Copyright © 2015 Juniper Networks, Inc. 1 High End SRX Series Securing the Data Center

Copyright © 2015 Juniper Networks, Inc. 1

High End SRX SeriesSecuring the Data Center


Cybercrime on the Rise… Business Profits and Productivity in Peril

Results in:

• Increased costs

• Lost revenue

• Reputation damage

• Performance degradation

• Heavy fines

• Career limiting

60%Of initial compromises took 1 minute or less time – there is a security incident every 7 minutes

43%Of companies experienced a data breach in the past year – on average, now 6 successful data breaches occurring a day

$20mAverage cost due to data breach – these costs are increasing 10% a year

Source: Verizon 2015 Data Breach Investigations Report(worldwide findings)


Data Center Customer Challenges

Keeping up with unpredictable traffic volumes

Ensuring application availability and business continuity

Securing against cyber attacks


Solving the ProblemTailored Security for Critical Assets in the Data Center

Get maximum PERFORMANCE & easily SCALE to adapt to the future

Stop all types of attacks with BEST-IN-CLASS SECURITY

Ensure your network is always AVAILABLE with easy, secure ACCESS to optimize productivity


CARRIER-GRADE AVAILABILITY

SRX Series Services Gateways for the High EndTailored Security for Critical Assets

BEST-IN-CLASS SECURITY

MAXIMUM PERFORMANCE AND SCALE


100G

Up to 2Tbps IMIX throughput and 100 million concurrent sessions scaling

Common Junos Operating System

Unprecedented ScaleIntegrated Routing, Switching and Security

1G

10G

SRX3400

SRX100SRX210

SRX220SRX240

SRX650

SRX110

SRX550

SRX1400

vSRX (Virtual SRX)

Branch

1T

2T

SRX Series Services GatewaysC

ap

acity

Edge Data Center Data Center Core

SRX3600

SRX5600

SRX5800

SRX5400

SRX300 SRX320SRX340

SRX345

SRX550-M

SRX1500vSRX 2.0

(Virtual SRX)


BEST-IN-CLASS SECURITY

• Enables complete application visibility and control

• Strong, dynamic content security: leveraging intelligence from best-of-breed partners

• Integrates security for physical and virtual data centers

• Open, threat intelligence platform


MAXIMUM PERFORMANCE AND SCALE

• Delivers high-performance, massive session volumes and flexible, large-scale connectivity

• Add security services without service interruptions for business continuity

• Enables “pay as you grow” approach


CARRIER-GRADE AVAILABILITY

• Delivers uptime continuity with in-service hardware and software upgrades

• Enables high availability with redundant components and links

• Built on a carrier-class hardware foundation

• Industry leading six-nines reliability


High End SRX Value

• Carrier grade NGFW• Open Threat

Intelligence platform

• Integrated in network

• Up to 240G per slot• Up to 2TBPS FW

Throughput• Express Path

Software

• Control/Data Plane separation

• Stateful HA• In-service SW/HW

upgrades• Six 9’s reliability

• Low upgrade cost • Operational

Simplicity – No change to security configuration

• Automation

Operational Efficiency

High Resiliency

Best in Class

SecurityHigh

Performance


Advanced Security Solutions


SRX Series Differentiators

HIGH PERFORMANCE and SCALE with

maximum throughput,

session scale, ISSU, and ISHU

OPEN THREAT INTELLIGENCE leveraging threat

feeds from multiple sources

to deliver automated

enforcement

SECURE AND RESILIENT

under attack with separate control and data planes

and multiple processing cores

INTEGRATION of physical and virtual solutions

(vSRX) to deliver visibility, security, and compliance

APPLICATION AWARENESS

with AppSecure and IPS to stop

application borne security threats

and manage application usage


SRX Series: Breadth and Depth of Defense

Enhanced Web Filtering

Stops viruses, file-based trojans or spread of spyware, adware, keyloggers

SSL Proxy

IPS

Firewall, VPN, NAT, UserID tied to FW policiesAllows UserID to apply to all L7 Security

Internal Threats

External ThreatsINTERNET

IDP detects/stops Worms, Trojans, exploits, shellcode, Scans

AppSecure

Core Security with User Role FW

Application level visibility and classificationApplication security policies tied to user roles

