Copyright Double Click Solutions Limited 2003. All trademarks acknowledged. Last updated August 2004


Netscreen 5000 Series

At a glance
Multi-function security system
Integrated network security solution with stateful inspection firewall, robust Denial of Service (DoS) protections, high performance IPSec VPN, and traffic management capabilities

Modular, chassis-based systems
Family of purpose-built, high performance, integrated security systems offering flexible and scalable solutions for large enterprises and carriers

Industry leading performance
Firewall performance scales to 12 Gbps and VPN performance to 6 Gbps

Virtualization
Logical partitioning of the system into separate entities for traffic, policy, and management segmentation enables multi-departmental or multi-customer security enforcement from a single system

Product overview
The NetScreen-5000 Series is a line of purpose-built, high-performance security systems designed to deliver a new level of high-performance capabilities for large enterprise, carrier, and data center networks. The NetScreen-5000 Series consists of two products, the 2-slot NetScreen-5200 and the 4-slot NetScreen-5400. The NetScreen-5000 Series security systems integrate firewall, DoS and DDoS protection, VPN, and traffic management functionality in low-profile modular chassis.
Built around NetScreen’s third generation security ASIC and distributed system architecture, the NetScreen-5000 Series offers excellent scalability and flexibility while providing high levels of security through NetScreen’s custom operating system, NetScreen ScreenOS. The NetScreen-5000 Series employs a switch fabric for data exchange and separate multi-bus channel for control information, delivering scalable performance for the most demanding environments.

NetScreen’s GigaScreen-II ASIC
NetScreen’s third-generation security ASIC, the GigaScreen-II, is capable of independent operation and can provide advanced functionality at gigabit throughput rates as a full packet processing engine, including packet parsing, classification, encryption, decryption, Network Address Translation (NAT) and session matching. Combined with its ability to connect directly to internal switch fabrics, the GigaScreen-II delivers a truly scalable security solution in NetScreen-5000 systems.

Secure Port Modules (SPM)
The NetScreen-5000 Series offers two Secure Port Modules, the 8 GigE SPM and the 2 GigE 24FE SPM, providing highly flexible solutions for varying network requirements. Both modules are built around the GigaScreen-II ASIC to provide accelerated stateful inspection firewall and IPSec VPN capabilities. Individual ports may also be combined into trunk groups using Link Aggregation to deliver multi-gigabit connections to adjacent network elements.

Management module
Each product in the NetScreen-5000 Series is equipped with a management module providing overall control and configuration of the system. Access to management functions is provided through two serial ports and one 10/100 Ethernet port dedicated to management functions. Comprehensive management options may also be accessed in-band through one or more interfaces on the secure port modules. The management module additionally provides external compact flash for general storage of logs, configurations, and firmware images, as well as two dedicated GigE ports for High Availability (HA) traffic when used in redundant network topologies.

NetScreen ScreenOS
NetScreen ScreenOS firmware powers the entire system. At its core is a custom-designed, real time operating system built from the outset to deliver a very high level of security and performance. ScreenOS provides an integrated, easy-to-use platform for its many functions, including:

    ICSA certified stateful inspection firewall
    ICSA certified IPSec VPN gateway
    Virtualization of security, network, and management functions
    High Availability to ensure maximum network reliability
    Rich set of management interfaces, including CLI, WebUI, and centralised management
    Transparent, Route, and NAT modes and VLAN support to ease integration of security into existing networks

Comprehensive management
NetScreen’s security systems include robust management capabilities, allowing network administrators to securely and cost-effectively manage up to 10,000 devices and thousands of remote VPN clients. Since VPN functionality is built in, all management traffic can be encrypted for truly secure remote management. Management capabilities and features include:

    Browser-based management with the built-in WebUI (HTTP and HTTPS)
    Command Line Interface (CLI) accessible via Secure Command Shell (SSH v1.5 compatible), Telnet, and console port
    E-mail alerts, SNMP alarms
    Integration with Syslog or WebTrends™ for external logging, monitoring, and analysis
    Up to 20 administrators with three levels of access: root admin, admin, and read-only, with more granular control available when used in conjunction with NetScreen’s policy based management, NetScreen-Global PRO and NetScreen-Global PRO Express
    A unique administrative login per Virtual System, allowing a root administrator to partition management access to the WebUI or CLI
    Policy-based centralised management and monitoring using NetScreen-Global PRO or NetScreen-Global PRO Express*
    (*Supported with the NetScreen-5200 8G today; support for the NetScreen-5200 2G24FE and the NetScreen-5400 is planned)

Firewall

NetScreen’s full-featured firewall uses stateful inspection-based technology to provide security against external and internal attacks. All interfaces – physical and virtual – support Denial of Service (DoS) and attack mitigation features. This provides added flexibility and security for today’s networks through:
    Fully integrated solution with security-optimized hardware, operating system, and firewall, providing a higher level of security and performance than loosely coupled software-based solutions
    Extensive DoS and attack prevention capabilities, including SYN attack, ICMP flood, Port Scan, and others; combined with hardware-accelerated session initiation, this provides protection even in high-stress network environments
    Route mode – standard Layer 3 mode of operation
    NAT and Port Address Translation (PAT) – which shield internal, non-routable IP addresses
    Transparent mode – where the device functions as a Layer 2 IP security bridge

Virtual Private Network (VPN)
In addition to a stateful inspection firewall, the NetScreen-5000 Series is a full-featured VPN solution. VPN tunnels can be initiated and/or terminated on any interface, allowing advanced VPN deployments, such as securing wireless LANs with IPSec for encryption and authentication. The integrated nature of the ScreenOS allows VPN traffic to be fully inspected after decryption and then encrypted again, if necessary, for final delivery. The NetScreen-5000 Series delivers robust VPN solutions, providing support for redundant, reliable IPSec VPN networks (in addition to High Availability between two devices), including:

    Redundant VPN gateways, allowing an administrator to configure multiple gateway definitions for a given VPN tunnel with automated fail-over of gateways when one becomes unreachable
    VPN tunnel interfaces allowing dynamic routing to choose the appropriate tunnel based on routing decisions
    Comprehensive remote access VPN support, including support for XAUTH for user authentication of dial-up users

Virtualization (Virtual Systems, VLANs, and Security Zones)

NetScreen’s security systems provide several virtualization features allowing logical partitioning of the system into separate security domains for traffic, policy, and management separation. Traffic segmentation is achieved at the interface level, through 802.1Q VLANs, or with IP address subnets. Security Zones group interfaces (both virtual and/or physical) into an internal, logical network. Policies are then applied between zones or within each Security Zone between interfaces. Virtual Systems add an additional layer of segmentation, allowing the NetScreen-5000 Series to be partitioned into multiple security domains, each with a unique set of administrators, policies, VPNs, and address books. Together, these virtualization techniques allow multiple customers or enterprise departments to be secured by a single system for simplified deployment and management without sacrificing the security of separate devices.
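A worked illustration of the zone model described above, added here and not taken from the datasheet or from ScreenOS itself: interfaces (including 802.1Q VLAN sub-interfaces on one physical port) are mapped to Security Zones, a first-match policy lookup is made between the source and destination zone, unmatched inter-zone traffic is denied, and intra-zone traffic falls back to a configurable default. The interface names, addresses, services, policy ordering and default behaviour are all constructed assumptions for the model.

```python
"""Model of zone-based segmentation (constructed example, not ScreenOS code).
Assumptions: policies are evaluated first-match in list order; traffic between
two zones with no matching policy is denied; traffic within one zone follows
the configurable intrazone_default unless an explicit intra-zone policy matches."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    service: str   # e.g. "tcp/443", or "any"
    action: str    # "permit" or "deny"

    def matches(self, from_zone, to_zone, src_ip, dst_ip, service):
        def in_scope(cidr, ip):
            return cidr == "any" or ip_address(ip) in ip_network(cidr)
        return (self.from_zone == from_zone and self.to_zone == to_zone
                and in_scope(self.src, src_ip) and in_scope(self.dst, dst_ip)
                and self.service in ("any", service))


# Constructed sample: physical ports and VLAN sub-interfaces grouped into zones.
ZONE_OF_INTERFACE = {
    "ethernet1/1": "Untrust",
    "ethernet2/1.10": "Trust",   # 802.1Q VLAN 10 sub-interface
    "ethernet2/1.20": "DMZ",     # 802.1Q VLAN 20 on the same physical port
    "ethernet2/2": "Trust",      # second physical port in the Trust zone
}

# Constructed sample policy set; order matters (first match wins).
POLICIES = [
    Policy("Untrust", "DMZ", "any", "192.0.2.0/24", "tcp/443", "permit"),
    Policy("Trust", "DMZ", "10.1.0.0/16", "any", "any", "permit"),
    Policy("Trust", "Untrust", "any", "any", "any", "permit"),
]


def evaluate(in_if, out_if, src_ip, dst_ip, service, intrazone_default="permit"):
    """Return (action, reason) for a flow between two interfaces."""
    from_zone, to_zone = ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if]
    for policy in POLICIES:
        if policy.matches(from_zone, to_zone, src_ip, dst_ip, service):
            return policy.action, f"policy {from_zone}->{to_zone} {policy.service}"
    if from_zone == to_zone:
        return intrazone_default, f"intra-zone {from_zone} default"
    return "deny", f"no policy {from_zone}->{to_zone} (default deny)"
```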

High Availability
The NetScreen-5000 Series provides the most comprehensive integrated High Availability solution available for security solutions today. With the NetScreen Redundancy Protocol (NSRPv2), the NetScreen-5000 Series can be deployed in fully meshed network environments as well as in Active/Active (load sharing) redundancy groups with stateful firewall and VPN fail-over. Benefits include:

    Sub-second fail-over between interfaces or devices
    Active/Active provides for higher burst capacity than Active/Passive, and ensures both devices are working properly and passing traffic
    Full mesh configurations allow for redundant physical paths in the network
    Provides leaderless clustering to prevent a single point of failure
Note: Active/Active High Availability is available with ScreenOS 4.0

Traffic Management
The NetScreen-5000 provides hardware rate limiting for each secure port module interface, allowing network administrators to ensure that bandwidth is properly shared at aggregation points in the network. The DiffServ stamp in IP headers can be set under policy control, allowing the classification engine to provide QoS information about individual packets to the remainder of the network.


NetScreen product warranty and services
NetScreen’s standard warranty provides one year of hardware support and 90 days of software support. A portfolio of annual maintenance offerings is available and is recommended to ensure the system is kept updated with the latest software enhancements and to ensure high availability for end users. NetScreen also offers training and certification programs as well as Professional Services for consulting, installation, and configuration support.