| Terms | Definitions |
|
Describe Network Connect.
|
Creates a Virtual Network Adapter with an IP Address from the internal network.
Attempts to use IPSec, then falls back to SSL
Can be integrated with the Graphical Identification and Authorization (GINA) module in Windows, allowing the user to log into the corporate network at the same time they log into Windows
Can be deployed with Java or ActiveX, supporting Windows, Linux, and Mac
Offers the least logging (none) compared to SAM and Core Access
|
|
What interface is supported for initial configuration of the IVE? What are its settings?
|
Menu driven setup over serial console and terminal emulation software
9600 baud, 8 data bits, 1 stop bit, and no flow control
|
|
Identify the two IVE product families Juniper offers and list the products in each.
Identify the major difference between the product families.
|
Juniper Networks Secure Access
SA 700, SA 2000, SA 4000, SA 6000, and SA 6000 SP
NetScreen-SA
NS-SA 1000, NS-SA 3000, NS-SA 5000
The NetScreen-SA line was acquired from NetScreen in April 2004
The Secure Access line is Juniper's newest offering
|
|
Identify the most commonly used standards for asymmetric and symmetric encryption in SSL.
|
RSA is used for asymmetric.
3DES or AES is used for symmetric
|
|
Describe the SA 6000-SP
|
Industry's first SSL VPN platform with virtualization
Enables Service Providers to deliver SSL VPN services to multiple enterprises
|
|
Which trusted industry organizations certify the IVE platform?
What industry security certifications does Juniper hold?
|
iSec Partners
Cybertrust
TruSecure
VPNC
FIPS
ICSA Labs
Only vendor in the queue for Common Criteria
|
|
List the competitive weaknesses of the Nortel product line
|
Entered the market after the acquisition of Alteon in 2003
Core market is service providers
Strength is GUI flexibility
|
|
What are the three types of Authentication?
|
Pre-Authentication
User Roles
Resource Policies
|
|
Describe how SSL sets up a secure session.
|
Client requests the channel through the https:// prefix.
Server transfers its X.509 certificate containing its public key
The client uses the public key to encrypt a symmetric key which will be used for the remainder of the session
|
|
Describe the difference between symmetric and asymmetric encryption.
|
Symmetric encryption uses the same key to encode and decode the data.
Asymmetric encryption uses a pair of keys (Public and Private) to encode and decode the data.
|
|
List the competitive weaknesses of the Aventail product line
|
Immature appliance due to its non-hardened use of the Linux OS and software; susceptible to Apache-based attacks.
Web file access has PHP3 bugs
Difficult to deploy, use, and manage
Aventail Connect uses a Win32 SOCKS5 client and requires installation and a reboot on each PC.
No support for Windows authentication such as Kerberos or NTLM
Provides only standard web access, using an ActiveX port forwarder that requires admin rights on Windows.
|
|
List the competitive weaknesses of Citrix's product line.
|
Server-based computing company recently entering the security market with the acquisitions of Net6 in late 2004 and NetScaler in mid 2005.
Weaker access options, poor endpoint security, poor management
|
|
Define Pre-Authentication. What are the qualifications which fall under pre-authentication?
|
Defines checks which are run before a user is prompted for credentials
Qualifications include:
Source IP address
Whether the system is running current antivirus and firewall software
Browser settings
Results of the host checker process
Number of concurrent users and password length
|
|
How is the administrator web site accessed? What is special about the administrator page?
|
Access is available over http, located at the IP Address of the IVE, and the word admin is located in the URL
There is a note on the screen which confirms the administrator login page
|
|
How can users be mapped to roles?
|
Based on the user name
LDAP group membership
RADIUS (simplest and easiest to configure)
|
|
Describe the functionality of the Cache Cleaner.
|
Used to remove residual data to prevent subsequent users from finding temporary copies of files:
Temporary files
Application Caches
Browser History
|
|
Up to how many LDAP servers can be used for Authentication/Authorization? What are the appropriate settings to use for Active Directory?
|
Three
Specify the "Admin DN" as "cn=Administrator,cn=Users, dc=domain, dc=com", and type in the password
Under "Finding user entries"
Use the root of the domain as the "Base DN"
The user filter should be set to "samAccountName=<USER>"
Under "Determining group membership"
Use the root of the domain as the "Base DN"
Set the "Filter" to "CN=<GROUPNAME>"
Set the "Member Attribute" to "member"
|
|
What is FIPS?
