Buyer’s Guide
For Integrated Firewall and
Virtual Private Network Solutions
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408 745 2000 or 888 JUNIPER
Part Number: 710008-001 June 2004
FW/IPSec VPN Buyer’s Guide
Introduction
Technology is radically changing the way companies conduct business, opening up new possibilities that enable
efficiencies and growth on a global scale. But for everything that technology facilitates, it also opens up new risks,
forcing companies to think about how to protect the assets they are working so hard to build. Security and IT
administrators are faced daily with the challenge of successfully implementing technology that supports the
company’s success, while maintaining the security of the organization’s critical resources.
The first step that organizations generally take is to control who and what gets in and out of the network by
deploying a firewall. Firewalls perform access control, user authentication, traffic management and policy
enforcement to ensure only appropriate users and services are able to traverse the network and that business
applications are given priority. Firewalls, however, are no longer relegated to just perimeter deployments. Rather
organizations are increasingly taking advantage of firewall capabilities throughout the network to segment it and
apply security policies between different segments. These segments, or zones, could represent geographically
distributed networks, such as regional offices, different types of traffic, such as wireless or VPN connections,
different departments or even different servers. This segmentation enables the organization to create additional
levels of trust to protect sensitive resources and perform attack containment.
Firewalls also provide some protection against attacks, traditionally focusing on preventing network-level exploits,
such as Denial of Service attacks. But, as many organizations have come to realize, attackers are increasingly
attacking vulnerabilities found not at the network-level, but at the application-layer, and are actually leveraging traffic
“allowed” by the firewall to get into the network. As a result, some firewalls have started to look deeper into the
traffic they are allowing in and out of the network to try to identify and prevent attacks found at the application-layer.
Firewalls are also often coupled with virtual private network (VPN) functionality, which is designed to enable
organizations to provision site-to-site connectivity that takes advantage of the cost-benefits of the public Internet
infrastructure in a secure manner. The most commonly deployed site-to-site VPN technology is an IPSec VPN, so
this guide will focus on these solutions. IPSec VPNs encrypt traffic to maintain its confidentiality and protect against
tampering with or altering of the data. As a result, they enable organizations to securely extend their network
perimeter across the public Internet to facilitate secure communications between geographically distributed
locations.
As with any solution, an administrator needs to be aware of the potential impact that a device can have on their
network’s performance and availability, as well as the time and management implications that each solution
introduces. While VPN functionality can also be deployed as a standalone solution, it is always a good idea to apply
access controls to the VPN traffic. As a result, the tight integration of firewall and VPN functionality can reduce
network complexity, simplify deployment and management and reduce the overall total cost of ownership of an
organization’s connectivity and security.
Administrators need these solutions to enable business productivity, as well as network security, so this guide is
designed to help organizations find the balance they need between functionality and security, without compromising
one for the other. This guide provides a framework for evaluating firewall and VPN security solutions. It is organized
into three sections. The first is an executive level summary that splits the evaluation criteria into five different
categories and explains the impact of each category on the overall solution’s ability to deliver value. The next
section takes those five categories and provides a quick checklist for each that will help the evaluator start to ask
the questions that will differentiate the capabilities of products. Finally, the last section provides a detailed list of
features that make up each category to enable evaluators to really make product comparisons to ensure they can
select the one that best meets the needs and requirements of their organization.
Copyright © 2004, Juniper Networks, Inc.
3
FW/IPSec VPN Buyer’s Guide
Executive Summary
Firewall/IPSec VPNs serve as the foundation upon which a strong security stance can be built, so the purchase
decision should be framed in terms that support a long-term investment that can be leveraged as the organization’s
needs change and grow. The chosen firewall/VPN solution should not only provide robust security functionality, but
also the networking and availability features that will support the company’s ongoing connectivity and expansion
requirements. In addition, the security solution needs to be easily integrated into the network and simple to manage,
so that it does not put a strain on already tight IT, security and networking budgets. There are so many firewall and
VPN vendors in the market that it can become overwhelming for a company to try and sort through them all and
determine what the best solution is for their environment. This section is designed to help decision-makers and
evaluators think, in broad terms, about the criteria that will be most helpful as they make their solution choice.
1.
Provide strong security.
