Firewall Migration. Migrating to Juniper Networks Firewall/VPN Solutions. White Paper

Transcription

1 White Paper Firewall Migration Migrating to Juniper Networks Firewall/VPN Solutions Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA JUNIPER Part Number: February 2007

2 Table of Contents Introduction... 3 Drivers for Firewall Migration... 3 Application Performance... 3 Reduce Deployment, Maintenance, and Operations Costs... 4 Reduce Operational Burden... 4 Reduced Number of Firewalls... 5 Evolving Security Threats and Regulatory Compliance... 5 The Plan for a Smooth Firewall Migration... 6 Phase 1: Information Gathering and Audit... 6 Phase 2: Firewall Policy and Configuration Analysis Designing a Zone Configuration Dividing Multi-Zone Object-Groups... 7 Phase 3: Objects and Policy Conversion... 8 Phase 4: Functional Testing and Validation... 8 Phase 5: Production Cutover and Assessment... 8 Conclusion Copyright 2007, Juniper Networks, Inc

3 Introduction Enterprise networks are continually evolving and advancing. As the number and types of business-critical applications increase, so do the performance requirements of the underlying infrastructures. An ever-rising tide of new and more sophisticated security threats, regulatory compliance and general data-protection further impacts infrastructure needs. Add to these issues the pressure to be more cost-efficient, and it becomes apparent why many Security and IT groups are reevaluating the overall effectiveness of their firewall solution. Many of these reevaluations are leading to the decision to migrate to Juniper Networks firewall/ VPN security devices. Juniper Networks platforms provide significant performance, cost, operations, and security benefits over alternate solutions. Additionally, Juniper Networks sales and professional services teams, business partners, and available financial packages help to ensure a smooth and cost-effective migration. This paper outlines the key drivers and benefits of migrating away from existing firewall platforms and presents a structured methodology for a smooth and successful transition to the Juniper Networks solutions. Drivers for Firewall Migration Application Performance Many IT groups are now reassessing the various costs associated with maintaining and supporting separate hardware- and software-based platforms in favor of Juniper Networks firewall/vpn security devices. The Juniper Networks platforms not only offer lower costs, but also offer better performance and functionality over the alternatives. Juniper Networks integrated security devices combine purpose-built hardware with an advanced security-specific operating system (ScreenOS). The concurrently designed and engineered platforms provide excellent small-packet performance, extremely low latency, and high connections per-second rates. Configuration, deployment, management, and maintenance are significantly easier than alternatives, resulting in lower operational expenses, increased security, and reduced downtime. The key drivers and associated advantages that are motivating many migrations to Juniper Networks firewalls include the following: Application performance Reduced total cost of ownership (TCO) Reduced operational burden Reduced number of firewalls Evolving security threats and compliance requirements Acceptable user experience means the underlying network and security infrastructure must meet the specific requirements of each application. The increase in overall traffic from both a general rise in network use and the centralization of servers into fewer places is exceeding the capabilities of older, software-based firewalls to deliver high throughput with low latency. Additionally, some advanced applications, such as VoIP, require performance at real-time or near real-time levels. VoIP users expect quick call setup, as well as clear and consistent audio between the calling parties. To provide a high-quality user experience, the network and security infrastructure must perform well for the latency-sensitive and smaller sized packets of VoIP, while keeping up with the increasing loads of all the other enterprise applications. Copyright 2007, Juniper Networks, Inc 3

