Integrated Firewall/VPN Security
It Just Makes Sense

by Mark Alexander
Redwood City, CA

What do you do when you inherit from a recent acquisition new network sites that need to be securely integrated into your own corporate network? When divine, inc., a Chicago-based company dedicated to extending enterprise solutions, acquired the assets of MarchFirst, including 22 new networks, they found only one solution that made sense: NetScreen Technologies' integrated firewall/VPN products. NetScreen provided not only a unique range of security solutions that divine could match to any challenge great or small, but also products whose stability and manageability were unmatched in the industry. In the 20 months that divine has relied on NetScreen, not one network problem was caused by a NetScreen product.

Unlike Check Point™ Software Technologies' software-based security, which inserts a performance bottleneck into corporate networks, and Cisco® Systems' RISC-based solutions that reside on general purpose PCs, NetScreen has pioneered a third generation: their own custom silicon, an ASIC architecture that accelerates security performance, combined with a private operating system optimized for firewall/VPN security.

"I like appliances that are targeted for specific purposes," says Chuck Horvat, Director of Network Services for divine and a founding member. "With security solutions, I believe in having a custom OS, and hardware with no moving parts. Why have a hard drive for a firewall when you don't need it? Why have unnecessary points of physical failure? NetScreen's appliance-based approach makes sense to me."

Mark Alexander – SourceText.Com 1 divine article v.3.0

Amazing Security Integration and Performance

In January 2001 divine bought their first NetScreen system level product, the NetScreen 1000, which provides 2 Gbps throughput and up to 25,000 VPN tunnels. With that one box, they managed to segregate all the companies they had under one roof.
They found the product easy to deploy with a very intuitive GUI, but application-based security integration proved to be a key differentiator for divine. "We love technology and the field of security," says Horvat. "So we like to keep up to date. We could tell from the hardware and software design that some of NetScreen's senior people really knew what was going on in security. For years I had been begging for features and integration that only NetScreen offered. Five years ago I would have died for an appliance-based box under $500 like those offered by NetScreen."

Under their original business model, divine needed to isolate more than two dozen companies under one roof. But they had no desire to go out and buy firewalls for each of those companies. Their engineers looked into Check Point and Cisco security solutions, but quickly settled on NetScreen. Why? Only the NetScreen 1000 platform could offer V-LAN trunking of security with multiple security functions integrated into a single device: firewall, VPN, denial of service protection, strong authentication, and traffic management.

On top of these features, NetScreen's performance amazed the engineers. "When we first popped a few NetScreen 5s out of the box, we had a tunnel up and running within an hour," says Chad Knupp, Senior Network Engineer for divine. The original NetScreen 5s were entry-level boxes that supported 1,000 concurrent TCP/IP sessions and ten VPN tunnels. "We decided to try out using one NetScreen 5 for the initial test of isolating our mail infrastructure, which obviously in a session count wasn't appropriate, but we thought what the heck. We pumped almost 6 Mbps of DES (Data Encryption Standard) through it, which is pretty impressive performance for such an inexpensive appliance that fits in the palm of your hand."
Acquisition Management: Scalability and Costs

Several months later, when divine decided to change its business model and focus on the extended enterprise, they acquired some of the assets of MarchFirst. In an instant they went from three central sites in the Chicago area to 19 throughout the U.S. Once again they looked at competing security solutions. Because divine believes in moving aggressively as well as smartly, it took Horvat only one week to decide to go with NetScreen.

MarchFirst's sites were all disparate, with their own circuits and with some equipment leased. Complicating matters was the nature of the acquisition: divine did not inherit any network circuits or commitments, and shortly after the divine deal MarchFirst filed Chapter 7 bankruptcy. MarchFirst had also been a Check Point VAR at one time, so they had lots of Check Point software. Once the acquisition was a go, Horvat's team had only six weeks to integrate the company and build a secure Wide Area Network from scratch.