The solution needs to provide robust security functionality to maximize the protection it provides to the
network. Some of the functionality that should be included is strong access control, user authentication,
attack protection - both at the network and application-layer - IPSec and encryption choices for data
integrity, and network segmentation for attack containment. Ideally, the functionality should be integrated to
maximize the security derived from the solution. Integrating the VPN functionality into the firewall, for
instance, requires fewer open ports and enables firewall policies to be easily applied to VPN traffic. It is
especially important, however, to scrutinize the feature set of products that integrate multiple functions to
ensure they are not too simplistic in their approach and are not lacking all of the robust, proven features that
are required for strong security. While initially appealing because they seem to be easy to manage, an
integrated solution that does not marry best-of-breed functionality can actually end up creating more work
due to the security holes they allow. For example, how effective is it to have intrusion prevention integration
that can only stop network-layer attacks? In response, it is more important that the solution provides the
granularity and flexibility needed to identify differences in traffic and appropriately process that traffic than to
satisfy a checklist. In addition, it is important to identify potential vulnerabilities that could be introduced by
the device itself, such as those associated with general-purpose platforms and operating systems. It is also
important that the solution accommodate the different requirements of different network segments, from the
smallest remote office to the largest central site, to ensure security can be uniformly deployed and eliminate
any weak links. The solution should be designed for and deliver security to justify its deployment.
2.
Offer predictable performance.
The solution needs to be an enabler to network connectivity rather than a barrier. If the solution cannot
keep up with the performance requirements of the network segment that it is designed to protect, its value
will be significantly diminished. Not surprisingly, it must be able to efficiently process traffic and deliver
predictable performance under load. The performance should be sustainable for both large and small
packets. It should also minimize latency and accommodate the necessary concurrent sessions and VPN
tunnels that are required for that particular network segment. In order to provide adequate Denial of Service
(DoS) protection the solution needs to support a high ramp rate to handle attempts at performance
overload. The solution must be able to handle the performance requirements of the network and function
without degradation.
Copyright © 2004, Juniper Networks, Inc.
4
FW/IPSec VPN Buyer’s Guide
3.
Deliver a high level of fault tolerance to ensure the solution is always available.
Being able to survive a failure and maintain both connectivity and the security stance of the organization is
the sign of good solution. The solution needs to provide redundancy at all levels to give an organization the
flexibility to choose the level of availability they want for each of their network segments, based on their cost
and connectivity requirements. The device, itself, needs to offer solid-state performance and component
redundancy. It then needs to support a high availability configuration that is able to maintain session and
VPN state information and survive a failure both up and down stream of the device, offering an
active/active, full mesh architecture. It needs to include network redundancy, leveraging the resiliency of
dynamic routing and supporting path redundancy to multiple ISPs or a dial-back up line. At the VPN level, it
needs to support multiple tunnels and minimize failover time to ensure optimal connectivity. Only a solution
that is able to provide all of the redundancy pieces is truly fault tolerant.
4.
Offer ease of use and management.
The real costs of a solution are tied not to the initial capital outlay, but to the ongoing management and
operational costs associated with keeping the solution up and running. If a solution requires a lot of time
and resources to maintain, it is going to take away from other activities and increase the management
burden on the organization. The solution needs to be easy to interact with to ensure changes can be quickly
made to keep the security policy in force. An administrator should be able to manage the device, network
and security aspects of the solution, from a single interface, as opposed to having to go to one interface to
make routing changes and another interface to set security policies. It should automate as much as
possible to minimize human intervention, using tools such as templates and auto-configurations to
maximize consistent security deployments throughout the network. It should also, however, provide
granular controls to ensure that specific sites have a configuration that is most appropriate to their
environment. It should enable different people in the organization to efficiently do their jobs, without
introducing any risk to the security at large. For example, a NOC administrator should be able to get access
to device status, but shouldn’t be able to make security policy changes, a CIO should be able to see
reports, but not make routing changes, etc. It should also be easy to troubleshoot to enable organizations to
quickly resolve problems. Organizations don’t want to waste a lot of time on managing, rather they want an
easy to use solution that enables them to spend time on activities core to their business success.
5.
Enable quick and simple deployment and installation.
