Secure Services Gateway (SSG) Family Overview: SSG 5, SSG 20, SSG 140
Copyright © 2006 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Jan 15, 2016
Agenda
• Key Security and Routing Features
• SSG Family Specifications
• Deployment Examples
Current Trends
By 2007, 50% of the companies surveyed will significantly increase their WAN access bandwidth – Infonetics
More employees working away from main offices
• 91% of employees in companies of all sizes work outside of main office – Nemertes Research
Security risks continue
• In 2005, 56% of companies had at least 1 internal attack
• 65% had at least 1 external attack – CSI/FBI 2005 survey
Small to medium business FW opportunity in 2006 = $1 Billion (Infonetics)
[Figure labels: Internal security, Content protection, No IT staff, Wi-Fi, DMZ, Bandwidth usage, Direct Internet, Remote mgmt]
Small to Medium Branch Office / Business Characteristics
Smaller in scale, but not necessarily less complex than big businesses or HQ sites
• Multiple local networks
• More complicated security due to environment, support, etc
• Many devices on a per capita basis
• No local IT help
Range of WAN connections: from DS3 to low speed modem
Require protection for owned and non-owned IT assets
• Firewall, VPN, IPS and File-based AV scanning, Spyware detection
• Internal network segmentation for attack mitigation, access control
[Figure labels: Outbound link = > T1, DSL, DS3; Local Apps; Users; WLAN; IPSec; www; 100+ Mbps]
Secure Service Gateway Family
Secure Services Gateway (SSG) family integrates proven security of ScreenOS and WAN connectivity to deliver secured and assured networking
• New levels of price/performance and I/O flexibility
• Unified Threat Management features complement FW, IPSec VPN
Ideal small to medium stand alone business / branch office offerings
Can be deployed as a traditional Firewall, as a Site to Site VPN and as a Security Router
[Figure: SSG 5, SSG 20, SSG 140, SSG 520/SSG 520M, SSG 550/SSG 550M]
ScreenOS: Proven Enterprise Class Security
Rich networking and virtualization capabilities
• Segmentation (Zones, VLANs) to divide the network into secure segments
• Combines ScreenOS deployment modes, dynamic routing and high availability with select JUNOS WAN encapsulations
Network security features / Access control
• Stateful firewall, IPSec VPN, NAT, DoS protection, user authentication
Integrated Unified Threat Management (UTM) security features
• IPS (Deep Inspection), Antivirus (includes Anti-Spyware, Anti-Phishing), Anti-Spam, Web filtering
[Figure: ScreenOS on the SSG Purpose-Built Hardware Platform (LAN & WAN I/O, Mgmt/Modem). Networking: Security Zones, LAN Routing, Deployment Modes, WAN Encapsulations. Network Security Features: FW, IPSec VPN, DoS/DDoS, User auth. UTM Features / Content Security: Antivirus/Anti-Spyware, Web filtering, Anti-Spam, IPS (Deep Inspection)]
Unified Threat Management Features Stop Common and Emerging Threats
Inbound Threats / Outbound Threats
• Web Filtering: SurfControl to block Spyware Site Access / Phishing Site Access
• AV: Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware, Adware, Keyloggers; Viruses, file-based Trojans
• Anti Spam: Symantec stops Spam / Phishing
• IPS/DI: Worms, Trojans; Worms, Trojans, DoS (L4 & L7), Recon, Scans
• Stateful Firewall
UTM Security Backed by Best-In-Class Partners
Integrated Kaspersky Antivirus solution blocks thousands of viruses PLUS Spyware / Adware / Keyloggers
Integrated or redirect Web filtering with SurfControl blocks outbound access to known Spyware, Phishing, & Virus download sites
• Integrated via SurfControl or redirect via SurfControl or Websense
Integrated Anti-Spam from Symantec
• Brightmail-based database blocks (and/or tags) spam by using robust IP based, constantly updated worldwide list of spammers and phishers
Intrusion Prevention (Deep Inspection) detects several thousand attacks such as Worms, Trojans and other malware for up to 43 protocols
Delivered in the form of an annual subscription fee
Network Segmentation Security Zones, VLANs, Virtual Routers
Security zones, VLANs, Virtual Routers
• Divide network into logical, secure domains
• Protect network with Inter-, Intra- zone policies
Key benefits:
• Better Security
• Divide the network into distinct, secure domains
• Able to assign appropriate levels of security to different user groups
• Competitive differentiator
