Buyer’s Guide For Integrated Firewall and Virtual Private Network Solutions
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408 745 2000 or 888 JUNIPER
www.juniper.
Table of Contents
Introduction
Executive Summary
Quick Checklist
Detailed Buyer’s Checklist
FW/IPSec VPN Buyer’s Guide

Introduction

Technology is radically changing the way companies conduct business, opening up new possibilities that enable efficiencies and growth on a global scale. But for everything that technology facilitates, it also opens up new risks, forcing companies to think about how to protect the assets they are working so hard to build.
Executive Summary

Firewall/IPSec VPNs serve as the foundation upon which a strong security stance can be built, so the purchase decision should be framed in terms that support a long-term investment that can be leveraged as the organization’s needs change and grow. The chosen firewall/VPN solution should not only provide robust security functionality, but also the networking and availability features that will support the company’s ongoing connectivity and expansion requirements.
3. Deliver a high level of fault tolerance to ensure the solution is always available. Being able to survive a failure and maintain both connectivity and the security stance of the organization is the sign of a good solution. The solution needs to provide redundancy at all levels to give an organization the flexibility to choose the level of availability they want for each of their network segments, based on their cost and connectivity requirements.
Quick Checklist

This section builds upon the framework for evaluating firewall and VPN products that was described in the previous section, providing a quick checklist of some of the top questions to pose in each criteria category. For more in-depth questions that enable a side-by-side comparison of different solutions, go to the Detailed Buyer’s Checklist that follows this section.

1. Provide Strong Security
2.
3. Deliver a high level of fault tolerance to ensure the solution is always available
4. Offer ease of use and management.
5.
Detailed Buyer’s Checklist

This section provides a feature/functionality checklist for each of the criteria categories to help evaluators determine the true capabilities of vendor solutions they are considering.

Evaluation Date:
Evaluated By:

Feature | Juniper Networks Firewall / IPSec VPN / Deep Inspection Solutions* | Alternate Solution: | Notes

1.
capabilities
• Ability to apply policies to restrict traffic between internal network segments | Yes, Security Zones
Ability to split network into completely separate domains and create security policies for each one | Yes, Virtual Systems
• Completely separate policies | Yes
• Completely separate administrative controls | Yes
Certifications:
• Common Criteria | Yes
• ICSA certification | Yes

VPN Specific
Uses IPSec for secure communications
Supports IKE for flexible encryption negotiatio
Open source code
The number of years the solutions have been available on the market
The applications that have been recognized as best-of-breed
All functionality managed with the same console
Built-in features that protect against tampering:
• Packaging sealed with custom tape
• Uses tamper seals to indicate authenticity
• Hardware can restrict remote access via access lists
• Access list creation based on IP and MAC addresses
• Hardware protects against password overrides
• Hard
Can scale from a small remote user to a large central site to eliminate weak links
• Juniper Networks NetScreen-5XT, 5GT series for remote/home offices
• Juniper Networks NetScreen-25 & -50 for branch office or small central site
• Juniper Networks NetScreen-200 series for medium central site, regional offices
• Juniper Networks NetScreen-500 and Juniper Networks NetScreen-ISG 2000 for large central sites
• Juniper Networks NetScreen-5000 series for large central sites, data cent
2. Predictable Performance
Ability to process traffic of varying packet sizes to meet the performance requirements of the network
Accelerates intensive processing with hardware
Ability to support applications with a low tolerance for latency/jitter, such as VoIP, multimedia, etc.
3.
Supports different VPN deployment modes:
Rule-based/Policy-based | Yes
Route-based | Yes
Dynamic Route-based (Best Path) | Yes
Supports multiple VPN gateways to enable VPN to persist in the event of a failure | Yes
Supports multiple tunnels, running the same services, between VPN gateways | Yes
Supports fail-over between tunnels based on alternate static routes defined in the route table
Supports fail-over between redundant tunnels using dynamic routing
Supports fail-over between redundant
4.
in logs
Identification of failures in logs
o Web-based troubleshooting
Offers roll-back option to last-known “good” configuration, if changes do not “work”
Ability to integrate with other management and enterprise platforms/systems:
o SNMP traps
o MIP
o MIB
o CLI via SSH for configuration
o Syslog
o NTP
On-line help
Yes o Yes Yes Yes Yes Yes Yes Yes Yes Yes
Broad array of support options
Support is delivered by a single vendor with a single support contract

VPN Specific
New n
5.
Features for Remote Users and Offices
Remote User solution including VPN, firewall, virus and application-level protection
Provides strong remote site security:
o Integrated functionality to apply access control to remote traffic
o Ability to protect against viruses and application-level attacks
o Split tunneling support
o Separation of corporate and personal traffic to ensure personal/Internet traffic cannot enter the corporate network through the VPN
Supports a dial-back-up opti