Juniper Networks' ISG-2000 with IDP

The ISG-2000 firewall is a hefty unit, coming in at just over 50 lbs. This size accommodates three internal expansion slots. Juniper says each IDP module can support between 500 Mbps and 650 Mbps of traffic, depending on the mix, but traffic loading of the IDP is not an all-or-nothing scenario--you can selectively allocate traffic flows to the IDP and leave others for basic firewalling.

We racked this fully loaded firewall into our test rig and began the brutalization process. Juniper has finally integrated the IDP and firewall management platforms into the beta of the NSM (NetScreen Security Manager) we tested as well, which made configuration much easier.

Adding Ingredients

Using the test environment from our firewall blowout gave us fully loaded internal, external and DMZ network ranges with clients and servers distributed across each. Using two pair of Spirent Avalanche and Reflectors, we created 500 Mbps of multidirectional HTTP traffic (transactions of 4-KB, 16-KB and 64-KB sizes) emulating up to 150 servers and 22,000 clients. We then injected attacks into those streams. The test was harsh: We were flexing state tables from multiple directions, the firewall rule set we deployed had more than 400 rules, and we enabled IDP rules incrementally throughout testing.

Our goal wasn't to pummel the firewall, but to measure the impact that enabling the IDP functions would have on the device. An IDP-enabled Juniper firewall lets you flag any firewall rule you create for further IDP-level inspection by enabling a rule option that sends that specific rule's traffic to the IDP module for further inspection.

Another interesting twist: You can put the IDP-bound traffic in inline mode, which forces the device to process it and make a decision before forwarding, or passive mode, which functions more like an IDS. Flipping modes is as easy as a simple rule change, and you can place rules in alerting mode before migrating them to blocking mode. You can then define signature subsets based on those rules, letting you limit the Port 80 Web rules to only HTTP and spyware-based signatures, for instance. The granular control over inspection levels and dropping capabilities is ahead of any product on the market.Future Recipes

We pushed the device to just shy of 600 Mbps with a subset going to the IDP modules and found that the product essentially works. We didn't spot any catastrophic failures and we look forward to really pushing production code. We also were impressed performance didn't suffer because of heavier inspection, and latency increases were virtually undetectable with the IDP rules enabled.

The only problem we had was when we accidentally enabled an ActiveX inspector on all traffic, which heavily affected performance. We also uncovered a series of quirks that might prove annoying if not addressed. For example, while we applaud the advances in the NSM console, the monitoring functionality was confusing and, in some cases, completely broken; we couldn't get some device-monitoring tabs to work, while others presented confusing measurements like "1.4E10" for traffic volumes. We also noticed that a few signatures appeared to be dropped from the legacy IDP product. A notable one was the IIS UNICODE attack that was behind the Code Red worm.

Other features like real-time firewall health monitoring, support for large rule sets, rule-set commenting, table-based log viewers and the ability to get at full packet dumps from the management console with only a few mouse clicks put Juniper closer to an ideal management framework. We hope by the full release some of the rough edges will be smoothed out, making this high-end IDP platform one to really watch.

Michael Jones is a lab technologist and Greg Shipley is the CTO at Neohapsis, an information security consultancy and enterprise IT product-testing lab. Write to them at [email protected].The integrated firewall and network intrusion-prevention platform has been a long time coming, dating back to Netscreen's (now part of Juniper) original acquisition of OneSecure in 2002. That acquisition became Juniper's IDP (intrusion detection and prevention) product line, a midrange Intel-based line of standalone network appliances. Juniper made some initial progress by integrating basic deep-inspection functionality into its ScreenOS firewall code, but the heavier intrusion-prevention features like full signature sets and wide Layer 7 protocol support remained IDP only--that is, until now.