IT, network and security managers are expected to do more with less, so it is important to be able to get
solutions up and running quickly. It needs to seamlessly integrate into the network environment, without
introducing interoperability issues. It should be intuitive, so that it doesn’t require a lot of training or security
expertise to use. Updates need to be easy to accomplish, without having to worry about overriding custom
configurations or introducing new vulnerabilities. For instance, an organization doesn’t want to have to
worry about how a newly applied patch to the operating system will affect the underlying platform or the
applications that it is running. The solution should be designed with everything working together, to
minimize complexity and simplify deployment and installation.
Copyright © 2004, Juniper Networks, Inc.
5
FW/IPSec VPN Buyer’s Guide
Quick Checklist
This section builds upon the framework for evaluating firewall and VPN products that was described in the previous
section, providing a quick checklist of some of the top questions to pose in each criteria category. For more in-
depth questions that enable a side-by-side comparison of different solutions, go to the Detailed Buyer’s Checklist
that follows this section.
1.
Provide Strong Security
•
Does the solution integrate best-of-breed technologies?
o
o
o
How long have the technologies been in the market?
Are there any third party verifications of viability available?
Are the technologies based on open source solutions?
•
•
•
Does the solution provide strong access control – stateful inspection?
What kind of user authentication does the solution support?
What network-level attacks does the solution protect against?
o
o
DoS attacks
DDoS attacks
•
Does it have the ability to make determinations on whether to allow or deny traffic based on application-
layer information?
o
o
What kind of application-level attacks can it detect?
What kind of application-level attacks can it prevent?
•
•
What kind of encryption does the VPN support?
Can the solution apply policies to internal traffic to establish additional layers of trust and contain
attacks?
•
•
What type of security certifications does the product have?
What kind of platform is the solution built on?
o
Is it a general-purpose platform that could introduce security risks?
•
Can the solution scale to meet the different security needs of small to large sites?
2.
Offer Predictable Performance
•
What are the performance (large and small packet size) capabilities of the solution to ensure that
performance remains predictable?
•
•
•
•
•
What has the solution done to optimize its traffic processing?
How does the solution minimize latency to ensure real-time applications are not degraded (e.g. VoIP)?
How does the solution handle very fast session ramp rates to protect against DoS attacks?
How does the architecture of the solution enable performance under load?
How does the solution handle multiple concurrent sessions to ensure user connectivity is not lost or
slowed?
•
•
How does the solution accommodate additional functionality, without degrading performance?
How does the solution accelerate the VPN negotiation to set up the VPN tunnels to make the time
imperceptible to the user?
•
How can the solution quickly create and then maintain VPN tunnels to ensure they are always available
for the user?
Copyright © 2004, Juniper Networks, Inc.
6
FW/IPSec VPN Buyer’s Guide
3.
Deliver a high level of fault tolerance to ensure the solution is always available
•
•
Does the solution support high availability (HA) configurations, including active/active, full mesh, to
reduce the chance of a single point of failure?
Does the HA solution maintain both session and VPN state information to ensure that both the
connection and VPN security association are maintained in the event of a failure?
Can the solution take advantage of dynamic routing as part of VPN resiliency?
Can the solution support redundant paths? If so, what kind – multiple ISPs, dial back-up?
What redundancy features have been built into the VPN configuration?
•
•
•
•
What are the mechanisms used to minimize fail-over latency and ensure maximum uptime?
4.
Offer ease of use and management.
•
•
Are there multiple ways to interact and manage the system?
How easy is it to perform management tasks?
o
Can device, network and security configurations be managed using the same interface?
•
Does the system grant different people in the organization different access privileges?
o
o
How does the system ensure that people are only accessing what they need to access?
How easy is it to set up or change a role to ensure access privileges map to current
employee activity?
•
•
How quickly can changes be made in a large distributed network?
Are there configuration templates to simplify deployments?
o
How easy is it to customize the template information for specific site deployments?
How easy is it to troubleshoot problems?
Is there a way to roll back to a previous configuration if changes affect the connectivity of
the solution?
•
o
•
•
•
•
How much manual intervention is needed when a VPN connection goes down?
Can firewall policies be easily applied to VPN traffic, without a lot of additional configuration?
How easy is it to add a network to the VPN?
How easy is it to configure complex VPN configurations, such as a hybrid full-mesh and hub and
spoke?
5.
Enable quick and simple deployment and installation
•
•
Are there different options that accommodate administrator preferences for installing and configuring
the system?
