The JUNOS Powered Enterprise - Westcon-Comstorbe.security.westcon.com/documents/35072/JunosSRX650ServicesGat… · SRX SERIES SERVICE GATEWAYS 21 ... Slot guide [ or SPCs ] ... Course

The JUNOS Powered Enterprise

Koen Geusens

| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net1

June 11, 2009

JUNOS Strategy


Multi-year trends in the enterpriseMulti year trends in the enterpriseMega Data

Centers(thousands)

Clients(billions)

Global High-Performance Network

(thousands)

Mobile

Workforce Globalization

ent

erpr

ise

Home

bute

d En

Branch

he D

istr

ib

Data/App Consolidation

Th


Campus

Juniper’s distributed enterprise visionp p

User

Switching Routing and Enterprise wide access

User Productivity

Switching, Routing and Application Acceleration for delivering converged

applications

Enterprise-wide access control, Adaptive Threat Management and integrated multi-function products

Lower TCO

pp

ManageClient Satisfaction

Customer Retention

Consistent functionality, centralized administration and proactive services

Satisfaction Retention


IT SERVICES WITHOUT BOUNDARIES

Security, Routing and SwitchingSecurity, Routing and SwitchingMega Data

Centers(thousands)

Clients(billions)

Global High-Performance Network

(thousands)

Mobile

Home

Branch


Campus

Using high-performance networking to reduce complexityto educe co p e ty

Juniper High-Performance Network Legacy NetworkHigh-performance network

Learn and configure

one OS

OS #1 OS #3 OS #4OS #2Scalable

one OS

Firewall/VPNDynamic

Fast

Use fewer boxes

SwitchRouterVoice gatewayUTM

Dynamic Services Architecture

Firewall/VPNSwitchRouterVoice gatewayUTM

ReliableIPSAccess Control

IPSAccess Control

Secure

Simplifysoftware

management9.49.2 9.3

Simple


JUNOS Software:The Power of One Operating SystemThe Power of One Operating System

Deployed since 1998p y– First high-performance network operating system

10+ years of innovation and development10 years of innovation and development– Runs routing, switching, and security platforms – Reduces complexity, achieves operational excellence– Evolutionary architecture expands to new services and

extends to new platforms for tomorrow

Serving the most demanding customers– Top 40+ service providers

High performance enterprise and– High-performance enterprise and public sector customers


JUNOS Software: The Power of One

One OS– Single source code base

L ti d ff t t l d l d t– Less time and effort to plan, deploy, and operate

O R l

4Q08

9.3

3Q08

9.2

2Q08

9.1

One Release– Single software release train– Stable, predictable delivery of new functionalityStable, predictable delivery of new functionality

One ArchitectureModule

X API

One Architecture– Modular software with functional separation– Highly available, scalable, and evolutionary software


One Operating System

Less Time and Effort to Plan, Deploy, and Operate

Single source code base – Optimized for platform

requirements

OS

PFBG

PM

PLS

IPv6…

Consistent user experience– Common management

interface and toolsC hit t

F P S 6

– Common architecture framework

Consistent implementation of control features

Branch Office

– Ease training– Streamline testing,

qualification, and deploymentR d l i t t

ServiceProvider

Access/Edge

ServiceProvider

CoreCorporate HQ

– Redeploy equipment to new needs

Data


DataCenter

One Release Train 4Q08

9.3

3Q08

9.2

2Q08

9.1

4Q08

9.3

3Q08

9.2

2Q08

9.1

Disciplined process for developmentDisciplined process for development– New versions build upon the prior, so features remain– Extensive automated regressions and quality metrics for

bl d li l f lstable delivery release after release

Predictable scheduleTen years in a steady release cadence– Ten years in a steady release cadence

– Released for the devices run by JUNOS Software

Streamlines upgrades and reduces upgrade issuesStreamlines upgrades and reduces upgrade issues – Plan resources for upgrades with confidence– Extended End-of-Life for the last release of each year

9.29.19.08.5 9.3


Q108 Q208 Q308Q407 Q408

Reduce Complexity

Ten Years on Time, Stable Release Delivery

Simple

9 1 9 2 9 3

Simple

Predictable 9.1 9.2 9.3

2Q08 3Q08 4Q08Reliable


One Open Modular Architecture Module X APIModule X API

Highly Available, Secure and Evolutionary Software

Independent modules– Protected Memory for stability– Contain faults and enablesOpen Management Interfaces Contain faults and enables

rapid isolation– Well-defined interfaces for

expansion of functions/platforms

le nces

men

t

ane

ng

ServiceApp 1

Open Management Interfaces

Separates control frompacket forwarding

– Scales performance, enhances

Mod

ul

Inte

rfa

Man

age

ontr

ol P

la

Rou

ti

aneService

App 2ces

presiliency, enables redundancy

Kernel

Co

rvic

es P

la

ServiceApp 3es

Inte

rfac

Tailored services flexibility– Create customized service

Packet ForwardingPlan

e Open management and development Interfaces

Ser

Serv

ice chains with high-performance

| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net12Physical InterfacesD

ata

P p– NETCONF/XML– Partner development platform

ServiceApp n

Operational Excellence

JUNOS Features– Changes made to candidate

Benefits– Avert downtime

d bCommit verifications check fileNo changes made until full configuration is ready

