
SRX Branch Mid Range

The document outlines the features and capabilities of Juniper Networks' SRX series, focusing on managed WAN CPE, secure routers, and next-generation firewalls (NGFW). It details key requirements, target segments, and competitive positioning against Cisco ISR 4300, highlighting the performance metrics and modular interfaces of various SRX models. Additionally, it emphasizes the importance of application visibility, unified threat management, and the architectural design of the Junos operating system.

SRX

Technical Decision Makers


SRX Branch / Mid Range

1 Copyright © 2015 Juniper Networks, Inc.


USE CASES



Managed CPE: Key Requirements

Service Provider managed equipment – provides WAN connectivity and value added services to branch offices and enterprises

Target Segment : Managed Service Provider
WAN Bandwidth : Up to 1 Gbps
Connectivity : Ethernet, DSL, TDM
Key Features : Routing, Auto Installation, QOS, RPM, BFD and WAN Interfaces
Typical Customers : Century Link, Sonera, Telefonica, IDF, Verizon, Telus, 6DG
Competition : Cisco ISR 4300

[Diagram labels: Remote Office, Managed WAN CPE, SP Network]


Managed CPE: Capabilities

Routing Protocols
• IPv4 / IPv6 Routing
• RIP / OSPF / BGP
• Multicast, VRRP
• PBR, Virtual Router
• MPLS, LDP, RSVP
• L2 / L3 VPN, VPLS

Services
• Class based QOS
• BFD, Ethernet OAM
• DHCP client / server
• J-Flow v5 / v8 / v9
• RPM / IP Monitoring
• GRE, IP-IP Tunneling

WAN Interfaces
• 1, 2, 4 ports T1 / E1
• 1x port VDSL2 / ADSL2
• 1x Serial
• 3G / LTE Bridge
• 1x DS3 / E3


Secure Router: Key Requirements

An enterprise owned and managed device in the branch office that provides WAN connectivity, creates a secure tunnel to HQ / DC and prioritizes / protects local users / apps

Target Segment : Retail, Distributed Enterprise,
WAN Bandwidth : Up to 1 Gbps
Connectivity : Ethernet, DSL, TDM
Key Requirements : Routing, L2 Switching, NAT, IPSec VPN, Wireless WAN, AVC, IPS
Our Customers : 7-Eleven, Starbucks, Citibank, Nike, Barclays, Payless Shoes, Darden Restaurants
Competition : Cisco ISR 4300

[Diagram labels: Internet, Multi Services Gateway, Wireless APs, L2 Switch, Branch Office Devices]


Secure Router: Capabilities

Routing
• IPv4 / IPv6 Routing
• Routing / Multicast Protocols
• PBR, Virtual Router, VRRP
• Quality of Service
• DHCP, J-Flow, RPM

Ethernet Switching
• Wire-rate switching on all ports
• Integration with all L3 Features
• VLAN, IRB, 802.1x
• LACP, xSTP, LLDP
• Optional POE Support

Core Security
• Zone based Firewall
• Static NAT / PAT
• Destination NAT
• Static Bidirectional NAT
• ALGs, Screens

IPSec VPN
• IPv4 / v6 Site–Site VPN
• IKEv1 / v2, NAT-T
• VRF, QOS aware
• DPD, Multi-proxy ID
• Auto VPN / Group VPN


NGFW: Key Requirements

A high performance security appliance – protects the corporate network, provides application visibility & control and helps improve employee productivity

Target Segment : Finance, Federal, TMT
Users : Campus (up to 1000) and Branch (up to 200)
Key Features : NGFW, client side IPS, Remote Access VPN, threat intelligence, anti-malware
Typical Customers : MOE (Saudi), Federal Reserve, Liberty Mutual, USPS, Ascension Health, MDA
Competition : PAN, Checkpoint, Fortinet

[Diagram labels: HQ or Campus, Campus Edge Firewall, Internet, Branch Firewall, Branch Offices]


NGFW: Capabilities

Routing
• IPv4 / IPv6 Routing
• Routing / Multicast Protocols
• PBR, Virtual Router, VRRP
• Quality of Service
• DHCP, J-Flow, RPM

Advanced Security
• Application Control & Visibility
• User Visibility and Enforcement
• Anti-Virus, Web Filtering, Anti-Spam
• IPS
• Dynamic Threat Intelligence

Core Security
• Zone based Firewall
• Static NAT / PAT
• Destination NAT
• Static Bidirectional NAT
• ALGs, Screens

IPSec VPN
• IPv4 / v6 Site–Site VPN
• IKEv1 / v2, NAT-T
• VRF, QOS aware
• DPD, Multi-proxy ID
• Auto VPN / Group VPN


JUNIPER SECURITY SOLUTIONS


JUNOS: THE POWER OF ONE

• Deployed since 1998
• First high-performance network operating system
• 16 years of innovation and development
• Spans routing, switching, and security platforms
• Simplify operations and deliver operational excellence
• Evolutionary architecture expands and extends to tomorrow
• Serving the most demanding customers
• Top 100+ service providers
• High-performance enterprise and public sector customers

