The latest version of the NSM platform supports Juniper's SSL VPN products, Unified Access Control (UAC) NAC gear and EX enterprise switches. Previously the platform managed only firewalls and intrusion-detection products. Later this year, NSM will be expanded further to support Juniper M-Series multiservice edge routers and MX-Series Ethernet services routers.
The overhaul of NSM will help Juniper compete against Cisco for corporate business, says John Oltsik, an analyst with Enterprise Strategy Group. "Cisco has rich management of its devices," he says, "but it requires layering multiple software packages. NSM aggregates functions and is more elegant."
The ability to set policies across network and security gear will make it possible for businesses to set service-level policies across both domains, Oltsik says, giving added value to owners of broad Juniper portfolios. "They can set virtual-LAN and QoS and security policies from one central console," he says.
Many customers will want to keep management rights separated by role anyway, says Dave Passmore, an analyst with the Burton Group. They may want security staff to access only security devices and network staff to access only routers and switches, he says.
The expanded NSM will help out with the SA6000 SSL VPN gear used by IFC Corp., the commercial arm of The World Bank, says Glenn Hudler, an information officer with the company.
With 65 VPN devices and 73 Juniper firewalls, the new NSM will go a long way toward simplifying configuration and eliminating errors, Hudler says. "If we had to manually send configurations for the firewalls, we literally couldn't do it," he says. "There would be so many mistakes."
The situation is similar with the VPNs. "The chances of making a mistake without NSM are pretty high," Hudler says.
The platform also lets Hudler define a new configuration policy and compare it to current configurations. NSM tells him whether the proposed changes do what he intended, unintentionally undo other policies or replicate existing policies.
The new NSM required bringing together management of disparate products that were developed in-house or acquired.
NSM was created by NetScreen, which Juniper bought in 2004. NetScreen came to Juniper with firewalls, IPSec and SSL VPNs, and intrusion-detection gear, some of which was acquired as well. For instance, NetScreen bought its SSL VPN gear when it purchased Neoteris in 2003.
To bring management of this smorgasbord of devices under NSM, Juniper instituted an XML interface called the device-management interface (DMI). NSM was adapted to talk to DMI, and that capability makes it possible for Juniper to add product lines to the management platform quickly, the company says. Juniper renamed the platform, formerly called NetScreen Security Manager, to Network and Security Manager so that it retained the familiar NSM acronym by which it was known.
New NAC capabilities
Juniper has made its UAC technology compatible out of the box with Microsoft's Network Access Protection (NAP) NAC technology. This means customers can use elements of one with elements of the other.
Rather than distributing Juniper's UAC client, customers can let the NAP client that comes built into Windows XP and Vista handle reporting on the status of endpoints.
UAC has supported NAP for more than a year, based on public demonstrations, but that required complex configuration. Now, the support is standard with UAC.
Along with NAP interoperability, new UAC software makes it simpler to install and deploy UAC client software. It also makes it possible for UAC to auto-remediate more third-party products, such as antivirus software, and enables UAC to scale to hundreds of thousands of endpoints at a time.
Juniper also has broadened the number of devices that can send security input to its Infranet Controller, the UAC policy controller, to isolate misbehaving endpoints.
The company's Coordinated Threat Control architecture enables various devices on the network to report to the Infranet Controller about significant security incidents. Based on the severity of these events, the controller's policies can call for quarantining the offending machine or restricting its access to the network. In extreme cases, its session can be cut and further access attempts denied until the attack can be analyzed.
Juniper has expanded this reporting capability to include the firewall within its Integrated Security Gateway appliance.
Juniper is also announcing two new Infranet Controller appliances, the IC 4500 and the IC 6500, new hardware that boosts performance over earlier models. The IC 4500 costs $10,000 for the appliance, plus licenses for concurrent users. The smallest license is for 25 users and costs $1,500. The IC 6500 appliance costs $15,000, plus licenses. The smallest license package is for 100 users and costs $4,300.
Sunday, 10 August 2008