Presentation title here


Product Update Seminar

AGENDA

13.00

13.30

15.30

17.30

• Welcome
• SRX update + Application Aware FW positioning
• Value Add proposition having onbox AV (Kaspersky)
• MAG SSL/UAC license scenarios recap
• vGW short recap (demo)
• Coffee break
• EX technology portfolio update "The new network is simply connected"
• Wireless Newsflash
• Westcon Academy Juniper Training update
• Great drinks & Fingerfood @ SKYBAR terrace

Copyright © 2011 Juniper Networks, Inc. www.juniper.net

Legal Disclaimer: This statement of product direction (formerly called “roadmap”) sets forth Juniper Networks' current intention, and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this statement.

SRX update

Frederick Verduyckt Security System Engineer

DON'T TAKE OUR WORD FOR IT ….

SRX650 wins Best of Interop Award, Infrastructure Category: “Branch Office Swiss Army Knife” that “packs a bunch of horsepower and features”

SRX210 wins Tokyo Interop Grand Prix (highest honor) for SMB Infrastructure: “Amazed that high-performance JUNOS software is installed in this small appliance” – the vote was unanimous!


BRANCH SRX DELIVERS… CONSOLIDATED SECURITY AND NETWORKING

All-in-One: Firewall, VPN, IPS, Anti-Virus, Anti-Spam, Web filtering, Routing / WAN, LAN, Switching

• Single device for routing, switching, and security
• Comprehensive security
• Easy to activate new layers of security

BRANCH SRX PORTFOLIO

• SRX100/110
• SRX210: WAN slot, 2 x GigE, PoE
• SRX220: + 2 WAN slots, 8 x GigE, PoE
• SRX240: + 4 WAN slots, 16 x GigE, PoE
• SRX650: + More LAN slots, dual processors, dual P/S

Positioning, smallest to largest: Small Office, Small to Medium Office, Large Branch/Regional Office

SRX SERVICES GATEWAYS

• Highly configurable
  – Fixed, semi-modular, and modular form factors
  – Choice of WAN and LAN interfaces
• Extensive integration
  – Full suite of JUNOS routing and switching capabilities
  – Unmatched security, including FW, VPN, UTM, UAC, and full IPS
• Exceptional performance and availability
  – Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS
  – Control & data plane separation, redundant processing and power

Model: Configuration; FW/IPS Performance
• SRX100: Fixed; 600/60 Mbps
• SRX210: 1 mini PIM slot; 750/80 Mbps
• SRX220: 2 mini PIM slots; 950/100 Mbps
• SRX240: 4 mini PIM slots; 1500/250 Mbps
• SRX650: 8 GPIM slots; 7000/900 Mbps

SRX SERVICES GATEWAYS DATA CENTER SERIES COMPARISON

Max. Value Junos 10.4

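SRX1400
• FW Throughput: 10 Gbps; VPN Throughput: 2 Gbps; IPS Throughput: 2 Gbps
• Max PPS: 1 million
• Max Sessions (/ with add'l license): 0.5 million
• New & Sustained CPS (/ with add'l license): 45k
• Built-in Interfaces, GE: 10/100/1000Base-T 6; 1000Base-X (HA off / on) 6 / 4; 10GBase-F 0
• Built-in Interfaces, XGE: 10/100/1000Base-T 6; 1000Base-X (HA off / on) 3 / 1; 10GBase-F 3
• Total I/O Ports, GE: GbE (HA off / on) 28/26; 10 GbE 2
• Total I/O Ports, XGE: GbE (HA off / on) 25/23; 10 GbE 5

SRX3400
• FW Throughput: 20 Gbps; VPN Throughput: 6 Gbps; IPS Throughput: 6 Gbps
• Max PPS: 3.5 million
• Max Sessions (/ with add'l license): 2.25 / 3 million
• New & Sustained CPS (/ with add'l license): 175k
• Built-in Interfaces: 10/100/1000Base-T 8; 1000Base-X 4
• Total I/O Ports: GbE 76; 10 GbE 8

SRX3600
• FW Throughput: 30 Gbps; VPN Throughput: 10 Gbps; IPS Throughput: 10 Gbps
• Max PPS: 6.5 million
• Max Sessions (/ with add'l license): 2.25 / 6 million
• New & Sustained CPS (/ with add'l license): 175k / 300k
• Built-in Interfaces: 10/100/1000Base-T 8; 1000Base-X 4
• Total I/O Ports: GbE 108; 10 GbE 12

SRX5600
• FW Throughput: 60 Gbps; VPN Throughput: 15 Gbps; IPS Throughput: 15 Gbps
• Max PPS: 9 million
• Max Sessions: 9 million
• New & Sustained CPS: 350k
• Total I/O Ports: GbE 200; 10 GbE 40

SRX5800
• FW Throughput: 150 Gbps; VPN Throughput: 30 Gbps; IPS Throughput: 30 Gbps
• Max PPS: 21 million
• Max Sessions: 12.5 million / 14 million (with caveats)
• New & Sustained CPS: 350k
• Total I/O Ports: GbE 440; 10 GbE 88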

SRX210 ENHANCED

Improved SRX210 with faster processor!

• Increases processor speed to 600MHz from 400MHz
• Existing SRX210 has 400MHz processor
• Provides faster J-Web, improved boot-up time, faster throughput

Provided under new SKUs:
• SRX210BE, SRX210HE, SRX210HE-POE
• No change to list price
• No change to datasheet specs

FIPS & EAL4 Certs submitted with 10.4

End-of-Sale of existing SRX210 will be announced after receiving certifications in 2H 2011
• Providing at least 6 month notice for LTB

SRX110

Single box solution for Enterprise and MSP
• Fixed form factor
• 8 10/100MB Ethernet ports

WAN Options
• VDSL Annex A or VDSL Annex B with ADSL fallback
• 3G USB Modem port for backup
• Express slot is being deprecated

Feature rich in Routing, Switching and Security
• Security – UTM, Stateful Firewall, IPSec VPN
• Routing – RIP, OSPF, BGP, MPLS, VPLS
• Switching – Ethernet Switching features parity with SRX 100

External CF for more storage options

Security & Performance
• Routing Performance: Est. 100Kpps
• Firewall Performance: 750Mbps (Large Pkt), 250 Mbps (IMIX)
• VPN Performance: 75 Mbps
• IDP Performance: 65 Mbps
• AV & IDP HW Acceleration: NO
• High Availability (Q3 ‘11): A/A or A/P

SKU: Memory & Storage; LAN; DSL WAN; 3G WAN
• SRX110H-VA-3G: 1GB RAM, 1GB Flash; 8 x FE; VDSL Annex A; Yes
• SRX110H-VB-3G: 1GB RAM, 1GB Flash; 8 x FE; VDSL Annex B; Yes

3G/4G FOR SRX – UPDATES

USB 3G/4G – This is the Future
Direct plug-in USB Modem Support for SRX100, SRX110 and SRX210E
• GSM/HSPA+ Modem support in Q3 '11 (Sierra Wireless 319U)
• Secure Modem with Modem Cap (2H '11)
• Recommended for use with SRX
• LTE/HSPA modem support in 1H '12
• LTE/EVDO Modem support in 1H '12
• SRX/Junos based 3G support
• No USB 3G support on 220/240/650

CX111 Bridge
CX111 3G/4G Bridge for “ALL” SRX, SSG & J-Series
• Worldwide 70+ Modems supported in latest firmware (July '11)
• Verizon LTE supported NOW
• CX111 supports SNMP NOW (v 1.8.2, July 2011)
• Junos CLI based management Phase-1 release in Q4 '11

SRX550

New platform for mid-large branches
• Faster than a J6350

Flexible Slots
• Two mPIM slots for low-speed interfaces
• Six PIM slots (2 XPIM + 4 GPIM)
• One ACE slot (future CPU offload)

Support for LAN bypass (ports 4 and 5)

10xGE ports built-in
• 6xGE
• 4xSFP

Dual PSU support
Two USB ports
Serial and USB-based Console
External CF/SSD for storage

Beta in 11.4

Security & Performance Targets
• Routing Performance: Est. 700Kpps
• Firewall Performance: 2 Gbps (IMIX), 8 Gbps (large packets)
• AV & IDP HW Acceleration: Yes
• IPSec Performance: TBD

APPSECURE UPDATE

WHERE IS SECURITY HEADED? CONTEXT AWARENESS

“Location, device and user ” vs. “Source to Destination”

[Figure: Branch, Campus and Mobile Clients connected over a Global High-Performance Network; context labels: What User, User Device, User Location, Destination]

APPSECURE SOFTWARE SERVICE SUITE

Application Intelligence from User to Data Center

• AppTrack: Understand security risks; Address new user behaviors
• AppFW: Block access to risky apps; Allows user tailored policies
• AppQoS: Prioritize important apps; Rate limit less important apps
• AppDoS: Protect apps from bot attacks; Allow legitimate user traffic
• IPS: Remediate security threats; Stay current with daily signatures

2H 2011

• Subscription service includes all modules and updates
• Juniper Security Lab provides 800+ application signatures

APPSECURE USE CASE – COST REDUCTION

Customer Profile: Large technology company with over 100 offices worldwide

Customer Initiative: IT cost reduction through standardization on a smaller number of supported applications

AppSecure Implementation

AppTrack
• Identify global use of applications, cloud-based or not

AppFW
• Block out-of-policy applications
  – Facebook

AppQoS
• Prioritize business-critical applications
  – Oracle
  – GoogleSites
• Lower priority of less essential applications
  – QuickTime

APPSECURE USE CASE – COMPLIANCE

Customer Profile: US based HR recruiting firm with clients in US and EMEA

Customer Initiative: Standardize on a single e-mail application to meet compliance guidelines

AppSecure Implementation

AppTrack
• Identify and permit Microsoft Outlook traffic

AppFW
• Identify and permit access to LinkedIn to enable recruiting productivity
• Identify and deny access to LinkedIn’s In-Mail application

APPSECURE AVAILABILITY

High End SRX
• AppTrack: ✔
• AppFW: 11.1
• AppQoS: 11.4
• AppDoS: ✔
• IPS: ✔
• User-Roles: 12.1

Branch SRX
• AppTrack: 11.2
• AppFW: 11.2
• AppQoS: 1H12
• AppDoS: TBD
• IPS: ✔
• User-Roles: 12.1

LOGICAL SYSTEMS UPDATE

WHAT IS LSYS?

• Virtualization of many aspects of Junos, especially security policies and enforcement options
• “Complete” separation of a single device into unique virtual instances, including:
  – Administrative separation – users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box
  – Traffic separation – network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
  – Resource separation – resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances
• An evolution of ScreenOS’s VSYS concept

LSYS VS. VSYS

[Figure: object hierarchy comparison. ScreenOS VSYS: Virtual System, Virtual Router, Zone, Interface, IP. Junos* LSYS: Logical System, VR, Zone, Interface, IP.]

*All interfaces in a given zone must be in the same routing instance

LSYS ISN’T A HYPERVISOR-LEVEL VIRTUALIZATION

• Only one version of Junos is running on the SRX
• System daemons have been made ‘LSYS aware’
  – In some cases, multiple daemons are used, one per LSYS
• Akin to “Operating System Level virtualization”
  – Looks and feels like a real system
  – Has resource protection to protect one from another

EXAMPLE

[Figure: example LSYS topology. Logical systems: Root, LSYS0, LSYS1, LSYS2. Zones: Inet, LRlt, L1lt, L1USR (PC1), L2lt, L2USR (PC2), L2SVR (PC3). Logical tunnel interfaces: lt0/0/0.0, lt0/0/0.1, lt0/0/0.2, lt0/0/0.3, lt0/0/0.4, lt0/0/0.5.]

LSYS Management Methods

• CLI: Global (root) view; LSYS view
• Web: JWeb Global View; JWeb LSYS View
• NMS: Space; Third party

LSYS: 11.2 CLI

    interfaces {...}
    lsys-profiles {...}
    applications {...}
    schedulers {...}
    routing-instance {...}
    protocols {...}
    routing-options {...}
    security {
        policies {...}
        zones {...}
        nat {...}
    }
    logical-system LSYS1 {
        profile profile-name-Premium
        interfaces {...}
        routing-instance one {...}
        applications {...}
        security {
            policies {...}
            schedulers {...}
            zones {...}
            nat {...}
        }
    }

Global Configuration View
• Root administrator can configure all elements of the SRX
• Must create LSYS and LSYS users
• If desired, all admin can be done by root

LSYS-Level Configuration View
• LSYS administrators see only LSYS-level configuration details
• Includes LSYS-only view of all logs

JWEB IN 11.2: LSYS MONITORING


JWEB IN 11.2: CONFIGURATION OF LSYS


WHEN TO USE LSYS

Customer Requirements:

✔ Complete separation of traffic
  – Zones and VRs can also provide this functionality without LSYS
✔ Administrative delegation
✔ Log Separation
✔ Resource Reservation

vGW update

VIRTUALIZATION SPECIFIC REQUIREMENTS

Secure VMotion/Live-Migration
• VMs may migrate to an unsecured or lower trust-level zone
• Security should enable both migration and enforcement

Hypervisor Protection
• New operating system means new attack surface
• Hypervisor connection attempts should be monitored

Regulatory Compliance
• Isolating VMs, Access Control, Audit, etc.
• Segregating administrative duties inside the virtual network
• Tracking VM security profiles

SECURITY IMPLICATIONS OF VIRTUAL SERVERS

[Figure: PHYSICAL NETWORK compared with VIRTUAL NETWORK (VM1, VM2, VM3 on a HYPERVISOR)]

• Physical network: Firewall/IPS Inspects All Traffic Between Servers
• Virtual network: Physical Security is “Blind” to Traffic Between Virtual Machines

APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS

1. VLAN Segmentation

• Each VM in separate VLAN
• Inter-VM communications must route through the firewall
• Drawback: Possibly complex VLAN networking

2. Agent-based

• Each VM has a software firewall
• Drawback: Significant performance implications; Huge management overhead of maintaining software and signature on 1000s of VMs

3. Kernel-based Firewall

• VMs can securely share VLANs
• Inter-VM traffic always protected
• High-performance from implementing firewall in the kernel
• Micro-segmenting capabilities

[Figure: three hypervisors, each hosting VM1, VM2, VM3: plain HYPERVISOR; HYPERVISOR with FW Agents; HYPERVISOR with FW as Kernel Module]

VGW KERNEL IMPLEMENTATION

• Fully “Fast-Path”
  – All firewall processing is done within hypervisor
  – High performance, >10Gbps throughput
• Designed for ESX Architecture
  – Independent processing firewall policy per-VM
  – Scales up as core count increases

[Figure: vGW 4.5 on the ESX Kernel. VM1, VM2, VM3 and the ALTOR VM (Policy, Logging, Management) sit above the VMware vSwitch or dvSwitch; the Altor VMsafe Kernel Module (vGW Engine) handles Packet / Data through the VMsafe Interface; Partner Server (IDS, Syslog, Netflow).]

VGW ARCHITECTURE 3 MAIN MODULES

1. SECURITY DESIGN VGW
• CENTRAL MANAGEMENT
• WEB-BASED UI
• MANAGEMENT HA
• DELIVERED AS VIRTUAL APPLIANCE

2. VGW SECURITY VM
• POLICY FROM MGMT TO ENGINE
• LOGGING FROM ENGINE TO MGMT
• IDS ENGINE
• DEPLOYED AS HA PAIR
• DELIVERED AS VIRTUAL APPLIANCE

3. VGW ENGINE
• FULL FW IMPLEMENTATION IN THE KERNEL
• STATEFUL FW
• PER-VM POLICY

[Figure: VMs (VM1, VM2, VM3) on a HYPERVISOR with THE vGW ENGINE, VMWARE DVFILTER, and VMWARE VSWITCH OR CISCO 1000V]

INTEGRATED WITH JUNIPER DATA CENTER SECURITY

[Figure: vGW 4.5 on VMware vSphere (VM1, VM2, VM3, ALTOR) with Central Policy Management of Policies, connected through a Juniper EX Switch and the Network to a Juniper SRX with IPS and to STRM.]

Integration points shown:
• Zone Synchronization & Traffic Mirroring to IPS
• Firewall Event Syslogs
• Netflow for Inter-VM Traffic

DEMO

http://vgwdemo.juniper.net
