Review: NetScreen-500 firewall/VPN appliance
NetScreen-500 firewall/VPN appliance packs a price/performance punch.
NetScreen's newest firewall and VPN appliance, the NetScreen-500, packs a performance wallop into a small package. With up to four Gigabit Ethernet or up to eight Fast Ethernet interfaces, this box can handle loads up to 720M bit/sec. The VPN performance is fast, with speeds up to 238M bit/sec. And with a list price starting at $25,000, the NetScreen-500 matches that performance with an aggressive price.
The NetScreen-500 fits nicely between the NetScreen-100 and NetScreen-1000 firewalls. With few significant differences in software functionality across the entire NetScreen firewall/VPN appliance line, the NetScreen-500 is primarily a price/performance package. It is well positioned as a mainstream, enterprise-sized firewall for NetScreen fans that need more power than the NetScreen-100 can deliver.
A major new feature introduced with the NetScreen-500 is interface flexibility. The 2U-high chassis has four slots. Each one can take either a single Gigabit Ethernet connection or dual 10/100 Fast Ethernet connections. Because the Gigabit Ethernet ports are Gigabit Interface Card-based, you have the option of short-distance fiber, long-distance fiber, copper or even one of the proprietary long-distance GBIC connections.
In addition, the NetScreen-500 has a dedicated 10/100 Fast Ethernet port for management, as well as two 10/100 Fast Ethernet ports dedicated to high-availability synchronization. The high-availability ports let you run a pair of NetScreen-500s in a master/slave high-availability configuration. Although the firewall can have up to eight interfaces, the software to handle more than three (trusted, untrusted and demilitarized zone) won't be available until year-end. We tested the current release, Version 2.6.
A second new feature unfamiliar to users of the smaller NetScreen firewalls is virtual systems. Using 802.1Q virtual LAN (VLAN) tagging, the NetScreen-500 can simulate up to 25 separately managed firewalls. Although all the packets share the same physical firewall interface, combining the NetScreen-500 with a VLAN switch lets you assign individual VLANs to different address spaces and security zones. The virtual system feature turns one trusted physical interface into 25 virtual interfaces, each with its own IP address and subnet mask. Each virtual interface has its own management username and password, and its own firewall rule set.
For example, a large company might use this feature to let different groups independently manage the firewall rules for their own servers.
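To make the virtual-system idea concrete, the following added example (not NetScreen code; the frame layout, VLAN numbers, addresses and rule tables are constructed for illustration and do not reflect ScreenOS internals) shows the mechanism the review describes: a tagged frame arrives on one physical port, the 802.1Q VLAN ID selects which virtual system owns it, and only that system's rule set is consulted. The `VSYS_TABLE`, `Rule` and `VirtualSystem` names are hypothetical.

```python
"""Added illustration: 802.1Q VLAN tag -> virtual firewall rule set dispatch.

Constructed example, not vendor code. Frames are built by hand with a zero
IP checksum so the example runs offline without a network stack.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple

ETH_P_8021Q = 0x8100   # TPID announcing an 802.1Q tag
ETH_P_IP = 0x0800      # IPv4 ethertype


@dataclass
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int]   # None matches any port
    action: str               # "permit" or "deny"


@dataclass
class VirtualSystem:
    name: str
    admin: str                # each vsys has its own management account
    rules: List[Rule]
    default_action: str = "deny"


# Hypothetical table: VLAN ID -> the virtual system that owns that VLAN.
VSYS_TABLE = {
    10: VirtualSystem("web-group", "web-admin",
                      [Rule(ip_network("0.0.0.0/0"), ip_network("10.10.0.0/24"), 443, "permit")]),
    20: VirtualSystem("mail-group", "mail-admin",
                      [Rule(ip_network("0.0.0.0/0"), ip_network("10.20.0.0/24"), 25, "permit")]),
}


def parse_tagged_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id, ethertype, payload); vlan_id is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF          # low 12 bits of the TCI; PCP/DEI are ignored here
        return vid, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def parse_ipv4(payload: bytes) -> Tuple[IPv4Address, IPv4Address, int, Optional[int]]:
    """Return (src, dst, protocol, dst_port) from an IPv4 packet; port only for TCP/UDP."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (payload[0] & 0x0F) * 4
    proto = payload[9]
    src, dst = IPv4Address(payload[12:16]), IPv4Address(payload[16:20])
    dst_port = None
    if proto in (6, 17) and len(payload) >= ihl + 4:
        dst_port = struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dst_port


def evaluate(frame: bytes, vsys_table=VSYS_TABLE) -> Tuple[str, str]:
    """Dispatch a frame to the vsys owning its VLAN and apply only that vsys's rules."""
    vid, ethertype, payload = parse_tagged_frame(frame)
    if vid is None or vid not in vsys_table:
        return ("none", "deny")          # untagged or unclaimed VLAN: nobody owns it
    vsys = vsys_table[vid]
    if ethertype != ETH_P_IP:
        return (vsys.name, "deny")       # non-IP traffic is outside this example's rules
    src, dst, _proto, dport = parse_ipv4(payload)
    for rule in vsys.rules:
        if src in rule.src and dst in rule.dst and rule.dst_port in (None, dport):
            return (vsys.name, rule.action)
    return (vsys.name, vsys.default_action)


def build_frame(vid: Optional[int], src: str, dst: str, dport: int, proto: int = 6) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame, tagged when vid is given."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    tag = struct.pack("!H", ETH_P_IP) if vid is None else struct.pack("!HHH", ETH_P_8021Q, vid & 0x0FFF, ETH_P_IP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 16
    return eth + tag + ip_hdr + l4


if __name__ == "__main__":
    for vid, dst, port in [(10, "10.10.0.5", 443), (10, "10.20.0.9", 25), (20, "10.20.0.9", 25), (None, "10.10.0.5", 443)]:
        print(vid, dst, port, "->", evaluate(build_frame(vid, "198.51.100.7", dst, port)))
```

The point the example makes is the isolation boundary: a frame tagged for VLAN 10 is judged only by the web group's rules, so even traffic addressed to the mail group's servers is denied there, and an untagged or unknown-VLAN frame is owned by no virtual system at all.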
The NetScreen-500's Web-based graphical user interface (GUI) and command-line interface will be familiar to anyone who has used any other NetScreen firewall before. However, the biggest weak spot is the Web-based interface. Serious die-hard security types won't be happy with the fuzzy "trust me" philosophy of the GUI, while anyone who has to manage more than a couple of dozen rules and system groups will find the Web interface difficult to handle.
NetScreen's Web interface continues to walk a fine line between ease-of-use and extreme flexibility. However, in the enterprise, most security managers will find the level of detail about right.
Firewall performance should be sufficient for most enterprise networks and many hosting centers. In our tests, with large packets (the easiest test), the NetScreen-500 screamed in at more than 720M bit/sec, even with 20,000 simultaneous sessions. But in a more typical Internet packet mix, we saw speeds of 100M to 150M bit/sec, depending on the number of sessions (between 20 and 20,000). Speed wasn't dependent on logging: we got almost identical results whether logging was turned on or off.
The NetScreen-500 also has the strength to set up and tear down those sessions. We could drive up to 13,000 TCP connections per second through the NetScreen-500, pushing it to 100,000 simultaneous open connections before tearing them down.
Combining throughput with session establishment will drop performance numbers, but the speed of the NetScreen-500 should be sufficient to handle a full-speed DS3 circuit - 45M bit/sec full duplex or 90M bit/sec total throughput. When we combined throughput and session establishment benchmarks to stress the firewall as much as possible, it still did quite well.
On the VPN side, the NetScreen-500 is a high-performance central-site device in a hub-and-spoke site-to-site network. Although NetScreen didn't make any improvements in its remote access support, the site-to-site IP Security implementation is easy to configure and offers excellent price/performance. With large packets, we saw point-to-point encryption speeds of about 238M bit/sec. With a more typical Internet mix, the NetScreen-500 sustained a respectable 100M bit/sec IPSec encryption speed.
Final analysis
Is the NetScreen-500 your next firewall? If you need the speed, you've only got a few choices. Cisco's PIX 535 offers much higher firewall performance with lower VPN speeds at a slightly higher price, but Cisco's command-line interface is a far cry from NetScreen's Web GUI. The NetScreen-500 isn't right to protect a hosting center with multiple OC-3 lines, but its virtual system capability does make it an intriguing option. The NetScreen-500 can replace literally two dozen other firewalls, with a per-firewall price that lets you assign a different "virtual" firewall to every application server.
The NetScreen-500's biggest weak spot is the Web GUI. On the other hand, the NetScreen-500's bridge mode, in which the firewall sits invisibly between the trusted and untrusted networks, gives it unparalleled flexibility. You can slip a firewall in and no one will notice - except the bad guys.
NetScreen's breadth of product line should also short-list them for any firewall evaluation. The ability to scale from the small office/home office-sized NetScreen-5 up to the NetScreen-1000 makes them an attractive supplier: buy a unit, and if you like it, you can get more in many sizes.
Snyder is a senior partner at Opus One, in Tucson, Ariz., specializing in messaging and security products. He can be reached at joel.snyder@opus1.com.