Inspect Encrypted Traffic

Antivirus

Block access to unapproved sitesReal time threat score for each URL


APPSECURE:Next Generation Firewall Overview

• Intelligent software services delivers smarter NGFW policies on SRX gateways

• Integrates application traffic control, with user control, and threat remediation

• Provides network visibility with correlated application and threat event tracking

• Application Identification 2.0• 3000+ applications• Detects evasive, P2P, nested apps• Best accuracy


Application Identification 2.0

AppID 1.0 AppID 2.0

Applications ~1700 3000+

Implementation Pattern Matching Decoder (loadable)

Evasive Apps (TOR, UltraSurf etc) No Yes

P2P Apps (Bit torrents etc) Limited Yes

Accuracy Good Best

Nested App for non HTTP No Yes

App ALGs (SIP, RTP codecs) No Yes


Integrated User Firewall

Windows ADs

Client

SRX Series

Corporate Data CenterApps

Data

Finance

Video

Internet

1 2

3

4

1Doman user logins into domain from domain member device

User attempts to make a connection through SRX

1. SRX checks local tables to see if user is already authenticated.

2. If so user continues. 3. No local auth, SRX queries AD4. AD has an entry it will be used. 5. No AD entry, fallback to captive portal

Authenticated user traffic is evaluated against configured policy for that user

2

3

4

17 Juniper Networks Confidential

Best of Breed UTM Security

• Protection from respected AV experts

• Reputation-enhanced capabilities

• Filter out extraneous or malicious content

• Maintain bandwidth for essential traffic

• Multilayered spam protection from security experts

• Protection against APTs

• Block malicious URLs

• Prevent lost productivity

Anti-Virus Web Filtering Content FilteringAnti Spam


SRX Series

SRX

Hypervisor

vSRX

VM VM VM VM

Virtual Network

MANAGEMENT AND SECURITY SERVICES

SecurityDirector

Juniper Secure Analytics JSA

SERVICES VSRX

Firewall

UTM

DoS Prevention

AppSecure, IPS

DoS

Integrated Physical and Virtual Security


Firewall management

IPsec VPN management

Network Address Translation (NAT) management

Intrusion prevention (IPS) signature management

Application-level and UTM policy management

Publish WorkFlow: Manage policy work by role for better accuracy+

Scalable Security Management• Security Director

• Delivers scalable, responsive, and accurate policy management

• Enables intuitive web-based policy lifecycle management

• Secure Analytics• Collects, archives, reports and correlates

events, flow data, and application data• Analyzes network behavior for anomalies

AUTOMATES

Threat intelligence enforcement


Security Director – Newly Enhanced

Firewall Policy

Threat Map

Events and Logs

Application Visibility

Dashboard


Juniper Secure AnalyticsExtensive analysis of data and events for real time analysis and anomaly detection in the network

Servers and mainframes

Network and virtual activity

Application activity

Data activity

Configuration information

Vulnerabilities and threats

Users and identities

Global threat intelligence

Security devices

Embedded Intelligence

AutomatedOffense

Identification

Extensive Data Sources… … Suspected Incidents

True Offenses• Automated data collection, asset discovery and profiling

• Automated, real-time, and integrated analytics

• Massive data reduction

• Activity baselining and anomaly detection

• Out-of-the box rules and templates


Open Threat Intelligence Platform

Copyright © 2015 Juniper Networks, Inc. 23 Copyright © 2015 Juniper Networks, Inc. 23

Sources of Threat Intelligence

On-Premises Appliances/Services(Best of Breed)

SIEM AnalyticsCustom Whitelist/Blacklist

(e.g., CSIRT-generated Data)

Malware Sources


Delivering Open, Actionable Intelligence

Meaningful coverage

across use cases with data

relevant to enforcement

Capacity that can meet the customer’s demand for

high volumes of intelligence.

