> Having done firewall evaluations for several multinational banks, NetScreen
> is pretty much the best thing out there in packet filter land. Much better
> than FW-1 and PIX, especially under heavy load. They're not perfect by any
> means, but they have the best virtual firewall support I've seen, which
> makes them great for consolidation projects or compartmentalizing your
> rules to lower operational risk. They're routing support is pretty good as
> well - if you have ethernet demarc'd WAN connections you can avoid paying
> for a separate routing tier in many cases.

I can't agree enough with Carson and Jon. I've worked extensively with most
major brands of all types. Netscreen is by FAR my favorite out of the Big-3
for several reasons:

- easier to install and upgrade
- great to support
- extensive debugging options
- high performance / scaleable
- feature rich and quite flexible
- more intuitive than the competition

I'm a straight shooter though, and a few of the downsides as I see them are:

- QA can suffer at times as new features are brought in, sometimes old
ones can break. My recommendation around this problem is to NEVER run
bleeding edge code unless you absolutely need a feature. Try to run at
least one major rev back, and stay current on release notes.

- Some concepts you just have to 'get used' to as they may not be
industry standard principles. For instance, the entire NAT philosophy
should be revamped, but in its current state it does work. Cisco (as do
others) have their own share of this so I'm not sure I'd use this as a
pro-con comparison between the two.

- keeping track of all the limitations on the various platforms as new
code upgrades, chipsets, and features come along can be daunting for the
more extensive network setups and buildouts. At times you may run into
limitations you are not aware of depending on your configuration so it may
reuqire a bit more knowledge of the system limits than you'd like. They may
have improved this somewhat, but that has been my experience in the past.

- their VPN client leaves a bit to be desired and is not as user
friendly as Cisco's for the average Joe. You're better off intermixing
Netscreen and Cisco with a VPN-3000 for larger dialup VPN configurations.

None of these are insurmountable and compared to the other major brands,
these are minimal problems to deal with by comparison. As Jon mentioned, I
don't think you'll really find a lot of downsides. That said, your best bet
is to take your specific network configuration and make sure that whatever
vendor you are/not interested in can handle your specific requirements.
I've often found through lab testing that I need to go back to said vendor
and ask them for feature X because of certain unique circumstances.

Now, as for specific vulnerabilities here's a bit of history on the
Netscreen story.

- In the beginning Netscreen would very seldom release security
bulletins for specific vulnerabilities. Rather only a few would make the
cut, generally those that had more public visibility or were more egregious.

- Browsing through the release notes for all the versions of code it was
clear that not everything was getting reported on. You could clearly see
important security issues that were fixed from code version to code version,
but unless you looked in the release notes you would not necessarily be made
aware of them.

- Netscreen changed their tactics at some point and started to release a
few more public vulnerability notices so as to match other vendors. They
reported to a few mailing lists as well as put notices on their website.
This didn't seem to last for very long and still it seemed like certain
vulnerabilities were sneaking through in the upgrade release notes

- Netscreen was bought by a company (Juniper) who prefers to release
their advisories to paying support customers only. This means if you don't
have a login to their site you may not be aware of the security issues
associated with said product.

- Netscreen has always been good at addressing security bug fixes
quickly when notified.

For this reason all the 'ugliness' associated with previous versions of code
may not be readily apparent to the outside world. Still, I prefer them
over all the other competition.

Just my .02c.

-- steve

firewall-wizards mailing list