S: My home network currently runs a Linksys BEFSR41 ADSL NAT router, half a dozen XP SP2 systems, and a Linux file server. I'm not comfortable with the limited outbound control available on the Linksys, and would also like to have some content filtering available.
S: I'm considering purchasing a Netscreen 5GT as it appears to have the features I'm looking for, and I'm familiar with ScreenOS - but only on their larger boxes.
S: Based on the specifications, I assume the 5GT is a 'drop in' replacement for the Linksys - i.e. it will speak PPPoE to the ADSL modem, serve DHCP to the XP clients etc. Correct? Any gotchas I need to know about?
MQ: If you already have a DSL modem, then you don't need to speak PPPoE. I could be wrong here, but typically that's the poop. You could consider getting rid of the modem altogether and get the 5GT-ADSL model. It rocks, but you have to know more than the average bear to get the DSL up and running.
S: I'm used to defining zones for all traffic on NS boxes, but the 5GT appears to be limited to the built-in zones. Does this effectively turn the 4 Trust ports into a switch, or can I still define policy per-port using address objects? I assume the latter, but perhaps DHCP gets in the way?
MQ: By default, the box is in a port mode called Trust-Untrust, which puts all 4 ports into one security zone called Trust. You can change that to a Work-Home mode whereby it puts two ports in Trust and two ports in a predefined security zone called Home. Home cannot get to Work; a built-in policy that cannot be modified prevents that. Work can get to Home by any policy you define. You can also put it in a port mode called Combined, which is a Dual Untrust and Work-Home mode, and then it's possible to have two connections to the Internet and 'load balance' in a way across both links. It's pretty cool. DHCP has nothing to do with anything regarding port mode, other than setting up a DHCP server on each zone.
S: One feature of the 5GT I find appealing is AV scanning on the gateway - particularly as we don't use Trend Micro on the clients. How much does the AV update subscription cost?
MQ: The AV is not protocol agnostic, it's HTTP, SMTP, POP3, FTP and IMAP (in ScreenOS 5.1). Talk to your local reseller regarding pricing. Word.
S: Finally, I'd be interested in feedback on the content filtering feature - I assume it will allow me to prevent sensitive data (e.g. credit card numbers) going outbound in the clear?
MQ: Content filtering has nothing to do with this. This is a problem on whether or not you are connected to a remote site using SSL or not. Content filtering simply permits or denies traffic on the destination website and the type of content on said website. Word.
S: I would really appreciate any 5GT user opinions.
MQ: Buy it and you won't regret it.