The JUNOS Powered Enterprise
Koen Geusens
| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net
June 11, 2009
JUNOS Strategy
Multi-year trends in the enterprise
[Figure: The Distributed Enterprise. Labels: Mega Data Centers (thousands), Clients (billions), Global High-Performance Network, Mobile, Home, Branch, Campus. Trends: Workforce Globalization, Data/App Consolidation]
Juniper’s distributed enterprise vision
Switching, Routing and Application Acceleration for delivering converged applications
Enterprise-wide access control, Adaptive Threat Management and integrated multi-function products
Consistent functionality, centralized administration and proactive services
[Figure labels: User, Manage, User Productivity, Lower TCO, Client Satisfaction, Customer Retention]
IT SERVICES WITHOUT BOUNDARIES
Security, Routing and Switching
[Figure labels: Mega Data Centers (thousands), Clients (billions), Global High-Performance Network, Mobile, Home, Branch, Campus]
Using high-performance networking to reduce complexity
[Figure: Juniper High-Performance Network compared with Legacy Network]
Learn and configure one OS (legacy: OS #1, OS #2, OS #3, OS #4)
Use fewer boxes: Dynamic Services Architecture (Firewall/VPN, Switch, Router, Voice gateway, UTM, IPS, Access Control)
Simplify software management: 9.2, 9.3, 9.4
High-performance network: Scalable, Fast, Reliable, Secure, Simple
JUNOS Software: The Power of One Operating System
Deployed since 1998
– First high-performance network operating system
10+ years of innovation and development
– Runs routing, switching, and security platforms
– Reduces complexity, achieves operational excellence
– Evolutionary architecture expands to new services and extends to new platforms for tomorrow
Serving the most demanding customers
– Top 40+ service providers
– High-performance enterprise and public sector customers
JUNOS Software: The Power of One
One OS
– Single source code base
– Less time and effort to plan, deploy, and operate
One Release
– Single software release train
– Stable, predictable delivery of new functionality
One Architecture
– Modular software with functional separation
– Highly available, scalable, and evolutionary software
[Figure: releases 9.1 (2Q08), 9.2 (3Q08), 9.3 (4Q08); Module X, API]
One Operating System
Less Time and Effort to Plan, Deploy, and Operate
Single source code base
– Optimized for platform requirements
Consistent user experience
– Common management interface and tools
– Common architecture framework
Consistent implementation of control features
– Ease training
– Streamline testing, qualification, and deployment
– Redeploy equipment to new needs
[Figure: OSPF, BGP, MPLS, IPv6… across Branch Office, Service Provider Access/Edge, Service Provider Core, Corporate HQ, Data Center]
One Release Train
Disciplined process for development
– New versions build upon the prior, so features remain
– Extensive automated regressions and quality metrics for stable delivery release after release
Predictable schedule
– Ten years in a steady release cadence
– Released for the devices run by JUNOS Software
Streamlines upgrades and reduces upgrade issues
– Plan resources for upgrades with confidence
– Extended End-of-Life for the last release of each year
[Figure: release timeline. Releases: 8.5, 9.0, 9.1, 9.2, 9.3. Quarters: Q407, Q108, Q208, Q308, Q408]
Reduce Complexity
Ten Years on Time, Stable Release Delivery
Simple, Predictable, Reliable
[Figure: releases 9.1 (2Q08), 9.2 (3Q08), 9.3 (4Q08)]
One Open Modular Architecture
Highly Available, Secure and Evolutionary Software
Independent modules
– Protected Memory for stability
– Contains faults and enables rapid isolation
– Well-defined interfaces for expansion of functions/platforms
Separates control from packet forwarding
– Scales performance, enhances resiliency, enables redundancy
Tailored services flexibility
– Create customized service chains with high-performance
Open management and development Interfaces
– NETCONF/XML
– Partner development platform
[Figure: Module X, API. Labels: Open Management Interfaces, Module Interfaces, Service Interfaces, Kernel, Control Plane (Management, Routing), Services Plane (Service App 1, Service App 2, Service App 3, … Service App n), Data Plane (Packet Forwarding Plane), Physical Interfaces]
Operational Excellence
JUNOS Features
– Changes made to candidate
  Commit verifications check file
  No changes made until full configuration is ready
– Hierarchical command structure
