| copyright © 2009 juniper networks, inc. | 1 securing the enterprise - new trends on networking...

Upload: dianna-onion

Post on 22-Jan-2016

TRANSCRIPT

  • Securing the Enterprise - new trends on networking security

    SCOP / Bucharest, 15th April 2009

    Uwe Richter, Sr. SE Manager Eastern Europe

    The most flexible, cost-effective solution for mid to large enterprises and service providers

  • Juniper Networks - Leadership & Expertise

    [Timeline graphic (labels: 2000, Now): 1G FW & 1G VPN, 100 VSYS; 2G FW & 1G VPN, 250 VSYS; A/A-Full Mesh HA; 10G & 30G FW; 6M & 18M PPS; 10 GigE interfaces; Jumbo Frames; Hardware AES; 4G & 12G FW; 3M & 9M PPS; 500 VSYS]

  • What customers expect...

    Deliver a superior user experience; faster application and service deployment; total cost of ownership advantage; Integrated Services; Operational Simplicity; Scalable Performance

  • Today's Enterprise Requirements: Enablement versus Constraint

    Core / Infrastructure: 10 GigE; more traffic, new/next gen apps, video and other streaming media

    Customers demand full-fledged security posture for network performance; deliver all security services at scale: 10+ Gbps

  • Business Challenges: Performance and Flexibility Compromise

    Traditional solutions based on performance/flexibility tradeoff

    Limited performance options: deploy more platforms; disable expensive features

    Limited flexibility options: deploy dedicated appliances

  • Pitfall of Today's Security Adaptability

    Limited flexibility in adapting to business requirements; poor service integration resulting in poor business operations; complex rack space planning; installation, management and maintenance overhead

    [Chart: Network Traffic Requirements and Security Requirements (FW, IPS & VPN, in Gbps; axis ticks 10 and 5) over Time, TODAY to FUTURE; ASA 5540. Rack Space Planning: High; CAPEX: High; OPEX: High]

  • Dynamic Services Architecture

    Dedicated Control Plane; Built-on Terabit Fabric; Interchangeable I/O and processing cards; Any service, any card

    Feature integration on JUNOS: fast time to market; tightest integration between features

    Carrier-class Reliability; Interface Scalability; Processing Scalability; Dedicated Management

    Service Integration via JUNOS: QoS, DoS, NAT, VPN, FW, IDP

  • SRX Services Gateway: Family of JUNOS-based Dynamic Services Gateways

    Dynamic Services; Consolidate Management Framework; App Layer Forwarding; Threat Prevention; Access Control

    SRX Dynamic Services Gateway: Routing, Firewall, IPS, IPSec VPN, NAT

  • SRX Dynamic Services Gateways: SRX5000 Series Services Gateway

    Revolutionary Architecture; Integrated Services; Scalable Performance; Operational Simplicity

    World's Fastest Security Solution; the heritage of ScreenOS on JUNOS; Sept 2008 Market Introduction

  • Juniper (mid to high-end) Enterprise Security Portfolio

    Throughput scale: 10 Gbps; 30 Gbps; 50 Gbps; 150 Gbps

    FW and Integrated Security: designed for enhanced perimeter and DC security

    Products addressing this segment?

    Products shown: SRX5600; SRX5800; NS5400

    Services Gateway: designed for integration and scalability; Dynamic Services Architecture; Terabit Fabric Technology; Dynamic Processing Pool; Dynamic I/O Pool; JUNOS SW feature delivery

  • No Compromise Security: SRX3000-line: The most cost-effective network security solution

    Maximum Flexibility without Sacrificing Security

    Unmatched Price / Performance

    Powered by JUNOS and Juniper's Dynamic Services Architecture (DSA)

    Based on Dynamic Services Architecture for accelerated new service deployment

  • SRX3400

    Hardware: modular chassis; 7 slots (4 front, 3 rear); MGT module dual, hot swap; 3U chassis height

    Fixed Interfaces: 12 built-in (8-10/100/1000 + 4-SFP); 2 Ethernet Management Ports

    Modular Interfaces: 16-10/100/1000; 16-SFP; 2-XFP

    Performance & Capacities: FW 10/20 Gbps; VPN 6 Gbps; IDP 6 Gbps; concurrent sessions 1M; new and sustained CPS 175k; concurrent IPSec VPN tunnels 10k

    [Images: Front; Rear]

  • SRX3600

    Hardware: modular chassis; 12 slots (6 front, 6 rear); MGT module dual, hot swap; 5U chassis height

    Fixed Interfaces: 12 built-in (8-10/100/1000 + 4-SFP); 2 Ethernet Management Ports

    Modular Interfaces: 16-10/100/1000; 16-SFP; 2-XFP

    Performance & Capacities: FW 10/20/30 Gbps; VPN 10 Gbps; IDP 10 Gbps; concurrent sessions 2M; new and sustained CPS 175k; concurrent IPSec VPN tunnels 20k

    [Images: Front; Rear]