Which products comply with FIPS certification?
|
FIPS stands for Federal Information Processing Standard.
NetScreen-SA 4000 and 6000 are FIPS certified
|
|
What are the components of the Juniper Endpoint Defense Initiative?
|
Cache Cleaner
Host Checker (Native Host Check)
Host Checker Client Interface (Host Checker API)
Host Checker Server Integration Interface
|
|
List the steps required to add a new Active Directory or Windows NT authentication server. Can this server be used for authorization?
|
Select "Signing in" from the left navigation bar
Select "Active Directory/ Windows NT" from the server type selection box.
Type in the addresses of the two domain controllers and the name of the domain.
The servers cannot be used for authorization without defining an LDAP server.
|
|
What is the difference between roles and resource policies?
|
Roles are evaluated when the user logs in
Resource policies are checked when the resource is accessed
|
|
Describe core access
|
Provided through the browser
Provides access to all internal web sites and applications which provide web interfaces, including OWA
Internal resources are never accessed directly by the client
Allows the most detailed level of auditing and logging of any access method
Can be used to present file shares, telnet sessions, and terminal services
Supports complex Java, JavaScript, and Flash
|
|
Describe the feature set of the Secure Access Product Line 700, 2000, 4000, 6000
|
SA 700 (Small Medium Enterprises)
10 to 25 concurrent users
Network Connect
SA 2000 (Medium Enterprise)
25 to 100 concurrent users
SAM/Network Connect
Secure Meeting
Advanced with CM
Cluster Pairs
SA 4000 (Medium - Large Enterprise)
50 to 1000 concurrent users
SAM/Network Connect
Secure Meeting
Advanced with CM
Instant Virtual System
SSL Acceleration
Cluster Pairs
SA 6000 (Large Global Enterprise)
100 to 2500 concurrent users
SAM/Network Connect
Secure Meeting
Advanced with CM
Instant Virtual System
GBIC
SSL Acceleration
Multi-Unit Clusters
|
|
Briefly describe the Juniper SPG.
|
SPG = Secure Products Group
Market leader since the acquisition of NetScreen
Unique because they seek out security reviews of the IVE (Instant Virtual Extranet) Platform
Market Leader because of their purpose built application security gateway
|
|
How is a new realm created? What must be done after the realm is created?
|
Type in a name for the realm
Select an LDAP server for both Authentication and Authorization
A new role must be created
A Role Map is defined for existing groups in the LDAP server to Roles.
|
|
Define the authorization flow of the IVE objects.
|
User attempts to access the IVE URL
Pre-authentication authorization rules are checked to see which realms are available to the user
User is presented with a login page based on which realms are available to the user
User is authenticated, then mapped to roles defined in the realm.
This determines the final window presented to the user.
Whenever the user tries to access a resource, the corresponding resource policy is checked for appropriate access.
|
|
List the settings which are configured during the initial configuration.
|
IP Address
Netmask
Default Gateway
DNS
Domain
Default SSL certificate
Administrator credentials
|
|
How do user roles define what the user will have access to?
|
Whether the user will have access to JSAM, WSAM, or NC.
Controls the settings of Core Access
Define applications for SAM, and the NC address
Are defined as separate objects and not part of a Realm
|
|
Describe the security features of the IVE platform design.
|
The file system is encrypted using AES
Ensures the data and proprietary information is protected in case of theft
Protects any user account information stored by the system
The OS has been hardened; additional network services have been removed.
Services are specialized and not vulnerable to common vulnerabilities
Access to the OS has been restricted by the User Interface
Certification by trusted industry organizations
|
|
What are the two methods for secure access?
What component provides the VPN technology?
Which method is the best for VPN and why?
|
SSL and IPSec
Network Connect provides the VPN technology
IPSec is the preferred method because it was built to support multiple protocols. SSL can only be used to tunnel between one client and the network and is not supported for site-to-site VPNs
|
|
Describe the Host Check Server Integration Interface.
|
API allowing integration of a JEDI compliant system with the IVE
Prompt Host Checker to run third party software on the client
Host Integrity Scans
Malware detectors
Specify with granularity what the Host Checker should do based on results. You can dynamically map users based on policies to:
Realms
Roles
Resources
|
|
Describe SAM
|
Captures only certain application traffic and forwards it to the IVE.