What kind of platform is the solution running on?
o
o
Is the solution based on a general-purpose platform?
Is the solution delivered as an appliance for easy deployment?
•
How easy is it to deploy a device in the field?
o
o
What level of technical expertise is required?
Can it be managed centrally?
•
Does the solution have a transparent deployment mode that does not require routing changes to the
network?
•
•
•
What routing protocols does the solution support?
What networking features does the solution support to facilitate a timely deployment?
How are patches applied?
Copyright © 2004, Juniper Networks, Inc.
7
FW/IPSec VPN Buyer’s Guide
Detailed Buyer’s Checklist
This section provides a feature/functionality checklist for each of the criteria categories to help evaluators determine
the true capabilities of vendor solutions they are considering.
Evaluation Date:
Evaluated By:
Juniper Networks
Firewall / IPSec VPN /
Deep Inspection
Solutions*
Alternate
Solution:
Feature
Notes
1. Strong Security
Performs Stateful Inspection
Protects against network-
level attacks
Protects against DoS and
DDoS attacks
Yes
Yes
Yes
Yes
e.g. IP fragmentation,
ICMP “ping of death”
e.g. Syn, UDP, ICMP
Floods
Protects against transport
layer attacks
e.g. Port scans, Tear Drop
attack
Protects against application-
layer attacks:
e-mail
Yes
e.g. Nimda Worm, Code
Red Worm
Yes (SMTP, POP, IMAP)
Web
FTP
DNS
Yes
Yes
Yes
The use of proxies can
result in significant
performance degradation
Uses proxies for attack
detection
No
Uses Stateful signatures for
attack detection
Yes
Uses protocol enforcement
for attack detection
Yes
Yes, matches user defined
patterns
Blocks malicious URLs
Yes, low-end products have
embedded antivirus
Protects against viruses
Options for strong user
authentication:
Web Auth
Yes
Yes
Tokens
User name/Password:
HTTP
Yes
Yes
Yes
FTP
Telnet
Options for strong user
verification:
RADIUS
Internal Database
LDAP
Yes
Yes
Yes
Yes
SecureID
Built in attack containment
Copyright © 2004, Juniper Networks, Inc.
8
FW/IPSec VPN Buyer’s Guide
capabilities
Yes, Security Zones
•
Ability to apply
policies to restrict
traffic between
internal network
segments
Ability to split network into
completely separate
domains and create security
policies for each one
• Completely separate
policies
Yes, Virtual Systems
Yes
Yes
• Completely separate
administrative
controls
Certifications:
Yes
Yes
•
•
Common Criteria
ICSA certification
VPN Specific
Uses IPSec for secure
communications
Also enables
interoperability with other
IPSec VPNs
Yes
Yes
Supports IKE for flexible
encryption negotiations
Strong encryption options:
AES
An interoperability feature
Yes
Yes
Yes
DES
3DES
Options for strong user
authentication:
Xauth
Yes
Yes
Yes
Yes
Yes
Web Auth
X.509 certificates
Tokens
User name/Password
Options for strong user
verification:
RADIUS
Internal Database
LDAP
SecureID
X.509 certificates
Yes
Yes
Yes
Yes
Yes
Certifications:
Yes
Yes
•
•
FIPS 140-1 or 140-2
ICSA IPSec
Integration/System Design
FW/VPN/Deep Inspection --
Antivirus also included in
low-end
The number of applications
delivered in the solution
The source of the
applications are:
Proprietary
Yes – FW/VPN/Deep
Inspection
Partnerships
Yes, antivirus through
Trend Micro partnership
Yes, Remote client via
OEM relationships
Copyright © 2004, Juniper Networks, Inc.
