Transcription

Product BrochureSecurity PortfolioJuniper NetworksIntegrated Firewall/VPN PlatformsFixedSmal Telecomml Medium O uter orfficeBranSSG.1. .4. .0. . . .S. .S.G. . 5.S. . .S.G. .2. 0.SRX 5800. . . SSG. . . . . .3. 20M. . . . . .Regional OfficeSSG. . . .5. .2.0M.InterSRX 5600.netG. . . .S. S. . . 550MNS540 0. . . . . . . 5 NS. . . .2. .0. .0.NSMAdminNeSecu twork andrityNSM. . . . . . . 2 ISG. . . . .0. .0. . .0. . . .ISG. . . .1. .0.0. . .0.ch Office. . . . . . S. SG 350. M.

2Security PlatformsJuniper Networks SSG 5/SSG 5 WirelessJuniper Networks SSG 20/SSG 20 WirelessJuniper Networks SSG 140Juniper Networks SSG 320M/350MJuniper Networks SSG 520M/550MJuniper Networks ISG 1000Juniper Networks ISG 2000Juniper Networks NetScreen-5200Juniper Networks NetScreen-5400Juniper Networks SRX-5600Juniper Networks SRX-5800Strong Security for Access Control, User Authentication, and AttackProtection at the Network and Application LevelAs threats to the network grow more prevalent and destructive, securing theinfrastructure is critical to maintaining a viable business. Attacks come frommultiple sources in a variety of forms. Enterprises and service providers need morethan just a security device; they require a comprehensive, reliable security solutionbacked by an industry leader.The Juniper Networks integrated security devices are purpose-built to performessential networking security functions. Optimized for maximum performanceand feature integration, they are designed on top of robust networking andsecurity real-time operating systems, Juniper Networks ScreenOS and JUNOS software. Designed from ground up to provide the superior networking and securitycapabilities, these operating systems are not plagued by inefficiencies andvulnerabilities of general-purpose operating systems.With a range of purpose-built, high-performance platforms that deliver integratedsecurity and LAN/WAN routing across high-density LAN/WAN interfaces, JuniperNetworks integrated security devices address the needs of small to mediumbusinesses, large distributed enterprises, and service providers as well as largeand co-located datacenters. These integrated devices can protect the networkfrom all manner of attacks and malware while simultaneously facilitating securebusiness-to-business communications.Product Line highlights: Complete set of Unified Threat Management (UTM) security features—includingstateful firewall, intrusion prevention, antivirus (instant message scanning, antispyware, anti-adware, and anti-phishing), anti-spam, and Web filtering—stopsworms, spyware, trojans, malware, and other emerging attacks. (Note that notall UTM features are available on all platforms.) Centralized, policy-based management minimizes the chance of overlookingsecurity holes by simplifying rollout and network-wide updates. Virtualization technologies make it easy for administrators to divide thenetwork into secure segments for additional protection. Various high-availability options offer the best redundant capabilties for anygiven network. Rapid-deployment features, including Auto Connect VPN, help minimizerepetitive tasks and the administrative burden associated with widespreaddeployments.

