Transcript of: Juniper vSRX Technical Overview for X47D20 Release (Copyright © 2015 Juniper Networks, Inc.)
- Slide 1
- Juniper vSRX Technical Overview for X47D20 Release
- Slide 2
- JUNIPER NETWORKS & PARTNER CONFIDENTIAL: SHARE UNDER NDA ONLY
- Agenda:
  1. vSRX Use Cases and Solution
  2. Scale and Performance Update
  3. Advanced Security Features
  4. License Information
  5. What's New in vSRX x47d20
- Slide 3
- vSRX Use Cases & Key Solution Overview
- Slide 4
- vSRX Overview:
  - Advanced Security Services: integrated UTM including full anti-virus, anti-spam, web filtering and content filtering, together with IPS and AppSecure 2.0.
  - Rich Routing & Network Capabilities: VPN connectivity and routing features in a flexible virtual machine format, built on the proven Junos OS foundation.
  - Full Stateful Firewall: the SRX in virtual machine format; firewall protection for virtualized, private and hybrid environments; HA support for active/active and active/passive modes; multi-platform support (VMware, KVM and Contrail); integrated, automated management functionality.
- Slide 5
- vSRX: the SRX in a Virtual Format
  - Junos routing protocols and SDK.
  - Junos rich and extensible security stack: Firewall, VPN, NAT, Routing, Anti-Virus, IPS, Web Filtering, Anti-Spam, AppID, AppFW, AppQoS, AppTrack.
  - Management: Junos Space Security Director & Virtual Director, CLI, J-Web, SNMP, HA/FT.
  - Coverage: perimeter security, content security, application security.
  - Available NOW! (x47d20)
- Slide 6
- Private Cloud Use Case: AGILE, VM AND APPLICATION ISOLATION. Juniper virtual security protecting internal applications and VMs.
  - Diagram: Departments A, B and C, each fronted by a vSRX VM inside the private cloud infrastructure; physical SRX and physical servers alongside.
  - Security Director / Virtual Director, with vCenter or the Contrail Controller, supports security policy configuration and management of both virtual and physical assets.
- Slide 7
- Cloud Hosting Provider Use Case: providing protection and connectivity to customer-hosted VMs.
  - Diagram: a cloud hosting environment serving Customers 1, 2 and 3; for each customer a dedicated vSRX VM in front of that customer's App Server, Web Server, DB Server and other server VMs.
  - Each customer premise (1, 2, 3) connects to its VMs in the public cloud over an IPsec VPN terminated on the customer's vSRX.
- Slide 8
- MSSP (vCPE) Use Case
  - Diagram: the MSSP's virtual environment hosts a vSRX per customer (Customers 1, 2 and 3) behind an L2/L3 switch (SRX, MX or QFX); Customer Premises 1, 2 and 3 reach their vSRX across the operator network over MPLS VPN.
  - Management and orchestration platform: Security Director, with Contrail or NSX.
- Slide 9
- NFV High-End Carrier Use Case
  - Diagram: carrier PTX (or MX) core over the carrier backbone MPLS VPN; at the carrier POPs, vSRX instances run on SDN-driven x86 compute with Contrail next to MX edge routers, providing Internet access for Customers 2 and 3.
- Slide 10
- What's New in vSRX x47d20
- Slide 11
- What's New in vSRX x47-d20

| Feature | Description | Platform |
|---|---|---|
| Application Identification (AppID/AppTrack) | Identifies applications, as parts of application clusters, in TCP/UDP/ICMP traffic. Application Identification strengthens the firewall at different network layers using techniques other than port numbers and IP addresses. Application signatures are modified to provide security at the application level. | VMware and KVM |
| Application Quality of Service (AppQoS) | Part of the AppSecure suite of components. Expands the capability to include marking Differentiated Services Code Point (DSCP) values based on the Layer 7 application. AppQoS uses rate limiting, DSCP rewrite, setting the loss priority, and prioritizing and queuing traffic. | VMware and KVM |
| Application Firewall (AppFW) | Lets you define one or more application firewall rule sets, create rules in each rule set that permit, reject or deny traffic based on the application ID, and configure a security policy that invokes the application firewall service and names the rule set to apply to permitted traffic. | VMware and KVM |
| Dynamic Host Configuration Protocol (DHCP) | DHCP is based on BOOTP, a bootstrap protocol that allows a client to discover its own IP address, the IP address of a server host, and the name of a bootstrap file. | VMware and KVM |
- Slide 12
- RLIs:
  - 21995: AppSecure AppID/AppTrack support on KVM and VMware
  - 22229: AppSecure AppFW support on KVM and VMware
  - 23876: AppSecure AppQoS support on KVM and VMware
  - 23317: UTM licensing TRD
  - 25246: DHCPv6 client support
- Slide 13
- Scale and Performance Update
- Slide 14
- vSRX X47D20: Scale and Performance Metrics

Performance¹ (a blank KVM cell means the slide gives a single figure):

| Metric | VMware | KVM |
|---|---|---|
| Firewall (UDP 1514B pkts) | 4.35 Gbps | 2.6 Gbps |
| Firewall (IMIX) | 1.05 Gbps | 620 Mbps |
| Firewall Ramp Rate (TCP) | 22K CPS | |
| Firewall Latency (512B UDP) | 107 µs | 87 µs |
| Firewall IPv6 (UDP 512B pkts) | 1.46 Gbps | 829 Mbps |
| NAT (UDP 1514B pkts) | 4.3 Gbps | 2.45 Gbps |
| NAT (IMIX) | 1.05 Gbps | 630 Mbps |
| NAT Ramp Rate (TCP) | 19K CPS | |
| IPsec (3DES+SHA1, 1514B) | 290 Mbps | 238 Mbps |
| IPsec (3DES+SHA1, IMIX) | 146 Mbps | 88 Mbps |
| IPsec (3DES+SHA1, 64B) | 29 Mbps | 21 Mbps |
| IKE Rate (3DES+SHA1, IKEv1 or v2) | 71 tunnels/sec | 48 tunnels/sec |
| EWF (44KB file) | 251 Mbps | 450 Mbps |
| SAV (Allscan, 44KB file) | 279 Mbps | 385 Mbps |
| AppSecure+IPS HTTP Throughput² (response content 44KB file) | 760 Mbps | 290 Mbps |
| AppSecure+IPS HTTP CPS² (response content 64 bytes) | 5600 CPS | 3100 CPS |

¹ Reference platform for performance: Dell PowerEdge R820, ESXi 5.1, 24 cores, 2.899 GHz CPUs.
² IDP performance is based on the default recommended IDP policy.

Scale (VMware & KVM):

| Limit | Value |
|---|---|
| Max Addresses/Address-set | 1024 |
| Max Firewall Sessions | 256K |
| Max PAT Sessions (Source NAT with PAT) | 256K |
| MAC/ARP Table Size | 8K |
| vRAM Required/Instance | 2GB or 3GB (Services) |
| Max vNICs/Instance | 10 |
| Max Zones | 128 |
| Max Address Books | 128 |
| Max Policies | 10240 |
| Max Policies with Count | 128 |
| Max Applications/Policy | 1024 |
| Max VLANs | 4K |
| Max OSPF Routes | 160K |
| vCPUs Required/Instance | 2 |
| Max VRs Supported | 5 |
| IDP Session Scaling² | 32K |
- Slide 15
- Server Configuration: vSRX Density Metrics

| | Server 1 | Server 2 | Server 3 |
|---|---|---|---|
| Number of vSRX instances/server¹ | 25 vSRX virtual machines | 100 vSRX virtual machines (@ ~25 Mbps) | 500 vSRX virtual machines³ (@ ~25 Mbps) |
| Server configuration | 8 cores @ 2.66 GHz, 64 GB RAM, 2 x 10G NICs | 40 cores @ 2.393 GHz, 256 GB RAM, 4 x 10G NICs | 2U server with 4 hot-plug nodes², 80 cores @ 2.8 GHz, 512MB RAM (x4), 2 x 10G NICs (x4) |

¹ This is a function of network I/O, memory and CPU.
² SuperMicro 2027TR.
³ This server is ~$40K, which translates to $80 per subscriber for initial server cost.
- Slide 16
- Advanced Security Features
- Slide 17
- Juniper's Layered Approach to Network Security (inspection depth and processing intensity & cost both increase down the list):
  - ACLs & stateless firewall: decisions made on packet header information such as source and destination addresses. Very fast.
  - Stateful firewall / SecIntel: more context incorporated into the decision process; better at identifying unauthorized or forged communications. Still fast.
  - Application security (IPS, UTM, AppSecure): looks at every bit for threats; thorough but intensive processing.
- Slide 18
- vSRX Advanced Security Features Demo: you can visit the following YouTube link to watch the demonstration of all the advanced security features with vSRX: http://youtu.be/dOF6n-V7P00
- Slide 19
- AppSecure Suite
- Slide 20
- AppSecure Next-Generation Firewall Overview (vSRX):
  - Intelligent software services deliver smarter firewall policies on vSRX and SRX gateways.
  - Integrates application traffic control and threat remediation.
  - Provides network-level visibility with correlated application and threat event tracking.
- Slide 21
- AppSecure Service Modules (diagram): traffic enters flow processing at ingress; the Application Identification engine (labelled AI and NAI on the slide) classifies the session and passes its application ID results to the service modules AppTrack, AppFW, AppQoS and IPS before egress.
- Slide 22
- AppID as part of Junos Services (diagram): a per-packet policer and per-packet filter run on ingress, followed by the session match; AppID and IPS run as session services; then the forwarding lookup, with further per-packet filters, policers and a per-packet shaper applied on the way to egress.
- Slide 23
- Security Services Packet Walk (Junos flow module):
  - Match session? NO (first path): Screens → Static NAT → Dest NAT → Route → Zones → Policy → Reverse Static NAT → Source NAT → Services → Session.
  - Match session? YES (fast path): Screens → TCP → NAT → Services.
  - Services: ALG module, AppID (packet), IDP (packet), SSL Proxy, AppID (stream), IDP (stream), ALG, UTM, AppFW, UserFW.
- Slide 24
- APPID LOOKUP (flow chart):
  - First packet: TCP or UDP? No → no application (Unknown).
  - Application candidate match (by port)? No → application Unknown.
  - Signature match? Yes → application identified. No → more packets? Yes → keep matching*; No → application Unknown.
  - \* Matching continues until the max-checked-bytes/packets limit for the AppID match is reached.
- Slide 25
- AppFW Signature Management: granular filters, extensive sub-categories, create groups, clone existing signatures.
- Slide 26
- Open Application Signature Database (junos:FTP entry; the closing brace of port-mapping was missing in the transcript):

```
application junos:FTP {
    type FTP;
    index 63;
    port-mapping {
        port-range {
            tcp 0-65535;
        }
    }
    signature {
        port-range {
            tcp [ 0-24 26-65535 ];
        }
        client-to-server {
            dfa-pattern "\[(USER|STAT|PORT|CHMOD|ACCOUNT|BYE|ASCII|GLOB|HELP|AUTH|SYST|QUIT|STOR|PASV|CWD|PWD|MDTM)\](\s|\x0d 0a\x|\x0a\x).*";
        }
        server-to-client {
            dfa-pattern "(220|230|331|530)[\s\-].*";
        }
        min-data 8;
        order 66;
    }
}
```
- Slide 27
- AppTrack Simplifies Application Visibility and Control (diagram: server farms, DC firewalls, DC switching, data center, operations center):
  1. Traffic is analyzed by AppTrack as it traverses the SRX/vSRX.
  2. vSRX collects on-box application statistics for monitoring and sends application logs to a log collector (Junos Space Log Director / Log Collector, or a third-party collector).
  3. Junos Space Log Director reports are analyzed by IT staff in the operations center.
- Slide 28
- Application Firewall Management (placeholder: insert screenshot of 12.1 FW policy management, or live demo).
- Slide 29
- Application QoS:
  - Prioritize traffic based on application type.
  - Limit the amount of bandwidth an application can consume.
  - Mark the DSCP values for proper QoS treatment.
  - Leverage the Junos Class-of-Service feature set to fully control application handling at the interface queue level.
  - Example (Traditional Firewall Policy + AppTrack Application Awareness): give highest priority to financial applications for finance and sales; approved applications receive normal priority; lower priority for multimedia applications, except for the MM content group.
- Slide 30
- Application QoS Implementation (diagram: Security Policy 1..N → matching policy points to an AppQoS rule-set → ordered lookup over Application or Application Group 1..M → actions: rate limit, drop profile, forwarding class, DSCP):
  - Firewall policies can point to AppQoS rule-sets; the matching policy selects the rule-set, and the rules in it are looked up in order.
  - The "any" application can be used to apply QoS on a per-policy basis, regardless of the application.
  - Per-direction rate-limiters can be configured to restrict the bandwidth an application, or group of applications, is allowed to use.
  - Forwarding classes and drop profiles specify how traffic is queued and shaped on the egress interface.
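The AppFW and AppQoS hand-off described on Slides 11 and 30, modelled in Python as an added example (not the deck's or Juniper's code): a policy whose permit action points at an ordered AppFW rule-set (permit / deny / reject by application ID, then the default rule) and an ordered AppQoS rule-set (per-direction rate limit, forwarding class, loss priority, DSCP, with `any` catching everything). The application names `demo:FINANCE`, `demo:VIDEO` and `demo:P2P`, the token-bucket arithmetic and the result fields are constructed for the illustration; only the policy structure follows the slides.

```python
"""AppSecure service hand-off modelled on the AppFW and Application QoS
Implementation slides. Added example, not Juniper code: the demo:* application
names, the token-bucket maths and the result dictionary are constructed."""


class RateLimiter:
    """Per-direction token bucket standing in for an AppQoS rate-limiter."""

    def __init__(self, bandwidth_kbps, burst_bytes):
        self.rate = bandwidth_kbps * 1000 / 8.0   # refill in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes > self.tokens:
            return False                          # over the limit: drop
        self.tokens -= nbytes
        return True


class AppFwRuleSet:
    """Ordered lookup: the first rule naming the application wins, else default-rule."""

    def __init__(self, rules, default_action="permit"):
        self.rules = rules          # [(set of application names, action)]
        self.default_action = default_action

    def lookup(self, app):
        for apps, action in self.rules:
            if app in apps:
                return action
        return self.default_action


class AppQosRuleSet:
    """Ordered lookup over (apps, actions); "any" in apps matches every application."""

    def __init__(self, rules):
        self.rules = rules          # [(set of application names, actions dict)]

    def lookup(self, app):
        for index, (apps, actions) in enumerate(self.rules):
            if "any" in apps or app in apps:
                return index, actions
        return None, None


class Policy:
    """Firewall policy whose permit action points at AppSecure rule-sets."""

    def __init__(self, name, appfw=None, appqos=None):
        self.name, self.appfw, self.appqos = name, appfw, appqos

    def process(self, app, direction, nbytes, now):
        """Verdict and marking for one packet of a session this policy permitted."""
        verdict = self.appfw.lookup(app) if self.appfw else "permit"
        if verdict != "permit":     # deny drops silently; reject also resets the client
            return {"action": verdict, "policy": self.name}
        result = {"action": "permit", "policy": self.name}
        if self.appqos:
            index, actions = self.appqos.lookup(app)
            if actions is not None:
                limiter = actions.get("rate-limit", {}).get(direction)
                if limiter and not limiter.allow(nbytes, now):
                    return {"action": "rate-limit-drop", "policy": self.name,
                            "appqos-rule": index}
                result["appqos-rule"] = index
                for key in ("forwarding-class", "loss-priority", "dscp"):
                    if key in actions:
                        result[key] = actions[key]
        return result


def build_demo_policy():
    """Constructed policy following the Application QoS slide's example."""
    appfw = AppFwRuleSet([({"demo:P2P"}, "reject")], default_action="permit")
    appqos = AppQosRuleSet([
        # financial applications: highest priority, EF marking
        ({"demo:FINANCE"}, {"forwarding-class": "expedited-forwarding",
                            "loss-priority": "low", "dscp": "101110"}),
        # multimedia: lower priority plus an 8 kbit/s client-to-server cap
        ({"demo:VIDEO"}, {"forwarding-class": "best-effort", "loss-priority": "high",
                          "dscp": "000000",
                          "rate-limit": {"client-to-server": RateLimiter(8, 1500)}}),
        # every other approved application: normal priority
        ({"any"}, {"forwarding-class": "best-effort", "loss-priority": "low",
                   "dscp": "000000"}),
    ])
    return Policy("trust-to-untrust-1", appfw=appfw, appqos=appqos)


if __name__ == "__main__":
    pol = build_demo_policy()
    print(pol.process("demo:P2P", "client-to-server", 500, 0.0))      # reject
    print(pol.process("demo:FINANCE", "client-to-server", 500, 0.0))  # permit, dscp 101110
    print(pol.process("junos:FTP", "server-to-client", 500, 0.0))     # permit, appqos-rule 2
    print(pol.process("demo:VIDEO", "client-to-server", 1500, 0.0))   # permit (burst)
    print(pol.process("demo:VIDEO", "client-to-server", 100, 0.0))    # rate-limit-drop
```

Two points the run makes visible: `junos:FTP` is not named in any rule, so it falls through to the `any` rule (index 2) and still gets a forwarding class, and the multimedia limiter only exists for `client-to-server`, so the same application's server-to-client traffic is marked but never rate-limited, which is exactly what a per-direction rate-limiter means.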
- Slide 31
- IPS
- Slide 32
- Dedicated Security Team Delivers Zero-day Protection:
  - Dedicated team researching vulnerabilities and emerging threats; protocol decode expertise; multiple research and vendor partnerships, including the Microsoft Active Protections Program (MAPP); reverse-engineering experts; global honeypot networks.
  - Industry-leading response time: daily signature updates; globally distributed team; emergency updates within hours/minutes.
  - Open signature database.
- Slide 33
- Intrusion Prevention: Use Cases (vSRX)
  - Server protection: protect against server and application vulnerabilities (PHP, SQL injection).
  - Client protection: protect against client vulnerabilities (browsers etc.), malware downloads or callbacks; detect application tunneling and C&C channels.
  - Internal attack detection: detect malware spreading, brute-force attacks and internal attacks.
- Slide 34
- Managing IPS with Security Director: powerful filtering for attack objects in the signature database (filter by severity, category, object type, recommended, ...); granular filters; create static/dynamic groups.
- Slide 35
- IPS Signature Management: search for signatures by CVE ID, keyword or Bugtraq ID.
- Slide 36
- Open Attack Database: attack objects are written to protect against the vulnerability rather than a specific exploit; each carries a recommended action.
- Slide 37
- IPS Policy & FW Integration: IPS policy tabular view; FW policy integration; use a predefined IPS template or customize the IPS policy.
- Slide 38
- IPS PCAPs for Forensic Analysis: STRM provides the ability to download and view the packet capture taken by IPS.
- Slide 39
- Full UTM Capabilities
- Slide 40
- vSRX UTM Architecture (diagram, bottom to top):
  - Interface I/O → Forwarding engine / filters / QoS.
  - Flow/service real-time thread: FLOW, FIREWALL/POLICY, other packet-based services (UAC, FTP ALG, ...), IDP.
  - TCP proxy (server emulation and client emulation) feeding the UTM application proxy: Web Filtering, CF (content filtering), AS (anti-spam), AM (anti-malware).
  - JEXEC.
- Slide 41
- Enhanced Web Filtering: How it Works (diagram; UTMD runs on the control core/RE, the lookup in the real-time forwarding/services thread):
  - FLOW lookup → Web Filtering: the HTTP GET is parsed for its URL.
  - Match against cache, blacklist and whitelist; on a local match, the local result is used.
  - No local match → categorize the URL: local categorization or an EWF server lookup, returning a category and/or reputation score.
  - Policy lookup on category/reputation: blocked (an HTTP response is sent to the client and the event is logged, in-band message) or allowed (logged, then handed on to anti-malware), with the allowed request forwarded to the web server.
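The decision path on this slide as a runnable Python model, added as an example (not the deck's or Juniper's code): parse the URL of the GET, try the cache, blacklist and whitelist, categorize locally, ask the EWF server only when there is no local match, apply the policy to category and reputation, and log both verdicts. The host lists, categories, reputation scores, the threshold of 60 and `FakeEwfServer` (a stand-in for the cloud query) are constructed.

```python
"""Enhanced Web Filtering decision path from the "How it Works" slide.
Added example, not Juniper code; lists, scores, threshold and the fake
EWF server are constructed for this walk-through."""
from urllib.parse import urlsplit


class FakeEwfServer:
    """Stand-in for the EWF categorization server; remembers every query."""

    def __init__(self, table):
        self.table, self.calls = dict(table), []

    def lookup(self, host):
        self.calls.append(host)
        return self.table.get(host, ("Uncategorized", 50))


class EnhancedWebFilter:
    def __init__(self, blacklist, whitelist, local_db, cloud_lookup, policy):
        self.blacklist = set(blacklist)     # hosts always blocked
        self.whitelist = set(whitelist)     # hosts always allowed
        self.local_db = dict(local_db)      # host -> (category, reputation)
        self.cloud_lookup = cloud_lookup    # callable(host) -> (category, reputation)
        self.policy = policy                # {"block-categories": set, "min-reputation": int}
        self.cache = {}                     # host -> (category, reputation)
        self.log = []                       # one record per request

    def categorize(self, host):
        """(category, reputation, source) in the slide's lookup order."""
        if host in self.cache:
            return self.cache[host] + ("cache",)
        if host in self.local_db:
            result, source = self.local_db[host], "local"
        else:                               # no local match: EWF server lookup
            result, source = self.cloud_lookup(host), "cloud"
        self.cache[host] = result
        return result + (source,)

    def check(self, url):
        """Verdict for one HTTP GET; the decision and its source are logged."""
        host = urlsplit(url).hostname or ""
        if host in self.blacklist:
            return self._record(url, host, "block", "blacklist", None, None)
        if host in self.whitelist:
            return self._record(url, host, "permit", "whitelist", None, None)
        category, reputation, source = self.categorize(host)
        blocked = (category in self.policy["block-categories"]
                   or reputation < self.policy["min-reputation"])
        return self._record(url, host, "block" if blocked else "permit",
                            source, category, reputation)

    def _record(self, url, host, action, source, category, reputation):
        entry = {"url": url, "host": host, "action": action, "source": source,
                 "category": category, "reputation": reputation}
        self.log.append(entry)              # both verdicts are logged
        return entry


def build_demo_filter():
    """Constructed filter, policy and cloud table for the walk-through."""
    server = FakeEwfServer({"news.example.net": ("News", 90),
                            "dl.example.org": ("Malware", 5)})
    ewf = EnhancedWebFilter(
        blacklist=["bad.example.com"], whitelist=["intranet.example.com"],
        local_db={"video.example.com": ("Streaming", 80)},
        cloud_lookup=server.lookup,
        policy={"block-categories": {"Malware", "Streaming"}, "min-reputation": 60})
    return ewf, server


if __name__ == "__main__":
    ewf, server = build_demo_filter()
    for url in ("http://bad.example.com/", "http://intranet.example.com/",
                "http://video.example.com/clip", "http://news.example.net/a",
                "http://news.example.net/b", "http://dl.example.org/payload"):
        verdict = ewf.check(url)
        print(verdict["action"], verdict["source"], verdict["category"], url)
    print("EWF server queries:", server.calls)   # one query per host, then cached
```

Note the order: whitelist and blacklist win before any categorization, the cache is consulted before the local database, and a host is sent to the EWF server at most once per cache lifetime, which is where the "cached URL queries" performance claim of the deck comes from. An uncategorized host with a middling reputation is blocked under this constructed policy because its score falls below the threshold, so a permissive deployment would lower `min-reputation` rather than rely on the category alone.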
- Slide 42
- Introducing New Enhanced Anti-Virus:
  - Purpose-built for edge devices; cloud-based intelligence delivers high-performance malware protection.
  - URL blocking (via cloud-based look-up) stops HTTP requests to infected websites.
  - Malware distributed by FTP, SMTP, IMAP, POP3 and IM is secured through checksum detection of static malware.
  - Juniper is first to market: Live Protection provides effective protection against known malicious files and web pages at the network level.
- Slide 43
- Sophos In-the-cloud AV with Web Security

| Feature | Benefit |
|---|---|
| URL reputation | Web security; detects polymorphic viruses |
| Hybrid on-device + cloud solution | Offloads some processing to the cloud server |
| File checksum against the SXL database | No limitation on database size; fast processing and high throughput |
| Cached URL queries | Fast reputation check on URIs; detects server-based polymorphic malware |
- Slide 44
- Enhanced Anti-Virus: How it Works (diagram, in the real-time forwarding/service thread):
  - URI cache lookup; on a cache miss, SXL query and response → block, or permit and continue.
  - File type check → no scan (permit), or scan.
  - Scan: checksum lookup (threat inspection) → block, or permit to the web server/client.
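The same path in Python, added as an example (not the deck's or Juniper's code): a URI cache with an SXL query on a miss, a file-type check that decides whether the body is scanned at all, and a checksum lookup against a known-malware set. The SXL URI table, the scannable types (a magic-byte sniff), the sample bodies and the hash set are constructed; the real cloud query and checksum database are represented by in-memory dictionaries.

```python
"""Enhanced Anti-Virus path from the "How it Works" slide. Added example, not
Juniper code; the URI table, magic-byte list, sample bodies and hash set are
constructed, standing in for the SXL query and checksum database."""
import hashlib

# Constructed list of file types worth scanning, keyed by leading magic bytes.
SCANNABLE_MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def sniff_type(body):
    """Name of the scannable file type, or None for types that are not scanned."""
    for magic, name in SCANNABLE_MAGIC.items():
        if body.startswith(magic):
            return name
    return None


class EnhancedAntiVirus:
    def __init__(self, sxl_uri_table, bad_checksums):
        self.sxl_uri_table = dict(sxl_uri_table)   # uri -> "block" | "permit"
        self.bad_checksums = set(bad_checksums)    # sha256 hex digests of known malware
        self.uri_cache = {}
        self.sxl_queries = 0                       # how often the cloud was asked

    def uri_verdict(self, uri):
        if uri not in self.uri_cache:              # cache miss: SXL query and response
            self.sxl_queries += 1
            self.uri_cache[uri] = self.sxl_uri_table.get(uri, "permit")
        return self.uri_cache[uri]

    def inspect(self, uri, body):
        """(action, reason) for one HTTP response body fetched from uri."""
        if self.uri_verdict(uri) == "block":
            return "block", "uri-reputation"
        file_type = sniff_type(body)
        if file_type is None:
            return "permit", "no-scan"             # type not on the scan list
        digest = hashlib.sha256(body).hexdigest()
        if digest in self.bad_checksums:
            return "block", "checksum:" + file_type
        return "permit", "scanned:" + file_type


# Constructed sample bodies: a fake PE header followed by a marker string.
BAD_PE = b"MZ" + b"\x90" * 64 + b"demo-static-malware"
CLEAN_PE = b"MZ" + b"\x00" * 64 + b"demo-clean-binary"


def build_demo_av():
    """Constructed engine whose hash set knows only BAD_PE."""
    return EnhancedAntiVirus(
        sxl_uri_table={"http://dl.example.org/x.exe": "block"},
        bad_checksums={hashlib.sha256(BAD_PE).hexdigest()})


if __name__ == "__main__":
    av = build_demo_av()
    print(av.inspect("http://dl.example.org/x.exe", BAD_PE))          # block, uri-reputation
    print(av.inspect("http://mirror.example.net/x.exe", BAD_PE))      # block, checksum:pe
    print(av.inspect("http://mirror.example.net/ok.exe", CLEAN_PE))   # permit, scanned:pe
    print(av.inspect("http://mirror.example.net/index", b"<html>"))   # permit, no-scan
    print(av.sxl_queries)                                             # 4
```

The second call is the point of the checksum step: the same known file served from a URI the cloud has never seen is still caught by its hash, while the fourth call shows the file-type gate passing non-scannable content through without a lookup at all. A checksum match only ever catches static, unmodified files, which is why the deck pairs it with URL reputation rather than presenting it as the sole control.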
- Slide 45
- License Information
- Slide 46
- vSRX Standard Pricing Models (pricing flexibility; an MSSP utility pricing model is available upon request):
  - Traditional License:
    - License is perpetual.
    - Perpetual license fee per VM is $1400 per core.
    - Minimum of two cores required per VM.
    - Support/maintenance is an additional 22% of the perpetual license: $308 per year per core.
  - Subscription License:
    - License is paid on an annual fee basis.
    - The annual fee gives access to the Firewall base service and includes support/maintenance.
    - Minimum of two cores required per VM.
    - Subscription license fee per VM is $660 per core.
- Slide 47
- Advanced Security Features License:
  - Licenses are required for all advanced security features: AppSecure, IPS and UTM.
  - To achieve HA, the license must be installed on each HA unit.
  - Licenses for advanced security features are available on a subscription model only, with a 1-, 3- or 5-year term.
  - Flexible, with a choice of security feature combination licenses.
  - The evaluation trial license is valid for 30 days.
- Slide 48
- THE POWER OF A CONNECTED WORLD. CONNECT EVERYTHING. EMPOWER EVERYONE.