What are the two methods for security access? 

What component provides the VPN technology?

Which method is the best for vpn and why?

• SSL and IPSec
• Network Connect provides the VPN technology
• IPSec is the preferred method because it was built to support multiple protocols.  SSL can only be used to tunnel between one client and the network and is not suppported for site to site vpns

What features does the TLS handshake protocol provide.

What does the TLS record protocol provide.

The Transport Layer Security Protocol provides the following features:

• Peer Identity verification
• Uses public/private key cryptology
• Standard Key negotiation

The TLS record protocol provides:

• Privacy via symmetric encryption (DES, RCA
• Keys generated during the TLS handshake
• Reliability via HMAC mechanisms (SHA, MD5)

Briefly describe the Juniper SPG.

• SPG = Secure Products Group
• Market Leader since aquisition of NetScreen
• Unique because they seek out security reviews of the IVE (Instant Virtual Extranet) Platform
• Market Leader because of their purpose built application security gateway

Define IPSec and describe it's use in VPNs.

What is the most significant difference between IPSec and SSL for VPNs.

• Network layer protocol implemented to provide secure channels across the internet
• Designed to carry any IP traffic from many users through a single tunnel. 
• It is highly efficient and requires less network overhead than SSL

• SSL can only be used to tunnel between a single user and a server

• Symmetric encryption uses the same key to encode and decode the data.
• Asymmetric encryption uses a pair of keys (Public and Private) to encode and decode the data.

• Client requests the channel through https: prefix.
• Server transfers it's x.509 certificate containing it's public key
• The client uses the public key to encrypt a symmetric key which will be used for the remainter of the session

• Uses Internet Key Exchange (IKE).  IKE uses two phases.
• Phase I
  • Uses UDP port 500
  • An X.509 certificate is used, or a pre-shared key
  • Diff-Helman (asymmetric) is used to transfer the information
• Phase II
  • Exchange of information about what networks will communicate over the tunnel
  • No equivalent in SSL

• RSA is used for asymmetric.
• 3DES or AES is used for symmetric

• X.509 is a standard which defines how asymmetric keys should be packaged
• Public Key
• Key owner
• Expiration date
• Name of organization which issued the key
• Allowable uses of the key
• Digital signature enabling the client to verify key and certificate holder integrity

Identify the two IVE product families Juniper offers and list the products in each.

Identify the major difference between the product families.

• Juniper Networks Secure Access

  • SA 700, SA 2000, SA 4000, SA 6000, and SA 6000 SP
• NetScreen-SA
  • NS-SA 1000, NS-SA 3000, NS-SA 5000

• The NetScreen-SA line was acquired from NetScreen in April 2004
• The Secure Access line is Juniper's newest offering

Describe the NetScreen Secure Access Product Line

• Targeted to small to medium (1000), medium to large (3000), and large enterprises (5000)
• Offers scalability options and provides headroom for user growth and application complexity
• Offers High Availability Clustering Options with Stateful System Peering, Active/Passive, and Active/Active configurations
• Replication provides for Multi-Site clusters and high user volume

• SA 700 (Small Medium Enterprises)
  • 10 to 25 concurrent users
  • Network Connect
• SA 2000 (Medium Enterprise)
  • 25 to 100 concurrent users
  • SAM/Network Connect
  • Secure Meeting
  • Advanced with CM
  • Cluster Pairs
• SA 4000 (Medium - Large Enterprise)
  • 50 to 1000 concurrent users
  • SAM/Network Connect
  • Secure Meeting
  • Advanced with CM
  • Instant Virtual System
  • SSL Acceleration
  • Cluster Pairs
• SA 6000 (Large Global Enterprise)
  • 100 to 2500 concurrent users
  • SAM/Network Connect
  • Secure Meeting
  • Advanced with CM
  • Instant Virtual System
  • GBIC
  • SSL Acceleration
  • Multi-Unit Clusters

• Industry's first SSL VPN platform with virtualization
• Enables Service Providers to deliver SSL VPN services to multiple enterprises

What is FIPS? 

Which products comply with FIPS certification?

• FIPS stands for Federal Information Processing Standard.
• NetScreen-SA 4000 and 6000 are FIPS certified

• Design of the Platform
• Security implemented at the client in addition to the server
• Certification by trusted industry organizations

• The file system is encrypted using AES
  • Ensures the data and proprietary information is protected in case of theft
  • Protects any user account information stored by the system
• O/S has been hardened - additional network services have been removed.
• Services are specialized services and not vulnerable to common vulnerabilities
• Access to the OS has been restricted by the User Interface
• Certification by trusted industry organizations

Describe the Host Checker and the remediation actions that can be taken.

What functionality does the Host Checker API provide?

• The Host Checker provides the ability to examine processes, services, and files on the client computer and use that information to determine how the intranet is accessed.
• Remediation Actions include:
  • Redirection of the user to a custom page describing how to fix the problem
  • Evaluation of an alternate policy
  • Killing a process or deleting a file on the client system

• Allows third party personal firewall and AV programs to communicate their status to the Host Checker

What are the components of the Juniper Endpoint Defense Initiative?

• Cache Cleaner
• Host Checker (Native Host Check)
• Host Checker Client Interface (Host Checker API)
• Host Checker Server Integration Interface

• Used to remove redisual data to prevent subsequent users from finding temporary copies of files
  • Temporary files
  • Application Caches
  • Browser History

• API allowing integration of a JEDI compliant system with the IVE
• Prompt Host Checker to run third party software on the client
  • Host Integrity Scans
  • Malware detectors
• Specify with granularity what the Host Checker should do based on results.  You can dynamically map users based on policies to:
  • Realms
  • Roles
  • Resources

Which trusted industry organizations certify the IVE platform?

