Juniper


Juniper Networks: Offering Overview
Piotr Kdra

More Than A Decade of Innovation

[Figure: timeline from incorporation in 1996 through 2008 marking product introductions (M-Series, T-Series, T-1600, MX, EX-series, UAC, 10 Gb IDP, SSG, STRM) against revenue ($500M, $1B, $2B, $2.3B, $2.8B) and employees (1000, 1500, 2500, 3500, 4800+, 5800+).]

Juniper's Portfolio Breadth

Routing: Deliver high levels of security, uptime and performance with simplified operations in converged IP and IP/MPLS infrastructures through professional-grade routers based on the advanced, modular JUNOS OS.
Switches: The EX switches run under the JUNOS software, which provides Layer 2 and Layer 3 switching, routing, and security services. The same JUNOS code base runs on all Juniper Networks routing platforms.
Integrated Firewall/VPN: Integrated security devices with stateful firewall and IPSec VPN, including models with integrated IDP for the data center and integrated Unified Threat Management at the branch office.
Secure Access SSL VPN: Eliminate the need for client access software, changes to internal servers, and costly ongoing maintenance and desktop support while providing added security through endpoint validation agents.
Intrusion Detection and Prevention: Stand-alone or integrated intrusion prevention with comprehensive protection against current and emerging threats at both application and network layer. Day Zero protection against worms, Trojans, spyware, keyloggers, and other malware.
UAC: Enables access control for guests, contractors and employees. Provides enforcement using any vendor's 802.1X-enabled infrastructure, existing Juniper firewalls or both.
WAN Acceleration: Provide a scalable approach to accelerating application performance, increasing WAN capacity, and enabling application prioritization and visibility in speeds from 64 Kbps to 155 Mbps.
Management: Common management system (NSM, NSMXpress); Log Management and SIEM (Security Information and Event Management) system (STRM).

Gartner Magic Quadrants

Juniper, a proven leader in all categories

[Figure: Gartner Magic Quadrant charts for FW/VPN, SSL VPN, WAN Optimization, IPS, IPSec]

Current Trends

By 2007, 50% of the companies surveyed will significantly increase their WAN access bandwidth (Infonetics)
More employees working away from main offices: 91% of employees, in companies of all sizes, work outside of the main office (Nemertes Research)
Security risks continue: in 2005, 56% of companies had at least 1 internal attack and 65% had at least 1 external attack (CSI/FBI 2005 survey)

Small to medium business FW opportunity in 2006 = $1 Billion (Infonetics)

[Diagram labels: DMZ, Internal security, Content protection, No IT staff, Bandwidth usage, Direct Internet, Remote mgmt, Wi-Fi, Internet]

Small to Medium Branch Office / Business Characteristics

Smaller in scale, but not necessarily less complex than big businesses or HQ sites
Multiple local networks
More complicated security due to environment, support, etc.
Many devices on a per capita basis
No local IT help
Range of WAN connections: from DS3 to low speed modem
Require protection for owned and non-owned IT assets
Firewall, VPN, IPS and file-based AV scanning, spyware detection
Internal network segmentation for attack mitigation, access control

[Diagram labels: 100+ Mbps; Outbound link => T1, DSL, DS3; IPSec; Local Apps; Internet; Users; WLAN; www]

Ideal Solution

Protect the network, stop all manner of attacks with a rich set of proven security features: network, application and content level attack protection
Performance headroom to protect high speed LAN: protect network with processing-intensive UTM security apps
Broad range of LAN and WAN connectivity options: interface cards and supporting protocols / encapsulations
Easily managed from centralized location

Secure Service Gateway Family

Secure Services Gateway (SSG) family integrates proven security of ScreenOS and WAN connectivity to deliver secured and assured networking
New levels of price/performance and I/O flexibility
Unified Threat Management features complement FW, IPSec VPN
Ideal small to medium stand-alone business / branch office offerings
Can be deployed as a traditional Firewall, as a Site-to-Site VPN and as a Security Router

