FEATURE

Multisite Firewall Management: Not Enterprise-Ready

April 3, 2000
NetScreen Technologies NetScreen-100 1.66
At 1U in height, the NetScreen-100 packs a small-form-factor wallop. A stateful-inspection firewall ensconced in proprietary ASIC hardware, the NetScreen-100 is built for speed. It's also a breeze to manage, with straightforward configuration options. We used the NetScreen-100's new Global Manager as well as the existing Web manager and found them equally useful. But they're a far cry from the more polished global managers, such as Check Point's management GUI and Cisco's CSPM. Likewise, the NetScreen-100's logging and reporting were subpar, leaving out important details and showing no distinction between alarm levels.

If you need a fast performer, the NetScreen-100 is for you. We passed IPsec tunnel-mode traffic using 3DES and MD5 at nearly 120 Mbps--that's 1.5 times the speed of any of the VPN devices we tested last year. The NetScreen-100 is equally fast at passing packets, topping out at 154 Mbps. Version 2.0, which is due this quarter, should improve on these performance numbers.

Global Manager, the management GUI that comes with the NetScreen-100, is aimed at managing multiple remote firewalls. Firewalls are added in the left-hand pane, and configuration options are set in the right-hand pane. Although you can add all the firewalls in your network, policy enforcement is still configured manually on a per-firewall basis. For more than a handful of firewalls, rolling out a widescale change can become a lengthy procedure. Global Manager does offer a streamlined configuration process: We created a single configuration file and saved it as a storage file in Global Manager. We renamed the file and then manually edited it to change site-specific information, such as IP addresses. Next, we configured a second NetScreen-100 by dragging the new configuration file onto the new firewall's icon. We did find a bug in the NetScreen-100 when it was configured through Global Manager: New rules are appended by default to the end of the rule list, beneath our default deny rule, so they would never match, and we had to move each added rule above the default deny rule. Even then, the new rule wouldn't take effect until the NetScreen-100 was rebooted. The company is aware of the problem and should have a fix by the time you read this.
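The two management points above (one template edited per site, and new rules landing beneath the default deny rule) are illustrated by the following added example. It is not NetScreen's or Global Manager's code, and the line-oriented policy syntax, site names and addresses are hypothetical and constructed for the example; the point is that a per-site render step should fail on a missing value, and an insert step should place rules above the trailing deny and then verify nothing is shadowed.

```python
"""Added illustration (not vendor code): render per-site firewall configs
from one template and insert rules above the trailing default-deny rule.
The "set policy ..." syntax is a hypothetical format chosen for this
example, not the firewall's real CLI."""
from string import Template

# Hypothetical template; $placeholders hold the site-specific values.
TEMPLATE = """\
set interface trust ip $trust_ip/24
set interface untrust ip $untrust_ip/24
set policy from trust to untrust any any HTTP permit
set policy from trust to untrust any $mail_server SMTP permit
set policy from any to any any any ANY deny
"""

DEFAULT_DENY = "set policy from any to any any any ANY deny"

# Constructed sample site data.
SITES = {
    "chicago": {"trust_ip": "10.1.0.1", "untrust_ip": "192.0.2.1",
                "mail_server": "10.1.0.25"},
    "dallas": {"trust_ip": "10.2.0.1", "untrust_ip": "198.51.100.1",
               "mail_server": "10.2.0.25"},
}


def render_site_config(template: str, site_vars: dict) -> str:
    """Substitute site values into the template.

    Template.substitute() raises KeyError for any placeholder the site
    dictionary does not define, so a half-edited site file cannot be
    pushed with a leftover placeholder in it.
    """
    return Template(template).substitute(site_vars)


def shadowed_rules(config: str) -> list:
    """Return policy lines that sit after the default deny rule.

    Such rules can never match, which is exactly the symptom of
    appending new rules to the end of the list.
    """
    lines = config.splitlines()
    if DEFAULT_DENY not in lines:
        return []
    deny_index = lines.index(DEFAULT_DENY)
    return [ln for ln in lines[deny_index + 1:] if ln.startswith("set policy")]


def insert_rule(config: str, rule: str) -> str:
    """Insert a policy rule immediately above the default deny rule.

    If the config has no default deny rule, the rule is appended, since
    there is nothing to shadow it.
    """
    lines = config.splitlines()
    if DEFAULT_DENY in lines:
        lines.insert(lines.index(DEFAULT_DENY), rule)
    else:
        lines.append(rule)
    return "\n".join(lines) + "\n"


def build_all_sites(template: str, sites: dict, extra_rule: str) -> dict:
    """Render every site, add one rule to each, and refuse any site
    whose result still has a rule hidden behind the default deny."""
    out = {}
    for name, site_vars in sites.items():
        cfg = insert_rule(render_site_config(template, site_vars), extra_rule)
        if shadowed_rules(cfg):
            raise ValueError(f"{name}: rule shadowed by default deny")
        out[name] = cfg
    return out


if __name__ == "__main__":
    new_rule = "set policy from untrust to trust any any HTTPS permit"
    for site, cfg in build_all_sites(TEMPLATE, SITES, new_rule).items():
        print(f"--- {site} ---\n{cfg}")
```

Appending the same rule naively (config + rule) leaves it after the default deny, and shadowed_rules() reports it; insert_rule() places it where it will actually be evaluated. The KeyError from a missing placeholder is deliberate: it is better for a site build to fail loudly than for a firewall to be pushed a config with an unresolved address.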

For the most part, we could reconfigure the NetScreen-100 on the fly through the Web interface. However, some actions, such as interface configuration or changing the administrator password, effectively required a reboot because of the way browsers cache pages. For example, the session secret used to validate HTTP requests and responses changed when the password changed. Because the Web browser pulls from its local cache first, subsequent requests failed, and the administrator had to log in again for every page. It's easier to reboot. Changes made on the command line are always dynamic.

The NetScreen-100's reporting is on a par with that of the Raptor Firewall--unfortunately, it doesn't tell you much. In fact, in Global Manager, we couldn't tell which log entries were about traffic being passed and which were about traffic being blocked. In addition, when the NetScreen-100 couldn't find a name for the TCP port being accessed, it entered "Unknown" for the service rather than the port number. There was no way to track what was happening--we couldn't tell which rule was triggering the event. We had to keep flipping between the reporting tool and Global Manager, trying to match up each event to the rule that produced it.

We were able to break into our IIS Web server through the firewall even though the NetScreen-100 performs mobile code checking. The company's engineers were quick to identify the problem, and they've stated that they will issue a patch to stop this particular attack. The NetScreen-100 can block mobile code only by searching HTTP content for HTML tags that indicate Java, JavaScript, ActiveX components and other mobile code. Because we were downloading an executable, which carries no such tags, it didn't get checked at all.
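To make the limitation concrete, the following added example (not NetScreen's code, and not a description of how the NetScreen-100 is implemented) contrasts a tag-only mobile-code filter with a content-aware one. The HTTP bodies and headers are constructed samples; the tag list and the executable signatures checked are the example's own choices.

```python
"""Added illustration (not vendor code): a tag-only mobile-code filter
misses binary downloads; a content-aware filter also looks at the
declared type and at the bytes themselves.  Sample traffic is constructed."""
import re

# Tags that typically embed Java applets, script, ActiveX or plug-in content.
MOBILE_CODE_TAGS = re.compile(rb"<\s*(applet|script|object|embed)\b", re.IGNORECASE)

# Declared types that should not be served to a browser through a
# filter meant to stop executable content (example policy).
EXECUTABLE_TYPES = (
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
)


def tag_filter_blocks(body: bytes) -> bool:
    """Tag-only check: true only if the body contains a mobile-code tag.

    A raw executable contains no HTML, so it always passes this check.
    """
    return MOBILE_CODE_TAGS.search(body) is not None


def looks_executable(body: bytes) -> bool:
    """Magic-byte check, independent of what the server claimed."""
    return body[:2] == b"MZ" or body[:4] == b"\x7fELF"


def content_aware_blocks(headers: dict, body: bytes) -> bool:
    """Block on declared type, on file signature, or on mobile-code tags.

    The signature check runs regardless of Content-Type, so a PE file
    relabelled as text/html is still caught.
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in EXECUTABLE_TYPES:
        return True
    if looks_executable(body):
        return True
    return tag_filter_blocks(body)


# Constructed sample responses (headers lower-cased, bodies truncated).
SAMPLES = {
    "plain_page": (
        {"content-type": "text/html"},
        b"<html><body><p>Quarterly report</p></body></html>",
    ),
    "applet_page": (
        {"content-type": "text/html"},
        b"<html><body><APPLET code='Game.class'></APPLET></body></html>",
    ),
    "honest_exe": (
        {"content-type": "application/x-msdownload"},
        b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    ),
    "disguised_exe": (
        {"content-type": "text/html"},
        b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    ),
}


def compare_filters(samples: dict) -> dict:
    """Return {name: (tag_only_blocked, content_aware_blocked)}."""
    return {
        name: (tag_filter_blocks(body), content_aware_blocks(headers, body))
        for name, (headers, body) in samples.items()
    }


if __name__ == "__main__":
    for name, (tag_only, aware) in compare_filters(SAMPLES).items():
        print(f"{name:14s} tag-only={tag_only!s:5s} content-aware={aware}")
```

Both executables sail through the tag-only filter, including the one relabelled as text/html. Blocking every application/octet-stream response is a blunt policy and will break legitimate downloads; the more defensible part of the check is the signature test, which does not trust the declared type at all.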

NetScreen-100 1.66, $9,995 unlimited users, NetScreen Technologies, (800) 638-8296, (408) 330-7800; fax (408) 330-7850. www.netscreen.com or sales@netscreen.com