– Hierarchical command structureUser-defined variables, such as policies, for consistent

caused by configuration errors

– Reduce time for configuration and User defined variables, such as policies, for consistent

re-useCommand completion + extensive set of help tools

– Commit scripts customize checks and verificationsMacros minimize line entries

gchanges

– Enforce compliance to policiesAvoid risks ofMacros minimize line entries

– Commit confirmed automates rollback – Rollback restores up to 50 configs

– Avoid risks of transient configuration state

Candidate Active

CommitConfirmed VerifiedCandidate

ConfigurationLoad ActiveConfiguration

R llb kCLI

Ch k

Commit

CommitS i t

VerifiedConfiguration


RollbackChecksScripts

Solution portfolio

EX8216SRX3000 Series

SRX5000 Series

EX8208

EX8216

MX Series

SRX650

SRX3000 Series

SRX240 EX4200

M SeriesSRX210

J Series

EX3200

EX2200 SRX100

Unified Management (NSM)


Unified Management (NSM)

Datacenter Positioning


New Technologies Exacerbate Complexity

Server Virtualization

Storage on Ethernet

LAN SAN

SOA

switch switch

Application Evolution

SAAS

Web 2.0


Legacy DC Network Infrastructure

Too many devices

Wan EdgeL3 convergence

oo a y de cesand layersApplications subjected tohigh latency EdgeUptime is a challengeTakes too long to deploy anything

CoreTier

Security Sprawl

p y y g

Aggregation TierHard to manage STP in a flat L2 access network

Access Tier

10 GbE (active)

access network

End of Row

Top of Rack


10 GbE (standby)

1 GbE

10 GbE (active)Top of Rack

Virtual Chassis™ plus line-rate 10GbE

Easy to cable

Wan Edge

asy to cab eand manageFull feature setEfficient use of uplinks Edgeof uplinksVC is One logical switchReduced latency

CoreTier

Aggregation Tier

Access Tier

10 GbE (active)Top of Rack or


10 GbE (standby)

1 GbE

10 GbE (active)Top of Rack or End of Row deployment

Collapsed Tiers, Consolidated Security

Faster application

Wan Edge

aste app cat oand service deploymentTrue services integration EdgeOperational simplicityReduced power, cooling, and space

CoreTier

g p

Access Tier

10 GbE (active)Top of Rack or


10 GbE (standby)

1 GbE

10 GbE (active)Top of Rack or End of Row deployment

Lowering Application Latency by Collapsing tiers and Consolidating Security

J i

p g g y

L JuniperLegacy

Server A Server BServer A Server B

• More devices/interconnections• 20-50 us in each chassis

based switchO / l i lti l ti

• Fewer devices/interconnections• EX4200: Lowest 10GbE latency in the

entire industry – 1.96 usO / l i l


• Open/close sessions multiple times • Open/close sessions only once

SRX SERIES SERVICE GATEWAYS


Security, Routing and SwitchingData Center (High End)

Enterprise (Branch)

Mobile

Home

Branch


Campus

High End SRX


SRX3000 Packet Flow – Fully IntegratedFlow LookupClassification RE

Routing / Network Processing

S 3000 ac et o u y teg ated

DoS/DDoSPolicing

Services

REDevice MGTProcessing Cards

Oversubscrptn1 5

IngressPacket

FW/VPN/IDPNAT/Routing

Oversubscrptn.Control1.5

Packet

Fabr

ic

Fabr

ic

Egress Packet

FF

Services Processing

Cards

Packet

QoS/Shaping

Integrated in SRX 5000 IOC

Input/Output


CardsQoS/S ap gCards

No Compromise Security:SRX3000-line: The most cost-effective network security solutionSRX3000 line: The most cost effective network security solution

Maximum Flexibility without Sacrificing SecuritySacrificing Security

Unmatched Price / Performance

Powered by JUNOS and Juniper’s Dynamic Services Architecture (DSA)p y ( )

Based on Dynamic services Architecture for accelerated new service deployment


for accelerated new service deployment

SRX3400S 3 00Hardware

Modular chassis– 7 slots (4 front, 3 rear)– MGT module – dual, hot swap– 3U chassis height

Fixed InterfacesFixed Interfaces– 12 built-in (8-10/100/1000 + 4-SFP)– 2 Ethernet Management Ports

Modular Interfaces FrontModular Interfaces– 16-10/100/1000– 16-SFP– 2-XFP

Performance & Capacities FW – 10/20 Gbps VPN – 6 GbpspIDP – 6 GbpsConcurrent sessions – 1MNew and sustained CPS – 175k

Rear


New and sustained CPS – 175kConcurrent IPSec VPN tunnels – 10k

SRX3600S 3600Hardware

Modular chassis– 12 slots (6 front, 6 rear)– MGT module – dual, hot swap– 5U chassis height

Fixed InterfacesFixed Interfaces– 12 built-in (8-10/100/1000 + 4-SFP)– 2 Ethernet Management Ports

