Juniper Networks Inc. yesterday launched an updated version of its network access control (NAC) solution: Unified Access Control (UAC) version 2.0. The release updates the original UAC by adding 802.1X components, the Odyssey Access Client, and Steel-Belted Radius.
UAC 2.0 evolved out of Juniper's acquisition of Funk Software last year, said Stephen Philip, director of product marketing for Juniper's security products group.
Version 2.0 is an open standards-based Layer 2 and 3 access control solution designed to give companies real-time views and granular policy control throughout the network. The latest release supports multivendor environments for both the 802.1X standard and the Trusted Computing Group's Trusted Network Connect (TNC), a set of nonproprietary specifications that enable open standards-based access control.
UAC 2.0 balances access and security controls by binding user identity, endpoint integrity, and location information with access controls. The UAC solution combines Juniper's Infranet Controller, which serves as the central policy manager; the UAC Agent, which is dynamically downloadable endpoint software; and additional products that include Juniper firewalls and any 802.1X-enabled switch or wireless access point.
Both the Infranet Controller and the UAC Agent contain features from the Funk acquisition, Philip said, including the Odyssey Access Client 802.1X supplicant and Steel-Belted Radius.
Overall, the UAC solution provides access control from the start of a session, before an IP address is issued. Version 2.0 supports user identity and endpoint verification at both Layers 2 and 3 across an 802.1X infrastructure. It performs a host of endpoint assessment checks, including functionality tests and checks for antivirus, spyware, firewall, patch management, configuration policies, OS and malware. All can be incorporated into security policy.
The agent is also capable of initiating remediation actions to bring endpoints up to snuff before allowing them onto the network. Access control can also be performed in an agentless mode, Philip said.
Robert Lemm, IS supervisor for KAMO Electric Cooperative Inc., an Oklahoma-based power company that provides power to 17 other regional power companies, said all of KAMO's 17 branches were interconnected through the Internet, meaning they could all connect to one another. Lemm said the company wanted more control and wanted all of the companies to connect through headquarters. KAMO also wanted their postures to be evaluated before they could talk to the network.
Lemm and his team started looking for solutions. At first, Juniper wasn't an option. "At the time, Juniper had nothing on the table to meet our requirements," he said.
Lemm said he put out an RFP, and Cisco met pretty much all of his requirements with its Network Admission Control solutions. Over time, however, the cost of the Cisco NAC solution started adding up.
"They said, 'You're going to have to replace every switch in your network to make it work the way you want it to,' " Lemm said. That would mean pulling out and replacing 84 switches, he added, and it was completely unrealistic to rip out a $250,000 infrastructure.
"It was not a good business strategy for us [to swap switches]," he said. "We felt let down, disappointed."
After a few more evaluations, KAMO came to Juniper and gave them an RFP.
"They met almost every line item, and we didn't have to change our network strategy," Lemm said. Juniper's UAC takes up half the rack space Cisco's would have, he said, and the overall cost differed very little.
Version 2.0 will give Lemm more granular control over the co-ops and provide a really good "housekeeping tool."
"The Juniper UAC solution allows us to not only ensure policy compliance of devices and users prior to login and issuance of an IP address, but also to dynamically control access to resources and applications during the entire duration of the user session, for meaningful access control," Lemm added. "This approach has the potential to meet a wide range of challenges related to controlling our network."