ARCHITECTURE: SEPARATE DATA AND CONTROL PLANE

[Diagram comparing a shared-plane design with a separate control plane and data plane, each under DoS & DDoS attacks]

Shared plane
• Attacks overwhelm the box
• Administrator loses management access – your network is down

Separate control plane and data plane
• Attacks can be thwarted
• Under attack, administrator maintains management access to modify policy, disallow bad traffic, and process good traffic – your network stays up

DIFFERENTIATORS

• EASY ACTIVATION & SCALABLE MANAGEMENT for all security services
• ALL-IN-ONE DEVICE for security, routing, and switching
• APPLICATION AWARENESS with AppSecure to stop application borne security threats and manage application usage
• BEST-IN-CLASS CONTENT SECURITY leveraging intelligence from multiple expert security companies
• ALWAYS AVAILABLE management access even under attack delivered by separate control and data planes


Juniper Security Services Overview

Next Generation Firewall Services
• Application Control & Visibility
• Intrusion Prevention
• User-based Firewall

Unified Threat Management (Known Threats)
• Anti-virus
• Web/Content Filtering
• Anti-spam

Threat Intelligence Platform
• Botnets/C&C
• GEO-IP
• Custom Feeds, APT

Cloud Based Advanced Anti-Malware (Zero Day)
• Sandboxing
• Evasive Malware
• Rich Reporting, Analytics

SRX Foundation Services
• Firewall, NAT, VPN, Routing
• Management, Reporting, Analytics, Automation


Application visibility and control

• Heuristics for evasive and tunneled apps
• More application signatures
• Open signature language

App Tracking
• Understanding security risks
• Address new user behavior

App Firewall
• Block access to risky apps
• Allow user tailored policies

App QoS
• Prioritize important apps
• Rate-limit less important apps

SSL Proxy
• SSL packet inspection

IPS
• Block security threats

[Diagram labels: Ingress, Egress]


User firewall controls

Finance
• P2P apps blocked
• YouTube allowed
• Anti-virus applied

Sales
• P2P, YouTube blocked
• Anti-virus applied

CEO
• No apps blocked
• Anti-virus applied

[Diagram: Finance, Sales and CEO user groups accessing the Internet]

Allows different users to have different application policies based on their role and group

Unified Threat Management Services

Anti-Virus
• Protection from top-tier AV partner
• Reputation-enhanced capabilities

Anti-Spam
• Multilayered spam protection
• Protection against APTs

Web Filtering
• Block malicious URLs
• Prevent lost productivity

Content Filtering
• Filter out extraneous or malicious content
• Maintain bandwidth for essential traffic


INTRUSION PREVENTION & DECEPTION

Stateful Signature Inspection
• Minimizes false positives

Protocol Decodes
• Improves signature accuracy through precise contexts of protocols

Signatures
• Detects attacks and attempts to exploit known vulnerabilities

Traffic Normalization
• Overcomes attempts to bypass other IPS detections through obfuscation


BRANCH SRX SERIES SOLUTIONS


Siege Portfolio (Planned for 1H 2016 FRS)

SRX300 (SRX100 Refresh): Retail Office, < 50 Users
• 8xGE (w/ 2xSFP)
• Desktop form factor
• Fanless design
• MAC-Sec (2xSFP)
IMIX Perf (vs. SRX100)
• Routing : 500 Mbps (2.5x)
• Firewall : 500 Mbps (2.5x)
• IPSec : 100 Mbps (3.3x)
• NGFW* : 50 Mbps (3.0x)

SRX320 (SRX210 / SRX220 Refresh): Small Branch, 50 – 100 Users
• 8xGE (w/ 2xSFP)
• 2x MPIM Slots
• MAC-Sec (2xSFP)
• Optional POE SKU
IMIX Perf (vs. SRX210)
• Routing : 500 Mbps (2.0x)
• Firewall : 500 Mbps (2.0x)
• IPSec : 100 Mbps (2.5x)
• NGFW* : 50 Mbps (2.0x)

SRX340 (SRX240 Refresh): Mid Branch, 100 - 200 Users
• 16xGE (w/ 8xSFP)
• 1U Rack Mount
• 4x MPIM Slots
• MAC-Sec (16xGE)
• OOB Mgmt port (1xGE)
IMIX Perf (vs. SRX240)
• Routing : 1.0 Gbps (1.7x)
• Firewall : 1.0 Gbps (1.7x)
• IPSec : 200 Mbps (2.0x)
• NGFW* : 100 Mbps (1.5x)

SRX345 (New Model): Mid – Large Branch, 200 - 500 Users
• 16xGE (w/ 8xSFP)
• 1U Rack Mount
• 4x MPIM Slots
• MAC-Sec (16xGE)
• OOB Mgmt port (1xGE)
IMIX Perf (vs. SRX240)
• Routing : 2.0 Gbps (3.5x)
• Firewall : 2.0 Gbps (3.5x)
• IPSec : 300 Mbps (3.0x)
• NGFW* : 200 Mbps (3.0x)