4 Another example of an application with strict requirements is Web services, which are highly transaction oriented and which use HTTP, a stateless protocol. These characteristics lead to a high volume of connection requests and teardowns (also called connections per second cps, or connection rate), challenging the processing rates of stateful firewalls. These application requirements may not be a problem for the typical switched LAN infrastructure, but many separate hardware- and software-based firewalls are unable to provide the required performance, even under moderate traffic loads. Compare these firewalls to the integrated security devices from Juniper Networks purpose-built hardware with a securityspecific real-time operating system that is fully optimized for high-performance security environments. Robust high performance is sustained across all packet sizes under heavy network loads, providing security without compromise. Reduce Deployment, Maintenance, and Operations Costs Reducing costs without unduly compromising network defenses is an important principle of sound corporate security policy. The challenge is finding the areas to lower costs without forfeiting security protection. Many companies with separate hardware- and software-based firewalls are recognizing the burden placed on their budgets by excessive, recurring licensing and support fees. The need for two software maintenance agreements for updates and fixes one for the hardware platform s operating system and one for the security application itself - is just the beginning of the additional costs. There are also higher technical support/helpdesk contract costs, typically requiring two purchases per install. Purchasing separate hardware and software products can result not only in higher recurring fees, but also in higher initial capital outlay and ongoing operational expenses. Security software that is licensed and priced by the number of protected IP nodes is a more expensive and less flexible offering. Added costs result from the operational burden of having two separate components to install, configure, and manage: the hardware platform and its operating system, and the security application software. Lastly, separate management consoles one for the hardware platform and the other for the security application software require separate management software packages, as well as separate systems to run them. Separate maintenance and support costs apply to each of these components, as well. The Juniper Networks solution lowers direct costs with one integrated device and one support contract. Comparisons show that the initial cost of a Juniper Networks solution can run as much as 50 percent less than alternatives, while ongoing support and operational costs can be as much as 60 percent less. Reduce Operational Burden A critical aspect of the ongoing process of securing an enterprise network is finding ways to reduce the operational burdens to maintain and support the infrastructure. The simplest operations are the best, since fewer steps generally mean fewer possibilities for mistakes. Many companies have experienced the negative impact on security and availability of maintaining and supporting a separate hardware platform, operating system (OS), and security application software. The separate hardware- and software-based system requires different configuration and management interfaces, with little information sharing or correlation between them. Compounding the situation, patches and fixes may be released independently from the hardware and software vendors, creating chaotic support issues and versioning challenges for customers. Configuration mistakes, compatibility issues between the platform and security software, and problem-isolation difficulties easily translate into greater risk, more time isolating and resolving problems, and increased downtime. 4 Copyright 2007, Juniper Networks, Inc

5 Managing annual license renewals for hardware and security software, as well as node-countbased licensing for the software modules, adds to operational complexity. There are two support contracts and two technical support contact centers, each with its own core competence: hardware platform and OS, and security application software. Getting to the bottom of an issue can be a long and frustrating process. Moving to a firewall platform based on fully integrated software/hardware, such as Juniper Networks, addresses these issues inherent to layered systems. Additionally, Juniper s NetScreen- Security Manager (NSM) offers an easy-to-use centralized management solution that controls all aspects of its integrated firewall/vpn and Intrusion Detection and Prevention (IDP) products including device configuration, network settings and security policy. Reduced Number of Firewalls Many organizations leverage virtualization to reduce their total number of firewalls. Instead of implementing a separate, physical firewall for every network segment, virtualization utilizes a single device for all segment security needs, providing a more cost-effective option. Virtualization is key to enhancing security and easing administration, by allowing the easy division of networks into multiple, logical security segments. Segmentation allows administrators to deploy security across multiple domains from a single firewall appliance, thereby lowering capital and operational expenses. Using the various network segmentation technologies within each firewall appliance, administrators can isolate guests and contractors, employees, and database/application servers into unique, secure domains. Each secure segment will have its own security policy, complete with access control and traffic-inspection parameters. The result is tighter security that can help prevent unauthorized access, isolate attacks, and facilitate regulatory compliance. The Juniper Networks firewall/vpn devices support several virtualization technologies, including Security Zones, Virtual LANs, Virtual Routers, and Virtual Systems. These options let security administrators choose the optimum approach to increase interface density without additional hardware expenditures, to lower policy-creation costs, to contain unauthorized users and attacks, and to simplify the management of the firewall/vpn needs. For example, Virtual System support allows partitioning into multiple security domains, each with a unique set of administrators, policies, firewall/vpns, and address books. Evolving Security Threats and Regulatory Compliance As security threats become more sophisticated and pervasive, the consequences of any data or system compromise can be much more serious. Identity and intellectual property theft have significant ramifications for individual employees as well as for a company s self-interest. Regulatory consequences can apply when a company s protected customer information is compromised, or when corporate financial data is breached. In this environment, enterprises are looking to integrate advanced security like intrusion prevention system (IPS) functionality into their firewall infrastructure. Integrating Unified Threat Management (UTM) security features is attractive for both security and cost reasons at sites with lower throughput needs, such as smaller data centers and branch/remote offices. The UTM umbrella includes Antivirus (AntiSpyware, Anti-Adware, Anti-Phishing), Anti-Spam, and Web Filtering to stop worms, Spyware, Trojans, malware, and other emerging attacks. Juniper Networks offers solutions to integrate IPS functions at very large headquarter and data center sites, along with integrated UTM at other sites. The Juniper Networks Integrated Security Gateway (ISG) series offers the option to implement full Intrusion Detection and Prevention (IDP) functionality, with in-depth analysis of application protocols and context to deliver Zero-Day network and application-level attack protection. Juniper Networks Secure Services Gateway (SSG) family is a new class of security appliances which cost-effectively combines performance, bestin-class UTM security features, powerful routing, and LAN/WAN connectivity. Copyright 2007, Juniper Networks, Inc 5

