An upgrade to Juniper Networks' network access-control software makes it possible for customers to block network access via any switch, not just by Juniper firewalls.
When Juniper's Unified Access Control (UAC) 2.0 is released next month, it will support 802.1X port-level authentication, which can restrict what devices gain access to a network before they are assigned IP addresses. This 802.1X support puts Juniper on footing with Cisco and other vendors whose NAC schemes call for enforcement of access policies on all access switches. Juniper launched its UAC architecture using its firewalls as enforcement points with the intent of adding 802.1X later.
UAC 2.0 machines with profiles that fail security scans can be locked out of the network or quarantined on a designated virtual LAN, says John Oltsik, an analyst with Enterprise Strategy Group. UAC 2.0 still supports its existing enforcement mode of restricting access via Juniper firewalls (see graphic).
UAC, Juniper's architecture for access control, is compliant with an alternate, open-standard scheme called Trusted Network Connect promoted by Trusted Computing Group and works with any 802.1X switch. UAC competes with Cisco's Network Admission Control, which supports enforcement by its own 802.1X switches.
Juniper also is a partner with Microsoft, so its Network Access Protection software can fit into the UAC architecture.
The new Juniper 802.1X features come via technology Juniper acquired when it bought Funk Software last year. In particular, Juniper is adding client software called an 802.1X supplicant, which can be downloaded to machines as they seek authorization to join the network. The supplicant, sold as Odyssey Access Client by Funk, lets 802.1X switches enforce what switch-level access the supplicant machine will get.
Juniper also is adding a strippeddown version of Juniper's Steel-Belted Radius authentication, authorization and auditing software to its Infranet Controller device. Infranet Controller stores access policies and delivers them to the enforcement points. It also authenticates users and can push the 802.1X supplicants and endpoint scanning software to machines logging in.
With a RADIUS server onboard, Infranet Controllers don't need to access a separate RADIUS server, says Rob Whitelely, an analyst with Forrester Research. While most large businesses may have more than one RADIUS server, many are under control of remote access administrators, not security administrators, he says, so having the software integrated can reduce deployment headaches.
If customers already have suitable RADIUS servers, they can use them instead of the RADIUS capabilities that ship with UAC 2.0, he notes.
Robert Lumm, the IS supervisor for KAMOPower, says the power company serving Arkansas, Kansas, Missouri, Oklahoma and headquartered in Vinita, Okla., plans to use UAC 2.0 to restrict access to the company network by power network affiliate companies. Most of them access via wireless, and 802.1X enforcement will let him block them before they get access to the network, he says.
Oltsik says Layer 2 control can protect the network from some malicious behavior that Layer 3 control at the firewall leaves unprotected. "If control is at Layer 3, people will have an IP address and be on the network where they could be doing port scans or worm attacks. This keeps them off the network altogether," Oltsik says.
UAC 2.0 is available next month and starts at US$15,000 for an Infranet Controller to support 100 concurrent users.