Juniper SRX Consultancy – CESG Certified VPN
- Day 1 – Installation of 2 x Juniper SRX100 firewalls
- Day 2 – Configure Certificate based User VPN to SRX firewalls
- Day 3 – Continue configuration & testing of certificate-based user VPN to SRX firewalls
- Day 4 – Documentation based on CESG guidelines
- Day 5 – Follow up remediation work required as a result of the NCC or other third-party testing and validation
Caveats, Requirements, Assumptions
- SRX100 – Firewalls to be configured with VRRP for failover, but each firewall will be standalone. They will NOT be configured as a cluster with stateful failover (to meet CESG security requirements).
- SRX100 – Initial firewall configuration assumed to be a basic configuration, based on the estimated 1-day installation
- SRX100 – Full admin & user access to firewalls at all times to test
- IPSec VPN – Configuration of client-to-firewall IPSec VPNs. The IPSec tunnel will be authenticated using X.509 certificates (using the Windows 7 IPSec client, with certificates manually deployed).
- IPSec VPN must be configured as per CESG security guidelines (http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA-certified-products.aspx)
- IPSec VPN fully documented as to where it meets, and does not meet the requirements. This document is a key deliverable and will be submitted to the MoD as part of their compliance submission.
- IPSec VPN using Windows 7 clients with a certificate-based IPSec tunnel to the firewalls; IPSec VPN users will authenticate via RSA 2FA, using RSA Authentication Manager V8.1 for user authentication
- IPSec VPN – configuration to be done on a best-endeavours basis, subject to any caveats/constraints from Microsoft & Juniper Networks
- IPSec VPN – Microsoft Certificate Services or another CA server to be in place and configured, with user certificates issued.
- RSA Solution: Reseller will be installing the RSA solution.
- RSA solution: Integration details to be provided
- IPSec VPN – after authentication, users will be able to launch an MS Terminal Services desktop session.
- Consultant – Power for the consultant's laptop to be available in the data centre
- Consultant – Internet Access in data centre
- Consultant – serial & network access to firewalls
- Consultant – responsible for Juniper SRX configuration only
- Documentation – the exact guideline documents to be followed are to be supplied to the consultant
- Documentation – to be produced in simple format covering main technical issues with formatting & other presentation as time allows.
- Equipment – Surrounding network already configured to allow routing between firewall, outside network & MS Terminal Services and MS Certificate servers
- Testing – customer to provide laptop to test.
- Follow-up work will be done as time allows and is assumed to consist of minor changes to configuration & documentation
- Remediation Work – undertaken after third party testing has been performed.
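To make the "VRRP but no cluster" and "certificate-authenticated IPSec" points above concrete, the following Junos set-commands are an added illustration, not configuration from this engagement or from Juniper documentation. The interface name, addresses, CA profile and certificate names, distinguished-name wildcard and cipher choices are all placeholders constructed for the example; they are not taken from the page or from CESG guidance, and the cipher suite must be checked against the CPA guidance the customer supplies before use.

```junos
## Firewall A (firewall B gets the same stanza with its own real address, e.g. 192.0.2.3, and a lower priority)
## Two standalone SRX100s share only a VRRP virtual address; there is no chassis-cluster or state sync.
## Addresses and interface names are constructed for this example.
set interfaces fe-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 virtual-address 192.0.2.1
set interfaces fe-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 priority 200
set interfaces fe-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 preempt
set interfaces fe-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 accept-data

## Trust the customer CA that issues the user certificates (profile name is an assumption)
set security pki ca-profile corp-ca ca-identity corp-ca
set security pki ca-profile corp-ca revocation-check crl

## IKE proposal using certificates (rsa-signatures) rather than a pre-shared key.
## Algorithms below are placeholders; align them with the CPA guidance before deployment.
set security ike proposal ike-cert-prop authentication-method rsa-signatures
set security ike proposal ike-cert-prop dh-group group14
set security ike proposal ike-cert-prop authentication-algorithm sha-256
set security ike proposal ike-cert-prop encryption-algorithm aes-256-cbc
set security ike policy ike-cert-pol mode main
set security ike policy ike-cert-pol proposals ike-cert-prop
set security ike policy ike-cert-pol certificate local-certificate srx-a-cert

## Gateway for roaming Windows clients: the peer is identified by the subject DN of its certificate,
## so only certificates issued under the matching OU (assumed value) are accepted.
set security ike gateway rw-gw ike-policy ike-cert-pol
set security ike gateway rw-gw dynamic distinguished-name wildcard OU=VPN-Users
set security ike gateway rw-gw external-interface fe-0/0/0.0

## IPsec phase 2 with PFS; again, algorithm choices are placeholders.
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn rw-vpn ike gateway rw-gw
set security ipsec vpn rw-vpn ike ipsec-policy ipsec-pol
```

Because the two firewalls are deliberately standalone, an established IPSec SA lives on one box only: a VRRP failover moves the virtual address but not the tunnel, so clients must re-authenticate (certificate plus RSA 2FA) against the new master. That behaviour, rather than seamless stateful failover, is the expected outcome of the design described above and should be stated explicitly in the CESG compliance documentation.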