Juniper Networks

   Portfolio Overview

     Piotr Kędra
     More Than A Decade of Innovation


 [Timeline figure: years 96, 1998, 1999, 2001, 2007; labels T-Series, T-1600, MX, Acorn, #789, 10 Gb IDP, STRM]

 Revenue:   $500M, $1B, $2B, $2.3B, $2.8B
 Employees: 1000, 1500, 2500, 3500, 4800+, 5800+
Juniper’s Portfolio Breadth
 Routing
  • Deliver high levels of security, uptime and performance with simplified
    operations in converged IP and IP/MPLS infrastructures through
    professional-grade routers based on the advanced, modular JUNOS OS.

 Switches
  • The EX switches run under the JUNOS software, which provides Layer 2
    and Layer 3 switching, routing, and security services. The same JUNOS
    code base runs on all Juniper Networks routing platforms.

  • Integrated security devices with stateful firewall and IPSec VPN, including
    models with integrated IDP for the Data Center and integrated Unified Threat
    Management at the branch office.

 Secure Access SSL VPN
  • Eliminate the need for client access software, changes to internal servers,
    and costly ongoing maintenance & desktop support while providing added
    security through endpoint validation agents

 Intrusion Detection and
  • Stand alone or integrated intrusion prevention with comprehensive protection
    against current and emerging threats at both application and network layer. Day
    Zero protection against worms, Trojans, spyware, keyloggers, and other malware

 UAC
  • Enables access control for guests, contractors and employees. Provides
    enforcement using any vendor’s 802.1X-enabled infrastructure, existing Juniper
    firewalls or both

 WAN Acceleration
  • Provide a scalable approach to accelerating application performance,
    increasing WAN capacity, and enabling application prioritization and
    visibility in speeds from 64 Kbps to 155 Mbps

 Management
  • Common management system (NSM, NSMXpress); Log Management and
    SIEM (Security Information and Event Management) system (STRM)
Gartner Magic Quadrants
Juniper, a proven leader in all categories
 [Figure: Gartner Magic Quadrant charts for FW/VPN, SSL VPN, WAN Optimization, IPS, IPSec]
Current Trends
 By 2007, 50% of the companies surveyed will significantly increase
 their WAN access bandwidth – Infonetics
 More employees working away from main offices
  • 91% of employees in companies of all sizes work outside of the main office
    – Nemertes Research
 Security risks continue
  • In 2005, 56% of companies had at least 1 internal attack
        • 65% had at least 1 external attack – CSI/FBI 2005 survey
 Small to medium business FW opportunity in 2006 = $1 Billion (Infonetics)


 [Diagram labels: Internal security, Content protection, No IT staff, Wi-Fi, Bandwidth usage, Direct Internet, Remote mgmt, Internet]
Small to Medium Branch Office /
Business Characteristics
 Smaller in scale, but not necessarily less complex than big businesses
 or HQ sites
  •    Multiple local networks
  •    More complicated security due to environment, support, etc.
  •    Many devices on a per capita basis
  •    No local IT help
 Range of WAN connections: from DS3 to low speed modem
 Require protection for owned and non-owned IT assets
  • Firewall, VPN, IPS and File-based AV scanning, Spyware detection
  • Internal network segmentation for attack mitigation, access control

 [Diagram labels: Users, Local Apps, WLAN, 100+ Mbps, Outbound link => T1, DSL, DS3, www]
Ideal Solution
 Protect the network, stop all manner of attacks with
 a rich set of proven security features
 • Network, application and content level attack protection

 Performance headroom to protect high speed LAN
 • Protect network with processing intensive UTM security apps

 Broad range of LAN and WAN connectivity options
 • Interface cards and supporting protocols / encapsulations

 Easily managed from centralized location
Secure Service Gateway Family
 Secure Services Gateway (SSG) family
 integrates proven security of ScreenOS
 and WAN connectivity to deliver
 secured and assured networking
 • New levels of price/performance and
   I/O flexibility
 • Unified Threat Management features
   complement FW, IPSec VPN
 Ideal small to medium stand alone
 business / branch office offerings
 Can be deployed as a traditional
 Firewall, as a Site-to-Site VPN and
 as a Security Router