  User-defined variables, such as policies, for consistent re-use
  Command completion + extensive set of help tools
– Commit scripts customize checks and verifications
  Macros minimize line entries
– Commit confirmed automates rollback
– Rollback restores up to 50 configs
Benefits
– Avert downtime caused by configuration errors
– Reduce time for configuration and changes
– Enforce compliance to policies
– Avoid risks of transient configuration state
[Figure: configuration workflow. Labels: CLI, Load, Candidate Configuration, Commit, Commit Scripts, Checks, Verified Configuration, Commit Confirmed, Active Configuration, Rollback]
Solution portfolio
SRX5000 Series, SRX3000 Series, SRX650, SRX240, SRX210, SRX100
EX8216, EX8208, EX4200, EX3200, EX2200
MX Series, M Series, J Series
Unified Management (NSM)
Datacenter Positioning
New Technologies Exacerbate Complexity
Server Virtualization
Storage on Ethernet
Application Evolution: SOA, SAAS, Web 2.0
[Figure labels: LAN, SAN, switch]
Legacy DC Network Infrastructure
Too many devices and layers
Applications subjected to high latency
Uptime is a challenge
Takes too long to deploy anything
Security Sprawl
Hard to manage STP in a flat L2 access network
[Figure: Wan Edge, L3 convergence, Core Tier, Aggregation Tier, Access Tier (End of Row, Top of Rack). Legend: 10 GbE (active), 10 GbE (standby), 1 GbE]
Virtual Chassis™ plus line-rate 10GbE
Easy to cable and manage
Full feature set
Efficient use of uplinks
VC is One logical switch
Reduced latency
[Figure: Wan Edge, Core Tier, Aggregation Tier, Access Tier (Top of Rack or End of Row deployment). Legend: 10 GbE (active), 10 GbE (standby), 1 GbE]
Collapsed Tiers, Consolidated Security
Faster application and service deployment
True services integration
Operational simplicity
Reduced power, cooling, and space
[Figure: Wan Edge, Core Tier, Access Tier (Top of Rack or End of Row deployment). Legend: 10 GbE (active), 10 GbE (standby), 1 GbE]
Lowering Application Latency by Collapsing tiers and Consolidating Security
Legacy (Server A to Server B)
• More devices/interconnections
• 20-50 us in each chassis based switch
• Open/close sessions multiple times
Juniper (Server A to Server B)
• Fewer devices/interconnections
• EX4200: Lowest 10GbE latency in the entire industry – 1.96 us
• Open/close sessions only once
SRX SERIES SERVICE GATEWAYS
Security, Routing and Switching
[Figure labels: Data Center (High End), Enterprise (Branch), Mobile, Home, Branch, Campus]
High End SRX
SRX3000 Packet Flow – Fully Integrated
[Figure: packet flow from Ingress Packet to Egress Packet. Components: Input/Output Cards, Network Processing Cards, Services Processing Cards, Fabric, RE (Routing / Device MGT). Functions shown: Flow Lookup, Classification, DoS/DDoS, Policing, Oversubscription Control, FW/VPN/IDP, NAT/Routing, QoS/Shaping. Note on figure: Integrated in SRX 5000 IOC]
No Compromise Security:
SRX3000-line: The most cost-effective network security solution
Maximum Flexibility without Sacrificing Security
Unmatched Price / Performance
Powered by JUNOS and Juniper’s Dynamic Services Architecture (DSA)
Based on Dynamic Services Architecture for accelerated new service deployment
SRX3400 Hardware
Modular chassis
– 7 slots (4 front, 3 rear)
– MGT module – dual, hot swap
– 3U chassis height
Fixed Interfaces
– 12 built-in (8-10/100/1000 + 4-SFP)
– 2 Ethernet Management Ports
Modular Interfaces
– 16-10/100/1000
– 16-SFP
– 2-XFP
Performance & Capacities
– FW – 10/20 Gbps
– VPN – 6 Gbps
– IDP – 6 Gbps
– Concurrent sessions – 1M
– New and sustained CPS – 175k
– Concurrent IPSec VPN tunnels – 10k
[Figure: front and rear views]
SRX3600 Hardware
Modular chassis
– 12 slots (6 front, 6 rear)
– MGT module – dual, hot swap
– 5U chassis height
Fixed Interfaces
– 12 built-in (8-10/100/1000 + 4-SFP)
– 2 Ethernet Management Ports
Modular Interfaces
– 16-10/100/1000
– 16-SFP
– 2-XFP
Performance & Capacities
– FW – 10/20/30 Gbps
– VPN – 10 Gbps
– IDP – 10 Gbps
– Concurrent sessions – 2M
– New and sustained CPS – 175k
– Concurrent IPSec VPN tunnels – 20k
[Figure: front and rear views]
Sample SRX3000 Base Configurations
SRX3400
– Minimal Configuration: SRX 3400 Chassis, 1 SPC, 1 NPC
– $50,000 (US List)*
SRX3600
– Minimal Configuration: SRX 3600 Chassis, 1 SPC, 1 NPC
– $60,000 (US List)*
*AC power cords are not included. One C19-Straight cable with appropriate wall-plug for the final destination of the system is required for each power supply.
