juniper
Post on 19-Jul-2015
Juniper Networks
Portfolio Overview
Piotr Kędra, pkedra@juniper.net
More Than A Decade of Innovation
[Figure: company timeline from 1996 to 2008 showing product introductions (M-Series, T-Series, SSG, UAC, STRM, 10 Gb IDP, MX, EX-series, T-1600) plotted against revenue ($500M to $2.8B) and employees (1000 to 5800+).]
Juniper's Portfolio Breadth
Routing: Deliver high levels of security, uptime and performance with simplified operations in converged IP and IP/MPLS infrastructures through professional-grade routers based on the advanced, modular JUNOS OS.
Switches: The EX switches run under the JUNOS software, which provides Layer 2 and Layer 3 switching, routing, and security services. The same JUNOS code base runs on all Juniper Networks routing platforms.
Integrated Firewall/VPN: Integrated security devices with Stateful firewall and IPSec VPN, including models with integrated IDP for the Data Center and integrated Unified Threat Management at the branch office.
Secure Access SSL VPN: Eliminate the need for client access software, changes to internal servers, and costly ongoing maintenance & desktop support while providing added security through endpoint validation agents.
Intrusion Detection and Prevention: Stand alone or integrated intrusion prevention with comprehensive protection against current and emerging threats at both application and network layer. Day Zero protection against worms, Trojans, spyware, keyloggers, and other malware.
UAC: Enables access control for guests, contractors and employees. Provides enforcement using any vendor's 802.1X-enabled infrastructure, existing Juniper firewalls or both.
WAN Acceleration: Provide a scalable approach to accelerating application performance, increasing WAN capacity, and enabling application prioritization and visibility in speeds from 64 Kbps to 155 Mbps.
Management: Common management system (NSM, NSMXpress); Log Management and SIEM (Security Information and Event Management) system (STRM).
Gartner Magic Quadrants
Juniper, a proven leader in all categories
[Figure: Gartner Magic Quadrant panels: FW/VPN, SSL VPN, WAN Optimization, IPS, IPSec]
Current Trends
By 2007, 50% of the companies surveyed will significantly increase their WAN access bandwidth (Infonetics)
More employees working away from main offices
  91% of employees in companies of all sizes work outside of main office (Nemertes Research)
Security risks continue
  In 2005, 56% of companies had at least 1 internal attack
  65% had at least 1 external attack (CSI/FBI 2005 survey)
Small to medium business FW opportunity in 2006 = $1 Billion (Infonetics)
[Figure: small business network labelled with DMZ, Internal security, Content protection, No IT staff, Bandwidth usage, Direct Internet, Remote mgmt, Wi-Fi, Internet]
Small to Medium Branch Office / Business Characteristics
Smaller in scale, but not necessarily less complex than big businesses or HQ sites
  Multiple local networks
  More complicated security due to environment, support, etc.
  Many devices on a per capita basis
  No local IT help
Range of WAN connections: from DS3 to low speed modem
Require protection for owned and non-owned IT assets
  Firewall, VPN, IPS and File-based AV scanning, Spyware detection
  Internal network segmentation for attack mitigation, access control
[Figure: branch office network labelled with 100+ Mbps; Outbound link = > T1, DSL, DS3; IPSec; Local Apps; Internet; Users; WLAN; www]
Ideal Solution
Protect the network, stop all manner of attacks with a rich set of proven security features
  Network, application and content level attack protection
Performance headroom to protect high speed LAN
  Protect network with processing intensive UTM security apps
Broad range of LAN and WAN connectivity options
  Interface cards and supporting protocols / encapsulations
Easily managed from centralized location
Secure Service Gateway Family
Secure Services Gateway (SSG) family integrates proven security of ScreenOS and WAN connectivity to deliver secured and assured networking
  New levels of price/performance and I/O flexibility
  Unified Threat Management features complement FW, IPSec VPN
Ideal small to medium stand alone business / branch office offerings
  Can be deployed as a traditional Firewall, as a Site-to-Site VPN and as a Security Router
Models: SSG 5, SSG 20, SSG 140, SSG 320M, SSG 350M, SSG 520M, SSG 550M
ScreenOS: Proven Enterprise Class Security
UTM Features / Content Security: Anti-virus/Anti-spyware, Web filtering, Anti-spam, IPS (Deep Inspection)
  Integrated Unified Threat Management (UTM) security features
  IPS (Deep Inspection), Antivirus (includes Anti-Spyware, Anti-Phishing), Anti-Spam, Web filtering
Network Security Features: FW, IPSec VPN, DoS/DDoS, User auth.
