Firewall / VPN Technical Overview
Student Guide
A-FWVS-0014-EN-03-A01 Page 1

NOTE: Please note this Student Guide has been developed from an audio narration. Therefore it will have
conversational English. The purpose of this transcript is to help you follow the online presentation and may
require reference to it.

1. Course Overview

Welcome to the Firewall/VPN Technical Overview.


In the first section we'll talk about our products and services, followed by the Universal Security Gateway
Architecture. We'll then talk about VPNs and their advanced features. Finally, we'll make a brief analysis of
the competitive market.

2. Module Objectives

On completing this course you will be able to


• Explain ScreenOS and the hardware architecture,
• Explain the difference between Interfaces, Zones, and VRs,
• Explain the Transparent Mode vs. Route Mode,
• Discuss Firewall features
• Discuss NAT functionality
• Discuss Site-to-Site and Remote Access IPSec VPNs
• Discuss advanced features – Dynamic Routing, Antivirus and Deep Inspection,
• Contrast Juniper Networks to major competitors, and
• Demonstrate the Juniper Networks Firewall/VPN WebUI Admin Tool.

3. Products and Services

4. Section Objectives

Now, let's discuss the features of the Juniper Networks range of FW/VPN devices.
After completing this section you'll be able to
• Describe current network security requirements.
• Describe Juniper Networks layered security solution.
• Describe the addressing of security requirements by Juniper Networks.
• Describe Juniper Networks purpose-built hardware platform and its performance.
• Describe ScreenOS.
• Describe the Juniper Networks layered security solution.
• Describe the Juniper Networks NetScreen Security Manager, and
• Identify the different Juniper Networks firewall/VPN products and the ideal customer for each.

5. Current Security Requirements

Can you imagine a virus, which doubles every eight seconds and deletes a particular file in every machine
on the network? Think of the virus SQL Slammer. It replicated every eight seconds and brought down large
sections of the Internet. It's not difficult to think of the havoc it would create if it started deleting files.
Today's security requirements are very complex. It's no longer sufficient to protect networks from external
attacks. It's important to protect networks against attacks that are launched internally from machines that
have legitimate network access, yet are roaming in an unauthorized manner, or launching a malicious
attack.
The Juniper Networks Firewall/VPN solution has been specifically designed to protect networks against all
types of security weaknesses.

6. Juniper Networks Layered Security Solution

The Juniper Networks broad line of innovative, scalable network security solutions allow networks to be
secured cost-effectively without sacrificing performance. Juniper Networks firewall, VPN and intrusion
prevention solutions use multiple layers of defense to provide networks with security, ensuring that critical
assets are well protected. Juniper Networks has the answer for everyone from service providers looking for
new services to enterprises looking for comprehensive network security solutions.

This image shows Juniper Networks multiple-layered security solutions. Starting from the right, VPNs
secure access from remote locations. Firewall and user access management are applied to incoming traffic
from remote locations and from the internal network to increase security. The popular in-line network
antivirus solutions are available for the entire Juniper Networks product line. Intrusion Detection and
Prevention devices concentrate on looking for known network attack patterns. Instead of concentrating on
reading packet headers, the IDP concentrates more on the data payload itself.
Juniper Networks solutions scale well. Although it is possible to implement a subset of features on one
device, most sophisticated security solutions spread the load and the responsibilities across different
devices located in various strategic locations.

7. Layered Security Solution Overview

Juniper Networks addresses all security concerns in a network with tightly integrated, purpose-built
appliances.
Juniper Networks has a purpose-built network aware security appliance with built-in high availability and
resiliency. This includes a Stateful inspection firewall, an IPSec VPN, denial of service protection, and
access control. Juniper Networks complete line of solutions can be installed at the core infrastructure, in a
regional office, or a remote office, or even in a small business/telecommuter/home office environment.
For remote users, remote office, and partner communications connecting to a Juniper Networks NetScreen
solution, Juniper Networks includes a VPN client and personal firewall to protect the end-user PC.
Intrusion prevention automatically detects attacks and prevents them from inflicting damage. With security
zones, the rigid concept of trust, untrust, and DMZ is no longer required. Now, these security zones can
be user defined. This gives IT departments the ability to easily define and manage security policies for
internal and external network segments, each with its own firewall. Network segmentation protects critical
resources from unauthorized roaming users and network attacks.
To protect the internal network, Juniper Networks NetScreen layered security solution combines a high
physical interface density with virtualization capabilities such as security zones, virtual systems, virtual
LANs, and virtual routers. With virtual systems, virtual LANs and virtual routers, IT departments can
become even more granular in their security deployment and management – all within a single box.
Centralized management using the Juniper Networks NetScreen Security Manager across the entire range
of security products simplifies configuration, deployment, and management.

8. How Juniper Addresses Security Requirements

Juniper Networks addresses all of today's security requirements. Juniper Networks purpose-built hardware
platform and security specific operating system is geared for high performance. Juniper Networks
integrated set of security applications protects networks with multiple security layers. Of course, the IDP
can also be used separately. A wide range of advanced security functionalities, such as different route
modes, a high physical interface density, and virtual systems ensure security.
Juniper Networks makes performance, reliability and a high return on investment an integral part of
corporate security strategy.

9. Purpose-Built Hardware Platform

Rather than a patchwork solution, Juniper Networks has created an integrated high performance security
solution. "Under the hood" a high performance ASIC is coupled with a RISC CPU and a high speed
communications BUS, all of which are controlled by a security specific, real time operating system. In fact,
the Juniper Networks NetScreen firewall is the first with security functionality embedded into an ASIC to
maximize performance and throughput. By performing computationally intensive tasks in silicon, Juniper
Networks NetScreen security solutions perform far better than software firewalls.
Seamlessly integrated into the operating system are an ICSA certified Stateful inspection firewall and IPSec
VPN, along with traffic management and denial of service protection mechanisms. Additionally, a set of
built-in networking features allows easy integration of Juniper Networks solutions into different networks.

10. Purpose-Built Hardware Platform

Juniper Networks hardware platform eliminates OS hardening and eases network integration. The single
platform solution ensures application interoperability. It also means that, unlike the competition, Juniper
Networks platform, networking functions, OS, and applications can be easily managed from a single,
centralized console. Juniper Networks purpose-built hardware platform will at least match if not exceed all
performance requirements.

11. Performance: Advanced Hardware Design

Most competitor security devices are simply modified conventional network PC/server devices. Such
solutions usually don't perform well and are subject to a wide range of attacks on the underlying platform.
The Juniper Networks firewall optimizes processing in a linear fashion, eliminating processing delays
caused by traversing different APIs. Juniper Networks streamlined processing also helps eliminate
unpredictable behavior.
With other types of solutions, the processing is more convoluted, interacting regularly with the RAM and the
BUS, making performance less predictable and far from optimized.
In short, Juniper Networks hardware design is not only hard-working, it's smart as well.

12. ScreenOS

ScreenOS is the operating system used to operate and leverage the entire Juniper Networks product
line. ScreenOS works consistently whatever the activity: configuring basic network connectivity,
routing protocols, firewall rules, DoS attack thresholds, or complicated IPSec VPNs. ScreenOS
removes the hundreds of sub-prompts that come with operating systems bolted together and with different
logic patterns for different configuration areas.

The ScreenOS controls all networking and security functionality. Tightly integrated with the hardware
platform, the ScreenOS was written specifically to perform network security tasks in real-time. It includes
security applications and makes network integration easier, thereby boosting security in typical corporate
networks.

13. ScreenOS

ScreenOS improves security. It's easy to patch and easy to update.


ScreenOS allows Juniper Networks NetScreen security device to quickly adapt to changing security needs,
improves performance, and speeds up deployment.
ScreenOS integrates firewall, VPN, attack blocking and traffic management in one device.
ScreenOS links itself to another identical firewall device and maintains constant connection with it. This
ensures a smooth and complete redundancy if and when any failure occurs.
ScreenOS' dynamic routing protocols can understand and respond to the changing network environment,
thereby increasing network resiliency.

14. ScreenOS

A logical-construct security zone allows the Firewall administrator to apply specific security policies to the
traffic that enters or leaves certain designated areas of the network. One single Juniper Networks firewall
can have multiple security zones. This allows network administrators to sub-divide the internal network and
control internal traffic instead of simply viewing security as an inside vs. outside proposition.
Virtual Routers allow the route table inside the firewall to be sub-divided. This allows only certain networks
to be "routable and reachable", and shields other networks from view. Virtual Routers also simplify the
management of mappings between inside private IP addresses and outside public IP addresses.

15. ScreenOS

The Juniper Networks Firewall can operate either as a Router or Layer-2 Switch and offers a full-range of
Address Translation options, which increases network security.
The ScreenOS allows configurable threshold settings, which determine when to respond to different types
of DOS attacks. Sensitivity levels in ScreenOS can be adjusted independently for each security zone.
The Juniper Networks firewall supports NAT traversal allowing IPSec VPN tunnels to be established through
NAT, PAT, or NAPT devices.
ScreenOS manages traffic by allocating bandwidth and prioritizing traffic, which optimizes bandwidth use.
Most Juniper Networks firewall products can dynamically acquire IP addresses via PPPoE and DHCP. This
means that ScreenOS can deploy VPNs with remote clients who have dynamically assigned IP addresses.

16. NetScreen Security Manager

Juniper Networks NetScreen Security Manager is based on a new architecture, which delivers
comprehensive device and policy based management and is designed for security, scalability, and
flexibility.

With comprehensive policy and device-based management, customers receive the benefits of both
approaches, while eliminating drawbacks. The Security Manager:
• Manages every phase of the security lifecycle, including designing, deploying, configuring, monitoring,
maintaining, upgrading, and adjusting,
• Manages all levels including device, networking and security policies,
• Provides the needed power, tools, access and control to the right groups and is good for both experts
and novice users,
• Provides support to perform activities at the device or management level,
• Provides immediate insight into the overall security scenario, from conceptual to detailed device-specific
level,
• Provides flexibility of full device configuration, with the simplicity of policy-based management,
• Allows for creating general rules, and exceptions to rules where required by individual devices, and
• Handles devices and the management system as a dynamic, integrated system, where each component
has a complementary function.

17. NetScreen Security Manager

The Juniper Networks NetScreen Security Manager can be deployed easily without the need for pre-staging
a device, or any technical expertise at the point of installation.
The IDP Security Module on the ISG platform along with the IDP 4.0 sensors can only be managed by NSM.
Also, the Juniper Networks NetScreen Security Manager can deploy new devices into the network at remote
locations. It allows the administrator to generate a configuration file, which is then encrypted and emailed
to the remote site for easy importing into the remote firewall device. After the start-up configuration file is
validated, the configuration is automatically updated.
With the Juniper Networks NetScreen Security Manager, you can get new devices up and running quickly
reducing provisioning time and cost. The Juniper Networks NetScreen Security Manager has reduced
installation to just four clicks.
The Statistical Report Server is used to store information about the managed FW/VPN devices in your
network. It can then use this information to generate reports enabling administrators to further view and
analyze information about your network security deployment.

18. NetScreen Products & Target Market



Juniper Networks has a complete line of Firewall / VPN products to meet every customer's needs.
The Juniper Networks NetScreen 5 is ideal for remote security and small organizations.
The Juniper Networks NetScreen-25 and NetScreen-50 are complete security solutions for enterprise
branch and remote offices, as well as small and medium size companies.
While the Juniper Networks NetScreen-200 series is ideal for mid-sized enterprises, both medium and
large enterprises will find Juniper Networks NetScreen-500 of value.
The Juniper Networks NetScreen SSG 520 and 550 are designed to manage both small and medium size
enterprises and will eventually replace the current NS 25, 50, and 200 series of firewalls.
Juniper Networks NetScreen-ISG 1000 and 2000 provide medium and large organizations with the best
FW, VPN and Intrusion Prevention for secure connectivity and network and application-level attack
protection.
Juniper Networks NetScreen-5000 series delivers high-performance security to large enterprise, carrier,
and data center networks.

19. Section Summary

In this section you've learned to


• Describe current network security requirements.
• Describe Juniper Networks layered security solution.
• Describe the addressing of security requirements by Juniper Networks.
• Describe Juniper Networks purpose-built hardware platform and its performance.
• Describe ScreenOS.
• Describe Juniper Networks layered security solution.
• Describe the Juniper Networks NetScreen Security Manager, and
• Identify the different Juniper Networks firewall/VPN products and the ideal customer for each.

20. Learning Activity #1 Question 1

21. Learning Activity #1 Question 2

22. USGA Architecture

23. Section Objectives

Now, let's discuss network security architecture with specific reference to Juniper Networks products and
solutions.
After completing this section you'll be able to
• Describe security architecture components.
• Describe security device requirements.
• Describe the Transparent Mode.
• Describe the Layer 3 Operations Mode.
• Describe the Firewall/VPN decision process/packet flow.
• Describe Stateful packet inspection, and
• Describe NAT.

24. Security Architecture Components

Let’s quickly review common security architecture components and their functions.
Interfaces are connections to specific subnets. An interface is assigned an IP address and thereby
associated with an IP subnet.
Interfaces and subnets are grouped logically into zones. All devices within a zone share the same security
requirements. Zone configuration can be a simple two-zone setup, where all interfaces within the internal
network are in one zone and all other interfaces are in a different zone. More complex configurations create
zones based on internal departments and on the external and DMZ connections.
Juniper Networks firewalls use zone-based policies to implement network security. Security policies specify
the parameters that determine which traffic passes through the firewall. Policies are usually implemented
on a zone-by-zone basis.

25. Security Architecture Components

A virtual router or VR is a logical routing construct, which maintains its own routing table and routing logic.
In order for traffic to flow between VRs, inter-VR routing must be configured.
The forwarding table determines the outbound interface for a particular packet. It consists of IP networks if
the device is operating in the Layer 3 mode, and MAC addresses if the device is operating in the Layer 2
mode.
A virtual system or VSYS is a logical division of the network into different administrative areas. Each VSYS
operates its own firewall with its own set of policies. Juniper Networks firewalls are the only firewalls to
support VSYS.

26. Security Device Requirements

Let's quickly review the requirements of various security devices, their components, and functions.
An in-line security device must be able to forward the traffic that it receives. This means that it must be
able to track MAC addresses on a per-port basis so that it can make intelligent forwarding decisions, like
an Ethernet transparent bridge. If the device operates with full IP intelligence, the device must also be able
to participate in IP routing.
Fundamental firewall intelligence implies the ability to filter based on packet header information. When
packets are received by a firewall, they are evaluated and are either allowed to pass through or are
dropped.
Security devices at the edge of a network must also be able to translate private, non-routable addresses
to public addresses before the traffic is sent to the public network.
Security devices used to build VPNs must be able to
• Authenticate the originating device as a part of the VPN,
• Encrypt the original packet for additional security on the public network, and
• Encapsulate the original traffic in a packet that can be transported over the public network.

27. Transparent Mode

Firewall devices can operate in either Router or Transparent mode. In Transparent mode, no changes are
required in the network. The security device can be simply "dropped in" without changes in the IP
addressing scheme.
In transparent mode, firewall policies are not restricted to directly connected subnets.
Increased security is another plus point with Juniper Networks VPNs because they can be terminated on the
security device. Security is also increased because the network can be segmented into security zones
based upon the sensitivity of resources, thereby providing greater traffic control.

28. Layer 3 Mode

It is important to note however that the default setting for a firewall device is the layer 3 or route mode.
Unlike the transparent mode, in the layer 3 mode, each interface has its own IP address. Therefore,
forwarding decisions between interfaces are based on IP addresses, instead of MAC addresses.

29. NetScreen Decision Process / Packet Flow

When Juniper Networks firewalls receive a packet, they have two choices: forward the packet or discard
it. The firewall makes up to four evaluations before taking this decision.
If the packet is associated with an existing session, then the information is in the session table and all
traffic from that session is permitted without further evaluation.
If the packet is not associated with any existing session, the firewall checks whether the destination
address is reachable. If the destination is unreachable, the packet is dropped.
If the destination is reachable, the firewall checks to see if the packet will cross zones. If the packet is not
crossing zones, the packet is forwarded and the session is added to the session table.
If the zones are different, the firewall checks if the traffic is permitted by the policy. If the flow information
is not permitted, the packet is dropped. If the flow information from the packet is permitted by the policy, it
is forwarded, and information for this traffic flow is added to the session table so that subsequent packets
for this session are forwarded as efficiently as possible.

30. Stateful Packet Inspection

Juniper Networks devices use Stateful inspection, a dynamic packet filtering method, to secure network
connections. Firewalls use Stateful inspection to collect information from a packet header, such as source
and destination IP addresses, source and destination port numbers, and packet sequence numbers. The
devices maintain the state of each TCP session or UDP pseudo-session and ensure a proper interpretation
of the communication session. When a responding packet arrives, the firewall compares the information in
its header with the state of the associated session in the inspection table. If they match, the responding
packet passes through the firewall; otherwise the packet is dropped.
Juniper Networks firewalls stand out because they secure a network, using Stateful inspection to
determine whether connection attempts crossing an interface are allowed to do so.
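As an added example that is not code from the guide or from ScreenOS, here is a small Python model of the four-step first-packet decision from section 29 together with the session-table match from section 30. The interface names, zones, prefixes, addresses and the single policy are constructed for illustration, and the session match is simplified to the 5-tuple (no TCP sequence-number tracking).

```python
# Model of the first-packet decision (session -> route -> zone -> policy) and
# of the session table that lets reply packets through without re-evaluation.
# All interfaces, zones, prefixes, addresses and the policy are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src_net: str
    dst_net: str
    proto: str
    dport: int
    action: str     # "permit" or "deny"

    def matches(self, pkt: Packet, in_zone: str, out_zone: str) -> bool:
        return (self.from_zone == in_zone and self.to_zone == out_zone
                and self.proto == pkt.proto and self.dport == pkt.dport
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


class Firewall:
    def __init__(self, routes: List[Tuple[str, str]], zones: Dict[str, str],
                 policies: List[Policy]) -> None:
        self.routes = [(ip_network(prefix), ifname) for prefix, ifname in routes]
        self.zones = zones              # interface name -> zone name
        self.policies = policies        # evaluated in order; first match wins
        self.sessions: Dict[tuple, str] = {}   # 5-tuple -> why it was installed

    def _egress_interface(self, dst: str) -> Optional[str]:
        """Route lookup: longest-prefix match over the forwarding table."""
        best = None
        for net, ifname in self.routes:
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None

    def process(self, pkt: Packet, in_if: str) -> Tuple[str, str]:
        """Return (verdict, reason) for a packet arriving on interface in_if."""
        fwd_key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Existing session? Both directions of an installed flow pass without
        #    another policy lookup (simplified: 5-tuple only, no TCP state).
        if fwd_key in self.sessions or rev_key in self.sessions:
            return "forward", "existing-session"
        # 2. Is the destination reachable?
        out_if = self._egress_interface(pkt.dst)
        if out_if is None:
            return "drop", "no-route"
        # 3. Does the packet cross zones? Intra-zone traffic is forwarded as-is.
        in_zone, out_zone = self.zones[in_if], self.zones[out_if]
        if in_zone == out_zone:
            self.sessions[fwd_key] = "intra-zone"
            return "forward", "intra-zone"
        # 4. Inter-zone traffic must be permitted by policy; the default is deny.
        for pol in self.policies:
            if pol.matches(pkt, in_zone, out_zone):
                if pol.action == "permit":
                    self.sessions[fwd_key] = "policy"
                    return "forward", "policy-permit"
                return "drop", "policy-deny"
        return "drop", "no-matching-policy"


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: two trust subnets behind one firewall, one untrust link."""
    fw = Firewall(
        routes=[("10.1.1.0/24", "eth1"), ("10.1.2.0/24", "eth2"), ("203.0.113.0/24", "eth0")],
        zones={"eth0": "untrust", "eth1": "trust", "eth2": "trust"},
        policies=[Policy("trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", "tcp", 443, "permit")],
    )
    return [
        fw.process(Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 443), "eth1"),  # permitted
        fw.process(Packet("tcp", "203.0.113.10", 443, "10.1.1.5", 40000), "eth0"),  # reply
        fw.process(Packet("tcp", "10.1.1.5", 40001, "203.0.113.10", 23), "eth1"),   # no policy
        fw.process(Packet("tcp", "203.0.113.10", 443, "10.1.1.5", 40002), "eth0"),  # unsolicited
        fw.process(Packet("tcp", "10.1.1.5", 40003, "10.1.2.9", 445), "eth1"),      # same zone
        fw.process(Packet("udp", "10.1.1.5", 5000, "192.0.2.1", 53), "eth1"),       # unroutable
    ]
```

The fourth packet shows the stateful point: it comes from the same server and port as the permitted session but does not match an installed 5-tuple, so it falls through to policy and is dropped.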

31. Network / Port Address Translation

Route mode and Network Address Translation (NAT) mode are interface options; NAT converts private address
space to public addresses. This allows Juniper Networks integrated firewall/IPSec VPN devices to be deployed
with IP addresses assigned to their interfaces.
Policy-based NAT provides the flexibility to define exactly what address translation takes place for any given
traffic. Hiding private IP addresses from public view increases security. Juniper Networks integrated
firewall/VPN devices can assign a different mode to each interface, leveraging the advantages of
each mode.
Juniper Networks integrated firewall/VPN devices support Static NAT, Dynamic NAT, Static Port Address
Translation (PAT) and Dynamic Port Address Translation.

32. Section Summary

In this section you've learned to:


• Describe security architecture components.
• Describe security device requirements.
• Describe the Transparent Mode.
• Describe the Layer 3 Operations Mode.
• Describe the Firewall/VPN decision process/packet flow.
• Describe Stateful packet inspection, and
• Describe NAT.

33. Learning Activity #2 Question 1

34. Learning Activity #2 Question 2

35. IPSec VPNs

36. Section Objectives

In this section we'll focus on the Juniper Networks IPSec VPN solutions.
After completing this section you'll be able to
• Discuss different topologies used to set up the IPSec VPNs.
• Explain how policy-based VPNs work.
• Explain how route-based VPNs work, and
• Explain how remote access VPNs work.

37. Background

To begin with, we'll take a look at the connectivity requirements of business organizations today.
Business networks carry vital and sensitive information between remote sites located across the globe. In
order to keep the information confidential and the resources secure, they require a solution that provides
high-performance connectivity, while maintaining network security.

38. Background

Virtual private networks are widely accepted as a viable connectivity solution. VPNs provide a secure
means of transporting private data over a public network infrastructure, such as the Internet. IP Security is
the most widely used protocol for building VPNs.
Juniper Networks offers cost-effective, flexible IPSec VPN solutions, best suited for remote or branch
offices, telecommuters and fixed partner site-to-site connections, where the users have managed
corporate devices and are coming from a trusted network.

39. IPSec VPNs - Topologies



The Juniper Networks IPSec VPN solutions use the Internet as the transport medium and IP Security
protocol to build the VPNs. The IPSec VPNs can be configured between two sites using security gateways.
There are many different topologies to set up the IPSec VPNs.

Let's look at a basic site-to-site topology of IPSec VPNs. This is the simplest form of a VPN connection that
can be established between two sites of an organization.
IPSec uses a method called tunneling, where a single encrypted tunnel is established between gateways
over which the traffic flows.
The identity of the original IP packet is hidden by encapsulating it with a different IP header. The data that
is encapsulated is encrypted.
Thus, IPSec VPNs provide a secure tunnel across the Internet.

40. IPSec VPNs - Topologies

Now let's look at the factors that are to be considered when connecting multiple sites via VPNs. One of the
important factors to understand is the overall layout of the tunnel interconnections. The question is “Which
are the sites in the network that need to communicate with each other?”
One of the options is to use full mesh topology to achieve full interconnectivity between sites.
In a full mesh connection, each site has a VPN to every other site in the network. So, every VPN must be
configured independently. Though this topology provides full connectivity, it's difficult to configure and
maintain for large networks. Furthermore, the Juniper Networks NetScreen-5 series firewall/VPN devices
allow only up to 10 VPNs.

41. IPSec VPNs - Topologies

Another way to connect multiple sites is to use the hub and spoke topology. In this case, a number of
remote sites or spokes can be connected to a central site or hub. The remote sites can reach each other by
relaying traffic through the hub.
The Hub and Spoke topology overcomes some of the limitations of full mesh topology. Because the hub
decrypts and re-encrypts the data being relayed, it reduces the number of VPNs that need to be created.

42. Policy-based VPNs

Let's take a look at policy-based VPNs.


Policy based VPNs require a security policy to determine whether the traffic should flow through a tunnel.
In this case, each IPSec gateway adds a security policy into the header of the IP packet. This policy with the
action of tunnel helps to initiate a tunnel between gateways.
The policy must be bi-directional, because traffic flows in both directions. If traffic matches the
policy, a VPN tunnel is created and the traffic is encrypted and allowed to pass through the tunnel.

43. Route-based VPNs

Another approach to setting up site-to-site IPSec VPNs is by using route-based VPNs.



Route-based VPNs require a tunnel interface and a route that directs traffic to the protected network. The
use of the tunnel interface is determined by the route table.
The tunnel interface specifies all the tunnel parameters and is bound to the VPN configuration. Since the
traffic direction is based on the routes defined in the route table, policies are used only to allow traffic
based on the tunnel end points. However, policies are not required if the tunnel interface belongs to the
same zone as the protected resources.

44. Remote Access VPNs

Now, we'll discuss how to establish an IPSec VPN connection for the remote or mobile users, where the
users have corporately managed devices and are coming from a trusted network. These users require a
secure connection to the network.
In this example, a telecommuter is trying to access the corporate headquarters. To provide a secure
connection, tunnels are built between a remote user's computer and a VPN hub at the headquarters. As
the user will most likely be using a dynamic address, the VPN tunnel must be initiated by the user. Once
the tunnel is established, traffic can flow in both the directions.

45. Section Summary

In this section, you've learned


• About the different topologies used to set up IPSec VPNs
• About the working of policy-based, route-based, and remote access VPNs

46. Learning Activity #3 Question 1



47. Learning Activity #3 Question 2

48. Advanced Features - Firewall / VPN Products

49. Section Objectives

Next, we'll discuss some of the advanced features of the Juniper Networks firewall products.
After completing this section you'll be able to:
• Explain how embedded antivirus technology works on the Juniper Networks NetScreen-5GT and SSG
appliances.
• Explain how Juniper Networks NetScreen ISG series devices use external antivirus technology.
• Explain how the Juniper Networks Deep Inspection solution works.
• Explain how stateful signatures protect the network from data-level attacks.
• Discuss various routing protocols supported by the Juniper Networks firewall/VPN devices.
• Compare source-based and destination-based routing.
• Explain how dynamic routing works.
• Describe the NSRP, NSRP-Lite, and the high availability configurations supported by these redundancy
protocols.
• Explain how virtual systems operate, and
• Discuss how the Juniper Networks firewall/VPN devices can be managed using the WebUI
administrative tool.

50. Embedded Antivirus Technology

To begin with, we'll talk about the antivirus features offered by the Juniper Networks firewalls.
Today, enterprises are alarmed by the speed at which virus attacks are damaging their critical assets.
These attacks are getting more and more sophisticated and are increasing both in number as well as
complexity.
To address this concern, Juniper Networks supports both internal and external antivirus (AV) scanning on
selected products (5GT and SSG). The embedded AV scan engine requires an additional license, whereas the
external AV does not. Juniper Networks supports two embedded scanning engines, Trend Micro and
Juniper-Kaspersky.
The embedded antivirus engine scans incoming e-mail and web traffic, including SMTP, POP3, IMAP
and HTTP along with FTP, thus providing comprehensive virus protection for distributed networks. This is
an ideal solution for small or remote offices and telecommuters that don't handle high volumes of traffic.

51. Embedded Antivirus Technology

In this example, an e-mail with an infected attachment reaches the NetScreen-5GT firewall.
The NetScreen-5GT device scans traffic in-line using Trend Micro's scan engine, and drops the infected e-
mail from the traffic. It then sends a warning to both the sender and the receiver, thus preventing the
viruses from penetrating the network.

52. External Antivirus Solution

Now, let's look at the external antivirus solution offered by Juniper Networks for centralized and regional
sites that deal with large amounts of traffic.
Juniper Networks supports external AV on the ISG products. External AV scanning occurs when the security
device redirects traffic to an external Internet Content Adaptation Protocol (ICAP) AV scan server. External
AV currently supports ICAP v1.0, is fully compliant with RFC 3507, and supports the Symantec scan engine
version 5.0 ICAP server.
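The redirection described above is an ICAP RESPMOD exchange. The following is an added example, not ScreenOS or Symantec code: it builds the RESPMOD request the way RFC 3507 lays it out (an Encapsulated header with byte offsets of the original HTTP request header, response header and chunked body) and maps the scan server's reply status to a gateway action. The ICAP host name, service path and HTTP messages are constructed for the example.

```python
"""ICAP RESPMOD exchange between a security gateway and an external AV scan server.

Added illustration, not ScreenOS or Symantec code. A 204 reply means the scan
server did not modify the content and the gateway may forward it; 200 means the
server returned a replacement response (for AV, the block page); anything else is
treated as a failure and the gateway does not deliver the content.
"""
import re

CRLF = b"\r\n"


def _chunked(body: bytes) -> bytes:
    """Single-chunk HTTP chunked encoding, as ICAP requires for encapsulated bodies."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def _header_block(raw: bytes) -> bytes:
    """Normalise an HTTP header block so it ends with exactly one blank line."""
    return raw.rstrip(b"\r\n") + CRLF + CRLF


def build_respmod(http_req_hdr: bytes, http_res_hdr: bytes, http_res_body: bytes,
                  icap_host: str = "icap.example.invalid",  # constructed, not a real server
                  service: str = "/avscan") -> bytes:
    """Wrap an origin-server response in an ICAP RESPMOD request for scanning."""
    req_hdr = _header_block(http_req_hdr)
    res_hdr = _header_block(http_res_hdr)
    # Offsets count from the first byte after the ICAP header block's blank line.
    encapsulated = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
                    f"res-body={len(req_hdr) + len(res_hdr)}")
    icap_hdr = (
        f"RESPMOD icap://{icap_host}{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"Allow: 204\r\n"                  # the gateway can handle a "not modified" reply
        f"Encapsulated: {encapsulated}\r\n"
        f"\r\n"
    ).encode("ascii")
    return icap_hdr + req_hdr + res_hdr + _chunked(http_res_body)


def split_icap(message: bytes):
    """Return (first line, ICAP headers as a dict, encapsulated section bytes)."""
    head, _, encapsulated = message.partition(CRLF + CRLF)
    first, *rest = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first, headers, encapsulated


def encapsulated_offsets(headers: dict) -> dict:
    """Parse 'Encapsulated: req-hdr=0, res-hdr=60, res-body=121' into a dict."""
    value = headers.get("encapsulated", "")
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"([a-z-]+)=(\d+)", value)}


def scan_verdict(icap_response: bytes) -> str:
    """Map the scan server's ICAP reply to a gateway action (fail closed)."""
    status_line, _, _ = split_icap(icap_response)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or not parts[1].isdigit():
        return "error"
    code = int(parts[1])
    if code == 204:
        return "forward"      # unmodified: deliver the original response
    if code == 200:
        return "replace"      # scanner supplied a modified response (block page)
    return "error"            # 4xx/5xx or anything unexpected: do not deliver


if __name__ == "__main__":
    request = build_respmod(
        b"GET /downloads/report.exe HTTP/1.1\r\nHost: www.origin.invalid",
        b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 6",
        b"MZ\x90\x00\x03\x00")          # constructed payload bytes, not a real file
    print(request.decode("latin-1"))
    print(scan_verdict(b"ICAP/1.0 204 No Content\r\nISTag: \"AV-sigs-0001\"\r\n\r\n"))
```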

53. URL Filtering

URL filtering, which is also called web filtering, enables you to manage Internet access and prevent access
to inappropriate web content.
NetScreen provides two URL filtering solutions:
• Integrated URL filtering
• Redirect URL filtering

54. URL Filtering

With integrated URL filtering, you can permit or block access to a requested site by binding a URL filtering
profile to a firewall policy. A URL filtering profile specifies URL categories and the action the NetScreen
device takes (permit or block) when it receives a request to access a URL in each category. URL categories
are either pre-defined and maintained by SurfControl or user-defined.
With redirect URL filtering, the NetScreen device sends the first HTTP request in a TCP connection to either
a Websense server or a SurfControl server, enabling you to block or permit access to different sites based
on their URLs, domain names, and IP addresses.

55. Attack Detection - Overview

Juniper Networks offers its customers end-to-end security solutions that enable them to protect their
networks against different types of attacks.
Some of the screening functions protect the network from common attacks such as Denial of Service and
buffer overflow attacks. By working in conjunction with external servers such as Symantec ICAP server and
Websense URL filter, the firewall devices can block specific viruses and URLs.
Firewalls can prevent access from unauthorized users and block network level attacks that are embedded
within the data. However, they are incapable of looking into or interpreting the application level attacks.
To address this problem, Juniper Networks offers another level of protection called Deep Inspection. The
deep inspection functionality detects these embedded attacks and drops the malicious traffic before it
reaches the network.

56. Deep Packet Inspection

Now, let's look at the Deep Inspection technology in a bit more detail.
Building on the strengths of Stateful inspection and intrusion prevention technologies, the Juniper
Networks Deep Inspection firewalls protect the network against application-level attacks.
The firewalls leverage the efficiency of both technologies in performing network security functions, as well
as analyzing the traffic beyond layer 3 and layer 4 headers.
The Deep Inspection firewalls provide application layer protection at the perimeter of the network for the
most prevalent Internet protocols, such as HTTP, SMTP, IMAP, and so on. They can also make access
control decisions on the traffic, and for the traffic that is accepted, they look deeper for embedded attacks.
The Juniper Networks firewalls perform two types of deep inspection. The first uses built-in, hardware-
assisted Application Layer Gateways (ALGs), so that certain applications can be processed without impacting
CPU performance. The second uses a signature database to detect data-level attacks.

57. Stateful Signatures

The Juniper Networks Deep Inspection firewalls use a signature database to store attack patterns which
are also referred to as signatures.
Stateful signatures can specify the context of the attack signature, the flow to be monitored, and also the
direction of the traffic flow. They look for the attack patterns only in the relevant portion of the traffic. This
significantly reduces false alarms because irrelevant pattern matches are ignored.
For example, an attacker connects to the mail server of a corporate network and tries to expose the mailing
list by issuing the "EXPN root" command during the control portion of the session. The firewall is configured
to look for the "EXPN root" signature in the control portion of the session. Stateful signatures can
differentiate between the control portion of the session and the body of the e-mail.
So, if "EXPN root" is detected in the control portion, the traffic is dropped. But if the attack pattern is
detected anywhere other than the control portion of the session, it is not considered an attack.
Thus, stateful signatures reduce the chances of false positives by looking only at the relevant portion of
the session.
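The "EXPN root" case above, as an added example that is not ScreenOS code: a stateful matcher that tracks the SMTP session phase (command exchange versus message body after DATA) and the traffic direction, compared with a context-free matcher that fires on every occurrence. The session lines and the signature name are constructed for the example.

```python
"""Stateful signature matching for the SMTP "EXPN root" case.

Added illustration, not ScreenOS code. A plain pattern matcher fires on the
string wherever it appears; the stateful matcher only fires when the line's
protocol context and direction match what the signature declares.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class StatefulSignature:
    name: str
    pattern: re.Pattern      # attack pattern (the "signature")
    context: str             # where to look: "smtp-command" or "smtp-body"
    direction: str           # flow to monitor: "client-to-server" / "server-to-client"


@dataclass
class SmtpSession:
    in_body: bool = False    # True between the server's 354 reply and the lone "."


def classify(session: SmtpSession, direction: str, line: str) -> str:
    """Label one line with its protocol context and advance the session state."""
    if direction == "server-to-client":
        if line.startswith("354"):      # server accepted DATA: client lines are now body
            session.in_body = True
        return "smtp-reply"
    if session.in_body:
        if line == ".":                 # end-of-data marker closes the body
            session.in_body = False
            return "smtp-body-end"
        return "smtp-body"
    return "smtp-command"


def stateful_match(lines, signatures):
    """Return (line_no, signature name) hits only where context and direction match."""
    session = SmtpSession()
    hits = []
    for no, (direction, text) in enumerate(lines, start=1):
        context = classify(session, direction, text)
        for sig in signatures:
            if (sig.direction == direction and sig.context == context
                    and sig.pattern.search(text)):
                hits.append((no, sig.name))
    return hits


def naive_match(lines, signatures):
    """Context-free matching for contrast: every occurrence of the pattern fires."""
    return [(no, sig.name)
            for no, (_, text) in enumerate(lines, start=1)
            for sig in signatures if sig.pattern.search(text)]


SIGNATURES = [
    StatefulSignature("SMTP:EXPN:ROOT",                      # constructed name
                      re.compile(r"\bEXPN\s+root\b", re.IGNORECASE),
                      context="smtp-command", direction="client-to-server"),
]

# Constructed session: the EXPN probe in the command phase is the attack; the
# same string quoted inside the message body is harmless mail content.
SAMPLE_SESSION = [
    ("client-to-server", "EHLO probe.example"),
    ("server-to-client", "250 mail.example.net Hello probe.example"),
    ("client-to-server", "EXPN root"),
    ("server-to-client", "502 Command not implemented"),
    ("client-to-server", "MAIL FROM:<alice@example.net>"),
    ("server-to-client", "250 OK"),
    ("client-to-server", "RCPT TO:<bob@example.net>"),
    ("server-to-client", "250 OK"),
    ("client-to-server", "DATA"),
    ("server-to-client", "354 End data with <CR><LF>.<CR><LF>"),
    ("client-to-server", "Subject: notes from the hardening review"),
    ("client-to-server", ""),
    ("client-to-server", "Disable the EXPN root lookup on the relay, it leaks the alias list."),
    ("client-to-server", "."),
    ("server-to-client", "250 Queued"),
    ("client-to-server", "QUIT"),
]


def stateful_hits():
    return stateful_match(SAMPLE_SESSION, SIGNATURES)


def naive_hits():
    return naive_match(SAMPLE_SESSION, SIGNATURES)


if __name__ == "__main__":
    print("stateful:", stateful_hits())   # [(3, 'SMTP:EXPN:ROOT')]
    print("naive:   ", naive_hits())      # [(3, 'SMTP:EXPN:ROOT'), (13, 'SMTP:EXPN:ROOT')]
```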

58. Routing Protocols

Now let's move on to routing capabilities of the Juniper Networks firewalls products.
The firewalls make the forwarding decisions based on Layer 3 addresses. Therefore, there is a need to
build an internal routing table. There are two options for adding routes to the routing table. One is to
configure static routes manually; the other is to use dynamic routing protocols to populate the table
automatically.

59. Routing Protocols

The Juniper Networks integrated Firewall/VPN products support a robust set of industry standard routing
protocols including RIPv2, OSPF, and BGP. We'll take a quick look at each of them.
RIPv2 or Routing Information Protocol version 2 is a distance vector routing protocol that is widely-used for
managing router information within a self-contained network such as a corporate LAN or an interconnected
group of such LANs.
BGP or Border Gateway Protocol is used for exchanging routing information between gateway hosts in a
network of autonomous systems. BGP is often the protocol used between gateway hosts on the Internet.
OSPF or Open Shortest Path First is a router protocol used within larger networks in preference to the RIP.
It uses the path that has the best performance and therefore lowest cost to reach the destination.

60. Routing Methods

Next, we'll provide you an overview of different routing methods and the approach used by the Juniper
Networks firewall/VPN devices.
There are certain criteria for creating a route table, upon which the forwarding decisions are based. There
are three methods for routing: policy-based, destination-based, and source-based.
The first method to look at as part of the route lookup is Policy Based Routing (PBR). This method is
transparent to all non-PBR traffic. PBR implements policies that selectively cause a packet to take different
paths. PBR is configured at the interface level and can be bound to the interface, zone, virtual router or
any combination of these.
The forwarding decisions based on the traffic destination are known as destination-based routing. In this
case, the routing information is inserted into the routing table manually, which defines a static route to that
destination. As the static route does not change, it can result in a broken route if the connection fails.
Another method is source-based routing where the forwarding decisions are based on traffic origin or the
source. In this case, the routing information is inserted into the routing table using a dynamic routing
protocol such as the RIP. The route is learned as it passes through the router. This dynamic nature of the
routing process allows the route to change if the connection is broken.
The Juniper Networks approach is to use source-based routes that support dynamic routing.

61. Dynamic Routing

Now, let's talk about dynamic routing capabilities of The Juniper Networks VPNs.
Dynamic routing is a routing method that automatically learns the network configuration and adjusts to
changing network circumstances by analyzing incoming routing update messages. If the message indicates
that a network change has occurred, the routing protocol recalculates the routes and sends out new
routing messages. These messages direct the routers to re-run their algorithms and change their routing
tables accordingly.
By leveraging the capabilities of dynamic routing, the Juniper Networks VPNs can survive a connection
failure by automatically finding an alternate route.

62. Dynamic Routing

Juniper Networks VPNs provide flexibility for large networks with redundant ISP provisioning. In case of a
link failure, dynamic routing in these VPNs automatically finds optimal paths and traffic is directed through
an available service provider network.

63. Dynamic Routing



Furthermore, the Juniper Networks VPNs offer redundancy at the logical VPN layer. These VPNs support
multiple VPN tunnels that mirror the VPN's security associations, so that it can automatically be associated
with the live tunnel, in case of a connection failure.
Dynamic routing allows these VPNs to automatically learn which networks are accessible through the VPN.

64. NSRP and High Availability

The Juniper Networks VPNs also support device redundancy for high availability.
This high availability of the devices is centered around the NetScreen Redundancy Protocol or NSRP. This
protocol enables Juniper Networks to provide sub-second stateful failover between the firewall devices,
without losing sessions.
The NSRP protocol enables a redundant pair of security devices to be integrated into a high-availability
network architecture.
The devices can be deployed in redundant pairs and they share both static-configuration information, and
dynamic run-time information. As a result, during failures, all the sessions and Security Associations tied to
that failed connection can be automatically re-established with the active device.

65. NSRP and High Availability

The devices can be configured in two different NSRP modes – NSRP active/passive and NSRP
active/active.
In active/passive mode, one device acts as the master (active) and the other as its backup (passive). The
master sends all its network and configuration settings and the current session information to the
backup. If the master fails, then the backup takes over the traffic processing.
In the active/active mode, both the devices are configured to be active, with each device receiving
approximately 50 percent of the network and VPN traffic. If a failover occurs, all traffic is handled by a
single firewall.
The advantage is that when both the devices are functional, better throughput is achieved. It is important
to configure the overall network so the total load does not exceed the capacity of a single device. This
prevents the device from being overloaded.

66. NSRP and High Availability



It is very important to note that NSRP provides redundancy for Juniper firewalls only. However, if the rest of
the network is not configured for redundancy, failures in switches and routers will affect the traffic flow
regardless of the Juniper firewall capabilities.

67. NSRP and High Availability

To achieve full network connectivity, an active/active full mesh configuration can be used. In this case,
both the devices are configured to be active, with network and traffic flowing through each.
If one device fails, the other becomes the master and continues to handle 100 percent of the traffic. In full
mesh mode, throughput adjustments must be made to ensure that, if a failover occurs, the device
performance is not hindered in any way.

68. NSRP-Lite

Now, let's look at the NSRP-Lite, which is a reduced implementation of the NetScreen Redundancy
Protocol.
The NSRP-Lite uses a subset of the full NSRP to provide a simple high availability solution on some of the
Juniper Networks firewall devices. These include the Juniper Networks NetScreen-50, the NetScreen-25,
and the NetScreen 5-GT extended devices.
When two Juniper devices are configured for NSRP-Lite, one device acts as the master, and the other as its
backup. In this case, only configuration information, and not the run-time object or RTO information, is
synchronized between the devices. If a link or device failover occurs, all user sessions and VPN
connections will be re-established on the new active device. Although this configuration provides
redundancy, it does not effectively provide high availability.
Additionally, in NSRP-Lite only one cluster ID and Virtual Security Device or VSD is used. Moreover, only
the trust interface is monitored, so there is no need to set up Virtual Security Interfaces.

69. Virtual Systems

Virtualization is another key feature offered by the Juniper Networks security products. Virtualization allows
enterprises to segment their network. This protects the network from unauthorized roaming users and
network attacks.
Virtual Systems can be used to establish virtual firewalls or VPNs that contain their own address book,
policies, and management mechanism.
Effective uses of Virtual Systems include multiple network operations centers, physical departments,
geographical regions, and customer environments.
The Juniper firewalls such as the Juniper Networks NetScreen-500, the NetScreen-ISG 1000 and 2000,
the NetScreen-5200, and the NetScreen-5400, are capable of supporting up to 500 Virtual Systems.

70. Virtual Systems

Let's see how Virtual Systems operate.


Virtual Systems work as independent firewalls, giving each administrator the ability to define their own
policy while preventing them from affecting any other Virtual System's policy.
This functionality uses a single Juniper security system to provide differentiated security services to each
network segment.
For example, each Virtual System could represent a different customer. A single hardware platform can
provide security services for multiple customers in a data center. In a large enterprise, where there is
segmentation between departments, each virtual system could represent different departments.
Additionally, each Virtual System could be managed separately.
The end result is a solution with fewer physical firewalls and fewer administrative resources required to
manage them, resulting in a lower TCO.

71. WebUI Administrative Tool

Next, we'll discuss one of the administrative tools offered by Juniper Networks.
The Juniper Networks firewall/VPN devices can be easily managed using a network-accessible graphical
user interface called the WebUI. This interface requires minimal configuration and is password protected.
Opening a browser window on the PC and navigating to an IP address on the Juniper device will activate
the WebUI.
All Juniper devices ship with a default IP address of 192.168.1.1, which is accessible via either the Trust
interface, E1 interface, E1/1 interface, or the dedicated management interface — depending on platform.
As long as this IP address is reachable, it is easy to navigate to the device and configure it.
However, changing the IP address of the interface that is connected will result in losing the web session.
Therefore, it is recommended to do the initial IP configuration via the command line interface or the CLI,
and then use the browser.

72. WebUI Administrative Tool

We'll now take a quick look at the Initial Configuration Wizard.


The Initial Configuration Wizard is displayed instead of the login screen, if the Juniper Networks NetScreen-
5XP or NetScreen-5XT or NetScreen-5GT has no configuration saved in Flash.
This Wizard will take an administrator through a series of screens that define the operational mode, assign
the root admin name and password, define the address and subnet mask for selected interfaces, and
enable auxiliary services such as DNS.

73. WebUI Administrative Tool

The WebUI presentation always opens to the home screen. The page is organized with a navigation panel
on the left and information or configuration panels on the right.
In the left panel, the "toggle menu" button enables the administrator to switch between DHTML and Java
format, when navigating between functions.
The Home screen presents a variety of key system information. Much of the status information is similar to
what would be shown in a get system display at the CLI. In addition, the WebUI also includes administrator
logins, system resource utilization, recent log events, and alarms.
Monitoring system events and system resources can be done conveniently from the Home screen and, as a
result, the screen can be refreshed to show the most current status. The Home screen defaults to manual
Refresh, although refresh can be scheduled in advance for intervals ranging from ten seconds to several
minutes.
Navigation in the WebUI is simple. Clicking on a category title or on the "+" associated with the category
title expands the category and reveals the sub-topics. Once a sub-topic has been selected, the right panel
will update and display the current settings or available configuration options.

74. Section Summary

In this section you've learned about


• Embedded antivirus technology on the Juniper Networks NetScreen-5GT appliance.
• The Juniper Networks Deep Inspection solution and stateful signatures to protect the network from data-
level attacks.
• Various routing protocols supported by the Juniper Networks firewall/VPN devices.
• Source-based and destination-based routing.
• Dynamic routing and how it works.
• Redundancy protocols such as, the NSRP, NSRP-Lite, and the high availability configurations.
• Virtual Systems and their operation, and
• The WebUI administrative tool to manage firewall/VPN devices.

75. Learning Activity #4 Question 1

76. Learning Activity #4 Question 2

77. Learning Activity #4 Question 3

78. Learning Activity #4 Question 4

79. Competitive Analysis

80. Section Objectives



In this section, we'll look at the Juniper Networks products as compared to those of its competitors.
After completing this section you'll be able to
• State the advantages of the architecture of the Juniper Networks firewall/VPN devices, and
• Compare the product features of Juniper Networks devices with those of its competitors.

81. The Architecture

Let's start with the architecture of Juniper Networks firewall/VPN products.


Juniper Networks offers purpose-built hardware platforms. The performance and reliability of the security
solutions are derived from a tightly integrated set of advanced hardware and software components.
The purpose-built hardware platform has been designed to perform computationally intensive security
functions, without compromising throughput. Juniper Networks is the first vendor to embed security
functionality directly into an ASIC. The ASIC is one of the components that allow Juniper Networks to offer
multi-Gig VPN and Stateful inspection firewall performance.
The ASIC is linked to a RISC CPU by a high-speed interface.
To control the hardware platform, Juniper created a real-time, security specific operating system, the
ScreenOS, with a rich set of networking and reliability features.
This high performance architecture delivers several advantages. It eliminates OS hardening; facilitates
network integration; ensures application interoperability; maximizes uptime; simplifies management and
finally, matches or exceeds the performance requirements of the enterprises today.

82. The Architecture

Now let's take a look at the alternative solutions, offered by Juniper Networks competitors, and their
disadvantages.
First, we'll talk about the general purpose platform architecture. This architecture does not support an
integrated networking platform, and is often supported by multiple vendors. As a result, customers are
forced to compromise on key issues like security, performance, and costs.
First and foremost, the platform is not hardened, and there is potential vulnerability due to the separation
of security software and the underlying operating system. This requires regular patching. Additionally, there
are interoperability issues between the OS and the software. Furthermore, since the network integration is
done by the OS and not the software, it requires significant network re-engineering.
The next critical issue is the performance. The platforms based on this architecture offer limited
functionality and have integration issues. In addition to this, the platforms are subject to performance
degradation under load or attack.
Another key concern area is manageability. This architecture lacks integrated management capability. As a
result, configuring, managing and monitoring the platforms add to the complexity.
Finally, there are additional operational and support costs associated with this architecture. These factors
result in a very high total cost of ownership.

83. The Architecture

Next, we'll take a look at another solution which is based on pseudo-appliance architecture.
The architecture supports pre-configured platforms with separate security applications and the operating
system. Although the OS and the software are provided by the same vendor, the device, system, and
applications are managed separately. Additionally, this solution does not provide integrated firewall and
VPN capabilities.
As a result, the customers face several issues regarding security, performance, and costs. The security
functionality is limited to Stateful firewall, Intrusion detection systems, and VPN.
In addition to this, the performance is platform dependent. So, the enterprises are forced to compromise
networking capabilities under load. Furthermore, this solution lacks centralized management. As a result,
there are higher management costs and ultimately a high total cost of ownership.

84. Juniper Networks – Advantages

Now, let's take a quick look at the specific advantages of the Juniper Networks firewall/VPN devices.
The Juniper Networks security devices:
• Integrate both firewall and VPN capabilities in a single solution.
• Support purpose-built architecture with a specific operating system which is capable of performing
computationally intensive security functions.
• Support transport mode of operation, which allows enterprises to deploy the devices without
having to change the network.
• Support dynamic routing protocols and dynamic route based VPNs.
• Support Security Zones that divide the physical network into virtual sections, to establish various
levels of trust.
• Effectively use antivirus solutions and Deep Inspection technologies, to protect the network from
different kinds of attacks.
• Deliver true attack prevention using IDP solutions to drop the malicious traffic and connections
during attacks.

85. Juniper Networks – Advantages

• Offer high availability to ensure maximum network availability with active/active and full mesh
configurations.
• Offer integrated traffic management capabilities for optimizing bandwidth.
• Offer robust high performance with low latency for time sensitive applications, and finally
• Can be effectively configured and managed using centralized management solutions, the Security
Manager and the IDP manager.

86. Feature Comparison

Now let's focus on specific product features of the Juniper Networks security products.
We'll compare the product features of key competitors including Cisco Systems, Nokia, SonicWALL,
Fortinet, Symantec and WatchGuard.

87. Feature Comparison



Listed here are the Juniper Networks NetScreen security products. Clicking on a device displays its
competitive matrix. You can always get the latest collateral, selling documents, and competitive
information about Juniper Networks Security Products here:
https://www.juniper.net/partners/partner_center/content/reseller/products/fw-vpn_advsec_kit.jsp

Click on each device to get the corresponding competitive matrix.

88. Feature Comparison – NetScreen 5GT

The Juniper Networks NetScreen-5GT is fully capable of securing a remote office, retail outlet, or a
broadband telecommuter.
This matrix compares the NetScreen-5GT with products from competitors including Cisco, SonicWALL,
Sofaware S-box, and WatchGuard.
Please note that the NetScreen-5GT supports embedded antivirus to help eliminate virus threats from the
network, while the other products do not support this feature.
In addition to this, only the NetScreen-5GT and Cisco's PIX firewall support redundant VPN Gateways.

89. Feature Comparison – NetScreen 25

The Juniper Networks NetScreen-25 offers a complete security solution for enterprise branch and remote
offices, as well as small and medium size companies. The key competitors for this product are Cisco,
Nokia, and SonicWALL.
The key difference is the Juniper devices have the ability to run in Transparent mode and they also support
policy-based Network address translation, unlike the competitors.

90. Feature Comparison – NetScreen 50

The Juniper Networks NetScreen-50 can also be targeted at enterprise branch and remote offices, and
small to medium size companies. The key competitors for this product are Cisco, Nokia, and SonicWALL.
Besides supporting transparent mode and policy based NAT, this product also has the ability to run NSRP
and support more concurrent sessions and VPN tunnels.

91. Feature Comparison – NetScreen 208

The Juniper Networks NetScreen-204 and 208 are targeted at medium and large enterprise offices, e-
business sites, data centers, and carrier infrastructure.
This product competes with the products of Cisco, Nokia, and SonicWALL.
The key differentiator is the ability of this product to run in transparent mode and the firewall performance
is considerably higher.
The NetScreen-208 device increases the number of available ports from 4 to 8 and offers performance of up
to 800 Mbps.

92. Feature Comparison – SSG 520 / 550



The Juniper Networks Secure Services Gateway 500 Series (SSG) represents a new class of purpose-built
security appliance that delivers a perfect mix of high performance, security and LAN/WAN connectivity for
regional and branch office deployments.
This product competes with Cisco, Nokia and Fortinet.

93. Feature Comparison – ISG 2000

Juniper Networks Integrated Security Gateway, the NetScreen-ISG 1000 and 2000, is a purpose-built, high-
performance system, designed to deliver scalable network and application security for large enterprise,
carrier, and data center networks. This product competes with Cisco, Fortinet, Symantec, and ISS.
Other than the NetScreen-ISG 2000 and Fortinet's FG4000, all the other products offer lower firewall
performance. In addition, these products offer Deep Inspection and IDP features for greater security.

94. Feature Comparison – NetScreen 5200

The Juniper Networks NetScreen-5000 Series is a line of purpose built, high-performance security systems
targeted at large enterprise, carrier, and data center networks.
The key competitors for this product are Cisco and Nokia.
As you can observe, there are significant performance differences between the Juniper product and the
competitors. It also supports 1 million concurrent sessions and 25,000 concurrent VPN tunnels.
Furthermore, this product can run in transparent mode and support policy-based NAT.

95. Section Summary

In this section you've learned about


• The advantages of the architecture of the Juniper Networks firewall/VPN devices, and
• The product features of Juniper Networks devices as compared to those of its competitors.

96. Learning Activity #5 Question 1

97. Course Summary

98. Summary

We have now come to the end of this course on the Juniper Networks firewall/VPN System Engineering
training.
Let’s summarize what we have covered in this course.
The Juniper Networks Firewall/VPN solutions use multiple layers of defense to provide networks with
security. The Juniper Networks purpose-built hardware platform and security specific operating system is
geared for high performance. The Juniper Networks ScreenOS operates and leverages the entire Juniper
Networks product line.
Juniper Networks has Firewall/VPN solutions that meet every customer’s needs: small organizations,
medium size companies, large organizations, carriers, and data center networks.

99. Summary

The Juniper Networks security devices can work in both Transparent and Layer 3 mode. Intelligent use of
interfaces, zones, policies, virtual routers, and virtual systems increase network security as does Stateful
packet inspection and NAT.

100. Summary

We also covered advanced features of the Juniper Networks firewall/VPN devices.


Juniper Networks offers the embedded antivirus on the NetScreen-5GT device that scans traffic in-line with
Trend Micro scan engine.
The Juniper Networks security devices have the dynamic routing capabilities to automatically understand
the network configuration, and find the best available path. This capability enables the devices to survive
connection failures at all levels.
We discussed the Virtual Systems functionality offered by the Juniper Networks products that facilitates
network segmentation. It uses a single device to provide differentiated security services to each network
segment.
The WebUI administrative tool can be used to manage the Juniper Networks firewall/VPN devices, easily
and effectively.
Finally, Juniper Networks offers purpose-built platforms which offer many benefits to its customers. The
general-purpose and pseudo-appliance architectures provided by the competitors, by contrast, have
numerous disadvantages, which force their customers to compromise on security, performance, and costs.
We also compared the product features of the Juniper security devices with those of the competitors and
found that the Juniper Networks devices are far superior in providing a high-performance, reliable, and
secure connectivity solution.

101. Juniper’s Virtual Lab

As you proceed through the certification process, take advantage of Juniper’s Virtual Labs which are
available to you twenty four hours a day, seven days a week.

The URL is shown on the slide, or click the button to visit Juniper Networks Virtual Lab.

Presently six lab setups are available: Router/Firewall, IDP, SSL VPN, DX, WX and UAC 2.0.

More labs are being created and deployed and will be available for your training and practice.

Each of these labs consists of at least one Juniper device and a PC to configure and test.

102. Evaluation and Survey

You have now reached the end of this Juniper eLearning module.

Take the practice exam to gauge your knowledge of the material covered in this course. After you’ve
finished, the result will be displayed for you.

Also, please take a few moments to give us your feedback regarding this course by answering the survey
questions.

103. Copyright © 2007

Copyright © 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered
trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered
trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All
specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document
or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
