NetScreen firewall: Five-star security

I’ve been using and configuring firewalls for 10-plus years -- perimeter, software, hardware, Windows, Linux, and BSD variants. Until recently, I’ve never had occasion to try or use a Juniper Networks NetScreen firewall, although it always gets good reports on security mail lists. I’ve used many similar firewalls, and found little difference among vendors or their products. But after one experience with the NetScreen, I’ll never use another vendor’s firewall. Let me tell you why.

It starts with an excellent, versatile product. I was installing the NetScreen-5GT model. At first glance, it looks like the typical firewall with VPN and UTM (unified threat management) capabilities. UTM comes with a moderate amount of built-in protocol anomaly detection events (LAND, Tear drop, SYN flood, and others); Anti-Virus, Anti-Adware, Anti-Phishing, Anti-Spam, and Web Filtering are additional optional features. You can also create custom “attack” filters and determine whether to log or drop recognized malicious traffic. Most firewalls’ threat detection routines are hard coded and can’t be expanded.

You connect to and configure the NetScreen-5GT using a Web interface (HTTP or HTTPS), serially, or using SSH or Telnet. You can change the default listening ports for any of those (except the serial interface), something I have strongly advocated for years. When using HTTPS or SSH, you can even choose among various ciphers.

NetScreen’s customization is buttressed by the allowed versatility of the five Ethernet ports. They can be configured a variety of ways, including the normal trust versus untrust zones mode. Multiple security zones can be created using any combination of the five ports -- a distinction from many other firewalls that only allow three security zones (such as internal, DMZ, and external) to be created. In the NetScreen, you can create additional security zones (as many as six in the 5GT model), call them whatever you want, include the networks and machines you want, and define at either OSI layer 2 or 3.

After that's done, you define the zone polices and enforce how traffic is treated between zones. NetScreen’s firewall rules options contain most of the common settings you can find in any perimeter firewall, with three minor improvements. First, if you avoid the helpful wizard feature, you can set and view the entire rule on one screen. Most firewalls have multiple screens to wade through to define even just one rule. It’s nice to be able to see all the settings in one place, including whether logging is turned on or off, and whether to include a software proxy and deep packet inspection.

Second, NetScreen allows you to define source ports, if that is ever needed. Many firewalls only allow destination ports to be monitored.

The third improvement, and one that every firewall vendor needs to figure out how to emulate, is that any firewall rule can be enabled or disabled immediately with a single mouse click. No need to wait impatiently for a screen update or to recompile or reboot the firewall service; just select or unselect the checkbox preceding the rule and the action applies immediately.

I’m used to firewalls that take 10 to 15 seconds or longer between every rule change. I have always assumed whatever the firewall was doing while the hourglass cursor displayed was necessary to make the firewall process traffic faster. The NetScreen proves this is not so.