How we did it

Dec 05, 2005

How the Network World Lab Alliance tested Juniper’s ISG 2000.

We installed the ISG 2000 with IDP blades into our production network at its very edge, connected directly to our two upstream routers. With two 45M bit/sec circuits coming into our network, we kept the ISG 2000 busy, but did not stress it. The hardware was specified to operate at speeds far above our load.

Throughout the test, the ISG 2000 ran on Version 5.0 of Juniper’s ScreenOS operating system. The management system changed more often: we upgraded an existing NetScreen-Security Manager management system to version 2004-IDP (and later to 2005.1 and 2005.2) and proceeded to push our standard firewall policy to the ISG 2000. Because the ISG 2000 was upstream of all our existing firewalls, we combined all of the other firewall policies into a super-policy, adjusted for network topology, and were running within a few hours.

With the ISG 2000, the firewall configuration drives data streams into the intrusion-prevention system (IPS) part of the product. For every firewall rule, you say whether the IPS is enabled. We started with IPS turned on for all traffic, but simply alerting and not dropping or resetting connections.

After studying the false positives over a month, we refined our IPS policy to skip problematic systems and signatures.

Then we put the IPS into block mode, asking it to drop packets or reset connections that triggered its signatures. (A few days after we put the IDP into block mode, we discovered one of our IDP boards had failed and was blocking traffic at random.)

For the next three months, we checked in on the management system daily, looking for log entries that might be signs of false positives, and updating and tuning the system. We used the logs several times to track down problems for our help desk. And of course, we had to make a number of changes to the firewall configuration.
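The workflow above (firewall rules decide which flows reach the IPS, alert-only first, exceptions for noisy hosts and signatures, then block mode) can be modelled in a few lines. This is an added illustration, not Juniper's code or configuration; the rule set, signature names, addresses and log records are all constructed, and the final check reflects the failed-board episode: a drop with no signature behind it is something to investigate, not a policy decision.

```python
import ipaddress
from collections import Counter

# Constructed firewall policy: each rule says whether its traffic is handed to the IPS.
RULES = [
    {"name": "web-in", "dst": "192.0.2.0/24", "ips": True},
    {"name": "mgmt", "dst": "198.51.100.0/24", "ips": False},
]

def match_rule(dst_ip, rules=RULES):
    """First rule whose destination network contains dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule["dst"]):
            return rule
    return None

def ips_action(event, mode, skip_hosts=(), skip_sigs=()):
    """Decide 'allow' (not inspected or excepted), 'alert' (log only) or 'block'."""
    rule = match_rule(event["dst"])
    if rule is None or not rule["ips"] or not event.get("sig"):
        return "allow"
    if event["src"] in skip_hosts or event["sig"] in skip_sigs:
        return "allow"          # tuned exception: problematic host or signature
    return "block" if mode == "block" else "alert"

def noisy_pairs(events, threshold=3):
    """Signature/host pairs that fired repeatedly in alert mode: candidates for false-positive review."""
    hits = Counter((e["sig"], e["src"]) for e in events if ips_action(e, "alert") == "alert")
    return {pair: n for pair, n in hits.items() if n >= threshold}

def unexplained_drops(device_log):
    """Log records the device says it dropped without any signature match (hardware or config fault)."""
    return [rec for rec in device_log if rec["action"] == "drop" and not rec.get("sig")]

# Constructed alert-phase events (sig names are made up, not real Juniper signatures).
EVENTS = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "sig": "HTTP-LONG-URL"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "sig": "HTTP-LONG-URL"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "sig": "HTTP-LONG-URL"},
    {"src": "203.0.113.9", "dst": "192.0.2.11", "sig": "HTTP-LONG-URL"},
    {"src": "203.0.113.9", "dst": "198.51.100.2", "sig": "HTTP-LONG-URL"},  # mgmt rule, IPS off
    {"src": "203.0.113.7", "dst": "192.0.2.10", "sig": None},               # clean flow
]

# Constructed device log from the block phase: one drop carries no signature.
DEVICE_LOG = [
    {"src": "203.0.113.9", "dst": "192.0.2.11", "sig": "HTTP-LONG-URL", "action": "drop"},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "sig": None, "action": "drop"},
]

if __name__ == "__main__":
    print(noisy_pairs(EVENTS), unexplained_drops(DEVICE_LOG))
```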

During the testing, we worked with Juniper technical support to resolve questions and refine our understanding of the system. Juniper also provided on-site technical support at the end of the test to let us sanity-check our conclusions and to collect feedback.

