Educause Security Discussion mailing list archives
Re: Firewall recommendations
From: "Avdagic, Indir" <indir_avdagic () WSU EDU>
Date: Tue, 18 Mar 2008 11:48:23 -0700
Juniper's ScreenOS supports IPv6 standards for their firewall/VPN appliances, but not on all platforms. Below are the platforms that support IPv6 listed by ScreenOS software versions:

5.0 (specific IPv6 software build)
    NS-5XT
    NS200
    NS500
    NS5200 with MGT (management module 1)

5.4
    ISG2000*

6.0r1
    ISG2000*
    SSG5**
    SSG20**
    NS5000 with MGT2 (management module 2)

6.0r2
    ISG1000*
    ISG2000
    SSG5**
    SSG20**
    NS5000 with MGT2 (management module 2)

6.1r1
    SSG-140
    SSG-320M
    SSG-350M
    SSG-520
    SSG-520M
    SSG-550
    SSG-550M
    ISG1000
    ISG2000
    NS5000 with MGT2 (management module 2)
    WAN Interface support***

*   IPv6 is not supported with IDP Security Module.
**  Only for Ethernet interfaces
*** WAN interface support included for E1/T1, E3/T3, and 2M Serial interfaces for SSG devices only.

Also, Juniper Networks provide multiple best practices and guidance for transitioning Federal Agencies to IPv6:

http://www.juniper.net/company/presscenter/pr/2005/pr-051208.html
http://www.juniper.net/solutions/literature/white_papers/200212.pdf
http://www.juniper.net/solutions/literature/solutionbriefs/351137.pdf
http://www.juniper.net/company/presscenter/pr/2008/pr-080220.html
http://www.juniper.net/solutions/literature/solutionbriefs/351045.pdf

_________________________________
Indir Avdagic, CISSP, ACSA, TICSA
Network Security Engineer
Washington State University
indir_avdagic () wsu edu
Phone: (509) 335-3279

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Richard Kunert
Sent: Tuesday, March 18, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall recommendations

Things to consider...

You should evaluate whether IPv6 will be important to you within the life of this firewall. A lot of current firewalls don't support it and if they do it's only partial support. For example, Netscreens and the Cisco FWSM only support it in route mode (not transparent mode). My understanding is that it's supported directly by the CPU, not the ASICs in both cases. This is bad in terms of performance. Frankly I'm not aware of any firewall that supports IPv6 really well yet, but I would want to know where it is on the vendor's roadmap.

I would not buy a Netscreen at this point, though I might consider other Juniper products (SSG series). Why? I have a Netscreen 50 (mostly decommissioned, it's running as a VPN concentrator behind a FWSM). It's fine for what it can do, but I'm really surprised that the same model I bought in 2002 is still for sale. I think most of Netscreen models currently for sale were designed at or before that time, before the Juniper buyout. They were very advanced for their time but they're showing their age.

--
Richard Kunert
Information Systems Manager
University of WI Biotechnology Center