
NetScreen 500 Series

At a glance

- Multi-function Security System: Integrated network security solution with stateful inspection firewall, robust DoS protections, high-performance IPSec VPN, and traffic management capabilities
- Modular, Flexible System: Purpose-built, high-performance, integrated security system offering flexible and scalable solutions for medium to large enterprises and carriers
- Reliable Performance: Firewall performance scales to 700 Mbps and 3DES VPN performance to 250 Mbps, even under heavy traffic, large concurrent sessions, or a large number of VPN tunnels
- Virtual Systems: Logical partitioning of the system into separate firewall and/or VPN domains for traffic, policy, and management segmentation enables multi-departmental or multi-customer security enforcement from a single system

Product overview

The NetScreen-500 is a purpose-built, high-performance security system designed to provide a flexible, high-performance solution to medium and large enterprise central sites and service providers. The NetScreen-500 security system integrates firewall, VPN, and traffic management functionality in a low-profile, modular chassis. The NetScreen-500 is built around NetScreen’s custom, purpose-built GigaScreen ASIC, which provides accelerated encryption algorithms and policy lookups. In addition, there are two high-speed buses to off-load management traffic from application traffic processing. This prevents High Availability and other management traffic from impacting throughput performance.

NetScreen’s GigaScreen ASIC

NetScreen’s GigaScreen security ASIC accelerates the firewall policy lookups and encryption and authentication algorithms in hardware, which is a significantly faster approach than in software and one that frees the CPU to manage data flow. This security-accelerating ASIC is tightly integrated with NetScreen’s ScreenOS system software to eliminate unnecessary software layers and security holes found in security products built on general-purpose commercial operating systems.

Built-in management

The NetScreen-500 security system provides many built-in hardware features to enable extensive management of the device. Integral to the NetScreen-500 are two 10/100 Fast Ethernet High Availability (HA) interfaces, an out-of-band 10/100 Fast Ethernet management interface, a DB-9 console port, and a DB-9 modem port for an external modem. In addition, there is a built-in PCMCIA card for extra storage of additional configuration files and log files, and an LCD for device configuration and monitoring.

Interface modules

Three different interface modules are available on the NetScreen-500, designed to provide interface flexibility for varying network connectivity requirements and future growth requirements:

- Dual port, 10/100 Fast Ethernet
- Single port, GBIC optical gigabit Ethernet
- Dual port, mini-GBIC optical gigabit Ethernet

NetScreen ScreenOS

NetScreen ScreenOS firmware powers the entire system. At its core is a custom-designed, real time operating system built from the outset to deliver a very high level of security and performance. ScreenOS provides an integrated, easy-to-use platform for its many functions, including:

- ICSA certified stateful inspection firewall
- ICSA certified IPSec VPN gateway
- Traffic Management capabilities for maximising limited bandwidth
- Virtualization of security, network, and management functions
- High Availability to ensure maximum network reliability
- Rich set of management interfaces, both internal and external
- Dynamic routing and VLAN support to ease integration of security into existing networks

Comprehensive management

NetScreen’s security systems include robust management capabilities, allowing network administrators to securely and cost-effectively manage up to 10,000 devices and thousands of remote VPN clients. Since VPN functionality is built-in, all management can be encrypted for truly secure remote management. Management capabilities and features include:

- Browser-based management with the built-in WebUI (HTTP and HTTPS)
- Command line interface (CLI) accessible via Secure Command Shell (SSH v1.5 compatible), Telnet, and console port
- E-mail alerts, SNMP alarms
- Integration with Syslog or WebTrends for external logging, monitoring, and analysis
- Up to 20 administrators with 3 levels of access: root admin, admin, and read-only, with more granular control available when used in conjunction with NetScreen’s policy based management, NetScreen-Global PRO and NetScreen-Global PRO Express
- A unique administrative login per Virtual System, allowing a root administrator to partition management access to the WebUI or CLI
- Policy-based centralised management and monitoring using NetScreen-Global PRO or NetScreen-Global PRO Express

