Providing a remote access solution has never been simpler or more cost-effective. It is well established that SSL VPN solves most, if not all, of the obstacles inherent in IPSec VPN and traditional hand-built extranet portals.
These issues centre on deployment, management and cost, and in many instances they have been the reason why the “remote access” service was only given to a few “super users”.
As early adopters of Juniper SSL (formerly Neoteris and Netscreen SSL), Net-Ctrl have an enviable track record in installing and supporting Juniper SSL in complex multinationals as well as SMB environments.
The beauty of Juniper SSL is that the deployment is located where your I.T. professionals are stationed. Furthermore, as no changes are required to the internal network, the implementation process is rarely more than two days from start to finish.
Juniper SSL is able to integrate tightly into an organisation’s user database infrastructure, principally, but not limited to, MS Active Directory and LDAP. This means that if a user exists on AD for internal use then they will by default (if enabled to do so) have access via the Juniper SSL portal into the internal network from outside.
For these reasons we term this an “Instant Virtual Extranet” (IVE).
Once in place, which is normally on a DMZ of an Internet gateway firewall, the Juniper SSL appliance becomes a single portal for every conceivable user type, be they an employee (junior to CEO), agent, customer, contractor, supplier or anyone who requires access to information or applications (web based or otherwise) hosted within an organisation’s internal network.
Higher-end users such as IT staff can also benefit from tools designed specifically with them in mind, which means that through SSH connections (via SSL) they can manage servers, routers, switches, etc. whilst away from their physical office.
At this point it is worth mentioning that Juniper SSL has a formidable array of functions that make the entire experience both secure for the organisation and easy for the end-user.
Juniper SSL ensures that the client PC does not write to memory, but if the user chooses to save into temporary internet files then this data will be removed automatically whether the user session is terminated accidentally or deliberately.
There are three methods to gain access to the internal network when using the Juniper SSL IVE appliance. These are:
The first two methods are made using a proxy technology that means that no malicious code can exploit the connection.
Additionally, prior to the SSL connection being established the client PC can be probed for profiling purposes which will then determine what level of access that user/PC client will be given. Real-life examples are detailed below:
Joe, a company director, has a corporate laptop computer which he uses at home and on business trips, though sometimes he requires remote access when he doesn’t have his laptop with him.
The laptop has been given a small text file which is hidden somewhere on his C drive. It has Trend Micro antivirus and a Checkpoint Integrity PC firewall installed. Joe normally carries a SafeWord Strong User Authentication password generator, but at weekends this usually gets left at home when he’s out and about.
It’s a typical weekday evening. Joe arrives home at 6.30pm, opens a bottle of something cool, kisses the wife and kids and then decides to have a quick look at his email through the family PC.
On this PC “desktop” there is a small Juniper SSL application called Secure Application Manager. Joe clicks it and is prompted to enter his domain user name and password and the password from his SafeWord security token. This takes 20 seconds in total to establish the connection.
Joe then clicks on his Outlook shortcut and within a few seconds he has access to corporate email and his designated file-shares.
It’s a Saturday evening. Joe and his wife are at a house party and Joe receives a phone call from a colleague saying that Joe really ought to read and respond to an email straight away. Luckily a PC is accessible so Joe opens the browser on an Apple Mac (a new experience for Joe who is MS through and through) and types in the URL for the corporate Juniper SSL extranet.
Oh no!
Joe doesn’t have his security token, but no worry: the system allows Joe to authenticate, but because it’s not his computer it will only allow him access to webmail and his home drive. This is all Joe needs to respond to the email and attach the draft document that the customer requires.
Joe also uses this opportunity to advise his customer that pricing and data sheets are now available through the new Juniper SSL portal which will allow the customer to access what he needs, when he needs it.
Pleasantly surprised by the Mac’s GUI Joe exits the portal and resumes his evening, remembering to turn off his mobile phone!
It’s Tuesday evening and Joe’s team is playing on TV. Joe is torn between watching the game and finishing a spreadsheet for tomorrow morning, but decides to do both!
Joe connects wirelessly to the Internet ADSL router using his corporate laptop computer. Using his SafeWord security token and his static credentials he quickly gains access to the corporate system. All of the requirements that the in-built host-checker is looking for are located which means that he has maximum external access rights.
Joe locates the spreadsheet on his corporate network home drive and settles down to an evening of statistics both on and off the field of play.
The rain has been torrential for three days and the river has burst its banks again. The last time this happened the offices were fine but only a handful of staff could make it in to work. This time it’s no different, except that the company has a contingency plan for just this kind of event.
They ordered the purchase of the Juniper SSL ICE (In Case of Emergency) licence which provides access for everyone who needs it for a limited period.
So Joe is not alone in being able to work and serve his customers whilst they all wait for the water to subside.
These three access requirements are not untypical scenarios. The message worth remembering here is that access through the Juniper SSL appliance is granular and can be dynamically granted dependent upon the results of the integrity scan and authentication method.
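The decision described above can be modelled as a small policy function. This is an added example, not Juniper configuration or code from the original page; the tier names, check names and `Session` type are hypothetical, and two points are assumptions the page does not state: that the family PC fails the host checks, and that a compliant host without a token still gets the lowest tier.

```python
from dataclasses import dataclass, field

# Endpoint checks taken from the laptop described in the scenarios; names are hypothetical.
REQUIRED_CHECKS = ("marker_file", "antivirus", "personal_firewall")

# What each tier exposes, as stated in the three scenarios.
TIER_RESOURCES = {
    "deny": (),
    "restricted": ("webmail", "home drive"),
    "standard": ("corporate email", "designated file-shares"),
    "full": ("maximum external access rights",),
}

@dataclass(frozen=True)
class Session:
    password_ok: bool                      # static domain credentials verified
    token_ok: bool                         # one-time password from the token verified
    host_report: dict = field(default_factory=dict)  # results of the endpoint probe

def host_compliant(report):
    """Fail closed: a check that is absent or not exactly True counts as failed."""
    return all(report.get(name) is True for name in REQUIRED_CHECKS)

def access_tier(session):
    """Host posture can only raise the tier after authentication; it never replaces it."""
    if not session.password_ok:
        return "deny"
    if not session.token_ok:
        # Assumption: no token means the lowest tier even on a compliant host.
        return "restricted"
    return "full" if host_compliant(session.host_report) else "standard"

# Constructed sessions mirroring the three scenarios, plus one degraded laptop.
# Assumption: the family PC and the borrowed Mac do not satisfy the host checks.
FAMILY_PC = Session(password_ok=True, token_ok=True)
PARTY_MAC = Session(password_ok=True, token_ok=False)
LAPTOP = Session(True, True, {name: True for name in REQUIRED_CHECKS})
LAPTOP_AV_UNKNOWN = Session(True, True, {**LAPTOP.host_report, "antivirus": "unknown"})

if __name__ == "__main__":
    for label, s in [("family PC", FAMILY_PC), ("party Mac", PARTY_MAC),
                     ("corporate laptop", LAPTOP), ("laptop, AV unknown", LAPTOP_AV_UNKNOWN)]:
        tier = access_tier(s)
        print(f"{label}: {tier} -> {', '.join(TIER_RESOURCES[tier]) or 'no access'}")
```

The fourth session shows the fail-closed behaviour: a laptop whose antivirus status cannot be confirmed drops from the full tier to the standard one instead of being trusted.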
The three access methods:
How SafeWord authentication integrates:
Access Improved, now enhanced “end point” security.
We’ve indicated that Juniper SSL doesn’t write to memory, but sometimes there is a requirement for just that. The spreadsheet that Joe was working on was to stay on his laptop computer, even though the data is very business sensitive and should not fall into the wrong hands.
Joe delivers his presentation but loses his laptop computer
Joe places his laptop carry case between his feet whilst buying a much needed coffee at the railway station. Whilst he searches for the right coins someone unknown makes off with his laptop. He’ll never see it again.
It’s a major inconvenience and an embarrassment but because his IT team is forward thinking they have deployed a centrally managed hard disc encryption system to his laptop computer. This means that the data cannot be viewed by anyone without the correct user credentials, credentials that are stored securely in Joe’s brain and the Management Console back at HQ.
Disaster averted but Joe will not hear the end of this from his colleagues until the end of time!