[Figure: SSG 5, SSG 20, SSG 140, SSG 320M, SSG 350M, SSG 520M, SSG 550M]

ScreenOS: Proven Enterprise Class Security

UTM Features / Content Security (Anti-virus/Anti-spyware, Web filtering, Anti-spam, IPS (Deep Inspection))
Integrated Unified Threat Management (UTM) security features: IPS (Deep Inspection), Antivirus (includes Anti-Spyware, Anti-Phishing), Anti-Spam, Web filtering

Network Security Features (FW, IPSec VPN, DoS/DDoS, User auth.)
Network security features / Access control: Stateful firewall, IPSec VPN, NAT, DoS protection, user authentication, Auto-Connect VPN

Networking (Security Zones, Dynamic Routing, Deployment Modes, WAN Encapsulations)
Rich networking and virtualization capabilities: segmentation (Zones, VLANs) to divide the network into secure segments; combines ScreenOS deployment modes, dynamic routing and high availability with select JUNOS WAN encapsulations

SSG Purpose-Built Hardware Platform (Mgmt/Modem, LAN & WAN I/O)

[Diagram label: ScreenOS]

Unified Threat Management (UTM) Features: Stop Common and Emerging Threats

Inbound Threats
IPS: Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Recon, Scans
AV: Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware, Adware, Keyloggers
Anti Spam: Symantec stops Spam / Phishing
Core Security: Juniper Stateful Firewall, VPN, Access Control

Outbound Threats
IPS: Juniper IDP detects/stops Worms, Trojans
Web Filtering: SurfControl to block Spyware / Phishing / Unapproved Site Access
AV: Kaspersky Lab AV stops Viruses, file-based Trojans or spread of Spyware, Adware, Keyloggers
Core Security: Juniper Stateful Firewall, VPN, Access Control

UTM Security Backed by Best-In-Class Partners

Integrated Kaspersky Antivirus solution blocks thousands of viruses PLUS Spyware / Adware / Keyloggers
Instant message AV: inspects content of Instant Messaging (chat, file transfers, etc.) for worms and viruses in similar fashion as rest of network traffic
Integrated or redirect Web filtering with SurfControl blocks outbound access to known Spyware, Phishing, & Virus download sites: integrated via SurfControl or redirect via SurfControl or Websense
Integrated Anti-Spam from Symantec: Brightmail-based database blocks (and/or tags) spam by using robust IP based, constantly updated worldwide list of spammers and phishers
Intrusion Prevention (Deep Inspection) detects several thousand attacks such as Worms, Trojans and other malware for up to 43 protocols
Delivered by Juniper in the form of annual subscription fees
Juniper for Support and for Subscription Updates
Superior and highly-capable, single, integrated solution with a single Point of Contact

Network Segmentation

Security zones, VLANs, Virtual Routers
Divide network into logical, secure domains
Protect network with inter- and intra-zone policies
A single stop: single policy between zones, versus traditional Router+FW with multiple "stops" for each traffic flow

Security Zones, VLANs, Virtual Routers

Key benefits: better security
Divide the network into distinct, secure domains
Able to assign appropriate levels of security to different user groups
Competitive differentiator

[Diagram: Internet; Trusted Zone (full access to all resources); DMZ; Zone1, hoteling employees (Web, email, key apps); Zone2, guests (Web access only)]

Routing and Network Deployment Modes: Simplify Network Integration

Dynamic routing and deployment modes
Support for transparent, static and dynamic route modes
Dynamic routing support across entire product line
OSPF, BGP, RIPv1/2 available on all products
Benefit: automatically learns network configuration; facilitates security deployment without network configuration changes; simplifies network integration; reduces manual configuration efforts

WAN encapsulation support
FR, MLFR, PPP, MLPPP and HDLC
Benefit: facilitates WAN connectivity

