Netscreen Technologies: March 2002 Technical Overview Richard Cassidy, Se Emea

NetScreen Technologies
March 2002 Technical Overview Richard Cassidy, SE EMEA
NetScreen Confidential Internal Use Only
Resource for Resellers

Partner Website
All Netscreen Sales Tools
Presentations, white papers, product sheets, competitive analysis and more
EMEA Presales Mailing List

For all Netscreen Premier, Authorized and Approved Partners Only!!
Mailing list, monitored by all EMEA Systems Engineers.
Support Website
Comprehensive Technical Resource
TAC online, Manuals and User guides
Technical Mailing List

Once a month comprehensive Netscreen Technical Update via e-mail
Latest Product Info and Releases. Technical tools and partner updates.
Webcasts
Netscreen on-line training courses
2
NetScreen by design:
Enforce Maximum Security without sacrificing:
Performance
Interoperability
Scalability
Reliability
Manageability
Flexibility
NetScreen Product Overview

NetScreen Security Systems
Integrated security systems and appliances

ICSA certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI, NAT acceleration and traffic management 10Mbps to 2Gbps Firewall 10Mbps to 1Gbps 3DES IPSec VPN
NetScreen-500 NetScreen-1000
NetScreen Security Appliances

NetScreen-200 Series NetScreen-50 NetScreen-25 NetScreen-5XP
NetScreen Security Mgmt & Client

NetScreen-Remote NetScreen-Global PRO / Global PRO Express
4
Resilient, solid-state solutions with high availability architectures Policy-based management of devices and remote users
How it all began

Just like ASIC-based switches fought and prevailed in enterprise and service-provider backbones, the software vs. hardware fight is on in the security area. Any network manager looking to secure true high-performance networks better take heed. Kevin Tolly is President and CEO of Tolly Research/The Tolly Group.
Expensive, slow, multipurpose computers
Purpose-built HW/SW Appliances
ASIC-Accelerated Dedicated Hardware
Expensive, slow, multipurpose computers
Purpose-built HW/SW Appliances
ASIC-Accelerated Dedicated Hardware
Where it continues to go
ASIC-Acceleration
Hardware & Software

Software
The NetScreen Difference

Industry-leading performance and bulletproof security through next-generation architectures: Lightening fast, crypto-accelerating ASIC Purpose-built, security-optimized ScreenOS Highly-efficient hardware designs combining single and multiple ASICs along with single/multi/parallel RISC-based processors Tight Integration of Core Technologies Stateful Screening Firewall VPN / PKI Attack Detection and Protection Traffic Shaping / Bandwidth Management Comprehensive methods of device management End-to-end solutions offering flexible network architectures Best-of-Breed partnerships and alliances
At the speed of silicon

NetScreen MegaScreen 250 Mbps 86 Mbps 250 Mbps 400 Mbps No Yes No Policy Engine NetScreen GigaScreen 1200 Mbps 400 Mbps 1200 Mbps 450 Mbps Yes Yes 200Mbps Policy/NAT Engine Hi/fn 7751 164 Mbps 83 Mbps 96 Mbps 80 Mbps No No 122 Mbps No Hi/fn 7811 527 Mbps 252 Mbps 290 Mbps 244 Mbps Yes No 185Mbps No
DES 3DES MD5 SHA-1 Public Key Accelerator Random # Generator RC4 Firewall
NetScreen Hardware Architectures

NS1000 Mid-plane switching fabric, multi-bus w/fiber interconnects, multi-parallel processors, multi-GigaScreen ASICs NS500 Multi-bus, multi-interface card, single board, GigaScreen ASIC
NS100/200 Series Multi-bus, single board, GigaScreen ASIC

NS25/50 Single bus & board, GigaScreen ASIC NS5xp Single bus & board, GigaScreen ASIC
NetScreen Built for Performance
Traditional Design
In Out
NetScreen Design
CPU In Out I/O RAM
CPU
I/O
RAM
VPN CoProcessor
Bus
- Multiple passes across the bus - No separation of the data & control planes
- Single pass across the bus - Separation of data & control planes
10
However, the ASICs arent everything .

Efficient Hardware Designs
RISC Processors
(Management, housekeeping, etc.)
Purpose-built Operating System -- ScreenOS

11
NetScreen Security Solutions

Next Generation Security Systems and Appliances
12
Managed Security for Small & Medium Enterprises

Managed security services are growing rapidly among small and medium enterprises
In 1999 it was a $14M market Expected to be over $630M by 2005
Source: the Yankee Group, 2000

13
Product Overview: NetScreen-5xp Telecommuter, SOHO, Small Branch Office
Integrated Firewall, VPN and Traffic Mgmt.

Stateful inspection firewall NAT, PPPoE and DHCP client, server & relay VPN
Site to Site & Client to Site Supports IPSec 3DES, DES & AES encryption standards Supports L2TP for Windows interoperability
Performance & Capacity

10 Mbps firewall 2000 concurrent sessions 10 Mbps VPN 3DES 10 IPSec VPN tunnels
Bandwidth reservation and DiffServ marking
Award-wining and proven technology since 1999 2 port auto-sensing 10/100 Ethernet Trust, Untrust AC power
Ships with ScreenOS 3.0

14
NS5xp/25/50 Architecture
SRAM
MPC8xx
PCMCIA Interface RS232 UART RTC
Power PC Core
SDRAM
NetScreen GigaScreen/ ASIC
32-bit/48MHz bus
MAC 1
PHY
Trusted
15
MAC 2
PHY
Untrusted
MAC 3
PHY
NS25/50
MAC 4
PHY
NS25/50
Flash
Boot ROM
NetScreen-5XP vs. NetScreen-5

Appliance Features NetScreen-5XP ASIC CPU Redesigned Chassis RAM Flash Asset Recovery Switch Concurrent sessions Faster Performance GigaScreen Cable access from rear 32 MB 4 MB Yes 2000 10 Mbps 3DES NetScreen-5 MegaScreen Cable access from front 16 MB 2 MB No 1000 5 Mbps 3DES
MPC850 48 MHz MPC850 33 MHz
16
NetScreen-5XP Hardware Features

Proven Hardware Architecture
GigaScreen ASIC
Broadband enabled
2 port 10Mbps Full Duplex 10BaseT Ethernet
Easily Managed
RS232 serial console port for management Asset Recovery Switch
Small Footprint 5L x 6W x 1.25H
17
NetScreen-5XP Software Features

Proven Software Architecture
ScreenOS 2.6.0: shared code base with all NetScreen products ICSA Certified, stateful-inspection firewall and IPSec
Transparent, Route, and NAT modes of operation Traffic Management: 8 levels of priority, plus guaranteed & maximum bandwidth, defined by policy 10 IPSec VPN Tunnels 2000 Firewall Concurrent Sessions
18
NetScreen-5XP Performance
Full duplex 10 Mbit line speed Symmetrical Performance 10 Mbps 3DES VPN 10 Mbps Firewall Latency reached a record low of 380 Sec (or 0.38 mSec) for support of new applications
VoIP Streaming media
19
NetScreen-5XP Performance
NS-5XP Bi-Directional Performance Results
20.00 18.00 16.00 14.00 12.00 10.00 8.00 6.00 4.00 2.00 0.00
Bandwidth (Mbps)
64
100
200
300
400
500
600
700
800
900 1000 1100 1200 1300 1400 1500 1518
Bytes/Packet
NAT
20
DES
3DES
DES+MD5
3DES+MD5
DES+SHA-1
3DES+SHA-1
NetScreen-5XP Markets & Needs

