Juniper Security Products and Solutions Overview
Copyright © 2003 / 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Juniper Security Products and
Solutions Overview
Stephen Philip Senior Director - Product Marketing
Security Products Group
Agenda
• Juniper leadership in Security
• Juniper Product Portfolio
• Juniper Solutions by Location: Campus, WAN Gateway, Data Center, Distributed Organization, Extended Organization
Juniper Leadership in Security
Juniper in the Leadership quadrant for:
• Firewall
• IPSec VPN
• SSL VPN
• IPS
• #2 in Network Security (passed Check Point in Q2)
• #1 in High-End FW/VPN
• #1 in SSL VPN
• Growing faster than the inline IPS market
Recognized as leader by Gartner, by the press, and by our customers
[Customer logo: U.S. Department of Labor]
Source: Infonetics Q2-2006
Proven, Best-in-Class Innovation
[Portfolio diagram: Policy, Control & Visibility (UAC IC, AAA, OAC, NSM); Security/VPN (SSG); Routing; Application Front End; WAN Optimization; Secure Access]
Evolving Challenges and Requirements
[Diagram labels: Campus; Organization]
Need a secure and resilient infrastructure able to deliver differentiated applications and services across the network
• Single IP infrastructure – demanding applications require network performance
• Virtual Organizations – dynamic perimeters; different users, devices, locations and trust levels
• Elevated threat environment – application-level attacks and worm propagation
• Regulatory compliance (now global) – granular access controls and auditing
Solutions for the Extended Organization
[Diagram labels: IP Network; Data Center; RA or Extranet DMZ; customer logo: U.S. Department of Labor]
Assessment & Containment
• Native checks
• Client/Server APIs
• Remediation
• Cache Cleaner
• Virtual Environments
• Connection Control
1. Endpoint Assessment & Authentication
2. Trusted Transport (IPSec or SSL)
3. Authorize, Enforce & Log
Extended Organization Challenges
• Deliver applications securely and appropriately to employees, contractors, partners, suppliers anywhere, anytime
• Provision and manage 1000s of endpoints
• Handle non-owned devices and networks
Extended Organization Solutions
• Client-less model reduces management overhead
• SSL VPN per-user, per-application controls
• Endpoint integrity, quarantine, remediation
• Application Acceleration (AFE) improves download times & availability
Juniper’s Coordinated Threat Control
[Diagram labels: LAN; Business Partner; Telecommuter]
Correlated Threat Information
• Identity
• Endpoint
• Access history
• Detailed traffic & threat information
Comprehensive Threat Detection and Prevention
• Ability to detect and prevent malicious traffic
• Full layer 2-7 visibility into all traffic
• Proven, market-leading technology
Coordinated Identity-Based Threat Response
• Manual or automatic response
• Multiple response options: terminate, disable, or quarantine user
• Supplements IDP’s threat prevention
• Self-registration technology for easy configuration
Flow: IDP detects the threat and signals SA (Secure Access); SA identifies the user and takes action on the user session
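The IDP-to-SA signalling above is a correlation problem: the IDP sees packets and a source IP, while the SSL VPN gateway is the only component that can map that IP back to an authenticated user and act on the session. The Python below is an added example written for this page, not Juniper IDP or Secure Access code; the alert line format, session table, IP addresses, user names and the severity-to-action mapping are all constructed for illustration. It also handles the case the slide does not mention: an alert whose source has no active VPN session, which cannot be attributed to a user and is left to the IDP's own inline prevention.

```python
"""Identity-based threat response: correlate IDP alerts with SSL VPN sessions.

Added example for this page, not Juniper IDP or Secure Access (SA) code.
Everything below (alert format, session table, addresses, users, and the
severity-to-action policy) is constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    role: str
    active: bool = True


@dataclass
class SecureAccess:
    """Minimal model of the SA side: session table plus response actions."""
    sessions: dict                      # tunnel IP -> Session
    disabled_users: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # (user, action, reason)

    def user_for_ip(self, ip):
        s = self.sessions.get(ip)
        return s.user if s and s.active else None

    def act(self, ip, action, reason):
        """terminate: drop the session; disable: drop it and block re-login;
        quarantine: keep the session but restrict it to a remediation role."""
        s = self.sessions[ip]
        if action == "terminate":
            s.active = False
        elif action == "disable":
            s.active = False
            self.disabled_users.add(s.user)
        elif action == "quarantine":
            s.role = "Quarantine"
        self.audit.append((s.user, action, reason))


# Constructed IDP alert format, e.g.
# "IDP: attack=HTTP:SQL-INJ severity=HIGH src=10.200.0.42 dst=10.1.5.20"
ALERT_RE = re.compile(
    r"attack=(?P<attack>\S+)\s+severity=(?P<sev>\w+)\s+src=(?P<src>[\d.]+)")

# Response policy (assumption): severity -> SA action. Unknown -> log only.
RESPONSE = {"CRITICAL": "terminate", "HIGH": "quarantine",
            "MEDIUM": "disable", "LOW": "log"}


def parse_alert(line):
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def process_alert(sa, line, policy=RESPONSE):
    """Return (src_ip, user, action). Unattributed alerts get no user action:
    the source has no active VPN session, so the IDP's own inline prevention
    is the only control that applies."""
    alert = parse_alert(line)
    if alert is None:
        return None
    src = alert["src"]
    user = sa.user_for_ip(src)
    if user is None:
        return (src, None, "unattributed")
    action = policy.get(alert["sev"].upper(), "log")
    if action == "log":
        sa.audit.append((user, "log", alert["attack"]))
    else:
        sa.act(src, action, alert["attack"])
    return (src, user, action)


def demo():
    """Run a constructed batch of alerts against a constructed session table."""
    sa = SecureAccess(sessions={
        "10.200.0.17": Session("jsmith", "Employee"),
        "10.200.0.42": Session("contractor01", "Contractor"),
    })
    lines = [
        "IDP: attack=HTTP:SQL-INJ severity=HIGH src=10.200.0.42 dst=10.1.5.20",
        "IDP: attack=SCAN:PORTSWEEP severity=LOW src=10.200.0.17 dst=10.1.5.0",
        "IDP: attack=WORM:PROPAGATE severity=CRITICAL src=10.200.0.17 dst=10.1.5.21",
        "IDP: attack=FTP:BOUNCE severity=MEDIUM src=192.0.2.9 dst=10.1.5.22",
    ]
    return sa, [process_alert(sa, line) for line in lines]


if __name__ == "__main__":
    sa, results = demo()
    for r in results:
        print(r)
```

Once a session has been terminated, later alerts from the same tunnel address come back as unattributed rather than being charged to the old user, which is what you want when the address can be reassigned at the next login.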
Solutions for the Campus
Campus Challenges
• Protect against outside/inside threats
• Segment resources, users, departments
• Provide secure WLAN access
• Scaling across large or multiple campuses
Campus Solutions
• Department & virtual firewalls protect departmental resources
• Intrusion Prevention mitigates and contains threats
• 802.1X & SSL VPN secured WLAN
• Large L3 routed campuses
• Unified Access Control solution: Infranet Controller, Agent and Enforcer
[Diagram labels: Campus #1; Campus #2; Departments; Internet]
Unified Access Control Overview
[Diagram: Agent on the endpoint; Central Policy Manager (endpoint profiling, user auth, endpoint policy) backed by AAA servers and identity stores; Dynamic Role Provisioning; 802.1X controls user admission to network resources; Firewall Enforcers control user access to protected resources]
Unified Access Control Overview (continued)
• AAA with SBR (Steel-Belted Radius)
• Agent with OAC (Odyssey Access Client)
Introducing UAC 2.0
• UAC 2.0 interoperates with any 802.1X infrastructure, wired or wireless
• UAC 2.0 is TNC (Trusted Network Connect) compliant for a truly open architecture
• Access control for guests, contractors and employees
• UAC 2.0 can be deployed via:
  • 802.1X only
  • Overlay with firewall only
  • Both, for maximum granularity
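The two flows on these slides (Extended Organization: endpoint assessment, trusted transport, authorize/enforce/log; UAC: endpoint profiling plus user authentication feeding dynamic role provisioning, enforced by 802.1X and/or firewall enforcers) share one decision: which role an endpoint gets, given who the user is and what state the device is in. The Python below is an added example for this page, not Infranet Controller, OAC or Secure Access code. The identity store, posture checks and threshold, role names, VLAN numbers and policy strings are constructed assumptions. It shows the least-privilege choices the slides imply (failed posture goes to a remediation-only Quarantine role before any resource access; a non-owned device never gets the most privileged role; an unknown or unauthenticated user is a Guest) and the three UAC 2.0 deployment modes as different enforcement outputs.

```python
"""Dynamic role provisioning from identity plus endpoint posture.

Added example for this page; not Juniper UAC/IC, OAC or SA code. It models
the control flow the slides describe (endpoint assessment -> authentication
-> role -> enforcement by 802.1X VLAN and/or firewall enforcer). The
identity store, posture thresholds, role names, VLAN numbers and policy
strings are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Endpoint:
    managed: bool          # corporate-owned, agent installed
    av_running: bool
    av_sig_age_days: int
    patched: bool


@dataclass
class Decision:
    role: str
    vlan: int              # what an 802.1X enforcer (switch) would assign
    fw_policies: list      # what an overlay firewall enforcer would push
    reasons: list


# Constructed identity store: user -> group memberships returned by AAA.
IDENTITY_STORE = {
    "jsmith": {"employees", "finance"},
    "contractor01": {"contractors"},
}

MAX_SIG_AGE_DAYS = 7       # posture threshold (assumption)

# Role -> (VLAN, firewall policies). Quarantine reaches only remediation.
ROLES = {
    "Finance":    (10, ["permit finance-servers", "permit internet"]),
    "Employee":   (20, ["permit intranet", "permit internet"]),
    "Contractor": (30, ["permit project-share"]),
    "Guest":      (90, ["permit internet"]),
    "Quarantine": (99, ["permit remediation-server"]),
}


def assess_posture(ep):
    """Return the list of failed checks (empty list means compliant)."""
    failures = []
    if not ep.av_running:
        failures.append("av-not-running")
    if ep.av_sig_age_days > MAX_SIG_AGE_DAYS:
        failures.append("av-signatures-stale")
    if not ep.patched:
        failures.append("os-unpatched")
    return failures


def provision(user, authenticated, ep, store=IDENTITY_STORE):
    """Map (identity, posture) to a role, choosing least privilege on doubt."""
    reasons = []
    groups = store.get(user, set()) if authenticated else set()
    if not groups:
        role = "Guest"
        reasons.append("unauthenticated-or-unknown-user")
    else:
        failures = assess_posture(ep)
        if failures:
            role = "Quarantine"          # remediate first, then re-assess
            reasons.extend(failures)
        elif not ep.managed:
            # Non-owned device: never the most privileged role.
            role = "Contractor" if "contractors" in groups else "Employee"
            reasons.append("unmanaged-device")
        elif "finance" in groups:
            role = "Finance"
        elif "employees" in groups:
            role = "Employee"
        else:
            role = "Contractor"
    vlan, policies = ROLES[role]
    return Decision(role, vlan, list(policies), reasons)


def enforcement(decision, mode):
    """UAC 2.0 deployment modes: '802.1x', 'firewall' or 'both'."""
    out = {}
    if mode in ("802.1x", "both"):
        out["vlan"] = decision.vlan
    if mode in ("firewall", "both"):
        out["policies"] = decision.fw_policies
    return out


if __name__ == "__main__":
    ok = Endpoint(managed=True, av_running=True, av_sig_age_days=1, patched=True)
    d = provision("jsmith", True, ok)
    print(d)
    print(enforcement(d, "both"))
```

In the 802.1X-only mode the decision collapses to a VLAN, so resource-level granularity is whatever the network behind that VLAN provides; the overlay firewall mode carries per-resource policy but cannot stop an endpoint from talking to its own segment. Running both is what the slide calls maximum granularity.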
Solutions for the Data Center
Data Center Challenges
• Protect data, servers, infrastructure
• Maximize performance, availability, resiliency
• Consolidate and simplify architecture
• Terminate 1000s of VPN connections
Data Center Solutions
• High-performance edge service routers provide 10x over competing solutions
• High-performance firewall/VPN/security gateway
• Intrusion Prevention mitigates threats
• SSL for secure access
• AFE accelerates applications to users
• WAN Optimizer accelerates applications to sites
[Diagram labels: Internet; High-performance Routing; Integrated IPS/FW/VPN; Secure Access (SSL); AFE Application Acceleration (SLB, Web Acceleration/Cache, SSL Offload); WAN Optimization; Web Servers; App Servers; Databases]
How the WAN slows applications
Problems in the WAN pipe: limited bandwidth; latency; application contention (lower-priority apps slow down critical ones); protocol chattiness; inability to understand application and WAN performance
Accelerating Applications over the WAN
• Acceleration: compression, caching (more rich content)
• Application Control
• Visibility and Reporting
• Manageability
[Diagram labels: VoIP; Web; Oracle; SAP]
Solutions for the WAN Gateway
WAN Gateway Challenges
• Maximize availability, resiliency, quality
• Protect public-facing servers and infrastructure
• Optimal support for broad mix of applications & traffic
• Massive number of VPN connections or large-bandwidth single tunnels
WAN Gateway Solutions
• High-performance enterprise routers provide 10x over competing solutions
• MPLS for improved quality and traffic engineering
• High-performance firewall/VPN, security gateway
• Intrusion Prevention mitigates threats
• SSL VPN Gateway for secure access
• WAN Optimization to remote locations
[Diagram labels: IP Network; Campus; Data Center; DMZ; RA or Extranet DMZ; VoIP DMZ; customer logo: City of Burbank]
WAN Gateway Requirements
[Diagram axes: Value & Number of Connections; Application Awareness / Protection; Average Packet Size; Latency & Sensitivity]
• Provide high performance for large and small packet traffic mix
• Make traffic decisions with low latency to ensure applications are not affected
• Handle traffic load, complexity & availability requirements as the number & value of connections increase
• Understand application requirements and prevent/mitigate application-level attacks
[Diagram labels: Internet; SSL VPN DMZ; Web; Partner DMZ; FTP; SSL DMZ; RADIUS]
Juniper Networks ISG Ground-up Design
ISG 2000:
• I/O Modules (four slots) carrying network traffic
• ASIC Module: GigaScreen3 ASIC, 1 GB RAM, programmable processors
• Security Modules (for IPS): up to three, each dual 1 GHz PowerPC CPU, 2 GB RAM, FPGA
• Management Module: dual 1 GHz PowerPC CPU, 2 GB RAM
ISG 1000:
• Fixed I/O plus I/O modules carrying network traffic
• ASIC Module: GigaScreen3 ASIC, 1 GB RAM, programmable processors
• Security Modules (for IPS): up to two, each dual 1 GHz PowerPC CPU, 2 GB RAM, FPGA
• Management Module: dual 1 GHz PowerPC CPU, 2 GB RAM
Processing power unmatched by any competitive offering
Solutions for the Distributed Organization
Distributed Organization Challenges
• Protect data, servers, infrastructure
• Improve application performance
• Maximize availability, resiliency
• Simplify architecture, management
Distributed Organization Solutions
• Intrusion Prevention mitigates threats
• Dedicated & multi-function firewalls
• WAN Optimization for branch offices
• Resilient, secure VPN to branch offices
• MPLS VPN for QoS and traffic engineering to regional offices
[Diagram labels: IP/MPLS Network; HQ; Regional Offices; Internet back-hauled branch; Small Branch (1000s) with split tunnels; Retail Office (1000s) with WiFi access; Remote Campus with split tunnel]
Best in Class Security – Secure Services Gateway
SSG 5 – six fixed form-factor models
• 7 Fast Ethernet + 1 WAN interface
• ISDN BRI S/T, V.92, Serial
• Dual radio 802.11a + 802.11b/g variants of each
• 160 Mbps FW / 40 Mbps VPN
SSG 20 – two modular models
• 5 Fast Ethernet + 2 Mini I/O slots
• Mini PIM options include ADSL2+, T1, E1, ISDN BRI S/T, V.92 at FCS
• Dual radio 802.11a + 802.11b/g variant
• 160 Mbps FW / 40 Mbps VPN
SSG 140
• 8 FE and 2 GE interfaces
• 4 WAN PIM slots
• Standard J Series WAN interfaces
• ISDN, Dual E1 and Dual T1
• 350 Mbps FW / 100 Mbps VPN
SSG 550/520
• 4 on-board 10/100/1000 ports
• 6 WAN/LAN I/O expansion slots
• Up to 1 Gbps FW/NAT / 500 Mbps IPSec / 500 Mbps IPS (DI)
[Front-panel images: NetScreen-25; SSG 250]
New Secure Services Gateway Models
Advanced Security – Integrated Branch Routing and WAN interfaces
• FW, VPN, AV (including anti-phishing, anti-spyware) & Anti-Spam
• ADSL2+, T1, E1, ISDN BRI S/T, V.92, Gig E
Deploy Once – Add Services later
Choose WAN connection & deploy device: base system cost + WAN interface
Included at deployment:
• Access Routing & VPN Service
• Firewall Service
Added later for an additional license cost (additional hardware requirements: none):
• IPS Service
• Web Filtering Service (SurfControl)
• AV Service (Kaspersky)
• Spam (Symantec)
Centralized Management
Centralized control over integrated security devices
• Remote management: secure remote management of firewall, VPN, content security, and routing across all devices from one location
• Role-based administration: delegate administrative access to key support people; assign specific tasks to specific individuals
• Centralized activation/deactivation of security features: application attack protection, Web usage control, payload attack protection, spam control
[Diagram labels: Network; Security; Operations]