Review: Juniper Networks' NetScreen ISG 2000

This firewall is built for performance, but suite-integration challenges remain.

July 9, 2004


Juniper Networks recently launched its NetScreen-ISG (Integrated Security Gateway) 2000, the company's first firewall appliance to use its fourth-generation ASIC technology. I tested a beta version of the device at the Neohapsis lab, and kicked the tires of both an early build of the ScreenOS Web interface and the latest NetScreen Security Manager (NSM) management suite. Juniper, which acquired NetScreen in April, has a few overall integration challenges ahead, but I liked what I saw.

The ISG 2000 is a 4U beast, weighing about 60 pounds. Under the hood are Juniper's fourth-generation ASICs, dual power supplies, and four expansion bays for future "blades"--including an IDP (intrusion-prevention platform) blade. Each security module is powered by an additional pair of 1-GHz PowerPCs and 2 GB of RAM--the ISG design team clearly had horsepower in mind.

All in One?

Juniper is touting the ISG 2000 as its first purpose-built platform to combine a firewall, VPN and intrusion prevention. Juniper's firewall devices have been playing VPN and firewall roles for years, but I've been waiting for a unit that includes some of NetScreen's acquisitions--such as the OneSecure IDP and the Neoteris SSL VPN platform. There's much industry buzz about inline network intrusion prevention, and Juniper is one of the few companies positioned to put the technology where it belongs: in access-control devices, such as firewalls.

Unfortunately, though the ISG is supposed to deliver this integrated platform, the modular blade for IDP isn't here yet, and Juniper wouldn't comment on its SSL VPN plans.

The ISG came with two eight-port 10/100 blades and four 1-Gbps fiber ports. Setting up the ISG was trivial. I used its serial console to supply basic configuration settings--IP address, default gateway and so on. Then I accessed the machine over its Web interface, from which I configured the system quickly and easily.

I ran basic firewall throughput tests using Spirent's WebAvalanche and WebReflector, generating about 1 GB of HTTP traffic between two of the fiber ports. Handling loads of 1,500 64-Kbps NAT'd new sessions per second, the ISG successfully completed the test runs with one caveat: It appeared to struggle during the initial ramping period. I can't give the ISG a full nod on performance until I test final code using a larger test set, but it appears that Juniper is taking steps in the right direction.

[Figure: Juniper Networks' NetScreen ISG 2000]

Juniper seems to understand that strong centralized management for multiple devices is crucial for large organizations. Without a good centralized interface, firewall rule sets quickly become unwieldy at a global level. NSM lets administrators configure devices, create firewall objects, such as hosts and IP address ranges, and define rule sets that can be applied to firewalls or groups of firewalls. NSM has two components: a set of management packages that run on Linux or Solaris, and a graphical interface that runs on Linux or Windows.

The interface contains the familiar navigation tree and a primary pane for configuration and reviewing returned information. NSM offers tools for monitoring firewall utilization and system health, and reporting tools for creating data summaries.

Juniper Networks NetScreen-ISG 2000, starts at $38,495. Juniper Networks, (888) JUNIPER, (408) 745-2000. www.juniper.net

Specialities of the House

One of NSM's unique features is its log-investigator tool, which lets you sort logs dynamically and drill down into firewall event data. This tool uses pivot tables to provide a fluent interface, and its inclusion shows Juniper is taking firewall interface requirements seriously. NSM has other appealing features--it can flag and classify specific log events and lets you add comments to individual firewall rules and log entries.

Where the Holes Are

I ran into some challenges: The log investigator didn't consistently refresh its data set or reliably display updated events. Also, the Critical log event type can't be imported into the investigator tool; it's stored by the general logging mechanism, which the vendor says is an omission.

Plus, NSM can manage only Juniper firewalls. Standalone Juniper devices, such as the IDP, still have their own management framework. It's been more than a year since the OneSecure acquisition--I hope Juniper can centralize management consoles soon. Also, I'd like a full range of CLI commands from the Web console, like Cisco's PIX Device Manager offers.

This new firewall platform was engineered to process extremely heavy traffic loads, and the high-performance nature of its purpose-built, ASIC-based design puts it at an advantage over other approaches. It is a great point solution that solves at least part of the problem.

Greg Shipley is the CTO for Chicago security consultancy Neohapsis. Write to him at [email protected].
