
RSA Solution Brief

RSA & Juniper Networks


Securing Remote Access with SSL VPNs and Strong Authentication

The need to ensure that only authorized users are granted access is mission critical.
Businesses increasingly need to provide employees with easy and cost-effective mobile and remote access to corporate applications and resources. To provide true network security, the access method itself must be bulletproof, and controls must be put in place to manage the identity of the individual who is accessing network resources. The combination of secure socket layer (SSL) security and ease of deployment solutions with strong, two-factor authentication solutions allows organizations of all sizes to cost-effectively safeguard the corporate network while enabling easy remote access to authorized users. Juniper Networks and RSA provide a compelling, SSL-based virtual private network (VPN) and two-factor authentication security solution that is flexible, scalable and simple to administer so businesses can efficiently provide mobile and remote access to the enterprise while protecting information and applications.

I. Introduction
As organizations become more global in nature, the environment of today's worker is evolving from one of centralization and control to one of mobility and performance. The number of remote and mobile workers is on the rise, with the number of mobile workers in the U.S. alone reaching 103 million by 2008, and the following year the number of worldwide mobile workers reaching 878 million. With an increasing number of mobile and remote workers, a challenge for many of today's organizations is how to provide effective technology tools to maximize the productivity of remote and mobile workers while maintaining a high level of security for critical company information. Opening up access to the enterprise can bring risk to those organizations that do not implement precautions to safeguard valuable information. The spike in numbers, coupled with growing security challenges, increasingly complex mobile applications, and the strong demand for round-the-clock support, is leaving IT organizations in a bind. Most organizations have limited IT resources to manage a growing base of mobile workers, and oftentimes it is too complex to properly ensure that sensitive corporate information is adequately protected. Therefore, innovative technology solutions are required that integrate easily into existing infrastructure and provide end-user self-service remediation. This, in turn, simplifies the overall end-user experience and minimizes the need for ongoing technical support.

II. Remote Access Trends


In the not-too-distant past, information gathering was a function of time and resources. Today, a wealth of information is available to anyone with an Internet connection. The ubiquity of the Internet has leveled the playing field, allowing organizations of all sizes to compete successfully with one another. Secure remote access solutions now also leverage the Internet and allow organizations to achieve significant savings and productivity improvements over alternatives to Internet-based remote access, such as dedicated circuits and private telephone lines. Real-time remote and mobile access was formerly the exclusive domain of larger firms with the IT infrastructure, budget and resources to ensure security. With new, innovative solutions, however, companies of all sizes can now take advantage of the Internet for secure connectivity, such as using SSL-based Virtual Private Networks (VPNs). A VPN allows an organization to use a public network, such as the Internet, to send and receive private data in a secure and private manner. While the need for site-to-site connectivity is well served by IPSec VPNs, the more complex challenge for organizations is the high-touch endpoint management and dynamic access requirements of remote or mobile employees.

Total Cost of Ownership

The total cost of ownership can be defined as the acquisition cost plus the cost of usability and maintenance over time. As most organizations are cost-sensitive, the purchase price of a remote access VPN solution is a major consideration. Organizations also have to carefully evaluate the cost of usability and maintenance before selecting a secure VPN solution to ensure that the enterprise will not be burdened by excessive ongoing operational costs. The VPN solution needs to be supportable by existing resources, and it has to be easy for end-users to gain remote access, to ensure that the total cost of ownership (TCO) remains low and productivity high. Solutions that require users to install software on their PCs inevitably pose major support burdens on already constrained IT resources. Non-technical users demand a solution that is simple to use, and organizations often prefer to avoid the cost and hassles of installing client software, configuring it, teaching employees how to use it and supporting them when they encounter difficulties. Even as more and more organizations become increasingly tech savvy (relying on computers to connect with customers, track inventory or manage books), many cannot yet justify in-house IT support. Such staffing is required to deploy, install and configure an IPSec VPN for remote access for individuals. Desktop support must be available to work with mobile users in case of problems, including difficulties with Network Address Translation (NAT) issues and firewall or proxy traversal.

Security

Still another important consideration is security. An open IPSec VPN tunnel is also a path into the corporate LAN. The tunnel itself is encrypted and secure, but that security is rendered meaningless if one end of the connection is open to the outside world (split tunneling). Clearly, in the case of a site-to-site connection it is reasonable to assume that the VPN connection is between two known entities, but this is not the case with remote users tunneling into the LAN.
Today's remote access security concerns center around what can come in through the tunnel, taking advantage of VPN sessions often left open by users. For organizations, both large and small, even a minor security breach can mean anything from irreversible damage to brand reputation in the case of a larger organization, to the downfall of the business as a whole for a smaller company.