Component Review
[Figure: front and rear chassis views. Labels: Switch Fabric Board (SFB), Dual-height SFB option cover (SRX3600 only), IOC 16xSFP, IOC 16xCopper, IOC 2x10GE, Services Processing Cards (SPC), Network Processing Cards (NPC) [or SPCs], Routing Engine (RE), Air Intake, Fan tray, Fan tray door, Slot guide]
Branch SRX
Demand more connectivity
CONNECT
Point products
Resources wasted
Too many operating systems
Inconsistent user experience
[Figure: SMALL BRANCH (<50 people), MEDIUM BRANCH (50–500 people), LARGE BRANCH (>500 people); USER EXPERIENCE; operating systems shown include IOS 12.2, IOS 12.3, IOS 12.4, IOS T, Cat OS, PIX OS, NX OS, IPS, Linux]
More connectivity delivered
CONNECT
Simplified design with EX Virtual Chassis
Integrated functionality with SRX
Consistency with JUNOS
Application optimization for consistent experience with WX
[Figure: SMALL BRANCH (<50 people), MEDIUM BRANCH (50–500 people), LARGE BRANCH (>500 people); USER EXPERIENCE; the operating systems of the previous slide replaced by SRX, EX, EX Virtual Chassis, WX and a Dist Switch]
Demand more security
SECURE
Location-based security policies with silos
Autonomous devices
No collaboration
Performance–Security trade-offs
[Figure: SMALL BRANCH (<50 people), MEDIUM BRANCH (50–500 people), LARGE BRANCH (>500 people); USER AND LOCATION; a separate POLICY for each of OFFSHORE, PARTNER, CONTRACTOR, EMPLOYEE; Performance or Security?]
More security delivered
SECURE
Enterprise-wide “Follow-me” security policies
Integrated functionality
Collaborative security and CTC
Award-winning performance
[Figure: SMALL BRANCH (<50 people), MEDIUM BRANCH (50–500 people), LARGE BRANCH (>500 people); USER AND LOCATION; OFFSHORE, PARTNER, CONTRACTOR, EMPLOYEE; CONSISTENT “FOLLOW-ME” POLICIES; UAC, SRX, EX; ADAPTIVE THREAT MANAGEMENT SOLUTION; Performance or Security?]
Demand more manageability
MANAGE
Too many NSMs
Manual data correlation
[Figure: SMALL BRANCH (<50 people), MEDIUM BRANCH (50–500 people), LARGE BRANCH (>500 people); management tools CNA, DCNM, ASDM, SDM, CSM, PIXDM, LMS, vFrame, Ciscoview; managed functions Switch, Router, Antivirus, Spyware, Antispam, Firewall; OVERLOAD!!!]