Solutions that scale

Confidence in feed data & reduced noise due to

fewer false positives/negatives

Feeds that are Optimized for SRX lead to

efficient resource utilization

BREADTH SCALE ACCURACY PRIORITIZATION

Closing the loop with policy enforcement on the SRX Firewall


Threat Intelligence Platform

Customer-provided or3rd Party Threat Data

Command & ControlGeoIP

Additional Intelligence

Local Applianceor Service

1

2

3

45

SRX Firewalls

Aggregated & optimized cloud-based threat intelligence1

Juniper-provided threat intelligence to customer premise2

Local/Customer data incorporated into solution3

Centrally managed by Junos Space Security Director4

Intelligence distributed to SRX enforcement points5

Spotlight Secure

Security Director

a framework that uses information frommultiple sources to deliver improved security


Optimizing Threat Intelligence for the SRX

• Consolidate data• Weed out false positives• Add/normalize threat scores• Prioritize based on current

threat landscape

192.168.3.101 10

BadGuy.com 5

http://xyz.com/exploit 3…

The Juniper Threat Feed

• Juniper threat feeds are designed to maximize enforcement point resources

• Policy can be fine-tuned using threat scores

• Robust coverage IP, Domain Name, URL

Not all threat intelligence is created equal

The Optimization Process

Threat intelligence iscollected from a

variety of sources

Sourcing Threat Data

• Juniper is committed to delivering focused threat intelligence (C&C, botnet)

• We utilize a variety of threat data sources and techniques to ensure intelligence is current and actionable

• All data sources are carefully evaluated by Juniper’s threat research team

Rinse & Repeat

Optimize

Generate Feed

Source Data

• Threats change often• Refresh all data sources at

regular intervals• Spotlight Secure ensures that

data is fresh and actionable


Spotlight Secure Cloud

Threat Intelligence Architecture

Command & ControlOther threat intelligence

Security Director

Spotlight Secure Connector

Firewall estate

GeoIP feed

Open platform delivers more value

Scalable to ensure full enterprise or service provider deployment

Built for expansive data capacity

Improved efficacy through threat scores and tuning

Adaptive: from the data source, to data normalization, to syndication at the firewall


High End SRX Solutions


Juniper Security Architecture Overview

VR

VR

Virtualized ServersMulti Tenant

Hypervisor

VM VM

vSRXvSRX

Virtualized HostSingle Tenant

vSRX

VR

Hypervisor

MX

Enterprise Branch SRXWAN

Hybrid Cloud

MX

Security Director/ Virtual Director/Log Director

Internet

OSS/BSS

High End SRX Cluster

VM VM

CustomerPortal

VM VM


Architecture:Separate Data and Control Plane

Con

trol

Pla

neD

ata

Pla

ne

Physical Interfaces

PACKET FORWARDING

DOS & DDOS ATTACKS

Attacks overwhelm the boxAdministrator loses management access – your network is down

Attacks can be thwartedUnder attack, administrator maintains management access to modify policy, disallow bad traffic, and process good traffic – your network stays up

SHARED PLANE

MO

DU

LE

N

INT

ER

FA

CE

S

MA

NA

GE

ME

NT

RO

UT

ING

…KERNEL

DA

TA

MA

NA

GE

ME

NT

RO

UT

ING

DOS & DDOS ATTACKS


SRX1400

• Ideal for small to mid-size data centers, enterprise, and Service Provider networks

• Software Security Services• AppSecure and IPS• AV and web filtering• Threat intelligence

• Combination IOC/SPC card

SRX1400

On-board Ethernet 6 10/100/1000 + 6 SFP or 6 10/100/1000 + 3 SFP and 3 10GbE (on board) 16 SFP

GbE, 16 10/100/1000, or 2 XFP 10GbE

JUNOS Software Version Support JUNOS 12.1X46

Firewall Performance (Large Packets) 10 Gbps

Firewall Performance (IMIX) 5 Gbps

Firewall Performance (Firewall + Routing PPS 64byte)

1.5 Mpps

VPN Performance – AES256+SHA-1 or 3DES+SHA 1

4 Gbps

AppSecure 6.5 Gbps

Intrusion Prevention System 3 Gbps

Connections Per Second (CPS) 70 K

Maximum Concurrent Sessions 1.5 M

High Availability A/A or A/P

fan vent slot coverline cards


SRX3400 • Ideal for medium to large enterprises

and Service Provider networks



SRX3400

On-board Ethernet 8 10/100/1000 + 4 SFP (on-board) 16 SFP GbE,

16 10/100/1000, or 2 XFP 10 GB (SR or L)





