NetScreen's Global Pro 3

Revamped management suite offers simultaneous control of NetScreen security gear.


NetScreen's revamped Global Pro 3.0 management suite gives network professionals a way to simultaneously manage a network of NetScreen firewalls. While our tests show NetScreen hasn't exactly hit a home run with this product, the company has managed to load the bases with some serious firewall and VPN management and configuration tools.

Released in November, Global Pro 3.0 takes network executives out of the tedious position of managing individual firewalls, and moves them into the realm of policy-based security management.

Before now, NetScreen had fallen behind competitors including Check Point Software, Avaya, and Nokia because it didn't offer centralized policy-based configuration.

Global Pro 3.0 comes in two flavors. The Express version, which we evaluated, can manage up to 100 devices. This version lacks some of the aggregate reporting tools available in the higher-end full version, which scales up to 10,000 devices, sports an Oracle database back-end and offers some fault tolerance.




For the Global Pro Express 3.0, you get quite a bit of management machinery for $6,000. It comes standard on a dedicated Sun server with a 500-MHz Sun Netra T1 processor with 512M bytes of RAM. To install, hook up a terminal and give it an IP address. The management server comes prebuilt with a firewall and can be placed anywhere inside your network.

Management is controlled from any Windows NT 4.0 or Windows 2000 system. The Management Server has a small Web server installed, largely to feed Windows the Java-based management graphical user interface (GUI) that communicates with the management server. We drove the GUI from a dual 650-MHz Win 2000 system with 512M bytes of RAM. Things weren't intolerably slow, but with that much hardware underneath the hood, it should have provided a better showing.

When we started to dump firewalls into the management system, there was no way to import the current configuration from an existing firewall. Existing NetScreen customers with complex configurations might find this aggravating.

Security policies are key to Global Pro 3.0. There are 13 types of security policies, ranging from the prosaic (such as where to send SYSLOG messages) to the critical (such as what traffic gets in and what traffic does not). Policies are defined using a simple interface and then applied to as many firewalls or firewall groups as you'd like.

We defined a policy listing all our corporate mail servers and stating that the Internet could connect to our corporate mail servers, but only for the purpose of sending us mail. The policy also let the mail servers send mail out to the Internet. Once the policy was defined, we used the policy editor to add the relevant firewall groups to it, pushed changes, and we were done.

The beautiful thing about NetScreen's policy-based management is that if a new firewall was added into one of the groups already attached to the policy, Global Pro 3.0 would automatically build a policy for that firewall that includes all the policies for that group. The same thing is true of changes to the policy. If a new mail server was added, all it would have taken is a push to all firewalls to make them aware of the change in policy.

VPN configuration a dream

One of the areas where Global Pro 3.0 really steps up to the plate is in building large VPNs. To build a mesh or hub-and-spoke VPN, select all of the protected networks, add them into the VPN, specify Internet Key Exchange and IP Security policies, and you're done. Global Pro 3.0 already knows which gateways protect which networks based on the configuration information provided when the firewall was installed, and downloads appropriate policies to each one.

We built VPNs not only between NetScreen firewalls, but also among third-party gateways (see 'How we did it'). The connection was easy to do, something we found difficult for many vendors in our last VPN review.

Because Global Pro 3.0 doesn't do anything that the NetScreen firewall can't do, there are no new capabilities in the VPN (or firewall) side of the house. But some things are omitted. For example, NetScreen VPNs can do bandwidth management through a tunnel, but this has been left out of the Global Pro 3.0 VPN configuration.

Enterprise readiness

Features like real-time monitoring and alerting are built into the product, as is a powerful set of delegated management functions. With the ability to partition the management function across multiple servers, NetScreen's architecture looks as if it can scale to thousands of firewalls.

Because monitoring was a feature of NetScreen's earlier management console, that feature has been brought forward largely unchanged into this new Global Pro 3.0 deployment. The links between the configuration tool and the monitoring tool are a little weak, requiring some active export and import functions to move information between the two parts of the product.

Global Pro 3.0 could go a lot further in showing the big picture of your network. Global Pro 3.0 has a summary report that gives you a partial view of the enterprise firewall configuration, but the report was not as complete as we wanted.

There are other problems that may raise issues in large deployments. For example, when you change policy, it can affect a number of firewalls. But there is no way to tell which firewalls need to have the policy pushed to them. Your alternatives are to guess (and hope you catch all the ones with changes) or just to push to everything - which could take a long time if you have hundreds of firewalls.
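
The group-based policy inheritance and the push-targeting gap described above can be modelled directly. The following Python is an added example, not NetScreen code or part of the original review; the device, group and policy names, the addresses and the fingerprint-per-device approach are assumptions made for illustration.

```python
import hashlib
import json

# Constructed sample data; the names and structure are hypothetical,
# not Global Pro's own data model.
GROUPS = {
    "branch": ["fw-tucson", "fw-dallas"],
    "dmz": ["fw-hq"],
}
POLICIES = {
    "mail": {"groups": ["dmz", "branch"],
             "rules": [["internet", "mail-servers", "smtp", "permit"],
                       ["mail-servers", "internet", "smtp", "permit"]],
             "objects": {"mail-servers": ["192.0.2.10"]}},
    "syslog": {"groups": ["branch"],
               "rules": [],
               "objects": {"syslog": ["192.0.2.50"]}},
}


def compile_device(device, groups, policies):
    """Return the policies a device inherits through its group memberships."""
    member_of = {g for g, devs in groups.items() if device in devs}
    return {name: {"rules": p["rules"], "objects": p["objects"]}
            for name, p in sorted(policies.items())
            if member_of & set(p["groups"])}


def fingerprint(compiled):
    """Stable hash of one device's compiled configuration."""
    blob = json.dumps(compiled, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def snapshot(groups, policies):
    """Fingerprint every device; record this after each successful push."""
    devices = sorted({d for devs in groups.values() for d in devs})
    return {d: fingerprint(compile_device(d, groups, policies))
            for d in devices}


def needs_push(last_pushed, groups, policies):
    """Devices whose compiled config differs from what was last pushed."""
    current = snapshot(groups, policies)
    return sorted(d for d, h in current.items() if last_pushed.get(d) != h)
```

Comparing the stored snapshot with a fresh one after each policy or group edit yields exactly the firewalls that need a push, including a newly added device that has never received one.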

There are some inconsistencies in what can be done with policies. You can define DNS servers, but not Network Time Protocol (NTP) servers. To set up NTP, you have to go to the Web-based configuration on each device.

NetScreen clearly has some work to do on Global Pro. Still, it's an outstanding first effort and NetScreen clearly has strong insight into the way network executives want to handle policy-based security management.

NetScreen Global Pro Express v3.0
Rating: 3.65
Company: NetScreen, www.netscreen.com
Cost: Price as tested: $6,000 (25 devices).
Pros: Outstanding architectural base. Preinstalled and preconfigured management platform to simplify implementation and reduce ongoing operations tasks. Handles firewall and VPN tasks from a policy point of view.
Cons: Centralized configuration not available for all tasks. Bugs and inconsistencies in the configuration and documentation areas need work. Usability and performance could be better.

NetScreen Global Pro Express v3.0

Enterprise-quality config. (30%): 4
Ease of use/documentation (25%): 3.5
Scalability (20%): 4
Management (15%): 3.5
Performance (10%): 2.5
TOTAL SCORE: 3.65

Individual category scores are based on a scale of 1 to 5. Percentages are the weight given each category in determining the total score. Scoring Key: 5: Exceptional showing in this category. Defines the standard of excellence; 4: Very good showing. Although there may be room for improvement, this product was much better than the average; 3: Average showing in this category. Product was neither especially good nor exceptionally bad; 2: Below average. Lacked some features or lower performance than other products or than expected; 1: Consistently subpar, or lacking features being reviewed.

Snyder is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.


Snyder is also a member of the Network World Global Test Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Test Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.
