Juniper Networks 710008-001 User Manual

FW/IPSec VPN Buyer’s Guide
Copyright © 2004, Juniper Networks, Inc. 
Introduction 
 
Technology is radically changing the way companies conduct business, opening up new possibilities that enable 
efficiencies and growth on a global scale. But for everything that technology facilitates, it also opens up new risks, 
forcing companies to think about how to protect the assets they are working so hard to build. Security and IT 
administrators are faced daily with the challenge of successfully implementing technology that supports the 
company’s success, while maintaining the security of the organization’s critical resources.   
 
The first step that organizations generally take is to control who and what gets in and out of the network by 
deploying a firewall. Firewalls perform access control, user authentication, traffic management and policy 
enforcement to ensure only appropriate users and services are able to traverse the network and that business 
applications are given priority. Firewalls, however, are no longer relegated to just perimeter deployments. Rather, 
organizations are increasingly taking advantage of firewall capabilities throughout the network to segment it and 
apply security policies between the resulting segments. These segments, or zones, could represent geographically 
distributed networks, such as regional offices; different types of traffic, such as wireless or VPN connections; 
different departments; or even individual servers. Because traffic crossing a zone boundary is subject to policy, this 
segmentation enables the organization to create additional levels of trust to protect sensitive resources and to 
contain an attack within the zone where it started.   
 
Firewalls also provide some protection against attacks, traditionally focusing on preventing network-level exploits, 
such as Denial of Service attacks. But, as many organizations have come to realize, attackers are increasingly 
attacking vulnerabilities found not at the network-level, but at the application-layer, and are actually leveraging traffic 
“allowed” by the firewall to get into the network.  As a result, some firewalls have started to look deeper into the 
traffic they are allowing in and out of the network to try to identify and prevent attacks found at the application-layer.  
 
Firewalls are also often coupled with virtual private network (VPN) functionality, which is designed to enable 
organizations to provision site-to-site connectivity that takes advantage of the cost-benefits of the public Internet 
infrastructure in a secure manner. The most commonly deployed site-to-site VPN technology is an IPSec VPN, so 
this guide will focus on these solutions. IPSec VPNs encrypt traffic to maintain its confidentiality and authenticate 
it so that any tampering with or alteration of the data in transit is detected and the altered packet is dropped rather 
than delivered; encryption alone provides the first property but not the second. As a result, they enable 
organizations to securely extend their network perimeter across the public Internet to facilitate secure 
communications between geographically distributed locations.  
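The distinction between confidentiality and tamper detection is worth seeing concretely. The following is an added example, not text or code from the Juniper guide: it uses a toy keystream cipher (SHA-256 over a counter, XORed with the data) to stand in for the real ESP cipher, and HMAC-SHA256 over the ciphertext as the integrity check, mirroring the encrypt-then-authenticate arrangement of ESP. The keys, nonce and message are constructed for the demonstration and are not suitable for real use. A single flipped ciphertext bit changes the decrypted payment amount without any error when only encryption is applied; the same flip is rejected once an integrity tag is checked.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32    # HMAC-SHA256 output length
NONCE_LEN = 8   # per-packet nonce carried in the clear, like an ESP IV


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR the data with the keystream. No integrity check."""
    ks = _keystream(enc_key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


decrypt_only = encrypt_only  # XOR with the same keystream is its own inverse


def protect(enc_key: bytes, auth_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then compute an integrity tag over nonce || ciphertext (encrypt-then-MAC)."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(enc_key: bytes, auth_key: bytes, packet: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; return None if it fails."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or corrupted: drop, never decrypt
    return decrypt_only(enc_key, nonce, ct)


def flip_bits(data: bytes, index: int, mask: int) -> bytes:
    """Attacker action: XOR one byte of the ciphertext with a mask, in transit."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def demo() -> dict:
    # Constructed keys, nonce and message (hypothetical test values, NOT for real use).
    enc_key = bytes(range(32))
    auth_key = bytes(range(32, 64))
    nonce = b"\x00" * NONCE_LEN
    msg = b"TRANSFER 0000100 USD TO ACCT 4711"
    idx = msg.index(b"1")  # leading digit of the amount; '1' is 0x31, '9' is 0x39

    # Case 1: encryption only. Flipping bit 0x08 of that ciphertext byte turns
    # '1' into '9' in the decrypted text, and nothing detects the change.
    ct = encrypt_only(enc_key, nonce, msg)
    tampered_plain = decrypt_only(enc_key, nonce, flip_bits(ct, idx, 0x08))

    # Case 2: encrypt-then-authenticate. The same flip breaks the tag, and the
    # receiver drops the packet instead of delivering the altered amount.
    pkt = protect(enc_key, auth_key, nonce, msg)
    tampered_pkt = flip_bits(pkt, NONCE_LEN + idx, 0x08)

    return {
        "encrypt_only_tampered_plaintext": tampered_plain,
        "authenticated_original": unprotect(enc_key, auth_key, pkt),
        "authenticated_tampered": unprotect(enc_key, auth_key, tampered_pkt),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The same lesson applies to product evaluation: a VPN that offers encryption without an authenticated integrity check (or lets an administrator disable it) delivers confidentiality but not protection against alteration, so both properties should be confirmed separately.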
 
As with any solution, an administrator needs to be aware of the potential impact that a device can have on the 
network’s performance and availability, as well as the time and management implications that each solution 
introduces. While VPN functionality can also be deployed as a standalone solution, it is always a good idea to apply 
access controls to the VPN traffic: a packet that arrives through a tunnel is authenticated as coming from the remote 
site, but that says nothing about whether the remote site should be allowed to reach a given host or service, so the 
decrypted traffic should be subject to the same policy as any other. For this reason, the tight integration of firewall 
and VPN functionality can reduce network complexity, simplify deployment and management and reduce the overall 
total cost of ownership of an organization’s connectivity and security.   
 
Administrators need these solutions to enable business productivity, as well as network security, so this guide is 
designed to help organizations find the balance they need between functionality and security, without compromising 
one for the other. This guide provides a framework for evaluating firewall and VPN security solutions. It is organized 
into three sections. The first is an executive level summary that splits the evaluation criteria into five different 
categories and explains the impact of each category on the overall solution’s ability to deliver value.  The next 
section takes those five categories and provides a quick checklist for each that will help the evaluator start to ask 
the questions that will differentiate the capabilities of products. Finally, the last section provides a detailed list of 
features that make up each category to enable evaluators to really make product comparisons to ensure they can 
select the one that best meets the needs and requirements of their organization.