
Juniper Networks

Portfolio Overview
Piotr Kędra pkedra@juniper.net

More Than A Decade of Innovation


Figure (timeline, 1996 to 2008): incorporated in 1996; product labels M-Series, T-Series, T-1600, MX, EX-series, SSG, UAC, STRM, 10 Gb IDP; other label "#789 Acorn"; revenue labels $500M, $1B, $2B, $2.3B, $2.8B; employee labels 1000, 1500, 2500, 3500, 4800+, 5800+

Juniper's Portfolio Breadth

Routing: Deliver high levels of security, uptime and performance with simplified operations in converged IP and IP/MPLS infrastructures through professional-grade routers based on the advanced, modular JUNOS OS.
Switches: The EX switches run under the JUNOS software, which provides Layer 2 and Layer 3 switching, routing, and security services. The same JUNOS code base runs on all Juniper Networks routing platforms.
Integrated Firewall/VPN: Integrated security devices with stateful firewall and IPSec VPN, including models with integrated IDP for the data center and integrated Unified Threat Management at the branch office.
Secure Access SSL VPN: Eliminate the need for client access software, changes to internal servers, and costly ongoing maintenance and desktop support while providing added security through endpoint validation agents.
Intrusion Detection and Prevention: Standalone or integrated intrusion prevention with comprehensive protection against current and emerging threats at both the application and network layers. Day Zero protection against worms, Trojans, spyware, keyloggers, and other malware.
UAC: Enables access control for guests, contractors and employees. Provides enforcement using any vendor's 802.1X-enabled infrastructure, existing Juniper firewalls, or both.
WAN Acceleration: Provide a scalable approach to accelerating application performance, increasing WAN capacity, and enabling application prioritization and visibility at speeds from 64 Kbps to 155 Mbps.
Management: Common management system (NSM, NSMXpress); log management and SIEM (Security Information and Event Management) system (STRM).

Gartner Magic Quadrants


Juniper, a proven leader in all categories

Figure labels: FW/VPN, SSL VPN, WAN Optimization, IPS, IPSec

Current Trends
By 2007, 50% of the companies surveyed will significantly increase their WAN access bandwidth (Infonetics)

More employees working away from main offices
  91% of employees in companies of all sizes work outside of main office (Nemertes Research)

Security risks continue
  In 2005, 56% of companies had at least 1 internal attack
  65% had at least 1 external attack (CSI/FBI 2005 survey)

Small to medium business FW opportunity in 2006 = $1 Billion (Infonetics)


Diagram labels: DMZ, Internal security, Content protection, No IT staff, Bandwidth usage, Direct Internet, Remote mgmt, Wi-Fi, Internet

Small to Medium Branch Office / Business Characteristics


Smaller in scale, but not necessarily less complex than big businesses or HQ sites
  Multiple local networks
  More complicated security due to environment, support, etc.
  Many devices on a per capita basis
  No local IT help
Range of WAN connections: from DS3 to low speed modem
Require protection for owned and non-owned IT assets
  Firewall, VPN, IPS and file-based AV scanning, spyware detection
  Internal network segmentation for attack mitigation, access control

Diagram labels: 100+ Mbps; Outbound link => T1, DSL, DS3; IPSec; Local Apps; Internet; Users; WLAN; www

Ideal Solution
Protect the network, stop all manner of attacks with a rich set of proven security features
Network, application and content level attack protection

Performance headroom to protect high speed LAN


Protect network with processing intensive UTM security apps

Broad range of LAN and WAN connectivity options


Interface cards and supporting protocols / encapsulations

Easily managed from centralized location

Secure Service Gateway Family


Secure Services Gateway (SSG) family integrates proven security of ScreenOS and WAN connectivity to deliver secured and assured networking
  New levels of price/performance and I/O flexibility
  Unified Threat Management features complement FW, IPSec VPN
Ideal small to medium stand-alone business / branch office offerings
Can be deployed as a traditional firewall, as a site-to-site VPN and as a security router

