Copyright © 2009 Juniper Networks, Inc. | www.juniper.net
Securing the Enterprise - new trends on networking security
SCOP / Bucharest 15th April 2009
Uwe Richter
Sr. SE Manager Eastern Europe
The most flexible, cost-effective solution for mid to large enterprises and service providers
NS-5400
Juniper Networks - Leadership & Expertise
1G FW & 1G VPN
100 VSYS
2G FW & 1G VPN
250 VSYS
A/A-Full Mesh HA
10G & 30G FW
6M & 18M PPS
10 GigE interfaces
Jumbo Frames
Hardware AES
2000 Now
NS1000 NS1000 w Switch 2
4G & 12G FW
3M & 9M PPS
500 VSYS
<78 interfaces & 4000 VLANs
Source: Infonetics, Jun 2008
Juniper Networks
“Upper-right”
• Firewall & IPSec VPN
Gartner’s Magic Quadrant
NS-5200 SRX 5600
SRX 5800
60G & 100+G FW
20G & 40+G IPS
4M & 8M Sessions
[Chart: Worldwide Integrated Security Appliance Revenue Market Share: ≥$30,000. X-axis: Calendar Quarter, 1Q05 to 1Q08; Y-axis: Market Share (%), 0% to 100%; series: Juniper, Cisco, Nortel, Nokia, Fortinet]
ISG 2000
Deliver a superior user experience
Faster application and service deployment
Total cost of ownership advantage
Integrated Services
FAST
RELIABLE
SECURE
Operational Simplicity
Scalable Performance
What customers expect...
VPN
IPSec
IPS
Core / Infrastructure: 10 GigE
– More traffic, new/next gen apps, video and other streaming media
Customers demand full-fledged security posture for network performance
– Deliver all security services at scale
10+ Gbps
FW
Today’s Enterprise Requirements
Enablement versus Constraint
Business Challenges
Performance and Flexibility Compromise
Traditional solutions based on performance/flexibility tradeoff
Limited performance options
– Deploy more platforms
– Disable “expensive” features
Limited flexibility options
– Deploy dedicated appliances
Flexibility
Performance
Pitfall of Today’s Security Adaptability
Limited flexibility in adapting to business requirements
Poor service integration resulting in poor business operations
– Complex rack space planning
– Installation, management and maintenance overhead
[Chart: Network Traffic Requirements and Security Requirements over Time (TODAY to FUTURE); FW, IPS & VPN (Gbps), axis marks at 5 and 10]
• Rack Space Planning: High
• CAPEX: High
• OPEX: High
ASA 5540
Fabric
Dynamic Services Architecture ™
Dedicated Control Plane
Built-on Terabit Fabric
– Interchangeable I/O and processing cards
– Any service, any card
Feature integration on JUNOS
– Fast time to market
– Tightest integration between features
Carrier-class Reliability
Interface Scalability
Processing Scalability
Dedicated Management
Service Integration
via JUNOS ™
QoS
DoS
NAT VPN
FW IDP
Dynamic Services
Consolidate Management Framework
App Layer
Forwarding
Threat Prevention
Access Control
SRX Dynamic Services Gateway
Routing
Firewall
IPS
IPSec VPN
NAT
SRX Services Gateway Family of JUNOS-based Dynamic Services Gateways
SRX5000 Series Services Gateway
Revolutionary Architecture
Integrated Services
Scalable Performance
Operational Simplicity
World’s Fastest Security Solution
The heritage of ScreenOS on JUNOS
SRX Dynamic Services Gateways
Sept 2008 Market Introduction
Juniper (mid to high-end) Enterprise Security Portfolio
10 Gbps
30 Gbps
50 Gbps
150 Gbps
• FW and Integrated Security
• Designed for enhanced perimeter and DC security
Products addressing this segment?
ISG/IDP
SRX5600
SRX5800
NS5400
• Services Gateway
• Designed for integration and scalability
• Dynamic Services Architecture
• Terabit Fabric Technology
• Dynamic Processing Pool
• Dynamic I/O Pool
• JUNOS SW feature delivery
No Compromise Security: SRX3000-line
The most cost-effective network security solution
Maximum Flexibility without Sacrificing Security
Unmatched Price / Performance
Powered by JUNOS and Juniper’s Dynamic Services Architecture (DSA)
Based on Dynamic Services Architecture™ for accelerated new service deployment
SRX3400
Hardware
Modular chassis
– 7 slots (4 front, 3 rear)
– MGT module – dual, hot swap
– 3U chassis height
Fixed Interfaces
– 12 built-in (8-10/100/1000 + 4-SFP)
– 2 Ethernet Management Ports
Modular Interfaces
– 16-10/100/1000
– 16-SFP
– 2-XFP
Performance & Capacities
FW – 10/20 Gbps
VPN – 6 Gbps
IDP – 6 Gbps
Concurrent sessions – 1M
New and sustained CPS – 175k
Concurrent IPSec VPN tunnels – 10k
Front
Rear
SRX3600
Hardware
Modular chassis
– 12 slots (6 front, 6 rear)
– MGT module – dual, hot swap
– 5U chassis height
Fixed Interfaces
– 12 built-in (8-10/100/1000 + 4-SFP)
– 2 Ethernet Management Ports
Modular Interfaces
– 16-10/100/1000
– 16-SFP
– 2-XFP
Performance & Capacities
FW – 10/20/30 Gbps
VPN – 10 Gbps
IDP – 10 Gbps
Concurrent sessions – 2M
New and sustained CPS – 175k
Concurrent IPSec VPN tunnels – 20k