  Network security features / Access control
  Stateful firewall, IPSec VPN, NAT, DoS protection, user authentication, Auto-Connect VPN
Networking: Security Zones, Dynamic Routing, Deployment Modes, WAN Encapsulations
  Rich networking and virtualization capabilities
  Segmentation (Zones, VLANs) to divide the network into secure segments
  Combines ScreenOS deployment modes, dynamic routing and high availability with select JUNOS WAN encapsulations
SSG Purpose-Built Hardware Platform: Mgmt/Modem, LAN & WAN I/O
Unified Threat Management (UTM) Features
Stop Common and Emerging Threats
Inbound Threats
  IPS: Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Recon, Scans
  AV: Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware, Adware, Keyloggers
  Anti Spam: Symantec stops Spam / Phishing
  Core Security: Juniper Stateful Firewall, VPN, Access Control
Outbound Threats
  IPS: Juniper IDP detects/stops Worms, Trojans
  Web Filtering: SurfControl blocks Spyware / Phishing / Unapproved Site Access
  AV: Kaspersky Lab AV stops Viruses, file-based Trojans or spread of Spyware, Adware, Keyloggers
  Core Security: Juniper Stateful Firewall, VPN, Access Control
UTM Security Backed by Best-In-Class Partners
Integrated Kaspersky Antivirus solution blocks thousands of viruses PLUS Spyware / Adware / Keyloggers
  Instant message AV: inspects content of Instant Messaging (chat, file transfers, etc.) for worms and viruses in similar fashion as rest of network traffic
Integrated or redirect Web filtering with SurfControl blocks outbound access to known Spyware, Phishing, & Virus download sites
  Integrated via SurfControl or redirect via SurfControl or Websense
Integrated Anti-Spam from Symantec
  Brightmail-based database blocks (and/or tags) spam by using robust IP based, constantly updated worldwide list of spammers and phishers
Intrusion Prevention (Deep Inspection) detects several thousand attacks such as Worms, Trojans and other malware for up to 43 protocols
Delivered by Juniper in the form of an annual subscription
  Fees: Juniper for Support and for Subscription Updates
  Superior and highly-capable, single, integrated solution with a single Point of Contact
Network Segmentation
Security Zones, VLANs, Virtual Routers
  Divide network into logical, secure domains
  Protect network with Inter-, Intra-zone policies
  A single "stop" (Single Policy Between Zones), versus Traditional Router+FW with multiple "stops" for each traffic flow
Key benefits
  Better Security
  Divide the network into distinct, secure domains
  Able to assign appropriate levels of security to different user groups
Competitive differentiator
[Figure: security zones: Trusted Zone (full access to all resources); DMZ; Zone1 (hoteling employees: Web, email, key apps); Zone2 (guests: Web access only); Internet]
Routing and Network Deployment Modes
Simplify Network Integration
Dynamic routing and deployment modes
  Support for transparent, static and dynamic route modes
  Dynamic routing support across entire product line
  OSPF, BGP, RIPv1/2 available on all products
WAN encapsulation support
  FR, MLFR, PPP, MLPPP and HDLC
Benefit
  Automatically learns network configuration
  Facilitates security deployment without network configuration changes
  Simplifies network integration
  Reduces manual configuration efforts
  Facilitates WAN connectivity
Bridge Groups
Interface Configuration Flexibility
Replaces port modes with more flexible means of interface configuration
