低端 SRX 防火墙介绍.pptx

Click to edit Master title style,Click to edit Master text styles,Second level,Third level,Fourth level,Fifth level,#,Copyright,2009 Juniper Networks,Inc.,低端,SRX,防火墙,议程,分布式的企业,低端,SRX,功能,低端,SRX,硬件型号,竞争比较,传统的企业分支机构的网络部署,传统企业的分支机构的部署方式是：,路由器,+,防火墙,+,交换机,的模式,路由器：各种广域网接口、路由协议、,MPLS,防火墙：安全区隔离、,UTM,、流量日志,交换机：接入用户，隔离各个,Vlan,广播域,.,分支,1,分支,n,企业专网,(MPLS,或者,non-MPLS),路由,安全,交换,分支机构的路由和安全设备存在很多的共同点,.,分支,1,分支,n,分支路由,分支安全,分支交换,企业专网,(MPLS,或者,non-MPLS),2,台高成本、具备复杂运算能力的智能设备,每端口的价格高,低成本,ASIC,交换设备，每端口的价格非常低,低端,SRX,防火墙,随着多核,CPU,的架构出现，分支机构的路由器和防火墙都逐渐采用多核,CPU,的硬件平台，,Juniper,推出了分支机构,SRX,安全路由器：,支持,JUNOS,的无状态的包转发、广域网接口、路由协议、,MPLS,协议、,QoS,，降低硬件成本和管理成本,支持,ScreenOS,防火墙的基于状态的流转发、防火墙、,UTM,和防攻击技术，降低硬件成本和管理成本,整合了,2,个具备复杂运算功能的智能设备后，可以较大地降低每个分支机构的硬件采购成本和后期运维成本,二合一,低端,SRX,防火墙全面,的路由功能,低端,SRX,防火墙可支持虚拟路由器，并且同时支持基于,JUNOS,的无状态的包,转发和状态防火墙,广域网接口：支持串口（,SRX240/210,）和,E1,口（,SRX650/240/210,）,路由协议：,BGP,、,OSPF,、,RIP,；多个虚拟路由器；,VRRP,；,BFD,MPLS,：,L3 VPN,、,L2 VPN,、,FRR,等,全面,的,UTM,安全功能,Websense,拒绝对部分站点的访问,网页过滤,卡巴斯基防病毒（支持硬件加速）,防病毒,Sophos,防垃圾邮件,防垃圾邮件,入侵防御,防火墙、,VPN,、接入控制,核心安全,SRX,控制文件传输,内容过滤,内部攻击,外部攻击,INTERNET,Juniper IDP,识别,/,防护 蠕虫、木马、,DDoS,防护（,4,到,7,层）,扫描（支持硬件加速）,Multi-services Gateway,SRX,：适合多种客户需求,Secure Router,UTM,NGFW,Routing and WAN Interfaces,Firewall,VPN,NAT,In-line IPS,High availability,Transparent mode,Ease of,use,Best-of-breed,Anti-Virus,Anti-Spam,Web,filtering,New AV offering-Sophos,In-line IPS,AppSecure,Next generation firewall(AppSecure),In-line IPS,Application visibility,tracking and enforcement,User-role based,policies,Branch SRX,低端,SRX,防火墙功能,Security,Firewall,VPN,IPS,AppSecure,Antivirus,Enhanced Web,filtering,Antispam,Wireless LAN and,3G/4G,WAN,802.11n,3G/4G WiMax&LTE,Routing&Switching,RIP,OSPF,BGP,Multicast,IPv6,MPLS;Full BGP table,J Flow,RPM,L2 Switching,POE Options,Physical Interfaces,T1/E1,Serial,DS3/E3,VDSL,ADSL,G.SHDSL,DOCSIS Cable Modem,Ethernet 10/100/1000&10G,Copper or Fiber,AppSecure SOFTWARE SERVICE SUITE,Understand security risks,Address new user behaviors,Application Intelligence and Security In Branch,Subscription service includes all modules and updates,Juniper Security Lab provides 900+application signatures,AppTrack,AppQoS,AppDoS,IPS,Block access to risky apps,Allows user tailored policies,Prioritize important apps,Rate limit less important apps,Protect apps from bot attacks,Allow legitimate user traffic,Remediate security threats,Stay current with daily signatures,AppFW,Customer Choice for Antivirus,On-box option:Kaspersky,Cloud-based option:Sophos,Juniper is the only vendor offering customers a choice between two market proven