Multi-site Enterprise Networks Access Service Providers
Need low cost, easy to deploy security solution with the shortage of IT staff Remote offices and telecommuter locations need secure access to central site Need features for broadband service offerings Looking to offer value-added services Want to deliver services with low operating costs and easy to manage multiple sites Need solutions for all customer environments Want to deliver services with low operating costs and easy to manage multiple sites
Managed Security Service Providers
21
Competitive Landscape
Appliance Features Users NetScreen-5XP 10-user/Elite 10 / Unrestricted Cisco 506 10 SonicWALL SOHO2 50 Firewall, VPN
2 10/100 Ethernet
Nokia IP110 50
Nokia IP55 50
Target Functionality Hardware Interfaces Concurrent sessions

VPN tunnels RAM/Flash IPSec 3DES Performance Firewall Performance ASIC based performance
Firewall, VPN, Firewall, VPN Traffic Management

2 10-BaseT Ethernet 2 10-BaseT Ethernet
Check Point Firewall, VPN

3 10/100 Ethernet & 2 Serial V.35
Check Point Firewall only

4 10/100 Ethernet ADSL /G.lite WAN.
2000 10 32MB / 4MB 10 Mbps 10 Mbps Yes
64000 4 32MB / 8MB 6 Mbps 8 Mbps No
6144 10 8MB / 3MB 2 Mbps 70 Mbps No
4500 50 64 MB / NA 2 Mbps 80 Mbps No
NA NA 16MB / 2MB NA 8 Mbps No
List Price
$495 / $995
$1,995
$995
$2,495*
$1,295
*Additional Check point 50 user license fee of $4995 required.

22
Cisco 506
High Price
$1995 list for a 10 user license 4 Tunnels supported vs. NetScreens 10 tunnels.
Low number of VPN tunnels supported for the price No ASIC support for VPN acceleration Hard to configure manage and deploy
Need to understand Cisco IOS/PIX CLI to configure VPNs or any other configuration. GUI support is limited to basic tasks. Limited real time logging and alarm capabilities.
Low performance
Firewall throughput 8 Mbps vs. NS-5XP 10 Mbps 56-bit DES throughput 6 Mbps vs. NS-5XP 10 Mbps 168-bit 3DES throughput 6 Mbps vs. NS-5XP 10 Mbps
23
SonicWALL SOHO2 and TELE2

High Price
TELE2 costs $595 for 5 users with 5 VPN tunnels
SOHO2 costs $990 - $1490 for 10/50 users with 10 VPN tunnels
No ASIC support for VPN acceleration Low VPN Performance

2 Mbps
Anti Virus is not performed at the appliance contrary to perception Lack of Secure Remote Manageability
24
Nokia IP110
High Price
IP110 base cost $2,495 + Check Point 50 user license fee $4995 =$7490.
Low VPN Performance

No Luna VPN accelerator card. IP110 3DES IPSec throughput 2 Mbps compared to 10 Mbps for NetScreen-5XP.
No traffic management. Hard to configure manage and deploy Lack of Single Support Point
25
Nokia IP51 and IP55

Firewall only product
The Nokia IP51 and IP55 small office appliance integrates Check
Point FireWall-1 SmallOffice only
Lack VPN support and Traffic Management capability High Price for limited functionality
IP51 lists for $895, and IP55 lists for $1295; compared to 5XP price of $995 integrating Firewall, VPN and Traffic Shaping.
Do not have ICSA certification on the appliance Lack of Single Support Point
26
Supporting Documentation
This presentation Datasheetnew appliances datasheet New price list with detailed pricing and options Competitive analysis Product FAQ NetScreen-5XP white paper
27
NetScreen-50 and NetScreen-25

Solutions for Branch Office and SME Networks
28
Product Overview: NetScreen-25 Small Enterprise / Small Office


100 Mbps firewall 4,000 concurrent sessions 20 Mbps VPN 25 IPSec VPN tunnels
4 port auto-sensing 10/100 Ethernet

3 ports active today 4th port enabled subsequent software release 1H CY02 4th port will provide 2nd DMZ option No HA support

29
AC power
Product Overview: NetScreen-50 Small/Medium Enterprise / Branch Office


170 Mbps firewall 8,000 concurrent sessions 50 Mbps VPN 100 IPSec VPN tunnels
4 port auto-sensing 10/100 Ethernet

3 ports active today 4th port enabled subsequent software release 1H CY02 4th port will provide high availability or 2nd DMZ option

30
AC power; DC option
The NetScreen-50 and NetScreen-25

Serial Console and Modem DMZ Reserved (Available
1HCY02)
Status LEDs
Compact Flash
Trust
Untrust
31
NetScreen-50 & NetScreen-25 Key Software Features

NAT, Route, and Transparent modes of operation
Includes NAT on a per-policy basis for policy-based address translation
Robust attack prevention including SYN, ICMP, and port scan attacks
3DES and AES encryption using digital certificates or IKE auto-key IPSec NAT traversal
Allowing IPSec VPN tunnels to be established through NAT, PAT, or NAPT devices
Traffic management for bandwidth allocation and traffic prioritization

Allocate bandwidth per policy for the most effective use of available bandwidth
Support for PPPoE and DHCP client

Allows deployments into DSL or cable networks with dynamic IP assignment
DHCP server or DHCP relay agent

High availability with stateful firewall and VPN fail-over*
* Not at initial release and only on the NetScreen-50
32
NetScreen-25 Competitive Matrix

NetScreen-25 SonicWALL PRO Cisco Pix 515R Nokia IP 120(Check Point) WatchGuard Firebox 700
Stateful Inspection Yes Firewall and VPN

Traffic Management Yes
Yes
Requires VPN License for 3DES

No
Yes
Yes
No
No
No
VPN acceleration
NAT traversal Policy-based NAT
Yes
Yes Yes
No
No No
Extra Cost
No Yes
No
CP clients to FW-1 only Yes
No
No No
PPPoE support
DHCP server
Yes
Yes
Yes
Yes
No
No
No
No
Yes
No
33

NetScreen50 Stateful Inspection Firewall and VPN Traffic Management VPN acceleration NAT traversal Policy-based NAT Stateful HA Yes SonicWALL Pro-VX Yes Cisco Pix 515UR Nokia IP Nokia CC 330(CheckPoi 2500 nt) No Requires VPN Requires License for 3DES VPN license No Extra Cost No Yes Firewall Only Requires add. CP License Extra Cost CP clients to FW-1 only Yes Yes
Yes Yes Yes Yes Yes*
No Yes No No No
No Yes Remote client only No VPN Only
PPPoE support
DHCP server
Yes
Yes
No
No
No
No
No
Yes Yes Yes * Available when 4th port is enabled
34
Additional Sales Opportunities: Better Market coverage = More $ales !!!

Customer
Enterprise Branch / Medium Enterprise central site / e-business / web hosting
10/100, High Availability, Price Sensitive
What you used to sell

NetScreen-100
What to sell now !