Group Ethernet ports and Wireless ports as L2 Switch with one logical L3 interface
  No policy between ports
  Apply policy to bgroup
As policy dictates, Bridge Group interface can act as L2 switch directing traffic to destination
[Figure: two SSG diagrams with bgroups of eth and wireless ports: Bridge Groups as a virtual L2 Switch (traffic from Src1 to Dst1); Bridge Groups as a L3 interface assigned to a Server Farm Security Zone]
Secure, Centralized Management
Centralized control over SSG population
Remote Management
  Secure, centralized management of firewall, VPN, content security, and routing across all devices
Rapid Deployment
  Reduce provisioning time / streamline large deployments
Role-based administration
  Delegate administrative access to key support people by assigning specific tasks to specific individuals
Centralized activation/deactivation of security features
  Application attack protection, Web usage control, Payload attack protection, Spam Control
SSG Family supported by NSM* now
  Schema update may be required
*Some functions (WAN Config) may be CLI only
[Figure: Network Security Operations]
Secure Service Gateway Family
SSG 5: Six fixed form factor models, 160 Mbps FW / 40 Mbps VPN
SSG 20: 2 modular models, 160 Mbps FW / 40 Mbps VPN
SSG 140: 350+ Mbps FW / 100 Mbps VPN
SSG 320M: 450+ Mbps FW / 175 Mbps VPN
SSG 350M: 550+ Mbps FW / 225 Mbps VPN
SSG 520M: 650+ Mbps FW / 300 Mbps VPN
SSG 550M: 1+ Gbps FW / 500 Mbps VPN
SSG 5 Overview
Performance and physical characteristics
  160 Mbps FW (large packets) / 90 Mbps FW (IMIX) / 40 Mbps VPN
  Integrated Fan w/Temp Sensor (wireless only)
Flexible connectivity
  Fixed form factor w/ 7 Fast Ethernet + 1 WAN interface
  Factory configured WAN options include ISDN BRI S/T or V.92 or RS-232 Serial/Aux
  Optional factory configured Dual radio 802.11a + 802.11 b/g
  Six models to choose from
Reliability and extensibility
  External AC power supply
  Full Active/Passive and Active/Active (w/ extended license)
  User upgradeable memory
SSG 20 Overview
Performance and physical characteristics
  160 Mbps FW (large packets) / 90 Mbps FW (IMIX) / 40 Mbps VPN
  Integrated Fan w/Temp Sensor (wireless only)
Flexible connectivity
  5 Fast Ethernet + 2 Mini I/O slots
  Mini PIM options include ADSL2+, T1, E1, ISDN BRI S/T, SFP, serial, and V.92
  Optional factory configured Dual radio 802.11a + 802.11 b/g
  Two models to choose from
Reliability and extensibility
  External AC power supply
  Full Active/Passive and Active/Active (w/ extended license)
  User upgradeable memory
SSG 140 Overview
350+ Mbps FW (large packets) / 300 Mbps FW (IMIX) / 100 Mbps VPN
Brings high performance UTM Security features to the mid-market
Full Active/Passive and Active/Active HA
Fixed 10/100 and 10/100/1000 interfaces
(4) interface expansion slots
  Existing dual Port T1
  Existing dual Port E1
  Existing Dual Port Serial
[Figure: SSG 140 front view and back view]
SSG 140 Interface Support
1. Console and RS-232/Aux interfaces
2. (8) 10/100 interfaces
3. (2) 10/100/1000 interfaces
4. (4) interface expansion slots: 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T, ADSL2+, and G.SHDSL
5. Status LEDs for rear installed I/O cards visible from front
[Figure: SSG 140 front view and back view with callouts 1 to 5]
SSG 320M and SSG 350M Overview
SSG 320M
  1RU High, Full Rack Width, 15 Depth
  Three modular PIM slots
  4-port 10/100/1000 Ethernet ports
  Optional Encryption Card
  USB, compact flash, Console, AUX
  400 Mbps firewall (IMIX), 175 Mbps VPN performance