"It would be a nightmare to manage multiple flavors of firewalls and to have reliable connectivity between those firewalls," says Horvat. "We were moving so aggressively that we didn't have to deal with those kinds of reliability issues. Unlike their competitors, NetScreen had a security solution that was just the right size for each one of the new facilities."

Horvat was impressed, not only by NetScreen's range and depth of products, but also by their overall cost-performance. They looked into the maintenance programs Check Point had for their products and discovered that Check Point charged for every user, every IP address. With Check Point, a growing network would continue to add costs. With NetScreen there were no complex licensing schemes. Charges were not based on the number of IP addresses. Horvat found that most NetScreen products support an unlimited number of users.
"It turned out that the cost for a new NetScreen box was less than simply renewing the maintenance for Check Point," says Horvat. "By moving from MarchFirst's frame relay network to NetScreen VPNs and the Internet, we eliminated about $41,000 each month of cost. That's an impressive savings."

The Real Issues: Flexibility, Stability, and Manageability

NetScreen's broad product line is appealing because it can fit into a variety of application environments, from the core of carrier and enterprise networks all the way down to telecommuters working from home and needing a secure broadband connection. Having a full range of products simplifies everything, according to Horvat. Rather than going to one company for his SOHO products, another for his data center, and another for his office, he has everything on one platform, making things so much easier. And he points out how far the software has come along in a short amount of time. The Web interface has been getting more flexible and the command line has been getting more features. Code issues also get turned around quickly.

"Some of our offices fell victim to the Code Red virus like so many other companies at that time," says Horvat. "The infected internal systems were performing a denial of service within our network just by the nature of their aggressive propagation. NetScreen turned around some code revisions that dealt with the problem much more quickly than I would have expected. The support is really excellent."

Senior engineer Knupp is also a fan of NetScreen for its stability. They first deployed an infrastructure of 25 units with the MarchFirst acquisition, and once the units came up online they stayed up. "They just don't crash," says Knupp. "They are unusually stable, extremely reliable.
Whenever you are pushing out new network products, or anything where buzzwords like 'VPN' or 'firewall' come into play with users, the first thing they are going to blame when there are network problems is that product. The VPN is down, they would say. But after a year working with these units, I have yet to find any issues where I could come back and say the blame is on NetScreen."

Occasionally, Knupp admits, he will have to do a configuration tweak. But the power of NetScreen's debugging tools makes it so that he can always find out what the problem actually is and point people in the right direction to solve their issue. Knupp also likes the fact that when he is setting up an IKE tunnel between NetScreen and a third-party product, he can accept any proposal dynamically. Despite different terminology among firewall vendors, he can get a tunnel up with any setting proposed by the other firewall and then see exactly what they needed to configure to lock it down.

NetScreen's sophisticated network management tools allow organizations to manage NetScreen products using a policy-based management methodology. Rather than having to go out and manage each device on its own, the network engineer can create security zones for different departments within an enterprise, or for different customers within a carrier, and then apply policies to those groups with only a couple of keystrokes.

The network engineering staff at divine is fairly small, with only a handful of engineers. Therefore, manageability is crucial to Horvat and his team. "A pretty interface is not enough," says Horvat. "It's not the look of the software that determines manageability. What matters is what you can do, how quickly you can do it, and when there's an issue, how quickly you can figure things out. NetScreen allows us to tie all our units together around the country so that we can easily change global policies. We don't have to box manage.
We can also sub-divide and compartmentalize our organization and change policies that target specific groups that we can define. Now that's manageability."

The Need to Move Aggressively

In the last 18 months, divine has acquired 30 different companies. Their business is to find diamonds in the rough that are strategic to their business model and integrate them as efficiently and effectively as possible. Horvat's network team is the first in the door of an acquired company because without that connectivity, without integration, none of the other work can be done.

