NetScreen Firewall/VPN Offers Good Choice for Branch Offices

Organizations looking for an inexpensive, easy-to-set-up firewall/VPN gateway appliance for small branch offices should consider NetScreen Technologies Inc.'s NetScreen 5XT.

The 5XT is part of NetScreen's line of security appliances, all of which use integrated ASICs to handle IP Security encryption, firewall services and protection against denial-of-service attacks.

The 5XT, released in November, packs plenty of network security features into a small form factor. Weighing less than 2 pounds, the 5XT has one 10/100M-bps Ethernet port for connection to an untrusted network and four 10/100M-bps Ethernet interfaces for connection to the internal trusted network or DMZ. The 5XT also has a console port for management and a modem port for connecting dial-up users to the virtual private network gateway.

NetScreen's ScreenOS firmware powers the entire 5XT system and provides applications such as a stateful inspection firewall; an IPSec VPN gateway; traffic management capabilities; high-availability support; and OSPF/BGP, or Open Shortest Path First/Border Gateway Protocol, dynamic routing.

The 5XT supports 10 site-to-site or remote access VPN tunnels, 20M bps of Triple Data Encryption Standard encryption throughput and 2,000 concurrent sessions. The 5XT is competitively priced, at $695, and is best suited for linking branch offices or providing telecommuters with remote access to the main corporate backbone.

However, although the 5XT's performance and ports will be sufficient for small sites, the appliance is not scalable. Organizations will need to purchase a higher-end system to support more users.

The NetScreen 50 and NetScreen 200 both provide greater throughput and support more users and tunnels than the 5XT. The NetScreen 50, which supports 50M-bps throughput and 100 tunnels, costs about $6,000; the NetScreen 200, which supports 200M-bps throughput and 1,000 tunnels, costs about $10,000.

The NetScreen 5XT competes with small-site VPN gateway systems from vendors including Check Point Software Technologies Ltd., Cisco Systems Inc., SonicWall Inc. and WatchGuard Technologies Inc.

Nokia Corp. security gateway appliances run on Check Point's Firewall/VPN software suite and include features similar to those found in the range of NetScreen products. Check Point's systems are priced from $500 to more than $20,000, depending mostly on throughput.

The SonicWall Pro 100, which starts at $1,000, is more expensive than the 5XT but offers comparable performance and supports more VPN tunnels. The SonicWall Pro 100 is a good choice for small companies that want to deploy a remote access VPN.

Setting up the 5XT on eWeek Labs' test network was easy, thanks to an intuitive Web interface. We quickly configured the system to run in trust/untrust operation mode. We used the single "untrusted" port for the Internet and the four trusted ports for our internal network. We used Network Address Translation to keep our internal IP addresses hidden from the Internet.

We used the Web interface wizards to configure firewall and VPN policies easily. We also were able to set up a VPN gateway quickly using the interface.
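The trust/untrust layout described above, expressed as a ScreenOS command-line configuration, as an added example; it is not eWeek Labs' test configuration and not NetScreen's documentation. The review used the Web interface, so this shows the equivalent CLI form. Zone names (trust, untrust), the address-book and VPN object names, the 10.1.1.0/24 and 10.2.2.0/24 private ranges and the 192.0.2.0/24 and 203.0.113.0/24 public addresses are all assumptions chosen for the example, and the pre-shared key is a placeholder. Lines beginning with `#` are annotations for the reader rather than ScreenOS syntax.

```text
# Trusted LAN on the four switched ports; NAT mode on the trust interface
# hides internal addresses from the Internet (assumed 10.1.1.0/24)
set interface trust ip 10.1.1.1/24
set interface trust nat

# Untrusted Internet port in route mode with a public address (assumed
# 192.0.2.2) and a default route to the provider's gateway
set interface untrust ip 192.0.2.2/24
set interface untrust route
set route 0.0.0.0/0 interface untrust gateway 192.0.2.1

# Firewall policy: permit outbound sessions from the trusted LAN; inbound
# is denied by default, stated here explicitly so the rule is visible
set policy from trust to untrust any any any permit
set policy from untrust to trust any any any deny

# Site-to-site IPSec tunnel to the main office (assumed 203.0.113.1):
# address-book entries, IKE gateway, VPN object, then tunnel policies
# in each direction so only the two LANs may use the tunnel
set address trust "Branch-LAN" 10.1.1.0 255.255.255.0
set address untrust "HQ-LAN" 10.2.2.0 255.255.255.0
set ike gateway "HQ-GW" address 203.0.113.1 main outgoing-interface untrust preshare "REPLACE-WITH-PRESHARED-KEY" sec-level standard
set vpn "HQ-VPN" gateway "HQ-GW" sec-level standard
set policy from trust to untrust "Branch-LAN" "HQ-LAN" any tunnel vpn "HQ-VPN"
set policy from untrust to trust "HQ-LAN" "Branch-LAN" any tunnel vpn "HQ-VPN"
save
```

The two tunnel policies are what keeps the VPN from becoming a general inbound hole: traffic from the untrust side reaches the branch LAN only when it arrives through the HQ-VPN tunnel and matches the HQ-LAN address-book entry; everything else from untrust still hits the deny rule.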

Client setup will be a lot easier for sites that have implemented NetScreen-Global Pro, NetScreen's central policy management system, which is priced from $17,000 (the starting price for 25 devices).

The current version of Global Pro does not support the 5XT. NetScreen officials said the next version will provide support for the lower-end gateways such as the 5XT and the 5XP. In addition, VPN users can use the optional NetScreen-Remote desktop client to authenticate to the management system, as well as to download predefined VPN security policies and automatically configure the client system to access network resources dictated by administrators in advance.

NetScreen-Remote costs $345 for 10 licenses plus a desktop firewall; the price for the remote client only is $95.

Without these management capabilities, security policy changes will require that administrators manually configure each client.