SSG 350M
  1.5 RU High, Full Rack Width, 15 Depth
  Five modular PIM slots
  DC Power supply option
  NEBS compliant
  500 Mbps firewall (IMIX), 225 Mbps VPN performance
SSG 500 Series Overview
Juniper Networks SSG 550 / SSG 550M
  1 Gbps + FW (large packets) / 1 Gbps FW (IMIX) / 500 Mbps VPN
  600K pps
  6 I/O slots, 4 are enhanced PIM slots, ideal for additional LAN ports
  Dual power supplies, DC optional, NEBS optional
  128K sessions, 1,000 VPN tunnels
Juniper Networks SSG 520 / SSG 520M
  650+ Mbps FW (large packets) / 600 Mbps FW (IMIX) / 300 Mbps VPN
  300K pps
  6 I/O slots, 2 are enhanced PIM slots, ideal for additional LAN ports
  Single power supply, AC or DC
  64K sessions, 500 VPN tunnels
Common Hardware Features
  2U form factor with 4 fixed 10/100/1000 Ports
  2 serial RJ45 ports for console access and OOB Management
  2 USB ports
uPIMs: Universal Physical Interface Modules
Supported in ScreenOS 6.0
8 Port 10/100/1000 Copper uPIM
  Supports Auto negotiation
  Supports tri-rate (10/100/1000 Mbps) with Half/Full-Duplex modes
16 Port 10/100/1000 Copper uPIM
  Supports Auto negotiation
  Supports tri-rate (10/100/1000 Mbps) with Half/Full-Duplex modes
6 Port 1000 Optical uPIM
  Supports SX, LX and T SFP LC transceivers
  Supports 1000 Full-Duplex mode
uPIMs work in any slot (PCI/PIM and PCI-E/EPIM)
SSG Family Interface Module Summary
PIM/EPIM/Mini-PIM modules: 1 x T1 Mini-PIM, 1 x E1 Mini-PIM, 1 x ADSL 2+ Mini-PIM, 1 x ISDN BRI S/T Mini-PIM, 1 x V.92 Mini-PIM, 1 x SFP Mini-PIM, 1 x Serial Mini-PIM, 1 x ISDN BRI S/T PIM, 8 x GbE copper uPIM, 16 x GbE copper uPIM, 6 x GbE SFP uPIM, 2 x T1 PIM, 2 x E1 PIM, 2 x Serial PIM, 1 x ADSL/ADSL2/ADSL2+ PIM, 1 x G.SHDSL, 1 x E3 PIM, 1 x DS3 PIM, 4 x FE EPIM, 1 x GbE EPIM, 1 x SFP EPIM
Platforms: SSG 20, SSG 140, SSG 320M / SSG 350M, SSG 520M / SSG 550M
SSG Family Summary

                          SSG 550M   SSG 520M   SSG 350M   SSG 320M   SSG 140    SSG 20     SSG 5
FW Mbps (Large Packets)   1+ Gbps    650+ Mbps  550+ Mbps  450+ Mbps  350+ Mbps  160 Mbps   160 Mbps
FW Mbps (IMIX)            1 Gbps     600 Mbps   500 Mbps   400 Mbps   300 Mbps   90 Mbps    90 Mbps
FW PPS (64 Byte)          600k       300k       225k       175k       100k       30k        30k
VPN (1400 Byte)           500 Mbps   300 Mbps   225 Mbps   175 Mbps   100 Mbps   40 Mbps    40 Mbps
IPS (Deep Inspection FW)  Yes        Yes        Yes        Yes        Yes        Yes        Yes
Antivirus                 Yes        Yes        Yes        Yes        Yes        Yes        Yes
Anti-spam                 Yes        Yes        Yes        Yes        Yes        Yes        Yes
Web Filtering             Yes        Yes        Yes        Yes        Yes        Yes        Yes
Modular I/O               Yes        Yes        Yes        Yes        Yes        Yes        No
Routing (RIP/OSPF/BGP)    Yes        Yes        Yes        Yes        Yes        Yes        Yes
WAN Encapsulations        Yes        Yes        Yes        Yes        Yes        Yes        Yes
A/A, A/P HA               Yes        Yes        Yes        Yes        Yes        Optional   Optional
Convertible to JUNOS      Yes        Yes        Yes        Yes        No         No         No
SSG & J-Series Portfolio
Common Hardware Platforms, JUNOS & ScreenOS
[Figure: ScreenOS and JUNOS platforms positioned by segment: Micro Branch, Small Office, Managed Service; Small Branch, SME; Branch/Regional, Medium Enterprise; Medium Ent to Large HQ. Additional M-series, T-series not shown.]