Bridge Groups: Interface Configuration Flexibility

Replaces port modes with more flexible means of interface configuration
Group Ethernet ports and Wireless ports as L2 Switch with one logical L3 interface
No policy between ports; apply policy to bgroup
As policy dictates, Bridge Group interface can act as L2 switch directing traffic to destination

[Diagram: Bridge Groups as a virtual L2 Switch (traffic from Src1 to Dst1 across SSG bgroups of eth and wireless ports)]
[Diagram: Bridge Groups as a L3 interface assigned to a Server Farm Security Zone]

Secure, Centralized Management

Centralized control over SSG population
Remote Management: secure, centralized management of firewall, VPN, content security, and routing across all devices
Rapid Deployment: reduce provisioning time / streamline large deployments
Role-based administration: delegate administrative access to key support people by assigning specific tasks to specific individuals
Centralized activation/deactivation of security features: Application attack protection, Web usage control, Payload attack protection, Spam Control
SSG Family supported by NSM* now; schema update may be required

*Some functions (WAN Config) may be CLI only

[Diagram label: Network Security Operations]

Secure Service Gateway Family

SSG 5: six fixed form factor models, 160 Mbps FW / 40 Mbps VPN
SSG 20: 2 modular models, 160 Mbps FW / 40 Mbps VPN
SSG 140: 350+ Mbps FW / 100 Mbps VPN
SSG 320M: 450+ Mbps FW / 175 Mbps VPN
SSG 350M: 550+ Mbps FW / 225 Mbps VPN
SSG 520M: 650+ Mbps FW / 300 Mbps VPN
SSG 550M: 1+ Gbps FW / 500 Mbps VPN

SSG 5 Overview

Performance and physical characteristics
160 Mbps FW (large packets) / 90 Mbps FW (IMIX) / 40 Mbps VPN
Integrated Fan w/Temp Sensor (wireless only)

Flexible connectivity
Fixed form factor w/ 7 Fast Ethernet + 1 WAN interface
Factory configured WAN options include ISDN BRI S/T or V.92 or RS-232 Serial/Aux
Optional factory configured Dual radio 802.11a + 802.11 b/g
Six models to choose from

Reliability and extensibility
External AC power supply
Full Active/Passive and Active/Active (w/ extended license)
User upgradeable memory

SSG 20 Overview

Performance and physical characteristics
160 Mbps FW (large packets) / 90 Mbps FW (IMIX) / 40 Mbps VPN
Integrated Fan w/Temp Sensor (wireless only)

Flexible connectivity
5 Fast Ethernet + 2 Mini I/O slots
Mini PIM options include ADSL2+, T1, E1, ISDN BRI S/T, SFP, serial, and V.92
Optional factory configured Dual radio 802.11a + 802.11 b/g
Two models to choose from

Reliability and extensibility
External AC power supply
Full Active/Passive and Active/Active (w/ extended license)
User upgradeable memory

SSG 140 Overview

350+ Mbps FW (large packets) / 300 Mbps FW (IMIX) / 100 Mbps VPN
Brings high performance UTM Security features to the mid-market
Full Active/Passive and Active/Active HA
Fixed 10/100 and 10/100/1000 interfaces
(4) interface expansion slots: existing dual Port T1, existing dual Port E1, existing Dual Port Serial

[Figure: Front View, Back View]

SSG 140 Interface Support

1. Console and RS-232/Aux interfaces
2. (8) 10/100 interfaces
3. (2) 10/100/1000 interfaces
4. (4) interface expansion slots: 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T, ADSL2+, and G.SHDSL
5. Status LEDs for rear installed I/O cards visible from front

[Figure: Front View and Back View with callouts 1 to 5]

SSG 320M and SSG 350M Overview

1RU High, Full Rack Width, 15 Depth
Three modular PIM slots
4-port 10/100/1000 Ethernet ports
Optional Encryption Card
USB, compact flash, Console, AUX
400 Mbps firewall (IMIX), 175 Mbps VPN performance

1.5 RU High, Full Rack Width, 15 Depth
Five modular PIM slots
DC Power supply option
NEBS compliant
500 Mbps firewall (IMIX), 225 Mbps VPN performance

