
Page 1: NetScreen Technologies

NetScreen Confidential – Internal Use Only

NetScreen Technologies

March 2002

Technical Overview

Richard Cassidy, SE EMEA

Page 2: NetScreen Technologies


Resource for Resellers

• Partner Website – All Netscreen Sales Tools
 – Presentations, white papers, product sheets, competitive analysis and more
• EMEA Presales Mailing List – For all Netscreen Premier, Authorized and Approved Partners only
 – Mailing list monitored by all EMEA Systems Engineers
• Support Website – Comprehensive Technical Resource
 – TAC online, manuals and user guides
• Technical Mailing List – Once a month comprehensive Netscreen Technical Update via e-mail
 – Latest product info and releases; technical tools and partner updates
• Webcasts – Netscreen on-line training courses

Page 3: NetScreen Technologies


NetScreen by design: Enforce Maximum Security without sacrificing:
• Performance
• Scalability
• Manageability
• Flexibility
• Reliability
• Interoperability

Page 4: NetScreen Technologies


NetScreen Product Overview

• Integrated security systems and appliances

– ICSA certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI, NAT acceleration and traffic management

– 10Mbps to 2Gbps Firewall

– 10Mbps to 1Gbps 3DES IPSec VPN

• Resilient, solid-state solutions with high availability architectures

• Policy-based management of devices and remote users

Figure: product line positioning. NetScreen Security Mgmt & Client: NetScreen-Global PRO / Global PRO Express, NetScreen-Remote. NetScreen Security Appliances: NetScreen-5XP, NetScreen-25, NetScreen-50, NetScreen-200 Series. NetScreen Security Systems: NetScreen-500, NetScreen-1000.

Page 5: NetScreen Technologies


How it all began …

“Just like ASIC-based switches fought and prevailed in enterprise and service-provider backbones, the software vs. hardware fight is on in the security area. Any network manager looking to secure true high-performance networks better take heed.”

– Kevin Tolly, President and CEO of Tolly Research/The Tolly Group.

Figure: evolution from expensive, slow, multi-purpose computers, to purpose-built HW/SW appliances, to ASIC-accelerated dedicated hardware.

Page 6: NetScreen Technologies


Where it continues to go …

Figure: progression from software, to ASIC-acceleration, to hardware & software.

Page 7: NetScreen Technologies


The NetScreen Difference

• Industry-leading performance and bulletproof security through next-generation architectures:
 – Lightning-fast, crypto-accelerating ASIC
 – Purpose-built, security-optimized ScreenOS™
 – Highly-efficient hardware designs combining single and multiple ASICs along with single/multi/parallel RISC-based processors
• Tight Integration of Core Technologies
 – Stateful Screening Firewall
 – VPN / PKI
 – Attack Detection and Protection
 – Traffic Shaping / Bandwidth Management
• Comprehensive methods of device management
• End-to-end solutions offering flexible network architectures
• Best-of-Breed partnerships and alliances

Page 8: NetScreen Technologies


At the speed of silicon

                        NetScreen MegaScreen  NetScreen GigaScreen  Hi/fn 7751  Hi/fn 7811
DES                     250 Mbps              1200 Mbps             164 Mbps    527 Mbps
3DES                    86 Mbps               400 Mbps              83 Mbps     252 Mbps
MD5                     250 Mbps              1200 Mbps             96 Mbps     290 Mbps
SHA-1                   400 Mbps              450 Mbps              80 Mbps     244 Mbps
Public Key Accelerator  No                    Yes                   No          Yes
Random # Generator      Yes                   Yes                   No          No
RC4                     No                    200 Mbps              122 Mbps    185 Mbps
Firewall                Policy Engine         Policy/NAT Engine     No          No

Page 9: NetScreen Technologies


NetScreen Hardware Architectures

• NS1000 – Mid-plane switching fabric, multi-bus w/fiber interconnects, multi-parallel processors, multi-GigaScreen ASICs

• NS500 – Multi-bus, multi-interface card, single board, GigaScreen ASIC

• NS100/200 Series – Multi-bus, single board, GigaScreen ASIC

• NS25/50 – Single bus & board, GigaScreen ASIC

• NS5xp – Single bus & board, GigaScreen ASIC


Page 10: NetScreen Technologies


NetScreen … Built for Performance

Figure: Traditional Design (CPU, RAM, I/O and a VPN co-processor sharing one bus, packets in and out) beside the NetScreen Design.

Traditional Design
- Multiple passes across the bus
- No separation of the data & control planes

NetScreen Design
- Single pass across the bus
- Separation of data & control planes

Page 11: NetScreen Technologies


However, the ASICs aren’t everything …

Figure: efficient hardware designs, RISC processors (management, housekeeping, etc.) and a purpose-built operating system -- ScreenOS.

Page 12: NetScreen Technologies


NetScreen Security Solutions

Next Generation Security Systems and Appliances

Page 13: NetScreen Technologies


Managed Security for Small & Medium Enterprises

• Managed security services are growing rapidly among small and medium enterprises
 – In 1999 it was a $14M market
 – Expected to be over $630M by 2005

Source: the Yankee Group, 2000

Page 14: NetScreen Technologies


Product Overview: NetScreen-5xp – Telecommuter, SOHO, Small Branch Office

• Integrated Firewall, VPN and Traffic Mgmt.
 – Stateful inspection firewall
 – NAT, PPPoE and DHCP client, server & relay
 – VPN
  • Site to Site & Client to Site
  • Supports IPSec 3DES, DES & AES encryption standards
  • Supports L2TP for Windows interoperability
 – Bandwidth reservation and DiffServ marking
• Ships with ScreenOS 3.0
• Performance & Capacity
 – 10 Mbps firewall
 – 2000 concurrent sessions
 – 10 Mbps VPN 3DES
 – 10 IPSec VPN tunnels
• Award-winning and proven technology since 1999
• 2 port auto-sensing 10/100 Ethernet – Trust, Untrust
• AC power

Page 15: NetScreen Technologies


NS5xp/25/50 Architecture

Figure: NS5xp/25/50 architecture block diagram. MPC8xx PowerPC core with UART, RTC and RS232 console, SDRAM, SRAM, flash boot ROM and PCMCIA interface on a 32-bit/48MHz bus; NetScreen GigaScreen ASIC; MAC 1 (Trusted) and MAC 2 (Untrusted) with PHYs, plus MAC 3 and MAC 4 with PHYs on the NS25/50 only.

Page 16: NetScreen Technologies


NetScreen-5XP vs. NetScreen-5

Appliance Features     NetScreen-5XP           NetScreen-5
ASIC                   GigaScreen              MegaScreen
CPU                    MPC850 48 MHz           MPC850 33 MHz
Redesigned Chassis     Cable access from rear  Cable access from front
RAM                    32 MB                   16 MB
Flash                  4 MB                    2 MB
Asset Recovery Switch  Yes                     No
Concurrent sessions    2000                    1000
Faster Performance     10 Mbps 3DES            5 Mbps 3DES

Page 17: NetScreen Technologies


NetScreen-5XP Hardware Features

• Proven Hardware Architecture – GigaScreen ASIC
• Broadband enabled – 2 port 10Mbps Full Duplex 10BaseT Ethernet
• Easily Managed
 – RS232 serial console port for management
 – Asset Recovery Switch
• Small Footprint 5L x 6W x 1.25H

Page 18: NetScreen Technologies


NetScreen-5XP Software Features

• Proven Software Architecture

– ScreenOS 2.6.0: shared code base with all NetScreen products

– ICSA Certified, stateful-inspection firewall and IPSec

• Transparent, Route, and NAT modes of operation

• Traffic Management: 8 levels of priority, plus guaranteed & maximum bandwidth, defined by policy

• 10 IPSec VPN Tunnels

• 2000 Firewall Concurrent Sessions

Page 19: NetScreen Technologies


NetScreen-5XP Performance

• Full duplex 10 Mbit line speed
• Symmetrical Performance
• 10 Mbps 3DES VPN
• 10 Mbps Firewall
• Latency reached a record low of 380 µSec (or 0.38 mSec) for support of new applications
 – VoIP
 – Streaming media

Page 20: NetScreen Technologies


NetScreen-5XP Performance

Figure: NS-5XP Bi-Directional Performance Results: bandwidth (Mbps, 0 to 20) against bytes/packet (64 to 1518) for NAT, DES, 3DES, DES+MD5, 3DES+MD5, DES+SHA-1 and 3DES+SHA-1.

Page 21: NetScreen Technologies


NetScreen-5XP Markets & Needs

Multi-site Enterprise Networks
• Need a low-cost, easy-to-deploy security solution given the shortage of IT staff
• Remote offices and telecommuter locations need secure access to the central site

Access Service Providers
• Need features for broadband service offerings
• Looking to offer value-added services
• Want to deliver services with low operating costs and easy management of multiple sites

Managed Security Service Providers
• Need solutions for all customer environments
• Want to deliver services with low operating costs and easy management of multiple sites

Page 22: NetScreen Technologies


Competitive Landscape

Appliance Features      NetScreen-5XP (10-user/Elite)      Cisco 506            SonicWALL SOHO2    Nokia IP110                        Nokia IP55
Users                   10 / Unrestricted                  10                   50                 50                                 50
Target Functionality    Firewall, VPN, Traffic Management  Firewall, VPN        Firewall, VPN      Check Point Firewall, VPN          Check Point Firewall only
Hardware Interfaces     2 10-BaseT Ethernet                2 10-BaseT Ethernet  2 10/100 Ethernet  3 10/100 Ethernet & 2 Serial V.35  4 10/100 Ethernet, ADSL/G.lite WAN
Concurrent sessions     2000                               64000                6144               4500                               NA
VPN tunnels             10                                 4                    10                 50                                 NA
RAM/Flash               32MB / 4MB                         32MB / 8MB           8MB / 3MB          64 MB / NA                         16MB / 2MB
IPSec 3DES Performance  10 Mbps                            6 Mbps               2 Mbps             2 Mbps                             NA
Firewall Performance    10 Mbps                            8 Mbps               70 Mbps            80 Mbps                            8 Mbps
ASIC based performance  Yes                                No                   No                 No                                 No
List Price              $495 / $995                        $1,995               $995               $2,495*                            $1,295

*Additional Check Point 50 user license fee of $4995 required.

Page 23: NetScreen Technologies


Cisco 506

• High Price
 - $1995 list for a 10 user license
• Low number of VPN tunnels supported for the price
 - 4 tunnels supported vs. NetScreen’s 10 tunnels
• No ASIC support for VPN acceleration
• Hard to configure, manage and deploy
 - Need to understand Cisco IOS/PIX CLI to configure VPNs or any other configuration
 - GUI support is limited to basic tasks
 - Limited real time logging and alarm capabilities
• Low performance
 - Firewall throughput 8 Mbps vs. NS-5XP 10 Mbps
 - 56-bit DES throughput 6 Mbps vs. NS-5XP 10 Mbps
 - 168-bit 3DES throughput 6 Mbps vs. NS-5XP 10 Mbps

Page 24: NetScreen Technologies


SonicWALL SOHO2 and TELE2

• High Price
 - TELE2 costs $595 for 5 users with 5 VPN tunnels
 - SOHO2 costs $990 - $1490 for 10/50 users with 10 VPN tunnels
• No ASIC support for VPN acceleration
• Low VPN Performance - 2 Mbps
• Anti Virus is not performed at the appliance, contrary to perception
• Lack of Secure Remote Manageability

Page 25: NetScreen Technologies


Nokia IP110

• High Price
 – IP110 base cost $2,495 + Check Point 50 user license fee $4995 = $7490
• Low VPN Performance
 – No Luna VPN accelerator card. IP110 3DES IPSec throughput 2 Mbps compared to 10 Mbps for NetScreen-5XP
• No traffic management
• Hard to configure, manage and deploy
• Lack of Single Support Point

Page 26: NetScreen Technologies


Nokia IP51 and IP55

• Firewall only product
 – The Nokia IP51 and IP55 small office appliances integrate Check Point FireWall-1 SmallOffice only
• Lack VPN support and Traffic Management capability
• High Price for limited functionality
 – IP51 lists for $895, and IP55 lists for $1295; compared to 5XP price of $995 integrating Firewall, VPN and Traffic Shaping
• Do not have ICSA certification on the appliance
• Lack of Single Support Point

Page 27: NetScreen Technologies


Supporting Documentation

• This presentation
• Datasheet – new appliances datasheet
• New price list with detailed pricing and options
• Competitive analysis
• Product FAQ
• NetScreen-5XP white paper

Page 28: NetScreen Technologies


NetScreen-50 and NetScreen-25 Solutions for Branch Office and SME Networks

Page 29: NetScreen Technologies


Product Overview: NetScreen-25 – Small Enterprise / Small Office

• Integrated Firewall, VPN and Traffic Mgmt.
 – Stateful inspection firewall
 – NAT, PPPoE and DHCP client, server & relay
 – VPN
  • Site to Site & Client to Site
  • Supports IPSec 3DES, DES & AES encryption standards
  • Supports L2TP for Windows interoperability
 – Bandwidth reservation and DiffServ marking
• Ships with ScreenOS 3.0
• Performance & Capacity
 – 100 Mbps firewall
 – 4,000 concurrent sessions
 – 20 Mbps VPN
 – 25 IPSec VPN tunnels
• 4 port auto-sensing 10/100 Ethernet
 – 3 ports active today
 – 4th port enabled in a subsequent software release – 1H CY02
 – 4th port will provide 2nd DMZ option
 – No HA support
• AC power

Page 30: NetScreen Technologies


Product Overview: NetScreen-50 – Small/Medium Enterprise / Branch Office

• Integrated Firewall, VPN and Traffic Mgmt.
 – Stateful inspection firewall
 – NAT, PPPoE and DHCP client, server & relay
 – VPN
  • Site to Site & Client to Site
  • Supports IPSec 3DES, DES & AES encryption standards
  • Supports L2TP for Windows interoperability
 – Bandwidth reservation and DiffServ marking
• Ships with ScreenOS 3.0
• Performance & Capacity
 – 170 Mbps firewall
 – 8,000 concurrent sessions
 – 50 Mbps VPN
 – 100 IPSec VPN tunnels
• 4 port auto-sensing 10/100 Ethernet
 – 3 ports active today
 – 4th port enabled in a subsequent software release – 1H CY02
 – 4th port will provide high availability or 2nd DMZ option
• AC power; DC option

Page 31: NetScreen Technologies


The NetScreen-50 and NetScreen-25

Figure: NetScreen-50 and NetScreen-25 rear panel: Compact Flash™ slot, serial console and modem ports, status LEDs, Untrust, DMZ and Trust ports, and a reserved port (available 1HCY02).

Page 32: NetScreen Technologies


NetScreen-50 & NetScreen-25 Key Software Features

• NAT, Route, and Transparent modes of operation
 – Includes NAT on a per-policy basis for policy-based address translation
• Robust attack prevention including SYN, ICMP, and port scan attacks
• 3DES and AES encryption using digital certificates or IKE auto-key
• IPSec NAT traversal
 – Allowing IPSec VPN tunnels to be established through NAT, PAT, or NAPT devices
• Traffic management for bandwidth allocation and traffic prioritization
 – Allocate bandwidth per policy for the most effective use of available bandwidth
• Support for PPPoE and DHCP client
 – Allows deployments into DSL or cable networks with dynamic IP assignment
• DHCP server or DHCP relay agent
• High availability with stateful firewall and VPN fail-over*

* Not at initial release and only on the NetScreen-50

Page 33: NetScreen Technologies


NetScreen-25 Competitive Matrix

                                      NetScreen-25  SonicWALL PRO  Cisco Pix 515R                 Nokia IP 120 (Check Point)  WatchGuard Firebox 700
Stateful Inspection Firewall and VPN  Yes           Yes            Requires VPN License for 3DES  Yes                         Yes
Traffic Management                    Yes           No             No                             No                          No
VPN acceleration                      Yes           No             Extra Cost                     No                          No
NAT traversal                         Yes           No             No                             CP clients to FW-1 only     No
Policy-based NAT                      Yes           No             Yes                            Yes                         No
PPPoE support                         Yes           Yes            No                             No                          Yes
DHCP server                           Yes           Yes            No                             No                          No

Page 34: NetScreen Technologies


NetScreen-50 Competitive Matrix

                                      NetScreen-50  SonicWALL Pro-VX  Cisco Pix 515UR                Nokia IP 330 (CheckPoint)  Nokia CC 2500
Stateful Inspection Firewall and VPN  Yes           Yes               Requires VPN License for 3DES  Requires VPN license       No
Traffic Management                    Yes           No                No                             Requires add. CP License   No
VPN acceleration                      Yes           Yes               Extra Cost                     Extra Cost                 Yes
NAT traversal                         Yes           No                No                             CP clients to FW-1 only    Remote client only
Policy-based NAT                      Yes           No                Yes                            Yes                        No
Stateful HA                           Yes*          No                Firewall Only                  Yes                        VPN Only
PPPoE support                         Yes           Yes               No                             No                         No
DHCP server                           Yes           Yes               Yes                            No                         No

* Available when 4th port is enabled

Page 35: NetScreen Technologies


Additional Sales Opportunities: Better Market Coverage = More $ales !!!

Figure: positioning chart of customer segment against "what you used to sell" (NetScreen-5XP, NetScreen-10, NetScreen-100) and "what to sell now!" (NetScreen-5XP, NetScreen-25, NetScreen-50, NetScreen-100) for Remote Office / Home Office, Small Enterprise or Small Office, SME or Branch Office, Enterprise Branch Office / Small Medium Enterprise, and Enterprise Branch / Medium Enterprise central site / e-business / web hosting. Missed opportunities noted: 10/100, High Availability, Price Sensitive; Low Bandwidth, DMZ, Price Sensitive.

Page 36: NetScreen Technologies


Product Overview: NetScreen-100 – Medium/Large Enterprise / Branch Office

• Integrated Firewall, VPN and Traffic Mgmt.
 – Stateful inspection firewall
 – NAT, PPPoE and DHCP server & relay, Load-balancing
 – VPN
  • Site to Site & Client to Site
  • Supports IPSec 3DES, DES & AES encryption standards
  • Supports L2TP for Windows interoperability
 – Bandwidth reservation and DiffServ marking
• Ships with ScreenOS 3.0
• Performance & Capacity
 – 200 Mbps firewall
 – 128,000 concurrent sessions
 – 185 Mbps VPN 3DES
 – 1000 IPSec VPN tunnels
• Award-winning and proven technology since 1998
• 3 port auto-sensing 10/100 Ethernet – Trust, Untrust, DMZ
• High Availability options – Active/Standby, Active/Active (1H ’02)
• AC power; DC option

Page 37: NetScreen Technologies


NS100 Architecture

Figure: NS100 architecture block diagram. MIPS R5000 CPU and GT64120 host bridge with flash, SDRAM, SRAM and dual-port packet memory; NetScreen GigaScreen ASIC & memory on 64bit/66MHz buses and a 32bit/33MHz PCI bus; MAC 1 (Trusted), MAC 2 (DMZ) and MAC 3 (Untrusted) with PHYs; PCMCIA interface, RTC, UART and RS232 console.

Page 38: NetScreen Technologies


NetScreen-100 IPSec Performance

Figure: bar chart of zero-loss throughput as % of theoretical maximum for 64-byte, 512-byte, 1,024-byte and 1,518-byte packets, comparing NetScreen-100, Check Point FireWall-1/VPN-1, Nokia IP650 and Cisco PIX-515 (data labels as extracted, order not recoverable: 15%, 65%, 95%, 60%, 5%, 10%, 5%, 5%). Test: Zero-loss Throughput Across an IPSec (3DES, SHA-1) Tunnel: Bidirectional SmartBits 100 Mbit/s Full-duplex Fast Ethernet (UDP Packets).

Source: Tolly Group, 2001

Page 39: NetScreen Technologies


NetScreen-100 New Connections per Second

Figure: bar chart of average number of TCP connections per second (0 to 20,000) for NetScreen-100, Check Point FireWall-1/VPN-1 and Cisco PIX-515 (data labels as extracted: 19,048; 1,600; 3,402). Test: TCP/IP Connection Rate Across a "Single-Rule" Firewall: SmartBits Full-duplex, Fast Ethernet.

Source: Tolly Group, 2001

Page 40: NetScreen Technologies


NetScreen-200 Series – Solutions for Enterprise Central Sites and Service Provider Environments

Page 41: NetScreen Technologies


Introducing…The NetScreen-204 & NetScreen-208

• Integrated Firewall, VPN and Traffic Management

– Stateful inspection firewall with advanced firewall and DoS attack protections

– IPSec VPN with 3DES, DES, L2TP & AES

– Bandwidth prioritization and reservation and/or DiffServ marking

– Transparent, NAT, and Route mode

– High availability with full FW and VPN synchronization

• Ships with ScreenOS 3.1

• Performance & Capacity – 550 Mbps firewall NAT (NS-208)

– 400 Mbps firewall NAT (NS-204)

– 128,000 concurrent sessions

– 13,000 new sessions per second

– 200 Mbps 3DES VPN

– 1,000 IPSec VPN tunnels

• 4 or 8 auto-sensing 10/100 Ethernet ports

– All ports active today

– Auto-correct to DCE or DTE

• AC power; DC option available soon

Page 42: NetScreen Technologies


NetScreen-200 Series Hardware Features

Six System-status LEDs: Power, Status, HA, Alarm, Sessions, Flash

HW-based asset recovery switch

Console and out-of-band modem ports

CompactFlash™ slot supporting 96 and 512MB cards

8 interfaces on the NetScreen-208; 4 interfaces on the NetScreen-204

Page 43: NetScreen Technologies


NetScreen-200 Series ScreenOS Features

ScreenOS 3.1.0
– All interfaces can be used with nearly generic feature support
 • Firewall attack prevention on every interface
 • VPN tunnels terminating to any interface, providing support for applications such as WLANs
 • Support all physical interfaces
– All interfaces support up to 28 common attacks such as syn flood, port scan, and others
– Familiar Trust, Untrust, and DMZ security zones available for ease-of-use and backward compatibility

Features from ScreenOS 3.0
– VPN Enhancements
 • NAT Traversal for IPSec
 • Generic IKE IDs
 • Advanced Encryption Standard
– Device Management
 • NetScreen MIBs
 • Logging Enhancements
– Certificate Management
 • Automated Certificate Enrollment (SCEP)
 • Online Certificate Validation (OCSP)

Page 44: NetScreen Technologies


NetScreen-204 Competitive Matrix

                      NetScreen-204  Cisco PIX 525R                       Nokia IP440 (Check Point)       SonicWALL GX 2500
Firewall performance  400 Mbps       370 Mbps                             185 Mbps                        200 Mbps
3DES VPN performance  200 Mbps       ~ 70 Mbps with accelerator card      ~ 45 Mbps with accelerator card 192 Mbps
# Interfaces          4              2, up to 6                           4, up to 16                     3
Stateful HA           Yes            No, upgrade to UR (FW-only)          Yes                             No
Traffic Management    Yes            No                                   No                              No
NAT traversal         Yes            No                                   CP clients to FW-1 only         No
VPN to any interface  Yes            No                                   Yes                             No
Transparent mode      Yes            No                                   No                              Yes
Extras                N/A            3DES lic.: $3,000; VPN card: $7,500  VPN card: $1,000                N/A

Source: Vendor and third party documentation

Page 45: NetScreen Technologies


NetScreen-208 Competitive Matrix

                      NetScreen-208  Cisco PIX 525UR                      Nokia IP530 (Check Point)       SonicWALL GX 2500
Firewall performance  550 Mbps       370 Mbps                             550 Mbps                        200 Mbps
3DES VPN performance  200 Mbps       ~ 70 Mbps with accelerator card      47 Mbps with accelerator card   192 Mbps
# Interfaces          8              2, up to 8                           4, up to 16                     3
Stateful HA           Yes            Firewall only                        Yes                             No
Traffic Management    Yes            No                                   No                              No
NAT traversal         Yes            No                                   CP clients to FW-1 only         No
VPN to any interface  Yes            No                                   Yes                             No
Transparent mode      Yes            No                                   No                              Yes
Extras                N/A            3DES lic.: $3,000; VPN card: $7,500  VPN card: $3,000                N/A

Source: Vendor and third party documentation

Page 46: NetScreen Technologies


NetScreen Virtual Systems

• NetScreen Virtual Systems
 – 250 Virtual Systems (VSYS)
 – Per Virtual System - address book, policies and management
 – Firewall and VPN configured per VSYS
 – Able to support multiple security domains or customers without sharing policy

Figure: Vsys #1, Vsys #2 and Vsys #3 hosted on one device.

Page 47: NetScreen Technologies


Virtual Systems

Figure: Virtual Systems deployment. A 100/1000 switch and SW 10/100 switches feed the NetScreen over an IEEE 802.1Q VLAN trunk (500 VLANs); traffic is mapped to VLANs via Virtual Systems, one security domain per customer (250 security domains per NetScreen-1000), with private links to customer cages and inbound VPNs or web traffic.

*Available on the NS500 & NS1000 Security Systems

Page 48: NetScreen Technologies


Reduced Infrastructure Deployment and Management

• NetScreen Virtual Systems
 – Single NetScreen device can handle the needs of 500 or more customers
 – Integrated firewall and VPN capabilities
 – Implementation of 802.1q VLANs providing the ability to manage multiple customers from a single security system
 – A Virtual System
  • Saves rack space
  • Reduces capital cost
  • Eases management and administration
  • Simplifies network architecture

Figure: Internet on the Untrust side of the NetScreen; on the Trust side an IEEE 802.1Q VLAN trunk (100 VLANs) carries VLAN1, VLAN2 and VLAN3 over private links to customers, with traffic mapped to VLANs via Virtual Systems.

Page 49: NetScreen Technologies


Separate vs. shared Virtual Systems for multi-customer deployments

Separate Virtual Systems
• Customer/Admin management
• Customer logs – parsed by Vsys
• Unique firewall & VPN configuration per customer / Vsys

Shared Virtual Systems
• Provider management only
• Customer logs – parsed by IP
• Firewall policy based on IP address; VPN not practical due to the VPN authentication issue

Page 50: NetScreen Technologies


NetScreen-500

High-performance Security System for Enterprise Central Site and Data Center Environments

Page 51: NetScreen Technologies


The NetScreen-500

• High security
 – ICSA-certified firewall and VPN
 – FIPS 140 ready
• High performance
 – 250 Mbps 3DES IPSec VPN
 – 700 Mbps stateful firewall
• High capacity
 – 10,000 IPSec tunnels
 – 250,000 concurrent sessions
 – 22,000 new sessions per second
• Redundant
 – High availability features
 – Internal system redundancies (swappable fans, power)
 – Separate traffic and management bus
• Flexible
 – Multiple ports
 – AC/DC power
 – Virtual Systems

Page 52: NetScreen Technologies


NetScreen-500 Hardware Features

• Proven hardware architecture
 – GigaScreen ASIC
 – Multi-bus architecture: Separate Management & Traffic Bus
• Highly resilient design
 – Dual Hot Swappable Power Supplies (DC or AC)
 – Hot Swappable Fan Tray
 – Redundant 10/100 HA interfaces
• Easily managed
 – 2 DB-9 Serial RS-232, Console and Modem
 – Dedicated “out-of-band” 10/100 management port
 – Programmable LCD and diagnostic LEDs
• Versatile form factor
 – 2U, 19” Rack-mountable
 – 4 I/O Module Bays for interface modules

Page 53: NetScreen Technologies


NS500 Architecture

Page 54: NetScreen Technologies


The NetScreen-500

Figure: NetScreen-500 chassis: LCD, interface module bays, hot swappable AC or DC power supplies, fan module, dual HA ports, management port, modem and console ports.

Page 55: NetScreen Technologies


NetScreen-500 Software Features

• Proven Software Architecture

– ScreenOS 2.6.0: shared code base with all NetScreen products

– ICSA Certified, stateful-inspection firewall and IPSec

• Transparent, Route, and NAT modes of operation

• Traffic Management: 8 levels of priority, plus guaranteed & maximum bandwidth, defined by policy

• Up to 25 Virtual Systems and 100 VLANs

• High Availability (through redundant, dedicated HA links): complete with full session and VPN synchronization

Page 56: NetScreen Technologies


NetScreen-500 vs. Cisco PIX 535 & VPN 3080

                                     NetScreen-500                                 Cisco PIX 535                             Cisco VPN 3080
Firewall Performance
(4,000 sessions, 1000-byte packets)  700 Mbps                                      675 Mbps                                  No firewall
3DES VPN                             250 Mbps                                      Max 100 Mbps via $7,500 hardware upgrade  100 Mbps
VPN Tunnels                          10,000                                        2,000; license required                   10,000
Sessions                             250,000                                       “500,000”                                 No firewall
New Sessions/Sec.                    22,000                                        7,000                                     No firewall
Virtual Systems                      0, 5, 10, 25                                  No, up to 8 physical interfaces           No, 3 physical interfaces
Transparent Mode                     Yes                                           No                                        No
HA w/ Full Session & VPN Sync.       Yes                                           Yes                                       VPN synchronization
List Price                           $24,995, ES system with 2 10/100 interfaces;  $73,600 with 2 10/100 interfaces          $75,000 for redundant pair + cost of firewall
                                     $34,995, ES system with 2 GBIC interfaces

Price listed as US List Prices in US$. Appropriate price changes should be made for in-country pricing

Page 57: NetScreen Technologies


NetScreen-500 vs. Nokia IP530 & IP650

                                      NetScreen-500                                Nokia IP530                               Nokia IP650
Firewall Performance
(4,000 sessions, 1,000-byte packets)  700 Mbps                                     400 Mbps, Check Point license required    235 Mbps, Check Point license required
3DES VPN (1,000-byte packets)         250 Mbps                                     < 20 Mbps, 50 Mbps with accelerator card  < 20 Mbps, 40 Mbps with accelerator card
VPN Tunnels                           10,000                                       4,500, Check Point license required       4,500, Check Point license required
New Sessions/Sec.                     22,000                                       Est. 2,000                                Est. 2,000
Virtual Systems                       0, 5, 10, 25                                 Up to 16 interfaces                       Up to 20 interfaces
Hard Disk Drives                      No                                           Yes, not redundant                        Yes, redundant
Redundant Power                       Yes, DC or AC                                No, AC only                               Yes, AC only
List Price                            $24,995, ES system with 2 10/100 interfaces  $30,985*                                  $34,985*

*IP530 and IP650 configured with: base chassis, Luna VPN accelerator card, single AC power supply, Check Point license for 250 IP addresses with firewall and VPN functionality. An unlimited IP license requires the central management console to be purchased (about $10,000 extra)

Price listed as US List Prices in US$. Appropriate price changes should be made for in-country pricing

Page 58: NetScreen Technologies


NetScreen-500 Firewall Performance Under Session Load

Source: The Tolly Group, May 2001

Figure: two charts of aggregate throughput (Mbps, 0 to 800) at 5,000, 10,000 and 25,000 simultaneous UDP sessions for packet sizes of 64, 512, 1,024 and 1,518 bytes; left NetScreen-500, right Cisco PIX 535. Test: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets. *1% packet loss threshold.

Page 59: NetScreen Technologies


The NetScreen-1000 – High-performance & High Bandwidth Security System for Demanding Enterprise and Service Provider Environments

Page 60: NetScreen Technologies


Product Overview: NetScreen-1000

• Gigabit Performance
 – 1 Gbps 3DES IPSec VPN
 – 2 Gbps firewall and NAT
• High Capacity
 – Firewall: Stateful inspection - 500,000 sessions
 – VPN: 25,000 IPSec tunnels
• High availability/redundancy
 – Hot swappable power supplies, fans, cards
 – Mirrored configuration maintains sessions through a failover
• “Multi-customer” architecture – for managed security services
 – Up to 250 virtual systems (VSYS) and 500 VLANs
 – Per VSYS address book, policies and management

Page 61: NetScreen Technologies


NetScreen-1000 Target Segments

• NetScreen-1000ES (Enterprise System Bundle)
 – Customer or Managed Security Provider deployments
  • Firewalls for intranets or campuses
  • VPN branch and remote access
  • Metro area firewall / VPN
  • Hosted e-businesses
• NetScreen-1000SP (Service Provider Bundle)
  • Internet data center - managed security services
  • Application infrastructure provider
  • Data center wide deployments with tremendous cost structure advantage

THE SP HAS BEEN SHIPPING SINCE May 2000

Page 62: NetScreen Technologies


NetScreen-1000

Figure: NetScreen-1000 chassis: security processor cards (from 2 to 6), switch card, management interface card with separate OoB and HA interfaces, redundant power supplies and power inputs, fans.

Page 63: NetScreen Technologies


NetScreen-1000 Switch II

• 2 - Trust Interfaces (MT-RJ)• 2 - Untrust Interfaces (GBIC)

– SX and LX option (default is SX)

• 2 - HA Interfaces (MT-RJ)• 6 - Processor Board

Interconnects• Status LEDS

– Power and Link

• Note: Redundant GE and HA interfaces require new ScreenOS

HA

Processor

Interconnects

Page 64: NetScreen Technologies

NetScreen-1000 Switch II Benefits

• Greater throughput
– Up to 2 Gbps firewall
• Support for LX Interface – Untrusted Interface
• Hardware support for future software capabilities e.g.
– Meshed network support*
– Active – Active support*
– Redundant HA links*

* New ScreenOS required

[Diagram labels: HA; Processor Interconnects]

Page 65: NetScreen Technologies

NS1000 Architecture

[Architecture diagram: a Switch card (Trust and Untrust Gbit interfaces, HA, Flash Card, Console, 100BaseT Management) connected over a Compact PCI Backplane Bus to six Processing cards (Gbit interconnects) and an Aux card. Each processing card has its own RISC processor and GigaScreen ASIC.]

1st packet in session forwarded to “Master”:
• Policy lookup
• Packet classification
• Load balanced handoff to processor cards
• Configure switch

2nd+ packet:
• Session status hand-off from master
• Packets forwarded by switch card
• Policy enforcement
• Encryption, firewall, NAT
• Hot failover between cards

Page 66: NetScreen Technologies

NetScreen’s Hardware Product Line

Product           Max Throughput        Max Sessions   Max # VPN tunnels   Max # Policies   Max # Vsys   HA
NetScreen-1000    2G FW & 1G VPN        500,000        25,000              40,000           250          Yes A/A
NetScreen-500     750M FW & 250M VPN    250,000        10,000              20,000           25           Yes A/A
NetScreen-208     550M FW & 200M VPN    128,000        1,000               4,000            NA           Yes A/P **
NetScreen-204     400M FW & 200M VPN    128,000        1,000               4,000            NA           Yes A/P **
NetScreen-100     200 FW & 185 VPN      128,000        1,000               4,000            NA           Yes A/P **
NetScreen-50      170M FW & 50M VPN     8,000          100                 1,000            NA           Yes A/P *
NetScreen-25      100M FW & 20M VPN     4,000          25                  500              NA           No
NetScreen-5XP     10M FW & VPN          2,000          10                  100              NA           No
NetScreen-Remote  Varies by PC          NA             1                   NA               NA           No

* Available when 4th port is enabled
** To be updated to Active-Active – 1HCY02
A/A = Active-Active High Availability
A/P = Active-Passive High Availability

Page 67: NetScreen Technologies

Bottom Line …

• NetScreen Security Systems have been built from the ground up to take performance out of the equation, so that decision-makers can concentrate on the real problems: security challenges and network management.

Page 68: NetScreen Technologies

Resource for Resellers

• Partner Website
– All Netscreen Sales Tools
• Presentations, white papers, product sheets, competitive analysis and more

• EMEA Presales Mailing List
– For all Netscreen Premier, Authorized and Approved Partners Only!!
• Mailing list, monitored by all EMEA Systems Engineers.

• Support Website
– Comprehensive Technical Resource
• TAC online, Manuals and User guides

• Technical Mailing List
– Once a month comprehensive Netscreen Technical Update via e-mail
• Latest Product Info and Releases. Technical tools and partner updates.

• Webcasts
– Netscreen on-line training courses

Page 69: NetScreen Technologies


Questions

Page 70: NetScreen Technologies


NetScreen Systems & Appliances Features

Page 71: NetScreen Technologies

Stateful Screening

Next Generation “Stateful Inspection”

Page 72: NetScreen Technologies

Screening

• Alternatives
– Access Control Lists
– Application Proxies

• NetScreen’s Architecture
– Policy-based stateful screening

Page 73: NetScreen Technologies


Stateful Inspection

Policy classification includes:

• Security zones

• IP addresses

• Transport protocol

• Transport ports

• Applications

Policy actions include:

• Deny

• Permit

• Authenticate

• Log

• Count

Page 74: NetScreen Technologies

Packet Flows

• Classified by PROTO
• Identified by SIP, DIP
• Session is “bundle” of forward and reverse flows

[Diagram: Initiating Flow and Responding Flow]

Page 75: NetScreen Technologies

IP Packet

• Blue = Normal Flow Classifiers
• Yellow = Fragment Flow Classifiers

Bit offsets 0-7 | 8-15 | 16-23 | 24-31:
Ver | Hdr Len | Service Type | Total Length
Identification | Flags | Fragment Offset
Time To Live | Protocol | Header Checksum
Source IP Address
Destination IP Address
IP Options (If Any) | Padding
Data…

Page 76: NetScreen Technologies

UDP Packet

Bit offsets 0-7 | 8-15 | 16-23 | 24-31:
Source Port | Destination Port
Length | Checksum
Data…

• Blue = Normal Flow Classifiers

Page 77: NetScreen Technologies

TCP Packet

• Blue: Normal Flow Classifiers
• Yellow: TCP State and Sequence Check

Source Port | Destination Port
Sequence Number
Acknowledgement Number
Hdr Len | Reserved | Code Bits | Window
Checksum | Urgent Pointer
Options | Padding
…Data
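The three header slides above mark which fields a stateful screen reads to classify a flow. The following parser, an added example that is not NetScreen code and not from the deck, pulls exactly those classifiers out of raw IPv4 bytes: the normal 5-tuple for a first fragment or unfragmented packet, the fragment classifiers (IP ID, flags, offset) for later fragments, and the TCP code bits, sequence and acknowledgement numbers used by the state and sequence check. The sample packets are constructed here with the address plan from the transparent-mode slide; they are not captures.

```python
"""Extract the flow classifiers shown on the IP, UDP and TCP slides from raw packet bytes."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class FlowClassifiers:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int]          # None when the fragment carries no transport header
    dst_port: Optional[int]
    ip_id: int                       # fragment flow classifiers (yellow on the IP slide)
    more_fragments: bool
    frag_offset: int                 # in 8-byte units
    tcp_flags: Optional[int] = None  # TCP state and sequence check fields (yellow on the TCP slide)
    seq: Optional[int] = None
    ack: Optional[int] = None


def parse_packet(raw: bytes) -> FlowClassifiers:
    """Pull the session classifiers out of an IPv4 packet carrying UDP or TCP."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, _total_len, ip_id, flags_frag, _ttl, proto, _csum, sip, dip = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4       # header length in bytes, options included
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IP header length")
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    payload = raw[ihl:]

    sport = dport = flags = seq = ack = None
    # Only the first fragment (offset 0) carries the transport header; later
    # fragments are matched on the fragment classifiers instead.
    if frag_offset == 0:
        if proto == PROTO_UDP and len(payload) >= 8:
            sport, dport = struct.unpack("!HH", payload[:4])
        elif proto == PROTO_TCP and len(payload) >= 20:
            sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", payload[:14])
            flags = off_flags & 0x3F  # code bits: URG ACK PSH RST SYN FIN
    return FlowClassifiers(proto, socket.inet_ntoa(sip), socket.inet_ntoa(dip),
                           sport, dport, ip_id, more_fragments, frag_offset, flags, seq, ack)


def flow_key(fc: FlowClassifiers) -> Tuple:
    """Hash key for the session lookup: the 5-tuple for a normal flow, (proto, addresses, IP ID) for fragments."""
    if fc.frag_offset or fc.more_fragments:
        return ("frag", fc.proto, fc.src_ip, fc.dst_ip, fc.ip_id)
    return (fc.proto, fc.src_ip, fc.dst_ip, fc.src_port, fc.dst_port)


# --- constructed sample packets (built here, not taken from the slides) ------
def _ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes,
               ip_id: int = 1, more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


# DNS query from an admin PC to the intranet DNS server, UDP 40000 -> 53
SAMPLE_UDP = build_ipv4(PROTO_UDP, "2.2.2.13", "2.2.2.7", struct.pack("!HHHH", 40000, 53, 8, 0))
# TCP SYN to the corporate web server, 51000 -> 80, seq 1000, data offset 5, flags = SYN (0x02)
SAMPLE_TCP = build_ipv4(PROTO_TCP, "2.2.2.13", "2.2.2.2",
                        struct.pack("!HHIIHHHH", 51000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0))
# A later fragment of a UDP datagram: no transport header, offset 3 (24 bytes in), IP ID 77
SAMPLE_FRAG = build_ipv4(PROTO_UDP, "2.2.2.13", "2.2.2.7", b"\x00" * 16, ip_id=77, frag_offset=3)
```

`flow_key` is what a session table would hash on: the same key is produced for every packet of a flow, and fragments after the first are keyed on the IP ID so they can be tied back to the session created by the first fragment.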

Page 78: NetScreen Technologies

Packet Walk

[Flowchart; labels recovered from the slide: Receive → Hash Classifiers → Session Lookup. Yes → Screen Packet → Send. No → Policy Lookup (No → Drop) → Path Lookup (No → Drop) → Create Session → Screen Packet → Send. Each stage is marked as an NS-1000 Hardware Operation or an NS-1000 Firmware Operation.]
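The Stateful Inspection, Packet Flows and Packet Walk slides together describe one mechanism: a first packet goes through path lookup, policy lookup and session creation, and every later packet of the session, in either direction, is matched in the session table and forwarded without a policy search. The class below is an added example written for this page, not ScreenOS code; it installs the initiating and responding flows as one session and performs the route lookup before the policy lookup, which the Routing slide later gives as the reason for doing so (the egress zone limits the policy search). Zones, addresses and policies are constructed for the demo.

```python
"""Packet walk for first and subsequent packets: session lookup, path lookup, policy lookup, create session."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: int
    sip: str
    dip: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        """The responding flow that belongs to the same session."""
        return Flow(self.proto, self.dip, self.sip, self.dport, self.sport)


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    src: str          # network, "0.0.0.0/0" for any
    dst: str
    proto: int        # 0 = any
    dport: int        # 0 = any
    action: str       # "permit" or "deny"
    log: bool = False
    count: int = 0    # hit counter, the "Count" policy action


class StatefulScreen:
    def __init__(self, routes: List[Tuple[str, str]], policies: List[Policy]):
        self.routes = [(ipaddress.ip_network(n), z) for n, z in routes]
        self.policies = policies
        self.sessions: Dict[Flow, int] = {}   # both directions of a session map to one id
        self.next_id = 1
        self.log: List[str] = []

    def path_lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix route lookup; returns the destination zone or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, zone in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, zone)
        return best[1] if best else None

    def policy_lookup(self, from_zone: str, to_zone: str, f: Flow) -> Optional[Policy]:
        for p in self.policies:           # first match wins, as in an ordered rule base
            if (p.from_zone, p.to_zone) != (from_zone, to_zone):
                continue
            if ipaddress.ip_address(f.sip) not in ipaddress.ip_network(p.src):
                continue
            if ipaddress.ip_address(f.dip) not in ipaddress.ip_network(p.dst):
                continue
            if p.proto not in (0, f.proto) or p.dport not in (0, f.dport):
                continue
            return p
        return None

    def process(self, f: Flow, in_zone: str) -> str:
        # 1. Session lookup: 2nd+ packets of an established session (either direction) skip policy.
        if f in self.sessions:
            return "forward session=%d" % self.sessions[f]
        # 2. Path lookup decides the egress zone, which narrows the policy search.
        to_zone = self.path_lookup(f.dip)
        if to_zone is None:
            return "drop no-route"
        # 3. Policy lookup in the from-zone/to-zone pair; no match means deny.
        p = self.policy_lookup(in_zone, to_zone, f)
        if p is None:
            return "drop no-policy %s->%s" % (in_zone, to_zone)
        p.count += 1
        if p.log:
            self.log.append("%s %s %s:%d->%s:%d" % (p.action, in_zone, f.sip, f.sport, f.dip, f.dport))
        if p.action != "permit":
            return "drop policy-deny"
        # 4. Create session: install the initiating and responding flows together.
        sid = self.next_id
        self.next_id += 1
        self.sessions[f] = sid
        self.sessions[f.reverse()] = sid
        return "forward new-session=%d" % sid


def demo() -> List[str]:
    """Constructed scenario using the address plan from the transparent-mode slide."""
    screen = StatefulScreen(
        routes=[("2.2.10.0/24", "trust"), ("2.2.2.0/24", "dmz"), ("203.0.113.0/24", "untrust")],
        policies=[
            Policy("trust", "untrust", "2.2.10.0/24", "0.0.0.0/0", 6, 80, "permit"),
            Policy("untrust", "dmz", "0.0.0.0/0", "2.2.2.3/32", 6, 25, "permit", log=True),
            Policy("untrust", "trust", "0.0.0.0/0", "0.0.0.0/0", 0, 0, "deny", log=True),
        ],
    )
    web = Flow(6, "2.2.10.7", "203.0.113.9", 51000, 80)
    return [
        screen.process(web, "trust"),                                                # first packet
        screen.process(web.reverse(), "untrust"),                                    # reply: responding flow
        screen.process(Flow(6, "203.0.113.9", "2.2.10.7", 4444, 51000), "untrust"),  # unsolicited, denied
        screen.process(Flow(6, "203.0.113.9", "2.2.2.3", 3333, 25), "untrust"),      # SMTP to relay, logged
        screen.process(Flow(17, "2.2.10.7", "198.51.100.5", 5000, 53), "trust"),     # no route: dropped
    ]
```

Note that the unsolicited packet from the Internet is dropped even though it is addressed to a port the inside host is using: it does not match the responding flow of the installed session (different source port), so it falls through to the policy lookup and the deny rule.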

Page 79: NetScreen Technologies


Key Stateful Screening Benefits

Full-Featured Stateful Inspection

Layer 3-7 Inspection

Well-Known, Proven Technology

Scalable Algorithms

ASIC Accelerated Session Setup

Questions?

Page 80: NetScreen Technologies

Traffic Management

Next Generation Quality of Service

Page 81: NetScreen Technologies

Traffic Shaping

Alternatives
– Priority Queuing
– Class-Based Queuing (CBQ)
– TCP Rate Control
– ATM Generic Cell Rate Algorithm (GCRA)

NetScreen’s Architecture
– Bandwidth Guarantees, Maximums, Priorities
– Hardware Accelerated Algorithms

Page 82: NetScreen Technologies

ATM Generic Cell Rate Algorithm

• Leaky Bucket Algorithm
• Proven High Traffic
• Wasteful Bursts

Page 83: NetScreen Technologies

Double Token Bucket

• Shares Excess Tokens
• Priority Allocation of Shared Tokens
• 8 Priority Classes

Page 84: NetScreen Technologies


NetScreen Algorithm

• Double Token Bucket Algorithm

• Controlled by Guaranteed Bandwidth (GBW), Maximum Bandwidth (MBW) and Priority

• Per Policy Classification and Queues
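The Double Token Bucket and NetScreen Algorithm slides name the three controls (GBW, MBW, priority) but not how they combine. The scheduler below is an added illustration written for this page, not NetScreen's implementation: per scheduling interval, every policy first draws up to its guaranteed bandwidth, the tokens left over (unused guarantees plus free link capacity) are handed out in priority order, and no policy is ever allocated beyond its maximum bandwidth. The policies, link rate and demand figures are constructed for the demo.

```python
"""Per-policy bandwidth allocation with guaranteed bandwidth, maximum bandwidth and priority."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ShapingPolicy:
    name: str
    gbw: int        # guaranteed bandwidth, Mbps (first bucket)
    mbw: int        # maximum bandwidth, Mbps (second bucket caps bursts)
    priority: int   # 0 (highest) .. 7 (lowest): the 8 priority classes


def allocate(policies: List[ShapingPolicy], demand: Dict[str, int], link: int) -> Dict[str, int]:
    """One scheduling interval: satisfy guarantees first, then share excess tokens by priority."""
    if sum(p.gbw for p in policies) > link:
        raise ValueError("guaranteed bandwidth oversubscribes the link")
    # Pass 1: each policy draws from its own guaranteed bucket.
    alloc = {p.name: min(demand.get(p.name, 0), p.gbw) for p in policies}
    # Unused guarantees are not wasted (unlike a plain leaky bucket); they join the shared pool.
    excess = link - sum(alloc.values())
    # Pass 2: shared tokens go to the highest priority first, never beyond a policy's MBW.
    for p in sorted(policies, key=lambda p: p.priority):
        wanted = min(demand.get(p.name, 0), p.mbw) - alloc[p.name]
        grant = max(0, min(wanted, excess))
        alloc[p.name] += grant
        excess -= grant
    return alloc


def run_trace(policies: List[ShapingPolicy], demands: List[Dict[str, int]], link: int) -> List[Dict[str, int]]:
    """Allocate over a sequence of intervals with changing demand."""
    return [allocate(policies, d, link) for d in demands]


# Constructed policies on a 100 Mbps link.
POLICIES = [
    ShapingPolicy("voip", gbw=20, mbw=30, priority=0),
    ShapingPolicy("web", gbw=30, mbw=100, priority=3),
    ShapingPolicy("bulk", gbw=10, mbw=60, priority=7),
]
DEMANDS = [
    {"voip": 50, "web": 80, "bulk": 100},   # everyone congested: guarantees, then priority
    {"voip": 5, "web": 80, "bulk": 100},    # voip nearly idle: its unused guarantee is shared
    {"voip": 0, "web": 10, "bulk": 100},    # bulk alone: gets the excess but stops at its MBW
]
LINK_MBPS = 100
```

In the first interval the 40 Mbps of spare capacity goes to VoIP first, but only up to its 30 Mbps maximum, and the remainder to web; bulk never sees more than its guarantee while higher classes are hungry. In the third interval bulk is capped at 60 Mbps by MBW even though the link is otherwise idle.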

Page 85: NetScreen Technologies


Integrated Policy Management

Page 86: NetScreen Technologies

Key Traffic Management Benefits

Edge-to-Edge Classification
DiffServ TOS Bit Marking
ASIC Accelerated Classification
End-to-End Quality of Service
Service Level Agreements

White Paper: http://www.netscreen.com, Products -> White Papers

Page 87: NetScreen Technologies


Questions

Page 88: NetScreen Technologies

Transparent Mode – All Interfaces

• No changes required on any end station, router or server
• Routing protocols and VLAN tags can be configured to pass through the NetScreen in transparent mode
• The NetScreen offers full firewall and VPN capabilities

[Diagram: NetScreen in transparent mode with Trust 0.0.0.0, Untrust 0.0.0.0 and DMZ 0.0.0.0 interfaces. Trust side: Intranet Web 2.2.2.5, Corp Mail 2.2.2.6, Intranet DNS 2.2.2.7, Admin PC 1 2.2.2.13, Admin PC 2 2.2.2.18, Admin PC 3 2.2.2.33, and subnets 2.2.10.0 Sales, 2.2.20.0 Support, 2.2.30.0 Marketing. DMZ: Corporate Web 2.2.2.2, DMZ DNS 2.2.2.4, Mail Relay 2.2.2.3. Untrust: Internet Router 2.2.2.254 and the Internet.]

Page 89: NetScreen Technologies

VPN/PKI

Next Generation Privacy and Authentication

Page 90: NetScreen Technologies

VPN FEATURES

• IPSEC – Netscreen is ICSA certified (www.icsa.net)
• Manual Keys, IKE, and Group IKE
• X.509 Certificate (PKI) support
• Policy based VPN’s (Full firewall control of traffic through tunnel)
• Hub and Spoke VPN’s
• Support of NAT within the VPN tunnel
• Support of Dynamically addressed VPN gateways (and dial users)
• L2TP/IPSEC – for Win2K native VPN dial support
• Redundant Gateways
• SCEP and OCSP

Page 91: NetScreen Technologies

IPSEC Interoperability

• Real world implementations with:
– Checkpoint, Cisco, Nortel, Sonic Wall, WatchGuard, Microsoft, etc.

• ICSA certified Netscreen as a reference member with the following products:
– Lucent, Brick
– Network Associates, Gauntlet
– Nortel, Contivity
– SafeNet, Soft-PK Client
– Secure Computing, SideWinder
– Others……

Page 92: NetScreen Technologies

Multiple Hub and Spoke VPN

Flexible VPN Network Architectures: The Hub and Spoke is not limited to a single hub. Several branch or regional hubs can be interconnected via a full mesh, or even another hub.

[Diagram: NetScreen-100 at the central office; NetScreen-10 at branch office 1 and branch office 2; NetScreen-5 units at small offices and broadband telecommuters; VPN tunnels carrying encrypted traffic between them.]

Page 93: NetScreen Technologies

Policy NAT For Dial-up VPN

[Diagram: NetScreen Remote VPN clients 1.1.1.1, 2.2.2.2 and 3.3.3.3 connect across the Internet to the Corp Net (10.0.0.0/8, default route). Dial-Up NAT Pool 10.1.1.0/24: 1.1.1.1 -> 10.1.1.1, 2.2.2.2 -> 10.1.1.2, 3.3.3.3 -> 10.1.1.3.]

• NAT Pool is defined as subnet of trusted network
• Each client is dynamically assigned an IP address in subnet 10.1.1/24 for duration of VPN session
• Policy on client sends all traffic to corporate network (10.0.0.0/8) through VPN
• Dial-up client can access all services at corporate net
• If Hub and Spoke is setup, client can access services at other sites

Page 94: NetScreen Technologies

Policy NAT For ASP or Extranet

[Diagram: ASP Network reached across the Internet: 10.1/16 for servers, 10.2.1/24 for Cust 1 clients, 10.2.2/24 for Cust 2 clients. Cust A (10.1/16): NAT Pool for VPN is 10.2.1.0/24. Cust B (10.1.1.0/8): NAT Pool for VPN is 10.2.2.0/24. Server 10.1.1.1 has a MIP set to 10.250.1.1 in VPN B.]

• NAT each customer’s client addresses into unique subnet of ASP network
• If server address overlaps customer address space, provide MIP within VPN for the server that is unused by customer

Page 95: NetScreen Technologies

Digital X.509 Certificates

• CA signed ID/Public Key binding
• Electronic Credentials
– Specially prepared cryptographic files
– Tamper-proof ID and signature
• Issued by Certification Authority
– Public or private communities
• Provides Key Trust Components
– Verifies identity of holder
– Enables privacy
– Creates model for legal recourse

[Diagram label: Digital ID]

Page 96: NetScreen Technologies

Making it even easier: SCEP & OCSP

• Automated Certificate Enrollment (SCEP)
– Much easier than present manual certificate process
– Can be used to automatically request a certificate from a Certificate Authority and install in a NetScreen device
– This feature supports only VeriSign Certificate Authorities in this release

• Online Certificate Validation (OCSP)
– Augments Static CRL (Certificate Revocation List) with dynamic protocol (OCSP, Online Certificate Status Protocol) to validate certificates
– Closes window of vulnerability between certificate revocation and CRL Update
– This feature supports only VeriSign Certificate Authorities in this release

• Supported in ScreenOS 3.0 and NetScreen Remote v5.1.3 +

Page 97: NetScreen Technologies

Certificate Authorities

Baltimore
Entrust
Microsoft
Netscape (iPlanet)
RSA
Verisign

Page 98: NetScreen Technologies

Backup VPN Gateways

• Use Case: If my primary VPN connection goes down, use an alternative VPN to get to the destination network.
• Up to 8 different VPN paths to a destination network may be defined per policy
• VPN Tunnels to each gateway remain up continuously
– IKE based Keep-Alive messages are used to keep tunnels alive
– If a tunnel dies unexpectedly, Phase I is retried again after specific interval

[Diagram label: Corporate LAN]

Page 99: NetScreen Technologies

Redundant VPN Gateways

[Diagram: Spoke A and Spoke B each hold tunnels to Hub A and Hub B (tunnels A.0, A.1, B.0, B.1), with each tunnel labelled SAM=1 or SAM=2.]

• Redundant VPN
• Provides Geographic Fail-Over for VPN
• Covers Data Center Failures:
– Entire Site Outage (power, war, etc.)
– Internal Network Failures (Trust side link down)
– Internet Connectivity Blackouts

Page 100: NetScreen Technologies

NAT-Traversal

• Without NAT-Traversal, IPSec packets that are modified by a NAT device fail packet authentication checks, and are thus dropped by the VPN Gateway as illegal packets.

[Diagram: IPSec Client → NAT-Device → VPN Gateway. The NAT-Device modifies the IP and UDP header (source IP address and port) of IPSec and IKE packets. When the packet is received by the VPN Gateway the ESP checksum doesn’t match, indicating the packet has been modified in transit; normal IPSec will drop the packet.]

Page 101: NetScreen Technologies

Generic IKE ID - Definition

[Diagram: Company A, with Building 1 and Building 2, each containing Sales and Engineering.]

• One IKE policy can be shared by many users in a specified group

• Admin defines groups with specific fields and number of users allowed to login

• Any user offering a certificate with fields matching all defined values will be accepted as an instance of a defined user

• In this example, anyone in the Sales group for Company A is defined as a user

Page 102: NetScreen Technologies

Generic IKE ID - Behavior

[Diagram: three certificates presented: “Company A, Bldg1, Sales”; “Company A, Bldg2, Sales”; “Company B, Sales” (Denied).]

• Example 1: User in the Sales group for Company A; Access is permitted

• Example 2: User in the Sales group for Company A; Access is permitted; Building number is not defined value

• Example 3: User in the Sales Group for Company B; Access is denied


Page 103: NetScreen Technologies

• Enables IKE Identities to be matched with specific DN fields in peer’s cert
• Enables multiple connections from hosts using the same IKE Identity

In this example any user whose certificate credentials match the following will be authenticated as an IKE User for a specific VPN

[Screenshot: Group IKE IDs]
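The Generic IKE ID definition and behaviour slides give the matching rule in words: every DN field the admin defined must match, fields the admin left undefined (the building, in the example) are ignored, and the group carries a limit on the number of users. The function below is an added example written for this page, not ScreenOS code, and it assumes the peer's certificate chain has already been validated against the CA before its subject DN is handed to the matcher. The group definition and the certificates are constructed to reproduce the three examples on the slide plus the user-limit case.

```python
"""Group IKE ID matching: a peer's certificate DN is accepted when every admin-defined field matches."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class GroupIkeId:
    name: str
    required: Dict[str, str]        # DN fields that must match; undefined fields are ignored
    max_users: int                  # number of users allowed to log in under this identity
    active: Set[str] = field(default_factory=set)   # CNs currently logged in


def dn_matches(cert_dn: Dict[str, str], group: GroupIkeId) -> bool:
    """All defined values must be present and equal; extra fields in the cert do not matter."""
    return all(cert_dn.get(k) == v for k, v in group.required.items())


def authenticate(cert_dn: Dict[str, str], groups: List[GroupIkeId]) -> str:
    # Assumes the certificate signature and chain were already verified by the IKE peer.
    for g in groups:
        if not dn_matches(cert_dn, g):
            continue
        cn = cert_dn["CN"]
        if cn not in g.active and len(g.active) >= g.max_users:
            return "denied: %s is full" % g.name
        g.active.add(cn)            # one more instance of the defined user
        return "permitted: %s" % g.name
    return "denied: no matching group IKE ID"


def demo() -> List[str]:
    """The slide's three examples plus a user-limit case, with constructed DNs."""
    groups = [GroupIkeId("companyA-sales", {"O": "Company A", "OU": "Sales"}, max_users=2)]
    certs = [
        {"O": "Company A", "L": "Bldg1", "OU": "Sales", "CN": "alice"},   # example 1: permitted
        {"O": "Company A", "L": "Bldg2", "OU": "Sales", "CN": "bob"},     # example 2: building not defined
        {"O": "Company B", "OU": "Sales", "CN": "carol"},                 # example 3: wrong company
        {"O": "Company A", "OU": "Engineering", "CN": "dave"},            # wrong group
        {"O": "Company A", "L": "Bldg1", "OU": "Sales", "CN": "erin"},    # third Sales user: over the limit
    ]
    return [authenticate(c, groups) for c in certs]
```

The limit check lets a user who is already active reconnect (the slide's "multiple connections from hosts using the same IKE Identity") while refusing a new CN once the group is full.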

Page 104: NetScreen Technologies


Page 105: NetScreen Technologies

NetScreen Remote 7.0

• Enhancements
– New Deterministic Network Driver improves NIC compatibility
– New virtual adapter improves DHCP and NT Domain support
– New InstallShield Install/Uninstall method eases deployment
– Full Windows 95/98/98SE/NT/ME/2000/XP Support

• Major New Features
– Includes support for NAT-Traversal (explained in next few slides)
– New “Auth and Go” works in conjunction with Global Pro 3.0 Policy Manager

Page 106: NetScreen Technologies

Authenticate and Go

• “Auth and Go” is an application bundled with NetScreen Remote which allows direct integration with NetScreen’s Policy Manager
• The purpose of “Auth and Go” is to allow secure, easy VPN Policy deployment for environments with a large number of clients.
• “Auth and Go” prompts the user with a login dialog, requesting username and password.

Page 107: NetScreen Technologies

NetScreen Remote Future

With an: Integrated Personal Firewall
Negotiations underway with leading vendors. Seamless integration. Target FCS CY H1 02

Page 108: NetScreen Technologies

NetScreen Redundancy Protocol (NSRP)
High-Availability Solutions

Page 109: NetScreen Technologies

Overview

• NetScreen’s High Availability Security Solution built to match high performance requirements of mission critical networks
– Designed for
• Enterprise and Service Provider Gateways & Data Centers
• Carrier Access Networks
– Provides the availability, redundancy and performance of Switched and Routed Networks, plus Stateful Security

Page 110: NetScreen Technologies

Overview - Continued

• NetScreen enhances high availability, resilience and performance
– Redundancy protocol support - NSRP v2 (similar to VRRP, but stateful)
– Stateful Fail-over for Firewall and VPN
– Redundant Interfaces for participation in full mesh topologies with or without load-balancing switches
– Active – Active load sharing for Multi-Gigabit throughput
– Sub Second Fail-over

• Utilizes new and existing NetScreen hardware
– New NetScreen-1000 switching module – with redundant Trust and Untrust Gigabit interfaces
– Dual interface NetScreen-500 modules – 10/100 & GigE

Page 111: NetScreen Technologies

Network Security Redundancy Good / Better / Best

[Diagram: three topologies, each behind switch SW1: System Redundancy Active / Passive; System Redundancy Active / Active; System Redundancy Active / Active / Full Mesh. Throughput labels on the slide: 4 Gbps, 4 Gbps, 2 Gbps, and 2 Gbps / 2 Gbps.]

Page 112: NetScreen Technologies

Stateful - Active / Active Full Mesh High Availability

[Diagram: two NetScreen devices behind switch SW1; Total Throughput = 4 Gbps.]

• Stateful fail-over between NetScreen devices
– Sessions, VPN Tunnels and Security Associations maintained
• Option for both NetScreen devices to be active simultaneously
– Peak throughput can be doubled
– Second System always under test
• Option to use Redundant Interfaces
– Trust / Untrust & HA Interfaces
– Full Mesh Solution, each layer has redundant connections
• Path monitor from NetScreen device rapidly identifies upstream & downstream failures

Page 113: NetScreen Technologies

High Availability Landscape

[Diagram: a landscape running from Stateless Fail-over to Stateful Fail-over on one axis and from Device Redundancy to Full Mesh on the other. Positions shown: Core Routers & Switches; VPN Only; VPN + FW; Active/Passive VPN & FW (+ 3rd party); Active/Active VPN & FW with Full Mesh.]

Page 114: NetScreen Technologies

HA Competitive Matrix

Columns: NetScreen 500 & 1000 | Check Point HA | Check Point Rainfinity | Cisco Pix 535 | Cisco VPN 3080 | Nokia CC5205 | Nokia IP-740 | SonicWall ProVX

Stateful Firewall FailOver               Yes | Yes | Yes | Yes | No  | No  | Yes | No
Stateful VPN FailOver                    Yes | Yes | Yes | No  | Yes | Yes | No  | No
Active Active Firewall                   Yes | No  | Yes | No  | No  | No  | No  | No
Active Active VPN                        Yes | No  | Yes | No  | Yes | Yes | No  | No
Redundant HA ports                       Yes | No  | No  | No  | No  | No  | No  | No
Fully Meshed Trust / Untrust Interfaces  Yes | Yes | Yes | No  | No  | No  | Yes | No
Path Monitor (conn / health)             Yes | No  | Yes | No  | No  | No  | No  | No
Sub Second Failover                      Yes | No  | No  | No  | No  | Yes | No  | No

Page 115: NetScreen Technologies

Conclusion

• NetScreen takes a leadership position in High Availability Security Solutions
– Stateful Fail-over VPN and Firewall including (Vsys)
– Active – Active Load Sharing
– Interface Redundancy for full mesh topologies and additional levels of resilience
• Redundant Trust & Untrust Interfaces
• Redundant HA interface
– Path monitoring
– Sub Second Fail-over
– Multi-Gigabit clusters

Page 116: NetScreen Technologies

ScreenOS
Purpose-built for Maximum Security & Performance

Page 117: NetScreen Technologies

ScreenOS

ScreenOS 2.8r1 - Supported on the NS-1000
– Has NSRPv2 - Active / Active Failover Features
– Adds NAT Traversal, L2TP in root and VSYS, and Generic IKE ID

ScreenOS 3.0r2 - Supported on the NS-5XP, NS-10, NS-25, NS-50, NS-100, NS-500
– Adds NAT Traversal, Generic IKE IDs, 38 new MIBs, SCEP, OCSP, and Secondary IP Addresses
– Mainstream ScreenOS code for most customers
– Not supported on the NS-5
– Please note ScreenOS 3.0r2 adds a few new minor features. Read the release notes!

ScreenOS 3.1r1 - Supported on the NS-204, NS-208 and NS-500 Only
– Combines ScreenOS 3.0 Features with the USGA Architecture
– Allows support for all physical interfaces on NS-500
– New architecture - Allows almost all features on all ports or VSYS

Page 118: NetScreen Technologies

Screen OS – Current Beta Programs

ScreenOS with Trend Micro AntiVirus Support - Platforms Supported TBD
– Allows email redirection to a Trend Micro AntiVirus server
– Exact features and NetScreen platforms supported can be learned from your NetScreen SE
– Please contact your SE if you are interested in participating in this beta

ScreenOS 3.0.0 with User Authentication Extended Features - Supported on NS-100 and NS-500
– Multiple Authentication Servers
– External User-Groups
– Firewall Authentication Enhancements
– Custom Authentication Banner messages
– Admin Authentication Enhancements
– L2TP IP Pool / RADIUS Enhancements
– NetScreen RADIUS Attributes
– Available on beta.netscreen.com

Page 119: NetScreen Technologies

Major New Features in 3.0

• VPN Enhancements
– NAT Traversal for IPSec
– Generic IKE IDs
– Advanced Encryption Standard

• Device Management
– NetScreen MIBs
– Logging Enhancements

• Certificate Management
– Automated Certificate Enrollment (SCEP)
– Online Certificate Validation (OCSP)

• Other New Features
– Public Key Authentication for SCS
– Clear Session
– Secondary IP Addresses
– H.323 Gatekeeper Support
– Malicious URL Detection
– Session Thresholds

Page 120: NetScreen Technologies

Device Management Features

• NetScreen Management Information Bases (MIBs)
– Enhanced monitoring of NetScreen devices through new custom SNMP management information bases (MIBs)
– Provides access to virtually every counter, statistic and configuration within NetScreen devices through the standard network management platforms used to monitor the rest of the network devices

• Logging Enhancements
– Now supports a standardized format for log messages, including the reporting module, the message severity, and a timestamp
– Admin has much more granular control over the destination(s) of specific severity messages

Page 121: NetScreen Technologies


Logging Enhancement

Page 122: NetScreen Technologies


Structured Logging

Page 123: NetScreen Technologies

Other New Features

• SCS Public Key Authentication
– Eases automated CLI administration of NetScreen devices
– No longer required to store usernames/passwords in script files

• Clear Session
– Provides admin with more control over what active sessions to display or clear from the active tables
– Can specify matching sessions to display or clear by
• Source and/or destination IP
• Source and/or destination port numbers
• Source and/or destination MAC address
– When command completes, displays total number of sessions cleared

Page 124: NetScreen Technologies

Other New Features

• Secondary IP addresses
– Up to 4 (NetScreen-5XP, NetScreen-10) or 8 (NetScreen-100, NetScreen-500) per interface on the Trust and DMZ Interfaces only
– Defining a secondary IP address on the Trusted or DMZ interfaces allows customers to route traffic between two subnets and use the NetScreen device as the default gateway rather than add a router

• H.323 Gatekeeper Support
– Allows customers to use H.323 Gatekeepers on different interfaces of the NetScreen from the H.323 terminals
– Previously, the gatekeepers and terminals had to be on the same side of the NetScreen device
– This release allows for more flexible placement of the terminals and gatekeepers within an organization
• Example: Terminals on the Trusted side of a NetScreen device can communicate with a Gatekeeper on the Untrusted side

Page 125: NetScreen Technologies

Other New Features

• Internet Worm Attack Protection
– Malicious URL Detection: When enabled, the NetScreen device monitors all HTTP packets looking for the portion of the URL used to exploit the target web server
• If such a packet is detected, it is dropped and an alarm is generated
– Session Threshold Per Source IP Address: When enabled, the NetScreen will limit the number of sessions that any one trusted or DMZ IP can occupy on the NetScreen box
• Prevents the session table from becoming full when a web server infected with a worm tries to access other web servers
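The two worm protections above are simple enough to show end to end: inspect the request line of each HTTP packet for a configured URL fragment, and cap the number of concurrent sessions a single trusted or DMZ source may hold. The class below is an added example written for this page, not ScreenOS code; the URL pattern is a constructed placeholder rather than any real signature, and the decoding step (so that percent-encoded variants of a pattern are still caught) is a design choice of this example, not something the slide states about the product. Hosts and requests are constructed.

```python
"""Internet worm attack protection: malicious URL detection and a per-source session threshold."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import unquote


@dataclass
class WormProtection:
    url_patterns: List[str]          # URL fragments to look for in HTTP requests (constructed here)
    session_threshold: int           # max concurrent sessions per trusted/DMZ source IP
    sessions: Counter = field(default_factory=Counter)
    alarms: List[str] = field(default_factory=list)

    def inspect_http(self, src_ip: str, request_line: str) -> str:
        """Check the request target; drop and raise an alarm when a configured pattern appears."""
        try:
            _method, target, _version = request_line.split(" ", 2)
        except ValueError:
            return "drop malformed-request"
        path = unquote(target).lower()   # decode %xx so encoded variants are caught too
        for pat in self.url_patterns:
            if pat.lower() in path:
                self.alarms.append("malicious-url src=%s pattern=%s" % (src_ip, pat))
                return "drop malicious-url"
        return "permit"

    def open_session(self, src_ip: str) -> str:
        """Admit a new session unless this source already holds the threshold."""
        if self.sessions[src_ip] >= self.session_threshold:
            self.alarms.append("session-threshold src=%s" % src_ip)
            return "drop session-threshold"
        self.sessions[src_ip] += 1
        return "permit"

    def close_session(self, src_ip: str) -> None:
        if self.sessions[src_ip] > 0:
            self.sessions[src_ip] -= 1


def demo() -> Tuple[List[str], List[str], int]:
    """Constructed traffic from the DMZ web server 2.2.2.2 on the transparent-mode slide."""
    wp = WormProtection(url_patterns=["/constructed-worm-probe.dll"], session_threshold=3)
    http = [
        wp.inspect_http("2.2.2.2", "GET /index.html HTTP/1.0"),
        wp.inspect_http("2.2.2.2", "GET /scripts/constructed-worm-probe.dll?x HTTP/1.0"),
        wp.inspect_http("2.2.2.2", "GET /scripts/constructed%2Dworm%2Dprobe.dll HTTP/1.0"),
        wp.inspect_http("2.2.2.2", "garbage"),
    ]
    # An infected web server opening sessions to many other servers hits the threshold...
    sess = [wp.open_session("2.2.2.2") for _ in range(5)]
    wp.close_session("2.2.2.2")               # ...and regains one slot when a session closes.
    sess.append(wp.open_session("2.2.2.2"))
    sess.append(wp.open_session("2.2.2.5"))   # other hosts are not affected by its limit
    return http, sess, len(wp.alarms)
```

The threshold is per source, so the rest of the session table stays available to other hosts while the infected one is held at its cap; the alarms list is what an operator would forward to syslog.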

Page 126: NetScreen Technologies

Screen OS 3.1 (USGA)

Page 127: NetScreen Technologies

Universal Security Gateway Architecture

• New architectural foundation for ScreenOS in support of NetScreen’s next generation platforms and services delivery
• Designed to deliver today’s security features in a more flexible manner on NetScreen platforms, removing the current restriction of certain services to specific interfaces
• Enhanced to provide additional user configurability
• Ready to deliver new features in a flexible manner, including dynamic routing, new security features, and other customer requested capabilities

Page 128: NetScreen Technologies

Zone Based Security

• A security zone is an entity for grouping interfaces that carry traffic at an equivalent security level
• Traffic between zones, being of different security levels, must be approved by security policy
• ScreenOS currently provides
– 3 well known zones: trust, untrust and DMZ
– 4 policy sets, Incoming, Outgoing, To DMZ and From DMZ, for policy enforcement of traffic between zones
• USGA will provide
– User defined zones in addition to the well known, system defined zones
– Separate, directional policy set for each pair of zones, e.g. trust-to-DMZ, for policy enforcement of traffic from zone to zone

Page 129: NetScreen Technologies

Zone Based Security in USGA

• Zones include three pre-defined and arbitrary user defined
• Policy Engine controls traffic between zones
• Policy sets explicitly list from and to zones

From \ To   Untrust      Trust        DMZ          Mkt          Eng
Untrust     N/A          UntToTrust   UntToDMZ     UntToMkt     UntToEng
Trust       TrustToUnt   N/A          TrustToDMZ   TruToMkt     TruToEng
DMZ         DMZtoTun     DMZToTrust   N/A          DMZToMkt     DMZToEng
Mkt         MktToUnt     MktToTru     MktToDMZ     N/A          MktToEng
Eng         EngToUnt     EngToTru     EngToDMZ     EngToMkt     N/A

[Diagram: Policy Engine with zones Untrust, Trust, DMZ, Mkt and Eng; legend: Permitted Traffic, Unchecked Traffic.]

Page 130: NetScreen Technologies

Reserved Zones

• Management zone for support of out-of-band management interfaces and tunnels for management traffic
• HA zone for HA interfaces, NSRP, etc.
• Specific VLAN zones for trust, untrust and DMZ for transparent mode, backward compatibility
• Specific tunnel zones for trust, untrust and DMZ for transparent mode, backward compatibility

Page 131: NetScreen Technologies


Security Zone Configuration

Page 132: NetScreen Technologies

Hardware Interfaces

• ScreenOS currently supports
– 3 well known interfaces, trust, untrust and DMZ
– Each individual interface permanently bound to the like-named security zone
• USGA will provide
– Support for additional network interfaces (>3) in NetScreen products
– More generic naming of physical interfaces
– User defined binding of interfaces to security zones
– Binding of multiple interfaces to a single security zone
– Some pre-defined, special purpose interfaces, like HA

Page 133: NetScreen Technologies

Hardware Interfaces in USGA

• Each interface can be bound to only a single zone
• Multiple interfaces may be bound to a single zone, such as for an untrust/internet zone where redundant ISP links are used
• The pre-defined zones may be used (or not) as desired

[Diagram: Policy Engine with zones Untrust, Mkt, Eng, IT and Finance; interfaces Ether1/1, Ether1/2, Ether2/1, Ether2/2, Ether3/1, Ether3/2 and Ether4/1 bound to them.]

Page 134: NetScreen Technologies

NetScreen-500 With USGA

[Diagram: interfaces Ethernet1/1, Ethernet1/2 (Default “Untrust” Int), Ethernet2/1, Ethernet2/2 (Default “DMZ” Int), Ethernet3/1 (Default “Trust” Int), plus HA1, HA2 and MGT.]

Page 135: NetScreen Technologies


Listing Interfaces

Page 136: NetScreen Technologies


Configuration of Interfaces

Page 137: NetScreen Technologies

Sub-interfaces

• ScreenOS currently supports
– Sub-interfaces, each bound to an 802.1q VLAN, on trust and untrust interfaces
– Usable only on Vsys enabled systems
– Trust sub-interface must be bound to trust security zone in Vsys
• USGA will provide
– Sub-interfaces on any physical interface
– Binding of sub-interface to any zone, not just the same zone as its physical interface
– Availability of sub-interfaces without necessity of enabling Vsys

Page 138: NetScreen Technologies

Sub-Interfaces in USGA

• Sub-interfaces will extend the physical interface name with .Z to denote the sub-interface number of a given physical interface
• Sub-interfaces may be bound to any security zone; they are not restricted to the same zone as the physical interface.
• Multiple interfaces, physical, sub, or a combination, can be bound to a security zone

[Diagram: Policy Engine with zones Untrust, Service, Eng, IT, Corp and Sales/Mkt; interfaces Ether1/1, Ether1/2, Ether2/1 with sub-interfaces Ether2/1.1, Ether2/1.2, Ether2/1.3 and Ether2/1.4, plus Ether2/2 and Ether3/1.]

Page 139: NetScreen Technologies


Configuration of Sub-Interfaces

Page 140: NetScreen Technologies

Routing

• Currently in ScreenOS
– Single route domain
– Routing of inbound packets used to determine intended outbound interface/zone to limit policy search
– No overlapping networks allowed
– Limited u-turn traffic support within zone
• Routing in USGA
– Multiple virtual routers
– Security zones bound to virtual routers
– Controlled route re-distribution between virtual routers

Page 141: NetScreen Technologies

Routing in USGA

• Zones bound to one of 2 routing domains
• Each routing domain is independent, including the ability to run separate routing protocols or areas in different domains
• Controlled redistribution of routing information to tie the two together
– E.g. - redistribute “default route” from 2 to 1 so inside hosts can reach outside hosts
• Routing is performed for traffic between interfaces within the same zone without a policy search; traffic between zones in the same domain still engages the policy engine

[Diagram: Routing Domain 1 and Routing Domain 2 linked by Route Redistribution; zones Untrust, Service, Eng, DMZ, Corp and Sales/Mkt; interfaces Ether1/1, Ether1/2, Ether2/1 with sub-interfaces Ether2/1.1 to Ether2/1.4, Ether2/2 and Ether3/1.]

Page 142: NetScreen Technologies


Configure Routes

Page 143: NetScreen Technologies


Virtual Systems

• ScreenOS currently provides for each Vsys

– Private trust zone

– Single virtual router

– Multiple sub-interfaces

• USGA

– Multiple security zones

– Physical or sub-interfaces bound to a Vsys

– Single virtual router

Page 144: NetScreen Technologies


Vsys In USGA

[Diagram: three virtual systems (Local Vsys with its router, Vsys 1, Vsys 2), each with its own policy engine and zones (Untrust, Trust, DMZ, DMZ1, DMZ2, Cust 1) on sub-interfaces Ether2/2.1, Ether2/1.1, Ether4/1.1, Ether1/1.5, Ether1/1.3, Ether1/1.4, Ether1/1.2 and physical interfaces Ether3/1, Ether3/2, spread across Route Domain 1 and Route Domain 2]

Page 145: NetScreen Technologies


VPN Tunnels in USGA: Policy Based

• VPN policy has same behavior as before

• The IPSec tunnel specification now includes the physical interface or sub-interface to use as the gateway, since multiple interfaces may be bound to a security zone

[Diagram: traffic from the Trust zone (ether2) passes the policy engine and leaves as encrypted traffic on the Untrust zone (ether1, ether3)]

Page 146: NetScreen Technologies


VPN Tunnels in USGA: Dynamic Tunnel Selection

• IPSec tunnels may be bound to a specific tunnel interface

• A tunnel interface is treated like other interfaces, physical or virtual, in that

– It may be bound to any security zone

– It may participate as an interface in routing

– It may have NAT/NAPT services

• Traffic directed to a tunnel interface is encrypted and sent through the tunnel bound to that tunnel interface

• Tunnel to tunnel-interface binding is one-to-one
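As an added illustration, not from the deck, the forwarding model of the "Routing in USGA" slide and the tunnel-interface binding above in Python: interfaces (physical, sub, or tunnel) bind to zones, zones bind to one virtual router, and a route whose next hop is the other virtual router stands in for controlled redistribution. Interface and zone names follow the slide diagrams; the domain names, prefixes and the one-hop limit on cross-router lookups are constructed assumptions of this model, not documented ScreenOS behaviour.

```python
from ipaddress import ip_address, ip_network

class UsgaForwarding:
    def __init__(self):
        self.iface_zone = {}  # interface (physical, sub or tunnel) -> zone
        self.zone_vr = {}     # security zone -> virtual router (routing domain)
        self.routes = {}      # vr -> {prefix: ("iface", x) | ("vrouter", x)}

    def bind_interface(self, iface, zone, vr=None):
        self.iface_zone[iface] = zone
        if vr:  # a zone belongs to exactly one virtual router
            self.zone_vr[zone] = vr

    def add_route(self, vr, prefix, iface=None, via_vrouter=None):
        nh = ("vrouter", via_vrouter) if via_vrouter else ("iface", iface)
        self.routes.setdefault(vr, {})[prefix] = nh

    def lookup(self, vr, dst, hop=0):
        # longest-prefix match in one vrouter; at most one hop into the other
        # vrouter, so two domains exporting defaults to each other cannot loop
        hits = [(ip_network(p), nh) for p, nh in self.routes.get(vr, {}).items()
                if ip_address(dst) in ip_network(p)]
        if not hits:
            return None
        kind, name = max(hits, key=lambda h: h[0].prefixlen)[1]
        if kind == "iface":
            return name
        return None if hop else self.lookup(name, dst, hop + 1)

    def forward(self, in_iface, dst):
        # "route": same zone, so no policy search; "policy": policy engine decides
        in_zone = self.iface_zone[in_iface]
        out = self.lookup(self.zone_vr[in_zone], dst)
        if out is None:
            return ("drop", None)
        return ("route" if self.iface_zone[out] == in_zone else "policy", out)

def build_example():
    fw = UsgaForwarding()  # zone and interface names follow the slide diagrams
    fw.bind_interface("ether1/1", "Untrust", vr="domain2")
    fw.bind_interface("ether2/1.1", "Corp", vr="domain1")
    fw.bind_interface("ether2/1.2", "Corp")
    fw.bind_interface("ether2/1.3", "Eng", vr="domain1")
    fw.bind_interface("tunnel.1", "Corp")  # tunnel interface, bound like any other
    fw.add_route("domain2", "0.0.0.0/0", iface="ether1/1")
    fw.add_route("domain1", "10.1.2.0/24", iface="ether2/1.2")
    fw.add_route("domain1", "10.1.3.0/24", iface="ether2/1.3")
    fw.add_route("domain1", "10.2.0.0/16", iface="tunnel.1")  # remote site via VPN
    fw.add_route("domain1", "0.0.0.0/0", via_vrouter="domain2")  # redistributed
    return fw
```

The point for a defender is the first case: two sub-interfaces in one zone forward to each other with no policy search at all, so which zone a sub-interface or tunnel interface is bound to is itself an access-control decision.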

[Diagram: Tunnel2 and Tunnel3 bound to physical interfaces (Ether1.1, Ether3.1, ether5) and Tunnel1 bound to a tunnel interface in the Corp zone, with zones IT (Ether2), Corp and ExNet (Ether4) spread across Routing Domain 1 and Routing Domain 2 and the Internet behind the policy engine; a tunnel not bound to a tunnel interface is accessible by static policy only]

Page 147: NetScreen Technologies


DoS and other System Services Today

• DHCP Server/Relay

• NAT

• IPSec tunnel traffic

• PPPoE/DHCP Client

• DoS Protections

• MIP/VIP

• IPSec Tunnel termination

• Centrally configured for the system

• Delivered on specific interfaces only

[Diagram: Untrust, DMZ and Trust zones around the policy engine]

Page 148: NetScreen Technologies


DoS and Services in USGA

• Intended to be configurable on a per-interface basis, physical or sub

• First release: per physical interface

• DoS Protections

• NAT

• MIP

• DHCP Relay

[Diagram: received and permitted traffic across zones Untrust, Mkt, Eng, IT and Finance on Ether1/1, Ether1/2, Ether2/1, Ether2/2, Ether3/1 and Ether3/2, with DoS Protection, MIP and DHCP Relay attached per interface on the way to the policy engine]

Page 149: NetScreen Technologies


Questions