ISP Technology

RFP Series: VPN for Broadband SMBs
NetScreen Technologies
—continued

 

Requirements Map:
Hardware Installation:

  • Turnkey hardware solution: All NetScreen devices are appliances with all software pre-installed. New versions can be downloaded directly from the NetScreen Partner Web site.
  • No truck roll required for existing accounts: All NetScreen devices can be pre-configured and shipped to the destination for installation by a non-security specialist. The person only needs to know how to connect 2 or 3 Ethernet ports and turn the device on.
  • Remote configuration of all but basic network parameters: All NetScreen devices can be configured remotely using either:
    1. The Web User interface that operates on the device, which can be used in HTTP or in HTTPS mode. An SSL certificate must be purchased and installed for HTTPS operation. This can be accessed in-band from either the Untrusted or Trusted ports.
    2. The Command Line Interface (CLI) that can be accessed in-band via the Untrusted or Trusted ports or via the serial port using a direct connection or an external modem for out-of-band control.
    3. The NetScreen Global Manager and Global Pro management systems that allow creating all configuration parameters off-line and pushing them to several devices concurrently.
    4. NetScreen provides Online help functions for all of its management interfaces.
  • Remote activation of add-on features: There are no options in NetScreen devices. All features are delivered on all devices, except for one option (upgrading a NetScreen-5 to a NetScreen-5 Elite), which can be applied remotely. There are no licenses to manage, so a firewall will never stop because a license has expired.


Software/Policy Installation:

  • Central (ISP) policy definition and update: NetScreen Global Pro is the recommended product for ISPs since it can manage several customers centrally. Global Pro provides a tabular representation of the security associations, connections and sessions it manages. Information management is object oriented, allowing the ISP to build standard tools and associations to increase productivity. Objects can be dragged and dropped between objects and customers, allowing complex but typical configurations to be created in minutes. The ISP can allow role-based access by customer staff to view and/or change some of the data in the device configurations.
  • Central (ISP) software update: Global Pro provides software release tracking and centrally managed updating.
  • IPSec client support for all Windows OSes: NetScreen Remote operates on all Windows platforms.

Physical:

  • 2 or more 10BaseT or 10/100 ports:
    NetScreen-5 has 2 10baseT ports and 1 serial
    NetScreen-10 has 3 10baseT ports and 1 serial
    NetScreen-100 has 3 10/100baseT ports and 1 serial
  • Support for both DSL bridging modem and router environments: All NetScreen devices interface to any Ethernet demarcation device. The NetScreen-5 also provides DHCP Client with or without PPPoE authentication.
  • AC Power: All NetScreen devices are available in AC power.
  • Enclosure should be tamper-resistant: All NetScreen devices are enclosed, appliance devices, offering a certain degree of tamper protection. Of course, common sense requires that the device be installed in a secure closet if this is a concern.

The Serial port is password protected and will cause an SNMP trap and Global Pro alarm if anyone tries to connect to it.

Since NetScreen runs its own OS, all security information is stored in a protected flash memory that cannot be accessed except through the management interface.


Management:

  • Enable secure remote management by ISP NOC: All NetScreen devices can be managed via the following methods: Web Browser, Telnet Client, SCS (sometimes referred to as SSH) client, NetScreen's Global Manager Client, Console Port (Serial Connection)
  • Some method of out-of-band management in case of failure: All NetScreen devices have a serial port that can be addressed via modem or direct connection.
  • Configuration backup/restore: The NetScreen configuration can be backed up and restored either in-band or out-of band using the Web or CLI interfaces. A new configuration can be rolled back if something goes wrong during the download.
  • Remote diagnostics: NetScreen has extensive remote test capabilities, including ping and trace route response. These can be configured to respond only to certain source addresses so as not to expose the firewall to Ping flood attacks.
  • Enable customer management of remote access user accounts: NetScreen Global Pro has Role Based access to its management system, allowing the ISP to define what the customer can access and what rights they have.
  • Single-point administration of multiple devices from ISP NOC: All the management information is held in one central database system that provides access from several management stations (both are NT based for now).
  • Configuration change audit trail: All NetScreen device changes are logged in a separate log that requires a higher security clearance to access.

Monitoring:

  • Enable remote monitoring from ISP NOC: All NetScreen devices support SNMP through a private and public MIB. NetScreen also provides monitoring services in Global Pro.
  • For site-to-site tunnels, traffic stats: NetScreen devices can record response times either using Ping or by recording time information with each log record. The Traffic Shaping feature also provides bandwidth management decision statistics.
  • For remote user tunnels, user session stats: Same as site-to-site except that all the recording is done at the NetScreen device level. The Remote VPN does not log performance information.
  • Configurable real-time alerts: Each security policy rule can cause an SNMP Trap and/or cause a pager alert to be called by the SNMP station or the Global Pro management console.
  • Event logging, stored locally and aggregated centrally: NetScreen devices collect their data locally and send the data to a standard SysLog. The information contained in the log provides ample information to identify attack profiles and to implement usage accounting at the user or group level.


