SRX 3400/3600 Services Gateways


Securing the Enterprise - new trends
on networking security
SCOP / Bucharest 15th April 2009
Uwe Richter
Sr. SE Manager Eastern Europe
The most flexible, cost-effective solution for mid to large enterprises and service providers
‹#› | Copyright © 2009 Juniper Networks, Inc. | www.juniper.net
Juniper Networks - Leadership & Expertise
NS1000
NS1000 w
Switch 2
1G FW &
1G VPN
100 VSYS
2000
ISG 2000
2G FW &
1G VPN
250 VSYS
A/A-Full
Mesh HA
NS-5200
4G & 12G FW
3M & 9M PPS
500 VSYS
<78 interfaces
& 4000 VLANs
NS-5400
10G & 30G FW
6M & 18M PPS
10 GigE interfaces
Jumbo Frames
Hardware AES
SRX 5600
SRX 5800
60G & 100+G FW
20G & 40+G IPS
4M & 8M Sessions
Now
Gartner’s Magic Quadrant
Worldwide Integrated Security Appliance
Revenue Market Share: ≥$30,000
[Chart: Market Share (%), 0% to 100%, by Calendar Quarter, 1Q05 to 1Q08; vendors shown: Juniper, Cisco, Nortel, Nokia]
Source: Infonetics, Jun 2008
Fortinet
Juniper Networks
“Upper-right”
• Firewall & IPSec VPN
What customers expect...
Integrated Services
Deliver a superior user
experience
Scalable Performance
Faster application and
service deployment
Operational Simplicity
Total cost of ownership
advantage
FAST
RELIABLE
Today’s Enterprise Requirements
Enablement versus Constraint
• Core / Infrastructure: 10 GigE
– More traffic, new/next gen apps, video and other streaming media
• Customers demand full-fledged security posture for network performance
– Deliver all security services at scale
Business Challenges
Performance and Flexibility Compromise
• Traditional solutions based on performance/flexibility tradeoff
• Limited performance options
– Deploy more platforms
– Disable “expensive” features
• Limited flexibility options
– Deploy dedicated appliances
[Diagram axes: Performance, Flexibility]
Pitfall of Today’s Security Adaptability
• Limited flexibility in adapting to business requirements
• Poor service integration resulting in poor business operations
– Complex rack space planning
– Installation, management and maintenance overhead
•Rack Space Planning: High
•CAPEX: High
•OPEX: High
[Chart: Security Requirements, FW, IPS & VPN (Gbps; axis ticks 5 and 10), and Network Traffic Requirements plotted over Time, TODAY to FUTURE; ASA 5540]
Dynamic Services Architecture ™
• Dedicated Control Plane
• Built-on Terabit Fabric
– Interchangeable I/O and processing cards
– Any service, any card
Service Integration
via
JUNOS ™
Fabric
• Feature integration on JUNOS
– Fast time to market
– Tightest integration between features
• Carrier-class Reliability
Dedicated
Management
Interface
Scalability
FW
IDP
NAT VPN
DoS QoS
Processing
Scalability
SRX Services Gateway
Family of JUNOS-based Dynamic Services Gateways
Dynamic Services
Consolidate Management Framework
App Layer
Forwarding
Routing
Threat
Prevention
Firewall
IPS
Access Control
IPSec
VPN
SRX Dynamic Services Gateway
NAT
SRX Dynamic Services Gateways
Sept 2008 Market Introduction
SRX5000 Series Services Gateway
• Revolutionary Architecture
• Integrated Services
• Scalable Performance
• Operational Simplicity
• World’s Fastest Security Solution
• The heritage of ScreenOS on JUNOS
Juniper (mid to high-end) Enterprise Security
Portfolio
150 Gbps
SRX5800
• Services Gateway
• Designed for integration and scalability
• Dynamic Services Architecture
•Terabit Fabric Technology
•Dynamic Processing Pool
50 Gbps
SRX5600
•Dynamic I/O Pool
•JUNOS SW feature delivery
30 Gbps
Products addressing
this segment?