Models: SSG 5, SSG 20, SSG 140, SSG 320M, SSG 350M, SSG 520M, SSG 550M

ScreenOS: Proven Enterprise Class Security


UTM Features / Content Security
Anti-virus/Anti-spyware, Web filtering, Anti-spam, IPS (Deep Inspection)

Integrated Unified Threat Management (UTM) security features
  IPS (Deep Inspection), Antivirus (includes Anti-Spyware, Anti-Phishing), Anti-Spam, Web filtering

Network Security Features
FW, IPSec VPN, DoS/DDoS, User auth.

Network security features / Access control
  Stateful firewall, IPSec VPN, NAT, DoS protection, user authentication, Auto-Connect VPN

Networking
Security Zones, Dynamic Routing, Deployment Modes, WAN Encapsulations

Rich networking and virtualization capabilities
  Segmentation (Zones, VLANs) to divide the network into secure segments
  Combines ScreenOS deployment modes, dynamic routing and high availability with select JUNOS WAN encapsulations

SSG Purpose-Built Hardware Platform


Mgmt/Modem LAN & WAN I/O

ScreenOS

Unified Threat Management (UTM) Features


Stop Common and Emerging Threats

Inbound Threats
  IPS: Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Recon, Scans
  AV: Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware, Adware, Keyloggers
  Anti Spam: Symantec stops Spam / Phishing
  Core Security: Juniper Stateful Firewall, VPN, Access Control

Outbound Threats
  IPS: Juniper IDP detects/stops Worms, Trojans
  Web Filtering: SurfControl to block Spyware / Phishing / Unapproved Site Access
  AV: Kaspersky Lab AV stops Viruses, file-based Trojans or spread of Spyware, Adware, Keyloggers
  Core Security: Juniper Stateful Firewall, VPN, Access Control

UTM Security Backed by Best-In-Class Partners


Integrated Kaspersky Antivirus solution blocks thousands of viruses PLUS Spyware / Adware / Keyloggers
  Instant message AV: inspects content of Instant Messaging (chat, file transfers, etc.) for worms and viruses in similar fashion as rest of network traffic
Integrated or redirect Web filtering with SurfControl blocks outbound access to known Spyware, Phishing, & Virus download sites
  Integrated via SurfControl or redirect via SurfControl or Websense
Integrated Anti-Spam from Symantec
  Brightmail-based database blocks (and/or tags) spam by using robust IP based, constantly updated worldwide list of spammers and phishers
Intrusion Prevention (Deep Inspection) detects several thousand attacks such as Worms, Trojans and other malware for up to 43 protocols
Delivered by Juniper in the form of annual subscription fees
  Juniper for Support and for Subscription Updates
  Superior and highly-capable, single, integrated solution with a single Point of Contact

Network Segmentation
Security zones, VLANs, Virtual Routers
  Divide network into logical, secure domains
  Protect network with inter- and intra-zone policies
  A single stop: single policy between zones, versus traditional Router+FW with multiple "stops" for each traffic flow

Key benefits
  Better security
  Divide the network into distinct, secure domains
  Able to assign appropriate levels of security to different user groups
  Competitive differentiator

Diagram (Security Zones, VLANs, Virtual Routers): Trusted Zone, full access to all resources; DMZ; Zone1, hoteling employees: Web, email, key apps; Zone2, guests: Web access only; Internet

Routing and Network Deployment Modes


Simplify Network Integration
Dynamic routing and deployment modes
  Support for transparent, static and dynamic route modes
  Dynamic routing support across entire product line
  OSPF, BGP, RIPv1/2 available on all products
WAN encapsulation support
  FR, MLFR, PPP, MLPPP and HDLC

Benefit
  Automatically learns network configuration
  Facilitates security deployment without network configuration changes
  Simplifies network integration
  Reduces manual configuration efforts
  Facilitates WAN connectivity

