Netscreen 5GT for home network?

My home network currently runs a Linksys BEFSR41 ADSL NAT router, half a dozen XP SP2 systems, and a Linux file server. I'm not comfortable with the limited outbound control available on the Linksys, and would also like to have some content filtering available.

I'm considering purchasing a Netscreen 5GT as it appears to have the features I'm looking for, and I'm familiar with ScreenOS - but only on their larger boxes.

Based on the specifications, I assume the 5GT is a 'drop in' replacement for the Linksys - i.e. it will speak PPPoE to the ADSL modem, serve DHCP to the XP clients etc. Correct? Any gotchas I need to know about?

I'm used to defining zones for all traffic on NS boxes, but the 5GT appears to be limited to the built-in zones. Does this effectively turn the 4 Trust ports into a switch, or can I still define policy per-port using address objects? I assume the latter, but perhaps DHCP gets in the way?

One feature of the 5GT I find appealing is AV scanning on the gateway - particularly as we don't use Trend Micro on the clients. How much does the AV update subscription cost?

Finally, I'd be interested in feedback on the content filtering feature - I assume it will allow me to prevent sensitive data (e.g. credit card numbers) going outbound in the clear?

I would really appreciate any 5GT user opinions.

Thanks,

Sunny

Reply to
Sunny

S: My home network currently runs a Linksys BEFSR41 ADSL NAT router, half a dozen XP SP2 systems, and a Linux file server. I'm not comfortable with the limited outbound control available on the Linksys, and would also like to have some content filtering available.

S: I'm considering purchasing a Netscreen 5GT as it appears to have the features I'm looking for, and I'm familiar with ScreenOS - but only on their larger boxes.

S: Based on the specifications, I assume the 5GT is a 'drop in' replacement for the Linksys - i.e. it will speak PPPoE to the ADSL modem, serve DHCP to the XP clients etc. Correct? Any gotchas I need to know about?

MQ: If you already have a DSL modem, then you don't need to speak PPPoE. I could be wrong here, but typically that's the poop. You could consider getting rid of the modem altogether and get the 5GT-ADSL model. It rocks, but you have to know more than the average bear to get the DSL up and running.

S: I'm used to defining zones for all traffic on NS boxes, but the 5GT appears to be limited to the built-in zones. Does this effectively turn the 4 Trust ports into a switch, or can I still define policy per-port using address objects? I assume the latter, but perhaps DHCP gets in the way?

MQ: By default, the box is in a port mode called Trust-Untrust, which puts all 4 ports into one security zone called Trust. You can change that to a Work-Home mode whereby it puts two ports in Trust and two ports in a predefined security zone called Home. Home cannot get to Work; a built-in policy that cannot be modified prevents that. Work can get to Home by any policy you define. You can also put it in a port mode called Combined, which is a Dual Untrust and Work-Home mode, and then it's possible to have two connections to the Internet and 'load balance' in a way across both links. It's pretty cool. DHCP has nothing to do with anything regarding port mode, other than setting up a DHCP server on each zone.

S: One feature of the 5GT I find appealing is AV scanning on the gateway - particularly as we don't use Trend Micro on the clients. How much does the AV update subscription cost?

MQ: The AV is not protocol agnostic, it's HTTP, SMTP, POP3, FTP and IMAP (in ScreenOS 5.1). Talk to your local reseller regarding pricing. Word.

S: Finally, I'd be interested in feedback on the content filtering feature - I assume it will allow me to prevent sensitive data (e.g. credit card numbers) going outbound in the clear?

MQ: Content filtering has nothing to do with this. This is a problem on whether or not you are connected to a remote site using SSL or not. Content filtering simply permits or denies traffic on the destination website and the type of content on said website. Word.

S: I would really appreciate any 5GT user opinions.

MQ: Buy it and you won't regret it.

Reply to
Munpe Q

The 5GT-ADSL will do PPPoA and PPPoE. The others will only do PPPoE. I'm not aware of any differences between functionality that would make a difference in your description. Most of the time I would encourage people to use the ADSL model and just hold on to the other POS that they provide for troubleshooting. Qwest likes to NAT behind their POS Actiontec, and I have only ONCE got it to actually route, but that was freakin' painful and I hated every second of it. If you're not being NAT'd good for you. But for those who are and if you dump your DSL on to the box then you route / NAT / transparent mode that mophucka any way you want.

Use DHCP reservations and then setup your policies.

DI is a lighter version of Intrusion Detection. It also is NOT protocol agnostic on the firewall. They want to sell more IDP. And yes, naturally web filtering and content management are not protocol anomaly detection / malicious packets as DI is.

-Word out to my bruthas in the struggle, stay strong and never give up the fight-

Munpe Q

Reply to
Munpe Q

The way I did it for mine was to use DHCP reservation to fix the IP for all the hosts that need special policies. You can then create objects that represent those fixed IPs and define policies just for those IPs.

Reply to
Minh Tran-Le

I prefer to keep the DSL modem as the provider supplies it and refuses to troubleshoot DSL outages if you aren't using it. Also, the ADSL model drops several features according to the datasheet.

Whatever the protocol is, am I correct in assuming the 5GT can authenticate to the ISP, obtain its public IP, and send keepalives - just as the Linksys does? My understanding is this stuff is done using PPPoE, while the modem speaks PPPoA (PPP over ATM) - but I could be wrong here too :-)

Thanks for the explanation, but how do I do per-client policies when DHCP is in use? For example, the file server only needs NTP to the Internet, while other clients need more services - but not necessarily the same services on each.

The datasheet lists 'Integrated Web Filtering' and 'Content Inspection' as separate features (in addition to Deep Inspection). I guess I don't understand the difference.

That's one vote in favour :-)

Reply to
Sunny
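As an added configuration example of the DHCP-reservation approach described in the two posts above (fixed IP via reservation, address object, per-host policy), written here for illustration and not taken from the thread. ScreenOS 5.x CLI syntax is assumed; the addresses, MAC and policy ids are constructed and the default "Any/Any permit" policy is assumed to be id 1 as shipped from the factory.

```screenos
# --- DHCP on the Trust interface (constructed 192.168.1.0/24 network) ---
set interface trust dhcp server service
set interface trust dhcp server option gateway 192.168.1.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server ip 192.168.1.33 to 192.168.1.126
# Reservation: the Linux file server always gets .10 (MAC is made up)
set interface trust dhcp server ip 192.168.1.10 mac 0011.2233.4455

# --- Address object for the reserved host ---
set address trust "fileserver" 192.168.1.10 255.255.255.255

# --- Per-host policy: file server may only do NTP outbound ---
set policy id 10 from "Trust" to "Untrust" "fileserver" "Any" "NTP" permit log
# Everything else from the file server is denied and logged/counted,
# so a compromised or misconfigured host shows up in the traffic log.
set policy id 11 from "Trust" to "Untrust" "fileserver" "Any" "ANY" deny log count

# Policies are matched top-down; the host-specific pair must sit above
# the factory default permit (assumed id 1) or it will never be reached.
set policy move 10 before 1
set policy move 11 before 1

# --- Traffic aimed at the firewall's own interface IP never matches
# interzone policies; it terminates in the "self" zone, which is why the
# thread's Untrust->Trust deny/log policies see no hits and log-self does.
set firewall log-self
```

Check the ordering afterwards with `get policy` and confirm the file server's non-NTP attempts appear under policy 11 in `get log traffic`.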

According to the datasheet, the 5GT-ADSL differences are:

- transparent mode not supported

- no DI for IM or P2P or SMB

- no AV for FTP

- around 400 fewer DI signatures

- integrated web filtering is "future"

- VOIP support is "future"

You're right, no show stoppers but there are a few nice to haves.

No, I'm not NATed. The DSL modem has decent diagnostic LEDs and has never been a problem - I think I'll keep it.

Gotcha - thanks! You can't do reservations on the Linksys, so that's another reason to get the 5GT.

Sunny

Reply to
Sunny

I'm surprised -sort of- about transparent mode, but some of those features were a 5.1 thing, which the ADSL is not at yet.

Palabra.

Reply to
Munpe Q

I own a 5GT - $270 NIB on eBay ;-)

Shipping will take a few days, but it will seem longer...

Sunny

Reply to
Sunny

Hi Sunny !!

There are many port modes on the Netscreen NS5GT, not only Trust-Untrust port mode, but also other modes like Home-Work port mode. However, even in that mode you cannot apply a policy per physical Ethernet port, although that port mode gives more powerful segmentation than the classical Trust-Untrust port mode.

Maybe try connecting to the [link] website and have a look in the knowledge base; maybe you will find more info.

See ya

Olivier


Reply to
Superfunky

Well first off, I've already said that. Second, and if I'm reading this terrible English correctly, you CAN in fact implement intrazone policies. So, if you have four interfaces in Trust, you can block traffic from one device on the same zone from getting to another device on the same zone that is on a different physical interface.

You just cannot move ports like you can in a higher end model, which is a big 'duh'...

Word to your mothers. Especially today. Fools.

Reply to
Munpe Q

5.2 is out, looks like 5GT and 5GT ADSL now use the same firmware - at least it's the same filename. I decided to wait a bit...

My box arrived today (plain 10 user 5GT), currently running 5.1.0r3a. It feels a bit restrictive compared to the big boxes, but works perfectly as a Linksys BEFSR41 replacement pretty much out of the box. I have work to do to lock it down.

One thing that doesn't work like the Linksys is logging of connection requests from outside. I added:

set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log count
set policy id 3 from "Untrust" to "Global" "Any" "Any" "ANY" deny log count

.... but I get no hits. What am I missing?

Sunny

Reply to
Sunny

set firewall log-self

That gets me syslogs for denied connections from outside, e.g.:

ns5gt: NetScreen device_id=ns5gt system-notification-00257(traffic): start_time="2005-05-18 00:35:25" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=48 src=69.158.101.49 dst=69.158.114.171 src_port=4037 dst_port=135

But still doesn't hit my deny policies. policy_id=320001 ?

Reply to
Sunny
