NetScreen announces deep inspection firewall

Citing an increase in attacks that take advantage of holes in existing firewall technology, NetScreen Technologies Monday said that it will release new "deep packet inspection" features across its line of network firewall products.

The new features build on technology NetScreen acquired in 2002 when it purchased OneSecure, and will enable the Sunnyvale, Calif., company's products to defend customers against a wide range of attacks that hide in traffic that usually passes through firewalls, destined for Web and e-mail servers, among others.

The addition of deep inspection features is the biggest change in firewall technology since the introduction of stateful inspection firewall architecture in the 1990s, according to David Flynn, vice president of marketing at NetScreen.

The term "deep inspection" describes a variety of features that enable security devices to scour individual data packets or streams of packets to spot malicious code or other anomalies that might be part of an attack.

Stateful inspection features enabled firewalls to move beyond just filtering traffic based on the information contained in data packet headers to monitor active firewall connections. Deep packet inspection allows firewalls to dig even deeper into traffic flows, reassembling packet streams to spot hidden attacks on targets like Web, e-mail and DNS servers, he said.
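To make the distinction concrete, here is an added example (not NetScreen code) that contrasts the three views of one HTTP request split across three out-of-order TCP segments: a header-only check sees nothing wrong, per-packet matching misses a directory-traversal pattern that straddles a segment boundary, and stream reassembly finds it. The segments, the signature and the sequence numbering relative to 0 are all constructed for the illustration; a real engine also has to handle many flows and retransmission, which is the throughput cost the article goes on to mention.

```python
"""Header filtering vs per-packet matching vs stream reassembly (constructed sample)."""
from dataclasses import dataclass


@dataclass
class Segment:
    dst_port: int   # TCP destination port from the header
    seq: int        # sequence number, relative to the start of the stream
    payload: bytes  # application data carried by this segment


# Constructed sample: one request to a Web server, split into three segments that
# arrive out of order. The traversal pattern "/../../" is split across segments.
SIGNATURE = b"/../../"
STREAM = [
    Segment(80, 27, b"../etc/passwd HTTP/1.0\r\n\r\n"),
    Segment(80, 0, b"GET /index.cgi?file=/."),
    Segment(80, 22, b"./../"),
]


def header_only_filter(segments, allowed_ports=frozenset({80, 443})):
    """Packet-filter view: only header fields are consulted, payload is never read."""
    return all(s.dst_port in allowed_ports for s in segments)


def per_packet_match(segments, signature):
    """Naive inspection: each segment is examined in isolation."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Order segments by sequence number and rebuild the byte stream.

    Returns (data, complete). Overlapping (retransmitted) bytes are dropped;
    a gap means a segment is missing, so inspection cannot continue past it.
    """
    data = bytearray()
    expected = 0
    for s in sorted(segments, key=lambda seg: seg.seq):
        if s.seq > expected:
            return bytes(data), False  # hole in the stream
        data += s.payload[expected - s.seq:]  # skip bytes already seen
        expected = max(expected, s.seq + len(s.payload))
    return bytes(data), True


def deep_inspect(segments, signature):
    """Deep inspection: match against the reassembled stream, not individual packets."""
    stream, complete = reassemble(segments)
    return signature in stream, complete
```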

Deep inspection features will be included with a new version of the NetScreen operating system, ScreenOS Version 5.0. That will be available on the NetScreen-5GT, -5XT, -25, -204 and -208 devices in November and for the higher-end NetScreen-500, -5200 and -5400 devices in December, NetScreen said. Existing customers will receive the new features as a software upgrade, according to NetScreen.

The new deep inspection features finally make good on NetScreen's promises to integrate OneSecure's intrusion detection and prevention (IDP) features into its ASIC-based hardware, according to Richard Stiennon, vice president of research at Gartner Inc.

The updated firewalls could spell trouble for niche application firewall makers with products that are not suited for more traditional deployments on the network perimeter, and put NetScreen in a position to compete with Check Point and Cisco, he said. Both those companies have made moves to offer similar features in their own products.

In May, for example, Check Point introduced a version of its SmartDefense product with "application intelligence" features that enable it to actively protect applications behind the firewall such as Web servers, e-mail servers and DNS servers.

Also in May, Cisco unveiled its Cisco Security Agent (CSA), making use of behavior-based detection technology it purchased with Okena in January. The CSA resides on servers and desktop machines and analyzes user behavior, thwarting actions that violate established company policy.

While deep packet inspection features are attractive to companies that are worried about infection from the next virulent Internet worm, the intense processing required to do deep inspection still means a decrease in data throughput compared with devices that are not doing deep packet inspection, Flynn said.

The new NetScreen Deep Inspection Firewalls cannot do deep packet inspection at "line speed," and are not capable of the gigabit or multigigabit throughput that is required for deployment in corporate data centers, he said.

When it comes to a choice between performance and security, companies choose performance, Stiennon said. That means that larger companies may wait until vendors like NetScreen redesign their ASIC chips to handle deep packet inspection and can offer better performance before deploying them widely, he said.

In related news, NetScreen said Monday that it will release a new version of its NetScreen-Global PRO network security management product called NetScreen-Security Manager.

The updated management tool will include improved user management features with more user roles and role-based delegation of management tasks. It also has a new graphical user interface that displays information about device and network configuration as well as security policies, NetScreen said.

NetScreen Deep Inspection Firewall is available as a free software update to customers with active NetScreen support contracts. Those annual contracts usually cost between five and 20 percent of the purchase cost of the NetScreen device they cover, NetScreen said.

The NetScreen Security Manager is available as a free software update for NetScreen-Global PRO customers. For new customers, pricing starts at $5,995 for the first 10 devices managed, the company said.


Copyright © 2003 IDG Communications, Inc.
