A pretty interface is not enough: integrated firewall and VPN security just make sense - Cover Story

Communications News, Sept, 2002 by Mark Alexander

When divine Inc. acquired the assets of MarchFirst (three central sites in the Chicago area and 19 throughout the United States), Chuck Horvat, a founding member of Chicago-based divine and its director of network services, wondered how to securely integrate these 22 new networks into the existing corporate network. He had no desire to buy separate firewalls for each. So Horvat and his engineers evaluated security solutions and found one that made sense: an integrated firewall/virtual private network (VPN) appliance.

Shortly after the acquisition, MarchFirst filed for Chapter 7 bankruptcy. The divine network services team had only six weeks to integrate the company and build a secure wide area network from scratch. Complicating matters was the nature of the acquisition: divine did not inherit any established network circuits or commitments. MarchFirst's sites were geographically dispersed, each with its own circuits and, in some cases, leased equipment.

Prior to the acquisition and under its original business model, divine's entry-level boxes supported only 1,000 concurrent TCP/IP sessions and 10 VPN tunnels. "We decided to try using one NetScreen 5 from NetScreen Technologies of Sunnyvale, CA, for the initial test of isolating our mail infrastructure, which obviously in a session count wasn't appropriate, but we thought, 'what the heck,'" says Chad Knupp, senior network engineer. "We had a tunnel up and running within an hour. We pumped almost 6 Mbps of DES (data encryption standard) through it, which is pretty impressive performance for an inexpensive appliance that fits in the palm of your hand."

FULL RANGE OF SECURITY FUNCTIONS

Early in 2001, based on the success of that trial, divine bought its first firewall/VPN system-level product. Horvat and his team settled on the NetScreen 1000 platform, which offered virtual local area network trunking with multiple security functions integrated into a single device. The purpose-built security appliances included VPN, firewall, denial-of-service (DoS) protection and authentication. While the product was easy to deploy and had an intuitive GUI, application-based security integration proved to be the key differentiator.

"We like to keep up to date," says Horvat. "For years, I had been begging for features and integration that we now have in this appliance-based box for under $500.

"I like appliances that are targeted for specific purposes," he says. "With security solutions, I believe in having a custom operating system, and hardware with no moving parts. Why have a hard drive for a firewall when you don't need it? Why have unnecessary points of physical failure? An appliance-based approach makes sense to me."

Using a custom operating system and application-specific integrated circuit (ASIC) technology to accelerate firewall/VPN security and optimize network performance, the appliances eliminate the traditional performance choke points experienced by software-based security solutions running on general-purpose PCs.

A COMPLETE SECURITY CHANGEOVER

"It would be a nightmare to manage multiple flavors of firewalls and expect to have reliable connectivity among those firewalls," says Horvat. "We were moving so aggressively that we didn't have time to deal with those kinds of reliability issues. NetScreen had a security solution that was just the right size for each one of the new facilities."

divine, which provides enterprises with content management, managed hosting, customer relationship management and consulting services, installed one NetScreen 1000 for the Chicago hub. The appliance provides 2-Gbps throughput and up to 25,000 VPN tunnels. Its performance impressed the engineers, as did its stability and manageability. With only a handful of engineers at divine, manageability is crucial.

The company also installed two NetScreen 204s in Burlington, and NetScreen 10s and 25s for the remaining sites. According to Horvat, the systems offer good overall cost-performance and no complex licensing schemes--charges were not based on the number of IP addresses. Most NetScreen products support an unlimited number of users.

"The cost for a new box was less than simply renewing the maintenance for the previous vendor used by MarchFirst," says Horvat. "By moving from that frame relay network to NetScreen VPNs and the Internet, we eliminated about $41,000 in monthly costs."

Having a full range of products from which to choose under one vendor simplifies everything, says Horvat. In addition, the Web interface has been getting more flexible and the command line getting more features. Code issues also get immediate attention. "When some of our offices fell victim to the Code Red virus," says Horvat, "the infected internal systems were performing a DoS within our network. NetScreen turned around some code revisions that dealt with the problem quickly."

SOLUTION PROVES ITS STABILITY

When divine first deployed the infrastructure, once the 25 units came online, they stayed up. "They just don't crash," says Knupp. "They are unusually stable, extremely reliable." Occasionally, Knupp admits, he has to make a configuration tweak, but the debugging tools make it easy to find the problem and solve the issue. Knupp also likes the fact that when he is bringing up an IKE (Internet key exchange) tunnel between the VPN appliance and a third-party product, he can accept any proposal dynamically. Despite differing terminology among firewall vendors, he can get a tunnel up with whatever settings the other firewall proposes, and then see exactly what configuration is needed to lock it down.

Content provided in partnership with Thompson Gale