Juniper Networks Network Router 710008 001 User Manual

Buyer’s Guide  
For Integrated Firewall and  
Virtual Private Network Solutions  
Juniper Networks, Inc.  
1194 North Mathilda Avenue  
Sunnyvale, CA 94089 USA  
408 745 2000 or 888 JUNIPER  
Part Number: 710008-001 June 2004  
 
FW/IPSec VPN Buyer’s Guide  
Introduction  
Technology is radically changing the way companies conduct business, opening up new possibilities that enable  
efficiencies and growth on a global scale. But for everything that technology facilitates, it also opens up new risks,  
forcing companies to think about how to protect the assets they are working so hard to build. Security and IT  
administrators are faced daily with the challenge of successfully implementing technology that supports the  
company’s success, while maintaining the security of the organization’s critical resources.  
The first step that organizations generally take is to control who and what gets in and out of the network by  
deploying a firewall. Firewalls perform access control, user authentication, traffic management and policy  
enforcement to ensure only appropriate users and services are able to traverse the network and that business  
applications are given priority. Firewalls, however, are no longer relegated to just perimeter deployments. Rather  
organizations are increasingly taking advantage of firewall capabilities throughout the network to segment it and  
apply security policies between different segments. These segments, or zones, could represent geographically  
distributed networks, such as regional offices, different types of traffic, such as wireless or VPN connections,  
different departments or even different servers. This segmentation enables the organization to create additional  
levels of trust to protect sensitive resources and perform attack containment.  
Firewalls also provide some protection against attacks, traditionally focusing on preventing network-level exploits,  
such as Denial of Service attacks. But, as many organizations have come to realize, attackers are increasingly  
attacking vulnerabilities found not at the network-level, but at the application-layer, and are actually leveraging traffic  
“allowed” by the firewall to get into the network. As a result, some firewalls have started to look deeper into the  
traffic they are allowing in and out of the network to try to identify and prevent attacks found at the application-layer.  
Firewalls are also often coupled with virtual private network (VPN) functionality, which is designed to enable  
organizations to provision site-to-site connectivity that takes advantage of the cost-benefits of the public Internet  
infrastructure in a secure manner. The most commonly deployed site-to-site VPN technology is an IPSec VPN, so  
this guide will focus on these solutions. IPSec VPNs encrypt traffic to maintain its confidentiality and protect against  
tampering with or altering of the data. As a result, they enable organizations to securely extend their network  
perimeter across the public Internet to facilitate secure communications between geographically distributed  
locations.  
As with any solution, an administrator needs to be aware of the potential impact that a device can have on their  
network’s performance and availability, as well as the time and management implications that each solution  
introduces. While VPN functionality can also be deployed as a standalone solution, it is always a good idea to apply  
access controls to the VPN traffic. As a result, the tight integration of firewall and VPN functionality can reduce  
network complexity, simplify deployment and management and reduce the overall total cost of ownership of an  
organization’s connectivity and security.  
Administrators need these solutions to enable business productivity, as well as network security, so this guide is  
designed to help organizations find the balance they need between functionality and security, without compromising  
one for the other. This guide provides a framework for evaluating firewall and VPN security solutions. It is organized  
into three sections. The first is an executive level summary that splits the evaluation criteria into five different  
categories and explains the impact of each category on the overall solution’s ability to deliver value. The next  
section takes those five categories and provides a quick checklist for each that will help the evaluator start to ask  
the questions that will differentiate the capabilities of products. Finally, the last section provides a detailed list of  
features that make up each category to enable evaluators to really make product comparisons to ensure they can  
select the one that best meets the needs and requirements of their organization.  
Copyright © 2004, Juniper Networks, Inc.  
3
 
