Draft Enterprise Pitch

NetScreen

Agenda
• NetScreen Background & Market Trends
• NetScreen Security Basics
• Applications for the Enterprise
• Security Management for the Enterprise
• Purpose built vs. general purpose solutions
• Appendix: Service & Support
NetScreen Confidential

About NetScreen
• Founded October 1997
• Leading maker of ASIC-based integrated security solutions
– Firewall, VPN and traffic management
• Fast growing revenue
– $40 million in calendar 2000
– $8 million in calendar 1999
• Primary markets: Internet data centers, service providers and enterprises
• Employees: > 270
• Pre-IPO: $53 million VC investment
– Sequoia, Spectrum, Juniper, Ericsson, WorldCom
• Based in Sunnyvale, Calif. USA
– Other offices in Boston, UK, Hong Kong, Beijing

NetScreen’s Security Solutions
• NetScreen Security Systems: NetScreen-500, NetScreen-1000
• NetScreen Security Appliances: NetScreen-100, NetScreen-10, NetScreen-5
• NetScreen Security Mgmt & Client: NetScreen-Remote, Global PRO / Global Manager
• Integrated security systems and appliances
– ICSA certified IPSec VPN and stateful inspection firewall, DoS blocking, authentication, PKI and NAT acceleration
– 1Gbps, 700Mbps, (250Mbps), 100Mbps & 10-Mbps hardware firewall and 3DES IPSec VPN devices
– ScreenOS security software – custom OS
• High availability
– Solid state, redundant hardware, HA topologies
– Protect against DoS attacks (8 to 10 times faster than software solutions)
• Powerful management
– WebUI, CLI for easy installation and management
– Carrier-class central management

Security Market Growth
• Firewall and VPN markets in rapid-growth stage
– Hardware predominant platform for firewalls and VPNs
• Key drivers
– Need to protect Internet links and encrypt data
– Enterprises looking to outsource or out-task some element of security
[Chart: Worldwide Market Growth (Infonetics Research 2000). Vertical axis: billions of dollars, $0 to $6. Horizontal axis: 2000 to 2004. Series: Firewall, Dedicated VPN hardware.]

Enterprise Security Trends
• Security breaches have a huge economic impact on business
• Branch and telecommuter networks tying into corporate via VPNs
• Bandwidth requirements in the corporate LAN and WAN environments
• The need for a holistic approach to security
• Lack of skilled IT workers

NetScreen’s Enterprise Security Solutions
• Full suite of products for complete deployment in the enterprise network
– NetScreen-5 & -10 for remote offices and telecommuters
– NetScreen-100 & -500 for corporate headquarters
• Centralized management of all NetScreen appliances and systems
– Control security for multi-site device deployments from one location
• Security solutions that don’t impede network performance
– Firewall & VPN at wire speed
• Integrated solution – firewall, VPN and traffic management
– to address security and bandwidth requirements
– No need to manage multiple vendors
• Multi-customer/department architecture
– 25 virtual systems (VSYS) with the NetScreen-500

NetScreen’s Solutions for the High-Performance Security Market
Internet data centers
• E-businesses
• Web hosts, ASPs, colocation facilities
Service provider networks
• MAN, BLEC, MTU
• ISP, DSL providers
Managed Security Service Providers
• Integrating security solutions for Internet data centers, service providers and enterprises of all sizes
Enterprise Networks
• Enterprise central site and broadband remote access
• Small- to medium enterprises

NetScreen Security Basics
• Dedicated OS
– No hardening of the OS required
– More efficient than a general purpose OS
• Stateful Packet Inspection Firewall
– A dynamic or "stateful" packet inspection firewall maintains a table of active TCP sessions and UDP "pseudo" sessions.
– Allow a particular type of traffic “in” only as a response to an “outgoing” session
– NetScreen ASIC accelerates the process
• IPSec 3DES VPN
– 3DES has become the encryption industry standard
– NetScreen appliances come standard with 3DES
– NetScreen ASIC accelerates the process
• Virtual Systems
– Unique policy, address book and management
– Firewall and VPN configured per virtual system

