Juniper's NAC Strategy, Refined

Juniper's switch announcement is raising a lot of eyebrows. Many in the industry point to this announcement as the play Juniper needed to make to get into the enterprise. The switches -- at first blush -- look like any other switch supporting the common layer two and three protocols.

Mike Fratto

January 30, 2008


Juniper's switch announcement is raising a lot of eyebrows. Many in the industry point to this announcement as the play Juniper needed to make to get into the enterprise. The switches -- at first blush -- look like any other switch supporting the common layer two and three protocols. Don't look for earth-shattering security features, though. The design philosophy is to switch frames at line rate. Adding processing that could impact performance is not in the offing.

Juniper uses the Infranet Controller as the NAC policy server that performs host assessment and assigns access control based on host condition, username and group membership, time of day, and location. Hosts can be placed in VLANs, which provide quarantine, or policies can be set on Juniper's Netscreen firewall.

Switch integration within their own product line doesn't extend that model much. 802.1X is still the enforcement method of choice, but the Infranet Controller can also apply access control lists on Juniper's EX series. The ACLs can apply QoS shaping and tagging to packets. The ACLs can also filter packets, similar to a stateless packet filter. The switches can also detect anomalous behavior like flooding and scanning. None of these features are unique to Juniper's EX switches; Enterasys and HP ProCurve switches already have similar functionality.
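To make the policy-server-to-switch path concrete, the following is an added example (not Juniper's code or any product's actual format) of what "assigning a VLAN based on host condition, username, group, time of day and location" and "802.1X as the enforcement method" look like on the wire. It assumes the general mechanism most 802.1X deployments use, which the article does not spell out: the switch authenticates the host over 802.1X, consults a RADIUS server, and a RADIUS Access-Accept carrying the RFC 3580 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) tells the switch which VLAN to place the port in. The posture record, the VLAN names and the policy rules are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass

# RADIUS constants from RFC 2865 (packet codes) and RFC 3580 (VLAN assignment)
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TAG = 1  # tag byte grouping the three tunnel attributes together


@dataclass(frozen=True)
class Endpoint:
    """Constructed posture/identity record; not any real NAC product's schema."""
    user: str
    groups: frozenset
    posture_ok: bool   # host assessment passed (AV current, patches applied, ...)
    location: str      # e.g. "campus" or "branch"
    hour: int          # local hour, 0-23


# Constructed example policy; VLAN names are assumptions
POLICY = {"quarantine": "vlan-quarantine", "guest": "vlan-guest", "staff": "vlan-staff"}


def decide_vlan(ep):
    """Return the VLAN to place the host in, or None to deny access outright."""
    if not ep.posture_ok:
        # Failed assessment wins over identity: the host is quarantined regardless of who is logged in
        return POLICY["quarantine"]
    if "staff" in ep.groups and ep.location == "campus" and 7 <= ep.hour < 20:
        return POLICY["staff"]
    if "staff" in ep.groups or "guest" in ep.groups:
        return POLICY["guest"]   # known user, but outside the hours/location for full access
    return None


def _tagged_int(attr_type, value):
    # type, length(=6), tag, 3-byte big-endian integer
    return struct.pack("!BB", attr_type, 6) + bytes([TAG]) + value.to_bytes(3, "big")


def _tagged_string(attr_type, text):
    body = bytes([TAG]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_response(identifier, request_authenticator, shared_secret, vlan):
    """Encode the decision as a RADIUS Access-Accept with RFC 3580 VLAN attributes, or an Access-Reject."""
    if vlan is None:
        code, attrs = ACCESS_REJECT, b""
    else:
        code = ACCESS_ACCEPT
        attrs = (_tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                 + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
                 + _tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan))
    length = 20 + len(attrs)
    header = struct.pack("!BBH", code, identifier, length)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865
    authenticator = hashlib.md5(header + request_authenticator + attrs + shared_secret).digest()
    return header + authenticator + attrs


def parse_vlan(packet):
    """Decode a response the way a switch would: returns (code, vlan); vlan is None unless all three attributes agree."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos, vlan, tunnel_type, medium = 20, None, None, None
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 3580: the first byte is a tag only if it is in 0x01..0x1F, otherwise it is part of the string
            vlan = value[1:].decode() if 1 <= value[0] <= 0x1F else value.decode()
        pos += attr_len
    # The switch only honours the group id when the other two attributes say "VLAN over IEEE 802"
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        vlan = None
    return code, vlan


if __name__ == "__main__":
    request_auth, secret = bytes(range(16)), b"example-shared-secret"  # constructed values
    for ep in (Endpoint("alice", frozenset({"staff"}), True, "campus", 10),
               Endpoint("alice", frozenset({"staff"}), False, "campus", 10),
               Endpoint("mallory", frozenset(), True, "campus", 10)):
        pkt = build_response(1, request_auth, secret, decide_vlan(ep))
        print(ep.user, ep.posture_ok, "->", parse_vlan(pkt))
```

The point of round-tripping through `parse_vlan` is the check a practitioner cares about: if the policy server sends only Tunnel-Private-Group-ID without the matching Tunnel-Type and Tunnel-Medium-Type, a conforming switch ignores the VLAN and the host lands in the port's default VLAN, which silently defeats the quarantine.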

Juniper did say that possible future feature sets could include automatically shunting traffic to a local or remote mirror port based on network behavior.

NAC switches from vendors like ConSentry and Nevis offer more in-depth security features like stateful packet filtering, user-based ACLs through snooping and 802.1X, and packet analysis for protocol identification and intrusion detection. What these competing switches don't have is Juniper's track record.

About the Author(s)

Mike Fratto

Former Network Computing Editor
