Thursday, January 31, 2013

Chapter 4 - management framework

OK,
The management of users.
Finally got the device talking to the Firewall.

They call this Dynamic access privilege management architecture.

Alright.
Sign-in policy.
Define the URLs:
one for admins, /admin/
the other for the users.
The sign-in policy defines which realms will be offered to users who arrive on that URL.


The above is the sign-in page.
You can see the administrator URLs we have configured
and the user ones.
*/ means nothing besides https://name_of_device/ (the default user URL).
/admin/, remember, is how you get to the admin console.
Then you create other ones as you need them (a guest URL, a contractor URL).
To each URL you attach a sign-in page, either customized or the standard one,
then assign the authentication realm(s) that will authenticate the users.
The last checkbox simply enables the policy.

Then the authentication realm. A realm is made of:
AAA: the authentication server; the credentials are forwarded to it.
Authentication policy: checks the MAG runs before it sends your credentials to the AAA server (for example a Host Checker policy the endpoint must pass).
Directory server: an LDAP server that gives you user and group information, which is what gets mapped to roles.
Role mapping rules: map users and groups to the roles you create on the MAG.


User role: defines properties of the user's session (timeouts, UI options, what gets pushed to the client). A user can be mapped to many roles.
Role restrictions: extra checks a user must pass before a mapped role is actually granted.
Resource access policy: protects a SPECIFIC resource.

  • It can use the enforcement points
  • It can add additional items like
    • the source interface the traffic must come through
    • Auth Table mapping
    • IP address pool assignment, to give the client an IP

Network access policies: Layer 2 policies that control the 802.1X settings on the enforcement points.
They define the RADIUS attributes the MAG returns to the 802.1X enforcement points (for example the VLAN the client lands in).


Connection Process - High Level.



User Authentication process.

I don't know,
Print this part above out and study it.
It's made of three parts:
  • what the USER does
  • what the MAG does
  • what the AAA does. The AAA is made up of
    • the authentication server
    • the (LDAP/AD) directory server, which gives you the groups

It starts with the authentication process. Once that part is done the MAG moves on to authorization,
which means working out what the user is actually allowed to do.
At the end it sends the relevant data to the enforcement points.

Authentication
First part is the host (Host Checker runs on the endpoint)
Second part is the credentials
Third part is sending the credentials to the AAA server
then
Authorization
MAG queries the LDAP directory for the user's groups
Maps user and groups to roles
Applies role restrictions
Creates the session from the merged user roles
then
Enforcement
Sends the data the enforcement points need:
policies and auth table entries

The enforcement points are:
Firewalls
802.1X switches and access points
OAC (Host Enforcer)


Case Study 1: role merging.

When a user lands in more than one role, the device merges them permissively.
So if one role allows something and another role denies it, you get the allow.
The user interface options come from the first role.
Maximum session length takes the highest value among the roles.

If you are mapped to two roles and one has a restriction you did not pass, you get only the ONE role whose restrictions you did pass; the session itself is not denied.

Host Enforcer can also check whether the policy permits access to the RESOURCE,
not only whether the HOST is OK.

Things to keep straight:
realm authentication
sign-in policy
user role
role restrictions
resource policies
network policies.
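The whole chain above (sign-in URL, realm, authentication policy, AAA, directory groups, role mapping, role restrictions, permissive merge, enforcement data) as one runnable walk-through. This is an added example of my own, not Juniper's code and not from the course material: the users, groups, networks, resource names and session lengths are constructed for the illustration, and the merge rules are exactly the ones from Case Study 1.

```python
"""Toy model of the MAG access management framework, added as an example.
Not Juniper's code and not from the course: the users, groups, networks,
resource names and session lengths are constructed for illustration."""
import ipaddress

# Constructed AAA back ends: an authentication server and an LDAP-style directory.
AUTH_SERVER = {"alice": "Winter2013!", "bob": "hunter2"}
DIRECTORY = {"alice": {"Finance", "Employees"}, "bob": {"Employees", "Contractors"}}


class Role:
    """A user role: session properties, UI options, resource policies, restrictions."""
    def __init__(self, name, session_minutes, ui_banner, allow, deny=(), source_nets=()):
        self.name = name
        self.session_minutes = session_minutes      # session property
        self.ui_banner = ui_banner                  # UI option
        self.allow = set(allow)                     # resource access policy: permit
        self.deny = set(deny)                       # resource access policy: deny
        # role restriction: client must come from one of these networks to get the role
        self.source_nets = [ipaddress.ip_network(n) for n in source_nets]


ROLES = {
    "finance": Role("finance", 480, "Finance portal", {"erp"}, deny={"intranet"},
                    source_nets=["10.1.0.0/16"]),
    "employee": Role("employee", 60, "Employee portal", {"mail", "intranet"}),
    "contractor": Role("contractor", 30, "Contractor portal", {"ticketing"}, deny={"mail"}),
}

# Sign-in policy: which realm(s) each URL offers.  "*/" is the default user URL.
SIGN_IN_POLICIES = {"*/": ["Users"], "/admin/": ["Admins"]}

REALMS = {
    "Users": {
        # authentication policy: checked before credentials are forwarded to AAA
        "source_nets": [ipaddress.ip_network("10.0.0.0/8")],
        # role mapping rules, evaluated in order: directory group -> role
        "role_mapping": [("Finance", "finance"), ("Employees", "employee"),
                         ("Contractors", "contractor")],
    },
}


def merge_roles(roles):
    """Permissive merge as the page describes it: an allow in any role wins over a
    deny in another, the longest session wins, UI options come from the first role."""
    allow = set().union(*(r.allow for r in roles))
    deny = set().union(*(r.deny for r in roles)) - allow
    return {"roles": [r.name for r in roles],
            "session_minutes": max(r.session_minutes for r in roles),
            "ui_banner": roles[0].ui_banner,
            "allow": allow, "deny": deny}


def sign_in(url, user, password, src_ip):
    """Walk the chain and return the enforcement data, or a denial with the reason."""
    src = ipaddress.ip_address(src_ip)
    realm_names = SIGN_IN_POLICIES.get(url, [])
    if not realm_names or realm_names[0] not in REALMS:
        return {"status": "denied", "reason": "no sign-in policy / realm for " + url}
    realm = REALMS[realm_names[0]]
    # Authentication: pre-auth checks first, then the credentials go to the AAA server.
    if not any(src in net for net in realm["source_nets"]):
        return {"status": "denied", "reason": "authentication policy: source not allowed"}
    if AUTH_SERVER.get(user) != password:
        return {"status": "denied", "reason": "AAA server rejected the credentials"}
    # Authorization: directory groups -> roles, then each role's own restrictions.
    groups = DIRECTORY.get(user, set())
    mapped = [ROLES[role] for group, role in realm["role_mapping"] if group in groups]
    granted = [r for r in mapped
               if not r.source_nets or any(src in net for net in r.source_nets)]
    if not granted:
        return {"status": "denied", "reason": "no role mapped, or none passed its restrictions"}
    session = merge_roles(granted)
    # Enforcement: the auth table entry and permitted resources pushed to the enforcers.
    session["status"] = "allowed"
    session["auth_table_entry"] = {"ip": src_ip, "user": user, "roles": session["roles"]}
    return session


def resource_allowed(session, resource):
    """Resource access policy check against the merged session."""
    return session.get("status") == "allowed" and resource in session["allow"]


if __name__ == "__main__":
    s = sign_in("*/", "alice", "Winter2013!", "10.1.5.5")
    print(s["roles"], s["session_minutes"], sorted(s["allow"]))
```

Run it and alice from 10.1.5.5 gets both finance and employee: the employee allow on intranet beats the finance deny, the session is 480 minutes, the banner comes from finance because it was mapped first. Move her to 10.2.0.9 and the finance role restriction fails, so she keeps only employee, exactly the "only ONE role" case above. Note the failed restriction drops the role, not the login; if you want a failed check to block the session entirely, it belongs in the authentication policy, not in a role restriction.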



Chapter 3 - Configuration




Scenario 1.

We have a LAN
The guys in the LAN will want to reach the Servers
The Firewall will block them till they reach the MAG
The MAG will tell the firewall to allow them.
They will get access.

Sounds Simple.
Let's see what simple is like with the MAG.
Alright, connect the console cable to the SM160 or SM360 module itself (not the chassis management port).


On the smaller appliances there is no separate module; the console port is on the appliance itself,
so for example
 the MAG2600

   the MAG4610

Voila, anyway: console cable to console port.
9600 baud
8 data bits
1 stop bit
no flow control.
This is standard for Juniper.
The console on the MAG appliance is only there so you can set up an IP. The devices are mainly WEB managed
and, despite the "one OS" marketing, don't run Junos. They run the web admin console instead.

BOOT UP

When you boot the MAG modules (SM160 / SM360)
you get to select the personality:
Secure Access Service  -  this is the SSL VPN gateway
Access Control Service -  this is so you can use it as a NAC inside the network.
Remember: one option is for the SSL VPN, the second is the NAC / LAN device.

please choose from among the following factory-reset-personality images:
[1]  Junos Pulse Secure Access service
[2]  Junos Pulse  ACCESS CONTROL service
So we choose 2.
It can take 20 minutes to install the personality. Jeez, well, take a break and get a sandwich.

Then you get the license agreement.
If you are bored or need to prolong the installation press R to read it.
If not press Y.

Interface configuration.
nothing new here.
IP
Subnet
Gateway
DNS
second DNS  (optional)
DNS domain     blogspot.com
WINS     (optional)

Then it asks you to review and confirm.
Press Y enter

OK, this configured port 1.

Port 1 is the middle port.
Port 0 is for OOB management and is configured from the WebUI.


Ok,.
After that you create an admin user and his password.
This is mainly for Console and for first access.


Alright, this device uses certificates. Yes, those annoying pop-ups we dismiss because the cert is outdated
or badly kept. This is a security device, so: certificate.

The next stage in the CLI is generating a self-signed one.
Common Name      -  my-mag-AC.blogspot.com  (must match the hostname people will browse to)
Organization        blogspot.com
Hit some random characters and press Enter (the keystrokes seed the key generation).
Then you get the certificate and the device telling you that you are DONE.



CLI menu.
The CLI menu is kinda 1980's.
You choose a numbered option.

  1. Network settings and tools  - ping, ARP, etc.
  2. Admin password              - did that
  3. Display log                 - system logs
  4. System operation            - reboot or reset to factory
  5. Toggle password protection for the console - require the admin login on the console
  6. Create a super admin session - a recovery admin session for when you are locked out of the WebUI
  7. System snapshot             - captures the system state for troubleshooting (not a config backup; that is under Maintenance)
  8. Reset allowed encryption strength for SSL - lets you drop the minimum from 128-bit to 40-bit export-grade ciphers,
     like Cisco's old k8 images. There is no good reason to do this on a security device.

OK, from here it is all WEB.
What fun, memorizing screenshots.
https://device_IP/admin

Username, password, and click through the certificate warning that you cannot avoid yet.
(You make it go away by installing a CA-issued certificate whose name matches the hostname you browse to;
when you connect using the IP address the certificate warning always appears.)


Sorry, hard to get any screenshots.
I guess you can buy a MAG. You'd need a 4610
You can also try Ingram Micro they have a lab.
The last choice is begging Juniper for access to their labs.

Anyway.
This is the way the screen looks.

You have the main toolbar on the left:
SYSTEM - the obvious, plus logs
AUTHENTICATION - authentication servers
ADMINISTRATORS - admin users, admin realms and roles
USERS - realms and roles for end users
UAC - the enforcers (the firewalls) and the policies pushed to them
MAINTENANCE - archiving, upgrades, troubleshooting

This screen is from the Secure Access personality,
not the Access Control one.
You can quickly tell by the missing UAC entry in the left-hand menu.





When you hover over an item it opens its sub-menu; roll the mouse over it
or click on what you want.

Alright
There is a tab called Guidance in the corner.

This opens up
the wizards.
The first time in it pops up by itself; later you can invoke it or dismiss it.

Task 1.
Alright.
Fake task menu,
but you get the idea.
System Setup --> set date and time:
pick the time zone,
then either point it at an NTP server by IP or set the time manually.

The MAG, the firewall enforcer and the CA must agree on the time (within 5 minutes), otherwise the certificate checks fail and SECURITY does not work.

Next, upgrade the device.
Next, install your licenses from the license management system at http://juniper.com/generate_license.
You need the hardware ID and the authorization code you get when you buy the licenses.


Base license comes with the device for 2 users.
Common Access License  - you buy for the 'concurrent users'

Last is a certificate.
System >> Configuration >> Certificates >> Device Certificates >> New CSR,
or you can use the wizard we are in.

A CSR is the data a big Kahuna CA needs in order to make you a certificate, which you then import.
Or you can use a self-signed certificate (every browser will keep warning about it).

The CSR menu looks like this   Certificate Signing Request.


You can save the CSR as a file and email it to the CA,
or paste its text into the CA's portal.

Then you import the response from the CA back into the device,

and voila, you have a CA-signed server certificate.

Then you have to tell the port to use the NEW certificate.


So you can set up different ports with different certificates ?? I guess.

Next you must import the certificate of the issuing CA itself into the device's trusted CA store.
This is the CA's own certificate, the one whose key signed your server certificate; without it the device cannot build the chain.

Screenshot place

Ok.
Now, if we go to the UAC part of the menu
we can add a firewall as an enforcer.
Must be a Junos (SRX) or ScreenOS (NetScreen/SSG) firewall.


Platform
Name
Password  {the same shared password you configure on the firewall}
Serial    {must be the chassis hardware serial number}
{If you add a cluster you add both serial numbers}
Group
IDP module {this enables IDP scanning of the traffic}
IP




Configuring the ENFORCER (SRX firewall).
Set the time zone and the date (or use NTP):
root# set system time-zone America/New_York
root# run set date 201107130900.00
Create a security zone for the MAG on the MAG-facing interface:
set security zones security-zone MAG address-book address AC1 172.168.13.1/32
set security zones security-zone MAG host-inbound-traffic system-services ping ssh https
set security zones security-zone MAG interfaces ge-0/0/2.0
### so you added an address-book entry for the MAG, allowed ping/ssh/https as services that may hit the zone,
### then added the interface to the zone.
### Junos has no "ssl" keyword under system-services; https is the SSL service (ScreenOS calls it "manage ssl").
### Note 172.168.0.0 is public address space; private space is 172.16.0.0/12. Put the MAG's real address
### here, the same one you give the infranet-controller below.
Set up the infranet-controller (the MAG) with a name, address, interface and the shared password:
set services unified-access-control infranet-controller AC1
set services unified-access-control infranet-controller AC1 address x.x.x.x
set services unified-access-control infranet-controller AC1 interface ge-0/0/2.0
set services unified-access-control infranet-controller AC1 password my_secret_pass
### the password must match the one entered for this enforcer on the MAG
### the interface must be the one you put in the MAG zone above

OK, I guess this is still easy.
Set up the IP
set up the interface to the MAG
set up a password and a name for the infranet-controller
set up the zone
add the interface to it
add the MAG address to the address book

root# show services
unified-access-control {
    infranet-controller AC1 {
        address 172.16.0.5;
        interface fe-0/0/2.0;
        password "$9$pZt90Ic8X-dwgO1Nb2gDj0BIclMLxdY2a"; ## SECRET-DATA
    }
}


Next you can
set services unified-access-control infranet-controller AC1 ca-profile AC
The ca-profile names a trusted CA (created under security pki ca-profile and loaded with the CA certificate)
that the SRX uses to verify the MAG's certificate when it connects. This is optional, but without it the
enforcer does not verify the MAG's certificate at all.

commit and-quit

Verifying.
Check the status window:
green is OK,
white is not good.
 - UAC > Infranet Enforcer > Connection
Verify the IP and serial number of the enforcer.
Verify System --> Log/Monitoring --> Events --> Log, filtering on id=GWE*;
the connection events there give you hints when it does not come up.

On the firewall enforcer (SRX):
> show services unified-access-control status
should say connected, with the interface, IP, host, port etc.

Troubleshooting
From the MAG:
 - Maintenance >> Troubleshooting >> Tools >> Commands
you can run ping, ARP, traceroute etc. to help troubleshoot.

















On the firewall
verify:
time, date and time zone
routing to the MAG
zone host-inbound-traffic: ping, ssh and https (SSL) must be allowed on the MAG-facing zone/interface
certificates, if you are using them.


The clocks must be in sync, at most 5 minutes apart.



You must use the hardware serial ID and the authorization code to generate the licenses you add to the device.




Chapter 2 Basics

Well, let's get started.


This is the network today for most IT people.


Pretty much the usual.
If you have a branch you set up a site-to-site VPN using IPsec.
If you have users they get a VPN client, connect to the firewall and then they have access to the whole
network.
If you have contractors it's a problem.
The same with partners.
Most companies will set up a website or similar for the partners and contractors. However, then
that website needs to be public.
The firewall is your BORDER guard and protects you against the bad people outside.

This design is old.
For example: your user takes his laptop home, connects to work, then downloads some virus.
When he brings the laptop back to work, your network gets infected.


The same if he brings in a USB stick with an infected file.
Another old way to protect your network was to put the servers in a datacenter segment, call it a DMZ
and add another firewall in front of it.

A DMZ is great, but the rest of your network is still full of viruses, keyloggers and people removing sensitive
information.

So how do you solve this?

  1. You need network protection based on the device.
    1. So for example an iPad gets Internet only.
    2. A contractor can access only the required server and none of the others.
    3. A device can be evaluated to see if it is safe to join the LAN.
    4. You can place non-compliant devices or users in a remediation VLAN so
      they can correct the faults.
  2. Diverse user access
    1. So admins can access everything.
    2. Accounting only accounting.
    3. Guests can only access specific things.
  3. Application-level control.
    1. By that they mean that you can access only the application, not the whole file share behind it.
    2. This is mainly driven by regulatory compliance requirements.
  4. Visibility into who is doing what.
The solution is NAC, which is what we talk about here.
It must be simple, proven, and integrate easily.
If it's not simple, it sucks.
If it is some random company you will be begging for support.
You should not have to redesign the network to get it to work.

NAC (network access control) has no perimeter.
Every device is assumed to be unsafe until you allow it.
Because it evaluates every device, its role and its permissions, it can protect all of the network, not just the border.
So we identify the device, then the user, then assign him a role (group), then the applications he can access, then we log it ALL.
We can also push additional controls to other devices to enforce, like requiring AV or signalling bandwidth limits.

What Juniper's NAC solution looks like.

OK.
So traffic comes through the firewall on the SSL or VPN ports.
It is accelerated if needed by the application acceleration.
Then the connection is handled and terminated by the SECURE ACCESS service.
Secure Access determines whether you can CONNECT;
then Access Control determines whether you are allowed to USE the application;
then you reach the data.

So far so good.
Three appliances, each with a role.

They also added Mobile Security.

With Mobile Security you can control the security of the smartphones, for example wiping data or applications, or finding lost phones.

So:
Accelerator
Secure Access to terminate the connections
Access Control to control the devices
Mobile Security to control the security of the smartphones.

Depending on what you use, you can customize Junos Pulse to load only those
parts on the end client.


The usual user stores can be RADIUS, RSA, LDAP, Active Directory etc.
The devices can affect the behaviour of other devices. For example, if Access Control does not like PC2
it can tell the switch to block the port (assuming this is an 802.1X-capable switch).
The firewall can allow IPs or set up VPNs.

So, in 802.1X terms:
Junos Pulse is the agent, the supplicant.
The 802.1X switch (and access point) is the authenticator; the firewall and the Host Enforcer are the other enforcement points.
The gateway (SA/AC MAG) is the authentication server from the switch's point of view;
it can act as the RADIUS server itself, or it can proxy the request on to an external RADIUS server.

The gateway does
AAA by connecting to those servers: authentication, authorization, accounting; users and roles.
RADIUS for 802.1X: the MAG can work as a RADIUS server or hand off to an external RADIUS.
Endpoint assessment and remediation. This is done with Host Checker, which runs IMCs (integrity measurement collectors) on the endpoint.

The gateway checks the IMC results with its IMVs (integrity measurement verifiers) and can send remediation instructions back to correct the host.
        

The AGENT is one of:
Junos Pulse
Odyssey Access Client (OAC)
Java agent
Agentless Host Checker
third-party TNC-compliant clients.

Enforcement points are:
802.1X switches and access points
SSG or SRX firewalls; these are called Infranet Enforcers (firewall enforcers).
Host Enforcer, part of OAC, does client-side enforcement of the policies.



Junos Pulse Gateway


Et voila,
the appliance.
It is a centralized management device: you web into it and control the settings.
It authenticates users and maps them to roles and resources:
   you get a user, he gets a role, and a policy is applied;
    this policy is pushed dynamically to the enforcement points.
{{It can use standards like LDAP and AD for groups, PKI for certificates, SiteMinder /
NIS for user SSO.}}
{{802.1X supports several EAP methods: EAP-TTLS, EAP-JUAC (Juniper), EAP-TLS, EAP-GTC (tokens, one-time codes), EAP-SoH (statement of health).}}

It delivers software like Junos Pulse, Odyssey, Java and OAC applications to the endpoints and talks to them.

So it can check for compliance with Host Checker policy; with 802.1X you can place non-compliant clients in another VLAN
till they fix themselves.
Host Checker on the endpoint runs the IMCs (integrity measurement collectors), while the
gateway runs the IMVs (integrity measurement verifiers). TNC is the framework that ties them together.

It is purpose-built and hardened.

The SA (SSL VPN) side goes through the same AAA, group lookup and Host Checker, and can also hand out remediation.



Junos Pulse.

Alright,
802.1X, obviously.
IPsec support for setting up a tunnel after authentication.
Source IP enforcement, for allowing the client's IP through after authentication.
Integrated Host Checker.
Location- and identity-aware.
Smart card.
Logs on the client side, plus troubleshooting tools.
You can deploy it from the MAG if the laptops have administrator rights,
or install it using Active Directory.
Windows.

Odyssey Access Client (OAC)
This baby is used for Windows/Mac/Linux:
802.1X
IPsec
Source IP
Integrated Host Checker
Cool: a client-side firewall (Host Enforcer).
When you disconnect it stops enforcing the access policies on your laptop.

Java agent
Mac and Linux.
Runs in the background.
No 802.1X support :(
No IPsec support :(
Runs a heartbeat, so when you disconnect the policies are dropped.

Host Checker (agentless).
Runs on Linux, Mac and Windows;
the Host Checker component is downloaded dynamically from the MAG.
No 802.1X.
No IPsec.
You must keep the browser window open for the session to stay alive.
Third party
must support the 802.1X standard,
TNC,
or both.
Microsoft NAP for example.
An IP phone with 802.1X support is another.
Phones without 802.1X support must rely on MAC address authentication.



Enforcement points - security devices.
Layers 3 to 7 use the firewall, Junos or ScreenOS.
They get their instructions from the Access Control Service, which updates them dynamically.

Source IP enforcement is available to everybody, agent or agentless; it does not encrypt anything.
IPsec: the MAG can signal the firewall to build an IPsec tunnel between the firewall and the device (Pulse, OAC only).

The MAG provisions the firewall enforcement points with dynamic policies.

HTTP redirect (captive portal): if the firewall enforcer gets a request from a source that has no auth table entry,
it can redirect the browser to the Access Control MAG. This only works for HTTP.


So, Source IP based enforcement.

Alright.
1. The laptop authenticates to the MAG.
2. The MAG tells the SRX to allow that IP in.
3. The SRX writes a permit rule (auth table entry).
4. The laptop can access the server. (This traffic is un-encrypted.)

So much fun.

Same thing but with IPsec.
Alright, same thing:
1. authenticate
2. set up the VPN
3. VPN in
4. access the server.
You must have the Junos Pulse or OAC client to do this.

802.1X enforcement points, as we said, are switches and access points.
Check the datasheets to see if they support the protocol.
Port-based enforcement for switches.
Association for APs: they will drop the client's association if he fails.
802.1X is the codename here.
They can dynamically assign the client a VLAN based on the results of his check.
They can also filter applications or change QoS attributes.

You can use 802.1X alone or combine it with firewall enforcement.

So:
Junos Pulse works only on Windows.
OAC agent: Windows / Mac.
All the rest work on everything else.

IPsec works only on Windows.
Source IP works on everything.
802.1X works on everything, because it blocks the port.
Host Enforcer rules: only OAC on Windows. (This can block something on the end client itself.)






OK, those are the components.
Now let's see how the components INTERACT.

So the supplicant uses 802.1X
and talks to the switch.
The switch (authenticator) passes the request to the Pulse gateway (RADIUS).
The gateway also checks the supplicant (Host Checker) to see if he is OK as far as security goes,
then asks the AAA server if he is allowed to do anything,
and then sends the switch the 802.1X accept (with the VLAN) and he is on.


If the connection is external:

same thing as before.
The device goes to the MAG using SSL or EAP-over-HTTP.
The MAG checks the AAA server.
The MAG tells the firewall to open up.
The firewall sets up a connection (IPsec) or an opening (Source IP).
The client can access the servers.

In case of failure I can put him in a temp VLAN and tell him to remedy something.

Layer 2 enforcement is 802.1X:

host check,
then you pass the credentials to AAA,
then you can come in and reach the LAN servers.
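The last step of that exchange, the accept the gateway sends back to the switch with the VLAN decision (the "RADIUS data" of the network access policies in Chapter 4, and the dynamic VLAN assignment above), as an added example of my own rather than Juniper's code: it builds the RADIUS Access-Accept with the RFC 2868 tunnel attributes, picks the remediation VLAN when Host Checker failed, and verifies the packet the way the switch must before trusting it. The VLAN numbers, shared secret and request authenticator are constructed; a real 802.1X accept also carries EAP-Message and Message-Authenticator attributes, which are left out here.

```python
"""RADIUS Access-Accept with dynamic VLAN assignment, added as an example.
Not Juniper's code: VLAN numbers, the shared secret and the request
authenticator are constructed.  Real 802.1X accepts also carry EAP-Message
and Message-Authenticator attributes, which this example leaves out."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6      # RFC 2868 / RFC 3580 values


def tunnel_int_attr(attr_type, value, tag=0):
    """RFC 2868 tagged integer attribute: type, length 6, tag, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tunnel_str_attr(attr_type, text, tag=0):
    """RFC 2868 tagged string attribute: type, length, tag, string."""
    data = text.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_attributes(vlan_id):
    """The three attributes an 802.1X switch expects for dynamic VLAN assignment."""
    return (tunnel_int_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_int_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
            + tunnel_str_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def choose_vlan(host_check_passed, compliant_vlan=100, remediation_vlan=900):
    """Network access policy decision: a failed Host Checker lands in the remediation VLAN."""
    return compliant_vlan if host_check_passed else remediation_vlan


def access_accept(ident, request_auth, secret, vlan_id):
    """Build the Access-Accept the gateway sends back to the switch."""
    attrs = vlan_attributes(vlan_id)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_accept(packet, request_auth, secret):
    """What the switch must do before trusting the VLAN: check the Response Authenticator."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def parse_vlan(packet):
    """Walk the attribute list and return the Tunnel-Private-Group-ID string, or None."""
    attrs, i = packet[20:], 0
    while i + 2 <= len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            value = attrs[i + 2:i + length]
            if value and value[0] <= 0x1F:       # leading byte <= 0x1F is a tag (RFC 2868)
                value = value[1:]
            return value.decode()
        i += length
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)          # copied from the switch's Access-Request
    pkt = access_accept(7, req_auth, secret, choose_vlan(host_check_passed=False))
    print(verify_accept(pkt, req_auth, secret), parse_vlan(pkt))
```

The Response Authenticator is the only thing binding that VLAN assignment to the switch's own request and to the shared secret: a switch that skips that check (or a gateway with a weak, reused secret) will accept a forged accept from anyone who can reach the RADIUS port, which is a much easier way into the compliant VLAN than passing Host Checker.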

Same thing but with the Firewall.





Deployment.

  • Front end: the MAG sits in front of the firewall. This is the easiest to deploy and is for when you don't use 802.1X.
  • WAN gateway: the opposite direction; you control the traffic going out, for example what guests can send, and that the devices meet the Host Checker security policy.
  • Campus wired: devices must authenticate to the gateway to enter the network;
    the same for phones and devices authenticated by MAC address. So you control the LAN.
  • Campus wireless: the same thing but with wireless. Since users already expect a username/password prompt on wireless, this is a good place for an initial NAC deployment.
  • MAC address authentication: lets you control which MAC addresses are allowed on the LAN (for devices with no supplicant).
Questions
What are the components?
  1. Junos Pulse Access Control   - gateway
  2. Endpoint software            - agent, agentless
  3. Enforcement points           - 802.1X or firewall
Enforcement options:
802.1X -  switch or access point
Firewall - Junos or SSG; IPsec or Source IP based
Endpoint - OAC or Junos Pulse can run IPsec; Host Enforcer (OAC only).

Secure Access model.
You connect at Layer 2 to the MAG and it pushes your settings to you.
You connect to the MAG remotely and it pushes settings to the firewall for you to enter.

Endpoint options are:
Pulse
OAC  - remember, an Odyssey on the sea.
Java
Agentless



Tuesday, January 29, 2013

Intro - Objectives

Intro

This exam is a requirement mainly for Juniper partners; however, the material is valuable for configuring and
maintaining any corporate NAC or VPN set-up.


Alright, I have ordered the course materials still have to wait for them.
So let's prep by looking at the Exam information.


Overview

  • Describe the concepts, operation, and functionality of the Junos Pulse Access Control Service
    • Components
    • Component functions and interaction
  • Identify the components of the access management framework
    • Interrelationship between realms, roles and policies

Initial Configuration

  • Configure the basic elements of a Junos Pulse Access Control Service environment
    • Initial Junos Pulse Access Control Service configuration
    • SRX Series device configuration (as a firewall enforcer)
    • Configure authentication servers
    • Connectivity verification

Roles

  • Describe the concepts, operation and functionality of roles
    • Purpose of roles
    • Role mapping
    • Customization of the end-user experience
  • Configure roles
    • Roles and role options

End User Access

  • Describe the Junos Pulse Access Control Service client access options
    • Junos Pulse
    • Odyssey Access Client (OAC)
    • Machine authentication and third party supplicant
    • Agentless access
  • Configure Junos Pulse Access Control Service clients
    • Junos Pulse
    • Odyssey Access Client (OAC)
    • Agentless access

Firewall Enforcement

  • Describe the concepts, operation and functionality of firewall enforcement
    • Purpose of resource policies
    • Resource policies for firewall enforcement
    • Captive portal
  • Configure firewall enforcement
    • Junos Pulse Access Control Service configuration
    • SRX Series device configuration
    • ScreenOS device configuration
    • Captive portal

Layer 2 Enforcement

  • Describe the concepts, operation and functionality of Layer 2 enforcement techniques
    • 802.1X security
    • RADIUS (related to 802.1X)
    • MAC authentication
    • Multiple supplicant authentication
  • Configure Layer 2 enforcement
    • Junos Pulse Access Control Service configuration
    • SRX Series device configuration

Endpoint Defense

  • Describe the concepts, operation and functionality of endpoint defense
    • Host Checker
    • Enhanced Endpoint Security (EES)
    • Authentication policies and role restrictions
  • Configure endpoint defense
    • Host Checker
    • Enhanced Endpoint Security (EES)
    • Authentication policies and role restrictions

Authentication Options

  • Describe the concepts, operation and functionality of user authentication
    • Authentication process
    • Authentication options
  • Configure authentication
    • Authentication servers including LDAP, RADIUS, AD/NT, anonymous
    • Authentication realms

Management and Troubleshooting

  • Demonstrate knowledge of how to manage and troubleshoot a Junos Pulse Access Control Service environment, including the Junos Pulse Access Control Service and SRX Series devices
    • Logging
    • System Monitoring
    • File Management
    • Information collection
    • Component connectivity
    • End user connectivity and enforcement

High Availability

  • Describe the concepts and requirements for high availability in a Junos Pulse Access Control Service environment
    • Clustering
    • Deployment options and considerations
  • Configure high availability
    • Junos Pulse Access Control Service configuration
    • ScreenOS device configuration
    • SRX Series device configuration

Integration

  • Describe the concepts and requirements for Junos Pulse Access Control Service integration with other components
    • Integration with IF-MAP client
    • Integration with STRM
    • Integration with IDP
  • Configure integration
    • IF-MAP federation
    • Syslog
    • Sensors