Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Juniper's EX Switch NAC Integration Is 'Me, Too'

So Shimel has beaten me to the punch on Tim Greene's article on Juniper's NAC product. There's nothing in Juniper's announcement concerning NAC and NAC enforcement. Tim brought up two other points, one about Cisco's TrustSec and the other about ConSentry and Nevis, that I wanted to comment on.
First, Juniper's Layer 4 NAC functionality is nothing more than setting packet-filter access-control lists (ACL) on a per-port or per-user level. Don't confuse Juniper's ACLs with stateful firewalling. The difference is pretty significant.

With stateful firewalls like Juniper's NetScreen line, network sessions are filtered based on IP addresses, ports, and session state. Activity like spoofing, packet insertion, and other network layer games is difficult to achieve. Packet filters, on the other hand, don't session, maintain state, and are prone to bypass techniques. Juniper's position, when asked why it used packet filters rather than stateful firewalls in the switches, is that it doesn't want to add features that will degrade performance. It doesn't want to make customers choose between a 48-port switch capable of pushing gig through each port and a 48-port switch with firewalling that degrades switch performance. If you want high-speed firewalling, Juniper will tell you to use an external firewall that can meet your performance needs. I think that is a practical position for Juniper to take. Rather than building a god box with degraded capabilities, build a purpose-built box with reliable functions.

TrustSec is an interesting move from Cisco, and I don't quite know what to make of it. Link-to-link encryption and authentication can certainly beef up a security posture and hide network traffic from prying eyes, but I really have to wonder at the use case when you consider there are other standardized ways to encrypt traffic end to end using IPsec, for example. With IPsec, you can't actually see what is in the payload, while with 802.1ae, the underlying IEEE protocol used in TrustSec, the traffic is decrypted and re-encrypted at each hop and can thus be inspected along the way. As long as your 802.1ae peers are trusted, then exposing the traffic along the way may be acceptable to you. If you want protection end to end, then some kind of VPN technology like IPsec is better suited. Honestly, I haven't done a lot of thinking about 802.1ae and its use cases. I would like to hear what security experts think.

Finally, Juniper's EX switches don't really compete with the trusted switches from ConSentry and Nevis. The NAC functions provided by ConSentry and Nevis are far and away more feature-rich than other switches from Cisco, Extreme, HP, Nortel, and others. The ConSentry and Nevis products support stateful firewalling per port, IDS and network anomaly detection functionality, passive authentication snooping so you don't need 802.1x to determine who a user is, application identification, and control. Oh yeah, they switch packets, too. I haven't tested its switch products, but the functions are very similar to those found in its in-line products, which I reviewed.

I don't think Juniper's switch line poses much of a threat to either ConSentry or Nevis. The latter two vendors have a big enough task competing against incumbents like Cisco, HP, and 3Com in the switch market as it is. Juniper, with its reputation, has a leg up on that score, as Jennifer Jabbusch aptly points out. Given that both ConSentry's and Nevis' products have far more security features than the rest of the switches out there, Juniper is just one more competitor in a flooded market. I think the biggest hurdle ConSentry and Nevis have in the sales cycle is getting face time, convincing admins the switches are stable and enterprise-class. But it has to do that regardless of what Juniper does.

  • 1