divine article v.3.0

Integrated Firewall/VPN Security
It Just Makes Sense
by Mark Alexander
Redwood City, CA
What do you do when a recent acquisition hands you new network sites that need to be
securely integrated into your own corporate network? When divine, inc., a Chicago-based
company dedicated to extending enterprise solutions, acquired the assets of MarchFirst,
including 22 new networks, they found only one solution that made sense—NetScreen
Technologies' integrated firewall/VPN products.
NetScreen provided not only a unique range of security solutions that divine could match to
any challenge great or small, but also products whose stability and manageability were
unmatched in the industry. In the 20 months that divine has relied on NetScreen, not one network
problem was caused by a NetScreen product.
Unlike Check Point™ Software Technologies' software-based security, which inserts a
performance bottleneck into corporate networks, and Cisco® Systems' RISC-based solutions that
reside on general purpose PCs, NetScreen has pioneered a third generation—their own custom
silicon, an ASIC architecture that accelerates security performance, combined with a private
operating system optimized for firewall/VPN security.
"I like appliances that are targeted for specific purposes," says Chuck Horvat, Director of
Network Services for divine and a founding member. "With security solutions, I believe in
having a custom OS, and hardware with no moving parts. Why have a hard drive for a firewall
when you don't need it? Why have unnecessary points of physical failure? NetScreen's
appliance-based approach makes sense to me."
Mark Alexander – SourceText.Com
Amazing Security Integration and Performance
In January 2001 divine bought their first NetScreen system level product—the NetScreen
1000, which provides 2 Gbps throughput and up to 25,000 VPN tunnels. With that one box, they
managed to segregate all the companies they had under one roof. They found the product easy to
deploy with a very intuitive GUI, but application-based security integration proved to be the key
differentiator for divine. "We love technology and the field of security," says Horvat. "So we like
to keep up to date. We could tell from the hardware and software design that some of
NetScreen's senior people really knew what was going on in security. For years I had been
begging for features and integration that only NetScreen offered. Five years ago I would have
died for an appliance-based box under $500 like those offered by NetScreen."
Under their original business model, divine needed to isolate more than two dozen
companies under one roof. But they had no desire to go out and buy firewalls for each of those
companies. Their engineers looked into Check Point and Cisco security solutions, but quickly
settled on NetScreen. Why? Only the NetScreen 1000 platform offered VLAN trunking with
multiple security functions integrated into a single device: firewall, VPN, denial of
service protection, strong authentication, and traffic management. On top of these features,
NetScreen's performance amazed the engineers.
"When we first popped a few NetScreen 5s out of the box, we had a tunnel up and running
within an hour," says Chad Knupp, Senior Network Engineer for divine.
The original NetScreen 5s were entry-level boxes that supported 1,000 concurrent TCP/IP
sessions and ten VPN tunnels. "We decided to try out using one NetScreen 5 for the initial test of
isolating our mail infrastructure, which obviously in a session count wasn't appropriate, but we
thought what the heck. We pumped almost 6 Mbps of DES (Data Encryption Standard) through
it, which is pretty impressive performance for such an inexpensive appliance that fits in the palm
of your hand."
Acquisition Management—Scalability and Costs
Several months later when divine decided to change its business model and focus on the
extended enterprise, they acquired some of the assets of MarchFirst. In an instant they went from
three central sites in the Chicago area to 19 throughout the U.S. Once again they looked at
competing security solutions. Because divine believes in moving aggressively as well as smartly,
it took Horvat only one week to decide to go with NetScreen.
MarchFirst's sites were all disparate, with their own circuits and with some equipment
leased. Complicating matters was the nature of the acquisition: divine did not inherit any
network circuits or commitments, and shortly after the divine deal MarchFirst filed Chapter 7
bankruptcy. MarchFirst had also been a Check Point VAR at one time, so they had lots of Check
Point software. Once the acquisition was a go, Horvat's team had only six weeks to integrate the
company and build a secure Wide Area Network from scratch.
