fwvs0014

Firewall / VPN Technical Overview Student Guide

Transcript of fwvs0014

8/8/2019 fwvs0014

http://slidepdf.com/reader/full/fwvs0014 1/35

Page 1

Firewall / VPN Technical Overview

A-FWVS-0014-EN-03-A01

NOTE: Please note this Student Guide has been developed from an audio narration. Therefore it will have conversational English. The purpose of this transcript is to help you follow the online presentation and may require reference to it.

1. Course Overview

Welcome to the Firewall/VPN Technical Overview.

In the first section we'll talk about our products and services, followed by the Universal Security Gateway Architecture. We'll then talk about VPNs and their advanced features. Finally, we'll make a brief analysis of the competitive market.

2. Module Objectives

On completing this course you will be able to

• Explain ScreenOS and the hardware architecture,

• Explain the difference between Interfaces, Zones, and VRs,

• Explain the Transparent Mode vs. Route Mode,

• Discuss Firewall features

• Discuss NAT functionality

• Discuss Site-to-Site and Remote Access IPSec VPNs

• Discuss advanced features – Dynamic Routing, Antivirus and Deep Inspection,

• Contrast Juniper Networks to major competitors, and

• Demonstrate the Juniper Networks Firewall/VPN WebUI Admin Tool.

3. Products and Services

4. Section Objectives

Now, let's discuss the features of the Juniper Networks range of FW/VPN devices.

After completing this section you'll be able to

• Describe current network security requirements.

• Describe Juniper Networks layered security solution.

• Describe the addressing of security requirements by Juniper Networks.

• Describe Juniper Networks purpose-built hardware platform and its performance.

• Describe ScreenOS.

• Describe the Juniper Networks layered security solution.

• Describe the Juniper Networks NetScreen Security Manager, and

• Identify the different Juniper Networks firewall/VPN products and the ideal customer for each.

Page 2

5. Current Security Requirements

Can you imagine a virus which doubles every eight seconds and deletes a particular file on every machine on the network? Think of the virus SQL Slammer. It replicated every eight seconds and brought down large sections of the Internet. It's not difficult to think of the havoc it would create if it started deleting files.

Today's security requirements are very complex. It's no longer sufficient to protect networks from external attacks. It's important to protect networks against attacks that are launched internally from machines that have legitimate network access, yet are roaming in an unauthorized manner, or launching a malicious attack.

The Juniper Networks Firewall/VPN solution has been specifically designed to protect networks against all types of security weaknesses.

6. Juniper Networks Layered Security Solution

The Juniper Networks broad line of innovative, scalable network security solutions allows networks to be secured cost-effectively without sacrificing performance. Juniper Networks firewall, VPN and intrusion prevention solutions use multiple layers of defense to provide networks with security, ensuring that critical assets are well protected. Juniper Networks has the answer for everyone from service providers looking for new services to enterprises looking for comprehensive network security solutions.

Page 3

This image shows Juniper Networks multiple-layered security solutions. Starting from the right, VPNs secure access from remote locations. Firewall and user access management are applied to incoming traffic from remote locations and the internal network to increase security. The popular in-line network antivirus solutions are available for the entire Juniper Networks product line. Intrusion Detection and Prevention devices concentrate their energy on looking for known network attack patterns. Instead of concentrating on reading packet headers, the IDP concentrates more on the data payload itself.

Juniper Networks solutions scale well. Although it is possible to implement a subset of features on one device, most sophisticated security solutions spread the load and the responsibilities across different devices located in various strategic locations.

7. Layered Security Solution Overview

Juniper Networks addresses all security concerns in a network with tightly integrated, purpose-built appliances.

Juniper Networks has a purpose-built network aware security appliance with built-in high availability and resiliency. This includes a Stateful inspection firewall, an IPSec VPN, denial of service protection, and access control. Juniper Networks complete line of solutions can be installed at the core infrastructure, in a regional office, or a remote office, or even in a small business/telecommuter/home office environment.

For remote users, remote office, and partner communications connecting to a Juniper Networks NetScreen solution, Juniper Networks includes a VPN client and personal firewall to protect the end-user PC.

Intrusion prevention automatically detects and prevents attacks from inflicting damage. With security zones, the rigid concept of trust, untrust, and DMZ is no longer required. Now, these security zones can be user defined. This provides IT departments with the ability to easily define and manage internal and external network segment security policies, with their own firewalls. Network segmentation protects critical resources from unauthorized roaming users and network attacks.

To protect the internal network, Juniper Networks NetScreen layered security solution combines a high physical interface density with virtualization capabilities such as security zones, virtual systems, virtual LANs, and virtual routers. With virtual systems, virtual LANs and virtual routers, IT departments can become even more granular in their security deployment and management – all within a single box. Centralized management using the Juniper Networks NetScreen Security Manager across the entire range of security products simplifies configuration, deployment, and management.

Page 4

8. How Juniper Addresses Security Requirements

Juniper Networks addresses all of today's security requirements. Juniper Networks purpose-built hardware platform and security specific operating system is geared for high performance. Juniper Networks integrated set of security applications protects networks with multiple security layers. Of course, the IDP can also be used separately. A wide range of advanced security functionalities, such as different route modes, a high physical interface density, and virtual systems ensure security.

Juniper Networks makes performance, reliability and a high return on investment an integral part of corporate security strategy.

9. Purpose-Built Hardware Platform

Rather than a patchwork solution, Juniper Networks has created an integrated high performance security solution. "Under the hood" a high performance ASIC is coupled with a RISC CPU and a high speed communications BUS, all of which are controlled by a security specific, real time operating system. In fact, the Juniper Networks NetScreen firewall is the first with security functionality embedded into an ASIC to maximize performance and throughput. By performing computationally intensive tasks in silicon, Juniper Networks NetScreen security solutions perform far better than software firewalls.

Page 5

Seamlessly integrated into the operating system are an ICSA certified Stateful inspection firewall and IPSec VPN, along with traffic management and denial of service protection mechanisms. Additionally, a set of built-in networking features allows easy integration of Juniper Networks solutions into different networks.

10. Purpose-Built Hardware Platform

Juniper Networks hardware platform eliminates OS hardening and eases network integration. The single platform solution ensures application interoperability. It also means that, unlike the competition, Juniper Networks platform, networking functions, OS, and applications can be easily managed from a single, centralized console. Juniper Networks purpose-built hardware platform will at least match if not exceed all performance requirements.

11. Performance: Advanced Hardware Design

Most competitor security devices are simply modified conventional network PC/server devices. Such solutions usually don't perform well and are subject to a wide range of attacks on the underlying platform.

The Juniper Networks firewall optimizes processing in a linear fashion, eliminating processing delays caused by traversing different APIs. Juniper Networks streamlined processing also helps eliminate unpredictable behavior.

With other types of solutions, the processing is more convoluted, interacting regularly with the RAM and the BUS, making performance less predictable and far from optimized.

In short, Juniper Networks hardware design is not only hard-working, it's smart as well.

12. ScreenOS

The ScreenOS is an operating system used to operate and leverage the entire Juniper Networks product line. The ScreenOS works consistently whatever the activity – configuration of basic network connectivity, routing protocols, firewall rules, DOS attack thresholds, or complicated IPSEC VPNs. The ScreenOS removes the hundreds of sub-prompts that represent joined operating systems and different logic patterns for different configuration areas.

Page 6

The ScreenOS controls all networking and security functionality. Tightly integrated with the hardware platform, the ScreenOS was written specifically to perform network security tasks in real-time. It includes security applications and makes network integration easier, thereby boosting security in typical corporate networks.

13. ScreenOS

ScreenOS improves security. It's easy to patch and easy to update.

ScreenOS allows Juniper Networks NetScreen security device to quickly adapt to changing security needs, improves performance, and speeds up deployment.

ScreenOS is a complete integrated firewall, VPN, attack blocking and traffic management device.

ScreenOS links itself to another identical firewall device and maintains constant connection with it. This ensures a smooth and complete redundancy if and when any failure occurs.

ScreenOS' dynamic routing protocols can understand and respond to the changing network environment,thereby increasing network resiliency.

14. ScreenOS

A logical-construct security zone allows the Firewall administrator to apply specific security policies to the traffic that enters or leaves certain designated areas of the network. One single Juniper Networks firewall can have multiple security zones. This allows network administrators to sub-divide the internal network and control internal traffic instead of simply viewing security as an inside vs. outside proposition.

Virtual Routers allow the route table inside the firewall to be sub-divided. This allows only certain networks to be "routable and reachable", and shields other networks from view. Virtual Routers also simplify the management of mappings between inside private IP addresses and outside public IP addresses.

15. ScreenOS

The Juniper Networks Firewall can operate either as a Router or Layer-2 Switch and offers a full range of Address Translation options, which increases network security.

The ScreenOS allows configurable threshold settings, which determine when to respond to different types of DOS attacks. Sensitivity levels in ScreenOS can be adjusted independently for each security zone.

The Juniper Networks firewall supports NAT traversal, allowing IPSec VPN tunnels to be established through NAT, PAT, or NAPT devices.

ScreenOS manages traffic by allocating bandwidth and prioritizing traffic, which optimizes bandwidth use.

Most Juniper Networks firewall products can dynamically acquire IP addresses via PPPoE and DHCP. This means that ScreenOS can deploy VPNs with remote clients who have dynamically assigned IP addresses.

16. NetScreen Security Manager

Juniper Networks NetScreen Security Manager is based on a new architecture, which delivers comprehensive device and policy based management and is designed for security, scalability, and flexibility.

Page 7

With comprehensive policy and device-based management, customers receive the benefits of both approaches, while eliminating drawbacks. The Security Manager:

• Manages every phase of the security lifecycle, including designing, deploying, configuring, monitoring, maintaining, upgrading, and adjusting,

• Manages all levels including device, networking and security policies,

• Provides the needed power, tools, access and control to the right groups and is good for both experts and novice users,

• Provides support to perform activities at the device or management level,

• Provides immediate insight into the overall security scenario, from conceptual to detailed device-specific level,

• Provides flexibility of full device configuration, with the simplicity of policy-based management,

• Allows for creating general rules, and exceptions to rules where required by individual devices, and

• Handles devices and the management system as a dynamic, integrated system, where each component has a complementary function.

17. NetScreen Security Manager

The Juniper Networks NetScreen Security Manager can be deployed easily without the need for pre-staging a device, or any technical expertise at the point of installation.

The IDP Security Module on the ISG platform along with the IDP 4.0 sensors can only be managed by NSM.

Also, the Juniper Networks NetScreen Security Manager can deploy new devices into the network at remote locations. It allows the administrator to generate a configuration file, which is then encrypted and emailed to the remote site for easy importing into the remote firewall device. After the start-up config file is validated, the configuration is automatically updated.

With the Juniper Networks NetScreen Security Manager, you can get new devices up and running quickly, reducing provisioning time and cost. The Juniper Networks NetScreen Security Manager has reduced installation to just four clicks.

The Statistical Report Server is used to store information about the managed FW/VPN devices in your network. It can then use this information to generate reports enabling administrators to further view and analyze information about your network security deployment.

18. NetScreen Products & Target Market

Page 8

Juniper Networks has a complete line of Firewall / VPN products to meet every customer's needs.

The Juniper Networks NetScreen 5 is ideal for remote security and small organizations. The Juniper Networks NetScreen-25 and NetScreen-50 are complete security solutions for enterprise branch and remote offices, as well as small and medium size companies.

While the Juniper Networks NetScreen-200 series is ideal for mid-sized enterprises, both medium and large enterprises will find Juniper Networks NetScreen-500 of value.

The Juniper Networks NetScreen SSG 520 and 550 are designed to manage both small and medium size enterprises and will eventually replace the current NS 25, 50, and 200 series of firewalls.

Juniper Networks NetScreen-ISG 1000 and 2000 provide medium and large organizations with the best FW, VPN and Intrusion Prevention for secure connectivity and network and application-level attack protection.

Juniper Networks NetScreen-5000 series delivers high-performance security to large enterprise, carrier, and data center networks.

19. Section Summary

In this section you've learned to

• Describe current network security requirements.

• Describe Juniper Networks layered security solution.

• Describe the addressing of security requirements by Juniper Networks.

• Describe Juniper Networks purpose-built hardware platform and its performance.

• Describe ScreenOS.

• Describe Juniper Networks layered security solution.

• Describe the Juniper Networks NetScreen Security Manager, and

• Identify the different Juniper Networks firewall/VPN products and the ideal customer for each.

20. Learning Activity #1 Question 1

21. Learning Activity #1 Question 2

22. USGA Architecture

23. Section Objectives

Now, let's discuss network security architecture with specific reference to Juniper Networks products and solutions.

After completing this section you'll be able to

• Describe security architecture components.

• Describe security device requirements.

Page 9

• Describe the Transparent Mode.

• Describe the Layer 3 Operations Mode.

• Describe the Firewall/VPN decision process/packet flow.

• Describe Stateful packet inspection, and

• Describe NAT.

24. Security Architecture Components

Let’s quickly review common security architecture components and their functions.

Interfaces are connections to specific subnets. An interface is assigned an IP address and thereby associated with an IP subnet.

Interfaces and subnets are grouped logically into zones. All devices within a zone share the same security requirements. Zone configuration can be a simple two-zone setup, where all interfaces within the internal network are in one zone and all other interfaces are in a different zone. Complicated configurations create zones based on internal departments and as per external and DMZ connections.

Juniper Networks firewalls use zone-based policies to implement network security. Security policies specify the parameters that determine which traffic passes through the firewall. Policies are usually implemented on a zone-by-zone basis.

25. Security Architecture Components

A virtual router or VR is a logical routing construct, which maintains its own routing table and routing logic. In order for traffic to flow between VRs, inter-VR routing must be configured.

The forwarding table determines the outbound interface for a particular packet. It consists of IP networks if the device is operating in the Layer 3 mode, and MAC addresses if the device is operating in the Layer 2 mode.

A virtual system or VSYS is a logical division of the network into different administrative areas. Each VSYS operates its own firewall with its own set of policies. Juniper Networks firewalls are the only firewalls to support VSYS.

26. Security Device Requirements

Let's quickly review the requirements of various security devices, their components, and functions.

An in-line security device must be able to forward the traffic that it receives. This means that it must be able to track MAC addresses on a per-port basis so that it can make intelligent forwarding decisions, like an Ethernet transparent bridge. If the device operates with full IP intelligence, the device must also be able to participate in IP routing.

Fundamental firewall intelligence implies the ability to filter based on packet header information. When packets are received by a firewall, they are evaluated and are either allowed to pass through or are dropped.

Security devices at the edge of a network must also be able to translate private, non-routable addresses into public addresses before the traffic is sent to the public network.

Security devices used to build VPNs must be able to

• Authenticate the originating device as a part of the VPN,

• Encrypt the original packet for additional security on the public network, and

• Encapsulate the original traffic in a packet that can be transported over the public network.

Page 10

27. Transparent Mode

Firewall devices can operate in either Router or Transparent mode. In Transparent mode, no changes are required in the network. The security device can be simply "dropped in" without changes in the IP addressing scheme.

In transparent mode, firewall policies are not restricted to directly connected subnets.

Increased security is another plus point with Juniper Networks VPNs because they can be terminated to the security device. Security is also increased because the network can be segmented into security zones based upon the sensitivity of resources, thereby providing for greater traffic control.

28. Layer 3 Mode

It is important to note however that the default setting for a firewall device is the layer 3 or route mode. Unlike the transparent mode, in the layer 3 mode, each interface has its own IP address. Therefore, forwarding decisions between interfaces are based on IP addresses, instead of MAC addresses.

29. NetScreen Decision Process / Packet Flow

When Juniper Networks firewalls receive an information packet, they have two choices: to forward the packet or to discard it. The firewall makes up to four evaluations before making this decision.

If the packet is associated with an existing session, then the information is in the session table and all traffic from that session is permitted without further evaluation.

If the packet is not associated with any existing session, the firewall checks whether the destination address is reachable. If the destination is unreachable, the packet is dropped.

If the destination is reachable, the firewall checks to see if the packet will cross zones. If the packet is not crossing zones, the packet is forwarded and the session is added to the session table.

If the zones are different, the firewall checks if the traffic is permitted by the policy. If the flow information is not permitted, the packet is dropped. If the flow information from the packet is permitted by the policy, it is forwarded, and information for this traffic flow is added to the session table so that subsequent packets for this session are forwarded as efficiently as possible.

30. Stateful Packet Inspection

Juniper Networks devices use Stateful inspection, a dynamic packet filtering method, to secure network connections. Firewalls use Stateful inspection to collect information from a packet header, such as source and destination IP addresses, source and destination port numbers, and packet sequence numbers. The devices maintain the state of each TCP session or UDP pseudo-session and ensure a proper interpretation of the communication session. When a responding packet arrives, the firewall compares the information in its header with the state of the associated session in the inspection table. If they match, the responding packet passes through the firewall; otherwise the packet is dropped.

Juniper Networks firewalls stand out because they secure a network, using Stateful inspection to determine whether connection attempts crossing an interface are allowed to do so.
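The four-step decision process and the stateful session matching described above, as an added example that is not part of the student guide: a toy Python model with a session table, a route table, interface-to-zone bindings and zone-pair policies. Interface names (eth1 to eth3), zone names, addresses and the single policy are constructed for this example.

```python
"""Added example (not from the student guide): a toy model of the four-step
decision process described in the text, with a session table, a route table,
interface-to-zone bindings and zone-pair policies. Interface names, zone
names, addresses and the policy are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str   # interface the packet arrived on


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    service: tuple  # (proto, dport); ("any", 0) matches everything
    action: str     # "permit" or "deny"


class Firewall:
    def __init__(self):
        self.iface_zone = {}   # interface -> security zone
        self.routes = []       # (network, out_iface); longest prefix wins
        self.policies = []     # ordered; first match wins
        self.sessions = {}     # 5-tuple -> interface to forward out of

    def bind(self, iface, zone):
        self.iface_zone[iface] = zone

    def add_route(self, cidr, out_iface):
        self.routes.append((ip_network(cidr), out_iface))

    def add_policy(self, policy):
        self.policies.append(policy)

    def _route(self, dst):
        addr = ip_address(dst)
        hits = [(n, i) for n, i in self.routes if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def _policy_action(self, pkt, from_zone, to_zone):
        for p in self.policies:
            if (p.from_zone, p.to_zone) != (from_zone, to_zone):
                continue
            if p.src != "any" and ip_address(pkt.src) not in ip_network(p.src):
                continue
            if p.dst != "any" and ip_address(pkt.dst) not in ip_network(p.dst):
                continue
            if p.service != ("any", 0) and p.service != (pkt.proto, pkt.dport):
                continue
            return p.action
        return "deny"          # no matching inter-zone policy: default deny

    def process(self, pkt):
        """Return (verdict, reason) for one packet."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # 1. Existing session: header matches an entry, forward without re-evaluation.
        if key in self.sessions:
            return "forward", "session match"
        # 2. Is the destination reachable? Drop if there is no route.
        out_iface = self._route(pkt.dst)
        if out_iface is None:
            return "drop", "no route to destination"
        # 3. Does the packet cross zones? Intra-zone traffic needs no policy.
        from_zone = self.iface_zone[pkt.in_iface]
        to_zone = self.iface_zone[out_iface]
        # 4. Inter-zone traffic must be permitted by policy.
        if from_zone != to_zone and self._policy_action(pkt, from_zone, to_zone) != "permit":
            return "drop", f"policy denies {from_zone}->{to_zone}"
        # Install both directions so the reply is matched in step 1 (stateful).
        self.sessions[key] = out_iface
        self.sessions[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = pkt.in_iface
        return "forward", f"new session {from_zone}->{to_zone} via {out_iface}"


def build_demo_firewall():
    """Constructed topology: two trust interfaces, one untrust, HTTP permitted outbound."""
    fw = Firewall()
    fw.bind("eth1", "trust")
    fw.bind("eth2", "trust")
    fw.bind("eth3", "untrust")
    fw.add_route("10.1.1.0/24", "eth1")
    fw.add_route("10.1.2.0/24", "eth2")
    fw.add_route("203.0.113.0/24", "eth3")
    fw.add_policy(Policy("trust", "untrust", "10.1.0.0/16", "any", ("tcp", 80), "permit"))
    return fw


if __name__ == "__main__":
    fw = build_demo_firewall()
    for pkt in [
        Packet("tcp", "10.1.1.10", 4444, "203.0.113.5", 80, "eth1"),  # new flow, permitted
        Packet("tcp", "203.0.113.5", 80, "10.1.1.10", 4444, "eth3"),  # reply, session match
        Packet("tcp", "203.0.113.5", 80, "10.1.1.10", 5555, "eth3"),  # unsolicited, dropped
        Packet("tcp", "10.1.1.10", 4445, "10.1.2.20", 22, "eth1"),    # same zone, no policy needed
        Packet("tcp", "10.1.1.10", 4446, "192.0.2.9", 80, "eth1"),    # no route
    ]:
        print(pkt.src, "->", pkt.dst, fw.process(pkt))
```

The unsolicited packet from the untrust side is the stateful case: its header matches no session entry, so it is evaluated as new traffic and dropped for lack of an untrust-to-trust policy.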

Page 11

31. Network / Port Address Translation

Route and Network Address Translation or NAT options convert private address space to public addresses. This allows Juniper Networks integrated firewall/IPSec VPN devices to be deployed with IP addresses assigned to their interfaces.

Policy-based NAT provides the flexibility to define exactly what address translation takes place on any given traffic. Hiding private IP addresses from public view increases security. Juniper Networks integrated firewall/VPN devices can be used to assign different modes to each interface, leveraging the advantages of each mode.

Juniper Networks integrated firewall/VPN devices support Static NAT, Dynamic NAT, Static Port-Address Translation (or PAT) or Dynamic Port-Address Translation.
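The four translation modes just listed, as an added example that is not the student guide's or Juniper's own code: a toy Python translator with static NAT, dynamic NAT from a pool, static PAT (a fixed public port published to one inside host) and dynamic PAT (many inside hosts behind one public address with rewritten source ports). All addresses, ports and the pool size are constructed for this example.

```python
"""Added example (not from the student guide): a toy translator covering static
NAT, dynamic NAT from a pool, static PAT and dynamic PAT. A reply with no entry
in the translation table is refused, which is what keeps private addresses
hidden from the public side. Addresses, ports and pool are constructed."""


class Translator:
    def __init__(self, public_ip, pool=(), pat_base=20000):
        self.public_ip = public_ip      # shared address for dynamic PAT
        self.pool = list(pool)          # free addresses for dynamic NAT
        self.static = {}                # private ip -> dedicated public ip
        self.static_pat = {}            # (proto, public port) -> (private ip, port)
        self.dynamic = {}               # private ip -> pool address it holds
        self.pat = {}                   # (proto, public port) -> (private ip, port)
        self.pat_rev = {}               # (proto, private ip, port) -> public port
        self.next_port = pat_base

    def add_static(self, private_ip, public_ip):
        self.static[private_ip] = public_ip

    def add_static_pat(self, proto, public_port, private_ip, private_port):
        self.static_pat[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, proto, src, sport):
        """Translate a private->public packet; returns (new_src, new_sport, mode)."""
        if src in self.static:                           # static NAT: fixed 1:1 mapping
            return self.static[src], sport, "static-nat"
        if src not in self.dynamic and self.pool:        # dynamic NAT: take a pool address
            self.dynamic[src] = self.pool.pop(0)
        if src in self.dynamic:
            return self.dynamic[src], sport, "dynamic-nat"
        key = (proto, src, sport)                        # dynamic PAT: share public_ip
        if key not in self.pat_rev:
            self.next_port += 1
            self.pat_rev[key] = self.next_port
            self.pat[(proto, self.next_port)] = (src, sport)
        return self.public_ip, self.pat_rev[key], "dynamic-pat"

    def inbound(self, proto, dst, dport):
        """Translate a public->private packet; returns (private_ip, port, mode) or None."""
        for priv, pub in self.static.items():
            if pub == dst:
                return priv, dport, "static-nat"
        for priv, pub in self.dynamic.items():
            if pub == dst:
                return priv, dport, "dynamic-nat"
        if dst == self.public_ip:
            if (proto, dport) in self.static_pat:        # published service
                priv, pport = self.static_pat[(proto, dport)]
                return priv, pport, "static-pat"
            if (proto, dport) in self.pat:               # reply to an outbound flow
                priv, pport = self.pat[(proto, dport)]
                return priv, pport, "dynamic-pat"
        return None                                      # unsolicited: no mapping, refused


def demo():
    """Constructed scenario: one pool address, one mail server published on port 25."""
    t = Translator("203.0.113.1", pool=["203.0.113.2"])
    t.add_static("10.1.1.5", "203.0.113.10")
    t.add_static_pat("tcp", 25, "10.1.1.25", 25)
    results = {
        "server": t.outbound("tcp", "10.1.1.5", 40000),
        "first_client": t.outbound("tcp", "10.1.1.20", 40001),   # takes the pool address
        "second_client": t.outbound("tcp", "10.1.1.21", 40002),  # pool exhausted, falls to PAT
        "third_client": t.outbound("tcp", "10.1.1.22", 40002),   # same source port, distinct public port
    }
    results["reply_to_pat"] = t.inbound("tcp", "203.0.113.1", results["second_client"][1])
    results["mail_in"] = t.inbound("tcp", "203.0.113.1", 25)
    results["unsolicited"] = t.inbound("tcp", "203.0.113.1", 40002)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```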

32. Section Summary

In this section you've learned to:

• Describe security architecture components.

• Describe security device requirements.

• Describe the Transparent Mode.

• Describe the Layer 3 Operations Mode.

• Describe the Firewall/VPN decision process/packet flow.

• Describe Stateful packet inspection, and

• Describe NAT.

33. Learning Activity #2 Question 1

34. Learning Activity #2 Question 2

35. IPSec VPNs

36. Section Objectives

In this section we'll focus on the Juniper Networks IPSec VPN solutions.

After completing this section you'll be able to

• Discuss different topologies used to set up the IPSec VPNs.

• Explain how policy-based VPNs work.

• Explain how route-based VPNs work, and

• Explain how remote access VPNs work.

Page 12

37. Background

To begin with, we'll take a look at the connectivity requirements of the business organizations today.

Business networks carry vital and sensitive information between remote sites located across the globe. In order to keep the information confidential and the resources secure, they require a solution that provides high-performance connectivity, while maintaining network security.

38. Background


Virtual private networks are widely accepted as a viable connectivity solution. VPNs provide a secure means of transporting private data over a public network infrastructure, such as the Internet. IP Security is the most widely used protocol for building VPNs.

Juniper Networks offers cost-effective, flexible IPSec VPN solutions, best suited for remote or branch offices, telecommuters and fixed partner site-to-site connections, where the users have managed corporate devices and are coming from a trusted network.

39. IPSec VPNs - Topologies

Page 13

The Juniper Networks IPSec VPN solutions use the Internet as the transport medium and the IP Security protocol to build the VPNs. The IPSec VPNs can be configured between two sites using security gateways. There are many different topologies to set up the IPSec VPNs.

Let's look at a basic site-to-site topology of IPSec VPNs. This is the simplest form of a VPN connection that can be established between two sites of an organization.

IPSec uses a method called tunneling, where a single encrypted tunnel is established between gateways over which the traffic flows.

The identity of the original IP packet is hidden by encapsulating it with a different IP header. The data that is encapsulated is encrypted.

Thus, IPSec VPNs provide a secure tunnel across the Internet.

40. IPSec VPNs - Topologies

Now let's look at the factors that are to be considered when connecting multiple sites via VPNs. One of the important factors to understand is the overall layout of the tunnel interconnections. The question is: which sites in the network need to communicate with each other?

One option is to use a full mesh topology to achieve full interconnectivity between sites.

In a full mesh, each site has a VPN to every other site in the network, so n sites need n(n-1)/2 tunnels, and every one of them must be configured independently on both ends. Although this topology provides full connectivity, it's difficult to configure and maintain for large networks. Furthermore, the Juniper Networks NetScreen-5 series firewall/VPN devices allow only up to 10 VPNs, which a full mesh exhausts at five sites.


41. IPSec VPNs - Topologies

Another way to connect multiple sites is to use the hub and spoke topology. In this case, a number of remote sites, or spokes, are connected to a central site, the hub. The remote sites can reach each other by relaying traffic through the hub.

The hub and spoke topology overcomes some of the limitations of a full mesh. Because the hub decrypts and re-encrypts the relayed traffic, only n-1 tunnels are needed for n sites. The trade-off is that all spoke-to-spoke traffic passes through the hub, which therefore sees it in the clear and becomes both the capacity bottleneck and a single point of failure.

42. Policy-based VPNs

Let's take a look at policy-based VPNs. A policy-based VPN relies on a security policy to determine whether traffic should flow through a tunnel. The policy is configured on each IPSec gateway with the action "tunnel" and a reference to the VPN; when a packet matches that policy, the gateway initiates (or uses) the tunnel to the peer. Nothing is added to the IP packet itself by the policy; the tunnel selection is a property of the policy lookup.

The policy must be bi-directional, because the traffic flows in both directions. If traffic matches the policy, a VPN tunnel is created, the traffic is encrypted, and it is allowed to pass through the tunnel.

43. Route-based VPNs

Another approach to setting up site-to-site IPSec VPNs is by using route-based VPNs.


Route-based VPNs require a tunnel interface and a route that directs traffic for the protected network to that interface. Whether the tunnel is used is decided by the route table lookup.

The tunnel interface is bound to the VPN configuration, which carries all the tunnel parameters. Since the route table, not the policy, decides the direction of traffic, policies are used only to permit or deny traffic between the zone of the tunnel interface and the zone of the protected resources. If the tunnel interface is placed in the same zone as the protected resources, no policy is required at all, because intrazone traffic is allowed by default.
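To make the contrast between sections 42 and 43 concrete, here is the same site-to-site VPN configured both ways in ScreenOS CLI syntax. This is an added example, not configuration from the course or from Juniper documentation. The names and addresses are assumptions: the local LAN 10.1.0.0/16 sits in the trust zone, the branch LAN 10.2.0.0/16 sits behind a peer gateway at 203.0.113.2, and ethernet3 is the untrust interface (on a NetScreen-5GT the physical interfaces are named trust and untrust instead). Lines beginning with "#" are annotations, not ScreenOS syntax, and a real deployment would use either part (a) or part (b), not both.

```screenos
# Added example: one site-to-site IPSec VPN, policy-based (a) versus route-based (b).
# Assumed objects: hq-lan 10.1.0.0/16 (trust), branch-lan 10.2.0.0/16 (behind 203.0.113.2),
# untrust interface ethernet3. "#" lines are annotations; strip them before pasting.

# --- shared: address book entries, IKE Phase 1 gateway and Phase 2 VPN ---
set address trust "hq-lan" 10.1.0.0 255.255.0.0
set address untrust "branch-lan" 10.2.0.0 255.255.0.0
# main mode with a pre-shared key; "standard" selects the stronger predefined
# proposals (AES-128 or 3DES with SHA-1, DH group 2). Avoid "basic", which allows DES.
set ike gateway "gw-branch" address 203.0.113.2 main outgoing-interface ethernet3 preshare "replace-with-a-long-random-key" sec-level standard
set vpn "vpn-branch" gateway "gw-branch" sec-level standard
# keep the tunnel alive and detect a dead peer instead of waiting for user traffic
set vpn "vpn-branch" monitor optimized rekey

# --- (a) policy-based: the policy itself names the VPN, one policy per direction ---
set policy from trust to untrust "hq-lan" "branch-lan" any tunnel vpn "vpn-branch"
set policy from untrust to trust "branch-lan" "hq-lan" any tunnel vpn "vpn-branch"

# --- (b) route-based: bind the VPN to a tunnel interface and let the route table steer traffic ---
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set vpn "vpn-branch" bind interface tunnel.1
set route 10.2.0.0/16 interface tunnel.1
# policies now only permit or deny and no longer reference the VPN. They are still
# needed because tunnel.1 is in untrust; putting tunnel.1 in the trust zone next to
# hq-lan would remove the need for them (intrazone traffic is permitted by default).
set policy from trust to untrust "hq-lan" "branch-lan" any permit
set policy from untrust to trust "branch-lan" "hq-lan" any permit
save
```

After the peer is configured as a mirror image, `get ike cookie` shows the Phase 1 negotiation, `get sa active` lists the live Phase 2 security associations, and in the route-based variant `get route` should show 10.2.0.0/16 pointing at tunnel.1. The practical reason to prefer (b) is that a tunnel interface can carry dynamic routing and can be monitored like any other interface, which is what the dynamic routing and redundancy features later in this course build on.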

44. Remote Access VPNs

Now, we'll discuss how to establish an IPSec VPN connection for remote or mobile users, where the users have corporately managed devices and are coming from a trusted network. These users require a secure connection to the network.

In this example, a telecommuter is trying to access the corporate headquarters. To provide a secure connection, a tunnel is built between the remote user's computer and a VPN hub at the headquarters. As the user will most likely be using a dynamic address, the VPN tunnel must be initiated by the user. Once the tunnel is established, traffic can flow in both directions.

45. Section Summary

In this section, you've learned

• About the different topologies used to set up IPSec VPNs

• How policy-based, route-based, and remote access VPNs work

46. Learning Activity #3 Question 1


47. Learning Activity #3 Question 2

48. Advanced Features - Firewall / VPN Products

49. Section Objectives

Next, we'll discuss some of the advanced features of the Juniper Networks firewall products.

After completing this section you'll be able to:

• Explain how embedded antivirus technology works on the Juniper Networks NetScreen-5GT and SSG appliances.

• Explain how Juniper Networks NetScreen ISG series devices use external antivirus technology.

• Explain how the Juniper Networks Deep Inspection solution works.

• Explain how stateful signatures protect the network from data-level attacks.

• Discuss various routing protocols supported by the Juniper Networks firewall/VPN devices.

• Compare source-based and destination-based routing.

• Explain how dynamic routing works.

• Describe NSRP, NSRP-Lite, and the high availability configurations supported by these redundancy protocols.

• Explain how virtual systems operate, and

• Discuss how the Juniper Networks firewall/VPN devices can be managed using the WebUI administrative tool.

50. Embedded Antivirus Technology

To begin with, we'll talk about the antivirus features offered by the Juniper Networks firewalls.

Today, enterprises are alarmed by the speed at which virus attacks are damaging their critical assets. These attacks are getting more and more sophisticated and are increasing both in number and in complexity.

To address this concern, Juniper Networks supports both internal and external antivirus (AV) scanning on selected products (the 5GT and SSG for embedded scanning). The embedded AV scan engine requires an additional license, whereas external AV does not. Juniper Networks supports two embedded scanning engines, Trend Micro and Juniper-Kaspersky.

The embedded antivirus engine scans incoming e-mail and web traffic, including SMTP, POP3, IMAP and HTTP along with FTP, thus providing comprehensive virus protection for distributed networks. This is an ideal solution for small or remote offices and telecommuters that don't carry high volumes of traffic.

51. Embedded Antivirus Technology

In this example, an e-mail with an infected attachment reaches the NetScreen-5GT firewall.


The NetScreen-5GT device scans the traffic in-line using Trend Micro's scan engine and drops the infected e-mail. It then sends a warning to both the sender and the receiver, thus preventing the virus from penetrating the network.

52. External Antivirus Solution

Now, let's look at the external antivirus solution offered by Juniper Networks for centralized and regional sites that deal with large amounts of traffic.

Juniper Networks supports external AV on the ISG products. External AV scanning occurs when the security device redirects traffic to an external Internet Content Adaptation Protocol (ICAP) AV scan server. External AV currently supports ICAP v1.0, is fully compliant with RFC 3507, and supports the Symantec Scan Engine version 5.0 ICAP server.

53. URL Filtering

URL filtering, which is also called web filtering, enables you to manage Internet access and prevent access to inappropriate web content.

NetScreen provides two URL filtering solutions:

• Integrated URL filtering

• Redirect URL filtering

54. URL Filtering

With integrated URL filtering, you can permit or block access to a requested site by binding a URL filtering profile to a firewall policy. A URL filtering profile specifies URL categories and the action the NetScreen device takes (permit or block) when it receives a request to access a URL in each category. URL categories are either pre-defined and maintained by SurfControl or user-defined.


With redirect URL filtering, the NetScreen device sends the first HTTP request in a TCP connection to either a Websense server or a SurfControl server, enabling you to block or permit access to different sites based on their URLs, domain names, and IP addresses.

55. Attack Detection - Overview

Juniper Networks offers its customers end-to-end security solutions that enable them to protect their networks against different types of attacks.

Some of the screening functions protect the network from common attacks such as Denial of Service and buffer overflow attacks. By working in conjunction with external servers such as the Symantec ICAP server and the Websense URL filter, the firewall devices can block specific viruses and URLs.

A stateful firewall can prevent access by unauthorized users and block network-level attacks, but on its own it is incapable of looking into or interpreting application-level attacks embedded within the data it permits.

To address this problem, Juniper Networks offers another level of protection called Deep Inspection. The deep inspection functionality detects these embedded attacks and drops the malicious traffic before it reaches the network.

56. Deep Packet Inspection

Now, let's look at the Deep Inspection technology in a bit more detail.

Building on the strengths of stateful inspection and intrusion prevention technologies, the Juniper Networks Deep Inspection firewalls protect the network against application-level attacks.

The firewalls leverage the efficiency of both technologies in performing network security functions, as well as analyzing the traffic beyond the layer 3 and layer 4 headers.

The Deep Inspection firewalls provide application layer protection at the perimeter of the network for the most prevalent Internet protocols, such as HTTP, SMTP, IMAP, and so on. They first make the access control decision on the traffic, and for traffic that is accepted, they look deeper for embedded attacks.

The Juniper Networks firewalls perform two types of deep inspection. The first uses built-in, hardware-assisted Application Layer Gateways (ALGs), so certain applications can be processed without impacting CPU performance. The second uses a signature database to detect data-level attacks.

57. Stateful Signatures

The Juniper Networks Deep Inspection firewalls use a signature database to store attack patterns, which are also referred to as signatures.

Stateful signatures specify the context of the attack signature, the flow to be monitored, and the direction of the traffic flow. They look for the attack pattern only in the relevant portion of the traffic. This significantly reduces false alarms, because pattern matches in irrelevant portions are ignored.

For example, an attacker connects to a mail server of a corporate network and tries to expose the mailing list by issuing the "EXPN root" command during the command portion of the SMTP session. The firewall is configured to look for the "EXPN root" signature in the command portion of the session. Stateful signatures can differentiate between the command portion of the session and the body of the e-mail.

So, if "EXPN root" is detected in the command portion, the session is dropped. But if the same string appears anywhere else, for instance in the body of a message discussing this very attack, it is not considered an attack.

Thus, stateful signatures reduce the chance of false positives by looking specifically at the relevant portion of the session.


58. Routing Protocols

Now let's move on to the routing capabilities of the Juniper Networks firewall products.

The firewalls make forwarding decisions based on Layer 3 addresses, so they need to build an internal routing table. There are two options for adding routes to the routing table: manually configuring static routes, or using dynamic routing protocols to populate the table automatically.

59. Routing Protocols

The Juniper Networks integrated Firewall/VPN products support a robust set of industry standard routing protocols including RIPv2, OSPF, and BGP. We'll take a quick look at each of them.

RIPv2, or Routing Information Protocol version 2, is a distance vector routing protocol that is widely used for managing router information within a self-contained network such as a corporate LAN or an interconnected group of such LANs.

BGP, or Border Gateway Protocol, is used for exchanging routing information between gateway hosts in a network of autonomous systems. BGP is the protocol used between gateway hosts on the Internet.

OSPF, or Open Shortest Path First, is a link-state routing protocol used within larger networks in preference to RIP. It selects the path with the lowest cumulative cost to the destination, where cost is an administratively assigned metric on each link.

60. Routing Methods

Next, we'll provide an overview of the different routing methods and the approach used by the Juniper Networks firewall/VPN devices.

The forwarding decision is based on a route lookup, and the device supports three lookup methods, consulted in this order: policy-based, source-based, and destination-based.

The first method consulted is Policy Based Routing (PBR). It is transparent to all non-PBR traffic. PBR implements policies that selectively cause matching packets to take a different path. PBR is configured at the interface level and can be bound to an interface, a zone, a virtual router, or any combination of these.

Source-based routing makes the forwarding decision on the traffic's origin: a source-based route says "packets from this source prefix leave through this interface or next hop". These entries are static and are consulted only if no PBR policy matched.

Destination-based routing, the familiar method, forwards on the destination address and is consulted last. Its table is the only one that can be populated two ways: manually, with static routes, or automatically, by a dynamic routing protocol such as RIP, OSPF or BGP. A static route never changes, so it leaves a broken path in the table when the link it points to fails. A dynamically learned route is withdrawn or replaced when the protocol notices the failure, which is what allows the path to change.

The Juniper Networks approach for resilient VPNs is therefore destination-based routing populated by dynamic routing protocols, which we discuss next.

61. Dynamic Routing

Now, let's talk about the dynamic routing capabilities of the Juniper Networks VPNs.


Dynamic routing is a routing method that automatically learns the network configuration and adjusts to changing network circumstances by analyzing incoming routing update messages. If a message indicates that a network change has occurred, the routing protocol recalculates the routes and sends out new routing messages. These messages direct the other routers to re-run their algorithms and change their routing tables accordingly.

By leveraging the capabilities of dynamic routing, the Juniper Networks VPNs can survive a connection failure by automatically finding an alternate route.

62. Dynamic Routing

Juniper Networks VPNs provide flexibility for large networks with redundant ISP provisioning. In case of a link failure, dynamic routing in these VPNs automatically finds optimal paths and traffic is directed through an available service provider network.

63. Dynamic Routing


Furthermore, the Juniper Networks VPNs offer redundancy at the logical VPN layer. A device can hold multiple tunnels to the same protected network, each with its own security associations; VPN monitoring detects when a tunnel is dead, and traffic is automatically moved to the tunnel that is still live.

Dynamic routing allows these VPNs to automatically learn which networks are accessible through the VPN.

64. NSRP and High Availability

The Juniper Networks VPNs also support device redundancy for high availability.

This high availability of the devices is centered round the NetScreen Redundancy Protocol, or NSRP. This protocol enables Juniper Networks to provide sub-second stateful failover between the firewall devices, without losing sessions.

NSRP enables a redundant pair of security devices to be integrated into a high-availability network architecture.

The devices are deployed in redundant pairs and share both static configuration information and dynamic run-time information. As a result, when one device fails, the sessions and security associations it was handling are already present on the surviving device and continue there without having to be re-established.


65. NSRP and High Availability

The devices can be configured in two different NSRP modes: active/passive and active/active.

In active/passive mode, one device is the master (active) and the other is its backup (passive). The master sends all of its network and configuration settings and its current session information to the backup. If the master fails, the backup takes over the traffic processing.

In active/active mode, both devices are configured to be active, with each device receiving approximately 50 percent of the network and VPN traffic. If a failover occurs, all traffic is handled by a single firewall.

The advantage is that better throughput is achieved while both devices are functional. It is important to design the network so the total load does not exceed the capacity of a single device; otherwise the survivor is overloaded at exactly the moment it has to carry everything.
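The following is an added example of an NSRP active/passive pair in ScreenOS CLI syntax; it is not configuration taken from the course or from Juniper. It assumes ethernet1 is the trust interface, ethernet3 the untrust interface, a dedicated HA link between the two units, and management addresses 10.1.0.2 and 10.1.0.3; all of those are assumptions, and lines beginning with "#" are annotations rather than ScreenOS syntax. The line that makes the pair stateful, as opposed to the NSRP-Lite behaviour described in section 68, is the RTO mirror setting.

```screenos
# Added example: NSRP active/passive pair with stateful failover.
# Assumed: ethernet1 = trust, ethernet3 = untrust, dedicated HA link, two management IPs.
# "#" lines are annotations; strip them before pasting.

# --- identical on both members ---
set nsrp cluster id 1
# authenticate and encrypt the HA traffic so a host on the HA segment cannot inject
# state or read mirrored sessions; use long random passwords, not these placeholders
set nsrp auth password replace-with-random-auth-key
set nsrp encrypt password replace-with-random-encrypt-key
# mirror run-time objects (sessions, SAs) to the backup; omit this and you get
# configuration sync only, i.e. the NSRP-Lite behaviour where sessions are lost on failover
set nsrp rto-mirror sync
set nsrp config sync
# fail over if either the inside or outside link of the master goes down
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet3
# let the preferred master reclaim the VSD group once it recovers
set nsrp vsd-group id 0 preempt

# --- member A, the intended master: the lower priority number wins ---
set nsrp vsd-group id 0 priority 50
set interface ethernet1 manage-ip 10.1.0.2

# --- member B, the backup ---
set nsrp vsd-group id 0 priority 100
set interface ethernet1 manage-ip 10.1.0.3
save
```

The manage-ip is per device and is what you log in to; the interface IP itself is the virtual address shared by the VSD group and follows the master. `get nsrp` on either unit shows the VSD group state and whether RTO synchronization is up, and `exec nsrp sync global-config save` on the backup pulls the master's configuration across if the two have drifted. Remember the caveat from section 66: this protects only the firewall pair, so the switches on both sides and the upstream routers need their own redundancy.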

66. NSRP and High Availability


It is very important to note that NSRP provides redundancy for the Juniper firewalls only. If the rest of the network is not configured for redundancy, failures in switches and routers will still interrupt the traffic flow, regardless of the Juniper firewall capabilities.

67. NSRP and High Availability

To achieve full network connectivity, an active/active full mesh configuration can be used. In this case, both devices are configured to be active, with network traffic flowing through each.

If one device fails, the other becomes the master and continues to handle 100 percent of the traffic. In full mesh mode, throughput adjustments must be made to ensure that, if a failover occurs, device performance is not hindered in any way.

68. NSRP-Lite

Now, let's look at NSRP-Lite, which is a reduced implementation of the NetScreen Redundancy Protocol.

NSRP-Lite uses a subset of the full NSRP to provide a simple high availability solution on some of the Juniper Networks firewall devices. These include the Juniper Networks NetScreen-50, the NetScreen-25, and the NetScreen-5GT Extended devices.

When two Juniper devices are configured for NSRP-Lite, one device acts as the master and the other as its backup. In this case, only configuration information is synchronized between the devices, not the run-time object (RTO) information. If a link or device failover occurs, all user sessions and VPN connections must be re-established on the newly active device. Although this configuration provides redundancy, it does not provide true high availability, because every session in flight at the moment of failover is lost.

Additionally, in NSRP-Lite only one cluster ID and one Virtual Security Device (VSD) are used. Moreover, only the trust interface is monitored, so there is no need to set up Virtual Security Interfaces.

69. Virtual Systems

Virtualization is another key feature offered by the Juniper Networks security products. Virtualization allows enterprises to segment their network, which protects the network from unauthorized roaming users and network attacks.


Virtual Systems can be used to establish virtual firewalls or VPNs that contain their own address book, policies, and management mechanism.

Effective uses of Virtual Systems include multiple network operations centers, physical departments,geographical regions, and customer environments.

The Juniper firewalls such as the Juniper Networks NetScreen-500, the NetScreen-ISG 1000 and 2000, the NetScreen-5200, and the NetScreen-5400 are capable of supporting up to 500 Virtual Systems.

70. Virtual Systems

Let's see how Virtual Systems operate.

Virtual Systems work as independent firewalls, giving an administrator the ability to define his own policy while preventing him from affecting any other Virtual System's policy.

This functionality uses a single Juniper security system to provide differentiated security services to each network segment.

For example, each Virtual System could represent a different customer, so a single hardware platform can provide security services for multiple customers in a data center. In a large enterprise where there is segmentation between departments, each Virtual System could represent a different department. Additionally, each Virtual System can be managed separately.

The end result is a solution with fewer physical firewalls and fewer administrative resources required to manage them, resulting in a lower TCO.

71. WebUI Administrative Tool

Next, we'll discuss one of the administrative tools offered by Juniper Networks.

The Juniper Networks firewall/VPN devices can be easily managed using a network-accessible graphical user interface called the WebUI. This interface requires minimal configuration and is password protected.

Opening a browser window on the PC and navigating to an IP address on the Juniper device will activate the WebUI.

All Juniper devices ship with a default IP address of 192.168.1.1, which is reachable via the Trust interface, the E1 interface, the E1/1 interface, or the dedicated management interface, depending on the platform. As long as this IP address is reachable, it is easy to navigate to the device and configure it.

However, changing the IP address of the interface you are connected through will drop the web session. Therefore, it is recommended to do the initial IP configuration via the console command line interface (CLI), and only then switch to the browser.
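The following is an added example of that initial console session in ScreenOS CLI syntax; it is not part of the course material or of Juniper's documentation. It assumes ethernet1 is the trust interface (named trust on a NetScreen-5GT), that administrators connect from 10.1.0.0/24, and that "secops" is the chosen admin name; those are assumptions. Beyond moving the address off the factory default, it restricts which hosts may reach the management services at all and turns off the clear-text ones, which is the part a security engineer wants done before the first browser login.

```screenos
# Added example: first console session, run before opening the WebUI.
# Assumed: ethernet1 = trust interface, management hosts in 10.1.0.0/24, admin "secops".
# "#" lines are annotations; strip them before pasting.

# move off the factory 192.168.1.1 (this is the step that would kill a browser session)
set interface ethernet1 ip 10.1.0.1/24

# replace the default credentials before the device is reachable by anyone else
set admin name secops
set admin password replace-with-a-long-passphrase

# only these hosts may open a management session, on any interface
set admin manager-ip 10.1.0.0 255.255.255.0

# management services on the trust interface: encrypted only
set interface ethernet1 manage ssl
set interface ethernet1 manage ssh
unset interface ethernet1 manage web
unset interface ethernet1 manage telnet
set ssh version v2
set ssh enable
# anyone who still types http:// gets bounced to https://
set admin http redirect

# idle administrative sessions expire after ten minutes
set admin auth timeout 10
save
```

After `save`, browse to https://10.1.0.1 from a host inside 10.1.0.0/24; the WebUI login will accept the secops account, and `get admin` at the CLI confirms the manager-ip restriction and the enabled services. Note the ordering: the manager-ip line is set while you are on the console precisely so that a mistake in it cannot lock you out of a remote session.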

72. WebUI Administrative Tool

We'll now take a quick look at the Initial Configuration Wizard.

The Initial Configuration Wizard is displayed instead of the login screen if the Juniper Networks NetScreen-5XP, NetScreen-5XT or NetScreen-5GT has no configuration saved in flash.

This wizard takes an administrator through a series of screens that define the operational mode, assign the root admin name and password, define the address and subnet mask for selected interfaces, and enable auxiliary services such as DNS.


73. WebUI Administrative Tool

The WebUI always opens to the Home screen. The page is organized with a navigation panel on the left and information or configuration panels on the right.

In the left panel, the "toggle menu" button enables the administrator to switch between DHTML and Java format when navigating between functions.

The Home screen presents a variety of key system information. Much of the status information is similar to what would be shown by a "get system" command at the CLI. In addition, the WebUI also shows administrator logins, system resource utilization, recent log events, and alarms.

Monitoring system events and system resources can be done conveniently from the Home screen, and the screen can be refreshed to show the most current status. The Home screen defaults to manual refresh, although refresh can be scheduled at intervals ranging from ten seconds to several minutes.

Navigation in the WebUI is simple. Clicking on a category title, or on the "+" associated with the category title, expands the category and reveals the sub-topics. Once a sub-topic has been selected, the right panel updates and displays the current settings or the available configuration options.

74. Section Summary

In this section you've learned about

• Embedded antivirus technology on the Juniper Networks NetScreen-5GT appliance.

• The Juniper Networks Deep Inspection solution and stateful signatures to protect the network from data-level attacks.

• Various routing protocols supported by the Juniper Networks firewall/VPN devices.

• Source-based and destination-based routing.

• Dynamic routing and how it works.

• Redundancy protocols such as NSRP and NSRP-Lite, and the high availability configurations.

• Virtual Systems and their operation, and

• The WebUI administrative tool to manage firewall/VPN devices.

75. Learning Activity #4 Question 1

76. Learning Activity #4 Question 2

77. Learning Activity #4 Question 3

78. Learning Activity #4 Question 4

79. Competitive Analysis

80. Section Objectives


In this section, we'll look at the Juniper Networks products as compared to those of its competitors.

After completing this section you'll be able to:

• State the advantages of the architecture of the Juniper Networks firewall/VPN devices, and

• Compare the product features of Juniper Networks devices with those of its competitors.

81. The Architecture

Let's start with the architecture of Juniper Networks firewall/VPN products.

Juniper Networks offers purpose-built hardware platforms. The performance and reliability of the security solutions are derived from a tightly integrated set of advanced hardware and software components.

The purpose-built hardware platform has been designed to perform computationally intensive security functions without compromising throughput. Juniper Networks is the first vendor to embed security functionality directly into an ASIC. The ASIC is one of the components that allow Juniper Networks to offer multi-gigabit VPN and stateful inspection firewall performance.

The ASIC is linked to a RISC CPU by a high-speed interface.

To control the hardware platform, Juniper created a real-time, security-specific operating system, ScreenOS, with a rich set of networking and reliability features.

This high performance architecture delivers several advantages. It eliminates OS hardening; facilitates network integration; ensures application interoperability; maximizes uptime; simplifies management; and finally, matches or exceeds the performance requirements of enterprises today.

82. The Architecture

Now let's take a look at the alternative solutions offered by Juniper Networks competitors, and their disadvantages.

First, we'll talk about the general purpose platform architecture. This architecture does not support an integrated networking platform and is often supported by multiple vendors. As a result, customers are forced to compromise on key issues like security, performance, and costs.

First and foremost, the platform is not hardened, and there is potential vulnerability due to the separationof security software and the underlying operating system. This requires regular patching. Additionally, thereare interoperability issues between the OS and the software. Furthermore, since the network integration is

done by the OS and not the software, it requires significant network re-engineering.The next critical issue is the performance. The platforms based on this architecture offer limitedfunctionality and have integration issues. In addition to this, the platforms are subject to performancedegradation under load or attack.

Another key concern area is manageability. This architecture lacks integrated management capability. As a result, configuring, managing and monitoring the platforms add to the complexity.

Finally, there are additional operational and support costs associated with this architecture. These factors result in a very high total cost of ownership.

83. The Architecture

Next, we'll take a look at another solution, which is based on a pseudo-appliance architecture.


The architecture supports pre-configured platforms with separate security applications and operating system. Although the OS and the software are provided by the same vendor, the device, system, and applications are managed separately. Additionally, this solution does not provide integrated firewall and VPN capabilities.

As a result, customers face several issues regarding security, performance, and costs. The security functionality is limited to Stateful firewall, Intrusion detection systems, and VPN.

In addition to this, the performance is platform dependent, so enterprises are forced to compromise networking capabilities under load. Furthermore, this solution lacks centralized management. As a result, there are higher management costs and ultimately a high total cost of ownership.

84. Juniper Networks – Advantages

Now, let's take a quick look at the specific advantages of the Juniper Networks firewall/VPN devices.

The Juniper Networks security devices:

• Integrate both firewall and VPN capabilities in a single solution.

• Support a purpose-built architecture with a specific operating system that is capable of performing computationally intensive security functions.

• Support Transparent mode of operation, which allows enterprises to deploy the devices without having to change the network.

• Support dynamic routing protocols and dynamic route based VPNs.

• Support Security Zones that divide the physical network into virtual sections, to establish various levels of trust.

• Effectively use antivirus solutions and Deep Inspection technologies to protect the network from different kinds of attacks.

• Deliver true attack prevention using IDP solutions to drop malicious traffic and connections during attacks.

85. Juniper Networks – Advantages

• Offer high availability to ensure maximum network availability with active/active and full-mesh configurations.

• Offer integrated traffic management capabilities for optimizing bandwidth.

• Offer robust high performance with low latency for time sensitive applications, and finally

• Can be effectively configured and managed using centralized management solutions, the Security Manager and the IDP Manager.

86. Feature Comparison

Now let's focus on specific product features of the Juniper Networks security products.

We'll compare the product features of key competitors including Cisco Systems, Nokia, SonicWALL, Fortinet, Symantec and WatchGuard.

87. Feature Comparison


Listed here are the Juniper Networks NetScreen security products. By clicking on each device, the corresponding competitive matrix will be displayed for you. You can always get the latest collateral, selling documents, and competitive information about Juniper Networks Security Products here: https://www.juniper.net/partners/partner_center/content/reseller/products/fw-vpn_advsec_kit.jsp

Click on each device to get the corresponding competitive matrix.

88. Feature Comparison – NetScreen 5GT

The Juniper Networks NetScreen-5GT is fully capable of securing a remote office, retail outlet, or a broadband telecommuter.

This matrix compares the NetScreen-5GT with products from competitors including Cisco, SonicWALL, Sofaware S-box, and WatchGuard.

Please note that the NetScreen-5GT supports embedded antivirus to help eliminate virus threats from the network, while the other products do not support this feature.

In addition to this, only the NetScreen-5GT and Cisco's PIX firewall support redundant VPN Gateways.

89. Feature Comparison – NetScreen 25

The Juniper Networks NetScreen-25 offers a complete security solution for enterprise branch and remote offices, as well as small and medium-size companies. The key competitors for this product are Cisco, Nokia, and SonicWALL.

The key difference is that the Juniper devices have the ability to run in Transparent mode, and they also support policy-based Network Address Translation, unlike the competitors.


91. Feature Comparison – NetScreen 208

The Juniper Networks NetScreen-204 and 208 are targeted at medium and large enterprise offices, e-business sites, data centers, and carrier infrastructure.

This product competes with the products of Cisco, Nokia, and SonicWALL.

The key differentiator is the ability of this product to run in Transparent mode, and its firewall performance is considerably higher.

The NetScreen-208 device increases the number of available ports from 4 to 8 and offers performance of up to 800 Mbps.

92. Feature Comparison – SSG 520 / 550


The Juniper Networks Secure Services Gateway 500 Series (SSG) represents a new class of purpose-built security appliance that delivers a perfect mix of high performance, security and LAN/WAN connectivity for regional and branch office deployments.

This product competes with Cisco, Nokia and Fortinet.

93. Feature Comparison – ISG 2000

The Juniper Networks Integrated Security Gateway, the NetScreen-ISG 1000 and 2000, is a purpose-built, high-performance system designed to deliver scalable network and application security for large enterprise, carrier, and data center networks. This product competes with Cisco, Fortinet, Symantec, and ISS.

Other than the NetScreen-ISG 2000 and Fortinet's FG4000, all the other products offer only lower firewall performance. In addition, these products offer Deep Inspection and IDP features for greater security.

94. Feature Comparison – NetScreen 5200

The Juniper Networks NetScreen-5000 Series is a line of purpose-built, high-performance security systems targeted at large enterprise, carrier, and data center networks.

The key competitors for this product are Cisco and Nokia.

As you can observe, there are significant performance differences between the Juniper product and the competitors. It also supports 1 million concurrent sessions and 25,000 concurrent VPN tunnels.

Furthermore, this product can run in Transparent mode and supports policy-based NAT.


95. Section Summary

In this section you've learned about

• The advantages of the architecture of the Juniper Networks firewall/VPN devices, and

• The product features of Juniper Networks devices as compared to those of its competitors.

96. Learning Activity #5 Question 1

97. Course Summary

98. Summary

We have now come to the end of this course on the Juniper Networks firewall/VPN System Engineering training.

Let’s summarize what we have covered in this course.

The Juniper Networks Firewall/VPN solutions use multiple layers of defense to provide networks with security. The Juniper Networks purpose-built hardware platform and security-specific operating system are geared for high performance. The Juniper Networks ScreenOS operates on and leverages the entire Juniper Networks product line.

Juniper Networks has Firewall/VPN solutions that meet every customer's needs: small organizations, medium-size companies, large organizations, carriers, and data center networks.

99. Summary


The Juniper Networks security devices can work in both Transparent and Layer 3 mode. Intelligent use of interfaces, zones, policies, virtual routers, and virtual systems increases network security, as do Stateful packet inspection and NAT.

100. Summary

We also covered advanced features of the Juniper Networks firewall/VPN devices.

Juniper Networks offers embedded antivirus on the NetScreen-5GT device, which scans traffic in-line with the Trend Micro scan engine.

The Juniper Networks security devices have dynamic routing capabilities to automatically understand the network configuration and find the best available path. This capability enables the devices to survive connection failures at all levels.

We discussed the Virtual Systems functionality offered by the Juniper Networks products, which facilitates network segmentation. It uses a single device to provide differentiated security services to each network segment.

The WebUI administrative tool can be used to manage the Juniper Networks firewall/VPN devices easily and effectively.

Finally, Juniper Networks offers purpose-built platforms which offer many benefits to its customers, whereas the general-purpose or pseudo-appliance architectures provided by the competitors have numerous disadvantages, which force their customers to compromise on security, performance, and costs.

We also compared the product features of the Juniper security devices with those of the competitors and found that the Juniper Networks devices are far superior in providing a high-performance, reliable, and secure connectivity solution.

101. Juniper's Virtual Lab

As you proceed through the certification process, take advantage of Juniper's Virtual Labs, which are available to you twenty-four hours a day, seven days a week.

The URL is shown on the slide, or click the button to visit Juniper Networks Virtual Lab.

Presently six lab setups are available: Router/Firewall, IDP, SSL VPN, DX, WX and UAC 2.0.

More labs are being created and deployed and will be available for your training and practice.

Each of these labs consists of at least one Juniper device and a PC to configure and test.

102. Evaluation and Survey

You have now reached the end of this Juniper eLearning module.

Take the practice exam to gauge your knowledge of the material covered in this course. After you've finished, the result will be displayed for you.

Also, please take a few moments to give us your feedback regarding this course by answering the survey questions.

103. Copyright © 2007


Copyright © 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered