Post on 18-Dec-2015
transcript
Page: 1
NetScreen Technologies
Innovative Technologies Applied for Network Security
Page: 2
Agenda
• Security Innovation
• Unique Architectures
• Threats and Responses
• VPN leadership
• Total cost of ownership
• Application scenarios
  – High speed Internet
  – Firewall and VPN Central Site
  – Medium Enterprise
  – Large Enterprise
  – Enterprise Data Centre
  – Internet Data Centre
  – Multi Department Security
  – Campus Security
• VPN and Security Management
Page: 4
Complete VPN Functionality
Complete remote access (RA) VPN support
– Remote VPN client
– Security Client: personal firewall + VPN
– ANG for centralized user authentication
– Certificate and smart card support
– Compatibility with Certicom PDA client
Robust connectivity for major sites
– Active-Active HA
– Redundant gateway VPN tunnels
– VPN monitoring
– Full mesh
– OSPF and BGP routing
– Virtual Systems
– 3DES and AES encryption with ASIC acceleration
– Traffic management
– FIPS and ICSA certified
Cost effective remote site VPN
– Complete range of hardware
– Hub and spoke or full mesh VPN
– NAT Traversal
– VPN dial backup
Easy deployment and network integration
– NAT, NAT-T, Transparent Mode
– Device or policy based management
– NAT, DHCP, PPPoE
– Integrated firewall
Comprehensive management
– Policy based management
– VPN monitoring
– Detailed reporting and trending
Comprehensive authentication support
– PKI (VeriSign, ...)
– RADIUS
– LDAP
– XAUTH
– SecurID
Diagram labels: Internet, Global PRO
Page: 5
Firewall with High Speed Internet
Firewall
– Private network perceived as "secure"
– RAS for mobile / home office
– WAN access over multiple T1s (>1.5 Mbps)
– Promotional web site
– All employees "trusted" and able to access all parts of the network
• NetScreen delivers: increased security, easier support, higher performance and scalability, cost effective solution
Diagram labels: Internet, Corp HQ, DMZ, Private Network, PSTN (1-800), RAS
Page: 6
VPN Intranet & Central Site Firewall
Remote Access VPN
• Private and dial network replaced by VPN intranet
• Remote VPN devices provide additional security because they are also firewalls
• Central firewall turns on VPN
Central Site VPN Acceleration
• Central firewall unable to handle VPN traffic and needs acceleration
• NetScreen device used for VPN termination
• Leverage advanced features, e.g. hub and spoke
Firewall/VPN Consolidation
• NetScreen replaces the existing firewall, removing an unnecessary duplication of costs (maintenance, admin and support)
Diagram labels: Internet, Corp HQ, NetScreen-Global PRO
Page: 7
Medium Enterprise: Serious Traffic (web) and VPN Requirements
Integrated VPN, FW and Traffic Management
– VPN
  • No special licenses or additional hardware
  • >100 remote sites or RA users
  • Class leading VPN for central site: 1,000 tunnels and 185 Mbps 3DES
– Firewall
  • Stateful inspection FW, NAT, PPPoE and DHCP client, server and relay
  • Class leading FW for central site: 100K+ sessions and 19K ramp rate (new sessions per second)
– Traffic Management
  • Reduce bandwidth for non-business critical traffic
  • Better utilize / reduce expensive WAN bandwidth
– High Availability
  • Stateful failover of FW and VPN
Diagram labels: Internet, DMZ, T1 / SDSL etc., Web & Email Servers, NetScreen-Global PRO
Page: 8
Large Enterprise: Very High Traffic and VPN Requirements
Integrated VPN, FW and Traffic Management
– VPN
  • No special licenses or hardware
  • Thousands of remote sites or RA users
  • Class leading VPN for central site: 10K tunnels and 250 Mbps 3DES
– Firewall
  • Stateful inspection FW, NAT, PPPoE and DHCP client, server and relay
  • Class leading FW for central site: 250K sessions and 22K ramp rate (new sessions per second)
– Traffic Management
  • Reduce bandwidth for non-business critical traffic
  • Better utilize / reduce expensive WAN bandwidth
– High Availability (Active-Active)
  • Stateful failover of FW and VPN
Diagram labels: Internet, DMZ, Regional Office, Branch Office, Small Office, Web & Email Servers, NetScreen-Global PRO
Page: 9
Multi-Department Security
Traditional solution
• Multiple firewalls required to provide internal security
NetScreen-500 solution
• Virtual Systems employed to provide departmental security
• Can also be used for additional DMZs, security domains and for extranets
• Trust limited to "need to know" employees
Diagram labels: Internet, Corp HQ, Finance Dept, M & A Group, Engineering Dept, DMZs
Page: 10
Multi-Department with Remote Users
• Firewall
– Traffic sent to the Finance dept is firewalled by the Finance Vsys
– The Finance SOHO worker is firewalled from the Internet
• VPN
– Remote finance workers' VPN connections terminate in the Finance Virtual System
– Essentially extending the finance intranet to include those workers
Diagram labels: Internet, Corp HQ, DMZs, Finance Dept, Finance Vsys, Finance Dept mobile worker, Finance Dept remote worker
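The two slides above describe the property that makes virtual systems useful for departmental security: each vsys has its own rule base, so traffic aimed at Finance is judged only by Finance's policies, and a remote worker whose tunnel terminates in the Finance vsys is treated as part of the Finance intranet. The model below is an added illustration written for this page, not NetScreen or ScreenOS code; the vsys names, zone names, address ranges (10.1.0.0/16 for Finance, 10.2.0.0/16 for Engineering, 172.16.50.0/24 as the remote VPN pool), the vsys classification rule and the policy tuple format are all assumptions.

```python
"""Toy model of per-department Virtual Systems (vsys) on one firewall.

Added illustration, not NetScreen/ScreenOS code. The vsys names, zones,
address ranges, the vsys classification rule and the policy syntax are
assumptions chosen to show the property the slides describe: a packet
bound for Finance is judged only by the Finance vsys's own policy set,
and anything that vsys does not own (the Internet or another department)
lands in the shared Untrust zone, where nothing is permitted by default.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

UNTRUST = "Untrust"  # shared zone: the Internet and every other vsys


@dataclass
class Policy:
    from_zone: str   # zone name, or "any"
    to_zone: str
    src: str         # CIDR, or "any"
    dst: str
    service: str     # "tcp/443", "udp/500", ... or "any"
    action: str      # "permit" or "deny"

    def matches(self, fz: str, tz: str, src: str, dst: str, svc: str) -> bool:
        def zone_ok(want: str, have: str) -> bool:
            return want in ("any", have)

        def net_ok(want: str, have: str) -> bool:
            return want == "any" or ip_address(have) in ip_network(want)

        return (zone_ok(self.from_zone, fz) and zone_ok(self.to_zone, tz)
                and net_ok(self.src, src) and net_ok(self.dst, dst)
                and self.service in ("any", svc))


@dataclass
class Vsys:
    name: str
    zones: Dict[str, List[str]]                 # zone -> subnets it owns
    policies: List[Policy] = field(default_factory=list)

    def zone_of(self, ip: str) -> Optional[str]:
        for zone, nets in self.zones.items():
            if any(ip_address(ip) in ip_network(n) for n in nets):
                return zone
        return None

    def decide(self, src: str, dst: str, svc: str) -> str:
        fz = self.zone_of(src) or UNTRUST      # not ours -> untrusted
        tz = self.zone_of(dst) or UNTRUST
        for p in self.policies:                 # first match wins
            if p.matches(fz, tz, src, dst, svc):
                return p.action
        return "deny"                           # implicit default deny


class Device:
    """One chassis hosting several vsys, each with its own rule base."""

    def __init__(self, vsyss: List[Vsys]):
        self.vsyss = vsyss

    def classify(self, src: str, dst: str) -> Optional[Vsys]:
        # Assumed rule: the vsys owning the destination handles inbound
        # traffic; otherwise the vsys owning the source handles outbound.
        for v in self.vsyss:
            if v.zone_of(dst):
                return v
        for v in self.vsyss:
            if v.zone_of(src):
                return v
        return None

    def decide(self, src: str, dst: str, svc: str) -> str:
        v = self.classify(src, dst)
        return f"{v.name}:{v.decide(src, dst, svc)}" if v else "root:deny"


def build_device() -> Device:
    """Constructed example: Finance and Engineering share one NetScreen.
    Finance remote workers terminate their VPN in the Finance vsys, so
    their address pool (172.16.50.0/24, assumed) is a Finance-owned zone."""
    finance = Vsys("finance",
                   {"Trust": ["10.1.0.0/16"], "RemoteVPN": ["172.16.50.0/24"]},
                   [Policy("RemoteVPN", "Trust", "any", "any", "any", "permit"),
                    Policy("Trust", UNTRUST, "any", "any", "tcp/443", "permit")])
    engineering = Vsys("engineering", {"Trust": ["10.2.0.0/16"]},
                       [Policy("Trust", UNTRUST, "any", "any", "any", "permit")])
    return Device([finance, engineering])


if __name__ == "__main__":
    dev = build_device()
    for src, dst, svc in [("172.16.50.7", "10.1.1.10", "tcp/445"),   # Finance VPN user -> Finance server
                          ("10.2.5.5", "10.1.1.10", "tcp/445"),      # Engineering -> Finance server
                          ("203.0.113.9", "10.1.1.10", "tcp/25"),    # Internet -> Finance server
                          ("10.1.1.10", "198.51.100.8", "tcp/443"),  # Finance -> Internet HTTPS
                          ("10.2.5.5", "198.51.100.8", "tcp/80")]:   # Engineering -> Internet
        print(f"{src:>13} -> {dst:<13} {svc:<8} {dev.decide(src, dst, svc)}")
```

The Engineering-to-Finance case is the one that matters: with a single flat firewall that host would be "trusted", but the Finance vsys has no permit from its Untrust zone, so the packet is dropped without any Engineering rule being consulted. A real ScreenOS deployment classifies traffic into a vsys by interface, VLAN tag or destination IP; the ownership rule here is a simplification of that.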
Page: 11
Enterprise or Campus Backbone
• Campus Gateway
– Performance = LAN speeds
– Segmentation: buildings, departments, servers and WLAN access points
– Multi-port: up to 24 GE, trunked links
– Vsys and VLANs mapped to the switch infrastructure
– GigE DMZs: web and email, department servers
– High Availability
Diagram labels: DMZs (Web, Email, Dept Servers), Bonded GE Links, Building A, Building B, Finance, Engineering
Page: 12
High Speed WAN Access (OC12/GE)
• Massive number of VPN connections: 1000s of remote/branch offices
• Large bandwidth single-tunnel VPN connections: fiber based metro services
• Large consolidated Internet access: high profile public presence
• Sophisticated HA: stateful FW and VPN
Diagram labels: 10,000s of VPN connections, Gigabits of VPN, Millions of hits
Page: 13
Enterprise Data Center
• High density and performance: up to 72 FE and 6 GigE, or 24 x GigE; superior small packet performance
• Internal attack prevention on every interface
• Every interface a security zone with a unique policy
• Stateful High Availability
• Bonded links to the disaster site, which can be encrypted
Page: 14
Internet Data Center
• Dedicated VPN and/or FW solution
• High bandwidth FW and VPN without load balanced security devices
• Additional back end or database security
• High performance multi-customer solution
• Reduced capital cost, rapid deployment, low support burden
• Differentiated services, customer site VPN
• High speed VPN between data centers
Diagram labels: Internet; Trust / Untrust; NS-5200 (Firewall & VPN) in front of Shared Hosting / Core Systems (VLAN 1) with Front End / Back End pairs on VLAN 2 / VLAN 3 and VLAN 4 / VLAN 5; Customers, www Access; Customer Access (VPN) via NetScreen Remote, 5, 25, 200 or low end dedicated; dedicated Front End / Back End behind NetScreen 25 and NetScreen 200; NetScreen 500 with Vsys #1, Vsys #2, Vsys #3; Mirrored Data Center
Page: 15
Anti-Virus: NetScreen-Trend CSP Solution
1: Email packet arrives at the NetScreen device; NetScreen begins hijacking the TCP connection
2: NetScreen buffers the beginning of the email session and creates a CSP session with the InterScan server
3: Email data continues to flow in and is passed to InterScan via CSP
4: InterScan receives the entire email session, including the file, scans the file and replies with the scan result
5: NetScreen creates an email session with the destination email gateway
Legitimate traffic still allowed
Diagram labels: Internet, CSP, InterScan
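The five steps above are a store-and-forward scanning proxy: the device must hold the whole SMTP DATA phase, attachment included, before the scanner can return a verdict, and only a clean verdict opens the session to the real gateway. The code below is an added illustration written for this page, not NetScreen or Trend Micro code. The scan_blob() function is a stand-in for InterScan and only recognises the EICAR test string (the standard harmless anti-virus sample); the SMTP session, the sender and recipient addresses and the attachment name are constructed.

```python
"""Store-and-forward mail scanning in the shape of the CSP flow above.

Added illustration, not NetScreen or Trend Micro code. scan_blob() is a
stand-in for the InterScan server and only recognises the EICAR test
string; the SMTP DATA phase is constructed inline. The point it shows:
the proxy must hold the whole message, attachment included, before it
can get a verdict, and only a clean verdict opens the session to the
real mail gateway.
"""
import base64
import email
from email import policy
from typing import Iterable, List, Tuple

EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def collect_data(lines: Iterable[str]) -> List[str]:
    """Buffer the SMTP DATA phase up to the lone '.' terminator, undoing
    the dot-stuffing of RFC 5321 section 4.5.2 on the way (a line sent as
    '..x' was '.x' in the message). Nothing is released downstream until
    the terminator arrives."""
    body: List[str] = []
    for line in lines:
        if line == ".":
            return body
        body.append(line[1:] if line.startswith("..") else line)
    raise ValueError("DATA phase ended without terminator")


def scan_blob(data: bytes) -> str:
    """Stand-in for the external scanner (assumption): 'infected' when the
    EICAR marker is present, else 'clean'."""
    return "infected" if EICAR.encode() in data else "clean"


def scan_message(raw: str) -> Tuple[str, List[str]]:
    """Decode every MIME leaf (so a base64 attachment is scanned as the
    bytes a user would save, not as its encoded form) and report which
    parts were flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    flagged: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if scan_blob(payload) == "infected":
            flagged.append(part.get_filename() or part.get_content_type())
    return ("infected" if flagged else "clean"), flagged


def relay_decision(session_lines: Iterable[str]) -> str:
    """Steps 2-5 of the slide: buffer, hand the complete message to the
    scanner, then either open the session to the destination gateway
    ('forward') or drop it, naming the offending part."""
    raw = "\r\n".join(collect_data(session_lines))
    verdict, flagged = scan_message(raw)
    return "forward" if verdict == "clean" else "drop:" + ",".join(flagged)


def build_session(attachment: bytes) -> List[str]:
    """Constructed DATA phase: one text part plus one base64 attachment."""
    return [
        "From: alice@example.test",
        "To: bob@example.test",
        "Subject: quarterly report",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "..this line began with a dot, so it arrives dot-stuffed",
        "--b1",
        "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="report.com"',
        "Content-Transfer-Encoding: base64",
        "",
        base64.b64encode(attachment).decode(),
        "--b1--",
        ".",            # end of DATA; the scanner can now see everything
        "QUIT",         # belongs to the next phase, must not be buffered
    ]


if __name__ == "__main__":
    print(relay_decision(build_session(b"plain numbers, nothing to see\n")))
    print(relay_decision(build_session(EICAR.encode())))
```

Two details carry over to any inline scanner of this kind: scanning must happen on the decoded attachment rather than on the base64 text on the wire, and the buffer must stop exactly at the DATA terminator so that later commands on the same TCP connection are neither swallowed nor scanned as message content.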
Page: 16
NetScreen-Global PRO Express & NetScreen-Global PRO Architecture
• Global PRO & Global PRO Express
– Complete turnkey management solution
– Configuration/policy management, real time monitoring
– Integrated NetScreen-Remote VPN client management
– Multi-admin / role-based admin
– Pre-installed and configured on a Sun Netra server
• Global PRO
– Sophisticated historical reporting
– Log data correlation/reduction
– Designed to scale to 10,000 devices
– Extensible web-based report templates; 3rd party report integration, e.g. HP/OV (OpenView)
Diagram labels (Global PRO Deployments): Global PRO UI (Monitoring, Configuration); Policy Manager server; Historical Report Server (Monitoring, Reporting); Data Collector(s); Oracle DB
Page: 17
Global PRO Deployments: Point & Click Policy Management
• Ability to add devices or users to the network quickly and easily
• All required VPN and firewall rules are created automatically
• Allows for rapid response to attacks
• Quickly create full mesh, hub and spoke, and site-to-site VPNs
Diagram: new device added to a policy group; firewall and VPN policies automatically applied to the new device; all boxes in the VPN updated with the new configurations. Labels: DMZ, Regional Offices, Small Offices / Branch Offices, Teleworkers, Web & Email Servers, Internet, Remote Users, NetScreen-Global PRO
Page: 18
Global PRO Deployments: Managing Remote Client VPN Policies
• Remote user launches the NetScreen-Remote login to connect
– User authenticates to NetScreen-Global PRO or NetScreen-Global PRO Express
– External authentication servers may be queried
• User's VPN policy securely downloaded to the NetScreen-Remote client via SSL
• VPN tunnels established to NetScreen devices
• Upon logout, VPN policy and keys are purged from the user's PC
• Add new users through RADIUS
Improved in Global PRO 3.1
Diagram: users authenticate to NetScreen-Global PRO; external authentication server queried (RADIUS Server, NT Domain); user's policy retrieved over SSL; VPN tunnels established. Labels: Internet, DMZ, Web & Email, Private LAN, NetScreen-Remote Users, NetScreen-Global PRO
Page: 19
Global PRO Deployments: Threat Mitigation, Analysis & Response
• Suspicious activity detected via the NetScreen-Global PRO Real-time Monitor
• Push the appropriate "Deny" policy to all devices
• Assess and analyze the threat
• Push out new or revised security policies
Diagram labels: DMZ, Regional Offices, Branch Offices, Remote Offices, Web & Email Servers, Internet, Remote Users, NetScreen-Global PRO, Hacker
Page: 20
NetScreen's Security Product Line
(Throughput: M = Mbps, G = Gbps)

Product              Max Throughput              Max Sessions    Max # VPN Tunnels  Max # Policies  Max # Vsys  HA
NetScreen-5400       12G FW & 6G VPN             1,000,000       25,000             40,000          500         Yes (A/P*)
NetScreen-5200       4G FW & 2G VPN              1,000,000       25,000             40,000          500         Yes (A/A)
NetScreen-500        700M FW & 250M VPN          250,000         10,000             20,000          25          Yes (A/A)
NetScreen-204/208    550M/400M FW & 200M VPN     128,000         1,000              4,000           NA          Yes (A/A)
NetScreen-100        200M FW & 185M VPN          128,000/64,000  1,000              4,000           NA          Yes (A/A)
NetScreen-50         170M FW & 50M VPN           8,000           100                1,000           NA          Yes (A/P)
NetScreen-25         100M FW & 20M VPN           4,000           25                 500             NA          No
NetScreen-5XT        70M FW & 20M VPN            2,000           10                 100             NA          No
NetScreen-5XP        20M FW & 13M VPN            2,000           10                 100             NA          No
NetScreen-Remote     Varies by PC                NA              1                  NA              NA          No
(VPN & Security Clients)

A/A = Active-Active High Availability; A/P = Active-Passive High Availability
* To be updated to Active-Active in 1H CY03
Page: 21
NetScreen: Scalable Security Solutions