Case 3:17-cv-05659-WHA Document 480-3 Filed 05/16/19 Page 1 of 4
EXHIBIT 2

JUNIPER

Authentication and Integrated User Firewalls
Feature Guide for Security Devices

Modified: 2017-08-02

Copyright © 2017, Juniper Networks, Inc.

JNPR-FNJN_29007 00009469

certificate with its own identity and signs this new certificate with its own public key
(provided as a part of the proxy profile configuration). When the client accepts such
a certificate, it sends a shared pre-master key encrypted with the public key on the
certificate. Because SSL proxy replaced the original key with its own key, it is able to
receive the shared pre-master key. Decryption and encryption take place in each
direction (client and server), and the keys are different for both encryption and
decryption.

Figure 1 depicts how SSL inspection (on an existing SRX Series IDP module) is
typically used to protect servers. SSL inspection requires access to the private keys
used by the servers so that the SRX Series device can decrypt the encrypted traffic.

Figure 1: SSL Inspection on an Existing SRX Series IDP Module

[Figure: diagram titled "SSL inspection". Labels: Untrust zone, Internet, SRX Series device (server private keys loaded on the SRX Series device), DMZ zone, Web servers.]

Figure 2 shows how SSL proxy works on an encrypted payload. When
application firewall (AppFW), Intrusion Detection and Prevention (IDP), or application
tracking (AppTrack) is configured, the SSL proxy acts as an SSL server by terminating
the SSL session from the client and establishing a new SSL session to the server. The
SRX Series device decrypts and then reencrypts all SSL proxy traffic. SSL proxy uses the
following:

  • SSL-T: SSL terminator on the client side.
  • SSL-I: SSL initiator on the server side.
  • Configured AppFW, IDP, or AppTrack services use the decrypted SSL sessions.

Chapter 3: Configuring Encrypted Files Using SSL Proxy

NOTE: If none of the services (AppFW, IDP, or AppTrack) are configured,
then SSL proxy services are bypassed even if an SSL proxy profile is
attached to a firewall policy.

NOTE: The IDP module will not perform its SSL inspection on a session if
SSL proxy is enabled for that session. That is, if both SSL inspection and
SSL proxy are enabled on a session, SSL proxy will always take precedence.

Figure 2: SSL Proxy on an Encrypted Payload

[Figure: diagram titled "SSL forward proxy". Labels: Untrust zone, Internet, SRX Series device ("Server keys are unknown, so the server certificate is modified by the SRX Series device"), Trust zone, Client.]

Perfect Forward Secrecy (PFS) is a feature of specific key agreement protocols that
provides assurances your session keys will not be compromised even if the private key
of the server is compromised. By generating a unique session key for every session flow
a user initiates, the compromise of a single session key will not affect any data other than
that exchanged in the specific session protected by that particular key. For PFS to function,
the key used to protect transmission of data must not be used to derive any additional
keys, and if the key used to protect transmission of data was derived from some other
keying material, that material must not be used to derive any further keys.

The ECDHE (Elliptic Curve DHE) cipher suites are used to enable PFS on SSL proxy.
ECDHE cipher suites are based on elliptic curve cryptography, which provides the same
level of security as RSA with smaller keys. SSL proxy is targeted to support only
ECDHE cipher suites, as they are less expensive computationally than DHE ciphers.
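
The PFS property above, contrasted with the private-key-based decryption that SSL inspection relies on, shown as an added example that is not taken from the Juniper guide. It uses a toy RSA key transport and a toy finite-field Diffie-Hellman exchange standing in for ECDHE; all function names and parameters are hypothetical and constructed for illustration, and the numbers are far too small for real cryptography.

```python
import hashlib
import secrets

# Constructed toy parameters (illustration only, far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537          # toy RSA primes and public exponent
N = P * Q                                      # server's long-term public modulus
D = pow(E, -1, (P - 1) * (Q - 1))              # server's long-term private exponent
DH_P, DH_G = 2**127 - 1, 3                     # toy DH group standing in for ECDHE


def kdf(secret: int) -> bytes:
    """Derive a 32-byte session key from a shared secret."""
    return hashlib.sha256(str(secret).encode()).digest()


def rsa_key_transport_session():
    """Client encrypts a pre-master secret to the server's long-term public key."""
    pre_master = secrets.randbelow(N - 2) + 2
    wire = {"encrypted_pre_master": pow(pre_master, E, N)}  # all a capture holds
    return kdf(pre_master), wire


def ephemeral_dh_session():
    """Each side uses a fresh private value per session; only public values are sent."""
    a = secrets.randbelow(DH_P - 3) + 2        # client ephemeral private value
    b = secrets.randbelow(DH_P - 3) + 2        # server ephemeral private value
    wire = {"client_pub": pow(DH_G, a, DH_P), "server_pub": pow(DH_G, b, DH_P)}
    shared = pow(wire["server_pub"], a, DH_P)  # equals pow(client_pub, b, DH_P)
    return kdf(shared), wire                   # a and b are discarded here


def recover_with_server_key(wire: dict, server_private: int):
    """Session key derivable from a capture by a holder of the long-term key."""
    if "encrypted_pre_master" in wire:
        return kdf(pow(wire["encrypted_pre_master"], server_private, N))
    # Nothing in a DH capture is encrypted under the long-term key, so the
    # long-term key alone yields no session key.
    return None


if __name__ == "__main__":
    for name, session in (("RSA key transport", rsa_key_transport_session),
                          ("ephemeral DH", ephemeral_dh_session)):
        key, wire = session()
        print(name, "recoverable:", recover_with_server_key(wire, D) == key)
```

With key transport, the long-term private key recovers the session key from a recorded exchange; with the ephemeral exchange it does not, which is why a device in the path has to terminate and re-originate such sessions to see their plaintext.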