NetScreen Technologies Inc. this week will roll out a security box that plugs a gap in its current firewall/VPN product line and introduced modular hardware that will let users more easily add security functions such as intrusion prevention.
NetScreen-ISG 2000 includes a firewall and VPN support like previous NetScreen appliances, but also has three slots for blades that let customers beef up security over time by adding applications such as virus screening and content filtering. The blades provide independent processing power so adding applications doesn’t slow down the firewall and VPN performance.
One NetScreen customer who has used the company’s earlier NetScreen 500 and NetScreen 5000, which do not have the add-on processor cards, says he prefers the new design.
When Layer 7 packet screening was added to these earlier devices, it noticeably taxed the processors, says Jeff Murphy, senior communication system administrator for the State University of New York at Buffalo. “When we turned it on we took a significant performance hit,” he said. “I like the (ISG 2000) better than the 5000.”
NetScreen’s gear parallels efforts undertaken by Cisco Systems Inc. and Fortinet Inc. to combine intrusion detection and prevention on firewall/VPN devices that sit between the Internet and corporate LANs. Such gear is well suited for midsize businesses that want to keep down the number of devices in their networks and that can’t afford the premium of buying separate devices for each function, says Zeus Kerravala, an analyst with The Yankee Group. Customers still might want to use separate devices to protect key assets such as data centres, he said.
Throughput on the ISG 2000 — 2Gbps for firewall, 1Gbps VPN — falls between that of the NetScreen 500 and NetScreen 5000 appliances. Performance is aided by the security blades as well as a new custom security chip used in the chassis called GigaScreen3. It is capable of supporting a 4Gbps firewall, and will likely support faster NetScreen devices, Kerravala says. The chip also handles proxying SYN requests and shutting down SYN flood attacks.
ISG 2000 supports up to 24 10/100Mbps Ethernet ports to attach to other LAN devices. In combination with its ability to create up to 50 virtual systems — segmenting the device into different logical devices — these ports make it possible to create security barriers between LAN devices as well as between the LAN and WAN, NetScreen says.
Pricing for the NetScreen-ISG 2000 starts at US$38,000 and ranges up to US$115,000, depending on configuration. The intrusion detection and protection modules will be available later this year.