When Juniper shipped the Integrated Security Gateway 2000 late last year, the company said it was more than another low-density NetScreen firewall. In addition to the basic firewall and VPN capability built into the chassis, Juniper said the ISG 2000 could accommodate as many as three other blades providing security applications, such as intrusion prevention, without affecting the performance of the base firewall and VPN.
The blades came out in the spring, and we've been testing the ISG 2000 with three IDP (Juniper's intrusion-prevention product) blades on our live network for four months, focusing on hardware, management software and architecture.
Overall, while Juniper got the architecture of the system right, it still has work to do on the hardware's maintainability and on the management software.
The ISG 2000 design doesn't live up to Juniper's long-standing reputation for producing maintainable hardware. While port cards, fan modules and power supplies are easy to replace, you cannot hot-swap interface cards. Additionally, getting to the IDP blades and the management module means pulling the chassis out of the rack, unscrewing the top cover, and dealing with slots and boards that were not designed for easy maintenance.
The difficulty of maintaining this hardware was driven home in our tests when one of the blades stopped working properly. Juniper technical support was quick to diagnose the problem, but we had to pull the unit out of our network while we waited for a replacement part to arrive. Had the hardware been more maintainable, we could have quickly pulled the bad board and run on a reduced configuration.
We ran into another hardware-integration problem when we first tried to install the ISG 2000 in our network. Juniper's ScreenOS firewall software is running at either Version 5.2 or 5.3 in all current models - except for the ISG 2000, with Version 5.0. Unfortunately, 5.0 is missing a key feature allowing for asymmetric routing needed to install the ISG 2000 at the edge of a network with multiple ISP connections. Because of the versioning issue, we had to install additional switches to work around the unsupported topology.
Management of the chassis with IDP blades installed requires Juniper's NetScreen-Security Manager, a client-server application for controlling the configuration of, and analyzing logs from, the ISG 2000. Although managing the firewall and VPN components from this application is stable, the NetScreen-Security Manager doesn't control the IDP blade as well as the single-function management software that ships with Juniper's stand-alone IPS boxes.
An intrusion-prevention system (IPS) requires frequent configuration changes to tune it, tighten it and reduce false positives. Operations that should be easy, such as adding an IPS signature to an exception list, require a significant number of steps, take you through a series of modal configuration dialogs and can be frustratingly unpredictable. Even with Juniper on-site, we couldn't figure out whether this unpredictable behavior was caused by bugs or by some exceptionally subtle issue of how and where you click.
Simple tasks, such as finding a signature to learn more about it, are difficult to do. When we finally discovered (with the help of technical support) the well-hidden "find" function in the NetScreen-Security Manager GUI, we found a not-so-well-hidden bug: It doesn't find things very often. We were reduced to searching and scrolling through thousands of signatures to get the information we required.