Category Archives: Pulse Secure

Articles on Juniper and Pulse Secure SA and MAG devices running the Pulse Secure Access Service

Understanding Juniper Networks FIPS Level 1 Support

The following is from the Juniper website:

What Is FIPS?

Federal Information Processing Standards (FIPS) are a set of standards that define security requirements for products that implement cryptographic modules used to secure sensitive but unclassified information. The most recent standards are defined in FIPS Publication 140-2.

The FIPS documents define, among other things, security levels for computer and networking equipment. U.S. Federal Government departments, and other organizations, use FIPS to evaluate the cryptographic capabilities of the equipment they consider for purchase. Cryptographic modules are validated against separate areas of the FIPS specification. An overall certification level is assigned based on the minimum level achieved in any area. Although primarily aimed at environments requiring strict security, FIPS levels are increasingly enforced as qualifying criteria for all U.S. Federal Government contracts. Security-conscious private enterprises might also use FIPS levels as an equipment evaluation benchmark. FIPS levels also serve as a customer-neutral description of vendor requirements. Vendors can engineer security products to FIPS levels and extend the applicability and eligibility of these products across a broad customer base, thereby eliminating exhaustive and time-consuming customer-by-customer product qualification procedures.

What Is FIPS Level 1 Support?

Juniper Networks offers FIPS level 1 support starting with Secure Access Service release 7.4 and Access Control Service release 4.4. Both services use a FIPS 140-2 level 1 certified cryptographic module to comply with FIPS. When FIPS level 1 support is enabled, applications such as browsers that access the web server must support Transport Layer Security (TLS), the latest version of Secure Socket Layer (SSL). If the platform has hardware acceleration, SSL hardware acceleration is disabled (IPsec hardware acceleration is not affected), because the hardware acceleration is not covered by the FIPS validation. Only FIPS-approved algorithms are used when FIPS level 1 support is enabled.

Note: You cannot run FIPS level 1 support on a hardware FIPS platform such as the SA6500 FIPS SSL VPN Appliance. For more information on the hardware FIPS platform, see the Secure Access Service Administration Guide and the Access Control Service Administration Guide.

For more information about the Juniper Networks Pulse Cryptography Module, see the security policy PDF document and the validation certificate. For a complete list of validated FIPS 140-1 and FIPS 140-2 cryptographic modules, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2012.

Published: 2014-01-17

FIPS Supported Platforms

The following platforms support FIPS level 1:

  • Junos Pulse Gateway MAG2600
  • Junos Pulse Gateway MAG4610
  • Junos Pulse Gateway MAG6610
  • Junos Pulse Gateway MAG6611
  • Junos Pulse Gateway MAG-SM160
  • Junos Pulse Gateway MAG-SM360
  • Secure Access Service and Access Control Service virtual appliances

Supported Cipher Suites when FIPS Level 1 Support is Enabled

[Image: FIPS cipher suite list]

Implementing the Juniper Junos Pulse Secure Access Service: The right way


Think about security from the start of the implementation:

Interfaces
  • Use both the external and internal interfaces
    • Both interfaces should be behind a firewall
    • If the same firewall is used, each interface should be connected to a different zone
    • The internal and external interfaces should be on different subnets
    • Make sure the internal interface is on its own network with no other devices
Management
  • If a management interface is available, use it
  • Make sure the external interface is disabled for management access
  • Management authentication should use the internal database or an encrypted connection to an external database
  • Strong passwords should be used
  • Management should be limited to selected LAN subnets only
External ports through the firewall – to the Junos Pulse Secure Access Service
  • HTTP (auto-redirect to HTTPS)
  • HTTPS
  • IKEv2 (UDP 500)
  • ESP – NAT Traversal (UDP 4500)
Internal ports through the firewall – services to the LAN
  • NTP
  • DNS
  • LDAPS (TCP 636)
  • Kerberos (UDP 88), kpasswd (TCP 464 & UDP 464)
  • SCP (SSH)
Less secure protocols, if needed – services to the LAN
  • NTLM
  • LDAP (TCP 389)
  • RADIUS (UDP 1812/1813)
  • FTP
  • SMB (TCP/UDP 135-139, TCP 445)
Roles
  • Should represent User Groups
  • Unmanaged Apple/Android
  • Unmanaged Partner (Windows)
  • Unmanaged Support (Windows)
  • Unmanaged User (Windows)
  • Managed User (Windows)
  • Remediation Managed User (Windows)
Sign in Policies
  • */ = Windows Users Realm
  • */tablet= Apple/Android Users Realm
  • */external = Third-Parties Realm
Apple/Android Users Realm
  • Token Authentication
  • AD Authentication
  • No Host Checking Authentication Policy
  • *Ipad* Browser Authentication Policy
  • *Macintosh* Browser Authentication Policy
  • *Android* Browser Authentication Policy
  • Unmanaged Apple/Android Devices Group = Pulse VPN Client with Restricted ACL & No split tunneling
Windows Users Realm
  • Token Authentication
  • AD Authentication
  • Selected AV Host Checking Authentication Policy – Managed Device
  • Any AV Host Checking Authentication Policy – Unmanaged Device
  • Registry Key Host Checking Authentication Policy – Managed Device
  • *Windows* Browser Authentication Policy
  • *Pulse* Browser Authentication Policy
  • Managed Device Group = Pulse VPN Client (Access as required)
  • Unmanaged Device Group = OWA Only
  • Remediation Devices = Pulse VPN Client – restricted to Remediation Servers
Third-Parties Realm
  • AD Authentication
  • Restricted times on Support AD Accounts
  • Any AV Host Checking Authentication Policy
  • Windows 7/8 Host Checking Authentication Policy
  • *Windows* Browser Authentication Policy
  • *Pulse* Browser Authentication Policy
  • Partners Group = Web Resources
  • Support Group = Pulse VPN Client – restricted access
Resource Profiles
  • Use wherever possible
  • Use templates where possible
Pulse Client
  • Apple/Android users – manual start of Pulse, can change settings, */tablet connection – Pool A
  • External third-party users – manual start of Pulse, can change settings, */external connection – Pool B
  • Internal Windows users – location awareness rules, cannot change settings, default connection – Pool C
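As an added example (not from the original post and not Pulse Secure code), the following Python models the sign-in policy, realm and role design in the checklist above, so the mapping can be sanity-checked before it is configured on the appliance. The realm keys, AD group names and the rule that a managed device failing the selected-AV check lands in the remediation role are my assumptions; the sample user agents and host-check results are constructed.

```python
"""Added example, not Pulse Secure code: model of the sign-in policy, realm
and role design in the checklist above. Realm keys, group names and the
remediation rule are assumptions; sample inputs are constructed."""
from fnmatch import fnmatch

# "Sign in Policies": sign-in URL pattern -> realm (assumed realm keys)
SIGN_IN_POLICIES = {"*/": "windows", "*/tablet": "tablet", "*/external": "external"}
# Browser authentication policies per realm (patterns as in the outline)
BROWSER_RULES = {"tablet": ["*Ipad*", "*Macintosh*", "*Android*"],
                 "windows": ["*Windows*", "*Pulse*"],
                 "external": ["*Windows*", "*Pulse*"]}

def select_realm(sign_in_url):
    """Realm for a sign-in URL such as 'vpn.example.com/tablet'; the most
    specific (longest) matching pattern wins, None if nothing matches."""
    matches = [p for p in SIGN_IN_POLICIES if fnmatch(sign_in_url, p)]
    return SIGN_IN_POLICIES[max(matches, key=len)] if matches else None

def browser_allowed(realm, user_agent):
    """Case-insensitive user-agent match against the realm's browser policy."""
    return any(fnmatch(user_agent.lower(), p.lower()) for p in BROWSER_RULES[realm])

def assign_role(realm, user_agent, host, ad_group=None):
    """Return (role, access) or ('denied', reason).  `host` is the host-check
    result: {'av': 'selected' | 'any' | None, 'registry_key': bool, 'os': str}."""
    if not browser_allowed(realm, user_agent):
        return ("denied", "browser policy")
    if realm == "tablet":            # no host check; restricted ACL, no split tunnel
        return ("Unmanaged Apple/Android", "Pulse VPN, restricted ACL, no split tunneling")
    if host.get("av") is None:       # both Windows realms need at least "any AV"
        return ("denied", "no antivirus")
    if realm == "windows":
        if host.get("registry_key"):  # registry key present => managed device
            if host["av"] == "selected":
                return ("Managed User", "Pulse VPN (access as required)")
            # assumption: managed device failing the selected-AV check is remediated
            return ("Remediation Managed User", "Pulse VPN restricted to remediation servers")
        return ("Unmanaged User", "OWA only")
    # external realm: Windows 7/8 host check, then the AD group decides the role
    if host.get("os") not in ("Windows 7", "Windows 8"):
        return ("denied", "OS policy")
    if ad_group == "partners":
        return ("Unmanaged Partner", "Web resources")
    if ad_group == "support":
        return ("Unmanaged Support", "Pulse VPN, restricted access")
    return ("denied", "no matching group")

if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 6.1)"  # constructed sample user agent
    print(assign_role(select_realm("vpn.example.com/"), ua,
                      {"av": "any", "registry_key": False}))
```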

Juniper Licensing Changes in Secure Access 8.0

Licensing Changes in 8.0

Published: 2013-11-20

http://www.juniper.net/techpubs/en_US/sa8.0/topics/reference/general/secure-access-license-upgrading.html

When upgrading to Secure Access Service 8.0 or Access Control Service 5.0 from a prior release, every effort is made to retain the existing behavior. For example, if a device was previously defined as a license client, it is configured as a client device after the upgrade. If a device was previously defined as a license server, it is configured as a license service device after the upgrade.

The following list summarizes the licensing changes for this release:

  • All devices, including virtual appliances, will have all applicable Juniper features enabled by default after upgrading or resetting to the Secure Access Service 8.0 or Access Control Service 5.0 software version. Some optional features still require keys to unlock their usage. Note that EULA acceptance is still mandatory and you are entitled to use the features of the software that you have licensed within the limits of your Proof of Entitlement.
  • All licenses on a device prior to the upgrade are listed on the license summary page after the upgrade. Juniper licenses, however, will list the full capacity for each feature.
  • All temporary licenses, such as LAB, EVAL and ICE, will expire as with previous releases.
  • All subscription licenses will expire as with previous releases. Subscription licenses related to Juniper features will have no effect on the corresponding feature when they expire. When optional subscription licenses expire, their feature counts will be affected as with previous releases.
  • Some optional features still require licenses, a license server, or both, and expire as with the previous release. These features include:
    • ACCESS-EES-countU-yearsYR
    • ACCESS-RDP-countU-yearsYR (Secure Access Service only)
    • ACCESS-PRM-countU-yearsYR (Access Control Service only)
    • IC4000/6000/4500/6500-SOH (Access Control Service only)
    • CONN-PULSE-countU-yearsYR (Access Control Service only)
  • Clustering works as follows:
    • Because all devices already have maximum user counts enabled, there is no need to install Juniper-featured licenses with similar counts on each node in a cluster.
    • For optional features, each node in a cluster should have similar license counts.
  • Adding or deleting Juniper feature licenses (such as Concurrent Users, Collaboration, RADIUS, and IF-MAP) will not have an impact on the features available on the device. Features are enabled by default and at maximum capacity.
  • Auto-increment, sometimes called Trust but Verify, works as follows:
    • Optional features will continue to function as with previous releases.
    • For Juniper-related features:
      • If a license client device is running Secure Access Service 8.0 or Access Control Service 5.0, it will never auto-increment because it is already at maximum capacity.
      • License server devices running Secure Access Service 8.0 or Access Control Service 5.0 will support auto-increments for clients running previous versions of the Secure Access Service or Access Control Service software.
      • License client devices running software versions prior to Secure Access Service 8.0 or Access Control Service 5.0 will behave as before.
  • Surrendering and recalling of user count licenses (Concurrent Users and Collaboration) that have no duration associated with them is supported regardless of whether a license member license is present when a device upgrades to Secure Access Service 8.0 or Access Control Service 5.0.
  • IVS will continue to be supported on platforms except for virtual appliances and MAG Series devices.
  • For Access Control Service, if the Guest Access license was installed prior to the upgrade, then it is available as a device mode option after the upgrade.

For Juniper features and the license server:

  • Although your license server can run a different software version than your license client devices, Juniper Networks strongly suggests that you upgrade both your license server and license client devices to Secure Access Service 8.0 or Access Control Service 5.0.
  • If a license client is running a software version prior to Secure Access Service 8.0 or Access Control Service 5.0 and is connected to a license server running Secure Access Service 8.0 or Access Control Service 5.0, it will continue to lease license capacity as before.
  • License servers running Secure Access Service 8.0 or Access Control Service 5.0 have maximum capacity licenses for Concurrent Users and Junos Pulse Collaboration.
  • License clients running Secure Access Service 8.0 or Access Control Service 5.0 connected to a license server running software prior to Secure Access Service 8.0 or Access Control Service 5.0 will lease reserved capacity but not incremental capacity. Incremental leasing is not required because the device has maximum capacity for Juniper features. Any existing incremental capacity before upgrading to Secure Access Service 8.0 or Access Control Service 5.0 is retained until the expiration of the incremental lease period.
    Note: Administrators must explicitly remove the configuration for Concurrent Users and Pulse Collaboration from the client configuration on the license server so the device does not lease unnecessary capacity from the license server’s pool of licenses.
  • If the license client and license server are both running Secure Access Service 8.0 or Access Control Service 5.0, they will stop leasing Juniper features. The admin GUI is unchanged from previous releases even though leasing no longer occurs. Capacity already leased for Juniper features is freed up on the license server, and license clients will drop all capacity leased for Juniper features.