9
FW/IPSec VPN Buyer’s Guide
Safenet
No
Open source code
The number of years the
solutions have been
available on the market
The applications that have
been recognized as best-of-
breed
FW/VPN – June 1998
Deep Inspection/Intrusion
Prevention – Feb 2002
FW/VPN/Deep Inspection
(Gartner Magic Quadrant)
Simplifies deployment,
reduces chance for human
error that could result in
vulnerabilities
All functionality managed
with the same console
FW/VPN/Deep Inspection
managed with same
interface/console
Built in features that protect
against tampering:
•
Packaging sealed
with custom tape
Uses tamper seals
to indicate
Yes
Yes
•
authenticity
•
Hardware can
restrict remote
access via access
lists
Yes
•
•
•
•
Access list creation
based on IP and
MAC addresses
Hardware protects
against password
overrides
Hardware uses
secure connections
for remote access
Custom OS built for
security
Yes
Yes
Yes
Yes
•
A custom OS is less
prone to known attacks
than a general purpose
OS
Yes
Yes
•
•
OS is hardened
FIPs certified for
physical protection
of keys and
configuration, as
well as software
protection
Guards against
vulnerabilities within the
system itself:
One, Juniper Networks
uses a single OS
•
The number of
different patches that
need to potentially
be applied
None, purpose-built
appliance with custom OS
•
The general purpose
systems or platforms
that are used
• Juniper Networks
NetScreen-Remote or
Juniper Networks
NetScreen-Secure
Access (SSL) for
remote/mobile users
Copyright © 2004, Juniper Networks, Inc.
10
FW/IPSec VPN Buyer’s Guide
• Juniper Networks
NetScreen-5XT, 5GT
seriesfor remote/home
offices
• Juniper Networks
NetScreen-25 & -50
for branch office or
small central site
Can scale from a small
remote user to a large
central site to eliminate weak
links
• Juniper Networks
NetScreen-200 series
for medium central
site, regional offices
• Juniper Networks
NetScreen-500 and
Juniper Networks
NetScreen-ISG 2000
for large central sites
• Juniper Networks
NetScreen-5000 series
for large central sites,
data centers, service
providers
Solution dependent on other
vendors to make changes or
innovations
Applications under load
continue to perform all
security functionality
No
No
Some solutions simply
pass traffic when under
load – creating security
risk
Copyright © 2004, Juniper Networks, Inc.
11
FW/IPSec VPN Buyer’s Guide
2. Predictable Performance
Ability to process traffic of
varying packet sizes to meet
the performance
Yes,
See Tolly Reports for
third party verification
requirements of the network
Accelerates intensive
Yes, including custom
security ASICs
processing with hardware
Ability to support applications
with a low tolerance for
latency/jitter, such as VoIP,
multimedia, etc.
Yes, hardware is
optimized for streamlined
processing
Fast session ramp rates to
protect against DoS attacks
Yes, Dedicated hardware,
allowing separate paths
for session set up and
established flows
Yes,
• ASIC/FPGAs offload
intensive processing,
making CPU available
for new/additional
functions
Provide additional
functionality without
degrading performance
• Programmability in
ASIC to accelerate
future functions
Turning on all applications
does not affect the solutions
ability to meet the
See spec sheets for
performance numbers
performance needs of the
deployment
Traffic prioritization to ensure
business critical applications
are available
Yes
Deliver Quality of Service
(QoS):
o
o
Control bandwidth
Set priority field in
the Type of Service
(TOS) byte to reflect
traffic class priority
Yes
Yes
VPN Specific
Accelerate IKE
negotiations for quick
tunnel set up
Yes, OS and Hardware
designed specifically to
negotiate security
associations
Purpose built solutions can
develop process efficiencies
over general purpose OS’
Minimal latency to ensure
real-time applications are
not degraded:
Yes,
Unnecessary traversals of
PCI busses is a common
problem with PC-based
platforms using VPN
acceleration cards, adding
latency to application.
oProvides fast path for
established flows
oPackets are quickly
processed without
unnecessary
traversals of PCI
busses
Maintain large numbers of
tunnels to ensure
availability
Yes
Copyright © 2004, Juniper Networks, Inc.
