Product Update Seminar

Agenda
13.00 Welcome
13.30 SRX update + Application Aware FW positioning
      Value Add proposition having onbox AV (Kaspersky)
      MAG SSL/UAC license scenarios recap
      vGW short recap (demo)
15.30 Coffee break
      EX technology portfolio update "The new network is simply connected"
      Wireless Newsflash
      Westcon Academy Juniper Training update
17.30 Great drinks & Fingerfood @ SKYBAR terrace
Legal Disclaimer: This statement of product direction (formerly called "roadmap") sets forth Juniper Networks' current intention, and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or functionality depicted on this statement.
SRX update
Frederick Verduyckt, Security System Engineer
DON'T TAKE OUR WORD FOR IT…
SRX210 wins Tokyo Interop Grand Prix (highest honor) for SMB Infrastructure
SRX650 wins Best of Interop Award, Infrastructure Category
• "Branch Office Swiss Army Knife" that "packs a bunch of horsepower and features"
• "Amazed that high-performance JUNOS software is installed in this small appliance" – the vote was unanimous!
Branch SRX delivers… Consolidated Security and Networking
All-in-One: Firewall, VPN, IPS, Anti-Virus, UTM, Anti-Spam, Web filtering, Routing / WAN, LAN, Switching
• Single device for routing, switching, and security
• Comprehensive security
• Easy to activate new layers of security
BRANCH SRX PORTFOLIO
• SRX100/110
• SRX210: WAN slot, 2 x GigE, PoE
• SRX220: + 2 WAN slots, 8 x GigE, PoE
• SRX240: + 4 WAN slots, 16 x GigE, PoE
• SRX650: + More LAN slots, dual processors, dual P/S
Positioning ranges from Small Office through Small to Medium Office up to Large Branch/Regional Office.
SRX Services Gateways
• Highly configurable
  • Fixed, semi-modular, and modular form factors
  • Choice of WAN and LAN interfaces
• Extensive integration
  • Full suite of JUNOS routing and switching capabilities
  • Unmatched security, including FW, VPN, UTM, UAC, and full IPS
• Exceptional performance and availability
  • Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS
  • Control & data plane separation, redundant processing and power
SRX210 Enhanced – Improved SRX210 with faster processor!
• Increases processor speed to 600MHz from 400MHz
• Existing SRX210 has 400MHz processor
• Provides faster J-Web, improved boot-up time, faster throughput
Provided under new SKUs:
• SRX210BE, SRX210HE, SRX210HE-POE
• No change to list price
• No change to datasheet specs
FIPS & EAL4 Certs submitted with 10.4
End-of-Sale of existing SRX210 will be announced after receiving certifications in 2H 2011
• Providing at least 6 month notice for LTB
SRX110
• Single box solution for Enterprise and MSP
• Fixed form factor
• 8 10/100MB Ethernet ports
• WAN Options
  • VDSL Annex A or VDSL Annex B with ADSL fallback
  • 3G USB Modem port for backup
  • Express slot is being deprecated
• Feature rich in Routing, Switching and Security
  • Security – UTM, Stateful Firewall, IPSec VPN
  • Routing – RIP, OSPF, BGP, MPLS, VPLS
  • Switching – Ethernet Switching features parity with SRX 100
• External CF for more storage options
3G/4G for SRX – Updates (ROADMAP)
USB 3G/4G – This is the Future (direct plug-in USB Modem Support for SRX100, SRX110 and SRX210E)
• GSM/HSPA+ Modem support in Q3 '11 (Sierra Wireless 319U)
• Secure Modem with Modem Cap (2H '11) – Recommended for use with SRX
• LTE/HSPA modem support in 1H '12
• LTE/EVDO Modem support in 1H '12
• SRX/Junos based 3G support
• No USB 3G support on 220/240/650
CX111 Bridge – CX111 3G/4G Bridge for "ALL" SRX, SSG & J-Series
• Worldwide 70+ Modems supported in latest firmware (July '11)
• Verizon LTE supported NOW
• CX111 supports SNMP NOW (v 1.8.2, July 2011)
• Junos CLI based management Phase-1 release in Q4 '11
SRX550 – Beta in 11.4
New platform for mid-large branches
• Faster than a J6350
Flexible Slots
• Two mPIM slots for low-speed interfaces
• Six PIM slots (2 XPIM + 4 GPIM)
• One ACE slot (future CPU offload)
• Support for LAN bypass (ports 4 and 5)
10xGE ports built-in
• 6xGE
• 4xSFP
• Dual PSU support
• Two USB ports
• Serial and USB-based Console
• External CF/SSD for storage
Where is security headed? "Location, device and user" vs. "Source to Destination"
(Diagram: the traditional Source-to-Destination model gives way to Context Awareness across a Global High-Performance Network, answering what user, what device, what location and what application, from Data Center and Branch to Campus and Mobile Clients.)
AppSecure Software Service Suite – Application Intelligence from User to Data Center (2H 2011)
• AppTrack – Understand security risks; Address new user behaviors
• AppFW – Block access to risky apps; Allows user tailored policies
• AppQoS – Prioritize important apps; Rate limit less important apps
• AppDoS – Protect apps from bot attacks; Allow legitimate user traffic
• IPS – Remediate security threats; Stay current with daily signatures
• Subscription service includes all modules and updates
• Juniper Security Lab provides 800+ application signatures
APPSECURE USE CASE – COST REDUCTION
Customer Profile: Large technology company with over 100 offices worldwide
Customer Initiative: IT cost reduction through standardization on a smaller number of supported applications
AppSecure Implementation:
• AppTrack – Identify global use of applications, cloud-based or not
• AppFW – Block out-of-policy applications (e.g. Facebook)
• AppQoS – Prioritize business-critical applications (Oracle, GoogleSites); lower priority of less essential applications (QuickTime)
APPSECURE USE CASE – COMPLIANCE
Customer Profile: US based HR recruiting firm with clients in US and EMEA
Customer Initiative: Standardize on a single e-mail application to meet compliance guidelines
AppSecure Implementation:
• AppTrack – Identify and permit Microsoft Outlook traffic
• AppFW – Identify and permit access to LinkedIn to enable recruiting productivity; identify and deny access to LinkedIn's In-Mail application
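Both use cases above come down to the same two pieces of SRX configuration: AppTrack switched on for a zone so application usage becomes visible, and an AppFW rule set attached to a security policy that permits the session but denies one out-of-policy application. The fragment below is an added example written for this page, not configuration from the deck or from Juniper; zone and interface names are assumed, and the dynamic-application name `junos:FACEBOOK-ACCESS` is assumed to be present in the installed application signature package.

```junos
/* Added example: AppTrack on the user zone, an AppFW rule set that denies one
   out-of-policy application, and the policy that applies the rule set.
   Zone/interface names are assumptions, not from the deck. */
security {
    zones {
        security-zone trust {
            application-tracking;            /* AppTrack: log application usage from this zone */
            interfaces { ge-0/0/1.0; }
        }
        security-zone untrust {
            interfaces { ge-0/0/0.0; }
        }
    }
    application-firewall {
        rule-sets block-out-of-policy {
            rule deny-facebook {
                /* dynamic-application name assumed to exist in the signature package */
                match { dynamic-application junos:FACEBOOK-ACCESS; }
                then { deny; }
            }
            /* everything the rule set does not name stays permitted by the policy */
            default-rule { permit; }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy users-to-internet {
                match { source-address any; destination-address any; application any; }
                then {
                    /* the L4 permit still applies; AppFW decides per identified application */
                    permit {
                        application-services { application-firewall { rule-set block-out-of-policy; } }
                    }
                    log { session-close; }
                }
            }
        }
    }
}
```

The session-close log plus AppTrack gives the "identify" half of the use case; AppFW only acts after the session has been classified, so the first packets of a flow are forwarded before a deny can take effect.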
APPSECURE AVAILABILITY (Junos release: High End SRX / Branch SRX)
• AppTrack: 11.2
• AppFW: 11.2 (High End SRX) / 11.1 (Branch SRX)
• AppQoS: 1H12 (High End SRX) / 11.4 (Branch SRX)
• AppDoS: TBD
• IPS User-Roles: 12.1 / 12.1
What is LSYS?
• Virtualization of many aspects of Junos, especially security policies and enforcement options
• "Complete" separation of a single device into unique virtual instances, including:
  • Administrative separation – users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box
  • Traffic separation – network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
  • Resource separation – resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances
• An evolution of ScreenOS's VSYS concept
LSYS vs. VSYS
ScreenOS VSYS (Virtual System) corresponds to Junos* LSYS (Logical System); in both, the instance is built from Zones, a VR (Virtual Router), Interfaces (Int) and IP addresses.
*All interfaces in a given zone must be in the same routing instance
LSYS isn't a hypervisor-level virtualization
• Only one version of Junos is running on the SRX
• System daemons have been made 'LSYS aware'
• In some cases, multiple daemons are used, one per LSYS
• Akin to "Operating System-Level virtualization"
• Looks and feels like a real system
• Has resource protection to protect one from another
EXAMPLE (topology diagram): Root (LSYS0), LSYS1 and LSYS2 are interconnected over lt0/0/0 units 0–5; zones LRlt and Inet sit in Root, L1lt and L1USR in LSYS1, L2lt, L2USR and L2SVR in LSYS2; hosts PC1, PC2 and PC3 attach to the user zones.
LSYS: 11.2 CLI
Global configuration (root):
    interfaces {...}
    lsys-profiles {...}
    applications {...}
    schedulers {...}
    routing-instance {...}
    protocols {...}
    routing-options {...}
    security {
        policies {...}
        zones {...}
        nat {...}
    }
    logical-system LSYS1 {
        profile profile-name-Premium
        interfaces {...}
        routing-instance one {...}
        applications {...}
        security {
            policies {...}
            schedulers {...}
            zones {...}
            nat {...}
        }
    }
• Global Configuration View
  • Root administrator can configure all elements of the SRX
  • Must create LSYS and LSYS users
  • If desired, all admin can be done by root
• LSYS-Level Configuration View
  • LSYS administrators see only LSYS-level configuration details
  • Includes LSYS-only view of all logs
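As an added worked example (not configuration from the deck or from Juniper), the fragment below shows the three separations from "What is LSYS?" in one root-level configuration: an admin login class confined to LSYS1, a security profile that budgets policies and zones for LSYS1, and an lt interface pair with a zone-to-zone policy, without which no traffic leaves LSYS1. It is written with the `logical-systems` and `system security-profile` hierarchies of released Junos, which differ slightly from the 11.2 preview syntax on the slide; interface numbers, addresses, quota values and the password placeholder are assumptions, and direct lt peering between root and LSYS1 follows the EXAMPLE diagram above.

```junos
/* Added example (not the deck's config): root admin creates LSYS1, its admin
   class, a resource budget (security-profile) and an lt link to the root LSYS. */
system {
    login {
        /* administrative separation: this class only sees and configures LSYS1 */
        class lsys1-admin { logical-system LSYS1; permissions all; }
        user lsys1admin { class lsys1-admin; authentication { encrypted-password "PLACEHOLDER-HASH"; } }
    }
    /* resource separation: quotas for policies and zones assigned to LSYS1 */
    security-profile Premium {
        policy { maximum 200; reserved 100; }
        zone { maximum 10; reserved 4; }
        logical-system LSYS1;
    }
}
interfaces {
    /* root side of the logical tunnel that carries traffic between root and LSYS1 */
    lt-0/0/0 {
        unit 0 { encapsulation ethernet; peer-unit 1; family inet { address 10.0.0.1/30; } }
    }
}
logical-systems {
    LSYS1 {
        interfaces {
            ge-0/0/2 { unit 0 { family inet { address 192.0.2.1/24; } } }
            /* LSYS1 side of the tunnel, peered with root unit 0 */
            lt-0/0/0 {
                unit 1 { encapsulation ethernet; peer-unit 0; family inet { address 10.0.0.2/30; } }
            }
        }
        security {
            zones {
                security-zone L1USR { interfaces { ge-0/0/2.0; } }
                security-zone L1lt { interfaces { lt-0/0/0.1; } }
            }
            /* traffic separation: nothing leaves LSYS1 unless a policy like this permits it;
               the root LSYS needs its own zone (LRlt) and policy on lt-0/0/0.0 as well */
            policies {
                from-zone L1USR to-zone L1lt {
                    policy users-to-root {
                        match { source-address any; destination-address any; application any; }
                        then { permit; log { session-close; } }
                    }
                }
            }
        }
    }
}
```

Logging in as lsys1admin lands the session inside LSYS1, where `show configuration` returns only the `logical-systems LSYS1` subtree and the root-level security-profile quotas are not visible or editable.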
When to use LSYS
Customer Requirements:
• ✔ Complete separation of traffic (Zones and VRs can also provide this functionality without LSYS)
• ✔ Administrative delegation
• ✔ Log separation
• ✔ Resource reservation
Virtualization Specific Requirements
• Secure VMotion/Live-Migration
  • VMs may migrate to an unsecured or lower trust-level zone
  • Security should enable both migration and enforcement
• Hypervisor Protection
  • New operating system means new attack surface
  • Hypervisor connection attempts should be monitored
• Regulatory Compliance
  • Isolating VMs, Access Control, Audit, etc.
  • Segregating administrative duties inside the virtual network
  • Tracking VM security profiles
Security Implications of Virtual Servers
• Physical network: the Firewall/IPS inspects all traffic between servers
• Virtual network (VM1, VM2, VM3 on one ESX host hypervisor): physical security is "blind" to traffic between virtual machines
Approaches To Securing Virtual Servers: Three Methods
1. VLAN Segmentation
   • Each VM in separate VLAN
   • Inter-VM communications must route through the firewall
   • Drawback: Possibly complex VLAN networking
2. Agent-based
   • Each VM has a software firewall (FW agents)
   • Drawback: Significant performance implications; huge management overhead of maintaining software and signatures on 1000s of VMs
3. Kernel-based Firewall (FW as kernel module in the hypervisor)
   • VMs can securely share VLANs
   • Inter-VM traffic always protected
   • High performance from implementing firewall in the kernel
   • Micro-segmenting capabilities
vGW Kernel Implementation
• Fully "Fast-Path"
• All firewall processing is done within hypervisor
• High performance, >10Gbps throughput
• Designed for ESX Architecture
• Independent processing firewall policy per-VM
• Scales up as core count increases
(Diagram: VM1–VM3 on the ESX host attach to the VMware vSwitch or dvSwitch; the Altor VMsafe Kernel Module (vGW 4.5 Engine) in the ESX kernel handles the packet/data path; the Altor VM (policy, logging, management) talks to the engine over the VMsafe interface and exports to partner servers (IDS, Syslog, Netflow).)
vGW architecture – 3 main modules
1. vGW SECURITY DESIGN
   • CENTRAL MANAGEMENT
   • WEB-BASED UI
   • MANAGEMENT HA
   • DELIVERED AS VIRTUAL APPLIANCE
2. vGW SECURITY VM
   • POLICY FROM MGMT TO ENGINE
   • LOGGING FROM ENGINE TO MGMT
   • IDS ENGINE
   • DEPLOYED AS HA PAIR
   • DELIVERED AS VIRTUAL APPLIANCE
3. THE vGW ENGINE (VMWARE DVFILTER in the ESX kernel, alongside the VMWARE VSWITCH OR CISCO 1000V)
   • FULL FW IMPLEMENTATION IN THE KERNEL
   • STATEFUL FW
   • PER-VM POLICY
Integrated with Juniper Data Center Security
• vGW 4.5 on VMware vSphere enforces Altor policies on VM1–VM3
• Central Policy Management
• Zone Synchronization & Traffic Mirroring to IPS (Juniper SRX with IPS)
• Firewall Event Syslogs and Netflow for Inter-VM Traffic exported to STRM
• Network: Juniper EX Switch
DEMO http://vgwdemo.juniper.net