
NetScreen


Presentation Transcript


  1. NetScreen

  2. Agenda • NetScreen Background & Market Trends • NetScreen Security Basics • Applications for the Enterprise • Security Management for the Enterprise • Purpose built vs. general purpose solutions • Appendix: Service & Support

  3. About NetScreen • Founded October 1997 • Leading maker of ASIC-based integrated security solutions • Firewall, VPN and traffic management • Fast growing revenue • $40 million in calendar 2000 • $8 million in calendar 1999 • Primary markets: Internet data centers, service providers and enterprises • Employees: > 270 • Pre-IPO: $53 million VC investment • Sequoia, Spectrum, Juniper, Ericsson, WorldCom • Based in Sunnyvale, Calif. USA • Other offices in Boston, UK, Hong Kong, Beijing

  4. NetScreen’s Security Solutions NetScreen Security Systems NetScreen-500 NetScreen-1000 NetScreen Security Appliances NetScreen-100 NetScreen-10 NetScreen-5 NetScreen Security Mgmt & Client NetScreen-Remote Global PRO / Global Manager Integrated security systems and appliances • ICSA certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI and NAT acceleration • 1Gbps, 700Mbps, (250Mbps), 100Mbps & 10-Mbps hardware firewall and 3DES IPSEC VPN devices • ScreenOS security software – custom OS High availability • Solid state, redundant hardware, HA topologies • Protect against DoS attacks (8 to 10 times faster than software solutions) Powerful management • WebUI, CLI for easy installation and management • Carrier-class central management

  5. Security Market Growth • Firewall and VPN markets in rapid-growth stage • Hardware predominant platform for firewalls and VPNs • Key drivers • Need to protect Internet links and encrypt data • Enterprises looking to outsource or out-task some element of security [Chart: Worldwide Market Growth, $ billions, 2000 to 2004, Firewall and Dedicated VPN hardware (Infonetics Research 2000)]

  6. Enterprise Security Trends • Security breaches have a huge economic impact on business • Branch and telecommuter networks tying into corporate via VPNs • Bandwidth requirements in the corporate LAN and WAN environments • The need for a holistic approach to security • Lack of skilled IT workers

  7. NetScreen’s Enterprise Security Solutions • Full suite of products for complete deployment in the enterprise network • NetScreen-5 & -10 for remote offices and telecommuters • NetScreen-100 & -500 for corporate headquarters • Centralized management of all NetScreen appliances and systems • Control security for multi-site device deployments from one location • Security solutions that don’t impede network performance • Firewall & VPN at wire speed • Integrated solution – firewall, VPN and traffic management • to address security and bandwidth requirements • No need to manage multiple vendors • Multi-customer/department architecture • 25 virtual systems (VSYS) with the NetScreen-500

  8. NetScreen’s Solutions for the High-Performance Security Market • Enterprise Networks • Enterprise central site and broadband remote access • Small- to medium enterprises • Internet data centers • E-businesses • Web hosts, ASPs, colocation facilities • Service provider networks • MAN, BLEC, MTU • ISP, DSL providers • Managed Security Service Providers • Integrating security solutions for Internet data centers, service providers and enterprises of all sizes

  9. NetScreen Security Basics • Dedicated OS • No hardening of the OS required • More efficient than a general purpose OS • Stateful Packet Inspection Firewall • A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions. • Allow a particular type of traffic “in” only as a response to an “outgoing” session • NetScreen ASIC accelerates the process • IPSec 3DES VPN • 3DES has become the encryption industry standard • NetScreen appliances come standard with 3DES • NetScreen ASIC accelerates the process • Virtual Systems • Unique policy, address book and management • Firewall and VPN configured per virtual system
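The session-table behaviour described in slide 9, as an added example that is not part of the original presentation and is not NetScreen or ScreenOS code: outbound traffic creates a TCP session or UDP "pseudo" session entry, and inbound traffic is admitted only when it mirrors a live entry. The class name, timeout values and sample addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Idle timeouts in seconds: assumed values for this example, not ScreenOS defaults.
IDLE_TIMEOUT = {"tcp": 1800, "udp": 60}

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags; empty for UDP

class SessionTable:
    """Tracks sessions opened from the trusted side and admits only their replies."""

    def __init__(self):
        # (proto, inside ip, inside port, outside ip, outside port) -> last seen time
        self.sessions = {}

    def _live(self, key, now):
        last = self.sessions.get(key)
        if last is not None and now - last > IDLE_TIMEOUT[key[0]]:
            del self.sessions[key]   # expired: the reply window is closed
            last = None
        return last is not None

    def outbound(self, p, now):
        """Trusted -> untrusted packet: create or refresh the session entry."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if p.proto == "tcp" and not self._live(key, now) and p.flags != {"SYN"}:
            return False             # a new TCP session must begin with a bare SYN
        self.sessions[key] = now     # UDP has no handshake: first datagram opens a pseudo session
        return True

    def inbound(self, p, now):
        """Untrusted -> trusted packet: allowed only as a reply to a live session."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)  # mirror of the outbound key
        if not self._live(key, now):
            return False             # unsolicited, or the session idled out
        if "RST" in p.flags:
            del self.sessions[key]   # simplified teardown: a reset ends the session
        else:
            self.sessions[key] = now
        return True
```

Because UDP has no handshake or teardown, the idle timeout is the only thing that closes a pseudo session, which is why the table must age entries out rather than wait for a closing packet.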

  10. NetScreen Virtual Systems [Diagram: Vsys #1, Vsys #2, Vsys #3] • NetScreen Virtual Systems • Per Virtual System - address book, policies and management • Firewall and VPN configured per virtual systems • Able to support multiple security domains or customers without sharing policy

  11. NetScreen Management Interfaces • CLI – familiar command line interface • RS232, Telnet and SSH • Web Interface – embedded Web server • HTTP and SSL • NetScreen Global – proprietary interface • SNMP – Standard MIB & private extension • Syslog – standard traffic reporting and alerts • 3rd Party – WebSense, WebTrends [Diagram: CLI, Web UI, Global, SNMP, Syslog, 3rd Party]

  12. Enterprise Security Management: Global Manager • Central management for multiple NetScreen security appliances • Set policies and configuration options • Define configuration once, apply to multiple devices • Device grouping to simplify administration • Collect and display status information for hundreds of devices • Detailed reporting: configuration, traffic, CPU utilization, logs … • Securely manages via VPN tunnels to devices • Windows NT/2000-based platform [Diagram: Monitoring & Reporting, Configuration, NetScreen Security Devices]

  13. Product Overview: NetScreen-500 • High performance • 250 Mbps 3DES IPSec VPN • 700 Mbps stateful firewall • High capacity • 10,000 IPSec tunnels • 250,000 concurrent sessions • 22,000 new sessions per second • Up to 25 Virtual Systems • Redundant • High availability features • Internal system redundancies (swappable fans, power) • Separate traffic and management bus • Flexible • Multiple ports • AC/DC power

  14. Product Overview: NetScreen Security Appliances • Suite of wire-speed appliances • NetScreen-100: 100-Mbps performance; 128,000 sessions; 1,000 tunnels • NetScreen-10: 10-Mbps performance; 4,000 sessions; 100 tunnels • NetScreen-5: 10-Mbps performance; 1,000 sessions; 10 tunnels • Stateful-inspection firewall • Leading denial of service attack deterrence • NAT (mapped IP, Virtual IP), URL blocking • Line rate IPSec VPNs • IPSec, DES/3DES, MD5, SHA-1, IKE key management • 1,000 tunnels: site to site or remote access • Traffic Management: guaranteed & max bandwidth

  15. Security Applications for the Enterprise • Firewall application only • VPN capabilities added to existing firewall • VPN and firewall, replacing existing firewall • VPN & firewall with increased traffic & remote users • Multi-department firewalls • Multi-department with remote users • Multi-department with campuses • Co location

  16. Firewall with High Speed Internet Firewall • Private Network perceived as “secure” • RAS for mobile / home office • WAN access multiple T1s (>1.5Mbps) • Promotional Web site • All employees “trusted” can access all parts of the network Internet Private Network PSTN (1-800) Corp HQ RAS DMZ • NetScreen delivers • Increased Security / Easier Support / Higher Performance & Scalability / Cost effective solution

  17. VPN Intranet & Central Site Firewall Remote Access VPN • Private & dial network replaced by VPN intranet • Remote VPN devices provide additional security because they are also Firewalls • Central Firewall turns on VPN Internet • Central Site VPN Acceleration • Central Firewall unable to handle VPN traffic needs acceleration • NetScreen device used for VPN termination • Leverage advanced features eg Hub & Spoke Corp HQ • Firewall/VPN consolidation • NetScreen replaces existing firewall due to unnecessary duplication of costs (maintenance, admin, and support)

  18. Central Site Firewall & VPN Intranet Firewall Application • WAN access multiple T1s /T3 • E-business VPN Application • Private network replaced by VPN intranet • Hundreds or thousands of remote offices / users • Extranets • Trust limited to “Need to know” employees Internet Corp HQ DMZ • NetScreen delivers • Increased performance, scalability, flexibility & cost effectiveness of the solution

  19. Multi-Department Security Internet Traditional Solution • Multiple Firewalls required to provide internal security Corp HQ • NetScreen-500 Solution • Virtual Systems employed to provide departmental security • Can also be used for additional DMZs, security domains and for extranets • Trust limited to “Need to know” employees DMZs Finance Dept Engineering Dept M & A Group

  20. Multi-Department with remote users Finance Vsys Firewall • Traffic sent to the Finance dept is firewall-ed by the Finance Vsys • Finance SOHO worker firewall-ed from the Internet VPN • Remote finance workers VPN connections terminate in the Finance Virtual System • Essentially extending the finance intranet to include those workers Internet Finance Dept remote worker Finance Dept mobile worker Corp HQ DMZs Finance Dept

  21. Dept Intranets & Campuses Finance Vsys to Vsys VPN Finance Dept Firewall • Traffic sent to the Finance dept is firewall-ed by the Finance Virtual System VPN • Finance intranet is extended between campus by VPN between the Finance virtual systems Extended Campus DMZs Internet / NSP Net Corp HQ DMZs Finance Dept

  22. Co location Internet Data Center Web Servers Staging Servers Customer Data Application Databases Backend Databases Big Fast Firewall / Updating / content provisioning Web Host / E-business ASP/MSP Web Hosting • Data Center Fast Firewall/VPN • Reduced capital cost • Lower management & support burden • High Bandwidth FW without having load balanced security devices • Integrated VPN Access for Remote Access • Option of using virtual systems for different security domains (front end, back end, staging or for MSPs - customers)

  23. NetScreen vs. general purpose (H/W & S/W) architectures [Charts: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets, NetScreen-500 and Cisco PIX 535; Aggregate Throughput (Mbps) against Simultaneous UDP Sessions and Packet size, bytes; *1% packet loss threshold] Superior throughput • Zero packet loss, 100Mbps UDP • Firewall no longer the network bottleneck Higher sustained performance • Sustained large session count • User satisfaction maintained even at peak times Tolly Group - 2000 Tolly Group - 2001

  24. NetScreen vs. general purpose (H/W & S/W) architectures Fast VPN throughput • Integrated 3DES VPN acceleration • Productivity and user satisfaction Great VPN Application throughput • SAP & FTP throughput • Real world apps perform as expected Tolly Group - 2000 Tolly Group - 2000

  25. NetScreen vs. general purpose (H/W & S/W) architectures Rapid ramp rate • Number of new sessions per second • For busy web sites and Denial of Service attacks Low latency • Firewall Latency testing in uSec • Useful for heavily loaded sites, multimedia and voice traffic Tolly Group - 2000 Tolly Group - 2000

  26. Cost Analysis: Small Office <25people • NetScreen-5 • Cisco PIX 506 w 3DES License • Nokia 110 w CP 25 IP VPN-1 Module License (includes Firewall-1 & VPN-1)

  27. Cost Analysis: Branch Office <10Mbps FW&VPN; <100 people • NetScreen-10 • Pix 515R + 3DES license + no DMZ (3rd interface requires UR software) • IP 330 + CP VPN-1 (FW+VPN) Module license for 100 IP addresses

  28. Cost Analysis: Central Site <10Mbps FW&VPN; >100< 250 people • NetScreen-100 • Pix 515UR + 10/100 card + 3DES license • IP 330 + CP VPN-1 (FW+VPN) Module license for 250 IP addresses

  29. Cost Analysis: Central Site >10Mbps FW&VPN; or >250 people • NetScreen-100 • Pix 525R + 10/100 card + VPN Acc card + 3DES License • IP 440 + VPN Acc Card + CP VPN-1 (FW+VPN) Module license for Unlimited IP addresses

  30. Cost Analysis: Central Site >100Mbps FW&VPN; >250 people • NetScreen-500 + 2xGE cards • Pix 535R + 2x GE cards + VPN Acc card + 3DES License • IP 530 + 2x GE cards + VPN Acc Card + CP VPN-1 (FW+VPN) Module license for Unlimited IP addresses • Neither Cisco nor Nokia can exceed 100M VPN

  31. Assumptions • Cisco & Nokia are able to achieve 10M VPN w/o Acc Card • Checkpoint VPN-1 Module pricing was used to be conservative, but either all-gateway pricing must be used or one enterprise console version needs to be included, which would add approx $10K to any CP solution. • Again to be conservative, NetScreen-100 was used for <10Mbps >100<250 people where a NetScreen-10 could have been used. • Cisco & Nokia latest solutions (Pix 535 & IP 530) unable to achieve > 100M VPN (IP 530 cannot achieve >50M 3DES) • Nokia IP 530 GE interfaces (not currently available) cost equivalent to Cisco & NetScreen modules ~ $5K

  32. Price / Performance via Purpose Built Architectures • NetScreen-500 - $33,500 (2 x GE cards) • Cisco Pix-535R - $78,500 (2x GE cards, VPN Accelerator card, 3DES License) [Charts: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets, NetScreen-500 and Cisco PIX 535; Aggregate Throughput (Mbps) against Simultaneous UDP Sessions and Packet size, bytes; *1% packet loss threshold] Tolly Group - 2001

  33. NetScreen’s Enterprise Solution • NetScreen: Empowering Enterprises with new security solutions • Gigabit security systems • Multi-department security systems • Security appliances for moderate-bandwidth environments • Broadband remote access and campus VPN demands • Simple and affordable • Reduced number of devices required • Simplified network architecture, management and licensing • Less expensive than competitive solutions • Easy to deploy and manage

  34. NetScreen Broadband Internet Security Solutions