12
FW/IPSec VPN Buyer’s Guide
3. Fault Tolerant – High Availability, Resiliency
Device, itself, provides
redundancy:
o
o
Solid-state
Redundant
Yes
Yes
components
(fans/power supplies)
Port Density
o
Yes
Supports dynamic routing
protocols:
Enables the survival of
failures at the transport level
–needed for other
o
o
o
OSPF
BGP
RIP
Yes
Yes
Yes
components of resiliency
High Availability (HA)
Configurations to reduce single
point of failure:
o
Stateful (sharing
session information) to
maintain connections
VPN sync (sharing
VPN information to
maintain security
association in the
event of a failure)
Active-passive HA
(one device
Yes
Yes
o
o
Yes
processing traffic, with
the second device as a
back-up)
o
o
Active-active HA (both
devices processing
traffic)
Active-active, full-
mesh HA to survive a
failure up or
Yes
Yes
downstream from
device
Redundant physical
connections (e.g. connections
to different service providers)
Alternate transport options,
such as:
Note: need to support
dynamic routing to do this
Yes
o
o
DSL
Dial back-up
Yes
Yes
A high Mean Time Before
Failure (MTBF) expectancy
VPN Specific
Yes, using Bellcore
MTBF calculations
Ability to run dynamic routing
through its tunnels to
Yes, Dynamic Route-
based VPNs (Best
Path VPNs)
automatically learn the network
and route around failures
Product’s HA performs VPN
sync (sharing VPN state
information) to maintain the
VPN connection in the event of
a failure
Note: most routers cannot
offer this functionality
Yes
Copyright © 2004, Juniper Networks, Inc.
13
FW/IPSec VPN Buyer’s Guide
Supports different VPN
deployment modes:
Rule-based/Policy-based
Route-based
Dynamic Route-based (Best
Path)
Yes
Yes
Yes
Support multiple VPN
gateways to enable VPN to
persist in the event of a failure
Supports multiple tunnels,
running the same services,
between VPN gateways
For rule-based or policy-
based VPNs
Yes
Yes
Note: rule-based or policy-
based VPNs cannot do this,
only route-based and
dynamic route-based VPNs
For route-based VPNs, can
take up to a minute for fail-
over
Supports fail-over between
tunnels based on alternate
static routes defined in the
route table
Supports fail-over between
redundant tunnels using
dynamic routing
Yes
Yes
For dynamic route-based
VPNs, can take up to a
minute for fail-over
Yes, custom VPN
Path Monitor-
configurable interval
to allow fail-over in
seconds
Supports fail-over between
redundant tunnels using
another mechanism
R-associate VPN with another
tunnel without having to
renegotiate the encryption
keys
Yes, Security
Association mirroring
mechanism
Copyright © 2004, Juniper Networks, Inc.
14
FW/IPSec VPN Buyer’s Guide
4. Ease of Use
Multiple ways to interact with
the system:
o
o
o
CLI
Web UI
Central Management
Platform
Yes
Yes
Yes
Remote management options:
o
o
o
o
SSH
Telnet
Web (HTTP/HTTPs)
Centralized
Management GUI
Syslog
SNMP
Ping for remote
monitoring
Yes
Yes
Yes
Yes
o
o
o
Yes
Yes
Yes
Ability to manage the device,
network and security
Yes, Juniper
functionality from a single
console
Networks NetScreen-
Security Manager
Ability to view all logs in central
location
Yes
Ability to assign different
people in the organization
different read/write privileges
Policy changes can be
distributed quickly to one or
many devices
Yes, role-based
administration
Yes, Juniper
Networks NetScreen-
Security Manager
Firewall policies can be easily
applied to VPN traffic, without
having to define the network
(IP-based) within that policy
Policies can be easily applied
to new networks/interfaces
Offers VLAN support to
integrate subnets easily
Different network segments
can have different policy sets,
effectively segmenting the
network
See Juniper Networks VPN
White Paper “Dynamic VPNs
Achieving Scalable, Secure
Site-to-Site Connectivity”
Yes, using Security
Zones
Yes, using Security
Zones
Yes
Yes, using Security
Zones
Administrators can apply
universal rules to multiple
security zones
Yes, unique to
NetScreen
Different network segments,
departments, offices, etc. can
manage their own security,
completely separate from each
other:
Yes, Virtual Systems
o
Separate management
devices
Separate “view”
Yes
Yes
o
Built in troubleshooting
features:
o
Contextual information
Yes
Copyright © 2004, Juniper Networks, Inc.