Another major security challenge is authenticating (proving the identity of) each user accessing the network. Passwords alone are insufficient for protecting the enterprise network. They are a source of frustration for end-users who are forced to remember complex passwords, and also for the business that has to bear the cost and lost productivity of password resets. A single-factor authentication system, like the use of passwords, provides insufficient protection for the needs of the enterprise. Two-factor authentication, consisting of something the user knows and something the user has, is essential for providing remote access to the enterprise network.

Passwords: not all they're cracked up to be

Studies continue to point to the ineffectiveness of passwords for securing enterprise information. For example, according to Forrester Research, when given the ability to do so, over 60 percent of users continuously use the same one or two passwords. Passwords are easily stolen, frequently guessed, easily cracked with freely available tools, costly to manage and often forgotten. End-user frustration with passwords is becoming an increasing concern. Users want a simpler and more consistent authentication method and, while they express frustration and management worries about weak security, the cost of managing these systems is escalating out of control. Time is wasted as employees try to remember their passwords. Productivity is hurt each time a user gets locked out and has to call into the enterprise for assistance. Supporting the overhead of these calls is expensive when you take into consideration the lost productivity of the employee and the expenses associated with responding to the user, either through internal IT personnel or outsourced IT service providers. This cost becomes considerable, particularly since, according to research firm Gartner, password reset requests and other user ID problems can account for 15 to 35 percent of all help desk call volume.


III. Remote Access Solution Criteria


In order to evaluate a remote access solution, an organization should consider the following areas of concern about mobile and remote access security solutions:

Functional Requirements
- Connects users to the resources they need
- Solves the specific problem the organization is purchasing the solution to solve
- Works with all organization applications
- Makes the end-user experience comprehensible by non-technical employees
- Requires minimal network reconfiguration
- Does not require a new application on the client computers

Total Cost of Ownership Considerations
- Purchase price
- Deployment cost
- Cost of any necessary hardware and software
- End-user training
- User help desk support / self-service remediation
- Day-to-day maintenance
- Leveragability (using a solution to solve multiple business problems)

Security
- Protects end-users, sensitive data, applications and servers
- Can encrypt data in transit
- Endpoint security compliance
- Integrates with policy enforcement, particularly on the client side
- Leverages any investment already made in security, such as the deployment of security policies or applications
- Easy-to-use by mobile, non-technical users
- Non-obtrusively integrates with existing AAA and other infrastructure solutions
- Delivers strong, two-factor authentication

Scalability
- Must meet remote access needs today
- Must scale to meet the remote access needs into the future

IV. Securing the Enterprise


Secure Socket Layer (SSL) VPNs take advantage not only of the Internet, but also of certain protocols intrinsic to its use. The SSL encryption protocol was originally developed for securing online financial transactions and is one of the foundations of web commerce. SSL is part of all standard web browsers, so the client software that initiates secure data transit is already on the end-user's device. Gartner has predicted that "By 2008, SSL VPN networks will be the primary remote-access method for more than two-thirds of business teleworking employees, more than three-quarters of contractors and more than 90% of casual employee access." [1] Instead of relying upon the end-user to have a configured client on a company laptop or home computer (which is the case with IPSec VPNs), SSL VPNs use the SSL/HTTPS protocol (inherent in all web browsers already) as a secure transport mechanism. The use of SSL solves a variety of problems associated with IPSec VPNs, because SSL:
- Does not need to be installed,
- Does not need to be configured on the client PC,
- Is readily available in standard web browsers, and
- Is familiar to most users, even those without a technical background.

[1] Gartner, Inc., "Magic Quadrant for SSL VPN, North America, 3Q06," by John Girard, December 27, 2006.

V. An Integrated Remote Access Solution for Organizations of All Sizes


Juniper Networks and RSA have worked closely together to offer a joint solution that helps allow organizations of all sizes to deploy SSL VPNs with strong, two-factor authentication. The SA appliance from Juniper comes in a wide variety of sizes, from SMB and SME, to large enterprise, and even carrier-class solutions. The SA provides a secure, cost-effective way to enable authorized users to remotely access the corporate network. It uses SSL to provide transport encryption so that remote or mobile users can gain instant access from a standard web browser. It requires no client-side software, no changes to servers, and no ongoing maintenance. Furthermore, it provides self-service remediation for end-users, and assurance that users are only able to access the data and resources the administrator defines. This level of granularity is second-to-none and offers the most innovative secure, remote access solution in the market.

