SRX Overview Branch and High End Bernd Kunze/Rob Cameron


1 SRX Overview Branch and High End Bernd Kunze/Rob Cameron

2 SRX 5000 overview

3 Evolution of Integrated Technology
Stand-alone Specialized functions Stateful FW IPSec VPN IDP Routing Bolt-on Loose functional integration & coordination FW “houses” add-on svcs Single chassis convenience Fully-integrated HW/SW optimized for full integration – Tight coordination with apps & functions Uncompromised performance Complete inheritance Best in class services Separation of tasks Expensive, high-touch No logical integration Complex set-up & ongoing maintenance

4 High-End Security Systems Portfolio
SRX characteristics Scalable Performance Rich Standard Services Firewall IDP Routing QoS IPSec (9.3) Extensible Security Services Integrated Networking Services

5 Feature comparison SRX vs. NetScreen
Feature | JUNOS 9.2 | ScreenOS (6.0, 6.1)
Layer 2 | VLAN Tagging (802.1Q) | VLAN Tagging (802.1Q), Switching
IPv4 Routing | RIP, BGPv4, OSPF, VRRP (No IS-IS) | RIP, BGPv4, OSPF, VRRP
Firewall | Sessions, zones, screens, Policies, Auth | Session, zones, Screens, Policies, Auth
NAT | Destination, Source, Static* (rule based) | Destination, Source, Static (policy based)
ALGs | FTP, TFTP, MGCP | SIP, H323, SCCP, MGCP, Avaya, NEC, RTSP, DNS, FTP, SQL, TFTP, PPTP
Content Security | IDP | IDP (ISG platforms)
HA | Chassis Cluster (limited feature support), Active-Passive | NSRP
QoS: Classification, Marking, Scheduling, Shaping | Interface based, three level hierarchical queuing, two rate three color marker (No POLICING) | Interface based, classification, marking
Management | JWEB, NSM, logging, SNMP, JUNOScript | NSM, WebUI, SNMP (read-only)
Performance | Multi-10Gig (120Gbps on 5800) | Multi-Gig (30Gbps)
IPSec VPN* | Remote access, site-to-site (No HUB/Spoke support) | Remote access, site-to-site, AC VPN
* 9.3R1 item
Note: AC VPN not on Monear’s presentation

6 Missing features in FRS
- IPv4 Multicast
- Limited HA (Active/Active, software upgrades)
- Virtualization (LSYS and resource control)
- Tunneling (GRE, IP-IP)
- Layer2 (Switching)
- Hub and Spoke VPNs
- Transparent (Layer2) Mode
- IPv6
- SNMP
- MPLS
- PCAP/port mirroring
- RPM
- Intrabox HA including Hardware hotswap

7 Service Processing Cards
HW Design MGT Central Service Plane Built around high-speed switch fabric Dedicated, separate control & data planes Adaptive Platform Buildable, processing pool Supplies scalable increase to performance and capacity Resiliency Dual “everything” Fabric Service Processing Cards Input/Output Cards

8 Service Processing Card
SW Capabilities Highly integrated services Advanced services & features always present Turn-on additional services - same card High-density, programmable processing Intelligent session load balancing Pushed across compute elements Elegant scale model for session set up, service throughput Extensible services Up and down the “stack” Rich L3 features – routing/QoS/NAT Comprehensive L4-7 coverage – FW, VPN, IDP Fabric Service Processing Card

9 Packet Flow – Fully Integrated
MGT Routing/MGT/ Device MGT Flow Lookup Classification DoS/DDoS Policing Services Processing FW/IPSec VPN/IDP/UTM NAT/Routing Ingress Packet Fabric Egress Packet QoS/Shaping Service Processing Cards Input/Output Cards

10 Packet Flow – Inside the processor
1) Pull Packet from queue
2) Police Packet
3) Filter Packet
4) Lookup Session:
   4.a) No Match => Slow Path
      a) FW Screen Check
      b) Route Lookup
      c) Find Destination Zone
      d) Look-up Policy
      e) Allocate NAT
      f) Setup ALG vector
      g) Install Session
   4.b) Match => Fast Path
      b) TCP Checks
      c) NAT Translation
      g) ALG Processing
5) Filter Packet
6) Shape Packet
7) Transmit Packet

[Diagram: Forwarding Lookup; session match? No: Slow Path (Screens, Route, Zones, Policy, NAT, Services, Session, ALG); Yes: Fast Path (Screens, TCP, NAT, ALG, Services, Session). Blocks: Flow Module, Per Packet Filters, Per Packet Policers / Shapers, Event Scheduler]

Note: tcp sequence check - is within lower bound ([ack_num - max_window]) and higher bound ([ack_num + current_window]) of its wing

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential
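An added sketch (not Juniper code and not part of the original deck) of the session lookup on this slide: a miss takes the slow path and installs a session, a hit takes the fast path and applies the TCP sequence bounds from the slide's note, with 32-bit wraparound handled. NAT, ALG, policers and window updates are left out; the class, field and verdict names, the SYN-only stand-in for the screen check, and all sample packets are assumptions made for the example.

```python
from dataclasses import dataclass

MOD = 1 << 32            # TCP sequence numbers wrap at 2**32
DEFAULT_WINDOW = 65535   # constructed seed value for a new session's windows

@dataclass
class Wing:              # per-direction TCP state; field names follow the slide's note
    ack_num: int
    max_window: int
    current_window: int

def seq_in_window(seq, wing):
    """True if seq lies in [ack_num - max_window, ack_num + current_window], modulo 2**32."""
    lower = (wing.ack_num - wing.max_window) % MOD
    return (seq - lower) % MOD <= wing.max_window + wing.current_window

class FlowModule:
    def __init__(self, routes, policy):
        self.routes = routes    # dst IP -> destination zone (route + zone lookup combined)
        self.policy = policy    # (from_zone, to_zone, dst_port) -> "permit"
        self.sessions = {}      # session key -> Wing

    def process(self, pkt, from_zone):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        wing = self.sessions.get(key)               # step 4: lookup session
        if wing is None:
            return self._slow_path(key, pkt, from_zone)
        if not seq_in_window(pkt["seq"], wing):     # 4.b: fast-path TCP check
            return "drop:tcp-seq"
        return "forward:fast-path"

    def _slow_path(self, key, pkt, from_zone):
        if not pkt["syn"]:                          # stand-in for the screen check (assumption)
            return "drop:screen"
        to_zone = self.routes.get(pkt["dst"])       # route lookup, destination zone
        if to_zone is None:
            return "drop:no-route"
        if self.policy.get((from_zone, to_zone, pkt["dport"])) != "permit":
            return "drop:policy"                    # default deny when no policy matches
        self.sessions[key] = Wing((pkt["seq"] + 1) % MOD, DEFAULT_WINDOW, DEFAULT_WINDOW)
        return "forward:slow-path"                  # session installed for later packets

def demo():
    """Run constructed packets through the module and return each verdict."""
    fm = FlowModule({"10.0.0.5": "trust"}, {("untrust", "trust", 443): "permit"})
    base = {"src": "198.51.100.7", "sport": 40000, "dst": "10.0.0.5", "dport": 443}
    packets = [
        {**base, "seq": 4294967290, "syn": True},           # first packet: slow path
        {**base, "seq": 5, "syn": False},                   # wrapped past 2**32, in window
        {**base, "seq": 200000, "syn": False},              # far outside the window
        {**base, "sport": 40001, "seq": 1, "syn": False},   # no session and not a SYN
        {**base, "dport": 22, "seq": 1, "syn": True},       # no permitting policy
    ]
    return [fm.process(p, "untrust") for p in packets]

if __name__ == "__main__":
    print(demo())
```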

11 SRX 5600: Product Overview
Horizontal chassis system
- 1 Dedicated Fabric/RE
- 6 interchangeable slots
- MGT module – dual
- Power AC/DC – 2+2, hot swap
- Fan tray
Interfaces
- 40-SFP
- 4-10Gig
Dimensions – 8U chassis height
Performance & Capacities
- FW – 60 Gbps
- VPN – 18 Gbps
- IDP – 18 Gbps
- Concurrent sessions – 4M
- New and sustained cps – 300k
- Concurrent VPN tunnels – 100k
Note: Route Engines, Switch Control Boards, Power supplies, and Ethernet blades are NOT interchangeable with MX series platforms

12 SRX 5800: Product Overview
Vertical slot chassis system
- 2 Dedicated Fabric/RE
- 12 interchangeable slots
- MGT module – dual
- Power AC/DC – Quad, hot swap
- Fan tray
Interfaces
- 40-SFP
- 4-10Gig
Dimensions – 16U chassis height
Performance and Capacities
- FW – 120 Gbps
- VPN – 36 Gbps
- IDP – 36 Gbps
- Concurrent sessions – 8M
- New and sustained cps – 300K
- Concurrent VPN tunnels – 100k
Note: Route Engines, Switch Control Boards, Power supplies, and Ethernet blades are NOT interchangeable with MX series platforms

13 Performance scaling

14 System configuration flexibility
Flexible configuration of DPC and SPC cards Examples: 6 SPC, 6 DPC 1 SPC, 11 DPC 11 SPC, 1 DPC Etc….. This flexibility allows complete freedom of configuration to match deployment needs High port count, low processing Low port count, high processing Or anywhere in between

15 Performance Estimate of SRX 5000 Family based on number of Input/Output and Servicing Processing Cards
- Blue indicates performance of SRX 5600 (6 slots usable for IOC/SPC)
- Blue + white indicates performance of SRX 5800 (12 slots usable for IOC/SPC)
- Yellow indicates the supported system configurations in HA mode
- JUNOS 9.2 supports a maximum of 5xSPCs in an HA configuration
- Performance is calculated based off of estimates but close to current QA tested performance

16 SRX 5600/5800 Deployment Scenarios

17 Deployment Scenario 1 Data Center – Service Providers
Key Customer Requirements DC consolidation results in increasing bandwidth requirements from fewer datacenters Increased requirements for high connection rate Must reduce security appliance deployment and management complexity

18 Deployment Scenario 2 Data Center– Enterprise
Key Customer Requirements Affordable carrier-grade security product Separation of Control and Data Plane Architecture enabling higher performance and longevity via fabric I/O and SPC scalability and flexibility Datacenter

19 Data Center Deployments
Key benefit with SRX Additional services expected in future DoS protection at line card and SPC No impact to data flow Possible feature requirements Multicast Requirements in some financial and other verticals Expected JUNOS 9.5 or later ALGs Dependent on specific applications traversing the datacenter Additional ALG supported added in subsequent JUNOS release (i.e., SIP ALG in JUNOS 9.4)

20 Deployment Scenario 3 Departmental Firewall Aggregation
Key Customer Requirements Aggregation of individual dept. internal FWs Minimize incremental deployment cost Minimize management overhead

21 Departmental Firewall Aggregation
Key benefit with SRX Cost-effective scalability Reduced operational expense Support high-bandwidth requirements of network core Possible feature requirements VPN Centralized FW is often the network perimeter FW and supports VPN Hub-n-spoke VPN support expected in JUNOS 9.5 or later VSYS Management of some FW aggregations may require VSYS rather than VLANs and zones VSYS support expected in 2H ‘09

22 SRX 5000 Series Competitive Analysis
Preliminary

23 Cisco FWSM vs. SRX 5000 series
Cisco IPSec VPN SPA Cisco IPS Module
Max FW Throughput: 60 Gbps 120 Gbps 5.5 Gbps per module (4 blades max / chassis) N/A
Max VPN Throughput: 18 Gbps 36 Gbps N/A – requires VPN Module 25 Gbps*
Max IPS Throughput: N/A – requires IPS module 4 Gbps**
Interfaces: 40 x SFP x 10 GigE 40 x SFP x 10 GigE Catalyst
Concurrent VPN Tunnels: 100,000 100,000 8,000 x 10 modules
Max Sessions: 4 million 8 million 1 million
New & Sustained CPS: 300,000
Max PPS: 10 Mpps 18 Mpps 2.8 Mpps
List Price: US$675,000 US$1,278,000 US$34,995 (blade only) US$29,995 (blade only)
Price per FW Mbps Throughput: ~US$11.25 / Mbps ~US$10.65 / Mbps ~US$6.4 / Mbps ~US$12 / Mbps ~US$60 / Mbps
Price per Mbps with Chassis†: ~US$13.64 / Mbps ~US$30 / Mbps ~US$125 / Mbps
* 2.5 Gbps per module, up to 10 modules per system. Each module is half-slot wide; 2 modules per slot.
** 500 Mbps inline, 600 Mbps passive, up to 8 modules per chassis to achieve 4 Gbps of inline throughput
† Based on published list prices of chassis plus module bundle (~US$74,995)

24 Cisco ASA 5580 vs. SRX 5000 series
SRX 5600 SRX 5800 ASA ASA
Max FW Throughput: 60 Gbps 120 Gbps 5 Gbps (10 Gbps Jumbo Frame) 10 Gbps (20 Gbps Jumbo Frame)
Max VPN Throughput: 18 Gbps 36 Gbps 1 Gbps
Max IPS Throughput: Not Supported
Interfaces: 40 x SFP 4 x 10 GigE 4 10/100/1000 4 GigE 2 x 10 GigE fiber
Concurrent VPN Tunnels: 100,000 100,000 10,000
Max Sessions: 4 million 8 million 1 million 2 million
New & Sustained CPS: 300,000 90,000 150,000
Max PPS: 10 Mpps 18 Mpps 2.5 million
List Price (max. config): US$675,000 US$1,278,000 US$59,995 US$129,995
Price per firewall Mbps Throughput: ~US$11.25 / Mbps ~US$10.65 / Mbps ~US$12 / Mbps ~US$13 / Mbps

25 Check Point vs. SRX 5000 series
Power Power Nokia IP2255 Nokia IP2450
Max FW Throughput: 60 Gbps 120 Gbps 9 Gbps 14 Gbps 8.9 Gbps 20 Gbps*
Max VPN Throughput: 18 Gbps 36 Gbps 2.4 Gbps 3.7 Gbps 2.3 Gbps 2.5 Gbps*
Max IPS Throughput: 4.5 Gbps 6.1 Gbps N/A
Interfaces: 40 x SFP 4 x 10 GigE 8 on-board 10/100/1000 4 x GE 2 x 10 GigE 4 on-board 10/100/1000 8 x 10/100 1 x 10GigE
Concurrent VPN Tunnels: 100,000 100,000 Not Published
Max Sessions: 4 million 8 million 1.1 million
New & Sustained CPS: 300,000 87,000
Max PPS: 10 Mpps 18 Mpps
List Price (max. config): US$675,000 US$1,278,000 US$36,500 US$49,500 US$79,995 US$129,985
Price per firewall Mbps Throughput: ~US$11.25 / Mbps ~US$10.65 / Mbps ~US$4.1 / Mbps ~US$3.5 / Mbps ~US$8.9 / Mbps ~US$6.5 / Mbps
* Requires Nokia IPSO 6.0 plus 2 (two) Nokia Accelerated Data Path (ADP) cards, otherwise max FWTP is 9.0 Gbps, max. VPN TP is 2.0 Gbps.

26 Fortinet FortiGate vs. SRX 5000 series
Max FW Throughput: 60 Gbps 120 Gbps 70 Gbps* 25 Gbps* 10 Gbps*
Max VPN Throughput: 18 Gbps 36 Gbps 8.4 Gbps* 3 Gbps* 1.2 Gbps*
Max IPS Throughput: Not Published
Interfaces: 40 x SFP 4 x 10 GigE 6 x GigE 2 x FortiAccel SFP
Concurrent VPN Tunnels: 100,000 100,000
Max Sessions: 4 million 8 million 14 million* 5 million* 2 million*
New & Sustained CPS: 300,000 420,000 150,000 60,000
Max PPS: 10 Mpps 18 Mpps
List Price (max. config): US$675,000 US$1,278,000 US$1,009,925 US$369,970 US$149,985
Price per firewall Mbps Throughput: ~US$11.25 / Mbps ~US$10.65 / Mbps ~US$14.3 / Mbps ~US$14.8 / Mbps ~US$15 / Mbps
* Performance based on FG-5005FA2 module which delivers: 5 Gbps FWTP, 600 Mbps IPSec VPN TP, 1 million sessions, and 30k cps. FortiGate 5140 has 14 available slots, FortiGate 5050 has 5 available slots, and FortiGate 5020 has 2 available slots for FG-5005FA2 modules.

27 SRX 3000 sneak preview (more in the hardware session)
Ships w/ 9.4R1 tentatively

28 SRX 3400: Product Overview
Modular chassis
- 7 slots: 4 front, 3 rear
- Common form factor modules
- MGT module – dual
- Power AC/DC – dual, hot swap
- Fan tray
Fixed Interfaces
- 12 built-in (8-10/100/ SFP)
- 1 AUX/Console Port (RJ45)
- 2 Ethernet Management Port
- 2 USB Ports
Dimensions – 3U height x 24” depth
Performance & Capacities
- FW – 10 Gbps
- VPN – 8 Gbps
- IDP – 8 Gbps
- Concurrent sessions – 1M
- New and sustained cps – 60k
- Concurrent VPN tunnels – 10k
Modular Interfaces
- 16-10/100/1000
- 16-SFP
- 2-XFP

29 SRX 3600: Product Overview
Modular chassis
- 12 high slots: 6 front, 6 rear
- Common form factor modules
- MGT module – dual
- Power AC/DC – 2+2, hot swap
- Fan tray
Fixed Interfaces
- 12 built-in (8-10/100/ SFP)
- 1 AUX/Console Port (RJ45)
- 2 Ethernet Management Port
- 2 USB Ports
Modular Interfaces
- 16-10/100/1000
- 16-SFP
- 2-XFP
Dimensions – 5U height x 24” depth
Performance & Capacities
- FW – 20 Gbps
- VPN – 12 Gbps
- IDP – 12 Gbps
- Concurrent sessions – 2M
- New and sustained cps – 120k
- Concurrent VPN tunnels – 30k

30 Product Comparison – ISG vs. SRX 3k
FW: 1 Gbps Gbps 4 Gbps Gbps
VPN (IPSec): Gbps 2 Gbps 5-10 Gbps
IDP: Up to 1 Gbps Up to 2 Gbps
AV (HTTP): N/A Up to 500 Mbps
VPN (SSL): Up to 5Gbps Up to 10Gbps
Interfaces: 4CG + Up to 4GE/16FE 8-12CG + Up to 8XG/64GE/64CG Up to 8GE or 28FE 8-12CG + Up to 16XG/128GE/128CG
Slots (IOC,APC): 2+2 Up to 7 CFM slots 4+3 Up to 12 CFM slots
Power supply: Single modular Single (Dual option) Dual Quad
Session/second: 20K 60K 25K 100K
Total sessions: 500K 2M 1M 4M
VPN tunnels: 2,000 10,000 30,000
VSYS: Up to 10 Up to 250 Up to 50 Up to 500
List Price: $25k ~$25-45k $42k ~$40-60k

The slides on this page and next page are adapted from Glen’s slides deck.
- 10-20 Gbps capable for enterprise
- Major resolution to CPS, sessions, service flexibility and scale

31 SRX next-gen branch platforms (Loki)
Copyright © 2008 Juniper Networks, Inc. Proprietary and Confidential 31

32 Security and Routing Portfolio
Medium Enterprise to Large HQ Micro Branch Small Office Managed Service Branch/Regional Small Branch SME ScreenOS JUNOS Additional M-series and T-series are not shown JUNOS ES Products Common Hardware Asgard 4 Platforms 4 Performance Levels JUNOS JUNOS Gap

33 What’s different with Next Gen Branch?
Performance Multi-Core CPU Architecture Hardware Acceleration for UTM for IDP & AV Reliability JUNOS High-Performance Resiliency and Reliability Separation of Control Plane & Forwarding with dedicated cores Integrated Branch-in-a-Box Solution Service integration with best-in-class Routing, FW/VPN, UTM, and Switching (Voice and Wireless future release) Services for Mass Deployment Zero touch – bootstrap mode Low touch – rapid deployment with USB (future) New License Server architecture (future)

34 Asgard Product Portfolio
- Four CPE Platforms
- Entry level platforms for the small branch
- High performance
- Services integration: Routing, Firewall/IPSEC, UTM (AV, Web Filtering, Anti-Spam, IDP), Switching, VoIP FXS/FXO (future)
- 8 to 16 Ethernet ports
- Modular architecture with mini-PIM slots
- Platforms: Vali, Vidar, Narfi, Loki
- New in 9.4

OK, you can get excited now… We are kicking off two projects that will share lots of commonality for customers, and also have commonality for engineering, across small branches and SOHO applications up to large branches, regional sites or SME HQs/Data-Centers. Project names are from Norsk Deity and Royalty so our apologies.

Asgard – Entry level family project name – James Kawamoto, lead PLM
Valhalla – Mid-range family project name – Kent Stevens, lead PLM
Details in following slides

Asgard has plans for 4 platforms. Narfi is fixed, basic and low-cost for bait & switch. Loki, Vali and Vidar will have some modularity to ensure we can provide a good range of options and strong performance with low cost. POE options. Various PIM options (mini-PIM).

Valhalla has 3 platform chassis, 1U, 2U, and 3U in height, that are named Baldur, Thor and Odin respectively. Various levels of performance capable in each through modular Processing engines, as well as other extensible processing or co-processing for applications/services. Various PIM options including integrated-switching and POE options.

VOIP and Wireless Controller are to be driven in separate programs addressing both Asgard and Valhalla families commonly.

35 Loki Overview
- 1RU High
- 2xGE + 6xFE Ports
- 1xMini-PIM Slot
- 1xConsole port
- 2xUSB (2.0)
- Mini-PIM Options: 1xT1/E1, 1xSFP, 1xSync Serial (Future), 1xVDSL2 (Future)
- Target Performance: 200Mbps+ FW, 100Kpps; 100Mbps IDP; 50Mbps Quick AV
- Optional Accessories: Desktop Stand, Rack Mount, Wall Mount
- Fixed Memory: Low Memory MB RAM/1GB flash; High Memory - 1GB RAM/1GB flash
- 4 x POE Option (802.3af)
- External PC Card Slot for 3G Wireless EVDO/HSDPA
- External Power Supply
- Hardware RegEx Acceleration for AV & IDP

Loki offers the following:
- 1xMini-PIM option supporting existing and new mPIMs.
- 2xGE ethernet ports + 6xFE ports
- POE options across four ports (2xGE and 2xFE)
- More performance over Narfi (+20-25%)
- Will offer bundles with the ADSL2 mPIM or T1 mPIM to address the integrated ADSL and T1 router market.
- POE ports (optional) will allow for support of ~53W (15Wx3 + 8Wx1) of power.

Note: if the stated UTM performance cannot be met via sw with one of several CPU vendors, a hw acceleration ASIC is being considered on this and Vali, Vidar platforms.

36 Loki Hardware – Front View
Voice Ports (Future) Reset Pinhole 1 x mPIM Slot Power Button 2xUSB 2 x GE 6 x GE Console Port POE (Port 0/0-0/3) (Factory Option)

37 Loki Hardware – Rear View
Chassis Cable Lock Slot Cover External Power Connector ExpressCard Slot (3G) Fan Vent Power Cord Lock Ground Lug

38 3G ExpressCard - Wireless Backup
Applications High speed wireless backup for remote branch offices, retail stores, kiosks, ATMs… Replacement for v.92 and ISDN backup ExpressCard for Loki Sierra EVDO/HSDPA in first phase Leverage contract deals with providers Other vendors and technologies later Carrier card is Juniper product Modem must be ordered separately (not on the Juniper price list) Certifications Generic GSM certification Specific certifications per carrier as necessary Carrier card design makes certifications easier

39 External Wireless AP Solution (2H09)
- Juniper n Solution
- Backwards compatible to a/b/g
- 2x3 MIMO w/ ~300Mbps performance
- 50 Meter range (indoor)
- Unit can be mounted on ceiling or wall
- Seamless management as single device
- Single port 10/100/1000Mbps
- POE Support – 802.3af or 802.3at
- External DC power supply option
- Plenum rating support
- Basic Access Controller support
- L2 Clustering support – up to 16 APs per device
- Richer Access Controller rollout in 2H09-1H10 time-frame
- Diagrams illustrative only – Not to scale

Sample Customers have provided feedback that they do not necessarily desire the AP to be located with the base unit. The AP is typically in an optimal configuration located away from the base unit on the ceiling or on a wall away from the system which may be in a back office or wiring closet. The design planned with Asgard is for an external WLAN AP with the AP configured and managed seamlessly as a single device, typically via a POE connection. The assumption here is that the base systems will be fanless with the WLAN AP external. Future enhancements will allow the device to support multiple APs and provide wireless controller functionality. This solution will also significantly reduce the number of SKUs required to homologate the systems in each region, making this much more attractive to manufacturing ops.

40 Competitive Performance Summary - Loki

41 Loki vs Cisco (Today) – to be updated
Narfi Loki Vali Cisco ISR1811 Cisco ISR1841
Fixed I/O: 4 10/100 8xFE 2xGE + 6xFE 8xGE 2WAN+8LAN 10/100 2 10/100
I/O expansion slots: None 1xMini-PIM 2xMini-PIMs 2 WICs
Backup Options: AUX 3G, USB 3G, USB or mPIM 3G, USB, or mPIM v.92 (1812 w/ ISDN)
Routing PPS: 30Kpps 80Kpps 100Kpps 150Kpps 50-60Kpps (est)
FW performance: 65Mbps 150Mbps IMIX 200Mbps IMIX 300Mbps IMIX 100Mbps
UTM performance (AV, IDP): N/A 75Mbps 150Mbps
POE Integration: No 4xPoE (Factory Option) 8xPOE (Factory option) w/ Injector
Voice: Yes – 2FXS/1FXO and mini-PIM
Integrated xDSL?: ADSL2 VDSL2 VDSL2 (via mini-PIM)
List Price (Base Unit): $649 to $799 $799 $1,295 $1,395

42 Loki vs Cisco Next Gen – to be updated
Narfi Loki Vali Cisco ISR19xx
Fixed I/O: 4xFE 8xFE 2xGE + 6FE 8xGbE GE
I/O expansion slots: None 1 Mini-PIM 2 Mini-PIMs Yes
RAM / FLASH: 256MB / 128MB 512MB / 1GB tbd
Backup Options: 3G 3G, USB 3G, USB or mPIM 3G, USB, or mPIM
FW performance: 150Mbps IMIX 200Mbps IMIX 300Mbps IMIX
SSL VPN: Yes (Dynamic VPN Client)
Wireless: a/b/g/n Option a/b/g/n option a/b/g/n (external)
POE Integration: Yes (2 ports only) No 4xPoE (50W) Optional 8xPOE (75W) Optional
Integrated Voice: Yes – 2FXS/1FXO and mini-PIM
Integrated xDSL?: G.SHDSL or VDSL Via Mini-PIM TBD
List Price (Base Unit): $649 $799

43 Q&A

