
Template Scope of Work: Juniper SRX Consultancy – CESG Certified VPN


Juniper SRX Consultancy – CESG Certified VPN

  1. Day 1 – Installation of 2 x Juniper SRX100 firewalls
  2. Day 2 – Configure Certificate based User VPN to SRX firewalls
  3. Day 3 – Continue configure & testing Certificate based User VPN to SRX firewalls
  4. Day 4 – Documentation based on CESG guidelines
  5. Day 5 – Follow-up remediation work required as a result of the NCC or other third-party testing and validation

Caveats, Requirements, Assumptions

  1. SRX100 – Firewalls to be configured with VRRP for failover, but each firewall will be standalone; they will NOT be configured as a cluster with stateful failover (to meet CESG security requirements).
  2. SRX100 – Initial firewall configuration is assumed to be a basic configuration, based on an estimated 1 day installation
  3. SRX100 – Full admin & user access to firewalls at all times to test
  4. IPSec VPN – Configuration of client-to-firewall IPSec VPNs. The IPSec tunnel will be authenticated using X.509 certificates (using the Windows 7 IPSec client with certificates manually deployed).
  5. IPSec VPN must be configured as per CESG security guidelines (http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA-certified-products.aspx)
  6. IPSec VPN fully documented as to where it meets, and does not meet the requirements. This document is a key deliverable and will be submitted to the MoD as part of their compliance submission.
  7. IPSEC VPN using Windows 7 clients with an IPSec tunnel (cert based) to the firewalls; IPSEC VPN users will authenticate via RSA 2FA using RSA Authentication Manager V8.1 for user authentication
  8. IPSEC VPN – configuration to be done on best endeavours basis – based on any caveats/constraints from Microsoft & Juniper Networks
  9. IPSEC VPN – Microsoft Certificate or other CA server to be in place and configured with User certificate issued.
  10. RSA Solution: Reseller will be installing the RSA solution.
  11. RSA solution: Integration details to be provided
  12. IPSEC VPN – after authentication users will be able to launch a MS Terminal Services desktop session.
  13. Consultant – Power for consultants laptop to be available in data centre
  14. Consultant – Internet Access in data centre
  15. Consultant – serial & network access to firewalls
  16. Consultant – responsible for Juniper SRX configuration only
  17. Documentation – exact documents to be followed to be given to consultant
  18. Documentation – to be produced in simple format covering main technical issues with formatting & other presentation as time allows.
  19. Equipment – Surrounding network already configured to allow routing between firewall, outside network & MS Terminal Services and MS Certificate servers
  20. Testing – customer to provide laptop to test.
  21. Follow-up work will be done as time allows and is assumed to consist of minor changes to configuration & documentation
  22. Remediation Work – undertaken after third party testing has been performed.

CESG IPSEC Guides (2013) & Juniper Appliances


About CESG

CESG protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia.

CESG IPSEC GUIDES

CESG have produced some guidance for IPSEC VPNs – guidance adhered to by government departments & associated bodies.

  • Version 2.1 CESG IPSEC Security Gateway Guide can be found on the CESG site
  • Version 2.3 CESG IPSEC VPN FOR REMOTE WORKING – SOFTWARE CLIENT Guide can be found on the CESG site

Juniper MAG Devices with Juniper Pulse Secure Access Service

The Juniper Pulse Secure Access Service running version 7.4+ software on a Juniper MAG device can be used for CESG IPSEC VPNs, as it supports ECDHE ciphers & IKEv2.

A caveat is that MAG devices don’t support FIPS Level 3 compliant cryptographic modules – but FIPS is not referenced directly in the guide.

ECDHE Ciphers supported by SA

With Elliptic-Curve Cryptography (ECC) certificates:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

With RSA Certificates:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
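The two suite lists above mix AEAD suites with CBC, 3DES and RC4 suites, and a gateway build for CESG use will normally only enable a subset. The following is an added example (not code from the original post or from Juniper) that parses the IANA-style suite names from the page and grades them; the grading rules are the editor's, not CESG's, and are labelled as such in the code.

```python
import re

# The cipher suites listed on this page for Secure Access Service
# (ECDHE with ECC certificates, then ECDHE with RSA certificates).
PAGE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Suite name layout: TLS_<kex>_<auth>_WITH_<cipher>[_<mode>]_<mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kex>ECDHE)_(?P<auth>ECDSA|RSA)_WITH_"
    r"(?P<cipher>AES_128|AES_256|3DES_EDE|RC4_128)"
    r"_(?:(?P<mode>GCM|CBC)_)?(?P<mac>SHA256|SHA384|SHA)$"
)

def classify(name):
    """Split a suite name into its parts and grade it (editor's grading, not CESG's)."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unrecognised suite name: " + name)
    parts = m.groupdict()
    if parts["cipher"] == "RC4_128":
        verdict, reason = "reject", "RC4 keystream biases; disable"
    elif parts["cipher"] == "3DES_EDE":
        verdict, reason = "reject", "64-bit block cipher; disable"
    elif parts["mode"] == "GCM":
        verdict, reason = "prefer", "AEAD mode with a SHA-2 PRF"
    else:
        verdict, reason = "acceptable", "CBC with HMAC; keep only for clients lacking GCM"
    return dict(parts, name=name, verdict=verdict, reason=reason)

def grade_suites(suites):
    """Group suite names by verdict so the gateway allow-list can be built from them."""
    groups = {"prefer": [], "acceptable": [], "reject": []}
    for suite in suites:
        groups[classify(suite)["verdict"]].append(suite)
    return groups
```

Running `grade_suites(PAGE_SUITES)` puts the four GCM suites under "prefer", the eight CBC suites under "acceptable" and the two RC4 and two 3DES suites under "reject".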

IKEv2 Clients

Any IKEv2 client can be used for CESG IPSEC, e.g.:

About IKEv2

CESG IPSEC refers to use of IKEv2. More information can be found on the Juniper Website. Also please note the following:

  • On the Juniper SA/MAG Device – IKEv2 does not support automatic cluster failover. After cluster failover, IKEv2 users must reconnect to Secure Access Service.
  • On the Juniper SA/MAG Device – IKEv2 uses UDP port 500 with Juniper Pulse Secure Access Service.

Notes about use with Certificates

For IKEv2 with client certificate authentication to work with the Windows 7 IKEv2 client, the certificate imported into Secure Access Service must have the enhanced key usage (EKU) value set to serverAuth (1.3.6.1.5.5.7.3.1).

Also, ECC certificates are currently only supported on MAG and Virtual Appliance platforms; they are not usable on SAx500 devices. See Chapter 32, Elliptic Curve Cryptography, in the 7.4 or later Admin Guide for more details on these certificates and setting custom cipher options.

FIPS level 1 Supported Platforms

  • The following platforms support FIPS level 1:
    • Junos Pulse Gateway MAG2600
    • Junos Pulse Gateway MAG4610
    • Junos Pulse Gateway MAG6610
    • Junos Pulse Gateway MAG6611
    • Junos Pulse Gateway MAG-SM160
    • Junos Pulse Gateway MAG-SM360
    • Secure Access Service and Access Control Service virtual appliances


FIPS Level 3 Supported Platforms

  • Juniper SA4500 FIPS
  • Juniper SA6500 FIPS

Note

  • FIPS Level 3 refers to a cryptographic Hardware Security Module
  • You cannot run FIPS Level 1 support on a hardware FIPS platform such as the SA4500/6500 FIPS SSL VPN Appliance
  • SA4500/6500 FIPS SSL VPN Appliances do not support newer ECC certificates.

The last point leaves a conundrum – go with MAG and have a more strongly encrypted channel across the Internet, or go with SA and have a weaker encrypted channel but a better protected stored private key.