines checks which are run before a user is prompted for credentials 
  • Qualifications include:
    • Source ip address
    • Whether the system is running current antivirus and firewall software
    • Browser settings
    • Results of the host checker process
    • Number of concurrent users and password length
How do user roles define what the user will have access to?
  • Whether the user will have access to JSAM, WSAM, or NC.
  • Controls the settings of Core Access
  • Define applications for SAM, and the NC address
  • Are defined as separate objects and not part of a Realm
What is the difference between roles and resource policies?
  • Roles are evaluated when the user logs in
  • Resource policies are checked when the resource is accessed
Define the authorization flow of the IVE objects.
  • User attempts to acess the IVE URL
  • Pre-authentication authorization rules are checked to see which realms are available to the user
  • User is presented with a login page based on which realms are available to the user
  • User is authenticated, then mapped to roles defined in the realm. 
  • This determines the final window presented to the user.
  • Whenever the user tries to access a resource, the corresponding resource policy is checked for appropriate access.
How can users be mapped to roles?
  • Based on the user name
  • LDAP group membership
  • Radius (most simplistic and easier configuration)
What interface is supported for initial configuration of the IVE?  What are it's settings?
  • Menu driven setup over serial console and terminal emulation software
  • 9600 baud, 8 data bits, 1 stop bit, and no flow control
List the settings which are configured during the initial configuration.
  • IP Address
  • Netmask
  • Default Gateway
  • DNS
  • Domain
  • Default SSL certificate
  • Administrator credentials
How is the administrator web site accessed?  What is special about the administrator page?
  • Access is available over http, located at the IP Address of the IVE, and the word admin is located in the URL
  • There is a note on the screen which confirms the administrator login page
List the steps required to add a new Active Directory or Windows NT authentication server.  Can this server be used for authorization?
  • Select "Signing in" from the left navigation bar
  • Select "Active Directory/ Windows NT" from the server type selection box.
  • Type in the addresses of the two domain controllers and the name of the domain.
  • The servers can not be used for authorization without defining an LDAP server.
Up to how many LDAP servers can be used for Authentication/Authorization?  What are the appropriate settings to use for Active Directory?
  • Three
  • Specify the "Admin DN" as "cn=Administrator,cn=Users, dc=domain, dc=com", and type in the password
  • Under "Finding user entries"
    • Use the root of the domain as the "Base DN"
    • The user filter should be set to "samAccountName=<USER>"
  • Under "Determining group membership"
    • Use the root of the domain as the "Base DN"
    • Set the "Filter" to "CN=<GROUPNAME>"
    • Set the "Member Attribute" to "member"
What is the function of the Realm?
  • The Realm connects the Authentication Servers with the access given to the user when they log in
  • Many organizations only need one Realm
How is a new realm created? What must be done after the realm is created?
  • Type in a name for the realm
  • Select an LDAP server for both Authentication and Authorization
  • A new role must be created
  • A Role Map is defined for existing groups in the LDAP server to Roles.
List the competetive weaknesses of the Aventail product line
  • Immature appliance due to it's non hardened use of the Linux OS and software - susceptible to Apache based attacks.
  • Web file access has PHP3 bugs
  • Difficult to deploy, use, and manage
  • Aventail Connect uses win32 SOCKS5 client and requires installation and reboot on each PC.
  • No support for Windows Authentication such as Kerberos or NTLM
  • Provide standard web access - use an Active X port forwarder requiring admin rights on Windows.
List the competetive weaknesses of the Cisco product line.
  • Performance problems supporting 100 concurrent users on any model, and mixed mode IPSec SSL supports maximum of 50 users
  • Low end hardware platforms - VPN 3000 Series
  • Can take days to weeks to set up
  • No Java rewriting, little JavaScript support, no VBScript, no Flash support
  • No WSAM equivalent, no "true" application support, and no MD5 app checking
  • No features like NC and cannnot support UDP/ICMP
List the competetive weaknesses of F5's security line.
  • Strength lies in load balancing and traffic management
  • Many holes in security exist including Apache, weak endpoint security and built in virtual desktop with many known exploits.
  • Management, granular control, and network configuration changes are limited.
  • Performance problems with high performance applications such as VoIP.
List the competetive weaknesses of Citrix's product line.
  • Server based computing company recently entering security market with acquisitions of Net6 in late 2004 and NetScalar in mid 2005.
  • Weaker access options, poor endpoint security, poor management
List the competetive weaknesses of the Nortel product line
  • Entered the market after aquisition of Alteon in 2003
  • Core market is service providers
  • Strength is GUI flexibility
Supporting users have an ad free experience!