Juniper Networks 710008-001 User Manual

Copyright © 2004, Juniper Networks, Inc.

Executive Summary

Firewall/IPSec VPNs serve as the foundation upon which a strong security stance can be built, so the purchase decision should be framed in terms that support a long-term investment, one that can be leveraged as the organization's needs change and grow. The chosen firewall/VPN solution should provide not only robust security functionality but also the networking and availability features that will support the company's ongoing connectivity and expansion requirements. In addition, the security solution needs to be easily integrated into the network and simple to manage, so that it does not put a strain on already tight IT, security and networking budgets. There are so many firewall and VPN vendors in the market that it can become overwhelming for a company to try to sort through them all and determine which solution is best for its environment. This section is designed to help decision-makers and evaluators think, in broad terms, about the criteria that will be most helpful as they make their solution choice.
 
1. Provide strong security.

The solution needs to provide robust security functionality to maximize the protection it provides to the network. The functionality that should be included comprises strong access control, user authentication, attack protection at both the network and application layers, IPSec and encryption choices for data integrity, and network segmentation for attack containment. Ideally, this functionality should be integrated to maximize the security derived from the solution. Integrating the VPN functionality into the firewall, for instance, requires fewer open ports and enables firewall policies to be easily applied to VPN traffic. It is especially important, however, to scrutinize the feature set of products that integrate multiple functions, to ensure they are not too simplistic in their approach and are not lacking the robust, proven features that are required for strong security. While initially appealing because it seems easy to manage, an integrated solution that does not marry best-of-breed functionality can actually end up creating more work because of the security holes it allows. For example, how effective is it to have intrusion prevention integration that can only stop network-layer attacks? Accordingly, it is more important that the solution provide the granularity and flexibility needed to identify differences in traffic and process that traffic appropriately than that it satisfy a checklist. In addition, it is important to identify potential vulnerabilities that could be introduced by the device itself, such as those associated with general-purpose platforms and operating systems. It is also important that the solution accommodate the different requirements of different network segments, from the smallest remote office to the largest central site, so that security can be uniformly deployed and any weak links eliminated. The solution should be designed for security and deliver it well enough to justify its deployment.

2. Offer predictable performance.

The solution needs to be an enabler of network connectivity rather than a barrier. If the solution cannot keep up with the performance requirements of the network segment it is designed to protect, its value will be significantly diminished. Not surprisingly, it must be able to process traffic efficiently and deliver predictable performance under load. That performance should be sustainable for both large and small packets. The solution should also minimize latency and accommodate the concurrent sessions and VPN tunnels that are required for that particular network segment. In order to provide adequate Denial of Service (DoS) protection, the solution needs to support a high ramp rate so that it can handle attempts at performance overload. The solution must be able to meet the performance requirements of the network and function without degradation.