VPN
Juniper’s NetScreen firewall supports all of the standard elements you expect on a
VPN device, including:
- Internet key exchange (IKE)
- Authentication header (AH)
- Encapsulating security payload (ESP)
- Tunnel mode
- Transport mode
- Aggressive mode
- Quick mode
- Main mode
- Message Digest Algorithm 5 (MD5)
- Secure Hash Algorithm 1 (SHA-1)
- DES
- 3DES
- AES-128
- Perfect forward secrecy
Juniper provides several options when configuring a VPN on a NetScreen
appliance. There are two different methodologies that can be used: a route-based VPN
or a policy-based VPN.
A policy-based VPN allows for the creation of a VPN through a policy or rule,
which gives you a simplified method to create VPNs.
A route-based VPN uses a special type of virtual interface, called a tunnel interface,
to connect via a VPN. This virtual interface allows you to provide special types
of services (e.g., running routing protocols between two virtual interfaces, such as
OSPF, which requires that the two devices be directly connected). This would not normally
be possible over the Internet, but if you create a route-based VPN between two NetScreen
firewalls, the OSPF limitation is removed because of the special virtual interface.
Interface Modes
By default, a NetScreen firewall operates initially as a router. It allows each physical
interface to use an IP address, thereby allowing traffic to be forwarded between each
interface. A NetScreen firewall, however, is not limited to this traditional type of firewall
configuration.
A NetScreen firewall allows its physical interfaces to run in a special mode called
transparent mode. Transparent mode allows you to put the NetScreen firewall into
layer 2 mode, which operates at the network layer, allowing a NetScreen firewall to
act as a switch while still providing normal firewall filtering. This serves many purposes
(e.g., if you have a flat network with one subnet and no routing, but still want
to separate your network and provide security for a few critical devices, you can
install a NetScreen firewall in transparent mode).
Policies
A policy is a statement that allows or denies traffic based on a defined set of specifications.
Every brand of firewall has a version of policies; however, the base specifications
include the source IP address, destination IP address, source zone, destination
zone, and service or port. There are three types of policies: intrazone, interzone, and
global. By default, there is an invisible global policy that denies any traffic from
passing through the NetScreen. Therefore, if the traffic is not explicitly allowed by
another policy, it is denied. Creating policies allows you to perform one of three
actions on the traffic: allow, deny, or tunnel.
You allow traffic when you let it pass through the firewall. You deny traffic if you
want to prevent it from passing through the firewall. Finally, you tunnel traffic when
you want to permit traffic and put the traffic into a VPN tunnel. Each NetScreen
device has a limited number of policies, which is both a license restriction and a capacity
restriction. You cannot create new policies once you reach the maximum number of
policies per device. Juniper Networks does this to ensure that the performance numbers
published on the specification sheets hold. Other firewalls do not impose this
limit; it is up to you to configure your policies to optimize performance. It would
not make sense to allow a low-end 5-GT appliance to run 40,000 policies, only to
have the performance drop to 1 Mbps. These restrictions are not modifiable and apply on
each platform. There are many different elements involved in configuring an
advanced policy, including traffic shaping, user authentication, NAT, alarms, URL filtering,
and scheduling.
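The policy lookup just described (intrazone, interzone and global policies, the invisible default deny, and the allow/deny/tunnel actions), together with the route-based versus policy-based VPN distinction from the VPN section above, as an added Python model. This is example code written for this page, not ScreenOS code or anything from Juniper; the interface names, zone bindings, prefixes, VPN names and the exact lookup order are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (assumption, not from the text): the zone each
# interface is bound to. tunnel.1 is the virtual tunnel interface of a route-based VPN.
INTERFACE_ZONE = {
    "ethernet1": "trust",
    "ethernet3": "untrust",
    "tunnel.1": "untrust",
}

# Constructed routing table: (prefix, egress interface); longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/24"), "ethernet1"),
    (ipaddress.ip_network("10.2.0.0/24"), "tunnel.1"),   # route-based VPN to site A
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet3"),
]

# Route-based VPN: the VPN is bound to the tunnel interface, not named in a policy.
TUNNEL_VPN = {"tunnel.1": "site-a"}


@dataclass(frozen=True)
class Policy:
    src_zone: str              # "*" in both zone fields marks a global policy
    dst_zone: str
    src: str                   # CIDR prefix or "any"
    dst: str
    service: str               # e.g. "tcp/443" or "any"
    action: str                # "allow", "deny" or "tunnel"
    vpn: Optional[str] = None  # VPN name, used only when action == "tunnel"

    @property
    def scope(self) -> str:
        if self.src_zone == "*" and self.dst_zone == "*":
            return "global"
        return "intrazone" if self.src_zone == self.dst_zone else "interzone"

    def matches(self, src_ip, dst_ip, src_zone, dst_zone, service) -> bool:
        if self.scope != "global" and (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        return (_addr_match(self.src, src_ip) and _addr_match(self.dst, dst_ip)
                and self.service in ("any", service))


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def egress_interface(dst_ip: str) -> str:
    """Longest-prefix route lookup; ROUTES always contains a default route."""
    ip = ipaddress.ip_address(dst_ip)
    _prefix, iface = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return iface


@dataclass(frozen=True)
class Verdict:
    action: str
    egress: str
    vpn: Optional[str] = None
    policy_index: Optional[int] = None   # None: the invisible default deny fired


def lookup(policies, src_ip, dst_ip, in_if, service) -> Verdict:
    """Zone-based lookup: intrazone or interzone policies for the zone pair first,
    then global policies, then the implicit deny. First match in list order wins."""
    egress = egress_interface(dst_ip)
    src_zone, dst_zone = INTERFACE_ZONE[in_if], INTERFACE_ZONE[egress]
    kind = "intrazone" if src_zone == dst_zone else "interzone"
    for scope in (kind, "global"):
        for i, p in enumerate(policies):
            if p.scope != scope or not p.matches(src_ip, dst_ip, src_zone, dst_zone, service):
                continue
            if p.action == "tunnel":
                vpn = p.vpn                    # policy-based VPN: the policy names the VPN
            elif p.action == "allow":
                vpn = TUNNEL_VPN.get(egress)   # route-based VPN: the route picked a tunnel
            else:
                vpn = None
            return Verdict(p.action, egress, vpn, i)
    return Verdict("deny", egress)             # nothing matched: default deny


# Constructed policy set (assumption): trust -> untrust rules plus one global deny.
POLICIES = [
    Policy("trust", "untrust", "10.1.0.0/24", "10.2.0.0/24", "any", "allow"),
    Policy("trust", "untrust", "10.1.0.0/24", "10.3.0.0/24", "any", "tunnel", vpn="site-b"),
    Policy("trust", "untrust", "10.1.0.0/24", "any", "tcp/443", "allow"),
    Policy("*", "*", "any", "any", "tcp/23", "deny"),
]

if __name__ == "__main__":
    for dst, svc in [("10.2.0.7", "tcp/22"), ("10.3.0.7", "tcp/22"),
                     ("203.0.113.9", "tcp/443"), ("203.0.113.9", "tcp/23"),
                     ("203.0.113.9", "tcp/22")]:
        print(dst, svc, lookup(POLICIES, "10.1.0.5", dst, "ethernet1", svc))
```

The first policy shows the route-based case: it is an ordinary allow, and the traffic ends up in VPN site-a only because the route table sends 10.2.0.0/24 out of tunnel.1. The second shows the policy-based case, where the tunnel action itself names the VPN. Traffic that matches nothing (the last sample flow) is denied by the invisible global policy, with no policy index to point at.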
Administering policies can be done from the Web User Interface (WebUI), the
CLI, or the NetScreen Security Manager (NSM). Each method creates the same end result;
however, performing each task is slightly different. On some competing firewall
products, using access lists can be frustrating because of the hassle of reordering,
viewing, and managing them. When the NetScreen platform was designed, it was
designed with those hassles in mind. The WebUI of the NetScreen is often touted as
the easiest to use in the industry.
The NetScreen firewall platform provides three management options:
- CLI Provides the most granular control over the platform through
straightforward interaction with the operating system (ScreenOS).
- WebUI A streamlined Web-based application with a user-friendly interface
that allows you to easily manage the NetScreen appliance. Both WebUI and
CLI are consistent among all of the NetScreen firewall products (i.e., once
you learn one firewall model, you can easily apply your knowledge to the
other models in the NetScreen firewall product line).
- NSM This is a centralized, enterprise-class solution that allows you to
manage your entire NetScreen firewall infrastructure. The NSM not only
provides a central console to manage your firewalls, it also provides consolidated
logging and reporting. This option allows you to see all of your
network’s activity from a central location.
The NetScreen Firewall Product Line
The NetScreen firewall product line has several tiers of products. One of the great
things about the NetScreen firewall product line is that the configuration of each
device remains similar, which allows you to configure each device the same way.
Every device supports the same three management options; the WebUI, CLI, and NSM
configuration of each device is relatively similar. However, the higher up the
firewall product line, the more ports and options are available.
Every firewall device is configured using the same methods, no matter what tier
the device is in. Some vendors offer inconsistent configurations among their devices,
but the NetScreen remains unvarying. The architecture on all of the platforms
remains very similar, leveraging the power of a RISC processor and ASICs to provide
a high-performance OS. Many familiar systems (e.g., Intel-based Pentium systems)
use the less efficient complex instruction set computer (CISC) processor. All of
the devices use flash memory for the long-term storage option. None of the firewalls
rely on hard disks.
The NetScreen-Security Manager provides lasting storage for the firewall
devices, eliminating the need for long-term storage of logs on the devices. You can
also stream logs to a syslog server for storage.
In Table 4.3, you can see the layout of the product line from the low end to the
high end. We concentrate on the hardware and feature differences between the many
models. For more information, visit the Juniper Web site (www.juniper.net/products/
glance/) for the latest numbers.
- NetScreen-Remote Client: NetScreen-Remote VPN Client and
NetScreen-Remote Security Client. Remote access to company resources is
a requirement for most organizations. Company resources have to be accessible
away from the office in a secure manner. For remote access security,
Juniper Networks offers NetScreen-Remote VPN Client and NetScreen-Remote
Security Client, which provide an easy-to-use interface to configure
and connect to IPSec gateway endpoints. You are not limited to
client access of the NetScreen-based VPN firewalls; the client is capable of connecting
to any IPSec gateway. NetScreen-Remote VPN Client also supports
the Extended Authentication (XAuth) protocol. XAuth supports distribution
of IP address and DNS settings to a virtual interface on the client. The
remote VPN client is capable of supporting up to 100 concurrent IPSec
VPN tunnels. The NetScreen-Remote VPN and Security clients provide
easy, secure access to your mobile workforce. The NetScreen-Remote
Security client has an integrated client firewall to protect remote user systems,
and allows end users to connect securely to the enterprise network
over IPSec. The client interface allows users to quickly configure a VPN
connection. It also provides administrators with the ability to create,
export, and deploy a VPN policy to all remote users. Another feature of the
security client is the integrated firewall. While not available natively on
most OSs (Linux, Mac, and Windows), this firewall allows you to protect
the end user’s system using centrally configured policies. This is especially
handy for stand-alone machines that are not part of a managed domain
such as Windows Active Directory (AD).
- SOHO: NetScreen-Hardware Security Client and NetScreen 5GT.
For remote locations or remote users that need a dedicated security appliance,
the SOHO line of NetScreen firewall appliances provides enterprise-class
security at a low-cost entry point. This product line has a small
footprint, which is ideal for offices where space is at a premium.
The NetScreen-Hardware Security Client is currently at the low end of
NetScreen’s firewall product line, and was designed as a hardware-based
version of the remote software client. The Hardware Security Client can
easily support the fastest residence-installed broadband connection.
Protecting home users from viruses is easy with this device, because it
includes Trend Micro’s scan engine embedded directly into the device. This
allows you to scan Post Office Protocol 3 (POP3), SMTP, and HTTP Web
mail in real time to protect users from viruses. This is a great way to reduce
infections on home machines and prevent infected home users from
spreading viruses to the company’s network. Deep inspection is supported
to help protect against application-level attacks and vulnerabilities. The
NetScreen-Hardware Security Client must be managed from a NetScreen
Security Manager.
The NetScreen 5-GT is the answer to your needs if you want a low-end
remote appliance. The only things low-end about this device are the
price and the model number. Anti-phishing and anti-spyware are supported
on the Juniper-Kaspersky Antivirus engine, and standard antivirus filtering
comes embedded. This device has five 10/100 Ethernet ports and comes in
an Ethernet-only model, an Asymmetric Digital Subscriber Line (ADSL)
model, and a wireless model, which allow two Internet-connected interfaces
to provide redundant connectivity in case one Internet Service
Provider (ISP) experiences a failure. HA Lite is an option where you can
have two 5-GTs with configuration synchronization and maintain a connection
if one of the devices fails. However, it doesn’t allow you to fail over all of
your active sessions. All active sessions are lost when one device fails over to
the backup device when using an HA Lite configuration.
- Mid-Range: NetScreen-25 and NetScreen-50. The NetScreen-25 and
NetScreen-50 are the next step up the NetScreen ladder. These devices are
a perfect fit for branch and remote offices, or for medium- and small-size
companies. The only difference between these two devices is the performance
they provide. Both devices are physically identical. These devices and
all higher level devices also provide deep inspection scanning. (In some
cases, this is only an option with advanced licensing and not included in
the baseline license.)
The NetScreen-25 is the weaker of the two devices in the mid-range
category. It has slower performance, but like the NetScreen-50, it has a total
of four 10/100 Ethernet ports, a console port, and a modem port. The console
port provides access for console CLI management. The modem port
allows you to connect a modem for out-of-band management capabilities.
The NetScreen-25 (and all devices upward) allows you to configure the
network ports to your liking. This gives you total control over the network,
providing for multiple configuration options. You can have four separate
security zones for these interfaces. The NetScreen-25 device only allows for HA Lite
mode. In both models, an external Trend Micro antivirus server
does the antivirus scanning.
The NetScreen-50 is the performer of the two devices in the mid-range
category. With faster throughput, the NetScreen-50 device also allows
for HA in active/passive mode. This mode provides for failover in case of a
hardware failure; it also fails over all of your sessions for a
seamless failover.
- High-Range: NetScreen-204 and NetScreen-208. The NetScreen
200 series is the first series to offer high-end NetScreen features, and the
first series of devices designed to support an active/active HA configuration.
This allows both of the NetScreen appliances in an HA cluster to be
active at the same time, allowing for higher throughput and maximum
capacity. This class of firewall is typically required for one of three reasons: a
deployment requires four or more interfaces; a higher throughput is needed; or, to
take advantage of the advanced features available for the
NetScreen-200 series.
The NetScreen-204 provides double the performance of the
NetScreen-50. Much like the other devices of the same form factor, this
device provides four 10/100Base-T ports, as well as the console and
modem ports for out-of-band management. This is the first platform that
allows operation in active/passive mode or active/active mode. An external
Trend Micro antivirus server does the antivirus scanning on both models.
The NetScreen-208 comes with a similar one-rack-unit form factor,
but it is the first device to have more than four physical interfaces. The
NetScreen-208 has the capability to easily support an e-commerce type of
deployment. This device provides eight 10/100Base-T ports. An additional
feature of the 208 is the ability to use a Personal Computer Memory Card
International Association (PCMCIA) CompactFlash card to back up your
configuration. This model adds the active/active full mesh configuration to
the active/passive and active/active configurations.
- Enterprise Class: SSG-520 and SSG-550. If you are looking for high
performance and HA, the Enterprise class of NetScreen products is where
you should browse. Both systems are the first devices in the NetScreen firewall
line to provide redundant power supplies. This is a great option when
uptime is crucial. Both devices also have interchangeable interface modules,
which allow you to have up to eight 10/100Base-T ports or four gigabit fiber ports.
Presently, there is only support for fiber connections; copper
gigabit ports are unsupported at this time.
The SSG-500 series are Enterprise class devices capable of providing a
highly available firewall scenario. Redundant power supplies combined with
redundant support components (e.g., fans) are essential when managing a
network that requires 99 percent or better uptime. As far as HA modes go,
the SSG-550 supports all three modes: active/passive, active/active, and
active/active full mesh, while the SSG-520 only supports active/passive.
When using a NetScreen device in HA mode, you must have ports dedicated
to enable both a heartbeat and the passing of session synchronization
information. The SSG-500 series provides these two dedicated ports.
The SSG-550 ships with a feature called Virtual Systems (VSYS),
which allows you to segment a device into several virtual systems. These
virtual systems allow you to have completely separate management
domains, providing virtual firewalls within the single physical device.
Finally, the 500 series is expected to have embedded antivirus, including
anti-phishing and anti-spyware, in the second half of 2006, which will
eliminate the need for an additional server to house the antivirus software.
- Next Generation Enterprise Class: NetScreen-ISG 1000 and ISG
2000. The NetScreen Integrated Security Gateway 2000 or NetScreen
ISG-2000 is Juniper Networks’ next generation firewall. This device is built
on fourth-generation ASICs, and the chips are specialized for performing
specific tasks. Its architecture is designed for more than just firewall security
purposes, and it has four expansion ports that permit adding more interfaces.
In the future, it will allow users to add products such as the
NetScreen IDP to allow for application-level scanning of all traffic. The
IDP module will be ASIC-based, and will provide excellent performance
while scanning at the application layer.
These devices have two important features that put them at the top of
their class: enormous throughput and port density. The throughput of the
Integrated Security Gateway (ISG) series is one of the highest in the
industry. The NetScreen-ISG 2000’s four expansion slots allow you to combine
any of the following: four-port 10/100 Ethernet module, eight-port
10/100 Ethernet module, or a dual-port mini-Gigabit Interface Converter
(GBIC) module to provide the exact interface configuration you require.
In the advanced license model, the NetScreen-ISG 2000 supports the
active/passive, active/active, and active/active full mesh HA configurations. It can
also support up to 50 virtual systems, 512,000 concurrent sessions,
and 10,000 concurrent VPN tunnels.
- Carrier Class: NetScreen-5200 and NetScreen-5400. Welcome to the
top of the NetScreen firewall product line. While impressive, these devices
are only suitable for the most demanding environments. Both devices are
nearly identical except for two things: port density and throughput. The
NetScreen-5200 series appliance can have a maximum of eight mini-GBIC
ports, or two mini-GBIC ports and 24 10/100BaseT Ethernet ports. It has
a maximum throughput of 4 gigabits per second of firewall inspection.
The NetScreen-5400 has even more impressive performance and port
density. This device can have either a maximum of 24 mini-GBIC ports, or
six mini-GBIC ports and 72 10/100BaseT Ethernet ports.
For the most part, these two appliances have identical performance
statistics. The NetScreen-5000 product line can support up to one million
concurrent sessions. In addition, they can support up to 25,000 VPN tunnels,
a total of 500 virtual systems, and up to 4,000 VLANs. Both devices
can support all three modes of HA: active/passive, active/active, and
active/active full mesh. Both devices come equipped with HA ports to provide
both heartbeat and session synchronization.
Sonicwall
SonicWALL offers a variety of firewall products designed to meet the needs of
anyone from the home office to the enterprise. Since coming to the market in 1991,
SonicWALL has become one of the top players in the industry. Today, with over a
half-million units in the field, they continue to be touted as one of the best firewall
appliances on the market.