NetScreen-100
Missed Opportunities
NetScreen-10
NetScreen-50
SME or Branch Office
Enterprise Branch Office / Small Medium Enterprise

Low Bandwidth, DMZ, Price Sensitive
Missed Opportunities
NetScreen-25
Small Enterprise or Small Office
Remote Office / Home Office
NetScreen-5XP
NetScreen-5XP
35
Product Overview: NetScreen-100 Medium/Large Enterprise / Branch Office

Stateful inspection firewall NAT, PPPoE and DHCP server & relay, Load-balancing VPN

200 Mbps firewall 128,000 concurrent sessions 185 Mbps VPN 3DES 1000 IPSec VPN tunnels
Award-wining and proven technology since 1998 3 port auto-sensing 10/100 Ethernet Trust, Untrust, DMZ High Availability options
Active/Standby, Active/Active (1H 02)

36
AC power; DC option
NS100 Architecture
SRAM
CPU
(MIPS R5000)
64bit/66MHz bus
SDRAM
Packet Memory
(Dual Port)
NetScreen GigaScreen ASIC & Memory
Host Bridge
(GT64120)
64bit/66MHz bus 32bit/33MHz PCI
Flash MAC 1 PHY

Trusted
MAC 2 PHY
DMZ
MAC 3 PHY
Untrusted
PCMCIA Interface
RTC
UART RS232
37
NetScreen-100 IPSec Performance

Zero-loss Throughput Across an IPSec (3DES, SHA-1) Tunnel: Bidirectional SmartBits 100 Mbit/s Full-duplex Fast Ethernet (UDP Packets)
100%
% of theoretical maximum
95%
80% 65% 60% 40% 20% 15% 0% NetScreen-100 Check Point FireWall-1/ VPN-1 64-byte packets 1,024-byte packets Nokia IP650 Cisco PIX-515 5% 10% 5% 5% 60%
Source: Tolly Group, 2001

38
512-byte packets 1,518-byte packets
NetScreen-100 New Connections per Second

TCP/IP Connection Rate Across a "Single-Rule" Firewall: SmartBits Full-duplex, Fast Ethernet
Average number of TCP connections per second
20,000 15,000 10,000 5,000 0

NetScreen-100
19,048
3,402 1,600
Check Point FireWall-1/VPN-1
Cisco PIX-515
Source: Tolly Group, 2001

39
NetScreen-200 Series
Solutions for Enterprise Central Sites and Service Provider Environments
40
Introducing The NetScreen-204 & NetScreen-208

Integrated Firewall, VPN and Traffic Management Performance & Capacity
550 Mbps firewall NAT (NS-208) 400 Mbps firewall NAT (NS-204) 128,000 concurrent sessions 13,000 new sessions per second 200 Mbps 3DES VPN 1,000 IPSec VPN tunnels
Stateful inspection firewall with advanced firewall and DoS attack protections IPSec VPN with 3DES, DES, L2TP & AES Bandwidth prioritization and reservation and/or DiffServ marking 4 or 8 auto-sensing 10/100 Ethernet Transparent, NAT, and Route mode ports High availability with full FW and All ports active today VPN synchronization Auto-correct to DCE or DTE Ships with ScreenOS 3.1
AC power; DC option available soon

41
NetScreen-200 Series Hardware Features

Six System-status LEDs:
Power, Status, HA, Alarm, Sessions, Flash
CompactFlash slot supporting 96 and 512MB cards
HW-based asset recovery switch
Console and out-ofband modem ports
8 interfaces on the NetScreen-208 4 interfaces on the NetScreen-204
42
NetScreen-200 Series ScreenOS Features

ScreenOS 3.1.0
All interfaces can be used with nearly generic feature support
Firewall attack prevention on every interface VPN tunnels terminating to any interface, providing support for applications such as WLANs Support all physical interfaces
Features from ScreenOS 3.0 VPN Enhancements

NAT Traversal for IPSec Generic IKE IDs Advanced Encryption Standard
Device Management
NetScreen MIBs Logging Enhancements
All interfaces support up to 28 common attacks such as syn flood, port scan, and others Familiar Trust, Untrust, and DMZ security zones available for easeof-use and backward compatibility
43
Certificate Management
Automated Certificate Enrollment (SCEP) Online Certificate Validation (OCSP)

NetScreen-204 Firewall performance 3DES VPN performance # Interfaces Stateful HA Traffic Management NAT traversal VPN to any interface Transparent mode Extras 400 Mbps 200 Mbps 4 Yes Yes Yes Yes Yes N/A Cisco PIX 525R 370 Mbps ~ 70 Mbps with accelerator card 2, up to 6 No, upgrade to UR (FW-only) No No No No 3DES lic.: $3,000 VPN card: $7,500 Nokia IP440 (Check Point) 185 Mbps ~ 45 Mbps with accelerator card 4, up to 16 Yes No CP clients to FW-1 only Yes No VPN card: $1,000 SonicWALL GX 2500 200 Mbps 192 Mbps 3 No No No No Yes N/A
Source: Vendor and third party documentation

44

NetScreen-208 Firewall performance 3DES VPN performance # Interfaces Stateful HA Traffic Management NAT traversal VPN to any interface Transparent mode Extras 550 Mbps 200 Mbps 8 Yes Yes Yes Yes Yes N/A Cisco PIX 525UR 370 Mbps ~ 70 Mbps with accelerator card 2, up to 8 Firewall only No No No No 3DES lic.: $3,000 VPN card: $7,500 Nokia IP530 (Check Point) 550 Mbps 47 Mbps with accelerator card 4, up to 16 Yes No CP clients to FW-1 only Yes No VPN card: $3,000 SonicWALL GX 2500 200 Mbps 192 Mbps 3 No No No No Yes N/A
Source: Vendor and third party documentation

45
NetScreen Virtual Systems

Vsys #1 Vsys #2 Vsys #3
250 Virtual Systems (VSYS) Per Virtual System - address book, policies and management Firewall and VPN configured per VSYS Able to support multiple security domains or customers without sharing policy
46
Virtual Systems
Security Domain Per Customer 250 Security Domains Per NetScreen-1000
Private Links to Customer Cages SW 10/100
Traffic Mapped to VLANs via Virtual Systems
SW 10/100
100/1000
Switch SW 10/100
IEEE 802.1Q VLAN Trunk 500 VLANs
Inbound VPNs or Web Traffic
*Available on the NS500 & NS1000 Security Systems

47
Reduced Infrastructure Deployment and Management

Customers
Internet

Single NetScreen device can handle the needs of 500 or more customers
Traffic Mapped to VLANs via Virtual Systems IEEE 802.1Q VLAN Trunk 100 VLANs Private Links to Customers
Untrust
Trust
Integrated firewall and VPN capabilities Implementation of 802.1q VLANs providing the ability to manage multiple customers from a single security system A Virtual System
Saves rack space Reduces capital cost Eases management and administration Simplifies network architecture
VLAN1
VLAN2
VLAN3
48
Separate Vs shared Virtual Systems for multi-customer deployments

Separate Virtual Systems Customer/Admin mgmt Customer logs
Parse by Vsys
Shared Virtual Systems Provider mgmt only Customer logs

Parse by IP
Unique Firewall & VPN configuration per customer / Vsys
Firewall policy based on IP addr / VPN not practical due VPN authenication issue
49
NetScreen-500
High-performance Security System for Enterprise Central Site and Data Center Environments
50
The NetScreen-500
High security
ICSA-certified firewall and VPN FIPS 140 ready
Redundant
High availability features Internal system redundancies (swappable fans, power) Separate traffic and management bus
High performance
250 Mbps 3DES IPSec VPN 700 Mbps stateful firewall
High capacity
10,000 IPSec tunnels 250,000 concurrent sessions 22,000 new sessions per second
Flexible
Multiple ports AC/DC power Virtual Systems
51
NetScreen-500 Hardware Features