[Figure: DMZ; Trusted Zone: Full access to all resources; Zone1 “Hoteling” employees: Web, email, key apps; Zone2 “Guests”: Web access only]
Routing and Network Deployment Modes: Simplify Network Integration
Dynamic routing and deployment modes
• Support for transparent, static and dynamic route modes
• Dynamic routing support across entire product line
• OSPF, BGP, RIPv1/2 available on all products
• WAN encapsulation support
• FR, MLFR, PPP, MLPPP and HDLC
Benefit:
• Automatically learns network configuration
• Facilitates security deployment without network configuration changes
• Simplifies network integration
• Reduces manual configuration efforts
• Facilitates WAN connectivity
• Increases network resiliency – especially for VPNs
Bridge Groups: Interface Configuration Flexibility
Replaces Port Modes (SSG 5 / SSG 20 only) with more flexible means of interface configuration
Group Ethernet ports and Wireless ports as L2 Switch with one logical L3 interface – no policy between ports – apply policy to bgroup
As policy dictates, Bridge Group interface can act as L2 switch – directing traffic to destination
[Figure (SSG 5 or SSG 20): Bridge Groups as a virtual L2 Switch; eth and wireless ports in a bgroup, traffic from Src1 to Dst1]
[Figure (SSG 5 or SSG 20): Bridge Groups as a L3 interface assigned to a Server Farm Security Zone; eth and wireless ports in a bgroup]
Secure, Centralized Management
Centralized control over SSG population
• Remote Management
• Secure, centralized management of firewall, VPN, content security, and routing across all devices
• Rapid Deployment
• Reduce provisioning time / streamline large deployments
• Role-based administration
• Delegate administrative access to key support people by assigning specific tasks to specific individuals
• Centralized activation/deactivation of security features
• Application attack protection, Web usage control, Payload attack protection, Spam Control
• SSG Family supported by NSM* now
• Schema update may be required
* Some functions (WAN Config) may be CLI only
[Figure labels: Network, Security, Operations]
Agenda
• Key Security and Routing Features
• SSG Family Specifications
• Deployment Examples
Secure Service Gateway Family
SSG 5 - Six fixed form factor models
• 160 Mbps FW / 40 Mbps VPN
SSG 20 – 2 modular models
• 160 Mbps FW / 40 Mbps VPN
SSG 140
• 350+ Mbps FW / 100 Mbps VPN
• 8 FE + 2 GE Interfaces + 4 WAN PIM slots
SSG 520/SSG 520M
• 650+ Mbps FW / 300 Mbps VPN
SSG 550/SSG 550M
• 1+ Gbps FW / 500 Mbps VPN
[Figure: SSG 550/SSG 550M, SSG 520/SSG 520M, SSG 5, SSG 20, SSG 140]
SSG 5 Overview
Performance and physical characteristics
160 Mbps FW (large packets)/ 90 Mbps FW (IMIX) / 40 Mbps VPN
• Integrated Fan w/ Temp Sensor (wireless only)
Reliability and extensibility
External AC power supply
Full Active/Passive (w/ Extended license)
User upgradeable memory
Flexible connectivity
Fixed form factor w/ 7 Fast Ethernet + 1 WAN interface
• Factory configured WAN options include ISDN BRI S/T or V.92 or RS-232 Serial/Aux
• Optional factory configured Dual radio 802.11a + 802.11 b/g
• Six models to choose from
SSG 20 Overview
Performance and physical characteristics
160 Mbps FW (large packets)/ 90 Mbps FW (IMIX) / 40 Mbps VPN
• Integrated Fan w/ Temp Sensor (wireless only)
Reliability and extensibility
External AC power supply
Full Active/Passive (w/ Extended license)
User upgradeable memory
Flexible connectivity
5 Fast Ethernet + 2 Mini I/O slots
• Mini PIM options include ADSL2+, T1, E1, ISDN BRI S/T, V.92 at FCS
• Optional factory configured Dual radio 802.11a + 802.11 b/g
• Two models to choose from
SSG 20 I/O Extensibility
Mini-PIMs are small form factor
• Size of a deck of cards
• Not compatible with any other SSG or J series
(2) I/O expansion slots
[Figure: Mini-PIM faceplates and LED labels. ADSL 2/2+: TX/RX, SYNC. V.92: CD, TX/RX. E1: CD, LOOP BACK, ALARM. T1: CD, LOOP BACK, ALARM. ISDN (BRI) S/T: Channel B2, Channel B1]
SSG 140 Overview
350+ Mbps FW (large packets)/ 300 Mbps FW (IMIX) / 100 Mbps VPN
Brings high performance UTM Security features to the mid-market
Full Active/Passive HA
Fixed 10/100 and 10/100/1000 interfaces
(4) interface expansion slots
• Existing dual Port T1
• Existing dual Port E1
• Existing Dual Port Serial
New Interfaces at FCS
• Single Port ISDN
[Figure: SSG 140 Front View and Back View]
SSG 140 Interface Support
1. Console and RS-232/Aux interfaces
2. (8) 10/100 interfaces
3. (2) 10/100/1000 interfaces
