Why choose Netscreen?

Status
Not open for further replies.

Drisnil

MIS
Mar 29, 2003
US
I'm looking for some insight. I have inherited a network installation as the company's newest IT professional. Never having been exposed to Juniper/Netscreen products before, I am in need of some information.

My location has a Netscreen 5Xp but we need a DMZ port which this model does not have.

Since I need to upgrade anyway, why would I choose to replace this with another Netscreen product versus another product like Watchguard Technologies or Cisco PIX?

Would someone shed light on this subject, please?

-Wei-ji-nu

_______________________________
Aliis si licet, tibi non licet.
 
Well,

If you need a DMZ, as in a fully fledged DMZ, then you would be looking at a 5GT with the appropriate license key (extended, if I remember correctly); this would be the cheapest option. However, I would double check and see how many sessions you think you will require. Another option is the NS25 baseline or extended, which is a fully fledged, 4-port, completely configurable firewall.

One advantage that you have with a 5GT is that you can have it run DPI and AV for you. Again, here a little caution is required, as the NetScreen will buffer 20 meg for AV scanning and then either drop or permit traffic that cannot be scanned due to the buffer being full, depending on how you configure it.

It is a very flexible and, for the money, powerful little box which is feature rich and pretty easy to set up.

With regards to the DMZ specifically, it's pretty easy to set up MIPs and VIPs to get traffic going where it ought to be headed. Further to this, there has been a lot of work put into the predefined services in release 5 and 5.1, which it will ship with, making the policy creation process a lot simpler. You don't have to manually add custom policies as much as was the case in the past.

If you have any more queries on it, drop me a response.

Kind regards

Njetscreamer
 
Thanks Njetscreamer,

How does the NS25 compare to the 5GT aside from cost?

Inquiring Minds,
Weijinu

_______________________________
Aliis si licet, tibi non licet.
 
Weijinu,


I don't have the exact data to hand, but there is a difference in the number of sessions it will handle and the number of SAs it can have (tunnels), and the 25 is a more flexible device than the 5GT in so far as it is more configurable from a zone point of view.

Both devices can be clustered, both devices have DMZ (5gt may need key) and both devices can perform deep packet inspection.


There are some spec sheets available on the Juniper website at

5GT:

5GT-ADSL:

NS25:

Hope this helps.

Kind regards

Njetscreamer
 
NJetscreamer,

It's been a while since my last post on this subject, but there are some additional variables to consider now.

First, to give you an update, I am currently running the NetScreen 5XP Firewall+VPN firmware version: 5.0.0r9.0.

With regards to a DMZ with respect to running a website, it was suggested that instead of a true DMZ, I could port forward to the web server instead. Any thoughts on that approach?

Also, in terms of web traffic statistics, I have none to work with. Our partners that have similar websites to the one we are proposing host the site at a 3rd party and they seem to care little about bandwidth traffic and the similar statistics.

A friend of mine suggested using a Watchguard Firebox X product, as it's upgradeable if the need arises. Does anyone have thoughts on this approach or product?

Thanks in advance...
 
Morpth,

You can indeed port forward. On a NetScreen this would require setting a VIP, which forwards inbound traffic to an internal IP address based on port.

E.g., if you have a VIP configured on 1.1.1.1, then you could designate that port 80 goes to 192.168.1.10, 25 to 192.168.1.11, 110 to 192.168.1.11, etc.

The 5XP is indeed EOL; however, the replacement products are far more powerful and will support a 'REAL' DMZ.

Specifically, at the entry level we are talking about the 5GT series, which is available as Ethernet only, Ethernet + ADSL, Ethernet + 2 wireless zones, and Ethernet + 2 wireless zones + ADSL.

Hence these are really versatile little units. They will also do antivirus scanning on traffic, as well as deep packet inspection, monitoring the validity of the packet or frame content relative to the port or application associated with it.

The 5 series are pretty cheap; however, I could not comment on the differences between the Firebox and the 5GT, as I have never worked with Firebox products and do not know their cost or capability.

I have a 5GT-ADSL at home, and in my personal view, it simply ROCKS; it does everything I could want it to do in the form of routing (I also use source-based routing and OSPF), security and VPN infrastructure.

The 5 Series, like all NetScreen products, does pretty much, if not, everything that the larger units are capable of, with the exception that they only provide NSRP basic, meaning that if you cluster them, the run time objects (VPNs, sessions etc.) are not transferred to the backup unit during operation. This means that a failure of one unit will require the VPNs and sessions to be rebuilt.

This, in the case of a VPN with monitoring enabled, takes a couple of seconds.

I hope this gives you some info with which to make an informed decision. If you do need any more information or have specific implementation queries, feel free to drop me a note.

Kind regards

Njetscreamer
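As an added illustration of the VIP port forwarding described in the reply above (this is not configuration from the thread or from Juniper's documentation), here is what the three mappings in the example look like as ScreenOS 5.x commands, followed by the policies a VIP needs before it passes any traffic. The interface name `untrust` (as on a 5XP) and the 1.1.1.1 address are assumptions taken from the post; the command syntax is as I recall it from ScreenOS 5.x and should be checked against the CLI reference for the release in use. The `#` lines are annotations, not ScreenOS syntax.

```text
# Constructed example: one public VIP address on the untrust interface,
# three port-to-host mappings into the Trust zone (addresses from the post).
set interface untrust vip 1.1.1.1 80 HTTP 192.168.1.10
set interface untrust vip 1.1.1.1 25 MAIL 192.168.1.11
set interface untrust vip 1.1.1.1 110 POP3 192.168.1.11

# A VIP forwards nothing until a policy permits the service to VIP(addr).
# Permitting exactly these three services leaves every other inbound port
# closed, and logging each policy gives you the inbound-hit record to review.
set policy from untrust to trust any vip(1.1.1.1) HTTP permit log
set policy from untrust to trust any vip(1.1.1.1) MAIL permit log
set policy from untrust to trust any vip(1.1.1.1) POP3 permit log
save
```

Note that the forwarded hosts still sit in the Trust zone alongside the rest of the LAN, which is the trade-off the replies above are pointing at when they contrast port forwarding with a 'REAL' DMZ zone on the 5GT or NS25.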
 