NetScreen Technologies

1
NetScreen Technologies

• Innovative Technologies
• Applied for Network Security

2
Agenda

• Application scenarios
• High speed Internet
• Firewall and VPN Central Site
• Medium Enterprise
• Large Enterprise
• Enterprise Data Centre
• Internet Data Centre
• Multi
• Security Innovation
• Unique Architectures
• Threats and Responses
• VPN leadership
• Total cost of ownership
• VPN and Security Management

3
Agenda

• Application scenarios
• High speed Internet
• Firewall and VPN Central Site
• Medium Enterprise
• Large Enterprise
• Enterprise Data Centre
• Internet Data Centre
• Multi Department Security
• Campus Security
• VPN and Security Management

4
Complete VPN Functionality

• Complete RA VPN Support
• Remote VPN client
• Security Client Personal FW VPN
• ANG for centralized user auth
• Certificate smart card support
• Compatibility w/ Certicom PDA client

• Cost effective remote site VPN
• Complete range of HW
• Hub Spoke or Full Mesh VPN
• NAT Traversal
• VPN Dial backup

• Comprehensive Authentication Support
• PKI (versign,
• Radius
• LDAP
• XAUTH
• SecureID

• Robust connectivity for major Sites
• Active-Active HA
• Redundant Gateway VPN tunnels
• VPN Monitoring
• Full Mesh
• OSPF BGP Routing
• Virtual Systems
• 3DES AES encryption w/ ASIC acceleration
• Traffic management
• FIPs ICSA Certified

Internet

• Easy deployment NW integration
• NAT, NAT-T, Transparent Mode
• Device or policy based management
• NAT, DHCP, PPPoE
• Integrated Firewall

• Comprehensive Mgmt
• Policy Based Mgmt
• VPN Monitoring
• Detailed reporting trending

Global PRO
5
Firewall with High Speed Internet

• Firewall
• Private Network perceived as secure
• RAS for mobile / home office
• WAN access multiple T1s (gt1.5Mbps)
• Promotional Web site
• All employees trusted can access all parts of
  the network

Internet
Private Network
PSTN (1-800)
Corp HQ
RAS
DMZ

• NetScreen delivers
• Increased Security / Easier Support / Higher
  Performance Scalability / Cost
  effective solution

6
VPN Intranet Central Site Firewall

• Remote Access VPN
• Private dial network replaced by VPN intranet
• Remote VPN devices provide additional security
  because they are also Firewalls
• Central Firewall turns on VPN

Internet

• Central Site VPN Acceleration
• Central Firewall unable to handle VPN traffic
  needs acceleration
• NetScreen device used for VPN termination
• Leverage advanced features eg Hub Spoke

Corp HQ

• Firewall/VPN consolidation
• NetScreen replaces existing firewall due to
  unnecessary duplication of costs (maintenance,
  admin, and support)

NetScreen-Global PRO
7
Medium Enterprise Serious
Traffic (web) and VPN Requirements

• Integrated VPN, FW and Traffic Mgmt
• VPN
• No Special Licenses or Additional Hardware
• gt100 Remote Sites or RA Users
• Class leading VPN for Central Site
• 1000 tunnels 185M 3DES
• Firewall
• Stateful Inspection FW, NAT, PPPoE and DHCP
  client, server relay
• Class Leading FW for Central Site
• 100K sessions 19K ramp rate
• Traffic Management
• Reduce BW for non-business critical traffic
• Better utilize / reduce expensive WAN BW
• High Availability
• Stateful fail over FW VPN

Internet
T1, SDSL, etc
DMZ
Web Email Servers
NetScreen-Global PRO
8
Large Enterprise Very
High Traffic and VPN Requirements
Branch Office
Regional Office

• Integrated VPN, FW and Traffic Mgmt
• VPN
• No Special Licenses or Hardware
• Thousands of Remote Sites or RA Users
• Class leading VPN for Central Site
• 10K tunnels 250M 3DES
• Firewall
• Stateful Inspection FW, NAT, PPPoE and DHCP
  client, server relay
• Class Leading FW for Central Site
• 250K sessions 22K ramp rate
• Traffic Management
• Reduce BW for non-business critical traffic
• Better utilize / reduce expensive WAN BW
• High Availability Active-Active
• Stateful fail over FW VPN

Small Office
Internet
DMZ
Web Email Servers
NetScreen-Global PRO
9
Multi-Department Security
Internet

• Traditional Solution
• Multiple Firewalls required to provide internal
  security

Corp HQ

• NetScreen-500 Solution
• Virtual Systems employed to provide departmental
  security
• Can also be used for additional DMZs, security
  domains and for extranets
• Trust limited to Need to know employees

DMZs
Finance Dept
Engineering Dept
M A Group
10
Multi-Department with remote users

• Firewall
• Traffic sent to the Finance dept is firewall-ed
  by the Finance Vsys
• Finance SOHO worker firewall-ed from the Internet
• VPN
• Remote finance workers VPN connections terminate
  in the Finance Virtual System
• Essentially extending the finance intranet to
  include those workers

Internet
Finance Dept remote worker
Finance Dept mobile worker
Corp HQ
DMZs
Finance Dept
11
Enterprise or Campus Backbone

• Campus Gateway
• Performance LAN Speeds
• Segmentation
• Buildings, Departments, Servers WLAN A/Ps
• Multi-port
• Up to 24 GE
• Trunked links
• Vsys VLANs
• Mapped to switch infrastructure
• GigE DMZs
• Web Email
• Dept Servers
• High Availability

