Product Update Seminar
AGENDA
13.00  Welcome
13.30  SRX update + Application Aware FW positioning
       Value Add proposition having onbox AV (Kaspersky)
       MAG SSL/UAC license scenarios recap
       vGW short recap (demo)
15.30  Coffee break
       EX technology portfolio update
       "The new network is simply connected"
       Wireless Newsflash
       Westcon Academy Juniper Training update
17.30  Great drinks & Fingerfood @ SKYBAR terrace
Copyright © 2011 Juniper Networks, Inc.
www.juniper.net
Legal Disclaimer: This statement of product direction (formerly called "roadmap") sets forth Juniper Networks' current intention, and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this statement.
SRX update
Frederick Verduyckt
Security System Engineer
DON'T TAKE OUR WORD FOR IT…
SRX650 wins Best of Interop Award, Infrastructure Category: "Branch Office Swiss Army Knife" that "packs a bunch of horsepower and features"
SRX210 wins Tokyo Interop Grand Prix (highest honor) for SMB Infrastructure: "Amazed that high-performance JUNOS software is installed in this small appliance" – the vote was unanimous!
BRANCH SRX DELIVERS… CONSOLIDATED SECURITY AND NETWORKING
All-in-One: Firewall, VPN, UTM, IPS, Anti-Virus, Anti-Spam, Web filtering, Routing / WAN, LAN, Switching
• Single device for routing, switching, and security
• Comprehensive security
• Easy to activate new layers of security
BRANCH SRX PORTFOLIO
Small Office:
  SRX100/110
Small to Medium Office:
  SRX210 – WAN slot, 2 x GigE, PoE
  SRX220 – + 2 WAN slots, 8 x GigE, PoE
  SRX240 – + 4 WAN slots, 16 x GigE, PoE
Large Branch/Regional Office:
  SRX650 – + More LAN slots, dual processors, dual P/S
SRX SERVICES GATEWAYS
Highly configurable
– Fixed, semi-modular, and modular form factors
– Choice of WAN and LAN interfaces
Extensive integration
– Full suite of JUNOS routing and switching capabilities
– Unmatched security, including FW, VPN, UTM, UAC, and full IPS
Exceptional performance and availability
– Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS
– Control & data plane separation, redundant processing and power

Model  | Configuration    | FW/IPS Performance
-------|------------------|-------------------
SRX100 | Fixed            | 600/60 Mbps
SRX210 | 1 mini PIM slot  | 750/80 Mbps
SRX220 | 2 mini PIM slots | 950/100 Mbps
SRX240 | 4 mini PIM slots | 1500/250 Mbps
SRX650 | 8 GPIM slots     | 7000/900 Mbps
SRX SERVICES GATEWAYS DATA CENTER SERIES COMPARISON
Max. Value, Junos 10.4

Metric                                      | SRX1400     | SRX3400          | SRX3600          | SRX5600    | SRX5800
--------------------------------------------|-------------|------------------|------------------|------------|------------------------------------
FW Throughput                               | 10 Gbps     | 20 Gbps          | 30 Gbps          | 60 Gbps    | 150 Gbps
VPN Throughput                              | 2 Gbps      | 6 Gbps           | 10 Gbps          | 15 Gbps    | 30 Gbps
IPS Throughput                              | 2 Gbps      | 6 Gbps           | 10 Gbps          | 15 Gbps    | 30 Gbps
Max PPS                                     | 1 million   | 3.5 million      | 6.5 million      | 9 million  | 21 million
Max Sessions ( / with add'l license)        | 0.5 million | 2.25 / 3 million | 2.25 / 6 million | 9 million  | 12.5 / 14 million (with caveats)
New & Sustained CPS ( / with add'l license) | 45k         | 175k             | 175k / 300k      | 350k       | 350k

Built-in Interfaces, GE (10/100/1000Base-T; 1000Base-X, HA off / on) and XGE (10GBase-F), values as extracted: 6, 6, 8, 8, 6/4, 3/1, 4, 4, 0, 3
Total I/O Ports, GbE (HA off / on): 28/26, 25/23, 76, 108, 200, 440; 10 GbE: 2, 5, 8, 12, 40, 88
SRX210 ENHANCED
Improved SRX210 with faster processor!
• Increases processor speed to 600MHz from 400MHz
• Existing SRX210 has 400MHz processor
• Provides faster J-Web, improved boot-up time, faster throughput
Provided under new SKUs:
• SRX210BE, SRX210HE, SRX210HE-POE
• No change to list price
• No change to datasheet specs
FIPS & EAL4 Certs submitted with 10.4
End-of-Sale of existing SRX210 will be announced after receiving certifications in 2H 2011
• Providing at least 6 month notice for LTB
SRX110
Single box solution for Enterprise and MSP
• Fixed form factor
• 8 10/100MB Ethernet ports
WAN Options
• VDSL Annex A or VDSL Annex B with ADSL fallback
• 3G USB Modem port for backup
• Express slot is being deprecated
Feature rich in Routing, Switching and Security
• Security – UTM, Stateful Firewall, IPSec VPN
• Routing – RIP, OSPF, BGP, MPLS, VPLS
• Switching – Ethernet Switching features parity with SRX 100
External CF for more storage options

Security & Performance
Routing Performance: Est. 100Kpps
Firewall Performance: 750Mbps (Large Pkt), 250 Mbps (IMIX)
VPN Performance: 75 Mbps
IDP Performance: 65 Mbps
AV & IDP HW Acceleration: NO
High Availability (Q3 '11): A/A or A/P

SKU           | Memory & Storage   | LAN    | DSL WAN      | 3G WAN
--------------|--------------------|--------|--------------|-------
SRX110H-VA-3G | 1GB RAM, 1GB Flash | 8 x FE | VDSL Annex A | Yes
SRX110H-VB-3G | 1GB RAM, 1GB Flash | 8 x FE | VDSL Annex B | Yes
3G/4G FOR SRX – UPDATES
USB 3G/4G – This is the Future
Direct plug-in USB Modem Support for SRX100, SRX110 and SRX210E
• GSM/HSPA+ Modem support in Q3 '11 (Sierra Wireless 319U)
• Secure Modem with Modem Cap (2H '11)
• LTE/HSPA modem support in 1H '12
• LTE/EVDO Modem support in 1H '12
• SRX/Junos based 3G support
• No USB 3G support on 220/240/650
CX111 Bridge
CX111 3G/4G Bridge for "ALL" SRX, SSG & J-Series
• Recommended for use with SRX
• Worldwide 70+ Modems supported in latest firmware (July '11)
• Verizon LTE supported NOW
• CX111 supports SNMP NOW (v 1.8.2, July 2011)
• Junos CLI based management Phase-1 release in Q4 '11
SRX550
Beta in 11.4
New platform for mid-large branches
• Faster than a J6350
Flexible Slots
• Two mPIM slots for low-speed interfaces
• Six PIM slots (2 XPIM + 4 GPIM)
• One ACE slot (future CPU offload)
Support for LAN bypass (ports 4 and 5)
10xGE ports built-in
• 6xGE
• 4xSFP
Dual PSU support
Two USB ports
Serial and USB-based Console
External CF/SSD for storage

Security & Performance Targets
Routing Performance: Est. 700Kpps
Firewall Performance: 2 Gbps (IMIX), 8 Gbps (large packets)
AV & IDP HW Acceleration: Yes
IPSec Performance: TBD
APPSECURE UPDATE
WHERE IS SECURITY HEADED? CONTEXT AWARENESS
"Location, device and user" vs. "Source to Destination"
[Diagram: a Global High-Performance Network connecting Branch, Campus and Mobile Clients to the Data Center; context dimensions shown: What User, User Location, User Device, What Application, Source to Destination]
APPSECURE SOFTWARE SERVICE SUITE
Application Intelligence from User to Data Center

Module   | Purpose                       | Benefit
---------|-------------------------------|-----------------------------------
AppTrack | Understand security risks     | Address new user behaviors
AppFW    | Block access to risky apps    | Allows user tailored policies
AppQoS   | Prioritize important apps     | Rate limit less important apps
AppDoS   | Protect apps from bot attacks | Allow legitimate user traffic
IPS      | Remediate security threats    | Stay current with daily signatures

• Subscription service includes all modules and updates
• Juniper Security Lab provides 800+ application signatures
2H 2011
APPSECURE USE CASE – COST REDUCTION
Customer Profile: Large technology company with over 100 offices worldwide
Customer Initiative: IT cost reduction through standardization on a smaller number of supported applications
AppSecure Implementation
• AppTrack – Identify global use of applications, cloud-based or not
• AppFW – Block out-of-policy applications (Facebook)
• AppQoS – Prioritize business-critical applications (Oracle, GoogleSites); lower priority of less essential applications (QuickTime)
APPSECURE USE CASE – COMPLIANCE
Customer Profile: US based HR recruiting firm with clients in US and EMEA
Customer Initiative: Standardize on a single e-mail application to meet compliance guidelines
AppSecure Implementation (AppTrack, AppFW)
• Identify and permit Microsoft Outlook traffic
• Identify and permit access to LinkedIn to enable recruiting productivity
• Identify and deny access to LinkedIn's In-Mail application
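The two use cases above both come down to the same two building blocks: AppTrack to see which applications are actually in use, and an AppFW rule-set attached to an ordinary stateful policy to block the out-of-policy ones. The following Junos configuration fragment is an example written for this transcript, not Juniper's slide material or a customer configuration; it shows the cost-reduction case (block Facebook, permit everything else). The zone names trust/untrust, the rule-set and policy names, and the use of junos:FACEBOOK-ACCESS from Juniper's application signature package are assumptions.

```junos
# Added example (not from the slides): AppTrack + AppFW on a branch SRX.
# Zone names "trust"/"untrust" and the rule-set/policy names are assumptions.

# 1. AppTrack: account for application usage per session on the trust zone,
#    so the "identify global use of applications" step has data to work from.
set security zones security-zone trust application-tracking

# 2. AppFW rule-set: deny Facebook (out-of-policy application), permit the rest.
#    junos:FACEBOOK-ACCESS is a dynamic application from Juniper's signature
#    package; the exact name available depends on the installed signature bundle.
set security application-firewall rule-sets block-out-of-policy rule deny-facebook match dynamic-application junos:FACEBOOK-ACCESS
set security application-firewall rule-sets block-out-of-policy rule deny-facebook then deny
set security application-firewall rule-sets block-out-of-policy default-rule permit

# 3. Attach the rule-set to the stateful policy that carries user traffic out.
#    The L3/L4 policy still matches on the 5-tuple and permits; the AppFW
#    rule-set is applied once application identification has classified the
#    session, which is why the first packets of a flow pass before the deny.
set security policies from-zone trust to-zone untrust policy users-out match source-address any
set security policies from-zone trust to-zone untrust policy users-out match destination-address any
set security policies from-zone trust to-zone untrust policy users-out match application any
set security policies from-zone trust to-zone untrust policy users-out then permit application-services application-firewall rule-set block-out-of-policy
set security policies from-zone trust to-zone untrust policy users-out then log session-close

# 4. Checks from operational mode after committing:
#    show services application-identification application-system-cache
#    show security application-tracking counters
```

The session-close log is what feeds the "identify" half of the use case: each closed session carries the identified application, so the AppTrack counters and the logs together show which blocked or permitted applications are actually in use before the deny list is widened to the compliance case (LinkedIn In-Mail) on the next slide.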
APPSECURE AVAILABILITY
(✔ = available)

Module     | High End SRX | Branch SRX
-----------|--------------|-----------
AppTrack   | ✔            | 11.2
AppFW      | 11.1         | 11.2
AppQoS     | 11.4         | 1H12
AppDoS     | ✔            | TBD
IPS        | ✔            | ✔
User-Roles | 12.1         | 12.1
LOGICAL SYSTEMS UPDATE
WHAT IS LSYS?
• Virtualization of many aspects of Junos, especially security policies and enforcement options
• "Complete" separation of a single device into unique virtual instances, including:
  • Administrative separation – users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box
  • Traffic separation – network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
  • Resource separation – resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances
• An evolution of ScreenOS's VSYS concept
LSYS VS. VSYS

ScreenOS              | Junos*
----------------------|-----------------------
VSYS (Virtual System) | LSYS (Logical System)
Virtual Router        | VR
Zone                  | Zone
Interface             | Interface
IP                    | IP

*All interfaces in a given zone must be in the same routing instance
LSYS ISN'T A HYPERVISOR-LEVEL VIRTUALIZATION
Only one version of Junos is running on the SRX
System daemons have been made 'LSYS aware'
• In some cases, multiple daemons are used, one per LSYS
Akin to "Operating System-Level virtualization"
• Looks and feels like a real system
• Has resource protection to protect one from another
EXAMPLE
[Diagram: Root (LSYS0) with zones Inet and LRlt; LSYS1 with zones L1USR (PC1) and L1lt; LSYS2 with zones L2USR (PC2), L2lt and L2SVR (PC3); the root and the logical systems are interconnected through lt-0/0/0 units .0 to .5]
LSYS Management Methods
CLI: Global (root) view, LSYS view
Web (JWeb): Global View, LSYS View
NMS: Space, Third-party
LSYS: 11.2 CLI

    interfaces {...}
    lsys-profiles {...}
    applications {...}
    schedulers {...}
    routing-instance {...}
    protocols {...}
    routing-options {...}
    security {
        policies {...}
        zones {...}
        nat {...}
    }
    logical-system LSYS1 {
        profile profile-name-Premium;
        interfaces {...}
        routing-instance one {...}
        applications {...}
        security {
            policies {...}
            schedulers {...}
            zones {...}
            nat {...}
        }
    }

Global Configuration View
• Root administrator can configure all elements of the SRX
• Must create LSYS and LSYS users
• If desired, all admin can be done by root

LSYS-Level Configuration View
• LSYS administrators see only LSYS-level configuration details
• Includes LSYS-only view of all logs
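To make the administrative, traffic and resource separation from the "What is LSYS?" slide and the root/LSYS1 split of the example diagram concrete, here is a set-style Junos configuration added for this transcript; it is not from the slides or from Juniper's documentation. It uses the hierarchy that shipped in Junos (logical-systems plus a system security-profile) rather than the pre-release lsys-profiles / logical-system hierarchy shown above. The interface units, addresses, the Premium profile values, the lsys1admin login and the ge-0/0/2 port for PC1 are assumptions; the root's own LRlt-to-Inet policy and routing are left out.

```junos
# Added example (not from the slides). Root view: one LSYS, its resource
# budget, one LSYS-scoped admin, and the lt- interconnect to the root.

# Resource separation: the Premium profile reserves capacity for LSYS1 and
# caps what it may consume, so one busy tenant cannot starve the others.
set system security-profile Premium policy reserved 100 maximum 200
set system security-profile Premium zone reserved 5 maximum 10
set system security-profile Premium flow-session reserved 10000 maximum 20000
set system security-profile Premium logical-system LSYS1

# Administrative separation: a login class bound to LSYS1. A user in this
# class sees and configures only LSYS1; the root administrator still sees
# everything. The password is set interactively with
#   set system login user lsys1admin authentication plain-text-password
set system login class lsys1-admin logical-system LSYS1
set system login class lsys1-admin permissions all
set system login user lsys1admin class lsys1-admin

# Traffic separation, root side of the logical tunnel: unit 0 in zone LRlt
# peers with unit 3, which lives inside LSYS1 (addresses are assumptions).
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 3
set interfaces lt-0/0/0 unit 0 family inet address 10.0.1.1/30
set security zones security-zone LRlt interfaces lt-0/0/0.0

# LSYS1 side: its own interfaces, zones and policy. Nothing crosses from
# L1USR to the root unless a policy in LSYS1 (and one in the root) permits it.
set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 encapsulation ethernet
set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 peer-unit 0
set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 family inet address 10.0.1.2/30
set logical-systems LSYS1 interfaces ge-0/0/2 unit 0 family inet address 192.168.10.1/24
set logical-systems LSYS1 security zones security-zone L1lt interfaces lt-0/0/0.3
set logical-systems LSYS1 security zones security-zone L1USR interfaces ge-0/0/2.0
set logical-systems LSYS1 security policies from-zone L1USR to-zone L1lt policy users-out match source-address any
set logical-systems LSYS1 security policies from-zone L1USR to-zone L1lt policy users-out match destination-address any
set logical-systems LSYS1 security policies from-zone L1USR to-zone L1lt policy users-out match application junos-http
set logical-systems LSYS1 security policies from-zone L1USR to-zone L1lt policy users-out then permit
set logical-systems LSYS1 security policies from-zone L1USR to-zone L1lt policy users-out then log session-init

# Checks from the root view after committing:
#   show system security-profile policy logical-system all
#   show interfaces lt-0/0/0 terse
```

The point of the lt- pair is the trust boundary: the only path from LSYS1 to the rest of the box is lt-0/0/0.3, so both the LSYS1 administrator's policy on L1lt and the root administrator's policy on LRlt have to agree before any packet leaves the tenant, and the security-profile keeps a misconfigured or abused tenant inside its session and policy budget.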
JWEB IN 11.2: LSYS MONITORING
JWEB IN 11.2: CONFIGURATION OF LSYS
WHEN TO USE LSYS
Customer Requirements:
✔ Complete separation of traffic
  • Zones and VRs can also provide this functionality without LSYS
✔ Administrative delegation
✔ Log Separation
✔ Resource Reservation
vGW update
VIRTUALIZATION SPECIFIC REQUIREMENTS
Secure VMotion/Live-Migration
• VMs may migrate to an unsecured or lower trust-level zone
• Security should enable both migration and enforcement
Hypervisor Protection
• New operating system means new attack surface
• Hypervisor connection attempts should be monitored
Regulatory Compliance
• Isolating VMs, Access Control, Audit, etc.
• Segregating administrative duties inside the virtual network
• Tracking VM security profiles
SECURITY IMPLICATIONS OF VIRTUAL SERVERS
[Diagram: in the physical network, a Firewall/IPS inspects all traffic between servers; in the virtual network (VM1, VM2, VM3 on an ESX host hypervisor), physical security is "blind" to traffic between virtual machines]
APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
1. VLAN Segmentation
   • Each VM in separate VLAN
   • Inter-VM communications must route through the firewall
   • Drawback: Possibly complex VLAN networking
2. Agent-based
   • Each VM has a software firewall (FW Agents)
   • Inter-VM traffic always protected
   • Drawback: Significant performance implications; huge management overhead of maintaining software and signature on 1000s of VMs
3. Kernel-based Firewall
   • FW as Kernel Module in the hypervisor
   • VMs can securely share VLANs
   • Micro-segmenting capabilities
   • High-performance from implementing firewall in the kernel
VGW KERNEL IMPLEMENTATION
Fully "Fast-Path"
• All firewall processing is done within hypervisor
• High performance, >10Gbps throughput
Designed for ESX Architecture
• Independent processing firewall policy per-VM
• Scales up as core count increases
[Diagram: VM1, VM2, VM3 and the Altor VM (Policy, Logging, Management) on an ESX host; in the ESX kernel, the Altor VMsafe kernel module / vGW 4.5 engine sits on the VMsafe interface beside the VMware vSwitch or dvSwitch and handles packet/data; the Altor VS/VF forwards packet/data to a partner server (IDS, Syslog, Netflow)]
VGW ARCHITECTURE: 3 MAIN MODULES
1. SECURITY DESIGN VGW
   • CENTRAL MANAGEMENT
   • WEB-BASED UI
   • MANAGEMENT HA
   • DELIVERED AS VIRTUAL APPLIANCE
2. VGW SECURITY VM
   • POLICY FROM MGMT TO ENGINE
   • LOGGING FROM ENGINE TO MGMT
   • IDS ENGINE
   • DEPLOYED AS HA PAIR
   • DELIVERED AS VIRTUAL APPLIANCE
3. VGW ENGINE
   • FULL FW IMPLEMENTATION IN THE KERNEL
   • STATEFUL FW
   • PER-VM POLICY
[Diagram: per ESX host, VM1, VM2, VM3 above the hypervisor; in the ESX kernel, the vGW engine attaches through VMware dvFilter to the VMware vSwitch or Cisco 1000V]

INTEGRATED WITH JUNIPER DATA CENTER SECURITY
[Diagram: vGW 4.5 on VMware vSphere (VM1, VM2, VM3) with Altor policies and central policy management; Firewall Event Syslogs and Netflow for Inter-VM Traffic sent to STRM; Zone Synchronization & Traffic Mirroring to IPS on a Juniper SRX with IPS; the network is a Juniper EX Switch]
DEMO
http://vgwdemo.juniper.net