Modular InterfacesModular Interfaces– 16-10/100/1000– 16-SFP– 2-XFP

Front

Performance & Capacities FW – 10/20/30 Gbps VPN – 10 GbpspIDP – 10 GbpsConcurrent sessions – 2MNew and sustained CPS – 175k


New and sustained CPS – 175kConcurrent IPSec VPN tunnels – 20k Rear

Sample SRX3000 Base ConfigurationsSa p e S 3000 ase Co gu at o s

SRX3400SRX3400

– Minimal Configuration

SRX3600

Minimal ConfigurationMinimal ConfigurationSRX 34000 Chassis1 SPC1 NPC

– Minimal ConfigurationSRX 3600 Chassis1 SPC

1 NPC– $50,000 (US List)*

1 NPC– $60,000 (US List)*


*AC power cords are not included. One C19-Straight cable with appropriate wall-plug for the final destination of the system is required for each power supply.

Component ReviewDual-height SFB

option cover (SRX3600 only)

Co po e t e e

Switch FabricBoard (SFB)Air

IntakeIOC 16xSFP

( y)

IOC 2x10GEServices

ProcessingC d (SPC)

IOC 16xCopper

IOC 16xSFP

Fan tray

Card (SPC)FrontSlot guide

Fan tray doorServices

ProcessingCards (SPC) N k

Routing Engine

Cards (SPC) Network ProcessingCards (NPC) [ or SPCs ]


g g(RE) Rear

Slot guide

[ or SPCs ]

Branch SRX


Demand more connectivityy

DCOSCONNECT

SMALL BRANCH

Point products

IOS MIOS

Linux(<50 people)

USE

Resources wastedION 12.2

IOS 12.3R

EXPER

MEDIUM BRANCH(50 500

Too many operating

Cat OS

IOS 12.2R

IENC

E

(50–500 people)

operating systems

Cat OSIOS

IPS

PIX OS

LARGE

Inconsistent user experienceLinux

12.3NX OS

IOS BIN


LARGE BRANCH(>500 people)

12.4 BIN OS

IOS 12.2

IOS T

More connectivity deliveredy

DCOSCONNECT

SMALL BRANCH( 50 l )

Simplified design with EX

IOS MIOS

LinuxSRX

WX

USER

USE

(<50 people)

Integrated functionality ION

IOS 12.3 12.2

Virtual Chassis

R EXPER

R EXPER

MEDIUM BRANCH(50–500

with SRX

Consistency

Cat OS

IOS 12.2 SRXR

IENC

ER

IENC

E

(50–500 people) with JUNOS

Application i i i

Cat OSIOS

12 3

IPS

PIX OS

EXVirtual Chassis Dist

Switch

LARGE

optimization for consistent experience with WX

Linux

12.3NX OS

IOS BIN

Switch


BRANCH(>500 people)

with WX12.4 BIN OS

IOS T

IOS 12.2

SRXEX

EXWX

Demand more securityySECURE

USER AND LOCATION

SMALL BRANCH

Location-based security OFFSHORE

POLIC

Y

(<50 people)y

policies with silosPO

LI


Autonomous devicesPARTNER

ICY

P

Performance or Security?

(50–500 people) No

collaborationCONTRACTOR

POLIC

YLARGE

Performance–Security trade-offs

POLIC



trade-offsEMPLOYEE

CY

More security deliveredy

SECUREUSER AND LOCATION

POLIC

YC

ON

SSMALL BRANCH

Enterprise-wide “Follow-me” security OFFSHORE

UAC

POLI

ISTENT “

(<50 people)y

policies

Integrated

UAC

ICY

P“FO

LLOW


Integrated functionality

Collaborative

PARTNERPerformance or Security?

POLIC

YW

-ME” P

(50–500 people)

Collaborative security and CTC

CONTRACTOR

SRXEX

ADAPTIVE THREAT

POLIC

OLIC

IESLARGE

Award-winning performance

THREAT MANAGEMENT

SOLUTION


CYLARGE

BRANCH(>500 people)

performanceEMPLOYEE

Demand more manageabilityg yMANAGECNA

SMALL BRANCH

Too many NSMs

DCNM

ASDM

Switch

(<50 people)

SDM

Router

MEDIUM BRANCH(50 500 Manual data

CSM

PIXDM

Antivirus

(50–500 people)

Manual data correlation

LMSOVERLOAD!!! Spyware

LARGE

vFrame

LMS

Antispam

| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net35 | Copyright © 2009 Juniper Networks, Inc. | www.juniper.net35


Ciscoview Firewall

More manageability deliveredg y

MANAGECNA

SMALL BRANCH

Single pane of management

DCNM

ASDM

Switch

STRM

(<50 people)g

with NSMSDM

Router


Automated log reduction with STRM

CSM

PIXDM

AntivirusNSM

(50–500 people)

Reduce time t i ith

LMSOVERLOAD!!! SpywareAIS

LARGE

to repair with AIS

vFrame

LMS

AntispamIDPJUNIPER SUPPORT

| Copyright © 2009 Juniper Networks, Inc. | www.juniper.net36 | Copyright © 2009 Juniper Networks, Inc. | www.juniper.net36