FW/IPSec VPN Buyer’s Guide  
Executive Summary  
Firewall/IPSec VPNs serve as the foundation upon which a strong security stance can be built, so the purchase  
decision should be framed in terms that support a long-term investment that can be leveraged as the organization’s  
needs change and grow. The chosen firewall/VPN solution should not only provide robust security functionality, but  
also the networking and availability features that will support the company’s ongoing connectivity and expansion  
requirements. In addition, the security solution needs to be easily integrated into the network and simple to manage,  
so that it does not put a strain on already tight IT, security and networking budgets. There are so many firewall and  
VPN vendors in the market that it can become overwhelming for a company to try and sort through them all and  
determine what the best solution is for their environment. This section is designed to help decision-makers and  
evaluators think, in broad terms, about the criteria that will be most helpful as they make their solution choice.  
1.  
Provide strong security.  
The solution needs to provide robust security functionality to maximize the protection it provides to the  
network. Some of the functionality that should be included is strong access control, user authentication,  
attack protection - both at the network and application-layer - IPSec and encryption choices for data  
integrity, and network segmentation for attack containment. Ideally, the functionality should be integrated to  
maximize the security derived from the solution. Integrating the VPN functionality into the firewall, for  
instance, requires fewer open ports and enables firewall policies to be easily applied to VPN traffic. It is  
especially important, however, to scrutinize the feature set of products that integrate multiple functions to  
ensure they are not too simplistic in their approach and are not lacking all of the robust, proven features that  
are required for strong security. While initially appealing because they seem to be easy to manage, an  
integrated solution that does not marry best-of-breed functionality can actually end up creating more work  
due to the security holes they allow. For example, how effective is it to have intrusion prevention integration  
that can only stop network-layer attacks? In response, it is more important that the solution provides the  
granularity and flexibility needed to identify differences in traffic and appropriately process that traffic than to  
satisfy a checklist. In addition, it is important to identify potential vulnerabilities that could be introduced by  
the device itself, such as those associated with general-purpose platforms and operating systems. It is also  
important that the solution accommodate the different requirements of different network segments, from the  
smallest remote office to the largest central site, to ensure security can be uniformly deployed and eliminate  
any weak links. The solution should be designed for and deliver security to justify its deployment.  
2.  
Offer predictable performance.  
The solution needs to be an enabler to network connectivity rather than a barrier. If the solution cannot  
keep up with the performance requirements of the network segment that it is designed to protect, its value  
will be significantly diminished. Not surprisingly, it must be able to efficiently process traffic and deliver  
predictable performance under load. The performance should be sustainable for both large and small  
packets. It should also minimize latency and accommodate the necessary concurrent sessions and VPN  
tunnels that are required for that particular network segment. In order to provide adequate Denial of Service  
(DoS) protection the solution needs to support a high ramp rate to handle attempts at performance  
overload. The solution must be able to handle the performance requirements of the network and function  
without degradation.  
Copyright © 2004, Juniper Networks, Inc.  
4
 
FW/IPSec VPN Buyer’s Guide  
3.  
Deliver a high level of fault tolerance to ensure the solution is always available.  
Being able to survive a failure and maintain both connectivity and the security stance of the organization is  
the sign of good solution. The solution needs to provide redundancy at all levels to give an organization the  
flexibility to choose the level of availability they want for each of their network segments, based on their cost  
and connectivity requirements. The device, itself, needs to offer solid-state performance and component  
redundancy. It then needs to support a high availability configuration that is able to maintain session and  
VPN state information and survive a failure both up and down stream of the device, offering an  
active/active, full mesh architecture. It needs to include network redundancy, leveraging the resiliency of  
dynamic routing and supporting path redundancy to multiple ISPs or a dial-back up line. At the VPN level, it  
needs to support multiple tunnels and minimize failover time to ensure optimal connectivity. Only a solution  
that is able to provide all of the redundancy pieces is truly fault tolerant.  
4.  
Offer ease of use and management.  
The real costs of a solution are tied not to the initial capital outlay, but to the ongoing management and  
operational costs associated with keeping the solution up and running. If a solution requires a lot of time  
and resources to maintain, it is going to take away from other activities and increase the management  
burden on the organization. The solution needs to be easy to interact with to ensure changes can be quickly  
made to keep the security policy in force. An administrator should be able to manage the device, network  
and security aspects of the solution, from a single interface, as opposed to having to go to one interface to  
make routing changes and another interface to set security policies. It should automate as much as  
possible to minimize human intervention, using tools such as templates and auto-configurations to  
maximize consistent security deployments throughout the network. It should also, however, provide  
granular controls to ensure that specific sites have a configuration that is most appropriate to their  
environment. It should enable different people in the organization to efficiently do their jobs, without  
introducing any risk to the security at large. For example, a NOC administrator should be able to get access  
to device status, but shouldn’t be able to make security policy changes, a CIO should be able to see  
reports, but not make routing changes, etc. It should also be easy to troubleshoot to enable organizations to  
quickly resolve problems. Organizations don’t want to waste a lot of time on managing, rather they want an  
easy to use solution that enables them to spend time on activities core to their business success.  
5.  
Enable quick and simple deployment and installation.  
IT, network and security managers are expected to do more with less, so it is important to be able to get  
solutions up and running quickly. It needs to seamlessly integrate into the network environment, without  
introducing interoperability issues. It should be intuitive, so that it doesn’t require a lot of training or security  
expertise to use. Updates need to be easy to accomplish, without having to worry about overriding custom  
configurations or introducing new vulnerabilities. For instance, an organization doesn’t want to have to  
worry about how a newly applied patch to the operating system will affect the underlying platform or the  
applications that it is running. The solution should be designed with everything working together, to  
minimize complexity and simplify deployment and installation.  
Copyright © 2004, Juniper Networks, Inc.  
5
 