NetScreen Virtual Systems
• NetScreen Virtual Systems
– Per Virtual System: address book, policies and management
– Firewall and VPN configured per virtual system
– Able to support multiple security domains or customers without sharing policy
[Diagram labels: Vsys #1, Vsys #2, Vsys #3]

NetScreen Management Interfaces
• CLI – familiar command line interface
– RS232, Telnet and SSH
• Web Interface – embedded Web server
– HTTP and SSL
• NetScreen Global – proprietary interface
• SNMP – Standard MIB & private extension
• Syslog – standard traffic reporting and alerts
• 3rd Party – WebSense, WebTrends
[Diagram labels: CLI, Web UI, Global, SNMP, Syslog, 3rd Party]

Enterprise Security Management: Global Manager
• Central management for multiple NetScreen security appliances
– Set policies and configuration options
– Define configuration once, apply to multiple devices
– Device grouping to simplify administration
• Collect and display status information for hundreds of devices
– Detailed reporting: configuration, traffic, CPU utilization, logs …
• Securely manages via VPN tunnels to devices
• Windows NT/2000-based platform
[Diagram labels: Global Manager, Monitoring & Reporting, Configuration, NetScreen Security Devices]

Product Overview: NetScreen-500
• Redundant
– High availability features
– Internal system redundancies (swappable fans, power)
– Separate traffic and management bus
• High performance
– 250 Mbps 3DES IPSec VPN
– 700 Mbps stateful firewall
• High capacity
– 10,000 IPSec tunnels
– 250,000 concurrent sessions
– 22,000 new sessions per second
• Flexible
– Multiple ports
– AC/DC power
• Up to 25 Virtual Systems

Product Overview: NetScreen Security Appliances
• Suite of wire-speed appliances
– NetScreen-100: 100-Mbps performance; 128,000 sessions; 1,000 tunnels
– NetScreen-10: 10-Mbps performance; 4,000 sessions; 100 tunnels
– NetScreen-5: 10-Mbps performance; 1,000 sessions; 10 tunnels
• Stateful-inspection firewall
– Leading denial of service attack deterrence
• NAT (mapped IP, Virtual IP), URL blocking
• Line rate IPSec VPNs
– IPSec, DES/3DES, MD5, SHA-1, IKE key management
– 1,000 tunnels: site to site or remote access
• Traffic Management: guaranteed & max bandwidth

Security Applications for the Enterprise
• Firewall application only
• VPN capabilities added to existing firewall
• VPN and firewall, replacing existing firewall
• VPN & firewall with increased traffic & remote users
• Multi-department firewalls
• Multi-department with remote users
• Multi-department with campuses
• Co location

Firewall with High Speed Internet
Firewall
Private Network
– Private Network perceived as “secure”
– RAS for mobile / home office
– WAN access multiple T1s (>1.5Mbps)
– Promotional Web site
– All employees “trusted” can access all parts of the network
[Diagram labels: Internet, PSTN (1-800), Corp HQ, RAS, DMZ]
• NetScreen delivers
– Increased Security / Easier Support / Higher Performance & Scalability / Cost effective solution

VPN Intranet & Central Site Firewall
Remote Access VPN
• Private & dial network replaced by VPN intranet
• Remote VPN devices provide additional security because they are also Firewalls
• Central Firewall turns on VPN
Central Site VPN Acceleration
• Central Firewall unable to handle VPN traffic needs acceleration
• NetScreen device used for VPN termination
• Leverage advanced features eg Hub & Spoke
Firewall/VPN consolidation
• NetScreen replaces existing firewall due to unnecessary duplication of costs (maintenance, admin, and support)
[Diagram labels: Internet, Corp HQ]

Central Site Firewall & VPN Intranet
Firewall Application
• WAN access multiple T1s /T3
• E-business
VPN Application
• Private network replaced by VPN intranet
• Hundreds or thousands of remote offices / users
• Extranets
• Trust limited to “Need to know” employees
NetScreen delivers
• Increased performance, scalability, flexibility & cost effectiveness of the solution
[Diagram labels: Internet, Corp HQ, DMZ]

