Juniper and Microsoft Hook Up for NAC Work

Juniper Networks' Unified Access Control server will interoperate with Microsoft's Network Access Protection standard so the two can deal with security policy in NAC deployments.

Juniper Networks jumped into the NAC lovefest at Interop on May 21, announcing that its working to get its Unified Access Control NAC server to interoperate with Microsofts Network Access Protection standard.

Junipers Networks Infranet Controller is the policy management server at the center of Junipers UAC technology. Juniper said that by the first half of 2008, the Infranet Controller will be using Microsofts SOH (Statement of Health) client-server protocol, which is provided by Microsofts NAP agent, built into Vista and the upcoming Windows XP SP3 release.

Its all about opening wired and wireless networks to more users, both inside and outside an enterprise, and doing so securely, without those users dragging their out-of-date anti-virus signatures and infections in with them.

Juniper describes it as the paradigm of the shifting network perimeter, where some level of network access has to be doled out to outside vendors, clients, guests and contractors, and yet more levels of network access have to be doled out to employees based on letting them in and keeping them out where and when its necessary.

"Interoperability of NAC infrastructures enables customers to quickly and effectively adapt to changing business and network environments, especially now that companies will be able to leverage Windows Vista and Windows XP as their NAP or UAC clients," said Bob Muglia, senior vice president of the Server and Tools Business at Microsoft, in Junipers statement.

"Customers can feel confident in the investments they make today in NAP, Windows and the Juniper Networks UAC solution."

Karthik Krishnan, senior product line manager for Juniper, told eWEEK that the announcement is intended to highlight the "clear way enterprises can leverage existing or planned investments in NAC infrastructure as well as in Junipers UAC infrastructure and have them interoperate."

Krishnan added that Juniper is enabling enterprises to take advantage of various technologies in each solution and have them talk to each other.

"Enterprises not only have to provide access to diverse constituents but make sure it fits into access and security and compliance requirements. There have been different sets of standards [to do that] and they havent historically interoperated."

/zimages/5/28571.gifClick here to read more about standards and the state of NAC.

Junipers announcement means that customers can mix and match components or go with a best-of-breed approach and still have it all talk to each other, Krishnan said.

"[Microsofts] Statement of Health can be accessed through Infranet Controller. The Infranet Controller can interpret the Statement of Health for endpoint integrity, for whether an endpoint is compliant with corporate policy, can leverage that information as part of decision making, and can provision access control rules to 802.1x enforcement points in the form of VLAN assignments, or in the case of Juniper infrastructure, for example firewalls and secure routers or granular access controls, network applications. The Infranet Controller is leveraging the NAC client to determine endpoints compliance to policy and determining access level" based on that compliance, Krishnan said.

Microsoft announced also on May 21 that the NAP standard is being adopted by the Trustworthy Computing Group and tucked into its TNC (Trusted Network Connect) framework.

The TCG has adopted and published the Microsoft SOH protocol as a new TNC standard (IF-TNCCS-SOH). The move ushers in interoperability between NAP clients and servers and TNC clients, servers and infrastructure such as Junipers UAC products.

That move is significant in the NAC world, as it streamlines what had been three major standards—NAP, TNC and Ciscos NAC (Network Admission Control)—down into just Cisco NAC and TNC-NAP.


Microsofts NPS (Network Policy Server) will bring NAP health agents to the table and will interoperate with Junipers UAC products in heterogeneous network environments. NPS can act either as a policy server or can lend its endpoint information to Junipers Infranet Controller.

If the above paragraphs have entirely too many TLAs (Three-Letter Acronyms), heres a rough sketch of what the interoperability between Microsofts NAP standard and the Trustworthy Computing Groups TNC framework will be composed of, courtesy of the TCGs FAQ:

  • Endpoint The system that is requesting network access and being checked. This may be a NAP client such as a computer running Windows Vista or another kind of TNC client.
  • Policy Decision Point The system that evaluates the endpoint and decides what access should be granted. This may be a NAP server such as a Microsoft Network Policy Server or another kind of TNC server, like Junipers Infranet Controller.
  • Policy Enforcement Point A network element that denies or limits network access based on instructions from the Policy Decision Point. This may be a switch, router, VPN gateway, or other network element with enforcement capabilities.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.