FW/IPSec VPN Buyer’s Guide

Introduction

Technology is radically changing the way companies conduct business, opening up new possibilities that enable efficiencies and growth on a global scale. But for everything that technology facilitates, it also opens up new risks, forcing companies to think about how to protect the assets they are working so hard to build. Security and IT administrators are faced daily with the challenge of successfully implementing technology that supports the company’s success, while maintaining the security of the organization’s critical resources.

The first step that organizations generally take is to control who and what gets in and out of the network by deploying a firewall. Firewalls perform access control, user authentication, traffic management and policy enforcement to ensure only appropriate users and services are able to traverse the network and that business applications are given priority. Firewalls, however, are no longer relegated to just perimeter deployments. Rather organizations are increasingly taking advantage of firewall capabilities throughout the network to segment it and apply security policies between different segments. These segments, or zones, could represent geographically distributed networks, such as regional offices, different types of traffic, such as wireless or VPN connections, different departments or even different servers. This segmentation enables the organization to create additional levels of trust to protect sensitive resources and perform attack containment.

Firewalls also provide some protection against attacks, traditionally focusing on preventing network-level exploits, such as Denial of Service attacks. But, as many organizations have come to realize, attackers are increasingly attacking vulnerabilities found not at the network-level, but at the application-layer, and are actually leveraging traffic “allowed” by the firewall to get into the network. As a result, some firewalls have started to look deeper into the traffic they are allowing in and out of the network to try to identify and prevent attacks found at the application-layer.

Firewalls are also often coupled with virtual private network (VPN) functionality, which is designed to enable organizations to provision site-to-site connectivity that takes advantage of the cost-benefits of the public Internet infrastructure in a secure manner. The most commonly deployed site-to-site VPN technology is an IPSec VPN, so this guide will focus on these solutions. IPSec VPNs encrypt traffic to maintain its confidentiality and protect against tampering with or altering of the data. As a result, they enable organizations to securely extend their network perimeter across the public Internet to facilitate secure communications between geographically distributed locations.

As with any solution, an administrator needs to be aware of the potential impact that a device can have on their network’s performance and availability, as well as the time and management implications that each solution introduces. While VPN functionality can also be deployed as a standalone solution, it is always a good idea to apply access controls to the VPN traffic. As a result, the tight integration of firewall and VPN functionality can reduce network complexity, simplify deployment and management and reduce the overall total cost of ownership of an organization’s connectivity and security.

Administrators need these solutions to enable business productivity, as well as network security, so this guide is designed to help organizations find the balance they need between functionality and security, without compromising one for the other. This guide provides a framework for evaluating firewall and VPN security solutions. It is organized into three sections. The first is an executive level summary that splits the evaluation criteria into five different categories and explains the impact of each category on the overall solution’s ability to deliver value. The next section takes those five categories and provides a quick checklist for each that will help the evaluator start to ask the questions that will differentiate the capabilities of products. Finally, the last section provides a detailed list of features that make up each category to enable evaluators to really make product comparisons to ensure they can select the one that best meets the needs and requirements of their organization.

Copyright © 2004, Juniper Networks, Inc.

3

Page 3
Image 3
Juniper Networks 710008-001 manual Introduction