Ciscoview FirewallGateway

Three key market driversee ey a et d e sUTM

CONSOLIDATION

Antispam AntivirusIPS Web filtering

UAC

FREE

LICENSED

CONSOLIDATIONNetwork migration to multi-service platform—“Secure Router” instead of multiple appliancesSecure Router =

UAC Content Filtering

R ti Ethernet FirewallIPSec VPN

Voice and Data

CONVERGENCE

Secure Router = – Router + Firewall + VPN + Switching– Unified Threat Management

Routing Ethernet Switching

NETWORK SECURITY

VoIP

Analog

Fax WLAN AP

Security Camera

Power Over Ethernet

VoIP Gateway and VoIP handsetsPower over EthernetWireless Access Points

CONNECTIVITYInternet MetroInternet

Metro EthernetWireless WAN 3GPSTN


3G PSTN MPLSMPLS

New SRX Services GatewaysLeveraging Juniper’s Dynamic Services Architecture

Highly configurable– Fixed semi-modular and

Leveraging Juniper s Dynamic Services Architecture

Up to 80% lower price– Fixed, semi-modular, and modular form factors

– Choice of WAN, wireless, and LAN interfacesAvailable voice media gateway20X IPS performance

p p

– Available voice media gateway Extensive integration

– Full suite of JUNOS routing and switching capabilitiesFull UTM

20X IPS performance

g p– Unmatched security, including

FW, VPN, UTM, UAC, and full IPSExceptional performance and availability16 X Gigabit Ethernetand availability

– Hardware-assisted Content Security Acceleration for ExpressAV and IPSC t l & d t l ti

Model Configuration SIPGateway

ContentSecurity

AccelerationFW/IPS

Performance

SRX100 Fixed No No 600/50 MbpsAdvanced

FW / VPN /ROUTING

g

– Control & data plane separation, redundant processing and power

Priced at $699 , $1099, $2999, and $16000 (list)

SRX210 1 mini PIM slot Optional Optional 750/80 Mbps

SRX240 4 mini PIM slots Optional Optional 1500/250 Mbps

license included


SRX650 8 GPIM slots Optional Standard 7000/900 Mbps

Roadmap

The SRX Branch portfolio 2009e S a c po t o o 009

SRX 650

+ More LAN slots, dual processors, dual P/S

SRX 240

+ 4 WAN slots, 16 x Gig E

SRX 210

+ WAN slot, 2 x Gig E, PoE

NSM

Centrally managedby NSM

Large Branch/Regional OfficeTelecommuter/Small Office

SRX 100

Small to Medium Office


Large Branch/Regional OfficeTelecommuter/Small Office Small to Medium Office

Typical Deploymentyp ca ep oy e t


SRX Series Specification Summary S Se es Spec cat o Su a yFEATURES SRX100 (target) SRX210 SRX240 SRX650On-board Ethernet 8 x FE 2 x GE + 6 x FE 16 x GE 4 x GE

Power over Ethernet (802.3af, 802.3at) None 4 ports—50 W total

16 ports GE, 150 W

48 ports GE, 250 W or 500 W

WAN slots None 1 x mini PIM 4 x SRX mini PIM 8 x GPIMUSB ports (flash) 1 2 2 2 per processorContent Security Acceleration—ExpressAV and Intrusion Detection and Prevention No YES YES YES

JUNOS Software version support JUNOS 9.6 JUNOS 9.5 JUNOS 9.5 JUNOS 9.5Routing Performance 60 Kpps 80Kpps 200Kpps 900KppsFirewall performance (Large Packets) 600 Mbps 750 Mbps 1.5 Gbps 7.0 Gbps

Firewall performance (IMIX) 175 Mbps 250 Mbps 500 Mbps 2.5 GbpsFirewall performance (Firewall + Routing PPS 64byte) 65 Kpps 75 Kpps 150 Kpps 900Kpps

VPN Performance—AES256+SHA-1 3DES+SHA 1 65 Mbps 75 Mbps 250 Mbps 1.5 GbpsIntrusion Prevention System 50 Mbps 80 Mbps 250 Mbps 900 MbpsConnections Per Second (CPS) 2K 2K 9K 35KMaximum Concurrent Sessions (512MB/1GB RAM) 16 K / 32K 32K / 64K 64K / 128K 512 KMaximum Concurrent Sessions (512MB/1GB RAM) 16 K / 32K 32K / 64K 64K / 128K 512 KAntivirus TBD 30 Mbps 85 Mbps 350 Mbps

High Availability A/A or A/P A/A or A/P A/A* or A/PA/A* or A/P,

Hot swap GPIMs,Dual processors*,

D l


Dual power

* Supported in JUNOS 9.6

SRX100 Q3 2009S 00

Id l f i b hFeatures SRX100 (target)

O b d Eth t 8 FEIdeal for micro-branch, managed telecommuters, SOHOFixed I/O—8 x 10/100 Ethernet portsF ll UTM f t

On-board Ethernet 8 x FE

Power over Ethernet (802.3af, 802.3at) None

WAN slots None

USB ports 1Full UTM features– IDP– Antivirus

Anti spam

p 1

3G Future

Intrusion Prevention System No

JUNOS Software version support JUNOS 9.6– Anti-spam – Web filtering– UAC Enforcement– UTM requires High Memory model

