Product Review: Netscreen finds the zone

Netscreen Technologies Inc. has successfully competed with Check Point Software Technologies Ltd. in the firewall market due to its fast, easy-to-use, and cost-efficient firewall and VPN appliances. The release of Netscreen’s latest product line, the 200 series, makes the company an even stronger competitor. We tested the Netscreen 208, a firewall/VPN appliance aimed at midsize corporations or satellite offices.

The Netscreen 208 provides a wealth of security features that its forerunner, the Netscreen 100, lacked. Our old favourites are still here, including traffic-shaping capabilities, attack detection, and IPSec VPNs. But the Netscreen 208 also supports NAT Traversal, and it has eight ports that can be used for any function; the previously standard trusted ports, untrusted ports, and DMZ (demilitarized zone) ports are no longer required.

The Netscreen 208 also comes with the newest ScreenOS, Version 3.1. In addition to providing support for using any interface as a trusted port, untrusted port, or DMZ port, the unit allows administrators to implement attack blocking and terminate VPN tunnels on any port (not just the untrusted interface as in the past).

The most useful feature in the Netscreen appliance is the capability to define security zones to establish security parameters and policies for specific networks. For example, you may want an engineering network to be accessible only by systems on that network to help prevent unauthorized access to source code design drawings. You can enforce this by creating an engineering zone and applying a policy that does not allow inbound connections. Each network interface can be a separate security zone or several interfaces can be included in a single security zone.

To test the solution, we installed two Netscreen 208 devices in our labs, configured for fail-over.

Out of the box, the Netscreen 208 does not allow any inbound or outbound traffic through any security zone. So we first created a policy allowing outbound traffic from our trusted security zone to the untrusted Internet. We then created a policy allowing outbound traffic from our engineering security zone to the untrusted Internet and to our trusted network. Because we did not define a policy allowing inbound traffic from the trusted zone to the engineering zone, this traffic should not be allowed to pass – and indeed, when we attempted to access one of the systems in the engineering zone, Netscreen did not allow it. We then enabled user authentication through RADIUS (Remote Authentication Dial-In User Service) for the engineering zone, and the next time we tried to access the zone, we were prompted for our user ID and password.
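The zone model described above is easier to reason about as a lookup: each interface maps to a zone, a session is matched against the ordered list of (source zone, destination zone) policies, and anything unmatched is dropped. The following is an added illustration written for this review, not ScreenOS code or Netscreen's configuration syntax. The interface names, the zone names and the way authentication is modelled (a permit policy that returns "auth-required" until the user has authenticated against RADIUS) are assumptions chosen to reproduce the behaviour the test observed.

```python
"""Zone-based firewall policy lookup, modelled on the review's test setup.

Added example for illustration; not ScreenOS code. Interface names, zone
names and the Policy shape are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Interface-to-zone mapping (constructed). Any port may belong to any zone.
INTERFACE_ZONE: Dict[str, str] = {
    "eth0/1": "trust",
    "eth0/2": "engineering",
    "eth0/7": "untrust",
}


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    action: str             # "permit" or "deny"
    require_auth: bool = False  # models "enable user authentication" on a policy


# The three policies the review created, in order. Nothing here permits
# trust -> engineering, so that direction falls through to the default deny.
POLICIES: List[Policy] = [
    Policy("trust", "untrust", "permit"),
    Policy("engineering", "untrust", "permit"),
    Policy("engineering", "trust", "permit"),
]

# The same rule set after turning on RADIUS authentication for access into
# the engineering zone (assumed to be expressed as an authenticated permit).
POLICIES_WITH_AUTH: List[Policy] = POLICIES + [
    Policy("trust", "engineering", "permit", require_auth=True),
]


def evaluate(policies: List[Policy], ingress_if: str, egress_if: str,
             authenticated: bool = False) -> str:
    """Verdict for a NEW session entering on ingress_if and leaving on egress_if.

    Interface -> zone, then first matching (src_zone, dst_zone) policy wins.
    No match means "deny", the appliance's out-of-the-box state. Return traffic
    of an already permitted session is handled by state tracking, not by this
    lookup, which is why engineering -> trust being permitted does not open
    trust -> engineering for new connections.
    """
    src_zone = INTERFACE_ZONE[ingress_if]
    dst_zone = INTERFACE_ZONE[egress_if]
    for policy in policies:
        if policy.src_zone == src_zone and policy.dst_zone == dst_zone:
            if policy.action == "permit" and policy.require_auth and not authenticated:
                return "auth-required"   # user is prompted for credentials first
            return policy.action
    return "deny"  # implicit default: no policy, no traffic


if __name__ == "__main__":
    # Walk through the review's sequence of checks.
    print("trust -> untrust:", evaluate(POLICIES, "eth0/1", "eth0/7"))
    print("engineering -> trust:", evaluate(POLICIES, "eth0/2", "eth0/1"))
    print("trust -> engineering:", evaluate(POLICIES, "eth0/1", "eth0/2"))
    print("trust -> engineering (RADIUS on, not yet authenticated):",
          evaluate(POLICIES_WITH_AUTH, "eth0/1", "eth0/2"))
    print("trust -> engineering (RADIUS on, authenticated):",
          evaluate(POLICIES_WITH_AUTH, "eth0/1", "eth0/2", authenticated=True))
```

The point worth taking from the model is the asymmetry: permitting engineering-to-trust says nothing about trust-to-engineering, so an internal segment stays closed unless a policy explicitly opens it, which is exactly what the review's failed access attempt confirmed.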

We also tested Netscreen’s attack-detection capabilities. After enabling all attack detection on each interface, we launched a port scan against the untrusted interface and the Netscreen 208 quickly picked up on it.

Overall, the Netscreen 208 can detect about 28 different attacks, including port scans, SYN attacks, UDP floods, land attacks, ping sweeps and floods, and teardrop attacks.
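Port scans and ping sweeps, two of the attacks listed above, are typically detected the same way: count distinct destination ports (or destination hosts) seen from one source within a short window and alert when the count crosses a threshold. The following is an added example of that detection logic run over constructed connection records; it is not Netscreen's detector, and the record layout, the two-second window and the thresholds are assumptions.

```python
"""Threshold-based port-scan and ping-sweep detection over flow records.

Added example; not ScreenOS's implementation. Record format, window length
and thresholds are assumptions. Records are (ts_seconds, src, dst, dst_port, proto).
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Hashable, List, Tuple

Record = Tuple[float, str, str, int, str]

# Constructed sample traffic (RFC 5737 documentation addresses):
#  - 198.51.100.7 probes TCP ports 1..12 on one host, one every 100 ms
#  - 198.51.100.9 sends ICMP echo to six different hosts, one every 100 ms
#  - 192.0.2.5 is a normal client alternating between ports 443 and 80
SAMPLE_EVENTS: List[Record] = (
    [(0.1 * i, "198.51.100.7", "203.0.113.10", 1 + i, "tcp") for i in range(12)]
    + [(0.1 * i, "198.51.100.9", f"203.0.113.{1 + i}", 0, "icmp") for i in range(6)]
    + [(0.5 * i, "192.0.2.5", "203.0.113.10", 80 if i % 2 else 443, "tcp") for i in range(12)]
)


def _window_alerts(records: List[Record], key_fn: Callable[[Record], Hashable],
                   value_fn: Callable[[Record], Hashable], threshold: int,
                   window: float, kind: str) -> List[dict]:
    """Sliding-window count of distinct values per key; one alert per key."""
    recent: Dict[Hashable, Deque[Tuple[float, Hashable]]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r[0]):
        ts, key = rec[0], key_fn(rec)
        q = recent[key]
        q.append((ts, value_fn(rec)))
        while q and ts - q[0][0] > window:   # expire records older than the window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"kind": kind, "key": key, "distinct": len(distinct),
                           "start": q[0][0], "end": ts})
    return alerts


def detect_port_scans(events: List[Record], threshold: int = 10,
                      window: float = 2.0) -> List[dict]:
    """One source touching >= threshold distinct ports on one host within window."""
    return _window_alerts(events, key_fn=lambda r: (r[1], r[2]), value_fn=lambda r: r[3],
                          threshold=threshold, window=window, kind="port-scan")


def detect_ping_sweeps(events: List[Record], threshold: int = 5,
                       window: float = 2.0) -> List[dict]:
    """One source sending ICMP echo to >= threshold distinct hosts within window."""
    icmp = [r for r in events if r[4] == "icmp"]
    return _window_alerts(icmp, key_fn=lambda r: r[1], value_fn=lambda r: r[2],
                          threshold=threshold, window=window, kind="ping-sweep")


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS) + detect_ping_sweeps(SAMPLE_EVENTS):
        print(alert)
```

Both detectors share one windowed counter and differ only in what they key on and what they count, which is the usual shape of this family of checks. The normal client is never flagged because it only ever reaches two distinct ports, and each ICMP probe of the sweep touches a different host, so it never accumulates ports against any single destination.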

Finally, we configured HA (high availability) between our two Netscreen 208 devices. We defined one device as the primary and the second as the backup, configured to take over when the primary failed, and then started a continuous ping from a system in the engineering zone to a system in the trusted zone. We then disconnected the cable from the engineering interface and watched the backup Netscreen take over. Only one ping response failed.

The Netscreen 208’s ease of use, power, and flexibility make it an ideal security solution for any organization. With internal network security becoming more and more important, the Netscreen security zones make implementation and enforcement of an internal access policy relatively simple.


Netscreen 208

Business Case: Enforcing security policy is difficult, but this firewall/VPN appliance provides an easy, cost-effective means of doing so through the capability of creating security zones.

Technology Case: With the capability to configure security zones on each network interface as well as terminate VPN tunnels, the Netscreen 208 provides the flexibility and depth lacking in many security products on the market today.


+ Allows administrators to enforce policies through security zones

+ Provides flexible interface assignments


– None significant

Cost: US$14,995

Company: Netscreen;