
Intrusion Prevention: Juniper Networks' ISG 2000 with IDP


This article can also be found in the Premium Editorial Download: Information Security magazine: Tips for navigating the maze of global security regulations


ISG 2000 with IDP

Juniper Networks
Price: Starts at $42,500



The marriage of firewalls and intrusion prevention makes good sense, as IPS technology matures and gets serious enterprise interest. Juniper Networks' ISG 2000 appliance combines firewall, VPN and its latest intrusion detection and prevention software in an effective, high-performance package.

Installation/Configuration B+  
The ISG 2000 is a multigigabit integrated firewall/VPN system with a modular architecture that allows it to scale and adapt to different deployments. To add IDP, an organization must purchase an advanced license, possibly add memory, and buy up to three security modules, depending on its usage and throughput requirements.

ISG with IDP tightly integrates the software available on standalone IDP products with ScreenOS 5.4.0r2, a security-specific operating system with the capacity to handle high-speed, high-volume traffic inspection.

Although the appliance offers a console for configuration, the best approach is to use NetScreen Security Manager (NSM), a dedicated Red Hat Linux or Solaris console for managing Juniper security products. The final component is the management client, a user interface installed on an administrator's machine (Windows or Linux) to configure the ISG and any other ScreenOS-based devices on the network.

The user interface is designed well but still complex because of the number of settings and features available. When the device is added, NSM automatically detects the OS and the installed license, and enables/disables appropriate features accordingly. Adding IDP rules is easy and similar to adding firewall/VPN rules. Juniper provides a rich database of checks that can be used to match and drop, or just log the attack traffic between specified sources and destinations.

Effectiveness/Performance A  
Juniper Networks' Multi-Method Detection (MMD) technology uses up to eight different intrusion detection methods, including stateful signature, protocol and traffic anomaly detection, and backdoor detection.

We tried, without success, to dupe the ISG 2000 using a variety of detection-evasion techniques such as splicing and fragmentation, while executing DoS and OS exploit attacks. We were amazed to see how little all those attacks affected the performance of this beast, which leverages a fourth-generation security ASIC, the GigaScreen3, along with high-speed processors.

NSM lets you view the code of the current checks and create your own checks within the IDP database.

Administration B  
As with any access control system, it is imperative that the IDP rules be verified and updated at regular intervals against the normal traffic flow. It's easy to set up daily updates and many other tasks, such as importing updated configurations and rebooting devices. The management interface can be used to specify actions such as SNMP, syslog or email alerts when specified criteria are matched. Because NSM stores all the required information on the server, device and log backups can be handled like those of any other system.

Reporting B+  
NSM's reporting module is a powerful and intuitive tool, with multiple predefined reports grouped by type of data, including firewall/VPN, IDP and administration. Each grouping includes many report templates for top attacks, attackers and targets, giving comprehensive information with graphs. You can also create custom report queries and run them automatically. Reports can be exported only in HTML format.

ISG 2000 with IDP is an excellent appliance that offers a powerful combination of effectiveness and performance, flexibility and manageability, and low cost of ownership.

Testing methodology: We set up a lab with Windows and Linux PCs sending legitimate as well as malicious traffic back and forth through ISG 2000.

This was last published in February 2007