Routing performance 60 Kpps

Firewall performance (Large Packets) 600 Mbps

Firewall performance (IMIX) 175 Mbps– UTM requires High Memory model

(UTM, license), no CSAFirewall performance (Firewall + Routing PPS 64byte) 65 Kpps

VPN Performance—AES256+SHA-1 65 Mbps

VPN Performance —3DES+SHA 1 50 Mbps

Connections Per Second (CPS) 2KMaximum Concurrent Sessions (512MB/1GB RAM) 16 K / 32K

IPS performance TBD


High Availability A/A or A/P

SRX210 Q2 2009S 0

Ideal for Small branchesFeatures SRX210

O b d Eth t 2 GE 6 FEFull UTM features

– IDP, Antivirus, Anti-spam, Web filtering, Content filtering

On-board Ethernet 2 x GE + 6 x FE

Power over Ethernet (802.3af, 802.3at) 4 ports—50 W total

WAN slots 1 x mini PIM

3G wireless (ExpressCard slot) Yes– UAC Enforcement– UTM requires High Memory model

Available Voice version with

3G wireless (ExpressCard slot) Yes

USB ports (flash) 2

Content Security Accelerator—ExpressAVand Intrusion Detection and Prevention Yes

JUNOS Software version support JUNOS 9.5mini-PIM options—Q3 2009

– Factory-configured voice model (Q3 2009)

JUNOS Software version support JUNOS 9.5


Firewall performance (Large Packets) 750 Mbps

Firewall performance (IMIX) 250 Mbps

Firewall performance (Firewall + Routing PPS 64byte) 75 Kpps



Connections Per Second (CPS) 2K CPS

Maximum Concurrent Sessions (512MB/1GB RAM) 32K / 64K

IPS performance 80 Mbps


High Availability A/A or A/P

SRX240 Q2 2009

Id l f ll di b hFeatures SRX240

O b d Eth t 16 GE

S 0

Ideal for small–medium branchesFull UTM features

– IDP, Antivirus, Anti-spam, Web filtering Content filtering

On-board Ethernet 16 x GE

Power over Ethernet (802.3af, 802.3at) 16 ports GE, 150 W

WAN slots 4 x SRX mini PIM

USB ports (flash) 2filtering, Content filtering– UAC Enforcement– UTM requires High Memory model

A il bl V i i ith

p ( )

3G Future


JUNOS Software version support JUNOS 9 5Available Voice version with mini-PIM options—Q4 2009

– Factory-configured voice model (Q4 2009)



Firewall performance (Large Packets) 1.5 Gbps

Firewall performance (IMIX) 500 Mbps(Q4 2009)Firewall performance (Firewall + Routing PPS 64byte) 150 Kpps




Maximum Concurrent Sessions (512MB/1GB RAM) 64K / 128K



p p

High Availability A/A* or A/P

* Supported in JUNOS 9.6

SRX650 Q2 2009S 650

Ideal for regional sites, large branchesFeatures SRX650

O b d Eth t 4 GEg , g

Modular-– LAN switching– Services Routing Processors with optional

redundancy (future)

On-board Ethernet 4 x GE

Power over Ethernet (802.3af, 802.3at) 48 ports GE, 250 or 500 W

WAN slots 8 x GPIMredundancy (future)

– power supplies with optional redundancy (at FRS)

– voice configurations (field upgradable via PIMs in 2010)

USB ports (flash) 2 per processor

3G Future


PIMs in 2010)Full UTM features

– IDP, Antivirus, Anti-spam, Web filtering, Content filteringUAC E f



Firewall performance (Large Packets) 7.0 Gbps

Fi ll f (IMIX) 2 5 Gb– UAC EnforcementMax Gig E 52 ports (2 x 24 GE PIM + 4 integrated ports)

Firewall performance (IMIX) 2.5 Gbps

Firewall performance (Firewall + Routing PPS 64byte) 900 Kpps

VPN Performance—AES256+SHA-1 1.5 Gbps

VPN P f 3DES SHA 1 1 5 GbVPN Performance —3DES+SHA 1 1.5 Gbps


Maximum Concurrent Sessions (512MB/1GB RAM) 512 K

IPS f 900 Mb



High Availability A/A* or A/P Hot swap GPIMs,

Dual processors*, Dual power* Supported in JUNOS 9.6*Supported in JUNOS 9.6

SRX210 with Integrated Convergence Services Q3 2009g g

FXS ports – connect your analog phone or

FAX machine hereFXO ports – connect to your wall phone socket

E1/T1 or FXOs for carrier trunk or FXS for additional analog phones/ fax machinesFAX machine here your wall phone socket phones/ fax machines

SRX Voice ElementsTarget Branch Size (# users)

No. Slots

Base DSP

Channels

Base No. of Ports

Expansion Slots

Survivable SIP serverSIP Media GatewaySIP Security

users)

