Secure Services Gateway (SSG) Family Overview: SSG 5, SSG 20, SSG 140
Agenda
• Key Security and Routing Features
• SSG Family Specifications
• Deployment Examples
Current Trends
• By 2007, 50% of the companies surveyed will significantly increase their WAN access bandwidth – Infonetics
• More employees working away from main offices
  • 91% of employees in companies of all sizes, work outside of main office – Nemertes Research
• Security risks continue
  • In 2005, 56% of companies had at least 1 internal attack
  • 65% had at least 1 external attack – CSI/FBI 2005 survey
• Small to medium business FW opportunity in 2006 = $1 Billion (Infonetics)
[Diagram labels: DMZ, Bandwidth usage, Direct Internet, Remote mgmt, Wi-Fi, Internal security, Content protection, No IT staff]
Small to Medium Branch Office / Business Characteristics
• Smaller in scale, but not necessarily less complex than big businesses or HQ sites
  • Multiple local networks
  • More complicated security due to environment, support, etc.
  • Many devices on a per capita basis
  • No local IT help
  • Range of WAN connections: from DS3 to low speed modem
• Require protection for owned and non-owned IT assets
  • Firewall, VPN, IPS and File-based AV scanning, Spyware detection
  • Internal network segmentation for attack mitigation, access control
[Diagram labels: WLAN, Local Apps 100+ Mbps, Outbound link = > T1, DSL, DS3, IPSec, www, Users]
Secure Service Gateway Family
• Secure Services Gateway (SSG) family integrates proven security of ScreenOS and WAN connectivity to deliver secured and assured networking
  • New levels of price/performance and I/O flexibility
  • Unified Threat Management features complement FW, IPSec VPN
• Ideal small to medium stand alone business / branch office offerings
  • Can be deployed as a traditional Firewall, as a Site to Site VPN and as a Security Router
[Product images: SSG 5, SSG 20, SSG 140, SSG 520/SSG 520M, SSG 550/SSG 550M]
ScreenOS: Proven Enterprise Class Security
• Integrated Unified Threat Management (UTM) security features
  • IPS (Deep Inspection), Antivirus (includes Anti-Spyware, Anti-Phishing), Anti-Spam, Web filtering
• Network security features / Access control
  • Stateful firewall, IPSec VPN, NAT, DoS protection, user authentication
• Rich networking and virtualization capabilities
  • Segmentation (Zones, VLANs) to divide the network into secure segments
  • Combines ScreenOS deployment modes, dynamic routing and high availability with select JUNOS WAN encapsulations
[Diagram: ScreenOS feature blocks]
• UTM Features / Content Security: Anti-Spam, IPS (Deep Inspection), Antivirus/Anti-Spyware, Web filtering
• Network Security Features: FW, IPSec VPN, DoS/DDoS, User auth.
• Networking: Security Zones, LAN Routing, Deployment Modes, WAN Encapsulations
• Hardware labels: SSG Purpose-Built Hardware Platform, LAN & WAN I/O, Mgmt/Modem
Unified Threat Management Features: Stop Common and Emerging Threats
[Diagram: Inbound Threats and Outbound Threats stopped by each feature]
• IPS/DI: Worms, Trojans, DoS (L4 & L7), Recon, Scans; Worms, Trojans
• Web Filtering: SurfControl to block Spyware Site Access / Phishing Site Access
• AV: Kaspersky Lab AV stops Viruses, file-based Trojans; Spyware, Adware, Keyloggers; Viruses, file-based Trojans
• Anti Spam: Symantec stops Spam / Phishing
• Stateful Firewall
UTM Security Backed by Best-In-Class Partners
• Integrated Kaspersky Antivirus solution blocks thousands of viruses PLUS Spyware / Adware / Keyloggers
• Integrated or redirect Web filtering with SurfControl blocks outbound access to known Spyware, Phishing, & Virus download sites
  • Integrated via SurfControl or redirect via SurfControl or Websense
• Integrated Anti-Spam from Symantec
  • Brightmail-based database blocks (and/or tags) spam by using robust IP based, constantly updated worldwide list of spammers and phishers
• Intrusion Prevention (Deep Inspection) detects several thousand attacks such as Worms, Trojans and other malware for up to 43 protocols
• Delivered in the form of an annual subscription fee
Network Segmentation: Security Zones, VLANs, Virtual Routers