3.5 Mpps


8 Gbps

AppSecure 16 Gbps



Maximum Concurrent Sessions 3 M


line cards

slot coverpower supply






SRX3600

On-board Ethernet 8 10/100/1000 + 4 SFP (on-board) 16 SFP GbE,

16 10/100/1000, or 2 XFP 10 GB (SR or LR)





6.5 Mpps


15 Gbps

AppSecure 24 Gbps





line cards slot cover

power supply





• Next-generation, high-performance line cards

SRX5400

On-board Ethernet 10X10GE-SFPP

Optional Ethernet

1GE - SFP10GE – SFPP40GE – QSFP100GE - CFP

JUNOS Software Version Support JUNOS 15.1X49-D10

Firewall Performance (large Packets)* 480 Gbps

Firewall Performance (IMIX)* 468 Gbps


9.9 Mpps


40 Gbps

AppSecure (NGFW) 50 Gbps





slot cover

power supply

SPC2 Card

IOC2 card

SCB and RE card

*Performance with Express Path enabled; throughput without Express Path: 65 Gbps


SRX5600 • Ideal for large enterprise, Service Provider,

and public sector networks



SRX5600

Optional Ethernet

1GE - SFP10GE – SFPP, XFP

40GE – QSFP100GE - CFP

Onboard Ethernet None


Firewall Performance (large Packets)* 960 Gbps

Firewall Performance (IMIX)* 936 Gbps


20 Mpps


75 Gbps






SPC2 Card

IOC2 card

SCBE and RE card

*Performance with Express Path enabled; throughput without Express Path: 130Gbps


*

SRX5800

• Ideal for large enterprise, Service Provider, and public sector networks



SPC2 card

SRX5800

Optional Ethernet

1GE - SFP10GE – SFPP, XFP

40GE - QSFP100GE – CFP

Onboard Ethernet None


Firewall Performance (Large Packets)* 2 Tbps

Firewall Performance (IMIX)* 2 Tbps


50 Mpps


130 Gbps






IOC2 Card

SCBE and RE card

*Performance with Express Path enabled; throughput without Express Path: 320 Gbps


High Availability: Chassis Clustering

Features• Single System View

• Stateful fail-over

• Monitoring

Cluster

Primary Node1Node0

Control Plane

Data Plane

Secondary

The estimated hardware downtime per pair corresponds to an availability of greater than 99.9999% (six-nines)

*Telcordia Reliability Analysis Report


Ease of Hardware and Software Upgrades

• ISHU – In Service Hardware Upgrade• Replace hardware or add/remove cards on cluster• Example: Adding SPC to SRX

• ISSU – In Service Software Upgrade• SRX node SW upgrade while it is in service• Upgrade software to higher version, no hardware change• Single command to trigger ISSU (without manual intervention)• Minimal traffic loss (~1sec*) at every failover


SRX5000 – New Announcements in 2015


Express Path for SRX5000 Series

• Now available on SRX5000 Series next generation IOC hardware Provides low latency and high throughput solution• 7 – 9.5 microseconds latency• Scales up to 2Tbps on SRX5800• Support for Big Data Flows of 40 Gbps and 100Gbps

• Prioritization of certain traffic types for very high speeds• Both latency-sensitive and normal traffic can be mixed on the same platform• Express Path is configurable per I/O Card:

• Can run certain physical ports in Express Path mode• Other ports in regular firewall mode with high touch services (IPS, IPSec, etc.)

running on SPCs


Industry leading 2 Terabits per Second IMIX Throughput Third generation IOC3

240Gbps Fabric and 2X bandwidth increase over prior card SCB3 Enhanced midplane Express Path

Differentiated throughput levels delivered by custom HW and optimized SW

Operational simplicity and agility Deployed in mixed configurations with existing and new cards Modular throughput and scale for investment protection

Introducing Industry’s Fastest Firewall SRX5800


Why It’s Important

This unprecedented increase in throughput and scale enhances the ability of enterprises and service providers to securely deploy high performance and latency sensitive business applications

at the speed of the business, simply and cost effectively.

