Agenda
• NetScreen Background & Market Trends
• NetScreen Security Basics
• Applications for the Enterprise
• Security Management for the Enterprise
• Purpose built vs. general purpose solutions
• Appendix: Service & Support
About NetScreen
• Founded October 1997
• Leading maker of ASIC-based integrated security solutions
  • Firewall, VPN and traffic management
• Fast growing revenue
  • $40 million in calendar 2000
  • $8 million in calendar 1999
• Primary markets: Internet data centers, service providers and enterprises
• Employees: > 270
• Pre-IPO: $53 million VC investment
  • Sequoia, Spectrum, Juniper, Ericsson, WorldCom
• Based in Sunnyvale, Calif. USA
  • Other offices in Boston, UK, Hong Kong, Beijing
NetScreen’s Security Solutions
[Product family diagram: NetScreen Security Systems (NetScreen-500, NetScreen-1000); NetScreen Security Appliances (NetScreen-100, NetScreen-10, NetScreen-5); NetScreen Security Mgmt & Client (NetScreen-Remote, Global PRO / Global Manager)]
Integrated security systems and appliances
• ICSA certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI and NAT acceleration
• 1Gbps, 700Mbps, (250Mbps), 100Mbps & 10-Mbps hardware firewall and 3DES IPSec VPN devices
• ScreenOS security software – custom OS
High availability
• Solid state, redundant hardware, HA topologies
• Protect against DoS attacks (8 to 10 times faster than software solutions)
Powerful management
• WebUI, CLI for easy installation and management
• Carrier-class central management
Security Market Growth
• Firewall and VPN markets in rapid-growth stage
• Hardware predominant platform for firewalls and VPNs
• Key drivers
  • Need to protect Internet links and encrypt data
  • Enterprises looking to outsource or out-task some element of security
[Chart: Worldwide Market Growth (Infonetics Research 2000); y-axis $0–$6 billions; x-axis 2000–2004; series: Firewall, Dedicated VPN hardware]
Enterprise Security Trends
• Security breaches have a huge economic impact on business
• Branch and telecommuter networks tying into corporate via VPNs
• Bandwidth requirements in the corporate LAN and WAN environments
• The need for a holistic approach to security
• Lack of skilled IT workers
NetScreen’s Enterprise Security Solutions
• Full suite of products for complete deployment in the enterprise network
  • NetScreen-5 & -10 for remote offices and telecommuters
  • NetScreen-100 & -500 for corporate headquarters
• Centralized management of all NetScreen appliances and systems
  • Control security for multi-site device deployments from one location
• Security solutions that don’t impede network performance
  • Firewall & VPN at wire speed
• Integrated solution – firewall, VPN and traffic management
  • to address security and bandwidth requirements
  • No need to manage multiple vendors
• Multi-customer/department architecture
  • 25 virtual systems (VSYS) with the NetScreen-500
NetScreen’s Solutions for the High-Performance Security Market
• Enterprise Networks
  • Enterprise central site and broadband remote access
  • Small- to medium enterprises
• Internet data centers
  • E-businesses
  • Web hosts, ASPs, colocation facilities
• Service provider networks
  • MAN, BLEC, MTU
  • ISP, DSL providers
  • Managed Security Service Providers
• Integrating security solutions for Internet data centers, service providers and enterprises of all sizes
NetScreen Security Basics
• Dedicated OS
  • No hardening of the OS required
  • More efficient than a general purpose OS
• Stateful Packet Inspection Firewall
  • A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions.
  • Allow a particular type of traffic “in” only as a response to an “outgoing” session
  • NetScreen ASIC accelerates the process
• IPSec 3DES VPN
  • 3DES has become the encryption industry standard
  • NetScreen appliances come standard with 3DES
  • NetScreen ASIC accelerates the process
• Virtual Systems
  • Unique policy, address book and management
  • Firewall and VPN configured per virtual system
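The session-table behaviour the slide describes (inbound traffic admitted only as a response to an outgoing session, with UDP tracked as a "pseudo" session that ages out) is easy to see in a small simulation. The following is an added example written for this page, not NetScreen or ScreenOS code; the addresses, ports, packet sequence and the 60-second idle timeout are all constructed for illustration.

```python
"""Toy stateful packet filter: inbound packets are permitted only when they
answer a session opened from the trusted side. Added example, not NetScreen
code; all addresses, ports and the timeout value are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = trusted to untrusted side; "in" = untrusted to trusted
    syn: bool = False
    fin: bool = False


# Keys are normalised so a request and its reply map to the same table entry:
# (proto, inside_ip, inside_port, outside_ip, outside_port)
SessionKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    UDP_IDLE_TIMEOUT = 60.0  # seconds an idle UDP pseudo-session is kept (constructed value)

    def __init__(self) -> None:
        self.sessions: Dict[SessionKey, float] = {}  # key -> last-seen timestamp

    @staticmethod
    def _key(pkt: Packet) -> SessionKey:
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire_udp(self, now: float) -> None:
        # UDP has no FIN, so pseudo-sessions are removed once they sit idle too long.
        stale = [k for k, seen in self.sessions.items()
                 if k[0] == "udp" and now - seen > self.UDP_IDLE_TIMEOUT]
        for k in stale:
            del self.sessions[k]

    def process(self, pkt: Packet, now: float) -> str:
        """Return "permit" or "drop" for one packet observed at time `now`."""
        self._expire_udp(now)
        key = self._key(pkt)
        if pkt.direction == "out":
            if pkt.proto == "tcp" and not pkt.syn and key not in self.sessions:
                return "drop"           # a non-SYN segment cannot open a TCP session
            self.sessions[key] = now    # open or refresh the session
            if pkt.proto == "tcp" and pkt.fin:
                del self.sessions[key]  # simplified teardown: first FIN closes the entry
            return "permit"
        # Inbound direction: admitted only as a response to an existing session.
        if key not in self.sessions:
            return "drop"
        self.sessions[key] = now
        if pkt.proto == "tcp" and pkt.fin:
            del self.sessions[key]
        return "permit"


def run_demo() -> List[str]:
    """Feed a constructed packet sequence through the filter; return the verdicts."""
    fw = StatefulFilter()
    inside, web, dns, other = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
    trace = [
        (Packet("tcp", web, 80, inside, 40000, "in"), 0.0),             # 1 unsolicited inbound TCP
        (Packet("tcp", inside, 40000, web, 80, "out", syn=True), 1.0),  # 2 inside host opens session
        (Packet("tcp", web, 80, inside, 40000, "in"), 1.5),             # 3 reply matches the entry
        (Packet("udp", inside, 53001, dns, 53, "out"), 2.0),            # 4 DNS query: UDP pseudo-session
        (Packet("udp", dns, 53, inside, 53001, "in"), 2.2),             # 5 DNS reply inside idle window
        (Packet("udp", other, 53, inside, 53001, "in"), 2.3),           # 6 different peer, no entry
        (Packet("udp", dns, 53, inside, 53001, "in"), 200.0),           # 7 reply after pseudo-session aged out
    ]
    return [fw.process(pkt, now) for pkt, now in trace]


if __name__ == "__main__":
    for step, verdict in enumerate(run_demo(), 1):
        print(step, verdict)
```

Packets 1, 6 and 7 are dropped and the rest permitted: only traffic that matches a table entry created by an outbound packet gets in, and the UDP entry disappears once it has been idle longer than the timeout.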
NetScreen Virtual Systems
[Diagram labels: Vsys #1; Vsys #2; Vsys #3]
• NetScreen Virtual Systems
  • Per Virtual System - address book, policies and management
  • Firewall and VPN configured per virtual system
  • Able to support multiple security domains or customers without sharing policy
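What "without sharing policy" means in practice is that a flow is evaluated only against the policy list of the virtual system it belongs to, using only that system's address book. The following is an added example written for this page, not ScreenOS code; the vsys names, zone names, address-book entries and policies are constructed for illustration, and the first-match-then-implicit-deny evaluation is a generic model rather than a description of ScreenOS internals.

```python
"""Toy per-virtual-system policy lookup: each vsys owns a private address book
and an ordered policy list. Added example, not ScreenOS code; all names,
zones, networks and policies below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str       # address-book name, or "any"
    dst: str       # address-book name, or "any"
    service: str   # e.g. "tcp/443", or "any"
    action: str    # "permit" or "deny"


@dataclass
class VirtualSystem:
    name: str
    address_book: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)
    policies: List[Policy] = field(default_factory=list)

    def add_address(self, name: str, cidr: str) -> None:
        self.address_book[name] = ipaddress.ip_network(cidr)

    def _addr_matches(self, name: str, ip: str) -> bool:
        if name == "any":
            return True
        if name not in self.address_book:
            # Address names are scoped to this vsys; one defined elsewhere is unknown here.
            raise KeyError(f"vsys {self.name}: no address-book entry {name!r}")
        return ipaddress.ip_address(ip) in self.address_book[name]

    def lookup(self, from_zone: str, to_zone: str, src_ip: str, dst_ip: str, service: str) -> str:
        """First matching policy decides; no match means the implicit deny."""
        for p in self.policies:
            if (p.from_zone, p.to_zone) != (from_zone, to_zone):
                continue
            if p.service not in ("any", service):
                continue
            if self._addr_matches(p.src, src_ip) and self._addr_matches(p.dst, dst_ip):
                return p.action
        return "deny"


def build_demo() -> Dict[str, VirtualSystem]:
    """Two constructed virtual systems with disjoint address books and policies."""
    finance = VirtualSystem("Finance")
    finance.add_address("FinServers", "10.10.0.0/24")
    finance.add_address("FinRemoteWorkers", "192.0.2.0/24")  # VPN-terminated remote users
    finance.policies += [
        Policy("Untrust", "Trust", "FinRemoteWorkers", "FinServers", "tcp/443", "permit"),
        Policy("Trust", "Untrust", "FinServers", "any", "any", "permit"),
    ]

    engineering = VirtualSystem("Engineering")
    engineering.add_address("BuildFarm", "10.20.0.0/24")
    engineering.policies += [
        Policy("Trust", "Untrust", "BuildFarm", "any", "any", "permit"),
    ]
    return {"Finance": finance, "Engineering": engineering}


if __name__ == "__main__":
    vs = build_demo()
    # Same remote-worker flow, evaluated in two different virtual systems:
    print("Finance:    ", vs["Finance"].lookup("Untrust", "Trust", "192.0.2.15", "10.10.0.8", "tcp/443"))
    print("Engineering:", vs["Engineering"].lookup("Untrust", "Trust", "192.0.2.15", "10.10.0.8", "tcp/443"))
```

The same inbound HTTPS flow is permitted in the Finance vsys and implicitly denied in Engineering, because each system consults only its own policies; a policy in one vsys that names an address defined in another raises an error instead of silently matching, which is the isolation property the slide is describing.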
NetScreen Management Interfaces
• CLI – familiar command line interface
  • RS232, Telnet and SSH
• Web Interface – embedded Web server
  • HTTP and SSL
• NetScreen Global – proprietary interface
• SNMP – Standard MIB & private extension
• Syslog – standard traffic reporting and alerts
• 3rd Party – WebSense, WebTrends
Enterprise Security Management: Global Manager
• Central management for multiple NetScreen security appliances
  • Set policies and configuration options
  • Define configuration once, apply to multiple devices
  • Device grouping to simplify administration
• Collect and display status information for hundreds of devices
  • Detailed reporting: configuration, traffic, CPU utilization, logs …
• Securely manages via VPN tunnels to devices
• Windows NT/2000-based platform
[Diagram labels: Global Manager; Monitoring & Reporting; Configuration; NetScreen Security Devices]
Product Overview: NetScreen-500
• High performance
  • 250 Mbps 3DES IPSec VPN
  • 700 Mbps stateful firewall
• High capacity
  • 10,000 IPSec tunnels
  • 250,000 concurrent sessions
  • 22,000 new sessions per second
  • Up to 25 Virtual Systems
• Redundant
  • High availability features
  • Internal system redundancies (swappable fans, power)
  • Separate traffic and management bus
• Flexible
  • Multiple ports
  • AC/DC power
Product Overview: NetScreen Security Appliances
• Suite of wire-speed appliances
  • NetScreen-100: 100-Mbps performance; 128,000 sessions; 1,000 tunnels
  • NetScreen-10: 10-Mbps performance; 4,000 sessions; 100 tunnels
  • NetScreen-5: 10-Mbps performance; 1,000 sessions; 10 tunnels
• Stateful-inspection firewall
  • Leading denial of service attack deterrence
  • NAT (mapped IP, Virtual IP), URL blocking
• Line rate IPSec VPNs
  • IPSec, DES/3DES, MD5, SHA-1, IKE key management
  • 1,000 tunnels: site to site or remote access
• Traffic Management: guaranteed & max bandwidth
Security Applications for the Enterprise
• Firewall application only
• VPN capabilities added to existing firewall
• VPN and firewall, replacing existing firewall
• VPN & firewall with increased traffic & remote users
• Multi-department firewalls
• Multi-department with remote users
• Multi-department with campuses
• Colocation
Firewall with High Speed Internet
Firewall
• Private Network perceived as “secure”
• RAS for mobile / home office
• WAN access multiple T1s (>1.5Mbps)
• Promotional Web site
• All employees “trusted” can access all parts of the network
[Diagram labels: Internet; Private Network; PSTN (1-800); Corp HQ; RAS; DMZ]
NetScreen delivers
• Increased Security / Easier Support / Higher Performance & Scalability / Cost effective solution
VPN Intranet & Central Site Firewall
Remote Access VPN
• Private & dial network replaced by VPN intranet
• Remote VPN devices provide additional security because they are also Firewalls
• Central Firewall turns on VPN
Central Site VPN Acceleration
• Central Firewall unable to handle VPN traffic needs acceleration
• NetScreen device used for VPN termination
• Leverage advanced features, e.g. Hub & Spoke
Firewall/VPN consolidation
• NetScreen replaces existing firewall due to unnecessary duplication of costs (maintenance, admin, and support)
[Diagram labels: Internet; Corp HQ]
Central Site Firewall & VPN Intranet
Firewall Application
• WAN access multiple T1s / T3
• E-business
VPN Application
• Private network replaced by VPN intranet
• Hundreds or thousands of remote offices / users
• Extranets
• Trust limited to “Need to know” employees
[Diagram labels: Internet; Corp HQ; DMZ]
NetScreen delivers
• Increased performance, scalability, flexibility & cost effectiveness of the solution
Multi-Department Security
Traditional Solution
• Multiple Firewalls required to provide internal security
NetScreen-500 Solution
• Virtual Systems employed to provide departmental security
• Can also be used for additional DMZs, security domains and for extranets
• Trust limited to “Need to know” employees
[Diagram labels: Internet; Corp HQ; DMZs; Finance Dept; Engineering Dept; M & A Group]
Multi-Department with remote users
• Traffic sent to the Finance dept is firewalled by the Finance Vsys
• Finance SOHO worker firewalled from the Internet
• Remote finance workers’ VPN connections terminate in the Finance Virtual System
• Essentially extending the finance intranet to include those workers
[Diagram labels: Finance Vsys; Firewall; VPN; Internet; Finance Dept remote worker; Finance Dept mobile worker; Corp HQ; DMZs; Finance Dept]
Dept Intranets & Campuses
• Traffic sent to the Finance dept is firewalled by the Finance Virtual System
• Finance intranet is extended between campuses by a VPN between the Finance virtual systems
[Diagram labels: Finance Vsys to Vsys VPN; Finance Dept; Firewall; VPN; Extended Campus; DMZs; Internet / NSP Net; Corp HQ; DMZs; Finance Dept]
Colocation
[Diagram labels: Internet Data Center; Web Servers; Staging Servers; Customer Data; Application Databases; Backend Databases; Big Fast Firewall / Updating / content provisioning; Web Host / E-business; ASP/MSP; Web Hosting]
Data Center Fast Firewall/VPN
• Reduced capital cost
• Lower management & support burden
• High Bandwidth FW without having load balanced security devices
• Integrated VPN Access for Remote Access
• Option of using virtual systems for different security domains (front end, back end, staging or, for MSPs, customers)
NetScreen vs. general purpose (H/W & S/W) architectures
[Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets; panels: NetScreen-500, Cisco PIX 535; y-axis: Aggregate Throughput (Mbps)*, 0–800; x-axis: Simultaneous UDP Sessions 5,000 / 10,000 / 25,000; packet size, bytes: 64, 512, 1,024, 1,518; *1% packet loss threshold]
Superior throughput
• Zero packet loss, 100Mbps UDP
• Firewall no longer the network bottleneck
Higher sustained performance
• Sustained large session count
• User satisfaction maintained even at peak times
Sources: Tolly Group - 2000; Tolly Group - 2001
NetScreen vs. general purpose (H/W & S/W) architectures
Fast VPN throughput
• Integrated 3DES VPN acceleration
• Productivity and user satisfaction
Great VPN Application throughput
• SAP & FTP throughput
• Real world apps perform as expected
Sources: Tolly Group - 2000 (both charts)
NetScreen vs. general purpose (H/W & S/W) architectures
Rapid ramp rate
• Number of new sessions per second
• For busy web sites and Denial of Service attacks
Low latency
• Firewall latency testing in µs
• Useful for heavily loaded sites, multimedia and voice traffic
Sources: Tolly Group - 2000 (both charts)
Cost Analysis: Small Office (<25 people)
• NetScreen-5
• Cisco PIX 506 with 3DES license
• Nokia 110 with CP 25-IP VPN-1 Module license (includes Firewall-1 & VPN-1)
Cost Analysis: Branch Office (<10Mbps FW&VPN; <100 people)
• NetScreen-10
• PIX 515R + 3DES license + no DMZ (3rd interface requires UR software)
• IP 330 + CP VPN-1 (FW+VPN) Module license for 100 IP addresses
Cost Analysis: Central Site (<10Mbps FW&VPN; >100 and <250 people)
• NetScreen-100
• PIX 515UR + 10/100 card + 3DES license
• IP 330 + CP VPN-1 (FW+VPN) Module license for 250 IP addresses
Cost Analysis: Central Site (>10Mbps FW&VPN; or >250 people)
• NetScreen-100
• PIX 525R + 10/100 card + VPN Acc card + 3DES license
• IP 440 + VPN Acc Card + CP VPN-1 (FW+VPN) Module license for Unlimited IP addresses
Cost Analysis: Central Site (>100Mbps FW&VPN; >250 people)
• NetScreen-500 + 2x GE cards
• PIX 535R + 2x GE cards + VPN Acc card + 3DES license
• IP 530 + 2x GE cards + VPN Acc Card + CP VPN-1 (FW+VPN) Module license for Unlimited IP addresses
• Neither Cisco nor Nokia can exceed 100M VPN
Assumptions
• Cisco & Nokia are able to achieve 10M VPN w/o Acc Card
• Check Point VPN-1 Module pricing was used to be conservative; otherwise either all-gateway pricing would be used or one enterprise console version would need to be included, which would add approx. $10K to any CP solution.
• Again, to be conservative, a NetScreen-100 was used for <10Mbps and >100 but <250 people, where a NetScreen-10 could have been used.
• Cisco & Nokia latest solutions (PIX 535 & IP 530) unable to achieve >100M VPN (IP 530 cannot achieve >50M 3DES)
• Nokia IP 530 GE interfaces (not currently available) assumed to cost the equivalent of Cisco & NetScreen modules, ~$5K
Price / Performance via Purpose Built Architectures
• NetScreen-500 - $33,500 (2x GE cards)
• Cisco PIX-535R - $78,500 (2x GE cards, VPN Accelerator card, 3DES license)
[Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets; panels: NetScreen-500, Cisco PIX 535; y-axis: Aggregate Throughput (Mbps)*, 0–800; x-axis: Simultaneous UDP Sessions 5,000 / 10,000 / 25,000; packet size, bytes: 64, 512, 1,024, 1,518; *1% packet loss threshold; source: Tolly Group - 2001]
NetScreen’s Enterprise Solution
• NetScreen: Empowering Enterprises with new security solutions
  • Gigabit security systems
  • Multi-department security systems
  • Security appliances for moderate-bandwidth environments
  • Broadband remote access and campus VPN demands
• Simple and affordable
  • Reduced number of devices required
  • Simplified network architecture, management and licensing
  • Less expensive than competitive solutions
  • Easy to deploy and manage