This transcript is from a PodTech.net podcast at:
http://www.podtech.net/home/technology/1401/securing-remote-users-and-branch-offices

Guest: Stephen Philip - Juniper Networks
Host: John Furrier - PodTech

John Furrier - PodTech
We're here at PodTech.net at Juniper Networks headquarters for the Juniper News Podcast here, with Stephen Philip, the director of product marketing for the security products group. Welcome to the Podcast.

Stephen Philip - Juniper Networks
Thanks John.

John Furrier - PodTech
So, I see a lot of news going on within Juniper; you see a lot of the stuff going on with the security products within Juniper; you manage the high end firewalls, SSL, VPN, Intrusion Detection, application Acceleration, and in particular the Secure Services Gateway Family of products is developing. Talk about what's happening with that product and the sector that it's competing in, and news there.

Stephen Philip - Juniper Networks
At the highest level, enterprises are looking at how they can improve productivity, how they can reduce cost and how they can attain what's the buzz in the market of business continuity. So, availability, resiliency, risk management, those type of things; but where the SSG line, which is the abbreviation of the Secure Services Gateway, where they tend to fit in primarily, is in the branch environment. So, obviously those same drive is applied to the branch, and if you think of what's happening in the branch with that branches, when now it's something like 90% of employees are not in headquarters - right? So, if you start to apply those same principles to the branch, there's a lot of things happening. So, how do I enable the productivity of that branch personnel to be the same as their headquarters cousins?

How do I reduce cost when I potentially have thousands of these remarks and locations without support and things like that? So, there are a number of things happening within the branch market in that context; so things like the use of the internet as a backbone technology for example, the use of consolidating into single IP infrastructures for your backbone networks, and whether it be the use of the internet as a private IP network -- direct access to resources of the branch, rather than necessarily coming back to the central site. The use of broadband technology to reduce cost, increase the bandwidth into those branches -- that's some of the things that are starting to happen, and as we get it through, I'll probably elaborate a little bit more on those.

John Furrier - PodTech
I mean branch office and remote users has always been a hot button in IT; but now, more importantly, because of the internet is a backbone, and the collapsing of a single IP infrastructure, really provides more capabilities. How does someone who is a director of IT out there, deal with this? I mean, honestly the benefits are application access, but tell about it from a cost perspective and deployment perspective because it used to cost a lot of money five, six years ago, even like, ten years ago, millions of dollars, but now, people are working at home, they're working in branch offices.

Stephen Philip - Juniper Networks
Well, depending on the size of your network, it still costs millions of dollars, but -- so obviously, controlling costs is a key part of how people look at this, and it comes in a number of ways. As I said before, leveraging, internet technology and broadband technology that is being rolled out around the world, and in fact you are seeing in North Asia and in Europe, probably a little bit ahead of rolling out things like Metro Ethernet and very high bandwidth broadband connections, but the US and the Americas is certainly catching up pretty quickly. So the use of, and access to those technologies, the consolidation of your networks, such that you don't have 13 networks anymore; historically we've had a voice network, a frame network, a leased line network, all in -- everything about (ph) access and whatever else -- and also the voice network. So, the consolidation of those things can certainly drive down the costs associated with that. And then also, we've seen the design within the branches start to see device consolidation as well. So, this is...

John Furrier - PodTech
Give me an example on that.

Stephen Philip - Juniper Networks
Well, so, as I was going to say, it can be mixed blessing, so if we talk to someone about an IT director, about what they want in their central site, typically they'll say well, I want discrete platforms for performance, bandwidth, for mostly that (Inaudible) you, that's at (ph) the central site. As soon as you talk to them and you say, well what do you want of your 100, 1000 remote sites, I say, oh, I would like to have a single platform that consolidates all these functions. Now...

John Furrier - PodTech
That's the wish list.

Stephen Philip - Juniper Networks
That's the wish list, and whether it's achievable, it depends on what you are trying to do in the bar associated with that. And so we have certainly seen within the market, those things happening. And some of the things that we are doing with the SSG portfolio clearly plays into that way of thinking, but it's not as simple as just adding features; it's where does that - what is the -- where does the intellectual property come from, or how good are those features you add? And when you turn on those features, do you impact things - create another bottleneck...