The SRX5000 Series achieves 7 µsec latency, 100 million concurrent sessions, six-nines reliability and 2Tbps throughput.


Financial Data Center Challenges

• High MTBF: Downtime is not an option

• Low Latency & Jitter: Every micro-second counts• High frequency trading, Algorithmic trading

• Small packet size and Micro-bursts

41%

35%

6% 5%

3%

2%9% 0-64

65-128

129-256

257-512

513-1024

1025-1480

1481-1520

Sample Packet Distribution


Low Latency, Predictable Performance Solution

• Business objectives• High frequency trading,

equities and market data systems

• Unique needs• Low latency & highly reliable• Predictable/scalable

performance

• SRX differentiators• Express Path solution• Six-nines reliability


Increased Security for High Performance Computing Applications

• Dramatically increasing secured traffic flow with extremely high capacity flows for express downloads and data transfer

• Firewalls traditionally support only small flows

• SRX supports big data flows of up to 100 Gbps!

10G/40G/100G links

Site/Campus LAN

Data Transfer Cluster

SRX5000

Project Y DTN

Project X Data Transfer Node

Science DMZ Switch/Router

Area Border Router Enterprise Border Firewall

Site/Campus Access to Science DMZ resources

10G/40G/100G links


Secure Transfer of Big Data Flows

• SRX supports high bandwidth data flows of 100 Gbps/40Gbps• Dramatically increasing secured traffic flow with extremely high capacity

flows for express downloads and data transfer

• No Sacrifice of Security• SRX inspects the traffic to ensure policy compliance• No sacrifice of policy enforced security for performance

• Meets Govt/Public sector, Research, Pharmaceuticals and Energy requirements to secure fast transfers of very large amounts of data


Dramatically increases secured traffic with extremely high bandwidth flows

Suitable for express downloads and data transfers of large amounts of data

Reduces packet path latency

Price/Performance gains

Example Deployment (Science DMZ)

10G/40G/100G links

Site/Campus LAN

Data Transfer Cluster

SRX5000

Project Y DTN

Project X Data Transfer Node

Science DMZ Switch/Router

Area Border Router Enterprise Border Firewall

Site/Campus Access to Science DMZ resources

10G/40G/100G links


Data Center Use Cases


Enterprise IT Datacenter

• Business objectives• Corporate cost center delivering

internal business applications and services

• Unique needs• I/O convergence at the rack• Robust HA and multi-site business

continuity• Traffic isolation and security services

• SRX strengths:• IPSEC with automatic route insertion

or AutoVPN• Full suite of NGFW capabilities; IPS

DMZ

Applications

IPS/AppID

Log Director/JSA

Internet

Secure from outside to inside

High End SRX

Secure from internal threats

Internal LAN

User

Policy

USE CASE


High Performance Computing Data Center

• Business objectives• Dedicated application

compute network

• Unique needs• High throughput; low latency• System resiliency and reliability

• SRX differentiators• 99.99995% system availability • HA with in-service software/

hardware upgrades• Single, high bandwidth flows of

40G, 100G

USE CASE

VR

VR


Hypervisor

VM VM

FireflyFirefly


VR

Hypervisor

MX

EnterpriseBranch

SRXWAN

Hybrid Cloud

MX

Security Director/Virtual Director/Log Director

Internet

OSS/BSS


VM VM

CustomerPortal

VM VM

Firefly


Transactional Data Center

• Business objectives• Financial trading and market

data systems, high speed transactions

• Unique needs• Low latency and highly reliable• Logical/virtual security separation

• SRX differentiators• Express path low latency solution• Logical separation;

routing-instances, LSYS

VR

VR


Hypervisor

VM VM

FireflyFirefly


Firefly

VR

Hypervisor

MX

EnterpriseBranch

SRXWAN

Hybrid Cloud

MX

Security Director/Virtual Director/Log Director

Internet

OSS/BSS


VM VM

CustomerPortal

VM VM

USE CASE


Content/Service Delivery Datacenter

• Business objectives• Revenue-generating content

and service delivery

• Unique needs• Modular Scalability without redesign• HA and QoS to enable SLAs• Advanced and virtualized security

