With the recent release of the NetScreen-5GT Wireless firewall, Juniper Networks has firmly (and finally) jumped on the wireless bandwagon.
In our test, we found the NetScreen-5GT Wireless to be a clean melding of a trusted, full-featured firewall to a secure wireless access point.
The NetScreen-5GT Wireless makes a bold statement in the world of firewalls targeted at the small and midsize business (SMB) and remote site markets.
Although Check Point, SonicWall, WatchGuard and Fortinet have all added wireless technology to their lower-end boxes, none has brought the same level of flexibility as Juniper when it comes to support for wireless LANs (WLANs), authentication technology and security policies.
Our test centred on the product's wireless features and capabilities. It is well suited for sophisticated wireless environments, where multiple security zones and authentication systems are required within a small geographic area.
At the same time - with its optional asymmetric DSL port - it can act as a complete SMB secure access product offering Internet connectivity, wireless and wired access in the demilitarised zone and fly-by virus scanning.
The NetScreen-5GT Wireless offers basic radio capabilities: It has one 802.11b/g radio with a few antenna options including high-gain directional and omni-directional. But its impressive security capabilities make the Juniper box stand out.
It lets you create up to four different WLANs, each identified by its own Service Set Identifier (SSID).
A critical part of any multi-SSID access point is that it has unique Ethernet addresses for each SSID - called basic SSIDs (BSSIDs).
This feature - also supported by more established wireless gear vendors such as Aruba and Airespace - requires significant hardware support.
Without it, multiple SSID systems have poor interoperability with many wireless-enabled laptops.
The NetScreen-5GT Wireless supports up to four BSSIDs, one for each WLAN. We had no interoperability problems with drivers on Windows or Macintosh clients tested.
Each WLAN can also have different authentication and encryption parameters, and these are fully under the control of the IT manager.
In our testing, we tried everything from simple Wired Equivalent Privacy authentication to the most secure 802.1X authentication using 802.11i.
Every method we tried - including Protected Extensible Authentication Protocol (PEAP) Tunelled Transport Layer Security and TLS authentication - worked the first time. This level of interoperability was positively eerie, based on our past testing experience.
The NetScreen-5GT Wireless can also be set to require a Web-based authentication. When this feature is enabled, users who want to get on the corporate, protected network first have to use a Web browser to connect to the NetScreen-5GT, and provide a username and password. We tested this feature by having the NetScreen-5GT Wireless check the username and password against our corporate RADIUS server.
Although the Web pages that Juniper has built in for Web-based authentication will not win any beauty contests, the functionality this feature needs - a place to put in a username and password - was all there.
The ability to put each of these WLANs into a different security zone rounded out the wireless capabilities.
In NetScreen-speak, security zones are the barriers between different parts of a network, and you can define security policy between any two zones.
This means that each of the four WLANs can have a different SSID, can be authenticated and secured differently, and can have a different security policy.
That's great flexibility for the network manager.
The NetScreen-5GT Wireless will not challenge enterprise-level wireless access point or switch products.
Although the WLAN features are outstanding, Juniper placed some constraints on its use by not supporting all combinations of bridged and routed configurations.
While most configurations from using different subnets or network address translation (NAT) are supported, the NetScreen-5GT Wireless wouldn't work well in an environment where you expected people to roam between access points.
Also, while the NetScreen-5GT Wireless has full IPSec and Layer 2 Tunnelling Protocol VPN features, it's missing some high-end WLAN device features, such as virtual LAN support.
The NetScreen-5GT Wireless has its share of rough edges. The initial setup wizard is certainly not easy to use.
GUI designers also seem unfamiliar with wireless terms, which makes setting up some parameters - such as establishing wireless authentication methods - more confusing than necessary.
For IT shops that don't see a need for multiple WLANs, the NetScreen-5GT Wireless can be expensive overkill. When fully tricked out with antivirus, intrusion-prevention features, four WLANs and three wired security zones, it lists for more than $US2000.
Having that much control adds significantly to the bottom-line cost because the starter NetScreen-5GT Wireless with two wireless and wired interfaces starts at $US770. If adding a single access point to a wired network is all you want, a $US50 wireless 802.11b/g access point would be a better addition.
In larger offices or environments where secure, controlled wireless is important, the NetScreen-5GT Wireless brings a wealth of features. It builds on the powerful core of features in all NetScreen firewalls, including in-line antivirus and intrusion prevention, flexible VPN, firewall policy and NAT features, along with an easy-to-use management.
The NetScreen-5GT Wireless offers a lot of security power in an elegant package.
The product is distributed in Australia by ChannelWorx and Ingram Micro.
RRP: Prices start from $1230 for the NetScreen-5GT ADSL World with 10 users.