Core Technologies
- Ground-up Design The NetScreen hardware architecture was developed
to be a purpose-built device. Designed from the ground up for
exceptional throughput, the firewall devices lead the pack in firewall design. Juniper Network's NetScreen firewall
product line is a layered architecture, designed to provide optimal performance
for critical security applications. The top layer of the NetScreen firewall
architecture is the integrated security application, which is integrated
with the OS to provide a hardened security solution. The integrated security
application provides all of the VPN, firewalling, Denial of Service
(DoS) protection, and traffic management functions.
- Dedicated OS The second layer in the NetScreen firewall platform is the
OS. The OS for the NetScreen firewall product is called ScreenOS, which
is designed as a Real-time Operating System (RTOS). An RTOS is defined
as an OS that can respond to external world events in a time frame defined
by the external world. Because only one task can run at a time on each
CPU, the idea is to minimize the time it takes to set up and begin executing
a task. A large challenge for an RTOS is memory allocation. Allocating
memory takes time, which can delay the OS in executing a task.
ScreenOS preallocates memory to ensure that it has enough memory to provide
a sustained rate of service. Some people argue that ScreenOS is more
secure than open source OSs because the general public cannot review the
source code for vulnerabilities. That argument rests on obscurity rather than on
the quality of the code: a closed source base does not stop a determined attacker from
finding flaws by reverse engineering or fuzzing the firmware, and it means you depend
entirely on the vendor to find and fix them. The OS on a NetScreen firewall provides
services such as dynamic routing, high availability (HA), management, and the ability to virtualize
a single device into multiple virtual devices.
- High-speed Hardware The third layer in the NetScreen architecture is
the hardware components. The NetScreen firewalls are based on a custom-built
architecture consisting of Application-Specific Integrated Circuit
(ASIC) technology. An ASIC is a chip designed for a single purpose, which allows
that purpose to be performed much faster than on a general-purpose
microprocessor. The ASIC connects over a
high-speed bus interface to the core processor of the firewall unit, a
reduced instruction set computer (RISC) CPU. The firewall connects all of
its components together with a high-speed multi-bus configuration. The
bus connects each ASIC with the RISC processor, Synchronous Dynamic
Random Access Memory (SDRAM), and the network interfaces.
- Stateful Inspection The NetScreen firewall core is based on the stateful
inspection technology. Stateful inspection provides a connection-oriented
security model by verifying the validity of every connection while providing
a high-performance architecture.
- Deep Inspection The firewall platform also contains additional technologies
to increase your network's security. First, the products support deep
inspection. This technology allows you to inspect traffic at the application
level to look for attacks. This can help prevent the next worm from
attacking your Web servers, or someone from trying to send illegal commands
to your SMTP server. The inspection technology includes a regularly
updated database as well as the ability to create your own regular
expression-based signatures.
Deep inspection technology is the next step in the evolution of firewalls. It
allows you to inspect traffic at the application layer, relying on regular expressions
(regex) to determine what content in a packet is malicious. For example, if a worm on the
Internet attempts to exploit an Internet Information Server (IIS) Web server vulnerability
by sending a specific string of characters to your Web server, a custom
signature can be written to identify that attack string. By applying the custom signature
to a policy, the traffic matched by that policy is inspected for that specific string.
A signature matches only the string it was written for, so a variant that changes the
string evades it; custom signatures are a stopgap alongside patching, not a substitute for it.
A smaller network may not have the management needs or the financial
means to justify a separate Intrusion Detection and Prevention (IDP) device.
The integration of application-level inspection in the firewall may be a better fit. Application-level
scanning in an integrated device can also provide a second layer of protection
to your network by blocking specific attacks.
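To make the distinction concrete, here is an added Python model (not code from this book and not ScreenOS code) of the two decisions described above: a stateful verdict taken on the connection's addresses and port, followed by regex signatures applied to the reassembled application payload of connections the policy permits. The signature names, patterns, service ports and sample payloads are constructed for this example; they are not Juniper's attack database and the oversized-request and escape-sequence payloads are not real attack strings.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A custom deep-inspection signature (constructed for this example)."""
    name: str
    port: int             # application service the signature applies to
    pattern: re.Pattern   # regex evaluated against the reassembled payload


# Constructed signatures: an oversized request target (typical of overflow
# attempts against Web servers), runs of %uXXXX escapes in a URL, and SMTP
# commands the policy does not want to see at all.
SIGNATURES = [
    Signature("http-oversized-uri", 80,
              re.compile(rb"^(?:GET|POST|HEAD)\s+\S{200,}", re.MULTILINE)),
    Signature("http-unicode-escape", 80,
              re.compile(rb"(?:%u[0-9a-fA-F]{4}){2,}")),
    Signature("smtp-disallowed-command", 25,
              re.compile(rb"^(?:DEBUG|WIZ)\b", re.MULTILINE | re.IGNORECASE)),
]

# Constructed sample flows: (src, dst, dst port, application payload as it
# would be seen once the TCP session is established).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 80,
     b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.6", "192.0.2.10", 80,
     b"GET /cgi-bin/search?q=" + b"A" * 300 + b"%u9090%u9090 HTTP/1.0\r\n\r\n"),
    ("10.0.0.7", "192.0.2.25", 25,
     b"EHLO mail.example.com\r\nMAIL FROM:<a@example.com>\r\n"),
    ("10.0.0.8", "192.0.2.25", 25,
     b"HELO x\r\nDEBUG\r\nWIZ\r\n"),
    ("10.0.0.9", "192.0.2.10", 23,
     b"login: admin\r\n"),
]

PERMITTED_SERVICES = frozenset({80, 25})   # the policy's service list


def stateful_verdict(src, dst, dport, permitted=PERMITTED_SERVICES):
    """Stateful inspection decides on the connection tuple only: it never
    looks at what the permitted session carries."""
    return "permit" if dport in permitted else "deny"


def deep_inspect(dport, payload, signatures=SIGNATURES):
    """Return the names of all signatures for this service that match the
    payload. Signatures for other services are not evaluated."""
    return [s.name for s in signatures
            if s.port == dport and s.pattern.search(payload)]


def apply_policy(flows, signatures=SIGNATURES):
    """Evaluate each flow: stateful first, then deep inspection on what the
    stateful check let through. Returns (src, verdict, matched signatures)."""
    results = []
    for src, dst, dport, payload in flows:
        verdict = stateful_verdict(src, dst, dport)
        hits = deep_inspect(dport, payload, signatures) if verdict == "permit" else []
        if hits:
            verdict = "drop"
        results.append((src, verdict, hits))
    return results


if __name__ == "__main__":
    for src, verdict, hits in apply_policy(SAMPLE_FLOWS):
        print(f"{src:<10} {verdict:<7} {', '.join(hits) or '-'}")
```

The second HTTP flow and the second SMTP flow are both ordinary, fully permitted sessions as far as the stateful check is concerned; only the signature pass on their payload turns the verdict into a drop, which is the point of the paragraph above. The telnet flow is never inspected because the stateful policy already denies it.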
All of the appliances include the ability to create IPSec VPNs to secure your
traffic. The integrated VPN technology has received both the Common Criteria certificate
and the ICSA (www.icsalabs.com) Firewall certificate, which means that the
IPSec VPN technologies have good cross-compatibility and standards compliance.
Juniper Networks also offers two client VPN solutions to pair with the NetScreen
firewall. The NetScreen-Remote client provides the ability to create an IPSec connection
to any NetScreen firewall or any IPSec-compliant device. The NetScreen-Security
Client creates IPSec tunnels and also includes a personal firewall to secure the end
user's system.
The NetScreen firewall product line leverages the technologies of Trend Micro’s
industry-leading antivirus software, which allows you to scan traffic as it passes
directly through the firewall, thus mitigating the risks of viruses.
Zones
Zones are the core of the NetScreen architecture and one of the unique features of
the NetScreen firewall series. A zone is defined as a logical area, and several types of
zones can exist on a NetScreen firewall. The most commonly used zone is the security
zone, which is the segment of the network space where security measures are
applied. These measures are used to determine the different network locations
assigned to a NetScreen firewall. The two most commonly used security zones are
trust and untrust. The trust zone is assigned to the internal local area network (LAN)
and the untrust zone is assigned to the Internet. The name of the zone is arbitrary,
but is used to help the administrator determine what the zone is used for. Security
zones are a key component in policy configuration. A security zone can encompass
any number of physical or virtual interfaces, including VPN tunnel interfaces, which permits an administrator to join the Finance or Marketing departments in various subnets
and locations under a single protection policy.
The Finance department in the main
office, the Cashier's office, and the Finance department located in a remote city connected
via VPN can all be in the same zone with the same rule set. If you add a
second remote office connected by a second VPN to the zone, the rule set is
applied automatically and no further configuration is necessary. This zone-based
policy model is what sets the NetScreen apart from other firewalls of its class
and makes administration much easier.
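The reason a new tunnel inherits the rule set is that policies are written between zones, not between interfaces. The following added Python sketch (not ScreenOS code and not from this book) models that lookup: the ingress interface gives the from-zone, the route to the destination gives the egress interface and therefore the to-zone, and the policy table is searched on that zone pair. Interface names, addresses and the policy set are constructed for the example; the assumption that traffic between two interfaces in the same zone is permitted unless the zone is configured to block it mirrors the ScreenOS default.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    networks: tuple   # ip_network objects reached through this interface


class ZoneFirewall:
    """Simplified model of zone-to-zone policy lookup."""

    def __init__(self, intrazone_block=False):
        self.interfaces = {}       # interface name -> Interface
        self.policies = []         # (from_zone, to_zone, service, action); first match wins
        self.intrazone_block = intrazone_block   # assumption: off by default, as in ScreenOS

    def bind_interface(self, name, zone, *networks):
        """Bind a physical or tunnel interface to a security zone and record
        the networks routed through it (a connected route or a static route)."""
        self.interfaces[name] = Interface(name, zone, tuple(ip_network(n) for n in networks))

    def set_policy(self, from_zone, to_zone, service, action):
        self.policies.append((from_zone, to_zone, service, action))

    def egress_interface(self, dst_ip):
        """Longest-prefix match over the routes attached to each interface."""
        dst = ip_address(dst_ip)
        best = None
        for iface in self.interfaces.values():
            for net in iface.networks:
                if dst in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, iface)
        if best is None:
            raise LookupError(f"no route to {dst_ip}")
        return best[1]

    def lookup(self, ingress_if, dst_ip, service):
        """Return (from_zone, to_zone, action) for a packet arriving on
        ingress_if bound for dst_ip. Policies are keyed on the zone pair only,
        so any interface later added to a zone is covered without new rules."""
        from_zone = self.interfaces[ingress_if].zone
        to_zone = self.egress_interface(dst_ip).zone
        if from_zone == to_zone and not self.intrazone_block:
            return from_zone, to_zone, "permit"
        for fz, tz, svc, action in self.policies:
            if fz == from_zone and tz == to_zone and svc in (service, "ANY"):
                return from_zone, to_zone, action
        return from_zone, to_zone, "deny"    # implicit default deny


def build_example():
    """Constructed topology: Finance spans two LAN segments and one VPN tunnel."""
    fw = ZoneFirewall()
    fw.bind_interface("ethernet1", "Trust", "10.0.0.0/24")
    fw.bind_interface("ethernet2", "Untrust", "0.0.0.0/0")       # default route
    fw.bind_interface("ethernet3", "Finance", "10.1.0.0/24")      # main office
    fw.bind_interface("ethernet4", "Finance", "10.1.1.0/24")      # cashier's office
    fw.bind_interface("tunnel.1", "Finance", "10.20.0.0/24")      # remote city via VPN
    fw.set_policy("Finance", "Untrust", "HTTP", "permit")
    fw.set_policy("Trust", "Finance", "ANY", "deny")
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.lookup("ethernet3", "198.51.100.7", "HTTP"))
    # A second remote office joins Finance: no policy change, same verdict.
    fw.bind_interface("tunnel.2", "Finance", "10.30.0.0/24")
    print(fw.lookup("tunnel.2", "198.51.100.7", "HTTP"))
    print(fw.lookup("ethernet1", "10.20.0.5", "HTTP"))
```

Binding `tunnel.2` changes only the interface table; the policy list is untouched, yet traffic from the new office gets the same Finance-to-Untrust decision as the main office, and Trust users are still denied access to hosts behind the new tunnel because that decision, too, is made on the zone pair.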
Another zone type is the tunnel zone, which is used in conjunction with tunnel
interfaces. Tunnel zones are defined as a logical segment to which the VPN tunnel
interface is bound.
The last type of zone is a function zone, which specifies that an interface is used
only for management traffic and will not allow traffic to be routed over it. A function
zone is defined as a physical or logical entity that performs a specific function. The use
of zones allows you to clearly define the separation between two or more areas.
Virtual Routers
A firewall is nothing more than a glorified router. It essentially sends traffic from one
location to another, determining the best path based on its routing table. What
makes a firewall different from a standard router is its ability to allow or deny traffic.
The NetScreen firewall provides simple routing services and more. A normal device
that uses IP has a single routing table, which contains all of the known or learned
routes. A NetScreen device can use multiple virtual routers (VRs), each with its own
routing table; these are most important in the high-end firewalls such as the
NetScreen 200 series and above.