John Furrier - PodTech
You solve the problem that you originally set out to solve.

Stephen Philip - Juniper Networks
Correct, do you do that.

John Furrier - PodTech
What are some of the top challenges you are seeing in the client meetings (ph) out there; people out there are scratching their head, banging their head against the wall, whatever they are doing, they are redrawing their networks. What are the top three challenges that you see around this SSG product?

Stephen Philip - Juniper Networks
Well, I think it does depend on the size of the network; and the SSG portfolio is a broad portfolio. And then depending on how you look at it, there's the SSG 5, which has a number of variants, the SSG 20, the SSG 140 and then the SSG 500. So, within that there's around 11, 13 platforms depending on how you look at it. So, it can deal with the size -- the total size of the enterprise is worth the size of the branch. So that's one of the -- does it fit to TUMA requirements, and the challenge associated with the increasing bandwidth going into these branches, the direct access to the internet that many companies are opening up; historically it was, "Now I am going to back-up everything to the central site," but now the lines of businesses are really still saying, "No, I want to have direct Wi-Fi access out of the branch from my contractors," or my guest workers, or you have a very distributed enterprise and they want to access resources in their geography, not backhauling (ph) them direct to the central site. So, that raises a lot of security challenges. Now, I've got employees in a branch directly accessing the internet. So, how do I...

John Furrier - PodTech
So increased bandwidth is a big issue, and then just access; people just want diverse access points to get into the network, whether it's Wi-Fi on the road or...

Stephen Philip - Juniper Networks
Yeah, there's a number of things that drive the productivity requirements...

John Furrier - PodTech
Yeah.

Stephen Philip - Juniper Networks
...and then there's the other challenges I have on how do I reduce the costs, and then it's, okay, how do I make sure that works? So, the business continuity challenge...

John Furrier - PodTech
So, productivity cost deployment (Voice Overlap)?

Stephen Philip - Juniper Networks
Yeah, it's not just about deployment that way - it's, is that going to be secure? Is that going to bring down my network, or, I've now consolidated my network, I used to have 13 networks, now I have one or two and now the availability of that network becomes very critical.

John Furrier - PodTech
Security.

Stephen Philip - Juniper Networks
Security, availability, these things all play in.

John Furrier - PodTech
How does the Juniper product with the SSG address those?

Stephen Philip - Juniper Networks
So, one of the things that we looked at with the SSG was, the requirement to add additional security services to the platform; so the ability to do what's often referred to in the market as UTM -- and that means different things to different people, and there are slightly different definitions, but typically it means firewall services, anti-virus capabilities in the gateway, the ability to do things like URL filtering to prevent people going to phishing sites or inappropriate sites for the business, and the ability to do things like anti-spam, so it offloads some of the effort that's happening with the email service. Well, that's typically a smaller enterprise solution, because typically most of the things that are on the central site. So, how do you implement those technologies on top of the firewall and the access, or the connectivity? And that's something that we have been working at and with the development of -- with partners; and so, on top of the firewall capabilities is also intrusion prevention capabilities, looking at the worms and trojans that are trying to come into the network.

So, our approach was to work with best-in-class partners such as Symantec, Kaspersky Labs, SurfControl, and others to enable us to have this platform that was using our strengths but also leveraging well-known partners in the marketplace and put them on a platform that can run all those things. That's nice, but now I am saying, I want to do that and I simultaneously want to increase my bandwidth. So, how do I do that and have it still, to perform? So, that's a lot of the development what the SSG platform was around, and developing a platform with sufficient headroom -- processing headroom.

John Furrier - PodTech
What is the SSG? If you had to kind of describe it real quick, -- I mean, as a product, I mean, the positioning of it, for people -- because there's a lot of things going on in there.

Stephen Philip - Juniper Networks
Yeah, so first and foremost, it's a security device -- security device with the ability to do firewalling, IPsec VPN - it also has routing capabilities designed for the branch environment. One of the things we added to this platform was, WAN interfaces. So, in many cases, you can replace the requirement for a router in that branch environment. So then, adding additional security services on top of that...

John Furrier - PodTech
It's like the central hub for security stuff right, in kind of layman's terms?

