Juniper Networks, www.juniper.net
Price: Starts at $940
Juniper Networks' NetScreen-5GT Wireless device packs a lot of security into an affordable, highly configurable package for SMBs and branch offices. Despite somewhat difficult installation/configuration and weak documentation, this device is a steal at less than $1,000.
The 5GT Wireless bundles a stateful deep-packet inspection firewall, IPSec VPN and AV into a wireless access point. It supports up to four WLANs, each of which can employ different encryption and authentication methodologies. The device supports a wide range of security protocols, including WEP, WPA (both AES and TKIP) and IPSec, and an equally impressive collection of authentication methods—EAP (TLS, TTLS and PEAP), PSK, LDAP, RADIUS, RSA and SecurID.
The 5GT Wireless provides firewall protection, including NAT, through five 10/100 Mbps Ethernet ports and an ADSL port. The device can be administered through a graphical Web interface, command line, console connection, Telnet or SSH. Unfortunately, the Rapid Deployment Wizard doesn't live up to its name, and we opted to initialize and configure the device manually. There are too many unexplained settings choices, and a wrong choice affects the rest of the install. For a device with such extensive security options, the documentation was minimal.
Our testing exercised the device's ability to create multiple security zones, such as those a small business or remote location might deploy. We provided open wireless access to the Internet for customers, secured wireless access for on-site vendors using WEP, and the most secure wireless access for employees, using AES WPAv2 (802.11i). Additionally, the employees' wired network was run through the 5GT Wireless.
General wireless radio operations, such as antenna diversity, operation mode, transmission rates and powers, and channel and MAC address control, are very configurable. SSIDs were created by simply choosing a button in the SSID list, which opened an extensive array of settings, such as WEP authentication and encryption methods, WPA authentication, and binding, broadcast and isolation methods—all on a single page. You can also monitor active wireless associations and conduct site surveys to ascertain the current state of wireless activity.
Once the WLANs were defined, we created and assigned detailed policies for each, with options to permit or deny more than 70 different services (such as HTTP, FTP and SSH) and 18 applications (including SMTP, POP3, IMAP). For example, we allowed AOL on our open wireless connection, but denied it on our vendor and employee WLANs.
Other policy settings include AV; VPN tunneling and logging; granular control over NAT, authentication, URL filtering, traffic shaping, users and groups; and configurable alarm thresholds.
The IPSec VPN offers the same elements of security and interoperability found in Juniper's NetScreen enterprise boxes. Reporting and logging are as comprehensive as the device's security capabilities. Extensive system logs, counters for hardware, flow and zones, interface bandwidth, policies, wireless statistics, and active users can be sent to security administrators via the console, interface, e-mail, SNMP, syslog, WebTrends and NSM.
The NetScreen-5GT Wireless delivers an enterprise-caliber capability at an SMB price.
Sandra Kay Miller wrote this for the August 2005 issue of Information Security magazine.