Firewall

NetScreen’s full-featured firewall uses stateful inspection-based technology to provide security against external and internal attacks. All interfaces – physical and virtual – support Denial-of-Service (DoS) and attack-prevention features. This provides added flexibility and security for today’s networks through:

- Fully integrated solution with security-optimized hardware, operating system, and firewall providing a higher level of security and performance than loosely coupled software-based solutions
- Extensive DoS and attack prevention capabilities including SYN attack, ICMP flood, Port Scan, and others; combined with hardware-accelerated session initiation, provides protection even in high-stress network environments
- Network Address Translation (NAT), Port Address Translation (PAT) – which shield internal, non-routable IP addresses – as well as transparent mode, where the device functions as a Layer-2 IP security bridge

Virtual Private Network (VPN)

In addition to a stateful inspection firewall, the NetScreen-500 is a full-featured VPN solution. VPN tunnels can be initiated and/or terminated on any interface, allowing advanced VPN deployments, such as securing wireless LANs with IPSec for encryption and authentication. The integrated nature of the ScreenOS allows VPN traffic to be fully inspected after decryption and then encrypted again, if necessary, for final delivery. The NetScreen-500 delivers robust VPN solutions, providing support for redundant, reliable IPSec VPN networks (in addition to High Availability between two devices), including:

- Redundant VPN gateways, allowing an administrator to configure multiple gateway definitions for a given VPN tunnel with automated fail-over of gateways when one becomes unreachable
- VPN tunnel interfaces allowing dynamic routing to choose the appropriate tunnel based on routing decisions
- Comprehensive remote access VPN support, including support for XAUTH for user authentication of dial-up users

Traffic management

The NetScreen-500 empowers a network administrator to monitor, analyse, and allocate bandwidth utilised by various types of network traffic in real-time, helping to ensure that business-critical traffic isn’t impacted by web surfing or other non-critical applications. In service provider environments, this also allows an administrator to provide differentiated services when there is a shared connection. Traffic Management is configurable on a per policy basis, based on IP address, user, application, or time of day. For each policy, guaranteed bandwidth, maximum bandwidth, and prioritisation levels can be set. In addition, DiffServ packet marking is supported, allowing a NetScreen-500 to signal QoS to an MPLS network.

Virtualization (Virtual Systems, VLANs, and Security Zones)

NetScreen’s security systems provide several Virtualization features allowing logical partitioning of the system into separate security domains for traffic, policy, and management separation. Traffic segmentation is achieved at the interface level, through 802.1Q VLANs, or with IP address subnets and Virtual Systems. Security Zones group interfaces – both virtual and/or physical – into an internal, logical network. Policies are then applied between zones or within each Security Zone between interfaces. Virtual Systems add an additional layer of segmentation, allowing the NetScreen-500 to be partitioned into multiple security domains, each with a unique set of administrators, policies, VPNs, and address books. Together, these virtualization techniques allow multiple customers or enterprise departments to be secured by a single system for simplified deployment and management without sacrificing the security of separate devices.

High Availability

The NetScreen-500 provides the most comprehensive integrated High Availability solution available for security solutions today. With the NetScreen Redundancy Protocol (NSRPv2), the NetScreen-500 can be deployed in fully meshed network environments as well as in Active/Active (load sharing) redundancy groups with stateful firewall and VPN fail-over. Benefits include:

- Sub-second fail-over between interfaces or devices
- Active/Active provides for higher burst capacity than Active/Passive, and ensures both devices are working properly and passing traffic
- Full mesh configurations allow for redundant physical paths in the network
- Provides leaderless clustering to prevent a single point of failure

NetScreen product warranty and services

Every NetScreen product includes standard warranty features that assure the customer can deploy them confidently. E-mail based technical assistance is available on NetScreen appliances, systems and management products for one year. Hardware products come with a full year of standard RMA coverage in the unlikely event of failure. Both hardware and software products come with a short-term software service that provides any software feature releases or maintenance releases within 90 days of purchase.