3Perimeter Defense Begins with Network-Level ProtectionTo protect against network-level attacks, Juniper Networks devices use a dynamic packet filteringmethod known as stateful inspection to unmask malicious traffic. With this method, firewallscollect information on various components in a packet header, including source and destinationIP addresses, source and destination port numbers, and packet sequence numbers. When aresponding packet arrives, the firewall will compare the information reported in its header with thestate of its associated session. If they do not match, the packet is dropped.Stateful inspection provides more security than other firewall technology such as packet filteringbecause the traffic is examined under the context of the connection and not as a collection ofvarious packets. By default, the Juniper Networks firewall denies all traffic in all directions. Then, byusing centralized, policy-based management, enterprises can create security policies that define theparameters of traffic that is permitted to pass from specified sources to specified destinations.Secure, reliable WAN connectivity also plays an important role in network-level protection. Bydeploying robust virtual private networks (VPNs), remote sites can be securely connected to otherremote sites and to centralized data and applications using high-bandwidth shared media suchas the Internet. Features such as Auto Connect VPN, available on select models, can help easethe administration and management of VPNs, particularly in hub-and-spoke topologies, allowingsecure connections to be automatically set up and taken down without manual configuration.Day-Zero Protection Against Application-Level AttacksTo help block malicious application-level attacks, Juniper Networks seamlessly integratesintrusion prevention across the entire product line. For central enterprise sites, data centerenvironments and service provider networks with high volumes of throughput, the JuniperNetworks Integrated Security Gateway (ISG) series with IDP and SRX 5000 line can be deployedfor application-level protection. The ISG and SRX-series tightly integrates the same software foundon the Juniper Networks IDP Platforms to provide unmatched application-level protection againstworms, trojans, spyware, and malware. More than 60 protocols are supported including thoseused by advanced applications such as VoIP and streaming media.Unmatched security processing power and network segmentation features protect critical highspeed networks against the penetration and proliferation of existing and emerging applicationlevel threats. With multiple attack detection mechanisms, including stateful signatures andprotocol anomaly, the ISG series and SRX 5000 line performs in-depth analysis of applicationprotocol, context, and state to deliver Zero-day protection from application level attacksOn all other models, security administrators can deploy IPS capability using the Deep Inspectionfirewall to block application-level attacks. Deep Inspection utilizes two of the eight attackdetection mechanisms available on the standalone IDP platforms and integrates them with thestateful inspection firewall. Deployed in perimeter locations such as the branch office, a DeepInspection firewall can block application-level attacks before they infect the network and inflictany damages.

4Security Solution Portfolio Juniper Networks Firewall/VPN SolutionsIntegrated Antivirus Protects Remote LocationsFor remote offices or smaller locations without full-time IT staff, integration and simplicity are anabsolute must in any security solution. Juniper Networks currently provides integrated file-basedantivirus protection from Kaspersky Lab on the Secure Services Gateway (SSG) family. Theseproducts combine firewall and VPN capabilities with an antivirus scanning engine that includesanti-phishing, anti-spyware, anti-adware to provide a comprehensive security solution in a singledevice.These integrated appliances scan for viruses imbedded in both email and Web traffic byscrutinizing IMAP, SMTP, FTP, POP3, IM and HTTP protocols. They provide the most advancedprotection from today’s fast-spreading worms, viruses, trojans, spyware, and other malware fromdamaging the network. With its ability to uncompress files using common protocols, the enginescans deep inside attachments to detect threats hidden in multiple levels of compression.Controlling Access to Known Malware and Phishing Web SitesEmployees who access inappropriate Web sites from the corporate network risk bringing malicioussoftware into the organization. Worse, their errors in judgment could also expose the company tolitigation for not having adequate controls in place. Juniper Networks integrated security devicesare the ideal solution to help organizations devise and enforce responsible Web usage policies.Two approaches are available: external and integrated Web filtering. External Web filtering, availableon all Juniper Networks firewall and VPN devices, redirects traffic from the device to a dedicatedWebsense Web filtering server for enforcement of the organization’s policies. Integrated Webfiltering, available on the Juniper Networks SSG family, enables enterprises to build their own Webaccess policies by selectively blocking access to sites listed in a continuously updated database.Maintained by Websense, a Juniper Networks security alliance partner, the database lists morethan 20 million URLs organized into more than 54 categories of potentially problematic content.Customers can rapidly deploy integrated or external Web filtering using default configurationsbased on the Websense database. Web filtering profiles can be customized by using black lists orwhite lists, plus a number of predefined and user-defined categories.Blocking Inbound Spam and Phishing AttacksJuniper Networks has teamed with Symantec Corporation to leverage Symantec’s market-leadinganti-spam solution and reputation service for Juniper’s small-to-medium office platforms to helplimit unwanted emails and the potential attacks they carry. Installed on the Juniper Networksfirewall/VPN gateway, the anti-spam engine filters incoming email from known spam and phishingusers, acting as a first line of defense. When a known malicious email arrives, it is blockedand/or flagged so that the email server can take appropriate action. Integrated anti-spam isavailable on the Juniper Networks entire SSG family.