Bridge Groups

Interface Configuration Flexibility


Replaces port modes with more flexible means of interface configuration
Group Ethernet ports and wireless ports as L2 switch with one logical L3 interface
  No policy between ports
  Apply policy to bgroup
As policy dictates, Bridge Group interface can act as L2 switch directing traffic to destination

Diagram 1: Bridge Groups as a virtual L2 Switch (labels: Src1, Dst1, Traffic, SSG, bgroup, eth, wireless)
Diagram 2: Bridge Groups as a L3 interface assigned to a Server Farm Security Zone (labels: SSG, bgroup, eth, wireless, Server Farm Security Zone)

Secure, Centralized Management


Centralized control over SSG population
Remote Management
  Secure, centralized management of firewall, VPN, content security, and routing across all devices
Rapid Deployment
  Reduce provisioning time / streamline large deployments
Role-based administration
  Delegate administrative access to key support people by assigning specific tasks to specific individuals
Centralized activation/deactivation of security features
  Application attack protection, Web usage control, Payload attack protection, Spam Control
SSG Family supported by NSM* now
  Schema update may be required

*Some functions (WAN Config) may be CLI only

Diagram label: Network Security Operations

Secure Service Gateway Family


SSG 5: six fixed form factor models, 160 Mbps FW / 40 Mbps VPN
SSG 20: 2 modular models, 160 Mbps FW / 40 Mbps VPN
SSG 140: 350+ Mbps FW / 100 Mbps VPN
SSG 320M: 450+ Mbps FW / 175 Mbps VPN
SSG 350M: 550+ Mbps FW / 225 Mbps VPN
SSG 520M: 650+ Mbps FW / 300 Mbps VPN
SSG 550M: 1+ Gbps FW / 500 Mbps VPN

SSG 5 Overview
Performance and physical characteristics
  160 Mbps FW (large packets) / 90 Mbps FW (IMIX) / 40 Mbps VPN
  Integrated fan w/ temp sensor (wireless only)
Flexible connectivity
  Fixed form factor w/ 7 Fast Ethernet + 1 WAN interface
  Factory configured WAN options include ISDN BRI S/T or V.92 or RS-232 Serial/Aux
  Optional factory configured dual radio 802.11a + 802.11 b/g
  Six models to choose from
Reliability and extensibility
  External AC power supply
  Full Active/Passive and Active/Active (w/ extended license)
  User upgradeable memory

SSG 20 Overview
Performance and physical characteristics
  160 Mbps FW (large packets) / 90 Mbps FW (IMIX) / 40 Mbps VPN
  Integrated fan w/ temp sensor (wireless only)
Flexible connectivity
  5 Fast Ethernet + 2 Mini I/O slots
  Mini PIM options include ADSL2+, T1, E1, ISDN BRI S/T, SFP, serial, and V.92
  Optional factory configured dual radio 802.11a + 802.11 b/g
  Two models to choose from
Reliability and extensibility
  External AC power supply
  Full Active/Passive and Active/Active (w/ extended license)
  User upgradeable memory

SSG 140 Overview


350+ Mbps FW (large packets) / 300 Mbps FW (IMIX) / 100 Mbps VPN
Brings high performance UTM security features to the mid-market
Full Active/Passive and Active/Active HA
Fixed 10/100 and 10/100/1000 interfaces
(4) interface expansion slots
  Existing dual-port T1
  Existing dual-port E1
  Existing dual-port Serial

Figure: front view and back view

SSG 140 Interface Support


1. Console and RS-232/Aux interfaces
2. (8) 10/100 interfaces
3. (2) 10/100/1000 interfaces
4. (4) interface expansion slots: 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T, ADSL2+, and G.SHDSL
5. Status LEDs for rear installed I/O cards visible from front

Figure: front view and back view with numbered callouts

SSG 320M and SSG 350M Overview

1RU High, Full Rack Width, 15 Depth
Three modular PIM slots
4-port 10/100/1000 Ethernet ports
Optional Encryption Card
USB, compact flash, Console, AUX
400 Mbps firewall (IMIX), 175 Mbps VPN performance