You can deploy Juniper's SA centrally in conjunction with strong two-factor authentication solutions from RSA to provide secure remote access. Remote users enter something they know (their personal identification number, or PIN) and something they have (the constantly changing passcode on an RSA SecurID hardware or software authenticator). RSA offers flexible bundles and also offers an RSA SecurID Appliance that can be deployed centrally to further simplify management of the solution. The RSA Authentication Agent client software resides in the SA to enforce two-factor authentication via RSA Authentication Manager software. The SA appliance intermediates the client request and authenticates the user against the RSA Authentication Manager service. Access is granted only when the user has entered a valid RSA SecurID passcode; otherwise access is denied. Once authenticated, the authorization framework takes over, further limiting and restricting access to only those resources which are allowed.

This combined solution successfully addresses the challenges for enabling secure, cost-effective and scalable remote access. Organizations can empower workforce mobility and support both telecommuters and road warriors concurrently, using the same physical device. Productivity is increased by offering anywhere, anytime access and employees can respond faster to business demands by having ready access to secure network resources. This combined solution also helps organizations incorporate best practices for compliance with regulatory requirements for protecting information, such as HIPAA, GLBA, SOX, OCC, and more.

VI. SSL VPNs with Two-factor Authentication


The combined solution from Juniper and RSA provides major business advantages for organizations. Here you can see how this SSL VPN with two-factor authentication solution stacks up on the important business criteria established earlier in this paper.

Functional Requirements

Purpose-built for securing remote access. While IPSec VPNs have been used for years to provide remote access, they were actually designed to provide site-to-site connections. The Juniper SA was designed to provide secure access for remote or mobile employees; RSA's secure enterprise access solutions are proven in the marketplace for authenticating users to enterprise networks.

Flexible licensing options. Juniper offers 4 different models: SA700, SA2000, SA4000, and the SA6000/SP. The licensing has been specifically designed to accommodate organizations of 25 to 35,000 concurrent sessions. RSA's secure remote access solutions are an ideal match for any size organization, and both products offer the ability to scale efficiently as the business grows and adds more remote users.


Juniper Networks and RSA have worked closely to offer a joint solution that helps enable organizations of all sizes to deploy SSL VPNs with strong, two-factor authentication.
Compatible with all deployed applications. The Juniper SA offers a Layer 3 agent, delivered on the fly, to service any IP-based application. Network Connect provides complete network access without requiring any client software to be pre-installed, and uses standards-based protocols and encryption algorithms widely deployed worldwide. Remote users just enter their PIN and the constantly changing code on their RSA SecurID Authenticator into a standard web browser and gain network access as if their PCs were physically connected to the corporate network.

Easy-to-use by non-technical users. RSA offers RSA SecurID Authenticators in a wide variety of form factors, and also offers software-based authenticators that allow remote users to access the network using personal devices. Users no longer have to remember often incomprehensible passwords and can easily authenticate to the network and establish an encrypted tunnel via the SA using SSL.

Integrates with existing infrastructure. The Juniper SA is literally plug-and-play. It can be deployed in under an hour and requires no changes to the network infrastructure or servers. Most firewalls are already configured to permit traffic on port 443 (SSL), which eliminates the need for firewall configuration changes. The RSA enterprise access solution is easily integrated into existing security infrastructure and can leverage existing account databases so the organization can augment its security posture and enable secure remote access very quickly.

Total Cost of Ownership Considerations

Purchase price. The combined Juniper/RSA SSL-VPN with two-factor authentication solution is priced to accommodate the needs and budgets of any organization, large or small.

Day-to-day maintenance. The Juniper SA requires no day-to-day maintenance, and in fact, allows new users to gain VPN access without any changes. The RSA SecurID Authenticators avoid the cost and nuisance of resetting passwords, and provide far greater security.
End user training. Because the Juniper SA uses a simple web user interface and the SSL that most end users have already employed, there is no training required for end users. With this combined solution, users no longer have to remember obtuse, complicated passwords which they will most likely want to write down (a big no-no in the security world). Authorized users just key in their PINs and the current token code into a web browser and, once they are authenticated, can continue about their business.

