Juniper Networks' NetScreen ISG 2000

All in One?

Juniper is touting the ISG 2000 as its first purpose-built platform to combine a firewall, VPN and intrusion prevention. Juniper's firewall devices have been playing VPN and firewall roles for years, but I've been waiting for a unit that includes some of NetScreen's acquisitions--such as the OneSecure IDP and the Neoteris SSL VPN platform. There's much industry buzz about inline network intrusion prevention, and Juniper is one of the few companies positioned to put the technology where it belongs: in access-control devices, such as firewalls.

Unfortunately, though the ISG is supposed to deliver this integrated platform, the modular blade for IDP isn't here yet, and Juniper wouldn't comment on its SSL VPN plans.

The ISG came with two eight-port 10/100 blades and four 1-Gbps fiber ports. Setting up the ISG was trivial. I used its serial console to supply basic configuration settings--IP address, default gateway and so on. Then I accessed the machine over its Web interface, from which I configured the system quickly and easily.

I ran basic firewall throughput tests using Spirent's WebAvalanche and WebReflector, generating about 1 GB of HTTP traffic between two of the fiber ports. Handling loads of 1,500 64-Kbps NAT'd new sessions per second, the ISG successfully completed the test runs with one caveat: It appeared to struggle during the initial ramping period. I can't give the ISG a full nod on performance until I test final code using a larger test set, but it appears that Juniper is taking steps in the right direction.

Juniper seems to understand that strong centralized management for multiple devices is crucial for large organizations. Without a good centralized interface, firewall rule sets quickly become unwieldy at a global level. NSM lets administrators configure devices, create firewall objects, such as hosts and IP address ranges, and define rule sets that can be applied to firewalls or groups of firewalls. NSM has two components: a set of management packages that run on Linux or Solaris, and a graphical interface that runs on Linux or Windows.

The interface contains the familiar navigation tree and a primary pane for configuration and reviewing returned information. NSM offers tools for monitoring firewall utilization and system health, and reporting tools for creating data summaries.

Specialities of the House

One of NSM's unique features is its log-investigator tool, which lets you sort logs dynamically and drill down into firewall event data. This tool uses pivot tables to provide a fluent interface, and its inclusion shows Juniper is taking firewall interface requirements seriously.

NSM has other appealing features--it can flag and classify specific log events and lets you add comments to individual firewall rules and log entries.

Where the Holes AreI ran into some challenges: The log investigator didn't consistently refresh its data set or reliably display updated events. Also, the Critical log event type can't be imported into the investigator tool; it's stored by the general logging mechanism, which the vendor says is an omission.

Plus, NSM can manage only Juniper firewalls. Standalone Juniper devices, such as the IDP, still have their own management framework. It's been more than a year since the OneSecure acquisition--I hope Juniper can centralize management consoles soon. Also, I'd like a full range of CLI commands from the Web console, like Cisco's PIX Device Manager offers.

This new firewall platform was engineered to process extremely heavy traffic loads, and the high-performance nature of its purpose-built, ASIC-based design puts it at an advantage over other approaches. It is a great point solution that solves at least part of the problem.

Greg Shipley is the CTO for Chicago security consultancy Neohapsis. Write to him at [email protected].