1.5 RU High, Full Rack Width, 15 Depth
Five modular PIM slots
DC Power supply option
NEBS compliant
500 Mbps firewall (IMIX), 225 Mbps VPN performance

SSG 500 Series Overview


Juniper Networks SSG 550 / SSG 550M
  1 Gbps + FW (large packets) / 1 Gbps FW (IMIX) / 500 Mbps VPN
  600K pps
  6 I/O slots, 4 are enhanced PIM slots, ideal for additional LAN ports
  Dual power supplies, DC optional, NEBS optional
  128K sessions, 1,000 VPN tunnels

Juniper Networks SSG 520 / SSG 520M
  650+ Mbps FW (large packets) / 600 Mbps FW (IMIX) / 300 Mbps VPN
  300K pps
  6 I/O slots, 2 are enhanced PIM slots, ideal for additional LAN ports
  Single power supply, AC or DC
  64K sessions, 500 VPN tunnels

Common Hardware Features
  2U form factor with 4 fixed 10/100/1000 ports
  2 serial RJ45 ports for console access and OOB management
  2 USB ports

uPIMs Universal Physical Interface Modules Supported in ScreenOS 6.0

8 Port 10/100/1000 Copper uPIM
  Supports auto negotiation
  Supports tri-rate (10/100/1000 Mbps) with Half/Full-Duplex modes

16 Port 10/100/1000 Copper uPIM
  Supports auto negotiation
  Supports tri-rate (10/100/1000 Mbps) with Half/Full-Duplex modes

6 Port 1000 Optical uPIM
  Supports both SX, LX, T SFP LC transceiver
  Supports 1000 Full-Duplex mode

uPIMs work in any slot (PCI/PIM and PCI-E/EPIM)

SSG Family Interface Module Summary


Table rows (PIM/EPIM/Mini-PIM):
  1 x T1 Mini-PIM
  1 x E1 Mini-PIM
  1 x ADSL 2+ Mini-PIM
  1 x ISDN BRI S/T Mini-PIM
  1 x V.92 Mini-PIM
  1 x SFP Mini-PIM
  1 x Serial Mini-PIM
  1 x ISDN BRI S/T PIM
  8 x GbE copper uPIM
  16 x GbE copper uPIM
  6 x GbE SFP uPIM
  2 x T1 PIM
  2 x E1 PIM
  2 x Serial PIM
  1 x ADSL/ADSL2/ADSL2+ PIM
  1 x G.SHDSL
  1 x E3 PIM
  1 x DS3 PIM
  4 x FE EPIM
  1 x GbE EPIM
  1 x SFP EPIM

Table columns: SSG 20; SSG 140; SSG 320M / SSG 350M; SSG 520M / SSG 550M

SSG Family Summary


| | SSG 550M | SSG 520M | SSG 350M | SSG 320M | SSG 140 | SSG 20 | SSG 5 |
|---|---|---|---|---|---|---|---|
| FW Mbps (Large Packets) | 1+ Gbps | 650+ Mbps | 550+ Mbps | 450+ Mbps | 350+ Mbps | 160 Mbps | 160 Mbps |
| FW Mbps (IMIX) | 1 Gbps | 600 Mbps | 500 Mbps | 400 Mbps | 300 Mbps | 90 Mbps | 90 Mbps |
| FW PPS (64 Byte) | 600k | 300k | 225k | 175k | 100k | 30k | 30k |
| VPN (1400 Byte) | 500 Mbps | 300 Mbps | 225 Mbps | 175 Mbps | 100 Mbps | 40 Mbps | 40 Mbps |
| IPS (Deep Inspection FW) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Antivirus | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Anti-spam | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Web Filtering | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Modular I/O | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Routing (RIP/OSPF/BGP) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| WAN Encapsulations | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| A/A, A/P HA | Yes | Yes | Yes | Yes | Yes | Optional | Optional |
| Convertible to JUNOS | Yes | Yes | Yes | Yes | No | No | No |

SSG & J-Series Portfolio


Figure: SSG (ScreenOS) and J-Series (JUNOS) platforms across market segments: Micro Branch, Small Office, Managed Service; Small Branch, SME; Branch/Regional, Medium Enterprise; Medium Ent to Large HQ. Legend: common hardware platforms, JUNOS & ScreenOS. Additional M-series, T-series not shown.

