Juniper and Microsoft Hook Up for NAC Work

Juniper Networks jumped into the NAC lovefest at Interop on May 21, announcing that it's working to get its Unified Access Control NAC server to interoperate with Microsoft's Network Access Protection standard.

Juniper's Networks Infranet Controller is the policy management server at the center of Juniper's UAC technology. Juniper said that by the first half of 2008, the Infranet Controller will be using Microsoft's SOH (Statement of Health) client-server protocol, which is provided by Microsoft's NAP agent, built into Vista and the upcoming Windows XP SP3 release.

It's all about opening wired and wireless networks to more users, both inside and outside an enterprise, and doing so securely, without those users dragging their out-of-date anti-virus signatures and infections in with them.

Juniper describes it as the paradigm of the shifting network perimeter, where some level of network access has to be doled out to outside vendors, clients, guests and contractors, and yet more levels of network access have to be doled out to employees based on letting them in and keeping them out where and when it's necessary.

"Interoperability of NAC infrastructures enables customers to quickly and effectively adapt to changing business and network environments, especially now that companies will be able to leverage Windows Vista and Windows XP as their NAP or UAC clients," said Bob Muglia, senior vice president of the Server and Tools Business at Microsoft, in Juniper's statement.

"Customers can feel confident in the investments they make today in NAP, Windows and the Juniper Networks UAC solution."

Karthik Krishnan, senior product line manager for Juniper, told eWEEK that the announcement is intended to highlight the "clear way enterprises can leverage existing or planned investments in NAC infrastructure as well as in Juniper's UAC infrastructure and have them interoperate."

Krishnan added that Juniper is enabling enterprises to take advantage of various technologies in each solution and have them talk to each other.

"Enterprises not only have to provide access to diverse constituents but make sure it fits into access and security and compliance requirements. There have been different sets of standards [to do that] and they haven't historically interoperated."

Juniper's announcement means that customers can mix and match components or go with a best-of-breed approach and still have it all talk to each other, Krishnan said.

"[Microsoft's] Statement of Health can be accessed through Infranet Controller. The Infranet Controller can interpret the Statement of Health for endpoint integrity, for whether an endpoint is compliant with corporate policy, can leverage that information as part of decision making, and can provision access control rules to 802.1x enforcement points in the form of VLAN assignments, or in the case of Juniper infrastructure, for example firewalls and secure routers or granular access controls, network applications. The Infranet Controller is leveraging the NAC client to determine endpoints' compliance to policy and determining access level" based on that compliance, Krishnan said.

Microsoft announced also on May 21 that the NAP standard is being adopted by the Trustworthy Computing Group and tucked into its TNC (Trusted Network Connect) framework.

The TCG has adopted and published the Microsoft SOH protocol as a new TNC standard (IF-TNCCS-SOH). The move ushers in interoperability between NAP clients and servers and TNC clients, servers and infrastructure such as Juniper's UAC products.

That move is significant in the NAC world, as it streamlines what had been three major standards—NAP, TNC and Cisco's NAC (Network Admission Control)—down into just Cisco NAC and TNC-NAP.

Microsoft's NPS (Network Policy Server) will bring NAP health agents to the table and will interoperate with Juniper's UAC products in heterogeneous network environments. NPS can act either as a policy server or can lend its endpoint information to Juniper's Infranet Controller.

If the above paragraphs have entirely too many TLAs (Three-Letter Acronyms), here's a rough sketch of what the interoperability between Microsoft's NAP standard and the Trustworthy Computing Group's TNC framework will be composed of, courtesy of the TCG's FAQ:

-- Endpoint The system that is requesting network access and being checked. This may be a NAP client such as a computer running Windows Vista or another kind of TNC client.

-- Policy Decision Point The system that evaluates the endpoint and decides what access should be granted. This may be a NAP server such as a Microsoft Network Policy Server or another kind of TNC server, like Juniper's Infranet Controller.

-- Policy Enforcement Point A network element that denies or limits network access based on instructions from the Policy Decision Point. This may be a switch, router, VPN gateway, or other network element with enforcement capabilities.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International