More manageability delivered
MANAGE
Single pane of management with NSM
Automated log reduction with STRM
Reduce time to repair with AIS
[Figure: SMALL BRANCH (<50 people), MEDIUM BRANCH (50–500 people), LARGE BRANCH (>500 people); the tools of the previous slide replaced by STRM, NSM, AIS and JUNIPER SUPPORT; managed functions Switch, Router, Antivirus, Spyware, Antispam, IDP, Firewall, Gateway]
Three key market drivers
CONSOLIDATION
Network migration to multi-service platform—“Secure Router” instead of multiple appliances
Secure Router =
– Router + Firewall + VPN + Switching
– Unified Threat Management
CONVERGENCE (Voice and Data)
VoIP Gateway and VoIP handsets
Power over Ethernet
Wireless Access Points
CONNECTIVITY
Internet
Metro Ethernet
Wireless WAN 3G
PSTN
MPLS
[Figure labels: UTM (Antispam, Antivirus, IPS, Web filtering, UAC, Content Filtering; FREE / LICENSED); NETWORK SECURITY (Routing, Ethernet Switching, Firewall, IPSec VPN); VoIP, Analog, Fax, WLAN AP, Security Camera, Power Over Ethernet]
New SRX Services Gateways
Leveraging Juniper’s Dynamic Services Architecture
Highly configurable
– Fixed, semi-modular, and modular form factors
– Choice of WAN, wireless, and LAN interfaces
– Available voice media gateway
Extensive integration
– Full suite of JUNOS routing and switching capabilities
– Unmatched security, including FW, VPN, UTM, UAC, and full IPS
Exceptional performance and availability
– Hardware-assisted Content Security Acceleration for ExpressAV and IPS
– Control & data plane separation, redundant processing and power
Priced at $699, $1099, $2999, and $16000 (list)
Callouts: Up to 80% lower price; 20X IPS performance; Full UTM; 16 X Gigabit Ethernet; Advanced FW / VPN / ROUTING license included
Model | Configuration | SIP Gateway | Content Security Acceleration | FW/IPS Performance
SRX100 | Fixed | No | No | 600/50 Mbps
SRX210 | 1 mini PIM slot | Optional | Optional | 750/80 Mbps
SRX240 | 4 mini PIM slots | Optional | Optional | 1500/250 Mbps
SRX650 | 8 GPIM slots | Optional | Standard | 7000/900 Mbps
Roadmap
The SRX Branch portfolio 2009
SRX 100: Telecommuter/Small Office
SRX 210: + WAN slot, 2 x Gig E, PoE
SRX 240: + 4 WAN slots, 16 x Gig E
SRX 650: + More LAN slots, dual processors, dual P/S
Centrally managed by NSM
[Figure: positioning from Telecommuter/Small Office through Small to Medium Office to Large Branch/Regional Office]
Typical Deployment
SRX Series Specification Summary
FEATURES | SRX100 (target) | SRX210 | SRX240 | SRX650
On-board Ethernet | 8 x FE | 2 x GE + 6 x FE | 16 x GE | 4 x GE
Power over Ethernet (802.3af, 802.3at) | None | 4 ports—50 W total | 16 ports GE, 150 W | 48 ports GE, 250 W or 500 W
WAN slots | None | 1 x mini PIM | 4 x SRX mini PIM | 8 x GPIM
USB ports (flash) | 1 | 2 | 2 | 2 per processor
Content Security Acceleration—ExpressAV and Intrusion Detection and Prevention | No | YES | YES | YES
JUNOS Software version support | JUNOS 9.6 | JUNOS 9.5 | JUNOS 9.5 | JUNOS 9.5
Routing Performance | 60 Kpps | 80 Kpps | 200 Kpps | 900 Kpps
Firewall performance (Large Packets) | 600 Mbps | 750 Mbps | 1.5 Gbps | 7.0 Gbps
Firewall performance (IMIX) | 175 Mbps | 250 Mbps | 500 Mbps | 2.5 Gbps
Firewall performance (Firewall + Routing PPS 64byte) | 65 Kpps | 75 Kpps | 150 Kpps | 900 Kpps
VPN Performance—AES256+SHA-1 / 3DES+SHA 1 | 65 Mbps | 75 Mbps | 250 Mbps | 1.5 Gbps
Intrusion Prevention System | 50 Mbps | 80 Mbps | 250 Mbps | 900 Mbps
Connections Per Second (CPS) | 2K | 2K | 9K | 35K
Maximum Concurrent Sessions (512MB/1GB RAM) | 16 K / 32K | 32K / 64K | 64K / 128K | 512 K
Antivirus | TBD | 30 Mbps | 85 Mbps | 350 Mbps
High Availability | A/A or A/P | A/A or A/P | A/A* or A/P | A/A* or A/P, Hot swap GPIMs, Dual processors*, Dual power
* Supported in JUNOS 9.6
SRX100 (Q3 2009)
Ideal for micro-branch, managed telecommuters, SOHO
Fixed I/O—8 x 10/100 Ethernet ports
Full UTM features
– IDP
– Antivirus
– Anti-spam
– Web filtering