Proven hardware architecture
GigaScreen ASIC Multi-bus architecture: Separate Management & Traffic Bus
Highly resilient design

Dual Hot Swappable Power Supplies (DC or AC) Hot Swappable Fan Tray Redundant 10/100 HA interfaces
Easily managed
2 DB-9 Serial RS-232, Console and Modem Dedicated out-of-band 10/100 management port Programmable LCD and diagnostic LEDs
Versatile form factor

2U, 19 Rack-mountable 4 I/O Module Bays for interface modules
52
NS500 Architecture
53
The NetScreen-500
LCD
Interface Module Bays
Modem
Console
Management
Dual HA
Fan Module
Hot Swappable AC or DC Power Supplies

54
NetScreen-500 Software Features

Proven Software Architecture
ScreenOS 2.6.0: shared code base with all NetScreen products ICSA Certified, stateful-inspection firewall and IPSec
Transparent, Route, and NAT modes of operation Traffic Management: 8 levels of priority, plus guaranteed & maximum bandwidth, defined by policy Up to 25 Virtual Systems and 100 VLANs High Availability (through redundant, dedicated HA links): complete with full session and VPN synchronization
55
NetScreen-500 vs. Cisco PIX 535 & VPN 3080

NetScreen-500 Firewall Performance
(4,000 sessions, 1000-byte packets)
Cisco PIX 535

675 Mbps Max 100 Mbps via $7,500 hardware upgrade
Cisco VPN 3080

No firewall 100 Mbps
700 Mbps 250 Mbps
3DES VPN
VPN Tunnels
Sessions New Sessions/Sec. Virtual Systems
10,000
250,000 22,000 0, 5, 10, 25
2,000; license required

500,000 7,000 No, up to 8 physical interfaces
10,000
No firewall No firewall No, 3 physical interfaces
Transparent Mode
HA w/ Full Session & VPN Synchronization List Price
Yes
Yes $24,995, ES system with 2 10/100 interfaces $34,995, ES system with 2 GBIC interfaces
No
Yes $73,600 with 2 10/100 interfaces.
No
VPN synchronization $75,000 for redundant pair + cost of firewall
Price listed as US List Prices in US$. Appropriate price changes should be made for in-country pricing
56
NetScreen-500 vs. Nokia IP530 & IP650

NetScreen-500 Firewall Performance
(4,000 sessions, 1,000-byte packets) 700 Mbps
Nokia IP530
400 Mbps Check Point license required < 20 Mbps, 50 Mbps with accelerator card 4,500, Check Point license required Est. 2,000 Up to 16 interfaces Yes, not redundant No, AC only $30,985*
Nokia IP650
235 Mbps, Check Point license required < 20 Mbps, 40 Mbps with accelerator card 4,500, Check Point license required Est. 2,000 Up to 20 interfaces Yes, redundant Yes, AC only $34,985*
3DES VPN (1,000-byte

packets)
250 Mbps 10,000 22,000 0, 5, 10, 25 No Yes, DC or AC $24,995, ES system with 2 10/100 interfaces
VPN Tunnels New Sessions/Sec. Virtual Systems Hard Disk Drives Redundant Power List Price
Price listed as US List Prices in US$. Appropriate price changes should be made for in-country pricing *IP530 and IP650 configured with: base chassis, Luna VPN accelerator card, single AC power supply, Check Point license for 250 IP addresses with firewall and VPN functionality. An unlimited IP license requires the central management console to be purchased (about $10,000 extra)
57
NetScreen-500 Firewall Performance Under Session Load

Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets
NetScreen-500
800 800
Cisco PIX 535

Aggregate Throughput (Mbps)*
Aggregate Throughput (Mbps)*
600
600
400
400
200
200
0 5,000 10,000 25,000 Simultaneous UDP Sessions

64 512 1,024 1,518 Packet size, bytes
0 5,000 10,000 25,000 Simultaneous UDP Sessions

64 512 1,024 1,518 Packet size, bytes
Source: The Tolly Group, May 2001

58
*1% packet loss threshold

The NetScreen - 1000
High-performance & High Bandwidth Security System for Demanding Enterprise and Service Provider Environments
59
Product Overview: NetScreen-1000

Gigabit Performance
1 Gbps 3DES IPSec VPN 2 Gbps firewall and NAT
High Capacity
Firewall: Stateful inspection - 500,000 sessions VPN: 25,000 IPSec tunnels
High availability/redundancy
Hot swappable power supplies, fans, cards Mirrored configuration maintains sessions through a failover
Multi-customer architecture for managed security services

Up to 250 virtual systems (VSYS) and 500 VLANs Per VSYS address book, policies and management
60
NetScreen-1000 Target Segments

NetScreen-1000ES (Enterprise System Bundle)
Customer or Managed Security Provider deployments Firewalls for intranets or campuses VPN branch and remote access Metro area firewall / VPN Hosted e-businesses
NetScreen-1000SP (Service Provider Bundle)

Internet data center - managed security services Application infrastructure provider Data center wide deployments with tremendous cost structure advantage
THE SP HAS BEEN SHIPPING SINCE May 2000
61
NetScreen-1000
Switch Card
Security Processor Cards (from 2 to 6) Management Interface Card with Separate OoB HA interfaces
Redundant Power Supplies and Power inputs
Fans
62
NetScreen-1000 Switch II
HA
P r o c e s s o r I n t e r c o n n e c t s 63
2 - Trust Interfaces (MT-RJ) 2 - Untrust Interfaces (GBIC)

SX and LX option (default is SX)
2 - HA Interfaces (MT-RJ) 6 - Processor Board Interconnects Status LEDS

Power and Link
Note: Redundant GE and HA interfaces require new ScreenOS
NetScreen-1000 Switch II Benefits

Greater throughput
HA
P r o c e s s o r I n t e r c o n n e c t s 64
Up to 2 Gbps firewall
Support for LX Interface

Untrusted Interface
Hardware support for future software capabilities e.g.

Meshed network support* Active Active support* Redundant HA links*
* New ScreenOS required
NS1000 Architecture
Each with its own RISC processor and GigaScreen ASIC Backplane Bus (Compact PCI)
Gbit
Processing card Processing card Processing card Processing card Processing card
Trust
Gbit
Gbit
Untrust
Gbit
Switch card
Gbit Gbit Gbit Gbit
1st packet in session forwarded to Master Policy lookup Packet classification Load balanced handoff to processor cards Configure switch
2nd+ packet Session status hand-off from master Packets forwarded by switch card Policy enforcement Encryption, firewall, NAT Hot failover between cards
Processing card
Aux card
100BaseT Management
65 Flash Card
HA
Console
NetScreens Hardware Product Line