6 The Plan for a Smooth Firewall Migration The benefits and advantages of having a Juniper Networks firewall/vpn based infrastructure are clear, but the idea of replacing in-place systems may seem daunting. Juniper Networks Professional Services has developed a migration methodology and processes to ease the transition and ensure its success. For over four years, our consultants have used and tuned these processes and tools in the field, successfully migrating many networks of varying sizes across all segments. Breaking the migration into small, manageable steps ensures a smooth transition to a more robust security infrastructure that is well worth the effort. The migration process also presents a useful opportunity to audit, assess, and validate overall security policy. In fact, one valuable outcome of the migration can be better understanding and improved coordination between the company s internal functions, along with a more thoroughly understood and documented security infrastructure. Every network is different and has varying complexities, so Juniper Networks or our partner consultant personnel work closely with the customer s IT and Security staff. At each step, the team works to fully characterize and understand the nuances of a particular migration before proceeding through the defined migration phases. Phase 1: Information Gathering and Audit The first phase in the process with the consultant is to gather all of the information about the current firewall infrastructure and its configuration. Capturing this information is fundamental to a sound security program in any case, so the activity is worthwhile beyond the context of the migration. The types of information gathered include: Network topology Addressing schemes and interface configurations Applications and protocols supported through the firewall Current firewall configurations with policy rule-sets VPN configurations Copies of all information and backups of all configuration files are made, representing the starting state of the system. The consultant then performs an initial review of the existing firewall design and configurations. This step verifies the security goals and effectiveness of the current setup and identifies any areas where the policy and configuration can be consolidated and otherwise cleaned up before the actual migration. At the end of this stage, the current state of the existing infrastructure should be logical, precise, and well understood. Phase 2: Firewall Policy and Configuration Analysis Next, the Juniper Networks consultant fully analyzes the existing firewall security policies and configurations and plans out the design and rule-set specifics that map into ScreenOS features and configurations. Any differences in implementation between the existing system and ScreenOS will be accounted for and flagged for special attention. A copy of the existing firewall configuration files is modified to adjust to ScreenOS feature logic, in preparation for the actual migration. Some of the work at this stage is simply to maximize the effectiveness of the automated script tools that will convert the bulk of the policies. It is also during this process that the customer s staff learns more about ScreenOS, becoming intimately familiar with many of the operations and interfaces. Copyright 2007, Juniper Networks, Inc

7 Designing a Zone Configuration The Security Zone is the basis of the ScreenOS security policy architecture. Zones represent a fundamental difference from other vendors security approaches. During this stage, it is important to define the Security Zone layout on the Juniper Networks firewalls to ensure that the foundation of the new security infrastructure will meet current and future needs from usability, functionality, and security perspectives. The final design of the Security Zone configuration dictates how the current firewall technology s security policy and supporting objects are to be migrated to the ScreenOS-based security policy and objects. Dividing Multi-Zone Object-Groups One of the administrative benefits of the Juniper Networks appliance is the Security Zone architecture, which greatly simplifies policy creation and review. Figures 1 and 2 present the simple modification of an existing firewall configuration that makes the actual policy conversion more straightforward. Group Name Object Zone Server-Objects Server-1 Trust Server-2 Trust Server-3 Trust Server-4 Server-5 Server-6 Figure 1. Flat Object Database for Servers in Existing Firewall With Security Zone architecture, it is possible to group servers logically, so that security policies can be applied more quickly and uniformly, with minimal configuration effort. Group Name Object Zone Trust-Server-Objects Server-1 Trust Server-2 Trust Server-3 Trust -Server-Objects Server-4 Server-5 Server-6 Figure 2. Modification of Object Configuration Modification to the object configuration changes nothing substantive on the existing firewall, but allows it to automatically script into the ScreenOS configuration, thus enabling Security Zone logic. Other, more complex aspects of the firewall configuration and operation such as High Availability, VPN configurations, and Network Address Translation (NAT) are closely examined and mapped into the new architecture, for easier implementation during the actual conversion and cutover. Copyright 2007, Juniper Networks, Inc 7

8 Phase 3: Objects and Policy Conversion In Phase 3, the Juniper Networks consulting engineer employs a set of both automated and manual methods to convert the existing configurations and security policy rule-sets into ScreenOS security policies and configurations. The output of this process is a corresponding ScreenOS configuration file for the replacement firewall/ipsec VPN device. These files are visually verified and loaded into the devices, which are then initially tested for desired functionality. Specific areas of the new configurations include service book and service group definitions, a zone classified address book, and a full set of zone-based security rules. User authentication, NAT configurations, and the local user database may also be included, if used by the particular firewall. Phase 4: Functional Testing and Validation In a fully functional test bed, extensive testing of the Juniper Networks firewall/ipsec VPN infrastructure is performed by the consulting engineer to validate the configurations. Verification covers all operational aspects from security policy rule-sets, NAT, routing policies, and VPN configurations. Additionally, any HA failover scenarios are fully tested and verified, since they may be difficult to test after the cutover to production. Phase 5: Production Cutover and Assessment A plan is developed for the cutover of systems to the production environment, and the consulting engineer works onsite to personally execute and oversee the effort. Assessment and some additional nondisruptive testing may be performed on the production network after cutover, to verify operation and provide any additional fine-tuning that may be required. Conclusion The move is on toward Juniper Networks firewall/ VPN solutions. Enterprises that seek to lower costs and operational burdens while increasing the security and performance of their networks are migrating away from separate hardware/software-based systems and installing Juniper Networks security appliances. The transition is made even more compelling by the firewall migration programs offered by Juniper Networks Professional Services organization and its Service Affiliate partners, which help companies plan and execute a smooth migration to next-generation technologies. Migration and trade-in incentive programs from Juniper Networks and our partners further enhance the financial package. In addition to the core firewall/vpn devices, Juniper Networks offers a full range of advanced security functionalities such as intrusion prevention, Unified Threat Management (inclusive of Antivirus, AntiSpyware, Anti-Spam, Web filtering), LAN Access control, and secure remote SSL VPN access. Juniper Networks also has a full range of routing, WAN, and application acceleration/ optimization products. For more information on Juniper Networks products and solutions or firewall migration benefits and programs, contact your local partner or representative. Copyright 2007, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. 8 Copyright 2007, Juniper Networks, Inc