 [Product images: SSG 5, SSG 20, SSG 140, SSG 320M, SSG 350M, SSG 520M, SSG 550M]
ScreenOS: Proven Enterprise Class Security
 Integrated Unified Threat Management (UTM) security features
  • IPS (Deep Inspection), Antivirus (includes Anti-Spyware, Anti-Phishing),
    Anti-Spam, Web filtering

 Network security features / Access control
  • Stateful firewall, IPSec VPN, NAT, DoS protection,
    user authentication, Auto-Connect VPN

 Rich networking and virtualization
  • Segmentation (Zones, VLANs) to divide the
    network into secure segments
  • Combines ScreenOS deployment modes,
    dynamic routing and high availability with
    select JUNOS WAN encapsulations

 [Diagram, layers from top to bottom:
   UTM Features / Content Security: Anti-virus/Anti-, Anti-spam, Web filtering, IPS (Deep Inspection)
   Network Security Features: FW, DoS/DDoS, IPSec VPN, User auth.
   Security Zones, Deployment Modes, Dynamic Routing, WAN Encapsulations
   SSG Purpose-Built Hardware Platform: Mgmt/Modem, LAN & WAN I/O]

 Unified Threat Management (UTM) Features
 Stop Common and Emerging Threats

 Inbound Threats
  • IPS: Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Recon, Scans
  • AV: Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware,
    Adware, Keyloggers
  • Symantec stops Spam / Phishing
  • Core Security: Juniper Stateful Firewall, VPN, Access Control

 Outbound Threats
  • IPS: Juniper IDP detects/stops Worms, Trojans
  • Web Filtering: SurfControl to block Spyware / Phishing /
    Unapproved Site Access
  • AV: Kaspersky Lab AV stops Viruses, file-based Trojans or spread of
    Spyware, Adware, Keyloggers
  • Core Security: Juniper Stateful Firewall, VPN, Access Control
UTM Security Backed by
Best-In-Class Partners
 Integrated Kaspersky Antivirus solution blocks thousands of viruses
 PLUS Spyware / Adware / Keyloggers – instant message AV Inspects
 content of Instant Messaging (chat, file transfers, etc…) for worms
 and viruses in similar fashion as rest of network traffic
 Integrated or redirect Web filtering with SurfControl blocks outbound
 access to known Spyware, Phishing, & Virus download sites
  • Integrated via SurfControl or redirect via SurfControl or Websense
 Integrated Anti-Spam from Symantec
  • Brightmail-based database blocks (and/or tags) spam by using robust IP based,
    constantly updated worldwide list of spammers and phishers
 Intrusion Prevention (Deep Inspection) detects several thousand
 attacks such as Worms, Trojans and other malware for up to
 43 protocols
 Delivered by Juniper in the form of annual subscription fees
 Juniper for Support and for Subscription Updates
  • Superior and highly-capable, single, integrated solution with a single Point of
Network Segmentation
Security Zones, VLANs, Virtual Routers
 Security zones, VLANs, Virtual Routers
  • Divide network into logical, secure domains
  • Protect network with Inter-, Intra-zone policies
  • A single stop
      • Single Policy Between Zones, versus Traditional
        Router+FW with multiple "stops" for each traffic flow
 Key benefits
  • Better Security
     • Divide the network into distinct, secure domains
     • Able to assign appropriate levels of security to different user groups
  • Competitive differentiator

 [Diagram labels: Trusted Zone (Full access to all resources); Zone1 “Hoteling” (Web, email, key apps); “Guests” (Web access only); Internet]
Routing and Network Deployment Modes
Simplify Network Integration
 Dynamic routing and deployment modes
  • Support for transparent, static and dynamic route modes
  • Dynamic routing support across entire product line
       • OSPF, BGP, RIPv1/2 available on all products
  • WAN encapsulation support
       • FR, MLFR, PPP, MLPPP and HDLC
  • Automatically learns network configuration
  • Facilitates security deployment without network configuration
  • Simplifies network integration
       • Reduces manual configuration efforts
  • Facilitates WAN connectivity
Bridge Groups
Interface Configuration Flexibility
 Replaces port modes with more flexible means of interface
 Group Ethernet ports and Wireless ports as L2 Switch with one logical
 L3 interface – no policy between ports – apply policy to bgroup
 As policy dictates, Bridge Group interface can act as L2 switch –
 directing traffic to destination

