Product review: NetScreen

NetScreen Technologies Inc.’s revamped Global Pro 3.0 management suite gives network professionals a way to simultaneously manage a network of NetScreen firewalls. While our tests show NetScreen hasn’t exactly hit a home run with this product, the company has managed to load the bases with some serious firewall and VPN management and configuration tools.

Released in November, Global Pro 3.0 takes network executives out of the tedious position of managing individual firewalls, and moves them into the realm of policy-based security management.

Until now, NetScreen had fallen behind competitors including Check Point Software Technologies Ltd., Avaya Inc., and Nokia Corp. because it didn’t offer centralized, policy-based configuration.

Global Pro 3.0 comes in two flavours. The Express version, which we evaluated, can manage up to 100 devices. This version lacks some of the aggregate reporting tools available in the higher-end full version, which scales up to 10,000 devices, sports an Oracle database back-end and offers some fault tolerance.

For the Global Pro Express 3.0, you get quite a bit of management machinery for US$6,000. It comes standard on a dedicated Sun Microsystems Inc. Netra T1 server with a 500MHz processor and 512MB of RAM. To install, hook up a terminal and give it an IP address. The management server comes prebuilt with its own firewall and can be placed anywhere inside your network.

Management is controlled from any Windows NT 4.0 or Windows 2000 system. The Management Server has a small Web server installed, largely to feed Windows the Java-based management graphical user interface (GUI) that communicates with the management server. We drove the GUI from a dual 650MHz Win 2000 system with 512MB of RAM. Things weren’t intolerably slow, but with that much hardware underneath the hood, it should have provided a better showing.

When we started to dump firewalls into the management system, there was no way to import the current configuration from an existing firewall. Existing NetScreen customers with complex configurations might find this aggravating.

Security policies are key to Global Pro 3.0. There are 13 types of security policies, ranging from the prosaic (such as where to send SYSLOG messages) to the critical (such as what traffic gets in and what traffic does not). Policies are defined using a simple interface and then applied to as many firewalls or firewall groups as you’d like.

We defined a policy listing all our corporate mail servers and stating that the Internet could connect to our corporate mail servers, but only for the purpose of sending us mail (that is, SMTP only). The policy also let the mail servers send mail out to the Internet. Once the policy was defined, we used the policy editor to add the relevant firewall groups to it, pushed the changes, and we were done.

The beautiful thing about NetScreen’s policy-based management is that if a new firewall is added to one of the groups already attached to the policy, Global Pro 3.0 automatically builds a configuration for that firewall that includes all the policies for that group. The same is true of changes to a policy. If a new mail server were added, all it would have taken was a single push to make every affected firewall aware of the change.

VPN Configuration a Dream

One of the areas where Global Pro 3.0 really steps up to the plate is in building large VPNs. To build a mesh or hub-and-spoke VPN, select all of the protected networks, add them into the VPN, specify Internet Key Exchange and IP Security policies, and you’re done. Global Pro 3.0 already knows which gateways protect which networks based on the configuration information provided when the firewall was installed, and downloads appropriate policies to each one.
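The bookkeeping behind that workflow, as an added example rather than anything from Global Pro itself: the management system holds a table of which gateway protects which network, the administrator selects networks and a topology, and the tool derives every gateway pair that needs a tunnel and the per-gateway IKE/IPsec policy (local subnets, remote subnets, peer address). The gateway names, addresses, subnets and proposal names are constructed for the example; the code also handles the case of two networks behind one gateway, which must share a tunnel rather than get a tunnel to themselves.

```python
"""Derive per-gateway VPN tunnel policies from selected protected networks.

Added example, not Global Pro code.  Inventory, addresses and IKE/IPsec
proposal names below are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Constructed inventory: network -> gateway that protects it.  In the
# product this mapping is learned when each firewall is installed.
PROTECTS = {
    "10.1.0.0/16": "fw-hq",
    "10.1.200.0/24": "fw-hq",      # second subnet behind the same gateway
    "10.2.0.0/16": "fw-east",
    "10.3.0.0/16": "fw-west",
}
GATEWAY_IP = {"fw-hq": "203.0.113.1", "fw-east": "198.51.100.1", "fw-west": "192.0.2.1"}

# Constructed, era-appropriate proposals shared by every tunnel in the VPN.
IKE = {"phase1": "pre-g2-3des-sha", "phase2": "g2-esp-3des-sha", "lifetime": 3600}


def gateway_pairs(networks, topology, hub=None):
    """Gateway pairs that need a tunnel.

    mesh: every pair of distinct gateways.  hub-and-spoke: the hub to each
    other gateway.  Networks behind the same gateway collapse to one gateway,
    so a gateway never gets a tunnel to itself.
    """
    gws = sorted({PROTECTS[n] for n in networks})
    if topology == "mesh":
        return list(combinations(gws, 2))
    if topology == "hub-and-spoke":
        if hub not in gws:
            raise ValueError("hub must protect one of the selected networks")
        return [(hub, g) for g in gws if g != hub]
    raise ValueError(f"unknown topology {topology!r}")


def build_vpn(networks, topology, hub=None, ike=IKE):
    """Return {gateway: [tunnel policies]} for download to each gateway.

    Each policy names the peer, the local subnets this gateway protects and
    the remote subnets reachable through the tunnel, plus the shared proposals.
    Every tunnel yields one policy on each of its two endpoints.
    """
    by_gw = defaultdict(list)
    for n in networks:
        by_gw[PROTECTS[n]].append(n)
    config = defaultdict(list)
    for a, b in gateway_pairs(networks, topology, hub):
        for local, remote in ((a, b), (b, a)):
            config[local].append({
                "peer": GATEWAY_IP[remote],
                "local_subnets": sorted(by_gw[local]),
                "remote_subnets": sorted(by_gw[remote]),
                "ike": ike,
            })
    return dict(config)


if __name__ == "__main__":
    for gw, policies in build_vpn(list(PROTECTS), "hub-and-spoke", hub="fw-hq").items():
        print(gw, [(p["peer"], p["remote_subnets"]) for p in policies])
```

With the four constructed networks, a mesh produces three tunnels (two policies on every gateway); hub-and-spoke with fw-hq as hub produces two tunnels, and each spoke's single policy lists both HQ subnets as remote networks.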

We built VPNs not only between NetScreen firewalls, but also among third-party gateways. The connection was easy to do, something we found difficult for many vendors in our last VPN review.

Because Global Pro 3.0 doesn’t do anything that the NetScreen firewall can’t do, there are no new capabilities in the VPN (or firewall) side of the house. But some things are omitted. For example, NetScreen VPNs can do bandwidth management through a tunnel, but this has been left out of the Global Pro 3.0 VPN configuration.

Enterprise Readiness

Features like real-time monitoring and alerting are built into the product, as is a powerful set of delegated management functions. With the ability to partition the management function across multiple servers, NetScreen’s architecture looks as if it can scale to thousands of firewalls.

Because monitoring was a feature of NetScreen’s earlier management console, that feature has been brought forward largely unchanged into this new Global Pro 3.0 deployment. The links between the configuration tool and the monitoring tool are a little weak, requiring some active export and import functions to move information between the two parts of the product.

Global Pro 3.0 could go a lot further in showing the big picture of your network. It has a summary report that gives a partial view of the enterprise firewall configuration, but the report was not as complete as we wanted.

There are other problems that may raise issues in large deployments. For example, when you change policy, it can affect a number of firewalls. But there is no way to tell which firewalls need to have the policy pushed to them. Your alternatives are to guess (and hope you catch all the ones with changes) or just to push to everything – which could take a long time if you have hundreds of firewalls.
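The two pieces fit together in a small model, added here as an example and not drawn from Global Pro: policies attach to firewall groups, each firewall's configuration is the union of the policies attached to any group it belongs to (so a new group member inherits everything, as described in the policy section above), and the missing "which firewalls need a push" answer comes from comparing the digest of what each firewall should now be running against the digest recorded at its last push. Device names, group names, policy names and rule fields are constructed for the example.

```python
"""Group-based policy expansion with change tracking.

Added example, not Global Pro code.  Devices, groups, policies and rules are
constructed.  needs_push() is the calculation the review says the product
lacks: push only to firewalls whose rendered configuration differs from
what was last pushed to them, instead of guessing or pushing to everything.
"""
import hashlib
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str  # "permit" or "deny"


@dataclass
class Policy:
    name: str
    rules: list  # list[Rule]


class PolicyManager:
    def __init__(self):
        self.policies = {}      # policy name -> Policy
        self.groups = {}        # group name  -> set of device names
        self.attachments = {}   # policy name -> set of group names
        self.last_pushed = {}   # device name -> digest of config last pushed

    def add_policy(self, policy):
        self.policies[policy.name] = policy

    def add_device(self, device, group):
        self.groups.setdefault(group, set()).add(device)

    def attach(self, policy_name, group):
        self.attachments.setdefault(policy_name, set()).add(group)

    def devices(self):
        return sorted(set().union(*self.groups.values()))

    def render(self, device):
        """Rules the device should run: every policy attached to any of its
        groups, in policy-name order so the rendering is deterministic."""
        rules = []
        for pname in sorted(self.policies):
            for g in self.attachments.get(pname, ()):
                if device in self.groups.get(g, ()):
                    rules.extend(self.policies[pname].rules)
                    break
        return rules

    def digest(self, device):
        payload = json.dumps([asdict(r) for r in self.render(device)], sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def needs_push(self):
        """Devices whose current rendering differs from the last pushed one."""
        return [d for d in self.devices() if self.last_pushed.get(d) != self.digest(d)]

    def push(self, devices=None):
        """Push to the given devices, or by default only to those that need it."""
        targets = list(devices) if devices is not None else self.needs_push()
        for d in targets:
            self.last_pushed[d] = self.digest(d)
        return targets


def demo():
    """Walk through the three situations the review describes."""
    pm = PolicyManager()
    for fw in ("fw-hq-1", "fw-hq-2"):
        pm.add_device(fw, "hq")
    pm.add_device("fw-branch-1", "branch")
    pm.add_policy(Policy("inbound-mail", [Rule("any", "mail.example.net", "smtp", "permit")]))
    pm.add_policy(Policy("syslog", [Rule("self", "10.0.0.5", "syslog", "permit")]))
    pm.attach("inbound-mail", "hq")
    pm.attach("syslog", "hq")
    pm.attach("syslog", "branch")
    first = pm.push()                       # nothing pushed yet: all three devices
    pm.add_device("fw-hq-3", "hq")          # new member inherits both hq policies
    second = pm.push()                      # only the new device
    pm.policies["inbound-mail"].rules.append(Rule("any", "mail2.example.net", "smtp", "permit"))
    third = pm.needs_push()                 # hq devices only; the branch is untouched
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The digest is over the rendered rule list rather than the policy objects, so a change that is attached to a group no device belongs to flags nothing, and a device that joins a group is flagged even though no policy text changed. Hashing the rendering is also what makes the check cheap enough to run against hundreds of firewalls before a push.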

There are some inconsistencies in what can be done with policies. You can define DNS servers, but not Network Time Protocol (NTP) servers. To set up NTP, you have to go to the Web-based configuration on each device.

NetScreen clearly has some work to do on Global Pro. Still, it’s an outstanding first effort and NetScreen clearly has strong insight into the way network executives want to handle policy-based security management.

How We Did It

We installed Global Pro’s management client on a Windows 2000 system with dual 650MHz processors and 512MB of RAM, communicating with the Global Pro 3.0 server provided by NetScreen. We used the Global Pro 3.0 Policy Manager to deploy and configure three NetScreen-100 appliances and one NetScreen-5XP appliance. We built typical enterprise and service provider security policies, and set up several virtual private networks between all of the systems. We also used our VPN test lab to build VPNs between a NetScreen appliance and both a Cisco PIX firewall and a Nokia CryptoCluster 2500 gateway using the Global Pro 3.0 configuration tool. We used the Global Pro 3.0 Realtime Monitor Console to report and alert on our VPN and firewall network.

Joel Snyder is a senior partner at Opus One Inc. in Tucson, Ariz. He can be reached