"It would be a nightmare to manage multiple flavors of firewalls and to have reliable
connectivity between those firewalls," says Horvat. "We were moving so aggressively that we
didn't have to deal with those kinds of reliability issues. Unlike their competitors, NetScreen had
a security solution that was just the right size for each one of the new facilities."
Horvat was impressed not only by NetScreen's range and depth of products, but also by their
overall cost-performance. They looked into the maintenance programs Check Point had for their
products and discovered that Check Point charged for every user, every IP address. With Check
Point, a growing network would continue to add costs. With NetScreen there were no complex
licensing schemes. Charges were not based on the number of IP addresses. Horvat found that
most NetScreen products support an unlimited number of users. "It turned out that the cost for a
new NetScreen box was less than simply renewing the maintenance for Check Point," says
Horvat. "By moving from MarchFirst's frame relay network to NetScreen VPNs and the Internet,
we eliminated about $41,000 each month of cost. That's an impressive savings."
The Real Issues—Flexibility, Stability, and Manageability
NetScreen's broad product line is appealing because it can fit into a variety of application
environments, such as the core of carrier and enterprise networks, all the way down to
telecommuters working from home and needing a secure broadband connection. Having a full
range of products simplifies everything, according to Horvat. Rather than going to one company
for his SOHO products, and another for his data center, and another for his office, he has
everything on one platform, making things so much easier. And he points out how far the
software has come along in a short amount of time. The Web interface has been getting more
flexible and the command line has been gaining features. Code issues also get turned around quickly.
"Some of our offices fell victim to the Code Red virus like so many other companies at that
time," says Horvat. "The infected internal systems were performing a denial of service within our
network just by the nature of their aggressive propagation. NetScreen turned around some code
revisions that dealt with the problem much more quickly than I would have expected. The
support is really excellent."
Senior engineer Knupp is also a fan of NetScreen for its stability. They first deployed an
infrastructure of 25 units with the MarchFirst acquisition and once the units came up online they
stayed up. "They just don't crash," says Knupp. "They are unusually stable, extremely reliable.
Whenever you are pushing out new network products, or anything where buzzwords like 'VPN'
or 'firewall' come into play with users, the first thing they are going to blame when there are
network problems is that product. The VPN is down, they would say. But after a year working
with these units, I have yet to find any issues where I could come back and say the blame is on
NetScreen."
Occasionally, Knupp admits, he will have to do a configuration tweak. But the power of
NetScreen's debugging tools makes it so that he can always find out what the problem actually is
and point people in the right direction to solve their issue. Knupp also likes the fact that when he
is doing an IKE tunnel between NetScreen and a third-party product, he can accept any
proposal dynamically. Despite different terminology among firewall vendors, he can get a tunnel
up with any setting proposed by the other firewall and then see exactly what they needed to
configure to lock it down.
NetScreen's sophisticated network management tools allow organizations to manage
NetScreen products using a policy-based management methodology. Rather than having to go
out and manage each device on its own, the network engineer can create security zones for
different departments within an enterprise, or for different customers within a carrier, and then
apply policies to those groups with only a couple of keystrokes.
The network engineering staff at divine is fairly small, with only a handful of engineers.
Therefore, manageability is crucial to Horvat and his team. "A pretty interface is not enough,"
says Horvat. "It's not the look of the software that determines manageability. What matters is
what you can do, how quickly you can do it, and when there's an issue, how quickly you can
figure things out. NetScreen allows us to tie all our units together around the country so that we
can easily change global policies. We don't have to box manage. We can also sub-divide and
compartmentalize our organization and change policies that target specific groups that we can
define. Now that's manageability."
The Need to Move Aggressively
In the last 18 months, divine has acquired 30 different companies. Their business is to find
diamonds in the rough that are strategic to their business model and integrate them as efficiently
and effectively as possible. Horvat's network team is the first in the door of an acquired company
because without that connectivity, without integration, none of the other work can be done.