Stephen Philip - Juniper Networks
It allows you to consolidate a number of devices into that branch environment. So, it's not just security because it also provides the connectivity.

John Furrier - PodTech
So, securing branches is a big deal. I feel branch office is a distributed -- right that's a huge. Talk about some of the application environments. What are the types of clients that really use this? Can you just give a high level -- is it big monster enterprises, is it retail, both, what is that?

Stephen Philip - Juniper Networks
The segment is pretty broad; you look at a -- clearly a lot of the capabilities, which we really haven't finished talking about in terms of the large distributed enterprise, a lot of those -- the features are designed to cater to those. But that lends itself very well for the smaller business and so it really covers a large area, but sort of typical applications, I already mentioned retail and financial services going into branch locations, government agencies, remote deployment, management is a key element of doing this. So, how do you roll out thousands of branch offices and do it quickly? We've got customers that have rolled out thousands of remote sites in less than three months...

John Furrier - PodTech
Wow.

Stephen Philip - Juniper Networks
...averaging over 100 sites per night as a sort of a roll out.

John Furrier - PodTech
Take me through that real quick; I mean, that's important, that's the functionality which you do, but...

Stephen Philip - Juniper Networks
So, it's a lot about the pre-configuration and staging, and then the ability to push some very minor configuration onto the platform and then have the device call back to home, if you like, and get the management system to push the full configuration, so that once you've got contact with the device, it's very easy then to go from there, but that initial contact (Voice Overlap).

John Furrier - PodTech
You're pushing the configuration simultaneously to where you deployed it.

Stephen Philip - Juniper Networks
Right, and then using that same sort of mode to -- I want to change policy; I want to universally change policy in my enterprise. So, does that mean I have to go to 3000 devices and change that configuration - and every one of them, or do I actually the configuration once and then push it out to all those sites simultaneously. And that can have huge advantages in terms of the operational cost of doing this. The other element that comes into the management of these devices is the organizational structure of a company. Many times, you have a separate security team, networking team, and the sort of, the operations team. Now, I think we're seeing all the changes and how they consolidate and, no longer are they really silos, but clearly, as you consolidate a platform with different technologies, then those particular capabilities may be managed by different teams. And so, how do I have a consolidated device where I want the networking team to be able to change the wraps and the VPNs. I want the security team to be able to change the policies, and I want the operations guys to be able to administer the logs and do break fix. But I don't want any one of them to be able to have read-write access to the other functions; and that's a capability called delegated authority which again is not a -- it's not part of the SSG per se, it's part of the central management system called NSM, which -- we incorporate (ph) for those devices (Voice Overlap).

John Furrier - PodTech
No, I told to do their job without hurting the network; you get -- the security maintains the integrity of the secure network but you don't have to co-ordinate different groups and just the management time probably gets accelerated down.

Stephen Philip - Juniper Networks
I mean, that capability, or that requirement often brings organizations to the conclusion that they won't go for integrated devices. Now, there are other reasons not to integrate, but often it can become back as organizational structure. I can't -- I need to have this team work on this device, and this team work on that device, and so...

John Furrier - PodTech
It's a big dependency.

Stephen Philip - Juniper Networks
Yeah, so there is a number of things that need to be aligned to enable you to do that integration and do it right.

John Furrier - PodTech
What is Unified Threat Management or UTM?

Stephen Philip - Juniper Networks
Yes, I mentioned that before; Unified Threat Management, UTM, is a term, which sort of talks about multi-layered security approach essentially - is, what are the different technologies that can keep my environment safe. Now typically, at a central site, these are going to be the discrete platforms. And most people -- as I talked about before at the central site, they are going to still look to have those platforms be discrete. But when you talk about small offices or branch offices, there is a lot of economic pressure to do that integration. So UTM really refers to the integration of firewall, VPN, Antivirus, IPS technology, Intrusion Prevention Technology, web filtering technologies, to look at the different types of attacks or threats you're going to have. Things like access control can also be included in that in some definitions.

John Furrier - PodTech
What's different now than five, six years ago in your mind?

Stephen Philip - Juniper Networks
So, I think there are so many things that are different five six years ago.