SRX210 2–25 1 mPIM

8–16 (codec

dependent)2 FXO, 2FXS

T1/E14 FXO

2 FXS + 2 FXOSRX240 10–50 4 30–48 2 FXO, y

Base and expandable voice portsPoE Ports P E P t li ith EX it h

FXOSRX240 10 50 mPIMs 30 48 2 FXS

SRX650 50–200 8 gPIMs

Requires gPIM 0

T1/E1Dual T1/E16 FXO + 2

FXS


PoE Ports scaling with EX switchg g FXS

2 FXO + 6 FXS

2H 2009Juniper Integrated Convergence ServicesStage 1: Survivable Media Gateway

SERVICE PROVIDER

VOIP

Stage 1: Survivable Media Gateway

SIP Trunking to Failover to PSTN

SIP Soft Switch

Channelized

Local PSTNLocal PSTN

3

SIP Trunking to Corporate to PSTN (typical)

SIP Trunking“V IP t PSTN” S P V IP

5

Failover to PSTN

CORPORATE OFFICE

SRX210 / SRX240

Channelized T-1 / E1/ FXO

INTERNETSIP VoIPhandset

4

4 “VoIP to PSTN” S.P. VoIP

5X

SIP Serverhandset

WANMPLS SIP VoIP

handset to1

22

SIP Trunking

23

3 34

X

Analog

PBX, Key System

Soft PhonesFAX SIP VoIP

handset to digital or analog phone

1SIP Trunking “Toll bypass”, “extension”

Digital

Soft PhonesFAX SIP VoIPhandset

Enterprise choice SIP standards Choice of sip phones SIP Server and SIP


Enterprise choice and flexibility

SIP standards Choice of sip phones, call servers and applications

Soft switch

3G Wireless WAN 2H 20093G e ess

Deployments-Primary connection where wired broadband is not available HQDatacenteravailableBack up connectivity with wired primary. p yOut of band management, remote deployment.

INTERNET

Available on SRX210 3G Wireless

Dynamic VPN Services

SRX210


Retail Branch Regional

Ethernet Switchingt e et S tc g

Software Features802.1Q VLAN support

SRX210 SRX240 SRX650

Hardware (Onboard Ethernet)SRX100

SRX100

802.1Q VLAN support– Up to 4,096 VLAN support (platform dependent)– Routed VLAN Interface (RVI)– GARP VLAN Registration Protocol (GVRP)

QOS on VLAN interface

– 8 Fixed 10/100 (Switched or Routed)SRX210

– Fixed 2 10/100/1000 + 6 10/100 (Switched or Routed)– 802.3af optional POE (2FE + 2GE)

SRX240Fi d 16 P t 10/100/1000 (S it h d R t d)– QOS on VLAN interface

L3 Strict priority queuing (LLQ) L3 Smoothed Deficit Weighted Round Robin (SDWRR)L3 Weighted Random Early Discard (WRED)

– Fixed 16 Ports 10/100/1000 (Switched or Routed)– Power over Ethernet (optional all ports)– 802.3af, 802.3at

SRX650– Fixed 4 ports 10/100/1000 (Routed)

Hardware Ethernet PIMs(WRED)L3 Per port and per queue shaping

802.1x Port based Authentication802.3ad (AX) link aggregation*

Hardware Ethernet PIMsSRX Mini-PIM (SRX210/SRX240)

– 1 Port SFP 16 port GigE XPIM for SRX650

– Double-highF ll d l 20 Gb b k lSTP, Spanning Tree Protocol

– 802.1D Spanning Tree Protocol– 802.1S Multiple STP– 802.1w Rapid STP

– Full-duplex 20 Gbps backplane– 16 port GE and optional PoE

24 port GigE including 4 SFP slots XPIM for SRX650– Double-high - double-wide– Optional POE - 24 port GE with PoE incl 4 SFP slots– Full-duplex 20 Gbps backplane


pJumbo Frame Support (9,216 Byte)*

– Full-duplex 20 Gbps backplaneOptics

– SRX GE SFP LH | SRX GE SFP LX | SRX GE SFP SX |SRX GE SFP 1000 Base-T | SRX FE FX SFP * Not supported on SRX100

SRX Series—Firewall, Zones, and PoliciesS Se es e a , o es, a d o c esZONE “UNTRUST”

Originating ZoneOriginating Zone

INTERNET

Default Policy—Deny AllDefault Policy—Allow All

SRX

Originating Zone


ZONE “TRUST”ZONE “TRUST”

Unified Threat Management (UTM) FeaturesU ed eat a age e t (U ) eatu es

InternalExternal Internal Threats

ExternalThreatsINTERNET

Websense to block to unapproved site Web Filtering

Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Scans

IPS Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Scans

accessg

Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware, Adware, Keyloggers

Kaspersky Lab AV stops viruses, file-based trojans or spread of spyware, adware, keyloggers

Antivirus

j , py , , y gg adware, keyloggers

Symantec stops Spam / PhishingAnti-spam

C

Firewall, VPN, Unified Access ControlCore Security

Firewall VPN Unified Access Control

SRX Series blocks transmission of files for Data Loss Prevention

Content Filtering


, ,Firewall, VPN, Unified Access Control

Juniper Networks Unified Access Control (UAC)ccess Co t o (U C)

