NAC Advanced Technologies Business Development Manager Toru Konno toruk@juniper.net v1.81 Copyright 2008 Juniper Networks, Inc. www.juniper.co.jp 1
J-SOX, ISMS, PCI DSS; IM/VoIP/VoD
Network Access Control (NAC)
NAC Overview: 802.1x; In-Line; VPN (SSL, IPSec); DHCP
Juniper's UAC Overview
Juniper UAC: Pre-Admission / Post-Admission
UAC: Policy Manager; Agent (PC); Firewall & 802.1X Devices
UAC: Infranet Enforcer (IE); Infranet Agent (IA) (a.k.a. Odyssey Access Client): Personal Firewall, VPN, IEEE 802.1X; IC 25; Infranet Controller (IC): IA, IE
Infranet Enforcer (IE): Juniper Network Enforcer (Application Base): NetScreen SSG/ISG, IC; Juniper Enforcer; IEEE 802.1X Enforcer (VLAN Base): IEEE 802.1X VLAN; Host Enforcer (Application Base): Agent FW
Infranet Agent (IA): OS (Windows 2000/XP/Vista, Mac OS, Linux, Solaris); Agent / Agent-Less; HostChecker (PC AntiVirus / Windows Update); HostEnforcer (FW); IPsec; IEEE 802.1X; Windows /GINA; TNC (IMC-IF)
Infranet Agent (IA) Host Checker: Juniper OS Windows; TCP/UDP; MD5; NetBIOS; PC MAC Address; TNC
Infranet Agent (IA) IPsec Tunnel: IPsec between IA and IE; NAT Traversal (NAT, IPsec); Firewall (IE); Agent (IA); * IPSec
Infranet Agent (IA): Windows; Shavlik; Microsoft
Infranet Agent (IA) Auto-Remediation: Windows 2000/XP/Vista
Infranet Agent (IA) Agent-less: IE, IC; IA via Active-X/Java; Agent (IA); Firewall (IE)
Infranet Agent vs Agent-Less
Full Agent Mode: OS Windows 2k, XP
Persistent Agent Mode: Mac, Linux
Agent-less Mode: UAC OS (Full Agent Mode for Linux, Solaris, Mac OS: 2008 Q4)

Mode                                .1X Supplicant  IPsec Tunnel  Patch Management  Host Checker  Host Enforcer  Auto remediation
Full Agent Mode (Windows2K, XP)     Yes             Yes           Yes               Yes           Yes            Yes
Persistent Agent Mode (MAC, Linux)  No              No            No                Yes           No             No
Agent-less Mode (All)               No              No            *Yes              Yes           No             **Yes
* Agent-Less: Windows
** Agent-Less Auto Remediation
Infranet Controller (IC): UAC; IA; IE; Pre (RADIUS, Active Directory, LDAP, RSA, PKI, OTP, NIS, SSO); TNC (IMV-IF)
Infranet Controller (IC): UAC; SSG UTM; *SBR RADIUS; EX 802.1x; TCG/TNC IMV-IF; TCG/TNC; NAP. *Steel-Belted Radius: Juniper Networks RADIUS
Infranet Controller (IC): Role, VLAN, Policy; Role to VLAN; Role to Resource Policy; Resource Policy: Resource, VLAN, ACL, QoS. Agent (IA) User ID: ToruK PASS: a5gtrm9; (IC); Resources; (IE)
Infranet Controller (IC): IC6500: 30,000, 1: 15,000 (IA); L2 (IE) 1024; L3 (IE) 128 IA; High Availability/Scalability: 8, Active-Active, Active-Standby; HDD. IC4500: 5,000, 1: 5,000 (IA); L2 (IE) 512; L3 (IE) 64 IA; High Availability/Scalability: 2, Active-Standby. http://www.juniper.co.jp/products_and_services/unified_access_control/
Security Solutions Around UAC
IdM; Juniper Unified Access Control; 802.1x; SIEM; In Line; VPN (SSL, IPSec)
UAC: SA; L2: EX 802.1X, IA; NSM + STRM; L3: NS/SSG/ISG; L3: IDP
UAC: Identity Management (NAP); Patch Management and Remediation; PKI; Directory; Managed PKI; LDAP/RADIUS/SDI; 802.1X Support Devices; OTP; SSO; IEEE 802.1x; Host Checker; Syslog; Binary integrity; Integrated Compliance; Endpoint Security; TPM Solution; Security Information & Event Management (SIEM)
Deployment Scenario
UAC A: Policy Manager (IC); Agent (IA) (PC); Firewall (IE)
UAC B: Policy Manager (IC); Firewall (IE); Agent-less (IA) via Java/Active-X (PC)
UAC C: Policy Manager (IC); (PC + Agent (IA)); 802.1X Devices (IE); 802.1X VLAN; 802.1X EAP
UAC D: Policy Manager (IC); (PC + Agent (IA)); 802.1X Devices (IE); 802.1X VLAN; Agent (IA) 802.1X EAP
UAC E: Policy Manager (IC); (PC + Agent (IA)); Host Enforcer
UAC F: TCG-TNC API; Radius, LDAP, AD, OTP, PKI, SAML; Policy Manager (IC); (PC); Firewall (IE); PKI; Agent (IA); 802.1X Devices (IE); TCG-TNC API
Deployment Scenario
Example of UAC use in an enterprise network environment: HQ Administration Room; Enterprise HQ; DC (Data Center); SOHO/Small Branch/Mobile Users; Branch Office
HQ: Dynamic VLAN; Multi-Supplicant; Unmanaged device (DNS/DHCP, etc., Network Printer); UAC Agent (Supplicant): Host Checker, Personal Firewall
HQ: L3/4 enforcement; UTM dynamic control; URL Redirect; Local Servers; UAC Agent (Agent-Less mode): Host Checker
HQ: Working with ext IdM; Looking up attributes; HQ DC: L3/4 enforcement, IDP Module; User information stored
HQ / Branch: L3/4 enforcement; UTM; Local Servers; UAC Agent: Host Checker, Host Enforcer; UAC Agent (Agent-Less mode): Host Checker
Employee remote access (SSL VPN): HR, Sales, Home Workers, Mobile Workers. Extranet access (SSL VPN): Business Partners, Finance, Customers, Department Servers. SSL-VPN (Core, Sum, NC), SVW, etc.; Host Checker; L2-7 enforcement; Authentication
Secure Access (SA): IC6500: 30,000, 1: 10,000 SSL; High Availability/Scalability: 4, Active-Active, Active-Standby; HDD. IC2500/4500: 100/1,000, 1: 1,000 SSL; High Availability/Scalability: 2, Active-Active, Active-Standby. http://www.juniper.co.jp/products_and_services/ssl_vpn_secure_access/
Juniper UAC: UAC 2005