antivirus solutions.,High availability,Features,Stateful fail-over,Active/Backup Control Plane,Active/Active Data Plane,Single System View,Benefits,Maintains connection persistence&improves system resiliency for services,Load sharing across systems,Optimized for complex routing environments,分支机构,SRX,（低端系列）,小型,办公室,中型办公室,大型办公室,SRX220,+2 WAN slots,8,x GigE,PoE,2,GB DRAM,SRX240,+4 WAN slots,16,x GigE,PoE,1 GB DRAM,SRX650,+More LAN slots,Dual P/S,+Hot Swap I/O,4 GB DRAM,SRX110,SRX100,SRX210,WAN slot,2,x GigE,PoE,1 GB DRAM,硬件型号：,700M,to,7,G,软件：,Junos,（安全,/,路由,/,交换）,1G,7,G,Fixed Config,8 x FE1 GB DRAM,Fixed Config,VDSL2 WAN,8 x FE1 GB DRAM,2mPIM+6GPIM WAN slots,10 x,GigE,PoE,Dual PS,2 GB DRAM,SRX550,mini-PIM,GPIM,Announcing SRX550 Services Gateway,Routing Performance,700 Kpps,Firewall Performance,1.7 Gbps(IMIX),5.5 Gbps(Large packets),AV&IDP HW Acceleration,Yes,IPSec Performance,1 Gbps,“No-Compromise Services”with scale and performance for the medium to large branch,Advanced,S,ecurity,Firewall and VPN,UTM:IPS,antivirus,enhanced web-filtering,anti-spam,Application visibility,tracking&enforcement,High Density Switching,10 x GE on board(6 Copper,4 SFP),Modular switching with POE,Comprehensive Routing,Wide range of WAN options:3G/LTE,T1/E1/DS3/E3,xDSL,Nx1GE,10 GE,L2/L3 VPN,MPLS,VPLS,IPv6,v4,Business Continuity,Resiliency,HA cluster(A/A,or A/P),WAN backup and redundancy,Control plane,data plane separation,GPIM,Online-Insertion-Removal*,Optional redundant power supplies(AC and DC),FRS 12.1,SRX100,Features,SRX100,On-board Ethernet,8 x FE,Power over Ethernet(802.3af,802.3at),None,WAN slots,None,USB ports,1,Content Security AcceleratorExpressAVand Intrusion Detection and Prevention,No,JUNOS Software version support,JUNOS 11.1,Firewall performance(Large Packets),700 Mbps,Firewall performance(IMIX),200 Mbps,Firewall performance(Firewall+Routing PPS 64byte),70 Kpps,VPN PerformanceAES256+SHA-1 3DES+SHA 1,65 Mbps,IPS performance,60 Mbps,Connections Per Second(CPS),2K CPS,Maximum Concurrent Sessions(512MB/1GB RAM),16 K/32K,Antivirus performance,25Mbps,AppSecure Throughput(HTTP),90Mbps,High Availability,N/A,Ideal for small sites and managed telecommuters,Full security features,Firewall and VPN,UTM:IPS,AppSecure,antivirus,web-filtering,and anti-spam,UTM requires high memory version,SRX110 ideal solution for Small Branch,Features,SRX 110,On-board Ethernet,8 x FE,Primary WAN,VDSL2 with ADSL2 Fallback,Backup WAN,USB Port for,3G/4G Modem,Additional USB ports,One(total 2),Content Security AcceleratorExpressAVand Intrusion Detection and Prevention,No,Firewall