FW/IPSec VPN Buyer’s Guide

3. Deliver a high level of fault tolerance to ensure the solution is always available.

Being able to survive a failure and maintain both connectivity and the security stance of the organization is the sign of a good solution. The solution needs to provide redundancy at all levels to give an organization the flexibility to choose the level of availability it wants for each of its network segments, based on cost and connectivity requirements. The device itself needs to offer solid-state performance and component redundancy. It then needs to support a high availability configuration that maintains session and VPN state information and survives a failure both upstream and downstream of the device, offering an active/active, full mesh architecture. It needs to include network redundancy, leveraging the resiliency of dynamic routing and supporting path redundancy to multiple ISPs or a dial backup line. At the VPN level, it needs to support multiple tunnels and minimize failover time to ensure optimal connectivity. Only a solution that provides all of these redundancy pieces is truly fault tolerant.

4. Offer ease of use and management.

The real costs of a solution are tied not to the initial capital outlay, but to the ongoing management and operational costs associated with keeping the solution up and running. If a solution requires a lot of time and resources to maintain, it is going to take away from other activities and increase the management burden on the organization. The solution needs to be easy to interact with so that changes can be made quickly to keep the security policy in force. An administrator should be able to manage the device, network and security aspects of the solution from a single interface, as opposed to having to go to one interface to make routing changes and another interface to set security policies. It should automate as much as possible to minimize human intervention, using tools such as templates and auto-configurations to maximize consistent security deployments throughout the network. It should also, however, provide granular controls to ensure that specific sites have the configuration most appropriate to their environment. It should enable different people in the organization to do their jobs efficiently, without introducing any risk to the security at large. For example, a NOC administrator should be able to get access to device status, but shouldn’t be able to make security policy changes; a CIO should be able to see reports, but not make routing changes, etc. It should also be easy to troubleshoot, so that organizations can resolve problems quickly. Organizations don’t want to waste a lot of time on managing; rather, they want an easy-to-use solution that enables them to spend time on activities core to their business success.

5. Enable quick and simple deployment and installation.

IT, network and security managers are expected to do more with less, so it is important to be able to get solutions up and running quickly. The solution needs to integrate seamlessly into the network environment, without introducing interoperability issues. It should be intuitive, so that it doesn’t require a lot of training or security expertise to use. Updates need to be easy to accomplish, without having to worry about overriding custom configurations or introducing new vulnerabilities. For instance, an organization doesn’t want to have to worry about how a newly applied patch to the operating system will affect the underlying platform or the applications that it is running. The solution should be designed with everything working together, to minimize complexity and simplify deployment and installation.

Copyright © 2004, Juniper Networks, Inc.

Juniper Networks 710008-001 manual Offer ease of use and management