1500024-En - Integrated Firewall & VPN Platforms
INTEGRATED FIREWALL/VPN PLATFORMS
Strong Security for Access Control, User Authentication, and Attack Protection at the Network and Application Level
As threats to the network grow more prevalent and
destructive, securing the infrastructure is critical to
maintaining a viable business. Attacks come from
multiple sources in a variety of forms. Enterprises and
service providers need more than just a security device;
they require a comprehensive, reliable, and integrated
security solution backed by an industry leader.
The Juniper Networks integrated security devices are purpose-built to perform essential
network security functions. Optimized for maximum performance and feature
integration, they are built on robust networking and security real-time operating
systems, Juniper Networks® Junos® operating system and ScreenOS®. Designed from the ground
up to provide superior networking and security capabilities, these operating systems
avoid the inefficiencies and vulnerabilities of general-purpose operating systems.
• Virtualization technologies make it easy for administrators to divide the network into
secure segments for additional protection.
• Various high availability (HA) options offer the best redundancy capabilities for any given
network.
Perimeter Defense Begins with Network-Level Protection
To protect against network-level attacks, Juniper Networks devices use a dynamic packet
filtering method known as stateful inspection to unmask malicious traffic. With this
method, firewalls collect information on various components in a packet header, including
source and destination IP addresses, source and destination port numbers, and packet
sequence numbers. When a responding packet arrives, the firewall compares the
information reported in its header with the state of its associated session. If they do not
match, the firewall executes the actions specified in the security policy, which typically
involves dropping the packet and logging the action.
Stateful inspection provides more security than other firewall technology such as packet
filtering because the traffic is examined in the context of the connection and not as
a collection of unrelated packets. By default, the Juniper Networks firewall denies all traffic
in all directions. Then, by using centralized, policy-based management, enterprises can
create security policies that define the parameters of traffic that is permitted to pass from
specified sources to specified destinations.
Secure, reliable WAN connectivity also plays an important role in network-level protection.
By deploying robust virtual private networks (VPNs), remote sites can be securely
connected to other remote sites and to centralized data and applications using high-bandwidth
shared media such as the Internet. Features such as Auto Connect VPN,
available on select models, can help ease the administration and management of VPNs.
Security platforms
• SRX100
• SRX210
• SRX220
• SRX240
• SRX650
• SRX1400
• SRX3400
• SRX3600
• SRX5600
• SRX5800
• SSG5/SSG5 Wireless
• SSG20/SSG20 Wireless
• SSG140
• SSG320M/350M
• SSG520M/550M
• ISG1000
• ISG2000
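As an added example (it is not from the datasheet or from Juniper documentation), the following Junos OS configuration fragment shows on an SRX branch gateway the behaviour the paragraphs above describe: interfaces are placed in security zones, the default policy denies everything in every direction, explicit from-zone/to-zone policies create sessions for permitted traffic, and a route-based IPsec tunnel connects the branch to a hub site. The interface names, zone names, RFC 5737 addresses, the hub prefix 10.2.0.0/16 and the pre-shared key are placeholders chosen for illustration.

```junos
/* Added example, not from the datasheet: zone-based default-deny policy and
   a route-based IPsec VPN on an SRX branch gateway. Interface names, zone
   names, RFC 5737 addresses, the hub prefix and the pre-shared key are
   placeholders. */
interfaces {
    /* Internet uplink */
    ge-0/0/0 { unit 0 { family inet { address 203.0.113.10/24; } } }
    /* branch LAN */
    ge-0/0/1 { unit 0 { family inet { address 10.1.0.1/24; } } }
    /* tunnel interface bound to the IPsec VPN below */
    st0 { unit 0 { family inet { address 10.255.0.1/30; } } }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.1;
        /* hub-site networks are reached through the tunnel */
        route 10.2.0.0/16 next-hop st0.0;
    }
}
security {
    zones {
        security-zone untrust {
            interfaces {
                /* the only service the device itself accepts from the Internet is IKE */
                ge-0/0/0.0 { host-inbound-traffic { system-services { ike; } } }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/1.0 { host-inbound-traffic { system-services { ping; ssh; } } }
            }
        }
        security-zone vpn { interfaces { st0.0; } }
    }
    policies {
        /* A session is created only when the first packet matches a permit
           policy; reply packets are matched to the session, not to a policy. */
        from-zone trust to-zone untrust {
            policy lan-to-internet {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-dns-udp ];
                }
                then { permit; log { session-close; } }
            }
        }
        from-zone trust to-zone vpn {
            policy lan-to-hub {
                match { source-address any; destination-address any; application any; }
                then { permit; log { session-close; } }
            }
        }
        from-zone vpn to-zone trust {
            policy hub-to-lan {
                match { source-address any; destination-address any; application any; }
                then { permit; log { session-close; } }
            }
        }
        /* Everything without an explicit permit, in every direction, is dropped.
           deny-all drops silently; add an explicit deny policy with
           "log session-init" for zone pairs whose drops must be logged. */
        default-policy { deny-all; }
    }
    ike {
        proposal ike-aes256-sha256-dh14 {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-hub {
            proposals ike-aes256-sha256-dh14;
            /* placeholder: use a long random secret, never a dictionary word */
            pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET";
        }
        gateway gw-hub {
            ike-policy ike-hub;
            /* hub site's public address (placeholder) */
            address 198.51.100.2;
            external-interface ge-0/0/0.0;
            version v2-only;
        }
    }
    ipsec {
        proposal esp-aes256-sha256 {
            protocol esp;
            encryption-algorithm aes-256-cbc;
            authentication-algorithm hmac-sha-256-128;
        }
        policy ipsec-hub {
            perfect-forward-secrecy { keys group14; }
            proposals esp-aes256-sha256;
        }
        vpn vpn-hub {
            bind-interface st0.0;
            ike { gateway gw-hub; ipsec-policy ipsec-hub; }
            establish-tunnels immediately;
        }
    }
}
```

Once committed, `show security flow session` lists the sessions the stateful engine is tracking; a reply packet with no matching session is dropped without ever being evaluated against a policy, which is the check the text describes. `version v2-only` requires a Junos release with IKEv2 support; on older branch releases drop that line and add `mode main` to the IKE policy.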
Unmatched security processing power and network segmentation features protect critical
high-speed networks against the penetration and proliferation of existing and emerging
application-level threats. With multiple attack detection mechanisms, including stateful
signatures and protocol anomaly detection, the ISG Series and SRX Series Services Gateways
perform in-depth analysis of application protocol, context, state, and behavior to deliver
zero-day protection.
Security administrators can deploy the Juniper Networks AppSecure capability, using deep
inspection to block application-level attacks before they infect the network and inflict
damage. AppSecure utilizes advanced, high-performance detection mechanisms
integrated with the stateful inspection firewall, along with multiple threat inspection engines
operating in parallel, to accurately detect advanced persistent threats, including those
found in applications nested within other applications.
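As an added example (not from the datasheet), this Junos OS fragment attaches the IDP engine of an SRX Series gateway to the policy that admits inbound web traffic, so that the stateful firewall first decides whether the session is allowed and the IPS rulebase then inspects the permitted stream. The zone names, the server range 192.0.2.0/28 and the predefined attack group name are assumptions; the group must exist in the signature package installed on the device, and IDP needs a license and a downloaded signature package.

```junos
/* Added example, not from the datasheet: IDP rulebase applied to permitted
   inbound web sessions. Zone names, the address book entry and the attack
   group name "HTTP - Critical" are placeholders; use a group present in the
   installed signature package. */
security {
    zones {
        security-zone dmz {
            address-book { address web-servers 192.0.2.0/28; }
            interfaces { ge-0/0/2.0; }
        }
    }
    idp {
        idp-policy edge-ips {
            rulebase-ips {
                rule block-critical-http {
                    match {
                        from-zone untrust;
                        to-zone dmz;
                        source-address any;
                        destination-address any;
                        /* "default" lets the signature's own application binding apply */
                        application default;
                        attacks { predefined-attack-groups "HTTP - Critical"; }
                    }
                    then {
                        /* reset the connection and log the attack */
                        action { drop-connection; }
                        notification { log-attacks; }
                    }
                }
            }
        }
        active-policy edge-ips;
    }
    policies {
        from-zone untrust to-zone dmz {
            policy inbound-web {
                match {
                    source-address any;
                    destination-address web-servers;
                    application [ junos-http junos-https ];
                }
                /* the firewall permits the session, then hands it to IDP */
                then { permit { application-services { idp; } } log { session-close; } }
            }
        }
    }
}
```

`request security idp security-package download` followed by `request security idp security-package install` loads the signatures, and `show security idp status` confirms that the active policy has been compiled and loaded. Traffic that no policy permits never reaches IDP, so the default-deny policy remains the first line of defense and IDP inspects only the sessions the firewall has already accepted.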
Integrated Antivirus Protects Remote Locations
For remote offices or smaller locations with limited IT staff, integration and simplicity are
an absolute must in any security solution. Juniper Networks currently provides integrated
file-based antivirus protection from Kaspersky Lab on the Juniper Networks SSG Series
Secure Services Gateways and the SRX Series Services Gateways for the branch. These
products combine firewall and VPN capabilities with an antivirus scanning engine that
includes antiphishing, antispyware, and anti-adware protection to provide a comprehensive security
solution in a single device.
These integrated appliances scan for viruses embedded in both email and Web traffic
by scrutinizing the IMAP, SMTP, FTP, POP3, IM, and HTTP protocols. They protect the network
from today's fast-spreading worms, viruses, trojans, spyware, and
other malware. Because the engine can decompress files in common archive formats,
it scans deep inside attachments to detect threats hidden under
multiple levels of compression.
Two Web filtering approaches are available: external and integrated. External Web
filtering, available on all Juniper Networks firewall and VPN devices, redirects traffic
from the device to a dedicated Websense Web filtering server for enforcement of the
organization's policies. Integrated Web filtering, available on the SRX Series for the branch
and the SSG Series, enables enterprises to build their own Web access policies by selectively
blocking access to sites listed in a continuously updated database. Maintained by
Websense, a Juniper Networks security alliance partner, the database lists more than 20
million URLs organized into more than 54 categories of potentially problematic content.
Customers can rapidly deploy integrated or external Web filtering using default
configurations based on the Websense database. Web filtering profiles can be customized
with blacklists or whitelists, plus a number of predefined and user-defined categories.
Virtualization Boosts Security by Dividing the Network into Multiple Network Segments
Virtualization technologies in the Juniper Networks integrated firewall/VPN and secure
router security solutions enable users to segment their network into many separate
compartments, all controlled through a single appliance. Administrators can simply
segment traffic bound for different destinations, or they can further divide the network
into distinct, secure segments with their own firewalls and separate security policies.
• Security Zones: Supported on every product, security zones represent virtual sections
of the network, segmented into logical areas. Security zones can be assigned to a
physical interface or, on the larger devices, to a virtual system. When assigned to
a virtual system, multiple zones can share a single physical interface which lowers
ownership costs by effectively increasing interface densities.
• Virtual Systems (VSYS): Available on the ISG Series and Juniper Networks NetScreen
Series Security Systems, virtual systems are an additional level of partitioning
that creates multiple independent virtual environments, each with its own set of
users, firewalls, VPNs, security policies, and management interfaces. By providing
administrators with the ability to quickly segment networks into multiple secure
environments managed through a single device, VSYS enables network operators to
build multi-customer solutions with fewer physical firewalls and reduced administrative
attention. This reduces both capital and operational expenses.
• Virtual Routers (VR): Supported on all products, virtual routers enable administrators
to partition a single device so it functions like multiple physical routers. Each VR can
support its own domains, ensuring that no routing information is exchanged with
domains established on other VRs. This enables a single device to support multiple
customer environments, lowering total cost of ownership.
• Virtual LANs (VLAN): Supported on all platforms, VLANs are a logical – not physical
– division of a subnetwork that enables administrators to identify and segment traffic
at a very granular level. Security policies can specify how traffic is routed from each
VLAN to a security zone, virtual system or physical interface. This makes it easy for
administrators to identify and organize traffic from multiple departments and define
what resources each can access.
[Figure: Internet, then the Firewall/VPN device, then Domain 1 through Domain N behind it.]
Networks are segmented into hierarchies of secure compartments using virtualization technology.
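The zone, virtual router and VLAN features listed above combine as follows on an SRX Series device. This is an added example, not the datasheet's own material: two tenants share one device, each with its own 802.1Q subinterfaces, its own virtual router (so routes are never exchanged between tenants) and its own pair of zones (so no policy exists that could pass traffic between tenants). Tenant names, interface names, VLAN IDs and addresses are placeholders.

```junos
/* Added example, not from the datasheet: two tenants on one SRX, isolated by
   VLAN subinterfaces, virtual routers and per-tenant zones. All names, VLAN
   IDs and addresses are placeholders. */
interfaces {
    /* trunk to the shared tenant LAN switch */
    ge-0/0/1 {
        vlan-tagging;
        unit 10 { vlan-id 10; family inet { address 10.10.0.1/24; } }
        unit 20 { vlan-id 20; family inet { address 10.20.0.1/24; } }
    }
    /* trunk to the provider edge, one uplink VLAN per tenant */
    ge-0/0/0 {
        vlan-tagging;
        unit 110 { vlan-id 110; family inet { address 203.0.113.2/30; } }
        unit 120 { vlan-id 120; family inet { address 198.51.100.2/30; } }
    }
}
routing-instances {
    /* Each virtual router owns its interfaces and its own routing table;
       nothing is leaked between them unless it is configured explicitly. */
    tenant-a {
        instance-type virtual-router;
        interface ge-0/0/1.10;
        interface ge-0/0/0.110;
        routing-options { static { route 0.0.0.0/0 next-hop 203.0.113.1; } }
    }
    tenant-b {
        instance-type virtual-router;
        interface ge-0/0/1.20;
        interface ge-0/0/0.120;
        routing-options { static { route 0.0.0.0/0 next-hop 198.51.100.1; } }
    }
}
security {
    zones {
        /* a zone may only hold interfaces from a single routing instance */
        security-zone tenant-a-lan {
            interfaces { ge-0/0/1.10 { host-inbound-traffic { system-services { ping; } } } }
        }
        security-zone tenant-a-wan { interfaces { ge-0/0/0.110; } }
        security-zone tenant-b-lan {
            interfaces { ge-0/0/1.20 { host-inbound-traffic { system-services { ping; } } } }
        }
        security-zone tenant-b-wan { interfaces { ge-0/0/0.120; } }
    }
    policies {
        from-zone tenant-a-lan to-zone tenant-a-wan {
            policy a-outbound {
                match { source-address any; destination-address any; application any; }
                then { permit; log { session-close; } }
            }
        }
        from-zone tenant-b-lan to-zone tenant-b-wan {
            policy b-outbound {
                match { source-address any; destination-address any; application any; }
                then { permit; log { session-close; } }
            }
        }
        /* No zone pair between tenant-a-* and tenant-b-* exists, so cross-tenant
           traffic hits the default deny; the separate virtual routers mean it
           could not even be routed if a policy were added by mistake. */
        default-policy { deny-all; }
    }
}
```

`show route table tenant-a.inet.0` lists only tenant-a's routes, and a commit fails if a zone is given interfaces from two different routing instances, which is the check that keeps zone and virtual-router boundaries aligned.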
Comprehensive High Availability Solutions Ensure Uptime
A security system is only as good as its reliability and uptime. Juniper Networks security
solutions include reliable high availability systems based on the NetScreen Redundancy
Protocol (NSRP) on ScreenOS-based products and the Juniper Services Redundancy Protocol (JSRP) on Junos
operating system-based products. Firewall, VPN, and IPS flows can be synchronized
between high availability pairs to provide subsecond failover to a backup device.
Configuration options include:
[Figure: a redundant firewall/VPN pair connected between EX Series switches, with traffic flowing through each device.]
• A redundant pair can be deployed with traffic flowing through each device. Should one device fail,
the other device becomes the master and continues
to handle 100 percent of the traffic. The redundant
physical paths provide maximum resiliency and uptime.
• Transparent mode affords the simplest way to add security to the network. In
transparent mode, organizations can deploy a Juniper Networks firewall/VPN
appliance without making any other changes to the network: firewall, VPN, IPS, and
denial-of-service (DoS) mitigation functions work without the data interfaces having an IP address, making the
device "invisible" to the user.
• Route mode enables the security device to actively participate in network routing by
supporting static routes and dynamic routing protocols, including BGP, OSPF, RIPv1,
and RIPv2, as well as equal-cost multipath (ECMP) forwarding. Route mode enables administrators to quickly deploy multilayer
security solutions with a minimum of manual configuration.
Juniper Networks integrated security devices support both static and dynamic address
assignment through DHCP or PPPoE, enabling Juniper Networks solutions to operate in
any network environment.
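As an added example (not from the datasheet), the following Junos OS configuration builds the JSRP high availability pair described above from two identical SRX branch devices: redundancy group 0 holds the control plane, redundancy group 1 holds the redundant Ethernet (reth) interfaces that carry traffic, the fabric link synchronizes session state so that existing flows survive a failover, and interface monitoring triggers the failover when a monitored link is lost. The hostnames, the ge-5/0/x naming for the second node, the port assignments and the addresses are placeholders; on the branch platforms the control port and fxp0 are fixed ports, so choose reth child and fabric ports that are free on the model in use.

```junos
/* Added example, not from the datasheet: a two-node JSRP chassis cluster.
   Before loading this, run on each device from operational mode (both reboot
   into cluster mode; node 1's ports then appear as ge-5/0/x on this placeholder
   platform):
       set chassis cluster cluster-id 1 node 0 reboot
       set chassis cluster cluster-id 1 node 1 reboot
   Hostnames, port numbers and addresses are placeholders. */
groups {
    node0 { system { host-name fw-node0; } }
    node1 { system { host-name fw-node1; } }
}
/* each node applies only its own group */
apply-groups "${node}";
chassis {
    cluster {
        reth-count 2;
        /* RG0 is the control plane (routing engine); RG1 is the data plane */
        redundancy-group 0 { node 0 priority 100; node 1 priority 1; }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            /* failover threshold is 255, so losing any one monitored link
               on the primary node moves RG1 to the other node */
            interface-monitor {
                ge-0/0/4 weight 255;
                ge-0/0/5 weight 255;
                ge-5/0/4 weight 255;
                ge-5/0/5 weight 255;
            }
        }
    }
}
interfaces {
    /* fabric link: carries session state so established flows survive failover */
    fab0 { fabric-options { member-interfaces { ge-0/0/3; } } }
    fab1 { fabric-options { member-interfaces { ge-5/0/3; } } }
    /* one physical child per node behind each reth */
    ge-0/0/4 { gigether-options { redundant-parent reth0; } }
    ge-5/0/4 { gigether-options { redundant-parent reth0; } }
    ge-0/0/5 { gigether-options { redundant-parent reth1; } }
    ge-5/0/5 { gigether-options { redundant-parent reth1; } }
    reth0 {
        redundant-ether-options { redundancy-group 1; }
        unit 0 { family inet { address 203.0.113.10/24; } }
    }
    reth1 {
        redundant-ether-options { redundancy-group 1; }
        unit 0 { family inet { address 10.1.0.1/24; } }
    }
}
security {
    /* zones and policies reference the reth interfaces, not the physical children */
    zones {
        security-zone untrust { interfaces { reth0.0; } }
        security-zone trust { interfaces { reth1.0; } }
    }
}
```

After both nodes have rebooted into cluster mode, `show chassis cluster status` reports the primary node for each redundancy group and `show chassis cluster interfaces` shows the state of the fabric and reth links. This fragment is active/backup; to run the pair active/active as the text describes, add a second data-plane redundancy group with the node priorities reversed and bind a separate pair of reth interfaces to it, so each node carries traffic and takes over the other's flows on failure.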
Unbound Scalability
As network requirements continue to evolve, the processing and I/O requirements for
various network devices will also evolve. To meet the demands of ever-changing scalability
requirements, the SRX1400, SRX3000 line, and SRX5000 line of services gateways
leverage the Juniper Networks Dynamic Services Architecture.
Dynamic Services Architecture enables the most flexible I/O and processing configuration
by supporting services processing cards and I/O cards in the same slot, allowing the high-end
SRX Series Services Gateways to be configured as a processing-intensive solution,
an I/O-intensive solution, or anywhere in between. The SRX3000 line and SRX5000 line
are able to scale performance almost linearly by adding network and services
processing cards with very little overhead. This extensive I/O and processing scalability
brought about by Juniper's Dynamic Services Architecture is only available on the data
center class of SRX Series Services Gateways.
Managing the Network and Security
Unlike solutions that require administrators to use multiple management tools to control
a single device, Network and Security Manager (NSM) enables IT departments to control
the device throughout its life cycle from a single, centralized dashboard. NSM is designed
specifically to foster teamwork among device technicians, network administrators, and
security personnel.
Network and Security Manager takes a new approach to security management by providing
IT departments with an easy-to-use solution that controls all aspects of the firewall/VPN
security device, including device configuration, network settings, and security policy.
Juniper Networks STRM Series Security Threat Response Managers provide Security
Information and Event Management (SIEM) capabilities with advanced multivendor
monitoring, event correlation, and comprehensive log management.
Juniper Networks Advanced Insight Solution (AIS) and Juniper Networks Advanced Insight
Manager (AIM) provide in-service diagnostic functionality with flexible automated
monitoring and reporting. Third-party network management partners supporting
the Juniper products provide additional management solutions for network, fault,
performance, and change control. By selecting the appropriate management tool, network
administrators can deploy, manage, and troubleshoot large network deployments.
At the remote site, the new device simply needs to be cabled up and loaded with a small
configuration file, which a central administrator has either emailed or sent on CD to the
remote location. The initial configuration file establishes a secure connection to Network
and Security Manager, which then pushes the complete configuration to the new device.
JUNIPER NETWORKS SERVICE AND SUPPORT
Juniper Networks is the leader in performance-enabling services and support, which are
designed to accelerate, extend, and optimize your high-performance network. Our services
allow you to bring revenue-generating capabilities online faster so you can realize bigger
productivity gains and faster rollouts of new business models and ventures. At the same
time, Juniper Networks ensures operational excellence by optimizing your network to
maintain required levels of performance, reliability, and availability. For more details,
please visit www.juniper.net/us/en/products-services/.
Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737)
or 408.745.2000
Fax: 408.745.2100
www.juniper.net
APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803
EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601