POLICY SERVERPOLICY SERVER

Identity Stores

IC Series

1

A th ti t U

APPLICATIONS

Stores

22 Dynamically

Provision Policy

Authenticate User, Profile Endpoint,

Determine Location 1

Data App InternetISG

3

Control

yEnforcement

UAC Agent EX Series L2 Switch

802.1X Switches & Juniper Firewall

NSSSG

ISGAccess to Protected Resources SRX

802.1X Switches & Access Points

Juniper Firewall Platforms

UAC Enforcement Points

Comprehensive vendor agnostic standards based access control across


Comprehensive, vendor-agnostic, standards-based access control across heterogeneous environments delivering investment protection

Remote AccessQ2 2009

Dynamic VPN Service –A M Cli tAccess Manager ClientA dynamic IPSEC Client that is automatically downloaded WiredWireless

5-user, 10-user, 25-user, 50-user (SRX240) license option with simultaneous tunnel enforcement

3G WirelessSupported on the SRX100, SRX210, and SRX240Not supported on SRX650 A i li d bili i

3G Wireless

INTERNET

Automatic client upgrade capabilitiesSelf-provisioning from SRX210, SRX240IPS ith TCP b d f llb k f

Dynamic VPN Services

SRX210

IPSec with TCP-based fallback for NAT traversalInitial release to support Windows platforms—XP, Vista, Win 2000


p , ,

Juniper Unified ManagementJu pe U ed a age e t

UnifiedUnified management across Juniper’s network EMS NMS Visibility Diagnostics

SNMP, Syslog, XMLSNMP, Syslog

network infrastructureNetwork lifecycle

t

EMS NMS Visibility Diagnostics

Security ThreatNetwork & SecurityJUNOScope Advancedmanagement—Provision, Monitor, and Troubleshoot NetConf, DMI, Syslog, Sflow

Security Threat Response Manager

Network & Security Manager (NSM)

JUNOScope Advanced Insight Manager

NETWORK MANAGEMENT

Consistent and Open standards NBI for easy

ONEJUNOS

CLI,

ONE

J Web

Web UI

HTTP / HTTPS XML

Telnet, SSH, XML

integration with 3rd party NMS

JUNOScript J-Web

MX M S i

ISG/IDP

SSL VPN

Infranet C t ll SRX5600


SwitchingSecurityRoutingSeries Series Controller SRX5600

Network Security Manager et o Secu ty a age

Along with SRX NSM is a great way to CommonAlong with SRX, NSM Manages Juniper’s entire enterprise portfolio*

NSM is a great way to port ScreenOS customers over to a JUNOS solution and to

Common Management also offers huge up-sell


enterprise portfolio JUNOS solution and to help manage a mixed environment

huge up sell opportunity

Security Threat Response ManagerSecu ty eat espo se a age

STRM supports SRX Series– Intrusion Prevention System (IPS)– 220+ out-of-the box report templatesp p– Fully customizable reporting engine:

creating, branding and scheduling delivery of reports– Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA


– Reports based on control frameworks: NIST, ISO and CoBIT

Rapid Deployment Q4 2009ap d ep oy e t

Simplified deployment-2 USB L d t t fi– Eliminate need for-

Pre-staging deviceIT at point of installation

2. USB Loads startup config3. Validation of start up config4. Secure communication to NSM

SRX 210

6. SRX In Serviceinstallation

Reduce -– Provisioning time • A Unique ID for tracking

purposes

1. Generate and export startup config to USB

5. Download Running Config

– Installation cost– No “truck roll”

purposes• Untrust Interface

configuration• Configuration

parameters to enable “registration” of device gto management server

• User/Password• Management Server IP

Address/Domain Name• One time password

Network Security Manager


Juniper Branch ProductsSSG, SRX, and J Series ProductsSSG, SRX, and J Series Products

SSG F il J S iSRX

U ifi d Th t M tSSG FamilyFW, VPN, NAT, UAC

IPv6 Security Wireless (WLAN)

J SeriesFW, VPN, NAT, UAC

Routing, Switching, QOS, MPLSWX—ISM 200 Application

Unified Threat Management– Full IDP—Juniper– Antivirus—Kaspersky– Web filtering—WebsenseWireless (WLAN)

Unified Threat Management

– Intrusion Prevention: DI

WX ISM 200 Application AccelerationVoIP—Avaya Integ. GwayUnified Threat Management

– Full IDP—Juniper

g– Anti-spam—Symantec

VoIP– Juniper OpenCommunications

– Antivirus—Kaspersky– Web filtering—Websense– Anti-spam—Symantec

Full IDP Juniper– Antivirus—Kaspersky– Web filtering—Websense– Anti-spam—Symantec

Juniper OpenCommunications– Power over Ethernet

FW, VPN, NAT, UAC

SSG320M

SSG5 Wireless

SSG20 Wireless J2320

J2350SSG140

SRX 100

SRX 210

SSG350M

SSG520SSG520M

J6350SSG550

J4350SRX 240

SRX 650


J6350SSG550SSG550M

SRX 650

Branch: Positioning Your Customera c os t o g ou Custo eNew Customers

– Consider an all-JUNOS routing, switching, and security network for consistently highConsider an all JUNOS routing, switching, and security network for consistently high performance and consistently easy operations