• Security zones, VLANs, Virtual Routers
  • Divide network into logical, secure domains
  • Protect network with Inter-, Intra- zone policies
• Key benefits:
  • Better Security
  • Divide the network into distinct, secure domains
  • Able to assign appropriate levels of security to different user groups
  • Competitive differentiator
[Diagram: example zones]
• Trusted Zone: Full access to all resources
• DMZ
• Zone1, “Hoteling” employees: Web, email, key apps
• Zone2, “Guests”: Web access only
Routing and Network Deployment Modes: Simplify Network Integration
• Dynamic routing and deployment modes
  • Support for transparent, static and dynamic route modes
  • Dynamic routing support across entire product line
    • OSPF, BGP, RIPv1/2 available on all products
  • WAN encapsulation support
    • FR, MLFR, PPP, MLPPP and HDLC
• Benefit:
  • Automatically learns network configuration
  • Facilitates security deployment without network configuration changes
  • Simplifies network integration
  • Reduces manual configuration efforts
  • Facilitates WAN connectivity
  • Increases network resiliency – especially for VPNs
Bridge Groups: Interface Configuration Flexibility
• Replaces Port Modes (SSG 5 / SSG 20 only) with more flexible means of interface configuration
• Group Ethernet ports and Wireless ports as L2 Switch with one logical L3 interface – no policy between ports - apply policy to bgroup
• As policy dictates, Bridge Group interface can act as L2 switch – directing traffic to destination bgroup
[Diagrams: "Bridge Groups as a L3 interface assigned to a Server Farm Security Zone" and "Bridge Groups as a virtual L2 Switch"; labels: SSG 5 or SSG 20, bgroup, eth, wireless, Src1, Dst1, Traffic, Server Farm Security Zone]
Secure, Centralized Management
• Centralized control over SSG population
• Remote Management
  • Secure, centralized management of firewall, VPN, content security, and routing across all devices
• Rapid Deployment
  • Reduce provisioning time / streamline large deployments
• Role-based administration
  • Delegate administrative access to key support people by assigning specific tasks to specific individuals
• Centralized activation/deactivation of security features
  • Application attack protection, Web usage control, Payload attack protection, Spam Control
• SSG Family supported by NSM* now
  • Schema update may be required
* Some functions (WAN Config) may be CLI only
[Diagram labels: Security, Network, Operations]
Agenda
• Key Security and Routing Features
• SSG Family Specifications
• Deployment Examples
Secure Service Gateway Family
• SSG 5 - Six fixed form factor models
  • 160 Mbps FW / 40 Mbps VPN
• SSG 20 – 2 modular models
  • 160 Mbps FW / 40 Mbps VPN
• SSG 140
  • 350+ Mbps FW / 100 Mbps VPN
  • 8 FE + 2 GE Interfaces + 4 WAN PIM slots
• SSG 520/SSG 520M
  • 650+ Mbps FW / 300 Mbps VPN
• SSG 550/SSG 550M
  • 1+ Gbps FW / 500 Mbps VPN
[Product images: SSG 5, SSG 20, SSG 140, SSG 520/SSG 520M, SSG 550/SSG 550M]
SSG 5 Overview
• Performance and physical characteristics
  • 160 Mbps FW (large packets) / 90 Mbps FW (IMIX) / 40 Mbps VPN
  • Integrated Fan w/ Temp Sensor (wireless only)
• Reliability and extensibility
  • External AC power supply
  • Full Active/Passive (w/ Extended license)
  • User upgradeable memory
• Flexible connectivity
  • Fixed form factor w/ 7 Fast Ethernet + 1 WAN interface
  • Factory configured WAN options include ISDN BRI S/T or V.92 or RS-232 Serial/Aux
  • Optional factory configured Dual radio 802.11a + 802.11 b/g
  • Six models to choose from
SSG 20 Overview
• Performance and physical characteristics
  • 160 Mbps FW (large packets) / 90 Mbps FW (IMIX) / 40 Mbps VPN
  • Integrated Fan w/ Temp Sensor (wireless only)
• Reliability and extensibility
  • External AC power supply
  • Full Active/Passive (w/ Extended license)
  • User upgradeable memory
• Flexible connectivity
  • 5 Fast Ethernet + 2 Mini I/O slots
  • Mini PIM options include ADSL2+, T1, E1, ISDN BRI S/T, V.92 at FCS
  • Optional factory configured Dual radio 802.11a + 802.11 b/g
  • Two models to choose from
SSG 20 I/O Extensibility
• Mini-PIMs are small form factor