What industry security certifications does Juniper hold?

• iSec Partners
• Cybertrust
• TruSecure

• VPNC
• FIPS
• ICSA Labs
• Only vendor in the queue for Common Criteria

• Provided through the browser
• Provides access to all internal web sites and applications which provide web interfaces, including OWA
• Internal resources are never accessed directly by the client
• Allows most detailed level of auditing and logging of any access method
• Can be used to present file shares, telnet sessions, and terminal services
• Supports complex Java, JavaScript, and Flash

• Captures only certain application traffic based and forwards it to the IVE.
• Suffers from less sophisticated logging than Core Access, but is more granular than Network Connect.
• Deployed with Java Secure Application Manager JSAM or with Active X Secure Application Manager WSAM.
• JSAM forwards traffic based on TCP port, and WSAM forwards traffic based on the application executable.
• JSAM needs access to the hosts table.  On NTFS, this requires administrative access.  On Linux, this requires root level access.
• Does not support applications in which the server initiates the communication.

• Creates a Virtual Network Adapter with an IP Address from the internal network.
• Attempts to use IPSec, then fails back to SSL
• Can be integrated with the Graphical Identification and Authorization (GINA) module in Windows, allowing the user to log into the corporate network at the same time they log into Windows
• Can be deployed with Java or Active X, supporting Windows, Linux, and Mac
• Suffers from the least amount of logging (none) compared to SAM and Core Access

• Internal authentication uses a database stored within the IVE device.
• External Authentication can use 4 industry defined mechanisms:
  • NTLM for Windows NT, and Kerberos for Windows 2000 and above
  • LDAP provider
  • Radius provider
  • Secure ID for two factor authentication

• Specifies what actions a user can perform
• Is based on some aspect of the user
• Realms provide associations to authentication servers, user roles, and pre-authentication options.

• Pre-Authentication
• User Roles
• Resource Policies

• Defines checks which are run before a user is prompted for credentials 
• Qualifications include:
  • Source ip address
  • Whether the system is running current antivirus and firewall software
  • Browser settings
  • Results of the host checker process
  • Number of concurrent users and password length

• Whether the user will have access to JSAM, WSAM, or NC.
• Controls the settings of Core Access
• Define applications for SAM, and the NC address
• Are defined as separate objects and not part of a Realm

• Roles are evaluated when the user logs in
• Resource policies are checked when the resource is accessed

• User attempts to acess the IVE URL
• Pre-authentication authorization rules are checked to see which realms are available to the user
• User is presented with a login page based on which realms are available to the user
• User is authenticated, then mapped to roles defined in the realm. 
• This determines the final window presented to the user.
• Whenever the user tries to access a resource, the corresponding resource policy is checked for appropriate access.

• Based on the user name
• LDAP group membership
• Radius (most simplistic and easier configuration)

• Menu driven setup over serial console and terminal emulation software
• 9600 baud, 8 data bits, 1 stop bit, and no flow control

• IP Address
• Netmask
• Default Gateway
• DNS
• Domain
• Default SSL certificate
• Administrator credentials

• Access is available over http, located at the IP Address of the IVE, and the word admin is located in the URL
• There is a note on the screen which confirms the administrator login page

• Select "Signing in" from the left navigation bar
• Select "Active Directory/ Windows NT" from the server type selection box.
• Type in the addresses of the two domain controllers and the name of the domain.
• The servers can not be used for authorization without defining an LDAP server.

• Three
• Specify the "Admin DN" as "cn=Administrator,cn=Users, dc=domain, dc=com", and type in the password
• Under "Finding user entries"
  • Use the root of the domain as the "Base DN"
  • The user filter should be set to "samAccountName=<USER>"
• Under "Determining group membership"
  • Use the root of the domain as the "Base DN"
  • Set the "Filter" to "CN=<GROUPNAME>"
  • Set the "Member Attribute" to "member"

• The Realm connects the Authentication Servers with the access given to the user when they log in
• Many organizations only need one Realm

• Type in a name for the realm
• Select an LDAP server for both Authentication and Authorization

• A new role must be created
• A Role Map is defined for existing groups in the LDAP server to Roles.

• Immature appliance due to it's non hardened use of the Linux OS and software - susceptible to Apache based attacks.
• Web file access has PHP3 bugs
• Difficult to deploy, use, and manage
• Aventail Connect uses win32 SOCKS5 client and requires installation and reboot on each PC.
• No support for Windows Authentication such as Kerberos or NTLM
• Provide standard web access - use an Active X port forwarder requiring admin rights on Windows.

• Performance problems supporting 100 concurrent users on any model, and mixed mode IPSec SSL supports maximum of 50 users
• Low end hardware platforms - VPN 3000 Series
• Can take days to weeks to set up
• No Java rewriting, little JavaScript support, no VBScript, no Flash support
• No WSAM equivalent, no "true" application support, and no MD5 app checking
• No features like NC and cannnot support UDP/ICMP

• Strength lies in load balancing and traffic management
• Many holes in security exist including Apache, weak endpoint security and built in virtual desktop with many known exploits.
• Management, granular control, and network configuration changes are limited.
• Performance problems with high performance applications such as VoIP.

• Server based computing company recently entering security market with acquisitions of Net6 in late 2004 and NetScalar in mid 2005.
• Weaker access options, poor endpoint security, poor management

• Entered the market after aquisition of Alteon in 2003
• Core market is service providers
• Strength is GUI flexibility