FW/IPSec VPN Buyer’s Guide
Executive Summary
Firewall/IPSec VPNs serve as the foundation upon which a strong security stance can be built, so the purchase decision should be framed in terms that support a long-term investment that can be leveraged as the organization’s needs change and grow. The chosen firewall/VPN solution should not only provide robust security functionality, but also the networking and availability features that will support the company’s ongoing connectivity and expansion requirements. In addition, the security solution needs to be easily integrated into the network and simple to manage, so that it does not put a strain on already tight IT, security and networking budgets. There are so many firewall and VPN vendors in the market that it can become overwhelming for a company to try and sort through them all and determine what the best solution is for their environment. This section is designed to help decision-makers and evaluators think, in broad terms, about the criteria that will be most helpful as they make their solution choice.
1.Provide strong security.
The solution needs to provide robust security functionality to maximize the protection it provides to the network. Some of the functionality that should be included is strong access control, user authentication, attack protection - both at the network and application-layer - IPSec and encryption choices for data integrity, and network segmentation for attack containment. Ideally, the functionality should be integrated to maximize the security derived from the solution. Integrating the VPN functionality into the firewall, for instance, requires fewer open ports and enables firewall policies to be easily applied to VPN traffic. It is especially important, however, to scrutinize the feature set of products that integrate multiple functions to ensure they are not too simplistic in their approach and are not lacking all of the robust, proven features that are required for strong security. While initially appealing because they seem to be easy to manage, an integrated solution that does not marry best-of-breed functionality can actually end up creating more work due to the security holes they allow. For example, how effective is it to have intrusion prevention integration that can only stop network-layer attacks? In response, it is more important that the solution provides the granularity and flexibility needed to identify differences in traffic and appropriately process that traffic than to satisfy a checklist. In addition, it is important to identify potential vulnerabilities that could be introduced by the device itself, such as those associated with general-purpose platforms and operating systems. It is also important that the solution accommodate the different requirements of different network segments, from the smallest remote office to the largest central site, to ensure security can be uniformly deployed and eliminate any weak links. The solution should be designed for and deliver security to justify its deployment.
2.Offer predictable performance.
The solution needs to be an enabler to network connectivity rather than a barrier. If the solution cannot keep up with the performance requirements of the network segment that it is designed to protect, its value will be significantly diminished. Not surprisingly, it must be able to efficiently process traffic and deliver predictable performance under load. The performance should be sustainable for both large and small packets. It should also minimize latency and accommodate the necessary concurrent sessions and VPN tunnels that are required for that particular network segment. In order to provide adequate Denial of Service (DoS) protection the solution needs to support a high ramp rate to handle attempts at performance overload. The solution must be able to handle the performance requirements of the network and function without degradation.
Copyright © 2004, Juniper Networks, Inc. | 4 |