Product NetScreen1000 NetScreen-500 NetScreen-208 NetScreen-204 NetScreen-100 NetScreen-50 NetScreen-25 NetScreen-5XP NetScreenRemote
66
Max Throughput 2G FW & 1G VPN 750M FW & 250M VPN 550M FW & 200M VPN 400M FW & 200M VPN 200 FW & 185 VPN 170M FW 50M VPN 100M FW 20M VPN 10M FW & VPN Varies by PC
Max Sessions 500,000 250,000 128,000 128,000 128,000 8,000 4,000 2,000 NA
Max # VPN tunnels 25,000 10,000 1,000 1,000 1,000 100 25 10 1
Max # Policies 40,000 20,000 4,000 4,000 4,000 1,000 500 100 NA
Max # Vsys 250 25 NA NA NA NA NA NA NA
HA Yes A/A Yes A/A Yes A/P ** Yes A/P ** Yes A/P ** Yes A/P * No No No
A/A = Active-Active High Availability * Available when 4th port is enabled NetScreen Confidential Internal Use Only A/P = Active-Passive High Availability ** To be updated to Active-Active 1HCY02
Bottom Line
NetScreen Security Systems have been built from the ground-up with the purpose of removing the performance factor from the equation to allow decision-makers to concentrate on solving the real problem of conquering security challenges and network management issues.
67
Resource for Resellers

Partner Website
All Netscreen Sales Tools
Presentations, white papers, product sheets, competitive analysis and more
EMEA Presales Mailing List

For all Netscreen Premier, Authorized and Approved Partners Only!!
Mailing list, monitored by all EMEA Systems Engineers.
Support Website
Comprehensive Technical Resource
TAC online, Manuals and User guides
Technical Mailing List

Once a month comprehensive Netscreen Technical Update via e-mail
Latest Product Info and Releases. Technical tools and partner updates.
Webcasts
Netscreen on-line training courses
68
Questions
69
NetScreen Systems & Appliances Features
70
Stateful Screening
Next Generation Stateful Inspection
71
Screening
Alternatives
Access Control Lists Application Proxies
NetScreens Architecture
Policy-based stateful screening
72
Stateful Inspection
Policy classification includes: Security zones IP addresses Transport protocol Transport ports Applications Policy actions include: Deny Permit Authenticate Log Count
73
Packet Flows
Classified by PROTO Identified by SIP, DIP Session is bundle of forward and reverse flows
Initiating Flow
Responding Flow
74
IP Packet
0 Ver 7 8 15 16 Hdr Len Service Type Identification Flags Time To Live Protocol Source IP Address Destination IP Address IP Options (If Any) Data 23 24 Total Length Fragment Offset Header Checksum 31
Padding
Blue = Normal Flow Classifiers Yellow = Fragment Flow Classifiers
75
UDP Packet
0 7 8 Source Port Length 15 16 23 24 Destination Port Checksum 31
Data
Blue = Normal Flow Classifiers
76
TCP Packet
Source Port Destination Port Sequence Number Acknowledgement Number Code Bits Options Data
Hdr Len
Reserved Checksum
Window Urgent Pointer Padding
Blue: Normal Flow Classifiers Yellow: TCP State and Sequence Check
77
Packet Walk
Receive
Hash Classifiers
Session Lookup
No
Yes
Screen Packet
Send
NS-1000 Firmware Operation

NS-1000 Hardware Operation
Path Lookup
No
Yes
Policy Lookup
No
Yes
Create Session
Drop
Drop
78
Key Stateful Screening Benefits

Full-Featured Stateful Inspection Layer 3-7 Inspection Well-Known, Proven Technology Scalable Algorithms ASIC Accelerated Session Setup Questions?
79
Traffic Management
Next Generation Quality of Service
80
Traffic Shaping
Alternatives
Priority Queuing Class-Based Queuing (CBQ) TCP Rate Control ATM Generic Cell Rate Algorithm (GCRA)
NetScreens Architecture
Bandwidth Guarantees, Maximums, Priorities Hardware Accelerated Algorithms
81
ATM Generic Cell Rate Algorithm

Leaky Bucket Algorithm Proven High Traffic Wasteful Bursts
82
Double Token Bucket

Shares Excess Tokens Priority Allocation of Shared Tokens 8 Priority Classes
83
NetScreen Algorithm
Double Token Bucket Algorithm Controlled by Guaranteed Bandwidth (GBW), Maximum Bandwidth (MBW) and Priority Per Policy Classification and Queues
84
Integrated Policy Management
85
Key Traffic Management Benefits

Edge-to-Edge Classification DiffServ TOS Bit Marking ASIC Accelerated Classification End-to-End Quality of Service Service Level Agreements White Paper: http://www.netscreen.com Products->White Papers
86
Questions
87
Transparent Mode All Interfaces

No changes required on any end station, router or server Routing protocols and VLAN tags can be configured to pass through the NetScreen in transparent mode The NetScreen offers full firewall and VPN capabilities
Intranet Web 2.2.2.5 Trust 0.0.0.0 Untrust 0.0.0.0
Internet
Corp Mail 2.2.2.6

Intranet DNS 2.2.2.7 AdminPC 1 2.2.2.13 AdminPC 2 2.2.2.18 AdminPC 3 2.2.2.33
88
NetScreen
DMZ 0.0.0.0
Corporate Web 2.2.2.2 Mail Relay 2.2.2.3 DMZ DNS 2.2.2.4
Internet Router 2.2.2.254
2.2.10.0 2.2.20.0 2.2.30.0 Sales Support Marketing
VPN/PKI
Next Generation Privacy and Authentication
89
VPN FEATURES
IPSEC Netscreen is ICSA certified (www.icsa.net) Manual Keys, IKE, and Group IKE X.509 Certificate (PKI) support Policy based VPNs (Full firewall control of traffic through tunnel) Hub and Spoke VPNs Support of NAT within the VPN tunnel Support of Dynamically addressed VPN gateways (and dial users) L2TP/IPSEC for Win2K native VPN dial support Redundant Gateways SCEP and OCSP
90
IPSEC Interoperability
Real world implementations with:
Checkpoint, Cisco, Nortel, Sonic Wall, WatchGuard, Microsoft, etc.
ICSA certified Netscreen as a reference member with the following products:

Lucent, Brick Network Associates, Gauntlet Nortel, Contivity SafeNet, Soft-PK Client Secure Computing, SideWinder Others
91
Multiple Hub and Spoke VPN

Flexible VPN Network Architectures The Hub and Spoke is not limited to a single hub. Several branch or regional hubs can be interconnected via a full mesh, or even another hub.
NetScreen-5 Small office NetScreen-10 Branch office 1
NetScreen-5 Small office
NetScreen-5 Broadband telecommuter NetScreen-5 Small office NetScreen-100 Central office
VPN Tunnels NetScreen-5 Broadband telecommuter

92
NetScreen-5 Broadband telecommuter
NetScreen-10 Branch office 2
Encrypted Traffic
Policy NAT For Dial-up VPN

1.1.1.1 10.0.0.0/8 2.2.2.2
Internet
Dial-Up NAT Pool 10.1.1.0/24 1.1.1.1 -> 10.1.1.1 2.2.2.2 -> 10.1.1.2 3.3.3.3 -> 10.1.1.3
Corp Net
3.3.3.3 NetScreen Remote VPN clients
NAT Pool is defined as subnet of trusted network Each client is dynamically assigned an IP address in subnet 10.1.1/24 for duration of VPN session Policy on client sends all traffic to corporate network (10.0.0.0/8) through VPN Dial-up client can access all services at corporate net If Hub and Spoke is setup, client can access services at other sites
93
Default Route
Policy NAT For ASP or Extranet