performance(Large Packets),700 Mbps,Firewall performance(IMIX),200 Mbps,Firewall performance(Firewall+Routing PPS 64byte),65 Kpps,VPN Performance,(AES256+SHA1/3DES+SHA1),65 Mbps,IPS performance,60 Mbps,Connections Per Second(CPS),2K CPS,Maximum Concurrent Sessions,16 K/32K,Antivirus performance,25Mbps,AppSecure Throughput(HTTP),90 Mbps,High Availability,N/A,Additional,USB port,Front,Back,Designed for flexibility,investment protection,and lowest total cost of ownership(TCO).,PrimaryWANVDSL,Backup 3G WAN,11.4,Ideal for small branches,Full security features,Firewall and VPN,UTM:IPS,AppSecure,antivirus,web-filtering,and anti-spam,UTM requires high memory version,SRX210E,Features,SRX210E,On-board Ethernet,2 x GE+6 x FE,Power over Ethernet(802.3af,802.3at),4 ports,50 W total,WAN slots,1 x mini PIM,USB ports(flash),2,Content Security AcceleratorExpressAVand Intrusion Detection and Prevention,Yes,JUNOS Software version support,JUNOS 11.1,Firewall performance(Large Packets),850 Mbps,Firewall performance(IMIX),250 Mbps,Firewall performance(Firewall+Routing PPS 64byte),95 Kpps,IPSec VPN Throughput,85 Mbps,IPS performance,85 Mbps,Connections Per Second(CPS),2,200 CPS,Maximum Concurrent Sessions(512MB/1GB RAM),32K/64K,Antivirus performance,25 Mbps,AppSecure Throughput(HTTP),250 Mbps,High Availability,A/A or A/P,SRX220,Features,SRX220,On-board Ethernet,18x GE,Power over Ethernet(802.3af,802.3at),8 ports GE,120 W,WAN slots,2 x mini PIM,USB ports(flash),2,Content Security AcceleratorExpressAVand Intrusion Detection and Prevention,Yes,JUNOS Software version support,JUNOS 11.1,Firewall performance(Large Packets),950 Gbps,Firewall performance(IMIX),300 Mbps,Firewall performance(Firewall+Routing PPS 64byte),125 Kpps,VPN PerformanceAES256+SHA-1 3DES+SHA-1,100 Mbps,IPS Performance,100 Mbps,Connections Per Second(CPS),3K CPS,Maximum Concurrent Sessions(512MB/1GB RAM),96K,Antivirus performance,34 Mbps,AppSecure Throughput(HTTP),300 Mbps,High Availability,A/A or A/P,Ideal for small and medium branches,Full security features,Firewall and VPN,UTM:IPS,AppSecure,antivirus,web-filtering,and anti-spam,SRX240,Features,SRX240,On-board Ethernet,16 x GE,Power over Ethernet(802.3af,802.3at),16 ports GE,150 W,WAN slots,4 x mini PIM,USB ports(flash),2,Content Security AcceleratorExpressAVand Intrusion Detection and Prevention,Yes,JUNOS Software version support,JUNOS 11.1,Firewall performance(Large Packets),1.5 Gbps,Firewall performance(IMIX),500 Mbps,Firewall performance(Firewall+Routing PPS 64byte),200 Kpps,VPN PerformanceAES256+SHA-1 3DES+SHA-1,300 Mbps,IPS