NetScreen 5000 Integrated IPS

Hi all,

I'm looking for "real" info on the functionality and performance of the "Integrated IPS (Deep Inspection)" feature available as an option on the NetScreen 5000 platform.

The data sheet says: "Prevents application level attacks from flooding the network using a combination of stateful signatures and protocol anomaly detection mechanisms. IPS is annually licensed."

To remove any doubt, I'm talking about the NS-DI-5400 and NS-DI-5400-R parts (annual subscription).

I suppose I'm after the cold hard reality of this feature. What impact does it have on forwarding performance? How "rich" is the feature set enabled by this license over and above what the device can do without it? How does it compare to, say, the IDP1100 device?

How are the signatures updated? (HTTP? Is use of a proxy supported? Use of a proxy that requires authentication?)

I'm just trying to figure out if it's worth it. I need to deploy a high throughput firewall solution and, ideally, line rate intrusion prevention (I'm looking at feeding the NS-5400s with 10-gig interfaces and Juniper don't currently have an IDP box that does 10-gig).

cheers,
Dale

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn
Re: NetScreen 5000 Integrated IPS

Hi Dale,

I think you better take an ISG 2000 with 3 security modules (IDP cards).

Using the ISG 2000 Juniper states that you'll have 2Gig throughput. I think the DI feature in the 5400 is just a software feature. I believe it will degrade your firewall performance by 50% or more depending on what you activate.

Greetings
Joris

-----Original Message-----
From: nn-bounces@... [mailto:nn-bounces@...] On Behalf Of Dale Shaw
Sent: Tuesday 11 September 2007 7:26
To: nn@...
Subject: [nn] NetScreen 5000 Integrated IPS

[...]
Re: NetScreen 5000 Integrated IPS

G'day Joris,

I've received conflicting information regarding the ISG 2000 and the ability to stack up IDP cards.

One person from Juniper told me you can add three and get up to 6Gbps throughput. Another person told me you get 2Gbps max irrespective of the number of cards, and that multiple units is the only way to get more throughput.

I was also told that the ISG2000 has a 4Gbps box/ASIC limit.

In the end, given all the conflicting advice and lack of good info available online, I decided the NS5000 was a better firewall platform for me now, and that I'd leave IDS/IPS as an option.

I acknowledge that the DI feature is software-based. I hoped there was some good anecdotal information out there about its impact on performance.

cheers,
Dale

On 9/11/07, Van Deuren, Joris <joris.van_deuren@...> wrote:
> Hi Dale,
>
> I think you better take an ISG 2000 with 3 security modules (IDP cards).
> [...]
Re: NetScreen 5000 Integrated IPS

I was someone in the know, up until about a year ago. Read into that what you will.

For starters, DI on a 5x00 is going to kill your performance. The best you can hope for is about 300Mb/sec thruput on DI inspected traffic. And that would be the total thruput for an entire 5400 because DI is done on the management blade, not on a port module. No Juniper SE should ever have recommended DI on this platform, they used to be told not to.

The straight dope on the ISG2000 w/IDP is this. Each IDP module can handle about 750Mb/sec giving you just over 2Gb/sec on a fully populated unit, which matches the original specs of the ISG2000. The true benefit here is that you have real IDP using all of the techniques available on the stand-alone IDP platform, not the crappy signature based DI.

DI was implemented as a way to offer small customers some Intrusion Prevention; if you need Gigabit firewalling you should either use the ISG w/IDP or the 5x00 with a standalone IDP in serial.

Hope this helps, because it is not anecdotal evidence, it is simply the facts.

/dh

p.s. I have no affiliation with Juniper or their resellers at the time of this writing.

Dale Shaw wrote:
> G'day Joris,
>
> I've received conflicting information regarding the ISG 2000 and the
> ability to stack up IDP cards.
> [...]
Re: NetScreen 5000 Integrated IPS

On 11 Sep 2007 at 20:32, DH wrote:
[...]
> For starters, DI on a 5x00 is going to kill your performance. The
> best you can hope for is about 300Mb/sec thruput on DI inspected
> traffic. And that would be the total thruput for an entire 5400
> because DI is done on the management blade, not on a port module.

Yak! I did not expect that. Nice to know.

For those who haven't used the 5000 series, the management module handles management (big surprise), session setup and tunnel setup as well. This makes it vulnerable to resource depletion attacks to begin with (a common issue, but rather pronounced in the 5000 when compared to its aggregate forwarding capability), so proper application and careful configuration are crucial. (Somehow that statement seemed less obvious before I wrote it. Oh well.)

Peter E. Fry
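The point made in the message above, that session setup on this platform is handled by a single management module and is therefore the first resource to run out under a new-session burst, is one a defender can watch for directly. The script below is an added example and is not from the thread, from Juniper, or in ScreenOS syntax: it runs a sliding-window new-session-rate check over exported session-open events, both per source and in aggregate against an assumed control-plane setup budget, and reports the first crossing of each. The event format, the sample events, the per-source limit and the aggregate budget are all constructed for illustration and are not documented platform figures.

```python
"""Session-setup rate monitor (added example, not from the thread).

On a platform where one management module performs all session setup, the
number of new sessions per second across the whole box is the resource that
depletes first, well before the port modules' forwarding capacity. This
script measures new sessions per sliding window, per source and in
aggregate, and flags the first crossing of each threshold. Timestamps are
integer milliseconds so the window arithmetic is exact.
"""
from collections import defaultdict, deque

# Constructed sample events: (time_ms, source_ip, dest_ip, dest_port).
# One source (10.0.0.99) opens 60 sessions in 600 ms; the others are quiet.
SAMPLE_EVENTS = (
    [(1000000, "10.0.0.5", "192.0.2.10", 80),
     (1000200, "10.0.0.6", "192.0.2.10", 443),
     (1001500, "10.0.0.5", "192.0.2.11", 22)]
    + [(1000000 + i * 10, "10.0.0.99", "192.0.2.20", 80) for i in range(60)]
)


def session_rate_alerts(events, per_source_limit, aggregate_budget, window_ms=1000):
    """Return alerts for new-session-rate violations.

    events: iterable of (time_ms, src, dst, dport); sorted here by time.
    per_source_limit: max new sessions from one source inside one window.
    aggregate_budget: assumed whole-box session-setup budget per window
                      (a placeholder figure, not a documented limit).
    Each alert is (kind, subject, count, time_ms); a source, and the
    aggregate, is reported only on its first crossing.
    """
    per_source = defaultdict(deque)  # src -> timestamps inside the window
    aggregate = deque()              # all timestamps inside the window
    alerts = []
    flagged_sources = set()
    aggregate_flagged = False

    for ts, src, _dst, _dport in sorted(events):
        # Slide the per-source window forward to this event.
        q = per_source[src]
        q.append(ts)
        while ts - q[0] > window_ms:
            q.popleft()
        # Slide the aggregate (whole-box) window forward.
        aggregate.append(ts)
        while ts - aggregate[0] > window_ms:
            aggregate.popleft()

        if len(q) > per_source_limit and src not in flagged_sources:
            alerts.append(("per-source", src, len(q), ts))
            flagged_sources.add(src)
        if len(aggregate) > aggregate_budget and not aggregate_flagged:
            alerts.append(("aggregate", "*", len(aggregate), ts))
            aggregate_flagged = True
    return alerts


if __name__ == "__main__":
    # Thresholds are constructed for the sample, not platform figures.
    for kind, subject, count, ts in session_rate_alerts(SAMPLE_EVENTS, 20, 50):
        print(f"{kind:10s} {subject:12s} {count:4d} new sessions/window at t={ts} ms")
```

Two checks are kept deliberately separate: the per-source limit catches a single noisy host, while the aggregate budget catches the case the message warns about, where many individually modest sources together exhaust the one module doing session setup. In practice the aggregate budget should be taken from measurement of the specific box, since the thread shows how much vendor figures for it varied.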
Re: NetScreen 5000 Integrated IPS

As I remember Netscreen even gave out some written statement, where they recommended NOT to use DI on NS5x00 boxes. But now they have the 2nd-generation management modules (NS-5000-MGT2) and I expected the issue to be solved. :(

I would also bet for
> the 5x00 with a standalone IDP in serial.

Cheers,
Priit

On Wednesday 12 September 2007 03:32, DH wrote:
> I was someone in the know, up until about a year ago. Read into that
> what you will.
> [...]