John Furrier - PodTech
Security environments are actually much more focused on threats, it's really...

Stephen Philip - Juniper Networks
So, you know, nowadays most of the attacks are on the application layer, whereas probably five years ago, most of the discussion was around (Inaudible) global attacks. So, that's clearly one; the use of the internet as a backbone is certainly much more prevalent now. The preparedness for organizations to do what I called 'direct internet access' or 'split tunneling' is much -- organizations are much more likely to do that I think because now more and more employees are located in the branches and there is real drive to do that and there is a requirement to have those branches be very productive and autonomous. And so historically, I would talk to organizations about split tunneling, and most of them say we don't do that, it's just not part of our security policy. Now, that's a valid security policy, but what we are seeing nowadays is lines of business saying, okay, but I want you to make it secure; I want to do this, I want to have my Florida office be able to directly access the internet and not come back to New York or whatever, and I understand there is a security concern there, but that's what I am giving to you as your responsibility.

John Furrier - PodTech
The business is driving more now than it did five years ago; the business is saying we can make this happen.

Stephen Philip - Juniper Networks
Yeah, I think so, rather than necessarily the security team saying, we don't do this.

John Furrier - PodTech
And this is what's available.

Stephen Philip - Juniper Networks
Yeah. We just don't do this in our environment. So that has changed; you know obviously bandwidth -- bandwidth in other branches has changed considerably through this.

John Furrier - PodTech
And we get customers that I talked to; your customers' had loved firewall products and management software is just seamless and it's really a testimony to the products. Congratulations. Second question, five six years from now, what do you see? And that's not just the Juniper position but just someone who is in the security business running a group that's pretty diversified in the security area, what's the horizon look like? What would be different five six years from now in your mind?

Stephen Philip - Juniper Networks
I think we are going to see from a -- I suppose from a product and technology perspective, I'm always -- I love to gaze into the crystal ball and say, because everyone's typically, classically wrong.

John Furrier - PodTech
It's (Inaudible) big guesses. We don't document on a PodTech to see who is right, we go back five years later and...

Stephen Philip - Juniper Networks
...and give you a booby project you know. But, I always look back to look forward. And if you were to talk about firewall and VPN technology five, six years ago -- I know, because I was, people would talk about those things as separate functions. Most of the vendors sold separate devices, you might have some VPN capability in your firewall, or some firewall capability in your VPN, but really if you wanted the real stuff, you bought a separate platform. That's something that Juniper drove, was that change with our NetScreen Appliances, where really people started to -- can say firewall VPN as a category. And now, it would be difficult to find an analyst or even a customer that isn't expecting their firewall VPN platform to have fully fledged functionality in that. And people still may deploy a VPN -- solve a problem with a VPN firewall appliance and do just VPN, or do just firewall, but typically it's the same platform. So, really that technology -- that functional integration of that technology -- now clearly, those integrations happened before that, but they weren't really usable; as a colleague of mine talks about, is the integration of PDAs and cell phones, right? For some people, over the years, we have done enough to make it usable, for other people - "No, I still have separate - my requirements are separate." So, they still happen -- now, clearly we are seeing, people almost say, firewall VPN changed me. I think you are going to start to see that, especially in branch environments where you see these other technologies.

John Furrier - PodTech
The integration...

Stephen Philip - Juniper Networks
The integration being much more functional. Now, most of the people who would listen to this Podcast are looking there, and they are sort of saying, "Okay, I understand this benefit about doing this integration, but my (Inaudible) is pretty high for this integration; I don't want to have - I don't want to go out and be in a situation where I've made this decision, I turned to all the features and I find that it doesn't work the way that I need it to work." So I think that there is a lot of development effort, and obviously Juniper's doing a lot of that to drive that integration to be functional. So, I think that we will see that; we will see that real functional integration of these different technologies into the branch, certainly in that timeframe.

John Furrier - PodTech
Final question, for the podcast here. If you have a party and someone says, hey, you work for Juniper, and you had to describe them the security philosophy to state what's going on here. How would you describe stuff that Juniper is doing?

Stephen Philip - Juniper Networks
Yeah, one of the things that you would need to be able to do is...

Copyright ©2006 PodTech.net. All rights reserved.