Product Update Seminar
2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
AGENDA
13.00 Welcome
13.30 SRX update + Application Aware FW positioning
Value Add proposition having onbox AV (Kaspersky)
MAG SSL/UAC license scenarios recap
vGW short recap (demo)
15.30 Coffee break
EX technology portfolio update
"The new network is simply connected"
Wireless Newsflash
Westcon Academy Juniper Training update
17.30 Great drinks & Fingerfood @ SKYBAR terrace
Legal Disclaimer: This statement of product direction (formerly called "roadmap") sets forth Juniper Networks' current intention, and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this statement.
SRX update
Frederick Verduyckt, Security System Engineer
DON'T TAKE OUR WORD FOR IT...
• SRX650 wins Best of Interop Award, Infrastructure Category: "Branch Office Swiss Army Knife" that "packs a bunch of horsepower and features"
• SRX210 wins Tokyo Interop Grand Prix (highest honor) for SMB Infrastructure: "Amazed that high-performance JUNOS software is installed in this small appliance" – the vote was unanimous!
BRANCH SRX DELIVERS... CONSOLIDATED SECURITY AND NETWORKING
• All-in-one: single device for routing, switching, and security (Routing / WAN, LAN switching, UTM)
• Comprehensive security: easy to activate new layers of security (Firewall, VPN, IPS, Anti-Virus, Anti-Spam, Web filtering)
BRANCH SRX PORTFOLIO (small office to large branch / regional office)
• SRX100/110: small office
• SRX210: small to medium office; WAN slot, 2 x GigE, PoE
• SRX220: + 2 WAN slots, 8 x GigE, PoE
• SRX240: + 4 WAN slots, 16 x GigE, PoE
• SRX650: large branch / regional office; + more LAN slots, dual processors, dual P/S
SRX SERVICES GATEWAYS
• Highly configurable: fixed, semi-modular, and modular form factors; choice of WAN and LAN interfaces
• Extensive integration: full suite of JUNOS routing and switching capabilities; unmatched security, including FW, VPN, UTM, UAC, and full IPS
• Exceptional performance and availability: hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS; control and data plane separation, redundant processing and power

Model  | Configuration    | FW / IPS performance
SRX100 | Fixed            | 600 / 60 Mbps
SRX210 | 1 mini PIM slot  | 750 / 80 Mbps
SRX220 | 2 mini PIM slots | 950 / 100 Mbps
SRX240 | 4 mini PIM slots | 1500 / 250 Mbps
SRX650 | 8 GPIM slots     | 7000 / 900 Mbps
SRX SERVICES GATEWAYS DATA CENTER SERIES COMPARISON

Max. value (Junos 10.4)                    | SRX1400     | SRX3400          | SRX3600          | SRX5600    | SRX5800
FW throughput                              | 10 Gbps     | 20 Gbps          | 30 Gbps          | 60 Gbps    | 150 Gbps
VPN throughput                             | 2 Gbps      | 6 Gbps           | 10 Gbps          | 15 Gbps    | 30 Gbps
IPS throughput                             | 2 Gbps      | 6 Gbps           | 10 Gbps          | 15 Gbps    | 30 Gbps
Max PPS                                    | 1 million   | 3.5 million      | 6.5 million      | 9 million  | 21 million
Max sessions (/ with add'l license)        | 0.5 million | 2.25 / 3 million | 2.25 / 6 million | 9 million  | 12.5 / 14 million (with caveats)
New & sustained CPS (/ with add'l license) | 45k         | 175k             | 175k / 300k      | 350k       | 350k

Built-in interfaces (10/100/1000Base-T, 1000Base-X, 10GBase-F) and total I/O ports (GbE and 10 GbE, HA off / on): the per-model port counts on the original slide did not survive extraction.
SRX210 ENHANCED
• Improved SRX210 with a faster processor: processor speed increases to 600 MHz from 400 MHz (the existing SRX210 has a 400 MHz processor)
• Provides faster J-Web, improved boot-up time, faster throughput
• Provided under new SKUs: SRX210BE, SRX210HE, SRX210HE-POE; no change to list price; no change to datasheet specs
• FIPS & EAL4 certifications submitted with 10.4
• End-of-Sale of the existing SRX210 will be announced after receiving certifications in 2H 2011, providing at least 6 months' notice for LTB (last time buy)
SRX110: Single box solution for Enterprise and MSP
• Fixed form factor, 8 x 10/100 Mb Ethernet ports
• WAN options: VDSL Annex A or VDSL Annex B with ADSL fallback; 3G USB modem port for backup; Express slot is being deprecated
• Feature rich in routing, switching and security: Security – UTM, stateful firewall, IPsec VPN; Routing – RIP, OSPF, BGP, MPLS, VPLS; Switching – Ethernet switching feature parity with SRX100
• External CF for more storage options

SKU           | Memory & Storage     | LAN    | DSL WAN      | 3G WAN
SRX110H-VA-3G | 1 GB RAM, 1 GB Flash | 8 x FE | VDSL Annex A | Yes
SRX110H-VB-3G | 1 GB RAM, 1 GB Flash | 8 x FE | VDSL Annex B | Yes

Security & Performance
Routing performance      | Est. 100 Kpps
Firewall performance     | 750 Mbps (large packet), 250 Mbps (IMIX)
VPN performance          | 75 Mbps
IDP performance          | 65 Mbps
AV & IDP HW acceleration | No
High availability (Q3 '11) | A/A or A/P
3G/4G FOR SRX – UPDATES
SRX/Junos based 3G support
• GSM/HSPA+ modem support in Q3 '11 (Sierra Wireless 319U)
• Secure modem with modem cap (2H '11), recommended for use with SRX
• LTE/HSPA modem support in 1H '12; LTE/EVDO modem support in 1H '12
• No USB 3G support on 220/240/650
• Direct plug-in USB modem support for SRX100, SRX110 and SRX210E
CX111 Bridge: USB 3G/4G – this is the future
• CX111 3G/4G bridge for "ALL" SRX, SSG & J-Series
• Worldwide 70+ modems supported in latest firmware (July '11)
• Verizon LTE supported NOW
• CX111 supports SNMP NOW (v1.8.2, July 2011)
• Junos CLI based management: phase-1 release in Q4 '11
ROADMAP
SRX550: New platform for mid-large branches
• Faster than a J6350
• Flexible slots: two mPIM slots for low-speed interfaces; six PIM slots (2 XPIM + 4 GPIM); one ACE slot (future CPU offload)
• Support for LAN bypass (ports 4 and 5)
• 10 x GE ports built-in: 6 x GE, 4 x SFP
• Dual PSU support
• Two USB ports
• Serial and USB-based console
• External CF/SSD for storage
• Beta in 11.4

Security & Performance Targets
Routing performance      | Est. 700 Kpps
Firewall performance     | 2 Gbps (IMIX), 8 Gbps (large packets)
AV & IDP HW acceleration | Yes
IPsec performance        | TBD

APPSECURE UPDATE
WHERE IS SECURITY HEADED? CONTEXT AWARENESS
"Location, device and user" vs. "Source to Destination"
[Diagram: a global high-performance network connecting branch, campus and mobile clients to the data center; classic "source to destination" enforcement contrasted with context awareness: what user, what application, user device, user location.]
APPSECURE SOFTWARE SERVICE SUITE
Application Intelligence from User to Data Center
• Subscription service includes all modules and updates
• Juniper Security Lab provides 800+ application signatures
Modules:
• AppTrack: understand security risks; address new user behaviors
• AppFW (2H 2011): block access to risky apps; allows user-tailored policies
• AppQoS: prioritize important apps; rate limit less important apps
• AppDoS: protect apps from bot attacks; allow legitimate user traffic
• IPS: remediate security threats; stay current with daily signatures
APPSECURE USE CASE – COST REDUCTION
Customer Profile: Large technology company with over 100 offices worldwide
Customer Initiative: IT cost reduction through standardization on a smaller number of supported applications
AppSecure Implementation:
• AppTrack: identify global use of applications, cloud-based or not
• AppFW: block out-of-policy applications (Facebook)
• AppQoS: prioritize business-critical applications (Oracle, Google Sites); lower priority of less essential applications (QuickTime)
APPSECURE USE CASE – COMPLIANCE
Customer Profile: US based HR recruiting firm with clients in US and EMEA
Customer Initiative: Standardize on a single e-mail application to meet compliance guidelines
AppSecure Implementation (AppTrack and AppFW):
• Identify and permit Microsoft Outlook traffic
• Identify and permit access to LinkedIn to enable recruiting productivity
• Identify and deny access to LinkedIn's InMail application
APPSECURE AVAILABILITY (High End SRX / Branch SRX)
The per-module release mapping on the original slide (AppTrack, AppFW, AppQoS, AppDoS and IPS across Junos 11.1, 11.2, 11.4, 1H12 and TBD) did not survive extraction; the one legible row is User-Roles: 12.1 on both High End SRX and Branch SRX.

LOGICAL SYSTEMS UPDATE
WHAT IS LSYS?
• Virtualization of many aspects of Junos, especially security policies and enforcement options
• "Complete" separation of a single device into unique virtual instances, including:
  • Administrative separation – users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box
  • Traffic separation – network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
  • Resource separation – resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances
• An evolution of ScreenOS's VSYS concept
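The resource-separation point above is easiest to see in a small model. The following Python is an added example, not Juniper code: it assumes each LSYS profile carries a reserved quota that is guaranteed to it and a maximum cap, with the unreserved remainder shared; the LSYS names, profile numbers and capacity are constructed.

```python
# Added example (not Juniper code): a model of LSYS resource budgeting.
# Assumed semantics: each LSYS profile has a *reserved* quota guaranteed
# to it and a *maximum* cap; capacity nobody has reserved is a shared pool
# any LSYS may draw from up to its cap.  Names and numbers are constructed.
from dataclasses import dataclass, field


@dataclass
class Profile:
    reserved: int   # guaranteed to this LSYS
    maximum: int    # hard cap for this LSYS


@dataclass
class Budget:
    resource: str                  # e.g. "sessions", "policies", "zones"
    capacity: int                  # system-wide capacity of the resource
    profiles: dict                 # LSYS name -> Profile
    in_use: dict = field(default_factory=dict)

    def __post_init__(self):
        if sum(p.reserved for p in self.profiles.values()) > self.capacity:
            raise ValueError("reservations exceed %s capacity" % self.resource)
        for name in self.profiles:
            self.in_use.setdefault(name, 0)

    def _unfilled_reservations(self, exclude):
        # Reserved quota that other LSYS instances have not consumed yet;
        # it stays available to them and is not part of the shared pool.
        return sum(max(p.reserved - self.in_use[n], 0)
                   for n, p in self.profiles.items() if n != exclude)

    def allocate(self, lsys, count=1):
        """Charge `count` units to `lsys` and return True, or refuse."""
        used = self.in_use[lsys]
        if used + count > self.profiles[lsys].maximum:
            return False                       # per-LSYS cap
        free = self.capacity - sum(self.in_use.values())
        if count > free - self._unfilled_reservations(lsys):
            return False                       # would eat another's guarantee
        self.in_use[lsys] = used + count
        return True


def demo():
    b = Budget("sessions", 100,
               {"LSYS1": Profile(30, 60), "LSYS2": Profile(30, 80)})
    return (b.allocate("LSYS2", 70),   # fits: under cap, leaves LSYS1 its 30
            b.allocate("LSYS2", 1),    # refused: only LSYS1's guarantee is left
            b.allocate("LSYS1", 30))   # LSYS1 still gets its reserved 30
```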
LSYS VS. VSYS
ScreenOS VSYS: IP → Interface → Zone → Virtual Router → Virtual System
Junos LSYS*: IP → Interface → Zone → VR → Logical System
*All interfaces in a given zone must be in the same routing instance
LSYS ISN'T A HYPERVISOR-LEVEL VIRTUALIZATION
• Only one version of Junos is running on the SRX
• System daemons have been made 'LSYS aware'; in some cases, multiple daemons are used, one per LSYS
• Akin to "operating system-level virtualization": looks and feels like a real system, with resource protection to protect one LSYS from another
EXAMPLE
[Diagram: the root LSYS0 (zones LRlt and Inet) is joined to LSYS1 (zones L1lt and L1USR) and LSYS2 (zones L2lt, L2SVR and L2USR) over logical tunnel interfaces lt-0/0/0.0 to lt-0/0/0.5; hosts PC1, PC2 and PC3 sit in the user and server zones.]
LSYS MANAGEMENT METHODS
• CLI: global (root) view; LSYS view
• Web: J-Web global view; J-Web LSYS view
• NMS: Space; third-party
LSYS: 11.2 CLI

Global configuration view (root):
    interfaces {...}
    lsys-profiles {...}
    applications {...}
    schedulers {...}
    routing-instance {...}
    protocols {...}
    routing-options {...}
    security {
        policies {...}
        zones {...}
        nat {...}
    }

LSYS-level configuration view:
    logical-system LSYS1 {
        profile profile-name-Premium;
        interfaces {...}
        routing-instance one {...}
        applications {...}
        security {
            policies {...}
            schedulers {...}
            zones {...}
            nat {...}
        }
    }

Global Configuration View
• Root administrator can configure all elements of the SRX
• Must create LSYS and LSYS users
• If desired, all admin can be done by root

LSYS-Level Configuration View
• LSYS administrators see only LSYS-level configuration details
• Includes LSYS-only view of all logs
JWEB IN 11.2: LSYS MONITORING
JWEB IN 11.2: CONFIGURATION OF LSYS
WHEN TO USE LSYS
Customer requirements:
✔ Complete separation of traffic (zones and VRs can also provide this functionality without LSYS)
✔ Administrative delegation
✔ Log separation
✔ Resource reservation

vGW update
VIRTUALIZATION SPECIFIC REQUIREMENTS
• Secure VMotion / live migration: VMs may migrate to an unsecured or lower trust-level zone; security should enable both migration and enforcement
• Hypervisor protection: a new operating system means a new attack surface; hypervisor connection attempts should be monitored
• Regulatory compliance: isolating VMs, access control, audit, etc.; segregating administrative duties inside the virtual network; tracking VM security profiles
SECURITY IMPLICATIONS OF VIRTUAL SERVERS
• Physical network: firewall/IPS inspects all traffic between servers
• Virtual network (VM1, VM2, VM3 on the hypervisor of an ESX host): physical security is "blind" to traffic between virtual machines
APPROACHES TO SECURING VIRTUAL SERVERS: THREE METHODS
1. VLAN segmentation
• Each VM in a separate VLAN
• Inter-VM communications must route through the firewall
• Drawback: possibly complex VLAN networking
2. Agent-based
• Each VM has a software firewall (FW agents)
• Drawback: significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based firewall (FW as a kernel module in the hypervisor)
• VMs can securely share VLANs
• Inter-VM traffic always protected
• High performance from implementing the firewall in the kernel
• Micro-segmenting capabilities
VGW KERNEL IMPLEMENTATION
Fully "fast-path":
• All firewall processing is done within the hypervisor
• High performance, >10 Gbps throughput
Designed for ESX architecture:
• Independent processing of firewall policy per VM
• Scales up as core count increases
[Diagram: on the ESX host, VM1, VM2 and VM3 attach to the VMware vSwitch or dvSwitch; the Altor VMsafe kernel module (Altor VF) in the ESX kernel handles packets/data through the VMsafe interface, while the Altor VM (vGW 4.5 engine) carries policy, logging and management and forwards to partner servers (IDS, syslog, NetFlow).]
VGW ARCHITECTURE: 3 MAIN MODULES
1. Security Design vGW: central management; web-based UI; management HA; delivered as a virtual appliance
2. vGW Security VM: policy from management to engine; logging from engine to management; IDS engine; deployed as an HA pair; delivered as a virtual appliance
3. vGW Engine: full FW implementation in the kernel; stateful FW; per-VM policy
[Diagram: on each ESX host, the vGW engine sits in the ESX kernel beneath VM1, VM2 and VM3 via VMware dvfilter, above the VMware vSwitch or Cisco 1000V.]
STRM INTEGRATED WITH JUNIPER DATA CENTER SECURITY
[Diagram: vGW 4.5 (Altor) on VMware vSphere protecting VM1, VM2 and VM3; central policy management pushes policies; firewall event syslogs and NetFlow for inter-VM traffic feed STRM; zone synchronization and traffic mirroring to the IPS on the Juniper SRX; Juniper EX switch in the network.]
DEMO
http://vgwdemo.juniper.net