Juniper Next-Generation Services Gateway SRX-(NXPowerLite).ppt

1、Juniper New-Generation Security Services Gateway SRX,Juniper Next-Generation Security Services Gateway,Next-generation security services gateway Scalable performance Rich service features Firewall/UAC enforcement point IDP IPSEC VPN Routing / QoS,3U, 4+3 CFMs, 8+4 GE, 2 RE*, 1+1 PS, 20/6/6 Gbps, 1M sessions, 175kcps, 10k IPSEC tunnels,5U, 6+6 CFMs, 8+4 GE, 2 RE*, 2+2 PS, 30/10/10 Gbps, 2M sessions, 175kcps, 20k IPSEC tunnels,8U, 6 slots, 2

2、RE*, 1+1 SCB, 2+2 PS, 60/15/15Gbps, 8M sessions, 350kcps, 30k IPSEC tunnels,16U, 12 slots, 2 RE*, 2+1 SCB, 3+1 AC, 2+2 DC, 120/30/30 Gbps, 8M sessions, 350kcps, 60k IPSEC tunnels,SRX210,SRX650,SRX3600,SRX3400,SRX5600,SRX5800,SRX100,SRX240,SRX Series JUNOS-based services security gateways,Dynamic Services,Consolidate Management

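3、 Framework,App LayerForwarding,ThreatPrevention,Access Control,SRX Dynamic Services Gateway,Routing,Firewall,IPS,IPSec VPN,NAT,UAC,?,A perfect fusion of the carrier-grade routing operating system JUNOS and the security operating system ScreenOS Advanced features from JUNOS such as MPLS/NSF/NSR Hierarchical CLI configuration style from JUNOS Security features from ScreenOS: security zones/NAT/IPsec VPN/Screen/deep inspection/UTM Advanced management features such as Commit/JUNOS Scripts Modular design Fault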

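4、and memory protection Independent processes, independent restart 10+ years of development, TL-9000 certified,M40e,MX960,M7i,M10i,T320,T640,M320,M120,JUNOS,M20,kernel,Protocols,Interface management,Chassis management,SNMP,Security,J2300/ J4350/ J6350,SRX software: the new-generation security operating system JUNOS,Integrated best-in-industry solution,JUNOS High-performance network operating system More than 10 years of innovation and development Serving the most demanding customers,ScreenOS The foundation of Juniper security devices Market-leading innovation and features #1 in high-end firewall market share Infonetics 06/09,Performance and reliability that meet service-provider needs, plus enterprise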

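5、security features In a single OS, providing simplified operation, reliability/performance and enhanced functionality,* Infonetics Network Security Appliances and Software - Quarterly Worldwide Market Share and Forecasts for 3Q07,High-end security products,10 Gbps,30 Gbps,50 Gbps,150 Gbps,ScreenOS,JUNOS,SRX5800,ISG2000,ISG1000,NS-5200,NS-5400,SRX3400,SRX3600,SRX5600,SRX high-end platform hardware design,Central services plane Built on a high-speed switching backplane With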

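6、separate control and data planes Adaptive platform Scalable processing capacity Provides scalability in performance and capacity Availability All components are redundant,Service Processing Cards,Fabric,Input/Output Cards,RE,SRX software capabilities,Highly integrated services Visibility into advanced services and features New services delivered on the same card High-density, programmable processing capacity Intelligent task sharing Distributes computation across the whole system Excellent distributed model for session setup and service delivery Scalable services Services at every network “layer” Rich Layer 3 features Routing/QoS/NAT Full L4-7 support FW, VPN, IDP, UTM,Services Processing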

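7、Card,Fabric,QoS,DoS,NAT,VPN,FW,IDP,SRX 5000 Series Dynamic Services Gateways,SRX 5000 Series Services Gateways,Released September 2008 Revolutionary architecture Integrated services Scalable performance Simplified operation The world's fastest security solution The ScreenOS heritage, continued in JUNOS,SRX5000: the world's fastest security solution,The world's highest-capacity firewall Integrated services Scalable performance Simplified operation Powered by JUNOS and the Juniper Dynamic Services Architecture (DSA),SRX5800,Vertical-slot chassis 2 dedicated switch fabric modules (default) 12 slots (SPC/IOC) Interface IOC modules (built-in NP module) 40-SFP 4-10Gig Fle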

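8、xIO 2 slot FPC 16xGE, 4x10G modules SPC modules Size 16U Performance FW 150 Gbps VPN 30 Gbps IDP 30 Gbps Concurrent sessions 8M New sessions 350K Concurrent VPN tunnels 100k,SRX5600,Horizontal-slot chassis 1 switch fabric module 6 slots (SPC/IOC) Interface modules 40-SFP 4-10Gig FlexIO 2 slot FPC 16xGE, 4x10G modules SPC modules Size 8U Performance FW 60 Gbps VPN 15 Gbps IDP 15 Gbps Concurrent sessions 8M New sessions 350k Concurrent VPN tunnels 1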

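9、00k,FlexIOC,Low-cost, modular I/O card Full width Supports two kinds of pluggable modules 16xSFP, 16xCopper & 4xXFP Based on the existing architecture Interoperates with current 40 xSFP/4xXFP IOC cards 20Gbps maximum throughput Vs. 40Gbps for 4x10G or 40 x1G IOCs,16x10/100/1000,4x10Gig XFP,NEW!,Services processing card,Fabric,Input/output card,Flow lookup Classification DoS/DDoS Rate limiting,Ingress packets,Egress packets,Service processing FW/IPSec VPN/IDP NAT/routing,Routing/ device management,QoS/Shaping,SRX 5K packet flow Fully integrated,RE,SRX30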

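10、00: the most cost-effective network security solution,Maximizes flexibility without compromising security Unbeatable price/performance Powered by JUNOS and the Juniper Dynamic Services Architecture (DSA),SRX3400: product overview,Hardware Modular chassis 7 slots (4 front, 3 rear) 3U chassis height Dual-RE ready 1+1 power supplies Fixed interfaces 12 built-in (8-10/100/1000 + 4-SFP) 2 Ethernet Management Ports Modular interfaces 16-10/100/1000 16-SFP 2-XFP Performance & processing capacity FW 10 / 20 Gbps VPN 6 Gbps IDP 6 Gbps Concurrent sessions 2.25M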

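11、 New sessions per second 175k,Front,Rear,SRX3600: product overview,Hardware Modular chassis 12 slots (6 front, 6 rear) 5U chassis height Dual-RE ready 2+2 power supplies Fixed interfaces 12 built-in (8-10/100/1000 + 4-SFP) 2 Ethernet Management Ports Modular interfaces 16-10/100/1000 16-SFP 2-XFP Performance & processing capacity FW 10 / 20 / 30 Gbps VPN 10 Gbps IDP 10 Gbps Concurrent sessions 2.25M New sessions per second 175k,1.5,Flow lookup Classification DoS/DDoS Rate limiting, Ingress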

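12、packets, Egress packets,Services FW/VPN/IDP NAT/routing,RE,Routing / device management,QoS/Shaping,Network processing card,Oversubscription control,Input/output card,SRX 3K packet flow Fully integrated,Juniper's complete low-end and mid-range UTM product family,Centrally managed by NSM,Telecommuter/Small Office,Small to Medium Branch,Large Branch/Regional Office,SRX 100,SRX 210 Firewall performance (max) 750 Mbps IPS performance 80 Mbps VPN performance 75 Mbps Maximum concurrent sessions 64 K,SRX 240 Firewall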

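13、performance (max) 1.5 Gbps IPS performance 250 Mbps VPN performance 250 Mbps Maximum concurrent sessions 128 K,SRX 650 Firewall performance (max) 7 Gbps IPS performance 900 Mbps VPN performance 1.5 Gbps Maximum concurrent sessions 512 k,SRX650,Positioned for the enterprise core or large branch offices Modular, expandable interfaces, up to 52 Gigabit ports Optional redundant power supply Expandable voice capability (field upgradable via PIMs in 2010) A perfect fusion of routing and UTM functions Firewall/VPN, IPS (IDP), anti-virus, anti-spam, web filter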

14、ing, content-filtering, UAC Enforcement,SRX240,For small and medium branch offices WAN module support Routing (JUNOS) UTM functions Firewall/VPN, IPS (IDP), anti-virus, anti-spam, web filtering, content-filtering, UAC Enforcement UTM requires High memory mini-PIM voice card - (Q409) Factory-installed voice module (Q409),SRX210,For small businesses and branch offices WAN interface support Routing, NAT Full UTM functions Firewall/VPN,

15、 IPS (IDP), anti-virus, anti-spam, web filtering, content-filtering, UAC Enforcement UTM requires the high-memory version Available Voice version with mini-PIM options - (Q3 09) Factory-configured voice model (Q309),SRX100,Ideal for micro-branch, managed telecommuters, SOHO Fixed I/O 8 x 10/100 Ethernet ports Routing, NG N

16、AT Full UTM features Firewall/VPN, IPS (IDP), anti-virus, anti-spam, web filtering, content-filtering, UAC Enforcement UTM requires High Memory model (Software UTM, no CSA) ExpressCard slot on VDSL & 802.11n platforms,SRX branch product highlights,Performance “Content security hardware acceleration” IDP & Antivirus hardware acceleration “Express AV” Antivirus stream mat

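17、ching Integrated multiservice security platform Routing (WAN module support), switching, firewall, VPN Dynamic VPN client (similar to NC, supported on the SRX200 series only) Intrusion prevention (full IDP functionality) Antivirus, antispam and web filtering Voice, wireless, application acceleration (future) 3G module support PoE, PoE+ Reliability design Multicore-processor-based architecture separating forwarding and control JSRP high-availability support (A/A, A/P),JUNOS-based multiservice security platform,SRX210,3G wireless WAN,Deployments- Primary connection where wired broadband is not available Back up connectivit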

18、y with wired primary. Out of band management, remote deployment. Available on SRX210,HQ,Datacenter,3G Wireless,Dynamic VPN Services,INTERNET,Retail,Branch,Regional,Branch wireless AP solution,Juniper 802.11n indoor solution Backwards compatible to .11a/b/g Dual mode radio support 300Mbps (Aggregate) Single radio 200Mbps (1

19、60Mbps typical) Spatial Streams: 2x2:2, 2x3:2, 3x3:2 UL2043 Plenum rated for over ceiling mounting. 50 Meter range (indoor) Unit can be mounted on ceiling or wall Virtual AP technology Support of up to 16 simultaneous SSIDs 802.11e WMM capable 1 Gigabit Ethernet POE support Optional External Power S

20、upply Serial Console Support L2 Managed by SRX Branch Products Additional licensing cost for Branch SRX to manage multiple access points Clusters of 4,8,16 APs.,Software features 802.1Q VLAN support Up to 4,096 VLAN support (platform dependent) Routed VLAN Interface (RVI) GARP VLAN Registration Protocol (GVRP) QO

21、S on VLAN interface L3 Strict priority queuing (LLQ) L3 Smoothed Deficit Weighted Round Robin (SDWRR) L3 Weighted Random Early Discard (WRED) L3 Per port and per queue shaping 802.1x Port based Authentication 802.3ad (AX) link aggregation* STP, Spanning Tree Protocol 802.1D Spanning Tree Protocol 80

22、2.1S Multiple STP 802.1w Rapid STP Jumbo Frame Support (9,216 Byte)*,Ethernet switching,SRX210,SRX240,SRX650,Hardware (onboard Ethernet) SRX100 8 Fixed 10/100 (Switched or Routed) SRX210 Fixed 2 10/100/1000 + 6 10/100 (Switched or Routed) 802.3af optional POE (2FE + 2GE) SRX240 Fixed 16 Ports 10/100/1000 (Switched or Routed)

23、Power over Ethernet (optional all ports) 802.3af, 802.3at SRX650 Fixed 4 ports 10/100/1000 (Routed),Hardware (Ethernet modules) SRX Mini-PIM (SRX210/SRX240) 1 Port SFP 16 port GigE XPIM for SRX650 Double-high Full-duplex 20 Gbps backplane 16 port GE and optional PoE 24 port GigE including 4 SFP slots XPIM for SR

24、X650 Double-high - double-wide Optional POE - 24 port GE with PoE incl 4 SFP slots Full-duplex 20 Gbps backplane Optics SRX GE SFP LH | SRX GE SFP LX | SRX GE SFP SX |SRX GE SFP 1000 Base-T | SRX FE FX SFP,SRX100,* Not supported on SRX100,Unified Threat Management (UTM) Features,Websense to block to

25、 unapproved site access,Web Filtering,Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware, Adware, Keyloggers,Kaspersky Lab AV stops viruses, file-based trojans or spread of spyware, adware, keyloggers,Antivirus,Symantec stops Spam / Phishing,Antispam,Juniper IDP detects/stops Worms, Trojans

26、, DoS (L4 & L7), Scans,IPS,Firewall, VPN, Unified Access Control,Core Security,Firewall, VPN, Unified Access Control,SRX Series blocks transmission of files for Data Loss Prevention,Content Filtering,Internal Threats,External Threats,INTERNET,Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7),

27、Scans,Juniper Networks Unified Access Control (UAC),UAC Agent,EX Series,L2 Switch,802.1X Switches & Access Points,APPLICATIONS,Juniper Firewall Platforms,POLICY SERVER,Identity Stores,IC Series,1,UAC Enforcement Points,Data,App,Internet,2,2,3,Control Access to Protected Resources,Dynamically Provisi

28、on Policy Enforcement,Authenticate User, Profile Endpoint, Determine Location,Comprehensive, vendor-agnostic, standards-based access control across heterogeneous environments delivering investment protection,1,SRX,SRX210,Remote Access,Dynamic VPN Service Access Manager Client A dynamic IPSEC Client

29、that is automatically downloaded 5-user, 10-user, 25-user, 50-user (SRX240) license option with simultaneous tunnel enforcement Supported on the SRX100*, SRX210, and SRX240 Not supported on SRX650 Automatic client upgrade capabilities Self-provisioning from SRX210, SRX240 IPSec with TCP-based fallba

30、ck for NAT traversal Initial release to support Windows platforms: XP, Vista, Win 2000,Wired,Wireless,3G Wireless,Dynamic VPN Services,INTERNET,*Supported in JUNOS 10.0,Juniper Unified Management,Unified management across Juniper's network infrastructure Network lifecycle management: Provision, Monitor,

31、and Troubleshoot Consistent and Open standards NBI for easy integration with 3rd party NMS,EMS,NMS,Visibility,Diagnostics,SNMP, Syslog, XML,SNMP, Syslog,NetConf, DMI, Syslog, Sflow,Security Threat Response Manager,Network & Security Manager (NSM),JUNOScope,Advanced Insight Manager,NETWORK MANAGEMENT

32、,HTTP / HTTPS XML,Telnet, SSH, XML,Switching,Security,Routing,MX Series,M Series,ISG/IDP,SSL VPN,Infranet Controller,SRX5600,Network and Security Manager,Along with SRX, NSM Manages Juniper's entire enterprise portfolio*,NSM is a great way to port ScreenOS customers over to a JUNOS solution and to he

33、lp manage a mixed environment,Common Management also offers huge up-sell opportunity,Security Threat Response Manager,STRM supports SRX Series Intrusion Prevention System (IPS) 220+ out-of-the box report templates Fully customizable reporting engine: creating, branding and scheduling delivery of rep

34、orts Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA Reports based on control frameworks: NIST, ISO and CoBIT,Rapid Deployment,Simplified deployment- Eliminate need for- Pre-staging device IT at point of installation Reduce - Provisioning time Installation cost No “truck roll”,A U

35、nique ID for tracking purposes Untrust Interface configuration Configuration parameters to enable “registration” of device to management server User/Password Management Server IP Address/Domain Name One time password,1. Generate and export startup config to USB,Network and Security Manager,USB Loads

36、 startup config Validation of start up config Secure communication to NSM,SRX 210,5. Download Running Config,6. SRX In Service,Juniper Branch Products: SSG, SRX, and J Series Products,SSG320M,SSG5 Wireless,SSG20 Wireless,J2320,J2350,SSG140,SSG350M,SSG520 SSG520M,J6350,SSG550 SSG550M,J4350,Juniper firewall product

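37、market positioning,Juniper has a very complete firewall product line that covers the needs of all users, from SOHO to carrier core. SSG series low-end and mid-range firewalls target small and medium enterprises Purchase and maintenance cost are the primary requirements Routing and security functions all in one Unified configuration interface Juniper SSG series products have unmatched advantages Lower purchase cost No need to manage multiple devices Acceptable performance High-end firewalls target carriers and large enterprises Performance and stability are the users' primary requirements The firewall must not become the bottleneck of network processing capacity when new services are enabled The firewall must be highly stable and must not affect normal business operations Target customers for Juniper ISG/SRX3000/SRX5000 Positioning of the SRX product family Complements and completes the current SSG/ISG product line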

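38、 Currently promoted SRX models: SRX650, SRX3400, SRX3600, SRX5800,Competitive advantages of high-end SRX products,Performance Unmatched performance of the SRX5000 series: 120Gbps throughput per unit Flexible configuration: choose the number of SPCs according to customer needs to reach the required performance Hardware Separation of forwarding and control (routing engine, SPC and NPC are handled by independent hardware and can be configured as needed) Switch fabric: does away with the bus-based internal data exchange of existing firewalls and provides a high-performance switch fabric with truly non-blocking switching (the SRX5000 uses the MX series switch fabric; the SRX3000 series uses the SF16 fabric) Large total number of interfaces (the SRX5800 supports up to 240 GE and 24 10GE; the SRX3600 has 12 GE ports by default, total GE interfaces 1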

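39、00+, total 10GE ports 12) Features Advantages of JUNOS Routing QoS Configuration rollback Full IDP functionality (handled by independent hardware, dedicated cores in the multicore processor) Hardware-based DoS attack protection (Screen feature) Policy-based traffic statistics, policy-based new-session statistics, etc.,Why sell the SRX5800?,Delivers capacity and performance that competitors cannot match, Meets rapid future growth in service traffic Technical advantages unique to high-end SRX, with distinctive technical features If an SRX5000 can be sold, generally sell the SRX5800 rather than the SRX5600, because price and cost are essentially the same,SRX5800,SRX5600,Why sell the SRX3400/3600?,Addresses the insufficient competitiveness of the ISG2000 and NS5200, good price/performance, distinctive technical features SR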

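40、X3400 is priced on par with the ISG2000, and slightly cheaper than the ISG2000 with the same interface configuration. Performance and capacity are far above the ISG2000, with every performance metric improved 28 times Technical advantages unique to high-end SRX make it easy to win against competitors,SRX3400,SRX3600,Why sell the SRX650?,Its price fills the gap between the ISG1000 and SSG550 Its performance fills the former gap between 4G10G Very good price/performance, with performance figures far above the ISG1000 Even better price/performance at high interface density Dual power supplies can be configured, a strong competitive weapon Good-looking, large, and prestigious,SRX650,ISG1000,SSG550,Topics to raise with customers when recommending high-end SRX products,Firewall development trends Dynamically adaptive architecture that scales on demand High reliability Security and QoS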

41、,42,Software based firewall (1994 CheckPoint Firewall-1),Software based router (1987 Cisco AGS),ASIC based firewall (1999 Netscreen NS-1000),Workstation +routing daemon,Workstation + software (1991 DEC SEAL),ASIC based router (1998 Juniper M40),“Just like the competition among the ASIC-based routers/switches widely deployed in enterprise and service-provider backbones, the security field likewise sees software and hardware

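42、products competing with each other. Any manager concerned with high-performance network security should pay close attention to this.” By Kevin Tolly, President of Tolly Research/The Tolly Group,Firewall architecture evolution roadmap ,NOW: ASIC + MultiCore router Matrix,NOW: MultiCore + NPSwitch Fabric based,43,Routers integrate packet filtering,1989,1994,First commercial software firewall, DEC SEAL, released,Firewalls integrate user authentication,Firewalls integrate NAT,Firewalls integrate IPsec VPN,Firewalls integrate virtual systems,1991,1993,1999,2002,Firewall feature evolution roadmap ,Firewalls integrate IP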

43、S functionality,2002,Layer 7 wire-speed capability,2004,UTM firewalls,2006,Firewalls integrate MPLS,2008,44,Gartner Next Generation FireWall (NGFW),As a minimum, an NGFW will have the following attributes: Support in-line bump-in-the-wire configuration without disrupting network operations. Act as a platform for network traffic inspection and network s

44、ecurity enforcement, with the following minimum features: Standard first-generation firewall capabilities: Use packet filtering, network-address translation (NAT), stateful protocol inspection, VPN capabilities and so on Integrated rather than merely colocated network intrusion prevention: Support v

45、ulnerability-facing signatures and threat-facing signatures. The IPS interaction with the firewall should be greater than the sum of the parts, such as providing a suggested firewall rule to block an address that is continually loading the IPS with bad traffic. This exemplifies that, in the NGFW, it

46、 is the firewall correlates rather than the operator having to derive and implement solutions across consoles. Having high quality in the integrated IPS engine and signatures is primary characteristic. Integration can include features such as providing suggested blocking at the firewall based on IPS

47、 inspection of sites only providing malware. Application awareness and full stack visibility: Identify applications and enforce network security policy at the application layer independent of port and protocol versus only ports, protocols and services. Examples include the ability to allow Skype use but disable file sharing within Skype or to always block GoToMyPC. Extrafirewall intelligence: Bring information f
