Juniper SSL/VPN Basic Functionality

October 15th, 2009

I had to do a quick write up on the Juniper Secure Access SSL/VPN products for a client. It seemed a waste to be for his eyes only so I have shared it here (slightly modified) hoping it will help someone out.

So, basically there are three broad levels of remote access that the Juniper SSL/VPN offers. They are:

  • Web Based
  • Secure Application Manager (SAM)
  • Network Connect (NC)

The levels of functionality increase as you move down the list.

Web Based
This is the simplest access level. A user can connect to the Juniper SSL/VPN using a standard web browser and from the browser interface get access to a broad range of resources within the corporate network. The administrator must provide explicit access to these resources in order for users to connect to them. Shortcut links can be placed on the portal webpage to make life easy for the end user.

Potential available resources include:

  • Web Access (internal or external Websites)
  • File access (Access to file shares)
  • Telnet/SSH
  • Terminal Services

Secure Application Manager (SAM)
SAM instructs any traffic coming from a particular application (outlook.exe for example) to be pushed down the tunnel rather than onto the resident network. I usually don’t use this feature myself as you can usually get the same functionality and more from NC. However it does have its uses.

Network Connect (NC)
NC requires administrative privileges to be installed. Once installed, NC acts much like a traditional IPSec VPN. In fact, NC will first attempt to set up an IPSec tunnel and fall back to tunnelling over SSL if that is unsuccessful. UDP port 4500 and IP protocol 50 (ESP) must be open between the host and the SSL/VPN device for IPSec to work; SSL tunnelling only requires TCP port 443. Once connected, the host is actually granted an IP address on the internal network, which is perfect for applications that require server-initiated traffic.

The options above provide a higher level of granularity and flexibility than any IPSec VPN solution… but it doesn’t stop there :)

For each of the options above you have the ability to restrict or allow access based on a number of different factors.
These include, but are not limited to:

  • Protocols
  • Port Number, and
  • Destination IP

The way these restrictions are implemented is quite easy too. You have the ability to use a wildcard character (*) and it's as simple as this:

  • To allow traffic to your intranet URL and everything under it: http://myintranet/*
  • This can be extended to allow sub-domains as well by doing: http://*myintranet/*
  • To allow Remote Desktop traffic to a range of computers you can do it like this: tcp://10.10.10.10-25:3389, or to all computers: tcp://*:3389
  • You can even allow all traffic to all destinations like this: *:* (although this is not recommended :) )
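To make the rule syntax above concrete, here is a small Python evaluator written for this post as an added example; it is not Juniper's code, and its matching semantics (first matching rule wins, default deny, a trailing octet range such as 10-25, a rule with no port matching any port) are assumptions for illustration only.

```python
import re
from ipaddress import ip_address

# Constructed toy evaluator for wildcard resource rules like
# 'http://*myintranet/*', 'tcp://10.10.10.10-25:3389' or '*:*'.
# Semantics are assumptions for illustration, not the appliance's own.

def _glob(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _host_matches(pattern_host: str, host: str) -> bool:
    """Host part: a last-octet range (10.10.10.10-25) or a glob (*myintranet)."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", pattern_host)
    if m:
        try:
            ip = ip_address(host)
        except ValueError:
            return False  # a hostname never matches a numeric range
        return ip_address(m[1] + m[2]) <= ip <= ip_address(m[1] + m[3])
    return _glob(pattern_host.lower(), host.lower())

def rule_matches(rule: str, scheme: str, host: str, port: int, path: str = "/") -> bool:
    """Does one rule cover this request (scheme, host, port, path)?"""
    rule_scheme, sep, rest = rule.partition("://")
    if not sep:                      # bare '*:*' style rule: any scheme
        rule_scheme, rest = "*", rule
    rule_hostport, slash, rule_path = rest.partition("/")
    rule_host, _, rule_port = rule_hostport.partition(":")
    if not _glob(rule_scheme, scheme) or not _host_matches(rule_host, host):
        return False
    if rule_port and not _glob(rule_port, str(port)):
        return False
    # Assumption: a rule without a path component (tcp rules) ignores the path.
    return not slash or _glob("/" + rule_path, path)

def access_allowed(rules, scheme: str, host: str, port: int, path: str = "/") -> bool:
    """Rules are 'allow:<pattern>' or 'deny:<pattern>'; first match wins, default deny."""
    for rule in rules:
        action, _, pattern = rule.partition(":")
        if rule_matches(pattern, scheme, host, port, path):
            return action == "allow"
    return False
```

Note the caveat the evaluator exposes: a leading wildcard such as `http://*myintranet/*` also covers a host named `evilmyintranet`, so prefer the narrowest pattern that still covers the hosts you intend.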

The real fun begins when you start looking into the ‘Host Checker’ functionality. Host Checker allows you to check the connecting computer for certain items before allowing it to connect to the corporate network. A lot of companies like to ensure that the connecting computer has the latest (within a week or two) AV definitions installed before allowing it access. That is only half of the Host Checker functionality. Based on the Host Checker results, you can actually change the level of access the user receives into the network. My personal favourite, and one that I suggest to all our clients, is to hide a registry key somewhere in the registry of all corporate laptops. Obviously you should trust your laptops a little more than an internet kiosk, right? So when the user logs in from a ‘trusted’ laptop we can give them their full access. However, if the registry key is not found we can assume they are on an untrusted computer and restrict their access, only issuing them with OWA access for example.

That’s a very basic rundown of the vast amount of functionality that the Juniper SSL/VPNs have. I must admit I really don’t like recommending products that I don’t believe in… That being said, I think that the Juniper Secure Access devices are awesome!!!