Our company is well connected to the Internet with a firewall. We are now building some VPNs over the Internet and the idea is to use Juniper Networks NetScreen-25 for this. Any experiences about that or any opinions? The existing firewall is dual-homed and I'd like to install the NetScreen-25 not as a second 'firewall', but inside the LAN and tunnel somehow the traffic through the existing firewall like we do with OpenVPN, comments on this?
them a lot. There are no moving parts, no disks, no fans, so they hardly ever fail. You can make a Netscreen VPN work with about any other brand of firewall as well.
If you are thinking site to site VPNs, I'd go for route-based (tunnel interface). I managed to NAT both source and destination on packets going through a tunnel on my box, so this is very handy if you have overlapping IP-addresses on both sides of the tunnel. If you start using the virtual routers in the Netscreen combined with tunnel interfaces, things can really get interesting.
If you are talking about dial-up VPNs, the Juniper client has had some recent problems with Windows XP SP2 and other stuff. We always tell our customers it's Bill's fault if it does not work. This might be true, because I never saw a problem on a clean PC.
I would not recommend putting the Netscreen on the LAN. I'd just replace the existing one with the Netscreen to avoid routing problems, but if you can make it work with OpenVPN you'd probably also be able to do it with a Netscreen.
Why not put the 25 as your main gateway as Matthias suggested? It's a very reliable, high performance stateful firewall and VPN concentrator.
You can put it on your inside LAN if you want. You'll need to forward Protocol 50 (ESP) and UDP 500 traffic to it on an outside IP from your existing firewall. Then you'll need to make sure you don't try to assign virtual IPs to the clients, or if you do, you'll need to add static routing statements to your main firewall to make sure traffic gets to them if you want to contact them from the inside (which is why you'd assign them virtual IPs). Otherwise, without a virtual IP, they will come on the LAN looking like they come from the NetScreen's inside interface, which works fine, but any traffic/event analysis tools you have running on the network/servers won't be able to tell who is doing this traffic; it will all look like it comes from the NS.
However, if the NS is your default gateway, it's much simpler: virtual IPs are fine, return traffic goes where it needs to, you can then identify each remote host by looking at the logs, etc. etc. No forwarding rules on your main firewall, site-to-site VPNs don't have to NAT, etc. etc.
For site-to-site VPNs definitely use a route-based VPN as Matthias suggested, they are much nicer to work with once you figure them out and much easier to limit/filter via policy.
Of course if it were me I'd put in a Fortigate so that I could do IPS and AV on all the traffic coming in from these remote hosts, but everybody knows that by now :-) I like the Forticlient *way* better than the SafeNet (Netscreen) client, but either are functional.
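The forwarding and routing checklist from the reply above, written up as an added design check that is not part of the original thread; the addresses and the client pool are constructed placeholders, and the checks encode only what the reply states (ESP and UDP 500 forwarded to the NetScreen, a static route for the virtual IP pool, and the loss of per-client attribution without virtual IPs):

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder addresses (documentation ranges), not values from the thread.
NETSCREEN_INSIDE_IP = "192.168.1.2"   # NetScreen-25 sitting on the inside LAN
VIRTUAL_IP_POOL = "10.99.0.0/24"      # virtual IPs handed to dial-up VPN clients

@dataclass
class Forward:
    proto: str            # "esp" (IP protocol 50) or "udp"
    port: Optional[int]   # None for ESP, which has no ports
    to: str               # inside address the main firewall forwards to

@dataclass
class StaticRoute:
    prefix: str
    next_hop: str

@dataclass
class Design:
    forwards: List[Forward]
    routes: List[StaticRoute]
    uses_virtual_ips: bool

def check_design(d: Design) -> List[str]:
    """Return the gaps in a 'NetScreen behind the main firewall' design, per the reply's checklist."""
    problems: List[str] = []
    has_esp = any(f.proto == "esp" and f.to == NETSCREEN_INSIDE_IP for f in d.forwards)
    has_ike = any(f.proto == "udp" and f.port == 500 and f.to == NETSCREEN_INSIDE_IP
                  for f in d.forwards)
    if not has_esp:
        problems.append("main firewall does not forward ESP (protocol 50) to the NetScreen")
    if not has_ike:
        problems.append("main firewall does not forward UDP 500 (IKE) to the NetScreen")
    if d.uses_virtual_ips:
        # Return traffic for the client pool must be routed back to the NetScreen,
        # otherwise inside hosts cannot reach the VPN clients.
        pool = ipaddress.ip_network(VIRTUAL_IP_POOL)
        routed = any(ipaddress.ip_network(r.prefix) == pool and r.next_hop == NETSCREEN_INSIDE_IP
                     for r in d.routes)
        if not routed:
            problems.append(f"no static route for {VIRTUAL_IP_POOL} via {NETSCREEN_INSIDE_IP}")
    else:
        # Without virtual IPs every client appears as the NetScreen's inside interface,
        # so network and server logs cannot attribute traffic to individual remote hosts.
        problems.append(f"all client traffic will appear to come from {NETSCREEN_INSIDE_IP}")
    return problems
```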
Hi, only to make that clear: it was me (the original poster) who wanted to put the NetScreen-25 inside my LAN and not outside the firewall. I don't like in general to have a firewall (it's based on UNIX and IPFilter) and other equipment which is providing somehow a second entry into the LAN which is protected by the firewall, even if the NetScreen is very reliable. It is a second point for attacks and one is already enough, don't you agree?
No, I don't actually agree. You're proposing to put the NetScreen *behind* your main firewall, giving the VPN clients access to your internal network. Is that worse than having it protect from the outside? You're in fact creating two access points when you could just have one to secure and correctly configure.
Your unix box is more likely to get compromised than your NetScreen, but if you prefer to base the security of your business on a homemade firewall vs a purpose built certified security appliance, then I'm sure your talents will ensure that it stays up to date and correctly configured.
Myself, if I owned a NS25, I certainly wouldn't be using open source on my perimeter.