AGENDA
13.00
13.30
15.30
17.30
Welcome
SRX update + Application Aware FW positioning
Value Add proposition having onbox AV (Kaspersky)
MAG SSL/UAC license scenarios recap; vGW short recap (demo)
Coffee break
EX technology portfolio update
"The new network is simply connected"
Wireless Newsflash
Westcon Academy Juniper Training update
Great drinks & Fingerfood @ SKYBAR terrace
Copyright
© 2011 Juniper Networks, Inc. www.juniper.net
Legal Disclaimer: This statement of product direction (formerly called “roadmap”) sets forth Juniper Networks' current intention, and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this statement.
Frederick Verduyckt
Security System Engineer
DON'T TAKE OUR WORD FOR IT ….
SRX650 wins Best of Interop Award, Infrastructure Category: “Branch Office Swiss Army Knife” that “packs a bunch of horsepower and features”
SRX210 wins Tokyo Interop Grand Prix (highest honor) for SMB Infrastructure: “Amazed that high-performance JUNOS software is installed in this small appliance” – the vote was unanimous!
BRANCH SRX DELIVERS… CONSOLIDATED SECURITY AND NETWORKING
All-in-One: Firewall, VPN, IPS, Anti-Virus, Anti-Spam, Web filtering, Routing / WAN, LAN, Switching
• Single device for routing, switching, and security
• Comprehensive security
• Easy to activate new layers of security
BRANCH SRX PORTFOLIO
Small Office → Small to Medium Office → Large Branch/Regional Office
• SRX100/110
• SRX210: WAN slot, 2 x GigE, PoE
• SRX220: + 2 WAN slots, 8 x GigE, PoE
• SRX240: + 4 WAN slots, 16 x GigE, PoE
• SRX650: + More LAN slots, dual processors, dual P/S
SRX SERVICES GATEWAYS
Highly configurable
– Fixed, semi-modular, and modular form factors
– Choice of WAN and LAN interfaces
Extensive integration
– Full suite of JUNOS routing and switching capabilities
– Unmatched security, including FW, VPN, UTM, UAC, and full IPS
Exceptional performance and availability
– Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS
– Control & data plane separation, redundant processing and power

| Model  | Configuration    | FW/IPS Performance |
|--------|------------------|--------------------|
| SRX100 | Fixed            | 600/60 Mbps        |
| SRX210 | 1 mini PIM slot  | 750/80 Mbps        |
| SRX220 | 2 mini PIM slots | 950/100 Mbps       |
| SRX240 | 4 mini PIM slots | 1500/250 Mbps      |
| SRX650 | 8 GPIM slots     | 7000/900 Mbps      |
SRX SERVICES GATEWAYS DATA CENTER SERIES COMPARISON
Max. Value, Junos 10.4

| | SRX1400 (GE / XGE model) | SRX3400 | SRX3600 | SRX5600 | SRX5800 |
|---|---|---|---|---|---|
| FW Throughput | 10 Gbps | 20 Gbps | 30 Gbps | 60 Gbps | 150 Gbps |
| VPN Throughput | 2 Gbps | 6 Gbps | 10 Gbps | 15 Gbps | 30 Gbps |
| IPS Throughput | 2 Gbps | 6 Gbps | 10 Gbps | 15 Gbps | 30 Gbps |
| Max PPS | 1 million | 3.5 million | 6.5 million | 9 million | 21 million |
| Max Sessions (/ with add’l license) | 0.5 million | 2.25 / 3 million | 2.25 / 6 million | 9 million | 12.5 million / 14 million (with caveats) |
| New & Sustained CPS (/ with add’l license) | 45k | 175k | 175k / 300k | 350k | 350k |
| Built-in 10/100/1000Base-T | 6 / 6 | 8 | 8 | | |
| Built-in 1000Base-X (HA off / on) | 6/4 / 3/1 | 4 | 4 | | |
| Built-in 10GBase-F | 0 / 3 | | | | |
| Total I/O Ports, GbE (HA off / on) | 28/26 / 25/23 | 76 | 108 | 200 | 440 |
| Total I/O Ports, 10 GbE | 2 / 5 | 8 | 12 | 40 | 88 |
SRX210 ENHANCED
Improved SRX210 with faster processor!
• Increases processor speed to 600MHz from 400MHz (the existing SRX210 has a 400MHz processor)
• Provides faster J-Web, improved boot-up time, faster throughput
• Provided under new SKUs: SRX210BE, SRX210HE, SRX210HE-POE
• No change to list price
• No change to datasheet specs
• FIPS & EAL4 Certs submitted with 10.4
• End-of-Sale of the existing SRX210 will be announced after the certifications are received in 2H 2011, providing at least 6 months' notice for last-time-buy (LTB)
SRX110
Single box solution for Enterprise and MSP
• Fixed form factor: 8 10/100MB Ethernet ports
• WAN Options: VDSL Annex A or VDSL Annex B with ADSL fallback; 3G USB Modem port for backup; Express slot is being deprecated
• Feature rich in Routing, Switching and Security
  – Security – UTM, Stateful Firewall, IPSec VPN
  – Routing – RIP, OSPF, BGP, MPLS, VPLS
  – Switching – Ethernet Switching features parity with SRX 100
• External CF for more storage options

| SKU | Memory & Storage | LAN | DSL WAN | 3G WAN |
|---|---|---|---|---|
| SRX110H-VA-3G | 1GB RAM, 1GB Flash | 8 x FE | VDSL Annex A | Yes |
| SRX110H-VB-3G | 1GB RAM, 1GB Flash | 8 x FE | VDSL Annex B | Yes |

Security & Performance
• Routing Performance: Est. 100Kpps
• Firewall Performance: 750Mbps (Large Pkt), 250 Mbps (IMIX)
• VPN Performance: 75 Mbps
• IDP Performance: 65 Mbps
• AV & IDP HW Acceleration: NO
• High Availability (Q3 ‘11): A/A or A/P
3G/4G FOR SRX – UPDATES
USB 3G/4G – This is the Future
• Direct plug-in USB Modem Support for SRX100, SRX110 and SRX210E
• GSM/HSPA+ Modem support in Q3 '11 (Sierra Wireless 319U)
• Secure Modem with Modem Cap (2H '11); recommended for use with SRX
• LTE/HSPA modem support in 1H '12
• LTE/EVDO Modem support in 1H '12
• SRX/Junos based 3G support
• No USB 3G support on 220/240/650
CX111 Bridge
• CX111 3G/4G Bridge for “ALL” SRX, SSG & J-Series
• Worldwide 70+ Modems supported in latest firmware (July '11)
• Verizon LTE supported NOW
• CX111 supports SNMP NOW (v 1.8.2, July 2011)
• Junos CLI based management Phase-1 release in Q4 '11
SRX550
New platform for mid-large branches; faster than a J6350. Beta in 11.4.
• Flexible Slots
  – Two mPIM slots for low-speed interfaces
  – Six PIM slots (2 XPIM + 4 GPIM)
  – One ACE slot (future CPU offload)
• Support for LAN bypass (ports 4 and 5)
• 10xGE ports built-in: 6xGE, 4xSFP
• Dual PSU support
• Two USB ports
• Serial and USB-based Console
• External CF/SSD for storage

Security & Performance Targets
• Routing Performance: Est. 700Kpps
• Firewall Performance: 2 Gbps (IMIX), 8 Gbps (large packets)
• AV & IDP HW Acceleration: Yes
• IPSec Performance: TBD
WHERE IS SECURITY HEADED? CONTEXT AWARENESS
“Location, device and user” vs. “Source to Destination”
[Figure: Global High-Performance Network connecting Branch, Campus and Mobile Clients; policy context labels: What User, User Device, User Location, Destination]
APPSECURE SOFTWARE SERVICE SUITE

| AppTrack | AppFW | AppQoS | AppDoS | IPS |
|---|---|---|---|---|
| Understand security risks | Block access to risky apps | Prioritize important apps | Protect apps from bot attacks | Remediate security threats |
| Address new user behaviors | Allows user tailored policies | Rate limit less important apps | Allow legitimate user traffic | Stay current with daily signatures |

2H 2011
• Subscription service includes all modules and updates
• Juniper Security Lab provides 800+ application signatures
APPSECURE USE CASE – COST REDUCTION
Customer Profile: Large technology company with over 100 offices worldwide
Customer Initiative: IT cost reduction through standardization on a smaller number of supported applications
AppSecure Implementation
• AppTrack: Identify global use of applications, cloud-based or not
• AppFW: Block out-of-policy applications
• AppQoS: Prioritize business-critical applications (Oracle, GoogleSites); lower priority of less essential applications (QuickTime)
APPSECURE USE CASE – COMPLIANCE
Customer Profile: US based HR recruiting firm with clients in US and EMEA
Customer Initiative: Standardize on a single e-mail application to meet compliance guidelines
AppSecure Implementation
• AppTrack: Identify and permit Microsoft Outlook traffic
• AppFW: Identify and permit access to LinkedIn to enable recruiting productivity; identify and deny access to LinkedIn’s In-Mail application
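The two use cases above only name the modules. As an added example (editor's, not a slide from this deck or a Juniper reference configuration), here is what the same intent looks like as Junos configuration on an SRX: AppTrack enabled on the trust zone for visibility, an AppFW rule set that denies one nested web application while permitting the rest of HTTP/HTTPS, and an AppQoS rule set that marks a business application for expedited forwarding and rate-limits a media application. The hierarchy names follow the Junos 11.4-era AppSecure syntax as assumed here; the zone and interface names, the rate-limiter values, and every `junos:...` dynamic-application name are placeholders and must be replaced with the names your signature package actually carries.

```junos
/* Added example (not from the deck): AppTrack + AppFW + AppQoS on one SRX security policy.
   Hierarchy names are the Junos 11.4-era AppSecure syntax as assumed by the editor.
   All junos:... dynamic-application names below are PLACEHOLDERS; look the real
   ones up with "show services application-identification application summary". */
security {
    zones {
        security-zone trust {
            application-tracking;          /* AppTrack: account application usage seen on this zone */
            interfaces { ge-0/0/1.0; }     /* placeholder interface */
        }
        security-zone untrust {
            interfaces { ge-0/0/0.0; }     /* placeholder interface */
        }
    }
    application-firewall {
        rule-sets compliance-web {
            /* AppFW: deny one nested web application, permit everything else matched by the policy */
            rule deny-linkedin-inmail {
                match { dynamic-application junos:LINKEDIN-INMAIL; }   /* placeholder name */
                then { deny; }
            }
            default-rule { permit; }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy web-out {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];   /* predefined L4 applications */
                }
                then {
                    permit {
                        application-services {
                            application-firewall { rule-set compliance-web; }
                            application-traffic-control { rule-set app-priority; }
                        }
                    }
                    log { session-close; }   /* per-session evidence alongside the AppTrack view */
                }
            }
        }
    }
}
class-of-service {
    application-traffic-control {
        rate-limiters low-priority {
            bandwidth-limit 1000;          /* kbps, placeholder value */
            burst-size-limit 125000;       /* bytes, placeholder value */
        }
        rule-sets app-priority {
            /* AppQoS: prioritize the business-critical app, rate-limit the less essential one */
            rule erp {
                match { application junos:ORACLE; }        /* placeholder name */
                then {
                    forwarding-class expedited-forwarding;
                    dscp-code-point 101110;               /* EF */
                }
            }
            rule media {
                match { application junos:QUICKTIME; }     /* placeholder name */
                then {
                    rate-limit {
                        client-to-server low-priority;
                        server-to-client low-priority;
                    }
                }
            }
        }
    }
}
```

The AppFW rule set is attached to a policy that already permits the L4 application, so identification happens inside an allowed session and the deny closes only the nested application; the `default-rule permit` is what keeps ordinary LinkedIn browsing working. AppQoS lives under `class-of-service` but is referenced from the same `application-services` block, which is why one policy can carry both.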
APPSECURE AVAILABILITY

| Module | High End SRX | Branch SRX |
|---|---|---|
| AppTrack | 11.1 | 11.2 |
| AppFW | 11.4 | 11.2 |
| AppQoS | 11.4 | 1H12 |
| AppDoS | 11.4 | TBD |
| IPS | 11.4 | |
| User-Roles | 12.1 | 12.1 |
WHAT IS LSYS?
• Virtualization of many aspects of Junos, especially security policies and enforcement options
• “Complete” separation of a single device into unique virtual instances, including:
  – Administrative separation – users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box
  – Traffic separation – network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
  – Resource separation – resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances
• An evolution of ScreenOS’s VSYS concept
LSYS VS. VSYS
ScreenOS VSYS (Virtual System): Virtual Router → Zone → Interface → IP
Junos* LSYS (Logical System): VR → Zone → Interface → IP
*All interfaces in a given zone must be in the same routing instance
LSYS ISN’T A HYPERVISOR-LEVEL VIRTUALIZATION
• Only one version of Junos is running on the SRX
• System daemons have been made ‘LSYS aware’; in some cases, multiple daemons are used, one per LSYS
• Akin to “Operating System-Level virtualization”: looks and feels like a real system, and has resource protection to protect one from another
EXAMPLE
[Figure: three logical systems on one SRX, interconnected by logical tunnel units lt-0/0/0.0 through lt-0/0/0.5]
• LSYS0 (root): zones Inet and LRlt
• LSYS1: zones L1lt and L1USR (PC1)
• LSYS2: zones L2lt, L2USR (PC2) and L2SVR (PC3)
LSYS: 11.2 CLI

Global Configuration View (root):
    interfaces {...}
    lsys-profiles {...}
    applications {...}
    schedulers {...}
    routing-instance {...}
    protocols {...}
    routing-options {...}
    security {
        policies {...}
        zones {...}
        nat {...}
    }
    logical-system LSYS1 {
        profile profile-name-Premium
        interfaces {...}
        routing-instance one {...}
        applications {...}
        security {
            policies {...}
            schedulers {...}
            zones {...}
            nat {...}
        }
    }

• Root administrator can configure all elements of the SRX
• Must create LSYS and LSYS users
• If desired, all admin can be done by root

LSYS-Level Configuration View
• LSYS administrators see only LSYS-level configuration details
• Includes LSYS-only view of all logs
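The slide shows the two views only as collapsed `{...}` stubs. As an added example (editor's, not from this deck or a Juniper reference configuration), the configuration below fills them in for one logical system so the three separations from the "What is LSYS?" slide are visible as concrete statements: a security profile with reserved and maximum counts (resource separation), a login class confined to the LSYS (administrative separation), and a logical tunnel pair plus zones and a policy that are the only path between the root and the LSYS (traffic separation). The hierarchy is the Junos 11.x logical-systems syntax as assumed here, which differs from the slide's abbreviated `lsys-profiles` / `profile` wording: the profile is configured under `system security-profile` and bound to the LSYS by name. The profile name `Premium`, the user `lsys1admin`, the zone names (reused from the example diagram), the `lt-0/0/0` unit numbers, the addresses and the resource counts are all made up for the example.

```junos
/* Added example (not from the deck): one root-administered LSYS on an SRX.
   Syntax is the Junos 11.x logical-systems hierarchy as assumed by the editor;
   names, unit numbers, addresses and counts are placeholders. */

/* --- Global (root) view: budget resources and delegate one LSYS --- */
system {
    security-profile Premium {
        /* "reserved" is guaranteed to this LSYS, "maximum" is its hard ceiling */
        policy       { maximum 100;    reserved 50; }
        zone         { maximum 10;     reserved 4; }
        flow-session { maximum 100000; reserved 20000; }
        logical-system LSYS1;          /* bind the profile to the LSYS */
    }
    login {
        class lsys1-admin {
            logical-system LSYS1;      /* this class sees and edits LSYS1 only */
            permissions all;
        }
        user lsys1admin {
            class lsys1-admin;
            authentication { encrypted-password "$PLACEHOLDER-HASH$"; }
        }
    }
}
interfaces {
    lt-0/0/0 {
        /* root end of the logical tunnel; peer-unit 1 lives inside LSYS1 */
        unit 0 {
            encapsulation ethernet;
            peer-unit 1;
            family inet { address 10.0.0.1/30; }
        }
    }
}
security {
    zones {
        security-zone LRlt { interfaces { lt-0/0/0.0; } }
    }
}

/* --- LSYS1 view: what lsys1admin sees when logging in --- */
logical-systems {
    LSYS1 {
        interfaces {
            lt-0/0/0 {
                unit 1 {
                    encapsulation ethernet;
                    peer-unit 0;                     /* back to the root's unit 0 */
                    family inet { address 10.0.0.2/30; }
                }
            }
            ge-0/0/1 {                               /* physical port owned by LSYS1 */
                unit 0 { family inet { address 192.168.1.1/24; } }
            }
        }
        routing-options {
            static { route 0.0.0.0/0 next-hop 10.0.0.1; }   /* everything else via the root */
        }
        security {
            zones {
                security-zone L1lt  { interfaces { lt-0/0/0.1; } }
                security-zone L1USR { interfaces { ge-0/0/1.0; } }
            }
            policies {
                /* the only crossing out of LSYS1 is through this zone pair */
                from-zone L1USR to-zone L1lt {
                    policy usr-to-root {
                        match { source-address any; destination-address any; application any; }
                        then { permit; log { session-init; } }
                    }
                }
            }
        }
    }
}
```

Two things the stubs hide: traffic from LSYS1 only reaches the root because both a policy (here `usr-to-root`) and a route (the static default) exist, which is exactly the "unless security and routing policies are configured to allow it" condition from the overview; and because `security-profile` counts are per-LSYS, the `reserved` value is what stops one tenant from starving another of sessions or policy slots.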
JWEB IN 11.2: LSYS MONITORING
JWEB IN 11.2: CONFIGURATION OF LSYS
WHEN TO USE LSYS
✔ Complete separation of traffic (zones and VRs can also provide this functionality without LSYS)
✔ Administrative delegation
✔ Log Separation
✔ Resource Reservation
VIRTUALIZATION SPECIFIC REQUIREMENTS
• Secure VMotion/Live-Migration
  – VMs may migrate to an unsecured or lower trust-level zone
  – Security should enable both migration and enforcement
• Hypervisor Protection
  – New operating system means new attack surface
  – Hypervisor connection attempts should be monitored
• Regulatory Compliance
  – Isolating VMs, Access Control, Audit, etc.
  – Segregating administrative duties inside the virtual network
  – Tracking VM security profiles
SECURITY IMPLICATIONS OF VIRTUAL SERVERS
[Figure: PHYSICAL NETWORK vs. VIRTUAL NETWORK (VM1, VM2, VM3 on a HYPERVISOR)]
• Physical network: Firewall/IPS inspects all traffic between servers
• Virtual network: physical security is “blind” to traffic between virtual machines
APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
1. VLAN Segmentation
   • Each VM in separate VLAN
   • Inter-VM communications must route through the firewall
   • Drawback: Possibly complex VLAN networking
2. Agent-based
   • Each VM has a software firewall
   • Drawback: Significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based Firewall
   • VMs can securely share VLANs
   • Inter-VM traffic always protected
   • High-performance from implementing firewall in the kernel
   • Micro-segmenting capabilities
[Figure: three hypervisors each hosting VM1, VM2, VM3, one per method: separate VLANs, FW Agents inside each VM, FW as Kernel Module]
VGW KERNEL IMPLEMENTATION
• Fully “Fast-Path”: all firewall processing is done within the hypervisor
• High performance, >10Gbps throughput
• Designed for ESX Architecture
• Independent processing of firewall policy per-VM
• Scales up as core count increases
[Figure: VM1, VM2, VM3 and the ALTOR VM (Policy, Logging, Management) above the ESX Kernel; VMware vSwitch or dvSwitch; the Altor VMsafe Kernel Module (vGW 4.5 Engine) handles packet/data through the VMsafe Interface; Partner Server (IDS, Syslog, Netflow)]
VGW ARCHITECTURE: 3 MAIN MODULES
1. SECURITY DESIGN VGW
   • CENTRAL MANAGEMENT
   • WEB-BASED UI
   • MANAGEMENT HA
   • DELIVERED AS VIRTUAL APPLIANCE
2. VGW SECURITY VM
   • POLICY FROM MGMT TO ENGINE
   • LOGGING FROM ENGINE TO MGMT
   • IDS ENGINE
   • DEPLOYED AS HA PAIR
   • DELIVERED AS VIRTUAL APPLIANCE
3. VGW ENGINE
   • FULL FW IMPLEMENTATION IN THE KERNEL
   • STATEFUL FW
   • PER-VM POLICY
[Figure: THE vGW ENGINE sits in the HYPERVISOR between the VMs (VM1, VM2, VM3) and the VMWARE VSWITCH OR CISCO 1000V, attached via VMWARE DVFILTER]
INTEGRATED WITH JUNIPER DATA CENTER SECURITY
[Figure: VM1, VM2, VM3 and the ALTOR VM on VMware vSphere; vGW 4.5 Central Policy Management pushes Policies; Zone Synchronization & Traffic Mirroring to IPS on the Juniper SRX with IPS, reached through the Juniper EX Switch Network; Firewall Event Syslogs and Netflow for Inter-VM Traffic are sent to STRM]
DEMO