By Andrew Garcia  |  Posted 2004-01-26

NetScreen Technologies Inc.'s NetScreen-Security Manager offers solid centralized firewall policy and VPN distribution capabilities to companies that have numerous NetScreen firewall/VPN appliances. NetScreen administrators who want to deploy next-generation security services will find NSM to be an indispensable management and deployment tool. However, there are few options for full multiplatform firewall management. NetScreen appliances integrate with NetIQ Corp. firewall forensics solutions, and Solsoft Inc. offers a policy management platform. But eWEEK Labs believes the best bet is to either write a custom application against NetScreen's flexible command-line interface or deploy NSM.

NSM, which shipped last month, refreshes the earlier NetScreen Global Pro management product line, adding support for NetScreen's ScreenOS 5.0-based appliances and increased management delegation capabilities. ScreenOS 5.0, NetScreen's latest appliance firmware, brings application-level deep filtering and anti-virus scanning to the table.

NSM costs $5,995 to manage 10 NetScreen appliances. A single NSM server can manage a maximum of 1,000 devices for $55,995. Companies with active support contracts for NetScreen Global Pro products may convert to NSM free of charge.

The NSM server component consists of a GUI Server, which is a data store of configuration data and policy information for the managed devices, and a Device Server, which stores the logs generated by the devices. Both components can be installed on the same server or distributed for increased performance.

We installed NSM on a single server running Red Hat Inc.'s Red Hat Linux Version 9. NSM can also be installed on Red Hat 8 or Sun Microsystems Inc.'s Solaris 8 or 9. The installation did require an update to the RPM component before starting, but NetScreen includes the update with the installation package.

Policy management and the reporting tools are accessed via the Windows-based management application, which we found to be busy and cramped but navigable. The management console communicates with the back-end server via an AES (Advanced Encryption Standard) link over TCP port 7800.

We liked NSM's robust management delegation capabilities. From the management console, we could granularly assign read and write roles for security services, allowing us to distribute management tasks safely among multiple administrators.

In addition to the NSM server and management console, our test environment included two NetScreen 5GT firewall/VPN appliances—one in our San Francisco lab and the other in a remote site, connected to the Internet via asymmetric DSL. After we enabled management via Secure Shell on both appliances, we found NSM captured and deployed data from the devices well, despite the slower link to the remote site.

After defining network objects and protected resources in the console, we easily deployed a site-to-site VPN between our branch locations. Using NSM, it's a snap to deploy hub-and-spoke or fully meshed tunnels among various locations.

NSM's Device Server captures logging data from each managed device. Accessing this data from the console gives administrators good insight into activity throughout the full protected network. Using NSM's fine filtering capabilities, it was easy to isolate and investigate suspicious activity, and to leave condition flags about the status of the event.

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
