
Product Update Seminar

Copyright © 2011 Juniper Networks, Inc. www.juniper.net

AGENDA

13.00  Welcome
13.30  SRX update + Application Aware FW positioning
       Value-add proposition of having on-box AV (Kaspersky)
       MAG SSL/UAC license scenarios recap
       vGW short recap (demo)
15.30  Coffee break
       EX technology portfolio update: "The new network is simply connected"
       Wireless Newsflash
       Westcon Academy Juniper Training update
17.30  Great drinks & finger food @ SKYBAR terrace

Legal Disclaimer: This statement of product direction (formerly called "roadmap") sets forth Juniper Networks' current intention, and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this statement.

SRX update

Frederick Verduyckt, Security System Engineer


DON'T TAKE OUR WORD FOR IT…

SRX650 wins Best of Interop Award, Infrastructure Category: a "Branch Office Swiss Army Knife" that "packs a bunch of horsepower and features".

SRX210 wins Tokyo Interop Grand Prix (highest honor) for SMB Infrastructure: "Amazed that high-performance JUNOS software is installed in this small appliance" – the vote was unanimous!


BRANCH SRX DELIVERS… CONSOLIDATED SECURITY AND NETWORKING

All-in-One: a single device for routing, switching, and security (Routing / WAN, LAN switching, UTM).

Comprehensive security, with new layers easy to activate: Firewall, VPN, IPS, Anti-Virus, Anti-Spam, Web filtering.


BRANCH SRX PORTFOLIO

Small Office: SRX100/110
Small to Medium Office: SRX210 (WAN slot, 2 x GigE, PoE); SRX220 (+ 2 WAN slots, 8 x GigE, PoE); SRX240 (+ 4 WAN slots, 16 x GigE, PoE)
Large Branch/Regional Office: SRX650 (+ more LAN slots, dual processors, dual P/S)


SRX SERVICES GATEWAYS

Highly configurable
– Fixed, semi-modular, and modular form factors
– Choice of WAN and LAN interfaces

Extensive integration
– Full suite of JUNOS routing and switching capabilities
– Unmatched security, including FW, VPN, UTM, UAC, and full IPS

Exceptional performance and availability
– Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS
– Control & data plane separation, redundant processing and power

Model    Configuration       FW/IPS Performance
SRX100   Fixed               600/60 Mbps
SRX210   1 mini PIM slot     750/80 Mbps
SRX220   2 mini PIM slots    950/100 Mbps
SRX240   4 mini PIM slots    1500/250 Mbps
SRX650   8 GPIM slots        7000/900 Mbps


SRX SERVICES GATEWAYS DATA CENTER SERIES COMPARISON

Max. value (Junos 10.4)                      SRX1400       SRX3400           SRX3600           SRX5600      SRX5800
FW Throughput                                10 Gbps       20 Gbps           30 Gbps           60 Gbps      150 Gbps
VPN Throughput                               2 Gbps        6 Gbps            10 Gbps           15 Gbps      30 Gbps
IPS Throughput                               2 Gbps        6 Gbps            10 Gbps           15 Gbps      30 Gbps
Max PPS                                      1 million     3.5 million       6.5 million       9 million    21 million
Max Sessions (/ with add'l license)          0.5 million   2.25 / 3 million  2.25 / 6 million  9 million    12.5 million / 14 million (with caveats)
New & Sustained CPS (/ with add'l license)   45k           175k              175k / 300k       350k         350k

Built-in interfaces (10/100/1000Base-T, 1000Base-X (HA off / on), 10GBase-F) and total I/O ports (GbE (HA off / on), 10 GbE): the per-model values in these two rows are garbled in the extraction; figures as extracted: "GE 6, 6 / 40, XGE 6, 3 / 13, 8, 4, 8, 4" and "28/26, 225/23, 5768 108, 12200, 40, 44088".


SRX210 ENHANCED

Improved SRX210 with faster processor
– Increases processor speed to 600 MHz from 400 MHz (the existing SRX210 has a 400 MHz processor)
– Provides faster J-Web, improved boot-up time, faster throughput
– Provided under new SKUs: SRX210BE, SRX210HE, SRX210HE-POE
– No change to list price; no change to datasheet specs
– FIPS & EAL4 certifications submitted with 10.4
– End-of-Sale of the existing SRX210 will be announced after receiving certifications in 2H 2011, providing at least 6 months' notice for LTB (last-time buy)


SRX110 – Single-box solution for Enterprise and MSP

– Fixed form factor: 8 x 10/100 Mb Ethernet ports
– WAN options: VDSL Annex A or VDSL Annex B with ADSL fallback; 3G USB modem port for backup (the Express slot is being deprecated)
– Feature rich in routing, switching and security: Security – UTM, stateful firewall, IPsec VPN; Routing – RIP, OSPF, BGP, MPLS, VPLS; Switching – Ethernet switching feature parity with SRX100
– External CF for more storage options

SKU             Memory & Storage       LAN      DSL WAN        3G WAN
SRX110H-VA-3G   1 GB RAM, 1 GB Flash   8 x FE   VDSL Annex A   Yes
SRX110H-VB-3G   1 GB RAM, 1 GB Flash   8 x FE   VDSL Annex B   Yes

Security & Performance
Routing Performance          Est. 100 Kpps
Firewall Performance         750 Mbps (large pkt), 250 Mbps (IMIX)
VPN Performance              75 Mbps
IDP Performance              65 Mbps
AV & IDP HW Acceleration     No
High Availability (Q3 '11)   A/A or A/P


3G/4G FOR SRX – UPDATES

SRX/Junos-based 3G support: direct plug-in USB modem support for SRX100, SRX110 and SRX210E (no USB 3G support on 220/240/650)
– GSM/HSPA+ modem support in Q3 '11 (Sierra Wireless 319U)
– Secure Modem with Modem Cap (2H '11), recommended for use with SRX
– LTE/HSPA modem support in 1H '12; LTE/EVDO modem support in 1H '12

CX111 3G/4G Bridge for "ALL" SRX, SSG & J-Series
– USB 3G/4G – this is the future
– Worldwide 70+ modems supported in the latest firmware (July '11)
– Verizon LTE supported now; CX111 supports SNMP now (v 1.8.2, July 2011)
– Junos CLI-based management: Phase-1 release in Q4 '11

ROADMAP

SRX550 – New platform for mid-large branches
– Faster than a J6350
– Flexible slots: two mPIM slots for low-speed interfaces; six PIM slots (2 XPIM + 4 GPIM); one ACE slot (future CPU offload)
– Support for LAN bypass (ports 4 and 5)
– 10 x GE ports built-in (6 x GE, 4 x SFP)
– Dual PSU support
– Two USB ports
– Serial and USB-based console
– External CF/SSD for storage
– Beta in 11.4

Security & Performance Targets
Routing Performance        Est. 700 Kpps
Firewall Performance       2 Gbps (IMIX), 8 Gbps (large packets)
AV & IDP HW Acceleration   Yes
IPSec Performance          TBD

APPSECURE UPDATE

WHERE IS SECURITY HEADED? CONTEXT AWARENESS

Global high-performance network: "location, device and user" vs. "source to destination".

[Figure: the traditional source-to-destination view between Branch, Campus, Mobile Clients and the Data Center, contrasted with the context-aware questions: what user, what application, user device, user location.]

APPSECURE SOFTWARE SERVICE SUITE

Application intelligence from user to data center
• Subscription service includes all modules and updates
• Juniper Security Lab provides 800+ application signatures

AppTrack – Understand security risks; address new user behaviors
AppFW (2H 2011) – Block access to risky apps; allows user-tailored policies
AppQoS – Prioritize important apps; rate limit less important apps
AppDoS – Protect apps from bot attacks; allow legitimate user traffic
IPS – Remediate security threats; stay current with daily signatures

APPSECURE USE CASE – COST REDUCTION

Customer Profile: large technology company with over 100 offices worldwide.
Customer Initiative: IT cost reduction through standardization on a smaller number of supported applications.
AppSecure Implementation:
– AppTrack: identify global use of applications, cloud-based or not
– AppFW: block out-of-policy applications (e.g. Facebook)
– AppQoS: prioritize business-critical applications (Oracle, GoogleSites); lower priority of less essential applications (QuickTime)
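An added configuration example, not taken from the slides, showing how the AppTrack and AppFW parts of this use case map onto Junos AppSecure on an SRX: application tracking is switched on for the user zone so the firewall logs which applications are actually in use, and an application-firewall rule-set attached to the trust-to-untrust policy denies Facebook while leaving every other identified application permitted. The zone names (trust, untrust), interface names, the rule-set name block-noncore and the policy name users-to-internet are assumptions; the dynamic-application name junos:FACEBOOK-ACCESS is assumed to be present in the installed application signature package.

```junos
/* Added example (not from the slides). Assumed: zones trust/untrust, ge-0/0/1 (users)
   and ge-0/0/0 (uplink), rule-set and policy names, and that junos:FACEBOOK-ACCESS
   exists in the installed application signature package. */
security {
    application-tracking {
        first-update;          /* AppTrack: emit a log as soon as the application is identified */
    }
    zones {
        security-zone trust {
            application-tracking;   /* track applications seen on the user zone */
            interfaces { ge-0/0/1.0; }
        }
        security-zone untrust {
            interfaces { ge-0/0/0.0; }
        }
    }
    application-firewall {
        rule-sets block-noncore {
            rule deny-facebook {
                match { dynamic-application junos:FACEBOOK-ACCESS; }
                then { deny; }
            }
            default-rule { permit; }   /* applications not listed stay allowed */
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy users-to-internet {
                match { source-address any; destination-address any; application any; }
                then {
                    permit {
                        /* L4 permit first; the rule-set then decides per identified application */
                        application-services { application-firewall { rule-set block-noncore; } }
                    }
                    log { session-close; }   /* session-close records the identified application */
                }
            }
        }
    }
}
```

The stateful policy still matches on address and port first; the AppFW rule-set only runs on sessions that policy permits, which is why the deny is expressed inside the permit action rather than as a separate deny policy.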

APPSECURE USE CASE – COMPLIANCE

Customer Profile: US-based HR recruiting firm with clients in the US and EMEA.
Customer Initiative: standardize on a single e-mail application to meet compliance guidelines.
AppSecure Implementation (AppTrack and AppFW):
– Identify and permit Microsoft Outlook traffic
– Identify and permit access to LinkedIn to enable recruiting productivity
– Identify and deny access to LinkedIn's InMail application

APPSECURE AVAILABILITY

Module                                High End SRX / Branch SRX
AppTrack, AppFW, AppQoS, AppDoS, IPS  release figures as extracted (column assignment garbled): 11.2; 11.2 / 11.1; 11.4 / 1H12; TBD
User-Roles                            12.1 / 12.1

LOGICAL SYSTEMS UPDATE

WHAT IS LSYS?
• Virtualization of many aspects of Junos, especially security policies and enforcement options
• "Complete" separation of a single device into unique virtual instances, including:
  • Administrative separation – users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box
  • Traffic separation – network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
  • Resource separation – resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances
• An evolution of ScreenOS's VSYS concept

LSYS VS. VSYS

[Figure: object hierarchies side by side. ScreenOS VSYS: Virtual System → Virtual Router → Zone → Interface → IP. Junos* LSYS: Logical System containing virtual routers, zones, interfaces and IPs.]

*All interfaces in a given zone must be in the same routing instance

LSYS ISN'T A HYPERVISOR-LEVEL VIRTUALIZATION
• Only one version of Junos is running on the SRX
• System daemons have been made 'LSYS aware'; in some cases multiple daemons are used, one per LSYS
• Akin to "operating system-level virtualization": looks and feels like a real system, and has resource protection to protect one LSYS from another

EXAMPLE

[Figure: one SRX split into a root logical system (LSYS0) and two user logical systems (LSYS1, LSYS2), joined by logical tunnel interfaces lt-0/0/0.0 … lt-0/0/0.5. Root: zones Inet and LRlt. LSYS1: zones L1lt and L1USR. LSYS2: zones L2lt, L2USR and L2SVR. Hosts PC1, PC2 and PC3 sit in the user and server zones.]

LSYS MANAGEMENT METHODS

CLI: global (root) view; LSYS view
Web: J-Web global view; J-Web LSYS view
NMS: Junos Space; third-party

LSYS: 11.2 CLI

Global (root) configuration:

    interfaces {...}
    lsys-profiles {...}
    applications {...}
    schedulers {...}
    routing-instance {...}
    protocols {...}
    routing-options {...}
    security {
        policies {...}
        zones {...}
        nat {...}
    }
    logical-system LSYS1 {
        profile profile-name-Premium
        interfaces {...}
        routing-instance one {...}
        applications {...}
        security {
            policies {...}
            schedulers {...}
            zones {...}
            nat {...}
        }
    }

Global Configuration View
• Root administrator can configure all elements of the SRX
• Must create LSYS and LSYS users
• If desired, all admin can be done by root

LSYS-Level Configuration View
• LSYS administrators see only LSYS-level configuration details
• Includes LSYS-only view of all logs
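An added configuration example, not from the slides, that realises the EXAMPLE diagram and the three kinds of separation described under WHAT IS LSYS in shipping Junos 11.2+ syntax (logical-systems, system security-profile, login class bound to a logical system) rather than the slide's mock-up hierarchy. It keeps the diagram's zone names and lt-0/0/0 units 0 to 3 (units 4 and 5 and the L2SVR zone are left out). Everything else is assumed: the lt link addresses 10.0.1.0/30 and 10.0.2.0/30, tenant LANs 192.168.1.0/24 and 192.168.2.0/24, ge-0/0/0 as Internet uplink with 203.0.113.2/24, ge-0/0/1 in LSYS1, ge-0/0/2 in LSYS2, the profile, class, user and policy names, and the resource quotas.

```junos
/* Added example (not from the slides). Assumed: addresses, interface assignment,
   profile/class/user/policy names and quotas; zone names and lt units follow the diagram. */
system {
    /* Resource separation: every LSYS, the root included, draws from an explicit budget */
    security-profile sp-root  { policy { maximum 200; reserved 100; } zone { maximum 20; reserved 10; } root-logical-system; }
    security-profile sp-lsys1 { policy { maximum 100; reserved 50; }  zone { maximum 10; reserved 5; }  logical-system LSYS1; }
    security-profile sp-lsys2 { policy { maximum 100; reserved 50; }  zone { maximum 10; reserved 5; }  logical-system LSYS2; }
    /* Administrative separation: a login class tied to one LSYS sees only that LSYS */
    login {
        class lsys1-admin { logical-system LSYS1; permissions all; }
        user l1admin { class lsys1-admin; authentication { encrypted-password "$PLACEHOLDER-HASH$"; } }
    }
}
/* Root logical system (LSYS0): Internet zone plus one lt unit per tenant link */
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 203.0.113.2/24; } } }
    lt-0/0/0 {
        unit 0 { encapsulation ethernet; peer-unit 1; family inet { address 10.0.1.1/30; } }
        unit 2 { encapsulation ethernet; peer-unit 3; family inet { address 10.0.2.1/30; } }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.1;
        route 192.168.1.0/24 next-hop 10.0.1.2;
        route 192.168.2.0/24 next-hop 10.0.2.2;
    }
}
security {
    zones {
        security-zone Inet { interfaces { ge-0/0/0.0; } }
        security-zone LRlt { interfaces { lt-0/0/0.0; lt-0/0/0.2; } }
    }
    policies {
        /* Traffic separation: tenants may reach the Internet only. No LRlt-to-LRlt policy
           exists, so LSYS1 and LSYS2 cannot reach each other through the root even though
           both tunnel units sit in the same root zone (intra-zone traffic is denied by default). */
        from-zone LRlt to-zone Inet {
            policy tenants-to-internet {
                match { source-address any; destination-address any; application any; }
                then { permit; log { session-close; } }
            }
        }
    }
}
logical-systems {
    LSYS1 {
        interfaces {
            lt-0/0/0 { unit 1 { encapsulation ethernet; peer-unit 0; family inet { address 10.0.1.2/30; } } }
            ge-0/0/1 { unit 0 { family inet { address 192.168.1.1/24; } } }
        }
        routing-options { static { route 0.0.0.0/0 next-hop 10.0.1.1; } }
        security {
            zones {
                security-zone L1lt  { interfaces { lt-0/0/0.1; } }
                security-zone L1USR { interfaces { ge-0/0/1.0; } }
            }
            policies {
                from-zone L1USR to-zone L1lt {
                    policy users-out {
                        match { source-address any; destination-address any; application any; }
                        then { permit; }
                    }
                }
            }
        }
    }
    LSYS2 {
        interfaces {
            lt-0/0/0 { unit 3 { encapsulation ethernet; peer-unit 2; family inet { address 10.0.2.2/30; } } }
            ge-0/0/2 { unit 0 { family inet { address 192.168.2.1/24; } } }
        }
        routing-options { static { route 0.0.0.0/0 next-hop 10.0.2.1; } }
        security {
            zones {
                security-zone L2lt  { interfaces { lt-0/0/0.3; } }
                security-zone L2USR { interfaces { ge-0/0/2.0; } }
            }
            policies {
                from-zone L2USR to-zone L2lt {
                    policy users-out {
                        match { source-address any; destination-address any; application any; }
                        then { permit; }
                    }
                }
            }
        }
    }
}
```

Two points worth checking after a commit: the LSYS administrator logged in as l1admin should see only the LSYS1 branch of the configuration and only LSYS1 session logs, and a tenant that wants to reach the other tenant must get an explicit policy in the root (and a matching route), which is the "unless security and routing policies are configured to allow it" clause of the traffic-separation definition made concrete.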

JWEB IN 11.2: LSYS MONITORING

JWEB IN 11.2: CONFIGURATION OF LSYS

WHEN TO USE LSYS

Customer requirements:
✔ Complete separation of traffic (zones and VRs can also provide this functionality without LSYS)
✔ Administrative delegation
✔ Log separation
✔ Resource reservation

vGW update

VIRTUALIZATION-SPECIFIC REQUIREMENTS

Secure VMotion/live migration
– VMs may migrate to an unsecured or lower trust-level zone
– Security should enable both migration and enforcement

Hypervisor protection
– A new operating system means a new attack surface
– Hypervisor connection attempts should be monitored

Regulatory compliance
– Isolating VMs, access control, audit, etc.
– Segregating administrative duties inside the virtual network
– Tracking VM security profiles

SECURITY IMPLICATIONS OF VIRTUAL SERVERS

[Figure: physical network vs. virtual network. In the physical network a firewall/IPS inspects all traffic between servers; on an ESX host, physical security is "blind" to traffic between virtual machines (VM1, VM2, VM3) on the same hypervisor.]

APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS

1. VLAN segmentation
– Each VM in a separate VLAN
– Inter-VM communications must route through the firewall
– Drawback: possibly complex VLAN networking

2. Agent-based
– Each VM has a software firewall (FW agents)
– Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs

3. Kernel-based firewall (FW as a kernel module on the ESX host)
– VMs can securely share VLANs
– Inter-VM traffic always protected
– High performance from implementing the firewall in the kernel
– Micro-segmenting capabilities

VGW KERNEL IMPLEMENTATION

Fully "fast-path"
– All firewall processing is done within the hypervisor
– High performance, >10 Gbps throughput

Designed for ESX architecture
– Independent processing of firewall policy per VM
– Scales up as core count increases

[Figure: ESX host with VM1, VM2, VM3 and the Altor VM (policy, logging, management). Packets/data pass from the VMware vSwitch or dvSwitch through the VMsafe interface to the Altor VMsafe kernel module (Altor VF) in the ESX kernel; the vGW 4.5 engine forwards packet/data to partner servers (IDS, Syslog, Netflow).]

VGW ARCHITECTURE: 3 MAIN MODULES

1. vGW Security Design
• Central management
• Web-based UI
• Management HA
• Delivered as virtual appliance

2. vGW Security VM
• Policy from management to engine
• Logging from engine to management
• IDS engine
• Deployed as HA pair
• Delivered as virtual appliance

3. vGW Engine
• Full FW implementation in the kernel
• Stateful FW
• Per-VM policy

[Figure: on each ESX host the vGW engine sits in the ESX kernel beneath VM1, VM2, VM3, attached via the VMware dvfilter to the VMware vSwitch or Cisco 1000V on the hypervisor.]

INTEGRATED WITH JUNIPER DATA CENTER SECURITY

[Figure: vGW 4.5 on VMware vSphere (VM1, VM2, VM3, Altor VM) integrated with the network: central policy management of policies; firewall event syslogs and Netflow for inter-VM traffic sent to STRM; zone synchronization and traffic mirroring to IPS on the Juniper SRX with IPS and the Juniper EX switch.]

DEMO

http://vgwdemo.juniper.net