Embed Size (px)
Citation preview
Page: 1
NetScreen Technologies
Security Solutions the NetScreen WaySecurity Solutions the NetScreen WayPeter Crowcombe – EMEA Marketing Peter Crowcombe – EMEA Marketing
ManagerManager
Page: 2
Agenda
• About NetScreen• Security Innovation• Unique Architectures• Threats and Responses• VPN leadership• Total cost of ownership • The future of security
Page: 3
About NetScreen
• Leading supplier of network security solutions for large scale and high capacity enterprise and carrier networks– Integrated firewall, VPN and traffic management
• Leading market share– #1, #2 or #3 in key VPN and firewall categories*
* Based on data from Dataquest/Gartner Group, Infonetics Research, International Data Corp.
Page: 4
NetScreen Innovation
NetScreen firsts:• An integrated Firewall and VPN appliance with ASIC
acceleration for FW AND VPN• Virtual system architecture
– With separate policy tables, addressing and management
• Integrated active-active, full mesh, stateful High Availability
• Ship Gigabit Firewall & VPN appliance• Ship 4 Gigabit Firewall appliance
Page: 5
$12.2
$17.2$19.1
$23.0
$26.3
$32.0
$36.4
$0
$10
$20
$30
$40
Sep'00
Dec'00
Mar'01
Jun '01
Sep'01
Dec'01
Mar'02
Jun'02
Resulting in NetScreen Delivering Industry-Leading Growth
$5.9
$26.6
$85.6
$0
$15
$30
$45
$60
$75
$90
FY '99 FY '00 FY '01
$ Millions
$29.0
Page: 6
ScreenOSScreenOSGigaScreen ASIC GigaScreen ASIC ScreenOSScreenOSGigaScreen ASIC GigaScreen ASIC Optimized
Security PlatformOptimized
Security Platform
Superior Security, Performance and Economicscompared with software/processor based
architectures
Global PROGlobal PRO
ScreenOSScreenOSGigaScreen ASIC GigaScreen ASIC Optimized
Security PlatformOptimized
Security Platform
Unique Solution & Technology Platform
GigaScreen ASIC GigaScreen ASIC
Page: 7
GigaScreen-II ASIC Technology
• GigaScreen-II is a security processor – Breakthrough performance
• 2 Gbps firewall; 1 Gbps VPN
– Massive scalability
• Linear scalability when connected to a switched backplane
– Complete security processing
• Complete packet processing with little to no CPU intervention
– Programmability
• Ability to add packet classification and content inspection engines
CPUData Exchange (first packet, IKE etc)
GigaScreen-II ASIC / Flow Processor
Control
Flow Traffic
Management module
Page: 8
NetScreen-5000 Chassis Architecture
FlowControl
First Packet, IKE, etc
32 bit - Bus 0
64 bit - Bus 1
15 Gbps switch fabric
Mgmt Module
Secure Port Module
Secure Port Module
Future Tech. Modules
Back plane• Dual Bus Architecture
– Control Traffic between GigaScreen-II and Management Module
– Data Exchange between the Management Module and the GigaScreen-II via Dual Access High Speed RAM (SRAM)
• 15 Gigabit switch fabric and Multiple Module Slots (5400)
– Slots for Multiple Secure Port Modules or additional new modules
– Packet Flow Traffic between Secure Port Modules or Future modules
Page: 9
Comprehensive Product Line
Network core Central Site Medium Site Small OfficeEnterprise Telecommuter
NetScreen -Remote
NetScreen-500
NetScreen-5XPNetScreen-25
NetScreen-50
NetScreen-200 SeriesNetScreen-1000
NetScreen-5000 Series
NetScreen-Global PRO
NetScreen-Global PRO Express
NetScreen-5XT
Page: 10
Security Deployment Drivers
32%
33%
36%
43%
72%
36%
38%
38%
32%
0% 25% 50% 75%
Addition of an extranet
Business/regulatory requirement
Increase in commercially sensitive traffic
Demand from customers or business partners
Hacking from the inside
Addition of Internet connections
Increase in mobile workers, telecommuters, and day extenders
Addition of applications that require security
Hacking from the outside
Fa
cto
rs
Percent of Respondents Rating 6 or 7
Source Infonetics 2002
Page: 11
Security Threats Are Growing
• Outside attacks that compromise perimeter security
– Denial of service, VPN U-turn attacks
– Trojan horse attacks that penetrate the enterprise
• New application requirements
– Segmentation of departmental resources
• Wireless LANs
Security Incidents Reported to CERT
0
10,000
20,000
30,000
40,000
50,000
60,000
# o
f in
cid
ents
1988: 6 incidents(Kevin Mitnick)
2001: 52,000+ incidents(Code Red, Nimda)
Computer Emergency Response Team (CERT) is a federally funded research and development center specializing in Internet security operated by Carnegie Mellon University.
