Juniper Networks Inc. last month released a policy management appliance aimed at securing the network infrastructure by building more intelligent firewalls and combining them with router technology, so that business processes can be made more agile without weakening security.
Juniper’s Infranet architecture calls for placing its appliances, dubbed Infranet Controllers, into a network so users can authenticate themselves. The devices send an Infranet Agent — a Java applet or ActiveX control — down to the computer to scan it for compliance with network security policies, such as up-to-date virus signatures and installed software patches.
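The controller-side half of that flow, a policy check over the posture data an agent reports back, is shown below as an added example; it is not Juniper's code, and the report fields, the placeholder patch identifiers and the allow/quarantine/deny split are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Set, Tuple

# Constructed posture report, roughly what an endpoint agent would gather.
# Field names are assumptions, not the Infranet Agent's real format.
@dataclass
class PostureReport:
    host: str
    av_running: bool
    av_signature_date: date
    installed_patches: Set[str]
    firewall_enabled: bool

# Access policy the controller enforces; patch IDs are placeholders.
@dataclass
class Policy:
    max_signature_age_days: int = 7
    required_patches: Tuple[str, ...] = ("KB-PLACEHOLDER-A", "KB-PLACEHOLDER-B")
    require_firewall: bool = True

@dataclass
class Decision:
    action: str                     # "allow", "quarantine" or "deny"
    reasons: List[str] = field(default_factory=list)

def evaluate(report: PostureReport, policy: Policy, today: date) -> Decision:
    """Compare one posture report against policy and return an access decision.

    Gaps the user can fix (stale signatures, missing patches, firewall off)
    lead to quarantine with remediation hints; no anti-virus engine at all is
    treated as a hard deny. `today` is passed in so results are reproducible.
    """
    reasons: List[str] = []
    if not report.av_running:
        reasons.append("anti-virus engine not running")
    elif (today - report.av_signature_date).days > policy.max_signature_age_days:
        reasons.append(
            f"virus signatures older than {policy.max_signature_age_days} days")
    missing = sorted(set(policy.required_patches) - report.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    if policy.require_firewall and not report.firewall_enabled:
        reasons.append("host firewall disabled")
    if not reasons:
        return Decision("allow")
    if not report.av_running:
        return Decision("deny", reasons)
    return Decision("quarantine", reasons)
```

A real controller would log each decision with the host and reasons, which is also the data a security operations team needs to spot endpoints that repeatedly fail the same check.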
Achieving agility in a secure business environment demands an entirely holistic perspective on IT security, according to Mark Bouchard, founder of Millerville, Md.-based Missing Link Security Services LLC, and Juniper’s Infranet strategy takes a suitably integrated approach.
“What’s needed is a systems integration approach. Perimeter control, protection at the edge of the network, is not enough anymore,” said Bouchard, a former analyst with Stamford, Conn.-based Meta Group Inc.
“The traditional model of securing the perimeter needs to be extended to a more pervasive perimeter, one that brings [security measures] much closer to the data centre.”
Bouchard, speaking at a ComputerWorld-Network World Canada Live Tour event in Toronto recently, outlined a security model that draws the perimeter inward to isolate the internal network.
Bouchard says security needs to smarten up to keep up with evolving cyber threats. “Security measures have to advance inward, upward and outward,” he said.
The idea is to group technically related computing resources, such as servers and applications, into business units and then build internal firewalls around each unit, integrating these where practical.
The Internet demilitarized zone (DMZ) also needs strengthening and the data centre requires its own best-of-breed security, encompassing firewalls, intrusion prevention systems (as opposed to detection systems) and anti-virus engines, says Bouchard.
The upward evolution of security seeks to gain a higher level of application awareness and control, moving beyond layer-7 security to target specific utility applications, business applications and sensitive data.
The boundaries of the secure edge are also pushed outward to remote computing, using SSL VPN technology.
Ryan Gerome, director of emerging technologies for Sunnyvale, Calif.-based Juniper, says the Infranet strategy is aimed at securing five key areas of the network: data centres; campus (local area network and wireless LAN); wide area network (WAN) gateways (Web, e-mail and business applications); distributed enterprise (remote and branch offices); and extended enterprise (mobile workers and business partners).
Each level of security intelligence — network, application, user and end point — focuses on control of delivery, use and threat, says Gerome. “If there’s granular visibility at each of these levels, we can set more defined policy access,” he said.
“The Infranet is not new technology, it’s just a new application of the technology. We’ve taken SSL VPN technology and made it LAN-facing. It’s the integration of end point, application and network intelligence for policy enforcement.”
Juniper touts its architecture as less intrusive than Cisco’s Network Admission Control (NAC) system because it overlays security on LANs without requiring costly switch upgrades. NAC requires that Cisco switches be brought up to an acceptable IOS software version.
To use switches as enforcement points, Juniper’s Infranet requires the cooperation of other vendors, which may prove challenging in the case of Cisco. Juniper has a partner program of its own for this purpose and is working with the Trusted Computing Group to develop specifications that switch vendors can adopt to enable them to become enforcement points.
Microsoft’s Network Access Protection (NAP) scheme also relies on other vendors’ gear to enforce policies and, like Cisco’s plan, is supported by an extensive partner program. Other vendors, such as Aventail, Elemental and Sygate, offer products that can be used to control network access without relying on network hardware for enforcement.