
Unified Access Control Overview

A Unified Access Control (UAC) deployment uses the following components to secure a network and ensure that only qualified end users can access protected resources:

An SRX Series or J Series device can act as an Infranet Enforcer in a UAC network. Specifically, it acts as a Layer 3 enforcement point, controlling access by using IP-based policies pushed down from the Infranet Controller. When deployed in a UAC network, an SRX Series or J Series device is called a JUNOS Enforcer.

Figure 42: Integrating a JUNOS Security Device into a Unified Access Control Network


This topic includes the following information about deploying an SRX Series or J Series device as a JUNOS Enforcer in a UAC network:

Communications Between the JUNOS Enforcer and the Infranet Controller

When you configure an SRX Series or J Series device to connect to an Infranet Controller through the JUNOS CLI, the SRX Series or J Series device and the Infranet Controller establish secure communications as follows:

  1. The Infranet Controller presents its server certificate to the SRX Series or J Series device. If configured to do so, the SRX Series or J Series device verifies the certificate. (Server certificate verification is not required; however, as an extra security measure you can verify the certificate to implement an additional layer of trust.)
  2. The SRX Series or J Series device and the Infranet Controller perform mutual authentication using the proprietary challenge-response authentication. For security reasons, the password is not included in the message sent to the Infranet Controller.
  3. After successfully authenticating the SRX Series or J Series device, the Infranet Controller sends it user authentication and resource access policy information. The SRX Series or J Series device uses this information to act as the JUNOS Enforcer in the UAC network.
  4. Thereafter, the Infranet Controller and the JUNOS Enforcer can communicate freely with one another over the SSL connection. The communications are controlled by a proprietary protocol called JUNOS UAC Enforcer Protocol (JUEP).

JUNOS Enforcer Policy Enforcement

Once the SRX Series or J Series device has successfully established itself as the JUNOS Enforcer, it secures traffic as follows:

  1. First, the JUNOS Enforcer uses the appropriate JUNOS security policy to process the traffic. A security policy uses criteria such as the traffic’s source IP address or the time of day that the traffic was received to determine whether or not the traffic should be allowed to pass. (For more information about security policies, see Security Policies.)

    Note: IPsec is currently not supported in JUNOS-Unified Access Control (UAC) deployments. As such, you should use IP-based security policies.

  2. Once it determines that the traffic may pass based on the JUNOS security policy, the JUNOS Enforcer maps the traffic flow to an authentication table entry. The JUNOS Enforcer uses the source IP address of the first packet in the flow to create the mapping.

    An authentication table entry contains the source IP address and user role(s) of a user who has already successfully established a UAC session. A user role identifies a group of users based on criteria such as type (for instance, “Engineering” or “Marketing”) or status (for instance, “Antivirus Running”). The JUNOS Enforcer determines whether to allow or deny the traffic to pass based on the authentication results stored in the appropriate authentication table entry. (For more information about authentication tables and user roles, see the Unified Access Control Administration Guide.)

    The Infranet Controller pushes authentication table entries to the JUNOS Enforcer when the devices first connect to one another (as explained in Communications Between the JUNOS Enforcer and the Infranet Controller) and as necessary throughout the session. For example, the Infranet Controller might push updated authentication table entries to the JUNOS Enforcer when the user’s computer becomes noncompliant with endpoint security policies, when you change the configuration of a user’s role, or when you disable all user accounts on the Infranet Controller in response to a security problem such as a virus on the network.

    If the JUNOS Enforcer drops a packet due to a missing authentication table entry, the device sends a message to the Infranet Controller, which in turn may provision a new authentication table entry and send it to the JUNOS Enforcer. This process is called dynamic authentication table provisioning.

    To display a summary of the authentication table entries configured from the Infranet Controller, use the show services unified-access-control authentication-table command.

  3. Once it determines that the traffic may pass based on the authentication table entries, the JUNOS Enforcer maps the flow to a resource. The JUNOS Enforcer uses the destination IP address specified in the flow to create the mapping. Then the device uses that resource as well as the user role specified in the authentication table entry to map the flow to a resource access policy.

    A resource access policy specifies a particular resource to which you want to control access based on user role. For instance, you might create a resource access policy that only allows users who are members of the “Engineering” and “Antivirus Running” user roles access to the “Engineering-Only” server. Or you might create a resource access policy that allows members of the “No Antivirus Running” user role access to the “Remediation” server where antivirus software is available for download. (For more information about resource access policies, see the Unified Access Control Administration Guide.)

    The Infranet Controller pushes resource access policies to the JUNOS Enforcer when the devices first connect to one another (as explained in Communications Between the JUNOS Enforcer and the Infranet Controller) and when you modify your resource access policy configurations on the Infranet Controller.

    If the JUNOS Enforcer drops the packet due to a “deny” policy, the JUNOS Enforcer sends a message to the Infranet Controller, which in turn sends a message to the endpoint’s Odyssey Access Client (if available). (The Infranet Controller does not send “deny” messages to the “agentless” client.)

    To display a summary of UAC resource access policies configured from the Infranet Controller, use the show services unified-access-control policies command.

  4. Once it determines that the traffic may pass based on the resource access policies, the JUNOS Enforcer processes the traffic using the remaining application services defined in the JUNOS policy. The JUNOS Enforcer runs the remaining services in the following order: Intrusion Detection and Prevention (IDP), URL filtering, and Application Layer Gateways (ALGs).
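The four-step enforcement sequence above, modelled as an added Python example (not JUNOS code and not from this guide); the addresses, role names, the allowed source subnet and the rule that a multi-role policy requires the session to hold all listed roles are assumptions made for the illustration:

```python
from ipaddress import ip_address, ip_network

# Constructed sample state standing in for what the Infranet Controller pushes
# to the JUNOS Enforcer; all addresses and role names are illustrative.
AUTH_TABLE = {                       # source IP -> roles of the UAC session
    "10.0.1.10": {"Engineering", "Antivirus Running"},
    "10.0.1.11": {"Engineering", "No Antivirus Running"},
}
RESOURCE_POLICIES = [                # (resource, roles required, action)
    ("192.168.50.5/32", {"Engineering", "Antivirus Running"}, "allow"),  # Engineering-Only
    ("192.168.60.5/32", {"No Antivirus Running"}, "allow"),              # Remediation
]
SECURITY_POLICY_SOURCES = [ip_network("10.0.1.0/24")]   # JUNOS security policy (step 1)


def enforce(src, dst, auth_table=AUTH_TABLE, policies=RESOURCE_POLICIES):
    """Classify the first packet of a flow.

    Returns (verdict, event) where event names the message the Enforcer would
    send to the Infranet Controller, or None when nothing is sent.
    """
    # Step 1: the JUNOS security policy decides whether the flow is eligible
    # for UAC processing at all (here: source must sit in an allowed subnet).
    if not any(ip_address(src) in net for net in SECURITY_POLICY_SOURCES):
        return "drop", None
    # Step 2: map the flow to an authentication table entry by source IP.
    roles = auth_table.get(src)
    if roles is None:
        # Missing entry: drop, and ask the Infranet Controller to provision
        # one (dynamic authentication table provisioning).
        return "drop", "request-auth-entry"
    # Step 3: map the destination to a resource, then to a resource access
    # policy by user role. Assumption: a policy listing several roles
    # requires the session to hold all of them, as in the text's example.
    for resource, required_roles, action in policies:
        if ip_address(dst) in ip_network(resource):
            if required_roles <= roles and action == "allow":
                return "allow", None
            # A "deny" is reported so the controller can notify the
            # Odyssey Access Client on the endpoint.
            return "deny", "notify-client"
    # Assumption: a destination covered by no resource access policy is denied.
    return "deny", "notify-client"
```

Step 4 (IDP, URL filtering, ALGs) is not modelled; it would run only on flows that return "allow".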

Communications Between the JUNOS Enforcer and a Cluster of Infranet Controllers

You can configure a JUNOS Enforcer to work with more than one Infranet Controller in a high availability configuration known as an Infranet Controller cluster. The JUNOS Enforcer communicates with only one Infranet Controller at a time; the other Infranet Controllers are used for failover. If the JUNOS Enforcer cannot connect to the first Infranet Controller you added to a cluster, it tries to connect to the failed Infranet Controller again. Then it fails over to the other Infranet Controllers in the cluster. It continues trying to connect to Infranet Controllers in the cluster until a connection occurs.

When the JUNOS Enforcer cannot establish a connection to an Infranet Controller, it preserves all its existing authentication table entries and Unified Access Control (UAC) policies and takes the timeout action that you specify. Timeout actions include:

Once the JUNOS Enforcer is able to reestablish a connection to an Infranet Controller, the Infranet Controller compares the authentication table entries and UAC policies stored on the JUNOS Enforcer with the authentication table entries and policies stored on the Infranet Controller and reconciles the two as required.

The Infranet Controllers configured on a JUNOS Enforcer should all be members of the same Infranet Controller cluster.

Communications Between the JUNOS Enforcer and the Infranet Agent

An Infranet Agent helps you secure traffic on your network starting with the endpoints that initiate communications as follows:

  1. The Infranet Agent, which runs directly on the endpoint, checks that the endpoint is compliant with your Unified Access Control (UAC) Host Checker policies. You can use a wide variety of criteria within a UAC Host Checker policy to determine compliance. For example, you can configure the Host Checker policy to confirm that the endpoint is running antivirus software or a firewall or that the endpoint is not running specific types of malware or processes.
  2. The Infranet Agent transmits the compliance information to the JUNOS Enforcer.
  3. The JUNOS Enforcer allows or denies the endpoint access to the resources on your network based on the Host Checker compliance results.

Because the Infranet Agent runs directly on the endpoint, you can use the Infranet Agent to check the endpoint for security compliance at any time. For instance, when a user tries to sign into the Infranet Controller, you can require the Infranet Agent to send compliance results immediately—the user will not even see the sign-in page until the Infranet Agent returns positive compliance results to the Infranet Controller. You can also configure the Infranet Agent to check for compliance after the user signs in or periodically during the user session. For more information about the Infranet Agent, see the Unified Access Control Administration Guide.

To integrate the Infranet Agent into a JUNOS-UAC deployment, no special configuration is required on the JUNOS Enforcer. You simply need to create IP-based security policies enabling access to the appropriate endpoints as you would for any other JUNOS-UAC deployment. (For more information, see JUNOS Enforcer Policy Enforcement.) If the endpoints running the Infranet Agent have appropriate access, they will automatically send their compliance results to the Infranet Controller and the Infranet Controller will update the authentication table entries accordingly and push them to the JUNOS Enforcer. The JUNOS Enforcer supports connections with the Odyssey Access Client and “agentless” Infranet Agents.
