NetScreen
NetScreen Confidential
Agenda
• NetScreen Background & Market Trends
• NetScreen Security Basics
• Applications for the Enterprise
• Security Management for the Enterprise
• Purpose built vs. general purpose solutions
• Appendix: Service & Support
About NetScreen
• Founded October 1997
• Leading maker of ASIC-based integrated security solutions
  – Firewall, VPN and traffic management
• Fast growing revenue
  – $40 million in calendar 2000
  – $8 million in calendar 1999
• Primary markets: Internet data centers, service providers and enterprises
• Employees: > 270
• Pre-IPO: $53 million VC investment
  – Sequoia, Spectrum, Juniper, Ericsson, WorldCom
• Based in Sunnyvale, Calif. USA
  – Other offices in Boston, UK, Hong Kong, Beijing
NetScreen’s Security Solutions
• Integrated security systems and appliances
  – ICSA-certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI and NAT acceleration
  – 1 Gbps, 700 Mbps, (250 Mbps), 100 Mbps and 10 Mbps hardware firewall and 3DES IPSec VPN devices
  – ScreenOS security software – custom OS
• High availability
  – Solid state, redundant hardware, HA topologies
  – Protect against DoS attacks (8 to 10 times faster than software solutions)
• Powerful management
  – WebUI, CLI for easy installation and management
  – Carrier-class central management
[Product line diagram: NetScreen Security Systems – NetScreen-500, NetScreen-1000; NetScreen Security Mgmt & Client – Global PRO / Global Manager, NetScreen-Remote; NetScreen Security Appliances – NetScreen-5, NetScreen-10, NetScreen-100]
Security Market Growth
• Firewall and VPN markets in rapid-growth stage
  – Hardware is the predominant platform for firewalls and VPNs
• Key drivers
  – Need to protect Internet links and encrypt data
  – Enterprises looking to outsource or out-task some element of security
[Chart: Worldwide Market Growth (Infonetics Research 2000); $0 to $6 billions, 2000 to 2004; series: Firewall, Dedicated VPN hardware]
Enterprise Security Trends
• Security breaches have a huge economic impact on business
• Branch and telecommuter networks tying into corporate via VPNs
• Bandwidth requirements in the corporate LAN and WAN environments
• The need for a holistic approach to security
• Lack of skilled IT workers
NetScreen’s Enterprise Security Solutions
• Full suite of products for complete deployment in the enterprise network
  – NetScreen-5 & -10 for remote offices and telecommuters
  – NetScreen-100 & -500 for corporate headquarters
• Centralized management of all NetScreen appliances and systems
  – Control security for multi-site device deployments from one location
• Security solutions that don't impede network performance
  – Firewall & VPN at wire speed
• Integrated solution – firewall, VPN and traffic management
  – Addresses security and bandwidth requirements
  – No need to manage multiple vendors
• Multi-customer/department architecture
  – 25 virtual systems (VSYS) with the NetScreen-500
NetScreen’s Solutions for the High-Performance Security Market
Enterprise networks
• Enterprise central site and broadband remote access
• Small- to medium enterprises
Internet data centers
• E-businesses
• Web hosts, ASPs, colocation facilities
Service provider networks
• MAN, BLEC, MTU
• ISP, DSL providers
Managed Security Service Providers
• Integrating security solutions for Internet data centers, service providers and enterprises of all sizes
NetScreen Security Basics
• Dedicated OS
  – No separate hardening of a general-purpose OS required
  – More efficient than a general-purpose OS
• Stateful packet inspection firewall
  – A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions (UDP carries no connection state, so the firewall pairs a request with its reply and ages the entry out on a timer)
  – A given type of traffic is allowed "in" only as a reply to a session opened from the trusted side; an inbound packet with no matching table entry is dropped
  – NetScreen ASIC accelerates the process
• IPSec 3DES VPN
  – 3DES has become the encryption industry standard
  – NetScreen appliances come standard with 3DES
  – NetScreen ASIC accelerates the process
• Virtual systems
  – Unique policy, address book and management per virtual system
  – Firewall and VPN configured per virtual system
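The session-table behaviour described above, as an added example that is not NetScreen code and does not reproduce ScreenOS internals: a minimal stateful filter keyed on the 5-tuple that lets the trusted side open TCP sessions and UDP pseudo-sessions, admits inbound packets only when they match an open session in the reverse direction, and expires idle UDP entries. The trusted prefix, the timeouts and the "trusted may open anything outbound" policy are assumptions chosen for illustration.

```python
"""Minimal stateful packet filter with a session table (added example).

Models the slide's description: TCP sessions and UDP "pseudo" sessions are
tracked in a table, an inbound packet is permitted only as the reply to a
session opened from the trusted side, and idle UDP entries time out.
Policy, prefix and timeouts below are assumptions, not NetScreen defaults.
"""
from dataclasses import dataclass

TRUST_NET = "10.0.0."     # assumed trusted LAN, crude prefix match
UDP_TIMEOUT = 60.0        # assumed idle lifetime of a UDP pseudo-session (s)
TCP_TIMEOUT = 1800.0      # assumed idle lifetime of a TCP session (s)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag (ignored for udp)
    ack: bool = False   # TCP ACK flag (ignored for udp)


class StatefulFilter:
    def __init__(self) -> None:
        # key: 5-tuple in the *initiating* direction; value: last-seen time
        self.sessions: dict[tuple, float] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        # Drop entries idle longer than the per-protocol timeout.
        stale = [k for k, t in self.sessions.items()
                 if now - t > (UDP_TIMEOUT if k[0] == "udp" else TCP_TIMEOUT)]
        for k in stale:
            del self.sessions[k]

    def inspect(self, p: Packet, now: float) -> str:
        """Return 'permit' or 'deny' for packet p observed at time `now`."""
        self._expire(now)
        k, rk = self._key(p), self._reverse_key(p)
        if k in self.sessions:              # same direction as the opener
            self.sessions[k] = now
            return "permit"
        if rk in self.sessions:             # reply to an open session
            self.sessions[rk] = now
            return "permit"
        # No table entry: only the trusted side may open a session, and a
        # TCP session must begin with a bare SYN (a lone ACK opens nothing).
        if p.src.startswith(TRUST_NET) and not p.dst.startswith(TRUST_NET):
            if p.proto == "tcp" and not (p.syn and not p.ack):
                return "deny"
            self.sessions[k] = now
            return "permit"
        return "deny"


def demo() -> list[str]:
    """Run constructed traffic through the filter; returns the decisions."""
    fw = StatefulFilter()
    inside, outside = "10.0.0.5", "198.51.100.7"   # constructed addresses
    trace = [
        # 1. unsolicited inbound SYN to a LAN host: no session -> deny
        (0.0, Packet("tcp", outside, 40000, inside, 22, syn=True)),
        # 2. LAN host opens an HTTP session: session created -> permit
        (1.0, Packet("tcp", inside, 50000, outside, 80, syn=True)),
        # 3. the SYN/ACK back matches the reverse key -> permit
        (1.1, Packet("tcp", outside, 80, inside, 50000, syn=True, ack=True)),
        # 4. inbound ACK with no session (ACK scan) -> deny
        (1.2, Packet("tcp", outside, 80, inside, 50001, ack=True)),
        # 5. LAN host sends a DNS query: UDP pseudo-session created -> permit
        (2.0, Packet("udp", inside, 53000, outside, 53)),
        # 6. DNS reply inside the timeout -> permit
        (2.5, Packet("udp", outside, 53, inside, 53000)),
        # 7. a "reply" five minutes later: pseudo-session expired -> deny
        (302.5, Packet("udp", outside, 53, inside, 53000)),
    ]
    return [fw.inspect(p, t) for t, p in trace]


if __name__ == "__main__":
    print(demo())
```

The example deliberately stops at what the slide claims: it does not follow the TCP state machine (FIN/RST teardown, sequence-number checks) that a production stateful firewall also enforces, and it has no notion of zones or per-policy rules. Packet 4 is the case worth noticing: a stateless packet filter that allows "established" traffic by looking at the ACK bit alone would pass it, while the session table rejects it because no entry exists.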
NetScreen Virtual Systems
• NetScreen Virtual Systems
  – Per virtual system: address book, policies and management
  – Firewall and VPN configured per virtual system
  – Able to support multiple security domains or customers without sharing policy
[Diagram: Vsys #1, Vsys #2, Vsys #3 on one device]
NetScreen Management Interfaces
[Diagram: management interfaces – SNMP, CLI, Web UI, 3rd Party, Syslog, Global]
• CLI – familiar command line interface
  – RS232 console, Telnet and SSH
• Web interface – embedded Web server
  – HTTP and SSL
  (Telnet and plain HTTP carry administrator credentials in the clear; use SSH and SSL for management over any path that is not trusted)
• NetScreen Global – proprietary interface
• SNMP – standard MIB & private extension
• Syslog – standard traffic reporting and alerts
• 3rd party – WebSense, WebTrends
Enterprise Security Management: Global Manager
• Central management for multiple NetScreen security appliances
  – Set policies and configuration options
  – Define configuration once, apply to multiple devices
  – Device grouping to simplify administration
• Collect and display status information for hundreds of devices
  – Detailed reporting: configuration, traffic, CPU utilization, logs …
• Securely manages via VPN tunnels to devices
• Windows NT/2000-based platform
[Diagram: Global Manager – configuration, monitoring & reporting – NetScreen security devices]
Product Overview: NetScreen-500
• High performance
  – 250 Mbps 3DES IPSec VPN
  – 700 Mbps stateful firewall
• High capacity
  – 10,000 IPSec tunnels
  – 250,000 concurrent sessions
  – 22,000 new sessions per second
• Up to 25 virtual systems
• Redundant
  – High availability features
  – Internal system redundancies (swappable fans, power)
  – Separate traffic and management bus
• Flexible
  – Multiple ports
  – AC/DC power
Product Overview: NetScreen Security Appliances
• Suite of wire-speed appliances
  – NetScreen-100: 100 Mbps performance; 128,000 sessions; 1,000 tunnels
  – NetScreen-10: 10 Mbps performance; 4,000 sessions; 100 tunnels
  – NetScreen-5: 10 Mbps performance; 1,000 sessions; 10 tunnels
• Stateful-inspection firewall
  – Leading denial of service attack deterrence
• NAT (mapped IP, virtual IP), URL blocking
• Line rate IPSec VPNs
  – IPSec, DES/3DES, MD5, SHA-1, IKE key management
  – Up to 1,000 tunnels (NetScreen-100): site to site or remote access
• Traffic management: guaranteed & maximum bandwidth
Security Applications for the Enterprise
• Firewall application only
• VPN capabilities added to existing firewall
• VPN and firewall, replacing existing firewall
• VPN & firewall with increased traffic & remote users
• Multi-department firewalls
• Multi-department with remote users
• Multi-department with campuses
• Colocation
Firewall with High Speed Internet
Firewall
– Private network perceived as "secure"
– RAS for mobile / home office
– WAN access over multiple T1s (>1.5 Mbps)
– Promotional Web site
– All employees "trusted": can access all parts of the network
[Diagram: Internet – Corp HQ firewall with DMZ and private network; RAS dial-in over PSTN (1-800)]
• NetScreen delivers
  – Increased security / easier support / higher performance & scalability / cost effective solution
VPN Intranet & Central Site Firewall
Remote access VPN
• Private & dial network replaced by VPN intranet
• Remote VPN devices provide additional security because they are also firewalls
• Central firewall turns on VPN
[Diagram: Internet – Corp HQ]
Central site VPN acceleration
• Central firewall unable to handle VPN traffic; needs acceleration
• NetScreen device used for VPN termination
• Leverage advanced features, e.g. hub & spoke
Firewall/VPN consolidation
• NetScreen replaces the existing firewall to remove the duplicated costs (maintenance, admin, and support)
Central Site Firewall & VPN Intranet
Firewall application
• WAN access over multiple T1s / T3
• E-business
VPN application
• Private network replaced by VPN intranet
• Hundreds or thousands of remote offices / users
• Extranets
• Trust limited to "need to know" employees
[Diagram: Internet – Corp HQ – DMZ]
NetScreen delivers
• Increased performance, scalability, flexibility & cost effectiveness of the solution
Multi-Department Security
[Diagram: Internet – Corp HQ – Finance Dept, M & A Group, Engineering Dept – DMZs]
Traditional solution
• Multiple firewalls required to provide internal security
NetScreen-500 solution
• Virtual systems employed to provide departmental security
• Can also be used for additional DMZs, security domains and for extranets
• Trust limited to "need to know" employees
Multi-Department with remote users
[Diagram: Internet – Corp HQ – DMZs – Finance Dept behind the Finance Vsys; Finance Dept mobile worker and remote worker]
Firewall
• Traffic sent to the Finance dept is firewalled by the Finance Vsys
• Finance SOHO worker is firewalled from the Internet
VPN
• Remote finance workers' VPN connections terminate in the Finance virtual system
• Essentially extends the finance intranet to include those workers
Dept Intranets & Campuses
[Diagram: Internet / NSP net – Corp HQ (DMZs, Finance Dept) – Extended campus (DMZs, Finance Dept) – Finance Vsys to Vsys VPN]
Firewall
– Traffic sent to the Finance dept is firewalled by the Finance virtual system
VPN
– Finance intranet is extended between campuses by a VPN between the Finance virtual systems
Colocation
[Diagram: Internet data center – Web servers, staging servers, application databases, backend databases, customer data; Web hosting / ASP/MSP / Web host / E-business; big fast firewall / updating / content provisioning]
Data center fast firewall/VPN
• Reduced capital cost
• Lower management & support burden
• High-bandwidth firewall without having to load balance security devices
• Integrated VPN access for remote access
• Option of using virtual systems for different security domains (front end, back end, staging or, for MSPs, customers)
NetScreen vs. general purpose (H/W & S/W) architectures
Superior throughput
– Zero packet loss, 100 Mbps UDP
– Firewall no longer the network bottleneck
Higher sustained performance
– Sustained large session count
– User satisfaction maintained even at peak times
[Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets; aggregate throughput (Mbps, *1% packet loss threshold) for NetScreen-500 and Cisco PIX 535 at 5,000 / 10,000 / 25,000 simultaneous UDP sessions and 64 / 512 / 1,024 / 1,518-byte packets; Tolly Group, 2001]
[Chart: Steady-State, Bidirectional, Zero-Loss* UDP Packets, % of Theoretical Maximum Offered Load Throughput for Full-Duplex 100 Mbit/s Ethernet "Single Rule" Firewall Processing; series: Baseline, NetScreen-100, Check Point FireWall-1, Cisco PIX-515, Nokia IP650*; 64 / 512 / 1,024 / 1,518-byte packets; Tolly Group, 2000]
NetScreen vs. general purpose (H/W & S/W) architectures
Fast VPN throughput
– Integrated 3DES VPN acceleration
– Productivity and user satisfaction
Great VPN application throughput
– SAP & FTP throughput
– Real world apps perform as expected
[Chart: Steady-State, Zero-Loss* Bidirectional IPSec Gateway (DES-3, SHA-1), % of Theoretical Maximum Offered Load Throughput via Full-duplex Fast Ethernet (100 Mbit/s); series: NetScreen-100, Check Point FireWall-1, Nokia IP650, Cisco PIX-515; 64 / 512 / 1,024 / 1,518-byte packets; Tolly Group, 2000]
Bidirectional IPSec Gateway (DES-3, SHA-1) Application (Chariot) Throughput via Full-duplex Fast Ethernet (100 Mbit/s), Mbit/s (Tolly Group, 2000):
                              FTP     SAP R/3
  Baseline                 163.24       60.19
  NetScreen-100            134.05       58.70
  Check Point FireWall-1    42.81       24.27
  Nokia IP650               15.68       13.07
  Cisco PIX-515              9.01        7.23
NetScreen vs. general purpose (H/W & S/W) architectures
Rapid ramp rate
– Number of new sessions per second
– For busy web sites and denial of service attacks
Low latency
– Firewall latency testing in microseconds
– Useful for heavily loaded sites, multimedia and voice traffic
Maximum TCP Session-Processing Rate Per Second of "Single Rule" Processing Firewall, TCP connections per second (Tolly Group, 2000):
  NetScreen-100            19,048
  Cisco PIX-515             3,402
  Check Point FireWall-1    1,600
  Nokia IP650*              (no value shown)
Steady-State, Bidirectional Latency, "Single Rule" Processing Firewall via Full-duplex Fast Ethernet (100 Mbit/s), microseconds (Tolly Group, 2000):
  Baseline                   41.2
  NetScreen-100              85.1
  Check Point FireWall-1    225.1
  Cisco PIX-515             291.3
  Nokia IP650               319.4
Cost Analysis: Small Office <25 people
• NetScreen-5
• Cisco PIX 506 with 3DES license
• Nokia IP110 with Check Point 25 IP VPN-1 Module license (includes FireWall-1 & VPN-1)

Implementation and maintenance costs (dollars)   NetScreen-5   Cisco PIX 506   Nokia IP110 (Check Point)
Hardware costs
  Firewall platform                                      $995          $1,950          $2,495
  VPN platform                                             $0              $0              $0
Software costs
  Firewall platform                                        $0              $0          $1,499
  VPN platform                                             $0            $250              $0
Maintenance and system support costs
  Hardware maintenance                                   $200            $304              $0
  Software maintenance                                     $0              $0            $225
  System support services                                  $0            $205          $1,115
Total implementation and maintenance costs            $1,195          $2,709          $5,334
Cost Analysis: Branch Office <10 Mbps FW&VPN; <100 people
• NetScreen-10
• PIX 515R + 3DES license + no DMZ (3rd interface requires UR software)
• IP 330 + Check Point VPN-1 (FW+VPN) Module license for 100 IP addresses

Implementation and maintenance costs (dollars)   NetScreen-10   Cisco PIX 515   Nokia IP330 (Check Point)
Hardware costs
  Firewall platform                                     $3,995          $5,000          $4,950
  VPN platform                                              $0              $0              $0
Software costs
  Firewall platform                                         $0              $0          $5,995
  VPN platform                                              $0          $1,000              $0
Maintenance and system support costs
  Hardware maintenance                                    $800            $700              $0
  Software maintenance                                      $0              $0            $899
  System support services                                   $0            $325          $2,225
Total implementation and maintenance costs             $4,795          $7,025         $14,069
Cost Analysis: Central Site <10 Mbps FW&VPN; >100 <250 people
• NetScreen-100
• PIX 515UR + 10/100 card + 3DES license
• IP 330 + Check Point VPN-1 (FW+VPN) Module license for 250 IP addresses

Implementation and maintenance costs (dollars)   NetScreen-100   Cisco PIX 515   Nokia IP330 (Check Point)
Hardware costs
  Firewall platform                                      $9,995         $12,200          $4,950
  VPN platform                                               $0              $0              $0
Software costs
  Firewall platform                                          $0              $0          $7,495
  VPN platform                                               $0          $1,000              $0
Maintenance and system support costs
  Hardware maintenance                                   $2,000          $1,680              $0
  Software maintenance                                       $0              $0          $1,124
  System support services                                    $0            $780          $2,225
Total implementation and maintenance costs             $11,995         $15,660         $15,794
Cost Analysis: Central Site >10 Mbps FW&VPN; or >250 people
• NetScreen-100
• PIX 525R + 10/100 card + VPN accelerator card + 3DES license
• IP 440 + VPN accelerator card + Check Point VPN-1 (FW+VPN) Module license for unlimited IP addresses

Implementation and maintenance costs (dollars)   NetScreen-100   Cisco PIX 525   Nokia IP440 (Check Point)
Hardware costs
  Firewall platform                                      $9,995         $16,200         $12,495
  VPN platform                                               $0          $7,500          $2,995
Software costs
  Firewall platform                                          $0              $0          $9,495
  VPN platform                                               $0          $1,000              $0
Maintenance and system support costs
  Hardware maintenance                                   $2,000          $2,496          $1,495
  Software maintenance                                       $0              $0          $1,424
  System support services                                    $0          $1,680              $0
Total implementation and maintenance costs             $11,995         $28,876         $27,904
Cost Analysis: Central Site >100 Mbps FW&VPN; >250 people
• NetScreen-500 + 2x GE cards
• PIX 535R + 2x GE cards + VPN accelerator card + 3DES license
• IP 530 + 2x GE cards + VPN accelerator card + Check Point VPN-1 (FW+VPN) Module license for unlimited IP addresses
• Neither Cisco nor Nokia can exceed 100 Mbps VPN

Implementation and maintenance costs (dollars)   NetScreen-500   Cisco PIX 535   Nokia IP530 (Check Point)
Hardware costs
  Firewall platform                                     $33,500         $70,000         $26,495
  VPN platform                                               $0          $7,500          $2,995
Software costs
  Firewall platform                                          $0              $0          $9,495
  VPN platform                                               $0          $1,000              $0
Maintenance and system support costs
  Hardware maintenance                                   $7,500          $9,360              $0
  Software maintenance                                       $0              $0          $1,424
  System support services                                    $0          $2,925          $6,480
Total implementation and maintenance costs             $41,000         $90,785         $46,889
Assumptions
• Cisco & Nokia are assumed able to achieve 10 Mbps VPN without an accelerator card
• Check Point VPN-1 Module pricing was used to be conservative; otherwise either all-gateway pricing or one enterprise console version needs to be included, which would add approx. $10K to any Check Point solution
• Again, to be conservative, the NetScreen-100 was used for <10 Mbps and >100 <250 people, where a NetScreen-10 could have been used
• Cisco & Nokia latest solutions (PIX 535 & IP 530) are unable to achieve >100 Mbps VPN (the IP 530 cannot achieve >50 Mbps 3DES)
• Nokia IP 530 GE interfaces (not currently available) are assumed to cost the same as Cisco & NetScreen modules, ~$5K
Price / Performance via Purpose Built Architectures
NetScreen-500 – $33,500 (2x GE cards)
Cisco PIX-535R – $78,500 (2x GE cards, VPN accelerator card, 3DES license)
[Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets; aggregate throughput (Mbps, *1% packet loss threshold) for NetScreen-500 and Cisco PIX 535 at 5,000 / 10,000 / 25,000 simultaneous UDP sessions and 64 / 512 / 1,024 / 1,518-byte packets; Tolly Group, 2001]
NetScreen's Enterprise Solution
• NetScreen: empowering enterprises with new security solutions
  – Gigabit security systems
  – Multi-department security systems
  – Security appliances for moderate-bandwidth environments
  – Broadband remote access and campus VPN demands
• Simple and affordable
  – Reduced number of devices required
  – Simplified network architecture, management and licensing
  – Less expensive than competitive solutions
  – Easy to deploy and manage