Suffers from less sophisticated logging than Core Access, but is more granular than Network Connect.
Deployed with the Java Secure Application Manager (JSAM) or with the ActiveX Secure Application Manager (WSAM).
JSAM forwards traffic based on TCP port, and WSAM forwards traffic based on the application executable.
JSAM needs access to the hosts table. On NTFS, this requires administrative access. On Linux, this requires root level access.
Does not support applications in which the server initiates the communication.
|
|
What is the corporate reason SSL VPNs are preferable over IPSec VPNs?
|
IPSec VPNs were costly and hard to set up
|
|
What is the function of the Realm?
|
The Realm connects the Authentication Servers with the access given to the user when they log in
Many organizations only need one Realm
|
|
List the competitive weaknesses of F5's security line.
|
Strength lies in load balancing and traffic management
Many security holes exist, including Apache, weak endpoint security, and a built-in virtual desktop with many known exploits.
Management, granular control, and network configuration changes are limited.
Performance problems with high performance applications such as VoIP.
|
|
Describe the process of setting up an IPSec connection.
|
Uses Internet Key Exchange (IKE). IKE uses two phases.
Phase I: Uses UDP port 500
An X.509 certificate is used, or a pre-shared key
Diffie-Hellman (asymmetric) is used to transfer the information
Phase II: Exchange of information about what networks will communicate over the tunnel
No equivalent in SSL
|
|
What features does the TLS handshake protocol provide?
What does the TLS record protocol provide?
|
The TLS handshake protocol provides the following features:
Peer identity verification
Uses public/private key cryptography
Standard key negotiation
The TLS record protocol provides:
Privacy via symmetric encryption (DES, RC4)
Keys generated during the TLS handshake
Reliability via HMAC mechanisms (SHA, MD5)
|
|
Describe the Host Checker and the remediation actions that can be taken.
What functionality does the Host Checker API provide?
|
The Host Checker provides the ability to examine processes, services, and files on the client computer and use that information to determine how the intranet is accessed.
Remediation Actions include:
Redirection of the user to a custom page describing how to fix the problem
Evaluation of an alternate policy
Killing a process or deleting a file on the client system
Allows third party personal firewall and AV programs to communicate their status to the Host Checker
|
|
List the competitive weaknesses of the Cisco product line.
|
Performance problems supporting 100 concurrent users on any model; mixed-mode IPSec/SSL supports a maximum of 50 users
Low-end hardware platforms (VPN 3000 Series)
Can take days to weeks to set up
No Java rewriting, little JavaScript support, no VBScript, no Flash support
No WSAM equivalent, no "true" application support, and no MD5 app checking
No features like NC, and cannot support UDP/ICMP
|
|
Describe the NetScreen Secure Access Product Line
|
Targeted to small to medium (1000), medium to large (3000), and large enterprises (5000)
Offers scalability options and provides headroom for user growth and application complexity
Offers High Availability Clustering Options with Stateful System Peering, Active/Passive, and Active/Active configurations
Replication provides for Multi-Site clusters and high user volume
|
|
Define IPSec and describe its use in VPNs.
What is the most significant difference between IPSec and SSL for VPNs?
|
Network layer protocol implemented to provide secure channels across the internet
Designed to carry any IP traffic from many users through a single tunnel.
It is highly efficient and requires less network overhead than SSL
SSL can only be used to tunnel between a single user and a server
|
|
What is X.509 and what information does the protocol transfer?
|
X.509 is a standard which defines how asymmetric keys should be packaged:
Public Key
Key owner
Expiration date
Name of organization which issued the key
Allowable uses of the key
Digital signature enabling the client to verify key and certificate holder integrity
|
|
Identify the 5 types of authentication which the IVE products support.
|
Internal authentication uses a database stored within the IVE device.
External Authentication can use 4 industry defined mechanisms:
NTLM for Windows NT, and Kerberos for Windows 2000 and above
LDAP provider
RADIUS provider
SecurID for two-factor authentication
|
|
Define Authorization and describe how realms are related to the authorization process.
|
Specifies what actions a user can perform
Is based on some aspect of the user
Realms provide associations to authentication servers, user roles, and pre-authentication options.
|
|
Broadly categorize the security strengths of the IVE.
|
Design of the Platform
Security implemented at the client in addition to the server
Certification by trusted industry organizations
|