 [Figures: "Bridge Groups as a virtual L2 Switch" and "Bridge Groups as a L3 interface
  assigned to a Server Farm Security Zone"; labels: Src1, bgroup (eth and wireless ports),
  SSG, Traffic, Server Farm Security Zone]
Secure, Centralized Management
Centralized control over SSG population
  Remote Management
   • Secure, centralized management of firewall, VPN,
     content security, and routing across all devices
  Rapid Deployment
   • Reduce provisioning time / streamline large
  Role-based administration
   • Delegate administrative access to key support people
     by assigning specific tasks to specific individuals
  Centralized activation/deactivation of security
   • Application attack protection, Web usage control,
     Payload attack protection, Spam Control
  SSG Family supported by NSM* now
   • Schema update may be required

  *Some functions (WAN Config) may be CLI only

  [Diagram labels: Network, Security, Operations]
Secure Service Gateway Family
 SSG 5 - Six fixed form factor models
  • 160 Mbps FW / 40 Mbps VPN
 SSG 20 – 2 modular models
  • 160 Mbps FW / 40 Mbps VPN
 SSG 140
  • 350+ Mbps FW / 100 Mbps VPN
 SSG 320M
  • 450+ Mbps FW / 175 Mbps VPN
 SSG 350M
  • 550+ Mbps FW / 225 Mbps VPN
 SSG 520M
  • 650+ Mbps FW / 300 Mbps VPN
 SSG 550M
  • 1+ Gbps FW / 500 Mbps VPN
SSG 5 Overview
 Performance and physical characteristics
  • 160 Mbps FW (large packets) /
    90 Mbps FW (IMIX) /
    40 Mbps VPN
     • Integrated Fan w/Temp Sensor
       (wireless only)
 Reliability and extensibility
  • External AC power supply
  • Full Active/Passive and
    Active/Active (w/ extended
  • User upgradeable memory
 Flexible connectivity
  • Fixed form factor w/ 7 Fast
    Ethernet + 1 WAN interface
     • Factory configured WAN options
       include ISDN BRI S/T or V.92 or
       RS-232 Serial/Aux
     • Optional factory configured
       Dual radio 802.11a + 802.11 b/g
     • Six models to choose from
SSG 20 Overview
 Performance and physical characteristics
  • 160 Mbps FW (large packets) /
    90 Mbps FW (IMIX) /
    40 Mbps VPN
     • Integrated Fan w/Temp Sensor
       (wireless only)
 Reliability and extensibility
  • External AC power supply
  • Full Active/Passive and
    Active/Active (w/ extended
  • User upgradeable memory
 Flexible connectivity
  • 5 Fast Ethernet + 2 Mini I/O slots
     • Mini PIM options include
       ADSL2+, T1, E1, ISDN BRI S/T,
       SFP, serial, and V.92
     • Optional factory configured
       Dual radio 802.11a + 802.11 b/g
     • Two models to choose from
SSG 140 Overview
 350+ Mbps FW (large packets)
 / 300 Mbps FW (IMIX) / 100
 Mbps VPN
 Brings high performance
 UTM Security features to
 the mid-market
 Full Active/Passive and
 Active/Active HA
 Fixed 10/100 and 10/100/1000
 interfaces
 (4) interface expansion slots
  • Existing dual Port T1
  • Existing dual Port E1
  • Existing Dual Port Serial

 [Figures: Front View, Back View]
SSG 140 Interface Support
1. Console and RS-232/Aux interfaces
2. (8) 10/100 interfaces
3. (2) 10/100/1000 interfaces
4. (4) interface expansion slots: 2xT1, 2xE1, 2xSerial, 1xISDN
   BRI S/T, ADSL2+, and G.SHDSL
5. Status LEDs for rear installed I/O cards – visible from front

 [Figures: Front View and Back View with numbered callouts]
SSG 320M and SSG 350M Overview

 1RU High, Full Rack Width, 15” Depth
 Three modular PIM slots
 4-port 10/100/1000 Ethernet ports
 Optional Encryption Card
 USB, compact flash, Console, AUX
 400 Mbps firewall (IMIX),
 175 Mbps VPN performance