FW/IPSec VPN Buyer’s Guide  
Quick Checklist  
This section builds upon the framework for evaluating firewall and VPN products that was described in the previous  
section, providing a quick checklist of some of the top questions to pose in each criteria category. For more in-  
depth questions that enable a side-by-side comparison of different solutions, go to the Detailed Buyer’s Checklist  
that follows this section.  
1.  
Provide Strong Security  
Does the solution integrate best-of-breed technologies?  
o
o
o
How long have the technologies been in the market?  
Are there any third party verifications of viability available?  
Are the technologies based on open source solutions?  
Does the solution provide strong access control – stateful inspection?  
What kind of user authentication does the solution support?  
What network-level attacks does the solution protect against?  
o
o
DoS attacks  
DDoS attacks  
Does it have the ability to make determinations on whether to allow or deny traffic based on application-  
layer information?  
o
o
What kind of application-level attacks can it detect?  
What kind of application-level attacks can it prevent?  
What kind of encryption does the VPN support?  
Can the solution apply policies to internal traffic to establish additional layers of trust and contain  
attacks?  
What type of security certifications does the product have?  
What kind of platform is the solution built on?  
o
Is it a general-purpose platform that could introduce security risks?  
Can the solution scale to meet the different security needs of small to large sites?  
2.  
Offer Predictable Performance  
What are the performance (large and small packet size) capabilities of the solution to ensure that  
performance remains predictable?  
What has the solution done to optimize its traffic processing?  
How does the solution minimize latency to ensure real-time applications are not degraded (e.g. VoIP)?  
How does the solution handle very fast session ramp rates to protect against DoS attacks?  
How does the architecture of the solution enable performance under load?  
How does the solution handle multiple concurrent sessions to ensure user connectivity is not lost or  
slowed?  
How does the solution accommodate additional functionality, without degrading performance?  
How does the solution accelerate the VPN negotiation to set up the VPN tunnels to make the time  
imperceptible to the user?  
How can the solution quickly create and then maintain VPN tunnels to ensure they are always available  
for the user?  
Copyright © 2004, Juniper Networks, Inc.  
6
 