NAT Pool for VPN is 10.2.1.0/24 Cust A
10.1.1.0/8 10.1/16 for servers 10.2.1/24 for Cust 1 clients 10.2.2.24 for Cust 2 clients
Internet
ASP Network
Cust B
10.1/16
NAT Pool for VPN is 10.2.2.0/24
MIP for server set to 10.250.1.1 in VPN B
10.1.1.1
NAT each customers client addresses into unique subnet of ASP network If server address overlaps customer address space, provide MIP within VPN for the server that is unused by customer
94
Digital X.509 Certificates

CA signed ID/Public Key binding Electronic Credentials
Specially prepared cryptographic files Tamper-proof ID and signature
Issued by Certification Authority

Public or private communities
Digital ID
Provides Key Trust Components

Verifies identity of holder Enables privacy Creates model for legal recourse
95
Making it even easier: SCEP & OCSP

Automated Certificate Enrollment (SCEP)
Much easier than present manual certificate process Can be used to automatically request a certificate from a Certificate Authority and install in a NetScreen device This feature supports only VeriSign Certificate Authorities in this release
Online Certificate Validation (OCSP)

Augments Static CRL (Certificate Revocation List) with dynamic protocol (OCSP, Online Certificate Status Protocol) to validate certificates Closes window of vulnerability between certificate revocation and CRL Update This feature supports only VeriSign Certificate Authorities in this release
Supported in ScreenOS 3.0 and NetScreen Remote v5.1.3 +

96
Certificate Authorities
Baltimore Entrust Microsoft Netscape (iPlanet) RSA Verisign
97
Backup VPN Gateways

Use Case: If my primary VPN connection goes down, use an alternative VPN to get to the destination network.
Up to 8 different VPN paths to a destination network may be defined per policy

VPN Tunnels to each gateway remains up continuously IKE based Keep-Alive messages are used to keep tunnels alive If a tunnel dies unexpectedly, Phase I is retried again after specific interval
Corporate LAN
98
Redundant VPN Gateways

Redundant VPN Provides Geographic Fail-Over for VPN
Spoke A A.1 SA M=2
Covers Data Center Failures:
SA M=1 A.0
Entire Site Outage (power, war, etc.)
Hub A
Internal Network Failures (Trust side link down)

Internet Connectivity Blackouts
SA M=2 Spoke B B.1 SA M=1
B.0 Hub B
99
NAT-Traversal
Without NAT-Traversal IPSec packets that are modified by a NAT-Device fail packet authentication checks, and are thus dropped by VPN Gateway as illegal packets.
NAT-Device Modifies IP and UDP Header of IPSec & IKE Packets source IP address & port Packet is Received by VPN Gateway, ESP checksum dont match indicating packet has been modified in transit. Normal IPSec will drop packet
NAT-Device
VPN Gateway
IPSec Client
100
Generic IKE ID - Definition

Company A Building 1 Building 2
One IKE policy can be shared by many users in a specified group

Admin defines groups with specific fields and number of users allowed to login
Sales
Engineering
Sales
Engineering
Any user offering a certificate with fields matching all defined values will be accepted as an instance of a defined user
In this example, anyone in the Sales group for Company A is defined as a user
101
Generic IKE ID - Behavior

Certificate contains Company B, Sales
Example 1: User in the Sales group for Company A; Access is permitted Example 2: User in the Sales group for Company A; Access is permitted; Building number is not defined value Example 3: User in the Sales Group for Company B; Access is denied
Denied
Certificate contains Company A, Bldg1, Sales
Certificate contains Company A, Bldg2, Sales
102
Screenshot: Group IKE IDs

Enabled IKE Identities to be matched with specific DN fields in peers cert Enables multiple connections from hosts using the same IKE Identity
In this example any user whos certificate credentials match the following will be authenticated as an IKE User for a specific VPN
103
104
NetScreen Remote 7.0

Enhancements New Deterministic Network Driver improves NIC compatibility New virtual adapter improves DHCP and NT Domain support New InstallShield Install/Uninstall method eases deployment Full Windows 95/98/98SE/NT/ME/2000/XP Support
Major New Features Includes support for NAT-Traversal (explained in next few slides) New Auth and Go works in conjunction with Global Pro 3.0 Policy Manager
105
Authenticate and Go
Auth and Go is an application bundled with NetScreen Remote which allows direct integration with NetScreens Policy Manager The purpose of Auth and Go is to allow secure, easy VPN Policy deployment for environments with a large number of clients. Auth and Go prompts the user with a login dialog, requesting username and password.
106
NetScreen Remote Future

With an: Integrated Personal Firewall
Negotiations Underway With leading vendors. Seamless Integration Target FCS CY H1 02
107
NetScreen Redundancy Protocol (NSRP)

High-Availability Solutions
108
Overview
NetScreens High Availability Security Solution built to match high performance requirements of mission critical networks
Designed for Enterprise and Service Provider Gateways & Data Centers Carrier Access Networks Provides the availability, redundancy and performance of Switched and Routed Networks + providing Stateful Security
109
Overview - Continued
NetScreen enhances high availability, resilience and performance
Redundancy protocol support - NSRP v2 (Similar to VRRP + being stateful) Stateful Fail-over for Firewall and VPN Redundant Interfaces for participation in full mesh topologies with or without Load-balancing switches Active Active load sharing for Multi-Gigabit throughput Sub Second Fail-over
Utilizes new and existing NetScreen hardware

New NetScreen-1000 switching module with redundant Trust and Untrust Gigabit interfaces Dual interface NetScreen-500 modules 10/100 & GigE
110
Network Security Redundancy

Good / Better / Best
System Redundancy
Active / Passive
System Redundancy
Active / Active
System Redundancy
Active / Active / Full Mesh
SW1
SW1
SW1
2 Gbps
4 Gbps 2 Gbps
4 Gbps 2 Gbps
111
Stateful - Active / Active Full Mesh High Availability

Stateful fail-over between NetScreen devices
Sessions, VPN Tunnels and Security Associations maintained
Option for both NetScreen devices to be active simultaneously

SW1
Peak throughput can be doubled Second System always under test

Total Throughput = 4 Gbps
Option to use Redundant Interfaces

Trust / Untrust & HA Interfaces Full Mesh Solution, each layer has redundant connections
Path monitor from NetScreen device rapidly identifies upstream & down stream failures
112
High Availability Landscape

Active/Active VPN & FW
Full Mesh
Core Routers & Switches
+ 3rd party
Full Mesh
FW
Device Redundancy
VPN FW
Active/Passive VPN & FW
VPN
VPN Only
Stateless Fail-over
113
Stateful Fail-over
HA Competitive Matrix
NetScreen 500 & 1000 Check Point HA Check Point Rainfinity Cisco Pix 535 Cisco VPN 3080 Nokia CC5205 Nokia IP-740 SonicWall ProVX
Stateful Firewall FailOver Stateful VPN FailOver Active Active Firewall Active Active VPN
Yes Yes Yes Yes
Yes Yes No No
Yes Yes Yes Yes
Yes No No No
No Yes No Yes
No Yes No Yes
Yes No No No
No No No No
Redundant HA ports
Fully Meshed Trust / Untrust Interfaces Path Monitor (conn / health)
Yes
Yes Yes
No
Yes No
No
Yes Yes
No
No No
No
No No
No
No No
No
Yes No
No
No No
Sub Second Failover
Yes
No
No
No
No
Yes
No
No
114
Conclusion
NetScreen takes a leadership position in High Availability Security Solutions
Stateful Fail-over VPN and Firewall including (Vsys) Active Active Load Sharing Interface Redundancy for full mesh topologies and additional levels of resilience
Redundant Trust & Untrust Interfaces Redundant HA interface
Path monitoring Sub Second Fail-over Multi-Gigabit clusters
115
ScreenOS
Purpose-built for Maximum Security & Performance
116
ScreenOS
ScreenOS 2.8r1 - Supported on the NS-1000
Has NSRPv2 - Active / Active Failover Features Adds NAT Traversal, L2TP in root and VSYS, and Generic IKE ID
ScreenOS 3.0r2 - Supported on the NS-5XP, NS-10, NS-25, NS-50, NS-100, NS-500
Adds NAT Traversal, Generic IKE IDs, 38 new MIBs, SCEP, OCSP, and Secondary IP Addresses Mainstream ScreenOS code for most customers Not supported on the NS-5 Please note ScreenOS 3.0r2 adds a few new minor features. Read the release notes!
ScreenOS 3.1r1 - Supported on the NS-204, NS-208 and NS-500 Only

