Remote Access VPN Buyer's Guide: Juniper - Page 2

MAG Series Junos Pulse gateways unify network access control and SSL VPN to deliver safer mobile access.

 By Lisa Phifer
Page 2 of 2   |  Back to Page 1
Print Article

"Our control channel [between the endpoint and MAG] runs SSL. Our secure transport uses a dynamic mix of IPsec and SSL. After we establish the control channel, if there's nothing blocking IPsec/IKEv2, we'll fire that tunnel up. Otherwise, we'll fire up a Layer 3 SSL VPN tunnel. The end user never sees this happening," said Campagna.

In fact, Juniper supports three methods of SSL VPN connectivity, all included in the Common Access License. First, there's clientless core access to Web applications (including JavaScript, XML, or Flash) and proxied applications such as Outlook Web Access, file shares, Sharepoint, and VMware or Citrix virtual desktops.

Second, there's Juniper's Secure Application Manager (SAM), a load-on-demand Java or Windows client that can reach most client/server applications. Finally, Network Connect (NC) delivers the Layer 3 IPsec-or-SSL tunnel described by Campagna, with or without installed software.

Scanning and securing endpoints

For transparent mobility, endpoints must run the Junos Pulse client. This single, integrated client enables federated, role-based control over local and remote access, complemented by endpoint security.

Juniper's Host Checker can scan endpoints before and during VPN sessions to assess security posture, leveraging TNC-standard APIs for third-party integration. Unmanaged endpoints without AV can dynamically download Enhanced Endpoint Security (EES) -- an OEM of Webroot's SpySweeper. Non-compliant endpoints can be auto-remediated, quarantined, or blocked, as directed by policy. "We've been working to avoid help desk calls. In many cases, we can now auto-install missing updates, turn on a personal firewall, or do whatever is required for compliance," said Campagna.

Readers familiar with TNC will note this sounds very familiar. That's because Junos Pulse finally knits SA and UAC endpoint security into one unified client. All endpoint security features are included in the Common Access License, with two exceptions: EES and a Java RDP applet are separately licensed through OEM agreements with Webroot and HOB, respectively.

Customers with Juniper network infrastructure (e.g., SRX Series Services Gateways) can also use a separately licensed Coordinated Threat Control option to detect attacks during a VPN session. "Not only does the SRX stop attack traffic, but it can provide feedback to the MAG to disable SSL VPN access or drop the user back into a lower level of access," explained Campagna.

Finally, the SMobile mobile security products acquired by Juniper last summer have now been integrated into Junos Pulse Mobile Security Suite. This suite lets the Junos Pulse client protect smartphones from viruses, malware, SMS spam, loss/theft, and physical compromise. Remote data backup/restore and activity logging also give IT control over smartphones allowed to access corporate resources, without requiring ownership.

Users must install Junos Pulse free of charge from the site appropriate for each mobile operating system: Apple App Store, Google Android Market, Nokia Ovi Store, Windows Marketplace, or BlackBerry App World. However, supported security features vary by OS. For example, Android users get web/email VPN, antivirus, backup/restore, and loss/theft protection, while iOS users are currently limited to VPN.

Bottom line

According to Campagna, MAG Series appliances and Junos Pulse are Juniper's way of answering customer requests for mobile device integration and transparency, paired with strong security. "SSL VPN provides secure transport, but customers asked us for an end-to-end solution. Now our enterprise customers can tell users to download Junos Pulse from the Android Market -- they'll get everything they need to connect securely plus everything IT wants them to use to secure their own devices," he said.

By consolidating SA and UAC services onto shared physical platforms and consolidating all endpoint security into one software client, Juniper has improved user transparency while giving enterprise IT fewer discrete pieces to license, manage, and maintain. While gaps remain -- for example, Junos Pulse mobile clients do not yet support UAC -- Juniper is making visible progress towards delivering unified, transparent, secure mobility.


Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.

This article was originally published on Jun 29, 2011
Get the Latest Scoop with Networking Update Newsletter