FW/IPSec VPN Buyer’s Guide  
3.  
Deliver a high level of fault tolerance to ensure the solution is always available  
Does the solution support high availability (HA) configurations, including active/active, full mesh, to  
reduce the chance of a single point of failure?  
Does the HA solution maintain both session and VPN state information to ensure that both the  
connection and VPN security association are maintained in the event of a failure?  
Can the solution take advantage of dynamic routing as part of VPN resiliency?  
Can the solution support redundant paths? If so, what kind – multiple ISPs, dial back-up?  
What redundancy features have been built into the VPN configuration?  
What are the mechanisms used to minimize fail-over latency and ensure maximum uptime?  
4.  
Offer ease of use and management.  
Are there multiple ways to interact and manage the system?  
How easy is it to perform management tasks?  
o
Can device, network and security configurations be managed using the same interface?  
Does the system grant different people in the organization different access privileges?  
o
o
How does the system ensure that people are only accessing what they need to access?  
How easy is it to set up or change a role to ensure access privileges map to current  
employee activity?  
How quickly can changes be made in a large distributed network?  
Are there configuration templates to simplify deployments?  
o
How easy is it to customize the template information for specific site deployments?  
How easy is it to troubleshoot problems?  
Is there a way to roll back to a previous configuration if changes affect the connectivity of  
the solution?  
o
How much manual intervention is needed when a VPN connection goes down?  
Can firewall policies be easily applied to VPN traffic, without a lot of additional configuration?  
How easy is it to add a network to the VPN?  
How easy is it to configure complex VPN configurations, such as a hybrid full-mesh and hub and  
spoke?  
5.  
Enable quick and simple deployment and installation  
Are there different options that accommodate administrator preferences for installing and configuring  
the system?  
What kind of platform is the solution running on?  
o
o
Is the solution based on a general-purpose platform?  
Is the solution delivered as an appliance for easy deployment?  
How easy is it to deploy a device in the field?  
o
o
What level of technical expertise is required?  
Can it be managed centrally?  
Does the solution have a transparent deployment mode that does not require routing changes to the  
network?  
What routing protocols does the solution support?  
What networking features does the solution support to facilitate a timely deployment?  
How are patches applied?  
Copyright © 2004, Juniper Networks, Inc.  
7
 
FW/IPSec VPN Buyer’s Guide  
Detailed Buyer’s Checklist  
This section provides a feature/functionality checklist for each of the criteria categories to help evaluators determine  
the true capabilities of vendor solutions they are considering.  
Evaluation Date:  
Evaluated By:  
Juniper Networks  
Firewall / IPSec VPN /  
Deep Inspection  
Solutions*  
Alternate  
Solution:  
Feature  
Notes  
1. Strong Security  
Performs Stateful Inspection  
Protects against network-  
level attacks  
Protects against DoS and  
DDoS attacks  
Yes  
Yes  
Yes  
Yes  
e.g. IP fragmentation,  
ICMP “ping of death”  
e.g. Syn, UDP, ICMP  
Floods  
Protects against transport  
layer attacks  
e.g. Port scans, Tear Drop  
attack  
Protects against application-  
layer attacks:  
e-mail  
Yes  
e.g. Nimda Worm, Code  
Red Worm  
Yes (SMTP, POP, IMAP)  
Web  
FTP  
DNS  
Yes  
Yes  
Yes  
The use of proxies can  
result in significant  
performance degradation  
Uses proxies for attack  
detection  
No  
Uses Stateful signatures for  
attack detection  
Yes  
Uses protocol enforcement  
for attack detection  
Yes  
Yes, matches user defined  
patterns  
Blocks malicious URLs  
Yes, low-end products have  
embedded antivirus  
Protects against viruses  
Options for strong user  
authentication:  
Web Auth  
Yes  
Yes  
Tokens  
User name/Password:  
HTTP  
Yes  
Yes  
Yes  
FTP  
Telnet  
Options for strong user  
verification:  
RADIUS  
Internal Database  
LDAP  
Yes  
Yes  
Yes  
Yes  
SecureID  
Built in attack containment  
Copyright © 2004, Juniper Networks, Inc.  
8
 