Front
Rear
Sample SRX3000 Base Configurations
SRX3400
– Minimal Configuration: SRX 3400 Chassis, 1 SPC, 1 NPC
SRX3600
– Minimal Configuration: SRX 3600 Chassis, 1 SPC, 1 NPC
SRX 3K Packet Flow – Fully Integrated
[Diagram labels: Ingress Packet; Egress Packet; Input/Output Cards; Oversubscrptn. Control; 1.5; Network Processing Cards; Integrated in SRX 5000 IOC; Flow Lookup; Classification; DoS/DDoS; Policing; QoS/Shaping; Fabric; Services Processing Cards; Services; FW/VPN/IDP; NAT/Routing; RE; Routing / Device MGT]
Juniper SRX Traditional Appliances
Dedicated Control Plane
Buildable I/O Pool
Buildable Processing Pool
Single device to manage
Single policy/configuration
Scalable Service Engine
Integrated Services
Dynamic Services Architecture Differentiator
Adapting to Changing Security Requirements
High integration supporting wide range of services
Scales as your business grows
Minimal/No policy changes required
• Rack Space Planning: NONE
• CAPEX: LOW
• OPEX: LOW
[Chart: Network Traffic Requirements and Security Requirements over Time (TODAY to FUTURE); FW, IPS & VPN (Gbps), axis marks at 5 and 10]
Industry’s Most cost-effective security solution
[Chart: Price per FW Gbps; x-axis 10 Gbps, 20 Gbps, 30 Gbps; y-axis $0 to $350,000; Juniper SRX 3600 and Cisco ASA 5540; 44% SAVINGS]
[Chart: Price per Gbps FW/IPS/IPSec VPN; Juniper SRX 3600 and Cisco ASA 5540; 83% SAVINGS]
[Chart: Power Savings; Cisco ASA 5580 and Juniper SRX 3600; 84% SAVINGS]
[Figure: 84% SPACE SAVINGS; 10 Gbps FW, IPS & IPSec VPN Solution; 31 Appliances; Cisco ASA 5540 and Juniper SRX 3600]
Juniper (mid to high-end) Enterprise Security Portfolio
10 Gbps
30 Gbps
50 Gbps
150 Gbps
• FW and Integrated Security
• Designed for enhanced perimeter and DC security
• Services Gateway
• Designed for integration and scalability
• Dynamic Services Architecture
• Terabit Fabric Technology
• Dynamic Processing Pool
• Dynamic I/O Pool
• JUNOS SW feature delivery
ISG/IDP
SRX5600
SRX5800
NS5400
SRX3400
SRX3600
Juniper Networks Security Manager
A comprehensive approach to security management
Device-lifecycle management
– Manages through every phase of device lifecycle: design, deploy, configure, monitor, maintain, upgrade, adjust
Manage all aspects of configuration
– Manage configuration tasks at device, networking and security levels
Delegation of administrative access
– Provides needed power and tools to the right groups (access and control)
– Control to provide/restrict information to different people within the organization, allowing them to make appropriate decisions
The Device Lifecycle
NSM Management Features
Features | Description
Scheduled Security Updates | Automatically update devices with new attack objects
Domains | Service providers and distributed enterprises may use this mechanism to logically separate devices, policies, reports, objects, etc.
Role-based Administration | Granular approach in which all 100+ activities in the system may be assigned as separate permissions
Object Locking | Multiple administrators can safely and concurrently modify different objects in the system at the same time
Audit Logs | Sortable and filterable record of who made which changes to which objects in the system
Device Templates | Manage shared configuration such as sensor settings in one place
Job Manager | View pending and completed directives (such as device update) and their status
High Availability | Active/passive high availability of the management server
Scheduled Database Backups | Copies of the NSM database may be saved on a daily basis
3-Tier Management
Network-Security Manager (NSM)
IDP Appliances
ISG / ISG with IDP
Centralized NSM Server
Common User Interface
NSM
SSG Series
NS-5000 Series
Future Direction
Best-in-Class Routing
Best-in-Class Security
Continued leadership in networking
Continued leadership in security
Integrated security and networking on JUNOS
JUNOS
The High-Value Branch
When remote sites are essential to the organization’s strategic mission, you can WIN!
Ministry of Foreign Affairs
What Are High-Value Remote Locations?
Gateways to Better Businesses

The Humble Storefront
Role: Revenue Gateway
Mission: Create new sources of revenue and operational efficiencies
Changes: Support partners, guests, and devices; Reputation and compliance

The Mission Critical Clinic
Role: Service Gateway
Mission: Attract and retain valuable clients
Changes: Centralization of applications and databases; SaaS; Privacy and compliance

The High-Powered Center of Excellence
Role: Innovation Gateway
Mission: Retain and activate a high quality workforce
Changes: Advanced collaboration; Unrestricted Internet access for employees
THANK YOU