– UAC Enforcement
– UTM requires High Memory model (UTM, license), no CSA
Features | SRX100 (target)
On-board Ethernet | 8 x FE
Power over Ethernet (802.3af, 802.3at) | None
WAN slots | None
USB ports | 1
3G | Future
Intrusion Prevention System | No
JUNOS Software version support | JUNOS 9.6
Routing performance | 60 Kpps
Firewall performance (Large Packets) | 600 Mbps
Firewall performance (IMIX) | 175 Mbps
Firewall performance (Firewall + Routing PPS 64byte) | 65 Kpps
VPN Performance—AES256+SHA-1 | 65 Mbps
VPN Performance—3DES+SHA 1 | 50 Mbps
Connections Per Second (CPS) | 2K
Maximum Concurrent Sessions (512MB/1GB RAM) | 16 K / 32K
IPS performance | TBD
High Availability | A/A or A/P
SRX210 (Q2 2009)
Ideal for Small branches
Full UTM features
– IDP, Antivirus, Anti-spam, Web filtering, Content filtering
– UAC Enforcement
– UTM requires High Memory model
Available Voice version with mini-PIM options—Q3 2009
– Factory-configured voice model (Q3 2009)
Features | SRX210
On-board Ethernet | 2 x GE + 6 x FE
Power over Ethernet (802.3af, 802.3at) | 4 ports—50 W total
WAN slots | 1 x mini PIM
3G wireless (ExpressCard slot) | Yes
USB ports (flash) | 2
Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention | Yes
JUNOS Software version support | JUNOS 9.5
Routing performance | 80 Kpps
Firewall performance (Large Packets) | 750 Mbps
Firewall performance (IMIX) | 250 Mbps
Firewall performance (Firewall + Routing PPS 64byte) | 75 Kpps
VPN Performance—AES256+SHA-1 | 75 Mbps
VPN Performance—3DES+SHA 1 | 75 Mbps
Connections Per Second (CPS) | 2K CPS
Maximum Concurrent Sessions (512MB/1GB RAM) | 32K / 64K
IPS performance | 80 Mbps
High Availability | A/A or A/P
SRX240 (Q2 2009)
Ideal for small–medium branches
Full UTM features
– IDP, Antivirus, Anti-spam, Web filtering, Content filtering
– UAC Enforcement
– UTM requires High Memory model
Available Voice version with mini-PIM options—Q4 2009
– Factory-configured voice model (Q4 2009)
Features | SRX240
On-board Ethernet | 16 x GE
Power over Ethernet (802.3af, 802.3at) | 16 ports GE, 150 W
WAN slots | 4 x SRX mini PIM
USB ports (flash) | 2
3G | Future
Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention | Yes
JUNOS Software version support | JUNOS 9.5
Routing performance | 200 Kpps
Firewall performance (Large Packets) | 1.5 Gbps
Firewall performance (IMIX) | 500 Mbps
Firewall performance (Firewall + Routing PPS 64byte) | 150 Kpps
VPN Performance—AES256+SHA-1 | 250 Mbps
VPN Performance—3DES+SHA 1 | 250 Mbps
Connections Per Second (CPS) | 9K CPS
Maximum Concurrent Sessions (512MB/1GB RAM) | 64K / 128K
IPS performance | 250 Mbps
High Availability | A/A* or A/P
* Supported in JUNOS 9.6
SRX650 (Q2 2009)
Ideal for regional sites, large branches
Modular
– LAN switching
– Services Routing Processors with optional redundancy (future)
– power supplies with optional redundancy (at FRS)
– voice configurations (field upgradable via PIMs in 2010)
Full UTM features
– IDP, Antivirus, Anti-spam, Web filtering, Content filtering
– UAC Enforcement
Max Gig E 52 ports (2 x 24 GE PIM + 4 integrated ports)
Features | SRX650
On-board Ethernet | 4 x GE
Power over Ethernet (802.3af, 802.3at) | 48 ports GE, 250 or 500 W
WAN slots | 8 x GPIM
USB ports (flash) | 2 per processor
3G | Future
Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention | Yes
JUNOS Software version support | JUNOS 9.5
Routing performance | 900 Kpps
Firewall performance (Large Packets) | 7.0 Gbps
Firewall performance (IMIX) | 2.5 Gbps
Firewall performance (Firewall + Routing PPS 64byte) | 900 Kpps
VPN Performance—AES256+SHA-1 | 1.5 Gbps
VPN Performance—3DES+SHA 1 | 1.5 Gbps
Connections Per Second (CPS) | 35K CPS
Maximum Concurrent Sessions (512MB/1GB RAM) | 512 K
IPS performance | 900 Mbps
High Availability | A/A* or A/P, Hot swap GPIMs, Dual processors*, Dual power
* Supported in JUNOS 9.6
SRX210 with Integrated Convergence Services (Q3 2009)
FXS ports – connect your analog phone or FAX machine here