FW/IPSec VPN Buyer’s Guide  
capabilities  
Yes, Security Zones  
Ability to apply  
policies to restrict  
traffic between  
internal network  
segments  
Ability to split network into  
completely separate  
domains and create security  
policies for each one  
Completely separate  
policies  
Yes, Virtual Systems  
Yes  
Yes  
Completely separate  
administrative  
controls  
Certifications:  
Yes  
Yes  
Common Criteria  
ICSA certification  
VPN Specific  
Uses IPSec for secure  
communications  
Also enables  
interoperability with other  
IPSec VPNs  
Yes  
Yes  
Supports IKE for flexible  
encryption negotiations  
Strong encryption options:  
AES  
An interoperability feature  
Yes  
Yes  
Yes  
DES  
3DES  
Options for strong user  
authentication:  
Xauth  
Yes  
Yes  
Yes  
Yes  
Yes  
Web Auth  
X.509 certificates  
Tokens  
User name/Password  
Options for strong user  
verification:  
RADIUS  
Internal Database  
LDAP  
SecureID  
X.509 certificates  
Yes  
Yes  
Yes  
Yes  
Yes  
Certifications:  
Yes  
Yes  
FIPS 140-1 or 140-2  
ICSA IPSec  
Integration/System Design  
FW/VPN/Deep Inspection --  
Antivirus also included in  
low-end  
The number of applications  
delivered in the solution  
The source of the  
applications are:  
Proprietary  
Yes – FW/VPN/Deep  
Inspection  
Partnerships  
Yes, antivirus through  
Trend Micro partnership  
Yes, Remote client via  
OEM relationships  
Copyright © 2004, Juniper Networks, Inc.  
9
 
FW/IPSec VPN Buyer’s Guide  
Safenet  
No  
Open source code  
The number of years the  
solutions have been  
available on the market  
The applications that have  
been recognized as best-of-  
breed  
FW/VPN – June 1998  
Deep Inspection/Intrusion  
Prevention – Feb 2002  
FW/VPN/Deep Inspection  
(Gartner Magic Quadrant)  
Simplifies deployment,  
reduces chance for human  
error that could result in  
vulnerabilities  
All functionality managed  
with the same console  
FW/VPN/Deep Inspection  
managed with same  
interface/console  
Built in features that protect  
against tampering:  
Packaging sealed  
with custom tape  
Uses tamper seals  
to indicate  
Yes  
Yes  
authenticity  
Hardware can  
restrict remote  
access via access  
lists  
Yes  
Access list creation  
based on IP and  
MAC addresses  
Hardware protects  
against password  
overrides  
Hardware uses  
secure connections  
for remote access  
Custom OS built for  
security  
Yes  
Yes  
Yes  
Yes  
A custom OS is less  
prone to known attacks  
than a general purpose  
OS  
Yes  
Yes  
OS is hardened  
FIPs certified for  
physical protection  
of keys and  
configuration, as  
well as software  
protection  
Guards against  
vulnerabilities within the  
system itself:  
One, Juniper Networks  
uses a single OS  
The number of  
different patches that  
need to potentially  
be applied  
None, purpose-built  
appliance with custom OS  
The general purpose  
systems or platforms  
that are used  
Juniper Networks  
NetScreen-Remote or  
Juniper Networks  
NetScreen-Secure  
Access (SSL) for  
remote/mobile users  
Copyright © 2004, Juniper Networks, Inc.  
10  
 
FW/IPSec VPN Buyer’s Guide  
Juniper Networks  
NetScreen-5XT, 5GT  
seriesfor remote/home  
offices  
Juniper Networks  
NetScreen-25 & -50  
for branch office or  
small central site  
Can scale from a small  
remote user to a large  
central site to eliminate weak  
links  
Juniper Networks  
NetScreen-200 series  
for medium central  
site, regional offices  
Juniper Networks  
NetScreen-500 and  
Juniper Networks  
NetScreen-ISG 2000  
for large central sites  
Juniper Networks  
NetScreen-5000 series  
for large central sites,  
data centers, service  
providers  
Solution dependent on other  
vendors to make changes or  
innovations  
Applications under load  
continue to perform all  
security functionality  
No  
No  
Some solutions simply  
pass traffic when under  
load – creating security  
risk  
Copyright © 2004, Juniper Networks, Inc.  
11  
 
