Juniper NAC: Powerful, complex

Vendor: Juniper

Product: UAC v3.1

Pricing (1,000 users): $42,400

Strengths: Many deployment options, integration with SSL-VPN, powerful feature set

Weaknesses: Complexity, works best in Juniper-based network

Review: Trying to describe Juniper's UAC is difficult, because Juniper's NAC strategy has its tendrils in virtually every security product the company makes, from firewalls to switches to SSL VPNs.

Juniper UAC centers around their Infranet Controller, a hardware appliance that serves as a RADIUS proxy and server, an end-point security checker, and an access control policy manager. Once you’ve put in the appropriately sized Infranet Controller, though, Juniper stuns you with piles of options and flexibility.

Since NAC usually starts with authentication of some sort, Infranet Controller supports three different models: 802.1X or MAC-based authentication at the edge device, a captive portal for guest or staff authentication, and authentication using the UAC client. One nice feature of UAC is the ability to mix and match all three, although doing so will likely produce an unmanageably complex configuration.

Authentication can be mixed with endpoint security checks, using either the UAC client for Mac and Windows, or Microsoft's NAP client. UAC builds on Juniper’s existing SSL VPN endpoint security base, so both installed clients and Web-based clients are supported for endpoint security checks.

Once users have passed authentication and endpoint security, access controls can be applied. Because Juniper encourages you to use 802.1X, it is able to push access control information down to switches at the edge. But Juniper has added hooks into its own ScreenOS and JunOS operating systems so that UAC can simultaneously push access controls into in-line devices including firewalls and many of its routing platforms.

One of the nice things about this approach is that you get many of the benefits of an in-line enforcement without the performance problems. UAC is also agnostic about the location of enforcement: you can use 802.1X controls, in-line controls, or both.

And, finally, UAC can push host-based access controls into network devices that are using the UAC client.

Juniper's end-point security checking doesn't end at the moment of authentication. Both continuous endpoint checking and external links to intrusion detection/prevention systems are supported, either using the TCG/TNC IF-MAP standard or a direct link if you've got Juniper's own IDS/IPS.

UAC is the only product we tested that fully integrates a NAC product line with an SSL VPN product line — although the mechanism is fairly complex. Unfortunately, SSL VPNs don't inherently mix well with the mechanisms that vendors have chosen for NAC, so putting NAC and SSL VPN together seems to imply a single-vendor solution.

All this adds up to a difficult-to-master system. To Juniper's credit, though, I spent less time debugging problems with UAC than with all the other NAC devices, because by the time I figured out how to configure it, things just worked.

One big reason for this is that Juniper now includes a "Base Case" pre-configuration that pre-populates and documents UAC with common deployment strategies. Without the Base Case pre-configuration, no mortal would be able to figure out how to glue all the pieces of UAC together.

UAC isn't just for Juniper customers; you could use UAC to apply sophisticated NAC to a heterogeneous network of managed and unmanaged switches. It's a solid, if complex, product. However, UAC is best distinguished from the pack when Juniper's own enforcement devices are added to the network. In that case, UAC is a top contender for securing networks and endpoints with NAC.
