Exclusive look shows performance improvement but uncovers a few rough edges.
Original article from Network World web site
NetScreen Technologies has released brand-new hardware products and software upgrades. Hardware that yields throughput over the gigabit mark for firewall and VPN performance, coupled with a revision of its ScreenOS security operating system, makes NetScreen ready to challenge its competition for enterprise business. In this exclusive review, we looked at two hardware platforms - the eight-port Fast Ethernet NetScreen-208 and a beta of the eight-port Gigabit Ethernet NetScreen-5200 security appliances - and evaluated them when loaded with ScreenOS 3.1.
This new version of the underlying operating system lets NetScreen hardware support a larger variety of firewall and VPN configuration options, lifting a restriction inherent in all previous versions of NetScreen's products and in most other appliance-style firewall products.
While NetScreen has come a long way with new hardware and software in terms of speed and usability, it still has quite a few rough edges to smooth out on these products.
NetScreen-5200, which was released last month, is an expandable chassis with two slots. One slot is reserved for the management card and central processor. Other slots can be filled with eight-port Gigabit Ethernet cards available now or 24-port Fast Ethernet/two-port Gigabit Ethernet cards to ship later this year.
The architecture on the 5000-series chassis is radically different from that on previous systems. NetScreen's new GigaScreen-II ASICs run independently of the main CPU, checking in only when necessary to evaluate firewall and VPN rules. Once a session is set up and approved by the firewall rules on the main CPU, the GigaScreen-II ASIC takes off by itself. The eight-port Gigabit Ethernet card we tested had two GigaScreen-II ASICs, each handling four of the Gigabit Ethernet ports.
The benefit of this new hardware platform is performance. NetScreen's internal benchmarks show the 5200 capable of 4G bit/sec of firewall and 2G bit/sec of VPN throughput. Our network is limited to pushing firewall and VPN performance up to 1G bit/sec throughput, which in our experience is plenty in most enterprise networks, and these boxes handled that load easily (see How we did it).
This loosely coupled multiprocessor architecture is complex and has serious bug potential, as we found out. During our VPN testing, there were instances when the Secure Port Module CPU got out of sync with the main CPU. NetScreen says it fixed this problem before the ship date. However, early adopters might expect to see some subtle problems related to synchronization.
Although the 5200 seems positioned to replace NetScreen-1000, at a similar price with better performance, there is a major difference - the active-active high availability features in NetScreen-1000 and NetScreen-500 are not in the 5000 series and won't be until ScreenOS 4.0 is released in July.
Active-active high availability can give higher performance, utilizing all systems rather than having half the infrastructure sit idle, and can reduce failover time and vulnerability by spreading load across more systems. Also, NetScreen's Global Express management software does not yet support the 5000 series.
While the 5000-series hardware is impressive, end users not interested in spending $100,000 on this high-end firewall will be much more interested in ScreenOS 3.1, supported on the NetScreen-200 and 500-series systems. ScreenOS 4.0 will bring Version 3.1's new features to all of the NetScreen product line.
Before Version 3.1, NetScreen's hardware was limited to three firewall/VPN interfaces, locking firewall rules into the trusted, untrusted and demilitarized zone (DMZ) model.
ScreenOS 3.1 introduces the concept of zones, which can be a physical interface on the network, a VPN interface or a virtual LAN (VLAN), or a collection of all these things. Each zone consists of a set of security policies for all other zones, defining what is permitted and what is blocked. In effect, NetScreen has generalized its firewall rules architecture to handle as many interfaces, VLANs and VPNs as you care to create.
We installed the NetScreen-208, which began shipping in January, in our production network to test the new operating system and found the zones simple to configure and easy to map to our security policy. With only a few minutes of practice, we replaced our old three-interface firewall with the eight-interface NetScreen-208 and built a much more secure network. We took several interfaces together, called them the DMZ and prohibited traffic from crossing within the zone. That cleaned up a longtime worry that systems in our DMZ would be vulnerable to each other if any of them were hacked.
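The zone model the review describes, as an added toy illustration (not ScreenOS code and not from the article): interfaces map to zones, an ordered list of policies governs traffic between zones with default deny, and a zone flagged as blocked rejects traffic between its own interfaces, as the reviewer did for the DMZ. Interface, zone and service names are constructed.

```python
"""Toy model of zone-based firewall policy evaluation (constructed illustration)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    service: str  # "ANY" or a named service such as "HTTP"
    action: str   # "permit" or "deny"


@dataclass
class ZoneFirewall:
    interface_zone: dict                 # interface name -> zone name
    policies: list                       # ordered; first match wins
    blocked_intrazone: set = field(default_factory=set)

    def decide(self, in_iface: str, out_iface: str, service: str) -> str:
        src = self.interface_zone[in_iface]
        dst = self.interface_zone[out_iface]
        if src == dst:
            # Intra-zone traffic: blocked only when the zone is configured that way
            return "deny" if src in self.blocked_intrazone else "permit"
        for p in self.policies:
            if (p.src_zone, p.dst_zone) == (src, dst) and p.service in ("ANY", service):
                return p.action
        return "deny"  # no matching inter-zone policy: default deny


def build_review_firewall() -> ZoneFirewall:
    """Three DMZ interfaces grouped into one zone with intra-zone traffic blocked."""
    return ZoneFirewall(
        interface_zone={"eth1": "Trust", "eth2": "Untrust",
                        "eth3": "DMZ", "eth4": "DMZ", "eth5": "DMZ"},
        policies=[
            Policy("Trust", "Untrust", "ANY", "permit"),
            Policy("Untrust", "DMZ", "HTTP", "permit"),
            Policy("Trust", "DMZ", "ANY", "permit"),
        ],
        blocked_intrazone={"DMZ"},
    )


if __name__ == "__main__":
    fw = build_review_firewall()
    print(fw.decide("eth3", "eth4", "HTTP"))  # DMZ host to DMZ host: deny
    print(fw.decide("eth2", "eth3", "HTTP"))  # Internet to DMZ web: permit
```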
While zones are a welcome enhancement in ScreenOS 3.1, other new features are not as polished. Virtual routers and VPN interfaces are two other new features, and we'd advise you to stay away from them. For now, virtual routers are used to maintain separate routing tables within a single system, which can help alleviate IP address problems. VPN interfaces are another routing-friendly feature that treats VPN tunnels as interfaces so the routing fabric of your network can dynamically route or reroute traffic over VPNs.
While both features look promising, we feel they are really just placeholders for full dynamic routing (Border Gateway Protocol and Open Shortest Path First) to be included in ScreenOS 4.0. Using VPN interfaces instead of the old-style easier-to-understand VPN tunnels means visiting four different parts of the configuration graphical user interface and then building a policy, a process that is anything but intuitive. Fortunately, you don't have to use these pieces - the old routing rules and VPN policies will still work just fine in Version 3.1.
NetScreen's new hardware platforms and software upgrade are critical steps for the company to pursue its goal of playing with the big boys of the VPN and firewall business. While these early releases still have some bugs, NetScreen is aggressively filling out its product line in exactly the right way.
Joel M. Snyder is a senior partner at Opus One, in Tucson, Ariz.