Juniper Networks 710008-001 User Manual

Buyer’s Guide For Integrated Firewall and Virtual Private Network Solutions
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER www.juniper.net
Part Number: 710008-001 June 2004
Table of Contents
Introduction ... 3
Executive Summary ... 4
Quick Checklist ... 6
Detailed Buyer’s Checklist ... 8
  1. Strong Security ... 8
  2. Predictable Performance ... 12
  3. Fault Tolerant – High Availability, Resiliency ... 13
  4. Ease of Use ... 15
  5. Simple Deployment and Installation ... 17
    Features for Remote Users and Offices ... 18
    Features for Wireless ... 18
Copyright © 2004, Juniper Networks, Inc.
FW/IPSec VPN Buyer’s Guide
Introduction
Technology is radically changing the way companies conduct business, opening up new possibilities that enable efficiencies and growth on a global scale. But for everything that technology facilitates, it also opens up new risks, forcing companies to think about how to protect the assets they are working so hard to build. Security and IT administrators are faced daily with the challenge of successfully implementing technology that supports the company’s success, while maintaining the security of the organization’s critical resources.
The first step that organizations generally take is to control who and what gets in and out of the network by deploying a firewall. Firewalls perform access control, user authentication, traffic management and policy enforcement to ensure that only appropriate users and services are able to traverse the network and that business applications are given priority. Firewalls, however, are no longer relegated to just perimeter deployments. Rather, organizations are increasingly taking advantage of firewall capabilities throughout the network to segment it and apply security policies between different segments. These segments, or zones, could represent geographically distributed networks, such as regional offices; different types of traffic, such as wireless or VPN connections; different departments; or even different servers. This segmentation enables the organization to create additional levels of trust to protect sensitive resources and perform attack containment.
Firewalls also provide some protection against attacks, traditionally focusing on preventing network-level exploits, such as Denial of Service attacks. But, as many organizations have come to realize, attackers are increasingly attacking vulnerabilities found not at the network level but at the application layer, and are actually leveraging traffic “allowed” by the firewall to get into the network. As a result, some firewalls have started to look deeper into the traffic they are allowing in and out of the network to try to identify and prevent attacks found at the application layer.
Firewalls are also often coupled with virtual private network (VPN) functionality, which is designed to enable organizations to provision site-to-site connectivity that takes advantage of the cost-benefits of the public Internet infrastructure in a secure manner. The most commonly deployed site-to-site VPN technology is an IPSec VPN, so this guide will focus on these solutions. IPSec VPNs encrypt traffic to maintain its confidentiality and protect against tampering with or altering of the data. As a result, they enable organizations to securely extend their network perimeter across the public Internet to facilitate secure communications between geographically distributed locations.
As with any solution, an administrator needs to be aware of the potential impact that a device can have on their network’s performance and availability, as well as the time and management implications that each solution introduces. While VPN functionality can also be deployed as a standalone solution, it is always a good idea to apply access controls to the VPN traffic. As a result, the tight integration of firewall and VPN functionality can reduce network complexity, simplify deployment and management and reduce the overall total cost of ownership of an organization’s connectivity and security.
Administrators need these solutions to enable business productivity, as well as network security, so this guide is designed to help organizations find the balance they need between functionality and security, without compromising one for the other. This guide provides a framework for evaluating firewall and VPN security solutions. It is organized into three sections. The first is an executive level summary that splits the evaluation criteria into five different categories and explains the impact of each category on the overall solution’s ability to deliver value. The next section takes those five categories and provides a quick checklist for each that will help the evaluator start to ask the questions that will differentiate the capabilities of products. Finally, the last section provides a detailed list of features that make up each category to enable evaluators to really make product comparisons to ensure they can select the one that best meets the needs and requirements of their organization.
Executive Summary
Firewall/IPSec VPNs serve as the foundation upon which a strong security stance can be built, so the purchase decision should be framed in terms that support a long-term investment that can be leveraged as the organization’s needs change and grow. The chosen firewall/VPN solution should not only provide robust security functionality, but also the networking and availability features that will support the company’s ongoing connectivity and expansion requirements. In addition, the security solution needs to be easily integrated into the network and simple to manage, so that it does not put a strain on already tight IT, security and networking budgets. There are so many firewall and VPN vendors in the market that it can become overwhelming for a company to try and sort through them all and determine what the best solution is for their environment. This section is designed to help decision-makers and evaluators think, in broad terms, about the criteria that will be most helpful as they make their solution choice.
1. Provide strong security.
The solution needs to provide robust security functionality to maximize the protection it provides to the network. Some of the functionality that should be included is strong access control, user authentication, attack protection - both at the network and application layer - IPSec and encryption choices for data integrity, and network segmentation for attack containment. Ideally, the functionality should be integrated to maximize the security derived from the solution. Integrating the VPN functionality into the firewall, for instance, requires fewer open ports and enables firewall policies to be easily applied to VPN traffic. It is especially important, however, to scrutinize the feature set of products that integrate multiple functions to ensure they are not too simplistic in their approach and are not lacking any of the robust, proven features that are required for strong security. While initially appealing because it seems easy to manage, an integrated solution that does not marry best-of-breed functionality can actually end up creating more work because of the security holes it allows. For example, how effective is it to have intrusion prevention integration that can only stop network-layer attacks? As a result, it is more important that the solution provides the granularity and flexibility needed to identify differences in traffic and process that traffic appropriately than that it satisfies a checklist. In addition, it is important to identify potential vulnerabilities that could be introduced by the device itself, such as those associated with general-purpose platforms and operating systems. It is also important that the solution accommodate the different requirements of different network segments, from the smallest remote office to the largest central site, to ensure security can be uniformly deployed and any weak links eliminated. The solution should be designed for and deliver security to justify its deployment.