SSG 500 Series Overview

Juniper Networks SSG 550 / SSG 550M
1 Gbps + FW (large packets) / 1 Gbps FW (IMIX) / 500 Mbps VPN
600K pps
6 I/O slots: 4 are enhanced PIM slots, ideal for additional LAN ports
Dual power supplies, DC optional, NEBS optional
128K sessions, 1,000 VPN tunnels

Juniper Networks SSG 520 / SSG 520M
650+ Mbps FW (large packets) / 600 Mbps FW (IMIX) / 300 Mbps VPN
300K pps
6 I/O slots: 2 are enhanced PIM slots, ideal for additional LAN ports
Single power supply, AC or DC
64K sessions, 500 VPN tunnels

Common Hardware Features
2U form factor with 4 fixed 10/100/1000 ports
2 serial RJ45 ports for console access and OOB management
2 USB ports

uPIMs: Universal Physical Interface Modules

Supported in ScreenOS 6.0
8 Port 10/100/1000 Copper uPIM: supports auto negotiation; supports tri-rate (10/100/1000 Mbps) with Half/Full-Duplex modes
16 Port 10/100/1000 Copper uPIM: supports auto negotiation; supports tri-rate (10/100/1000 Mbps) with Half/Full-Duplex modes
6 Port 1000 Optical uPIM: supports both SX, LX, T SFP LC transceiver; supports 1000 Full-Duplex mode
uPIMs work in any slot (PCI/PIM and PCI-E/EPIM)

SSG Family Interface Module Summary

[Table: PIM/EPIM/Mini-PIM modules listed against SSG 20, SSG 140, SSG 320M / SSG 350M and SSG 520M / SSG 550M]

Modules: 1 x T1 Mini-PIM; 1 x E1 Mini-PIM; 1 x ADSL 2+ Mini-PIM; 1 x ISDN BRI S/T Mini-PIM; 1 x V.92 Mini-PIM; 1 x SFP Mini-PIM; 1 x Serial Mini-PIM; 1 x ISDN BRI S/T PIM; 8 x GbE copper uPIM; 16 x GbE copper uPIM; 6 x GbE SFP uPIM; 2 x T1 PIM; 2 x E1 PIM; 2 x Serial PIM; 1 x ADSL/ADSL2/ADSL2+ PIM; 1 x G.SHDSL; 1 x E3 PIM; 1 x DS3 PIM; 4 x FE EPIM; 1 x GbE EPIM; 1 x SFP EPIM

SSG Family Summary

Feature                   SSG 550M   SSG 520M   SSG 350M   SSG 320M   SSG 140    SSG 20     SSG 5
FW Mbps (Large Packets)   1+ Gbps    650+ Mbps  550+ Mbps  450+ Mbps  350+ Mbps  160 Mbps   160 Mbps
FW Mbps (IMIX)            1 Gbps     600 Mbps   500 Mbps   400 Mbps   300 Mbps   90 Mbps    90 Mbps
FW PPS (64 Byte)          600k       300k       225k       175k       100k       30k        30k
VPN (1400 Byte)           500 Mbps   300 Mbps   225 Mbps   175 Mbps   100 Mbps   40 Mbps    40 Mbps
IPS (Deep Inspection FW)  Yes        Yes        Yes        Yes        Yes        Yes        Yes
Antivirus                 Yes        Yes        Yes        Yes        Yes        Yes        Yes
Anti-spam                 Yes        Yes        Yes        Yes        Yes        Yes        Yes
Web Filtering             Yes        Yes        Yes        Yes        Yes        Yes        Yes
Modular I/O               Yes        Yes        Yes        Yes        Yes        Yes        No
Routing (RIP/OSPF/BGP)    Yes        Yes        Yes        Yes        Yes        Yes        Yes
WAN Encapsulations        Yes        Yes        Yes        Yes        Yes        Yes        Yes
A/A, A/P HA               Yes        Yes        Yes        Yes        Yes        Optional   Optional
Convertible to JUNOS      Yes        Yes        Yes        Yes        No         No         No

SSG & J-Series Portfolio

[Figure: ScreenOS (SSG) and JUNOS platforms, including common hardware platforms that run JUNOS & ScreenOS, positioned across four segments: Micro Branch, Small Office, Managed Service; Small Branch, SME; Branch/Regional, Medium Enterprise; Medium Ent to Large HQ. Additional M-series, T-series not shown.]

