VPN gear provides customized security

NetScreen Technologies Inc. last week introduced VPN gear that makes it possible for users to tailor-fit protection for specific network resources without having to buy multiple boxes.

Four new NetScreen VPN appliances have at least four 10/100 Ethernet ports, each of which can oversee a separate, independently configured security domain. Some competitors’ gear comes with just three ports, limiting users’ ability to customize protection.

Previously, if NetScreen users wanted to set up more than three zones, they would have needed more appliances, says Jeffrey Dell, security officer for Seisint Inc., a data mining company in Boca Raton, Fla., that uses NetScreen firewall/VPN devices. “[The new equipment] allows us to do projects that require a lot of ports and do it for a lot less money.”

NetScreen VPN appliances used to sort traffic and switch it through only three possible ports, each preset for a single type of traffic: trusted, untrusted or traffic destined for an isolated network segment called the demilitarized zone (DMZ) that typically includes mail servers.

The new appliances, NetScreen-204, NetScreen-208, NetScreen-25 and NetScreen-50, all have at least four ports, and the NetScreen-208 has eight. A new version of NetScreen’s operating system, Screen OS 3.1, lets users customize each of these ports with any combination of firewall, VPN and attack detection.

The four-port boxes could be used to switch among the trusted corporate LAN, the untrusted Internet, the corporate mail server in the DMZ, and a wireless LAN, which is trusted but vulnerable to drive-by hacking.

Ports on other vendors’ equipment, such as Cisco Systems Inc.’s and Nokia Corp.’s, can also be customized. Cisco’s gear is more difficult to configure than the new NetScreen boxes, and Nokia’s attack detection is less flexible, Dell says.

Comparable competitors’ gear, such as Nokia’s IP330, has only three ports. The next size up is Nokia’s modular IP440, which supports up to 16 ports and may be overkill for some sites.

NetScreen-204 and -208 are fixed-configuration boxes that can handle 1,000 IP Security VPN tunnels and 128,000 total IP sessions. NetScreen-204 handles 200Mbps of VPN encryption and has a firewall speed of 550Mbps. NetScreen-208 has a 400Mbps firewall and encrypts at 200Mbps. Throughput on a Nokia IP440 is 176Mbps.

NetScreen-204 and -208 are available with Screen OS 3.1 and cost US$10,000 and US$15,000, respectively.

NetScreen-25 supports 20Mbps VPN encryption and 100Mbps firewall protection. NetScreen-50 supports 50Mbps VPN and 170Mbps firewall. A SonicWall Pro200 delivers 200Mbps firewall and 25Mbps VPN throughput.

NetScreen-25 and NetScreen-50 cost US$3,500 and US$6,000, respectively, and are available with Screen OS 3.0. They will be available with Version 3.1 by midyear.

NetScreen can be reached at http://www.netscreen.com.