Juniper vSRX Technical Overview for X47D20 Release (Copyright © 2015 Juniper Networks, Inc.)


  • Slide 1
  • Copyright 2015 Juniper Networks, Inc. 1 Juniper vSRX Technical Overview for X47D20 Release
  • Slide 2
  • Copyright 2015 Juniper Networks, Inc. JUNIPER NETWORKS & PARTNER CONFIDENTIAL: SHARE UNDER NDA ONLY
  • Agenda:
    • 1. vSRX Use Cases and Solution
    • 2. Scale and Performance Update
    • 3. Advanced Security Features
    • 4. License Information
    • 5. What's New in vSRX x47d20
  • Slide 3
  • vSRX Use Cases & Key Solution Overview
  • Slide 4
  • vSRX Overview:
    • Advanced Security Services: integrated UTM including full anti-virus, anti-spam, web filtering and content filtering, together with IPS and AppSecure 2.0
    • Rich Routing & Network Capabilities: VPN connectivity and routing features in a flexible virtual machine format, based on the proven Junos OS foundation
    • Full Stateful Firewall: SRX in virtual machine format; firewall protection for virtualized, private and hybrid environments; HA support for active/active and active/passive modes; multi-platform support (VMware, KVM and Contrail) and integrated automated management functionality
  • Slide 5
  • vSRX: SRX in a Virtual Format (diagram). Junos routing protocols and SDK underpin the rich and extensible Junos security stack:
    • Perimeter Security: Firewall, VPN, NAT, Routing
    • Content Security: Anti-Virus, IPS, Web Filtering, Anti-Spam
    • Application Security: AppID, AppFW, AppQoS, AppTrack
    • Management: Junos Space Security Director & Virtual Director, CLI, J-Web, SNMP, HA/FT
    • Available NOW in x47d20
  • Slide 6
  • Private Cloud Use Case (diagram): agile VM and application isolation. Departments A, B and C each run behind a vSRX VM on the private cloud infrastructure, with physical SRX protecting the physical servers. Security Director and Virtual Director, working with vCenter or the Contrail Controller, support security policy configuration and management of both virtual and physical assets; Juniper virtual security protects internal applications and VMs.
  • Slide 7
  • Cloud Hosting Provider Use Case (diagram): in the cloud hosting environment each customer (Customer 1, 2, 3) gets a dedicated vSRX VM in front of its hosted VMs (app server, web server, DB server, other servers). Customer Premises 1, 2 and 3 reach their hosted VMs across the public cloud over IPsec VPN, so the vSRX provides both protection and connectivity for customer-hosted VMs.
  • Slide 8
  • MSSP (vCPE) Use Case (diagram): in the MSSP's virtual environment each customer (Customer 1, 2, 3) is served by its own vSRX behind an L2/L3 switch (SRX, MX, QFX). Customer Premises 1, 2 and 3 reach the operator network over MPLS VPN. Security Director together with Contrail, NSX or another management and orchestration platform manages the deployment.
  • Slide 9
  • NFV High-End Carrier Use Case (diagram): carrier POPs with PTX (or MX) routers on the carrier backbone; vSRX instances run on SDN-driven x86 compute with Contrail; Customers 2 and 3 reach the Internet through an MX over MPLS VPN.
  • Slide 10
  • What's New in vSRX x47d20
  • Slide 11
  • What's New in vSRX x47-d20 (Feature / Description / Platform):
    • Application Identification (AppID/AppTrack): identifies applications as parts of application clusters in TCP/UDP/ICMP traffic. Application Identification strengthens the firewall at different network layers using techniques other than port number and IP address. Application signatures are modified to provide security at the application level. Platform: VMware and KVM
    • Application Quality of Service (AppQoS): part of the AppSecure suite of components. Expands the capability to include marking Differentiated Services Code Point (DSCP) values based on the Layer-7 application. Rate limiting, DSCP rewrite, and setting loss priority, priority and queue of traffic are the techniques used by AppQoS. Platform: VMware and KVM
    • Application Firewall (AppFW): define one or more application firewall rule sets, create rules for each rule set that permit, reject or deny traffic based on the application ID, and configure a security policy to invoke the application firewall service and specify the rule set to be applied to permitted traffic. Platform: VMware and KVM
    • Dynamic Host Configuration Protocol (DHCP): DHCP is based on BOOTP, a bootstrap protocol that allows a client to discover its own IP address, the IP address of a server host, and the name of a bootstrap file. Platform: VMware and KVM
  • Slide 12
  • RLIs:
    • 21995: AppSecure AppID/AppTrack support on KVM and VMware
    • 22229: AppSecure AppFW support on KVM and VMware
    • 23876: AppSecure AppQoS support on KVM and VMware
    • 23317: UTM Licensing TRD
    • 25246: DHCPv6 client support
  • Slide 13
  • Scale and Performance Update
  • Slide 14
  • vSRX X47D20: Scale and Performance Metrics
    • Performance (1) (VMware / KVM):
      • Firewall (UDP 1514B pkts): 4.35 Gbps / 2.6 Gbps
      • Firewall (IMIX): 1.05 Gbps / 620 Mbps
      • Firewall Ramp Rate (TCP): 22K CPS
      • Firewall Latency (512B UDP): 107 microseconds / 87 microseconds
      • Firewall IPv6 (UDP 512B pkts): 1.46 Gbps / 829 Mbps
      • NAT (UDP 1514B pkts): 4.3 Gbps / 2.45 Gbps
      • NAT (IMIX): 1.05 Gbps / 630 Mbps
      • NAT Ramp Rate (TCP): 19K CPS
      • IPSec (3DES+SHA1, 1514B): 290 Mbps / 238 Mbps
      • IPSec (3DES+SHA1, IMIX): 146 Mbps / 88 Mbps
      • IPSec (3DES+SHA1, 64B): 29 Mbps / 21 Mbps
      • IKE Rate (3DES+SHA1, v1 or v2): 71 tunnels/sec / 48 tunnels/sec
      • EWF (44KB file): 251 Mbps / 450 Mbps
      • SAV (Allscan, 44KB file): 279 Mbps / 385 Mbps
      • AppSecure+IPS HTTP Throughput (2) (response content 44KB file): 760 Mbps / 290 Mbps
      • AppSecure+IPS HTTP CPS (2) (response content 64 bytes): 5600 CPS / 3100 CPS
    • Scale (VMware & KVM):
      • Max Addresses/Address-set: 1024
      • Max Firewall Sessions: 256K
      • Max PAT Sessions (Source NAT with PAT): 256K
      • MAC/ARP Table Size: 8K
      • vRAM Required/Instance: 2GB or 3GB (Services)
      • Max vNICs/Instance: 10
      • Max Zones: 128
      • Max Address Books: 128
      • Max Policies: 10240
      • Max Policies with Count: 128
      • Max Applications/Policy: 1024
      • Max VLANs: 4K
      • Max OSPF Routes: 160K
      • vCPUs Required/Instance: 2
      • Max VRs Supported: 5
      • IDP Session Scaling (2): 32K
    • (1) Reference platform for performance: Dell PowerEdge R820, ESXi 5.1, 24 cores, 2.899 GHz CPUs
    • (2) IDP performance is based on the default recommended IDP policy
  • Slide 15
  • vSRX Density Metrics (Server Configuration / Number of vSRX Instances per Server (1)):
    • 8 cores @ 2.66 GHz, 64 GB RAM, 2 x 10G NICs: 25 vSRX virtual machines
    • 40 cores @ 2.393 GHz, 256 GB RAM, 4 x 10G NICs: 100 vSRX virtual machines (@ ~25 Mbps each)
    • 2U server with 4 hot-plug nodes (2), 80 cores @ 2.8 GHz, 512MB RAM (x4), 2 x 10G NICs (x4): 500 vSRX virtual machines (3) (@ ~25 Mbps each)
    • (1) This is a function of network I/O, memory and CPU
    • (2) SuperMicro 2027TR
    • (3) This server is ~$40K, which translates to $80 per subscriber for initial server cost
  • Slide 16
  • Advanced Security Features
  • Slide 17
  • Juniper's Layered Approach to Network Security (inspection depth and processing intensity/cost increase with each layer):
    • ACLs & Stateless Firewall: decisions made on packet header information such as source and destination addresses; very fast
    • Stateful Firewall / SecIntel: more context incorporated into the decision process; better at identifying unauthorized or forged communications; still fast
    • Application Security (IPS, UTM, AppSecure): looks at every bit for threats; thorough but processing-intensive
  • Slide 18
  • vSRX Advanced Security Features Demo: the following YouTube link shows the demonstration of all the advanced security features with vSRX: http://youtu.be/dOF6n-V7P00
  • Slide 19
  • AppSecure Suite
  • Slide 20
  • AppSecure Next-Generation Firewall Overview (vSRX):
    • Intelligent software services deliver smarter firewall policies on vSRX and SRX gateways
    • Integrates application traffic control and threat remediation
    • Provides network-level visibility with correlated application and threat event tracking
  • Slide 21
  • AppSecure Service Modules (diagram): traffic entering at ingress passes through flow processing, where the Application Identification engine (AI/NAI) produces the application ID results; those results feed the AppTrack, AppFW, AppQoS and IPS service modules before the traffic leaves at egress.
  • Slide 22
  • AppID as part of Junos Services (diagram of the packet path): per-packet policer and per-packet filter on ingress; "session match?" check; AppID and IPS inspection; forwarding lookup; per-packet filter, per-packet policer and per-packet shaper on egress.
  • Slide 23
  • Security Services Packet Walk (Junos flow module):
    • Match session? NO (first packet): Screens, Static NAT, Dest NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services, Session
    • Match session? YES (existing session): Screens, TCP, NAT, Services
    • Services: ALG module, AppID (packet), IDP (packet), SSL Proxy, AppID (stream), IDP (stream), ALG, UTM, AppFW, UserFW
  • Slide 24
  • AppID Lookup (flowchart): on the first packet, check whether the session is TCP or UDP; if not, the result is No Application (Unknown). For TCP or UDP, look for a cache match: a hit returns the application; a miss starts signature matching. Each packet is checked for a match (*): a match returns the application; no match with more packets pending continues the lookup; no match and no more packets gives No Application (Unknown). (*) Matching continues until the max-checked-bytes/packets limit for AppID match is reached.
  • Slide 25
  • AppFW Signature Management: granular filters, extensive sub-categories, create groups, clone existing signatures
  • Slide 26
  • Open Application Signature Database (the junos:FTP entry as shown on the slide):
        application junos:FTP {
            type FTP;
            index 63;
            port-mapping {
                port-range {
                    tcp 0-65535;
                }
            }
            signature {
                port-range {
                    tcp [ 0-24 26-65535 ];
                }
                client-to-server {
                    dfa-pattern "\[(USER|STAT|PORT|CHMOD|ACCOUNT|BYE|ASCII|GLOB|HELP|AUTH|SYST|QUIT|STOR|PASV|CWD|PWD|MDTM)\](\s|\x 0d 0a\x|\x0a\x).*";
                }
                server-to-client {
                    dfa-pattern "(220|230|331|530)[\s\-].*";
                }
                min-data 8;
                order 66;
            }
        }
  • Slide 27
  • AppTrack Simplifies Application Visibility and Control (diagram: Data Center with server farms, DC switching and DC firewall(s); Operations Center with Junos Space Log Director/Log Collector or a 3rd-party collector):
    • 1. Traffic is analyzed by AppTrack as it traverses the SRX
    • 2. vSRX collects on-box application statistics for monitoring
    • 3. vSRX sends application logs to a Log Collector; Junos Space Log Director reports are analyzed by IT staff in the Operations Center
  • Slide 28
  • Application Firewall Management (slide placeholder: "Insert Screenshot 12.1 FW Policy Mgmnt or Live Demo")
  • Slide 29
  • Application QoS:
    • Prioritize traffic based on application type
    • Limit the amount of bandwidth an application can consume
    • Mark the DSCP values for proper QoS treatment
    • Leverage the Junos Class-of-Service feature set to fully control application handling at the interface queue level
    • Example (diagram: traditional firewall policy plus AppTrack application awareness): give highest priority to financial applications for finance and sales; approved applications receive normal priority; lower priority for multimedia applications, except for the MM content group
  • Slide 30
  • Application QoS Implementation (diagram: Security Policy 1..N, each able to point to an AppQoS rule set; the rule set is an ordered lookup over Application or Application Group 1..M with the actions Rate Limit, Drop Profile, Forwarding Class and DSCP):
    • Policy lookup: the matching firewall policy points to an AppQoS rule-set
    • Firewall policies can point to AppQoS rule-sets; the "any" application can be used to apply QoS on a per-policy basis, regardless of the application
    • Per-direction rate-limiters can be configured to restrict the bandwidth an application, or group of applications, is allowed to use
    • Forwarding classes and drop profiles specify how traffic is queued and shaped on the egress interface
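As an added example (constructed for this page, not taken from the deck or from Juniper documentation), the Junos set commands below show how the AppFW rule-set described under What's New and the AppQoS rule-set described on this slide are bound to one firewall policy; the zone names, rule-set names, rate-limiter values, and the dynamic application group junos:p2p are assumptions, while junos:FTP is the signature shown earlier in the deck.

```junos
# AppFW rule-set (names assumed): deny peer-to-peer on a session the policy
# already permitted, and let everything else the policy allowed through.
set security application-firewall rule-sets block-p2p rule deny-p2p match dynamic-application-group junos:p2p
set security application-firewall rule-sets block-p2p rule deny-p2p then deny
set security application-firewall rule-sets block-p2p default-rule permit

# AppQoS: per-direction rate-limiter (bandwidth in kbps, burst in bytes; values assumed)
# applied to junos:FTP, plus forwarding class, DSCP rewrite and loss priority for the egress queue.
set class-of-service application-traffic-control rate-limiters ftp-2m bandwidth-limit 2000
set class-of-service application-traffic-control rate-limiters ftp-2m burst-size-limit 256000
set class-of-service application-traffic-control rule-sets bulk-apps rule limit-ftp match application junos:FTP
set class-of-service application-traffic-control rule-sets bulk-apps rule limit-ftp then rate-limit client-to-server ftp-2m
set class-of-service application-traffic-control rule-sets bulk-apps rule limit-ftp then rate-limit server-to-client ftp-2m
set class-of-service application-traffic-control rule-sets bulk-apps rule limit-ftp then forwarding-class best-effort
set class-of-service application-traffic-control rule-sets bulk-apps rule limit-ftp then dscp-code-point 001000
set class-of-service application-traffic-control rule-sets bulk-apps rule limit-ftp then loss-priority high
set class-of-service application-traffic-control rule-sets bulk-apps rule limit-ftp then log

# Firewall policy (zones assumed): L3/L4 match first, then permitted traffic is handed
# to both application services, so the AppID result drives the AppFW and AppQoS decisions.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services application-firewall rule-set block-p2p
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services application-traffic-control rule-set bulk-apps
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# Operational checks (assumed command forms) to confirm the rule-sets are being hit.
show security application-firewall rule-set all
show class-of-service application-traffic-control statistics rule-set
```

Both rule-sets only act on traffic the L3/L4 policy has already permitted, and the deck's license slide applies: AppSecure features need an installed license on each HA unit before the rule-sets take effect.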
  • Slide 31
  • IPS
  • Slide 32
  • Dedicated Security Team Delivers Zero-day Protection:
    • Dedicated team to research vulnerabilities and emerging threats; protocol decode expertise; multiple research and vendor partnerships, including the Microsoft Active Protections Program (MAPP); reverse-engineering experts; global honeypot networks
    • Industry-leading response time: daily signature updates, globally distributed team, emergency updates within hours/minutes
    • Open signature database
  • Slide 33
  • Intrusion Prevention: Use Cases (vSRX):
    • Server protection: protect server and application vulnerabilities (PHP, SQL injection)
    • Client protection: protect client vulnerabilities (browsers etc.), malware downloads or callbacks; detect application tunneling and C&C channels
    • Internal attack detection: detect malware spreading, brute-force attacks, internal attacks
  • Slide 34
  • Managing IPS with Security Director: powerful filtering for attack objects in the signature database; filter by severity, category, object type, recommended; granular filters; create static/dynamic groups
  • Slide 35
  • IPS Signature Management: search for signatures by CVE ID, keyword or Bugtraq ID
  • Slide 36
  • Open Attack Database: attack objects are written to protect against vulnerabilities rather than a specific exploit, with a recommended action
  • Slide 37
  • IPS Policy & FW Integration: IPS policy tabular view; firewall policy integration; use a predefined IPS template or customize the IPS policy
  • Slide 38
  • IPS PCAPs for Forensic Analysis: STRM provides the ability to download and view the packet capture from IPS
  • Slide 39
  • Full UTM Capabilities
  • Slide 40
  • vSRX UTM Architecture (diagram, bottom to top): Interface I/O; Forwarding Engine/Filters/QoS; the Flow/Service real-time thread with FLOW and FIREWALL/POLICY, other packet-based services (UAC, FTP ALG, IDP, ...) and a TCP proxy (server emulation and client emulation) that feeds the UTM application proxy services: Web Filtering, Content Filtering (CF), Anti-Spam (AS) and Anti-Malware (AM); JEXEC
  • Slide 41
  • Enhanced Web Filtering: How it Works (diagram: real-time forwarding/services thread on the data plane, UTMD on the control core/RE):
    • Flow lookup; web filtering parses the URL from the HTTP GET
    • Match against the local cache, black list and white list; a local result yields the matched category and/or reputation score
    • No local match: UTMD categorizes the URL through the EWF server look-up
    • Policy decides by category/reputation: blocked (log, in-band message) or allowed (log), after which the HTTP response from the web server is passed on to anti-malware
  • Slide 42
  • Introducing New Enhanced Anti-Virus:
    • Purpose-built for edge devices
    • Cloud-based intelligence delivers high-performance malware protection
    • URL blocking (via cloud-based look-up) stops HTTP requests to infected websites
    • Malware distributed by FTP, SMTP, IMAP, POP3 and IM is secured through checksum detection of static malware
    • Juniper is first to market: Live Protection provides effective protection against known malicious files and web pages at the network level
  • Slide 43
  • Sophos In-the-cloud AV with Web Security (Feature / Benefit):
    • URL reputation: web security, and detects polymorphic viruses
    • Hybrid on-device + cloud solution: offloads some processing to the cloud server
    • File checksum against the SXL database: no limitation on database size; fast processing and high throughput
    • Cached URL queries: fast reputation check on URIs; detects server-based polymorphic malware
  • Slide 44
  • Enhanced Anti-Virus: How it Works (real-time forwarding/service thread): URI cache lookup; on a cache miss, SXL query and response, then block or permit; on permit, file type check, then block, permit without scan, or scan; a scan performs a checksum lookup for threat inspection and then blocks or permits the content from the web server
  • Slide 45
  • License Information
  • Slide 46
  • vSRX Standard Pricing Models (MSSP utility pricing model available upon request; pricing flexibility):
    • Traditional License Pricing: license is perpetual; additional 22% of the perpetual license for support/maintenance; minimum of two cores required per VM; support/maintenance fee is $308 per year per core; perpetual license fee per VM is $1400 per core
    • Subscription License: license is paid on an annual fee basis; the annual fee gives access to the Firewall base service and includes support/maintenance; minimum of two cores required per VM; support/maintenance is included in the annual fee; subscription license fee per VM is $660 per core
  • Slide 47
  • Advanced Security Features License:
    • Licenses are required for all advanced security features: AppSecure, IPS and UTM
    • To achieve HA, the license must be installed on each HA unit
    • Licenses for advanced security features are based on a subscription model only, with a 1-, 3- or 5-year term
    • Flexible, with a choice of security feature combination licenses
    • The evaluation trial license is valid for 30 days
  • Slide 48
  • THE POWER OF A CONNECTED WORLD. CONNECT EVERYTHING. EMPOWER EVERYONE.