
NetScreen Technologies

NetScreen Technologies, March 2002 Technical Overview. Richard Cassidy, SE EMEA.


Presentation Transcript


  1. NetScreen Technologies March 2002 Technical Overview Richard Cassidy, SE EMEA

  2. Resource for Resellers
  • Partner Website
    • All NetScreen sales tools
    • Presentations, white papers, product sheets, competitive analysis and more
  • EMEA Presales Mailing List
    • For all NetScreen Premier, Authorized and Approved Partners only
    • Mailing list monitored by all EMEA Systems Engineers
  • Support Website
    • Comprehensive technical resource
    • TAC online, manuals and user guides
  • Technical Mailing List
    • Once a month, a comprehensive NetScreen Technical Update via e-mail
    • Latest product info and releases; technical tools and partner updates
  • Webcasts
    • NetScreen on-line training courses

  3. NetScreen by design: enforce maximum security without sacrificing performance, interoperability, scalability, reliability, manageability or flexibility.

  4. NetScreen Product Overview
  NetScreen Security Systems: NetScreen-500, NetScreen-1000
  NetScreen Security Appliances: NetScreen-200 Series, NetScreen-50, NetScreen-25, NetScreen-5XP
  NetScreen Security Management & Client: NetScreen-Remote, NetScreen-Global PRO / Global PRO Express
  • Integrated security systems and appliances
  • ICSA certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI, NAT acceleration and traffic management
  • 10Mbps to 2Gbps firewall
  • 10Mbps to 1Gbps 3DES IPSec VPN
  • Resilient, solid-state solutions with high availability architectures
  • Policy-based management of devices and remote users

  5. How it all began …
  (diagram: for routers and then for security, the progression runs from expensive, slow, multi-purpose computers, to purpose-built HW/SW appliances, to ASIC-accelerated dedicated hardware)
  “Just like ASIC-based switches fought and prevailed in enterprise and service-provider backbones, the software vs. hardware fight is on in the security area. Any network manager looking to secure true high-performance networks better take heed.” (Kevin Tolly, President and CEO of Tolly Research/The Tolly Group)

  6. Where it continues to go … (diagram: speed rising from the 1st generation, software, through the 2nd generation, hardware & software, to the 3rd generation, ASIC acceleration)

  7. The NetScreen Difference
  • Industry-leading performance and bulletproof security through next-generation architectures:
    • Lightning-fast, crypto-accelerating ASIC
    • Purpose-built, security-optimized ScreenOS™
    • Highly efficient hardware designs combining single and multiple ASICs with single/multi/parallel RISC-based processors
  • Tight integration of core technologies
    • Stateful screening firewall
    • VPN / PKI
    • Attack detection and protection
    • Traffic shaping / bandwidth management
  • Comprehensive methods of device management
  • End-to-end solutions offering flexible network architectures
  • Best-of-breed partnerships and alliances

  8. At the speed of silicon

  9. NetScreen Hardware Architectures
  • NS1000 – Mid-plane switching fabric, multi-bus with fiber interconnects, multi-parallel processors, multiple GigaScreen ASICs
  • NS500 – Multi-bus, multi-interface card, single board, GigaScreen ASIC
  • NS100/200 Series – Multi-bus, single board, GigaScreen ASIC
  • NS25/50 – Single bus & board, GigaScreen ASIC
  • NS5xp – Single bus & board, GigaScreen ASIC

  10. NetScreen … Built for Performance
  Traditional design (diagram: CPU, RAM, VPN co-processor and I/O sharing one bus)
  • Multiple passes across the bus
  • No separation of the data and control planes
  NetScreen design (diagram: In/Out data path separate from the CPU and RAM)
  • Single pass across the bus
  • Separation of data and control planes

  11. However, the ASICs aren’t everything … Efficient hardware designs; RISC processors (management, housekeeping, etc.); purpose-built operating system, ScreenOS

  12. NetScreen Security Solutions: Next Generation Security Systems and Appliances

  13. Managed Security for Small & Medium Enterprises
  • Managed security services are growing rapidly among small and medium enterprises
  • In 1999 it was a $14M market
  • Expected to be over $630M by 2005
  Source: the Yankee Group, 2000

  14. Product Overview: NetScreen-5xp (Telecommuter, SOHO, Small Branch Office)
  • Integrated Firewall, VPN and Traffic Mgmt.
    • Stateful inspection firewall
    • NAT, PPPoE and DHCP client, server & relay
    • VPN: site to site & client to site
    • Supports IPSec 3DES, DES & AES encryption standards
    • Supports L2TP for Windows interoperability
    • Bandwidth reservation and DiffServ marking
    • Ships with ScreenOS 3.0
  • Performance & Capacity
    • 10 Mbps firewall
    • 2000 concurrent sessions
    • 10 Mbps VPN 3DES
    • 10 IPSec VPN tunnels
  • Award-winning and proven technology since 1999
  • 2 port auto-sensing 10/100 Ethernet – Trust, Untrust
  • AC power

  15. NS5xp/25/50 Architecture (block diagram: MPC8xx Power PC core CPU, NetScreen GigaScreen ASIC, SRAM, SDRAM, Flash, Boot ROM, RTC, UART to RS232 console, PCMCIA interface, 32-bit/48MHz bus, MAC 1–4 with PHYs for the Trusted and Untrusted ports; MAC 3 and MAC 4 are labelled NS25/50)

  16. NetScreen-5XP vs. NetScreen-5

  17. NetScreen-5XP Hardware Features
  • Proven hardware architecture
    • GigaScreen ASIC
  • Broadband enabled
    • 2 port 10Mbps full duplex 10BaseT Ethernet
  • Easily managed
    • RS232 serial console port for management
    • Asset recovery switch
  • Small footprint: 5L x 6W x 1.25H

  18. NetScreen-5XP Software Features
  • Proven software architecture
    • ScreenOS 2.6.0: shared code base with all NetScreen products
    • ICSA certified, stateful-inspection firewall and IPSec
  • Transparent, Route, and NAT modes of operation
  • Traffic management: 8 levels of priority, plus guaranteed & maximum bandwidth, defined by policy
  • 10 IPSec VPN tunnels
  • 2000 firewall concurrent sessions
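The per-policy traffic management the slide lists (guaranteed and maximum bandwidth plus 8 priority levels) is easiest to understand as a two-pass scheduler. The following is an added Python model, not ScreenOS code or a description of how ScreenOS schedules internally: pass one serves every policy up to its guaranteed rate, pass two hands the remaining link capacity out in priority order without letting any policy exceed its maximum. The policy definitions, link rate and demands are constructed sample values.

```python
"""Per-policy bandwidth scheduler: guaranteed rate, maximum rate, 8 priorities.

Added example (not ScreenOS code). Rates are kbps; every policy and demand
below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    gbw: int       # guaranteed bandwidth (kbps); 0 means no guarantee
    mbw: int       # maximum bandwidth (kbps); hard cap for this policy
    priority: int  # 0 (highest) .. 7 (lowest), the 8 levels the slide names

    def __post_init__(self):
        if not 0 <= self.priority <= 7:
            raise ValueError("priority must be 0..7")
        if self.gbw > self.mbw:
            raise ValueError("guaranteed rate may not exceed maximum")


def schedule(link_kbps, policies, demand):
    """Return {policy name: kbps granted} for one scheduling interval.

    demand maps policy name -> kbps that policy's traffic wants to send.
    """
    grant = {p.name: 0 for p in policies}
    remaining = link_kbps
    # Pass 1: guaranteed bandwidth for every policy, independent of priority.
    for p in policies:
        g = min(demand.get(p.name, 0), p.gbw, remaining)
        grant[p.name] += g
        remaining -= g
    # Pass 2: leftover capacity in priority order, capped at each policy's maximum.
    for p in sorted(policies, key=lambda pol: pol.priority):
        want = demand.get(p.name, 0) - grant[p.name]
        room = p.mbw - grant[p.name]
        extra = max(0, min(want, room, remaining))
        grant[p.name] += extra
        remaining -= extra
    return grant


def demo():
    """Constructed scenario: a 1000 kbps link shared by three policies."""
    policies = [
        Policy("voip", gbw=300, mbw=400, priority=0),   # latency-sensitive, capped
        Policy("web",  gbw=200, mbw=1000, priority=3),
        Policy("bulk", gbw=0,   mbw=1000, priority=7),  # best effort only
    ]
    # Congested: total demand 2000 kbps on a 1000 kbps link. voip gets its
    # guarantee plus up to its cap, web takes the rest, bulk is starved.
    congested = schedule(1000, policies, {"voip": 500, "web": 600, "bulk": 900})
    # Idle link: nobody is constrained, bulk gets what it asks for.
    idle_link = schedule(1000, policies, {"voip": 100, "web": 100, "bulk": 100})
    return congested, idle_link


if __name__ == "__main__":
    print(demo())
```

The cap on `voip` matters: without a maximum, a priority-0 policy that misbehaves could take the whole link, which is exactly the case the guaranteed/maximum pair is meant to bound.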

  19. NetScreen-5XP Performance
  • Full duplex 10 Mbit line speed
  • Symmetrical performance
    • 10 Mbps 3DES VPN
    • 10 Mbps firewall
  • Latency reached a record low of 380 µSec (or 0.38 mSec) for support of new applications
    • VoIP
    • Streaming media

  20. NetScreen-5XP Performance

  21. NetScreen-5XP Markets & Needs

  22. Competitive Landscape *Additional Check Point 50 user license fee of $4995 required.

  23. Cisco 506
  • High price
    • $1995 list for a 10 user license
  • Low number of VPN tunnels supported for the price
    • 4 tunnels supported vs. NetScreen’s 10 tunnels
  • No ASIC support for VPN acceleration
  • Hard to configure, manage and deploy
    • Need to understand Cisco IOS/PIX CLI to configure VPNs or any other configuration
    • GUI support is limited to basic tasks
    • Limited real time logging and alarm capabilities
  • Low performance
    • Firewall throughput 8 Mbps vs. NS-5XP 10 Mbps
    • 56-bit DES throughput 6 Mbps vs. NS-5XP 10 Mbps
    • 168-bit 3DES throughput 6 Mbps vs. NS-5XP 10 Mbps

  24. SonicWALL SOHO2 and TELE2
  • High price
    • TELE2 costs $595 for 5 users with 5 VPN tunnels
    • SOHO2 costs $990 - $1490 for 10/50 users with 10 VPN tunnels
  • No ASIC support for VPN acceleration
  • Low VPN performance
    • 2 Mbps
  • Anti-virus is not performed at the appliance, contrary to perception
  • Lack of secure remote manageability

  25. Nokia IP110
  • High price
    • IP110 base cost $2,495 + Check Point 50 user license fee $4995 = $7490
  • Low VPN performance
    • No Luna VPN accelerator card. IP110 3DES IPSec throughput 2 Mbps compared to 10 Mbps for NetScreen-5XP
  • No traffic management
  • Hard to configure, manage and deploy
  • Lack of single support point

  26. Nokia IP51 and IP55
  • Firewall-only product
    • The Nokia IP51 and IP55 small office appliances integrate Check Point FireWall-1 SmallOffice only
    • Lack VPN support and traffic management capability
  • High price for limited functionality
    • IP51 lists for $895, and IP55 lists for $1295; compared to the 5XP price of $995 integrating firewall, VPN and traffic shaping
  • Do not have ICSA certification on the appliance
  • Lack of single support point

  27. Supporting Documentation
  • This presentation
  • Datasheet: new appliances datasheet
  • New price list with detailed pricing and options
  • Competitive analysis
  • Product FAQ
  • NetScreen-5XP white paper

  28. NetScreen-50 and NetScreen-25 Solutions for Branch Office and SME Networks

  29. Product Overview: NetScreen-25 (Small Enterprise / Small Office)
  • Integrated Firewall, VPN and Traffic Mgmt.
    • Stateful inspection firewall
    • NAT, PPPoE and DHCP client, server & relay
    • VPN: site to site & client to site
    • Supports IPSec 3DES, DES & AES encryption standards
    • Supports L2TP for Windows interoperability
    • Bandwidth reservation and DiffServ marking
    • Ships with ScreenOS 3.0
  • Performance & Capacity
    • 100 Mbps firewall
    • 4,000 concurrent sessions
    • 20 Mbps VPN
    • 25 IPSec VPN tunnels
  • 4 port auto-sensing 10/100 Ethernet
    • 3 ports active today
    • 4th port enabled in a subsequent software release – 1H CY02
    • 4th port will provide a 2nd DMZ option – no HA support
  • AC power

  30. Product Overview: NetScreen-50 (Small/Medium Enterprise / Branch Office)
  • Integrated Firewall, VPN and Traffic Mgmt.
    • Stateful inspection firewall
    • NAT, PPPoE and DHCP client, server & relay
    • VPN: site to site & client to site
    • Supports IPSec 3DES, DES & AES encryption standards
    • Supports L2TP for Windows interoperability
    • Bandwidth reservation and DiffServ marking
    • Ships with ScreenOS 3.0
  • Performance & Capacity
    • 170 Mbps firewall
    • 8,000 concurrent sessions
    • 50 Mbps VPN
    • 100 IPSec VPN tunnels
  • 4 port auto-sensing 10/100 Ethernet
    • 3 ports active today
    • 4th port enabled in a subsequent software release – 1H CY02
    • 4th port will provide high availability or a 2nd DMZ option
  • AC power; DC option

  31. The NetScreen-50 and NetScreen-25 (front panel: serial console and modem ports, status LEDs, Compact Flash™ slot, Trust, Untrust and DMZ ports, and a reserved port available 1H CY02)

  32. NetScreen-50 & NetScreen-25 Key Software Features
  • NAT, Route, and Transparent modes of operation
    • Includes NAT on a per-policy basis for policy-based address translation
  • Robust attack prevention including SYN, ICMP, and port scan attacks
  • 3DES and AES encryption using digital certificates or IKE auto-key
  • IPSec NAT traversal
    • Allows IPSec VPN tunnels to be established through NAT, PAT, or NAPT devices
  • Traffic management for bandwidth allocation and traffic prioritization
    • Allocate bandwidth per policy for the most effective use of available bandwidth
  • Support for PPPoE and DHCP client
    • Allows deployments into DSL or cable networks with dynamic IP assignment
  • DHCP server or DHCP relay agent
  • High availability with stateful firewall and VPN fail-over*
  * Not at initial release and only on the NetScreen-50

  33. NetScreen-25 Competitive Matrix

  34. NetScreen-50 Competitive Matrix * Available when 4th port is enabled

  35. Additional Sales Opportunities: Better Market coverage = More $ales !!!
  What you used to sell:
  • Enterprise branch / medium enterprise central site / e-business / web hosting: NetScreen-100
  • Enterprise branch office / small-medium enterprise: NetScreen-10
  • Remote office / home office: NetScreen-5XP
  What to sell now (diagram): NetScreen-100, NetScreen-50, NetScreen-25 and NetScreen-5XP covering SME or branch office, small enterprise or small office, and the previously missed opportunities (10/100, high availability, low bandwidth, DMZ, price sensitive)

  36. Product Overview: NetScreen-100 (Medium/Large Enterprise / Branch Office)
  • Integrated Firewall, VPN and Traffic Mgmt.
    • Stateful inspection firewall
    • NAT, PPPoE and DHCP server & relay, load-balancing
    • VPN: site to site & client to site
    • Supports IPSec 3DES, DES & AES encryption standards
    • Supports L2TP for Windows interoperability
    • Bandwidth reservation and DiffServ marking
    • Ships with ScreenOS 3.0
  • Performance & Capacity
    • 200 Mbps firewall
    • 128,000 concurrent sessions
    • 185 Mbps VPN 3DES
    • 1000 IPSec VPN tunnels
  • Award-winning and proven technology since 1998
  • 3 port auto-sensing 10/100 Ethernet – Trust, Untrust, DMZ
  • High availability options
    • Active/Standby, Active/Active (1H ’02)
  • AC power; DC option

  37. NS100 Architecture (block diagram: MIPS R5000 CPU with SRAM on a 64bit/66MHz bus, GT64120 host bridge, NetScreen GigaScreen ASIC & memory with dual-port SDRAM packet memory on a 64bit/66MHz bus, 32bit/33MHz PCI, Flash, PCMCIA interface, RTC, UART to RS232 console, MAC 1–3 with PHYs for the Trusted, DMZ and Untrusted ports)

  38. NetScreen-100 IPSec Performance Source: Tolly Group, 2001

  39. NetScreen-100 New Connections per Second Source: Tolly Group, 2001

  40. NetScreen-200 Series: Solutions for Enterprise Central Sites and Service Provider Environments

  41. Introducing… the NetScreen-204 & NetScreen-208
  Integrated Firewall, VPN and Traffic Management
  • Stateful inspection firewall with advanced firewall and DoS attack protections
  • IPSec VPN with 3DES, DES, L2TP & AES
  • Bandwidth prioritization and reservation and/or DiffServ marking
  • Transparent, NAT, and Route mode
  • High availability with full FW and VPN synchronization
  • Ships with ScreenOS 3.1
  Performance & Capacity
  • 550 Mbps firewall NAT (NS-208)
  • 400 Mbps firewall NAT (NS-204)
  • 128,000 concurrent sessions
  • 13,000 new sessions per second
  • 200 Mbps 3DES VPN
  • 1,000 IPSec VPN tunnels
  • 4 or 8 auto-sensing 10/100 Ethernet ports, all ports active today
  • Auto-correct to DCE or DTE
  • AC power; DC option available soon

  42. NetScreen-200 Series Hardware Features
  • Six system-status LEDs: Power, Status, HA, Alarm, Sessions, Flash
  • CompactFlash™ slot supporting 96 and 512MB cards
  • 8 interfaces on the NetScreen-208
  • 4 interfaces on the NetScreen-204
  • HW-based asset recovery switch
  • Console and out-of-band modem ports

  43. NetScreen-200 Series ScreenOS Features
  ScreenOS 3.1.0
  • All interfaces can be used with nearly generic feature support
    • Firewall attack prevention on every interface
    • VPN tunnels terminating on any interface, providing support for applications such as WLANs
  • Support for all physical interfaces
    • All interfaces support protection against up to 28 common attacks such as SYN flood, port scan, and others
  • Familiar Trust, Untrust, and DMZ security zones available for ease of use and backward compatibility
  Features from ScreenOS 3.0
  • VPN enhancements: NAT Traversal for IPSec, generic IKE IDs, Advanced Encryption Standard
  • Device management: NetScreen MIBs, logging enhancements
  • Certificate management: Automated Certificate Enrollment (SCEP), Online Certificate Validation (OCSP)

  44. NetScreen-204 Competitive Matrix Source: Vendor and third party documentation

  45. NetScreen-208 Competitive Matrix Source: Vendor and third party documentation

  46. NetScreen Virtual Systems (diagram: Vsys #1, Vsys #2, Vsys #3)
  • 250 Virtual Systems (VSYS)
  • Per Virtual System: address book, policies and management
  • Firewall and VPN configured per VSYS
  • Able to support multiple security domains or customers without sharing policy

  47. Virtual Systems (diagram: one security domain per customer, 250 security domains per NetScreen-1000; inbound VPNs or web traffic arrive via a 100/1000 switch, traffic is mapped to VLANs via Virtual Systems over an IEEE 802.1Q VLAN trunk carrying 500 VLANs to 10/100 switches, with private links to customer cages)
  * Available on the NS500 & NS1000 Security Systems

  48. Reduced Infrastructure Deployment and Management
  • NetScreen Virtual Systems
    • A single NetScreen device can handle the needs of 500 or more customers
    • Integrated firewall and VPN capabilities
    • Implementation of 802.1Q VLANs providing the ability to manage multiple customers from a single security system
  • A Virtual System
    • Saves rack space
    • Reduces capital cost
    • Eases management and administration
    • Simplifies network architecture
  (diagram: Internet on the Untrust side; on the Trust side traffic is mapped to VLANs via Virtual Systems over an IEEE 802.1Q VLAN trunk carrying 100 VLANs, with VLAN1, VLAN2 and VLAN3 as private links to customers)

  49. Separate vs. shared Virtual Systems for multi-customer deployments
  Separate Virtual Systems
  • Customer/admin management
  • Customer logs parsed by Vsys
  • Unique firewall & VPN configuration per customer / Vsys
  Shared Virtual Systems
  • Provider management only
  • Customer logs parsed by IP
  • Firewall policy based on IP address; VPN not practical due to VPN authentication issues
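The difference between the two deployment models above is easiest to see when two customers use the same private address range. In the separate model the 802.1Q tag on the trunk selects the customer's own virtual system and its own policy table, so the overlap is harmless; in the shared model there is one policy table keyed on IP addresses, so the two customers' hosts cannot be told apart and each inherits the other's rules. The following is an added Python model of that distinction, not ScreenOS code and not ScreenOS's vsys implementation: the VLAN-to-vsys mapping, the policy tables and the addresses are all constructed.

```python
"""Separate vs. shared virtual systems: policy lookup keyed by VLAN/vsys
versus keyed by IP address alone.

Added example (not ScreenOS code). Everything below is constructed:
two customers, each on its own VLAN, both using 10.0.0.0/24 internally.
"""
from ipaddress import ip_address, ip_network

# Separate model: the 802.1Q tag on the trunk selects the virtual system.
VLAN_TO_VSYS = {101: "cust_a", 102: "cust_b"}

# One policy table per vsys: (src_net, dst_net, dport, action).
SEPARATE_POLICIES = {
    "cust_a": [(ip_network("10.0.0.0/24"), ip_network("0.0.0.0/0"), 443, "permit")],
    "cust_b": [(ip_network("10.0.0.0/24"), ip_network("0.0.0.0/0"), 25, "permit")],
}

# Shared model: one table for the provider, the customers' rules merged.
SHARED_POLICIES = SEPARATE_POLICIES["cust_a"] + SEPARATE_POLICIES["cust_b"]


def lookup(policies, src, dst, dport):
    """First-match lookup; default deny when nothing matches."""
    for src_net, dst_net, port, action in policies:
        if ip_address(src) in src_net and ip_address(dst) in dst_net and port == dport:
            return action
    return "deny"


def separate_decide(vlan, src, dst, dport):
    """Return (vsys, decision). The vsys name is also what logs are parsed by."""
    vsys = VLAN_TO_VSYS.get(vlan)
    if vsys is None:
        return None, "deny"          # unknown VLAN: no vsys, so default deny
    return vsys, lookup(SEPARATE_POLICIES[vsys], src, dst, dport)


def shared_decide(src, dst, dport):
    """Return the decision; only the IP address is available to attribute logs."""
    return lookup(SHARED_POLICIES, src, dst, dport)


def demo():
    """Host 10.0.0.9 exists in both customers' address space."""
    # Separate model: customer B's 10.0.0.9 may send SMTP but not HTTPS,
    # customer A's 10.0.0.9 may send HTTPS; the VLAN tag keeps them apart.
    sep_b_smtp = separate_decide(102, "10.0.0.9", "198.51.100.5", 25)
    sep_b_https = separate_decide(102, "10.0.0.9", "198.51.100.5", 443)
    sep_a_https = separate_decide(101, "10.0.0.9", "198.51.100.5", 443)
    unknown_vlan = separate_decide(999, "10.0.0.9", "198.51.100.5", 443)
    # Shared model: the same source address gets both customers' rules,
    # so B's host is allowed HTTPS and A's host is allowed SMTP.
    shared_https = shared_decide("10.0.0.9", "198.51.100.5", 443)
    shared_smtp = shared_decide("10.0.0.9", "198.51.100.5", 25)
    return sep_b_smtp, sep_b_https, sep_a_https, unknown_vlan, shared_https, shared_smtp


if __name__ == "__main__":
    print(demo())
```

The same ambiguity is why the slide says shared-model logs are parsed by IP: with overlapping customer ranges, an IP address alone cannot identify which customer a log line belongs to, while the separate model carries the vsys name with every decision.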

  50. NetScreen-500 High-performance Security System for Enterprise Central Site and Data Center Environments