Performance,230 Mbps,Connections Per Second(CPS),9K CPS,Maximum Concurrent Sessions(512MB/1GB RAM),64K/128K,Antivirus performance,85 Mbps,AppSecure Throughput(HTTP),750 Mbps,High Availability,A/A or A/P,Ideal for small and medium branches,Full security features,Firewall and VPN,UTM:IPS,AppSecure,antivirus,web-filtering,and anti-spam,UTM requires high memory version,SRX550,Features,SRX550,On-board Ethernet,10 x GE(6 Copper,4SFP),Power over Ethernet(802.3af,802.3at),40 ports GE,500 W,WAN slots,2 mPIM,6 x GPIM,USB ports(flash),2,Content Security AcceleratorExpressAVand Intrusion Detection and Prevention,Yes,JUNOS Software version support,JUNOS 12.1,Firewall performance(Large Packets),5.5 Gbps,Firewall performance(IMIX),1.7 Gbps,Firewall performance(Firewall+Routing PPS 64byte),700 Kpps,VPN PerformanceAES256+SHA-1 3DES+SHA-1,1.0 Gbps,IPS Performance,800 Mbps,Connections Per Second(CPS),27K CPS,Maximum Concurrent Sessions(2 GB RAM),375 K,Antivirus performance,300 Mbps,AppSecure Throughput(HTTP),1.5 Gbps,High Availability,A/A or A/P,Ideal for enterprise medium to large branch,Ideal office-in-a-box solution for managed services or commercial business,SRX550 offers:,Comprehensive Routing and Security Services,High density on-board and modular switch ports,Copper and SFP,Application Awareness and Control,Business Continuity and Resiliency,12.1,SRX650,Features,SRX650,On-board Ethernet,4 x GE,Power over Ethernet(802.3af,802.3at),48 ports GE,250W or 500 W,WAN slots,8 x GPIM,USB ports(flash),2 per processor,Content Security AcceleratorExpressAVand Intrusion Detection and Prevention,Yes,JUNOS Software version support,JUNOS 11.1,Firewall performance(Large Packets),7.0 Gbps,Firewall performance(IMIX),2.5 Gbps,Firewall performance(Firewall+Routing PPS 64byte),850 Kpps,VPN PerformanceAES256+SHA-1 3DES+SHA-1,1.5 Gbps,IPS Performance,1 Gbps,Connections Per Second(CPS),35K CPS,Maximum Concurrent Sessions(512MB/1GB RAM),512 K,Antivirus performance,350 Mbps,AppSecure Throughput(HTTP),1.9 Gbps,High Availability,A/A or A/P,Hot swap GPIMs,Dual power,Ideal for regional sites and large branches,Full security features,Firewall and VPN,UTM:IPS,AppSecure,antivirus,web-filtering,and anti-spam,Modular,LAN switching,Services Routing Processors with optional redundancy,Power supplies with optional redundancy(at FRS),B,ranch s,RX,Series Specification,Summary,FEATURES,SRX100(110),SRX210E,SRX220,SRX240,SRX550,SRX650,On-board Ethernet,8 x FE,2 x GE+6 x FE,8 x GE,16 x GE,6 x GE+4 x SFP,4 x GE,Memory/Flash,1 GB/1 GB,1 GB/1 GB,1 GB/1 GB,1 GB*/1 GB,2 GB*/2 GB,2 