SSG Family Summary

Security: Proven ScreenOS + best-in-class UTM security features without add-on hardware
Stateful FW, IPSec VPN, IPS, AV (including Anti-Phishing, Anti-Spyware), Anti-Spam, Web filtering
Network segmentation via security zones and VLANs

Performance: Purpose-built platforms that deliver unmatched price/performance to branch office market

WAN Connectivity: Widest range of FW platforms with WAN interfaces and protocols
Security platforms with LAN and WAN routing capabilities
Dynamic routing, virtual routers, VPN, high availability, VLANs
New WAN interfaces and encapsulations taken from J-Series & JUNOS

Centralized management with NSM

ISG

ISG Overview

Purpose-built HW and SW: built from the ground up; ASIC-based platforms; security-hardened proprietary ScreenOS Operating System
Network layer security and features: network attack protection; virtualization; high-performance IPSec VPN; network features including dynamic routing and ALGs
Application layer security (optional): multi-detection methods for mitigating attacks; daily signature updates; zero-day coverage

ISG 1000 and ISG 2000

Feature                               ISG 1000                ISG 2000
Max Throughput: Firewall              2 Gbps                  4 Gbps
Max Throughput: IPSec VPN (3DES/AES)  1 Gbps                  2 Gbps
Packets per Second: FW                1.5 Million             3 Million
Packets per Second: VPN               1.5 Million             1.5 Million
Max Sessions                          500,000                 1 Million
VPN Tunnels                           2,000                   10,000
Max Throughput: IDP                   Up to 1 Gbps            Up to 2 Gbps
Supported Security Modules (IDP)      Up to 2                 Up to 3
Fixed I/O Interfaces                  Four 10/100/1000 Mbps   0
Max Interfaces                        Up to 20                Up to 28
Number of I/O Modules                 2                       4

Juniper Networks ISG 2000 & ISG 1000 with Integrated IDP

ISG 2000: 3 Security Blades
ISG 1000: 2 Security Blades

Management: NetScreen Security Manager

3-Tier Management

[Diagram labels: Common User Interface; Centralized NSM Server; NSM; ISG with IDP; SSGs; IDP Appliances]

Security Management Requirements

Must manage the entire device lifecycle
Needs to accommodate different tasks, management levels
Different people within organization need access

Device lifecycle by management level:

Security
  Deploy: Define security of entire network
  Configure: Push device-specific policy out
  Monitor: Attack Logs, Reports, Profiler, Security Explorer
  Upgrade: Signature updates, Policy adjustment
Network
  Deploy: VPN modeling, L2/L3 Routing
  Configure: VPN config, Route tables, Routing, VLAN
  Monitor: VPN monitoring, Network failure recognition
  Upgrade: VPN changes, Adjust routing
Device
  Deploy: Remote installation, Initial config
  Configure: Interfaces, Licenses, OS version
  Monitor: HA monitoring, HW monitoring (interfaces up/down, power failure)
  Upgrade: OS upgrade, Device config changes

[Diagram labels: Network Admin, Upper Management, Ops, Security Admin, Audit]

Complete Investigative Toolkit

[Figure: The Device Lifecycle (Design, Deploy; Configure; Monitor, Maintain; Upgrade, Adjust) with the tools Policy, Reports, Profiler, Log Viewer, Security Explorer, Log Investigator, Dashboard]

Multiple, integrated tools offer wide variety of information
See all firewall and IDP data in one place
Jump to policy for Closed Loop Investigation