NetScreen Combines Network Scalability with Security

The widespread Internet denial of service attacks that occurred in mid-February demonstrated to all how important the security of our networks has become and how vulnerable they are in this ultra-connected information revolution. NetScreen Technologies Inc. (www.netscreen.com) believes it has the solution for using the Internet to connect multiple intranet sites in the safest possible way. The company's NetScreen-5, NetScreen-10, NetScreen-100, and soon-to-be-released NetScreen-1000 -- together with the NetScreen Remote network client software for Windows 9x/NT and NetScreen Global Manager -- are the pieces of a complete, integrated firewall and virtual private network (VPN) solution that fits any size business and grows with the needs of the organization.

All four security appliances in the NetScreen family provide an integrated solution that extends intranet/extranet security over public networks to remote and branch offices, and provide consistent LAN-to-LAN security. This is accomplished through the encryption of data transferred over the public network using the industry standard IPSec protocol. NetScreen’s IPSec implementation is interoperable with other vendors that have implemented standards-based IPSec. NetScreen also employs a state-driven firewall system that helps prevent hacker attacks from causing permanent damage and a VPN to deliver secure remote access to a corporate intranet through encrypted tunnels. The appliances can be managed centrally with NetScreen Global Manager, which runs on Windows NT or Windows 9x, or individually using any Web browser. Global Manager allows for remote configuration, performance monitoring, and reporting of up to 1,000 NetScreen Internet security appliances from a central location.

The recent boom in the adoption of broadband networking technologies, such as cable modems and DSL, is creating a growing market for simple-to-implement Internet security devices. Long gone are the days when every company that needed this type of security could rely on a local genius to brew up a homegrown solution using spare parts and chewing gum. The off-the-shelf marketplace is ripe with products like NetScreen that can provide solutions that come out of the box and into production in a matter of minutes.

Enterprise network customers with remote offices are looking to use cable and DSL technologies to replace slow 56 K dial-up remote access solutions and expensive leased-line connections. The price/performance of these broadband technologies is compelling, but they create another management headache for network administrators. Instead of dialing directly into the corporate remote access server, users are now connecting to the Internet using a local ISP, leaving communications unprotected or being blocked out of the company's intranet. Using NetScreen-5 at the remote location and one of the larger NetScreen appliances at the central office, a network administrator can create a VPN that will safely tunnel the corporate network through the Internet into the employee's PC. NetScreen-5 is a breeze to install since it connects between the remote PC and cable/DSL modem. Additional configuration, if needed, is performed with a Web browser.

NetScreen Global Manager groups devices by location, division, or user type. Managers can check the status of multiple NetScreen appliances, monitor performance, troubleshoot existing configurations, or add remote sites to the network from one location. All activities are conducted via VPN tunnels for the highest level of security.

We tested these devices in a network situation for a month. We used the NetScreen-5, -10, and -100 to create a three-site VPN across the Internet. Our primary site was connected via a T1; the secondary site by DSL; the third via cable modem. We found NetScreen’s hardware to be as easy to set up as advertised. Connecting NetScreen-5 to the external cable modem was a no-brainer. The NetScreen-10 and NetScreen-100 were also easy to configure. Devices like this do require some technical knowledge about TCP/IP and internetworking, but these are the easiest devices we’ve ever configured to perform this type of security. The NetScreen appliance acts as the default gateway for network devices, thereby eliminating the need for any desktop workstation changes. The only problem we experienced was that client computers using ICQ were frequently disconnected from the ICQ servers on the Internet. This is a common firewall problem that can be handled with appropriate rule settings.

Most firewalls and VPN systems connect the inside "safe" network to the outside "unsafe" network using separate network connections, as does NetScreen. On the larger appliances, NetScreen-10 and up, NetScreen has a third connector, called the DMZ, for attaching publicly accessible systems, such as Web servers or application servers, using a unique set of security policies. This is a feature we found to be valuable. It makes it easy to segregate the "private" network from the "semi-private" and "public" networks. This is a common networking technique that we’ve used when connecting private networks to the Internet. It’s nice to see appliance manufacturers waking up to this need in the marketplace.

Another feature of the NetScreen product line that we were impressed with is its ability to be set up in a failover mode, ensuring that no single point of failure exists within the network. This lets a larger enterprise even out the traffic load among a series of NetScreen appliances installed at the incoming access points.

If you are looking for a complete solution, or just individual parts, NetScreen may be worth your time and effort to evaluate.

NetScreen Breakdown

Product | Price | Capacity | Suggested use
NetScreen-5 | $595 | 10 users | Small or home office
NetScreen-10 | $1,495 | 4,000 concurrent user sessions | Small central office or medium remote office
NetScreen-100 | $9,995 | 32,000 concurrent user sessions | Medium to large central office or large remote office
NetScreen Remote | $95 each, $695 for 10 users (discounts available) | -- | Mobile users
NetScreen Global Manager | -- | -- | Centralized network monitoring and administration of all NetScreen products. Especially useful for enterprise-sized networks.