
Comparing and Contrasting Check Point NGX with Juniper ScreenOS Firewalls Yasushi Kono


Presentation Transcript


  1. Comparing and Contrasting Check Point NGX with Juniper ScreenOS Firewalls. Yasushi Kono (ComputerLinks Frankfurt)

  2. Agenda: The Magic Quadrants of the Gartner Group; The fundamental architecture of Juniper ScreenOS; Configuration of Zones, Interfaces, Policies; The features of ScreenOS compared to Check Point; Conclusion

  3. Ability to Execute: Product/Service, Overall Viability, Sales Execution/Pricing, Market Responsiveness, Market Execution, Customer Experience

  4. Completeness of Vision: Market Understanding, Marketing Strategy, Sales Strategy, Business Model, Innovation, Geographic Strategy

  5. Now, let's have a look at the fundamentals of the Juniper ScreenOS architecture:

  6. The Framework Configuration: Virtual Router

  7. The Framework Configuration: Virtual Router > Security Zone

  8. The Framework Configuration: Virtual Router > Security Zone > Interface

  9. The Framework Configuration: Virtual Router > Security Zone > Interface > IP Address

  10. Of course, you will have multiple IP Addresses, Interfaces and Security Zones within a Juniper NetScreen Security Device...

  11. The Framework Configuration: Virtual Router > Security Zones > Interfaces > IP Addresses

  12. The virtual router acts as a parent container which holds the elements of the hierarchical structure. The next layer consists of the so-called Security Zone. The purpose of the Security Zone is to configure Security Policies based on the Security Zone as Source Zone and Destination Zone, respectively. The Security Zone holds the Interface(s). Finally, you can configure the IP address on that interface.

  13. The configuration order is crucial in ScreenOS. First, create one or more Security Zones on top of the existing Virtual Router (namely trust-vr). This can easily be done via the CLI of the Security Device:
      set zone name sales
      set zone name internet

  14. Then, you have to associate Interfaces with these Security Zones:
      set interface eth0 zone sales
      set interface eth1 zone internet

  15. And now, you can bind IP addresses to Interfaces:
      set interface eth0 ip 10.20.30.1/24
      set interface eth1 dhcp client enable
     or
      set interface eth1 ip 195.1.1.1/24

  16. Then, you have to configure your Default Gateway:
      set vrouter trust-vr route 0.0.0.0/0 gateway 195.1.1.254

  17. Now, you are ready to configure a Security Policy...

  18. A Security Policy regulates the traffic between zones:
      set policy from sales to internet any any any permit
     Should you need Dynamic NAT:
      set pol from sales to internet any any any nat src permit

  19. Should you miss granularity:
      set address sales PC_Sales01 10.1.1.20/32
      set policy from sales to internet PC_Sales01 any dns nat src permit log
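As an added example (not part of the presentation), a small Python audit that reads ScreenOS commands top-down, the way the device consumes them, and checks the ordering rule from slide 13 (a zone must exist before an interface is bound to it) together with the granularity point of slides 18 and 19 (any/any/any permits, address-book references, missing log). The config it parses is constructed here from the slides' own commands, with one broad policy and one out-of-order interface added so that the audit has something to report.

```python
import re

# Constructed sample built from the commands on the slides, plus one broad
# policy and one interface bound to a zone that was never created.
SAMPLE_CONFIG = """
set zone name sales
set zone name internet
set interface eth0 zone sales
set interface eth1 zone internet
set interface eth0 ip 10.20.30.1/24
set address sales PC_Sales01 10.1.1.20/32
set policy from sales to internet PC_Sales01 any dns nat src permit log
set policy from sales to internet any any any permit
set interface eth2 zone dmz
"""

POLICY = re.compile(r"^set (?:policy|pol) from (\S+) to (\S+) (\S+) (\S+) (\S+) (.*)$")


def audit(config):
    """Consume the config top-down, as ScreenOS does, and return findings."""
    zones, book, findings = set(), {}, []       # book: zone -> address names
    for n, line in enumerate(config.strip().splitlines(), 1):
        tok = line.split()
        m = POLICY.match(line)
        if tok[:3] == ["set", "zone", "name"]:
            zones.add(tok[3])
        elif tok[:2] == ["set", "interface"] and tok[3:4] == ["zone"]:
            if tok[4] not in zones:             # slide 13: the zone must exist first
                findings.append(f"line {n}: {tok[2]} bound to undefined zone {tok[4]}")
        elif tok[:2] == ["set", "address"]:
            book.setdefault(tok[2], set()).add(tok[3])
        elif m:
            src_zone, dst_zone, src, dst, svc, rest = m.groups()
            actions = rest.split()
            for z in (src_zone, dst_zone):
                if z not in zones:
                    findings.append(f"line {n}: policy uses undefined zone {z}")
            for name, zone in ((src, src_zone), (dst, dst_zone)):
                if name != "any" and name not in book.get(zone, set()):
                    findings.append(f"line {n}: {name} not in address book of {zone}")
            if "permit" in actions and (src, dst, svc) == ("any", "any", "any"):
                findings.append(f"line {n}: any/any/any permit {src_zone} -> {dst_zone}")
            if "permit" in actions and "log" not in actions:
                findings.append(f"line {n}: permit policy without log")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the broad unlogged permit and the interface bound to the never-created zone dmz, while the granular logged policy from slide 19 passes.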

  20. How to manage Security in ScreenOS?

  21. There are three ways of managing a ScreenOS infrastructure: Configuration via CLI; Configuration via WebUI; Configuration via NSM (Network and Security Manager)

  22. Benefits of Configuring via CLI: Easy to understand; You can prepare the commands with an editor and paste them into your production environment; No need for MS Internet Explorer

  23. Benefits of Configuring via WebUI: No need to memorize CLI commands; Intuitive; Some people love to use Internet Explorer

  24. Benefits of Configuring via NSM: Manage multiple Security Devices centrally; No need to memorize CLI commands; Analyze log entries centrally

  25. Possible Drawbacks with CLI: Management of Security on a per-device basis; Analyzing logging per device is not appropriate in Enterprise Environments; You have to memorize lots of commands

  26. Possible Drawbacks with WebUI: Management of Security on a per-device basis; Analyzing logging per device is not appropriate in Enterprise Environments; Some people hate mice!

  27. Possible Drawbacks with NSM: Limitation of a maximum number of Devices when using the NSMXpress Appliance!; Only Red Hat Linux is supported as NSM Host Operating System; You have to have in-depth Linux expertise; You still need a mouse!

  28. Introducing some Features offered by Juniper NetScreen: Policy-based Routing; Source-based Routing; Source-interface-based Routing; Configuring Dynamic Routing Protocols; Disaster Recovery; Virtual Systems (VSYS); NSRP (NetScreen Redundancy Protocol)

  29. Policy-Based Routing: PBR enables you to implement policies that selectively cause packets to take different paths. You use the following building blocks to create a PBR policy: Extended Access List; Match Group; Action Group

  30. Extended Access List: Lists the match criteria you define for PBR policies. Match criteria include: Source IP, Destination IP, Source Port, Destination Port, Protocol, QoS Priority

  31. Match Group: Match Groups provide a way to organize extended access lists. A match group associates an extended ACL ID number with a unique match group name and a match-group ID number.

  32. Action Group: An Action Group specifies the route that you want a packet to take. You specify the action for the route by defining the next interface, the next hop, or both.

  33. PBR Policy: After configuring the Extended Access List, the Match Group, and the Action Group, you have to configure the PBR Policy, which is done within the virtual router context.

  34. Source-Based Routing: With Source-Based Routing, you are able to specify the route to a destination based on the Source IP of the client.

  35. Source Interface-Based Routing: With Source Interface-Based Routing, you are able to specify the route to a destination based on the Ingress Interface of the Security Device used by a client.

  36. Dynamic Routing: On a Juniper NetScreen Security Device, you can use Dynamic Routing Protocols without the necessity of configuring VPN or VTIs. It is much easier to configure OSPF as the routing protocol (a matter of minutes).

  37. Sample OSPF Configuration:
      Juniper-> set vrouter trust-vr
      Juniper(trust-vr)-> set router-id 172.23.103.11
      Juniper(trust-vr)-> set protocol ospf
      Juniper(trust-vr/ospf)-> set enable
      Juniper(trust-vr/ospf)-> set area 10.0.0.0
      Juniper(trust-vr/ospf)-> exit
      Juniper(trust-vr)-> exit
      Juniper-> set interface eth0 protocol ospf area 0.0.0.0
      Juniper-> set interface eth0 protocol ospf enable
      Juniper-> set interface bgroup0 protocol ospf area 10.0.0.0
      Juniper-> set interface bgroup0 protocol ospf enable

  38. Disaster Recovery: On some of the Juniper Security Devices, you can save the running configuration to a USB stick.
      save config from flash to usb juniperconfig.txt
     Should you run into trouble, just plug in the USB stick and copy the configuration back to the device.
      save config from usb to flash juniperconfig.txt
     On other devices (without USB support) use a TFTP server instead.
      save config from flash to tftp 10.20.30.1 juniperconfig.txt
     Via the CLI, you can also copy and paste a saved configuration from your editor into the Terminal window.

  39. So, Disaster Recovery is a matter of seconds rather than minutes.

  40. Virtual Systems (VSYS): The high-end security devices in the ScreenOS family provide the ability to create Virtual Systems. A Virtual System is a logical instance of a security device with its own routing table, administrators, zones, policies, and VPN.

  41. How to configure a VSYS?
      root-> set vsys sales
      root(sales)-> set admin name salesadmin
      root(sales)-> set admin password juniper1
      root(sales)-> set zone name sales
      root(sales)-> set int eth2.11 tag 11 zone sales
      root(sales)-> set vrouter trust-vr route 10.51.1.0/24 vr sales-vr
      root(sales)-> set address sales webserver 10.51.1.22/32
      root(sales)-> set pol from untrust to sales any webserver http permit log
      root(sales)-> set pol from sales to untrust any any any nat src permit log
      root(sales)-> save config
      root(sales)-> exit

  42. Basically, to configure a VSYS you will use the commands used for configuring non-VSYS systems! It is that easy! No need to configure virtual switches or virtual routers. „What in the hell are Warp Interfaces???“

  43. NSRP (NetScreen Redundancy Protocol): Juniper's HA Solution for Gateway High Availability. Quite similar in functionality to Nokia VRRP. Difference: No unique IP addresses to be configured on cluster interfaces. No IP addresses assigned to the Sync Interface. Only two nodes supported per Cluster!

  44. NSRP Configuration Example:
     1. Setting up the HA Link:
      set interface eth2 zone ha
     2. Configuring Cluster Settings:
      set nsrp cluster id 0
      set nsrp cluster name ISG_HA
      set nsrp arp 4
     3. Setting Interfaces for Monitoring:
      set nsrp monitor interface eth0
      set nsrp monitor interface bgroup0
     4. Adjusting VSD Settings:
      set nsrp vsd id 0 priority 80
      set nsrp vsd id 0 preempt
      set nsrp vsd id 0 preempt hold-down 5
     5. Enabling RTO Synchronization:
      set nsrp rto-mirror sync

  45. Conclusion: Some features (Policy-based Routing, Source-based Routing, Interface-based Routing, ...) are offered by Juniper without counterpart at Check Point. It is easy to get started with Juniper and you can immediately configure interfaces, security zones, routing, address book entries and security policies. It is easy to configure VSYS since you are not forced to learn new commands.

  46. Some Features of Check Point on the other hand: You can use IKE Main Mode with VPN Clients with Dynamic IP Addresses. The Check Point SecureClient is the better solution compared to Juniper's NetScreen Remote Client (more features, more security, more usability)! SMART is smart! With SmartView Tracker, you can see the log information of the whole Enterprise at a glance! With SmartView Monitor, you can see all status information of all firewalls within your infrastructure at a glance! With SmartUpdate, you can manage licenses centrally!

  47. Some Features of Check Point on the other hand (cont.): Before Check Point compiles the Rule Base, it does a syntax check! ClusterXL, Nokia IP Clustering or Nokia VRRP support more than two cluster nodes!

  48. So, who is the winner of the Enterprise Firewall Functionality Contest?

  49. No Winner!