Combines ScreenOS 3.0 Features with the USGA Architecture Allows support for all physical interfaces on NS-500 New architecture - Allows almost all features on all ports or VSYS
117
Screen OS Current Beta Programs

ScreenOS with Trend Micro AntiVirus Support Platforms Supported TBD
Allows email redirection to a Trend Micro AntiVirus server Exact features and NetScreen platforms supported can be learned from your NetScreen SE Please contact your SE if you are interested in participating in this beta
ScreenOS 3.0.0 with User Authentication Extended Features - Supported on NS-100 and NS-500

118
Multiple Authentication Servers External User-Groups Firewall Authentication Enhancements Custom Authentication Banner messages Admin Authentication Enhancements L2TP IP Pool / RADIUS Enhancements NetScreen RADIUS Attributes
Available on
beta.netscreen.com
Major New Features in 3.0

VPN Enhancements
NAT Traversal for IPSec Generic IKE IDs Advanced Encryption Standard
Other New Features

Public Key Authentication for SCS Clear Session Secondary IP Addresses H.323 Gatekeeper Support Malicious URL Detection Session Thresholds
Device Management
NetScreen MIBs Logging Enhancements
Certificate Management
Automated Certificate Enrollment (SCEP) Online Certificate Validation (OCSP)
119
Device Management Features

NetScreen Management Information Bases (MIBs)
Enhanced monitoring of NetScreen devices through new custom SNMP management information bases (MIBs) Provides access to virtually every counter, statistic and configuration within NetScreen devices through standard network management platforms used to monitor the rest of network devices
Logging Enhancements
Now support a standardized format for log messages - including the reporting module, the message severity, and a timestamp Admin has much more granular control over the destination(s) of specific severity messages
120
Logging Enhancement
121
Structured Logging
122
Other New Features

SCS Public Key Authentication
Eases automated CLI administration of NetScreen devices No longer required to store usernames/passwords in script files
Clear Session
Provides admin with more control over what active sessions to display or clear from the active tables Can specify matching sessions to display or clear by
Source and/or destination IP Source and/or destination port numbers Source and/or destination MAC address
When command completes, displays total number of sessions cleared
123
Other New Features

Secondary IP addresses
Up to 4 (NetScreen-5XP, NetScreen-10) or 8 (NetScreen-100, NetScreen500) per interface on the Trust and DMZ Interfaces only Defining a secondary IP address on the Trusted or DMZ interfaces allows customers to route traffic between two subnets and use the NetScreen device as the default gateway rather than add a router
H.323 Gatekeeper Support

Allows customers to use H.323 Gatekeepers on different interfaces of the NetScreen from the H.323 terminals Previously, the gatekeepers and terminals had to be on the same side of the NetScreen device This release allows for more flexible placement of the terminals and gatekeepers within an organization
Example: Terminals on the Trusted side of a NetScreen device can communicate with a Gatekeeper on the Untrusted side
124
Other New Features

Internet Worm Attack Protection
Malicious URL Detection: When enabled, NetScreen device monitors all HTTP packets looking for portion of the URL used to exploit target web server
If packet is detected, it will be dropped and an alarm is generated
Session Threshold Per Source IP Address: When enabled, the NetScreen will limit the number of sessions that any one trusted or DMZ IP can occupy on the NetScreen box
Prevents sessions table from becoming full when web server infected with worm tries to access other web servers
125
Screen OS 3.1 (USGA)
126
Universal Security Gateway Architecture

New architectural foundation for ScreenOS in support of NetScreens next generation platforms and services delivery Designed to deliver todays security features in a more flexible manner on NetScreen platforms, removing current restriction of certain services to specific interfaces Enhanced to provide additional user configurability Ready to deliver new features in a flexible manner, including dynamic routing, new security features, and other customer requested capabilities
127
Zone Based Security

Security zone is an entity for grouping interfaces that carry traffic at equivalent security level Traffic between zones, being of different security levels, must be approved by security policy ScreenOS currently provides
3 well known zones: trust, untrust and DMZ 4 policy sets, Incoming, Outgoing, ToDMZ and From DMZ for policy enforcement of traffic between zones
USGA will provide

User defined zones in addition to the well know, system defined zones Separate, directional policy set for each pair of zones, e.g. trust-to-DMZ, for policy enforcement of traffic from zone to zone
128
Zone Based Security in USGA

Permitted Traffic Unchecked Traffic
Untrust
Trust
Policy Engine
DMZ
Mkt
Eng
Zones include three predefined and arbitrary user defined Policy Engine controls traffic between zones Policy sets explicitly list from and to zones
Mkt UntToMkt TruToMkt DMZToMkt N/A EngToMkt Eng UntToEng TruToEng DMZToEng MktToEng N/A
From \ To Untrust Trust DMZ Mkt Eng
Untrust N/ A TrustToUnt DMZtoTun MktToUnt EngToUnt
Trust UntToTrust N/A DMZToTrust MktToTru EngToTru
DMZ UntToDMZ TrustToDMZ N/A MktToDMZ EngToDMZ
129
Reserved Zones
Management zone for support of out-of-band management interfaces and tunnels for management traffic HA zone for HA interfaces, NSRP, etc. Specific VLAN zones for trust, untrust and DMZ for transparent mode, backward compatibility Specific tunnel zones for trust, untrust and DMZ for transparent mode, backward compatibility
130
Security Zone Configuration
131
Hardware Interfaces
ScreenOS currently supports
3 well known interfaces, trust, untrust and DMZ Each individual interface permanently bound to like named security zone
USGA will provide

Support for additional network interfaces (>3) in NetScreen products More generic naming of physical interfaces User defined binding of interfaces to security zones Binding of multiple interfaces to a single security zone Some pre-defined, special purpose interfaces, like HA
132
Hardware Interfaces in USGA

Ether1/1 Ether1/2
Untrust
Ether4/1 Ether2/1
Finance
Policy Engine
IT
Ether3/1
Ether2/2
Mkt
Eng
Ether3/2
Each interface can be bound to only a single zone Multiple interfaces may be bound to single zone, such as for untrust/internet zone where redundant ISP links are used The pre-defined zones may be used (or not) as desired
133
NetScreen-500 With USGA

Ethernet1/1
Ethernet1/2 Default Untrust Int Ethernet 3/1 Default Trust Int
Ethernet2/1 Ethernet2/2 Default DMZ Int
MGT
HA1
HA2
134
Listing Interfaces
135
Configuration of Interfaces
136
Sub-interfaces
ScreenOS currently supports
Sub-interfaces, each bound to a 802.1q VLAN, on trust and untrust interfaces Usable only on Vsys enabled systems Trust sub-interface must be bound to trust security zone in Vsys
USGA will provide