User support. Most end user support for IPSec VPNs is caused by client configuration issues, ISP compatibility problems, NAT issues, or firewall or proxy traversal problems. The Juniper/RSA combined solution makes these headaches go away completely. With the Juniper SA, even complex business security policies can be enforced while educating users on why they didn't get in and what they need to do to perform self-help. This reduces the influx of calls to the help desk, and expedites compliance with business policies, enabling the user to quickly get back into their VPN session. With RSA's two-factor authentication solutions, you avoid the cost of supporting users who have lost or forgotten their passwords, and you establish a single identity per user that can be applied across multiple applications.

Cost in hours, hardware and software of adding a new remote employee. This is an easy way for most organizations to see the hidden costs of an IPSec VPN. The time and effort required to bring up each new user is a cost that cannot be leveraged over the deployment. With this combined solution, granting access to a new user is as simple as adding their name, credentials and access controls or leveraging existing user directories. No further configurations need to take place on the Juniper SA, and a simple user activation process can be quickly carried out in order to issue a new SecurID token.

Security

Data, user, and server protection. With the Juniper SA, all data is wiped after the session is terminated. Furthermore, any back-end application data, such as cookies and passwords, is stored on an encrypted drive within the SA, not on the end-user's PC. Furthermore, since the SA is a true reverse proxy, users do not have direct access to back-end web applications and services, further minimizing risk.

Encrypt data in transit. SSL uses strong encryption, and is a field-tested global standard for sensitive transactions. The Juniper SA offers a variety of ciphers and hashing algorithms which the administrator can define to further strengthen the tunnel encryption.

Integrate with policy enforcement. RSA SecurID authenticators ensure that the user trying to gain remote access is who he or she claims to be, so the SME can centrally define policies that are applied to user groups. Enforcing security policies is simple with the Juniper SA. The SA is fully compatible with all leading authentication methods and stores, and with this joint solution the organization can centrally manage access according to business policies.

Leverage existing investments in security. The Juniper SA is seamlessly compatible with RSA's two-factor authentication solutions. Organizations can leverage existing user account directories and endpoint security implementations while securing remote and mobile access to the enterprise.

Scalability

Meet remote access needs both today and tomorrow. This joint solution offered by RSA and Juniper cost-effectively scales to support fast growing organizations.
Because the Juniper SA is an application-layer device and does not require the deployment, installation, configuration or maintenance of client software, adding users is very easy. If you want to add the capability of more simultaneous users, it requires just a simple upgrade to the software license. And RSA's two-factor authentication solutions support cost-effective scalability so you can easily add new users as well, making the overall process very simple and concise.

SUMMARY
Juniper Networks and RSA provide a compelling security solution that is flexible, simple to administer and very robust. RSA's strong, two-factor authentication technology has been embraced by thousands of companies and is used by millions of users worldwide. The Juniper SA is a best-in-class SSL VPN appliance and has been proven by more than 10,000 customers worldwide. This combined solution scales to meet the needs of growing organizations and it dramatically lowers the cost of ownership for mobile and remote access. No client hardware is needed, no changes are required to servers and ongoing maintenance is minimized. The convenience of using RSA SecurID authentication technology with the Juniper SA allows organizations to deploy cost-effective SSL VPNs to connect offices and allow easy and secure access for mobile and remote users.

About Juniper Networks

Juniper Networks transforms the business of networking. A leading global provider of networking and security solutions, Juniper Networks maintains an intense focus on customers who derive strategic value from their networks. Its customers include major network operators, enterprises, healthcare, government agencies, and research and educational institutions globally. Juniper Networks delivers a portfolio of networking solutions that support the complex scale, security and performance of the world's most demanding mission-critical networks, including 24 of the world's top 25 service providers, 9 of the top 10 aerospace/defense companies, 50% of the Global Fortune 100, 40% of the Global Fortune 500, and 8 of the top 10 commercial banks (and that is just for SSL-VPN). For more information and to see Juniper's other network/security products, please visit www.juniper.net.


RSA is your trusted partner


RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance. RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

2005-2007 RSA Security Inc. All Rights Reserved. RSA, SecurID and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Remote Access 500 and Network Connect are trademarks of Juniper Networks Inc. All other products and services mentioned are trademarks of their respective companies.

JNP SB 0307
