Template Scope of Work: Juniper SRX Consultancy – CESG Certified VPN


Juniper SRX Consultancy – CESG Certified VPN

  1. Day 1 – Installation of 2 x Juniper SRX100 firewalls
  2. Day 2 – Configure Certificate based User VPN to SRX firewalls
  3. Day 3 – Continue configure & testing Certificate based User VPN to SRX firewalls
  4. Day 4 – Documentation based on CESG guidelines
  5. Day 5 – Follow up remediation work required as a result of the NCC or other third-party testing and validation

Caveats, Requirements, Assumptions

  1. SRX100 – Firewalls to be configured with VRRP for failover, but each firewall will be standalone. They will NOT be configured as a cluster with stateful failover (to meet CESG security requirements).
  2. SRX100 – Initial firewall configuration assumed to be a basic configuration based on an estimated 1 day installation
  3. SRX100 – Full admin & user access to firewalls at all times to test
  4. IPSec VPN – Configuration of client-to-firewall IPSec VPNs. IPSec tunnel will be authenticated using x.509 certificates (using Windows 7 IPSec client with certs manually deployed).
  5. IPSec VPN must be configured as per CESG security guidelines (http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA-certified-products.aspx)
  6. IPSec VPN fully documented as to where it meets, and does not meet, the requirements. This document is a key deliverable and will be submitted to the MoD as part of their compliance submission.
  7. IPSEC VPN – Windows 7 clients with IPSec tunnel (cert based) to the firewalls; IPSEC VPN users will authenticate via RSA 2FA using RSA Authentication Manager V8.1 for user authentication
  8. IPSEC VPN – configuration to be done on best endeavours basis – based on any caveats/constraints from Microsoft & Juniper Networks
  9. IPSEC VPN – Microsoft Certificate or other CA server to be in place and configured with User certificate issued.
  10. RSA Solution: Reseller will be installing the RSA solution.
  11. RSA solution: Integration details to be provided
  12. IPSEC VPN – after authentication users will be able to launch a MS Terminal Services desktop session.
  13. Consultant – Power for consultant's laptop to be available in data centre
  14. Consultant – Internet Access in data centre
  15. Consultant – serial & network access to firewalls
  16. Consultant – responsible for Juniper SRX configuration only
  17. Documentation – exact documents to be followed to be given to consultant
  18. Documentation – to be produced in simple format covering main technical issues with formatting & other presentation as time allows.
  19. Equipment – Surrounding network already configured to allow routing between firewall, outside network, MS Terminal Services and MS Certificate servers
  20. Testing – customer to provide laptop to test.
  21. Follow up work will be done as time allows and will be assumed to consist of minor changes to configuration & documentation
  22. Remediation Work – undertaken after third party testing has been performed.

Implementing the Juniper Junos Pulse Secure Access Service: The right way

Junos Pulse Secure Access Service

Think of security during implementation:

  • Use External & internal interfaces
    • Both interfaces should be behind a firewall
    • If the same firewall is used – each interface should be connected to a different Zone
    • Internal & external interfaces should be on different subnets
    • Make sure the internal interface is on its own network with no other devices
  • If a Management interface is available – use it
  • Make sure the external interface is disabled for Management access
  • Management Authentication should be using Internal database or encrypted connection to external database
  • Strong passwords should be used
  • Management should be limited to selected LAN subnets only
External ports through Firewall – to Junos Pulse Secure Access Service
  • HTTP (auto redirect to HTTPS)
  • IKEv2 (UDP 500)
  • ESP – NAT Traversal (UDP 4500)
Internal ports through Firewall – Services to LAN
  • NTP
  • DNS
  • LDAPS (TCP 636)
  • Kerberos (UDP 88), (TCP 464 & UDP 464)
  • SCP (SSH)
Less Secure Protocols if needed – Services to LAN
  • NTLM
  • LDAP (TCP 389)
  • RADIUS (UDP 1812/1813)
  • FTP
  • SMB (TCP/UDP 135-139), (TCP 445)
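The two port lists above (external ports to the Pulse SA, internal ports from the SA to the LAN, plus the "if needed" legacy set) expressed as a Junos SRX configuration. This is an added example and not part of the original notes or any Juniper-supplied template; the zone names, interface units and addresses (203.0.113.10 for the SA external interface, 10.10.20.10 for its internal interface, 10.10.30.0/24 for the LAN servers) are assumptions. Services with no predefined junos-* application (LDAPS, Kerberos, kpasswd, the SMB ranges) are defined as custom applications so the ports match the list exactly; "ESP – NAT Traversal (UDP 4500)" maps to junos-ike-nat.

```junos
/* Added example, not from the original notes. Zone names, interface units
   and addresses are assumptions: 203.0.113.10 stands in for the Pulse SA
   external interface, 10.10.20.10 for its internal interface and
   10.10.30.0/24 for the LAN servers (DC, DNS, NTP and SCP targets). */
applications {
    /* Services from the list that have no junos-* predefined application */
    application ldaps { protocol tcp; destination-port 636; }
    application kerberos-udp { protocol udp; destination-port 88; }
    application kpasswd-tcp { protocol tcp; destination-port 464; }
    application kpasswd-udp { protocol udp; destination-port 464; }
    application smb-legacy-tcp { protocol tcp; destination-port 135-139; }
    application smb-legacy-udp { protocol udp; destination-port 135-139; }
    application smb-445 { protocol tcp; destination-port 445; }
    /* "Internal ports through Firewall – Services to LAN" */
    application-set pulse-to-lan-secure {
        application junos-ntp;
        application junos-dns-udp;
        application junos-dns-tcp;
        application ldaps;
        application kerberos-udp;
        application kpasswd-tcp;
        application kpasswd-udp;
        application junos-ssh;
    }
    /* "Less Secure Protocols if needed"; the policy that references this
       set is deactivated below, so nothing matches until it is activated.
       NTLM has no port of its own (it rides on HTTP/SMB) and is not listed. */
    application-set pulse-to-lan-legacy {
        application junos-ldap;
        application junos-radius;
        application junos-radius-accounting;
        application junos-ftp;
        application smb-legacy-tcp;
        application smb-legacy-udp;
        application smb-445;
    }
}
security {
    address-book {
        global {
            address pulse-sa-external 203.0.113.10/32;
            address pulse-sa-internal 10.10.20.10/32;
            address lan-servers 10.10.30.0/24;
        }
    }
    zones {
        /* Each Pulse SA interface gets its own zone, as the notes require */
        security-zone untrust { interfaces { ge-0/0/0.0; } }
        security-zone pulse-ext { interfaces { ge-0/0/1.0; } }
        security-zone pulse-int { interfaces { ge-0/0/2.0; } }
        security-zone trust { interfaces { ge-0/0/3.0; } }
    }
    policies {
        /* "External ports through Firewall": user-facing services only.
           No SSH/HTTPS management application is permitted here, matching
           "external interface disabled for Management access". */
        from-zone untrust to-zone pulse-ext {
            policy pulse-inbound {
                match {
                    source-address any;
                    destination-address pulse-sa-external;
                    application [ junos-http junos-https junos-ike junos-ike-nat ];
                }
                then { permit; log { session-init; session-close; } }
            }
            /* Explicit logged deny so blocked attempts are visible in syslog */
            policy deny-log {
                match { source-address any; destination-address any; application any; }
                then { deny; log { session-init; } }
            }
        }
        from-zone pulse-int to-zone trust {
            policy pulse-to-lan {
                match {
                    source-address pulse-sa-internal;
                    destination-address lan-servers;
                    application pulse-to-lan-secure;
                }
                then { permit; log { session-close; } }
            }
            /* Deactivated: activate only if a legacy protocol is really needed */
            inactive: policy pulse-to-lan-legacy {
                match {
                    source-address pulse-sa-internal;
                    destination-address lan-servers;
                    application pulse-to-lan-legacy;
                }
                then { permit; log { session-init; session-close; } }
            }
            policy deny-log {
                match { source-address any; destination-address any; application any; }
                then { deny; log { session-init; } }
            }
        }
        default-policy { deny-all; }
    }
}
```

Two points worth noting. junos-http is permitted only because the SA redirects it to HTTPS as stated above; if that redirect is ever switched off, drop it from the application list. The source address on the SA-to-LAN policy is pinned to the SA internal interface rather than the whole pulse-int zone, which is what makes the "internal interface on its own network with no other devices" rule enforceable from the firewall side as well.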
  • Should represent User Groups
  • Unmanaged Apple/Android
  • Unmanaged Partner (Windows)
  • Unmanaged Support (Windows)
  • Unmanaged User (Windows)
  • Managed User (Windows)
  • Remediation Managed User (Windows)
Sign in Policies
  • */ = Windows Users Realm
  • */tablet= Apple/Android Users Realm
  • */external = Third-Parties Realm
Apple/Android Users Realm
  • Token Authentication
  • AD Authentication
  • No Host Checking Authentication Policy
  • *Ipad* Browser Authentication Policy
  • *Macintosh* Browser Authentication Policy
  • *Android* Browser Authentication Policy
  • Unmanaged Apple/Android Devices Group = Pulse VPN Client with Restricted ACL & No split tunneling
Windows Users Realm
  • Token Authentication
  • AD Authentication
  • Selected AV Host Checking Authentication Policy – Managed Device
  • Any AV Host Checking Authentication Policy – Unmanaged Device
  • Registry Key Host Checking Authentication Policy – Managed Device
  • *Windows* Browser Authentication Policy
  • *Pulse* Browser Authentication Policy
  • Managed Device Group = Pulse VPN Client (Access as required)
  • Unmanaged Device Group = OWA Only
  • Remediation Devices = Pulse VPN Client – restricted to Remediation Servers
Third-Parties Realm
  • AD Authentication
  • Restricted times on Support AD Accounts
  • Any AV Host Checking Authentication Policy
  • Windows 7/8 Host Checking Authentication Policy
  • *Windows* Browser Authentication Policy
  • *Pulse* Browser Authentication Policy
  • Partners Group = Web Resources
  • Support Group = Pulse VPN Client – restricted access
Resource Profiles
  • Use wherever possible
  • Use templates where possible
Pulse Client
  • Apple/Android users – manual start of Pulse, can change settings & */tablet connection – Pool A
  • External Third Party users – manual start of Pulse, can change settings & */external connection – Pool B
  • Internal Windows Users – location awareness rules, cannot change settings & default connection – Pool C