NetScreen Technologies
Innovative Technologies Applied for Network Security

Page: 1
Agenda

 • Application scenarios
     – High speed Internet
     – Firewall and VPN Central Site
     – Medium Enterprise
     – Large Enterprise
     – Enterprise Data Centre
     – Internet Data Centre
     – Multi Department Security
 • Security Innovation
 • Unique Architectures
 • Threats and Responses
 • VPN leadership
 • Total cost of ownership
 • VPN and Security Management

Page: 2

Agenda

 • Application scenarios
     – High speed Internet
     – Firewall and VPN Central Site
     – Medium Enterprise
     – Large Enterprise
     – Enterprise Data Centre
     – Internet Data Centre
     – Multi Department Security
     – Campus Security
 • VPN and Security Management

Page: 3
Complete VPN Functionality

 Cost effective remote site VPN
   – Complete range of HW
   – Hub & Spoke or Full Mesh VPN
   – NAT Traversal
   – VPN Dial backup

 Complete RA VPN Support
   – Remote VPN client
   – Security Client – Personal FW + VPN
   – ANG for centralized & user auth
   – Certificate & smart card support
   – Compatibility w/ Certicom PDA client

 Comprehensive Authentication Support
   – PKI (VeriSign, …
   – Radius
   – LDAP
   – XAUTH
   – SecurID

 Robust connectivity for major Sites
   – Active-Active HA
   – Redundant Gateway VPN tunnels
   – VPN Monitoring
   – Full Mesh
   – OSPF & BGP Routing
   – Virtual Systems
   – 3DES & AES encryption w/ ASIC acceleration
   – Traffic management
   – FIPS & ICSA Certified

 Easy deployment & NW integration
   – NAT, NAT-T, Transparent Mode
   – Device or policy based management
   – NAT, DHCP, PPPoE
   – Integrated Firewall

 Comprehensive Mgmt (Global PRO)
   – Policy Based Mgmt
   – VPN Monitoring
   – Detailed reporting & trending

 [Diagram: remote sites and clients connected to the central site across the Internet, managed by Global PRO]

Page: 4
Firewall with High Speed Internet

 [Diagram: Corp HQ private network with RAS reached over the PSTN (1-800), a DMZ, and an Internet link through the firewall]

 Firewall
   – Private Network perceived as “secure”
   – RAS for mobile / home office
   – WAN access multiple T1s (>1.5Mbps)
   – Promotional Web site
   – All employees “trusted” can access all parts of the network

 • NetScreen delivers
   – Increased Security / Easier Support / Higher Performance & Scalability / Cost effective solution

Page: 5
VPN Intranet & Central Site Firewall

 [Diagram: Corp HQ connected to remote sites across the Internet, managed by NetScreen-Global PRO]

 Remote Access VPN
   • Private & dial network replaced by VPN intranet
   • Remote VPN devices provide additional security because they are also Firewalls
   • Central Firewall turns on VPN

 Central Site VPN Acceleration
   • Central Firewall unable to handle VPN traffic, needs acceleration
   • NetScreen device used for VPN termination
   • Leverage advanced features, e.g. Hub & Spoke

 Firewall/VPN consolidation
   • NetScreen replaces existing firewall due to unnecessary duplication of costs (maintenance, admin, and support)

Page: 6
Medium Enterprise
Serious Traffic (web) and VPN Requirements

 [Diagram: Internet reached over T1, SDSL, etc. through the NetScreen device, with a DMZ hosting Web & Email Servers; managed by NetScreen-Global PRO]

 Integrated VPN, FW and Traffic Mgmt
   – VPN
       • No Special Licenses or Additional Hardware
       • >100 Remote Sites or RA Users
       • Class leading VPN for Central Site
           – 1000 tunnels & 185M 3DES
   – Firewall
       • Stateful Inspection FW, NAT, PPPoE and DHCP client, server & relay
       • Class Leading FW for Central Site
           – 100K+ sessions & 19K ramp rate
   – Traffic Management
       • Reduce BW for non-business critical traffic
       • Better utilize / reduce expensive WAN BW
   – High Availability
       • Stateful fail over FW & VPN

Page: 7
Large Enterprise
Very High Traffic and VPN Requirements

 [Diagram: Branch Office, Regional Office and Small Office connected across the Internet to the central site, with a DMZ hosting Web & Email Servers; managed by NetScreen-Global PRO]

 Integrated VPN, FW and Traffic Mgmt
   – VPN
       • No Special Licenses or Hardware
       • Thousands of Remote Sites or RA Users
       • Class leading VPN for Central Site
           – 10K tunnels & 250M 3DES
   – Firewall
       • Stateful Inspection FW, NAT, PPPoE and DHCP client, server & relay
       • Class Leading FW for Central Site
           – 250K sessions & 22K ramp rate
   – Traffic Management
       • Reduce BW for non-business critical traffic
       • Better utilize / reduce expensive WAN BW
   – High Availability – Active-Active
       • Stateful fail over FW & VPN

Page: 8
Multi-Department Security

 [Diagram: Corp HQ with an Internet link, DMZs, and separate Finance Dept, M & A Group and Engineering Dept segments]

 Traditional Solution
   • Multiple Firewalls required to provide internal security

 NetScreen-500 Solution
   • Virtual Systems employed to provide departmental security
   • Can also be used for additional DMZs, security domains and for extranets
   • Trust limited to “Need to know” employees

Page: 9
Multi-Department with remote users

 [Diagram: a Finance Dept remote worker and a Finance Dept mobile worker reach the Finance Vsys at Corp HQ across the Internet; DMZs and the Finance Dept sit behind the Vsys]

 • Firewall
   – Traffic sent to the Finance dept is firewall-ed by the Finance Vsys
   – Finance SOHO worker firewall-ed from the Internet
 • VPN
   – Remote finance workers VPN connections terminate in the Finance Virtual System
   – Essentially extending the finance intranet to include those workers

Page: 10
Enterprise or Campus Backbone

 [Diagram: Building A (Finance) and Building B (Engineering) joined by bonded GE links, with DMZs for Web, Email and Dept Servers]

 • Campus Gateway
   – Performance = LAN Speeds
   – Segmentation
       • Buildings, Departments, Servers & WLAN A/P’s
   – Multi-port
       • Up to 24 GE
       • Trunked links
   – Vsys & VLANs
       • Mapped to switch infrastructure
   – GigE DMZs
       • Web & Email
       • Dept Servers
   – High Availability

Page: 11
High Speed WAN access – OC12/GE

 [Diagram: 10,000s of VPN Connections, or Gigabits of VPN, or Millions of Hits]

 • Massive # VPN Connections
   – 1000s of Remote/Branch office
 • Large BW single tunnel VPN connections
   – Fiber based metro services
 • Large consolidated Internet access
   – High Profile Public Presence
 • Sophisticated HA
   – Stateful FW & VPN

Page: 12
Enterprise Data Center

 • High Density & Performance
   – Up to 72 FE & 6 GigE or 24 x GigE
   – Superior small packet performance
 • Internal attack prevention on every interface
 • Every interface a security zone / unique policy
 • Stateful High Availability
 • Bonded Links to Disaster Site
   – which can be Encrypted

Page: 13
Internet Data Center

 [Diagram: Customers (NS Remote, 5, 25, 200) reach the Internet Data Center over Customer Access (VPN); an NS-5200 (Firewall & VPN) separates Untrust from Trust, with VLAN 1 to VLAN 5 Front End and Back End segments behind NetScreen 200, NetScreen 500 and NetScreen 25 devices; Shared Hosting / Core Systems or Low end dedicated hosting in Vsys # 1, Vsys # 2 and Vsys # 3; a Mirrored Data Center]

 • High performance multi-customer solution
   • Reduced Capital Cost
   • Rapid Deployment
   • Low support burden
 • Differentiated services
   • Customer site VPN
   • Additional Backend or Database security
   • Dedicated VPN and / or FW solution
   • High Bandwidth FW and VPN without having load balanced security devices
   • High speed VPN between Data Centers

Page: 14
Anti-Virus
NetScreen-Trend CSP Solution

 [Diagram: Internet traffic enters the NetScreen device, which talks to the InterScan server over CSP; legitimate traffic still allowed]

 NetScreen-Trend CSP
   1: Email packet arrives at the NetScreen device; NetScreen begins hijacking the TCP connection
   2: NetScreen buffers beginning of email session and creates CSP session with the InterScan server
   3: Email data continues to flow in and is passed to InterScan via CSP
   4: InterScan receives entire Email session including file and scans file and replies with scan result
   5: NetScreen creates Email session with destination email gateway
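The five-step flow above, as an added example rather than NetScreen's or Trend Micro's own code: a Python model of the store-and-forward gate, in which the hijacked mail session is fully buffered, handed to a scanner stand-in, and the session to the destination gateway is opened only once a clean verdict is back. The CSP wire protocol is not described on this page, so the scanner interface, the SMTP end-of-DATA check and the signature list are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed signature list: a stand-in for the InterScan virus database (assumption).
SIGNATURES = [b"CONSTRUCTED-TEST-MARKER"]


def signature_scanner(message: bytes) -> str:
    """Stand-in for InterScan (step 4): scan the complete message, return a verdict."""
    return "infected" if any(sig in message for sig in SIGNATURES) else "clean"


@dataclass
class GatewaySession:
    """Stand-in for the email session NetScreen opens to the destination gateway (step 5)."""
    opened: bool = False
    delivered: List[bytes] = field(default_factory=list)

    def open(self) -> None:
        self.opened = True

    def send(self, data: bytes) -> None:
        if not self.opened:
            raise RuntimeError("data sent before the gateway session was opened")
        self.delivered.append(data)


class ScanningProxy:
    """Models the firewall's part of the CSP flow: hijack, buffer, scan, then (maybe) forward."""

    END_OF_DATA = b"\r\n.\r\n"  # SMTP end-of-DATA marker; the session is complete once seen

    def __init__(self, scanner: Callable[[bytes], str], gateway: GatewaySession) -> None:
        self.scanner = scanner
        self.gateway = gateway
        self.buffer = bytearray()  # steps 2-3: nothing is relayed while this fills
        self.events: List[str] = []

    def on_segment(self, segment: bytes) -> None:
        """Steps 1 and 3: each segment of the hijacked TCP session is appended, never relayed live."""
        self.buffer.extend(segment)
        self.events.append(f"buffered {len(segment)} bytes")

    def on_session_end(self) -> str:
        """Step 4, then step 5: get a verdict on the whole message and gate delivery on it."""
        if not bytes(self.buffer).endswith(self.END_OF_DATA):
            # Edge case: sender closed mid-DATA. An incomplete message is never forwarded.
            self.events.append("incomplete message: dropped, gateway never contacted")
            return "dropped"
        verdict = self.scanner(bytes(self.buffer))
        self.events.append(f"scanner verdict: {verdict}")
        if verdict != "clean":
            return "blocked"
        self.gateway.open()  # step 5 happens only here, after the verdict
        self.gateway.send(bytes(self.buffer))
        return "delivered"


def relay_message(message: bytes, segment_size: int = 16) -> Tuple[str, GatewaySession]:
    """Push a message through the proxy in small TCP-sized pieces; return (outcome, gateway)."""
    gateway = GatewaySession()
    proxy = ScanningProxy(signature_scanner, gateway)
    for i in range(0, len(message), segment_size):
        proxy.on_segment(message[i:i + segment_size])
    return proxy.on_session_end(), gateway


# Constructed sample sessions (not real mail traffic).
CLEAN_MAIL = b"From: a@example.test\r\nSubject: hi\r\n\r\nquarterly numbers attached\r\n.\r\n"
INFECTED_MAIL = b"From: b@example.test\r\n\r\nattachment: CONSTRUCTED-TEST-MARKER\r\n.\r\n"
TRUNCATED_MAIL = b"From: c@example.test\r\n\r\nconnection dropped mid-DATA"

if __name__ == "__main__":
    for label, mail in [("clean", CLEAN_MAIL), ("infected", INFECTED_MAIL), ("truncated", TRUNCATED_MAIL)]:
        outcome, gw = relay_message(mail)
        print(f"{label}: {outcome}, gateway session opened={gw.opened}")
```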




                                      Page: 15
Global PRO Deployments
NetScreen-Global PRO Express & NetScreen-Global PRO Architecture

 [Diagram: Global PRO UI (Configuration, Monitoring, Reporting) over the Policy Manager, Monitoring, Historical Report Server and Data Collector(s), backed by an Oracle DB]

 • Global PRO & Global PRO Express
   – Complete turnkey management solution
   – Configuration/policy management, real time monitoring
   – Integrated NetScreen-Remote VPN client management
   – Multi-admin/role-based admin
   – Pre-installed and configured on a Sun Netra Server
 • Global PRO
   – Sophisticated historical reporting
   – Log data correlation/reduction
   – Designed to scale to 10,000 devices
   – Extensible Web-based report templates; 3rd party report integration, e.g. HP/OV

Page: 16
Global PRO Deployments
Point & Click Policy Management

 [Diagram: Small Offices / Branch Offices, Regional Offices, Teleworkers and Remote Users across the Internet; a new device added to a policy group has Firewall & VPN policies automatically applied, and all boxes in the VPN are updated with new configurations; Web & Email Servers in the DMZ; NetScreen-Global PRO]

 • Ability to add devices or users to network quickly & easily
 • All required VPN and firewall rules are created automatically
 • Allows for rapid response to attacks
 • Quickly create full mesh, hub & spoke, and site-to-site VPNs

Page: 17
Global PRO Deployments
Managing Remote Client VPN Policies (Improved in Global PRO 3.1)

 [Diagram: NetScreen-Remote Users authenticate to NetScreen-Global PRO over SSL across the Internet; the user's policy is retrieved, an external authentication server (RADIUS Server / NT Domain) is queried, and VPN tunnels are established to the Private LAN and the DMZ (Web & Email)]

 • Remote user launches NetScreen-Remote login to connect
   – User authenticates to NetScreen-Global PRO or NetScreen-Global PRO Express
   – External authentication servers may be queried
 • User's VPN policy securely downloaded to NetScreen-Remote client via SSL
 • VPN tunnels established to NetScreen devices
 • Upon logout, VPN policy and keys are purged from the user's PC
 • Add new users through RADIUS

Page: 18
Global PRO Deployments
Threat Mitigation, Analysis & Response

 [Diagram: Branch Offices, Regional Offices, Remote Offices and Remote Users across the Internet, with a hacker targeting the Web & Email Servers in the DMZ; NetScreen-Global PRO]

 • Suspicious activity detected via NetScreen-Global PRO Real-time Monitor
 • Push appropriate “Deny” policy to all devices
 • Assess and analyze threat
 • Push out new or revised security policies

Page: 19
NetScreen’s Security Product Line

Product             Max Throughput            Max Sessions     Max # VPN tunnels  Max # Policies  Max # Vsys  HA
NetScreen-5400      12G FW & 6G VPN           1,000,000        25,000             40,000          500         Yes A/P*
NetScreen-5200      4G FW & 2G VPN            1,000,000        25,000             40,000          500         Yes A/A
NetScreen-500       700M FW & 250M VPN        250,000          10,000             20,000          25          Yes A/A
NetScreen-204/208   550M/400M FW & 200M VPN   128,000          1,000              4,000           NA          Yes A/A
NetScreen-100       200M FW & 185M VPN        128,000/64,000   1,000              4,000           NA          Yes A/A
NetScreen-50        170M FW & 50M VPN         8,000            100                1,000           NA          Yes A/P
NetScreen-25        100M FW & 20M VPN         4,000            25                 500             NA          No
NetScreen-5XT       70M FW & 20M VPN          2,000            10                 100             NA          No
NetScreen-5XP       20M FW & 13M VPN          2,000            10                 100             NA          No
NetScreen-Remote    Varies by PC              NA               1                  NA              NA          No
  VPN & Security Clients

A/A = Active-Active High Availability
A/P = Active-Passive High Availability
* To be updated to Active-Active – 1HCY03

Page: 20
NetScreen
Scalable Security Solutions

Page: 21

				
Posted: 4/8/2011; language: English; pages: 21