Determining Your VPN Members and Topology; Using Network Address Translation (NAT); Site-to-Site - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Determining Your VPN Members and Topology

VPN Topology—What do you want to connect? How many devices? How do you want these devices to communicate? Will you have users as VPN members?
Data Protection—How much security do you need? Do you need encryption, authentication, or both? Is security more or less important than performance?
Tunnel Type—Do you want an always-on connection or a traffic-based connection?
VPN Manager or Device-Level—How do you want to create the VPN? Maintain the VPN?
The following sections provide information to help you make these decisions.
You can use a VPN to connect:
Security devices—Create a VPN between two or more security devices to establish secure communication between separate networks.
Network components—Create a VPN between two or more network components to establish secure communication between specific machines.
Remote users—Create a VPN between a user and a security device to enable secure access to protected networks.
NOTE: In NSM, remote users are known as remote access service (RAS) users.
Each device, component, and RAS user in a VPN is considered a VPN node. The VPN connects each node to other nodes using a VPN tunnel. VPN tunnel termination points are the end points of the tunnel; traffic enters and departs the VPN tunnel through these end points. Each tunnel has two termination points, a source and a destination, which are the source and destination zones on the security device.

Using Network Address Translation (NAT)

Network Address Translation (NAT) maps private IP addresses to public, Internet-routable IP addresses. Because your security device is also a NAT server, you can use private, unregistered IP addresses for your internal network, minimizing the number of registered IP addresses you must buy and use.
If you enable NAT, when an internal system connects to the Internet, the security device
translates the unregistered IP address in the outbound data packets to the registered
address of the security device. The security device also relays responses back to the
original system. Additionally, because your internal systems do not have a valid Internet
IP address, your systems are invisible to the outside Internet, meaning that attackers
cannot discover the IP addresses in use on your network.
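The following is an added illustration, not code from the NSM guide: a small model of the source NAT behaviour just described. A security device holding one registered address rewrites outbound packets from unregistered internal hosts, keeps a translation table so that responses are relayed back to the originating host, and drops inbound packets that match no translation. All addresses and ports are constructed sample values (TEST-NET ranges).

```python
# Added example (not from the Juniper NSM guide): port-based source NAT
# (NAPT) as performed by a security device acting as a NAT server.
# Addresses and ports below are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SourceNat:
    """Rewrites outbound packets to the device's registered address."""
    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # public port -> (internal ip, internal port)
        self.reverse = {}  # (internal ip, internal port) -> public port

    def outbound(self, pkt):
        """Translate an internal source to the registered address."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.reverse.get(key)
        if port is None:              # first packet of this flow: allocate
            port = self.next_port
            self.next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Relay a response to the original host, or drop it (None)."""
        # Unsolicited packets to the public address have no translation,
        # so internal hosts are never reachable directly from outside.
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.table:
            return None
        ip, port = self.table[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, ip, port)

def demo():
    nat = SourceNat("203.0.113.1")   # sample registered address
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    reply = nat.inbound(Packet("198.51.100.5", 443, out.src_ip, out.src_port))
    unsolicited = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.1", 22))
    return out, reply, unsolicited
```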

Site-to-Site

Site-to-site VPNs are the most common type of VPN. Typically, each remote site is an individual security device or RAS user that connects to a central security device.
Advantages—Simple, easy to configure.
Copyright © 2010, Juniper Networks, Inc.