Multi-Department Security
Traditional Solution
• Multiple Firewalls required to provide internal security
NetScreen-500 Solution
• Virtual Systems employed to provide departmental security
• Can also be used for additional DMZs, security domains and for extranets
• Trust limited to “Need to know” employees
[Diagram labels: Internet, Corp HQ, DMZs, Finance Dept, M & A Group, Engineering Dept]

Multi-Department with remote users
Firewall
• Traffic sent to the Finance dept is firewall-ed by the Finance Vsys
• Finance SOHO worker firewall-ed from the Internet
VPN
• Remote finance workers VPN connections terminate in the Finance Virtual System
• Essentially extending the finance intranet to include those workers
[Diagram labels: Finance Dept remote worker, Internet, Finance Dept mobile worker, Corp HQ, Finance Vsys, DMZs, Finance Dept]

Dept Intranets & Campuses
Firewall
– Traffic sent to the Finance dept is firewall-ed by the Finance Virtual System
VPN
– Finance intranet is extended between campus by VPN between the Finance virtual systems
[Diagram labels: Finance Vsys to Vsys VPN, Extended Campus, DMZs, Finance Dept, Internet / NSP Net, Corp HQ, DMZs, Finance Dept]

Co location
Data Center Fast Firewall/VPN
• Reduced capital cost
• Lower management & support burden
• High Bandwidth FW without having load balanced security devices
• Integrated VPN Access for Remote Access
• Option of using virtual systems for different security domains (front end, back end, staging or for MSPs - customers)
[Diagram labels: Internet Data Center, Staging Servers, Web Host / Ebusiness, Big Fast Firewall / Updating / content provisioning, Web Servers, Backend Databases, Web Hosting, Customer Data, Application Databases, ASP/MSP]

NetScreen vs. general purpose (H/W & S/W) architectures
• Superior throughput
– Zero packet loss, 100Mbps UDP
– Firewall no longer the network bottleneck
[Chart: Steady-State, Bidirectional, Zero-Loss* UDP Packets % of Theoretical Maximum Offered Load Throughput for Full-Duplex 100 Mbit/s Ethernet 'Single Rule' Firewall Processing. Vertical axis: % of Theoretical Maximum. Devices: Baseline, NetScreen-100, Check Point FireWall-1, Cisco PIX-515. Series: 64-byte, 512-byte, 1,024-byte and 1,518-byte packets. Source: Tolly Group - 2000.]
• Higher sustained performance
– Sustained large session count
– User satisfaction maintained even at peak times
[Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets. Panels: NetScreen-500, Cisco PIX 535. Vertical axis: Aggregate Throughput (Mbps)*. Horizontal axis: Simultaneous UDP Sessions (5,000; 10,000; 25,000). Series: packet size in bytes (64; 512; 1,024; 1,518). *1% packet loss threshold. Source: Tolly Group - 2001.]
[Additional label on slide: Nokia IP650*]

NetScreen vs. general purpose (H/W & S/W) architectures
• Fast VPN throughput
– Integrated 3DES VPN acceleration
– Productivity and user satisfaction
[Chart: Steady-State, Zero-Loss* Bidirectional IPSec Gateway (DES-3, SHA-1) % of Theoretical Maximum Offered Load Throughput via Full-duplex Fast Ethernet (100 Mbit/s). Vertical axis: % of Theoretical Maximum. Devices: NetScreen-100, Check Point FireWall-1, Nokia IP650, Cisco PIX-515. Series: 64-bytes, 512-bytes, 1024-bytes, 1518-bytes. Source: Tolly Group - 2000.]
• Great VPN Application throughput
– SAP & FTP throughput
– Real world apps perform as expected
[Chart: Bidirectional IPSec Gateway (DES-3, SHA-1) Application (Chariot) Throughput via Full-duplex Fast Ethernet (100 Mbit/s). Vertical axis: Throughput (Mbit/s), 0.00 to 200.00. Devices: Baseline, NetScreen-100, Check Point FireWall-1, Nokia IP650, Cisco PIX-515. Series: FTP, SAP R/3. Data labels in the chart: 163.24; 134.05; 60.19; 58.70; 42.81; 24.27; 15.68; 13.07; 9.01; 7.23. Source: Tolly Group - 2000.]

