Juniper scores with WLAN protector

With the announcement of its NetScreen-5GT Wireless firewall this week, Juniper has firmly (and finally) jumped on the wireless bandwagon.

In our exclusive Network World Clear Choice Test, we found the NetScreen-5GT Wireless to be a clean melding of a trusted, full-featured firewall to a secure wireless access point.

The NetScreen-5GT Wireless makes a bold statement in the world of firewalls targeted at the small and midsize business (SMB) and remote site markets. Although Check Point, SonicWall, WatchGuard and Fortinet all have added wireless technology to their lower-end boxes, none has brought the same level of flexibility as Juniper when it comes to support for wireless LANs (WLAN), authentication technology and security policies.

Our test centered on the product's wireless features and capabilities. It is well suited for sophisticated wireless environments, where multiple security zones and authentication systems are required within a small geographic area (a single floor, for example). At the same time, with its optional asymmetric DSL port, the NetScreen-5GT Wireless can act as a complete SMB secure access product, offering Internet connectivity, guest, employee, and wireless and wired access in the DMZ, and fly-by virus scanning.

The NetScreen-5GT Wireless offers basic radio capabilities: It has one 802.11b/g radio with a few antenna options (including high-gain directional and omni-directional). But its impressive security capabilities make the Juniper box stand out.

The NetScreen-5GT Wireless lets you create up to four different WLANs, each identified by its own Service Set Identifier (SSID). A critical part of any multi-SSID access point is that it have unique Ethernet addresses for each SSID - called basic SSIDs (BSSID). This feature - also supported by more established wireless gear vendors such as Aruba Wireless Networks and Airespace (recently acquired by Cisco) - requires significant hardware support. Without it, multiple SSID systems have poor interoperability with many wireless-enabled laptops. The NetScreen-5GT Wireless supports up to four BSSIDs, one for each wireless LAN. We had no interoperability problems with drivers on Windows or Macintosh clients tested.

Each wireless LAN also can have different authentication and encryption parameters, and these are fully under the control of the IT manager. In our testing, we tried everything from simple Wired Equivalent Privacy authentication to the most secure 802.1X authentication using 802.11i (often called WPAv2). Every method we tried, including Protected Extensible Authentication Protocol (PEAP), Tunneled Transport Layer Security and TLS authentication, worked the first time. This level of interoperability was positively eerie, based on past testing experience.

The NetScreen-5GT Wireless also can be set to require a Web-based authentication. When this feature is enabled, users who want to get on the corporate, protected network first have to use a Web browser to connect to the NetScreen-5GT, and provide a username and password. We tested this feature by having the NetScreen-5GT Wireless check the username and password against our corporate RADIUS server (see how we did it )

Although the Web pages that Juniper has built in for Web-based authentication will not win any beauty contests, the functionality this feature needs - a place to put in a username and password - was all there.

The ability to put each of these WLANs into a different security zone rounded out the wireless capabilities. In NetScreen-speak, security zones are the barriers between different parts of a network, and you can define security policy between any two zones. This means that each of the four WLANs can have a different SSID, can be authenticated and secured differently, and can have a different security policy. That's great flexibility for the network manager.