Who has the best Security Switch Solution for your network? We asked major manufacturers, Part Two- Juniper Networks

Many customers, when looking at network switching manufacturers, have asked me who has the best security solution for their network. Rather than posting a very long story and having everyone bash me for my views, I took it to the people who build the switches. That's right, we sent each major manufacturer a list of 10 questions that customers ask me on a consistent basis. Below are the companies who replied to me and will be part of this multi-post story:

HP ProCurve, Enterasys Networks, Juniper Networks, Foundry Networks (See Part 1: Enterasys)

A few companies did not give us a reply; those companies were:

Cisco, Nortel, 3Com, Force 10, Extreme Networks

I would like to thank each company that took the time to give our readers more information on their security solutions for network switches. This week we are going to look at Juniper Networks, and a special thanks to Juniper Networks for answering the questions below. We have made no changes to any of the answers provided.

Questions answered by:

Ramesh Padmanabhan, Vice President of Engineering, Ethernet Platforms Business Group at Juniper Networks.

Chris Spain, Senior Director, Product Management, Ethernet Platforms Business Group at Juniper Networks.

Switch Security Questions

1. Why is the vision for your switch security solution better than other vendors'?

Juniper Networks has a strong security DNA with market-leading firewalls, secure routers, SSL VPN, and network access control solutions. We have taken a lot of the intellectual capital in the company on security and baked that into the development of the EX-Series Ethernet switches. Features like denial of service protection, dynamic ARP inspection and network access control have been built right into the network operating system so that the switches have a deep and wide set of security functionalities built right into the box.

2. Do you feel that open standards are best for security solutions, and how do they play into your solution?

Yes, open standards are important for network and security solutions because they prevent vendor lock-in and allow customers to select the best technologies for each function. Juniper firmly believes in open standards and participates actively in the Trusted Network Connect Computing group for open, standards-based network access control. UAC is based on industry standards including 802.1X, Extensible Authentication Protocol (EAP), RADIUS, IPSec, and the Trusted Computing Group's (TCG) Trusted Network Connect (TNC) standards for endpoint integrity and network access control.

3. What is the most important security feature of your solution?

This is a question that has a different answer for every customer. Juniper has integrated a number of security technologies into the EX-Series Ethernet switches including denial of service protection, protected memory spaces in the operating system, and Unified Access Control (UAC). The tight integration with UAC allows customers to deploy network access control with a phased approach, using the technology where it is most needed today, such as guest access or offshoring. By reducing the number of moving parts in a NAC solution, customers save time and gain more confidence in controlling access to and providing locks on the network, and that's just what we've done with the UAC solution: make it simpler and more efficient.

4. Why is your Network Access Control solution an important part of your security solution?

With the addition of the EX-Series Ethernet switches, Juniper is offering an end-to-end network access control solution that builds on our industry-leading, standards-based Unified Access Control to deliver pre- and post-admission access control management and enforcement, protecting sensitive corporate data from unauthenticated access, attacks and breaches.

5. How does mobility security play into your security solution, and why is it better than other vendors'?

Firstly, wireless networks today are all overlaid on top of the wired infrastructure, so the security solution must be standards-compliant in order to interoperate. The EX-Series switches can transparently authenticate wireless client sessions through the industry standard 802.1X protocol. Working in conjunction with the Juniper UAC solution, the switches can also place guest wireless users into a separate VLAN and provide per-user rate limiting and traffic mirroring of wireless sessions.

6. How does your security solution adapt to a changing customer environment?

Securing access to the network is only part of the problem that needs to be solved. Once a user is on the network, things often change with respect to a device's health, security state, or even network location. The Juniper UAC solution proactively and periodically reassesses the user session and device in order to determine the appropriate access. If, for example, the user has turned off his personal firewall, or if there was a virus infection since the user first gained access, the EX switch will dynamically place that user in a quarantine VLAN or shut off that user's port, based on the IT administrative policy.

7. So that a company can save money on existing equipment, how does your switch security solution work with a customer's SIM, NAC, IDS, anti-virus or general network management tools that are from different vendors?

The extensive instrumentation in Juniper's JUNOS network operating system has been made available through standard protocols for technology alliance partners that serve patch management, endpoint security, unified threat management, identity management, and security information management. Juniper has worked hard with these alliance partners to make the overall experience for the customer as seamless as possible.

8. Customers are now looking at VoIP and convergence security, which starts at the switch. Why is your solution better than other vendors'?

Working in conjunction with the Juniper Unified Access Control solution, the Juniper EX-Series switches are able to authenticate IP phones that support LLDP and 802.1X, as well as any other 802.1X client such as a PC that may be connected behind that same IP phone. For those customers who are deploying Unified Communications applications, the EX-Series switches can segregate those applications into a separate VLAN and apply different priority handling to that traffic throughout the network. For inspection of voice traffic, the Juniper UAC solution can transparently route traffic through Juniper firewalls and IDP systems to ensure validity of SIP sessions.

9. Customers want proactive security so problems are taken care of in real time. Does your solution fix problems in real time, how does it work, and why is it better than other vendors'?

Juniper's UAC can perform endpoint posture checks prior to and after network admission on a proactive and periodic basis to ensure that if the user's authentication or endpoint state ever changes, UAC, in conjunction with the Juniper EX-Series Ethernet switch, can make the appropriate, resulting access control changes. UAC can also be configured to monitor endpoint security state, such as antivirus, firewall, ports, registry settings, and so on for any changes in state or policy compliance. If there is a change in state or compliance at any point during a user's session, UAC can make the appropriate access control decisions and signal the Juniper EX-Series Ethernet switch or other enforcement point to take the decided action.
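The post-admission reassessment loop described in answers 6 and 9 (periodic posture checks, with the policy deciding between a quarantine VLAN and shutting the port) can be modelled as a small policy engine. This is an added illustration, not Juniper's UAC code: the `Posture`, `Policy` and `Session` types, the finding names and the VLAN names are all constructed here for the example.

```python
from dataclasses import dataclass, field
ALLOW, QUARANTINE_VLAN, PORT_DISABLE = "allow", "quarantine-vlan", "port-disable"

@dataclass
class Posture:          # constructed endpoint state report from a host checker
    firewall_on: bool
    av_infected: bool
    av_signature_age_days: int

@dataclass
class Policy:           # hypothetical administrative policy: finding -> action
    quarantine_on: tuple = ("firewall_off", "stale_signatures")
    disable_port_on: tuple = ("infected",)
    max_signature_age_days: int = 7

@dataclass
class Session:
    port: str
    home_vlan: str
    vlan: str = ""      # current VLAN once admitted; "" = port shut off
    log: list = field(default_factory=list)

def findings(p, policy):
    f = []
    if not p.firewall_on:
        f.append("firewall_off")
    if p.av_infected:
        f.append("infected")
    if p.av_signature_age_days > policy.max_signature_age_days:
        f.append("stale_signatures")
    return f

def reassess(session, p, policy):
    """One periodic post-admission check; the most severe finding wins."""
    f = findings(p, policy)
    if any(x in policy.disable_port_on for x in f):
        action, session.vlan = PORT_DISABLE, ""
    elif any(x in policy.quarantine_on for x in f):
        action, session.vlan = QUARANTINE_VLAN, "quarantine"
    else:                                # compliant: keep or restore normal VLAN
        action, session.vlan = ALLOW, session.home_vlan
    session.log.append((action, f))      # what the enforcement point was told and why
    return action

def run_demo():
    """Constructed session: clean, firewall off, infected, then remediated."""
    s = Session("ge-0/0/1", "employees")
    reports = [Posture(True, False, 1), Posture(False, False, 1),
               Posture(False, True, 1), Posture(True, False, 2)]
    return [reassess(s, p, Policy()) for p in reports], s.vlan
```

The session log keeps the finding list beside each action, which is the audit trail an operator needs to see why a port was quarantined or disabled.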

10. In the next five years, what switch security solution will customers have to deal with, and how is your company looking to the future?

Over the next five years, we believe that deploying, designing, and managing network security will get a lot easier. Today, there are a lot of moving pieces in network security and the approach has really been a band-aid. The truth is that when people designed their networks 6 to 10 years ago, security was not a major part of the design, so firewalls, IDP, SSL, etc. have all been overlaid on top of the base network design. Juniper has been doing the heavy lifting of integrating security products as services into the base network operating system. When security services are available as a part of the network OS, then security is integrated in every network device, every network layer, and every network design. This makes it as easy to deploy services like inspection, interrogation, encryption, and monitoring as it is to deploy a router or a switch. Reaction is coordinated.

Copyright © 2008 IDG Communications, Inc.