10 Gbps
NS5400
• FW and Integrated Security
ISG/IDP
• Designed for enhanced perimeter and DC security
No Compromise Security:
SRX3000-line: The most cost-effective network security solution
• Maximum Flexibility without Sacrificing Security
• Unmatched Price / Performance
• Powered by JUNOS and Juniper’s Dynamic Services Architecture (DSA)
Based on Dynamic Services Architecture™ for accelerated new service deployment
SRX3400
Hardware
• Modular chassis
– 7 slots (4 front, 3 rear)
– MGT module – dual, hot swap
– 3U chassis height
• Fixed Interfaces
– 12 built-in (8-10/100/1000 + 4-SFP)
– 2 Ethernet Management Ports
• Modular Interfaces
– 16-10/100/1000
– 16-SFP
– 2-XFP
Performance & Capacities
• FW – 10/20 Gbps
• VPN – 6 Gbps
• IDP – 6 Gbps
• Concurrent sessions – 1M
• New and sustained CPS – 175k
• Concurrent IPSec VPN tunnels – 10k
[Chassis images: Front, Rear]
SRX3600
Hardware
• Modular chassis
– 12 slots (6 front, 6 rear)
– MGT module – dual, hot swap
– 5U chassis height
• Fixed Interfaces
– 12 built-in (8-10/100/1000 + 4-SFP)
– 2 Ethernet Management Ports
• Modular Interfaces
– 16-10/100/1000
– 16-SFP
– 2-XFP
Performance & Capacities
• FW – 10/20/30 Gbps
• VPN – 10 Gbps
• IDP – 10 Gbps
• Concurrent sessions – 2M
• New and sustained CPS – 175k
• Concurrent IPSec VPN tunnels – 20k
[Chassis images: Front, Rear]
Sample SRX3000 Base Configurations
SRX3400 – Minimal Configuration
• SRX 3400 Chassis
• 1 SPC
• 1 NPC
SRX3600 – Minimal Configuration
• SRX 3600 Chassis
• 1 SPC
• 1 NPC
SRX 3K Packet Flow – Fully Integrated
[Diagram labels: Flow Lookup; Network Processing Cards; Classification; DoS/DDoS; Policing; Routing / Device MGT; RE; Services; Oversubscrptn. Control; 1.5; FW/VPN/IDP; NAT/Routing; Ingress Packet; Fabric; Egress Packet; Integrated in SRX 5000 IOC; Input/Output Cards; QoS/Shaping; Services Processing Cards]
Integrated Services
Dynamic Services Architecture Differentiator
Juniper SRX
Dedicated Control Plane
Buildable Processing Pool
Buildable I/O Pool
Scalable Service Engine
Single policy/configuration
Single device to manage
Traditional Appliances
Adapting to Changing Security Requirements
• High integration supporting wide range of services
• Scales as your business grows
• Minimal/No policy changes required
•Rack Space Planning: NONE
•CAPEX: LOW
•OPEX: LOW
[Chart: Security Requirements, FW, IPS & VPN (Gbps; axis ticks 5 and 10), and Network Traffic Requirements plotted over Time, TODAY to FUTURE]
Industry’s Most cost-effective security solution
Power Savings
Price per Gbps
FW/IPS/IPSec VPN
83%
84%
SAVINGS
SAVINGS
10 Gbps FW, IPS & IPSec
VPN Solution
84%
SPACE
SAVINGS
Juniper SRX 3600
Juniper SRX 3600
Cisco ASA 5540
Cisco ASA 5540
31 Appliances
Price per FW Gbps
[Chart: price axis $0 to $350,000 at 10Gbps, 20Gbps and 30Gbps; Cisco ASA 5580 and Juniper SRX 3600; 44% SAVINGS]
Juniper SRX 3600
Cisco ASA 5540
Juniper (mid to high-end) Enterprise Security
Portfolio
SRX5800
150 Gbps
• Services Gateway
• Designed for integration and scalability
• Dynamic Services Architecture
•Terabit Fabric Technology
•Dynamic Processing Pool
50 Gbps
SRX5600
•Dynamic I/O Pool
•JUNOS SW feature delivery
SRX3600
30 Gbps
SRX3400
10 Gbps
NS5400
• FW and Integrated Security
ISG/IDP
• Designed for enhanced perimeter and DC security
Juniper Networks Security Manager
A comprehensive approach to security management
• Device-lifecycle management
– Manages through every phase of device lifecycle: design, deploy, configure, monitor, maintain, upgrade, adjust
• Manage all aspects of configuration
– Manage configuration tasks at device, networking and security levels
• Delegation of administrative access
– Provides needed power and tools to the right groups (access and control)
– Control to provide/restrict information to different people within the organization, allowing them to make appropriate decisions
The
Device
Lifecycle
NSM Management Features
Features: Description
Scheduled Security Updates: Automatically update devices with new attack objects
Domains: Service providers and distributed enterprises may use this mechanism to logically separate devices, policies, reports, objects, etc…
Role-based Administration: Granular approach in which all 100+ activities in the system may be assigned as separate permissions
Object Locking: Multiple administrators can safely and concurrently modify different objects in the system at the same time
Audit Logs: Sortable and filterable record of who made which changes to which objects in the system
Device Templates: Manage shared configuration such as sensor settings in one place
Job Manager: View pending and completed directives (such as device update) and their status
High Availability: Active/passive high availability of the management server
Scheduled Database Backups: Copies of the NSM database may be saved on a daily basis
3-Tier Management
Network-Security Manager (NSM)
NS-5000 Series
ISG / ISG with IDP
SSG Series
Common User
Interface
Centralized
NSM Server
IDP Appliances
Future Direction
Continued
leadership in
security
Best-in-Class Security
JUNOS
Integrated
security and
networking
on JUNOS
Continued
leadership in
networking
Best-in-Class Routing
The High-Value Branch
When remote sites
are essential to the
organization’s strategic mission,
you can WIN!
Ministry of Foreign Affairs
What Are High-Value Remote Locations?
Gateways to Better Businesses
Role / Mission / Changes
Revenue Gateway
Create new sources of revenue and operational efficiencies
• Support partners, guests, and devices
Service Gateway
Attract and retain valuable clients
• Centralization of applications and databases; SaaS
Innovation Gateway
Retain and activate a high quality workforce
• Advanced collaboration
The Humble Storefront
The Mission Critical Clinic
The High-Powered Center of Excellence
• Reputation and compliance
• Privacy and compliance
• Unrestricted Internet access for employees
THANK YOU