Secure Remote Access with Comprehensive Client Certificate Management

Transcription

1 APPLICATION NOTE SA Series SSL VPN Appliances and MultiFactor SecureAuth Solution Secure Remote Access with Comprehensive Client Certificate Management Copyright 2009, Juniper Networks, Inc. 1

2 Table of Contents Introduction...3 Scope...3 Description and Deployment Scenario...3 Initial Redirect Setup... 4 Enrollment Automation Configuration... 5 Post Enrollment Redirect... 6 Certificate Authentication... 6 Dual-Authentication Options... 6 Summary...7 About Juniper Networks Copyright 2009, Juniper Networks, Inc.

3 Introduction Juniper Networks provides the industry s leading SSL VPN solution for secure, anytime, anywhere remote access. Broad support for all clients, including mobile, with extensive support for public key infrastructure (PKI)-based authentication helps customers increase security and decrease risk. MultiFactor, the leader in Web application security solutions, provides SecureAuth, a comprehensive certificate management solution for client X.509 certificate authentication, including enrollment, backend directory integration, and complete X.509 certificate life cycle management. Together, these products enable customers to deploy client certificates with reduced total cost of ownership. By minimizing management costs and automating the provisioning and self-service costs, customers can deploy client certificates on a global scale, without impacting the bottom line. Scope This document provides the specific steps required to configure MultiFactor SecureAuth, which is a two-factor X.509-based authentication solution, with Juniper Networks SA Series SSL VPN Appliances. Design Considerations Hardware Requirements Juniper Networks SA Series SSL VPN Appliance MultiFactor SecureAuth Appliance Software Requirements None Description and Deployment Scenario The power of this solution begins when a user needs to access protected resources. In this scenario, the level of trust needs to be increased in order to adequately identify and trust this end user. First, enrollment is mandated, with the user going through a self-service enrollment process courtesy of MultiFactor s SecureAuth appliance. Accessed through the SSL VPN proxy mode, this enrollment process begins by authenticating and identifying the user with a configured backend directory such as Active Directory. Next, SecureAuth invokes its component which comes down from the client side to do a certificate signing request (CSR) and private key generation. SecureAuth then takes the CSR, gets it signed with its configured certificate authority (CA), and installs the newly signed X.509 certificate into the user s local certificate store. At this point, portals and VPN solutions like the SA Series can honor the certificate as authentication and identification for that user. This is done by using certificate-based authentication on the SA Series SSL VPN appliance. The SA Series can also enforce additional policies at this time, such as X.509 attribute checking (against a backend directory) or perhaps endpoint security posture interrogation via Host Checker. Secondary authentication can also be configured to require the X.509 certificate and also a domain password credential. The SecureAuth device also manages the X.509 certificate life cycle by issuing certificates with configurable life spans, re-issuing and automating the provisioning of new certificates as they are needed. SSL VPN SecureAuth User Directory (e.g. AD) Figure 1: SA Series SSL VPN and MultiFactor SecureAuth solution Copyright 2009, Juniper Networks, Inc. 3

4 Initial Redirect Setup In order to prompt unenrolled users to get them enrolled and issue a client certificate, SA Series SSL VPN Appliances can automatically detect this posture when a user attempts to log in and redirect them. This is done using two Instant Virtual Extranet (IVE) components. The first component uses the customizable sign-in page framework. By configuring a sign-in URL and a custom sign-in page, administrators can upload their own.zip file to the IVE to have it used for the pre-authentication login pages. In this case, the SSL.thtml (SSL error page) and LoginPage.thtml (standard login page for CA and more) are modified. Since the need here is to redirect the user upon failed CA, a refresh/redirect HTML tag must be added in the correct location for these files. The redirect HTML tag which needs to be added is: <meta http-equiv= refresh content= 0;url= anonymous >, where IVE.COM is the hostname/ip of the IVE and /anonymous corresponds to an anonymous sign-in URL (and realm) which also must be configured. The actual URL can be anything, but */anonymous seems to work nicely. Figure 2: LoginPage.thtml (based on IVE 6.2R1 sample.zip) 4 Copyright 2009, Juniper Networks, Inc.

