Template Scope of Work: Juniper SRX Consultancy – CESG Certified VPN


Juniper SRX Consultancy – CESG Certified VPN

  1. Day 1 – Installation of 2 x Juniper SRX100 firewalls
  2. Day 2 – Configure Certificate based User VPN to SRX firewalls
  3. Day 3 – Continue configuring & testing Certificate based User VPN to SRX firewalls
  4. Day 4 – Documentation based on CESG guidelines
  5. Day 5 – Follow up remediation work required as a result of the NCC or other third-party testing and validation

Caveats, Requirements, Assumptions

  1. SRX100 – Firewalls to be configured with VRRP for failover, but each firewall will be standalone. They will NOT be configured as a cluster with stateful failover (to meet CESG security requirements).
  2. SRX100 – Initial firewall configuration assumed to be a basic configuration based on an estimated 1 day installation
  3. SRX100 – Full admin & user access to firewalls at all times to test
  4. IPSec VPN – Configuration of client to firewall IPSec VPNs. IPSec tunnel will be authenticated using X.509 certificates (using Windows 7 IPSec client with certs manually deployed).
  5. IPSec VPN must be configured as per CESG security guidelines (http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA-certified-products.aspx)
  6. IPSec VPN fully documented as to where it meets, and does not meet, the requirements. This document is a key deliverable and will be submitted to the MoD as part of their compliance submission.
  7. IPSec VPN – Windows 7 clients will use a cert based IPSec tunnel to the firewalls; IPSec VPN users will authenticate via RSA 2FA using RSA Authentication Manager V8.1
  8. IPSEC VPN – configuration to be done on best endeavours basis – based on any caveats/constraints from Microsoft & Juniper Networks
  9. IPSEC VPN – Microsoft Certificate or other CA server to be in place and configured with User certificate issued.
  10. RSA Solution: Reseller will be installing the RSA solution.
  11. RSA solution: Integration details to be provided
  12. IPSEC VPN – after authentication users will be able to launch a MS Terminal Services desktop session.
  13. Consultant – Power for consultant's laptop to be available in data centre
  14. Consultant – Internet Access in data centre
  15. Consultant – serial & network access to firewalls
  16. Consultant – responsible for Juniper SRX configuration only
  17. Documentation – exact documents to be followed to be given to consultant
  18. Documentation – to be produced in simple format covering main technical issues with formatting & other presentation as time allows.
  19. Equipment – Surrounding network already configured to allow routing between firewall, outside network & MS Terminal Services and MS Certificate servers
  20. Testing – customer to provide laptop to test.
  21. Follow up work will be done as time allows and will be assumed to consist of minor changes to configuration & documentation
  22. Remediation Work – undertaken after third party testing has been performed.