  • Sample SRX3000 Base Configurations

    SRX3400 Minimal Configuration: SRX 3400 Chassis; 1 SPC; 1 NPC

    SRX3600 Minimal Configuration: SRX 3600 Chassis; 1 SPC; 1 NPC

  • System configuration flexibility

    Flexible configuration of IOCs, NPCs and SPCs:

    SRX3400: 7 slots for Common Form-factor Modules (CFMs): 4 in the front for IOCs and SPCs; 3 in the rear for NPCs and SPCs; 4 SPCs max (1 min); 2 NPCs max (1 min); 4 IOCs max

    SRX3600: 12 slots for Common Form-factor Modules (CFMs): 6 in the front for IOCs and SPCs; 6 in the rear for NPCs and SPCs; 7 SPCs max (1 min); 3 NPCs max (1 min); 6 IOCs max

    SRX 3400-DC is limited by power supply capacity. No HA limitations.

  • SRX 3K Packet Flow: Fully Integrated

    [Diagram labels: Ingress Packet; Egress Packet; Flow Lookup; Classification; DoS/DDoS; Policing; Services: FW/VPN/IDP, NAT/Routing; Routing / Device MGT; QoS/Shaping; Integrated in SRX 5000 IOC; Oversubscrptn. Control]

  • Integrated Services: Dynamic Services Architecture Differentiator

    [Comparison table, Juniper SRX vs. Traditional Appliances; rows: Dedicated Control Plane; Buildable I/O Pool; Buildable Processing Pool; Single device to manage; Single policy/configuration; Scalable Service Engine]

  • Adapting to Changing Security Requirements

    High integration supporting wide range of services; scales as your business grows; minimal/no policy changes required

    [Chart: Network Traffic Requirements and Security Requirements (FW, IPS & VPN, in Gbps; axis ticks 10 and 5) over Time, TODAY to FUTURE. Rack Space Planning: NONE; CAPEX: LOW; OPEX: LOW]

  • Price per Gbps FW/IPS/IPSec VPN

    [Chart labels: Cisco ASA 5580; Juniper SRX 3600; 10 Gbps FW, IPS & IPSec VPN Solution; 31 Appliances; Cisco ASA 5540; Juniper SRX 3600]

    Industry's most cost-effective security solution

  • Juniper (mid to high-end) Enterprise Security Portfolio

    Throughput scale: 10 Gbps; 30 Gbps; 50 Gbps; 150 Gbps

    FW and Integrated Security: designed for enhanced perimeter and DC security

    Services Gateway: designed for integration and scalability; Dynamic Services Architecture; Terabit Fabric Technology; Dynamic Processing Pool; Dynamic I/O Pool; JUNOS SW feature delivery

    Products shown: ISG/IDP; SRX5600; SRX5800; NS5400; SRX3400; SRX3600

  • Juniper Networks Security Manager: A comprehensive approach to security management

    Device-lifecycle management: manages through every phase of device lifecycle: design, deploy, configure, monitor, maintain, upgrade, adjust

    Manage all aspects of configuration: manage configuration tasks at device, networking and security levels

    Delegation of administrative access: provides needed power and tools to the right groups (access and control); control to provide/restrict information to different people within the organization, allowing them to make appropriate decisions

    [Diagram: The Device Lifecycle]

  • NSM Management Features

  • 3-Tier Management

    [Diagram labels: Network-Security Manager (NSM); Centralized NSM Server; Common User Interface; IDP Appliances; ISG / ISG with IDP; SSG Series; NS-5000 Series]

  • Future Direction

    Best-in-Class Routing; Best-in-Class Security; continued leadership in networking; continued leadership in security; integrated security and networking on JUNOS

  • The High-Value Branch

    When remote sites are essential to the organization's strategic mission, you can WIN!

    Ministry of Foreign Affairs

  • What Are High-Value Remote Locations?

    Gateways to Better Businesses

  • THANK YOU

    Simultaneously Scale Integrated Services and Network Capabilities

    Carrier Grade Availability

    Operational Simplicity through a Single Network OS

    In the past, decisions were based on three perimeters: have a tunnel/pipe and the security devices looked at 1) IP address, 2) port and 3) protocol.

    Juniper NSM is for those environments that have large deployments of Juniper FW/VPN and IDP devices. Right now it manages only the Firewall/VPN and IDP platforms, but going forward that will be extended to other Juniper security platforms as well. NSM is Juniper's central management tool for FW/VPN and IDP appliances.

    The Domains and Role-based Admin feature deserves to be pointed out in this slide. While often requested by service providers, this feature is also very valuable to enterprises. It is not uncommon for an enterprise to logically divide the roles of administrators based on the type of security gear, so that a specific administrator manages firewall policies while others manage IDP policies, etc. It is also common for enterprises to logically separate admin responsibilities based on their business requirements (e.g., a particular admin manages all security gear at a specific branch office while another manages the headquarters).

    NSM utilizes a 3-tier management architecture which optimizes performance as well as security. From the perspective of the administrator, managing multiple security appliances is greatly simplified.