Juniper scores with WLAN protector

By Joel Snyder
Network World, 03/07/05

Original Article on Network World Web Site

With the announcement of its NetScreen-5GT Wireless firewall this week, Juniper has firmly (and finally) jumped on the wireless bandwagon.

In our exclusive Network World Clear Choice Test, we found the NetScreen-5GT Wireless to be a clean melding of a trusted, full-featured firewall to a secure wireless access point.

The NetScreen-5GT Wireless makes a bold statement in the world of firewalls targeted at the small and midsize business (SMB) and remote site markets. Although Check Point, SonicWall, WatchGuard and Fortinet all have added wireless technology to their lower-end boxes, none has brought the same level of flexibility as Juniper when it comes to support for wireless LANs (WLAN), authentication technology and security policies.

Our test centered on the product's wireless features and capabilities. It is well suited for sophisticated wireless environments, where multiple security zones and authentication systems are required within a small geographic area (a single floor, for example). At the same time, with its optional asymmetric DSL port, the NetScreen-5GT Wireless can act as a complete SMB secure access product, offering Internet connectivity, guest, employee, and wireless and wired access in the DMZ, and fly-by virus scanning.

The NetScreen-5GT Wireless offers basic radio capabilities: It has one 802.11b/g radio with a few antenna options (including high-gain directional and omni-directional). But its impressive security capabilities make the Juniper box stand out.

The NetScreen-5GT Wireless lets you create up to four different WLANs, each identified by its own Service Set Identifier (SSID). A critical part of any multi-SSID access point is that it have unique Ethernet addresses for each SSID - called basic SSIDs (BSSID). This feature - also supported by more established wireless gear vendors such as Aruba Wireless Networks and Airespace (recently acquired by Cisco) - requires significant hardware support. Without it, multiple SSID systems have poor interoperability with many wireless-enabled laptops. The NetScreen-5GT Wireless supports up to four BSSIDs, one for each wireless LAN. We had no interoperability problems with drivers on Windows or Macintosh clients tested.

Each wireless LAN also can have different authentication and encryption parameters, and these are fully under the control of the IT manager. In our testing, we tried everything from simple Wired Equivalent Privacy authentication to the most secure 802.1X authentication using 802.11i (often called WPAv2). Every method we tried, including Protected Extensible Authentication Protocol (PEAP), Tunneled Transport Layer Security and TLS authentication, worked the first time. This level of interoperability was positively eerie, based on past testing experience.

The NetScreen-5GT Wireless also can be set to require a Web-based authentication. When this feature is enabled, users who want to get on the corporate, protected network first have to use a Web browser to connect to the NetScreen-5GT, and provide a username and password. We tested this feature by having the NetScreen-5GT Wireless check the username and password against our corporate RADIUS server (see how we did it )

Although the Web pages that Juniper has built in for Web-based authentication will not win any beauty contests, the functionality this feature needs - a place to put in a username and password - was all there.

The ability to put each of these WLANs into a different security zone rounded out the wireless capabilities. In NetScreen-speak, security zones are the barriers between different parts of a network, and you can define security policy between any two zones. This means that each of the four WLANs can have a different SSID, can be authenticated and secured differently, and can have a different security policy. That's great flexibility for the network manager.

The NetScreen-5GT Wireless will not challenge enterprise-level wireless access point or switch products. Although the WLAN features are outstanding, Juniper placed some constraints on its use by not supporting all combinations of bridged and routed configurations. While most configurations from using different subnets or network address translation (NAT) are supported, the NetScreen-5GT Wireless wouldn't work well in an environment where you expected people to roam between access points.

Also, while the NetScreen-5GT Wireless has full IPSec and Layer 2 Tunneling Protocol VPN features, it's missing some high-end WLAN device features, such as virtual LAN support.

The NetScreen-5GT Wireless has its share of rough edges. The initial setup wizard is certainly not easy to use.

In addition, GUI designers seem unfamiliar with wireless terms, which makes setting up some parameters - such as establishing wireless authentication methods - more confusing than necessary.

For IT shops that don't see a need for multiple wireless LANs, the NetScreen-5GT Wireless can be expensive overkill. When fully tricked out with anti-virus, intrusion-prevention features, four WLANs and three wired security zones, it lists for more than $2,000.

Having that much control adds significantly to the bottom-line cost because the starter NetScreen-5GT Wireless with two wireless and wired interfaces starts at $770. If adding a single access point to a wired network is all you want, a $50 wireless 802.11b/g access point would be a better addition.

In larger offices or environments where secure, controlled wireless is important, the NetScreen-5GT Wireless brings a wealth of features. It builds on the powerful core of features in all NetScreen firewalls, including in-line anti-virus and intrusion prevention, flexible VPN, firewall policy and NAT features, along with an easy-to-use management. The NetScreen-5GT Wireless offers a lot of security power in an elegant package.