Finance
Engineering
12
High Speed WAN access OC12/GE

• Massive VPN Connections
• 1000s of Remote/Branch office
• Large BW single tunnel VPN connections
• Fiber based metro services
• Large consolidated Internet access
• High Profile Public Presence
• Sophisticated HA
• Stateful FW VPN

13
Enterprise Data Center

• High Density Performance
• Up to 72 FE 6 GigE or 24 x GigE
• Superior small packet performance
• Internal attack prevention on every interface
• Every interface a security zone /unique policy
• Stateful High Availability
• Bonded Links to Disaster Site
• which can be Encrypted

14
Internet Data Center

• High performance multi-customer solution
• Reduced Capital Cost
• Rapid Deployment
• Low support burden

Customers
www Access

• Differentiated services
• Customer site VPN

• Additional Backend or Database security

Internet

• High Bandwidth FW and VPN without having load
  balanced security devices

• Dedicated VPN and / or FW solution

NS-5200 (Firewall VPN)
Internet Data Center
Untrust
Trust
VLAN 4
VLAN 1
VLAN 2
VLAN 3
VLAN 5
Front End
Front End
Shared Hosting / Core Systems

• High speed VPN between Data Centers

BackEnd
BackEnd
Vsys 1
Vsys 2
Vsys 3
15
Anti-VirusNetScreen-Trend CSP Solution
NetScreen-Trend CSP 1 Email packet arrives at
the NetScreen device NetScreen begins hijacking
the TCP connection 2 NetScreen buffers
beginning of email session and creates CSP
session with the InterScan server 3 Email data
continues to flow in and is passed to InterScan
via CSP 4 InterScan receives entire Email
session including file and scans file and replies
with scan result 5 NetScreen creates Email
session with destination email gateway
Internet
Legitimate traffic still allowed
CSP
InterScan
16
Global PRO Deployments NetScreen-Global PRO
Express NetScreen-Global PRO Architecture
Global PRO UI

• Global PRO Global PRO Express
• Complete turnkey management solution
• Configuration/policy management, real time
  monitoring
• Integrated NetScreen-Remote VPN client management
• Multi-admin/role-based admin
• Pre-installed and configured on a Sun Netra
  Server
• Global PRO
• Sophisticated historical reporting
• Log data correlation/reduction
• Designed to scale to 10,000 devices
• Extensible Web-based report templates 3rd party
  report integration, i.e. HP/OV

Configuration
Monitoring
Policy Manager server
17
Global PRO DeploymentsPoint Click Policy
Management
Small Offices / Branch Offices
Regional Offices

• Ability to add devices or users to network
  quickly easily
• All required VPN and firewall rules are created
  automatically
• Allows for rapid response to attacks
• Quickly create full mesh, hub spoke, and
  site-to-site VPNs

All boxes in VPN updated with new configurations
Teleworkers
Internet
New device added to policy group
Remote Users
Web Email Servers
DMZ
Firewall VPN polices automatically applied to
the new device
NetScreen-Global PRO
18
Global PRO Deployments Managing Remote Client
VPN Policies
Improved in Global PRO 3.1

• Remote user launches NetScreen-Remote login to
  connect
• User authenticates to NetScreen-Global PRO or
  NetScreen-Global PRO Express
• External authentication servers may be queried
• Users VPN policy securely downloaded to
  NetScreen-Remote client via SSL
• VPN tunnels established to NetScreen devices
• Upon logout, VPN policy and keys are purged from
  users PC
• Add new users through RADIUS

Users authenticate to NetScreen-Global PRO
Internet
NetScreen-Remote Users
VPN
VPN tunnels established
DMZ
Private LAN
SSL
Web Email
Users policy retrieved
RADIUS Server NT Domain
NetScreen-Global PRO
External authentication server queried
19
Global PRO Deployments Threat Mitigation,
Analysis Response
Branch Offices
Regional Offices

• Suspicious activity detected via NetScreen-Global
  PRO Real-time Monitor
• Push appropriate Deny policy to all devices
• Assess and analyze threat
• Push out new or revised security policies

Remote Offices
Remote Users
Internet
Web Email Servers
DMZ
NetScreen-Global PRO
20
NetScreens Security Product Line
Product Max Throughput Max Sessions Max VPN tunnels Max Policies Max Vsys HA
NetScreen- 5400 12G FW 6G VPN 1,000,000 25,000 40,000 500 Yes A/P
NetScreen-5200 4G FW 2G VPN 1,000,000 25,000 40,000 500 Yes A/A
NetScreen-500 700M FW 250M VPN 250,000 10,000 20,000 25 Yes A/A
NetScreen-204/208 550M/400M FW 200M VPN 128,000 1,000 4,000 NA Yes A/A
NetScreen-100 200 FW 185 VPN 128,000/ 64,000 1,000 4,000 NA Yes A/A
NetScreen-50 170M FW 50M VPN 8,000 100 1,000 NA Yes A/P
NetScreen-25 100M FW 20M VPN 4,000 25 500 NA No
NetScreen-5XT 70M FW 20M VPN 2,000 10 100 NA No
NetScreen-5XP 20M FW 13M VPN 2,000 10 100 NA No
NetScreen-RemoteVPN Security Clients Varies by PC NA 1 NA NA No
To be updated to Active-Active 1HCY03
A/A Active-Active High Availability A/P
Active-Passive High Availability
21
NetScreenScalable Security Solutions