Firewall Wizards mailing list archives
Re: Netscreen firewalls
From: "Montgomery, Scott" <Scott_Montgomery () securecomputing com>
Date: Thu, 21 Dec 2006 09:40:16 -0600
Several positives (I agree with Carson on the layer 2-4 aspect, NSCN is tops):
- the transparent bridge mode is quite good, making the device truly transparent to the network; there are a limited number of deployments where this is useful, but where it is it's incredibly well thought out
- I like the UI better than CHKP (this isn't objective, just my two cents)
- the virtualization mode is also useful if you're trying to do separation of functions, or so that you can back-charge different departments for their throughput, etc. I think more xSP deployments would find this useful than enterprise, but YMMV. If you're trying to conserve on devices/power/rack space, virtualization is pretty groovy
- when you're doing nothing but packet forwarding, the performance is excellent

Several negatives:
- the default, out of the box transport mechanism is packet forwarding only; you have to actually *enable* stateful packet inspection
- only the negative model of security can be enforced, meaning that a comparison against a signature is typically the way that enforcement is attempted; there is little to no way to enforce a positive model, meaning that unless the traffic conforms to the intended protocol it isn't supported; further, until someone somewhere has been compromised, signatures don't typically exist, which is fine unless you're the guy that causes the signature to be created in the first place
- many of the inspection policies are global, meaning even if you want to turn something on for only one rule, that's not possible; it's all or nothing for every rule
- when using signatures the performance drops to nil; even on the 12Gb throughput box the performance drops to sub 300 Mb, a 96% reduction in performance (this is directly from their documentation and my field testing)
- call me a dinosaur but I still believe that a proxy is the best method for enforcing perimeter security; you get separate TCP stacks for client and server, preventing direct connections, allowing you to re-write the packet according to your own needs and policies rather than whatever garbage the client is trying to down- or upload to your resources or as reply data into your network, providing masking, etc.

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Carson Gaspar
Sent: Friday, December 15, 2006 9:20 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Netscreen firewalls

--On Friday, December 15, 2006 12:43 PM -0500 Mike LeBlanc <mlinfosec () comcast net> wrote:
All, I'm looking for guidance on vulnerabilities/downsides to the Netscreen firewalls. I am not looking to start a flamefest on Netscreen but simply am looking for the downside. We currently are a Cisco PIX shop and have monitoring and change management built around Cisco. I have done a Google on Netscreen vulnerabilities and issues but didn't find much current data. Any information is appreciated in advance, including links to current data. Additionally, if you have personal experience, positive or negative, with Netscreen I would like to hear it, off list if so desired. Thanks in advance for any information you can provide, Mike LeBlanc, CISSP VP/Infosec officer for multinational bank
Having done firewall evaluations for several multinational banks, NetScreen is pretty much the best thing out there in packet filter land. Much better than FW-1 and PIX, especially under heavy load. They're not perfect by any means, but they have the best virtual firewall support I've seen, which makes them great for consolidation projects or compartmentalizing your rules to lower operational risk. Their routing support is pretty good as well; if you have ethernet demarc'd WAN connections you can avoid paying for a separate routing tier in many cases. -- Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
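The negative-model versus positive-model distinction in Scott's post (block what matches a known-bad signature, versus allow only what conforms to the intended protocol) is worth seeing side by side. The following is an added illustration, not code from the thread or from any NetScreen/Juniper product: a constructed signature list stands in for the negative model, and a deliberately narrow HTTP/1.x request-line grammar stands in for the positive model. The sample request lines are constructed, and the method set, character classes and length limit are assumptions chosen for the example.

```python
"""Negative-model (signature) vs positive-model (protocol conformance) enforcement.

Added example. The signatures, grammar and request lines are constructed for
illustration and are not taken from any real product or the original post.
"""
import re

# --- Negative model: allow everything except what matches a known-bad signature.
# Constructed signature list: each entry exists because someone was already hit
# by that attack, which is exactly the point made in the post.
SIGNATURES = [
    re.compile(rb"\.\./"),               # literal directory traversal
    re.compile(rb"(?i)<script"),         # reflected XSS
    re.compile(rb"(?i)union\s+select"),  # SQL injection
]


def negative_model_allows(request_line: bytes) -> bool:
    """Allow unless a signature matches; anything not yet seen passes."""
    return not any(sig.search(request_line) for sig in SIGNATURES)


# --- Positive model: allow only what conforms to the intended protocol.
# Assumed grammar for this example: a fixed method set, an absolute-path target
# from a conservative character set (no '%', so encoded traversal cannot even be
# expressed), an optional query string, and a known HTTP version.
REQUEST_LINE = re.compile(
    rb"^(?P<method>GET|HEAD|POST)"
    rb" (?P<target>/[A-Za-z0-9._~/\-]*(?:\?[A-Za-z0-9._~=&\-]*)?)"
    rb" HTTP/1\.[01]\r\n$"
)
MAX_REQUEST_LINE = 2048  # assumed policy limit for the example


def positive_model_allows(request_line: bytes) -> bool:
    """Allow only a request line that conforms to REQUEST_LINE and the path policy."""
    if len(request_line) > MAX_REQUEST_LINE:
        return False
    m = REQUEST_LINE.match(request_line)
    if m is None:
        return False
    # Policy choice for the example: a well-formed client sends a normalized path,
    # so '.' and '..' segments are not part of the intended protocol either.
    path = m.group("target").split(b"?", 1)[0]
    return not any(seg in (b".", b"..") for seg in path.split(b"/"))


# Constructed sample traffic: one benign line, one attack with a signature,
# and three that no signature in the list covers.
SAMPLE_REQUESTS = {
    "benign": b"GET /index.html?id=42 HTTP/1.1\r\n",
    "known traversal": b"GET /../../etc/passwd HTTP/1.1\r\n",
    "encoded traversal": b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n",
    "bogus method": b"TRACK / HTTP/1.1\r\n",
    "overlong": b"GET /" + b"A" * 4096 + b" HTTP/1.1\r\n",
}


def compare(requests=SAMPLE_REQUESTS):
    """Return {name: (negative_allows, positive_allows)} for each sample line."""
    return {
        name: (negative_model_allows(r), positive_model_allows(r))
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, (neg, pos) in compare().items():
        print(f"{name:18s} negative={str(neg):5s} positive={pos}")
```

Only the benign line passes both checks. The literal traversal is caught by both, but the percent-encoded traversal, the unknown method and the overlong line sail through the signature list, because nobody has written a signature for them, while the grammar rejects all three without ever having heard of the attacks. That asymmetry is the cost of the negative model the post describes; the cost of the positive model is that the grammar has to be tight enough to reject and loose enough not to break legitimate clients, which is a policy decision per protocol rather than a vendor-supplied list.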
Current thread:
- Re: Netscreen firewalls Stephen Gill (Dec 17)
- <Possible follow-ups>
- Re: Netscreen firewalls Stephen Gill (Dec 19)
- Re: Netscreen firewalls Montgomery, Scott (Dec 21)