BRANCH SRX UPDATE
Niklas Henriksson
nhenriksson@juniper.net
Senior Systems Engineer
ROUTING, SECURITY, SWITCHING – ALL IN ONE

Router
• Rich set of WAN and LAN interfaces
• Separation of CP & DP
• Robust and rich routing (RIP, OSPF, BGP)
• IPv4/IPv6 support
• Low latency
• High throughput
• HA & ISSU
• Extensive QoS
• MPLS
• VPLS
• J-Flow, RPM

Security
• High-performance FW
• AppSecure (AppFW, AppTrack, AppQoS)
• IPsec
• IPS
• Web filtering
• Anti-virus
• Anti-spam
• NAT
• L2 transparent mode

Switching
• 802.1Q VLANs
• STP (Spanning Tree Protocols)
• 802.1X port-based authentication, dynamic VLAN assignment & MAC-RADIUS
• 802.3ad (link aggregation)

Copyright © 2011 Juniper Networks, Inc.
www.juniper.net
BRANCH SRX PORTFOLIO

SRX110
Single box solution for Enterprise and MSP
• Integrated VDSL port
• 8 x 10/100 Mb Ethernet ports
WAN options
• VDSL Annex A or VDSL Annex B with ADSL fallback
• 3G USB modem port for backup
Feature rich in routing, switching and security
• Security – UTM, stateful firewall, IPsec VPN
• Routing – RIP, OSPF, BGP, MPLS, VPLS
• Switching – Ethernet switching feature parity with SRX100
External CF for more storage options
High availability (Q3 ‘11): A/A or A/P

Security & Performance
• Routing performance: est. 100 Kpps
• Firewall performance: 750 Mbps (large packets), 250 Mbps (IMIX)
• VPN performance: 75 Mbps
• IDP performance: 65 Mbps
• AV & IDP HW acceleration: No

SKU          Memory & Storage       LAN      DSL WAN        3G WAN
SRX110H-VA   1 GB RAM, 1 GB Flash   8 x FE   VDSL Annex A   Yes
SRX110H-VB   1 GB RAM, 1 GB Flash   8 x FE   VDSL Annex B   Yes
SRX550
Beta in Q4
New platform for mid-large branches
• Faster than a J6350
Flexible slots
• Two mPIM slots for low-speed interfaces
• Six PIM slots (2 XPIM + 4 GPIM)
• One ACE slot (future CPU offload)
10 x GE ports built-in
• 6 x GE
• 4 x SFP
Support for LAN bypass (ports 4 and 5)
Dual PSU support
Two USB ports
Serial and USB-based console
External CF/SSD for storage

Security & Performance Targets
• Routing performance: est. 700 Kpps
• Firewall performance: 1.5 Gbps (IMIX), 6 Gbps (large packets)
• IPsec performance: TBD
• AV & IDP HW acceleration: Yes
3G/4G FOR SRX – UPDATES
3G for the SRX
• Direct plug-in USB modem support for SRX100, SRX110 and SRX210E
• CX111 3G bridge for “ALL” SRX, SSG & J-Series
• Worldwide 70+ modems supported in latest firmware (June ‘11)
• HSPA+ modem support in Q3 2011
• LTE/HSPA modem support in 1H 2012
• LTE/EVDO modem support in 1H 2012
• Verizon LTE supported NOW
• SNMP support to manage CX111
• Junos CLI-based management in 1H 2012

SOFTWARE UPDATE
APPSECURE NEXT GENERATION FIREWALL OVERVIEW
• Intelligent software services deliver smarter FW policies on SRX gateways
• Integrates application traffic control with user control and DoS remediation
• Provides network-level visibility with correlated application and threat event tracking
APPSECURE: AN IMPORTANT COMPONENT TO A LAYERED SECURITY APPROACH
(Diagram: inspection depth, and with it processing intensity and cost, increase from left to right: ACLs & stateless firewall, stateful firewall, application security, intrusion prevention.)

ACLs & Stateless Firewall
• Decisions made based on packet header info such as source and destination addresses
• Very fast

Stateful Firewall
• More context incorporated into decision process
• Better at identifying unauthorized or forged communications
• Still fast

Application Security (AppSecure)

Intrusion Prevention
• Looks at every bit for threats—thorough but intensive processing
• Best used sparingly
CORE DETECTION TECHNOLOGIES
Contextual Network Security – AppSecure

IPS
• Full featured detection
• Constant inspection
• Decoder-based updates
• Geared for evasive application detection
• Process intensive

Application Identification
• Separate process
• Pattern match + lightweight decoding
• Heuristics assistance
• Web 2.0 focused
• Higher performance*

*uses Application System Cache (ASC)
APPTRACK SIMPLIFIES APPLICATION VISIBILITY AND CONTROL
1. Traffic analyzed by AppTrack as it traverses the SRX
2. SRX sends application logs to a SIEM/log collector (STRM or 3rd-party SIEM)
3. SIEM reports (STRM reports) analyzed by IT staff
(Diagram: data center with DC firewall(s), DC switching and server farms; operations center with STRM or 3rd-party SIEM.)
APPFW – 3 DIMENSIONAL SECURITY POLICIES
• Easily restrict application access to necessary users
• Reduce the spread of confidential information
• Stop high-risk and unwanted applications

(Diagram: DC firewall(s) combining AppTrack, traditional firewall policy, user and group awareness (user store, special UAC) and application awareness; data center with DC switching and server farms; operations center with STRM.)

Example policy table:

Match Criteria                                                                   Then
Rule  Source Zone  Dest Zone  Source IP  User/Role  Dest IP  Dynamic Application        Action  Service Options
1     Zone-1       Zone-2     1.1.1.0    Amy        Any      Facebook                   Permit  None, Log
2     Zone-1       Zone-2     1.1.2.0    Finance    Any      LinkedIn                   Permit  None, Log
3     Zone-1       Zone-2     any        any        Any      none (Kazaa, Yahoo IM, …)  permit  none, Log
4     Zone-1       Zone-2     any        any        Any      Facebook                   Deny    none, Log
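The table above encodes the three policy dimensions (zone pair and source address, user/role, identified application) and the order in which rules are consulted. As an added illustration that is not Juniper code and does not reproduce how Junos evaluates AppFW rule sets internally, the Python below models a first-match lookup over a constructed rule set loosely based on that table, and goes one step beyond the slide with a shadow check that flags a rule an earlier, broader rule makes unreachable, which is how an application deny silently stops working after a reorder. Rule numbers, the /24 prefixes, user names, roles and the sample sessions are all constructed for this example.

```python
"""Added illustration, not Juniper code and not Junos's own AppFW evaluation
logic: first-match lookup over zone pair, source prefix, user/role and
identified application, plus a shadow check for unreachable rules.
Rule set and sessions are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    src_zone: str
    dst_zone: str
    src_prefix: str      # "any" or a CIDR prefix
    user_or_role: str    # user name, role name, or "any"
    dynamic_app: str     # identified application name, or "any"
    action: str          # "permit" or "deny"
    log: bool


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    user: Optional[str]   # None until the user is identified
    roles: frozenset      # roles derived from AD group membership
    app: Optional[str]    # None until application identification completes


# Constructed rule set modelled loosely on the slide's table. Hosts are
# assumed to sit in /24 prefixes; the slide shows only "1.1.1.0".
RULES: Tuple[Rule, ...] = (
    Rule(1, "Zone-1", "Zone-2", "1.1.1.0/24", "Amy", "Facebook", "permit", True),
    Rule(2, "Zone-1", "Zone-2", "1.1.2.0/24", "Finance", "LinkedIn", "permit", True),
    Rule(3, "Zone-1", "Zone-2", "any", "any", "Facebook", "deny", True),
    Rule(4, "Zone-1", "Zone-2", "any", "any", "any", "permit", True),
)


def _ip_matches(prefix: str, ip: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def _identity_matches(rule: Rule, s: Session) -> bool:
    # A rule naming a user or role only matches an identified session.
    if rule.user_or_role == "any":
        return True
    return rule.user_or_role == s.user or rule.user_or_role in s.roles


def _app_matches(rule: Rule, s: Session) -> bool:
    return rule.dynamic_app == "any" or s.app == rule.dynamic_app


def first_match(s: Session, rules: Tuple[Rule, ...] = RULES) -> Optional[Rule]:
    """First rule whose zones, source prefix, identity and application all
    match the session, or None when nothing matches."""
    for r in rules:
        if (r.src_zone == s.src_zone and r.dst_zone == s.dst_zone
                and _ip_matches(r.src_prefix, s.src_ip)
                and _identity_matches(r, s) and _app_matches(r, s)):
            return r
    return None


def decide(s: Session, rules: Tuple[Rule, ...] = RULES) -> str:
    """Policy verdict; a session matching no rule is denied."""
    r = first_match(s, rules)
    return "deny" if r is None else r.action


def _covers(a: Rule, b: Rule) -> bool:
    """True when every session that could match b would already match a."""
    if (a.src_zone, a.dst_zone) != (b.src_zone, b.dst_zone):
        return False
    if a.src_prefix != "any":
        if b.src_prefix == "any":
            return False
        if not ipaddress.ip_network(b.src_prefix).subnet_of(ipaddress.ip_network(a.src_prefix)):
            return False
    if a.user_or_role not in ("any", b.user_or_role):
        return False
    if a.dynamic_app not in ("any", b.dynamic_app):
        return False
    return True


def shadowed_rules(rules: Tuple[Rule, ...] = RULES) -> List[Tuple[int, int]]:
    """(shadowed, shadowing) rule-number pairs: rules that can never fire
    because an earlier rule is at least as broad in every dimension."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.number, earlier.number))
                break
    return found


if __name__ == "__main__":
    amy = Session("Zone-1", "Zone-2", "1.1.1.10", "Amy", frozenset({"Sales"}), "Facebook")
    bob = Session("Zone-1", "Zone-2", "1.1.5.7", "Bob", frozenset(), "Facebook")
    print(first_match(amy).number, decide(amy))   # 1 permit
    print(first_match(bob).number, decide(bob))   # 3 deny
    # Putting the catch-all permit ahead of the Facebook deny shadows the deny.
    print(shadowed_rules((RULES[0], RULES[1], RULES[3], RULES[2])))  # [(3, 4)]
```

The shadow check is deliberately conservative: it treats a role name and a user name as different match sets and only compares prefixes by containment, so it reports definite shadowing and never guesses. A session whose user or application is not yet identified falls through to rules that say "any" in that dimension, which is why the order of a catch-all permit relative to an application-specific deny matters.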
APPQOS – BANDWIDTH MANAGEMENT FOR BUSINESSES
• Prioritize traffic based on application type
• Limit the amount of bandwidth an application can consume
• Mark the DSCP values for proper QoS treatment
• Leverage Junos Class-of-Service feature set to fully control application handling at the interface queue level

Example policies (diagram: AppTrack, traditional firewall policy, user and group awareness, application awareness):
• Give highest priority to financial applications for finance and sales
• Approved applications receive normal priority
• Lower priority for multimedia applications, except for the MM content group
USER-ROLE FIREWALL FOR ACTIVE DIRECTORY
(Diagram: Windows ADs and IC Series in the corporate data center; Finance client passing through SRX Series to data, video and Internet apps.)
1. Domain user logs into the domain from a domain member device
2. Unauthenticated client tries to access a resource through the SRX and is dropped
3. SRX redirects the client to the IC for the authentication process using Kerberos
4. Upon successful authentication and identification of the user, the IC gets AD group membership using LDAP, maps it to roles and sends the info to the SRX
5. Client device passes traffic through the SRX per the corresponding policy enforcement controls based on user/role
INTEGRATED USER-ROLE FIREWALL FOR ACTIVE DIRECTORY – FUTURE DIRECTION
(Diagram: Windows ADs in the corporate data center; Finance client passing through SRX Series to data, video and Internet apps.)
1. Domain user logs into the domain from a domain member device
2. SRX participates in the domain as a read-only device; AD pushes user and group information to the SRX
3. Client device passes traffic through the SRX per the corresponding policy enforcement controls
L2 SWITCHING WITH HA: SINGLE SWITCHING DOMAIN ACROSS AN HA CLUSTER
Q1 2011

Characteristics
• L2 to span both systems
• L2 protocol HA
• Supports multiple non-overlapping VLANs
• Replaces external switches
• Requires adding an optional 3rd HA link, the switch-fabric link

(Diagram: Untrust zone, ge-0/0/0.0 towards the INTERNET; SRX cluster forming a single L2 domain with vlan.0 in the Trust zone; ge-7/0/0.0 towards a server; L2 switched traffic and routed traffic shown as separate paths.)

Traffic between devices in the same L2 broadcast domain is forwarded using the swfab interfaces. Traffic to a different subnet is sent to the vlan.0 interface and routed by the SRX.