Juniper Aims For Pervasive Network Security With New Firewalls, Policy Enforcer
November 16, 2016
Seid Yassin (557 articles)

Juniper Networks has announced two new firewalls in its SRX line with throughput up to 40Gbps. The company also announced Policy Enforcer, software that can push security policies to access switches to block or quarantine compromised hosts. The products were announced at Juniper NXTWORK 2016, a partner and customer event in Santa Clara.

The new products tie into Juniper’s efforts to provide more pervasive security throughout the network and enable a more automated response to threats.

Fire Away

The new firewalls include the SRX 4100 and SRX 4200. Both are based on x86 rather than custom silicon to help keep costs down. The 4100 model has a top throughput of 20Gbps, and the 4200 is 40Gbps.

Both models include next-gen firewall capabilities, IPS, and crypto acceleration support. As with most firewall platforms, throughput will be affected by the number of features in use.

The Enforcer

Policy Enforcer is a new extension to Juniper’s Security Director. Security Director centralizes management and policy for Juniper security products. Policy Enforcer takes policies from Security Director and can push them out in real time to Juniper EX and QFX switches in response to security incidents.

For instance, if a file passes through an SRX firewall, the firewall can send that file to the Cloud ATP service for inspection. If the file is determined to be malicious, Policy Enforcer can be invoked.

Policy Enforcer will identify the IP and MAC addresses of the host with the malicious file. It can then insert a policy on the switch to which that host is connected. Policy options include putting the host into a quarantine VLAN or preventing it from accessing the Internet. If a user physically moves a host (for example a laptop) and that host connects to a new switch, the policy will follow.
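The verdict-to-quarantine workflow described in the three paragraphs above, as an added illustration that is not Juniper's code or API: a small model in which a malicious verdict for an IP is resolved to a MAC, the port where that MAC is learned is moved into a quarantine VLAN, and the quarantine follows the MAC when it appears on another switch. The per-switch MAC tables, the IP-to-MAC map and the VLAN ids 999 and 10 are constructed assumptions.

```python
from dataclasses import dataclass, field

QUARANTINE_VLAN = 999   # assumed quarantine VLAN id
ACCESS_VLAN = 10        # assumed normal access VLAN id


@dataclass
class Switch:
    name: str
    mac_table: dict = field(default_factory=dict)   # mac -> port the MAC was learned on
    port_vlan: dict = field(default_factory=dict)   # port -> access VLAN currently assigned


class PolicyEnforcer:
    # Tracks quarantined MACs and re-applies the policy wherever they show up.
    def __init__(self, switches, ip_to_mac):
        self.switches = {s.name: s for s in switches}
        self.ip_to_mac = ip_to_mac     # constructed stand-in for the IP/MAC inventory
        self.quarantined = set()       # MACs with an active quarantine policy

    def locate(self, mac):
        """Return (switch, port) where the MAC is currently learned, or (None, None)."""
        for sw in self.switches.values():
            if mac in sw.mac_table:
                return sw, sw.mac_table[mac]
        return None, None

    def _apply(self, mac):
        sw, port = self.locate(mac)
        if sw is None:
            return None                # host not attached right now; policy stays pending
        sw.port_vlan[port] = QUARANTINE_VLAN
        return sw.name, port

    def on_verdict(self, ip, malicious):
        """Sandbox verdict for a file transferred by the host at `ip`."""
        if not malicious:
            return None
        mac = self.ip_to_mac[ip]
        self.quarantined.add(mac)
        return self._apply(mac)

    def on_mac_learned(self, switch_name, mac, port):
        """A switch learned `mac` on `port` (host plugged in or moved)."""
        old_sw, old_port = self.locate(mac)
        if old_sw is not None and (old_sw.name, old_port) != (switch_name, port):
            del old_sw.mac_table[mac]
            old_sw.port_vlan[old_port] = ACCESS_VLAN   # release the old port for the next host
        self.switches[switch_name].mac_table[mac] = port
        return self._apply(mac) if mac in self.quarantined else None
```

Releasing the vacated port matters: a quarantine keyed only to a port, rather than to the host's MAC, would strand the next device that plugs into that port.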

Juniper says it has plans to extend this enforcement capability to third-party switches, but it didn’t provide specifics around switch platforms or a timeline.

Juniper says the new firewalls will be available in the fourth quarter of 2016.

Juniper is right to pursue a security strategy that weaves identification and enforcement throughout the network, rather than just at discrete points such as a DMZ or data center firewall layer.

Other vendors are also touting this approach, including VMware with its NSX software, which lets administrators seed virtual firewalls throughout the organization to provide more granular monitoring and enforcement.

I think Juniper will be better positioned if it can incorporate more access layer and WLAN devices from other vendors under its Policy Enforcer umbrella.

Source | packetpushers