NetScreen vs. general purpose (H/W & S/W) architectures
• Rapid ramp rate
– Number of new sessions per second
– For busy web sites and Denial of Service attacks
[Chart: Maximum TCP Session-Processing Rate Per Second of 'Single Rule' Processing Firewall. Vertical axis: TCP Connections Per Second, 0 to 20,000. Devices: NetScreen-100, Cisco PIX-515, Check Point FireWall-1, Nokia IP650*. Data labels in the chart: 19,048; 3,402; 1,600. Source: Tolly Group - 2000.]
• Low latency
– Firewall Latency testing in uSec
– Useful for heavily loaded sites, multimedia and voice traffic
[Chart: Steady-State, Bidirectional Latency 'Single Rule' Processing Firewall via Full-duplex, Fast Ethernet (100 Mbit/s). Vertical axis: Latency in microseconds, 0 to 350. Devices: Baseline, NetScreen-100, Check Point FireWall-1, Cisco PIX-515, Nokia IP650. Data labels in the chart: 319.4; 291.3; 225.1; 85.1; 41.2. Source: Tolly Group - 2000.]

Cost Analysis: Small Office <25 people

| Implementation and Maintenance Costs | NetScreen-5 (Dollars) | Cisco PIX 506 (Dollars) | CheckPoint/Nokia IP110 (Dollars) |
|---|---|---|---|
| Hardware Costs | | | |
| Firewall platform | $995 | $1,950 | $2,495 |
| VPN platform | $0 | $0 | $0 |
| Software Costs | | | |
| Firewall platform | $0 | $0 | $1,499 |
| VPN platform | $0 | $250 | $0 |
| Maintenance and System Support Costs | | | |
| Hardware maintenance | $200 | $304 | $0 |
| Software maintenance | $0 | $0 | $225 |
| System support services | $0 | $205 | $1,115 |
| Total Implementation and Maintenance Costs | $1,195 | $2,709 | $5,334 |

• NetScreen-5
• Cisco PIX 506 w 3DES License
• Nokia 110 w CP 25 IP VPN-1 Module License (includes Firewall-1 & VPN-1)

Cost Analysis: Branch Office
<10Mbps FW&VPN; <100 people

| Implementation and Maintenance Costs | NetScreen-10 (Dollars) | Cisco PIX 515 (Dollars) | CheckPoint/Nokia IP330 (Dollars) |
|---|---|---|---|
| Hardware Costs | | | |
| Firewall platform | $3,995 | $5,000 | $4,950 |
| VPN platform | $0 | $0 | $0 |
| Software Costs | | | |
| Firewall platform | $0 | $0 | $5,995 |
| VPN platform | $0 | $1,000 | $0 |
| Maintenance and System Support Costs | | | |
| Hardware maintenance | $800 | $700 | $0 |
| Software maintenance | $0 | $0 | $899 |
| System support services | $0 | $325 | $2,225 |
| Total Implementation and Maintenance Costs | $4,795 | $7,025 | $14,069 |

• NetScreen-10
• Pix 515R + 3DES license + no DMZ (3rd interface requires UR software)
• IP 330 + CP VPN-1 (FW+VPN) Module license for 100 IP addresses

Cost Analysis: Central Site
<10Mbps FW&VPN; >100< 250 people

| Implementation and Maintenance Costs | NetScreen-100 (Dollars) | Cisco PIX 515 (Dollars) | CheckPoint/Nokia IP330 (Dollars) |
|---|---|---|---|
| Hardware Costs | | | |
| Firewall platform | $9,995 | $12,200 | $4,950 |
| VPN platform | $0 | $0 | $0 |
| Software Costs | | | |
| Firewall platform | $0 | $0 | $7,495 |
| VPN platform | $0 | $1,000 | $0 |
| Maintenance and System Support Costs | | | |
| Hardware maintenance | $2,000 | $1,680 | $0 |
| Software maintenance | $0 | $0 | $1,124 |
| System support services | $0 | $780 | $2,225 |
| Total Implementation and Maintenance Costs | $11,995 | $15,660 | $15,794 |

• NetScreen-100
• Pix 515UR + 10/100 card + 3DES license
• IP 330 + CP VPN-1 (FW+VPN) Module license for 250 IP addresses

