Screen OS

  • 1.  Upgrade from Netscreen NS5GT

    This message was posted by a user wishing to remain anonymous
    Posted 04-25-2022 13:39

    I currently own a Juniper NS5GT firewall device. The unit only supports 10 users/devices.  Other than purchasing a license for additional users on this specific device, I was considering my options. One is, I was wondering what would be some other Juniper firewall device models that would be considered a slight upgrade to the NS5GT and that would support at least 25 users/devices? My needs are not great, just a small home office with a dozen or more devices that need screening. I'd like something more modern (this NS5GT is nearly 20 years old), but the alternative models that I'm looking for do not have to be recent models. A 5 or 10-year old device would be fine for my needs.

    Thanks in advance.



  • 2.  RE: Upgrade from Netscreen NS5GT

    Posted 04-26-2022 05:44
    Juniper and most firewall vendors stopped the numbered user-based licensing a while ago, so there are a number of options that would support 25 devices.  I'll outline the series starting with the replacements for the NS series going forward.  There is no engineering or software support for these first ones as they are end of life, just as the NS series is.

    SSG series were the direct replacements for the NS series and are running the same style of ScreenOS software you are familiar with.  The web interface is also strong but different from the NS.  The SSG5 is the smallest and would still meet your needs for users, but only has 100M interfaces; if you wanted GE, larger units would be needed.  These went end of life about 3 years back.

    The Netscreen devices were replaced by Junos ones after this series.  The web interface is an add-on that must be enabled and is not full featured.  So if you get deep in the configs, some CLI use would be required.

    The SRX100 marks the change from ScreenOS to Junos and is the same basic size and capacity as the SSG5, and could also handle your 25 devices.  This is also just 100M interfaces, but only just went EOL about a year ago.

    Some of the SRX200 series allow for expansion cards and add some number of GE ports and more local bandwidth.  These are also EOL for most models but a few are still supported.

    The SRX300 series would be the current generation and have much more capacity, GE ports and options.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Upgrade from Netscreen NS5GT

    Posted 04-26-2022 09:23
    Thank you for your response and suggestions on upgrades from the NS5GT.

    Regarding the SSG series, if I were to purchase a used SSG model, would I have to worry about the Dual_EC_DRBG algorithm backdoor that was later discovered in Juniper firewalls?  Would a used SSG be susceptible?

    How about the NS5GT?


  • 4.  RE: Upgrade from Netscreen NS5GT

    Posted 04-27-2022 05:46
    Yes, with the SSG you need to confirm you are not on a vulnerable ScreenOS version and it has been updated to one removing the backdoor.
    Critical ScreenOS Security Flaw:
    6.2.0r15 through 6.2.0r18 and
    6.3.0r12 through 6.3.0r20

    Juniper does make the version available to all here with the search for SSG model.  You will need to create a support account and might need an admin service case to unlock the download, but there is no charge.
    https://support.juniper.net/support/downloads/?f=netscreen

    More details
    http://puluka.com/home/networking/screenos/critical-screenos-security-flaw/


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
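    A small checker for the affected release ranges quoted above, added here as an example and not code from the post or from Juniper. It parses ScreenOS version strings of the form `6.3.0r12` or `5.3.0r6.0` and reports whether a version falls inside either listed range; it says nothing about versions outside those ranges. The `get system` banner it reads is a constructed sample, and the exact layout of that command's output is an assumption.

```python
import re

# Affected ScreenOS release ranges as quoted in the post above (inclusive).
AFFECTED_RANGES = (
    ("6.2.0r15", "6.2.0r18"),
    ("6.3.0r12", "6.3.0r20"),
)

# ScreenOS versions look like 6.3.0r12 or 5.3.0r6.0: major.minor.patch,
# an 'r' release number, and an optional build suffix.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"r(?P<release>\d+)(?:\.(?P<build>\d+))?$"
)


def parse_version(text):
    """Return (major, minor, patch, release, build) for a ScreenOS version.

    A missing build suffix counts as 0, so 6.3.0r12 parses like 6.3.0r12.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {text!r}")
    return tuple(int(m.group(g) or 0)
                 for g in ("major", "minor", "patch", "release", "build"))


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if the version lies inside any of the listed ranges.

    The ranges are stated at release granularity (r15 through r18), so the
    build suffix is ignored: 6.3.0r20.0 is inside '6.3.0r12 through 6.3.0r20'.
    """
    v = parse_version(version)[:4]
    return any(parse_version(lo)[:4] <= v <= parse_version(hi)[:4]
               for lo, hi in ranges)


# Constructed sample of a 'get system' banner (assumed layout, not real
# device output); the serial and control numbers are placeholders.
SAMPLE_GET_SYSTEM = """\
Product Name: SSG5
Serial Number: 0000000000000000, Control Number: 00000000
Software Version: 6.3.0r12.0, Type: Firewall+VPN
"""


def version_from_get_system(output):
    """Pull the version string out of a captured 'get system' banner."""
    m = re.search(r"Software Version:\s*([^\s,]+)", output)
    if not m:
        raise ValueError("no 'Software Version:' line found")
    return m.group(1)


def check_device(output):
    """Given captured 'get system' output, return (version, affected)."""
    version = version_from_get_system(output)
    return version, is_affected(version)


if __name__ == "__main__":
    for v in ("5.3.0r6.0", "6.2.0r14", "6.2.0r15", "6.3.0r20.0", "6.3.0r21"):
        print(f"{v:<10} in listed ranges: {is_affected(v)}")
    print(check_device(SAMPLE_GET_SYSTEM))
```

    Feed `check_device` the text of `get system` captured from each unit you are considering; a `False` result only means the version is not in the two ranges quoted above, so the download page linked in the post remains the place to confirm what release to run.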



  • 5.  RE: Upgrade from Netscreen NS5GT

    Posted 04-27-2022 10:06
    My firmware is 5.3.0r6.0.  Is this BEFORE the backdoor flaw and hence fine to stick with?

    Or is this flaw only a threat in a business environment where an untrusted employee has access to the internal network?  If this device is in a home office environment, with only 2 people using the LAN, is the backdoor flaw a non-issue?  I assume the backdoor flaw isn't an issue if an external hacker can't even get past the firewall into the trusted zone.



  • 6.  RE: Upgrade from Netscreen NS5GT

    Posted 04-28-2022 05:43
    There are two issues.

    One vulnerability allows the attacker to take control of the firewall over SSH or Telnet.  So they would need access to a port where one of those services is enabled.

    The second allows an attacker with access to decrypt and read all VPN traffic sent by the device.

    The US government believes these were introduced into the code by Chinese government sponsored agents as spy tools.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: Upgrade from Netscreen NS5GT

    Posted 04-26-2022 09:23
    I guess the 10 user/device limit is for user VPN. If you need more end users connecting through VPN, I would suggest using an OpenVPN VM/server in your environment and terminating the client VPNs on the OpenVPN VM instead of the Juniper firewall.

    ------------------------------
    John Simon
    ------------------------------



  • 8.  RE: Upgrade from Netscreen NS5GT

    Posted 04-26-2022 18:36
    I do not use VPN.  I am trying to protect a web server/email server behind the NS5GT.


  • 9.  RE: Upgrade from Netscreen NS5GT

    Posted 04-27-2022 05:48
    Yes, these old license models from SMB firewalls used to actually count the connected MAC addresses and limit the number allowed to the license level.  It was a real pain, and fortunately everyone gave this up after a few years as not worth the effort.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------