GB/2 GB,Power over Ethernet(802.3af,802.3at),None,4 ports,50 W total,8 ports GE,120 W,16 ports GE,150 W,40 Port GE,250 W or 500 W,48 ports GE,250 W or 500 W,WAN slots,None (1),1 x mini PIM,2 x mini PIM,4 x mini PIM,2 x mini PIM+4 x GPIM,8 x GPIM,USB ports(flash),1(2),2,2,2,2,2 per processor,JUNOS Software version support,JUNOS 11.1*,JUNOS 11.1*,JUNOS 11.1*,JUNOS 11.1*,JUNOS 12.1,JUNOS 11.1*,Routing,YES,YES,YES,YES,YES,YES,Content Security Acceleration(IPS,ExpressAV),No,YES,YES,YES,YES,YES,Firewall performance(Large Packets),700 Mbps,850 Mbps,950 Mbps,1.8 Gbps,5.5 Gbps,7.0 Gbps,Firewall performance(IMIX),200 Mbps,250 Mbps,300 Mbps,600 Mbps,1.7 Gbps,2.5 Gbps,Firewall performance(Firewall+Routing PPS 64byte),70 Kpps,95 Kpps,125 Kpps,200 Kpps,700 Kpps,850 Kpps,IPSec VPN throughput,65 Mbps,85 Mbps,100 Mbps,300 Mbps,1.0 Gbps,1.5 Gbps,Intrusion Prevention System,60Mbps,85 Mbps,100 Mbps,230 Mbps,800 Mbps,1 Gbps,Connections Per Second(CPS),2K,2.2K,3K,9K,27K,35K,Maximum Concurrent Sessions(512MB/1GB RAM),16 K/32K,32K/64K,96K,64K/128K,375K,512 K,Antivirus,25 Mbps,30 Mbps,35 Mbps,85 Mbps,300 Mbps,350 Mbps,High Availability,A/A or A/P,A/A or A/P,A/A or A/P,A/A or A/P,A/A or A/P,Hot swap GPIMs,Dual power,A/A or A/P,Hot swap GPIMs,Dual power,Flexible Physical interfaces-WAN,LAN,WLAN and 3G/4G,MPIMs,T1/E1,Serial,1XGE SFP,ADSL,G.SHDSL,VDSL2,Docsis3.0,GPIMs,16XGE,16XGE POE,24XGE,24XGE POE,2x10GE SFP+/Copper,4XT1E1,2XT1E1,1xDS3/E3,场景一（,SRX,当传统的路由器部署）,广域网（或,MPLS,网络）,优势：,1,、,JUNOS,的软件：模块化、所有型号共用一个软件文件、单一版本链；,2,、无需,license,即支持,MPLS,等复杂功能；,3,、更高性能,场景二（,SRX,当路由器,+,交换机部署）,广域网（或,MPLS,网络）,优势：,SRX100/210/240,缺省支持大量的以太网接口，,SRX650,可以扩展支持高密度的以太网接口卡，这些接口缺省支持路由和交换功能，无需,license,。为小型办事处节省了交换机成本。,场景三（,SRX,当,VPN/NAT/,防火墙,/UTM,部署）,广域网,优势：,1,、集成了,ScreenOS,的防火墙和,IPsec,功能，无需额外,license,；,2,、全面的,UTM,功能（集成了多个领先内容安全厂家的技术），包括防病毒（卡巴斯基）、防垃圾邮件（,Sophos,）、入侵防御（,Juniper,）、网页过滤（,websense,）等；,3,、具备对防病毒和防入侵的硬件加速特征匹配芯片。,4,、对流量进行详细的流量日志记录。,场景四（,SRX,当路由器,+,状态防火墙,部署）,广域网,优势：,1,、单一设备，可以支持广域网路由接口（串口、,E1,）；,2,、将路由器、,UTM,防火墙合二为一；,3,、支持部分流量按路由器方式进行处理，部分流量按状态防火墙进行处理。,场景五（,SRX,当路由器,+,UTM,防火墙,部署）,广域网（或,MPLS,网络）,优势：,1,、单一设备，可以支持广域网路由接口（串口、,E1,）；,2,、将路由器、,UTM,防火墙合二为一；,3,、支持,MPLS,和,UTM,防火墙的同时部署。,Juniper,的优势,1,、不需要,license,即可以,支持动态路由,/,MPLS,、,BFD,、交换功能（包括机箱自带接口）,、虚拟路由器、防火墙,NAT,、,IPsec VPN,功能，尽量将这些功能加进去；,2,、,Juniper,可以同时支持,防病毒和防垃圾邮件，,Cisco,不支持；,3,、,Juniper,支持内置内容安全的硬件加速的芯片，对防病毒和入侵防御的特征匹配可以,加速；,4,、,Juniper,的总体性能上有优势，但是需要在相同环境下进行比较，如：路由、防火墙、,IPS,、,IPsec VPN,等各个环境下的,性能。,5,、缺省配置自带的接口数量比较多，尤其是,SRX210,和,SRX240,，而且有自带接口,可以,支持,POE,的机箱（,Cisco,需要额外配,POE,接口模块）,。,6,、,JUNOS,操作系统本身的优势（配置回滚,/,配置对比,）,；,Thank you,