FW/IPSec VPN Buyer’s Guide  
2. Predictable Performance  
Ability to process traffic of  
varying packet sizes to meet  
the performance  
Yes,  
See Tolly Reports for  
third party verification  
requirements of the network  
Accelerates intensive  
Yes, including custom  
security ASICs  
processing with hardware  
Ability to support applications  
with a low tolerance for  
latency/jitter, such as VoIP,  
multimedia, etc.  
Yes, hardware is  
optimized for streamlined  
processing  
Fast session ramp rates to  
protect against DoS attacks  
Yes, Dedicated hardware,  
allowing separate paths  
for session set up and  
established flows  
Yes,  
ASIC/FPGAs offload  
intensive processing,  
making CPU available  
for new/additional  
functions  
Provide additional  
functionality without  
degrading performance  
Programmability in  
ASIC to accelerate  
future functions  
Turning on all applications  
does not affect the solutions  
ability to meet the  
See spec sheets for  
performance numbers  
performance needs of the  
deployment  
Traffic prioritization to ensure  
business critical applications  
are available  
Yes  
Deliver Quality of Service  
(QoS):  
o
o
Control bandwidth  
Set priority field in  
the Type of Service  
(TOS) byte to reflect  
traffic class priority  
Yes  
Yes  
VPN Specific  
Accelerate IKE  
negotiations for quick  
tunnel set up  
Yes, OS and Hardware  
designed specifically to  
negotiate security  
associations  
Purpose built solutions can  
develop process efficiencies  
over general purpose OS’  
Minimal latency to ensure  
real-time applications are  
not degraded:  
Yes,  
Unnecessary traversals of  
PCI busses is a common  
problem with PC-based  
platforms using VPN  
acceleration cards, adding  
latency to application.  
oProvides fast path for  
established flows  
oPackets are quickly  
processed without  
unnecessary  
traversals of PCI  
busses  
Maintain large numbers of  
tunnels to ensure  
availability  
Yes  
Copyright © 2004, Juniper Networks, Inc.  
12  
 
FW/IPSec VPN Buyer’s Guide  
3. Fault Tolerant – High Availability, Resiliency  
Device, itself, provides  
redundancy:  
o
o
Solid-state  
Redundant  
Yes  
Yes  
components  
(fans/power supplies)  
Port Density  
o
Yes  
Supports dynamic routing  
protocols:  
Enables the survival of  
failures at the transport level  
–needed for other  
o
o
o
OSPF  
BGP  
RIP  
Yes  
Yes  
Yes  
components of resiliency  
High Availability (HA)  
Configurations to reduce single  
point of failure:  
o
Stateful (sharing  
session information) to  
maintain connections  
VPN sync (sharing  
VPN information to  
maintain security  
association in the  
event of a failure)  
Active-passive HA  
(one device  
Yes  
Yes  
o
o
Yes  
processing traffic, with  
the second device as a  
back-up)  
o
o
Active-active HA (both  
devices processing  
traffic)  
Active-active, full-  
mesh HA to survive a  
failure up or  
Yes  
Yes  
downstream from  
device  
Redundant physical  
connections (e.g. connections  
to different service providers)  
Alternate transport options,  
such as:  
Note: need to support  
dynamic routing to do this  
Yes  
o
o
DSL  
Dial back-up  
Yes  
Yes  
A high Mean Time Before  
Failure (MTBF) expectancy  
VPN Specific  
Yes, using Bellcore  
MTBF calculations  
Ability to run dynamic routing  
through its tunnels to  
Yes, Dynamic Route-  
based VPNs (Best  
Path VPNs)  
automatically learn the network  
and route around failures  
Product’s HA performs VPN  
sync (sharing VPN state  
information) to maintain the  
VPN connection in the event of  
a failure  
Note: most routers cannot  
offer this functionality  
Yes  
Copyright © 2004, Juniper Networks, Inc.  
13  
 
FW/IPSec VPN Buyer’s Guide  
Supports different VPN  
deployment modes:  
Rule-based/Policy-based  
Route-based  
Dynamic Route-based (Best  
Path)  
Yes  
Yes  
Yes  
Support multiple VPN  
gateways to enable VPN to  
persist in the event of a failure  
Supports multiple tunnels,  
running the same services,  
between VPN gateways  
For rule-based or policy-  
based VPNs  
Yes  
Yes  
Note: rule-based or policy-  
based VPNs cannot do this,  
only route-based and  
dynamic route-based VPNs  
For route-based VPNs, can  
take up to a minute for fail-  
over  
Supports fail-over between  
tunnels based on alternate  
static routes defined in the  
route table  
Supports fail-over between  
redundant tunnels using  
dynamic routing  
Yes  
Yes  
For dynamic route-based  
VPNs, can take up to a  
minute for fail-over  
Yes, custom VPN  
Path Monitor-  
configurable interval  
to allow fail-over in  
seconds  
Supports fail-over between  
redundant tunnels using  
another mechanism  
R-associate VPN with another  
tunnel without having to  
renegotiate the encryption  
keys  
Yes, Security  
Association mirroring  
mechanism  
Copyright © 2004, Juniper Networks, Inc.  
14  
 