SSG Family Summary


Security: Proven ScreenOS + Best-in-class UTM Security features without add-on hardware
  Stateful FW, IPSec VPN, IPS, AV (including Anti-Phishing, Anti-Spyware), Anti-Spam, Web filtering
  Network segmentation via security zones and VLANs
Performance: Purpose built platforms that deliver unmatched price/performance to branch office market
WAN Connectivity: Widest range of FW platforms with WAN interfaces and protocols
Security platforms with LAN and WAN routing capabilities
  Dynamic routing, virtual routers, VPN, high availability, VLANs
  New WAN interfaces and encapsulations taken from J-Series & JUNOS
Centralized management with NSM

ISG

ISG Overview
Purpose-built HW and SW
  Built from the ground up
  ASIC-based platforms
  Security-hardened
  Proprietary ScreenOS Operating System
Network layer security and features
  Network attack protection
  Virtualization
  High-performance IPSec VPN
  Network features including dynamic routing and ALGs
Application layer security (Optional)
  Multi-detection methods for mitigating attacks
  Daily signature updates
  Zero-day coverage

ISG 1000 and ISG 2000


| | ISG 1000 | ISG 2000 |
|---|---|---|
| Max Throughput: Firewall | 2 Gbps | 4 Gbps |
| Max Throughput: IPSec VPN (3DES/AES) | 1 Gbps | 2 Gbps |
| Packets per Second: FW | 1.5 Million | 3 Million |
| Packets per Second: VPN | 1.5 Million | 1.5 Million |
| Max Sessions | 500,000 | 1 Million |
| VPN Tunnels | 2,000 | 10,000 |
| Max Throughput: IDP | Up to 1 Gbps | Up to 2 Gbps |
| Supported Security Modules (IDP) | Up to 2 | Up to 3 |
| Fixed I/O Interfaces | Four 10/100/1000 Mbps | 0 |
| Max Interfaces | Up to 20 | Up to 28 |
| Number of I/O Modules | 2 | 4 |

Juniper Networks ISG 2000 & ISG1000 with Integrated IDP

ISG 2000: 3 Security Blades
ISG 1000: 2 Security Blades

Management NetScreen Security Manager

3-Tier Management
Figure labels: Common User Interface; Centralized NSM Server (NSM); ISG with IDP; SSGs; IDP Appliances

Security Management Requirements


Must manage the entire device lifecycle
Needs to accommodate different tasks, management levels
Different people within organization need access: Network Admin, Upper Management, Ops, Security Admin, Audit

| Management Level | Deploy | Configure | Monitor | Upgrade |
|---|---|---|---|---|
| Security | Define security of entire network | Push device-specific policy out | Attack logs, Reports, Profiler, Security Explorer | Signature updates, Policy adjustment |
| Network | VPN modeling, L2/L3 routing | VPN config, Route tables, Routing, VLAN | VPN monitoring, Network failure recognition | VPN changes, Adjust routing |
| Device | Remote installation, Initial config | Interfaces, Licenses, OS version | HA monitoring, HW monitoring (interfaces up/down, power failure) | OS upgrade, Device config changes |

The Device Lifecycle
Design, Deploy; Configure; Monitor, Maintain; Upgrade, Adjust

Complete Investigative Toolkit
Tools shown: Policy, Reports, Profiler, Log Viewer, Security Explorer, Log Investigator, Dashboard
Multiple, integrated tools offer wide variety of information
See all firewall and IDP data in one place
Jump to policy for Closed Loop Investigation
