Remote Access VPN Buyer's Guide: Juniper

By Lisa Phifer | Jun 29, 2011 | Print this Page
http://www.enterprisenetworkingplanet.com/datacenter/Remote-Access-VPN-Buyers-Guide-Juniper-3936586.htm

When Juniper Networks acquired Netscreen, the SA Series of SSL VPN appliances created by Neoteris came along for the ride. In parallel, Juniper developed the IC Series of Unified Access Control (UAC) appliances to control LAN resource access.

As the gap between remote and local evaporates, enterprises need to enforce policies independent of endpoint location. To deliver more cost-effective, easier-to-manage control, Juniper recently introduced a new MAG Series of Junos Pulse Gateways, described here in EnterpriseNetworkingPlanet's remote access VPN buyer's guide.

Embracing the move to secure mobility

According to director of product management Rich Campagna, Junos Pulse is a reaction to the dramatic shift in device types and ownership sweeping the industry.

"Many [enterprise networks] have gone from corporate-owned and -managed devices to mobile devices owned and operated by users," he said. "This drove us to accommodate devices running iOS and Android. For example, we provide Layer 3 VPN access from iPhones and iPads. We've been doing a good job of staying ahead of this trend."

Junos Pulse also addresses migration from remote (Internet-based) access to local (enterprise wireless) access. "I go between airports and Juniper offices and customer sites throughout my workday, and Junos Pulse helps me move seamlessly," said Campagna. "When I checked email from home this morning, I was prompted to log in and connected to an SSL VPN running on a MAG. I then closed my machine and drove to the office. When I opened it, Junos Pulse transferred my session to a UAC service on a MAG."

Benefiting from platform consolidation

This mobility could be orchestrated by Junos Pulse using SSL VPN and UAC services on separate appliances, but the MAG Series lets enterprises run both on the same platform or redistribute services across platforms based on load or business need.

The MAG Series is a modular architecture, ranging from a fixed appliance that runs just one service to an expandable chassis that runs up to 4 service modules. "The MAG 2600 is small form factor and whisper-quiet, made for locations without data centers, supporting up to 100 SSL VPN users," said Campagna. "The MAG 4610 is similar but sized for a medium or large business with up to 1,000 SSL VPN users."

For large enterprises, the MAG 6610 is a 1U chassis, typically clustered to be managed and react as if it were one appliance for synchronization and load balancing. "The MAG 6610 can run two service modules, so you might run SSL VPN on one and UAC on the other, supporting up to 20K SSL VPN users and 30K UAC users," he said. Finally, the MAG 6611 is a 2U chassis with twice the service/user capacity.

Service modules that can run on each MAG are equivalent across all models; the distinction is primarily scale, as well as form factor and physical redundancy. Although customers can still purchase older SA Series appliances, consolidating VPN and UAC services on a unified MAG platform brings advantages without loss of functionality.

"Say you have an organization with 50K employees. During the business day, all 50K are logged in somewhere -- maybe via UAC at headquarters and SSL VPN from regional offices. We offer converged licensing so that you can break a 50K simultaneous user license into different appliances and modules," explained Campagna. "If you find that the bulk of your VPN users are coming into one appliance, you can shift more licenses there. Buying user licenses in bulk also gets you a volume discount."

This flexibility preserves customer investment as workforce needs evolve. Over time, more licenses can be purchased to accommodate growth. However, because licenses are based on concurrent cached sessions, an endpoint that moves between VPN and UAC consumes just one license, regardless of location, access method, or endpoint type.

Securing remote network access

The Junos Pulse Secure Access Service that runs on MAG Series gateways is a direct descendent of software that powers SA Series appliances. Beyond transparent session handoff (aka NAC-SSL federation) described above, the Secure Access Service delivers authenticated, encrypted VPN connectivity from endpoint to MAG.

"Our control channel [between the endpoint and MAG] runs SSL. Our secure transport uses a dynamic mix of IPsec and SSL. After we establish the control channel, if there's nothing blocking IPsec/IKEv2, we'll fire that tunnel up. Otherwise, we'll fire up a Layer 3 SSL VPN tunnel. The end user never sees this happening," said Campagna.

In fact, Juniper supports three methods of SSL VPN connectivity, all included in the Common Access License. First, there's clientless core access to Web applications (including JavaScript, XML, or Flash) and proxied applications such as Outlook Web Access, file shares, Sharepoint, and VMware or Citrix virtual desktops.

Second, there's Juniper's Secure Application Manager (SAM), a load-on-demand Java or Windows client that can reach most client/server applications. Finally, Network Connect (NC) delivers the Layer 3 IPsec-or-SSL tunnel described by Campagna, with or without installed software.

Scanning and securing endpoints

For transparent mobility, endpoints must run the Junos Pulse client. This single, integrated client enables federated, role-based control over local and remote access, complemented by endpoint security.

Juniper's Host Checker can scan endpoints before and during VPN sessions to assess security posture, leveraging TNC-standard APIs for third-party integration. Unmanaged endpoints without AV can dynamically download Enhanced Endpoint Security (EES) -- an OEM of Webroot's SpySweeper. Non-compliant endpoints can be auto-remediated, quarantined, or blocked, as directed by policy. "We've been working to avoid help desk calls. In many cases, we can now auto-install missing updates, turn on a personal firewall, or do whatever is required for compliance," said Campagna.

Readers familiar with TNC will note this sounds very familiar. That's because Junos Pulse finally knits SA and UAC endpoint security into one unified client. All endpoint security features are included in the Common Access License, with two exceptions: EES and a Java RDP applet are separately licensed through OEM agreements with Webroot and HOB, respectively.

Customers with Juniper network infrastructure (e.g., SRX Series Services Gateways) can also use a separately licensed Coordinated Threat Control option to detect attacks during a VPN session. "Not only does the SRX stop attack traffic, but it can provide feedback to the MAG to disable SSL VPN access or drop the user back into a lower level of access," explained Campagna.

Finally, the SMobile mobile security products acquired by Juniper last summer have now been integrated into Junos Pulse Mobile Security Suite. This suite lets the Junos Pulse client protect smartphones from viruses, malware, SMS spam, loss/theft, and physical compromise. Remote data backup/restore and activity logging also give IT control over smartphones allowed to access corporate resources, without requiring ownership.

Users must install Junos Pulse free of charge from the site appropriate for each mobile operating system: Apple App Store, Google Android Market, Nokia Ovi Store, Windows Marketplace, or BlackBerry App World. However, supported security features vary by OS. For example, Android users get web/email VPN, antivirus, backup/restore, and loss/theft protection, while iOS users are currently limited to VPN.

Bottom line

According to Campagna, MAG Series appliances and Junos Pulse are Juniper's way of answering customer requests for mobile device integration and transparency, paired with strong security. "SSL VPN provides secure transport, but customers asked us for an end-to-end solution. Now our enterprise customers can tell users to download Junos Pulse from the Android Market -- they'll get everything they need to connect securely plus everything IT wants them to use to secure their own devices," he said.

By consolidating SA and UAC services onto shared physical platforms and consolidating all endpoint security into one software client, Juniper has improved user transparency while giving enterprise IT fewer discrete pieces to license, manage, and maintain. While gaps remain -- for example, Junos Pulse mobile clients do not yet support UAC -- Juniper is making visible progress towards delivering unified, transparent, secure mobility.

 

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.