Recommended Hardware Firewall
Overview
The Juniper Networks NetScreen hardware firewall is the recommended hardware firewall appliance for use at the University of Pennsylvania. The firewall appliance is a security tool that, when configured correctly, filters traffic between trusted zones (private networks) and untrusted zones (PennNet). A firewall allows or blocks network traffic between the trusted and the untrusted zone based on policies defined by the firewall administrator.
A number of schools and centers (School of Arts and Sciences, the Annenberg School, Facilities Services, Vice Provost for University Life, Law School) have successfully deployed various NetScreen hardware firewalls and have spoken highly of the appliance's reliability, effectiveness and ease of use, especially when deployed in a Layer 2 transparent mode.
There are a number of other hardware firewalls in use on campus, such as the Cisco PIX, Nokia IP350 and Check Point FireWall-1 NG. To read more about feedback on the different models of hardware firewall in use on campus, please visit the Hardware Firewall Evaluation - Fall 2004.
Juniper NetScreen Firewall Strength and Features
- Well-designed and well-constructed web-based administrator interface.
- Highly rated for its management capabilities and interface (Gartner).
- Same operating system used throughout the entire hardware firewall product line.
- Juniper ranked as a leader among Network Firewall vendors (Gartner).
- On campus knowledge and experience.
- Competitive pricing.
- Recommended appliance ships with:
  - Support for Layer 2 and Layer 3 operation modes.
  - High availability feature - Several firewalls can be linked, and a failover function can be used so that a second firewall takes over if the first one goes down.
  - WebAuth authentication - Users must enter a username/password before traffic is permitted through the firewall.
  - Policy scheduling - Enable or disable a policy based on time of day.
  - Attack prevention - Blocks DoS-type attacks and simple exploitation/buffer overflow attacks, and provides URL filtering.
  - Virtual Private Network (VPN) connections - Support for VPN tunnels.
  - Anti-virus application defense integration.
  - Deep Packet Inspection integration - A subset of the Deep Inspection functionality has been integrated into the firewall products. NetScreen offers a separate Deep Inspection appliance for network protection.
The table below lists the NetScreen firewall appliances that run on ScreenOS 5.x and that support Layer 2 and Layer 3 operations mode.
ScreenOS 6.x

| NetScreen Firewall | Interfaces | Maximum Throughput | Maximum Sessions | Maximum VPN Tunnels | Maximum Policies |
|---|---|---|---|---|---|
| SSG 5 | 7 ports 10/100 | 160 Mbps | 8,000/16,000 | 25/40 | 200 |
| SSG 140 | 8 ports 10/100, 2 ports 10/100/1000 | 300 Mbps | 48,000 | 150 | 1000 |
| SSG 520 | 4 ports 10/100/1000 | 600 Mbps | 64,000 | 500 | 1000 |
| SSG 550 | 4 ports 10/100/1000 | 1 Gbps | 128,000 | 1000 | 4000 |
Supported Modes of Operation

Layer 2 mode
- Transparent bridging: In this mode, the NetScreen firewall functions as a Layer 2 forwarding device (a transparent bridge), allowing quick deployment of the firewall appliance without changes to the existing network topology. Servers can continue to use public PennNet IP addresses.

Layer 3 mode
- Routing: In this mode, the NetScreen firewall functions as a Layer 3 router, and the administrator must manually configure a static routing table.
- Network Address Translation (NAT): In this mode, the appliance is configured so that internal addresses and port numbers are translated to the outbound public interface with a dynamically assigned port number. NAT can be configured as NAT-src or NAT-dst, with Mapped IP (MIP) and Virtual IP (VIP).
Best Practices for Deploying a Hardware Firewall
- Consider firewall design and implementation issues. Where will you place the firewall? Do you intend to create a large perimeter to protect all your servers and desktops?
- Don't rely only on the firewall for your domain security. It's essential to focus on properly configuring, securing, and patching your domain controllers, servers and desktops. Always secure your domain through Microsoft security configuration first, and then use a hardware firewall as another layer of security. Security in depth is recommended.
- Threats exist from all devices allowed through the firewall as well as from external sources. A firewall does not protect a server or desktops on the same side of the firewall, so it is critical that all workstations, printers or other network devices are properly secured and are up to date with operating system security and anti-virus patches.
- Secure and verify laptops and mobile devices. Be aware of the threats and vulnerabilities introduced by remote users' laptops that are brought in and connected on the trusted side of the firewall.
- Proper maintenance of the firewall is critical. The firewall operating system must be maintained at the latest release and patch level to address security vulnerabilities.
- Backup firewall configuration. Store a copy of the configuration file on an external device to facilitate restoration of the file in case of disaster.
- Enable traffic log monitoring. Use traffic logs to monitor session activities to verify the effectiveness of policies.
- When a firewall is used with a VLAN, a firewall administrator can establish a large secure perimeter around systems by limiting the flow of traffic. All network traffic between the private VLAN and PennNet is examined by the firewall to see if it meets criteria defined by policy. The criteria commonly used to allow or block traffic are IP addresses/ranges and the network ports that carry specific services.
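The policy criteria described above (zone pair, address ranges, service ports, together with the policy scheduling and traffic logging features listed earlier) as a small added model of ordered first-match evaluation with an implicit deny; this is illustrative Python written for this page, not NetScreen or ScreenOS code, and the zone names, subnets, hours and IP addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Policy:
    """One policy: zone pair, address/service criteria, action, optional schedule."""
    src_zone: str
    dst_zone: str
    src_net: str                          # CIDR; "0.0.0.0/0" means any source
    dst_net: str                          # CIDR; "0.0.0.0/0" means any destination
    dst_port: Optional[int]               # None means any service
    action: str                           # "permit" or "deny"
    hours: Optional[Tuple[int, int]] = None  # (start, stop) hour; None = always active
    log: bool = False                     # write a traffic-log entry on match

@dataclass
class Session:                            # a connection attempt as the firewall sees it
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    hour: int                             # hour of day (0-23) for schedule checks

def matches(p: Policy, s: Session) -> bool:
    """A policy applies only if zone pair, addresses, service and schedule all match."""
    in_schedule = p.hours is None or p.hours[0] <= s.hour < p.hours[1]
    return ((p.src_zone, p.dst_zone) == (s.src_zone, s.dst_zone)
            and ip_address(s.src_ip) in ip_network(p.src_net)
            and ip_address(s.dst_ip) in ip_network(p.dst_net)
            and p.dst_port in (None, s.dst_port)
            and in_schedule)

def evaluate(policies: List[Policy], s: Session, log: List[str]) -> str:
    """Ordered, first-match evaluation; unmatched traffic hits the implicit deny."""
    for n, p in enumerate(policies, start=1):
        if matches(p, s):
            if p.log:
                log.append(f"policy {n} {p.action} {s.src_ip}->{s.dst_ip}:{s.dst_port}")
            return p.action
    log.append(f"default deny {s.src_ip}->{s.dst_ip}:{s.dst_port}")
    return "deny"

# Constructed rule set: PennNet (Untrust) may reach one web server on port 80 during
# business hours only; the Trust subnet may initiate anything outbound; both are logged.
POLICIES = [
    Policy("Untrust", "Trust", "0.0.0.0/0", "10.0.0.10/32", 80, "permit", (8, 18), True),
    Policy("Trust", "Untrust", "10.0.0.0/24", "0.0.0.0/0", None, "permit", None, True),
]
```

Reviewing the collected log entries against the rule set is the check the "traffic log monitoring" practice above calls for: every default-deny line is either an expected block or a sign that a policy is missing or too narrow.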
OSI Model
The OSI, or Open System Interconnection, model defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, proceeding to the bottom layer, over the channel to the next station and back up the hierarchy. See Webopedia, the online dictionary, for an explanation of the 7 Layers of the OSI Model.
Related Resources