Firewall Wizards mailing list archives
Re: Netscreen firewalls
From: Stephen Gill <gillsr () cymru com>
Date: Sat, 16 Dec 2006 11:02:24 -0700
Having done firewall evaluations for several multinational banks, NetScreen is pretty much the best thing out there in packet filter land. Much better than FW-1 and PIX, especially under heavy load. They're not perfect by any means, but they have the best virtual firewall support I've seen, which makes them great for consolidation projects or compartmentalizing your rules to lower operational risk. Their routing support is pretty good as well - if you have ethernet demarc'd WAN connections you can avoid paying for a separate routing tier in many cases.
I can't agree enough with Carson and Jon. I've worked extensively with most major brands of all types. Netscreen is by FAR my favorite out of the Big-3 for several reasons:

- easier to install and upgrade
- great to support
- extensive debugging options
- high performance / scalable
- feature rich and quite flexible
- more intuitive than the competition

I'm a straight shooter though, and a few of the downsides as I see them are:

- QA can suffer at times as new features are brought in; sometimes old ones can break. My recommendation around this problem is to NEVER run bleeding edge code unless you absolutely need a feature. Try to run at least one major rev back, and stay current on release notes.
- Some concepts you just have to 'get used' to, as they may not be industry standard principles. For instance, the entire NAT philosophy should be revamped, but in its current state it does work. Cisco (as do others) has their own share of this, so I'm not sure I'd use this as a pro-con comparison between the two.
- Keeping track of all the limitations on the various platforms as new code upgrades, chipsets, and features come along can be daunting for the more extensive network setups and buildouts. At times you may run into limitations you are not aware of depending on your configuration, so it may require a bit more knowledge of the system limits than you'd like. They may have improved this somewhat, but that has been my experience in the past.
- Their VPN client leaves a bit to be desired and is not as user friendly as Cisco's for the average Joe. You're better off intermixing Netscreen and Cisco with a VPN-3000 for larger dialup VPN configurations.

None of these are insurmountable and compared to the other major brands, these are minimal problems to deal with by comparison. As Jon mentioned, I don't think you'll really find a lot of downsides.
That said, your best bet is to take your specific network configuration and make sure that whatever vendor you are/not interested in can handle your specific requirements. I've often found through lab testing that I need to go back to said vendor and ask them for feature X because of certain unique circumstances.

Now, as for specific vulnerabilities, here's a bit of history on the Netscreen story.

- In the beginning Netscreen would very seldom release security bulletins for specific vulnerabilities. Rather, only a few would make the cut, generally those that had more public visibility or were more egregious.
- Browsing through the release notes for all the versions of code, it was clear that not everything was getting reported on. You could clearly see important security issues that were fixed from code version to code version, but unless you looked in the release notes you would not necessarily be made aware of them.
- Netscreen changed their tactics at some point and started to release a few more public vulnerability notices so as to match other vendors. They reported to a few mailing lists as well as put notices on their website. This didn't seem to last for very long, and still it seemed like certain vulnerabilities were sneaking through in the upgrade release notes unannounced.
- Netscreen was bought by a company (Juniper) who prefers to release their advisories to paying support customers only. This means if you don't have a login to their site you may not be aware of the security issues associated with said product.
- Netscreen has always been good at addressing security bug fixes quickly when notified. For this reason all the 'ugliness' associated with previous versions of code may not be readily apparent to the outside world.

Still, I prefer them over all the other competition. Just my .02c.
Cheers,
-- steve

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards