Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1 Secure Services Gateway (SSG)Family Overview SSG 5, SSG 20, SSG 140


Secure Services Gateway (SSG) Family

Overview

SSG 5, SSG 20, SSG 140


Agenda

• Key Security and Routing Features

• SSG Family Specifications

• Deployment Examples


Current Trends

By 2007, 50% of the companies surveyed will significantly increase their WAN access bandwidth – Infonetics

More employees working away from main offices

• 91% of employees in companies of all sizes work outside of main office – Nemertes Research

Security risks continue

• In 2005, 56% of companies had at least 1 internal attack

• 65% had at least 1 external attack – CSI/FBI 2005 survey

Small to medium business FW opportunity in 2006 = $1 Billion (Infonetics)

[Diagram labels: Internal security, Content protection, No IT staff, Wi-Fi, DMZ, Bandwidth usage, Direct Internet, Remote mgmt]


Small to Medium Branch Office / Business Characteristics

Smaller in scale, but not necessarily less complex than big businesses or HQ sites

• Multiple local networks

• More complicated security due to environment, support, etc

• Many devices on a per capita basis

• No local IT help

Range of WAN connections: from DS3 to low speed modem

Require protection for owned and non-owned IT assets

• Firewall, VPN, IPS and File-based AV scanning, Spyware detection

• Internal network segmentation for attack mitigation, access control

[Diagram labels: Outbound link => T1, DSL, DS3; Local Apps; Users; WLAN; IPSec; www; 100+ Mbps]


Secure Service Gateway Family

Secure Services Gateway (SSG) family integrates proven security of ScreenOS and WAN connectivity to deliver secured and assured networking

• New levels of price/performance and I/O flexibility

• Unified Threat Management features complement FW, IPSec VPN

Ideal small to medium stand alone business / branch office offerings

Can be deployed as a traditional Firewall, as a Site to Site VPN and as a Security Router

[Product images: SSG 5, SSG 20, SSG 140, SSG 520/SSG 520M, SSG 550/SSG 550M]


ScreenOS: Proven Enterprise Class Security

Rich networking and virtualization capabilities

• Segmentation (Zones, VLANs) to divide the network into secure segments

• Combines ScreenOS deployment modes, dynamic routing and high availability with select JUNOS WAN encapsulations

Network security features / Access control

• Stateful firewall, IPSec VPN, NAT, DoS protection, user authentication

Integrated Unified Threat Management (UTM) security features

• IPS (Deep Inspection), Antivirus (includes Anti-Spyware, Anti-Phishing), Anti-Spam, Web filtering

[Diagram: ScreenOS on the SSG Purpose-Built Hardware Platform (LAN & WAN I/O, Mgmt/Modem). Networking: Security Zones, LAN Routing, Deployment Modes, WAN Encapsulations. Network Security Features: FW, IPSec VPN, DoS/DDoS, User auth. UTM Features / Content Security: Antivirus/Anti-Spyware, Web filtering, Anti-Spam, IPS (Deep Inspection).]


Unified Threat Management Features Stop Common and Emerging Threats

[Diagram: Inbound Threats and Outbound Threats stopped at each protection layer]

• Web Filtering: SurfControl to block Spyware Site Access / Phishing Site Access

• AV: Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware, Adware, Keyloggers

• Anti Spam: Symantec stops Spam / Phishing

• IPS/DI: Worms, Trojans, DoS (L4 & L7), Recon, Scans

• Stateful Firewall


UTM Security Backed by Best-In-Class Partners

Integrated Kaspersky Antivirus solution blocks thousands of viruses PLUS Spyware / Adware / Keyloggers

Integrated or redirect Web filtering with SurfControl blocks outbound access to known Spyware, Phishing, & Virus download sites

• Integrated via SurfControl or redirect via SurfControl or Websense

Integrated Anti-Spam from Symantec

• Brightmail-based database blocks (and/or tags) spam by using robust IP based, constantly updated worldwide list of spammers and phishers

Intrusion Prevention (Deep Inspection) detects several thousand attacks such as Worms, Trojans and other malware for up to 43 protocols

Delivered in the form of an annual subscription fee


Network Segmentation: Security Zones, VLANs, Virtual Routers

Security zones, VLANs, Virtual Routers

• Divide network into logical, secure domains

• Protect network with Inter-, Intra- zone policies

Key benefits:

• Better Security

• Divide the network into distinct, secure domains

• Able to assign appropriate levels of security to different user groups

• Competitive differentiator

[Diagram: example zones. DMZ; Trusted Zone: Full access to all resources; Zone1 “Hoteling” employees: Web, email, key apps; Zone2 “Guests”: Web access only]


Routing and Network Deployment Modes: Simplify Network Integration

Dynamic routing and deployment modes

• Support for transparent, static and dynamic route modes

• Dynamic routing support across entire product line

• OSPF, BGP, RIPv1/2 available on all products

• WAN encapsulation support

• FR, MLFR, PPP, MLPPP and HDLC

Benefit:

• Automatically learns network configuration

• Facilitates security deployment without network configuration changes

• Simplifies network integration

• Reduces manual configuration efforts

• Facilitates WAN connectivity

• Increases network resiliency – especially for VPNs


Bridge Groups: Interface Configuration Flexibility

Replaces Port Modes (SSG 5 / SSG 20 only) with more flexible means of interface configuration

Group Ethernet ports and Wireless ports as L2 Switch with one logical L3 interface – no policy between ports - apply policy to bgroup

As policy dictates, Bridge Group interface can act as L2 switch – directing traffic to destination

[Diagram: Bridge Groups as a virtual L2 Switch. Labels: SSG 5 or SSG 20, eth, wireless, bgroup, Src1, Dst1]

[Diagram: Bridge Groups as a L3 interface assigned to a Server Farm Security Zone. Labels: SSG 5 or SSG 20, eth, wireless, bgroup, Traffic]


Secure, Centralized Management

Centralized control over SSG population

• Remote Management

• Secure, centralized management of firewall, VPN, content security, and routing across all devices

• Rapid Deployment

• Reduce provisioning time / streamline large deployments

• Role-based administration

• Delegate administrative access to key support people by assigning specific tasks to specific individuals

• Centralized activation/deactivation of security features

• Application attack protection, Web usage control, Payload attack protection, Spam Control

• SSG Family supported by NSM* now

• Schema update may be required

* Some functions (WAN Config) may be CLI only

[Diagram labels: Network, Security, Operations]


Secure Service Gateway Family

SSG 5 - Six fixed form factor models

• 160 Mbps FW / 40 Mbps VPN

SSG 20 – 2 modular models

• 160 Mbps FW / 40 Mbps VPN

SSG 140

• 350+ Mbps FW / 100 Mbps VPN

• 8 FE + 2 GE Interfaces + 4 WAN PIM slots

SSG 520/SSG 520M

• 650+ Mbps FW / 300 Mbps VPN

SSG 550/SSG 550M

• 1+ Gbps FW / 500 Mbps VPN

[Product images: SSG 5, SSG 20, SSG 140, SSG 520/SSG 520M, SSG 550/SSG 550M]


SSG 5 Overview

Performance and physical characteristics

160 Mbps FW (large packets)/ 90 Mbps FW (IMIX) / 40 Mbps VPN

• Integrated Fan w/ Temp Sensor (wireless only)

Reliability and extensibility

External AC power supply

Full Active/Passive (w/ Extended license)

User upgradeable memory

Flexible connectivity

Fixed form factor w/ 7 Fast Ethernet + 1 WAN interface

• Factory configured WAN options include ISDN BRI S/T or V.92 or RS-232 Serial/Aux

• Optional factory configured Dual radio 802.11a + 802.11 b/g

• Six models to choose from


SSG 20 Overview

Performance and physical characteristics

160 Mbps FW (large packets)/ 90 Mbps FW (IMIX) / 40 Mbps VPN

• Integrated Fan w/ Temp Sensor (wireless only)

Reliability and extensibility

External AC power supply

Full Active/Passive (w/ Extended license)

User upgradeable memory

Flexible connectivity

5 Fast Ethernet + 2 Mini I/O slots

• Mini PIM options include ADSL2+, T1, E1, ISDN BRI S/T, V.92 at FCS

• Optional factory configured Dual radio 802.11a + 802.11 b/g

• Two models to choose from


SSG 20 I/O Extensibility

Mini-PIMS are small form factor

• Size of a deck of cards

• Not compatible with any other SSG or J series

[Images: Mini-PIM faceplates for ADSL 2+, V.92, E1, T1 and ISDN BRI S/T, with status LEDs (TX/RX, SYNC, CD, LOOP BACK, ALARM, Channel B1, Channel B2)]

(2) I/O expansion slots


SSG 140 Overview

350+ Mbps FW (large packets)/ 300 Mbps FW (IMIX) / 100 Mbps VPN

Brings high performance UTM Security features to the mid-market

Full Active/Passive HA

Fixed 10/100 and 10/100/1000 interfaces

(4) interface expansion slots

• Existing dual Port T1

• Existing dual Port E1

• Existing Dual Port Serial

New Interfaces at FCS

• Single Port ISDN

[Images: SSG 140 Front View and Back View]


SSG 140 Interface Support

1. Console and RS-232/Aux interfaces

2. (8) 10/100 interfaces

3. (2) 10/100/1000 interfaces

4. (4) interface expansion slots: 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T

5. Status LEDs for rear installed I/O cards – visible from front

[Images: Front View and Back View, with numbered callouts 1 to 5]


SSG Family Summary

| Feature | SSG 5 | SSG 20 | SSG 140 |
|---|---|---|---|
| FW Mbps (Large Packets) | 160 Mbps | 160 Mbps | 350+ Mbps |
| FW Mbps (IMIX) | 90 Mbps | 90 Mbps | 300 Mbps |
| FW PPS (64 Byte) | 30k | 30k | 100k |
| VPN (1400 Byte) | 40 Mbps | 40 Mbps | 100 Mbps |
| IPS (Deep Inspection FW) | Yes | Yes | Yes |
| Antivirus | Yes | Yes | Yes |
| Anti-spam | Yes | Yes | Yes |
| Web Filtering | Yes | Yes | Yes |
| Modular I/O | No | Yes | Yes |
| Routing (RIP/OSPF/BGP) | Yes | Yes | Yes |
| WAN Encapsulations | Yes | Yes | Yes |
| HA | Optional | Optional | Yes |


SSG Family Positioning

[Chart: Availability plotted against Capacity, Performance and Features, with Performance Recommendations of 10M+ UTM, 25M+ UTM, 100M+ UTM and 200M+ UTM]

Availability labels:

• Full Mesh / Active-Active, Redundant Power

• Active-Passive

• Optional Active-Passive (w Ext Lic)

Chart labels:

• >2x FW Perf & Sessions; >2x VPN Perf & Tunnels; >2x Zones & VLANs; Stateful HA (AP); GigE interfaces

• ~2x FW Perf & Sessions; ~1.5x VPN Perf & Tunnels; AA Full Mesh HA; Redundant Power

• Modular I/O; 2 x Mini-PIM’s

• ~2x FW Perf & Sessions; >3x VPN Perf & Tunnels; Modular LAN (GigE)


SSG Family Interface Module Summary

PIM/EPIM/Mini-PIM SSG 20 SSG 140 SSG 550 SSG 550M SSG 550 SSG 550M

1 x T1 Mini-PIM -- -- --

1 x E1 Mini-PIM -- -- --

1 x ADSL 2+ Mini-PIM -- -- --

1 x V.92 Mini-PIM -- -- --

1 x ISDN BRI S/T Mini-PIM -- -- --

2 x T1 PIM* --

2 x E1 PIM* --

2 x Serial PIM* --

1 x ISDN BRI S/T PIM -- -- --

1 x DS3 PIM* -- --

4 x FE EPIM -- --

1 x Gbe EPIM -- --

1 x SFP EPIM -- --

* I/O card also compatible with J Series routers


SSG Product Family Fit

Small Branch, Small Business, Telecommuters

Regional Office, Medium Enterprise

Performance

Improved performance & processing

Wider range of platforms with UTM

Modular (Expandable) Memory

Improved connectivity


SSG Family Summary

Security: Proven ScreenOS + Best-in-class UTM Security features without add-on hardware

• Stateful FW, IPSec VPN, IPS, AV (incl. Anti-Phishing, Anti-Spyware), Anti-Spam, Web filtering

• Network segmentation via security zones and VLANs

Performance: Purpose built platforms that deliver unmatched price/performance to branch office market

WAN Connectivity: Widest range of FW platforms with WAN interfaces and protocols

• Security platforms with LAN and WAN routing capabilities

• Dynamic routing, virtual routers, VPN, high availability, VLANs

• New WAN interfaces and encapsulations taken from J-Series and JUNOS

Centralized management with NSM


Secure Services Gateway Deployment Options

As a security device

1. Firewall protecting the network using ScreenOS stateful FW

2. Site-to-site IPsec VPN using ScreenOS VPN dynamic, route based VPN

3. Multifunction security platform using FW plus best-in-class UTM security features, proven in NetScreen-5GT

• Antivirus, Web filtering, Anti-Spam, IPS

As a security router

Security features = FW, IPSec VPN, UTM features

Branch office routing: Broad range of LAN + WAN connectivity

• 10/100, 10/100/1000, SFP supported by OSPF, BGP, RIPv1/2

• DS3, T1, E1, ADSL 2+, ISDN, V.92 supported by PPP, MLPPP, FR, MLFR, HDLC

[Diagram labels: HQ, WWW]


Small Business Deployment Example: SSG 5

SSG 5

• Fixed format appliance: 7x10/100 – connected to DSL modem

• Factory configured back up I/O options: V.92 or ISDN or Serial

• Factory configured Wireless option: 802.11 a/b/g

[Diagram labels: Small Business; Wireless Zone; Server Zone; Internet; ISP; Primary Link = External DSL modem; Back up options = ISDN S/T or V.92 or Modem connected to Serial interface]


Small/Medium Office Deployment Example: SSG 20

SSG 20

• Modular appliance: 5x10/100 + 2 I/O slots

• ADSL 2+, T1, E1, V.92, ISDN BRI/S/T

• Factory configured Wireless option: 802.11 a/b/g

[Diagram labels: Small Business; Wireless Zone; Server Zone; Internet; ISP; Primary Link = ADSL or T1 I/O module; Backup = ISDN S/T or V.92 I/O module or externally connected modem]


Thank you