FXO ports – connect to your wall phone socket
E1/T1 or FXOs for carrier trunk or FXS for additional analog phones/fax machines
SRX Voice Elements
– Survivable SIP server
– SIP Media Gateway
– SIP Security
– Base and expandable voice ports
– PoE Ports scaling with EX switch
Model | Target Branch Size (# users) | No. Slots | Base DSP Channels | Base No. of Ports
SRX210 | 2–25 | 1 mPIM | 8–16 (codec dependent) | 2 FXO, 2 FXS
SRX240 | 10–50 | 4 mPIMs | 30–48 | 2 FXO, 2 FXS
SRX650 | 50–200 | 8 gPIMs | Requires gPIM | 0
Expansion Slots options listed: T1/E1; Dual T1/E1; 4 FXO; 2 FXS + 2 FXO; 6 FXO + 2 FXS; 2 FXO + 6 FXS
Juniper Integrated Convergence Services (2H 2009)
Stage 1: Survivable Media Gateway
[Figure: call paths numbered 1 to 5. Path labels: SIP Trunking “Toll bypass”, “extension”; SIP VoIP handset to digital or analog phone; SIP Trunking to Corporate to PSTN (typical); SIP Trunking “VoIP to PSTN” S.P. VoIP; Failover to PSTN. Elements: SERVICE PROVIDER VOIP, SIP Soft Switch, Local PSTN, CORPORATE OFFICE, SIP Server, SRX210 / SRX240, Channelized T-1 / E1 / FXO, INTERNET, WAN MPLS, PBX, Key System, Analog, Digital, Soft Phones, FAX, SIP VoIP handset]
Enterprise choice and flexibility
– SIP standards
– Choice of sip phones, call servers and applications
– SIP Server and SIP Soft switch
Deployments-Primary connection where wired broadband is not available HQDatacenteravailableBack up connectivity with wired primary. p yOut of band management, remote deployment.
INTERNET
Available on SRX210 3G Wireless
Dynamic VPN Services
SRX210
| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net48
Retail Branch Regional
Ethernet Switching
Software Features
802.1Q VLAN support
– Up to 4,096 VLAN support (platform dependent)
– Routed VLAN Interface (RVI)
– GARP VLAN Registration Protocol (GVRP)
– QOS on VLAN interface
  L3 Strict priority queuing (LLQ)
  L3 Smoothed Deficit Weighted Round Robin (SDWRR)
  L3 Weighted Random Early Discard (WRED)
  L3 Per port and per queue shaping
802.1x Port based Authentication
802.3ad (AX) link aggregation*
STP, Spanning Tree Protocol
– 802.1D Spanning Tree Protocol
– 802.1S Multiple STP
– 802.1w Rapid STP
Jumbo Frame Support (9,216 Byte)*
Hardware (Onboard Ethernet)
SRX100
– 8 Fixed 10/100 (Switched or Routed)
SRX210
– Fixed 2 10/100/1000 + 6 10/100 (Switched or Routed)
– 802.3af optional POE (2FE + 2GE)
SRX240
– Fixed 16 Ports 10/100/1000 (Switched or Routed)
– Power over Ethernet (optional all ports)
– 802.3af, 802.3at
SRX650
– Fixed 4 ports 10/100/1000 (Routed)
Hardware Ethernet PIMs
SRX Mini-PIM (SRX210/SRX240)
– 1 Port SFP
16 port GigE XPIM for SRX650
– Double-high
– Full-duplex 20 Gbps backplane
– 16 port GE and optional PoE
24 port GigE including 4 SFP slots XPIM for SRX650
– Double-high - double-wide
– Optional POE - 24 port GE with PoE incl 4 SFP slots
– Full-duplex 20 Gbps backplane
Optics
– SRX GE SFP LH | SRX GE SFP LX | SRX GE SFP SX | SRX GE SFP 1000 Base-T | SRX FE FX SFP
* Not supported on SRX100
SRX Series—Firewall, Zones, and Policies
[Figure labels: ZONE “UNTRUST”, INTERNET, SRX, ZONE “TRUST”, Originating Zone, Default Policy—Deny All, Default Policy—Allow All]
Unified Threat Management (UTM) Features
[Figure: External Threats from the INTERNET and Internal Threats]
Web Filtering: Websense to block access to unapproved site
IPS: Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Scans
Antivirus: Kaspersky Lab AV stops viruses, file-based trojans or spread of spyware, adware, keyloggers
Anti-spam: Symantec stops Spam / Phishing
Content Filtering: SRX Series blocks transmission of files for Data Loss Prevention
Core Security: Firewall, VPN, Unified Access Control
Juniper Networks Unified Access Control (UAC)
1. Authenticate User, Profile Endpoint, Determine Location
2. Dynamically Provision Policy Enforcement
3. Control Access to Protected Resources
