SRX 3400/3600 Services Gateways
Securing the Enterprise - new trends
on networking security
SCOP / Bucharest 15th April 2009
Uwe Richter
Sr. SE Manager Eastern Europe
The most flexible, cost-effective solution for mid to large enterprises and service providers
‹#› | Copyright © 2009 Juniper Networks, Inc. | www.juniper.net
Juniper Networks - Leadership & Expertise
NS1000
NS1000 w
Switch 2
1G FW &
1G VPN
100 VSYS
2000
ISG 2000
2G FW &
1G VPN
250 VSYS
A/A-Full
Mesh HA
NS-5200
4G & 12G FW
3M & 9M PPS
500 VSYS
<78 interfaces
& 4000 VLANs
NS-5400
10G & 30G FW
6M & 18M PPS
10 GigE interfaces
Jumbo Frames
Hardware AES
SRX 5600
SRX 5800
60G & 100+G FW
20G & 40+G IPS
4M & 8M Sessions
Now
Gartner’s Magic Quadrant
[Chart: Worldwide Integrated Security Appliance Revenue Market Share: ≥$30,000. Y-axis: Market Share (%), 0% to 100%. X-axis: Calendar Quarter, 1Q05 to 1Q08. Vendors shown: Juniper, Cisco, Nortel, Nokia. Source: Infonetics, Jun 2008]
Fortinet
Juniper Networks
“Upper-right”
• Firewall & IPSec
VPN
What customers expect...
Integrated Services
Deliver a superior user
experience
Scalable Performance
Faster application and
service deployment
Operational Simplicity
Total cost of ownership
advantage
FAST
RELIABLE
Today’s Enterprise Requirements
Enablement versus Constraint
Core / Infrastructure: 10 GigE
– More traffic, new/next gen apps, video and other
streaming media
Customers demand full-fledged security posture
for network performance
– Deliver all security services at scale
Business Challenges
Performance and Flexibility Compromise
Traditional solutions based
on performance/flexibility
tradeoff
Limited performance
options
Performance
Flexibility
– Deploy more platforms
– Disable “expensive” features
Limited flexibility options
– Deploy dedicated appliances
Pitfall of Today’s Security Adaptability
Limited flexibility in adapting to business requirements
Poor service integration resulting in poor business operations
– Complex rack space planning
– Installation, management and maintenance overhead
•Rack Space Planning: High
•CAPEX: High
•OPEX: High
[Chart: Security Requirements, FW, IPS & VPN (Gbps, axis marks at 5 and 10) against Network Traffic Requirements over Time, TODAY to FUTURE; labelled ASA 5540]
Dynamic Services Architecture ™
Dedicated Control Plane
Built-on Terabit Fabric
– Interchangeable I/O and
processing cards
– Any service, any card
Service Integration
via
JUNOS ™
Fabric
Feature integration on
JUNOS
– Fast time to market
– Tightest integration
between features
Carrier-class Reliability
Dedicated
Management
Interface
Scalability
FW
IDP
NAT VPN
DoS QoS
Processing
Scalability
SRX Services Gateway
Family of JUNOS-based Dynamic Services Gateways
Dynamic Services
Consolidate Management Framework
App Layer
Forwarding
Routing
Threat
Prevention
Firewall
IPS
Access Control
IPSec
VPN
SRX Dynamic Services Gateway
NAT
SRX Dynamic Services Gateways
Sept 2008 Market Introduction
SRX5000 Series Services Gateway
Revolutionary Architecture
Integrated Services
Scalable Performance
Operational Simplicity
World’s Fastest Security
Solution
The heritage of ScreenOS on
JUNOS
Juniper (mid to high-end) Enterprise Security
Portfolio
150 Gbps
SRX5800
• Services Gateway
• Designed for integration and scalability
• Dynamic Services Architecture
•Terabit Fabric Technology
•Dynamic Processing Pool
50 Gbps
SRX5600
•Dynamic I/O Pool
•JUNOS SW feature delivery
30 Gbps
Products addressing
this segment?
