
Branch SRX update

Niklas Henriksson, nhenriksson@juniper.net, Senior Systems Engineer


Presentation Transcript


  1. Branch SRX update. Niklas Henriksson, nhenriksson@juniper.net, Senior Systems Engineer

  2. Routing, Security, Switching – All in One
  Switching
  • 802.1Q VLANs
  • STP, Spanning Tree Protocols
  • 802.1x Port Based Authentication, Dynamic VLAN assignment, & MAC-Radius
  • 802.3ad (Link Agg)
  Security
  • High-performance FW
  • AppSecure (AppFW, AppTrack, AppQoS)
  • IPsec
  • IPS
  • Web filtering
  • Anti-virus
  • Anti-spam
  • NAT
  • L2 Transparent Mode
  Router
  • Rich set of WAN and LAN interfaces
  • Separation of CP & DP
  • Robust and rich routing (RIP, OSPF, BGP)
  • IPv4/IPv6 support
  • Low Latency
  • High Throughput
  • HA & ISSU
  • Extensive QoS
  • MPLS
  • VPLS
  • J-Flow
  • RPM

  3. Branch SRX portfolio – SRX110

  4. SRX110
  • Single box solution for Enterprise and MSP
  • Integrated VDSL port
  • Eight 10/100MB Ethernet ports
  • WAN Options: VDSL Annex A or VDSL Annex B with ADSL fallback; 3G USB Modem port for backup
  • Feature rich in Routing, Switching and Security
    • Security – UTM, Stateful Firewall, IPSec VPN
    • Routing – RIP, OSPF, BGP, MPLS, VPLS
    • Switching – Ethernet Switching feature parity with SRX100
  • External CF for more storage options
  (Slide graphic: Security & Performance)

  5. SRX550 – Beta in Q4
  New platform for mid-large branches
  • Faster than a J6350
  Flexible Slots
  • Two mPIM slots for low-speed interfaces
  • Six PIM slots (2 XPIM + 4 GPIM)
  • One ACE slot (future CPU offload)
  • Support for LAN bypass (ports 4 and 5)
  10xGE ports built-in
  • 6xGE
  • 4xSFP
  • Dual PSU support
  • Two USB ports
  • Serial and USB-based Console
  • External CF/SSD for storage
  (Slide graphic: Security & Performance Targets)

  6. 3G/4G for SRX – Updates
  • HSPA+ Modem support in Q3 2011
  • LTE/HSPA modem support in 1H 2012
  • LTE/EVDO Modem support in 1H 2012
  3G for the SRX
  • CX111 3G Bridge for “ALL” SRX, SSG & J-Series
  • Direct plug-in USB Modem Support for SRX100, SRX110 and SRX210E
  • Worldwide 70+ Modems supported in latest firmware (June ‘11)
  • Verizon LTE supported NOW
  • SNMP Support to manage CX111
  • Junos CLI based management in 1H 2012

  7. Software update

  8. AppSecure – Next Generation Firewall overview
  • Intelligent software services deliver smarter FW policies on SRX gateways
  • Integrates application traffic control with user control and DoS remediation
  • Provides network-level visibility with correlated application and threat event tracking

  9. AppSecure: An important component to a layered security approach
  (Slide graphic: the layers ordered by increasing Processing Intensity & Cost and Inspection Depth – ACLs & Stateless Firewall, Stateful Firewall, Application Security, Intrusion Prevention)
  ACLs & Stateless Firewall
  • Decisions made based on packet header info such as Source and Destination addresses
  • Very fast
  Stateful Firewall
  • More context incorporated into decision process
  • Better at identifying unauthorized or forged communications
  • Still fast
  Intrusion Prevention
  • Looks at every bit for threats—thorough but intensive processing
  • Best used sparingly

  10. Core Detection technologies
  IPS
  • Full featured detection
  • Constant inspection
  • Decoder based updates
  • Geared for evasive application detection
  • Process intensive
  Application Identification
  • Separate Process
  • Pattern match + light-weight decoding
  • Heuristics assistance
  • Web 2.0 focused
  • Higher Performance*
  (Slide graphic: Contextual Network Security – AppSecure Performance)
  *uses Application System Cache (ASC)

  11. AppTrack simplifies application visibility and control
  (1) Traffic analyzed by AppTrack as it traverses the SRX
  (2) SRX sends application logs to a SIEM/Log collector
  (3) SIEM reports analyzed by IT staff
  (Slide graphic: Data Center with DC Firewall(s), DC Switching and Server Farms; STRM or 3rd-party SIEM; STRM Reports viewed in the Operations Center)

  12. AppFW – 3-dimensional security policies
  • Easily restrict application access to necessary users
  • Reduce the spread of confidential information
  • Stop high-risk and unwanted applications
  (Slide graphic: the three dimensions – Traditional Firewall Policy, User and Group Awareness fed by a User Store (special UAC), Application Awareness fed by AppTrack/STRM – enforced at the DC Firewall(s) in front of DC Switching and Server Farms, with the Operations Center)

  13. AppQoS – bandwidth management for businesses
  • Prioritize traffic based on application type
  • Limit the amount of bandwidth an application can consume
  • Mark the DSCP values for proper QoS treatment
  • Leverage the Junos Class-of-Service feature set to fully control application handling at the interface queue level
  (Slide graphic: Traditional Firewall Policy, User and Group Awareness, Application Awareness, AppTrack)
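Slides 11 to 13 present AppTrack, AppFW and AppQoS as services layered on top of the stateful policy. The Junos set-style configuration below is an added example, not from the deck, that wires all three onto one trust-to-untrust policy; the zone names, addresses, rule-set names and the application signature names junos:BITTORRENT and junos:YOUTUBE are assumptions.

```junos
# Added example, not from the deck: AppTrack, AppFW and AppQoS on one trust->untrust policy.
# Assumes zones trust/untrust already exist and a Junos release with AppSecure (12.1 or later).
# 192.0.2.1 / 192.0.2.100 are constructed addresses; junos:BITTORRENT and junos:YOUTUBE are
# assumed names from the Junos application signature package.

# 1. AppTrack (slide 11): record the identified application per session in the trust zone
#    and stream the session logs to the SIEM/STRM collector.
set security zones security-zone trust application-tracking
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream to-siem host 192.0.2.100
set security log stream to-siem category all

# 2. AppFW (slide 12): deny BitTorrent whatever port it uses, permit every other application.
#    Runs only on sessions that a security policy has already permitted (step 4).
set security application-firewall rule-sets block-p2p rule deny-bt match dynamic-application junos:BITTORRENT
set security application-firewall rule-sets block-p2p rule deny-bt then deny
set security application-firewall rule-sets block-p2p default-rule permit

# 3. AppQoS (slide 13): cap YouTube at 2 Mbit/s per direction, put it in the best-effort
#    queue and re-mark its DSCP (CS1) so downstream Junos CoS treats it as low priority.
set class-of-service application-traffic-control rate-limiters video-2m bandwidth-limit 2000
set class-of-service application-traffic-control rate-limiters video-2m burst-size-limit 256000
set class-of-service application-traffic-control rule-sets throttle-video rule yt match application junos:YOUTUBE
set class-of-service application-traffic-control rule-sets throttle-video rule yt then rate-limit client-to-server video-2m
set class-of-service application-traffic-control rule-sets throttle-video rule yt then rate-limit server-to-client video-2m
set class-of-service application-traffic-control rule-sets throttle-video rule yt then forwarding-class best-effort
set class-of-service application-traffic-control rule-sets throttle-video rule yt then dscp-code-point 001000
set class-of-service application-traffic-control rule-sets throttle-video rule yt then log

# 4. The stateful policy (L3/L4 match) permits the session; the application-services then
#    apply AppFW and AppQoS to the application identified on its first packets.
set security policies from-zone trust to-zone untrust policy outbound match source-address any
set security policies from-zone trust to-zone untrust policy outbound match destination-address any
set security policies from-zone trust to-zone untrust policy outbound match application any
set security policies from-zone trust to-zone untrust policy outbound then permit application-services application-firewall rule-set block-p2p
set security policies from-zone trust to-zone untrust policy outbound then permit application-services application-traffic-control rule-set throttle-video
set security policies from-zone trust to-zone untrust policy outbound then log session-close

# Check after commit: "show security application-firewall rule-set all" and
# "show class-of-service application-traffic-control statistics rule-set throttle-video".
```

Because AppFW and AppQoS only see sessions the policy already permitted, a stateful deny still wins; the application rule-sets narrow a permit, they never widen one.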

  14. User-Role Firewall for Active Directory
  (1) Domain user logs into the domain from a domain member device
  (2) Unauthenticated client tries to access a resource through the SRX and is dropped
  (3) SRX redirects the client to the IC for the authentication process using Kerberos
  (4) Upon successful authentication and identification of the user, the IC gets AD group membership using LDAP, maps it to Roles and sends the info to the SRX
  (5) Client device passes traffic through the SRX per the corresponding policy enforcement controls based on User/Role
  (Slide graphic: Client – SRX Series – Internet – Corporate Data Center with IC Series, Windows ADs and the Data, Finance and Video Apps resources)

  15. Integrated User-Role Firewall for Active Directory – future direction
  (1) Domain user logs into the domain from a domain member device
  (2) SRX participates in the domain as a read-only device – AD pushes user and group information to the SRX
  (3) Client device passes traffic through the SRX per the corresponding policy enforcement controls
  (Slide graphic: Client – SRX Series – Internet – Corporate Data Center with Windows ADs and the Data, Finance and Video Apps resources)

  16. L2 Switching with HA: Single Switching Domain across an HA Cluster (Q1 2011)
  Characteristics
  • L2 to span both systems
  • L2 Protocol HA
  • Supports multiple non-overlapping VLANs
  • Replaces external switches
  • Requires adding an optional 3rd HA link, the Switch-fabric link
  (Slide graphic: SRX Cluster; Single L2 Domain, vlan.0, in the Trust Zone; Untrust Zone; ge-0/0/0.0; INTERNET; ge-7/0/0.0; Server)
  L2 switched traffic: traffic between devices in the same L2 broadcast domain is forwarded using the swfab interfaces.
  Routed traffic: traffic to a different subnet is sent to the vlan.0 interface and routed by the SRX.
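The switch-fabric link and the VLAN that spans both nodes, as an added Junos configuration example that is not from the deck. It assumes a chassis cluster that is already formed, with node1's ports numbered ge-7/0/x as in the slide; the member ports, VLAN id and address are constructed.

```junos
# Added example, not from the deck: the optional third HA link (swfab) and one VLAN that
# spans both cluster nodes. Assumes the cluster is already formed (node0 = FPC 0,
# node1 = FPC 7, as in the slide's ge-0/0/0 / ge-7/0/0) with fab0/fab1 already defined.
# Port numbers, VLAN id and the 10.10.10.0/24 address are constructed values.

# 1. Switch-fabric link: one physical port per node, cabled back-to-back. Frames switched
#    between access ports on different nodes cross this link, not the control or data fabric.
set interfaces swfab0 fabric-options member-interfaces ge-0/0/2
set interfaces swfab1 fabric-options member-interfaces ge-7/0/2

# 2. One L2 broadcast domain with an access port on each node; a host on ge-0/0/1 and a
#    host on ge-7/0/1 see each other as if on the same switch.
set vlans vlan-trust vlan-id 10
set vlans vlan-trust l3-interface vlan.0
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-7/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-7/0/1 unit 0 family ethernet-switching vlan members vlan-trust

# 3. Routed exit from the VLAN: vlan.0 in the trust zone is the gateway for the subnet, so
#    traffic to any other subnet is routed by the SRX and evaluated against security policy.
set interfaces vlan unit 0 family inet address 10.10.10.1/24
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services ping

# Check after commit: "show interfaces swfab0 terse", "show ethernet-switching table"
# (MACs learned on both ge-0/0/1 and ge-7/0/1) and "show chassis cluster status".
```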