 1.5 RU High, Full Rack Width, 15” Depth
 Five modular PIM slots
 DC Power supply option
 NEBS compliant
 500 Mbps firewall (IMIX),
 225 Mbps VPN performance
SSG 500 Series Overview
 Juniper Networks SSG 550 / SSG 550M
 • 1 Gbps + FW (large packets) /
   1 Gbps FW (IMIX) / 500 Mbps VPN
 • 600K pps
 • 6 I/O Slots – 4 are enhanced PIM
   slots, ideal for additional LAN ports
 • Dual power supplies, DC optional,
   NEBS optional
 • 128K sessions, 1,000 VPN tunnels

 Juniper Networks SSG 520 / SSG 520M
 • 650+ Mbps FW (large packets) /
   600 Mbps FW (IMIX) / 300 Mbps VPN
 • 300K pps
 • 6 I/O slots - 2 are enhanced PIM slots,
   ideal for additional LAN ports
 • Single power supply, AC or DC
 • 64K sessions, 500 VPN tunnels

 Common Hardware Features
 • 2U form factor with 4 fixed 10/100/1000 Ports
 • 2 serial RJ45 ports for console access and OOB Management
 • 2 USB ports
uPIMs – Universal Physical Interface
Modules Supported in ScreenOS 6.0

8 Port 10/100/1000 Copper uPIM
  • Supports Auto negotiation
  • Supports tri-rate (10/100/1000 Mbps)
    with Half/Full-Duplex modes

16 Port 10/100/1000 Copper uPIM
  • Supports Auto negotiation
  • Supports tri-rate (10/100/1000 Mbps)
    with Half/Full-Duplex modes

6 Port 1000 Optical uPIM
  • Supports both SX, LX, T SFP LC transceiver
  • Supports 1000 Full-Duplex mode

    uPIMs work in any slot (PCI/PIM and PCI-E/EPIM)
SSG Family Interface Module Summary
PIM/EPIM/Mini-PIM           SSG 20   SSG 140   SSG 320M / SSG 350M   SSG 520M / SSG 550M
1 x T1 Mini-PIM                         --              --                    --
1 x E1 Mini-PIM                         --              --                    --
1 x ADSL 2+ Mini-PIM                    --              --                    --
1 x ISDN BRI S/T Mini-PIM               --              --                    --
1 x V.92 Mini-PIM                       --              --                    --
1x SFP Mini-PIM
1x Serial Mini-PIM
1 x ISDN BRI S/T PIM          --                        --                    --
8 x Gbe copper uPIM           --
16 x Gbe copper uPIM          --
6 X Gbe SFP uPIM              --
2 x T1 PIM                    --
2 x E1 PIM                    --
2 x Serial PIM                --
1 x ADSL/ADSL2/ADSL2+ PIM     --
1 x G.SHDSL                   --
1 x E3 PIM                    --        --              --
1 x DS3 PIM                   --        --              --
4 x FE EPIM                   --        --              --
1 x Gbe EPIM                  --        --              --
1 x SFP EPIM                  --        --              --
 SSG Family Summary
                           SSG 550M   SSG 520M    SSG 350M    SSG 320M    SSG 140     SSG 20      SSG 5

FW Mbps (Large Packets)    1+ Gbps    650+ Mbps   550+ Mbps   450+ Mbps   350+ Mbps   160 Mbps     160
FW Mbps (IMIX)              1 Gbps    600 Mbps    500 Mbps    400 Mbps    300 Mbps    90 Mbps    90 Mbps

FW PPS (64 Byte)             600k       300k        225k        175k        100k        30k        30k

VPN (1400 Byte)            500 Mbps   300 Mbps    225 Mbps    175 Mbps    100 Mbps    40 Mbps    40 Mbps

IPS (Deep Inspection FW)     Yes        Yes         Yes         Yes         Yes         Yes        Yes

Antivirus                    Yes        Yes         Yes         Yes         Yes         Yes        Yes

Anti-spam                    Yes        Yes         Yes         Yes         Yes         Yes        Yes

Web Filtering                Yes        Yes         Yes         Yes         Yes         Yes        Yes

Modular I/O                  Yes        Yes         Yes         Yes         Yes         Yes        No

