Hi all,
There is the following situation in a medical center with a network:
router
firewall
switches (802.1x)
and on the switches - users (staff, doctors, etc.), servers (PACS, lab, etc.), wireless APs (802.1x)
The idea is to create different VLANs for the servers, and others for the different kind of users.
The role of the SA is to check and authenticate users and give them access only to the resources they need (access to different VLANs).
So I have heard opinions that this could happen ("All they need is AAA and an 802.1x switch") and also that this is impossible as this is an internal network.
So I looked at brochures, data sheets, training ... and all I see are diagrams for remote users, partners, public computers, etc. Nothing is mentioned for the internal LAN.
So is this possible or not?
And if possible where should they deploy the SA?
Yes, that is possible; deploy the SA device behind the internet firewall. The way I usually set this up is with VLANs and virtual ports. You can tag the VLANs and set different roles to use different VLANs. Each VLAN will have its own routing table.
You can use the SA in this fashion, but really the SA is designed to be an outside to inside security platform.
I think what you really want for your situation is the UAC (Unified Access Control) product line. This is the product that is used for internal NAC (Network Access Control).
http://www.juniper.net/us/en/products-services/security/uac/
The forum where these are discussed is the Identity and Policy Control one.
http://forums.juniper.net/t5/Identity-and-Policy-Control/bd-p/UnifiedAccessControl
Thanks for replies!
I first thought about UAC, but the SA could offer a future aspect for use both inside and outside. With UAC there is no growth.
That's why I am considering offering the SA.