Horvat explains that one of the most critical steps for a successful integration for any company acquiring other companies is to get everybody onto the same financial system, so that management can quickly see the big picture of how those acquisitions are performing individually and how that overall relates to the entire company. Without that visibility, any acquisition can be an instant failure.

Horvat's team arrives with the right size NetScreen product on hand to immediately begin installing their own firewall and connecting to their infrastructure, and depending on the size of the acquisition, moving very aggressively to remove the new company's firewalls. "Their security system and firewall is probably the only piece of equipment that we replace point blank," says Horvat.

Today divine is aggressively expanding internationally, into Europe and the Asia Pacific regions. They now have 27 domestic sites and 30 international sites. So far divine has installed one NetScreen 1000 for the Chicago hub, two NetScreen 204s in Burlington, and NetScreen 10s and 25s for the remaining sites. They are implementing a separate data center hub in Europe, but because of NetScreen's flexibility, whenever they need a dedicated VPN tunnel between any two points, perhaps between Paris and Chicago, they can easily create one.
It Just Makes Sense: For Everybody

NetScreen's high availability architecture has system level redundancies, able to do subsecond failover in divine's large-scale networks. If divine wants VPN security in a wireless LAN environment, NetScreen provides an elegant solution, using IPsec encryption rather than WEP and terminating that traffic on the trusted side of the network on a NetScreen box.

After doing a press release announcing that divine would be implementing NetScreen, Horvat received many calls from investment companies, wanting to know from a customer perspective what he and his team thought of NetScreen. "You know, one of the things you have to factor in when you are partnering on these kinds of things is the viability of the company," says Horvat. "This was probably the one main concern we had eighteen months ago when we were first considering NetScreen. We all know that just because a company has a superior product, that does not guarantee that the company will be around a year from now. But NetScreen was the only company able to provide the technology that we needed. And nobody out there has been saying that they have anything that can outperform NetScreen. Their performance, their depth of product line, and the price point were all exactly right. So we took a calculated risk. Luckily, since their IPO they have proven their stability and that they will be around for a while."

Horvat thinks for a minute, and smiles. "You know, in firewalls and security, nobody ever gets fired for buying Cisco. But I was willing to balance that fact against the fact that NetScreen provided the best technology for our needs, and at the right price. The appliance model is really where it's at in security. NetScreen technology just makes sense to me."

SIDEBAR: A Look at NetScreen

NetScreen Technologies, Inc.
is headquartered in Sunnyvale, CA, and led by Robert Thomas, President and CEO. NetScreen develops and sells scalable network security solutions. Its line of ASIC-based integrated security systems and appliances combine firewall, VPN, traffic management and other security functions within a purpose-built, high-performance platform. The company has offices around the world, including Hong Kong, Beijing, Singapore, Sydney, Seoul, Tokyo, and Hampshire in the U.K.

Last April, NetScreen introduced the NetScreen-5000 Series, the NetScreen-5200 and NetScreen-5400, integrated security systems that offer unprecedented levels of scalability, flexibility and performance to meet the security requirements of enterprises and carriers. The NetScreen-5000 Series, based on NetScreen's new GigaScreen-II ASIC, sets a new security performance standard, with firewall speeds of up to 12 Gigabits per second and virtual private network (VPN) speeds of up to 6 Gbps. The NetScreen-5200 delivers major breakthroughs in small-packet performance, delivering more than 16 times the firewall performance and more than 24 times the VPN performance of competing security solutions. The NetScreen-5400 is designed to perform three times faster than the NetScreen-5200. Last May NetScreen was awarded the Network Magazine Product of the Year Award in the firewall/VPN category.

NetScreen makes a scalable line of solutions that are built from the ground up to address today's pressing security requirements. Unlike legacy security products, NetScreen combines a custom, real-time operating system, purpose-built hardware designs, and ASIC technology to deliver unprecedented price-performance and ease-of-deployment to enterprises and service providers. These custom technologies also provide the security, scalability, flexibility, and centralized management required to meet traditional as well as emerging security threats.