What can Juniper learn from Enterasys in network access control?

By John Gallant
NetworkWorld.com, 04/21/06


Dear Vorticians,

Last week I went into some depth about Cisco's strategy in the area of network access control, which I believe is one of the more important technology and market battles shaping up for the coming decade. I find it hard to believe that anything could have been more important than reading that deeply insightful piece, but if you by chance missed it, you can catch up here. (In fact, you can find all recent Vortex Digest entries, including the piece launching this exploration of network access control, right here.)

This week, I want to spend some time looking at Juniper and a couple of Cisco's other competitors in the enterprise network arena.

Under its Enterprise Infranet umbrella, Juniper offers a competing vision of network access control, known as Unified Access Control, that differs from Cisco's in one critical aspect - its simplicity. Cisco's Network Admission Control strategy is more sweeping and more complicated, calling for many devices in the network to play a role in determining whether and when an end node may gain access to resources and applications.

In Juniper's UAC world, things are pretty basic. An agent on an end system sends information to a Juniper Infranet Controller - a device that essentially embodies Juniper's SSL VPN smarts - which decides whether the client is good to go. The controller gives a yea or nay command to an Infranet Enforcer, a device that, as the name implies, enforces the yes-or-no access decision. In UAC's first incarnation, the enforcer is - no surprise - a Juniper firewall.

The UAC approach is simpler because, well, it has to be. Juniper doesn't sell switches and it doesn't dominate the enterprise routing market. As we've discussed, it's vital for Cisco to sell customers on the idea that traditional network gear needs to play a strong role in defending the enterprise. Juniper's foothold in the enterprise is in security devices and its strategy rests squarely on them.

That simplicity is both the strength and weakness of the Juniper approach. Juniper executives have told me they believe UAC represents a real opportunity for them to expand the company's visibility and influence within the enterprise. Their hope is that Cisco customers will be fearful of the complexity of NAC and resist costly upgrades of their infrastructure. UAC, they say, will enable customers to reap the security benefits of access control without undertaking a major network overhaul. If customers commit to Juniper's security strategy, can commitments to additional Juniper infrastructure be far behind?

Maybe, but simple could also seem pale and lightweight to Cisco customers. Cisco's approach may be more difficult to embrace, but it is tied into the infrastructure that customers have already committed to and want to preserve. What's more, embracing UAC would mean parting company with Cisco on a key future direction, something that customers could view as very dangerous.

Juniper is not by any means the first Cisco competitor to see security as a wedge to drive into the enterprise. One of the first network equipment makers to really focus on smart network gear was Enterasys, the spinout from the former Cabletron, and its experience with security should serve as a lesson for Juniper to study.

Several years ago, before the concept of network access control took on buzzword (buzzphrase?) status, Enterasys began pitching its Secure Networks strategy and since then the company has gone a long way to actually delivering integrated network security, fleshing out many of the concepts that other companies are only talking about today. In fact, Forrester Research said in 2005 that Enterasys had the "best currently shipping switch solution" for ensuring network safety.

An Enterasys executive wrote to me after last week's piece and said: "I was very pleased to see Enterasys Networks' name mentioned regarding some of your future NAC vendor coverage. Given that persons at Enterasys and Microsoft co-authored the 802.1x standard and that Enterasys has been supporting user authentication, policy based networking and now falls under the NAC initiatives, it would be nice to receive some of the credit.

"Personally, I'd like to see Network World and others ask (no, beg) vendors to gather round for a couple of technology bake-offs with their NAC and underlying technologies. We tend to lead the industry - almost to a fault of being so early to market with a technology/solution that only early adopters are willing to accept or implement the features. Most wait until the rest of the industry affirms our direction with their own marketing and eventual technology or product delivery.

"We were doing 802.1x before it was cool - the same with user policies or what is known as directory enabled networking. In fact, our Policy and Automated Security solution set today can watch for undesirable traffic and find and respond to any offending port/user on nearly any vendors' networking equipment faster than the actual manufacturer itself can. Our policy security capabilities being delivered today are backward-compatible to equipment manufactured about 10 years ago. Ask any other vendor to support both its legacy gear and the competition with a complete, open, security solution."

But for whatever reason - either the company was, as the writer claims, too early to market or it didn't have the marketing clout to capture customer attention or pick another reason - Enterasys has seen little benefit from its commitment to secure networking. Enterasys, which was recently acquired by an investment firm and taken private, maintains less than 2% revenue share in the enterprise LAN switch market and its share actually fell in '05, according to International Data Corp. Extreme Networks was also vocal fairly early on about secure networking and its market share of less than 3% has remained virtually unchanged.

Will Juniper, which brings more visibility and resources to the market, be any more successful using security as a battering ram against the walls of Cisco?

Next week, we'll look at Microsoft and beyond.

Bye for now.