5Virtualization Boosts Security by Dividing the Network into MultipleNetwork SegmentsVirtualization technologies in the Juniper Networks integrated firewall/VPN security solutionsenable users to segment their network into many separate compartments, all controlled througha single appliance. Administrators can simply segment traffic bound for different destinations,or they can further divide the network into distinct, secure segments with their own firewalls andseparate security policies.The firewall/VPN devices support the following virtualization technologies: Security Zones: Supported on every product, security zones represent virtual sections ofthe network, segmented into logical areas. Security zones can be assigned to a physicalinterface or, on the larger devices, to a virtual system. When assigned to a virtual system,multiple zones can share a single physical interface which lowers ownership costs byeffectively increasing interface densities. Virtual Systems (VSYS): Available on the ISG and the NetScreen-5000 series, virtualsystems are an additional level of partitioning that creates multiple independent virtualenvironments, each with its own set of users, firewalls, VPNs, security policies, andmanagement interfaces. By providing administrators with the ability to quickly segmentnetworks into multiple secure environments managed through a single device, VSYS enablesnetwork operators to build multi-customer solutions with fewer physical firewalls and reducedadministrative attention. This reduces both capital and operational expenses. Virtual Routers (VR): Supported on all products, virtual routers enable administrators topartition a single device so it functions like multiple physical routers. Each VR can support itsown domains, ensuring that no routing information is exchanged with domains established onother VRs. This enables a single device to support multiple customer environments, loweringtotal cost of ownership. Virtual LANs (VLAN): Supported on all platforms, VLANs are a logical – not physical –division of a subnetwork that enables administrators to identify and segment traffic at a verygranular level. Security policies can specify how traffic is routed from each VLAN to a securityzone, virtual system or physical interface. This makes it easy for administrators to identifyand organize traffic from multiple departments and define what resources each can access.InterFW/Domain 1Zone AVLAN 1 VLAN N netVPN Zone NVLAN 1 VLAN NZone ADomain N VLAN 1 VLAN NZone NVLAN 1 VLAN NNetworks are segmented intohierarchies of secure compartmentsusing virtual technology.

6Security Solution Portfolio Juniper Networks Firewall/VPN SolutionsComprehensive High-Availability Solutions Ensure UptimeA security system is only as good as its reliability and uptime. Juniper Networks security solutionsinclude reliable, high-availability systems based on the NetScreen Redundancy Protocol (NSRP).Firewalls and VPNs can be synchronized between high availability pairs to provide subsecondfailover to a backup device. Configuration options include:System RedundancyActive/Active/Full mesh high availabilityconfigurations maintain servicedespite device failureshhhhhFailure8Gbps4Gbps Active/Passive: Master deviceshares all network, configurationsetting, and current sessioninformation with the backup sothat, in the event of a failure,the backup can take over ina seamless manner. JuniperNetworks NetScreen-SecurityManager provides centralized,policy-based control. Active/Active: Both devices areactive, sharing an approximateequal amount of the load. If onefails, the other unit takes over tomaintain traffic flow and security. Active/Active/Full Mesh: Both devices are configured to be active, with traffic flowingthrough each. Should one device fail, the other device becomes the master and continuesto handle 100 percent of the traffic. The redundant physical paths provide maximumresiliency and uptime.Device Integration Made EasyNetworks are never static. Potentially costly and time-consuming changes and additions occurall the time. When the network topology changes, or as new offices, business partners, andcustomers are added to the network, network interoperability becomes especially important. Tosimplify network integration and help minimize administrative effort when changes are required,Juniper Networks integrated security solutions can operate in three different modes: Transparent mode affords the simplest way to add security to the network. In transparentmode, organizations can deploy a Juniper Networks firewall/VPN appliance without makingany other changes to the network: firewall, VPN, and denial-of-service (DoS) mitigationfunctions work without an IP address, making the device “invisible” to the user. Route mode enables the security device to actively participate in network routing bysupporting both static and dynamic routing protocols, including BGP, OSPF, RIPv1, RIPv2, andECMP. Route mode enables administrators to quickly deploy multilayer security solutions witha minimum of manual configuration. NAT mode automatically translates an IP address or a group of IP addresses to a singleaddress to hide an organization’s private addresses from public view.Juniper Networks integrated security devices support both static and dynamic addressassignment through DHCP or PPPoE, enabling Juniper Networks solutions to operate in anynetwork environment.