• SRX strengths• 40G-100G modular scalability• Open IPS signature set and threat

intelligence• Comprehensive QoS feature set• Full suite of security services

DMZ

Applications

IPS

Log Director/JSA

Internet

Secure from outside to inside

High End SRX

Secure from internal threats

Internal LAN

User

Policy

USE CASE


IDENTIFY NEW OPPORTUNITIES

Realize Networks That Know with Juniper Professional Services

ACCELERATE INNOVATION

ACCELERATE DEPLOYMENT

LEVERAGE PROVEN EXPERTISE

CREATE ROADMAP FOR EVOLUTION

PLAN FOR THE FUTURE

PROTECT YOUR INVESTMENT

MITIGATE RISK


Juniper Professional Services

Accelerate innovation

Plan for the future

Leverage Proven Expertise

Design an effective network

Maximize performance

Mitigate risk

Juniper Professional Services help you to identify new opportunities for creating a foundation for innovation across your business.

Your network needs to do more than meet your needs of today. We assist you in building a roadmap for how your system can evolve and grow over the long term.

Juniper Professional Services provide the assessment, design, deployment, and migration expertise on how you can optimize your selected technology. We follow proven methodologies that accelerate the process without compromising quality. As you move forward, Juniper PS is available to provide assistance in areas such as high and low-level design, migration planning and execution.

We understand how to integrate and optimize solutions from other vendors into an open, cohesive networking environment that enables innovation

We can configure your entire network for optimal resiliency, reliability, security and speed. We create effective multi-vendor networks that work seamlessly.

We understand that with innovation may come concerns about risk - Juniper PS services enable you to optimize your potential for innovation while mitigating the risk to:• Your investment • Disruption to your existing infrastructure• Disruption to existing services


Automation: Unique to SRX

OSS integrationWorkflow automationNetOps & SecOps tools

“off-box”

Audits & complianceChange controlTroubleshooting & event response

“on-box”

XML API

On the Device Across the Network


Automation: Why It Matters

Provisioning and deployment

Change management

Event response

Uses

Deliver new services faster

Improve staff efficiency

Simplify auditing

Reduce downtime from human errors

Drivers / Benefits

Core Junos Differentiation


What Analysts Are Saying…

MAXIMUM PERFORMANCE AND SCALABILITY

OPERATIONAL EFFICIENCY

“Good options exist for high-throughput, purpose-built appliances, especially in the higher end SRX models.”

Greg Young, Gartner MQ for Enterprise Network Firewalls 2013

“Junos “achieved a 40% reduction in operation costs…[including] planning and provision, deployment, and planned and unplanned network events…Positive financial payback within 0.8 years or 9 months.”

“The Total Economic Impact of Juniper Networks JUNOS Network Operating System,” Michael Speyer, Forrester Research

COMPREHENSIVE THREAT PREVENTION“Juniper is also the only solution with all the advanced features in this evaluation.”

Info-Tech, “Vendor Landscape: Next Generation Firewalls,” James Quin


ESG Lab Review

“Juniper is focused on delivering comprehensive security services that provide the maximum amount of performance and scale, while optimizing productivity in a highly available, always-on cluster with easy, secure access. ESG Lab validated that the latest release of the Juniper SRX5400, with its unique architectural approach, next-generation IOCs and SPCs, and Express Path, achieves just that. If you’re considering a next-generation data center firewall and have strict performance requirements for throughput and latency, ESG Lab suggests taking a look at the Juniper SRX5400.”

Jon Oltsik, ESG Senior Principal Analyst

*ESG Lab Review - Juniper SRX5400 – March 2015

PERFORMANCE AND SCALABILITY WITH THE SRX5400*


THE POWER OF A CONNECTED WORLDCONNECT EVERYTHING. EMPOWER EVERYONE.

THANK YOU

Documents

Copyright © 2015 Juniper Networks, Inc. 1 High End SRX Series Securing the Data Center