Citing an increase in attacks that take advantage of holes in existing firewall technology, NetScreen Technologies Inc. said on Monday that it will release new 'deep packet inspection' features across its line of network firewall products. The new features build on technology NetScreen acquired in 2002 when it purchased OneSecure Inc., and will enable the Sunnyvale, California, company's products to defend customers against a wide range of attacks that hide in traffic that usually passes through firewalls, destined for Web and e-mail servers, among others. The addition of deep inspection features is the biggest change in firewall technology since the introduction of the stateful inspection firewall architecture in the 1990s, according to David Flynn, vice president of marketing at NetScreen.
The term 'deep inspection' describes a variety of features that enable security devices to scour individual data packets or streams of packets to spot malicious code or other anomalies that might be part of an attack. Stateful inspection features enabled firewalls to move beyond just filtering traffic based on the information contained in data packet headers to monitor active firewall connections. Deep packet inspection allows firewalls to dig even deeper into traffic flows, reassembling packet streams to spot hidden attacks on targets like Web, e-mail and DNS (Domain Name System) servers, Flynn said. Deep inspection features will be included with a new version of the NetScreen operating system, ScreenOS Version 5.0.
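The distinction the article draws between stateful header inspection and stream-reassembling deep inspection can be made concrete with a small script. This is an added example written for this page; it is not code from the article, from NetScreen or from ScreenOS. The segments, addresses and the single content rule are constructed for illustration, and the rule name is hypothetical.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment, reduced to the fields this illustration needs."""
    src: str
    dst: str
    dport: int
    seq: int
    payload: bytes


# Constructed sample flow (not captured traffic): one HTTP request to a web
# server, split across three segments, delivered out of order, with the first
# segment retransmitted. The traversal request line spans two segments.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "192.0.2.80", 80, 1000, b"GET /.."),
    Segment("10.0.0.5", "192.0.2.80", 80, 1035, b"Host: www.example.test\r\n\r\n"),
    Segment("10.0.0.5", "192.0.2.80", 80, 1000, b"GET /.."),  # retransmission
    Segment("10.0.0.5", "192.0.2.80", 80, 1007, b"/../../etc/passwd HTTP/1.1\r\n"),
]

# Hypothetical content rule: a directory-traversal sequence in a request line.
STREAM_RULES = {
    "path-traversal-in-request": re.compile(rb"GET /(?:\.\./)+"),
}


def header_filter_allows(seg: Segment, allowed_ports=frozenset({80, 443})) -> bool:
    """Stateful/header filtering decides on addresses, ports and connection
    state only; it never looks at what the payload says."""
    return seg.dport in allowed_ports


def per_packet_matches(segments, rules) -> set:
    """Content matching one packet at a time: a pattern that straddles a
    segment boundary is never seen whole, so this misses the request."""
    hits = set()
    for seg in segments:
        for name, rule in rules.items():
            if rule.search(seg.payload):
                hits.add(name)
    return hits


def reassemble(segments) -> dict:
    """Group segments per flow, order them by sequence number, discard bytes
    already seen (retransmissions) and stop at the first gap.
    Returns {(src, dst, dport): stream_bytes}."""
    flows = {}
    for seg in segments:
        flows.setdefault((seg.src, seg.dst, seg.dport), []).append(seg)
    streams = {}
    for flow, segs in flows.items():
        buf = bytearray()
        expected = min(s.seq for s in segs)
        for seg in sorted(segs, key=lambda s: s.seq):
            if seg.seq > expected:
                break  # missing bytes: the stream cannot be continued safely
            fresh = seg.payload[expected - seg.seq:]  # skip already-seen bytes
            buf += fresh
            expected += len(fresh)
        streams[flow] = bytes(buf)
    return streams


def stream_matches(segments, rules) -> set:
    """Deep inspection: apply the same rules to the reassembled stream."""
    hits = set()
    for stream in reassemble(segments).values():
        for name, rule in rules.items():
            if rule.search(stream):
                hits.add(name)
    return hits


if __name__ == "__main__":
    print("header filter allows every segment:",
          all(header_filter_allows(s) for s in SAMPLE_SEGMENTS))
    print("per-packet rule hits:", per_packet_matches(SAMPLE_SEGMENTS, STREAM_RULES))
    print("reassembled-stream rule hits:", stream_matches(SAMPLE_SEGMENTS, STREAM_RULES))
```

The header filter passes every segment because port 80 is allowed, and per-packet matching finds nothing because the pattern is split across two segments; only the reassembled stream triggers the rule. The reassembly step is also where the throughput cost the article mentions comes from: the device must buffer and order a flow's segments before it can inspect them.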
NetScreen firewalls use a “security zone-based” model in which the network is separated into areas, or zones, that are distinct and separate from one another (see Chapter 4 —this is an important and unique feature of NetScreen appliances).
That will be available on the NetScreen-5GT, -5XT, -25, -204 and -208 devices in November and for the higher-end NetScreen-500, -5200 and -5400 devices in December, NetScreen said. Existing customers will receive the new features as a software upgrade, according to NetScreen. The new deep inspection features finally make good on NetScreen's promises to integrate OneSecure's intrusion detection and prevention (IDP) features into its ASIC (Application Specific Integrated Circuit)-based hardware, according to Richard Stiennon, vice president of research at Gartner Inc.
The updated firewalls could spell trouble for niche application firewall makers with products that are not suited for more traditional deployments on the network perimeter, and put NetScreen in a position to compete with Check Point Software Technologies Ltd. and Cisco Systems Inc., he said. Both those companies have made moves to offer similar features in their own products. In May, for example, Check Point introduced a version of its SmartDefense product with 'application intelligence' features that enable it to actively protect applications behind the firewall such as Web servers, e-mail servers and DNS servers. Also in May, Cisco unveiled its Cisco Security Agent (CSA), making use of behavior-based detection technology it purchased with Okena Inc. The CSA resides on servers and desktop machines and analyzes user behavior, thwarting actions that violate established company policy. While deep packet inspection features are attractive to companies that are worried about infection from the next virulent Internet worm, the intense processing required to do deep inspection still means a decrease in data throughput compared with devices that are not doing deep packet inspection, Flynn said.
The new NetScreen Deep Inspection firewalls cannot do deep packet inspection at 'line speed,' and are not capable of the gigabit or multigigabit throughput that is required for deployment in corporate data centers, he said. When it comes to a choice of performance over security, companies choose performance, Stiennon said. That means that larger companies may wait until vendors like NetScreen redesign their ASIC chips to handle deep packet inspection and can offer better performance before deploying them widely, he said. In related news, NetScreen said Monday that it will release a new version of its NetScreen-Global PRO network security management product called NetScreen-Security Manager. The updated management tool will include improved user management features with more user roles and role-based delegation of management tasks. It also has a new graphical user interface that displays information about device and network configuration as well as security policies, NetScreen said.
NetScreen Deep Inspection Firewall is available as a free software update to customers with active NetScreen support contracts. Those annual contracts usually cost between five and 20 percent of the purchase cost of the NetScreen device they cover, NetScreen said. The NetScreen Security Manager is available as a free software update for NetScreen-Global PRO customers. For new customers, pricing starts at $5,995 for the first 10 devices managed, the company said.
Tunnel Interfaces

This section describes the NetScreen Tunnel Interface model type (nsTunnelIf) and its functionality, and CA Spectrum support for monitoring NetScreen Firewall tunnel interfaces.

Model Tunnel Interfaces

Various attributes control whether the site-to-site tunnel interfaces are modeled on your NetScreen device. You can model other types of tunnel interfaces by using the following procedure.

By default, CA Spectrum does not model Dialup Tunnels or tunnels whose monitor state is set to OFF. To enable the modeling of these types of tunnels, use the Model Type Editor.

Follow these steps:

1. Shut down the SpectroSERVER and start the Model Type Editor.
2. To enable modeling of Dialup Tunnels, use the Search text box on the Attributes tab to find the TunnelFilterTypes attribute (0x12a17) of the NSFirewallVPN model type.
3. Remove the value 1 from the list of values for this attribute.
4. To enable modeling of tunnels whose monitor state is OFF, use the Search text box on the Attributes tab to find the TunnelFilterStates attribute (0x12a19) of the NSFirewallVPN model type.
5. Remove the value 0 from the list of values for this attribute.
6. Save your changes in the Model Type Editor, and restart the SpectroSERVER.
7. Reconfigure the NetScreen models using the Manually Poll Device option that is available for each device model.

The tunnel interfaces are modeled.

Tunnel Interface "Stacking"

Tunnel interface models are created as subinterfaces of the physical interface whose IP address matches the local address of the tunnel.
This behavior is indicated in the VPN-MON.mib. Because NetScreen devices do not support the ifStackTable, this mechanism for determining the lower-layer interface is necessary and effective.

Automatic Connectivity Mapping

A tunnel interface model activates for the first time during initial device modeling or during an interface reconfiguration. CA Spectrum then searches for a tunnel interface model that represents the other end point of the tunnel. If such a model is found, the connection between these two interfaces is modeled. CA Spectrum uses the local address and remote address that are indicated in the VPN-MON.mib to find the other end point of the tunnel.
Interface Model Identification

You can identify a tunnel interface model by its local address and remote address, as indicated in the VPN-MON.mib. This identification method lets CA Spectrum preserve the interface model if the ifIndex of the interface changes.

Status Monitoring of Tunnel Interfaces

On the NetScreen device, the ifOperStatus of a tunnel interface entry is always 'UP' until it disappears from the ifTable. If a tunnel model becomes 'stale', and no link down trap is processed for the tunnel, CA Spectrum generates a red alarm on the model. This alarm is suppressed in the following cases:

- The physical interface is down (the same case in which a link down trap alarm is suppressed).
- The 'Suppress Linked Port Alarms' setting of the Live Pipes model is set to True, and either of the following conditions is met:
  - The connected device is unreachable by the SpectroSERVER.
  - The 'linked' tunnel interface model has a (red) alarm.

This status monitoring functionality is only available when Live Links are enabled for the port that is associated with the tunnel interface. For information about enabling Live Links, see the section.

The model tunnel interfaces steps above need to be made more clear in two areas.
The first is with the model type: it should be stated to search and select the model type NSFirewallVPN, then in the attribute view search and select the TunnelFilterStatus attribute 0x00012a19. The instructions say to remove the current default value from the list; however, this can't be done because the MTE gives an error that there has to be a value vs. a blank table entry. Replacing the default value with something else, i.e. 0 to 1, works. Customers should also select the preserve flag so that they do not lose this change when upgrading Spectrum. Step 6 says to save the changes; it should state to commit the changes via the File - Commit changes to DB menu selection. It should also be noted that this MTE change will be needed on all SpectroSERVER catalogs, or a catalog save can be done and loaded on all SpectroSERVERs.
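The stacking, connectivity-mapping and status-monitoring rules described in the documentation above (tunnel stacked under the physical interface whose IP equals the tunnel's local address; peer found by mirror-image local/remote addresses; red alarm on a stale tunnel unless a suppression case applies) are small enough to state as code. The following is an added example written for this page, not CA Spectrum's implementation and not taken from the comment above. The inventory is constructed, the attribute value encodings (1 = dialup in TunnelFilterTypes, 0 = monitor OFF in TunnelFilterStates) follow the procedure text, and the site-to-site type code 2 is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PhysIf:
    """A physical interface as seen in the ifTable."""
    name: str
    ip: str
    oper_up: bool = True


@dataclass(frozen=True)
class Tunnel:
    """A tunnel entry as reported by VPN-MON.mib (fields reduced for this example)."""
    device: str
    if_index: int
    local: str
    remote: str
    monitor_on: bool = True
    dialup: bool = False


# Constructed inventory (not real VPN-MON.mib output): two firewalls with one
# site-to-site tunnel between them, plus a second tunnel whose monitor is OFF.
INVENTORY = {
    "fw-hq": {
        "phys": [PhysIf("ethernet3", "203.0.113.10"), PhysIf("ethernet1", "192.0.2.1")],
        "tunnels": [
            Tunnel("fw-hq", 10, "203.0.113.10", "198.51.100.20"),
            Tunnel("fw-hq", 11, "203.0.113.10", "198.51.100.30", monitor_on=False),
        ],
    },
    "fw-branch": {
        "phys": [PhysIf("ethernet3", "198.51.100.20")],
        "tunnels": [Tunnel("fw-branch", 20, "198.51.100.20", "203.0.113.10")],
    },
}

# Documented defaults from the procedure: TunnelFilterTypes holds 1 (dialup
# tunnels not modeled) and TunnelFilterStates holds 0 (monitor OFF not modeled).
DEFAULT_FILTER_TYPES = frozenset({1})
DEFAULT_FILTER_STATES = frozenset({0})


def should_model(t: Tunnel, filter_types=DEFAULT_FILTER_TYPES,
                 filter_states=DEFAULT_FILTER_STATES) -> bool:
    """A tunnel is skipped when its type or monitor state is in a filter list."""
    tunnel_type = 1 if t.dialup else 2        # assumed: 1 = dialup, 2 = site-to-site
    monitor_state = 1 if t.monitor_on else 0  # per the procedure: 0 = OFF
    return tunnel_type not in filter_types and monitor_state not in filter_states


def model_key(t: Tunnel) -> tuple:
    """Identify the model by (local, remote) rather than ifIndex, so a
    renumbered ifTable does not orphan the model."""
    return (t.local, t.remote)


def stack_under(t: Tunnel, phys: list) -> Optional[PhysIf]:
    """Stacking: the lower layer is the physical interface whose IP address
    equals the tunnel's local address (NetScreen exposes no ifStackTable)."""
    return next((p for p in phys if p.ip == t.local), None)


def find_peer(t: Tunnel, inventory: dict) -> Optional[Tunnel]:
    """Connectivity mapping: the far end is the tunnel whose (local, remote)
    is the mirror image of ours."""
    for dev in inventory.values():
        for other in dev["tunnels"]:
            if model_key(other) == (t.remote, t.local):
                return other
    return None


def stale_tunnel_alarm(stale: bool, linkdown_trap_seen: bool, phys_up: bool,
                       suppress_linked_port_alarms: bool,
                       peer_reachable: bool, peer_has_alarm: bool) -> bool:
    """Red alarm on a stale tunnel model with no link-down trap, unless one of
    the documented suppression cases applies."""
    if not stale or linkdown_trap_seen:
        return False
    if not phys_up:                       # physical interface down
        return False
    if suppress_linked_port_alarms and (not peer_reachable or peer_has_alarm):
        return False                      # Live Pipes suppression cases
    return True


if __name__ == "__main__":
    hq = INVENTORY["fw-hq"]
    for t in hq["tunnels"]:
        lower = stack_under(t, hq["phys"])
        peer = find_peer(t, INVENTORY)
        print(f"tunnel ifIndex {t.if_index} key={model_key(t)} modeled={should_model(t)} "
              f"under={lower.name if lower else None} "
              f"peer={peer.device + '/' + str(peer.if_index) if peer else None}")
```

With the defaults, tunnel 11 is not modeled because its monitor state is OFF; passing an emptied TunnelFilterStates list (the effect of the procedure's step 5) models it. Tunnel 10 stacks under ethernet3 and is paired with fw-branch's tunnel 20, whose local/remote addresses mirror its own.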