  • Size of a deck of cards
  • Not compatible with any other SSG or J series
[Image labels: (2) I/O expansion slots; Mini-PIMs shown: ADSL 2+, V.92, E1, T1, ISDN BRI S/T]
SSG 140 Overview
• 350+ Mbps FW (large packets) / 300 Mbps FW (IMIX) / 100 Mbps VPN
• Brings high performance UTM Security features to the mid-market
• Full Active/Passive HA
• Fixed 10/100 and 10/100/1000 interfaces
• (4) interface expansion slots
  • Existing dual Port T1
  • Existing dual Port E1
  • Existing Dual Port Serial
• New Interfaces at FCS
  • Single Port ISDN
[Images: Front View, Back View]
SSG 140 Interface Support
[Images: Front View and Back View with numbered callouts 1 to 5]
• Console and RS-232/Aux interfaces
• (8) 10/100 interfaces
• (2) 10/100/1000 interfaces
• (4) interface expansion slots: 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T
• Status LEDs for rear installed I/O cards – visible from front
SSG Family Positioning
[Chart: Availability versus Capacity, Performance and Features]
• Availability levels: Optional Active-Passive (w Ext Lic); Active-Passive; Full Mesh / Active-Active, Redundant Power
• Step labels:
  • Modular I/O, 2 x Mini-PIMs
  • >2x FW Perf & Sessions, >2x VPN Perf & Tunnels, >2x Zones & VLANs, Stateful HA (AP), GigE interfaces
  • ~2x FW Perf & Sessions, >3x VPN Perf & Tunnels, Modular LAN (GigE)
  • ~2x FW Perf & Sessions, ~1.5x VPN Perf & Tunnels, AA Full Mesh HA, Redundant Power
• Performance Recommendations: 10M+ UTM, 25M+ UTM, 100M+ UTM, 200M+ UTM
SSG Family Interface Module Summary * I/O card also compatible with J Series routers
SSG Product Family Fit
• Improved performance & processing
• Wider range of platforms with UTM
• Modular (Expandable) Memory
• Improved connectivity
[Chart labels: Performance; Small Branch, Small Business, Telecommuters; Regional Office, Medium Enterprise]
SSG Family Summary
• Security: Proven ScreenOS + Best-in-class UTM Security features without add-on hardware
  • Stateful FW, IPSec VPN, IPS, AV (incl. Anti-Phishing, Anti-Spyware), Anti-Spam, Web filtering
  • Network segmentation via security zones and VLANs
• Performance: Purpose built platforms that deliver unmatched price/performance to branch office market
• WAN Connectivity: Widest range of FW platforms with WAN interfaces and protocols
  • Security platforms with LAN and WAN routing capabilities
  • Dynamic routing, virtual routers, VPN, high availability, VLANs
  • New WAN interfaces and encapsulations taken from J-Series and JUNOS
• Centralized management with NSM
Agenda
• Key Security and Routing Features
• SSG Family Specifications
• Deployment Examples
Secure Services Gateway Deployment Options
• As a security device
  • Firewall protecting the network using ScreenOS stateful FW
  • Site-to-site IPsec VPN using ScreenOS VPN dynamic, route based VPN
  • Multifunction security platform using FW plus best-in-class UTM security features, proven in NetScreen-5GT
    • Antivirus, Web filtering, Anti-Spam, IPS
• As a security router
  • Security features = FW, IPSec VPN, UTM features
  • Branch office routing: Broad range of LAN + WAN connectivity
    • 10/100, 10/100/1000, SFP supported by OSPF, BGP, RIPv1/2
    • DS3, T1, E1, ADSL 2+, ISDN, V.92 supported by PPP, MLPPP, FR, MLFR, HDLC
[Diagram labels: HQ, WWW]
Small Business Deployment Example: SSG 5
• SSG 5
  • Fixed format appliance: 7x10/100 – connected to DSL modem
  • Factory configured back up I/O options: V.92 or ISDN or Serial
  • Factory configured Wireless option: 802.11 a/b/g
[Diagram: Small Business with Server Zone and Wireless Zone, connected through the ISP to the Internet]
• Primary Link = External DSL modem
• Back up options = ISDN S/T or V.92 or Modem connected to Serial interface
Small/Medium Office Deployment Example: SSG 20
• SSG 20
  • Modular appliance: 5x10/100 + 2 I/O slots
    • ADSL 2+, T1, E1, V.92, ISDN BRI/S/T
  • Factory configured Wireless option: 802.11 a/b/g
[Diagram: Small Business with Server Zone and Wireless Zone, connected through the ISP to the Internet]
• Primary Link = ADSL or T1 I/O module
• Backup = ISDN S/T or V.92 I/O module or externally connected modem