5 Figure 3: SSL.thtml (based on IVE 6.2R1 sample.zip) Once these files have been properly modified, they are put back into the.zip file and uploaded as the new custom sign-in page for that sign-in policy (e.g., the default */ or some other customized URL/hostname). Back on the IVE, a new role (and corresponding role mapping rule) must be added for that realm to map anonymous users into. The role should be web-enabled, but needs nothing else. One bookmark should be created for the following URL, but more importantly, the role s UI option should be set to use a Custom Start Page which points to the URL: Ideally, this role will also have proper access control lists (ACLs) limiting what a user can access, and also reduced idle and maximum session timers. Note: See the SecureAuth Configuration Guide for more information on properly forming this link. Enrollment Automation Configuration SecureAuth enables simple, low maintenance certificate services by tying directly into your existing user data store and integrating tightly into the functions of the SA Series SSL VPN Appliances. Key components of the SecureAuth configuration are directory access and registration methods, and these are configured through the SecureAuth Administrative User Interface. Please see the SecureAuth Configuration Guide for details. Copyright 2009, Juniper Networks, Inc. 5

6 Post Enrollment Redirect The post enrollment redirect URL provides a pointer back to the SA Series SSL VPN appliance so that a newly enrolled system can resubmit credentials and map to an access policy. The URL is that of the IVE access policy, and is configured in the SecureAuth Administrative User Interface. Please see the SecureAuth Configuration Guide for details. Certificate Authentication Certificate-based authentication on the IVE is actually quite simple. First, the administrator creates a new Auth Server for certificate authentication. There is only one option here, which is how to identify the user once they are authenticated. Typically, the <certdn.cn> is used, as the CN commonly contains the username. This is ultimately the value which will be mapped into that user s <user> variable to track user sessions, and also can be used later for policy definition, if needed. Next, the certificate server is mapped to a realm which is mapped to the sign-in page (e.g., */, not */anonymous). A role or multiple roles are then set up as desired for remote access, and associated role mapping rules can be configured as well. Lastly, in order to trust client certificates for authentication, an issuing or root CA certification (or certifications) must be uploaded to the IVE, under Configuration > Certificates > Trusted Client CAs. These may be configured for client authentication (or not), and optionally, certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) checking may be enabled here as well. Figure 4: Configuration screen to upload certificates As you upload CA Certificates here, you will also see chains form if you have any separate intermediate/root CA configurations. Dual-Authentication Options In some cases, you may want to require a second form of authentication such as a domain password, in addition to the X.509 client certificate. This is done on the SA Series SSL VPN appliance by using Secondary Authentication. This is configured in the realm, and can be a variety of popular authentication services, for example Lightweight Directory Access Protocol (LDAP). The user name field can even be populated in advance for this scenario, and can include the certificate s CN field by using the attribute variable <certdn.cn>. With secondary authentication enabled, the IVE can also now validate the user s credentials (user name from the certificate and provided password) against the backend directory/store. Additional authorization can also occur here (e.g., group membership for role mapping). 6 Copyright 2009, Juniper Networks, Inc.

7 Figure 5: Authentication screen on SA Series SSL VPN Summary Instant access to , contacts, and the intranet are all critical elements of any successful company. Equally important are the flexibility, mobility, and security of these network-based communications. Juniper Networks SA Series SSL VPN Appliances have demonstrated support for the applications and access that enterprises require in today s global business environment. With deep platform support for Mac OS, Linux, Windows, and beyond, the SA Series has become a critical foundation for securing many of today s business critical technologies. Flexible solutions like the SA Series with SecureAuth help keep a mobile enterprise empowered, enabled, and working more efficiently. These are all key benefits that Juniper s high-performance customers have grown to depend upon. About Juniper Networks Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at Corporate and Sales Headquarters APAC Headquarters EMEA Headquarters To purchase Juniper Networks solutions, Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: Juniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King s Road Taikoo Shing, Hong Kong Phone: Fax: Juniper Networks Ireland Airside Business Park Swords, County Dublin, Ireland Phone: EMEA Sales: Fax: please contact your Juniper Networks representative at or authorized reseller. Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice EN Dec 2009 Printed on recycled paper Copyright 2009, Juniper Networks, Inc. 7