[Figure labels: UAC Agent; POLICY SERVER (IC Series); Identity Stores; UAC Enforcement Points: 802.1X Switches & Access Points (EX Series L2 Switch) and Juniper Firewall Platforms (NS, SSG, ISG, SRX); APPLICATIONS (Data, App, Internet)]
Comprehensive, vendor-agnostic, standards-based access control across heterogeneous environments delivering investment protection
Remote Access (Q2 2009)
Dynamic VPN Service – Access Manager Client
A dynamic IPSEC Client that is automatically downloaded
5-user, 10-user, 25-user, 50-user (SRX240) license option with simultaneous tunnel enforcement
Supported on the SRX100, SRX210, and SRX240
Not supported on SRX650
Automatic client upgrade capabilities
Self-provisioning from SRX210, SRX240
IPSec with TCP-based fallback for NAT traversal
Initial release to support Windows platforms—XP, Vista, Win 2000
[Figure labels: Wired, Wireless, 3G Wireless, INTERNET, Dynamic VPN Services, SRX210]
Juniper Unified Management
Unified management across Juniper’s network infrastructure
Network lifecycle management—Provision, Monitor, and Troubleshoot
Consistent and Open standards NBI for easy integration with 3rd party NMS
[Figure: EMS, NMS, Visibility, Diagnostics (SNMP, Syslog, XML); NETWORK MANAGEMENT: Security Threat Response Manager, Network & Security Manager (NSM), JUNOScope, Advanced Insight Manager (NetConf, DMI, Syslog, Sflow); ONE JUNOS: CLI (Telnet, SSH, XML), JUNOScript, J-Web Web UI (HTTP / HTTPS, XML); devices: Switching, Security, Routing; MX Series, M Series, ISG/IDP, SSL VPN, Infranet Controller, SRX5600]
Network Security Manager
Along with SRX, NSM Manages Juniper’s entire enterprise portfolio*
NSM is a great way to port ScreenOS customers over to a JUNOS solution and to help manage a mixed environment
Common Management also offers huge up-sell opportunity
Security Threat Response Manager
STRM supports SRX Series
– Intrusion Prevention System (IPS)
– 220+ out-of-the box report templates
– Fully customizable reporting engine: creating, branding and scheduling delivery of reports
– Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA
– Reports based on control frameworks: NIST, ISO and CoBIT
Rapid Deployment (Q4 2009)
Simplified deployment
– Eliminate need for
  Pre-staging device
  IT at point of installation
Reduce
– Provisioning time
– Installation cost
– No “truck roll”
1. Generate and export startup config to USB
2. USB Loads startup config
3. Validation of start up config
4. Secure communication to NSM
5. Download Running Config
6. SRX In Service
• A Unique ID for tracking purposes
• Untrust Interface configuration
• Configuration parameters to enable “registration” of device to management server
• User/Password
• Management Server IP Address/Domain Name
• One time password
[Figure labels: SRX 210, Network Security Manager]
Juniper Branch Products
SSG, SRX, and J Series Products
Product families: SSG Family, J Series, SRX
Features listed on the slide
– FW, VPN, NAT, UAC
– IPv6 Security
– Wireless (WLAN)
– Routing, Switching, QOS, MPLS
– WX ISM 200 Application Acceleration
– VoIP: Avaya Integ. Gway
– VoIP: Juniper OpenCommunications
– Power over Ethernet
– Unified Threat Management: Intrusion Prevention (DI), Antivirus (Kaspersky), Web filtering (Websense), Anti-spam (Symantec)
– Unified Threat Management: Full IDP (Juniper), Antivirus (Kaspersky), Web filtering (Websense), Anti-spam (Symantec)
Models shown
– SSG: SSG5 Wireless, SSG20 Wireless, SSG140, SSG320M, SSG350M, SSG520, SSG520M, SSG550, SSG550M
– J Series: J2320, J2350, J4350, J6350
– SRX: SRX 100, SRX 210, SRX 240, SRX 650
Branch: Positioning Your Customer
New Customers
– Consider an all-JUNOS routing, switching, and security network for consistently high performance and consistently easy operations
– SSG-series supports security features not available elsewhere in the Juniper portfolio
Existing JUNOS Customers
– Juniper’s strategic investments in JUNOS security capabilities deliver integrated, consistent security capabilities