7Unbound ScalabilityAs network requirements continue to evolve, the processing and I/O requirements for variousnetwork devices will also evolve. To meet the demands of ever changing scalability requirements,the SRX 5000 line service gateway leverage the dynamic services architecture (DSA).DSA enables the most flexible I/O and processing configuration by supporting service processingcards and I/O cards on the same slot allowing configuration of the SRX 5000 line to be configuredas processing intensive solution or I/O intensive solution and anywhere in between. The scalabilitywith incremental cards are almost linear with very little overhead. The DSA architecture is onlyavailable on the SRX 5000 line services gateway.Network and Security Manager Provides Centralized, Policy-Based ControlNetwork and Security Manager takes a new approach to security management by providing ITdepartments with an easy-to-use solution that controls all aspects of the firewall/VPN securitydevice, including device configuration, network settings, and security policy.Unlike solutions that require administrators to use multiple management tools to control a singledevice, Network and Security Manager enables IT departments to control the device throughoutits life cycle with a single, centralized dashboard. It is designed specifically to foster teamworkamong device technicians, network administrators, and security personnel.The intuitive user interface of Network and Security Manager streamlines the process of configuringdevices, creating security policies, and setting up VPNs. It is easy to delegate administrative rolesso that everyone who plays a role has access to the information and controls they need, whilecomprehensive logging tracks who performs each action. Dramatic reductions in operating costsare common because Network and Security Manager promotes organizational efficiency like noother product on the market. Network and Security Manager is the common management serverfor all Juniper Networks firewall products as well as IDP, SSL VPN and Unified Access Control (UAC)product lines.For Low-Cost Rapid Deployment, Drop Ship Devices—Not AdministratorsTo avoid the high cost of sending administrators to configure systems at remote sites, JuniperNetworks integrated security devices can be installed by nontechnical users. With the Networkand Security Manager Rapid Deployment functionality, network administrators do not need topreconfigure the devices or handle them in any way.At the remote site, the new device simply needs to be cabled up and loaded with a smallconfiguration file, which a central administrator has either emailed or sent on CD to the remotelocation. The initial configuration file establishes a secure connection to Network and SecurityManager which then pushes the complete configuration files to the new device.Performance-EnablingServices and SupportJuniper Networks is the leaderin performance-enablingservices and support, whichare designed to accelerate,extend, and optimize yourhigh-performance network.Our services allow you to bringrevenue-generating capabilitiesonline faster so you can realizebigger productivity gains,faster rollouts of new businessmodels and ventures, andgreater market reach, whilegenerating higher levels ofcustomer satisfaction. At thesame time, Juniper Networksensures operational excellenceby optimizing your network tomaintain required levels ofperformance, reliability, andavailability. For more details,please visit www.juniper.net/products and services.

8Security Solution Portfolio Juniper Networks Firewall/VPN SolutionsCORPORATE AND SALES HEADQUARTERSAbout Juniper NetworksJuniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, CA 94089 USAPhone: 888.JUNIPER (888.586.4737)or 408.745.2000Fax: 408.745.2100www.juniper.netJuniper Networks, Inc., is the leader in high-performance networking. Juniper offers ahigh-performance network infrastructure that creates a responsive and trusted environmentfor accelerating the deployment of services and applications over a single network. This fuelshigh-performance businesses. Additional information can be found at www.juniper.net.APAC HEADQUARTERSJuniper Networks (Hong Kong)26/F, Cityplaza One1111 King’s RoadTaikoo Shing, Hong KongPhone: 852.2332.3636Fax: 852.2574.7803EMEA HEADQUARTERSJuniper Networks IrelandAirside Business ParkSwords, County Dublin, IrelandPhone: 35.31.8903.600Fax: 35.31.8903.601Copyright 2008 Juniper Networks, Inc. Allrights reserved. Juniper Networks, the JuniperNetworks logo, JUNOS, NetScreen, andScreenOS are registered trademarks of JuniperNetworks, Inc. in the U