Juniper Partners Sound Off On Security Vulnerability, Stock Slide

Juniper partners are cautiously optimistic their sales won't be affected after Juniper Networks' revelation last week that it had found a major vulnerability in its firewall operating system through which hackers can decrypt virtual private network (VPN) connections.

"I haven't had any customers ask about it yet, but that may change," said Chris Becerra, president and CEO of Terrapin Systems, a San Jose, Calif.-based solution provider and Juniper Elite partner, in an interview with CRN on Monday. "I'm going to talk to my sales team today about network security issues that we should be talking to our customers about for 2016."

Juniper's stock price took a dive Monday morning, dropping nearly 5 percent, to $27.05. The company's market capitalization dropped from $11.34 billion Dec. 16, the day before the vulnerability was announced, to $10.52 billion Monday. Juniper shares were at $27.29 as of 2:30 p.m. Eastern time Monday.

"Every company has its bumps," said George Miller, vice president of sales at Integration Partners, a Lexington, Mass.-based solution provider and Elite Juniper partner. "This is a bump that relates to a lot of their old technology that's been out for a long time. … I don't think it really affects our business."

On Dec. 17, Juniper stole national headlines when it revealed it had found "unauthorized code" affecting devices running ScreenOS -- the operating system for its NetScreen firewall devices. The Sunnyvale, Calif.-based company said a hacker could use it to gain administrative access to NetScreen devices and decrypt VPN connections.

On Dec. 20, Juniper published a blog post saying it had learned that the number of versions of ScreenOS affected by the issues is "more limited than originally believed." The administrative access vulnerability affects only ScreenOS 6.3.0r17 through 6.3.0r20, the blog said. VPN decryption affects only ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, according to the blog. Juniper is still strongly recommending that all customers update their systems and apply the emergency security patch it created for customers "with the highest priority."

Juniper declined to give any further information regarding the security vulnerability or a reported potential FBI investigation when contacted by CRN.

Partners say the security vulnerabilities stem from Juniper products that aren't used anymore by the vast majority of the vendor's customers.

"They've been replacing all these NetScreen devices for the past five or six years," said Miller. "This is older technology that was designed and built eight to 10 years ago that the majority of Juniper customers have moved off of."

The networking vendor said the vulnerabilities don't affect its SRX security line or devices running on its Junos platform.

According to CNN, the FBI is probing a breach at Juniper on the suspicion that a foreign government might be responsible for installing a back door on its equipment that would allow spying. CNN cited unnamed U.S. officials who said they were concerned because hackers could use the flaw to access government agencies that used Juniper solutions, such as the FBI, Defense Department and Justice Department.

One top executive from a solution provider with strong public sector sales that is a longtime Juniper partner argued that most of the local, state and federal governments are "behind the times" in regard to their network security infrastructure.

"It takes them so long to [review] something and to get it through their procurement systems, and once they finally do, they stick with it for too long," said the solution provider, whose company is ranked on the CRN 2015 Solution Provider 500 list. "We do a bunch of business with state and local governments, and the majority of them are all on older technology. Whether it's Juniper or Cisco, they're not up to today's standard from a security perspective."

Becerra agreed, adding that both enterprises and SMBs need to take a "strong look at their network infrastructure."

"There's a lot of enterprises out there that have some antiquated technology that has been in for six or seven years that's not up to date, and these hackers are so sophisticated that they can get into these systems so easily," said Becerra. "Companies really have to do a better job and take a better strategic look at how they want to leverage security technology, because if they haven't been hacked already, they're going to be hacked very soon in a big way."

PUBLISHED DEC. 21, 2015