Blocking attacks based on IP addresses is a traditional method, and company IT managers have at times been known to block entire countries by IP address -- such as China, for instance, or other places where a steady attack stream might be viewed as routinely originating. But this tactic has its drawbacks, especially now that proxy servers are commonly used to try to shield the visibility of employees to the outside world, Koretz points out. He says device fingerprinting is so much more effective and accurate that Juniper is advocating giving up IP address-based blocking entirely in favor of device fingerprinting. He also says reputation analysis services based on IP address are not worth the bother.
Juniper's device-fingerprint approach appears to have won some measure of support from customers. David Giambruno, senior vice president and chief information officer at Revlon, said in a statement he sees the new products as "a step in the right direction" because "current protections need to evolve beyond IP-based blocking to definitive attack prevention."
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: firstname.lastname@example.org.