NetScreen Confidential – Internal Use Only
NetScreen Technologies
March 2002
Technical Overview
Richard Cassidy, SE EMEA
Resource for Resellers
• Partner Website – All NetScreen Sales Tools
  – Presentations, white papers, product sheets, competitive analysis and more
• EMEA Presales Mailing List – For all NetScreen Premier, Authorized and Approved Partners Only!!
  – Mailing list, monitored by all EMEA Systems Engineers.
• Support Website – Comprehensive Technical Resource
  – TAC online, Manuals and User guides
• Technical Mailing List – Once a month comprehensive NetScreen Technical Update via e-mail
  – Latest Product Info and Releases. Technical tools and partner updates.
• Webcasts – NetScreen on-line training courses
NetScreen by design:
Enforce Maximum Security without sacrificing:
Performance
Scalability
Manageability
Flexibility
Reliability
Interoperability
NetScreen Product Overview
• Integrated security systems and appliances
– ICSA certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI, NAT acceleration and traffic management
– 10Mbps to 2Gbps Firewall
– 10Mbps to 1Gbps 3DES IPSec VPN
• Resilient, solid-state solutions with high availability architectures
• Policy-based management of devices and remote users
NetScreen Security Mgmt & Client: NetScreen-Global PRO / Global PRO Express, NetScreen-Remote
NetScreen Security Appliances: NetScreen-5XP, NetScreen-25, NetScreen-50, NetScreen-200 Series
NetScreen Security Systems: NetScreen-500, NetScreen-1000
How it all began …
“Just like ASIC-based switches fought and prevailed in enterprise and service-provider backbones, the software vs. hardware fight is on in the security area. Any network manager looking to secure true high-performance networks better take heed.”
– Kevin Tolly, President and CEO of Tolly Research/The Tolly Group
Expensive, slow, multi-purpose computers → Purpose-built HW/SW Appliances → ASIC-Accelerated Dedicated Hardware
Where it continues to go …
Software → ASIC-Acceleration → Hardware & Software
The NetScreen Difference
• Industry-leading performance and bulletproof security through next-generation architectures:
– Lightning fast, crypto-accelerating ASIC
– Purpose-built, security-optimized ScreenOS™
– Highly-efficient hardware designs combining single and multiple ASICs along with single/multi/parallel RISC-based processors
• Tight Integration of Core Technologies
– Stateful Screening Firewall
– VPN / PKI
– Attack Detection and Protection
– Traffic Shaping / Bandwidth Management
• Comprehensive methods of device management
• End-to-end solutions offering flexible network architectures
• Best-of-Breed partnerships and alliances
At the speed of silicon
| | NetScreen MegaScreen | NetScreen GigaScreen | Hi/fn 7751 | Hi/fn 7811 |
| DES | 250 Mbps | 1200 Mbps | 164 Mbps | 527 Mbps |
| 3DES | 86 Mbps | 400 Mbps | 83 Mbps | 252 Mbps |
| MD5 | 250 Mbps | 1200 Mbps | 96 Mbps | 290 Mbps |
| SHA-1 | 400 Mbps | 450 Mbps | 80 Mbps | 244 Mbps |
| Public Key Accelerator | No | Yes | No | Yes |
| Random # Generator | Yes | Yes | No | No |
| RC4 | No | | 122 Mbps | 185 Mbps |
| Firewall | Policy Engine, 200 Mbps | Policy/NAT Engine | No | No |
NetScreen Hardware Architectures
• NS1000 – Mid-plane switching fabric, multi-bus w/fiber interconnects, multi-parallel processors, multi-GigaScreen ASICs
• NS500 – Multi-bus, multi-interface card, single board, GigaScreen ASIC
• NS100/200 Series – Multi-bus, single board, GigaScreen ASIC
• NS25/50 – Single bus & board, GigaScreen ASIC
• NS5xp – Single bus & board, GigaScreen ASIC
NetScreen … Built for Performance
[Diagram: Traditional Design vs. NetScreen Design; components shown are CPU, RAM, I/O, bus, VPN co-processor and the packet path In → Out]
Traditional Design
- Multiple passes across the bus
- No separation of the data & control planes
NetScreen Design
- Single pass across the bus
- Separation of data & control planes
However, the ASICs aren’t everything ….
Efficient Hardware Designs
RISC Processors (Management, housekeeping, etc.)
Purpose-built Operating System – ScreenOS
NetScreen Security Solutions
Next Generation Security Systems and Appliances
Managed Security for Small & Medium Enterprises
• Managed security services are growing rapidly among small and medium enterprises
– In 1999 it was a $14M market
– Expected to be over $630M by 2005
Source: the Yankee Group, 2000
Product Overview: NetScreen-5XP – Telecommuter, SOHO, Small Branch Office
• Integrated Firewall, VPN and Traffic Mgmt.
– Stateful inspection firewall
– NAT, PPPoE and DHCP client, server & relay
– VPN
  • Site to Site & Client to Site
  • Supports IPSec 3DES, DES & AES encryption standards
  • Supports L2TP for Windows interoperability
– Bandwidth reservation and DiffServ marking
• Ships with ScreenOS 3.0
• Performance & Capacity
– 10 Mbps firewall
– 2000 concurrent sessions
– 10 Mbps VPN 3DES
– 10 IPSec VPN tunnels
• Award-winning and proven technology since 1999
• 2 port auto-sensing 10/100 Ethernet – Trust, Untrust
• AC power
NS5xp/25/50 Architecture
[Block diagram: MPC8xx PowerPC core CPU with UART/RS232 console, RTC, Flash, Boot ROM, SDRAM and SRAM on a 32-bit/48 MHz bus to the NetScreen GigaScreen ASIC; MAC 1/PHY (Trusted) and MAC 2/PHY (Untrusted); additional MAC 3/PHY and MAC 4/PHY on the NS25/50; PCMCIA interface]
NetScreen-5XP vs. NetScreen-5
| Appliance Features | NetScreen-5XP | NetScreen-5 |
| ASIC | GigaScreen | MegaScreen |
| CPU | MPC850 48 MHz | MPC850 33 MHz |
| Redesigned Chassis | Cable access from rear | Cable access from front |
| RAM | 32 MB | 16 MB |
| Flash | 4 MB | 2 MB |
| Asset Recovery Switch | Yes | No |
| Concurrent sessions | 2000 | 1000 |
| Faster Performance | 10 Mbps 3DES | 5 Mbps 3DES |
NetScreen-5XP Hardware Features
• Proven Hardware Architecture – GigaScreen ASIC
• Broadband enabled
– 2 port 10Mbps Full Duplex 10BaseT Ethernet
• Easily Managed
– RS232 serial console port for management
– Asset Recovery Switch
• Small Footprint: 5L x 6W x 1.25H
NetScreen-5XP Software Features
• Proven Software Architecture
– ScreenOS 2.6.0: shared code base with all NetScreen products
– ICSA Certified, stateful-inspection firewall and IPSec
• Transparent, Route, and NAT modes of operation
• Traffic Management: 8 levels of priority, plus guaranteed & maximum bandwidth, defined by policy
• 10 IPSec VPN Tunnels
• 2000 Firewall Concurrent Sessions
NetScreen-5XP Performance
• Full duplex 10 Mbit line speed
• Symmetrical Performance
• 10 Mbps 3DES VPN
• 10 Mbps Firewall
• Latency reached a record low of 380 µSec (or 0.38 mSec) for support of new applications
– VoIP
– Streaming media
NetScreen-5XP Performance
[Chart: NS-5XP Bi-Directional Performance Results; x-axis Bytes/Packet from 64 to 1518, y-axis Bandwidth (Mbps) from 0 to 20; series: NAT, DES, 3DES, DES+MD5, 3DES+MD5, DES+SHA-1, 3DES+SHA-1]
NetScreen-5XP Markets & Needs
Multi-site Enterprise Networks
• Need a low-cost, easy-to-deploy security solution given the shortage of IT staff
• Remote offices and telecommuter locations need secure access to central site
Access Service Providers
• Need features for broadband service offerings
• Looking to offer value-added services
• Want to deliver services with low operating costs and easily manage multiple sites
Managed Security Service Providers
• Need solutions for all customer environments
• Want to deliver services with low operating costs and easily manage multiple sites
Competitive Landscape
| Appliance Features | NetScreen-5XP 10-user/Elite | Cisco 506 | SonicWALL SOHO2 | Nokia IP110 | Nokia IP55 |
| Users | 10 / Unrestricted | 10 | 50 | 50 | 50 |
| Target Functionality | Firewall, VPN, Traffic Management | Firewall, VPN | Firewall, VPN | Check Point Firewall, VPN | Check Point Firewall only |
| Hardware Interfaces | 2 10-BaseT Ethernet | 2 10-BaseT Ethernet | 2 10/100 Ethernet | 3 10/100 Ethernet & 2 Serial V.35 | 4 10/100 Ethernet, ADSL/G.lite WAN |
| Concurrent sessions | 2000 | 64000 | 6144 | 4500 | NA |
| VPN tunnels | 10 | 4 | 10 | 50 | NA |
| RAM/Flash | 32MB / 4MB | 32MB / 8MB | 8MB / 3MB | 64 MB / NA | 16MB / 2MB |
| IPSec 3DES Performance | 10 Mbps | 6 Mbps | 2 Mbps | 2 Mbps | NA |
| Firewall Performance | 10 Mbps | 8 Mbps | 70 Mbps | 80 Mbps | 8 Mbps |
| ASIC based performance | Yes | No | No | No | No |
| List Price | $495 / $995 | $1,995 | $995 | $2,495* | $1,295 |
*Additional Check Point 50 user license fee of $4995 required.
Cisco 506
• High Price
– $1995 list for a 10 user license
• Low number of VPN tunnels supported for the price
– 4 Tunnels supported vs. NetScreen’s 10 tunnels.
• No ASIC support for VPN acceleration
• Hard to configure, manage and deploy
– Need to understand Cisco IOS/PIX CLI to configure VPNs or any other configuration.
– GUI support is limited to basic tasks.
– Limited real time logging and alarm capabilities.
• Low performance
– Firewall throughput 8 Mbps vs. NS-5XP 10 Mbps
– 56-bit DES throughput 6 Mbps vs. NS-5XP 10 Mbps
– 168-bit 3DES throughput 6 Mbps vs. NS-5XP 10 Mbps
SonicWALL SOHO2 and TELE2
• High Price
– TELE2 costs $595 for 5 users with 5 VPN tunnels
– SOHO2 costs $990 - $1490 for 10/50 users with 10 VPN tunnels
• No ASIC support for VPN acceleration
• Low VPN Performance
– 2 Mbps
• Anti Virus is not performed at the appliance, contrary to perception
• Lack of Secure Remote Manageability
Nokia IP110
• High Price
– IP110 base cost $2,495 + Check Point 50 user license fee $4995 = $7490.
• Low VPN Performance
– No Luna VPN accelerator card. IP110 3DES IPSec throughput 2 Mbps compared to 10 Mbps for NetScreen-5XP.
• No traffic management.
• Hard to configure, manage and deploy
• Lack of Single Support Point
Nokia IP51 and IP55
• Firewall only product
– The Nokia IP51 and IP55 small office appliances integrate Check Point FireWall-1 SmallOffice only
• Lack VPN support and Traffic Management capability
• High Price for limited functionality
– IP51 lists for $895, and IP55 lists for $1295; compared to 5XP price of $995 integrating Firewall, VPN and Traffic Shaping.
• Do not have ICSA certification on the appliance
• Lack of Single Support Point
Supporting Documentation
• This presentation
• Datasheet – new appliances datasheet
• New price list with detailed pricing and options
• Competitive analysis
• Product FAQ
• NetScreen-5XP white paper
NetScreen-50 and NetScreen-25 Solutions for Branch Office and SME Networks
Product Overview: NetScreen-25 – Small Enterprise / Small Office
• Integrated Firewall, VPN and Traffic Mgmt.
– Stateful inspection firewall
– NAT, PPPoE and DHCP client, server & relay
– VPN
  • Site to Site & Client to Site
  • Supports IPSec 3DES, DES & AES encryption standards
  • Supports L2TP for Windows interoperability
– Bandwidth reservation and DiffServ marking
• Ships with ScreenOS 3.0
• Performance & Capacity
– 100 Mbps firewall
– 4,000 concurrent sessions
– 20 Mbps VPN
– 25 IPSec VPN tunnels
• 4 port auto-sensing 10/100 Ethernet
– 3 ports active today
– 4th port enabled in a subsequent software release – 1H CY02
– 4th port will provide 2nd DMZ option
– No HA support
• AC power
Product Overview: NetScreen-50 – Small/Medium Enterprise / Branch Office
• Integrated Firewall, VPN and Traffic Mgmt.
– Stateful inspection firewall
– NAT, PPPoE and DHCP client, server & relay
– VPN
  • Site to Site & Client to Site
  • Supports IPSec 3DES, DES & AES encryption standards
  • Supports L2TP for Windows interoperability
– Bandwidth reservation and DiffServ marking
• Ships with ScreenOS 3.0
• Performance & Capacity
– 170 Mbps firewall
– 8,000 concurrent sessions
– 50 Mbps VPN
– 100 IPSec VPN tunnels
• 4 port auto-sensing 10/100 Ethernet
– 3 ports active today
– 4th port enabled in a subsequent software release – 1H CY02
– 4th port will provide high availability or 2nd DMZ option
• AC power; DC option
The NetScreen-50 and NetScreen-25
[Front panel: Compact Flash™ slot, Serial Console and Modem ports, Status LEDs, Reserved port (Available 1HCY02), Untrust, DMZ and Trust ports]
NetScreen-50 & NetScreen-25 Key Software Features
• NAT, Route, and Transparent modes of operation
– Includes NAT on a per-policy basis for policy-based address translation
• Robust attack prevention including SYN, ICMP, and port scan attacks
• 3DES and AES encryption using digital certificates or IKE auto-key
• IPSec NAT traversal
– Allowing IPSec VPN tunnels to be established through NAT, PAT, or NAPT devices
• Traffic management for bandwidth allocation and traffic prioritization
– Allocate bandwidth per policy for the most effective use of available bandwidth
• Support for PPPoE and DHCP client
– Allows deployments into DSL or cable networks with dynamic IP assignment
• DHCP server or DHCP relay agent
• High availability with stateful firewall and VPN fail-over*
* Not at initial release and only on the NetScreen-50
NetScreen-25 Competitive Matrix
| | NetScreen-25 | SonicWALL PRO | Cisco Pix 515R | Nokia IP 120 (Check Point) | WatchGuard Firebox 700 |
| Stateful Inspection Firewall and VPN | Yes | Yes | Requires VPN License for 3DES | Yes | Yes |
| Traffic Management | Yes | No | No | No | No |
| VPN acceleration | Yes | No | Extra Cost | No | No |
| NAT traversal | Yes | No | No | CP clients to FW-1 only | No |
| Policy-based NAT | Yes | No | Yes | Yes | No |
| PPPoE support | Yes | Yes | No | No | Yes |
| DHCP server | Yes | Yes | No | No | No |
NetScreen-50 Competitive Matrix
| | NetScreen-50 | SonicWALL Pro-VX | Cisco Pix 515UR | Nokia IP 330 (Check Point) | Nokia CC 2500 |
| Stateful Inspection Firewall and VPN | Yes | Yes | Requires VPN License for 3DES | Requires VPN license | No |
| Traffic Management | Yes | No | No | Requires add. CP License | No |
| VPN acceleration | Yes | Yes | Extra Cost | Extra Cost | Yes |
| NAT traversal | Yes | No | No | CP clients to FW-1 only | Remote client only |
| Policy-based NAT | Yes | No | Yes | Yes | No |
| Stateful HA | Yes* | No | Firewall Only | Yes | VPN Only |
| PPPoE support | Yes | Yes | No | No | No |
| DHCP server | Yes | Yes | Yes | No | No |
* Available when 4th port is enabled
Additional Sales Opportunities: Better Market coverage = More $ales !!!
[Positioning diagram: customer segment vs. product]
What you used to sell:
• NetScreen-5XP – Remote Office / Home Office
• NetScreen-10 – Enterprise Branch Office / Small Medium Enterprise
• NetScreen-100 – Enterprise Branch / Medium Enterprise central site / e-business / web hosting
Missed Opportunities between these products: Low Bandwidth, DMZ, Price Sensitive; 10/100, High Availability, Price Sensitive
What to sell now!
• NetScreen-5XP – Remote Office / Home Office
• NetScreen-25 – Small Enterprise or Small Office
• NetScreen-50 – SME or Branch Office
• NetScreen-100 – Enterprise Branch / Medium Enterprise central site / e-business / web hosting
Product Overview: NetScreen-100 – Medium/Large Enterprise / Branch Office
• Integrated Firewall, VPN and Traffic Mgmt.
– Stateful inspection firewall
– NAT, PPPoE and DHCP server & relay, Load-balancing
– VPN
  • Site to Site & Client to Site
  • Supports IPSec 3DES, DES & AES encryption standards
  • Supports L2TP for Windows interoperability
– Bandwidth reservation and DiffServ marking
• Ships with ScreenOS 3.0
• Performance & Capacity
– 200 Mbps firewall
– 128,000 concurrent sessions
– 185 Mbps VPN 3DES
– 1000 IPSec VPN tunnels
• Award-winning and proven technology since 1998
• 3 port auto-sensing 10/100 Ethernet – Trust, Untrust, DMZ
• High Availability options
– Active/Standby, Active/Active (1H ’02)
• AC power; DC option
NS100 Architecture
[Block diagram: MIPS R5000 CPU, GT64120 host bridge, SDRAM, Flash, SRAM, dual-port Packet Memory, RTC, UART/RS232 console and PCMCIA interface; NetScreen GigaScreen ASIC & Memory on 64-bit/66 MHz buses plus a 32-bit/33 MHz PCI bus; three MAC/PHY pairs for the Trusted, Untrusted and DMZ interfaces]
NetScreen-100 IPSec Performance
[Chart: Zero-loss Throughput Across an IPSec (3DES, SHA-1) Tunnel, bidirectional SmartBits 100 Mbit/s full-duplex Fast Ethernet (UDP packets); y-axis % of theoretical maximum, 0% to 100%; packet sizes 64, 512, 1,024 and 1,518 bytes; devices: NetScreen-100, Check Point FireWall-1/VPN-1, Nokia IP650, Cisco PIX-515]
Source: Tolly Group, 2001
NetScreen-100 New Connections per Second
[Chart: TCP/IP Connection Rate Across a "Single-Rule" Firewall, SmartBits full-duplex Fast Ethernet; y-axis average number of TCP connections per second, 0 to 20,000; devices: NetScreen-100, Check Point FireWall-1/VPN-1, Cisco PIX-515; values shown: 19,048, 1,600, 3,402]
Source: Tolly Group, 2001
NetScreen-200 Series
Solutions for Enterprise Central Sites and Service Provider Environments
Introducing… The NetScreen-204 & NetScreen-208
• Integrated Firewall, VPN and Traffic Management
– Stateful inspection firewall with advanced firewall and DoS attack protections
– IPSec VPN with 3DES, DES, L2TP & AES
– Bandwidth prioritization and reservation and/or DiffServ marking
– Transparent, NAT, and Route mode
– High availability with full FW and VPN synchronization
• Ships with ScreenOS 3.1
• Performance & Capacity – 550 Mbps firewall NAT (NS-208)
– 400 Mbps firewall NAT (NS-204)
– 128,000 concurrent sessions
– 13,000 new sessions per second
– 200 Mbps 3DES VPN
– 1,000 IPSec VPN tunnels
• 4 or 8 auto-sensing 10/100 Ethernet ports
– All ports active today
– Auto-correct to DCE or DTE
• AC power; DC option available soon
NetScreen-200 Series Hardware Features
Six System-status LEDs: Power, Status, HA, Alarm, Sessions, Flash
HW-based asset recovery switch
Console and out-of-band modem ports
CompactFlash™ slot supporting 96 and 512MB cards
8 interfaces on the NetScreen-208; 4 interfaces on the NetScreen-204
NetScreen-200 Series ScreenOS Features
ScreenOS 3.1.0
– All interfaces can be used with nearly generic feature support
  • Firewall attack prevention on every interface
  • VPN tunnels terminating to any interface, providing support for applications such as WLANs
  • Support all physical interfaces
– All interfaces support up to 28 common attacks such as syn flood, port scan, and others
– Familiar Trust, Untrust, and DMZ security zones available for ease-of-use and backward compatibility
Features from ScreenOS 3.0
– VPN Enhancements
  • NAT Traversal for IPSec
  • Generic IKE IDs
  • Advanced Encryption Standard
– Device Management
  • NetScreen MIBs
  • Logging Enhancements
– Certificate Management
  • Automated Certificate Enrollment (SCEP)
  • Online Certificate Validation (OCSP)
NetScreen-204 Competitive Matrix
| | NetScreen-204 | Cisco PIX 525R | Nokia IP440 (Check Point) | SonicWALL GX 2500 |
| Firewall performance | 400 Mbps | 370 Mbps | 185 Mbps | 200 Mbps |
| 3DES VPN performance | 200 Mbps | ~ 70 Mbps with accelerator card | ~ 45 Mbps with accelerator card | 192 Mbps |
| # Interfaces | 4 | 2, up to 6 | 4, up to 16 | 3 |
| Stateful HA | Yes | No, upgrade to UR (FW-only) | Yes | No |
| Traffic Management | Yes | No | No | No |
| NAT traversal | Yes | No | CP clients to FW-1 only | No |
| VPN to any interface | Yes | No | Yes | No |
| Transparent mode | Yes | No | No | Yes |
| Extras | N/A | 3DES lic.: $3,000; VPN card: $7,500 | VPN card: $1,000 | N/A |
Source: Vendor and third party documentation
NetScreen-208 Competitive Matrix
| | NetScreen-208 | Cisco PIX 525UR | Nokia IP530 (Check Point) | SonicWALL GX 2500 |
| Firewall performance | 550 Mbps | 370 Mbps | 550 Mbps | 200 Mbps |
| 3DES VPN performance | 200 Mbps | ~ 70 Mbps with accelerator card | 47 Mbps with accelerator card | 192 Mbps |
| # Interfaces | 8 | 2, up to 8 | 4, up to 16 | 3 |
| Stateful HA | Yes | Firewall only | Yes | No |
| Traffic Management | Yes | No | No | No |
| NAT traversal | Yes | No | CP clients to FW-1 only | No |
| VPN to any interface | Yes | No | Yes | No |
| Transparent mode | Yes | No | No | Yes |
| Extras | N/A | 3DES lic.: $3,000; VPN card: $7,500 | VPN card: $3,000 | N/A |
Source: Vendor and third party documentation
NetScreen Virtual Systems
• NetScreen Virtual Systems
– 250 Virtual Systems (VSYS)
– Per Virtual System - address book, policies and management
– Firewall and VPN configured per VSYS
– Able to support multiple security domains or customers without sharing policy
[Diagram: Vsys #1, Vsys #2, Vsys #3 on one device]
Virtual Systems
[Diagram: a 100/1000 switch and per-customer 10/100 switches connected to the NetScreen-1000 over an IEEE 802.1Q VLAN trunk carrying 500 VLANs; traffic mapped to VLANs via Virtual Systems, one security domain per customer, 250 security domains per NetScreen-1000; private links to customer cages; inbound VPNs or Web traffic]
*Available on the NS500 & NS1000 Security Systems
Reduced Infrastructure Deployment and Management
• NetScreen Virtual Systems
– Single NetScreen device can handle the needs of 500 or more customers
– Integrated firewall and VPN capabilities
– Implementation of 802.1q VLANs providing the ability to manage multiple customers from a single security system
– A Virtual System
  • Saves rack space
  • Reduces capital cost
  • Eases management and administration
  • Simplifies network architecture
[Diagram: Internet on the Untrust side; customers reached over private links on the Trust side through an IEEE 802.1Q VLAN trunk carrying 100 VLANs (VLAN1, VLAN2, VLAN3); traffic mapped to VLANs via Virtual Systems]
Separate vs. Shared Virtual Systems for multi-customer deployments
Separate Virtual Systems
• Customer/Admin mgmt
• Customer logs – Parse by Vsys
• Unique Firewall & VPN configuration per customer / Vsys
Shared Virtual Systems
• Provider mgmt only
• Customer logs – Parse by IP
• Firewall policy based on IP addr / VPN not practical due to VPN authentication issue
NetScreen-500
High-performance Security System for Enterprise Central Site and Data Center Environments
The NetScreen-500
• High security
– ICSA-certified firewall and VPN
– FIPS 140 ready
• High performance
– 250 Mbps 3DES IPSec VPN
– 700 Mbps stateful firewall
• High capacity
– 10,000 IPSec tunnels
– 250,000 concurrent sessions
– 22,000 new sessions per second
• Redundant
– High availability features
– Internal system redundancies (swappable fans, power)
– Separate traffic and management bus
• Flexible
– Multiple ports
– AC/DC power
– Virtual Systems
NetScreen-500 Hardware Features
• Proven hardware architecture
– GigaScreen ASIC
– Multi-bus architecture: Separate Management & Traffic Bus
• Highly resilient design
– Dual Hot Swappable Power Supplies (DC or AC)
– Hot Swappable Fan Tray
– Redundant 10/100 HA interfaces
• Easily managed
– 2 DB-9 Serial RS-232, Console and Modem
– Dedicated “out-of-band” 10/100 management port
– Programmable LCD and diagnostic LEDs
• Versatile form factor
– 2U, 19” Rack-mountable
– 4 I/O Module Bays for interface modules
NS500 Architecture
The NetScreen-500
[Front panel: LCD, Interface Module Bays, Hot Swappable AC or DC Power Supplies, Fan Module, Dual HA ports, Management port, Modem and Console ports]
NetScreen-500 Software Features
• Proven Software Architecture
– ScreenOS 2.6.0: shared code base with all NetScreen products
– ICSA Certified, stateful-inspection firewall and IPSec
• Transparent, Route, and NAT modes of operation
• Traffic Management: 8 levels of priority, plus guaranteed & maximum bandwidth, defined by policy
• Up to 25 Virtual Systems and 100 VLANs
• High Availability (through redundant, dedicated HA links): complete with full session and VPN synchronization
NetScreen-500 vs. Cisco PIX 535 & VPN 3080
| | NetScreen-500 | Cisco PIX 535 | Cisco VPN 3080 |
| Firewall Performance (4,000 sessions, 1000-byte packets) | 700 Mbps | 675 Mbps | No firewall |
| 3DES VPN | 250 Mbps | Max 100 Mbps via $7,500 hardware upgrade | 100 Mbps |
| VPN Tunnels | 10,000 | 2,000; license required | 10,000 |
| Sessions | 250,000 | “500,000” | No firewall |
| New Sessions/Sec. | 22,000 | 7,000 | No firewall |
| Virtual Systems | 0, 5, 10, 25 | No, up to 8 physical interfaces | No, 3 physical interfaces |
| Transparent Mode | Yes | No | No |
| HA w/ Full Session & VPN Synchronization | Yes | Yes | VPN synchronization |
| List Price | $24,995, ES system with 2 10/100 interfaces; $34,995, ES system with 2 GBIC interfaces | $73,600 with 2 10/100 interfaces | $75,000 for redundant pair + cost of firewall |
Prices listed are US List Prices in US$. Appropriate price changes should be made for in-country pricing.
NetScreen-500 vs. Nokia IP530 & IP650
| | NetScreen-500 | Nokia IP530 | Nokia IP650 |
| Firewall Performance (4,000 sessions, 1,000-byte packets) | 700 Mbps | 400 Mbps, Check Point license required | 235 Mbps, Check Point license required |
| 3DES VPN (1,000-byte packets) | 250 Mbps | < 20 Mbps, 50 Mbps with accelerator card | < 20 Mbps, 40 Mbps with accelerator card |
| VPN Tunnels | 10,000 | 4,500, Check Point license required | 4,500, Check Point license required |
| New Sessions/Sec. | 22,000 | Est. 2,000 | Est. 2,000 |
| Virtual Systems | 0, 5, 10, 25 | Up to 16 interfaces | Up to 20 interfaces |
| Hard Disk Drives | No | Yes, not redundant | Yes, redundant |
| Redundant Power | Yes, DC or AC | No, AC only | Yes, AC only |
| List Price | $24,995, ES system with 2 10/100 interfaces | $30,985* | $34,985* |
*IP530 and IP650 configured with: base chassis, Luna VPN accelerator card, single AC power supply, Check Point license for 250 IP addresses with firewall and VPN functionality. An unlimited IP license requires the central management console to be purchased (about $10,000 extra)
Prices listed are US List Prices in US$. Appropriate price changes should be made for in-country pricing.
NetScreen-500 Firewall Performance Under Session Load
Source: The Tolly Group, May 2001
[Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets; two panels, NetScreen-500 and Cisco PIX 535; y-axis Aggregate Throughput (Mbps)*, 0 to 800; x-axis Simultaneous UDP Sessions 5,000, 10,000, 25,000; series by packet size 64, 512, 1,024, 1,518 bytes]
*1% packet loss threshold
The NetScreen-1000
High-performance & High Bandwidth Security System for Demanding Enterprise and Service Provider Environments
Product Overview: NetScreen-1000
• Gigabit Performance
– 1 Gbps 3DES IPSec VPN
– 2 Gbps firewall and NAT
• High Capacity
– Firewall: Stateful inspection - 500,000 sessions
– VPN: 25,000 IPSec tunnels
• High availability/redundancy
– Hot swappable power supplies, fans, cards
– Mirrored configuration maintains sessions through a failover
• “Multi-customer” architecture – for managed security services
– Up to 250 virtual systems (VSYS) and 500 VLANs
– Per VSYS address book, policies and management
NetScreen-1000 Target Segments
• NetScreen-1000ES (Enterprise System Bundle) – Customer or Managed Security Provider deployments
  • Firewalls for intranets or campuses
  • VPN branch and remote access
  • Metro area firewall / VPN
  • Hosted e-businesses
• NetScreen-1000SP (Service Provider Bundle)
  • Internet data center - managed security services
  • Application infrastructure provider
  • Data center wide deployments with tremendous cost structure advantage
The SP has been shipping since May 2000.
NetScreen-1000
[Chassis view: Security Processor Cards (from 2 to 6), Switch Card, Management Interface Card with separate OoB and HA interfaces, Redundant Power Supplies and Power inputs, Fans]
NetScreen-1000 Switch II
• 2 - Trust Interfaces (MT-RJ)
• 2 - Untrust Interfaces (GBIC)
– SX and LX option (default is SX)
• 2 - HA Interfaces (MT-RJ)
• 6 - Processor Board Interconnects
• Status LEDs
– Power and Link
• Note: Redundant GE and HA interfaces require new ScreenOS
NetScreen-1000 Switch II Benefits
• Greater throughput
– Up to 2 Gbps firewall
• Support for LX Interface – Untrusted Interface
• Hardware support for future software capabilities, e.g.
– Meshed network support*
– Active – Active support*
– Redundant HA links*
* New ScreenOS required
NS1000 Architecture
[Block diagram: a switch card with Trust, Untrust and Gbit interfaces, HA, 100BaseT management, console and flash card; up to six processing cards and an aux card on a Compact PCI backplane bus; each processing card has its own RISC processor and GigaScreen ASIC]
1st packet in a session is forwarded to the “Master”:
• Policy lookup
• Packet classification
• Load balanced handoff to processor cards
• Configure switch
2nd and later packets:
• Session status hand-off from master
• Packets forwarded by switch card
• Policy enforcement
• Encryption, firewall, NAT
• Hot failover between cards
NetScreen’s Hardware Product Line
| Product | Max Throughput | Max Sessions | Max # VPN tunnels | Max # Policies | Max # Vsys | HA |
| NetScreen-1000 | 2G FW & 1G VPN | 500,000 | 25,000 | 40,000 | 250 | Yes, A/A |
| NetScreen-500 | 750M FW & 250M VPN | 250,000 | 10,000 | 20,000 | 25 | Yes, A/A |
| NetScreen-208 | 550M FW & 200M VPN | 128,000 | 1,000 | 4,000 | NA | Yes, A/P ** |
| NetScreen-204 | 400M FW & 200M VPN | 128,000 | 1,000 | 4,000 | NA | Yes, A/P ** |
| NetScreen-100 | 200M FW & 185M VPN | 128,000 | 1,000 | 4,000 | NA | Yes, A/P ** |
| NetScreen-50 | 170M FW & 50M VPN | 8,000 | 100 | 1,000 | NA | Yes, A/P * |
| NetScreen-25 | 100M FW & 20M VPN | 4,000 | 25 | 500 | NA | No |
| NetScreen-5XP | 10M FW & VPN | 2,000 | 10 | 100 | NA | No |
| NetScreen-Remote | Varies by PC | NA | 1 | NA | NA | No |
* Available when 4th port is enabled
** To be updated to Active-Active – 1HCY02
A/A = Active-Active High Availability
A/P = Active-Passive High Availability
Bottom Line …
• NetScreen Security Systems have been built from the ground-up with the purpose of removing the performance factor from the equation to allow decision-makers to concentrate on solving the real problem of conquering security challenges and network management issues.
Questions
NetScreen Systems & Appliances Features
Stateful Screening
Next Generation “Stateful Inspection”
Screening
• Alternatives
  – Access Control Lists
  – Application Proxies
• NetScreen’s Architecture
  – Policy-based stateful screening
Stateful Inspection
Policy classification includes:
• Security zones
• IP addresses
• Transport protocol
• Transport ports
• Applications
Policy actions include:
• Deny
• Permit
• Authenticate
• Log
• Count
Packet Flows
• Classified by PROTO
• Identified by SIP, DIP
• A session is a “bundle” of forward and reverse flows
  – Initiating Flow
  – Responding Flow
IP Packet
• Blue = Normal Flow Classifiers
• Yellow = Fragment Flow Classifiers

Header layout (bits 0–31 per row):
  Ver | Hdr Len | Service Type | Total Length
  Identification | Flags | Fragment Offset
  Time To Live | Protocol | Header Checksum
  Source IP Address
  Destination IP Address
  IP Options (If Any) | Padding
  Data…
UDP Packet
• Blue = Normal Flow Classifiers

Header layout (bits 0–31 per row):
  Source Port | Destination Port
  Length | Checksum
  Data…
TCP Packet
• Blue: Normal Flow Classifiers
• Yellow: TCP State and Sequence Check

Header layout (bits 0–31 per row):
  Source Port | Destination Port
  Sequence Number
  Acknowledgement Number
  Hdr Len | Reserved | Code Bits | Window
  Checksum | Urgent Pointer
  Options | Padding
  Data…
Packet Walk
Flowchart (reconstructed from the slide):
  Receive → Hash Classifiers → Session Lookup
    – Session found (Yes): Screen Packet → Send
    – No session (No): Policy Lookup (no matching permit → Drop) and Path Lookup (no route → Drop), then Create Session → Screen Packet → Send
Diagram labels: NS-1000 Hardware Operation, NS-1000 Firmware Operation
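The packet walk above in working code: this is an added example, not NetScreen firmware. It parses constructed IPv4/TCP/UDP packets with `struct`, extracts the normal flow classifiers (PROTO, SIP, DIP, SPORT, DPORT), and keeps a session table in which the initiating and responding flows are installed together, so the server's reply hits the session lookup and never needs a policy search, while an unsolicited inbound packet falls through to the policy lookup and is dropped. Policy format, zone handling and the fragment classifiers are simplified (fragments are rejected rather than reassembled); all addresses are constructed.

```python
"""Stateful session handling in the style of the "Packet Walk" slide:
classify -> session lookup -> (policy lookup -> create session) -> send/drop.
Added example, not NetScreen code; packets are constructed inline with struct.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_l4(proto, sport, dport, payload=b""):
    """Construct a minimal UDP or TCP header (checksums left zero; not validated here)."""
    if proto == IPPROTO_UDP:
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # TCP: ports, seq, ack, data offset 5 words, SYN flag, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload


def build_ipv4(proto, sip, dip, l4):
    """Construct an IPv4 header without options in front of the L4 segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ip_bytes(sip), ip_bytes(dip))
    return hdr + l4


def classify(pkt):
    """Normal flow classifiers: (PROTO, SIP, DIP, SPORT, DPORT).
    Fragment classifiers (Identification / Flags / Fragment Offset) are not modelled:
    a non-first fragment carries no transport header, so it is rejected here."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if flags_frag & 0x1FFF:
        raise ValueError("non-first fragment: no L4 ports to classify")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (proto, str(ipaddress.ip_address(sip)), str(ipaddress.ip_address(dip)), sport, dport)


@dataclass
class Policy:
    src: str          # source network, e.g. "10.1.1.0/24"
    dst: str          # destination network
    proto: int
    dport: int        # 0 = any destination port
    action: str       # "permit" or "deny"


@dataclass
class Firewall:
    policies: list
    sessions: dict = field(default_factory=dict)   # flow tuple -> session id
    stats: dict = field(default_factory=lambda: {"session_hits": 0, "policy_lookups": 0, "dropped": 0})

    def policy_lookup(self, flow):
        """First-match search; a flow that matches no permit policy is denied."""
        self.stats["policy_lookups"] += 1
        proto, sip, dip, _, dport = flow
        for p in self.policies:
            if (ipaddress.ip_address(sip) in ipaddress.ip_network(p.src)
                    and ipaddress.ip_address(dip) in ipaddress.ip_network(p.dst)
                    and p.proto == proto and p.dport in (dport, 0)):
                return p.action
        return "deny"

    def process(self, pkt):
        flow = classify(pkt)
        if flow in self.sessions:              # hit: initiating or responding flow of a known session
            self.stats["session_hits"] += 1
            return "send"
        if self.policy_lookup(flow) != "permit":
            self.stats["dropped"] += 1
            return "drop"
        proto, sip, dip, sport, dport = flow
        sid = len(self.sessions) // 2 + 1
        self.sessions[flow] = sid                                # initiating flow
        self.sessions[(proto, dip, sip, dport, sport)] = sid     # responding flow, installed up front
        return "send"


def demo():
    """Constructed traffic: a permitted client connection, its reply, and an unsolicited inbound packet."""
    fw = Firewall([Policy("10.1.1.0/24", "2.2.2.0/24", IPPROTO_TCP, 80, "permit")])
    syn = build_ipv4(IPPROTO_TCP, "10.1.1.5", "2.2.2.5", build_l4(IPPROTO_TCP, 40000, 80))
    synack = build_ipv4(IPPROTO_TCP, "2.2.2.5", "10.1.1.5", build_l4(IPPROTO_TCP, 80, 40000))
    unsolicited = build_ipv4(IPPROTO_TCP, "2.2.2.5", "10.1.1.5", build_l4(IPPROTO_TCP, 80, 40001))
    verdicts = [fw.process(syn), fw.process(synack), fw.process(unsolicited)]
    return verdicts, fw.stats


if __name__ == "__main__":
    print(demo())   # (['send', 'send', 'drop'], {'session_hits': 1, 'policy_lookups': 2, 'dropped': 1})
```

The point to take from the session counters is that only the first packet of a connection costs a policy search; everything after it, in either direction, is a hash lookup, which is why the slides can push session lookup into the ASIC and leave policy and path lookup to firmware.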
Key Stateful Screening Benefits
Full-Featured Stateful Inspection
Layer 3-7 Inspection
Well-Known, Proven Technology
Scalable Algorithms
ASIC Accelerated Session Setup
Questions?
Traffic Management
Next Generation Quality of Service
Traffic Shaping
• Alternatives
  – Priority Queuing
  – Class-Based Queuing (CBQ)
  – TCP Rate Control
  – ATM Generic Cell Rate Algorithm (GCRA)
• NetScreen’s Architecture
  – Bandwidth Guarantees, Maximums, Priorities
  – Hardware Accelerated Algorithms
ATM Generic Cell Rate Algorithm
• Leaky Bucket Algorithm
• Proven High Traffic
• Wasteful Bursts
Double Token Bucket
• Shares Excess Tokens
• Priority Allocation of Shared Tokens
• 8 Priority Classes
NetScreen Algorithm
• Double Token Bucket Algorithm
• Controlled by Guaranteed Bandwidth (GBW), Maximum Bandwidth (MBW) and Priority
• Per Policy Classification and Queues
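The double token bucket described on the last three slides, as an added example that is not NetScreen's own algorithm or code: each policy has a guaranteed bucket (GBW) that is always honoured, tokens left over after the guarantees form a shared pool that is handed out strictly by priority, and the maximum (MBW) caps how much of the pool any one policy can take. The policy names, link capacity and queue contents are constructed.

```python
"""Double token bucket scheduler in the style of the NetScreen Algorithm slide:
a guaranteed bucket (GBW) per policy, a shared pool of excess tokens handed out by
priority, and a per-policy ceiling (MBW). Added example, not NetScreen code; the
policies, link capacity and queue contents are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ShapedPolicy:
    name: str
    gbw: int            # guaranteed bandwidth per tick (kbit)
    mbw: int            # maximum bandwidth per tick (kbit), ceiling including shared tokens
    priority: int       # 0 = highest of the 8 classes, 7 = lowest
    queue: list = field(default_factory=list)   # pending packet sizes (kbit), FIFO
    sent: int = 0


def drain(policy, budget):
    """Send queued packets in order while they fit within budget; return kbit used."""
    used = 0
    while policy.queue and policy.queue[0] <= budget - used:
        used += policy.queue.pop(0)
    policy.sent += used
    return used


def shape_tick(policies, link_capacity):
    """One scheduler tick. Returns kbit granted per policy.

    Pass 1 fills every policy's guaranteed bucket regardless of priority, so a low
    priority class is never starved below its GBW. Tokens nobody could use, plus any
    link capacity above the sum of the guarantees, form the shared pool. Pass 2 hands
    the shared pool out in priority order, but never past a policy's MBW.
    """
    if sum(p.gbw for p in policies) > link_capacity:
        raise ValueError("guarantees exceed link capacity: the GBW sum must fit the link")
    granted = {p.name: drain(p, p.gbw) for p in policies}
    shared = link_capacity - sum(granted.values())
    for p in sorted(policies, key=lambda p: p.priority):
        if shared <= 0:
            break
        extra = drain(p, min(shared, p.mbw - granted[p.name]))
        granted[p.name] += extra
        shared -= extra
    return granted


def demo():
    """Constructed scenario on a 100 kbit/tick link: VoIP (highest priority) wants 90,
    Web wants 60, Bulk wants only 10 of its 30 guaranteed."""
    policies = [
        ShapedPolicy("voip", gbw=40, mbw=100, priority=0, queue=[10] * 9),
        ShapedPolicy("web", gbw=30, mbw=60, priority=3, queue=[10] * 6),
        ShapedPolicy("bulk", gbw=30, mbw=50, priority=7, queue=[10]),
    ]
    return shape_tick(policies, link_capacity=100)


if __name__ == "__main__":
    print(demo())   # {'voip': 60, 'web': 30, 'bulk': 10}
```

In the constructed run Bulk's 20 unused guaranteed kbit go to the pool and VoIP, being priority 0, takes all of them; Web keeps its 30 kbit guarantee but gets nothing extra. Swap the demand around (VoIP idle) and the same pool flows to Web up to its MBW, which is the "shares excess tokens" behaviour the slide lists.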
Integrated Policy Management
Key Traffic Management Benefits
Edge-to-Edge Classification
DiffServ TOS Bit Marking
ASIC Accelerated Classification
End-to-End Quality of Service
Service Level Agreements
White Paper: http://www.netscreen.com (Products -> White Papers)
Questions
Transparent Mode – All Interfaces
• No changes required on any end station, router or server
• Routing protocols and VLAN tags can be configured to pass through the NetScreen in transparent mode
• The NetScreen offers full firewall and VPN capabilities
Diagram: NetScreen with Trust 0.0.0.0, Untrust 0.0.0.0 and DMZ 0.0.0.0 interfaces between the Internet Router (2.2.2.254), the DMZ (Corporate Web 2.2.2.2, Mail Relay 2.2.2.3, DMZ DNS 2.2.2.4) and the trusted side (Intranet Web 2.2.2.5, Corp Mail 2.2.2.6, Intranet DNS 2.2.2.7, Admin PC 1 2.2.2.13, Admin PC 2 2.2.2.18, Admin PC 3 2.2.2.33, Sales 2.2.10.0, Support 2.2.20.0, Marketing 2.2.30.0)
VPN/PKI
Next Generation Privacy and Authentication
VPN Features
• IPSec – NetScreen is ICSA certified (www.icsa.net)
• Manual Keys, IKE, and Group IKE
• X.509 Certificate (PKI) support
• Policy-based VPNs (full firewall control of traffic through the tunnel)
• Hub and Spoke VPNs
• Support of NAT within the VPN tunnel
• Support of dynamically addressed VPN gateways (and dial users)
• L2TP/IPSec – for Win2K native VPN dial support
• Redundant Gateways
• SCEP and OCSP
IPSec Interoperability
• Real world implementations with:
  – Check Point, Cisco, Nortel, SonicWall, WatchGuard, Microsoft, etc.
• ICSA certified NetScreen as a reference member with the following products:
  – Lucent, Brick
  – Network Associates, Gauntlet
  – Nortel, Contivity
  – SafeNet, Soft-PK Client
  – Secure Computing, SideWinder
  – Others…
Multiple Hub and Spoke VPN
Flexible VPN Network Architectures: the Hub and Spoke is not limited to a single hub. Several branch or regional hubs can be interconnected via a full mesh, or even another hub.
Diagram: NetScreen-100 at the central office as hub; NetScreen-10 at Branch office 1 and Branch office 2; NetScreen-5 at small offices and broadband telecommuters; VPN tunnels carry encrypted traffic between them.
Policy NAT For Dial-up VPN
Diagram: NetScreen-Remote VPN clients at 1.1.1.1, 2.2.2.2 and 3.3.3.3 connect across the Internet to the Corp Net (10.0.0.0/8, reached via the default route). Dial-Up NAT Pool 10.1.1.0/24: 1.1.1.1 -> 10.1.1.1, 2.2.2.2 -> 10.1.1.2, 3.3.3.3 -> 10.1.1.3
• NAT Pool is defined as a subnet of the trusted network
• Each client is dynamically assigned an IP address in subnet 10.1.1/24 for the duration of the VPN session
• Policy on the client sends all traffic to the corporate network (10.0.0.0/8) through the VPN
• Dial-up client can access all services at the corporate net
• If Hub and Spoke is set up, the client can access services at other sites
Policy NAT For ASP or Extranet
Diagram: the ASP Network uses 10.1/16 for servers, 10.2.1/24 for Cust 1 clients and 10.2.2/24 for Cust 2 clients. Cust A (10.1/16) has NAT pool for VPN 10.2.1.0/24; Cust B (10.1.1.0/8) has NAT pool for VPN 10.2.2.0/24. Server 10.1.1.1 has a MIP set to 10.250.1.1 in VPN B.
• NAT each customer’s client addresses into a unique subnet of the ASP network
• If a server address overlaps the customer address space, provide a MIP within the VPN for the server that is unused by the customer
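Both Policy NAT slides implemented in one added example (not ScreenOS code): a NAT pool carved from the trusted network leases one address per client for the life of its VPN session and returns it on teardown, and a per-VPN MIP lets customer B reach a server whose real address collides with B's own space. The pools and the 10.250.1.1 -> 10.1.1.1 MIP are the slides' figures; the client addresses, the second customer's target server and the `PolicyVpn`/`NatPool` names are constructed.

```python
"""Policy NAT for dial-up and extranet VPNs, as on the two Policy NAT slides:
each VPN policy owns a NAT pool carved out of the trusted network, clients are leased
a pool address for the life of their session, and a MIP inside the VPN hides a server
whose real address overlaps the customer's own space. Added example, not NetScreen
code; the pools and the MIP are the slides' figures, the client addresses are constructed.
"""
import ipaddress


class NatPool:
    """One pool address per client for the duration of its VPN session."""

    def __init__(self, subnet):
        self.free = list(ipaddress.ip_network(subnet).hosts())   # e.g. 10.1.1.1 .. 10.1.1.254
        self.leases = {}                                          # client address -> pool address
        self.reverse = {}                                         # pool address -> client address

    def allocate(self, client):
        client = ipaddress.ip_address(client)
        if client in self.leases:
            return self.leases[client]
        if not self.free:
            raise RuntimeError("NAT pool exhausted; refuse the session rather than share a lease")
        addr = self.free.pop(0)
        self.leases[client], self.reverse[addr] = addr, client
        return addr

    def release(self, client):
        """Session teardown: the address goes to the back of the free list."""
        addr = self.leases.pop(ipaddress.ip_address(client))
        del self.reverse[addr]
        self.free.append(addr)


class PolicyVpn:
    """A VPN policy with its own NAT pool and optional MIPs for overlapping servers."""

    def __init__(self, name, pool_subnet, mips=None):
        self.name = name
        self.pool = NatPool(pool_subnet)
        # MIP: the address the customer sees inside the tunnel -> the server's real address
        self.mips = {ipaddress.ip_address(k): ipaddress.ip_address(v) for k, v in (mips or {}).items()}

    def inbound(self, src, dst):
        """Packet leaving the tunnel towards the trusted net: SNAT src to the pool, DNAT dst via MIP."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return str(self.pool.allocate(src)), str(self.mips.get(dst, dst))

    def outbound(self, src, dst):
        """Reply from the trusted net: put the MIP back on src, map the pool dst back to the client."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        real_to_mip = {v: k for k, v in self.mips.items()}
        client = self.pool.reverse[dst]      # KeyError means no live session owns this pool address
        return str(real_to_mip.get(src, src)), str(client)


def dialup_demo():
    """Dial-up VPN: three NetScreen-Remote clients leased out of 10.1.1.0/24, one leaves,
    a fourth arrives (constructed addresses)."""
    vpn = PolicyVpn("dialup", "10.1.1.0/24")
    leases = [vpn.inbound(c, "10.5.5.5")[0] for c in ("1.1.1.1", "2.2.2.2", "3.3.3.3")]
    vpn.pool.release("2.2.2.2")
    fourth = vpn.inbound("4.4.4.4", "10.5.5.5")[0]
    return leases, fourth


def asp_demo():
    """Extranet: two customers whose clients happen to use the same private address, and a
    server 10.1.1.1 that collides with customer B's space and is therefore reached via
    MIP 10.250.1.1 inside VPN B (server address for customer A is constructed)."""
    vpn_a = PolicyVpn("cust-a", "10.2.1.0/24")
    vpn_b = PolicyVpn("cust-b", "10.2.2.0/24", mips={"10.250.1.1": "10.1.1.1"})
    a = vpn_a.inbound("10.1.5.9", "10.1.9.9")
    b = vpn_b.inbound("10.1.5.9", "10.250.1.1")
    reply_b = vpn_b.outbound("10.1.1.1", b[0])
    return a, b, reply_b
```

The two customers' identical client address 10.1.5.9 never collides on the ASP side because each VPN policy translates into its own pool, and customer B never sees 10.1.1.1 at all, only the MIP, which is what keeps the overlapping server reachable.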
Digital X.509 Certificates
• CA signed ID/Public Key binding
• Electronic Credentials
  – Specially prepared cryptographic files
  – Tamper-proof ID and signature
• Issued by Certification Authority
  – Public or private communities
• Provides Key Trust Components
  – Verifies identity of holder
  – Enables privacy
  – Creates model for legal recourse
Making it even easier: SCEP & OCSP
• Automated Certificate Enrollment (SCEP)
  – Much easier than the present manual certificate process
  – Can be used to automatically request a certificate from a Certificate Authority and install it in a NetScreen device
  – This feature supports only VeriSign Certificate Authorities in this release
• Online Certificate Validation (OCSP)
  – Augments the static CRL (Certificate Revocation List) with a dynamic protocol (OCSP, Online Certificate Status Protocol) to validate certificates
  – Closes the window of vulnerability between certificate revocation and CRL update
  – This feature supports only VeriSign Certificate Authorities in this release
• Supported in ScreenOS 3.0 and NetScreen-Remote v5.1.3+
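The "window of vulnerability" the OCSP bullet refers to, made concrete in an added example (not NetScreen or VeriSign code, and no real OCSP or CRL wire format): a relying party holding a CRL published at T0 with a 24-hour validity keeps accepting a certificate revoked at T0+2h until the next CRL, while a live responder reports the revocation immediately. The serial numbers, times and the `Crl`/`OcspResponder` names are constructed.

```python
"""Revocation checking with a periodically published CRL versus a live OCSP responder,
illustrating the window of vulnerability the SCEP & OCSP slide refers to. Added
example, not NetScreen or VeriSign code; the serials and times are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset            # serials known to be revoked when the CRL was signed


@dataclass
class OcspResponder:
    revoked_at: dict = field(default_factory=dict)   # serial -> time of revocation

    def status(self, serial, now):
        """Live answer: the responder consults the CA's current state, not a snapshot."""
        t = self.revoked_at.get(serial)
        return "revoked" if t is not None and t <= now else "good"


def check_with_crl(serial, crl, now):
    """Static CRL: the answer cannot change until the next CRL is fetched.
    A CRL outside its validity period yields 'unknown' (fail closed)."""
    if now < crl.this_update or now > crl.next_update:
        return "unknown"
    return "revoked" if serial in crl.revoked else "good"


def validate(serial, now, crl, ocsp=None):
    """Prefer OCSP when a responder is configured; fall back to the CRL otherwise."""
    return ocsp.status(serial, now) if ocsp is not None else check_with_crl(serial, crl, now)


def revocation_window(crl, revoked_at):
    """How long a CRL-only relying party keeps accepting a certificate revoked after publication."""
    return max(crl.next_update - revoked_at, timedelta(0))


def demo():
    t0 = datetime(2002, 3, 1, 0, 0)
    crl = Crl(this_update=t0, next_update=t0 + timedelta(hours=24), revoked=frozenset({"0x1001"}))
    ocsp = OcspResponder()
    compromised = "0x2002"                              # constructed: revoked two hours after the CRL
    ocsp.revoked_at[compromised] = t0 + timedelta(hours=2)
    now = t0 + timedelta(hours=3)
    return {
        "crl_view": validate(compromised, now, crl),             # still "good": CRL predates revocation
        "ocsp_view": validate(compromised, now, crl, ocsp),      # "revoked"
        "old_revocation_via_crl": validate("0x1001", now, crl),  # CRL does catch earlier revocations
        "window_hours": revocation_window(crl, ocsp.revoked_at[compromised]) / timedelta(hours=1),
        "stale_crl": check_with_crl(compromised, crl, t0 + timedelta(hours=30)),
    }


if __name__ == "__main__":
    print(demo())
```

Note the fail-closed choice in `check_with_crl`: a relying party that kept trusting an expired CRL would be exposed for even longer than the 22-hour window the demo computes.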
Certificate Authorities
• Baltimore
• Entrust
• Microsoft
• Netscape (iPlanet)
• RSA
• VeriSign
Backup VPN Gateways
• Use Case: If my primary VPN connection goes down, use an alternative VPN to get to the destination network.
• Up to 8 different VPN paths to a destination network may be defined per policy
• VPN tunnels to each gateway remain up continuously
  – IKE based keep-alive messages are used to keep tunnels alive
  – If a tunnel dies unexpectedly, Phase 1 is retried after a specific interval
Diagram: remote site with multiple VPN paths to the Corporate LAN
Redundant VPN Gateways
Diagram: Spoke A and Spoke B each hold tunnels to Hub A and Hub B (tunnels A.0, B.0, A.1, B.1, labelled SAM=1 and SAM=2 at each hub)
• Redundant VPN
• Provides Geographic Fail-Over for VPN
• Covers Data Center Failures:
  – Entire Site Outage (power, war, etc.)
  – Internal Network Failures (Trust side link down)
  – Internet Connectivity Blackouts
NAT-Traversal
• Without NAT-Traversal, IPSec packets that are modified by a NAT device fail packet authentication checks and are thus dropped by the VPN gateway as illegal packets.
Diagram: IPSec Client → NAT-Device → VPN Gateway
  – The NAT device modifies the IP and UDP headers of IPSec & IKE packets (source IP address & port)
  – The packet is received by the VPN gateway; the ESP checksum doesn’t match, indicating the packet has been modified in transit. Normal IPSec will drop the packet
Generic IKE ID - Definition
Diagram: Company A with Building 1 and Building 2, each containing Sales and Engineering groups
• One IKE policy can be shared by many users in a specified group
• Admin defines groups with specific fields and the number of users allowed to login
• Any user offering a certificate with fields matching all defined values will be accepted as an instance of a defined user
• In this example, anyone in the Sales group for Company A is defined as a user
Generic IKE ID - Behavior
• Example 1: Certificate contains Company A, Bldg1, Sales. User in the Sales group for Company A; access is permitted
• Example 2: Certificate contains Company A, Bldg2, Sales. User in the Sales group for Company A; access is permitted; building number is not a defined value
• Example 3: Certificate contains Company B, Sales. User in the Sales group for Company B; access is denied
Group IKE IDs
• Enables IKE identities to be matched with specific DN fields in the peer’s certificate
• Enables multiple connections from hosts using the same IKE identity
• In this example any user whose certificate credentials match the following will be authenticated as an IKE user for a specific VPN
Screenshot: Group IKE IDs
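The matching rule from the three Generic IKE ID slides as an added example (not ScreenOS code): a group is defined by a subset of DN attributes plus a user limit, attributes the admin leaves undefined (the building OU here) are wildcards, and a certificate is accepted only when every defined value is present. The DNs reproduce the slide's three examples; the CNs, the fourth and fifth logins, the user limit and the `GroupIkeId` name are constructed. The DN parser is deliberately minimal and does not handle escaped commas.

```python
"""Group IKE ID matching against certificate DN fields, as on the Generic IKE ID slides:
the admin defines a group by a subset of DN fields plus a user limit; any certificate
whose fields match all defined values becomes an instance of that user. Added example,
not ScreenOS code; the DNs follow the slide's examples, the CNs are constructed.
"""
from dataclasses import dataclass, field


def parse_dn(dn):
    """Parse 'O=Company A, OU=Sales, CN=alice' into {ATTR: [values]} (OU may repeat).
    Simplification: commas inside attribute values are not supported."""
    fields = {}
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        if not value:
            raise ValueError(f"malformed RDN: {part!r}")
        fields.setdefault(attr.strip().upper(), []).append(value.strip())
    return fields


@dataclass
class GroupIkeId:
    name: str
    required: dict                # DN attr -> value that must be present; absent attrs are wildcards
    max_users: int                # number of distinct users allowed to be logged in at once
    active: set = field(default_factory=set)   # CNs currently logged in

    def matches(self, dn_fields):
        """Every defined value must appear among the certificate's values for that attribute."""
        return all(val in dn_fields.get(attr.upper(), []) for attr, val in self.required.items())

    def login(self, dn):
        """Returns 'permitted', 'denied' (fields do not match) or 'limit' (user count exhausted)."""
        f = parse_dn(dn)
        if not self.matches(f):
            return "denied"
        cn = f.get("CN", ["?"])[0]
        if cn not in self.active and len(self.active) >= self.max_users:
            return "limit"
        self.active.add(cn)
        return "permitted"


def demo():
    """The slide's three examples plus a wrong-group certificate and a user over the limit."""
    sales_a = GroupIkeId("CompanyA-Sales", {"O": "Company A", "OU": "Sales"}, max_users=2)
    return [
        sales_a.login("O=Company A, OU=Bldg1, OU=Sales, CN=alice"),   # example 1
        sales_a.login("O=Company A, OU=Bldg2, OU=Sales, CN=bob"),     # example 2: building undefined
        sales_a.login("O=Company B, OU=Sales, CN=carol"),             # example 3
        sales_a.login("O=Company A, OU=Engineering, CN=dave"),        # right company, wrong group
        sales_a.login("O=Company A, OU=Sales, CN=erin"),              # third distinct user, limit is 2
    ]


if __name__ == "__main__":
    print(demo())   # ['permitted', 'permitted', 'denied', 'denied', 'limit']
```

The user limit is what keeps a shared IKE ID from becoming an unbounded group credential: a leaked certificate matching the group still cannot log in more instances than the admin allowed.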
NetScreen-Remote 7.0
• Enhancements
  – New Deterministic Network Driver improves NIC compatibility
  – New virtual adapter improves DHCP and NT Domain support
  – New InstallShield Install/Uninstall method eases deployment
  – Full Windows 95/98/98SE/NT/ME/2000/XP support
• Major New Features
  – Includes support for NAT-Traversal (explained in the next few slides)
  – New “Auth and Go” works in conjunction with Global PRO 3.0 Policy Manager
Authenticate and Go
• “Auth and Go” is an application bundled with NetScreen-Remote which allows direct integration with NetScreen’s Policy Manager
• The purpose of “Auth and Go” is to allow secure, easy VPN policy deployment for environments with a large number of clients.
• “Auth and Go” prompts the user with a login dialog, requesting username and password.
NetScreen-Remote Future
With an Integrated Personal Firewall
Negotiations underway with leading vendors. Seamless integration. Target FCS CY H1 02
NetScreen Redundancy Protocol (NSRP)
High-Availability Solutions
Overview
• NetScreen’s High Availability Security Solution is built to match the high performance requirements of mission critical networks
  – Designed for
    • Enterprise and Service Provider Gateways & Data Centers
    • Carrier Access Networks
  – Provides the availability, redundancy and performance of switched and routed networks, plus stateful security
Overview - Continued
• NetScreen enhances high availability, resilience and performance
  – Redundancy protocol support - NSRP v2 (similar to VRRP, plus stateful)
  – Stateful fail-over for firewall and VPN
  – Redundant interfaces for participation in full mesh topologies with or without load-balancing switches
  – Active – Active load sharing for multi-gigabit throughput
  – Sub-second fail-over
• Utilizes new and existing NetScreen hardware
  – New NetScreen-1000 switching module – with redundant Trust and Untrust Gigabit interfaces
  – Dual interface NetScreen-500 modules – 10/100 & GigE
Network Security Redundancy: Good / Better / Best
Diagram: three topologies, each behind switch SW1
• Good – System Redundancy Active / Passive (2 Gbps)
• Better – System Redundancy Active / Active (4 Gbps, 2 Gbps per device)
• Best – System Redundancy Active / Active / Full Mesh (4 Gbps, 2 Gbps per device)
Stateful Active / Active Full Mesh High Availability
Diagram: two NetScreen devices fully meshed behind SW1; Total Throughput = 4 Gbps
• Stateful fail-over between NetScreen devices
  – Sessions, VPN tunnels and security associations maintained
• Option for both NetScreen devices to be active simultaneously
  – Peak throughput can be doubled
  – Second system always under test
• Option to use redundant interfaces
  – Trust / Untrust & HA interfaces
  – Full mesh solution, each layer has redundant connections
• Path monitor from the NetScreen device rapidly identifies upstream & downstream failures
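What "stateful f-ail-over" buys over a stateless pair, as an added example that is not NSRP or ScreenOS code: two cluster members elect a master by priority, session state is replicated to the backup when the cluster runs stateful, and a path monitor that loses its upstream probe makes the unit give up mastership. With replication the mid-connection packet is still forwarded after the switch; without it the backup has no session and the flow must be re-established. Member names, priorities, the monitored target and the `Cluster`/`Member` names are constructed.

```python
"""NSRP-style stateful fail-over: two cluster members, session state synchronised
over the HA link, and a path monitor that triggers fail-over when an upstream probe
fails. Added example, not NSRP code; member names, priorities and the monitored
targets are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    priority: int                                    # lower value wins the election
    sessions: set = field(default_factory=set)       # established flows this unit knows about
    paths: dict = field(default_factory=dict)        # monitored target -> reachable?
    alive: bool = True

    def eligible(self):
        """Path monitor: a unit that has lost an upstream or downstream path gives up mastership."""
        return self.alive and all(self.paths.values())


class Cluster:
    def __init__(self, members, stateful=True):
        self.members = members
        self.stateful = stateful

    def master(self):
        ok = [m for m in self.members if m.eligible()]
        return min(ok, key=lambda m: m.priority) if ok else None

    def open_session(self, flow):
        """First packet of a flow: the master creates the session and, if stateful, syncs it."""
        m = self.master()
        m.sessions.add(flow)
        if self.stateful:                               # replicate to every backup over the HA link
            for peer in self.members:
                peer.sessions.add(flow)
        return m.name

    def forward(self, flow):
        """Mid-connection packet: only a unit holding the session will forward it."""
        m = self.master()
        return m is not None and flow in m.sessions

    def path_lost(self, name, target):
        for m in self.members:
            if m.name == name:
                m.paths[target] = False


def failover_demo(stateful):
    """Constructed: session opened on the master, then its ISP-facing path fails."""
    a = Member("ns500-a", priority=100, paths={"isp-router": True})
    b = Member("ns500-b", priority=200, paths={"isp-router": True})
    cluster = Cluster([a, b], stateful=stateful)
    flow = ("tcp", "10.1.1.5", "2.2.2.5", 40000, 80)
    before = cluster.open_session(flow)
    cluster.path_lost("ns500-a", "isp-router")        # upstream failure seen by A's path monitor
    after = cluster.master().name
    return before, after, cluster.forward(flow)


if __name__ == "__main__":
    print(failover_demo(stateful=True))    # ('ns500-a', 'ns500-b', True)
    print(failover_demo(stateful=False))   # ('ns500-a', 'ns500-b', False)
```

The election here is the active/passive case; the active/active mode on the slide is the same replication running in both directions, so that each unit already holds its peer's sessions when it absorbs them.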
High Availability Landscape
Diagram: a grid from Stateless Fail-over to Stateful Fail-over on one axis and from Device Redundancy to Full Mesh on the other; positioned on it are Core Routers & Switches, VPN Only, VPN + 3rd party FW, Active/Passive VPN & FW, and Active/Active VPN & FW with Full Mesh
HA Competitive Matrix
Columns, in the order the slide lists the products: (1) NetScreen 500 & 1000, (2) Check Point HA, (3) Check Point Rainfinity, (4) Cisco PIX 535, (5) Cisco VPN 3080, (6) Nokia CC5205, (7) Nokia IP-740, (8) SonicWall ProVX

Feature                                  (1)  (2)  (3)  (4)  (5)  (6)  (7)  (8)
Stateful Firewall FailOver               Yes  Yes  Yes  Yes  No   No   Yes  No
Stateful VPN FailOver                    Yes  Yes  Yes  No   Yes  Yes  No   No
Active Active Firewall                   Yes  No   Yes  No   No   No   No   No
Active Active VPN                        Yes  No   Yes  No   Yes  Yes  No   No
Redundant HA ports                       Yes  No   No   No   No   No   No   No
Fully Meshed Trust / Untrust Interfaces  Yes  Yes  Yes  No   No   No   Yes  No
Path Monitor (conn / health)             Yes  No   Yes  No   No   No   No   No
Sub Second Failover                      Yes  No   No   No   No   Yes  No   No
Conclusion
• NetScreen takes a leadership position in High Availability Security Solutions
  – Stateful fail-over of VPN and firewall (including Vsys)
  – Active – Active load sharing
  – Interface redundancy for full mesh topologies and additional levels of resilience
    • Redundant Trust & Untrust interfaces
    • Redundant HA interface
  – Path monitoring
  – Sub-second fail-over
  – Multi-gigabit clusters
ScreenOS
Purpose-built for Maximum Security & Performance
ScreenOS
• ScreenOS 2.8r1 - Supported on the NS-1000
  – Has NSRPv2 - Active / Active failover features
  – Adds NAT Traversal, L2TP in root and VSYS, and Generic IKE ID
• ScreenOS 3.0r2 - Supported on the NS-5XP, NS-10, NS-25, NS-50, NS-100, NS-500
  – Adds NAT Traversal, Generic IKE IDs, 38 new MIBs, SCEP, OCSP, and Secondary IP Addresses
  – Mainstream ScreenOS code for most customers
  – Not supported on the NS-5
  – Please note ScreenOS 3.0r2 adds a few new minor features. Read the release notes!
• ScreenOS 3.1r1 - Supported on the NS-204, NS-208 and NS-500 only
  – Combines ScreenOS 3.0 features with the USGA architecture
  – Allows support for all physical interfaces on the NS-500
  – New architecture - allows almost all features on all ports or VSYS
ScreenOS – Current Beta Programs
• ScreenOS with Trend Micro AntiVirus Support - Platforms Supported TBD
  – Allows email redirection to a Trend Micro AntiVirus server
  – Exact features and NetScreen platforms supported can be learned from your NetScreen SE
  – Please contact your SE if you are interested in participating in this beta
• ScreenOS 3.0.0 with User Authentication Extended Features - Supported on NS-100 and NS-500
  – Multiple Authentication Servers
  – External User-Groups
  – Firewall Authentication Enhancements
  – Custom Authentication Banner messages
  – Admin Authentication Enhancements
  – L2TP IP Pool / RADIUS Enhancements
  – NetScreen RADIUS Attributes
  – Available on beta.netscreen.com
Major New Features in 3.0
• VPN Enhancements
  – NAT Traversal for IPSec
  – Generic IKE IDs
  – Advanced Encryption Standard
• Device Management
  – NetScreen MIBs
  – Logging Enhancements
• Certificate Management
  – Automated Certificate Enrollment (SCEP)
  – Online Certificate Validation (OCSP)
• Other New Features
  – Public Key Authentication for SCS
  – Clear Session
  – Secondary IP Addresses
  – H.323 Gatekeeper Support
  – Malicious URL Detection
  – Session Thresholds
Device Management Features
• NetScreen Management Information Bases (MIBs)
  – Enhanced monitoring of NetScreen devices through new custom SNMP management information bases (MIBs)
  – Provides access to virtually every counter, statistic and configuration within NetScreen devices through the standard network management platforms used to monitor the rest of the network devices
• Logging Enhancements
  – Now supports a standardized format for log messages, including the reporting module, the message severity, and a timestamp
  – Admin has much more granular control over the destination(s) of specific severity messages
Logging Enhancement
Structured Logging
Other New Features
• SCS Public Key Authentication
  – Eases automated CLI administration of NetScreen devices
  – No longer required to store usernames/passwords in script files
• Clear Session
  – Provides the admin with more control over which active sessions to display or clear from the active tables
  – Can specify matching sessions to display or clear by
    • Source and/or destination IP
    • Source and/or destination port numbers
    • Source and/or destination MAC address
  – When the command completes, displays the total number of sessions cleared
Other New Features
• Secondary IP addresses
  – Up to 4 (NetScreen-5XP, NetScreen-10) or 8 (NetScreen-100, NetScreen-500) per interface, on the Trust and DMZ interfaces only
  – Defining a secondary IP address on the Trusted or DMZ interfaces allows customers to route traffic between two subnets and use the NetScreen device as the default gateway rather than add a router
• H.323 Gatekeeper Support
  – Allows customers to use H.323 Gatekeepers on different interfaces of the NetScreen from the H.323 terminals
  – Previously, the gatekeepers and terminals had to be on the same side of the NetScreen device
  – This release allows for more flexible placement of the terminals and gatekeepers within an organization
    • Example: Terminals on the Trusted side of a NetScreen device can communicate with a Gatekeeper on the Untrusted side
Other New Features
• Internet Worm Attack Protection
  – Malicious URL Detection: When enabled, the NetScreen device monitors all HTTP packets looking for the portion of the URL used to exploit the target web server
    • If such a packet is detected, it is dropped and an alarm is generated
  – Session Threshold Per Source IP Address: When enabled, the NetScreen will limit the number of sessions that any one trusted or DMZ IP can occupy on the NetScreen box
    • Prevents the session table from becoming full when a web server infected with a worm tries to access other web servers
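The per-source session threshold above and the Clear Session command from the earlier "Other New Features" slide share one data structure, so this added example (not ScreenOS code) covers both: a session table with a fixed capacity, an optional per-source limit that raises an alarm and refuses the session instead of letting one infected host fill the table, and a `clear()` that takes any combination of source/destination IP, port and MAC criteria and reports how many sessions it removed. The table size, the limit, the infected host and the addresses are constructed.

```python
"""Session table with a per-source session threshold (worm containment) and a
criteria-based clear, as on the "Other New Features" slides. Added example, not
ScreenOS code; capacity, threshold and all addresses are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    src_mac: str


class SessionTable:
    def __init__(self, capacity, per_source_limit=None):
        self.capacity = capacity
        self.per_source_limit = per_source_limit     # None = threshold disabled
        self.sessions = set()
        self.alarms = []

    def count_for_source(self, ip):
        return sum(1 for s in self.sessions if s.src_ip == ip)

    def add(self, s):
        """Returns 'ok', 'source-threshold' (per-IP limit hit) or 'table-full'."""
        if self.per_source_limit is not None and self.count_for_source(s.src_ip) >= self.per_source_limit:
            self.alarms.append(f"session threshold {self.per_source_limit} reached for {s.src_ip}")
            return "source-threshold"
        if len(self.sessions) >= self.capacity:
            return "table-full"
        self.sessions.add(s)
        return "ok"

    def clear(self, **criteria):
        """Clear every session matching all given criteria; return the number cleared.
        Accepted keys: src_ip, dst_ip, src_port, dst_port, src_mac."""
        unknown = set(criteria) - set(Session.__dataclass_fields__)
        if unknown:
            raise ValueError(f"unknown clear criteria: {sorted(unknown)}")
        matched = {s for s in self.sessions if all(getattr(s, k) == v for k, v in criteria.items())}
        self.sessions -= matched
        return len(matched)


def worm_scenario(per_source_limit):
    """Constructed: an infected DMZ web server at 2.2.2.2 tries to open 50 outbound
    sessions while a mail host needs one; the table holds 40 sessions."""
    table = SessionTable(capacity=40, per_source_limit=per_source_limit)
    infected = [table.add(Session("2.2.2.2", f"198.51.100.{i}", 1024 + i, 80, "00:11:22:33:44:55"))
                for i in range(50)]
    normal = table.add(Session("2.2.2.6", "203.0.113.25", 2525, 25, "00:11:22:33:44:66"))
    cleared = table.clear(src_ip="2.2.2.2")          # the admin's "clear session" for the worm host
    return {
        "infected_accepted": infected.count("ok"),
        "infected_blocked": infected.count("source-threshold"),
        "infected_table_full": infected.count("table-full"),
        "normal": normal,
        "cleared": cleared,
        "alarms": len(table.alarms),
    }


if __name__ == "__main__":
    print(worm_scenario(per_source_limit=20))
    print(worm_scenario(per_source_limit=None))
```

With the threshold off, the infected host takes all 40 slots and the legitimate mail session gets `table-full`; with a limit of 20 it is capped, alarms fire for each refused attempt, and the rest of the network keeps working until the admin clears the host's sessions.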
ScreenOS 3.1 (USGA)
Universal Security Gateway Architecture
• New architectural foundation for ScreenOS in support of NetScreen’s next generation platforms and services delivery
• Designed to deliver today’s security features in a more flexible manner on NetScreen platforms, removing the current restriction of certain services to specific interfaces
• Enhanced to provide additional user configurability
• Ready to deliver new features in a flexible manner, including dynamic routing, new security features, and other customer requested capabilities
Zone Based Security
• A security zone is an entity for grouping interfaces that carry traffic at an equivalent security level
• Traffic between zones, being of different security levels, must be approved by security policy
• ScreenOS currently provides
  – 3 well known zones: trust, untrust and DMZ
  – 4 policy sets, Incoming, Outgoing, ToDMZ and FromDMZ, for policy enforcement of traffic between zones
• USGA will provide
  – User defined zones in addition to the well known, system defined zones
  – A separate, directional policy set for each pair of zones, e.g. trust-to-DMZ, for policy enforcement of traffic from zone to zone
Zone Based Security in USGA
• Zones include three pre-defined and arbitrary user defined zones
• Policy Engine controls traffic between zones
• Policy sets explicitly list from and to zones
Diagram: Untrust, Trust, DMZ, Mkt and Eng zones around the Policy Engine; Permitted Traffic versus Unchecked Traffic

From \ To   Untrust      Trust        DMZ          Mkt          Eng
Untrust     N/A          UntToTrust   UntToDMZ     UntToMkt     UntToEng
Trust       TrustToUnt   N/A          TrustToDMZ   TruToMkt     TruToEng
DMZ         DMZToUnt     DMZToTrust   N/A          DMZToMkt     DMZToEng
Mkt         MktToUnt     MktToTru     MktToDMZ     N/A          MktToEng
Eng         EngToUnt     EngToTru     EngToDMZ     EngToMkt     N/A
Reserved Zones
• Management zone for support of out-of-band management interfaces and tunnels for management traffic
• HA zone for HA interfaces, NSRP, etc.
• Specific VLAN zones for trust, untrust and DMZ for transparent mode, backward compatibility
• Specific tunnel zones for trust, untrust and DMZ for transparent mode, backward compatibility
Security Zone Configuration
Hardware Interfaces
• ScreenOS currently supports
  – 3 well known interfaces, trust, untrust and DMZ
  – Each individual interface permanently bound to the like-named security zone
• USGA will provide
  – Support for additional network interfaces (>3) in NetScreen products
  – More generic naming of physical interfaces
  – User defined binding of interfaces to security zones
  – Binding of multiple interfaces to a single security zone
  – Some pre-defined, special purpose interfaces, like HA
Hardware Interfaces in USGA
• Each interface can be bound to only a single zone
• Multiple interfaces may be bound to a single zone, such as for the untrust/internet zone where redundant ISP links are used
• The pre-defined zones may be used (or not) as desired
Diagram: zones Untrust, Mkt, Eng, IT and Finance around the Policy Engine, with interfaces Ether1/1, Ether1/2, Ether2/1, Ether2/2, Ether3/1, Ether3/2 and Ether4/1 bound to them
NetScreen-500 With USGA
Diagram: Ethernet1/1; Ethernet1/2 (default “Untrust” interface); Ethernet2/1; Ethernet2/2 (default “DMZ” interface); Ethernet3/1 (default “Trust” interface); HA1, HA2 and MGT ports
Listing Interfaces
Configuration of Interfaces
Sub-interfaces
• ScreenOS currently supports
  – Sub-interfaces, each bound to an 802.1q VLAN, on trust and untrust interfaces
  – Usable only on Vsys enabled systems
  – Trust sub-interface must be bound to the trust security zone in the Vsys
• USGA will provide
  – Sub-interfaces on any physical interface
  – Binding of a sub-interface to any zone, not just the same zone as its physical interface
  – Availability of sub-interfaces without the necessity of enabling Vsys
Sub-Interfaces in USGA
• Sub-interfaces will extend the physical interface name with .Z to denote the sub-interface number of a given physical interface
• Sub-interfaces may be bound to any security zone; they are not restricted to the same zone as the physical interface.
• Multiple interfaces, physical, sub, or a combination, can be bound to a security zone
Diagram: zones Untrust, Service, Eng, IT, Corp and Sales/Mkt around the Policy Engine, with physical interfaces Ether1/1, Ether1/2, Ether2/1, Ether2/2, Ether3/1 and sub-interfaces Ether2/1.1, Ether2/1.2, Ether2/1.3, Ether2/1.4 bound to them
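The zone model from the "Zone Based Security in USGA", "Hardware Interfaces in USGA" and "Sub-Interfaces in USGA" slides in one added example (not ScreenOS code): interfaces named `etherN/M` or `etherN/M.Z` are bound to exactly one zone, several interfaces may share a zone, the policy set is chosen by the (from zone, to zone) pair and named the way the slide's matrix names it, and traffic between two interfaces of the same zone is forwarded without a policy search. The zone names follow the slides; the rules, addresses and the `Gateway`/`Rule` names are constructed.

```python
"""Zone-based policy lookup in the USGA style: interfaces (physical or .Z sub-interfaces)
bound to exactly one zone, a directional policy set per zone pair, and intrazone
traffic forwarded without a policy search. Added example, not ScreenOS code; zone
names follow the slides, the rules and addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

IFNAME = re.compile(r"^ether(net)?\d+/\d+(\.\d+)?$", re.IGNORECASE)   # etherN/M or etherN/M.Z


@dataclass
class Rule:
    src: str        # source network
    dst: str        # destination network
    service: str    # e.g. "tcp/80"; "any" matches every service
    action: str     # "permit" or "deny"


class Gateway:
    def __init__(self, zones=("Untrust", "Trust", "DMZ")):
        self.zones = {z: set() for z in zones}      # pre-defined zones, used or not
        self.zone_of = {}                           # interface -> zone
        self.policy_sets = {}                       # (from zone, to zone) -> [Rule]

    def add_zone(self, name):
        self.zones.setdefault(name, set())

    def bind(self, interface, zone):
        if not IFNAME.match(interface):
            raise ValueError(f"bad interface name {interface!r}; expected etherN/M or etherN/M.Z")
        if zone not in self.zones:
            raise KeyError(f"unknown zone {zone}")
        if interface in self.zone_of:
            raise ValueError(f"{interface} is already bound to {self.zone_of[interface]}")
        self.zone_of[interface] = zone
        self.zones[zone].add(interface)

    def add_rule(self, from_zone, to_zone, rule):
        self.policy_sets.setdefault((from_zone, to_zone), []).append(rule)

    def evaluate(self, in_if, out_if, src, dst, service):
        """Returns (action, policy set name). The lookup is keyed by the zone pair alone,
        so two interfaces in one zone (redundant ISP links) share a single policy set."""
        fz, tz = self.zone_of[in_if], self.zone_of[out_if]
        if fz == tz:
            return "permit", "intrazone (no policy search)"
        name = f"{fz}To{tz}"
        for r in self.policy_sets.get((fz, tz), []):
            if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                    and r.service in (service, "any")):
                return r.action, name
        return "deny", name                         # no matching rule in the set: default deny


def demo():
    gw = Gateway()
    for z in ("Mkt", "Eng"):
        gw.add_zone(z)
    gw.bind("Ether1/1", "Untrust")
    gw.bind("Ether1/2", "Untrust")                  # second ISP link, same zone
    gw.bind("Ether3/1", "Trust")
    gw.bind("Ether2/1.1", "Mkt")                    # VLAN sub-interfaces of one physical port
    gw.bind("Ether2/1.2", "Eng")
    gw.add_rule("Trust", "Mkt", Rule("10.3.0.0/16", "10.20.0.0/16", "tcp/80", "permit"))
    gw.add_rule("Mkt", "Untrust", Rule("10.20.0.0/16", "0.0.0.0/0", "any", "permit"))
    return [
        gw.evaluate("Ether3/1", "Ether2/1.1", "10.3.1.7", "10.20.5.5", "tcp/80"),
        gw.evaluate("Ether2/1.1", "Ether3/1", "10.20.5.5", "10.3.1.7", "tcp/80"),   # no MktToTrust rules
        gw.evaluate("Ether2/1.1", "Ether1/2", "10.20.5.5", "203.0.113.9", "tcp/443"),
        gw.evaluate("Ether1/1", "Ether1/2", "198.51.100.1", "203.0.113.9", "tcp/443"),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Two consequences worth noticing: the policy set is directional, so a Trust-to-Mkt permit says nothing about Mkt-to-Trust, and binding the same interface twice is refused, which is the "each interface can be bound to only a single zone" rule from the slide.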
Configuration of Sub-Interfaces
Routing
• Currently in ScreenOS
  – Single route domain
  – Routing of inbound packets is used to determine the intended outbound interface/zone to limit the policy search
  – No overlapping networks allowed
  – Limited u-turn traffic support within a zone
• Routing in USGA
  – Multiple virtual routers
  – Security zones bound to virtual routers
  – Controlled route re-distribution between virtual routers
Routing in USGA
• Zones are bound to one of 2 routing domains
• Each routing domain is independent, including the ability to run separate routing protocols or areas in different domains
• Controlled redistribution of routing information ties the two together
  – E.g. redistribute the “default route” from domain 2 to domain 1 so inside hosts can reach outside hosts
• Routing is performed for traffic between interfaces within the same zone without a policy search; traffic between zones in the same domain still engages the policy engine
Diagram: zones Untrust, DMZ, Service, Eng, Corp and Sales/Mkt split across Routing Domain 1 and Routing Domain 2, joined by Route Redistribution; interfaces Ether1/1, Ether1/2, Ether2/1, Ether2/1.1, Ether2/1.2, Ether2/1.3, Ether2/1.4, Ether2/2 and Ether3/1
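The two-domain routing just described, as an added example that is not ScreenOS code: each virtual router keeps its own longest-prefix-match table, so the same prefix may exist in both (the overlap the current single route domain forbids), and a filtered redistribution copies only the chosen prefixes (here just the default route) from one router into the other, where they point at the other router rather than at a physical interface. The router and interface names, prefixes and the 2.2.2.254 gateway are constructed.

```python
"""Multiple virtual routers with controlled redistribution, in the USGA routing style.
Added example, not ScreenOS code; router names, prefixes and interfaces are constructed.
"""
import ipaddress


class VirtualRouter:
    def __init__(self, name):
        self.name = name
        self.routes = {}                  # ip_network -> (interface, gateway)

    def add_route(self, prefix, interface, gateway=None):
        self.routes[ipaddress.ip_network(prefix)] = (interface, gateway)

    def lookup(self, dst):
        """Longest prefix match within this router only."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda n: n.prefixlen)
        return best, self.routes[best]


def redistribute(src, dst, allow):
    """Copy the prefixes accepted by the allow-filter from src into dst. A prefix dst already
    owns is never overridden, so an overlapping customer network stays local. Returns the
    prefixes exported."""
    exported = []
    for net in src.routes:
        if allow(net) and net not in dst.routes:
            dst.add_route(str(net), "vr:" + src.name)      # next hop is the other virtual router
            exported.append(str(net))
    return exported


def resolve(vrs, vr_name, dst, max_hops=4):
    """Follow lookups across virtual routers until a physical interface is reached."""
    for _ in range(max_hops):
        hit = vrs[vr_name].lookup(dst)
        if hit is None:
            return None
        _, (iface, gw) = hit
        if not iface.startswith("vr:"):
            return iface, gw
        vr_name = iface[3:]
    raise RuntimeError("redistribution loop between virtual routers")


def build_demo():
    """Constructed: an inside router (trust-vr) and an outside router (untrust-vr) that both
    carry 10.1.0.0/16, with only the default route redistributed from outside to inside."""
    trust = VirtualRouter("trust-vr")
    trust.add_route("10.1.0.0/16", "ethernet3/1")            # Corp
    trust.add_route("10.2.0.0/16", "ethernet2/2")            # Sales/Mkt
    untrust = VirtualRouter("untrust-vr")
    untrust.add_route("0.0.0.0/0", "ethernet1/1", "2.2.2.254")
    untrust.add_route("10.1.0.0/16", "ethernet2/1")          # DMZ customer reusing the same space
    exported = redistribute(untrust, trust, allow=lambda net: net.prefixlen == 0)
    return {"trust-vr": trust, "untrust-vr": untrust}, exported


if __name__ == "__main__":
    vrs, exported = build_demo()
    print(exported)                                          # ['0.0.0.0/0']
    print(resolve(vrs, "trust-vr", "203.0.113.7"))          # ('ethernet1/1', '2.2.2.254')
    print(resolve(vrs, "trust-vr", "10.1.5.5"))             # ('ethernet3/1', None)
    print(resolve(vrs, "untrust-vr", "10.1.5.5"))           # ('ethernet2/1', None)
```

The filter is the "controlled" part: had `allow` accepted everything, the outside router's 10.1.0.0/16 would still be kept out of trust-vr by the ownership check, but any other outside prefix would silently appear inside, which is exactly the leak a security engineer wants the redistribution policy to forbid.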
Configure Routes
Virtual Systems
• ScreenOS currently provides for each Vsys
  – Private trust zone
  – Single virtual router
  – Multiple sub-interfaces
• USGA
  – Multiple security zones
  – Physical or sub-interfaces bound to Vsys
  – Single virtual router
Vsys In USGA
Diagram: the root system, Vsys 1 and Vsys 2, each with its own Policy Engine and, for the Vsys, a Local Vsys Router; zones Untrust, DMZ, Trust, DMZ1, DMZ2 and Cust 1; interfaces Ether2/1.1, Ether2/2.1, Ether4/1.1, Ether1/1.5, Ether1/1.3, Ether1/1.4, Ether1/1.2, Ether3/1 and Ether3/2; Route Domain 1 and Route Domain 2
VPN Tunnels in USGA: Policy Based
• VPN policy has the same behavior as before
• IPSec tunnel specification now includes the physical interface or sub-interface to use as the gateway, as multiple interfaces may be bound to a security zone
Diagram: traffic from the Trust zone (ether2) passes the Policy Engine and leaves as encrypted traffic via the Untrust zone (ether1, ether3)
VPN Tunnels in USGA: Dynamic Tunnel Selection
• IPSec tunnels may be bound to a specific tunnel interface
• A tunnel interface is treated like other interfaces, physical or virtual, in that
  – It may be bound to any security zone
  – It may participate as an interface in routing
  – It may have NAT/NAPT services
• Traffic directed to a tunnel interface is encrypted and sent through the tunnel bound to that tunnel interface
• Tunnel to tunnel interface binding is one-to-one
Diagram: Routing Domain 1 and Routing Domain 2; zones Internet, IT, Corp and ExNet around the Policy Engine; interfaces Ether1.1, Ether2, Ether3.1, Ether4, ether5 and tunnel interfaces Tunnel1, Tunnel2, Tunnel3; labels “Tunnel Bound To Physical Interface”, “Tunnel Bound To Tunnel Interface” and “Tunnel not bound to tunnel interface accessible by static policy only”
DoS and other System Services Today
• DHCP Server/Relay
• NAT
• PPPoE/DHCP Client
• DoS Protections
• MIP/VIP
• IPSec tunnel termination
• IPSec tunnel traffic
• Centrally configured for the system
• Delivered on specific interfaces only
Diagram: Untrust, DMZ and Trust interfaces around the Policy Engine
DoS and Services in USGA
• Intended to be configurable on a per interface basis, physical or sub
• First release: per physical interface
  – DoS Protections
  – NAT
  – MIP
  – DHCP Relay
Diagram: zones Untrust, Mkt, Eng, IT and Finance around the Policy Engine with interfaces Ether1/1, Ether1/2, Ether2/1, Ether2/2, Ether3/1 and Ether3/2; DoS Protection, MIP and DHCP Relay are attached to individual interfaces (Received Traffic versus Permitted Traffic)
Questions