FW/IPSec VPN Buyer’s Guide  
4. Ease of Use  
Multiple ways to interact with  
the system:  
o
o
o
CLI  
Web UI  
Central Management  
Platform  
Yes  
Yes  
Yes  
Remote management options:  
o
o
o
o
SSH  
Telnet  
Web (HTTP/HTTPs)  
Centralized  
Management GUI  
Syslog  
SNMP  
Ping for remote  
monitoring  
Yes  
Yes  
Yes  
Yes  
o
o
o
Yes  
Yes  
Yes  
Ability to manage the device,  
network and security  
Yes, Juniper  
functionality from a single  
console  
Networks NetScreen-  
Security Manager  
Ability to view all logs in central  
location  
Yes  
Ability to assign different  
people in the organization  
different read/write privileges  
Policy changes can be  
distributed quickly to one or  
many devices  
Yes, role-based  
administration  
Yes, Juniper  
Networks NetScreen-  
Security Manager  
Firewall policies can be easily  
applied to VPN traffic, without  
having to define the network  
(IP-based) within that policy  
Policies can be easily applied  
to new networks/interfaces  
Offers VLAN support to  
integrate subnets easily  
Different network segments  
can have different policy sets,  
effectively segmenting the  
network  
See Juniper Networks VPN  
White Paper “Dynamic VPNs  
Achieving Scalable, Secure  
Site-to-Site Connectivity”  
Yes, using Security  
Zones  
Yes, using Security  
Zones  
Yes  
Yes, using Security  
Zones  
Administrators can apply  
universal rules to multiple  
security zones  
Yes, unique to  
NetScreen  
Different network segments,  
departments, offices, etc. can  
manage their own security,  
completely separate from each  
other:  
Yes, Virtual Systems  
o
Separate management  
devices  
Separate “view”  
Yes  
Yes  
o
Built in troubleshooting  
features:  
o
Contextual information  
Yes  
Copyright © 2004, Juniper Networks, Inc.  
15  
 
FW/IPSec VPN Buyer’s Guide  
in logs  
o
Identification of failures  
in logs  
Web-based trouble  
shooting  
Yes  
Yes  
o
Offers roll-back option to last-  
known “good” configuration, if  
changes do not “work”  
Yes  
Ability to integrate with other  
management and enterprise  
platforms/systems:  
Note: NTP integration allows  
internal clocks to be  
synchronized to ensure log  
files have accurate time  
stamps  
o
o
o
o
SNMP traps  
MIP  
MIB  
CLI via SSH for  
configuration  
Syslog  
Yes  
Yes  
Yes  
Yes  
o
o
Yes  
Yes  
Yes  
NTP  
On-line help  
Broad array of support options  
Support is delivered by a  
single vendor with a single  
support contract  
Yes  
Yes  
VPN Specific  
Yes, utilizing dynamic  
routing and Security  
Zones  
New networks can be easily  
added to the VPN  
Yes,  
oDynamic routing  
automatically finds  
available routes  
oRoute-based  
VPNs can switch  
to alternate routes  
in route table  
Reroute around problems with  
minimal human intervention  
Flexibility to do complex VPN  
configurations (e.g. hybrid full  
mesh, hub and spoke) using:  
o
o
o
Rule-based VPNs  
Route-based  
Dynamic Route-  
Based  
Yes  
Yes  
Yes  
Copyright © 2004, Juniper Networks, Inc.  
16  
 