Firewall Features:

  • Stateful inspection and/or application proxy firewall: NetScreen is a fully configured Stateful Inspection firewall that also uses application-specific proxies. Some proxies only kick in when the firewall's IDS functions detect the possibility of a DoS attack.
  • ICSA certification: All NetScreen devices are ICSA and VPNC certified and are current in their test standings.
  • Network/Port address translation: NetScreen supports NAT and PAT. It also supports N-to-M address and port mapping, which is used for VPN relay.
  • DMZ option: All NetScreen devices except the NetScreen-5 are delivered with built-in DMZ support.

VPN Features:

  • IPSec support for ESP, 3DES, SHA-1, and Diffie-Hellman Group 2: All NetScreen devices are fully IKE IPSec compliant, supporting:
    1. ESP
    2. DES and 3DES
    3. SHA-1 and MD5
    4. Diffie-Hellman Group 2
  • IKE automated key management
  • IPSec or IPSec/L2TP for remote access
  • IPSec/IKE-level diagnostic tools: All NetScreen devices support SNMP requests to test a tunnel using a Ping and report the status. This test can be recurring to assure continuous status verification and to keep the tunnel active when there is no traffic, for faster startup when traffic does happen. Global Pro also provides similar tunnel verification capability.
  • VPN Authentication: VPN tunnels can be created using:
    1. Manual IPSec
    2. IKE using shared secrets
    3. IKE using X.509 certificates

    Currently, certificates can be cut-and-pasted into the device's VPN configuration.

  • Authentication: Pre-Shared Secret, X.509, and RADIUS (for remote users)

Authentication:

  • Authentication services: use the following methods:
    1. NetScreen built-in database
    2. Radius server
    3. RSA Secure-ID Server (NetScreen has a built-in Ace Client)
    4. LDAP database
    5. X.509 Certificates, which have been verified with the major CAs.


A La Carte Options:

  • Content-filtering plug-in: No - NetScreen considers that Anti-Virus and Content Filtering are better implemented beyond the firewall, allowing the firewall to operate without causing a bottleneck. Most solutions have server, Proxy or Promiscuous Mode versions that can be implemented independently of the firewall.
  • Intrusion detection plug-in: No - but NetScreen's built-in support for 16 of the main intrusions provides about twice as many built-in IDS detection services as other firewall products. If the customer needs greater protection, they should purchase a full-function IDS.
  • Antivirus scanning plug-in: No - Same as Content filtering above.
  • URL Filtering plug-in: NetScreen has a WebSense interface.
  • Prices: Bundled Hardware, Software & Support Program: Product prices are very simple since there are no options in NetScreen devices. These are:

    Distributed Mid-Sized Business

    Device              List Price   Bundled Hardware Maintenance, Software Support & 7x24 Customer Support (Annual)
    NetScreen-5 Elite   $995         $150
    NetScreen-10        $3,995       $600
    NetScreen-100       $9,995       $1,500

We understand that IPRVnet intends to pass capital equipment costs along to customers by incorporating CPE purchase as a line item in service activation fees. We therefore recommend that IPRVnet should become a full-fledged NetScreen reseller, with all the responsibilities and privileges that this entails.

Since this is a public document, we will leave the discounts out at this time. Needless to say, these are industry standard.

  • Unbundled fees: The fixed cost maintenance options are:
    1. HW maintenance at 5% of equipment price,
    2. Annual SW subscription service at 15% of equipment price,
    3. 24X7 telephone support at 10% of equipment price.
  • Available upgrades:
    Software updates are available through the yearly Software Support program. Major software releases can also be purchased separately. There is no Hardware Upgrade policy at this time.
  • Vendor rated capacity:
      • Site-to-site tunnels: Most site-to-site links are established using VPN since it is sometimes difficult to predict what type of valuable corporate data will be exchanged. However, if there is a need for speed and the data is less critical, the NetScreen devices can operate in non-encrypted mode at line speed. You could also use DES which will almost be at line speed.
      • Remote access tunnels: These are generally limited by the line speed because both the PC and the NetScreen device have much more processing power than the line allows, even if the user is on a fast Ethernet link.
      • Encrypted throughput: Certain links could be established without Site-to-site speed depends on the devices being used. The 3DES/SHA-1 performance for each of these devices is:

        3DES/SHA-1 Performance

        Product         1600 byte packets   64 byte packets
        NetScreen-5     13.3 Mbps           2.0 Mbps
        NetScreen-10    16.6 Mbps           2.5 Mbps
        NetScreen-100   190.0 Mbps          30 Mbps
  • Deployment:
      • Equipment pre-configuration: Devices can be rapidly pre-configured by downloading a standard config and an IP address in less than 5 minutes.
      • Plug and play by non-technical staff: Non-technical staff should be able to plug these devices in since there are only 2 or 3 ports, which are properly labeled.
      • Defective Device Swap-out Strategy: Devices are on warranty for the first 90 days.
