Juniper Networks this week plans to unveil a policy management appliance, a key piece of a secure network access scheme designed to rival those of Cisco and Microsoft.
The major difference between Juniper's Infranet strategy and Cisco's Network Admission Control (NAC) system is that Cisco uses switches and routers to deny access to unqualified machines, while Juniper relies on its firewalls (though it says it will use other vendors' switches over time).
Microsoft's Network Access Protection (NAP) scheme also relies on other vendors' gear to enforce policies and, like Cisco's plan, is supported by an extensive partner program. Other vendors, such as Aventail, Elemental and Sygate, offer products that can be used to control network access without relying on network hardware for enforcement.
Juniper's Infranet architecture calls for placing its appliances, dubbed Infranet Controllers, in a network where computers logging on can reach them and users can authenticate. The devices send an Infranet Agent - a Java applet or ActiveX agent - down to the computer to scan it for compliance with network security policies. This includes looking for updated virus signatures, software patches and the like.
Juniper touts its architecture as less intrusive than Cisco's because it overlays security on LANs without requiring costly switch upgrades. NAC requires that Cisco switches be brought up to an acceptable IOS software version. To use switches as enforcement points, Juniper's Infranet requires the cooperation of other vendors, which may prove challenging in the case of Cisco. Juniper has a partner program of its own for this purpose and is working with the Trusted Computing Group to develop specifications that switch vendors can adopt to enable them to become enforcement points.
Because Cisco owns more than 70 percent of the switch market, Juniper's Infranet will have to work its way into Cisco shops. Juniper sells no switches of its own, so many potential Infranet customers will have to weigh overlaying Juniper's firewalls and Infranet Controllers vs. upgrading their switches to determine what makes the best security and financial sense, says Eric Maiwald, senior analyst with Burton Group. Some all-Cisco shops "say yes to NAC but say it may take a while because of all the upgrades they have to go through," he says, and such customers may view Infranet as an interim alternative.
Compucredit, an Atlanta financial firm, tested beta models of Infranet Controller as a way to simplify administration of end user access rights, as end users move from location to location on the network, says Ben Griffin, senior network and systems engineer for the company. Currently, end user rights are tied to subnets and virtual LANs (VLAN), which requires network administrators to intervene when an end user switches desks. He found that end user security staff rather than network infrastructure staff could handle changes on the Infranet Controller without having to tinker with the structure of VLANs or change firewall settings. "That's a 30 percent to 40 percent time savings," Griffin says.
Juniper's Infranet Controller comes in two models, the IC 4000 and IC 6000. The 4000 supports 100 to 3,000 simultaneous computers and costs US$25,000 to US$160,000, while the 6000 supports 250 to 25,000 endpoints and costs US$60,000 to US$390,000.