RealTime IT News

Juniper's Network Security Gets Nosier

For a time, Network Access Control (NAC) was all the rage in the enterprise networking world, offering the promise of security by validating users when they attempted to access the network.

But admission-based security control doesn't keep an eye on users after they gain access to the network.

That's where the Interface for Metadata Access Point (IF-MAP) standard comes into play, enabling multiple components of network infrastructure to communicate and to correlate security data to user activity.

IF-MAP is also a critical new component in Juniper Networks' security portfolio, which today received an overhaul with a new NAC release, new services router and new network management software update to makes sense of it all.

The new releases comes as the market for network security continues to grow, hitting $5.5 billion in 2008, according to Infonetics Research, which also found that Juniper remains No. 2 behind market leader Cisco.

With its new Adaptive Threat Management solutions, Juniper is aiming to grow share and provide an integrated approach to managing network security.

"To be frank, most devices on the network security side often operate in silos -- be it an IPS, firewall, or VPN, they operate separately," Sanjay Beri, Juniper's general manager of access solutions, told InternetNews.com. "Making sure that's not the case, so you can get the benefit of sharing information in a multivendor, open standard way, that's a big piece of this announcement."

The new security integration is coming by way of Juniper's UAC (unified access control) 3.0 technology, which is Juniper's flavor of NAC. The UAC 3 release is the first major upgrade to Juniper http://www.internetnews.com/infra/article.php/3643436">UAC since its 2.0 release in 2006.

Integrating IF-MAP is one of the new release's critical components, tying it into Juniper's other offerings for tighter security.

The upshot of IF-MAP is that it goes beyond pre-admission access control, correlating post-connection events tracked by different network security devices to enforce policies on network use even after a user has connected.

A consortium of vendors called the Trusted Computing Group (TCG) is developing IF-MAP as an open standard for hardware-based security. Members include HP, IBM, Intel and Microsoft. Juniper is also a consortium member, working on TCG's Trusted Network Connect (TNC) initiative, which is developing an open standard for NAC admission control.

The IF-MAP standard was http://www.internetnews.com/infra/article.php/3743346">first announced in April 2008, and has yet to be finalized. Still, Beri said the standard lays important groundwork for cross-vendor compatibility in the realm of post-connection activity tracking.

"There is still work to be done on IF-MAP at TCG," Beri said. "However, the spec is published on the TCG Web site and there are vendors working on interoperability ... Other vendors have integrated with us via IF-MAP. The key for us on the IF-MAP side is people don't have to come to us to integrate."

New Juniper security interface and SRX hardware

New changes in Juniper's security portfolio also make managing security policy across multiple devices easier.

Beri explained that Juniper is now offering a unified management interface, so enterprises can administer both local LAN access as well as remote SSL-VPN access though a single UAC interface.

As a result, a network administrator will now have the ability to define a security policy that is common across both remote access and the LAN side.

The unified policy framework will also introduce identity federation among both local and remote users. One result is that a network's LAN and remote areas will share users' identity and state information, so they remote users won't have to log in twice, Beri said.

Juniper is also rolling out new SRX router upgrades to its hardware portfolio. The company first debuted SRX in September 2008 as its new services router product family.

The line's two initial models, the 5600 and 5800 gateways, offered improved scalability and performance over Juniper's older ISG product line, along with added firewall and security capabilities.

With today's launch of its new SRX 3400 and 3600, Juniper is taking the capabilities of the SRX 5800 and shrinking them down into a smaller form factor.

The company is banking that this is a key selling point for companies looking for high performance but a smaller footprint. Brian Lazear, director of product management for Juniper's high-end security business unit, claimed that the SRX 5800 is the world's fastest firewall, with a dynamic services architecture that lets customers scale services as needed.

While the SRX platform competes against Cisco's ASR product lineup, Juniper's SRX is also competing against its own, older ISG routers, users of which the company is hoping to the SRX to get new performance benefits.

Lazear noted that new silicon enhancements in the SRX 3800 provide up to 175,000 connections per second of capability. The older Juniper ISG that was in the same size class could only support up to 30,000 connections per second according to Lazear.

Though Juniper's adaptive threat technology advances the bar in terms of security, there is still work to be done in advancing the platform.

"I'm a realist there are always problems to solve," Beri said. "I think the net result of what Juniper has built is a framework to innovate and do it well. The SRX let's people build more services as needed. Our policy framework with UAC and SSL all applies whether we came out with a new box or not."

"What we're really about is setting the right architecture and framework but absolutely we expect there to be more innovation," Beri added. "If there wasn't I guess we'd all be out of business."