Educause Security Discussion mailing list archives

Re: Firewall recommendations


From: "Avdagic, Indir" <indir_avdagic () WSU EDU>
Date: Tue, 18 Mar 2008 11:48:23 -0700

Juniper's ScreenOS supports IPv6 standards for their firewall/VPN
appliances, but not on all platforms.

Below are the platforms that support IPv6 listed by ScreenOS software
versions:

 5.0 (specific IPv6 software build)
   NS-5XT
   NS200
   NS500
   NS5200 with MGT (management module 1)

 5.4
   ISG2000*

 6.0r1
   ISG2000*
   SSG5**
   SSG20**
   NS5000 with MGT2 (management module 2)

 6.0r2
   ISG1000*
   ISG2000
   SSG5**
   SSG20**
   NS5000 with MGT2 (management module 2)

 6.1r1
   SSG-140
   SSG-320M
   SSG-350M
   SSG-520
   SSG-520M
   SSG-550
   SSG-550M
   ISG1000
   ISG2000
   NS5000 with MGT2 (management module 2)
   WAN Interface support***

*   IPv6 is not supported with IDP Security Module.
**  Only for Ethernet interfaces
*** WAN interface support included for E1/T1, E3/T3, and 2M Serial
interfaces for SSG devices only.


Also, Juniper Networks provide multiple best practices and guidance for
transitioning Federal Agencies to IPv6:

http://www.juniper.net/company/presscenter/pr/2005/pr-051208.html

http://www.juniper.net/solutions/literature/white_papers/200212.pdf

http://www.juniper.net/solutions/literature/solutionbriefs/351137.pdf

http://www.juniper.net/company/presscenter/pr/2008/pr-080220.html

http://www.juniper.net/solutions/literature/solutionbriefs/351045.pdf


_________________________________
Indir Avdagic, CISSP, ACSA, TICSA
Network Security Engineer
Washington State University 
indir_avdagic () wsu edu
Phone: (509) 335-3279



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Richard Kunert
Sent: Tuesday, March 18, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Firewall recommendations

Things to consider...

You should evaluate whether IPv6 will be important to you within the  
life of this firewall. A lot of current firewalls don't support it and  
if they do it's only partial support. For example, Netscreens and the  
Cisco FWSM only support it in route mode (not transparent mode). My  
understanding is that it's supported directly by the CPU, not the  
ASICs in both cases. This is bad in terms of performance. Frankly I'm  
not aware of any firewall that supports IPv6 really well yet, but I  
would want to know where it is on the vendor's roadmap.

I would not buy a Netscreen at this point, though I might consider  
other Juniper products (SSG series). Why? I have a Netscreen 50  
(mostly decommissioned, it's running as a VPN concentrator behind a  
FWSM). It's fine for what it can do, but I'm really surprised that the  
same model I bought in 2002 is still for sale. I think most of the
Netscreen models currently for sale were designed at or before that
time, before the Juniper buyout. They were very advanced for their  
time but they're showing their age.

--
Richard Kunert
Information Systems Manager
University of WI Biotechnology Center
