Wednesday, 04/26/2006 9:51:07 PM

NAC competition: Juniper's Infranet

Focuses on firewall, access control, with less emphasis on endpoint security.

Although it is possible to map the basic components in the Juniper Infranet to TCG's Trusted Network Connect architecture, the reality is that Juniper is trying to accomplish very different things, focusing on firewall and access control, with less emphasis on endpoint security.

Juniper breaks from other vendors' NAC architectures in the amount of control that it gives the network manager when building a NAC infrastructure. Juniper's strategy is very dependent on both authentication and on detailed access control using its firewalls. The result is that when someone enters a network under Juniper's NAC control, every connection goes through a stateful packet-filtering firewall, can be encrypted and is explicitly tied to an access-control policy based on a user's identity.

For example, when a system enters a network under Microsoft Network Access Protection with DHCP, the main concern is whether the user has the appropriate level of endpoint security. If so, the user is given unlimited access to the network. With Juniper's Infranet, the endpoint-security assessment of the user is optional, but the identity-based access-control policy is not.

This philosophical difference has one benefit: It makes it easier to decide whether the Juniper approach is right for you, and whether this level of authentication, security and access control is what you're looking for - or whether you mostly care about endpoint-security assessments.

On the client end, Juniper uses its Enterprise Infranet Agent as the focal point for client management. The Infranet Agent links to third-party TCG Integrity Measurement Collectors using its own JEDI API. Juniper also provides endpoint-security assessment tools - a feature of its SSL VPN called Host Checker - for checking endpoint status, such as open ports or running processes.

Because the user is assumed by Infranet's architecture to already have connected to the network, the Infranet Agent doesn't participate in Layer 2 authentication schemes, such as 802.1X. Instead, the Infranet Agent's role is to provide user authentication to the Policy Enforcement Point deeper in the network and the endpoint-security assessment information back to the Policy Decision Point, dubbed Infranet Controllers.

Juniper's firewall and SSL VPN products, called Infranet Enforcers, act as the Policy Enforcement Points and are typically located deep within the network.

The Infranet Agent also manages encryption between the end system and the Infranet Enforcer Policy Enforcement Point. By applying IPSec encryption between the client and the Infranet Enforcer, Juniper offers strong binding between the end station, its authentication and the applied policy. This security starts only at the Policy Enforcement Point; any misbehavior by the client before it reaches the Infranet Enforcer is uncontrolled in the Juniper Infranet model.

Juniper's Infranet Controllers, akin to the TCG's Policy Decision Points, are based closely on Juniper's SSL VPN product line, as both use the same policy engine.

Unlike other NAC architectures, Juniper's Policy Decision Points don't have a clear link between the Integrity Measurement Verifiers, which evaluate endpoint-security information from the Juniper Host Checker (acting as the Integrity Measurement Collector in the TCG scheme) and give a policy decision back to the Infranet Controller.

Instead, the Infranet architecture waves away the question of how Integrity Measurement Collectors can pass information to the Integrity Measurement Verifiers within the Policy Decision Point by pointing off to the JEDI specification. In reality, the JEDI specifications are mute on how this link will work. This is a weak point in the Infranet architecture, because management of desktop and roaming user policy has to be handled once in whatever enterprise console is used to control the third-party security tool and then a second time within the Infranet Controller environment.

Choosing a NAC architecture depends on your goals and your integration strategy. If you're an all-Cisco shop with modern hardware, you can hitch your horse to Cisco's architecture, which is as complete as anyone's.

For those interested in standards-based solutions, TCG's TNC is the only real option despite some risk. Microsoft's approach is most appropriate in smaller networks where you want to control the PCs you already own and are most concerned about viruses rather than authentication and access control.

Wave Systems to Demonstrate TNC Network Integrity Access Control with Juniper Networks

2/10/2006 Wave Systems Corp. (Nasdaq: WAVX, www.wave.com) announced that it will demonstrate network integrity access control capabilities using the industry standard Trusted Network Connect (TNC) architecture. TNC architecture is designed to deliver significantly strengthened network integrity. This demonstration, featuring Wave's Embassy(R) Trust Suite software products working with Juniper Networks' L2 access control solution, will be conducted at the RSA Conference 2006, Booth 1407, Monday, Feb. 13 through Friday, Feb. 17 at the McEnery Convention Center, San Jose, CA.

TNC is a security architecture standard promoted by the Trusted Computing Group (TCG) designed to help improve the security and compliance integrity of clients during the network connection process. The TNC establishes a level of network access based on the configuration and integrity of the client. Network administrators implementing the TNC expect to have fewer security problems, lower support costs and less downtime caused by poorly configured or infected client systems.

The TNC standard was developed by a TCG subgroup of more than 60 networking and technology industry companies representing client and network security; switches, routers, and hubs; systems and systems management; and operating systems.

At RSA, Wave is demonstrating its Embassy secure software technology by delivering platform integrity services on a PC equipped with a Trusted Platform Module (TPM). The Embassy technology platform is designed to support hardware security features provided by TPM security chips currently shipping in millions of personal computers.

In the case of platform trust services, Embassy technology, using a TPM, enforces a set of policies to collect integrity information from the PC, such as the state of anti-virus software, whether the operating system has been tampered with, or whether all appropriate patches have been downloaded to the client. The Embassy platform provides these client functions in concert with IT department policies which can be set through network equipment and software from Juniper Networks. Clients not meeting the pre-determined policies, such as those for patch levels, can be quarantined for remediation, repaired, and then allowed access to the network.

"The TNC standard leverages existing network infrastructure to deliver secure and cost-effective, best-in-class access control solutions. Adding TPM support to the client component of the system is a natural extension of the solutions' ability to control use and protect enterprises from non-compliant or malware-infected machines," said Andrew Harding, director of product management at Juniper Networks, Inc. "Juniper Networks is showing the interaction between Wave's Embassy Trust Suite software products and Juniper Networks' Layer 2 access control technology, demonstrating how standards-based systems can provide complete, seamless trusted computing and access control."


"It is exciting to see Wave Systems releasing an implementation of the Platform Trust Services (PTS) standard from the TCG, since PTS is an essential piece of the trusted computing ecosystem," said Dr. Thomas Hardjono, co-chair of the TCG Infrastructure Working Group. "The PTS is designed to work on a broad range of platforms, including the PC-Client platform, Server platform, Mobile Phone platform, and the Network platform. Wave has clearly shown their leadership in the trusted computing technology space."

"The platform integrity feature available with Wave's Embassy technology is one of the industry's first solutions designed to provide TNC products with the strong authentication capabilities of a TPM," said Brian Berger, Wave's executive vice president, marketing and sales. "Embassy delivers key identity capabilities for the network authentication of users and machines as well as important integrity capabilities for the collection of data necessary to determine the health of a particular PC prior to network access."

The Embassy Trust Suite and the Embassy Enterprise Authentication Server deliver improved trusted computing features for enterprise and government markets. These features include network policy management, data protection, biometric authentication, smart card authentication, password authentication and machine authentication of a user's personal computer to a server.

For more information about Wave's products and services, please go to www.wave.com.

Juniper, Symantec join forces to secure remote machines

12/05/05 Juniper Networks is announcing an agreement with Symantec for software that makes sure remote machines meet security policies before they can access Juniper SSL VPNs.

Based on technology Symantec acquired when it bought WholeSecure earlier this year, the Advanced Endpoint Defense Module downloads a software agent to remote machines to scan them for malicious code such as Trojans, keystroke loggers and viruses. The software can also monitor remote machines during SSL sessions to make sure their profiles don't change to an unacceptable state.

Customers can use the software to create separate policies for separate groups. So it might be all right for IT staff to have key loggers on their machines, but not the marketing department.

The configuration software for the endpoint-protection software is tuned to check for certain specific security software running on the remote client. This feature is meant to save time. So if a customer wanted to check that a certain brand of anti-virus software was active and updated, they would just designate the software search for that brand. Before, customers would have to type in what specific registry checks to make to determine if the anti-virus is present, for instance, which called for more individual entries on the part of an administrator.

A 25-user Advanced Endpoint Defense Module ships standard with any of Juniper's SA model VPN gateways. If customers want more than 25, they can pay for more licenses. It costs $1,000 to cover 50 more simultaneous users and $30,000 for 2,500. The module is available now.
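The Infranet review quoted above describes a policy flow in which identity-based access control at the enforcer is mandatory while the endpoint-security (posture) assessment is optional, and the TNC write-up describes non-compliant clients being quarantined for remediation. The following Python model is an added illustration of that decision logic, not code from Juniper, TCG, Wave or the original post: the component split (collector report, verifier, decision point), the group-to-zone table, the posture thresholds and all sample values are constructed assumptions chosen to show how identity and posture feed into one access decision.

```python
"""
TNC-style access decision modelled on the Infranet description above.
Added example; component names, policy table and thresholds are assumptions,
not a real JEDI / IF-M message format or Juniper policy syntax.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet


@dataclass(frozen=True)
class PostureReport:
    """What an Integrity Measurement Collector on the endpoint would report
    (constructed fields, not a real IMC payload)."""
    antivirus_running: bool
    antivirus_signature_age_days: int
    missing_critical_patches: int


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    # Posture is optional in the model the review describes: identity
    # policy is always applied, endpoint assessment only if a report exists.
    posture: Optional[PostureReport] = None


@dataclass(frozen=True)
class Decision:
    action: str                      # "allow", "quarantine" or "deny"
    firewall_zones: Tuple[str, ...]  # zones the enforcer should permit
    reasons: Tuple[str, ...]


# Identity-based policy: network zones each group may reach through the
# enforcer (constructed example table).
GROUP_ZONES = {
    "finance": ("erp", "file-servers", "internet"),
    "engineering": ("source-control", "build-farm", "internet"),
    "contractors": ("internet",),
}
REMEDIATION_ZONE = ("remediation",)


def verify_posture(report: PostureReport) -> Tuple[str, ...]:
    """Integrity Measurement Verifier role: compare the collected
    measurements against the assumed health thresholds and return every
    failure, so the remediation zone can tell the user what to fix."""
    failures = []
    if not report.antivirus_running:
        failures.append("antivirus not running")
    if report.antivirus_signature_age_days > 7:
        failures.append(
            f"antivirus signatures {report.antivirus_signature_age_days} days old")
    if report.missing_critical_patches > 0:
        failures.append(
            f"{report.missing_critical_patches} critical patches missing")
    return tuple(failures)


def decide(req: AccessRequest, require_posture: bool = False) -> Decision:
    """Policy Decision Point (Infranet Controller role).

    Step 1 is the mandatory identity-based policy: a user whose groups map
    to no zone is denied regardless of endpoint health.  Step 2 applies the
    posture result only when a report exists (or the policy demands one)."""
    # Deterministic, de-duplicated zone list across all of the user's groups.
    zones = tuple(dict.fromkeys(
        z for g in sorted(req.groups) for z in GROUP_ZONES.get(g, ())))
    if not zones:
        return Decision("deny", (), ("no access policy for user's groups",))

    if req.posture is None:
        if require_posture:
            return Decision("quarantine", REMEDIATION_ZONE,
                            ("no posture report supplied",))
        return Decision("allow", zones, ("identity policy only",))

    failures = verify_posture(req.posture)
    if failures:
        return Decision("quarantine", REMEDIATION_ZONE, failures)
    return Decision("allow", zones, ("identity and posture checks passed",))


def enforcer_rules(session_ip: str, req: AccessRequest, decision: Decision):
    """Policy Enforcement Point role: render per-session firewall rules that
    bind the authenticated identity to the permitted zones (constructed rule
    format, not ScreenOS or any vendor syntax)."""
    rules = [f"permit from {session_ip} user={req.user} to zone={z}"
             for z in decision.firewall_zones]
    rules.append(f"deny from {session_ip} to any")
    return rules


if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"finance"}),
                        PostureReport(True, 2, 0))
    d = decide(req)
    print(d.action, d.reasons)
    for rule in enforcer_rules("10.0.5.17", req, d):
        print(rule)
```

Running the block shows a healthy finance user allowed into her three zones with a default-deny rule closing the session; swapping in a stale-signature report moves the same user to the remediation zone, and a user with no mapped group is denied before posture is even considered, which is the ordering the review attributes to the Infranet model.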