15
FW/IPSec VPN Buyer’s Guide
in logs
o
Identification of failures
in logs
Web-based trouble
shooting
Yes
Yes
o
Offers roll-back option to last-
known “good” configuration, if
changes do not “work”
Yes
Ability to integrate with other
management and enterprise
platforms/systems:
Note: NTP integration allows
internal clocks to be
synchronized to ensure log
files have accurate time
stamps
o
o
o
o
SNMP traps
MIP
MIB
CLI via SSH for
configuration
Syslog
Yes
Yes
Yes
Yes
o
o
Yes
Yes
Yes
NTP
On-line help
Broad array of support options
Support is delivered by a
single vendor with a single
support contract
Yes
Yes
VPN Specific
Yes, utilizing dynamic
routing and Security
Zones
New networks can be easily
added to the VPN
Yes,
oDynamic routing
automatically finds
available routes
oRoute-based
VPNs can switch
to alternate routes
in route table
Reroute around problems with
minimal human intervention
Flexibility to do complex VPN
configurations (e.g. hybrid full
mesh, hub and spoke) using:
o
o
o
Rule-based VPNs
Route-based
Dynamic Route-
Based
Yes
Yes
Yes
Copyright © 2004, Juniper Networks, Inc.
16
FW/IPSec VPN Buyer’s Guide
5. Simple Deployment and Installation
Delivered as an appliance for
simple deployment
Yes
Delivered as software that has to
be loaded onto hardware
Multiple deployment options:
Can introduce interoperability
issues
No
o
o
Transparent mode
Route mode
oBGP
Yes
Yes
Yes
oOSPF
Yes
oNAT
Yes, can be done on
per policy basis
Offers multiple ways to interact
with the system:
o
Command Line Interface
(CLI)
Yes
o
o
Web interface
Graphical User Interface
(GUI)/central
Yes
Yes, Juniper
Networks NetScreen-
Security Manager
management platform
Wizards to guide an administrator
through tasks, such as initial
configuration, policy install, VPN
set up
Templates available for consistent
configuration of multiple devices
Integrated key networking
functionality for easy integration
into a network environment, such
as:
Yes
Yes
oSupport of DIPs allows
policy-based address
translations using pools of
IP addresses to handle
overlapping IP addresses.
oMIPs provide one-to-one
IP mapping for internal
servers
oVIPs provides mapping of
protocols from one public
external IP to multiple
internal private IPs based
on the port. Allows one IP
address to support Web,
FTP, e-mail and other
servers.
o
o
Dynamic routing protocols
Virtual Routers
oSupport multiple
routing domains
Multiple methods of
address translation
oDynamic IPs (DIPs)
Support Mapped
IPsVLANs (MIPs)
Support Virtual IPs (VIPs)
Supports NAT
Yes
Yes
Yes
o
o
Yes
Yes
Yes
o
o
Yes
oPolicy-based
oPAT/NAT capabilities
Yes
Yes
Single patches that apply to the
platform, OS and applications
Not possible if applications,
OS and hardware are not fully
integrated or from the same
vendor
Yes
Ability to maintain the VPN
abstraction and continue to
leverage dynamic routing when
applying the firewall policy
Tools and services to facilitate
migration from other Firewall/VPN
products
If the firewall policy requires
the use of IP addresses then
the management advantages
of dynamic routing are lost.
Yes, through Security
Zones
Yes
Copyright © 2004, Juniper Networks, Inc.
17
FW/IPSec VPN Buyer’s Guide
Features for Remote Users and Offices
Remote User solution including
VPN, firewall, virus and
application-level protection
Provides strong remote site
security:
Yes
Eliminates “weak” links with
affordable solutions
o
Integrated functionality
to apply access control
to remote traffic
Ability to protect against
viruses and application-
level attacks
Yes
Yes
o
o
o
Split tunneling support
Separation of corporate
and personal traffic to
ensure personal/Internet
traffic cannot enter the
corporate network
Yes
Yes
through the VPN
Supports a dial-back-up option to
ensure connectivity at a remote
office
Yes
Remote office appliance for easy
installation
Yes, purpose-built
device
Ability to configure a device at
the corporate office, so that
technical resources are not
needed at a remote site
Easy to manage to ensure
security experts don’t need to be
on site:
Yes, Rapid
Deployment
o
Managed using the
same console as large
central site solutions to
ensure consistent policy
enforcement is
consistent
Can be managed
centrally
Yes
Yes
o
Features for Wireless
Can separate wireless traffic and
apply a security policy to it to
control access
See Securing Wireless LANS
white paper at
ources/whitepapers/enterpris
e/
Yes, Security
Zones
*Please see specific product data sheets for individual product features, available on the Web site at
Copyright © 2004, Juniper Networks, Inc.
18
|