Netscreen 100 + Zyxel Zywall 10

Netscreen 100 + Zyxel Zywall 10

am 31.07.2007 13:56:39 von Vinnie

I've got the opportunity to purchase a Netscreen 100
from a friend who works for a company who no longer is using it,
at a very good price.

I've been looking at a decent hardware firewall for a while now
and this looks like it will fit the bill nicely.

My current config consists of a basic ADSL router, and I'm making
use of the firewall on it. It's in a flatting environment, so
at this stage, I've managed to hit the wall for the amount of
port ranges that I can open (10).

What I would like to know is, in a NAT situation, how many ports
(or port ranges) can I open to allow access to computers
from the untrusted side to the trusted side?

Obviously I'm going to be needing more than 10 to make it worth
considering buying for me.

The other question is, how many custom services can I create?
Obviously this is equally as important, as I'm going to have
several custom ones to cover the service double ups between myself
and the flatmates.


I've also got the opportunity to buy a Zyxel Zywall 10 from the
same person. The above two questions apply, and does anyone have
experience with both to be able to give a comparison (or even if
you only have experience with one of the devices, could you do a
quick write up on why I should buy it).

Thanks,

Vinnie.

Re: Netscreen 100 + Zyxel Zywall 10

am 31.07.2007 17:40:43 von paleale

In article <46af2480@news.orcon.net.nz>,
Vinnie wrote:
>I've got the opportunity to purchase a Netscreen 100
>from a friend who works for a company who no longer is using it,
>at a very good price.

The Netscreen 100 is EOL and the last ScreenOS was 4.x.
This doc should help getting things setup.

http://www.juniper.net/techpubs/software/screenos/screenos4x/index.html

-alan

Re: Netscreen 100 + Zyxel Zywall 10

am 01.08.2007 10:54:23 von Vinnie

After talking further with the friend, they have no idea what version
of ScreenOS it's running, nor do they know what the password is.

It was pulled from a location after being in use for an extended period.

I've had a hunt round on Google, and it seems that only certain
versions of ScreenOS will allow you to do a password reset.

Is there any way (externally) of finding out what version of ScreenOS
this particular device would have been supplied with?

If I can get my hands on a newer ScreenOS version that does support
the password reset, can I load it onto the model and regain control?

Thanks,

Vinnie


Alan Strassberg wrote:

> In article <46af2480@news.orcon.net.nz>,
> Vinnie wrote:
>>I've got the opportunity to purchase a Netscreen 100
>>from a friend who works for a company who no longer is using it,
>>at a very good price.
>
> The Netscreen 100 is EOL and the last ScreenOS was 4.x.
> This doc should help getting things setup.
>
> http://www.juniper.net/techpubs/software/screenos/screenos4x/index.html
>
> -alan

Re: Netscreen 100 + Zyxel Zywall 10

am 01.08.2007 18:22:22 von amr

On Aug 1, 3:54 am, Vinnie wrote:
> After talking further with the friend, they have no idea what version
> of ScreenOS it's running, nor do they know what the password is.
>
> It was pulled from a location after being in use for an extended period.
>
> I've had a hunt round on Google, and it seems that only certain
> versions of ScreenOS will allow you to do a password reset.
>
> Is there any way (externally) of finding out what version of ScreenOS
> this particular device would have been supplied with?
>
> If I can get my hands on a newer ScreenOS version that does support
> the password reset, can I load it onto the model and regain control?
>
> Thanks,
>
> Vinnie
>
> Alan Strassberg wrote:
> > In article <46af2...@news.orcon.net.nz>,
> > Vinnie wrote:
> >>I've got the opportunity to purchase a Netscreen 100
> >>from a friend who works for a company who no longer is using it,
> >>at a very good price.
>
> > The Netscreen 100 is EOL and the last ScreenOS was 4.x.
> > This doc should help getting things setup.
>
> >http://www.juniper.net/techpubs/software/screenos/screenos4x/index.html
>
> > -alan

They all support password reset

Re: Netscreen 100 + Zyxel Zywall 10

am 01.08.2007 19:16:25 von Jens Hoffmann

AMR schrieb:
> They all support password reset
>

Nope. Some of the very early models had to be shipped back
to be reset. ScreenOS 2.x-ish, IIRC.

Cheers,
Jens

Re: Netscreen 100 + Zyxel Zywall 10

am 01.08.2007 21:32:43 von amr

On Aug 1, 12:16 pm, Jens Hoffmann wrote:
> AMR schrieb:
>
> > They all support password reset
>
> Nope. Some of the very early models had to be shipped back
> to be reset. ScreenOS 2.x-ish, IIRC.
>
> Cheers,
> Jens

And what do you think they did to them to reset the password when they
got their hands on it?

Re: Netscreen 100 + Zyxel Zywall 10

am 02.08.2007 07:06:53 von Jens Hoffmann

>
> And what do you think they did to them to reset the password when they
> got their hands on it?
>

I do not know, and I don't care much. (Probably remove or add a wire bridge.)

We told our distributor back then that the planned product, centering
around the netscreen, would be launched when they had replaced the
procedure with something field maintainable. Eventually they did, and we
launched our product late.

Anyway, back to the thread: Buying an old netscreen is not very advisable
for productive use, it is probably educational or fun ;)

Cheers,
Jens

Re: Netscreen 100 + Zyxel Zywall 10

am 02.08.2007 15:06:52 von Vinnie

> Anyway, back to the thread: Buying an old netscreen is not very advisable
> for productive use, it is probably educational or fun ;)

For fun and learning use at home.

Anything (even old) has got to be better than the one on my DSL router, which
only supports opening up to 10 port ranges - this doesn't work in a flatting
environment.

Actually, all the consumer grade DSL routers I've had anything to do with
(through personal experience and the ones we have at remote offices for
work) only allow up to 10. It's rather odd that no one seems to offer more
until you're paying large amounts of money :(

Vinnie

Re: Netscreen 100 + Zyxel Zywall 10

am 02.08.2007 20:05:16 von Jens Hoffmann

Hi,

Vinnie schrieb:
> For fun and learning use at home.

That's ok ;)


>
> Anything (even old) has got to be better than the one on my DSL router, which
> only supports opening up to 10 port ranges - this doesn't work in a flatting
> environment.

Yeah, probably, but you have to get the traffic to the netscreen
unharmed. The old boxes / ScreenOSes don't have a pppoe client AFAIK.

I'd google a bit to find an answer to that question ;)

Cheers,
Jens

Re: Netscreen 100 + Zyxel Zywall 10

am 03.08.2007 05:59:44 von Vinnie

Jens Hoffmann wrote:

> Hi,
>
> Vinnie schrieb:
>> For fun and learning use at home.
>
> That's ok ;)
>
>
>>
>> Anything (even old) has got to be better than the one on my DSL router,
>> which only supports opening up to 10 port ranges - this doesn't work in a
>> flatting environment.
>
> Yeah, probably, but you have to get the traffic to the netscreen
> unharmed. The old boxes / ScreenOSes don't have a pppoe client AFAIK.
>
> I'd google a bit to find an answer to that question ;)
>
> Cheers,
> Jens


Huh? I thought it was just a LAN connection from your connecting device
direct to the untrusted port on the Netscreen.

I was just going to put my router into 'Modem' mode (where it doesn't use
its inbuilt firewall and just lets all traffic through), connect it to the
untrusted port on the Netscreen and set it up to do all the firewall
policies.

Vinnie

Re: Netscreen 100 + Zyxel Zywall 10

am 03.08.2007 07:21:40 von Jens Hoffmann

> Huh? I thought it was just a LAN connection from your connecting device
> direct to the untrusted port on the Netscreen.

It is.


> I was just going to put my router into 'Modem' mode (where it doesn't use
> its inbuilt firewall and just lets all traffic through), connect it to the
> untrusted port on the Netscreen and set it up to do all the firewall
> policies.

You do not have any authentication on your internet line? Then it'll work
fine. (Thought you mentioned ADSL; here you have to authenticate with
pppoe when using ADSL, in .at it's pppoa, IIRC.)

Cheers,
Jens

Re: Netscreen 100 + Zyxel Zywall 10

am 04.08.2007 08:17:57 von Vinnie

Jens Hoffmann wrote:

>
>> Huh? I thought it was just a LAN connection from your connecting device
>> direct to the untrusted port on the Netscreen.
>
> It is.
>
>
>> I was just going to put my router into 'Modem' mode (where it doesn't use
>> its inbuilt firewall and just lets all traffic through), connect it to
>> the untrusted port on the Netscreen and set it up to do all the firewall
>> policies.
>
> You do not have any authentication on your internet line? Then it'll work
> fine. (Thought you mentioned ADSL; here you have to authenticate with
> pppoe when using ADSL, in .at it's pppoa, IIRC.)
>
> Cheers,
> Jens


Sorry, yes we do have authentication on the line. It uses pppoa here.

I just assumed that because of the LAN connection being an untrusted RJ45
connection, it would connect to whatever network appliance you use to
connect to the internet (in my case a Netgear DG632 ADSL Router, but I
thought it could be connected to potentially anything).

If I let the Netgear ADSL router handle the internet authentication and
connection, and just put it into 'dumb mode' where it will let all traffic
pass from its internal connection directly to the untrusted port on the
Netscreen, can I just put the Netscreen into a mode where it will accept
this traffic and deal with it? Or am I mistaking how things work with the
Netscreen, and it in itself has to be connected directly to the wall and
negotiate the connection itself?

Vinnie

Re: Netscreen 100 + Zyxel Zywall 10

am 04.08.2007 09:12:57 von Jens Hoffmann

> Or am I mistaking how things work with the
> Netscreen, and it in itself has to be connected directly to the wall and
> negotiate the connection itself?

No, but I do not understand the addressing in your network.

The netscreen can run in different modes: a) as a router (with or
without NAT) or b) as a bridge.


Now, taking a look at your setup and the ip addresses:

    ---------      ---------
--a-| DG632 |-b--c-| ns100 |-d-- LAN
    ---------      ---------


So, what do you want to do here?

Cheers,
Jens

Re: Netscreen 100 + Zyxel Zywall 10

am 04.08.2007 14:33:33 von Vinnie

Jens Hoffmann wrote:

>> Or am I mistaking how things work with the
>> Netscreen, and it in itself has to be connected directly to the wall and
>> negotiate the connection itself?
>
> No, but I do not understand the addressing in your network.
>
> The netscreen can run in different modes: a) as a router (with or
> without NAT) or b) as a bridge.
>
>
> Now, taking a look at your setup and the ip addresses:
>
>     ---------      ---------
> --a-| DG632 |-b--c-| ns100 |-d-- LAN
>     ---------      ---------
>
>
> So, what do you want to do here?
>
> Cheers,
> Jens


Basically the setup that is there, is what I want. It gets rather
complicated after that, as currently I have a PC acting as a server and
router between three other networks.

                     -f--g- 192.168.1.0 (GigE network)
                    /
      ----------   /
-d--e-| server |-----h--i- 192.168.2.0 (wireless)
      ----------   \
                    \
                     -j--k- 192.168.192.0 (main wired network)

Network on the internal network side to the server (currently) is 10.1.1.0

Vinnie

Re: Netscreen 100 + Zyxel Zywall 10

am 04.08.2007 16:48:46 von Jens Hoffmann

>>     ---------      ---------
>> --a-| DG632 |-b--c-| ns100 |-d-- LAN
>>     ---------      ---------
>>
>>
>> So, what do you want to do here?
>>
>> Cheers,
>> Jens
>
>
> Basically the setup that is there, is what I want.


None there yet ;))
What are the addresses: a, b, c, and d?

The setup behind the firewall is rather straight forward, once you have
decided on this one.

Usually I would expect (a) to be a public dynamic ip natted to (b), (b)
and (c) forming a transfer network, and the netscreen natting again to (d),
with (b) and (c) private and (d) private and from a different subnet.

Now, when the modem already does NAT, how does the modem do correct
port forwarding? That was the problem you originally wanted to solve, right?

So, you should use the DG632 as a router and get (b) and (c) as a public
network from your provider routed over (a).

Then you have full control on the netscreen over what you wanted to do.

Do I have a fundamental misunderstanding here?

Cheers,
Jens
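
Jens's double-NAT point above, as an added model (example code written for this page, not from the thread and not ScreenOS configuration): when both boxes NAT, every inbound port has to be forwarded on the DG632 and again on the Netscreen, so the modem's 10-range table stays the bottleneck, whereas a routed transfer network leaves only the Netscreen's table to fill. The addresses, the service ports and the 10-entry cap are constructed to match the discussion.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
@dataclass
class Hop:
    """One device on the inbound path: a plain router, or a NAT box with a port-forward table."""
    name: str
    public_ip: str
    nat: bool
    max_forwards: Optional[int] = None          # the DG632's 10-range limit from the thread
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def add_forward(self, proto: str, port: int, inside_ip: str, inside_port: int) -> bool:
        if self.max_forwards is not None and len(self.forwards) >= self.max_forwards:
            return False                            # table full: the wall Vinnie hit at 10
        self.forwards[(proto, port)] = (inside_ip, inside_port)
        return True

    def inbound(self, proto: str, dst: str, port: int) -> Optional[Tuple[str, int]]:
        """Hand the flow to the next hop, or return None if this hop drops it."""
        if not self.nat:
            return dst, port                        # routed: addresses pass through unchanged
        if dst != self.public_ip:
            return None                             # a NAT box only answers for its outside IP
        return self.forwards.get((proto, port))     # and only for ports it explicitly forwards

def trace(chain, proto: str, dst: str, port: int) -> Optional[Tuple[str, int]]:
    """Walk an inbound flow hop by hop; return where it lands, or None if dropped."""
    for hop in chain:
        nxt = hop.inbound(proto, dst, port)
        if nxt is None:
            return None
        dst, port = nxt
    return dst, port
# Constructed addresses: (a) 203.0.113.5 on the modem, (b)/(c) 192.0.2.0/30, (d) the 10.1.1.0 LAN.
def double_nat_chain():
    """Modem NATs (a)->(b) and the ns100 NATs (c)->(d): every forward must exist on BOTH boxes."""
    modem = Hop("DG632", "203.0.113.5", nat=True, max_forwards=10)
    ns100 = Hop("ns100", "192.0.2.2", nat=True)
    for p in range(5000, 5010):                     # ten services: the modem's table is now full
        modem.add_forward("tcp", p, "192.0.2.2", p)
        ns100.add_forward("tcp", p, "10.1.1.10", p)
    return [modem, ns100]
def routed_chain():
    """Modem routes the transfer net to the ns100 untouched: only the Netscreen's table matters."""
    modem = Hop("DG632", "203.0.113.5", nat=False)
    ns100 = Hop("ns100", "192.0.2.2", nat=True)     # (c) is now a routed, public address
    for p in range(5000, 5030):                     # thirty services, no modem cap in the way
        ns100.add_forward("tcp", p, "10.1.1.10", p)
    return [modem, ns100]
```

Tracing a flow to port 5015 through double_nat_chain() returns None even though the Netscreen side would have accepted it, which is exactly why the modem's limit still bites; the same port reaches 10.1.1.10 through routed_chain().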

Re: Netscreen 100 + Zyxel Zywall 10

am 07.08.2007 10:21:11 von Mak

Jens Hoffmann wrote:

> You do not have any authentication on your internet line? Then it'll work
> fine. (Thought you mentioned ADSL; here you have to authenticate with
> pppoe when using ADSL, in .at it's pppoa, IIRC.)

nope, it's pptp in .at

M