BRANCH SRX UPDATE
Niklas Henriksson, nhenriksson@juniper.net, Senior Systems Engineer
Copyright © 2011 Juniper Networks, Inc. www.juniper.net

ROUTING, SECURITY, SWITCHING – ALL IN ONE

Router
• Rich set of WAN and LAN interfaces
• Separation of control plane (CP) and data plane (DP)
• Robust and rich routing (RIP, OSPF, BGP)
• IPv4/IPv6 support
• Low latency, high throughput
• HA & ISSU
• Extensive QoS
• MPLS, VPLS
• J-Flow, RPM

Security
• High-performance firewall
• AppSecure (AppFW, AppTrack, AppQoS)
• IPsec
• IPS
• Web filtering, anti-virus, anti-spam
• NAT
• L2 transparent mode

Switching
• 802.1Q VLANs
• Spanning Tree Protocols (STP)
• 802.1X port-based authentication, dynamic VLAN assignment and MAC RADIUS
• 802.3ad link aggregation

BRANCH SRX PORTFOLIO

SRX110
• Single-box solution for Enterprise and MSP
• Integrated VDSL port
• 8 x 10/100 Mb Ethernet ports
• WAN options: VDSL Annex A, or VDSL Annex B with ADSL fallback; 3G USB modem port for backup
• Feature rich in routing, switching and security:
  Security – UTM, stateful firewall, IPsec VPN
  Routing – RIP, OSPF, BGP, MPLS, VPLS
  Switching – Ethernet switching feature parity with SRX100
• External CF for more storage options

Security & performance
  Routing performance: est. 100 Kpps
  Firewall performance: 750 Mbps (large packets), 250 Mbps (IMIX)
  VPN performance: 75 Mbps
  IDP performance: 65 Mbps
  AV & IDP HW acceleration: no
  High availability (Q3 '11): A/A or A/P

  SKU        | Memory & storage     | LAN    | DSL WAN      | 3G WAN
  SRX110H-VA | 1 GB RAM, 1 GB flash | 8 x FE | VDSL Annex A | Yes
  SRX110H-VB | 1 GB RAM, 1 GB flash | 8 x FE | VDSL Annex B | Yes

SRX550
• Beta in Q4
• New platform for mid-to-large branches
• Faster than a J6350
• Flexible slots: two mPIM slots for low-speed interfaces; six PIM slots (2 XPIM + 4 GPIM); one ACE slot (future CPU offload)
• Support for LAN bypass (ports 4 and 5)
• 10 x GE ports built in: 6 x GE, 4 x SFP
• Dual PSU support
• Two USB ports
• Serial and USB-based console
• External CF/SSD for storage

Security & performance targets
  Routing performance: est. 700 Kpps
  Firewall performance: 1.5 Gbps (IMIX), 6 Gbps (large packets)
  AV & IDP HW acceleration: yes
  IPsec performance: TBD

3G/4G FOR SRX – UPDATES

3G for the SRX
• Direct plug-in USB modem: support for SRX100, SRX110 and SRX210E
• CX111 3G bridge for "all" SRX, SSG & J-Series
  – Worldwide 70+ modems supported in the latest firmware (June '11)
  – Verizon LTE supported now
  – SNMP support to manage the CX111
  – Junos CLI-based management in 1H 2012
• HSPA+ modem support in Q3 2011
• LTE/HSPA modem support in 1H 2012
• LTE/EVDO modem support in 1H 2012

SOFTWARE UPDATE

APPSECURE NEXT GENERATION FIREWALL OVERVIEW
• Intelligent software services deliver smarter firewall policies on SRX gateways
• Integrates application traffic control with user control and DoS remediation
• Provides network-level visibility with correlated application and threat event tracking

APPSECURE: AN IMPORTANT COMPONENT OF A LAYERED SECURITY APPROACH
(Processing intensity and cost, and inspection depth, increase from left to right: ACLs and stateless firewall, stateful firewall, application security, intrusion prevention.)

ACLs & stateless firewall
• Decisions made on packet header information such as source and destination addresses
• Very fast

Stateful firewall
• More context incorporated into the decision process
• Better at identifying unauthorized or forged communications
• Still fast

Application security
• Sits between stateful inspection and IPS in both inspection depth and processing cost

Intrusion prevention
• Looks at every bit for threats: thorough, but processing intensive
• Best used sparingly
CORE DETECTION TECHNOLOGIES
Contextual network security – AppSecure

IPS
• Full-featured detection
• Constant inspection
• Decoder-based updates
• Geared for evasive application detection
• Process intensive

Application identification
• Separate process
• Pattern match plus lightweight decoding
• Heuristics assistance
• Web 2.0 focused
• Higher performance (uses the Application System Cache, ASC)

APPTRACK SIMPLIFIES APPLICATION VISIBILITY AND CONTROL
1. Traffic is analyzed by AppTrack as it traverses the SRX (the data center firewalls).
2. The SRX sends application logs to a SIEM/log collector (STRM or a third-party SIEM).
3. SIEM reports (STRM reports) are analyzed by IT staff in the operations center.
(Diagram: data center with DC firewalls, DC switching and server farms; STRM in the operations center.)

APPFW – 3-DIMENSIONAL SECURITY POLICIES
• Easily restrict application access to the users who need it
• Reduce the spread of confidential information
• Stop high-risk and unwanted applications

A policy combines the traditional firewall policy (zones and addresses) with user and group awareness (a user store, via UAC) and application awareness (AppTrack):

  Match criteria                                                                          | Then
  Rule | Source zone | Dest zone | Source IP | User/Role | Dest IP | Dynamic application      | Action | Service options | Log
  1    | Zone-1      | Zone-2    | 1.1.1.0   | Amy       | Any     | Facebook                  | Permit | None            | Log
  2    | Zone-1      | Zone-2    | 1.1.2.0   | Finance   | Any     | LinkedIn                  | Permit | None            | Log
  3    | Zone-1      | Zone-2    | any       | any       | Any     | none                      | Permit | None            | Log
  4    | Zone-1      | Zone-2    | any       | any       | Any     | Kazaa, Yahoo IM, Facebook | Deny   | None            | Log
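The rule table above, expressed as Junos set commands for a branch SRX. This is an added example written for this page, not configuration from the slides or from Juniper; the zone names (trust/untrust standing in for Zone-1/Zone-2), address-book entry, rule-set and policy names, and the syslog collector address are assumed, and the junos:* application names are assumed to exist in the installed application signature package. The user/role column is left out because it needs the IC/UAC integration shown on the later slides.

```junos
## Added example: AppTrack accounting plus AppFW rule-sets on a branch SRX.
## All names and addresses below are assumed; junos:* application names must
## be present in the installed signature package. Verify with
##   show services application-identification application summary

## Application signatures must be installed before any application-based
## rule can match (operational mode, not configuration):
#   request services application-identification download
#   request services application-identification install

## AppTrack: account sessions per application in the trust zone and ship the
## structured session logs to the SIEM/log collector (STRM on the slides).
set security zones security-zone trust application-tracking
set system syslog host 192.0.2.10 any any          # assumed collector address
set system syslog host 192.0.2.10 structured-data

## Rule-set for Amy's subnet (table rules 1 and 4 combined): Facebook stays
## allowed because it is not listed; P2P and IM fall through to deny.
set security application-firewall rule-sets amy-apps rule deny-p2p-im match dynamic-application junos:KAZAA
set security application-firewall rule-sets amy-apps rule deny-p2p-im match dynamic-application junos:YMSG
set security application-firewall rule-sets amy-apps rule deny-p2p-im then deny
set security application-firewall rule-sets amy-apps default-rule permit

## Rule-set for everyone else (table rules 3 and 4): P2P, IM and Facebook are
## cut; anything not identified or not listed is permitted by the default rule.
set security application-firewall rule-sets block-unwanted rule deny-unwanted match dynamic-application junos:KAZAA
set security application-firewall rule-sets block-unwanted rule deny-unwanted match dynamic-application junos:YMSG
set security application-firewall rule-sets block-unwanted rule deny-unwanted match dynamic-application junos:FACEBOOK-ACCESS
set security application-firewall rule-sets block-unwanted rule deny-unwanted then deny
set security application-firewall rule-sets block-unwanted default-rule permit

## Security policies bind the rule-sets; order matters, the subnet-specific
## policy must precede the catch-all. Every session is logged at close so
## AppTrack records the identified application.
set security address-book global address amy-net 1.1.1.0/24   # 1.1.1.0 from the table
set security policies from-zone trust to-zone untrust policy amy-social match source-address amy-net
set security policies from-zone trust to-zone untrust policy amy-social match destination-address any
set security policies from-zone trust to-zone untrust policy amy-social match application any
set security policies from-zone trust to-zone untrust policy amy-social then permit application-services application-firewall rule-set amy-apps
set security policies from-zone trust to-zone untrust policy amy-social then log session-close

set security policies from-zone trust to-zone untrust policy everyone-else match source-address any
set security policies from-zone trust to-zone untrust policy everyone-else match destination-address any
set security policies from-zone trust to-zone untrust policy everyone-else match application any
set security policies from-zone trust to-zone untrust policy everyone-else then permit application-services application-firewall rule-set block-unwanted
set security policies from-zone trust to-zone untrust policy everyone-else then log session-close
```

Two caveats a practitioner should keep in mind. Application identification needs the first packets of a session, so those packets are forwarded under the policy's permit before the rule-set verdict is applied; an AppFW deny is a mid-session cut, not a SYN drop. And the Application System Cache from the core-detection slide reuses an earlier verdict for the same server address and port, which is where the performance gain comes from, but also means a changed service on that address and port is only re-identified once the cache entry ages out.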
APPQOS – BANDWIDTH MANAGEMENT FOR BUSINESSES
• Prioritize traffic based on application type
• Limit the amount of bandwidth an application can consume
• Mark DSCP values for proper QoS treatment downstream
• Leverage the Junos class-of-service feature set to fully control application handling at the interface queue level

Built on the same three dimensions as AppFW (traditional firewall policy, user and group awareness, application awareness via AppTrack). Example policy:
• Give highest priority to financial applications for Finance and Sales
• Approved applications receive normal priority
• Lower priority for multimedia applications, except for the MM content group

USER-ROLE FIREWALL FOR ACTIVE DIRECTORY
(Components: Windows AD, IC Series, a Finance client, the SRX Series, and the corporate data center with data, video and Internet applications.)
1. A domain user logs into the domain from a domain-member device.
2. The unauthenticated client tries to access a resource through the SRX and is dropped.
3. The SRX redirects the client to the IC for authentication using Kerberos.
4. Upon successful authentication and identification of the user, the IC gets the user's AD group membership using LDAP, maps it to roles and sends the information to the SRX.
5. The client device passes traffic through the SRX per the policy enforcement controls for its user/role.

INTEGRATED USER-ROLE FIREWALL FOR ACTIVE DIRECTORY – FUTURE DIRECTION
1. A domain user logs into the domain from a domain-member device.
2. The SRX participates in the domain as a read-only device; AD pushes user and group information to the SRX.
3. The client device passes traffic through the SRX per the corresponding policy enforcement controls.

L2 SWITCHING WITH HA: SINGLE SWITCHING DOMAIN ACROSS AN HA CLUSTER (Q1 2011)

Characteristics
• L2 spans both systems
• L2 protocol HA
• Supports multiple non-overlapping VLANs
• Replaces external switches
• Requires adding an optional third HA link, the switch-fabric (swfab) link

Topology on the slide: the Untrust zone faces the Internet on ge-0/0/0.0; a single L2 domain, vlan.0, sits in the Trust zone and spans both nodes of the SRX cluster, with a server attached on ge-7/0/0.0 on the second node.
• L2 switched traffic: traffic between devices in the same L2 broadcast domain is forwarded using the swfab interfaces.
• Routed traffic: traffic to a different subnet is sent to the vlan.0 interface and routed by the SRX.
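The single-switching-domain topology above as a Junos configuration. This is an added example for this page, not configuration from the slides or from Juniper: the port numbering follows the slide (ge-0/0/x on node 0, ge-7/0/x on node 1), while the swfab member ports, the VLAN ID, the addresses and the zone names are assumed. The cluster itself (cluster-id, node IDs, control and fabric links) is assumed to be formed already.

```junos
## Added example: third HA link (swfab) plus one L2 domain, vlan.0, across an
## SRX branch chassis cluster. Member ports, VLAN ID and addresses are assumed;
## ge-0/0/0 and ge-7/0/0 are taken from the slide.

## Switch-fabric link: one switching port per node, cabled back-to-back.
## Intra-VLAN frames whose destination is behind the other node cross here.
set interfaces swfab0 fabric-options member-interfaces ge-0/0/2
set interfaces swfab1 fabric-options member-interfaces ge-7/0/2

## Access ports on both nodes in the same VLAN: a host on node 0 and the
## server on node 1 share one broadcast domain and are switched over swfab.
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-7/0/0 unit 0 family ethernet-switching vlan members vlan-trust
set vlans vlan-trust vlan-id 10
set vlans vlan-trust l3-interface vlan.0

## vlan.0 is the routed interface of the domain: only traffic leaving the
## subnet reaches it, and only that traffic is checked against security policy.
set interfaces vlan unit 0 family inet address 10.10.0.1/24
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services ping

## Untrust side toward the Internet, per the slide (ge-0/0/0.0 on node 0).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## A permit policy from trust to untrust is still required for the routed path;
## switched traffic inside vlan-trust never consults it.
set security policies from-zone trust to-zone untrust policy out match source-address any
set security policies from-zone trust to-zone untrust policy out match destination-address any
set security policies from-zone trust to-zone untrust policy out match application any
set security policies from-zone trust to-zone untrust policy out then permit
```

After commit, `show ethernet-switching table` should list MAC addresses learned on ports of both nodes in vlan-trust, which is the practical check that the swfab link is passing frames. The security point to keep in view is the one the slide's routed/switched split implies: frames switched within vlan-trust, including those crossing swfab between nodes, never traverse vlan.0 and are therefore not subject to security policy. Hosts that must be segmented from each other belong in different, non-overlapping VLANs with the SRX routing (and policing) between them, not in the same L2 domain.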