NetScreen firewall: Five-star security

Juniper's product and service has Roger proclaiming 'I will never use another vendor’s firewall'

I’ve been using and configuring firewalls for 10-plus years -- perimeter, software, hardware, Windows, Linux, and BSD variants. Until recently, I’ve never had occasion to try or use a Juniper Networks NetScreen firewall, although it always gets good reports on security mail lists. I’ve used many similar firewalls, and found little difference among vendors or their products. But after one experience with the NetScreen, I’ll never use another vendor’s firewall. Let me tell you why.

It starts with an excellent, versatile product. I was installing the NetScreen-5GT model. At first glance, it looks like the typical firewall with VPN and UTM (unified threat management) capabilities. UTM comes with a moderate amount of built-in protocol anomaly detection events (LAND, Tear drop, SYN flood, and others); Anti-Virus, Anti-Adware, Anti-Phishing, Anti-Spam, and Web Filtering are additional optional features. You can also create custom “attack” filters and determine whether to log or drop recognized malicious traffic. Most firewalls’ threat detection routines are hard coded and can’t be expanded.

You connect to and configure the NetScreen-5GT using a Web interface (HTTP or HTTPS), serially, or using SSH or Telnet. You can change the default listening ports for any of those (except the serial interface), something I have strongly advocated for years. When using HTTPS or SSH, you can even choose among various ciphers.

NetScreen’s customization is buttressed by the allowed versatility of the five Ethernet ports. They can be configured a variety of ways, including the normal trust versus untrust zones mode. Multiple security zones can be created using any combination of the five ports -- a distinction from many other firewalls that only allow three security zones (such as internal, DMZ, and external) to be created. In the NetScreen, you can create additional security zones (as many as six in the 5GT model), call them whatever you want, include the networks and machines you want, and define at either OSI layer 2 or 3.

After that's done, you define the zone polices and enforce how traffic is treated between zones. NetScreen’s firewall rules options contain most of the common settings you can find in any perimeter firewall, with three minor improvements. First, if you avoid the helpful wizard feature, you can set and view the entire rule on one screen. Most firewalls have multiple screens to wade through to define even just one rule. It’s nice to be able to see all the settings in one place, including whether logging is turned on or off, and whether to include a software proxy and deep packet inspection.

Second, NetScreen allows you to define source ports, if that is ever needed. Many firewalls only allow destination ports to be monitored.

The third improvement, and one that every firewall vendor needs to figure out how to emulate, is that any firewall rule can be enabled or disabled immediately with a single mouse click. No need to wait impatiently for a screen update or to recompile or reboot the firewall service; just select or unselect the checkbox preceding the rule and the action applies immediately.

I’m used to firewalls that take 10 to 15 seconds or longer between every rule change. I have always assumed whatever the firewall was doing while the hourglass cursor displayed was necessary to make the firewall process traffic faster. The NetScreen proves this is not so.

Rules can be scheduled to apply only during certain days of the week or minutes of the day. You can even create one-time rules. That’s great for allowing something like a one time FTP file transfer without worrying about whether you would remember to delete the rule after the FTP transfer was completed.

Of course, increased versatility and functionality comes at a price. The NetScreen installation isn’t easy enough to do without a little reading. I’ve been able to install many firewalls without ever touching them -- this isn’t one of them.

The NetScreen product, however, comes with hundreds of pages of documentation located on the Web site or the included CD-ROM. The documentation includes incredible amounts of useful information, summarizing each feature before getting into the details. It includes lots of steps, examples, and pictures.

The configuration examples are what really bring the learning together, and are usually missing in other vendor’s instructions. The NetScreen’s documentation is simply the best documentation I’ve ever seen for any computer product, period.

But what will make me a customer for life (if it doesn’t change), is the fact that each technical support call (remember, I’m new to this firewall so I made a handful of calls over a period of days because of an overly complicated network environment) resulted in contact with an intelligent, cheerful, easy-to-understand technical support person in one to five minutes. No communication problems, no long waits on complicated phone menu trees. It’s human and not outsourced to the cheapest provider.

Dell, Microsoft, and every Juniper competitor: Are you listening?

Does the NetScreen appliance have room for improvement? Sure. I’m not thrilled with the anti-spam solution chosen for UTM. Policies for NAT and port address translation to internally hosted servers could be easier to set up. I don’t like how individual IP addresses have to be specifically identified with the /32 CIDR mask (it's confusing to first-time installers). Nothing’s perfect, but this solution and its vendor come close.

So, in summary, the NetScreen firewall is an excellent, versatile product. It has the best documentation of any computer product I’ve ever worked with, and Juniper offers quick, easy-to-understand, human, technical support in minutes.

I will never use another perimeter firewall product!