
NetScreen

NetScreen Confidential

Agenda

• NetScreen Background & Market Trends
• NetScreen Security Basics
• Applications for the Enterprise
• Security Management for the Enterprise
• Purpose built vs. general purpose solutions
• Appendix: Service & Support


About NetScreen

• Founded October 1997
• Leading maker of ASIC-based integrated security solutions
– Firewall, VPN and traffic management
• Fast growing revenue
– $40 million in calendar 2000
– $8 million in calendar 1999
• Primary markets: Internet data centers, service providers and enterprises
• Employees: > 270
• Pre-IPO: $53 million VC investment
– Sequoia, Spectrum, Juniper, Ericsson, WorldCom
• Based in Sunnyvale, Calif. USA
– Other offices in Boston, UK, Hong Kong, Beijing


NetScreen’s Security Solutions

Integrated security systems and appliances
– ICSA certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI and NAT acceleration
– 1Gbps, 700Mbps, (250Mbps), 100Mbps & 10-Mbps hardware firewall and 3DES IPSEC VPN devices
– ScreenOS security software – custom OS

High availability
– Solid state, redundant hardware, HA topologies
– Protect against DoS attacks (8 to 10 times faster than software solutions)

Powerful management
– WebUI, CLI for easy installation and management
– Carrier-class central management

Product line diagram: NetScreen Security Systems (NetScreen-500, NetScreen-1000); NetScreen Security Mgmt & Client (Global PRO / Global Manager, NetScreen-Remote); NetScreen Security Appliances (NetScreen-5, NetScreen-10, NetScreen-100)


Security Market Growth

• Firewall and VPN markets in rapid-growth stage
– Hardware predominant platform for firewalls and VPNs
• Key drivers
– Need to protect Internet links and encrypt data
– Enterprises looking to outsource or out-task some element of security

Chart: Worldwide Market Growth (Infonetics Research 2000), $0 to $6 billions, 2000 to 2004, Firewall vs. Dedicated VPN hardware


Enterprise Security Trends

• Security breaches have a huge economic impact on business

• Branch and telecommuter networks tying into corporate via VPNs

• Bandwidth requirements in the corporate LAN and WAN environments

• The need for a holistic approach to security

• Lack of skilled IT workers


NetScreen’s Enterprise Security Solutions

• Full suite of products for complete deployment in the enterprise network
– NetScreen-5 & -10 for remote offices and telecommuters
– NetScreen-100 & -500 for corporate headquarters
• Centralized management of all NetScreen appliances and systems
– Control security for multi-site device deployments from one location
• Security solutions that don’t impede network performance
– Firewall & VPN at wire speed
• Integrated solution – firewall, VPN and traffic management – to address security and bandwidth requirements
– No need to manage multiple vendors
• Multi-customer/department architecture
– 25 virtual systems (VSYS) with the NetScreen-500


NetScreen’s Solutions for the High-Performance Security Market

Enterprise Networks
• Enterprise central site and broadband remote access
• Small- to medium enterprises

Internet data centers
• E-businesses
• Web hosts, ASPs, colocation facilities

Service provider networks
• MAN, BLEC, MTU
• ISP, DSL providers

Managed Security Service Providers
• Integrating security solutions for Internet data centers, service providers and enterprises of all sizes


NetScreen Security Basics

• Dedicated OS
– No hardening of the OS required
– More efficient than a general purpose OS
• Stateful Packet Inspection Firewall
– A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions.
– Allow a particular type of traffic “in” only as a response to an “outgoing” session
– NetScreen ASIC accelerates the process
• IPSec 3DES VPN
– 3DES has become the encryption industry standard
– NetScreen appliances come standard with 3DES
– NetScreen ASIC accelerates the process
• Virtual Systems
– Unique policy, address book and management
– Firewall and VPN configured per virtual system
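A constructed model of the stateful-inspection behaviour described in the bullets above (an added example, not ScreenOS code): outbound packets from the trusted side create TCP sessions or UDP "pseudo" sessions in a table, and inbound packets are permitted only when they match an existing entry. The timeouts, addresses and ports are assumed values chosen for the illustration.

```python
# Model of a stateful inspection session table (constructed example; not
# ScreenOS code). Outbound packets from the trusted side create sessions;
# inbound packets are permitted only as responses to an existing session.
from dataclasses import dataclass

TCP_SESSION_TIMEOUT = 1800        # seconds; assumed values, not vendor defaults
UDP_PSEUDO_SESSION_TIMEOUT = 60   # UDP has no handshake, so a short idle timer


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "out" = trusted -> untrusted, "in" = the reverse
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "R"


class StatefulFilter:
    """Single-rule 'allow outbound' firewall with a session table."""

    def __init__(self):
        self.sessions = {}   # outbound 5-tuple -> expiry time

    @staticmethod
    def _key(pkt):
        # Normalise both directions onto the outbound 5-tuple so a reply
        # from the untrusted side maps onto the session that requested it.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now):
        self.sessions = {k: t for k, t in self.sessions.items() if t > now}

    def process(self, pkt, now):
        """Return 'permit' or 'deny' for pkt at time `now` (seconds)."""
        self._expire(now)
        key = self._key(pkt)
        timeout = TCP_SESSION_TIMEOUT if pkt.proto == "tcp" else UDP_PSEUDO_SESSION_TIMEOUT
        if pkt.direction == "out":
            # A TCP session may only be opened by a SYN; later segments
            # (and any UDP datagram) refresh the existing entry.
            if pkt.proto == "tcp" and key not in self.sessions and pkt.flags != "S":
                return "deny"
            if "R" in pkt.flags:          # reset tears the session down
                self.sessions.pop(key, None)
                return "permit"
            self.sessions[key] = now + timeout
            return "permit"
        # Inbound: unsolicited traffic has no table entry and is dropped.
        if key not in self.sessions:
            return "deny"
        if "R" in pkt.flags:
            self.sessions.pop(key, None)
        else:
            self.sessions[key] = now + timeout
        return "permit"

    def active_sessions(self, now):
        self._expire(now)
        return len(self.sessions)
```

The UDP pseudo-session is the interesting case: with no handshake to observe, the only thing that distinguishes a legitimate reply from unsolicited inbound traffic is the table entry and its idle timer.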


NetScreen Virtual Systems

• NetScreen Virtual Systems
– Per Virtual System - address book, policies and management
– Firewall and VPN configured per virtual system
– Able to support multiple security domains or customers without sharing policy

Diagram: Vsys #1 / Vsys #2 / Vsys #3


NetScreen Management Interfaces


• CLI – familiar command line interface
– RS232, Telnet and SSH
• Web Interface – embedded Web server
– HTTP and SSL
• NetScreen Global – proprietary interface
• SNMP – Standard MIB & private extension
• Syslog – standard traffic reporting and alerts
• 3rd Party – WebSense, WebTrends


Enterprise Security Management: Global Manager

• Central management for multiple NetScreen security appliances
– Set policies and configuration options
– Define configuration once, apply to multiple devices
– Device grouping to simplify administration
• Collect and display status information for hundreds of devices
– Detailed reporting: configuration, traffic, CPU utilization, logs …
• Securely manages via VPN tunnels to devices
• Windows NT/2000-based platform

Diagram: Global Manager (Configuration; Monitoring & Reporting) connected to NetScreen Security Devices


Product Overview: NetScreen-500

• High performance
– 250 Mbps 3DES IPSec VPN
– 700 Mbps stateful firewall
• High capacity
– 10,000 IPSec tunnels
– 250,000 concurrent sessions
– 22,000 new sessions per second
• Up to 25 Virtual Systems
• Redundant
– High availability features
– Internal system redundancies (swappable fans, power)
– Separate traffic and management bus
• Flexible
– Multiple ports
– AC/DC power


Product Overview: NetScreen Security Appliances

• Suite of wire-speed appliances
– NetScreen-100: 100-Mbps performance; 128,000 sessions; 1,000 tunnels
– NetScreen-10: 10-Mbps performance; 4,000 sessions; 100 tunnels
– NetScreen-5: 10-Mbps performance; 1,000 sessions; 10 tunnels
• Stateful-inspection firewall
– Leading denial of service attack deterrence
• NAT (mapped IP, Virtual IP), URL blocking
• Line rate IPSec VPNs
– IPSec, DES/3DES, MD5, SHA-1, IKE key management
– 1,000 tunnels: site to site or remote access
• Traffic Management: guaranteed & max bandwidth


Security Applications for the Enterprise

• Firewall application only

• VPN capabilities added to existing firewall

• VPN and firewall, replacing existing firewall

• VPN & firewall with increased traffic & remote users

• Multi-department firewalls

• Multi-department with remote users

• Multi-department with campuses

• Colocation


Firewall with High Speed Internet

Firewall
– Private Network perceived as “secure”
– RAS for mobile / home office
– WAN access multiple T1s (>1.5Mbps)
– Promotional Web site
– All employees “trusted” can access all parts of the network

• NetScreen delivers
– Increased Security / Easier Support / Higher Performance & Scalability / Cost effective solution

Diagram: Internet, Corp HQ, DMZ, Private Network, PSTN (1-800) and RAS


VPN Intranet & Central Site Firewall

Remote Access VPN
• Private & dial network replaced by VPN intranet
• Remote VPN devices provide additional security because they are also Firewalls
• Central Firewall turns on VPN

Central Site VPN Acceleration
• Central Firewall unable to handle VPN traffic; needs acceleration
• NetScreen device used for VPN termination
• Leverage advanced features eg Hub & Spoke

Firewall/VPN consolidation
• NetScreen replaces existing firewall due to unnecessary duplication of costs (maintenance, admin, and support)

Diagram: Internet, Corp HQ


Central Site Firewall & VPN Intranet

Firewall Application
• WAN access multiple T1s /T3
• E-business

VPN Application
• Private network replaced by VPN intranet
• Hundreds or thousands of remote offices / users
• Extranets
• Trust limited to “Need to know” employees

NetScreen delivers
• Increased performance, scalability, flexibility & cost effectiveness of the solution

Diagram: Internet, Corp HQ, DMZ


Multi-Department Security

Traditional Solution
• Multiple Firewalls required to provide internal security

NetScreen-500 Solution
• Virtual Systems employed to provide departmental security
• Can also be used for additional DMZs, security domains and for extranets
• Trust limited to “Need to know” employees

Diagram: Internet, Corp HQ with Finance Dept, M & A Group, Engineering Dept and DMZs


Multi-Department with remote users

Firewall
• Traffic sent to the Finance dept is firewall-ed by the Finance Vsys
• Finance SOHO worker firewall-ed from the Internet

VPN
• Remote finance workers VPN connections terminate in the Finance Virtual System
• Essentially extending the finance intranet to include those workers

Diagram: Internet, Corp HQ (DMZs, Finance Dept, Finance Vsys), Finance Dept mobile worker, Finance Dept remote worker


Dept Intranets & Campuses

Firewall
– Traffic sent to the Finance dept is firewall-ed by the Finance Virtual System

VPN
– Finance intranet is extended between campus by VPN between the Finance virtual systems

Diagram: Internet / NSP Net, Corp HQ (DMZs, Finance Dept), Extended Campus (DMZs, Finance Dept), Finance Vsys to Vsys VPN


Colocation

Data Center Fast Firewall/VPN
• Reduced capital cost
• Lower management & support burden
• High Bandwidth FW without having load balanced security devices
• Integrated VPN Access for Remote Access
• Option of using virtual systems for different security domains (front end, back end, staging or for MSPs - customers)

Diagram: Internet Data Center with Web Servers, Staging Servers, Backend Databases, Application Databases and Customer Data; Big Fast Firewall / Updating / content provisioning; Web Hosting, ASP/MSP, Web Host / E-business


NetScreen vs. general purpose (H/W & S/W) architectures

Superior throughput
– Zero packet loss, 100Mbps UDP
– Firewall no longer the network bottleneck

Higher sustained performance
– Sustained large session count
– User satisfaction maintained even at peak times

Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets; aggregate throughput (Mbps, *1% packet loss threshold) by simultaneous UDP sessions (5,000 / 10,000 / 25,000) and packet size (64 / 512 / 1,024 / 1,518 bytes), NetScreen-500 vs. Cisco PIX 535 (Tolly Group - 2001)

Chart: Steady-State, Bidirectional, Zero-Loss* UDP Packets, % of Theoretical Maximum Offered Load Throughput for Full-Duplex 100 Mbit/s Ethernet 'Single Rule' Firewall Processing, by packet size (64 / 512 / 1,024 / 1,518 bytes); Baseline NetScreen-100, Check Point FireWall-1, Cisco PIX-515, Nokia IP650* (Tolly Group - 2000)


NetScreen vs. general purpose (H/W & S/W) architectures

Fast VPN throughput
– Integrated 3DES VPN acceleration
– Productivity and user satisfaction

Great VPN Application throughput
– SAP & FTP throughput
– Real world apps perform as expected

Chart: Steady-State, Zero-Loss* Bidirectional IPSec Gateway (DES-3, SHA-1) % of Theoretical Maximum Offered Load Throughput via Full-duplex Fast Ethernet (100 Mbit/s), by packet size (64 / 512 / 1024 / 1518 bytes); NetScreen-100, Check Point FireWall-1, Nokia IP650, Cisco PIX-515 (Tolly Group - 2000)

Chart: Bidirectional IPSec Gateway (DES-3, SHA-1) Application (Chariot) Throughput via Full-duplex Fast Ethernet (100 Mbit/s), throughput in Mbit/s for FTP and SAP R/3; Baseline NetScreen-100, Check Point FireWall-1, Nokia IP650, Cisco PIX-515 (Tolly Group - 2000)


NetScreen vs. general purpose (H/W & S/W) architectures

Rapid ramp rate
– Number of new sessions per second
– For busy web sites and Denial of Service attacks

Low latency
– Firewall Latency testing in uSec
– Useful for heavily loaded sites, multimedia and voice traffic

Chart: Maximum TCP Session-Processing Rate Per Second of 'Single Rule' Processing Firewall (TCP connections per second); NetScreen-100, Cisco PIX-515, Check Point FireWall-1, Nokia IP650* (Tolly Group - 2000)

Chart: Steady-State, Bidirectional Latency 'Single Rule' Processing Firewall via Full-duplex, Fast Ethernet (100 Mbit/s), latency in microseconds; Baseline NetScreen-100, Check Point FireWall-1, Cisco PIX-515, Nokia IP650 (Tolly Group - 2000)


Cost Analysis: Small Office <25people

• NetScreen-5
• Cisco PIX 506 w 3DES License
• Nokia 110 w CP 25 IP VPN-1 Module License (includes Firewall-1 & VPN-1)

Implementation and Maintenance Costs (Dollars)   NetScreen-5   Cisco PIX 506   Check Point/Nokia IP110
Hardware Costs
  Firewall platform                                     $995          $1,950          $2,495
  VPN platform                                            $0              $0              $0
Software Costs
  Firewall platform                                       $0              $0          $1,499
  VPN platform                                            $0            $250              $0
Maintenance and System Support Costs
  Hardware maintenance                                  $200            $304              $0
  Software maintenance                                    $0              $0            $225
  System support services                                 $0            $205          $1,115
Total Implementation and Maintenance Costs            $1,195          $2,709          $5,334


Cost Analysis: Branch Office <10Mbps FW&VPN; <100 people

• NetScreen-10
• Pix 515R + 3DES license + no DMZ (3rd interface requires UR software)
• IP 330 + CP VPN-1 (FW+VPN) Module license for 100 IP addresses

Implementation and Maintenance Costs (Dollars)   NetScreen-10   Cisco PIX 515   Check Point/Nokia IP330
Hardware Costs
  Firewall platform                                    $3,995          $5,000          $4,950
  VPN platform                                             $0              $0              $0
Software Costs
  Firewall platform                                        $0              $0          $5,995
  VPN platform                                             $0          $1,000              $0
Maintenance and System Support Costs
  Hardware maintenance                                   $800            $700              $0
  Software maintenance                                     $0              $0            $899
  System support services                                  $0            $325          $2,225
Total Implementation and Maintenance Costs             $4,795          $7,025         $14,069


Cost Analysis: Central Site <10Mbps FW&VPN; >100< 250 people

• NetScreen-100
• Pix 515UR + 10/100 card + 3DES license
• IP 330 + CP VPN-1 (FW+VPN) Module license for 250 IP addresses

Implementation and Maintenance Costs (Dollars)   NetScreen-100   Cisco PIX 515   Check Point/Nokia IP330
Hardware Costs
  Firewall platform                                     $9,995         $12,200          $4,950
  VPN platform                                              $0              $0              $0
Software Costs
  Firewall platform                                         $0              $0          $7,495
  VPN platform                                              $0          $1,000              $0
Maintenance and System Support Costs
  Hardware maintenance                                  $2,000          $1,680              $0
  Software maintenance                                      $0              $0          $1,124
  System support services                                   $0            $780          $2,225
Total Implementation and Maintenance Costs             $11,995         $15,660         $15,794


Cost Analysis: Central Site >10Mbps FW&VPN; or >250 people

• NetScreen-100
• Pix 525R + 10/100 card + VPN Acc card + 3DES License
• IP 440 + VPN Acc Card + CP VPN-1 (FW+VPN) Module license for Unlimited IP addresses

Implementation and Maintenance Costs (Dollars)   NetScreen-100   Cisco PIX 525   Check Point/Nokia IP440
Hardware Costs
  Firewall platform                                     $9,995         $16,200         $12,495
  VPN platform                                              $0          $7,500          $2,995
Software Costs
  Firewall platform                                         $0              $0          $9,495
  VPN platform                                              $0          $1,000              $0
Maintenance and System Support Costs
  Hardware maintenance                                  $2,000          $2,496          $1,495
  Software maintenance                                      $0              $0          $1,424
  System support services                                   $0          $1,680              $0
Total Implementation and Maintenance Costs             $11,995         $28,876         $27,904


Cost Analysis: Central Site >100Mbps FW&VPN; >250 people

• NetScreen-500 + 2xGE cards
• Pix 535R + 2x GE cards + VPN Acc card + 3DES License
• IP 530 + 2x GE cards + VPN Acc Card + CP VPN-1 (FW+VPN) Module license for Unlimited IP addresses
• Neither Cisco nor Nokia can exceed 100M VPN

Implementation and Maintenance Costs (Dollars)   NetScreen-500   Cisco PIX 535   Check Point/Nokia IP530
Hardware Costs
  Firewall platform                                    $33,500         $70,000         $26,495
  VPN platform                                              $0          $7,500          $2,995
Software Costs
  Firewall platform                                         $0              $0          $9,495
  VPN platform                                              $0          $1,000              $0
Maintenance and System Support Costs
  Hardware maintenance                                  $7,500          $9,360              $0
  Software maintenance                                      $0              $0          $1,424
  System support services                                   $0          $2,925          $6,480
Total Implementation and Maintenance Costs             $41,000         $90,785         $46,889


Assumptions

• Cisco & Nokia are able to achieve 10M VPN w/o Acc Card
• Checkpoint VPN-1 Module pricing was used to be conservative; otherwise either all-gateway pricing is used or one enterprise console version needs to be included, which would add approx. $10K to any CP solution.
• Again, to be conservative, NetScreen-100 was used for <10Mbps, >100 <250 people, where a NetScreen-10 could have been used.
• Cisco & Nokia latest solutions (Pix 535 & IP 530) unable to achieve > 100M VPN (IP 530 can not achieve >50M 3DES)
• Nokia IP 530 GE interfaces (not currently available) cost equivalent to Cisco & NetScreen modules ~ $5K


Price / Performance via Purpose Built Architectures

NetScreen-500 - $33,500
– (2 x GE cards)

Cisco Pix-535R - $78,500
– (2x GE cards, VPN Accelerator card, 3DES License)

Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets; aggregate throughput (Mbps, *1% packet loss threshold) by simultaneous UDP sessions (5,000 / 10,000 / 25,000) and packet size (64 / 512 / 1,024 / 1,518 bytes), NetScreen-500 vs. Cisco PIX 535 (Tolly Group - 2001)


NetScreen’s Enterprise Solution

• NetScreen: Empowering Enterprises with new security solutions
– Gigabit security systems
– Multi-department security systems
– Security appliances for moderate-bandwidth environments
– Broadband remote access and campus VPN demands
• Simple and affordable
– Reduced number of devices required
– Simplified network architecture, management and licensing
– Less expensive than competitive solutions
– Easy to deploy and manage


NetScreen: Broadband Internet Security Solutions