NetScreen Technologies Inc.'s newest firewall and VPN appliance, the NetScreen-500, packs a performance wallop into a small package. With up to four Gigabit Ethernet or up to eight Fast Ethernet interfaces, this box can handle loads up to 720M bit/sec. The VPN performance is fast, with speeds up to 238M bit/sec. And with a list price starting at US$25,000, the NetScreen-500 matches that performance with an aggressive price.
The NetScreen-500 fits nicely between the NetScreen-100 and NetScreen-1000 firewalls. With few significant differences in software functionality across the entire NetScreen firewall/VPN appliance line, the NetScreen-500 is primarily a price/performance package. It is well positioned as a mainstream, enterprise-sized firewall for NetScreen fans who need more power than the NetScreen-100 can deliver.
A major new feature introduced with the NetScreen-500 is interface flexibility. The 2U-high chassis has four slots. Each one can take either a single Gigabit Ethernet connection or dual 10/100 Fast Ethernet connections. Because the Gigabit Ethernet ports use Gigabit Interface Converter (GBIC) modules, you have the option of short-distance fiber, long-distance fiber, copper or even one of the proprietary long-distance GBIC connections.
In addition, the NetScreen-500 has a dedicated 10/100 Fast Ethernet port for management, as well as two 10/100 Fast Ethernet ports dedicated to high-availability synchronization. The high-availability ports let you run a pair of NetScreen-500s in a master/slave high-availability configuration. Although the firewall can have up to eight interfaces, the software to handle more than three of them (trusted, untrusted and demilitarized zone) won't be available until year-end. We tested the current release, Version 2.6.
A second new feature unfamiliar to users of the smaller NetScreen firewalls is virtual systems. Using 802.1Q virtual LAN (VLAN) tagging, the NetScreen-500 can simulate up to 25 separately managed firewalls. All the packets share the same physical firewall interface, but pairing the NetScreen-500 with a VLAN switch lets you assign individual VLANs to different address spaces and security zones. The virtual system feature turns one trusted physical interface into 25 virtual interfaces, each with its own IP address and subnet mask. Each virtual system also has its own management username and password and its own firewall rule set.
For example, a large company might use this feature to let different groups independently manage the firewall rules for their own servers.
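The following is an added illustration of the mechanism the two paragraphs above describe, not NetScreen's code: one physical trusted port receives 802.1Q-tagged frames, the 12-bit VLAN ID in the tag selects which virtual system's rule set is consulted, and each virtual system ends in its own implicit deny. The frame builder, the two team names, the VLAN IDs and the addresses are all constructed for the example; only IPv4 over TCP/UDP is modelled.

```python
"""Toy model of how 802.1Q tags turn one trusted interface into separately
policed virtual firewalls (added illustration, not NetScreen's code)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

TPID_8021Q = 0x8100     # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: int          # IP protocol number
    dport: int          # destination port
    action: str         # "permit" or "deny"


@dataclass
class VirtualSystem:
    name: str
    rules: list         # first match wins; no match falls through to deny


def build_frame(vid, src_ip, dst_ip, proto, dport):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame, tagged when vid is
    not None (constructed test input with hypothetical addresses)."""
    eth = bytes.fromhex("020000000002" "020000000001")          # dst MAC, src MAC
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    l4 = struct.pack("!HH", 40000, dport)
    l4 += b"\x00" * (16 if proto == PROTO_TCP else 4)            # pad to header size
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def parse_frame(frame):
    """Return (vid, src, dst, proto, dport); vid is None for an untagged frame."""
    ethertype, off, vid = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18                                # low 12 bits of the TCI
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is modelled here")
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = ip_address(frame[off + 12:off + 16])
    dst = ip_address(frame[off + 16:off + 20])
    dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        dport = struct.unpack("!H", frame[off + ihl + 2:off + ihl + 4])[0]
    return vid, src, dst, proto, dport


class VirtualSystemFirewall:
    """One physical trusted port; the VLAN ID selects whose rule set applies."""

    def __init__(self):
        self.vsys_by_vid = {}

    def add_vsys(self, vid, vsys):
        self.vsys_by_vid[vid] = vsys

    def decide(self, frame):
        vid, src, dst, proto, dport = parse_frame(frame)
        vsys = self.vsys_by_vid.get(vid)
        if vsys is None:
            return ("none", "deny")   # untagged or unassigned VLAN: no owner, drop it
        for rule in vsys.rules:
            if (src in rule.src and dst in rule.dst
                    and rule.proto == proto and rule.dport == dport):
                return (vsys.name, rule.action)
        return (vsys.name, "deny")    # each vsys has its own implicit deny


# Two groups, each managing its own rule set on its own VLAN (hypothetical).
fw = VirtualSystemFirewall()
fw.add_vsys(10, VirtualSystem("web-team", [
    Rule(ip_network("0.0.0.0/0"), ip_network("10.10.0.0/24"), PROTO_TCP, 80, "permit"),
]))
fw.add_vsys(20, VirtualSystem("db-team", [
    Rule(ip_network("10.20.1.0/24"), ip_network("10.20.0.5/32"), PROTO_TCP, 1433, "permit"),
]))


def demo():
    """Same destination, different VLAN: the policy that applies changes."""
    return {
        "web_vlan_http": fw.decide(build_frame(10, "192.0.2.7", "10.10.0.10", PROTO_TCP, 80)),
        "db_vlan_http":  fw.decide(build_frame(20, "192.0.2.7", "10.10.0.10", PROTO_TCP, 80)),
        "db_vlan_sql":   fw.decide(build_frame(20, "10.20.1.9", "10.20.0.5", PROTO_TCP, 1433)),
        "untagged_http": fw.decide(build_frame(None, "192.0.2.7", "10.10.0.10", PROTO_TCP, 80)),
        "unknown_vlan":  fw.decide(build_frame(30, "192.0.2.7", "10.10.0.10", PROTO_TCP, 80)),
    }


if __name__ == "__main__":
    for case, (vsys, action) in demo().items():
        print(f"{case:14s} -> {vsys:8s} {action}")
```

The two "deny" cases for untagged and unassigned VLAN IDs are the check worth keeping in mind with any tag-based separation: the virtual systems are only as isolated as the switch's tagging, so the trunk into the firewall must carry tags the switch applied, not tags a host on an access port chose for itself.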
The NetScreen-500's Web-based graphical user interface (GUI) and command-line interface will be familiar to anyone who has used another NetScreen firewall. The Web interface is also the product's biggest weak spot: serious, die-hard security types won't be happy with its fuzzy "trust me" philosophy, and anyone who has to manage more than a couple of dozen rules and system groups will find it difficult to handle.
NetScreen's Web interface continues to walk a fine line between ease of use and extreme flexibility. That said, most enterprise security managers will find its level of detail about right.
Firewall performance should be sufficient for most enterprise networks and many hosting centers. In our tests with large packets (the easiest test), the NetScreen-500 screamed in at more than 720M bit/sec, even with 20,000 simultaneous sessions. With a more typical Internet packet mix, we saw loss-free throughput of 100 to 150M bit/sec, depending on the number of sessions (between 20 and 20,000). Speed wasn't dependent on logging: we got almost identical results with logging turned on or off.
The NetScreen-500 also has the strength to set up and tear down those sessions. We could drive up to 13,000 TCP connections per second through the NetScreen-500, pushing it to 100,000 simultaneous open connections before tearing them down.
Combining throughput with session establishment lowers the performance numbers, but the NetScreen-500 should still be fast enough to handle a full-speed DS3 circuit (45M bit/sec in each direction, or 90M bit/sec total). When we combined the throughput and session-establishment benchmarks to stress the firewall as much as possible, it still did quite well.
On the VPN side, the NetScreen-500 is a high-performance central-site device for a hub-and-spoke site-to-site network. Although NetScreen didn't make any improvements in its remote access support, the site-to-site IP Security (IPSec) implementation is easy to configure and offers excellent price/performance. With large packets, we saw point-to-point encryption speeds of about 238M bit/sec. With a more typical Internet mix, the NetScreen-500 held a respectable 100M bit/sec IPSec encryption speed.
Final analysis
Is the NetScreen-500 your next firewall? If you need the speed, you've only got a few choices. Cisco's PIX 535 offers much higher firewall performance with lower VPN speeds at a slightly higher price, but Cisco's command-line interface is a far cry from NetScreen's Web GUI. The NetScreen-500 isn't the right box to protect a hosting center with multiple OC-3 lines, but its virtual system capability does make it an intriguing option there: one NetScreen-500 can stand in for up to two dozen separately managed firewalls, at a per-firewall price that lets you assign a different "virtual" firewall to every application server.
The NetScreen-500's biggest weak spot is the Web GUI. On the other hand, the NetScreen-500's bridge mode, in which the firewall sits invisibly between the trusted and untrusted networks without addresses of its own, gives it unparalleled flexibility. You can slip a firewall in and no one will notice, except the bad guys.
NetScreen's breadth of product line should also put the company on the short list for any firewall evaluation. The ability to scale from the small office/home office-sized NetScreen-5 up to the NetScreen-1000 makes it an attractive supplier: buy a unit, and if you like it, you can get more in many sizes.
HOW WE DID IT
Testing gigabit firewalls isn't easy, so we turned to Spirent Communications for a SmartBits 2000 with 20 Fast Ethernet ports. We used Extreme Networks' Summit 48 switches to aggregate 10 ports of Fast Ethernet into each Gigabit port on the NetScreen-500. From there, we used Spirent's SmartFlow and SmartTCP applications to generate User Datagram Protocol (UDP) streams and TCP connections.
For our "Internet packet size mix" profile, we used data collected from an Internet backbone to build a profile of approximately 50 percent small packets (96 octets or less), 10 percent large packets (1,518 octets, the Ethernet maximum transmission unit), 20 percent 576 octets (a common WAN maximum transmission unit), and 20 percent assorted between 192 and 1,024 octets.
We set up 20, 2,000 and then 20,000 sessions with Spirent's SmartFlow through the NetScreen-500, using UDP as the transport protocol, and measured loss rates. When loss went above 0.1 percent, we decided that the NetScreen had run out of steam and took the next lower bandwidth measure as total throughput capability.
We tested throughput in two ways. For the statistics reported as "throughput," we set up a "pretest" that established the sessions before starting the high load. For the "combination" tests, we cleared out all sessions and made the NetScreen-500 absorb not only a high data transfer load but also a high session establishment load.
We also used Spirent's SmartTCP software to test connection establishment and tear-down rates using TCP. We increased the rate of connection setup and tear-down until we had a loss rate above 0.1 percent.
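As an added worked example (not the review's own tooling), the block below puts numbers on two parts of the procedure above: what the packet-size mix means in frames per second, and the "next lower bandwidth below 0.1 percent loss" rule used to settle on a throughput figure. The review only gives the bucket boundaries, so the size chosen to represent each bucket is an assumption, and the loss table is a constructed stand-in for SmartFlow measurements, not data from the test.

```python
"""Packet-size-mix arithmetic and the loss-threshold throughput search from the
test procedure (added example, not the review's own tooling; the loss figures
are constructed stand-ins for SmartFlow measurements)."""

LOSS_THRESHOLD = 0.001  # the review's cut-off: 0.1 percent frame loss

# The review's "Internet packet size mix". The size chosen to represent each
# bucket is an assumption; the review only gives the bucket boundaries.
INTERNET_MIX = [  # (share of frames, frame size in octets)
    (0.50, 64),    # "96 octets or less": assume minimum-size 64-octet frames
    (0.10, 1518),  # Ethernet MTU-sized frames
    (0.20, 576),   # common WAN MTU
    (0.20, 608),   # "192 to 1,024 octets": assume the midpoint
]
LARGE_ONLY = [(1.0, 1518)]  # the "easiest test": all maximum-size frames


def mean_frame_size(mix):
    """Weighted mean frame size in octets for a (share, size) mix."""
    assert abs(sum(share for share, _ in mix) - 1.0) < 1e-9, "shares must sum to 1"
    return sum(share * size for share, size in mix)


def frames_per_second(mbit_per_sec, mix):
    """Frame rate implied by a bit rate for a given mix.

    Counts frame octets only (no preamble or inter-frame gap), matching the
    way the M bit/sec figures in the review are presented.
    """
    return mbit_per_sec * 1e6 / (8 * mean_frame_size(mix))


def throughput_at_threshold(offered_mbit, measure_loss, threshold=LOSS_THRESHOLD):
    """Reproduce the review's rule: step the offered load upward and report the
    last rate whose loss stayed at or below the threshold.

    measure_loss(rate) returns the fraction of frames lost at that offered rate.
    The search stops at the first failing step rather than continuing, because
    loss under overload need not be monotonic and a later 'pass' would be noise.
    """
    passed = 0.0
    for rate in sorted(offered_mbit):
        if measure_loss(rate) > threshold:
            break
        passed = rate
    return passed


# Constructed loss table standing in for the SmartFlow measurements (not data
# from the review): offered M bit/sec -> fraction of frames lost.
CONSTRUCTED_LOSS = {100: 0.0, 125: 0.0002, 150: 0.0009, 175: 0.004, 200: 0.03}


def compare_frame_rates():
    """Frames/sec behind the review's two headline numbers: 720M bit/sec with
    large frames versus 150M bit/sec with the Internet mix."""
    return {
        "large_720": frames_per_second(720, LARGE_ONLY),
        "mix_150": frames_per_second(150, INTERNET_MIX),
    }


if __name__ == "__main__":
    rates = compare_frame_rates()
    print(f"mean mix frame size: {mean_frame_size(INTERNET_MIX):.1f} octets")
    print(f"720M bit/sec, large frames: {rates['large_720']:,.0f} frames/sec")
    print(f"150M bit/sec, Internet mix: {rates['mix_150']:,.0f} frames/sec")
    print("throughput at 0.1% loss:",
          throughput_at_threshold(CONSTRUCTED_LOSS, CONSTRUCTED_LOSS.__getitem__),
          "M bit/sec")
```

With the assumed representative sizes the mix averages about 421 octets per frame, so 150M bit/sec of mixed traffic is roughly 44,600 frames/sec against roughly 59,300 frames/sec for 720M bit/sec of 1,518-octet frames. Read in frames per second rather than bits per second, the two headline numbers are much closer together, which is the usual reason a firewall's "typical mix" figure sits so far below its large-packet figure: the cost per packet, not the cost per byte, is what limits it. The step-down rule also means the reported figure is only as fine-grained as the load steps you offered.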
For VPN testing, we used a combination of eight Nokia CC2500 VPN gateways and Alcatel 7137 VPN gateways, with a total combined throughput of 520M bit/sec. These systems established a small number of security associations to encrypt/decrypt IP Security Triple-DES traffic to the NetScreen-500. We used the same SmartBits setup as in the previous test, but with 16 Fast Ethernet ports instead of 20.