- Review Price: £294.00
Juniper Networks is without doubt one of the largest vendors of security appliances and the NetScreen-5GT represents the starting point of this extended family. It delivers an impressive array of defence mechanisms aimed primarily at small businesses and remote offices, home workers using broadband and other areas such as retail outlets.
The price depends on the features you require and starts at £250 for the basic unit, which includes support for 10 IP addresses on the LAN, an SPI firewall, up to 10 site-to-site VPN tunnels, DoS protection and traffic management capabilities. Integrated anti-virus scanning comes courtesy of Trend Micro, which costs an extra £100 for a yearly subscription, while web content filtering from SurfControl adds a further £170 to the asking price. Alternatively, for around £600 you can go for the Plus model, which has no restrictions on the number of users and includes anti-virus scanning and Juniper’s Deep Inspection technology, which uses a signature database to detect and block Internet-borne attacks.
Despite its compact dimensions, the 5GT packs a fair punch in the hardware department with a 400MHz Intel IXP425 network processor accompanied by 64MB of SDRAM and 32MB of Flash memory. The WAN port can connect the device to an ADSL or cable modem or provide a direct link to a router, and four Fast Ethernet ports are provided for the LAN connections. The serial port can be used as an Internet backup modem link, but this is only available in the Plus version.
Initial installation is straightforward, and the well-designed browser interface fires up a quick start-up wizard that helps you choose between transparent Layer 2 bridging and Layer 3 routing. We opted to use the latter mode as it meant that the appliance could perform NAT on all LAN IP addresses.
The first feature that makes the 5GT stand out is security zones, which are used to create physical network segments where different policies can be applied. The WAN port, for example, can be bound to an untrusted zone while the LAN ports can be placed in a trusted zone. This allows various port mode combinations to be offered for different working scenarios. Home workers could select the Home-Work mode, which uses three zones to allow Internet access but segregates work-related traffic from personal usage. With an ActionTec intelligent ADSL modem connected to the untrusted port, we left the internal DHCP server to dish out IP addresses and had Internet access available for our test clients in a few minutes.
Inbound and outbound traffic is managed by policies which determine what should be allowed through. These can be applied to all clients or specific addresses, and the appliance maintains a customisable address book for each security zone. Essentially, a policy is applied to a traffic direction, a set of addresses and a service, and contains an action that either permits or denies the traffic or, where a VPN connection between appliances exists, tunnels it. Each policy can include service groups, and the 5GT also contains specific entries for SIP (Session Initiation Protocol), allowing policies to be created to guarantee bandwidth for VoIP (Voice over IP) applications.
The Screening menu toughens things up even more with defences against a variety of flood attacks, protection against DoS attacks and blocks on ActiveX and Java content along with downloads of executable and ZIP files. Web content filtering doesn’t get any better, and this can be handled by either SurfControl or Websense – two heavyweight service providers. For SurfControl you can either use your own internal database or select the feature which redirects web requests to an externally hosted service, as used by the WatchGuard Firebox X15w. You can use the entire database to block all objectionable content or create custom profiles containing selected SurfControl categories which can be blocked or permitted. As we’ve found in previous tests, there’s little that gets past SurfControl: users who attempt to access banned sites receive a curt warning message in their browser and the attempt is logged by the appliance.
The Trend Micro anti-virus scanner receives automatic signature updates and, along with all the other security features, can be activated in different policies depending on what traffic you want scanned. We found it comparatively fiddly to set up, but email and web content can be scanned; infected content will be dropped and a warning message placed in a web page or dodgy email. For VPN support you get a licence for up to ten site-to-site tunnels and, although dial-up VPNs are supported, the client packs for this add more to the total, with ten costing around £250. However, Juniper does provide plenty of wizard-based help and extensive documentation to aid setup.
The NetScreen-5GT is undoubtedly a powerful little security appliance that offers good overall value, as its wealth of optional features can be customised to suit just about any requirement. However, very small businesses with limited IT skills may find it overly complex to configure and would be better off with simpler, lower-cost products such as those offered by SonicWALL or WatchGuard.