10 Gbps
NS5400
• FW and Integrated Security
ISG/IDP
• Designed for enhanced perimeter and DC security
No Compromise Security:
SRX3000-line: The most cost-effective network security solution
Maximum Flexibility without
Sacrificing Security
Unmatched Price /
Performance
Powered by JUNOS and
Juniper’s Dynamic Services Architecture (DSA)
Based on Dynamic Services Architecture™
for accelerated new service deployment
SRX3400
Hardware
Modular chassis
– 7 slots (4 front, 3 rear)
– MGT module – dual, hot swap
– 3U chassis height
Fixed Interfaces
– 12 built-in (8-10/100/1000 + 4-SFP)
– 2 Ethernet Management Ports
Modular Interfaces
Front
– 16-10/100/1000
– 16-SFP
– 2-XFP
Performance & Capacities
FW – 10/20 Gbps
VPN – 6 Gbps
IDP – 6 Gbps
Concurrent sessions – 1M
New and sustained CPS – 175k
Concurrent IPSec VPN tunnels – 10k
Rear
SRX3600
Hardware
Modular chassis
– 12 slots (6 front, 6 rear)
– MGT module – dual, hot swap
– 5U chassis height
Fixed Interfaces
– 12 built-in (8-10/100/1000 + 4-SFP)
– 2 Ethernet Management Ports
Modular Interfaces
– 16-10/100/1000
– 16-SFP
– 2-XFP
Performance & Capacities
FW – 10/20/30 Gbps
VPN – 10 Gbps
IDP – 10 Gbps
Concurrent sessions – 2M
New and sustained CPS – 175k
Concurrent IPSec VPN tunnels – 20k
Front
Rear
Sample SRX3000 Base Configurations
SRX3400
SRX3600
– Minimal Configuration
– Minimal Configuration
SRX 3400 Chassis
1 SPC
1 NPC
SRX 3600 Chassis
1 SPC
1 NPC
SRX 3K Packet Flow – Fully Integrated
Flow Lookup
Network
Processing
Cards
Classification
DoS/DDoS
Policing
Routing /
Device MGT
RE
Services
Oversubscription
Control
1.5
FW/VPN/IDP
NAT/Routing
Ingress
Fabric
Fabric
Packet
Egress
Packet
Integrated in SRX 5000 IOC
Input/Output
Cards
QoS/Shaping
Services
Processing
Cards
Integrated Services
Dynamic Services Architecture Differentiator
Juniper SRX
Dedicated Control Plane
Buildable Processing Pool
Buildable I/O Pool
Scalable Service Engine
Single policy/configuration
Single device to manage
Traditional Appliances
Adapting to Changing Security Requirements
High integration supporting wide range of services
Scales as your business grows
Minimal/No policy changes required
•Rack Space Planning: NONE
•CAPEX: LOW
•OPEX: LOW
[Chart: Security Requirements, FW, IPS & VPN (Gbps, axis marks at 5 and 10) against Network Traffic Requirements over Time, TODAY to FUTURE]
Industry’s Most cost-effective security solution
Power Savings
Price per Gbps
FW/IPS/IPSec VPN
83%
84%
SAVINGS
SAVINGS
10 Gbps FW, IPS & IPSec
VPN Solution
84%
SPACE
SAVINGS
Juniper SRX 3600
Juniper SRX 3600
Cisco ASA 5540
Cisco ASA 5540
31 Appliances
[Chart: Price per FW Gbps, $0 to $350,000, at 10Gbps, 20Gbps and 30Gbps. Series: Cisco ASA 5580, Juniper SRX 3600. Callout: 44% SAVINGS]
Juniper SRX 3600
Cisco ASA 5540
Juniper (mid to high-end) Enterprise Security
Portfolio
SRX5800
150 Gbps
• Services Gateway
• Designed for integration and scalability
• Dynamic Services Architecture
•Terabit Fabric Technology
•Dynamic Processing Pool
50 Gbps
SRX5600
•Dynamic I/O Pool
•JUNOS SW feature delivery
SRX3600
30 Gbps
SRX3400
10 Gbps
NS5400
• FW and Integrated Security
ISG/IDP
• Designed for enhanced perimeter and DC security
Juniper Networks Security Manager
A comprehensive approach to security
management
Device-lifecycle management
– Manages through every phase of device lifecycle:
design, deploy, configure, monitor, maintain,
upgrade, adjust
Manage all aspects of configuration
– Manage configuration tasks at device,
networking and security levels
Delegation of administrative access
– Provides needed power and tools to the right
groups
(access and control)
– Control to provide/restrict information to
different people within the organization, allowing
them to make appropriate decisions
The
Device
Lifecycle
NSM Management Features
Features – Description
Scheduled Security Updates – Automatically update devices with new attack objects
Domains – Service providers and distributed enterprises may use this mechanism to logically separate devices, policies, reports, objects, etc.
Role-based Administration – Granular approach in which all 100+ activities in the system may be assigned as separate permissions
Object Locking – Multiple administrators can safely and concurrently modify different objects in the system at the same time
Audit Logs – Sortable and filterable record of who made which changes to which objects in the system
Device Templates – Manage shared configuration such as sensor settings in one place
Job Manager – View pending and completed directives (such as device update) and their status
High Availability – Active/passive high availability of the management server
Scheduled Database Backups – Copies of the NSM database may be saved on a daily basis
3-Tier Management
Network-Security Manager (NSM)
NS-5000 Series
ISG / ISG with IDP
SSG Series
Common User
Interface
Centralized
NSM Server
IDP Appliances
Future Direction
Continued
leadership in
security
Best-in-Class Security
JUNOS
Integrated
security and
networking
on JUNOS
Continued
leadership in
networking
Best-in-Class Routing
The High-Value Branch
When remote sites
are essential to the
organization’s strategic mission,
you can WIN!
Ministry of Foreign Affairs
What Are High-Value Remote Locations?
Gateways to Better Businesses
Role
Mission
Changes
Revenue
Gateway
Create new sources
of revenue and
operational
efficiencies
Support partners, guests,
and devices
Service
Gateway
Attract and
retain valuable
clients
Centralization of applications
and databases; SaaS
Innovation
Gateway
Retain and activate
a high quality
workforce
Advanced collaboration
The Humble
Storefront
The Mission
Critical Clinic
The High-Powered
Center of Excellence
Reputation and compliance
Privacy and compliance
Unrestricted Internet access
for employees
THANK YOU