Juniper holds its own for all-in-one NAC with Infranet Controller

Unified Access Control is Juniper’s overall architectural answer to NAC, and the company’s Infranet Controller server software lies at the center of the architecture.

Juniper Unified Access Control

Cost: $30,000 for 1,000 users

Score: 4.18

Unified Access Control (UAC) is Juniper’s overall architectural answer to NAC. The company’s Infranet Controller server software lies at the center of the architecture, providing overall management and policy control for access and enforcement standards. Within the Juniper UAC deployment, NAC enforcement can occur through a generic -configured network or through integration with Juniper’s security devices (a more complete discussion of Juniper’s 802.1X authentication success is here).

For testing, we used the Infranet Controller server in conjunction with a Juniper Secure Services Gateway (SSG) device to provide the NAC policy enforcement. Although Juniper obviously wants to sell firewalls to provide enforcement, the Infranet Controller can provide enforcement using VLANs when users authenticate with 802.1X switches or wireless controllers.

Management is handled through a Web GUI to the Infranet Controller, which is overall pretty intuitive and easy to navigate. We configured authentication against our Active Directory for testing, which was easy to set up. We just defined the account to use and the base search settings. Juniper also provides extensive support for different authentication platforms, including , , ACE (SecurID) and NIS.

User access is permitted through a combination of the machine’s location, user identification, integrity-assessment results and requested resources. Combined, this information determines what role a user is assigned, how each is authenticated, what security posture a user needs to follow to gain access, and in the end, what resources each is able to tap into.

Within this association, endpoint-security requirements are defined as additional conditions for access. For example, a user may be required to have an up-to-date antivirus installation running on the system. If this is in place, the user is assigned an employee role and granted full access to employee resources. If it is not, users can be assigned to different roles as determined by the administrator, which may allow them to remediate the deficiency in their antivirus software or simply provide limited resource access.

Juniper’s endpoint assessment covered some of the checks we were looking for during this test. Extensive product support is included for antivirus, antispyware, and host firewall products. Patch-checking functionality out of the box is minimal, however, covering only minimum service pack levels. Full patch-checking functionality can be achieved by deploying any patch-management product supporting the TCG/TNC framework, such as PatchLink, or by creating custom registry or file checks. Custom checks can also be defined for items such as registry keys, file properties, system processes and service ports. Ties to any general vulnerability scanners or active infection checking mechanisms are not available at this time.

Endpoint assessment occurs regularly, checking the machines as they enter the network and monitoring systems already connected to ensure they remain in compliance.

Remediation and enforcement can occur by forcing a noncompliant machine to change virtual-LAN assignments (when using 802.1X), blocking network access altogether by changing firewall rules, providing a remediation link, killing a process, or deleting a file. In our testing, all endpoint checks and remediation/enforcement activities worked as expected.
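To make the role-assignment flow described above concrete, here is an added example (not Juniper code, and using no Juniper API) that models how identity, location and posture checks combine into a role and an enforcement action. The check thresholds, registry key, VLAN numbers and remediation URL are all constructed for the example.

```python
"""Hypothetical model of the UAC-style role-assignment flow from the review.
Constructed example; it is not Juniper code and uses no Juniper API."""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    user: str
    groups: set             # identity attributes, e.g. AD group membership
    location: str           # "lan", "wireless" or "vpn"
    av_running: bool
    av_sigs_age_days: int
    service_pack: int
    registry: dict = field(default_factory=dict)  # values seen by custom registry checks


# Endpoint-security requirements, in the spirit of the checks the review lists
# (antivirus state, minimum service pack, custom registry check). Values are constructed.
MAX_SIG_AGE_DAYS = 7
MIN_SERVICE_PACK = 2
REQUIRED_REGISTRY = {"HKLM\\SOFTWARE\\Corp\\DiskEncryption": "1"}  # constructed key


def posture_failures(ep: Endpoint) -> list:
    """Return the names of the endpoint checks that fail; an empty list means compliant."""
    failures = []
    if not ep.av_running or ep.av_sigs_age_days > MAX_SIG_AGE_DAYS:
        failures.append("antivirus")
    if ep.service_pack < MIN_SERVICE_PACK:
        failures.append("service_pack")
    for key, want in REQUIRED_REGISTRY.items():
        if ep.registry.get(key) != want:
            failures.append("registry:" + key)
    return failures


def assign_role(ep: Endpoint) -> dict:
    """Map identity + location + posture to a role plus the enforcement applied.
    Roles, VLANs and firewall policy names are constructed to mirror the review."""
    failures = posture_failures(ep)
    if "employees" not in ep.groups:
        return {"role": "guest", "vlan": 900, "firewall": "internet-only"}
    if failures:
        # Noncompliant employee: quarantine VLAN, limited access, remediation link.
        return {"role": "remediation", "vlan": 800, "firewall": "remediation-servers",
                "remediation_link": "https://remediate.example.invalid/", "failures": failures}
    if ep.location == "vpn":
        # Compliant but remote: coarse VLAN role, finer firewall policy at the gateway.
        return {"role": "employee-remote", "vlan": 100, "firewall": "employee-restricted"}
    return {"role": "employee", "vlan": 100, "firewall": "employee-full"}
```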

In addition to the native endpoint-security policies, Juniper also provides the Juniper Endpoint Defense Initiative (JEDI), a set of third-party applications to help expand compliance assessment functionality. For example, you could launch an antimalware scan or start the host firewall program on an endpoint before providing network access.

UAC’s biggest weakness is that traditional reporting functionality is not included in the package. A system-overview dashboard is available within the management GUI, but it is limited, showing, for example, the number of connected users and traffic throughput.

No information relating to endpoint-assessment results is included. The system does keep extensive logs of most events -- everything from endpoint-assessment failures to the elements that would comprise an audit trail for administrative accounts. But the only way to analyze them within the product is to apply filters to perform searches. These filters can be predefined or entered ad hoc.

The challenge: The results are presented in a text-only format and do not provide a strong foundation for generating reports for upper management. All logs can be sent to another system through syslog. This could add to the reporting capabilities, but that would require that you write some scripts to analyze the logs or have a log-management system or enterprise reporting tool tied to the syslog environment. Alerting functionality is available through , which could send notifications to an enterprise management system, such as HP OpenView.

One feature we would like to see added is the ability to drill down into a logged-in user’s current and historical activity. Through the system, we can see active users and what realm/role they have been assigned to, but we do not have any immediate details on endpoint-security results or, historically, what the user’s results have been.
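The review notes that getting reports out of the product means exporting logs over syslog and scripting against them. The script below is an added example of that approach: it builds the per-user host-check history the reviewers say is missing. The log line format is constructed for the example, since the review does not show the Infranet Controller’s real syslog format.

```python
"""Summarise endpoint-assessment events exported over syslog.
Constructed example: the line format is invented here and is NOT the
real Infranet Controller export format, which the review does not show."""
import re
from collections import defaultdict

# Constructed sample syslog lines, not real Infranet Controller output.
SAMPLE_SYSLOG = """\
Mar 12 09:01:13 ic1 uac: user=alice realm=Corp role=employee event=hostcheck result=pass
Mar 12 09:02:40 ic1 uac: user=bob realm=Corp role=remediation event=hostcheck result=fail check=antivirus
Mar 12 09:03:05 ic1 uac: user=carol realm=Corp role=employee event=login result=success
Mar 12 09:15:22 ic1 uac: user=bob realm=Corp role=employee event=hostcheck result=pass
Mar 12 10:30:00 ic1 uac: user=admin realm=Admin role=admin event=config_change object=policy/employee
Mar 12 11:02:07 ic1 uac: user=dave realm=Corp role=remediation event=hostcheck result=fail check=service_pack
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) uac: (?P<kv>.*)$")


def parse_line(line: str):
    """Return a dict of fields for one constructed log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"], fields["host"] = m.group("ts"), m.group("host")
    return fields


def hostcheck_report(text: str) -> dict:
    """Per-user host-check history plus failure counts and admin audit-trail count.
    Returns {"users": {user: [(ts, result, check), ...]}, "failed_checks": {...}, "admin_changes": n}."""
    users, failed, admin_changes = defaultdict(list), defaultdict(int), 0
    for raw in text.splitlines():
        f = parse_line(raw)
        if f is None:
            continue                      # skip lines that are not in the expected format
        if f.get("event") == "hostcheck":
            users[f["user"]].append((f["ts"], f["result"], f.get("check")))
            if f["result"] == "fail":
                failed[f["check"]] += 1
        elif f.get("event") == "config_change":
            admin_changes += 1            # administrative audit-trail events
    return {"users": dict(users), "failed_checks": dict(failed), "admin_changes": admin_changes}


def currently_failing(report: dict) -> list:
    """Users whose most recent host check failed (a user who later passed is not listed)."""
    return sorted(u for u, hist in report["users"].items() if hist[-1][1] == "fail")
```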

Juniper provides a strong NAC product that would be a viable choice for any organization. As a TCG/TNC-compliant product, Juniper’s Infranet Controller can be part of an open NAC deployment when used with 802.1X switches and VLAN assignment. In an all-in-one environment, Juniper uses its own firewalls to provide access control enforcement — a proprietary "secret sauce" that can add value for network managers who want much more sophisticated and fine-grained access controls.

All other parts of the NAC deployment remain the same, including integration with TCG/TNC partners for endpoint-security assessment. The proprietary/open choice is not an either/or decision. When 802.1X authentication is used, the Juniper NAC solution can provide both coarse access control by assigning a user to a VLAN, and at the same time provide fine-grained access control for the same user at a different point in the network, using Juniper firewalls.


Copyright © 2007 IDG Communications, Inc.