2. Offer predictable performance.
The solution needs to be an enabler to network connectivity rather than a barrier. If the solution cannot keep up with the performance requirements of the network segment that it is designed to protect, its value will be significantly diminished. Not surprisingly, it must be able to efficiently process traffic and deliver predictable performance under load. The performance should be sustainable for both large and small packets. It should also minimize latency and accommodate the necessary concurrent sessions and VPN tunnels that are required for that particular network segment. In order to provide adequate Denial of Service (DoS) protection the solution needs to support a high ramp rate to handle attempts at performance overload. The solution must be able to handle the performance requirements of the network and function without degradation.
3. Deliver a high level of fault tolerance to ensure the solution is always available.
Being able to survive a failure and maintain both connectivity and the security stance of the organization is the sign of a good solution. The solution needs to provide redundancy at all levels to give an organization the flexibility to choose the level of availability it wants for each of its network segments, based on its cost and connectivity requirements. The device itself needs to offer solid-state performance and component redundancy. It then needs to support a high availability configuration that is able to maintain session and VPN state information and survive a failure both upstream and downstream of the device, offering an active/active, full mesh architecture. It needs to include network redundancy, leveraging the resiliency of dynamic routing and supporting path redundancy to multiple ISPs or a dial-backup line. At the VPN level, it needs to support multiple tunnels and minimize failover time to ensure optimal connectivity. Only a solution that is able to provide all of the redundancy pieces is truly fault tolerant.
4. Offer ease of use and management.
The real costs of a solution are tied not to the initial capital outlay, but to the ongoing management and operational costs associated with keeping the solution up and running. If a solution requires a lot of time and resources to maintain, it is going to take away from other activities and increase the management burden on the organization. The solution needs to be easy to interact with to ensure changes can be made quickly to keep the security policy in force. An administrator should be able to manage the device, network and security aspects of the solution from a single interface, as opposed to having to go to one interface to make routing changes and another interface to set security policies. It should automate as much as possible to minimize human intervention, using tools such as templates and auto-configurations to maximize consistent security deployments throughout the network. It should also, however, provide granular controls to ensure that specific sites have a configuration that is most appropriate to their environment. It should enable different people in the organization to do their jobs efficiently, without introducing any risk to the security at large. For example, a NOC administrator should be able to get access to device status but shouldn’t be able to make security policy changes; a CIO should be able to see reports but not make routing changes; and so on. It should also be easy to troubleshoot, to enable organizations to resolve problems quickly. Organizations don’t want to waste a lot of time on management; rather, they want an easy-to-use solution that enables them to spend time on activities core to their business success.
5. Enable quick and simple deployment and installation.
IT, network and security managers are expected to do more with less, so it is important to be able to get solutions up and running quickly. The solution needs to integrate seamlessly into the network environment, without introducing interoperability issues. It should be intuitive, so that it doesn’t require a lot of training or security expertise to use. Updates need to be easy to accomplish, without having to worry about overriding custom configurations or introducing new vulnerabilities. For instance, an organization doesn’t want to have to worry about how a newly applied patch to the operating system will affect the underlying platform or the applications that it is running. The solution should be designed with everything working together, to minimize complexity and simplify deployment and installation.
Quick Checklist
This section builds upon the framework for evaluating firewall and VPN products that was described in the previous section, providing a quick checklist of some of the top questions to pose in each category of criteria. For more in-depth questions that enable a side-by-side comparison of different solutions, go to the Detailed Buyer’s Checklist that follows this section.
1. Provide Strong Security
Does the solution integrate best-of-breed technologies?
o How long have the technologies been in the market?
o Are there any third party verifications of viability available?
o Are the technologies based on open source solutions?
Does the solution provide strong access control – stateful inspection?
What kind of user authentication does the solution support?
What network-level attacks does the solution protect against?
o DoS attacks
o DDoS attacks
Does it have the ability to make determinations on whether to allow or deny traffic based on application-layer information?
o What kind of application-level attacks can it detect?
o What kind of application-level attacks can it prevent?
What kind of encryption does the VPN support?
Can the solution apply policies to internal traffic to establish additional layers of trust and contain attacks?
What type of security certifications does the product have?
What kind of platform is the solution built on?
o Is it a general-purpose platform that could introduce security risks?
Can the solution scale to meet the different security needs of small to large sites?
2. Offer Predictable Performance
What are the performance (large and small packet size) capabilities of the solution to ensure that performance remains predictable?
What has the solution done to optimize its traffic processing?
How does the solution minimize latency to ensure real-time applications are not degraded (e.g. VoIP)?
How does the solution handle very fast session ramp rates to protect against DoS attacks?
How does the architecture of the solution enable performance under load?
How does the solution handle multiple concurrent sessions to ensure user connectivity is not lost or slowed?
How does the solution accommodate additional functionality, without degrading performance?
How does the solution accelerate the VPN negotiation to set up the VPN tunnels to make the time imperceptible to the user?
How can the solution quickly create and then maintain VPN tunnels to ensure they are always available for the user?