Daily Archives: April 1, 2014
Template Scope of Work: Juniper SRX Consultancy – CESG Certified VPN
Juniper SRX Consultancy – CESG Certified VPN
- Day 1 – Installation of 2 x Juniper SRX100 firewalls
- Day 2 – Configure Certificate based User VPN to SRX firewalls
- Day 3 – Continue configure & testing Certificate based User VPN to SRX firewalls
- Day 4 – Documentation based on CESG guidelines
- Day 5 – Follow up remediation work required as a result of the NCC or other third-party testing and validation
Caveats, Requirements, Assumptions
- SRX100 – Firewalls to be configured with VRRP for failover, but each firewall will be standalone. They will NOT be configured as a cluster with stateful failover (to meet CESG security requirements).
- SRX100 – Initial firewall configuration assumed to be a basic configuration, based on an estimated 1-day installation
- SRX100 – Full admin & user access to firewalls at all times for testing
- IPSec VPN – Configuration of client-to-firewall IPSec VPNs. The IPSec tunnel will be authenticated using X.509 certificates (using the Windows 7 IPSec client with certificates manually deployed).
- IPSec VPN must be configured as per CESG security guidelines (http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA-certified-products.aspx)
- IPSec VPN fully documented as to where it meets, and does not meet the requirements. This document is a key deliverable and will be submitted to the MoD as part of their compliance submission.
- IPSec VPN using Windows 7 clients with a certificate-based IPSec tunnel to the firewalls; IPSec VPN users will authenticate via RSA 2FA using RSA Authentication Manager V8.1 for user authentication
- IPSec VPN – configuration to be done on a best-endeavours basis, subject to any caveats/constraints from Microsoft & Juniper Networks
- IPSec VPN – Microsoft certificate server or other CA server to be in place and configured, with user certificates issued.
- RSA Solution: Reseller will be installing the RSA solution.
- RSA solution: Integration details to be provided
- IPSec VPN – after authentication users will be able to launch an MS Terminal Services desktop session.
- Consultant – Power for the consultant's laptop to be available in the data centre
- Consultant – Internet Access in data centre
- Consultant – serial & network access to firewalls
- Consultant – responsible for Juniper SRX configuration only
- Documentation – exact documents to be followed to be given to consultant
- Documentation – to be produced in a simple format covering the main technical issues, with formatting & other presentation as time allows.
- Equipment – Surrounding network already configured to allow routing between firewall, outside network & MS Terminal Services and MS Certificate servers
- Testing – customer to provide laptop to test.
- Follow-up work will be done as time allows and is assumed to consist of minor changes to configuration & documentation
- Remediation Work – undertaken after third party testing has been performed.
Implementing the Juniper Junos Pulse Secure Access Service: The right way
Junos Pulse Secure Access Service
Think about security at implementation time:
Interfaces
- Use both the external & internal interfaces
- Both interfaces should be behind a firewall
- If the same firewall is used, each interface should be connected to a different zone
- The internal & external interfaces should be on different subnets
- Make sure the internal interface is on its own network with no other devices
Management
- If a management interface is available, use it
- Make sure the external interface is disabled for management access
- Management authentication should use the internal database or an encrypted connection to an external database
- Strong passwords should be used
- Management should be limited to selected LAN subnets only
External ports through Firewall – to Junos Pulse Secure Access Service
- HTTP (auto redirect to HTTPS)
- HTTPS
- IKEv2 (UDP 500)
- ESP – NAT Traversal (UDP 4500)
Internal ports through Firewall – Services to LAN
- NTP
- DNS
- LDAPS (TCP 636)
- Kerberos (UDP 88, TCP 464 & UDP 464)
- SCP (SSH)
Less Secure Protocols if needed – Services to LAN
- NTLM
- LDAP (TCP 389)
- RADIUS (UDP 1812/1813)
- FTP
- SMB (TCP/UDP 135-139, TCP 445)
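As an added illustration of the three port lists above (not the product's or the author's code), the following Python audit checks a constructed firewall rule set against them: the untrusted zone may reach only the four external services on the SAS external interface, the SAS internal interface needs the listed LAN services, the less secure protocols are reported rather than blocked, and any management rule from the untrusted zone is flagged. The zone names, the Rule format and the sample rules are assumptions.

```python
"""Audit firewall rules against the Junos Pulse SAS port guidance.
Added example; zone names, rule format and SAMPLE_RULES are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    proto: str      # "tcp" or "udp"
    ports: tuple    # (low, high), inclusive


# Assumed zone names for the firewall in front of the SAS.
UNTRUST, SAS_EXT, SAS_INT, LAN, MGMT = "untrust", "sas-external", "sas-internal", "lan", "management"

# Internet -> SAS external interface: HTTP (redirect), HTTPS, IKEv2, ESP NAT-T.
EXTERNAL_ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 500), ("udp", 4500)}
# SAS internal interface -> LAN: NTP, DNS, LDAPS, Kerberos, kpasswd, SCP.
INTERNAL_REQUIRED = {("udp", 123), ("udp", 53), ("tcp", 53), ("tcp", 636),
                     ("udp", 88), ("tcp", 464), ("udp", 464), ("tcp", 22)}
# Less secure protocols: LDAP, RADIUS, FTP, SMB/CIFS. Reported, not blocked.
LESS_SECURE = ({("tcp", 389), ("udp", 1812), ("udp", 1813), ("tcp", 21), ("tcp", 445)}
               | {("tcp", p) for p in range(135, 140)}
               | {("udp", p) for p in range(135, 140)})


def services(rule):
    """Expand a rule's port range into (proto, port) pairs."""
    return {(rule.proto, p) for p in range(rule.ports[0], rule.ports[1] + 1)}


def audit(rules):
    """Return (severity, message) findings; an empty list means the rule set matches the guidance."""
    findings = []
    seen_external, seen_internal = set(), set()
    for r in rules:
        svc = services(r)
        if r.from_zone == UNTRUST and r.to_zone == MGMT:
            findings.append(("high", f"management reachable from {UNTRUST}: {r}"))
        elif r.from_zone == UNTRUST and r.to_zone == SAS_EXT:
            seen_external |= svc & EXTERNAL_ALLOWED
            for proto, port in sorted(svc - EXTERNAL_ALLOWED):
                findings.append(("high", f"unexpected external exposure {proto}/{port}"))
        elif r.from_zone == SAS_INT and r.to_zone == LAN:
            seen_internal |= svc & INTERNAL_REQUIRED
            for proto, port in sorted(svc & LESS_SECURE):
                findings.append(("medium", f"less secure protocol open to LAN {proto}/{port}"))
            for proto, port in sorted(svc - INTERNAL_REQUIRED - LESS_SECURE):
                findings.append(("medium", f"unlisted service open to LAN {proto}/{port}"))
        else:
            findings.append(("info", f"rule outside SAS zones, not audited: {r}"))
    # Services the SAS needs that no rule permits.
    for proto, port in sorted(EXTERNAL_ALLOWED - seen_external):
        findings.append(("low", f"external service not permitted: {proto}/{port}"))
    for proto, port in sorted(INTERNAL_REQUIRED - seen_internal):
        findings.append(("low", f"required LAN service not permitted: {proto}/{port}"))
    return findings


# Constructed sample rule set with three deliberate problems and one omission.
SAMPLE_RULES = [
    Rule(UNTRUST, SAS_EXT, "tcp", (80, 80)),
    Rule(UNTRUST, SAS_EXT, "tcp", (443, 443)),
    Rule(UNTRUST, SAS_EXT, "udp", (500, 500)),
    Rule(UNTRUST, SAS_EXT, "udp", (4500, 4500)),
    Rule(UNTRUST, SAS_EXT, "tcp", (22, 22)),       # problem: SSH exposed externally
    Rule(SAS_INT, LAN, "udp", (123, 123)),
    Rule(SAS_INT, LAN, "udp", (53, 53)),           # omission: TCP 53 never permitted
    Rule(SAS_INT, LAN, "tcp", (636, 636)),
    Rule(SAS_INT, LAN, "udp", (88, 88)),
    Rule(SAS_INT, LAN, "tcp", (464, 464)),
    Rule(SAS_INT, LAN, "udp", (464, 464)),
    Rule(SAS_INT, LAN, "tcp", (22, 22)),
    Rule(SAS_INT, LAN, "tcp", (389, 389)),         # problem: plain LDAP
    Rule(UNTRUST, MGMT, "tcp", (443, 443)),        # problem: management from the Internet
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_RULES):
        print(f"[{severity}] {message}")
```

Running the block prints four findings for the sample set: the external SSH rule, the plain LDAP rule, the management rule, and the missing TCP 53 permit. Removing the three bad rules and adding the TCP 53 rule yields an empty list.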
Roles
- Should represent user groups
- Unmanaged Apple/Android
- Unmanaged Partner (Windows)
- Unmanaged Support (Windows)
- Unmanaged User (Windows)
- Managed User (Windows)
- Remediation Managed User (Windows)
Sign in Policies
- */ = Windows Users Realm
- */tablet= Apple/Android Users Realm
- */external = Third-Parties Realm
Apple/Android Users Realm
- Token Authentication
- AD Authentication
- No Host Checking Authentication Policy
- *Ipad* Browser Authentication Policy
- *Macintosh* Browser Authentication Policy
- *Android* Browser Authentication Policy
- Unmanaged Apple/Android Devices Group = Pulse VPN Client with Restricted ACL & No split tunneling
Windows Users Realm
- Token Authentication
- AD Authentication
- Selected AV Host Checking Authentication Policy – Managed Device
- Any AV Host Checking Authentication Policy – Unmanaged Device
- Registry Key Host Checking Authentication Policy – Managed Device
- *Windows* Browser Authentication Policy
- *Pulse* Browser Authentication Policy
- Managed Device Group = Pulse VPN Client (Access as required)
- Unmanaged Device Group = OWA Only
- Remediation Devices = Pulse VPN Client – restricted to Remediation Servers
Third-Parties Realm
- AD Authentication
- Restricted times on Support AD Accounts
- Any AV Host Checking Authentication Policy
- Windows 7/8 Host Checking Authentication Policy
- *Windows* Browser Authentication Policy
- *Pulse* Browser Authentication Policy
- Partners Group = Web Resources
- Support Group = Pulse VPN Client – restricted access
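The sign-in policies, realms, authentication policies and role mappings above can be read as one ordered evaluation: the sign-in URL selects the realm, the realm's browser policy and authentication servers are applied, and the host-check results and AD group pick the role and its access. The following Python model walks through that order for constructed sessions; it is an added example, not Pulse SAS code. The Session fields, the host-check labels ("any-av", "selected-av", "registry-key", "win7-8"), the AD group names ("partners", "support") and the treatment of a managed device (registry key present) that fails the selected-AV check as a remediation device are assumptions.

```python
"""Added model of sign-in policy -> realm -> authentication policy -> role.
Not Pulse SAS code; field names, host-check labels and group names are assumed."""
import fnmatch
from dataclasses import dataclass, field

# Sign-in URL path pattern -> realm; the catch-all "*/" is tried last.
SIGN_IN_POLICIES = (("*/tablet", "Apple/Android Users"),
                    ("*/external", "Third-Parties"),
                    ("*/", "Windows Users"))

# Per-realm authentication servers and browser authentication policies.
REALMS = {
    "Apple/Android Users": {"auth": ("token", "ad"),
                            "browsers": ("*Ipad*", "*Macintosh*", "*Android*")},
    "Windows Users":       {"auth": ("token", "ad"),
                            "browsers": ("*Windows*", "*Pulse*")},
    "Third-Parties":       {"auth": ("ad",),
                            "browsers": ("*Windows*", "*Pulse*")},
}


@dataclass
class Session:
    path: str                     # URL path the user signed in at
    user_agent: str
    token_ok: bool = False        # RSA token result (assumed already checked)
    ad_ok: bool = False           # AD result (assumed already checked)
    ad_groups: set = field(default_factory=set)   # assumed names: "partners", "support"
    host_check: set = field(default_factory=set)  # assumed labels: "any-av", "selected-av", "registry-key", "win7-8"


@dataclass
class Decision:
    allowed: bool
    realm: str = ""
    role: str = ""
    access: str = ""
    reason: str = ""


def select_realm(path):
    for pattern, realm in SIGN_IN_POLICIES:
        if fnmatch.fnmatchcase(path, pattern):
            return realm
    return None


def browser_allowed(realm, user_agent):
    # Case-insensitive so "*Ipad*" also matches the real "iPad" token (assumption).
    ua = user_agent.lower()
    return any(fnmatch.fnmatchcase(ua, p.lower()) for p in REALMS[realm]["browsers"])


def authenticated(realm, s):
    results = {"token": s.token_ok, "ad": s.ad_ok}
    return all(results[server] for server in REALMS[realm]["auth"])


def map_role(realm, s):
    """Role mapping per realm; returns (role, access) or None when nothing matches."""
    hc = s.host_check
    if realm == "Apple/Android Users":          # no host checking on this realm
        return ("Unmanaged Apple/Android", "Pulse VPN client, restricted ACL, no split tunneling")
    if realm == "Windows Users":
        managed = "registry-key" in hc          # assumption: registry key marks a managed device
        if managed and "selected-av" in hc:
            return ("Managed User (Windows)", "Pulse VPN client, access as required")
        if managed:                             # managed device failing the selected-AV check
            return ("Remediation Managed User (Windows)", "Pulse VPN client, remediation servers only")
        if "any-av" in hc:
            return ("Unmanaged User (Windows)", "OWA only")
        return None
    if realm == "Third-Parties":
        if not {"any-av", "win7-8"} <= hc:      # both host checks are required
            return None
        if "support" in s.ad_groups:
            return ("Unmanaged Support (Windows)", "Pulse VPN client, restricted access")
        if "partners" in s.ad_groups:
            return ("Unmanaged Partner (Windows)", "Web resources only")
    return None


def evaluate(s):
    realm = select_realm(s.path)
    if realm is None:
        return Decision(False, reason="no sign-in policy matches the URL")
    if not browser_allowed(realm, s.user_agent):
        return Decision(False, realm, reason="browser authentication policy rejected the user agent")
    if not authenticated(realm, s):
        return Decision(False, realm, reason="authentication failed")
    mapped = map_role(realm, s)
    if mapped is None:
        return Decision(False, realm, reason="no role matched (host check or AD group)")
    return Decision(True, realm, mapped[0], mapped[1])


if __name__ == "__main__":
    demo = Session("/", "Mozilla/5.0 (Windows NT 6.1) Pulse", token_ok=True, ad_ok=True,
                   host_check={"registry-key", "selected-av"})
    print(evaluate(demo))
```

The order matters: a Windows laptop signing in at */tablet is refused by the Apple/Android realm's browser policy before any credentials are checked, and an unmanaged Windows device that passes authentication but only the any-AV check is limited to OWA rather than given the Pulse client.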
Resource Profiles
- Use wherever possible
- Use templates where possible
Pulse Client
- Apple/Android users – manual start of Pulse, can change settings, */tablet connection – Pool A
- External third-party users – manual start of Pulse, can change settings, */external connection – Pool B
- Internal Windows users – location awareness rules, cannot change settings, default connection – Pool C