With the announcement of its NetScreen-5GT Wireless firewall this month, Juniper Networks has firmly (and finally) jumped on the wireless bandwagon.

In an exclusive Network World Clear Choice Test, we found the NetScreen-5GT Wireless to be a clean melding of a trusted, full-featured firewall to a secure wireless access point.

The NetScreen-5GT Wireless makes a bold statement in the world of firewalls targeted at the small and midsize business (SMB) and remote site markets. Although Check Point, SonicWall (read our review), WatchGuard and Fortinet all have added wireless technology to their lower-end boxes, none has brought the same level of flexibility as Juniper when it comes to support for wireless LANs (WLAN), authentication technology and security policies.

Our test centred on the product's wireless features and capabilities. It is well suited for sophisticated wireless environments, where multiple security zones and authentication systems are required within a small geographic area (a single floor, for example). At the same time, with its optional asymmetric DSL port, the NetScreen-5GT Wireless can act as a complete SMB secure access product, offering Internet connectivity, guest, employee, and wireless and wired access in the DMZ, and fly-by virus scanning.

The NetScreen-5GT Wireless offers basic radio capabilities: It has one 802.11b/g radio with a few antenna options (including high-gain directional and omni-directional). But its impressive security capabilities make the Juniper box stand out.

Advanced security in the hardware makes it interoperate
The NetScreen-5GT Wireless lets you create up to four different WLANs, each identified by its own Service Set Identifier (SSID). A critical part of any multi-SSID access point is that it have unique Ethernet addresses for each SSID - called basic SSIDs (BSSID). This feature - which requires significant hardware support - is also supported by more established wireless gear vendors such as Aruba (read our review) and Airespace (read our review), which has been recently acquired by Cisco. Without it, multiple SSID systems have poor interoperability with many wireless-enabled laptops. The NetScreen-5GT Wireless supports up to four BSSIDs, one for each WLAN. We had no interoperability problems with drivers on Windows or Macintosh clients tested.

Each WLAN can also have different authentication and encryption parameters, and these are fully under the control of the IT manager. In our testing, we tried everything from simple Wired Equivalent Privacy authentication to the most secure 802.1X authentication using 802.11i (often called WPAv2). Every method we tried, including Protected Extensible Authentication Protocol (PEAP), Tunneled Transport Layer Security and TLS authentication, worked the first time. This level of interoperability was positively eerie, based on past testing experience.

Web-based authentication
The NetScreen-5GT Wireless also can be set to require Web-based authentication. When this feature is enabled, users who want to get on the corporate, protected network first have to use a Web browser to connect to the NetScreen-5GT, and provide a username and password. We tested this feature by having the NetScreen-5GT Wireless check the username and password against our corporate RADIUS server.

We integrated the device into our existing test bed, using it as our production wireless access point for several days.

Our 802.1X RADIUS server, Odyssey from Funk Software, was set up to handle authentication with the NetScreen-5GT Wireless. Then, we used laptops from Dell running Windows XP with Dell's internal wireless card, from Apple computer running Mac OS X with Apple's internal wireless card, as well as PDAs from HP and Nokia, to connect to the wireless network.

Because of the popularity of Cisco's wireless hardware in enterprise networks, we also ran XP tests using the Cisco 802.11a/b/g wireless card and Cisco's own wireless management software.

To test the different wireless authentication mechanisms, we switched the NetScreen-5GT Wireless through different configurations, including basic 802.1X, 802.1X with WPAv1, and 802.1X with WPAv2. We also used Wired Equivalent Privacy and Web-based authentication for the PDAs to test interoperability.

Testing stability
To verify the stability of the wireless connection and the ability to use all four BSSID, we used an ASUS WL-330g Ethernet-to-wireless adapter to connect our HP printer to the NetScreen-5GT Wireless as well.

Although the Web pages that Juniper has built in for Web-based authentication will not win any beauty contests, the functionality this feature needs - a place to put in a username and password - was all there.

The ability to put each of these WLANs into a different security zone rounded out the wireless capabilities. In NetScreen-speak, security zones are the barriers between different parts of a network, and you can define security policy between any two zones. This means that each of the four WLANs can have a different SSID, can be authenticated and secured differently, and can have a different security policy. That's great flexibility for the network manager.

It won't replace the enterprise switch
The NetScreen-5GT Wireless will not challenge enterprise-level wireless access point or switch products. Although the WLAN features are outstanding, Juniper placed some constraints on its use by not supporting all combinations of bridged and routed configurations. While most configurations using different subnets or network address translation (NAT) are supported, the NetScreen-5GT Wireless wouldn't work well in an environment where you expect people to roam between access points.

Also, while the NetScreen-5GT Wireless has full IPSec and Layer 2 Tunneling Protocol VPN features, it's missing some high-end WLAN device features, such as virtual LAN support.

The NetScreen-5GT Wireless has its share of rough edges. The initial setup wizard is certainly not easy to use.

In addition, GUI designers seem unfamiliar with wireless terms, which makes setting up some parameters - such as establishing wireless authentication methods - more confusing than necessary.

It may be overkill
For IT shops that don't see a need for multiple WLANs, the NetScreen-5GT Wireless can be expensive overkill. When fully tricked out with anti-virus, intrusion-prevention features, four WLANs and three wired security zones, it lists for more than $2,000.

Having that much control adds significantly to the bottom-line cost because the starter NetScreen-5GT Wireless with two wireless and wired interfaces starts at $770. If adding a single access point to a wired network is all you want, a $50 wireless 802.11b/g access point would be a better addition.

In larger offices or environments where secure, controlled wireless is important, the NetScreen-5GT Wireless brings a wealth of features. It builds on the powerful core of features in all NetScreen firewalls, including in-line anti-virus and intrusion prevention, flexible VPN, firewall policy and NAT features, along with an easy-to-use management. The NetScreen-5GT Wireless offers a lot of security power in an elegant package.


This product doesn't compete with wireless switches, and it may be overkill for some applications, but it mixes a full-featured firewall with a secure access point.