Re: [fw-wiz] Netscreen firewalls

Several positives (I agree with Carson on the layer 2-4 aspect, NSCN is

- the transparent bridge mode is quite good, making the device truly
transparent to the network; there are a limited number of deployments where
this is useful, but where it is it's incredibly well thought out
- I like the UI better than CHKP (this isn't objective, just my two cents)
- the virtualization mode is also useful if you're trying to do separation
of functions, or so that you can back-charge different departments for their
throughput, etc. I think more xSP deployments would find this useful than
enterprise, but YMMV. If you're trying to conserve on devices/power/rack
space, virtualization is pretty groovy
- when you're doing nothing but packet forwarding, the performance is

Several negatives
- the default, out of the box transport mechanism is packet forwarding only,
you have to actually *enable* stateful packet inspection
- only the negative model of security can be enforced, meaning that a
comparison against a signature is typically the way that enforcement is
attempted; there is little to no way to enforce a positive model, meaning
that unless the traffic conforms to the intended protocol it isn't
supported; further, until someone somewhere has been compromised, signatures
don't typically exist which is fine unless you're the guy that causes the
signature to be created in the first place
- many of the inspection policies are global, meaning even if you want to
turn something on for only one rule, that's not possible; it's all or
nothing for every rule
- when using signatures the performance drops to nil; even on the 12Gb
throughput box the performance drops to sub 300 Mb, a 96% reduction in
performance (this is directly from their documentation and my field testing)
- call me a dinosaur but I still believe that a proxy is the best method for
enforcing perimeter security; you get separate TCP stacks for client and
server, preventing direct connections, allowing you to re-write the packet
according to your own needs and policies rather than whatever garbage the
client is trying to down or upload to your resources or as reply data into
your network, providing masking, etc

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Carson Gaspar
Sent: Friday, December 15, 2006 9:20 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Netscreen firewalls

--On Friday, December 15, 2006 12:43 PM -0500 Mike LeBlanc
<mlinfosec@xxxxxxxxxxx> wrote:

I'm looking for guidance on vulnerabilities/downsides to the Netscreen
firewalls. I am not looking to start a flamefest on Netscreen but simply am
looking for the downside. We currently are a cisco pix shop and have
monitoring and change management built around cisco. I have done a google on
Netscreen vulnerabilities and issues but didn't find much current data. Any
information is appreciated in advance, links to current data. Additionally if
you have personal experience, positive or negative, with Netscreen I would
like to hear it.. off list if so desired.

Thanks in advance for any information you can provide,

Mike LeBlanc, CISSP
VP/Infosec officer for multinational bank

Having done firewall evaluations for several multinational banks, NetScreen
is pretty much the best thing out there in packet filter land. Much better
than FW-1 and PIX, especially under heavy load. They're not perfect by any
means, but they have the best virtual firewall support I've seen, which
makes them great for consolidation projects or compartmentalizing your
rules to lower operational risk. Their routing support is pretty good as
well - if you have ethernet demarc'd WAN connections you can avoid paying
for a separate routing tier in many cases.

firewall-wizards mailing list