Hi, I've been trying to ask this question through various official channels but it would appear that just about everyone is away for the holidays, so I thought I'd try here are well..
IÕm struggling to find some information regarding JuniperÕs positioning on the IKEv2 feature in 7.0, ItÕs not something that is that well documented and I canÕt find any competitive/reference information to it. IÕve asked our local SEÕs, but theyÕve not yet come back to me and I need to get the customer something sooner than later.
To give you a brief background, we have an existing large SA customer (with 2800 users) who are totally dependent on it for their remote access. Recently weÕve been doing some account updates highlighting some of the new features in 7.0 and the general direction of the product, and they sprung the question on me Why shouldnÕt we just terminate our Windows 7 Client directly on Windows Server 2008?Ó I was floored by the question initially, but I gave them my knee-jerk reaction of Scalability/Security/Manageability but this didnÕt seem to satisfy them. Basically I need a more comprehensive answer of why for them, Juniper SA should continue to terminate their VPNS rather than use the native features Within Windows 7/2008. I know that there is some background relationship between Juniper and Microsoft, but I need to get a grip on what the limitations are compared to using IVE as the termination point in this context.
Any analysis, insight, direction or other assistance on the subject I would greatly appreciate it.
Seasons Greeting and Happy new Year to all!
Because IKE/PPTP need commonly closed firewall ports opened, and for routers to support pass through, whereas an SA will fall back to SSL, and port 443 is open on pretty much all firewalls.
Host Checker features are far more advances than Microsoft Statement of health etc, you can check AV signatures, software firewall etc in a good level of detail, and provide remediation options to fix them.
Using resource profiles and roles mean that you can scale very specific security requirements easily across thousands of users with very little effort. You can use Single Sign on to many web applications, Citrix, terminal services.
4. Network appliance
The device is designed and manufactured to provide excellent VPN encryption and decryption, it can be placed in a network behind IPS/IDS and work solely as an SSL gateway, why on earth would you want to use your processing power to run Windows, anti virus etc.
A planned OS release schedule which can be done with no downtime in a cluster, a completely standard architecture, client and everything else means support is easy. Are VPN users going to have to disconnect every Friday for M$ updates on the server?
Exposing a windows box to web traffic, tut tut. The SA is Debian Linux hardened by Juniper, with very few vulnerabilities (OK, nothing is perfect) but your average script kiddie won't be able to touch it.
The SA doesn't just work with M$ stuff, what about pulse from an Iphone/Android, this is the way remote access is going...
The SA is designed to do exactly what it is doing. Server 2k8 is a jack of all trades, and certainly not a master of this one.
Thanks for the input..
In terms of IKEv2 vs SSL, I can clearly see the value/benfit/features, it's more about Juniper's implementation of IKEv2 termination versus Microsoft's. In this case, a lot of the added value features such as hostchecking, Single sign-on etc just don't/can't exist in this scenario.
The resource profile is a good one, but in context all 2000+ users are served from a single resource role, they have no idea what there users get up too, so they do an "Any/Any" Accept, although the IPS integration (or at least possible integration with) is a good call.
The availabiliy and scalability is a good call as well.
From my limited reading so far on the subject, it would appear the biggest barrier to adopting it the MS solution is in fact IPv6; it's essenitally a requirement for basic deploytments, although you can use IPv4 translation..This alone is enough to scare most enterprises away as in my experience, virtually none of my customers have even thought about it, and certainly none of the ISPs i deal with on a regular basis are offering it as part of packages.