Horvat explains that one of the most critical steps for a successful integration for any
company acquiring other companies is to get everybody onto the same financial system, so that
management can quickly see the big picture of how those acquisitions are performing
individually and how that overall relates to the entire company. Without that visibility, any
acquisition can be an instant failure. Horvat's team arrives with the right size NetScreen product
on hand to immediately begin installing their own firewall and connecting to their infrastructure,
and depending on the size of the acquisition, moving very aggressively to remove the new
company's firewalls. "Their security system and firewall is probably the only piece of equipment
that we replace point blank," says Horvat.
Today divine is aggressively expanding internationally, into Europe and the Asia Pacific
regions. They now have 27 domestic sites and 30 international sites. So far divine has installed
one NetScreen 1000 for the Chicago hub, two NetScreen 204s in Burlington, and NetScreen 10s
and 25s for the remaining sites. They are implementing a separate data center hub in Europe, but
because of NetScreen's flexibility, whenever they need a dedicated VPN tunnel between any two
points, perhaps between Paris and Chicago, they can easily create one.
It Just Makes Sense—For Everybody
NetScreen's high availability architecture has system level redundancies, able to do subsecond
failover in divine's large-scale networks. If divine wants VPN security in a wireless LAN
environment, NetScreen provides an elegant solution, using IPsec encryption rather than WEP
and terminating that traffic on the trusted side of the network on a NetScreen box.
After doing a press release announcing that divine would be implementing NetScreen,
Horvat received many calls from investment companies, wanting to know from a customer
perspective what he and his team thought of NetScreen.
"You know, one of the things you have to factor in when you are partnering on these kinds
of things is the viability of the company," says Horvat. "This was probably the one main concern
we had eighteen months ago when we were first considering NetScreen. We all know that just
because a company has a superior product, that does not guarantee that the company will be
around a year from now. But NetScreen was the only company able to provide the technology
that we needed. And nobody out there has been saying that they have anything that can
outperform NetScreen. Their performance, their depth of product line, and the price point were
all exactly right. So we took a calculated risk. Luckily, since their IPO they have proven their
stability and that they will be around for a while."
Horvat thinks for a minute, and smiles. "You know, in firewalls and security, nobody ever
gets fired for buying Cisco. But I was willing to balance that fact against the fact that NetScreen
provided the best technology for our needs—and at the right price. The appliance model is really
where it's at in security. NetScreen technology just makes sense to me."
SIDEBAR
A Look at NetScreen
NetScreen Technologies, Inc. is headquartered in Sunnyvale, CA, and led by Robert
Thomas, President and CEO. NetScreen develops and sells scalable network security solutions.
Its line of ASIC-based integrated security systems and appliances combine firewall, VPN, traffic
management and other security functions within a purpose-built, high-performance platform.
The company has offices around the world, including Hong Kong, Beijing, Singapore,
Sydney, Seoul, Tokyo, and Hampshire in the U.K.
Last April, NetScreen introduced the NetScreen-5000 Series, the NetScreen-5200 and
NetScreen-5400—integrated security systems that offer unprecedented levels of scalability,
flexibility and performance to meet the security requirements of enterprises and carriers. The
NetScreen-5000 Series, based on NetScreen’s new GigaScreen-II ASIC, sets a new security
performance standard, with firewall speeds of up to 12 Gigabits per second and virtual private
network (VPN) speeds of up to 6 Gbps. The NetScreen-5200 delivers major breakthroughs in
small-packet performance, delivering more than 16 times the firewall performance and more
than 24 times the VPN performance of competing security solutions. The NetScreen-5400 is
designed to perform three times faster than the NetScreen-5200.
Last May NetScreen was awarded the Network Magazine Product of the Year Award in the
firewall/VPN category.
NetScreen makes a scalable line of solutions that are built from the ground up to address
today's pressing security requirements. Unlike legacy security products, NetScreen combines a
custom, real-time operating system, purpose-built hardware designs, and ASIC technology to
deliver unprecedented price-performance and ease-of-deployment to enterprises and service
providers. These custom technologies also provide the security, scalability, flexibility, and
centralized management required to meet traditional as well as emerging security threats.