– JUNOS is the platform for service delivery across the network infrastructure
– Educate customers: security services of JUNOS leverage the strengths of ScreenOS
Existing ScreenOS Customers
– ScreenOS has a long life ahead
– When appropriate, selling JUNOS today creates future routing & switching sales opportunities
– Select SSG platforms can run JUNOS with a software upgrade
Regulatory-Sensitive Customers
– Reassure with longevity of ScreenOS development and support
– Government or regulation-sensitive customers
– Certifications (e.g. CC EAL4, FIPS, JTIC, NEBS)
High-End: Positioning Your Customer
JUNOS Best for Customers When
– Converged OS = operational efficiencies
– Native routing, firewall, IPSec VPN, IDP, QoS, and more
– Performance requirements >30 Gbps FW throughput
– Only solution scalable > 100 Gbps FW on a single product
– Only solution scalable w/no downtime
– Service provider / large data centers which need segmentation, IDP, and QoS to maximize IO port density/scalability
ScreenOS Best for Customers When
– Require certifications for ISG and NS-5000 series
– IPv6 environments – r.6.2 includes IPv6 support for ISG with IDP
– Rich perimeter security heritage – throughput performance & capacities align best
– Mixed deployment with current ScreenOS products address all segments of the network
– Management simplicity with NSM
Call To Action
Sell ScreenOS with confidence!
– Juniper plans to release new versions of ScreenOS
– Public sector sales require a long life for ScreenOS
Invest in JUNOS today
– Positions you for a broader portfolio sale tomorrow
Sell JUNOS to…
– integrate networking & security services
– maximize performance
– reduce complexity with a single box for routing, firewall, IPSec VPN, & QoS
– existing JUNOS customers
Sell ScreenOS to…
– customers requiring industry & government certifications
– IPv6 environments
– full-feature security appliances
– existing ScreenOS customers
JUNOS Adoption Tools & Training
PROGRAMS
– Fast Track – subsidized exam for JUNOS certification ($2-3K USD)
COLLATERAL
– JUNOS Software Partner Collateral
– SRX Partner Collateral
– J-series Partner Collateral
– Integrated Firewall/IPSec VPN Collateral
TRAINING
– Virtual Lab – Learn how to configure security policies on a J-series running JUNOS
Course | Description | Target Audience | URL
JSL | JUNOS As a Second Language | Networking Engineers (IOS JUNOS) | http://www.juniper.net/training/elearning/jsl.html
OJRE | Operating Juniper Networks Routers in the Enterprise: Leads to JNCIA-ER associate level certification exam | Networking Engineers | http://www.juniper.net/training/technical_education/courses/EDU-JUN-OJRE.html
AJRE | Advanced Juniper Networks Routers in the Enterprise: Leads to JNCIS-ER specialist-level certification exam | Networking Engineers | http://www.juniper.net/training/technical_education/courses/EDU-JUN-AJRE.html
JNSA-EN | Juniper Networks Sales Associate: product authorization | Sales | https://www.juniper.net/partners/partner_center/common/training/training_nam.jsp
JNSS-EN | Juniper Networks Sales Specialist: product authorization | Networking Engineers | https://www.juniper.net/partners/partner_center/common/training/training_nam.jsp
VLAB | Virtual labs with Juniper equipment accessible online | Networking Engineers | https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp
JSL2 | JUNOS as a Security Language: Intro to JUNOS software with enhanced services for ScreenOS Users | Networking Engineers (ScreenOS JUNOS) | http://www.juniper.net/training/elearning/junos_security.html
JSL 3 | JUNOS as a Switching Language: Intro to JUNOS software on EX Series | Networking Engineers (IOS JUNOS (Switching)) | http://www.juniper.net/training/elearning/junos_switching.html
OEJS | Operating Enhanced Services for JUNOS Software: Leads to JNCIS-ES certification exam | Networking Engineers | http://www.juniper.net/training/technical_education/courses/EDU-JUN-OESJ.html
THANK YOU