
Could NAC be Juniper's not-so-secret weapon?

Analysts say built-in NAC key to Juniper’s Ethernet switch foray

By Tim Greene, Network World
January 31, 2008 02:04 PM ET

Juniper Networks' EX switches announced this week -- the company's first for the enterprise market -- support a homemade version of network-access control that may be a helpful selling point, industry experts say.

"You can't come into the LAN switch market and say, 'I've got something that's just as good as everybody else,'" says Phil Hochmuth, an analyst with the Yankee Group. "You need something to set it apart. I think it's the NAC integration."

"If Juniper wants to displace the current vendors -- Cisco and HP ProCurve in particular -- then it needs an equally strong access-control story," says Rob Whiteley, an analyst with Forrester Research. "I think Juniper's UAC [Unified Access Control] delivers that, especially with the standards-based emphasis Juniper has been pushing for a while now."

Juniper's UAC policy-control server could already use any 802.1X-standard switch as an enforcement point that sets access rights via virtual LAN (VLAN) assignment. Now, with its own switches, Juniper says it can impose Layer 4 restrictions on access, not just Layer 2. So, the switches can enforce policies linked to a user's role in a company using access-control lists in addition to VLAN assignments.

The switches can define QoS as part of a user's access rights, making it possible to assign guests a lower QoS than full-time employees receive, for example.

With Juniper EX edge and core switches in a network, edge switch traffic can be mirrored via generic routing encapsulation tunnels to a data center where it can be monitored by Juniper's intrusion-detection gear to provide a form of postadmission NAC.

To this end, Juniper says it plans to evolve its NetScreen Security Manager software into a central policy-control platform. Users would set policies centrally and have them distributed throughout the network infrastructure. This will put UAC in perspective as an element of a coordinated network-security deployment that takes into account users' machines, identities, roles and access methods.

This echoes to some degree Cisco's recently announced TrustSec architecture for identity- and role-aware networks that impose access policies. Products to support TrustSec completely are still rolling out.

Cisco, which owns 70% of the LAN switching market, will be tough to displace, Hochmuth says. "Extreme and Foundry have lived under that reality for years," he says. "LAN switching is an incredibly mature market with a lot of players."

While Juniper could have an uphill fight against the established players, it may cause trouble for switching start-ups. Most vulnerable are such vendors of NAC switches as ConSentry Networks and Nevis Networks. They sell switches that interrogate, enforce admission policies and perform deep-packet inspection on all access switch traffic, and restrict malicious connections.

"When you talk about inserting a new switch vendor -- even if NAC is one of the drivers -- then the conversation is entirely different. Now you have to worry about single- vs. dual-sourced network strategies, QoS interoperability, end-to-end traffic like voice, support and maintenance contracts, and so forth," Whiteley says. "It's a decision that ultimately favors larger vendors, and Juniper has a more credible network pedigree."