FW/IPSec VPN Buyer’s Guide  
5. Simple Deployment and Installation  
Delivered as an appliance for  
simple deployment  
Yes  
Delivered as software that has to  
be loaded onto hardware  
Multiple deployment options:  
Can introduce interoperability  
issues  
No  
o
o
Transparent mode  
Route mode  
oBGP  
Yes  
Yes  
Yes  
oOSPF  
Yes  
oNAT  
Yes, can be done on  
per policy basis  
Offers multiple ways to interact  
with the system:  
o
Command Line Interface  
(CLI)  
Yes  
o
o
Web interface  
Graphical User Interface  
(GUI)/central  
Yes  
Yes, Juniper  
Networks NetScreen-  
Security Manager  
management platform  
Wizards to guide an administrator  
through tasks, such as initial  
configuration, policy install, VPN  
set up  
Templates available for consistent  
configuration of multiple devices  
Integrated key networking  
functionality for easy integration  
into a network environment, such  
as:  
Yes  
Yes  
oSupport of DIPs allows  
policy-based address  
translations using pools of  
IP addresses to handle  
overlapping IP addresses.  
oMIPs provide one-to-one  
IP mapping for internal  
servers  
oVIPs provides mapping of  
protocols from one public  
external IP to multiple  
internal private IPs based  
on the port. Allows one IP  
address to support Web,  
FTP, e-mail and other  
servers.  
o
o
Dynamic routing protocols  
Virtual Routers  
oSupport multiple  
routing domains  
Multiple methods of  
address translation  
oDynamic IPs (DIPs)  
Support Mapped  
IPsVLANs (MIPs)  
Support Virtual IPs (VIPs)  
Supports NAT  
Yes  
Yes  
Yes  
o
o
Yes  
Yes  
Yes  
o
o
Yes  
oPolicy-based  
oPAT/NAT capabilities  
Yes  
Yes  
Single patches that apply to the  
platform, OS and applications  
Not possible if applications,  
OS and hardware are not fully  
integrated or from the same  
vendor  
Yes  
Ability to maintain the VPN  
abstraction and continue to  
leverage dynamic routing when  
applying the firewall policy  
Tools and services to facilitate  
migration from other Firewall/VPN  
products  
If the firewall policy requires  
the use of IP addresses then  
the management advantages  
of dynamic routing are lost.  
Yes, through Security  
Zones  
Yes  
Copyright © 2004, Juniper Networks, Inc.  
17  
 
FW/IPSec VPN Buyer’s Guide  
Features for Remote Users and Offices  
Remote User solution including  
VPN, firewall, virus and  
application-level protection  
Provides strong remote site  
security:  
Yes  
Eliminates “weak” links with  
affordable solutions  
o
Integrated functionality  
to apply access control  
to remote traffic  
Ability to protect against  
viruses and application-  
level attacks  
Yes  
Yes  
o
o
o
Split tunneling support  
Separation of corporate  
and personal traffic to  
ensure personal/Internet  
traffic cannot enter the  
corporate network  
Yes  
Yes  
through the VPN  
Supports a dial-back-up option to  
ensure connectivity at a remote  
office  
Yes  
Remote office appliance for easy  
installation  
Yes, purpose-built  
device  
Ability to configure a device at  
the corporate office, so that  
technical resources are not  
needed at a remote site  
Easy to manage to ensure  
security experts don’t need to be  
on site:  
Yes, Rapid  
Deployment  
o
Managed using the  
same console as large  
central site solutions to  
ensure consistent policy  
enforcement is  
consistent  
Can be managed  
centrally  
Yes  
Yes  
o
Features for Wireless  
Can separate wireless traffic and  
apply a security policy to it to  
control access  
See Securing Wireless LANS  
white paper at  
ources/whitepapers/enterpris  
e/  
Yes, Security  
Zones  
*Please see specific product data sheets for individual product features, available on the Web site at  
Copyright © 2004, Juniper Networks, Inc.  
18  
 

Invacare Mobility Aid 1487 User Manual
iSimple Car Satellite Radio System ISFD11 User Manual
JBL Home Theater System SB300 User Manual
Jotul Stove F 500 User Manual
JVC Car Video System TM A13SU User Manual
JVC CRT Television PD Z50DX4 User Manual
JVC Home Theater System RX E12B User Manual
JVC TV Receiver TU DB1SFR User Manual
Karcher Carpet Cleaner KMR 1550 B User Manual
King Canada Sander KC 706L User Manual