RealTime IT News

Juniper Gets Ready to Roll UAC 2.0

Network Access Control (NAC) is quickly becoming a generic term for a wide swath of network access control technologies from various vendors.

It's important to note that NAC as a technology is a term used by Cisco for its product.

Rather than fall in line with the generic, Cisco's lead rival, Juniper Networks, is pushing its own term for access control, which it has dubbed Unified Access Control or UAC for short.

Juniper is planning on using next week's Interop trade show in New York as a showcase for its next-generation UAC 2.0 initiative.

Karthik Krishnan, Juniper Networks' UAC product manager, explained to internetnews.com that Juniper originally announced UAC late last year.

Currently UAC is in version 1.2, which is what Juniper will be showing in its booth, while the next-generation 2.0 will be showcased at the InteropLabs demo, which itself is a showcase of networking technologies.

The existing UAC 1.2 solution is comprised of Juniper Infranet controllers, which were released last October.

The UAC 2.0 solution will bolt on the new 802.1x technologies that Juniper gained with its acquisition of Funk Software. The 802.1x IEEE standard provides for port-based security.

"What this really provides us with is the ability to provide access control across the entire duration of a user's access to the network," Krishnan explained.

"Prior to them even getting an IP address it provides the ability to validate the end point and the ability to validate the user identity and allow them onto the network."

Once users are on a network, they can take advantage of the existing functionality in Juniper's infrastructure products to provide controlled access to resources and applications in a very granular format.

Juniper's UAC is also supporting at least two of the Trusted Network Connect (TNC) standards. TNC is an effort to provide open standards for access control. Krishnan noted that there are two TNC specifications that are relevant to UAC, which Juniper supports.

"The first thing is just using RADIUS assignments for VLAN attributes across heterogeneous networks," Krishnan explained.

"So by supporting the TNC specification, we are able to use the Infranet controller to set standard allow/deny decisions on any vendor's 802.1x switch or access point."

The ability to allow customers to leverage their existing infrastructures is a critical element of UAC, according to Krishnan. In his view, customers don't want to necessarily change to a single vendor solution just to make network control happen.

The other key TNC specification is one for endpoint solutions to plug into an access control framework.

The net effect of the TNC endpoint spec is that any endpoint solution, regardless of whether it's patch management or antivirus, will have the ability to write to a single set of APIs and be able to leverage that against all of the NAC solutions.

Network access control solutions recently came under fire at the Black Hat conference in Las Vegas, where Ofir Arkin, CTO of security research firm Insightix, explained how easy it was to bypass many non-802.1x NAC-type solutions.

"We've taken a lot of pains to make sure the solution is secure and that it can't be bypassed," Krishnan said.

One of those "pains" is to not use some manner of DHCP method for authentication.

DHCP approaches to NAC were ridiculed by Arkin at Black Hat as being inherently insecure.

"One of the reasons we haven't done DHCP is that you can bypass it; it's just not very secure," Krishnan agreed. "It really provides you with a phantom illusion of access control when you're not really getting it in the network."

Krishnan also took aim at the notion that only Cisco will interoperate with Microsoft's version of access control called Network Address Protection (NAP).

"We don't have an announcement at this time but are having ongoing conversations with Microsoft," Krishnan said.

"And given that Longhorn Server isn't due till the second half of '07, I expect that when Microsoft actually ships NAP we will have all sorts of integration with the solution."

One of the biggest obstacles to access control adoption for Juniper isn't necessarily the technology; it's the crowded nature of the NAC marketplace itself.

"The critical thing is to rise above the noise," Krishnan said. "Every vendor is claiming to have a NAC solution."

Juniper is expected to release UAC 2 to the marketplace in the fourth quarter of this year.