Page: 12
Security Threats
Internet
DMZ
Regional Office
Branch Office
Servers
Finance Servers
TelecommuterCompromised
Computer
Worms / Compromised
Server
Unauthorized Wireless User
Unauthorized Wireless User
Unauthorized Personnel
VPN
Firewall
VPN
VPN
VPN
Trojans / Disgruntled /
Dishonest Employee
(((
(((
Page: 13
Internet
DMZ
Regional Office
Finance
Telecommuter
((((
((((
((((
Branch Office
Notebook & PDA (VPN)
WirelessAdmin
Web
Central Site
VPN - Client
VPN - Client
OR
Greater Segmentation & Policy Control
Internal / External threats treated equally
Wireless
Integrated FW/VPN with attack blocking and user authentication
Security Domains
Page: 14
Paybacks and Benefits of VPNs
17%
32%
34%
41%
41%
42%
43%
44%
45%
57%
Ability to carry voice over IP
Increased network uptime
Any to any connectivity
Increased geographic coverage
Improved communications with customers
Ability to quickly add remote access users, sites, or extranet partners
Reduction of operation and management costs
Increased bandwidth using VPNs with DSL, cable, or broadband wireless
Dial-up or dedicated connection cost savings
Increased security
Q. On a scale of 1 to 7, where 1 is “not important” and 7 is “extremely important,” please rate the importance of the following expected paybacks and benefits in your decision to implement VPNs:
Source Infonetics 2002
Page: 15
Leaders in VPN technology
Data Centre/SP NOC
MPLS
Content
Home GPRSInternet
Mobile VPNSmall site,Temp site VPN
Intranet VPN
Partner A
Partner B
Partner C
Overseas GPRS
GRXRemote Access
Content SerAV ServicesIDS ServicesApplication Ser
Page: 16
Frame to IP VPN Migration ScenariosApples to Apples – Equal Bandwidth
Legacy Network IPNetwork
Change
Scenario A: Direct One-to-One Comparison
Small Site Bandwidth (8 sites) 56-64 Kbps 56-64 Kbps No Change
Monthly Cost/Site $280 $75 Save $205
Medium Site Bandwidth (2 sites) 384 Kbps 384 Kbps No Change
Monthly Cost/Site $1,150 $190 Save $960
Central Site Bandwidth (1 site) T-1 T-1 No Change
Monthly Cost/Site $3,275 $1,570 Save $1,705
Total Annual Costs $93,780 $30,600 Save $63,180
Time to pay back initial hardware investment ($6,000 to $10,000): 1.1 – 1.9 Months
The initial hardware purchase is based on average pricing for NetScreen appliances while the bandwidth rates are based on averages derived from multiple carrier offerings. This example does not include network management, installation expense, time to migrate multiple networks, etc.
Source: TeleChoice – Building the business case for IP VPNs
Page: 17
Firewall Features
30%
31%
32%
48%
49%
59%
34%
42%
44%
24%
0% 15% 30% 45% 60%
1G performance
Four or more Ethernetports
Load balancing/QoS/traffic shaping
Appliance-based
Fail-over capability
100M performance
Stateful inspectionengine
Ability to repelDoS/DDoS
Remote softwareupdate
Additional securityfunctionality
Fe
atu
res
Percent of Firewall Respondents Rating 6 or 7
Source Infonetics 2002
Page: 18
IDP - The future of security
• Definitive agreement to acquire OneSecure for $40.3 million
• Innovative intrusion detection and prevention appliance accurately detects attacks, stops attacks and is easy to manage
• Immediately address IDS market with intrusion prevention products
• The best technology, architecture and people to accelerate NetScreen’s delivery of next generation integrated security gateway and management
Milestones•1st device that detects and prevents attacks by dropping malicious packets (patent pending)
•1st to implement Multi-Method Detection to maximize attack detection
•1st to utilize Stateful Signature Detection to help reduce false alarms
•1st centralized, rule-based management of intrusion detection and prevention
Page: 19
Intrusion Prevention - OneSecure
• Innovative intrusion prevention and detection product– Improved intrusion detection accuracy, reducing false alarms and detecting more
attacks• Multi-Method Detection • Stateful Signatures
– True attack prevention to eliminate impact of attack
• In-line operation WebServer
User
Users
FinanceServers
Firewall
CodeRed
MailServer
HR Servers
Page: 20
Intrusion Detection strategies
44%
57%
75%
43%
0% 25% 50% 75% 100%
Intrusion detection in a network device
Host-based Intrusiondetection
software on clients andservers
Standalone intrusion detection appliance
Integrated security appliance
Devic
e T
yp
es
Percent of Intrusion Detection Respondents
Source Infonetics 2002
Page: 21
NetScreen-OneSecure Integration Plan
Introduce & Re-brand OneSecure IDP. Scale performance to gigabit levels
Phase I: At Close
Introduce & Re-brand OneSecure IDP Management
Phase II: 1H03
Integrate key IDP features into ScreenOS. New processing blade NS-5000
Integrate management platforms
Enhance IDP
Phase III
Enhance Management Intelligence
Enhance IDP
Develop silicon & hardware for next-
generation platforms
Page: 22
Innovation in the Security market
“Gartner believes that the primary security gateway, the firewall, should provide for this in-line inspection and action taking. Thus, we see this move by NetScreen as the first market move toward fulfilling our vision of firewalls that look deeper into packet streams and make higher-level decisions. Enterprises will need this capability to implement strong, application-aware edge security on a variety of security platforms..”
Gartner GroupAugust 27, 2002
Page: 23
NetScreenScalable Security Solutions
