2009-CPUG-CON-EUROPE-kono-yasushi-Comparing-Check

Comparing and Contrasting Check Point NGX with Juniper ScreenOS Firewalls
Yasushi Kono (ComputerLinks Frankfurt)
Agenda
• The Magic Quadrants of the Gartner Group
• The fundamental architecture of Juniper ScreenOS
• Configuration of Zones, Interfaces, Policies
• The features of ScreenOS compared to Check Point
• Conclusion
The Magic Quadrants of the Gartner Group (evaluation criteria):
• Ability to Execute:
– Product/Service
– Overall Viability
– Sales Execution/Pricing
– Market Responsiveness
– Market Execution
– Customer Experience
• Completeness of Vision:
– Market Understanding
– Marketing Strategy
– Sales Strategy
– Business Model
– Innovation
– Geographic Strategy
Now, let's have a look at the Fundamentals of the Juniper ScreenOS Architecture:
• The Framework Configuration is built up in layers, from the bottom up:
» Virtual Router
» Security Zone
» Interface
» IP Address
Of course, you will have multiple
• IP Addresses,
• Interfaces,
• Security Zones
within a Juniper NetScreen Security Device, all of them held by the Virtual Router.
The Virtual Router acts as a parent container which holds the elements of the hierarchical structure.
The next layer consists of the so-called Security Zone. Security Policies are configured in terms of Security Zones, as Source Zone and Destination Zone, respectively.
The Security Zone holds the Interface(s).
Finally, you can configure the IP address on that interface.
The Configuration Order is crucial in ScreenOS.
• First, create one or more Security Zones on top of the existing Virtual Router (namely trust-vr). This can easily be done via the CLI of the Security Device:
set zone name sales
set zone name internet
• Then, you have to associate Interfaces to these Security Zones:
set interface eth0 zone sales
set interface eth1 zone internet
• And now, you can bind IP addresses to Interfaces:
set interface eth0 ip 10.20.30.1/24
set interface eth1 dhcp client enable
or
set interface eth1 ip 195.1.1.1/24
• Then, you have to configure your Default Gateway:
set vrouter trust-vr route 0.0.0.0/0 gateway 195.1.1.254
• Now, you are ready to configure a Security Policy.
• A Security Policy regulates the traffic between zones:
set policy from sales to internet any any any permit
• Should you need Dynamic NAT:
set pol from sales to internet any any any nat src permit
• Should you miss granularity:
set address sales PC_Sales01 10.1.1.20/32
set policy from sales to internet PC_Sales01 any dns nat src permit log
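ScreenOS does not check the dependency order for you when you paste commands, so a misplaced line silently leaves an interface without a zone or a policy pointing at an object that does not exist. The following linter is an added example, written for this page and not part of the presentation or of ScreenOS itself. It replays a pasted command block top to bottom, enforces the zone -> interface -> IP -> address -> policy order described above, and flags permit rules that are any/any/any or that lack log. It recognises only the command forms the slides use (set zone name, set interface ... zone, set interface ... ip / dhcp client enable, set address, set policy/pol); every other line is ignored, and the small PREDEFINED_ZONES set is an assumption standing in for the zones ScreenOS ships with.

```python
"""Dependency-order and policy linter for ScreenOS-style CLI configs.

Added example; not part of the original presentation. It knows only the
handful of commands the slides use (set zone / set interface / set address /
set policy); anything else is ignored.
"""
import re
from dataclasses import dataclass, field

# Assumption: a small subset of the zones ScreenOS predefines, so that a
# config referencing them without "set zone name" is not flagged.
PREDEFINED_ZONES = {"trust", "untrust", "dmz", "ha", "global"}

ZONE_RE = re.compile(r"^set zone name (\S+)$")
IF_ZONE_RE = re.compile(r"^set interface (\S+) zone (\S+)$")
IF_IP_RE = re.compile(r"^set interface (\S+) (?:ip \S+|dhcp client enable)$")
ADDR_RE = re.compile(r"^set address (\S+) (\S+) \S+$")
POLICY_RE = re.compile(r"^set pol(?:icy)? from (\S+) to (\S+) (\S+) (\S+) (\S+) (.+)$")


@dataclass
class Finding:
    line: int
    severity: str    # "error": dependency order broken; "warn": review hint
    message: str


@dataclass
class _State:
    zones: set = field(default_factory=lambda: set(PREDEFINED_ZONES))
    interfaces: dict = field(default_factory=dict)   # interface -> zone
    addresses: dict = field(default_factory=dict)    # zone -> {address names}


def lint_screenos(config_text: str) -> list:
    """Walk the commands top to bottom, in the order they would be pasted."""
    st = _State()
    findings = []

    def report(n, severity, msg):
        findings.append(Finding(n, severity, msg))

    for n, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())            # collapse stray whitespace
        if not line or line.startswith("#"):
            continue
        if m := ZONE_RE.match(line):
            st.zones.add(m[1].lower())
        elif m := IF_ZONE_RE.match(line):
            iface, zone = m[1], m[2].lower()
            if zone not in st.zones:
                report(n, "error", f"interface {iface} bound to undefined zone {zone}")
            st.interfaces[iface] = zone
        elif m := IF_IP_RE.match(line):
            if m[1] not in st.interfaces:
                report(n, "error", f"interface {m[1]} gets an address before it is bound to a zone")
        elif m := ADDR_RE.match(line):
            zone, name = m[1].lower(), m[2]
            if zone not in st.zones:
                report(n, "error", f"address {name} placed in undefined zone {zone}")
            st.addresses.setdefault(zone, set()).add(name)
        elif m := POLICY_RE.match(line):
            src_zone, dst_zone = m[1].lower(), m[2].lower()
            src, dst, service, tail = m[3], m[4], m[5], m[6].lower().split()
            for z in (src_zone, dst_zone):
                if z not in st.zones:
                    report(n, "error", f"policy references undefined zone {z}")
            for zone, obj in ((src_zone, src), (dst_zone, dst)):
                if obj.lower() != "any" and obj not in st.addresses.get(zone, set()):
                    report(n, "error", f"policy references unknown address {obj} in zone {zone}")
            if "permit" in tail:
                if src.lower() == dst.lower() == service.lower() == "any":
                    report(n, "warn", "permit any/any/any: narrow source, destination or service")
                if "log" not in tail:
                    report(n, "warn", "permit without 'log': matching traffic will not be logged")
    return findings


# Constructed sample: the slide's commands in the order the slides give them.
GOOD_CONFIG = """\
set zone name sales
set zone name internet
set interface eth0 zone sales
set interface eth1 zone internet
set interface eth0 ip 10.20.30.1/24
set interface eth1 ip 195.1.1.1/24
set vrouter trust-vr route 0.0.0.0/0 gateway 195.1.1.254
set address sales PC_Sales01 10.1.1.20/32
set policy from sales to internet PC_Sales01 any dns nat src permit log
"""

# Constructed sample: the same building blocks pasted in the wrong order,
# plus the broad any/any/any rule from the slides.
BAD_CONFIG = """\
set interface eth0 ip 10.20.30.1/24
set interface eth0 zone sales
set zone name sales
set policy from sales to internet any any any permit
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"== {label} ==")
        for f in lint_screenos(cfg) or [Finding(0, "ok", "no findings")]:
            print(f"line {f.line}: {f.severity}: {f.message}")
```

Run it on a command block before pasting it into the device: an "error" means the pasted order would break a dependency, a "warn" is a review hint for rules that are broader than the granular example on this slide or that will not show up in the logs.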
How to manage Security in ScreenOS?
There are three ways of managing a ScreenOS infrastructure:
• Configuration via CLI
• Configuration via WebUI
• Configuration via NSM (Network and Security Manager)
Benefits of Configuring via CLI:
• Easy to understand
• You can prepare the commands with an editor and paste them onto your production environment
• No need of MS Internet Explorer
Benefits of Configuring via WebUI:
• No need to memorize CLI commands
• Intuitive
• Some people love to use Internet Explorer
Benefits of Configuring via NSM:
• Manage multiple Security Devices centrally
• No need to memorize CLI commands
• Analyzing log entries centrally
Possible Drawbacks with CLI:
• Management of Security on a per Device Basis
• Analyzing Logging per Device is not appropriate in Enterprise Environments
• You have to memorize lots of commands
Possible Drawbacks with WebUI:
• Management of Security on a per Device Basis
• Analyzing Logging per Device is not appropriate in Enterprise Environments
• Some people hate mice!
Possible Drawbacks with NSM:
• Limitation of a maximum number of Devices, when using the NSMXpress Appliance!
• Only Red Hat Linux is supported as NSM Host Operating System
• You have to have in-depth Linux expertise
• You still need a mouse!
Introducing some Features offered by Juniper NetScreen:
• Policy-based Routing
• Source-based Routing
• Source-interface based Routing
• Configuring Dynamic Routing Protocols
• Disaster Recovery
• Virtual System (VSYS)
• NSRP (NetScreen Redundancy Protocol)
Policy-Based Routing:
PBR enables you to implement policies that selectively cause packets to take different paths. You use the following building blocks to create a PBR policy:
• Extended Access List
• Match Group
• Action Group
Extended Access List:
Lists the match criteria you define for PBR policies. Match criteria include:
• Source IP
• Destination IP
• Source Port
• Destination Port
• Protocol
• QoS Priority
Match Group:
Match Groups provide a way to organize extended access lists. A Match Group associates an extended ACL ID number with a unique match group name and a match-group ID number.
Action Group:
An Action Group specifies the route that you want a packet to take. You specify the action for the route by defining the next interface, the next hop, or both.
PBR Policy:
After configuring the Extended Access List, the Match Group, and the Action Group, you have to configure the PBR Policy, which is done within the virtual router context.
Source-Based Routing:
With Source-Based Routing, you are able to specify the
route to a destination based on the Source IP of the
client.
Source Interface-based Routing:
With Source Interface-Based Routing, you are able to
specify the route to a destination based on the Ingress
Interface of the Security Device used by a client.
Dynamic Routing:
On a Juniper Netscreen Security Device, you can use
Dynamic Routing Protocols without the necessity of
configuring VPN or VTIs. It is much easier to configure
OSPF as the routing protocol (a matter of minutes).
Sample OSPF Configuration:
Juniper-> set vrouter trust-vr
Juniper(trust-vr)-> set router-id 172.23.103.11
Juniper(trust-vr)-> set protocol ospf
Juniper(trust-vr/ospf)-> set enable
Juniper(trust-vr/ospf)-> set area 10.0.0.0
Juniper(trust-vr/ospf)-> exit
Juniper(trust-vr)-> exit
Juniper-> set interface eth0 protocol ospf area 0.0.0.0
Juniper-> set interface eth0 protocol ospf enable
Juniper-> set interface bgroup0 protocol ospf area 10.0.0.0
Juniper-> set interface bgroup0 protocol ospf enable
Disaster Recovery:
On some of the Juniper Security Devices, you can save the running configuration to a USB stick:
save config from flash to usb juniperconfig.txt
Should you run into trouble, just plug in the USB stick and copy the configuration back to the device:
save config from usb to flash juniperconfig.txt
On other devices (without USB support) use a TFTP server instead:
save config from flash to tftp 10.20.30.1 juniperconfig.txt
Via the CLI, you can also copy and paste a saved configuration from your editor to the Terminal window.
So, Disaster Recovery is a matter of seconds rather than minutes.
Virtual Systems (VSYS)
The high-end security devices in the ScreenOS family provide the ability to create Virtual Systems.
A Virtual System is a logical instance of a security device with its own routing table, administrators, zones, policies, and VPN.
How to configure a VSYS?
root->set vsys sales
root(sales)->set admin name salesadmin
root(sales)->set admin password juniper1
root(sales)->set zone name sales
root(sales)->set int eth2.11 tag 11 zone sales
root(sales)->set vrouter trust-vr route 10.51.1.0/24 vr sales-vr
root(sales)->set address sales webserver 10.51.1.22/32
root(sales)->set pol from untrust to sales any webserver http permit log
root(sales)->set pol from sales to untrust any any any nat src permit log
root(sales)->save config
root(sales)->exit
Basically, to configure a VSYS you use the same commands as for configuring non-VSYS systems!
It is that easy!
No need to configure virtual switches or virtual routers.
"What in the hell are Warp Interfaces???"
NSRP (NetScreen Redundancy Protocol)
Juniper's HA Solution for Gateway High Availability.
Quite similar in functionality to Nokia VRRP.
Difference: No unique IP addresses to be configured on cluster interfaces.
No IP addresses assigned to the Sync Interface.
Only two nodes supported per Cluster!
NSRP Configuration Example:
1. Setting up the HA Link:
set interface eth2 zone ha
2. Configuring Cluster Settings:
set nsrp cluster id 0
set nsrp cluster name ISG_HA
set nsrp arp 4
3. Setting Interfaces for Monitoring:
set nsrp monitor interface eth0
set nsrp monitor interface bgroup0
4. Adjusting VSD Settings:
set nsrp vsd id 0 priority 80
set nsrp vsd id 0 preempt
set nsrp vsd id 0 preempt hold-down 5
5. Enabling RTO Synchronization:
set nsrp rto-mirror sync
Conclusion
Some features (Policy-based Routing, Source-based Routing, Interface-based Routing, …) are offered by Juniper without counterpart at Check Point.
It is easy to get started with Juniper and you can immediately configure interfaces, security zones, routing, address book entries and security policies.
It is easy to configure VSYS since you are not forced to learn new commands.
Some Features of Check Point on the other hand:
• You can use IKE Main Mode with VPN Clients with Dynamic IP Addresses.
• The Check Point SecureClient is the better solution compared to Juniper's NetScreen Remote Client (more features, more security, more usability)!
• SMART is smart!
• With SmartView Tracker, you can see the log information of the whole Enterprise at a glance!
• With SmartView Monitor, you can see all Status information of all firewalls within your infrastructure at a glance!
• With SmartUpdate, you can manage licenses centrally!
Some Features of Check Point on the other hand (cont.):
• Before Check Point compiles the Rule Base, it does a syntax check!
• ClusterXL, Nokia IP Clustering or Nokia VRRP support more than two cluster nodes!
So, who is the winner of the Enterprise Firewall Functionality Contest?
No Winner!
Any Questions?
Thanks a lot for your attention!
Should you have questions:
[email protected]