SSG-series supports security features not available elsewhere in the Juniper portfolio

Existing JUNOS Customers– Juniper’s strategic investments in JUNOS security capabilities deliver integrated,

consistent security capabilities– JUNOS is the platform for service delivery across the network infrastructure– Educate customers: security services of JUNOS leverage the strengths of ScreenOSEducate customers: security services of JUNOS leverage the strengths of ScreenOS

Existing ScreenOS Customers– ScreenOS has a long life ahead– When appropriate, selling JUNOS today creates future routing & switching salesWhen appropriate, selling JUNOS today creates future routing & switching sales

opportunitiesSelect SSG platforms can run JUNOS with a software upgrade

Regulatory-Sensitive Customers– Reassure with longevity of ScreenOS development and support– Government or regulation-sensitive customers

Certifications (e.g. CC EAL4, FIPS, JTIC, NEBS)


High-End: Positioning Your Customerg d os t o g ou Custo e

JUNOS Best for Customers WhenC d OS ti l ffi i i– Converged OS = operational efficiencies

– Native routing, firewall, IPSec VPN, IDP, QoS, and more– Performance requirements >30 Gbps FW throughput– Only solution scalable > 100 Gbps FW on a single productOnly solution scalable > 100 Gbps FW on a single product– Only solution scalable w/no downtime– Service provider / large data centers which need

segmentation, IDP, and QoSto maximize IO port density/scalability

ScreenOS Best for Customers WhenR i tifi ti f ISG d NS 5000 i– Require certifications for ISG and NS-5000 series

– IPv6 environments – r.6.2 includes IPv6 support for ISG with IDP– Rich perimeter security heritage – throughput performance & capacities

align bestalign best– Mixed deployment with current ScreenOS products address all

segments of the network– Management simplicity with NSM


– Management simplicity with NSM

Call To ActionCa o ct oSell ScreenOS with confidence!

J i l t l i f S OS– Juniper plans to release new versions of ScreenOS– Public sector sales require a long life for ScreenOS

Invest in JUNOS todayInvest in JUNOS today– Positions you for a broader portfolio sale tomorrow

integrate networking & security i

Sell JUNOS to… Sell ScreenOS to…customers requiring industry &

servicesmaximize performancereduce complexity with a single

government certificationsIPv6 environmentsfull-feature security appliancesp y g

box for routing, firewall, IPSec VPN, & QoS

existing JUNOS customers

full feature security appliancesexisting ScreenOS customers


g

JUNOS Adoption Tools & TrainingJU OS dopt o oo s & a g

PROGRAMSCourse Description Target Audience URL

JSL JUNOS As a Second Language Networking Engineers (IOS JUNOS) http://www.juniper.net/training/elearning/jsl.html

PROGRAMSFast Track – subsidized exam for

JUNOS certification ($2-3K USD)

COLLATERALJUNOS Software Partner

OJRE Operating Juniper Networks Routers in the Enterprise: Leads to JNCIA-ER associate level certification exam

Networking Engineers http://www.juniper.net/training/technical_education/courses/EDU-JUN-OJRE.html

AJRE Advanced Juniper Networks Routers in the Enterprise: Leads to JNCIS-ER

Networking Engineers http://www.juniper.net/training/technical_education/courses/EDU-JUN-AJRE.html

USD) JUNOS Software Partner Collateral

SRX Partner Collateralthe Enterprise: Leads to JNCIS-ER specialist-level certification exam

JNSA-EN Juniper Networks Sales Associate: product authorization

Sales https://www.juniper.net/partners/partner_center/common/training/training_nam.jsp

JNSS-EN Juniper Networks Sales Specialist: product authorization

Networking Engineers https://www.juniper.net/partners/partner_center/common/training/training_nam.jsp

SRX Partner Collateral

J-series Partner Collateral product authorization

VLAB Virtual labs with Juniper equipment accessible online

Networking Engineers https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp

JSL2 JUNOS as a Security Language: Intro to JUNOS software with enhanced services for ScreenOS Users

Networking Engineers (ScreenOS JUNOS)

http://www.juniper.net/training/elearning/junos_security.html

Integrated Firewall/IPSec VPN CollateralTRAINING

Virtual Lab – Learn how toservices for ScreenOS UsersJSL 3 JUNOS as a Switching Language: Intro to

JUNOS software on EX SeriesNetworking Engineers (IOS JUNOS (Switching))

http://www.juniper.net/training/elearning/junos_switching.html

OEJS Operating Enhanced Services for JUNOS Software: Leads to JNCIS-ES certification

Networking Engineers http://www.juniper.net/training/technical_educat ion/courses/EDU-JUN-OESJ.html

Virtual Lab Learn how to configure security policies on a

J-series running JUNOS


exam

THANK YOUTHANK YOU


Documents

The JUNOS Powered Enterprise - Westcon-Comstorbe.security.westcon.com/documents/35072/JunosSRX650ServicesGat… · SRX SERIES SERVICE GATEWAYS 21 ... Slot guide [ or SPCs ] ... Course