Juniper this week is set to reveal a key component of its corporate customer strategy that will include a network quarantine scheme that relies on the use of the company's WAN VPN technology to enforce access, security and QoS policies.
This announcement follows this week's news that the company is buying Peribit Networks and Redline Networks to add technology it needs to address two other aspects of Juniper's Enterprise Infranet plan: assuring application response time across wide-area links and improving performance of data center servers.
Enterprise Infranet is Juniper's its efforts to prevent and contain security threats and make sure individual applications perform well on business networks.
In its announcement, the company is expected to tout one aspect of Enterprise Infranet as an overlay security structure that doesn't rely on costly switch upgrades such as those required by Cisco's switch-based Network Admission Control program.
Instead, Juniper controls who has access to what network resources based on ensuring end-user devices on the LAN and the WAN are properly configured, policies that define access rights and enforcement points in front of key enterprise resources, says Kittu Kolluri, general manager of Juniper's security products group.
In particular, Juniper will protect end-user machines, WAN gateways and devices that front-end server farms - such as the Redline boxes, which offload TCP processing from servers and streamline communications with remote users. "If we can protect these three strategic points in the network, we can achieve a lot in terms of the use control and threat control," Kolluri says.
But the overlay architecture ultimately might limit its adoption, says Rob Whitely, an analyst with Forrester Research, because competitors are working on standards to support quarantining based on switches. After switch-based alternatives are available in 12 to 18 months, businesses that prefer separate network and security architectures still will be interested, but many others will be drawn to switch-based security, he says.
Under Enterprise Infranet, both internal and external users will authenticate to the network. Security and access policies for users and the machines they are using will be enforced with Juniper's firewall/VPN gear. Eventually, other network gear will act as enforcement points, such as routers and intrusion detection and prevention gear - all of which Juniper makes.
This leaves out switches, something Juniper lacks and which many observers think the company should acquire. "If they want to attack Cisco seriously, they need switches," Whitely says. "If they just want to attack (Cisco based on security), they're doing a good job."
Key to Enterprise Infranet is a new hardware appliance called Infranet Controller that creates policy associations between end-user machines and Juniper firewall/VPN devices that protect key network resources. Users authenticate to the Infranet Controller, Java and Active X agents assess the security of the device and the device establishes the access rights the endpoint should be granted.
When users connect to a resource, the Infranet Controller sets up an IPSec tunnel between the user device and a firewall/VPN enforcement device protecting the resource. If a network attack is detected, the Infranet Controller can revoke the IPSec session keys to shut down tunnels, says Rod Murchison, Juniper's senior director of product management.
Enterprise Infranet parallels security-overlay efforts from vendors such as Check Point Software, Caymas Systems, Vernier Networks, newly announced Lockdown Networks and Cisco itself via its Clean Access gear, Whitely says. "Juniper will pull more weight than some because it has more of a security name and is financially stable," he says.
Using some of its financial clout, which includes US$1.1 billion in cash and short-term investments, Juniper plans to buy Peribit ($337 million), a developer of WAN optimization technology, and application front-end vendor Redline ($132 million). Both vendors address layer 4-7 switching, which Juniper says will let it provide application acceleration and performance assurance.
WAN optimization enables better application performance over congested WAN links by making more efficient use of TCP/IP, compressing traffic and caching. Application front-ends offload TCP processing from servers, multiplex TCP sessions and cache and compress traffic.
"Application acceleration is the best kept secret in networking," Juniper CEO Scott Kriens said.
The acquisitions also bring customers, 900 in the case of Peribit and 350 in the case of Redline. But customers have reservations.
"Peribit has had a road map that's very aggressive and they've delivered. Does this mean stagnation?" asks long-time Peribit customer Martin Cox, technical services manager for planning and development at BOC Edwards Global in Wilmington, Mass. However, he says he likes the idea of one company controlling Peribit and Redline technology.
"With Peribit on the WAN and Redline at the edge, if they get it all to work, it could be quite exciting for improving application performance," he says.
Cox is a little leery of the technology winding up in routers, though, because he's already got routers. "If they turned it into a fancy router and it cost the same as Peribit, I won't care. If it costs more, I won't be very happy."