4. (4) interface expansion slots: 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T
5. Status LEDs for rear installed I/O cards – visible from front
[Figure: SSG 140 Front View and Back View with numbered callouts 1 to 5]
SSG Family Summary
Feature                     SSG 5       SSG 20      SSG 140
FW Mbps (Large Packets)     160 Mbps    160 Mbps    350+ Mbps
FW Mbps (IMIX)              90 Mbps     90 Mbps     300 Mbps
FW PPS (64 Byte)            30k         30k         100k
VPN (1400 Byte)             40 Mbps     40 Mbps     100 Mbps
IPS (Deep Inspection FW)    Yes         Yes         Yes
Antivirus                   Yes         Yes         Yes
Anti-spam                   Yes         Yes         Yes
Web Filtering               Yes         Yes         Yes
Modular I/O                 No          Yes         Yes
Routing (RIP/OSPF/BGP)      Yes         Yes         Yes
WAN Encapsulations          Yes         Yes         Yes
HA                          Optional    Optional    Yes
SSG Family Positioning
[Chart: Availability versus Capacity, Performance and Features]
Availability axis: Optional Active-Passive (w Ext Lic); Active-Passive; Full Mesh / Active-Active, Redundant Power
Chart labels:
• >2x FW Perf & Sessions
• >2x VPN Perf & Tunnels
• >2x Zones & VLANs
• Stateful HA (AP)
• GigE interfaces
• ~2x FW Perf & Sessions
• ~1.5x VPN Perf & Tunnels
• AA Full Mesh HA
• Redundant Power
• Modular I/O
• 2 x Mini-PIM’s
• ~2x FW Perf & Sessions
• >3x VPN Perf & Tunnels
• Modular LAN (GigE)
Performance Recommendations: 10M+ UTM, 25M+ UTM, 100M+ UTM, 200M+ UTM
SSG Family Interface Module Summary
PIM/EPIM/Mini-PIM SSG 20 SSG 140 SSG 550 SSG 550M SSG 550 SSG 550M
1 x T1 Mini-PIM -- -- --
1 x E1 Mini-PIM -- -- --
1 x ADSL 2+ Mini-PIM -- -- --
1 x V.92 Mini-PIM -- -- --
1 x ISDN BRI S/T Mini-PIM -- -- --
2 x T1 PIM* --
2 x E1 PIM* --
2 x Serial PIM* --
1 x ISDN BRI S/T PIM -- -- --
1 x DS3 PIM* -- --
4 x FE EPIM -- --
1 x Gbe EPIM -- --
1 x SFP EPIM -- --
* I/O card also compatible with J Series routers
SSG Product Family Fit
Small Branch, Small Business, Telecommuters
Regional Office, Medium Enterprise
Performance
Improved performance & processing
Wider range of platforms with UTM
Modular (Expandable) Memory
Improved connectivity
SSG Family Summary
Security: Proven ScreenOS + Best-in-class UTM Security features without add-on hardware
• Stateful FW, IPSec VPN, IPS, AV (incl. Anti-Phishing, Anti-Spyware), Anti-Spam, Web filtering
• Network segmentation via security zones and VLANs
Performance: Purpose built platforms that deliver unmatched price/performance to branch office market
WAN Connectivity: Widest range of FW platforms with WAN interfaces and protocols
• Security platforms with LAN and WAN routing capabilities
• Dynamic routing, virtual routers, VPN, high availability, VLANs
• New WAN interfaces and encapsulations taken from J-Series and JUNOS
Centralized management with NSM
Agenda
Key Security and Routing Features
SSG Family Specifications
Deployment Examples
Secure Services Gateway Deployment Options
As a security device
1. Firewall protecting the network using ScreenOS stateful FW
2. Site-to-site IPsec VPN using ScreenOS VPN dynamic, route based VPN
3. Multifunction security platform using FW plus best-in-class UTM security features, proven in NetScreen-5GT
• Antivirus, Web filtering, Anti-Spam, IPS
As a security router
Security features = FW, IPSec VPN, UTM features
Branch office routing: Broad range of LAN + WAN connectivity
• 10/100, 10/100/1000, SFP supported by OSPF, BGP, RIPv1/2
• DS3, T1, E1, ADSL 2+, ISDN, V.92 supported by PPP, MLPPP, FR, MLFR, HDLC
[Figure labels: HQ, WWW]
Small Business Deployment Example: SSG 5
SSG 5
• Fixed format appliance: 7x10/100 – connected to DSL modem
• Factory configured back up I/O options: V.92 or ISDN or Serial
• Factory configured Wireless option: 802.11 a/b/g
Primary Link = External DSL modem
Back up options = ISDN S/T or V.92 or Modem connected to Serial interface
[Figure labels: ISP, Internet, Wireless Zone, Server Zone, Small Business]
Small/Medium Office Deployment Example: SSG 20
SSG 20
• Modular appliance: 5x10/100 + 2 I/O slots
• ADSL 2+, T1, E1, V.92, ISDN BRI/S/T
• Factory configured Wireless option: 802.11 a/b/g
Primary Link = ADSL or T1 I/O module
Backup = ISDN S/T or V.92 I/O module or externally connected modem
[Figure labels: Internet, ISP, Wireless Zone, Server Zone, Small Business]
Thank you