Sub-interfaces on any physical interface Binding of sub-interface to any zone, not just the same zone as its physical interface Availability of sub-interfaces without necessity of enabling Vsys
137
Sub-Interfaces in USGA
Ether1/1 Ether1/2
Untrust
Ether2/1
Corp
Policy Engine
IT
Ether 2/2
Ether2/1.1
Service
Sales/Mkt
Ether2/1.2
Eng
Ether 3/1
Ether2/1.3 Ether2/1.4
Sub- interfaces will extend physical interface name with .Z to denote the sub-interface number of a given physical interface Sub-interfaces may be bound to any security zone, they are not restricted to the same zone as the physical interface. Multiple Interfaces, physical, sub, or combination can be bound to a security zone
138
Configuration of Sub-Interfaces
139
Routing
Currently in ScreenOS
Single route domain Routing of inbound packets used to determine intended outbound interface/zone to limit policy search No overlapping networks allowed Limited u-turn traffic support with-in zone
Routing in USGA
Multiple virtual routers Security zones bound to virtual routers Controlled route re-distribution between virtual routers
140
Routing in USGA
Ether1/1 Ether1/2
Untrust Routing Domain 1

Route Redistribution
DMZ Routing Domain 2

Ether2/1.3
Ether 2/2
Ether2/1
Corp
Ether2/1.1
Service
Eng
Sales/Mkt
Ether2/1.2
Ether 3/1
Ether2/1.4
Zones bound to one of 2 routing domains Each routing domain is independent, including the ability to run separate routing protocols or areas in different domains Controlled redistribution of routing information to tie the two together E.g. - redistribute default route from 2 to 1 so inside hosts can reach outside hosts Routing is performed for traffic between interfaces within same zone without policy search, between zones in same domain still engages policy engine
141
Configure Routes
142
Virtual Systems
ScreenOS currently provides for each Vsys
Private trust zone Single virtual router Multiple sub-interfaces
USGA
Multiple security zones Physical or sub-interfaces bound to Vsys Single virtual router
143
Vsys In USGA
Route Domain 2
Ether4/1.1 Ether1/1.5 Ether1/1.3 Ether1/1.4
Ether1/1.2
Untrust Policy Engine Cust 1

Ether3/1
Untrust Policy Engine Route Domain 1 DMZ Trust

Untrust
Policy Engine Local Vsys DMZ1 Router DMZ2
Local Vsys Router
Ether3/2
Vsys 1
Vsys 2
144
VPN Tunnels in USGA Policy Based

VPN policy has same behavior as before IPSec tunnel specification now includes physical interface or sub interface to use as gateway as multiple interfaces may be bound to security zone
ether1
ether3
Untrust Policy Engine Trust

Ether2
Traffic Encrypted Traffic
145
VPN Tunnels in USGA Dynamic Tunnel Selection

Tunnel not bound to tunnel interface accessible by static policy only
Tunnel Bound To Physical Interface
Routing Domain 2
Ether1.1 Ether3.1 ether5
IPSec tunnels may be bound to a specific tunnel interface Tunnel interface is treated like other interfaces, physical or virtual in that
It may be bound to any security zone It may participate as interface in routing It may have NAT/NAPT services
Internet Policy Engine

Tunnel1
Tunnel Bound To Tunnel Interface
ExNet Tunnel2
Tunnel3 Routing Domain 1
IT
Ether2
Corp
Ether4
Traffic directed to tunnel interface is encrypted and sent through tunnel bound to that tunnel interface Tunnel to tunnel interface binding is oneto-one
Traffic Encrypted Tunnel
146
DoS and other System Services Today

Untrust
Untrust
PPPoE/DHCP Client DoS Protections MIP/VIP IPSec Tunnel termination

DMZ
DMZ
Trust
Trust
Policy Engine
DHCP Server/Relay NAT IPSec tunnel traffic
IPSec tunnel traffic
Centrally configured for system Delivered on specific interfaces only

147
DoS and Services in USGA

Ether1/1 Ether1/2
Permitted Traffic Received Traffic
Untrust
DoS Protection MIP
DHCP Relay
Ether2/1
Finance
Policy Engine
IT
Ether3/1
MIP
DoS Protection
Ether2/2
Mkt
Eng
Ether3/2
DoS Protection DHCP Relay
DHCP Relay
Intended to be configurable on per interface basis, physical or sub

First Release Per Physical Interface

148
DoS Protections NAT MIP DHCP Relay

Questions
149

Netscreen Technologies: March 2002 Technical Overview Richard Cassidy, Se Emea

Uploaded by

Copyright:

Available Formats

Netscreen Technologies: March 2002 Technical Overview Richard Cassidy, Se Emea

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Netscreen Technologies: March 2002 Technical Overview Richard Cassidy, Se Emea

Uploaded by

Copyright:

Available Formats

NetScreen Technologies

March 2002 Technical Overview Richard Cassidy, SE EMEA

NetScreen Confidential Internal Use Only

Resource for Resellers

EMEA Presales Mailing List

Technical Mailing List

NetScreen Confidential Internal Use Only

NetScreen Product Overview

Integrated security systems and appliances

NetScreen Security Appliances

NetScreen Security Mgmt & Client

How it all began

Expensive, slow, multipurpose computers

Purpose-built HW/SW Appliances

ASIC-Accelerated Dedicated Hardware

Expensive, slow, multipurpose computers

Purpose-built HW/SW Appliances

ASIC-Accelerated Dedicated Hardware

NetScreen Confidential Internal Use Only

Hardware & Software

NetScreen Confidential Internal Use Only

The NetScreen Difference

NetScreen Confidential Internal Use Only

At the speed of silicon

NetScreen Confidential Internal Use Only

NetScreen Hardware Architectures

NS100/200 Series Multi-bus, single board, GigaScreen ASIC

NetScreen Confidential Internal Use Only

NetScreen Built for Performance

NetScreen Confidential Internal Use Only

However, the ASICs arent everything .

Purpose-built Operating System -- ScreenOS

NetScreen Security Solutions

NetScreen Confidential Internal Use Only

Managed Security for Small & Medium Enterprises

Source: the Yankee Group, 2000

Product Overview: NetScreen-5xp Telecommuter, SOHO, Small Branch Office

Integrated Firewall, VPN and Traffic Mgmt.

Performance & Capacity

Bandwidth reservation and DiffServ marking

Ships with ScreenOS 3.0

NetScreen GigaScreen/ ASIC

NetScreen Confidential Internal Use Only

NetScreen-5XP vs. NetScreen-5

MPC850 48 MHz MPC850 33 MHz

NetScreen Confidential Internal Use Only

NetScreen-5XP Hardware Features

Small Footprint 5L x 6W x 1.25H

NetScreen Confidential Internal Use Only

NetScreen-5XP Software Features

NetScreen Confidential Internal Use Only

NetScreen Confidential Internal Use Only

900 1000 1100 1200 1300 1400 1500 1518

NetScreen Confidential Internal Use Only

NetScreen-5XP Markets & Needs

Managed Security Service Providers

NetScreen Confidential Internal Use Only

Target Functionality Hardware Interfaces Concurrent sessions

Firewall, VPN, Firewall, VPN Traffic Management