SSG Family Summary
Security: Proven ScreenOS + Best-in-class UTM
  Security features without add-on hardware
  Stateful FW, IPSec VPN, IPS, AV (including Anti-Phishing, Anti-Spyware), Anti-Spam, Web filtering
  Network segmentation via security zones and VLANs
Performance: Purpose built platforms that deliver unmatched price/performance to branch office market
WAN Connectivity: Widest range of FW platforms with WAN interfaces and protocols
  Security platforms with LAN and WAN routing capabilities
  Dynamic routing, virtual routers, VPN, high availability, VLANs
  New WAN interfaces and encapsulations taken from J-Series & JUNOS
Centralized management with NSM
ISG
ISG Overview
Purpose-built HW and SW
  Built from the ground up
  ASIC-based platforms
  Security-hardened
  Proprietary ScreenOS Operating System
Network layer security and features
  Network attack protection
  Virtualization
  High-performance IPSec VPN
  Network features including dynamic routing and ALGs
Application layer security (Optional)
  Multi-detection methods for mitigating attacks
  Daily signature updates
  Zero-day coverage
ISG 1000 and ISG 2000

                                       ISG 1000                ISG 2000
Max Throughput: Firewall               2 Gbps                  4 Gbps
Max Throughput: IPSec VPN (3DES/AES)   1 Gbps                  2 Gbps
Packets per Second: FW                 1.5 Million             3 Million
Packets per Second: VPN                1.5 Million             1.5 Million
Max Sessions                           500,000                 1 Million
VPN Tunnels                            2,000                   10,000
Max Throughput: IDP                    Up to 1 Gbps            Up to 2 Gbps
Supported Security Modules (IDP)       Up to 2                 Up to 3
Fixed I/O Interfaces                   Four 10/100/1000 Mbps   0
Max Interfaces                         Up to 20                Up to 28
Number of I/O Modules                  2                       4
Juniper Networks ISG 2000 & ISG 1000 with Integrated IDP
ISG 2000: 3 Security Blades
ISG 1000: 2 Security Blades
Management: NetScreen Security Manager
3-Tier Management
[Figure: NSM three-tier architecture: Common User Interface; Centralized NSM Server; managed devices (ISG with IDP, SSGs, IDP Appliances)]
Security Management Requirements
Must manage the entire device lifecycle
Needs to accommodate different tasks, management levels
Different people within organization need access: Network Admin, Upper Management, Ops, Security Admin, Audit
Device Lifecycle by Management Level
Security
  Deploy: Define security of entire network
  Configure: Push device-specific policy out
  Monitor: Attack Logs, Reports, Profiler, Security Explorer
  Upgrade: Signature updates, Policy adjustment
Network
  VPN modeling, L2/L3 Routing
  VPN config, Route tables, Routing, VLAN
Device
  VPN monitoring, Network failure recognition, HA monitoring, HW monitoring (interfaces up/down, power failure)
  VPN changes, Adjust routing
  Remote installation, Initial config
  Interfaces, Licenses, OS version
  OS upgrade, Device config changes
Complete Investigative Toolkit
Multiple, integrated tools offer a wide variety of information
See all firewall and IDP data in one place
Jump to policy for Closed Loop Investigation
[Figure: The Device Lifecycle (Design, Deploy; Configure; Monitor, Maintain; Upgrade, Adjust) with tools: Policy, Reports, Profiler, Log Viewer, Security Explorer, Log Investigator, Dashboard]