Cost Analysis: Central Site
>10Mbps FW&VPN; or >250 people

| Implementation and Maintenance Costs | NetScreen-100 (Dollars) | Cisco PIX 525 (Dollars) | CheckPoint/Nokia IP440 (Dollars) |
|---|---|---|---|
| Hardware Costs | | | |
| Firewall platform | $9,995 | $16,200 | $12,495 |
| VPN platform | $0 | $7,500 | $2,995 |
| Software Costs | | | |
| Firewall platform | $0 | $0 | $9,495 |
| VPN platform | $0 | $1,000 | $0 |
| Maintenance and System Support Costs | | | |
| Hardware maintenance | $2,000 | $2,496 | $1,495 |
| Software maintenance | $0 | $0 | $1,424 |
| System support services | $0 | $1,680 | $0 |
| Total Implementation and Maintenance Costs | $11,995 | $28,876 | $27,904 |

• NetScreen-100
• Pix 525R + 10/100 card + VPN Acc card + 3DES License
• IP 440 + VPN Acc Card + CP VPN-1 (FW+VPN) Module license for Unlimited IP addresses

Cost Analysis: Central Site
>100Mbps FW&VPN; >250 people

| Implementation and Maintenance Costs | NetScreen-500 (Dollars) | Cisco PIX 535 (Dollars) | CheckPoint/Nokia IP530 (Dollars) |
|---|---|---|---|
| Hardware Costs | | | |
| Firewall platform | $33,500 | $70,000 | $26,495 |
| VPN platform | $0 | $7,500 | $2,995 |
| Software Costs | | | |
| Firewall platform | $0 | $0 | $9,495 |
| VPN platform | $0 | $1,000 | $0 |
| Maintenance and System Support Costs | | | |
| Hardware maintenance | $7,500 | $9,360 | $0 |
| Software maintenance | $0 | $0 | $1,424 |
| System support services | $0 | $2,925 | $6,480 |
| Total Implementation and Maintenance Costs | $41,000 | $90,785 | $46,889 |

• NetScreen-500 + 2xGE cards
• Pix 535R + 2x GE cards + VPN Acc card + 3DES License
• IP 530 + 2x GE cards + VPN Acc Card + CP VPN-1 (FW+VPN) Module license for Unlimited IP addresses
• Neither Cisco nor Nokia can exceed 100M VPN

Assumptions
• Cisco & Nokia are able to achieve 10M VPN w/o Acc Card
• Checkpoint VPN-1 Module pricing was used to be conservative, but either all gateway pricing needs to be used or one enterprise console version needs to be included, which would add approx $10K to any CP solution.
• Again to be conservative, NetScreen-100 used for <10Mbps >100<250 people where a NetScreen-10 could have been used.
• Cisco & Nokia latest solutions (Pix 535 & IP 530) unable to achieve > 100M VPN (IP 530 cannot achieve >50M 3DES)
• Nokia IP 530 GE interfaces (not currently available) cost equivalent to Cisco & NetScreen modules ~ $5K

Price / Performance via Purpose Built Architectures
[Chart: Zero-Loss Throughput Across a "Single-Rule" Firewall with UDP Packets. Panels: NetScreen-500, Cisco PIX 535. Vertical axis: Aggregate Throughput (Mbps)*. Horizontal axis: Simultaneous UDP Sessions (5,000; 10,000; 25,000). Series: packet size in bytes (64; 512; 1,024; 1,518). *1% packet loss threshold. Source: Tolly Group - 2001.]
NetScreen-500 - $33,500
– (2 x GE cards)
Cisco Pix-535R - $78,500
– (2x GE cards, VPN Accelerator card, 3DES License)

NetScreen’s Enterprise Solution
• NetScreen: Empowering Enterprises with new security solutions
– Gigabit security systems
– Multi-department security systems
– Security appliances for moderate-bandwidth environments
– Broadband remote access and campus VPN demands
• Simple and affordable
– Reduced number of devices required
– Simplified network architecture, management and licensing
– Less expensive than competitive solutions
– Easy to deploy and manage

NetScreen
Broadband Internet Security Solutions