SRX550-M (SRX550 RoHS): Large Branch, 200 – 500 Users
• 10xGE (w/ 4xSFP)
• 2U Rack Mount
• 2x MPIM + 6x GPIM
• 1 + 1 AC / DC PSU
IMIX Perf (vs. SRX550)
• Routing : 3.0 Gbps (-)
• Firewall : 3.0 Gbps (-)
• IPSec : 350 Mbps (-)
• NGFW* : 300 Mbps (-)

• Junos 12.3X48 feature parity and FRS with Junos 15.1X release
• Based on Branch SRX (SRX SME) software architecture (does not run TVP architecture)

*NGFW = Client Side IPS + AppFW + External Logging

Branch SRX WAN Interfaces

PIM Available Restricted Availability


• 1x T1E1 MPIM • 2x T1E1 GPIM
• 1x VDSL2 MPIM • 4x T1E1 GPIM
• 1x Serial MPIM • 1x DS3E3 GPIM
• 16x POE Ethernet GPIM
• 8x SFP Ethernet GPIM



MID-RANGE SRX SERIES SOLUTIONS


Mid-Range SRX1500 for Enterprise

Modular Interfaces
• 12x1GE (Cu) + 4x1GE (SFP)
• 4x 10GE (SFP+)
• 2x PIM Slots (for future use)
• Dedicated HA Control Port (SFP)
• Dedicated OOB Mgmt (1xGE)

Power, Storage & Dimensions
• 16G eSATA + 100G SSD
• Dual power supply (AC / DC)
• Avg / Max Power :
• Size : 1 RU
• Front to Back Airflow

Firewall Performance
• Firewall (IMIX) : 8.0 Gbps
• VPN (IMIX) : 1.0 Gbps
• AppID (HTTP) : 5.0 Gbps
• IPS Recommended : 3.0 Gbps
• NGFW* : 1.5 Gbps

*NGFW = Client Side IPS + AppFW + External Logging

SRX1500 Hardware Architecture

• Intel X86 multi-core processor
• Broadcom switch ports
• FPGA for fast packet processing (service offload)
• 120G SSD for log storage

[Block diagram labels: CPU Board, Intel Xeon 1125v2 4C 2.4Ghz, Cave Creek PCH, 2x 8GB DDR3 RAM, 16GB mSATA, 120GB SSD, 400W AC / DC PSU (two), 8x PCIe (10Gbps), PFE Board, Altera Stratix V FPGA, 2x10G, 2x1G, Broadcom 56548, WAN PIM Slots, 12x1G Cu, 4x1G SFP, 4x10G SFP+]

SRX 1500 Software Architecture

• TVP Architecture
• Common for Switching & Security
• “Yocto” based Juniper Linux distro (3.x kernel)
• SELinux compliant
• Support latest KVM & QEMU versions
• JCP (JunOS Control Plane) runs as a nested VM
• Communicate with processes on Yocto host through Linux bridges
• TCP/IP based connection between JCP and PFE
• File sharing with Yocto host via NFS mount
• Can not be upgraded/rebooted alone

[Diagram labels: TVP Software Architecture, Switching & Security, JCP, 3rd Party, Platform Services, QEMU/Libvirt, KVM, Wind River Linux 6, Control Plane, PPC or X86 Control Plane CPU Hardware, Forwarding Plane Hardware, ASIC, FPGA [Custom/Merchant] or x86]


SRX1500

• Ideal for large branch to small data centers, enterprises, and Service Provider networks

Software Security Services
• AppSecure and IPS
• AV and web filtering
• Threat intelligence

Typical Use Cases
• Large Secure Router
• VPN Concentrator
• Small Data Center
• NGFW

SRX1500 specifications
On-board Ethernet : 16x1GE (12Cu + 4SFP), 4x10GE (SFP+)
JUNOS Software Version Support : JUNOS 15.1X
Firewall Performance (Large Packets) : 10 Gbps
Firewall Performance (IMIX) : 10 Gbps
Firewall Performance (Firewall + Routing PPS 64byte) : 1.5 Mpps
VPN Performance – AES256+SHA-1 or 3DES+SHA-1 : 1Gbps
NGFW Performance (IPS, AppFW, Logging) : 1.5Gbps
Intrusion Prevention System : 3 Gbps
Connections Per Second (CPS) : 70 K
Maximum Concurrent Sessions : 1.5 M
High Availability (Dedicated HA control port - SFP) : A/A or A/P

*Performance and capacity numbers are subject to change pending FRS

New On-box GUI

• Cleaner look and feel

Workflow and Usability Improvements
• Simplified policy creation
• Easier priority setting


The Power of a Connected World
CONNECT EVERYTHING. EMPOWER EVERYONE.
