Domain: netscreen.com
Stories and comments across the archive that link to netscreen.com.
Comments · 8
-
I use a Netscreen25 and Netgear ProSafe FVL328
I'm the systems admin (domain admin. donning asbestos suit.) for a small/medium busines in New Orleans. We use one Netscreen25 in our main office downtown. That gives us granular control over individual users' security policies if desired, but I'm in the process of moving them all to a single policy to ease administration. The box can maintain 125 concurent tunnels. It can do quite a bit of other craziness as well, but I haven't worked here long enough to get deep into it. Too much other stuff to do. Not absolutely certain about the cross-platform client, so you can look that up yourself.
;)In addition to the individual user VPNs, the Netscreen maintains persistant tunnels to two remote sites. They're equipped with Netgear ProSafe FVL328 routers. Less capable with low(er) throughput, but the branch end has to deal with a whole lot less traffic. The NS downtown maintains security with its lesser peers, too.
-
Re:Yes but one fact remains
However, firewalls with that kind of capacity aren't terribly expensive. (50k packets/s)
50K connections/second was what they were able to handle (and the more I think about it, it seems like it was definately a firewall that was getting hit). Could they have bought a more expensive firewall? Sure. They probably have, by now. But I wouldn't call someone incompetent for not buying such a firewall off the bat.
But, if the firewall was puking about the syn-flood that would also mean that it would be slow to establish connections to the ftp server?
Probably not. If the firewall is built properly it's not going to let an attack on one server affect others.
I believe most vendors use a common connection table for all inside hosts. (Wouldn't be practical for a seperate connection table for every inside ip)
Most firewalls only implement SYN protection when a host is being hit by more than a certain threshold of SYNs per second. See this, for instance.
NetScreen devices can impose a limit on the number of SYN packets per second permitted to pass through the firewall. When that threshold is reached, the NetScreen device starts proxying incoming SYN packets, sending out SYN/ACK responses for the host and storing the incomplete connections in a connection queue.
So until the FTP server started getting attacked, the firewall would pass the SYNs right through.
It seems to me that SCO did have a firewall, and that firewall's SYN protection was limited to 50,000 connections per second. That would explain why the rest of the subnet remained up. And it also explains why the backscatter kept coming after the server was taken down.
-
Re:What do you mean "hardware firewall?"
Like, give me an example?
How about this? NetScreen makes purpose built ASIC based Firewall/VPN devices, and has been doing so for years... -
Netscreen
Netscreen has a product that will supposedly do what you want. I haven't had a chance to play with one yet, so I can't give you firsthand knowledge of it.
One of the things you'll notice, is that with that much traffic, you are going to get amazing amounts of false alarms. The Netscreen product has some cool features to reduce or eliminate false alarms altogether.
I used a couple of different IDS systems on a 135Mb/sec link, and ISS and Snort could not handle it. 100% CPU all the time. Netscreen is also planning on integrating their IP ASIC into the unit to give it even higher throughput.
-
Inline IDS is the answerWhat you're basically asking for is an IDS product which sits inline of the data-stream and can make policy decisions based up the content of the packets rather then the protocol (which is what a firewall does). Being inline is important because alternative solutions such as sending TCP resets or modifying a firewall/router rulebase aren't always effective as the Slammer/Sapphire worm illustrates (it was both UDP and contained in a single packet).
Some important things to consider when looking at an inline IDS are:
- Accuracy. Since you're dropping traffic, false positives are much more problematic then with a sniffer based IDS.
- Management. You'll end up wanting to tune the IDS policy more then with a traditional IDS. Look for something which scales for your organization and makes it easy to specify: where to look, what to look for, and what to do about it. Remember, the best technology is worthless if you can't effectively manage it.
- Scalablity. Sensors must be able to scale to your traffic needs and the management system needs to be able to scale to the number of sensors you need.
- HA. If it's inline, you're going to need some kind of failover or high-availabilty option, not to mention make upgrades less stressful.
- Updates. Some vendors update their signatures once a week. Others once every few months. Most fall somewhere in between. Be sure to ask before you buy.
- Stability. Not just the sensor stability, but the company behind it. A lot of the inline IDS's available today aren't sold by the well known IDS players but by smallers startups who may or may not have the $$$ to last.
Now for the shameless plug, NetScreen sells a kickass inline IDS which I, as an employee/developer highly suggest you check out:
http://www.netscreen.com/products/idp.html -
Re:5x more secure?
The fact is, security solutions aren't one-size-fits-all, and they're not something you can build a plug-n-play device around.
my netscreen firewall comes out of the box perfectly secure for most peoples needs. it allows everything out and nothing back in that wasn't requested. it's perfect for joe blow, even has a nice neat web interface for mr. blow. security out of the box CAN be designed, it just may take awhile. -
Re:Stop the ride! I want off!
-
All-in-one... For a price
If you are looking for a small-scale NAT/VPN/Firewalling device, I HIGHLY recommend a product from Netscreen Technologies. I have played with the Netscreen 5 and have been VERY pleased. However, don't expect to get all those cool features without a little $$$ up front. I think the Netscreen 5 ran the company 300 bucks or so.