Juniper Networks' ISG-2000 with IDP
Posted by Mike Jones and Greg Shipley on June 17, 2005
The ISG-2000 firewall is a hefty unit, coming in at just over 50 lbs. This size accommodates three internal expansion slots. Juniper says each IDP module can support between 500 Mbps and 650 Mbps of traffic, depending on the mix, but traffic loading of the IDP is not an all-or-nothing scenario--you can selectively allocate traffic flows to the IDP and leave others for basic firewalling.
We racked this fully loaded firewall into our test rig and began the brutalization process. Juniper has also finally integrated the IDP and firewall management platforms in the beta of the NSM (NetScreen Security Manager) that we tested, which made configuration much easier.
Adding Ingredients
Using the test environment from our firewall blowout gave us fully loaded internal, external and DMZ network ranges with clients and servers distributed across each. Using two pairs of Spirent Avalanche and Reflectors, we created 500 Mbps of multidirectional HTTP traffic (transactions of 4-KB, 16-KB and 64-KB sizes) emulating up to 150 servers and 22,000 clients. We then injected attacks into those streams. The test was harsh: We were flexing state tables from multiple directions, the firewall rule set we deployed had more than 400 rules, and we enabled IDP rules incrementally throughout testing.