Routing (RIP/OSPF/BGP)       Yes        Yes         Yes         Yes         Yes         Yes        Yes

WAN Encapsulations           Yes        Yes         Yes         Yes         Yes         Yes        Yes

A/A, A/P HA                  Yes        Yes         Yes         Yes         Yes       Optional   Optional

Convertible to JUNOS         Yes        Yes         Yes         Yes          No         No         No
SSG & J-Series Portfolio

 [Figure: SSG and J-Series platforms by market segment.
  Legend: common hardware platforms, JUNOS & ScreenOS.
  Segments: Micro Branch, Small Office, Managed Service; Small Branch, SME;
  Branch/Regional, Medium Enterprise; Medium Ent to Large HQ.
  Additional M-series, T-series not shown.]
SSG Family Summary
 Security: Proven ScreenOS + Best-in-class UTM Security
 features without add-on hardware
 • Stateful FW, IPSec VPN, IPS, AV, (including Anti-Phishing,
   Anti-Spyware), Anti-Spam, Web filtering
 • Network segmentation via security zones and VLANs
 Performance: Purpose built platforms that deliver
 unmatched price/performance to branch office market
 WAN Connectivity: Widest range of FW platforms with
 WAN interfaces and protocols
 • Security platforms with LAN and WAN routing capabilities
    • Dynamic routing, virtual routers, VPN, high availability, VLANs
    • New WAN interfaces and encapsulations taken from J-Series & JUNOS
 Centralized management with NSM
ISG Overview
               Purpose-built HW and SW
               • Built from the ground up
               • ASIC-based platforms
               • Security-hardened Proprietary ScreenOS
                 Operating System
               Network layer security and features
               •   Network attack protection
               •   Virtualization
               •   High-performance IPSec VPN
               •   Network features including dynamic routing and
               Application layer security (Optional)
               • Multi-detection methods for mitigating attacks
               • Daily signature updates
               • Zero-day coverage
ISG 1000 and ISG 2000

                                           ISG 1000            ISG 2000
Max Throughput: Firewall                      2 Gbps             4 Gbps

Max Throughput: IPSec VPN (3DES/AES)          1 Gbps             2 Gbps

Packets per Second: FW                       1.5 Million         3 Million

Packets per Second: VPN                      1.5 Million        1.5 Million

Max Sessions                                  500,000            1 Million

VPN Tunnels                                    2,000              10,000

Max Throughput: IDP                        Up to 1 Gbps        Up to 2 Gbps

Supported Security Modules (IDP)              Up to 2            Up to 3

Fixed I/O Interfaces                   Four 10/100/1000 Mbps        0

Max Interfaces                               Up to 20            Up to 28

Number of I/O Modules                            2                  4
  Juniper Networks ISG 2000 & ISG1000 with
  Integrated IDP

ISG 2000 – 3 Security Blades

ISG 1000 – 2 Security Blades
NetScreen Security Manager
3-Tier Management
 [Diagram labels: Common User, NSM Server, ISG with IDP, IDP Appliances]
Security Management Requirements
 Must manage the entire device lifecycle
 Needs to accommodate different tasks, management levels
 Different people within organization need access
  • Network Admin, Ops, Security Admin, Upper Management, Audit

 Device Lifecycle (Deploy, Configure, Monitor, Upgrade) by Management Level

 Security
  • Deploy: Define security of entire network
  • Configure: Push device-specific policy out
  • Monitor: Attack Logs, Reports, Security Explorer
  • Upgrade: Signature adjustment
 Network
  • Deploy: VPN modeling, Routing
  • Configure: VPN config, Route tables, VLAN
  • Monitor: VPN failure, HA
  • Upgrade: VPN
 Device
  • Deploy: Remote installation, Initial config
  • Configure: Interfaces, Licenses, OS version
  • Monitor: HW monitoring (interfaces up/down, power failure)
  • Upgrade: OS upgrade, Device config changes

Complete Investigative Toolkit
 integrated tools offer wide variety of information
 See all firewall and IDP data in one place
 Jump to policy for Closed Loop

 [Screenshots: Log Viewer, Security Explorer, Log Investigator]
 [Diagram labels: The Lifecycle; Configure; Upgrade]
