Juniper Networks SSG 140 - Digilink

Transcription

Datasheet

Juniper Networks SSG 140

Portfolio Description

The Juniper Networks Secure Services Gateway 140 (SSG 140) is a purpose-built security appliance that delivers a perfect blend of performance, security, routing and LAN/WAN connectivity for medium sized branch offices and business deployments. Traffic flowing in and out of the branch office or business is protected from worms, spyware, Trojans, and malware by a complete set of Unified Threat Management (UTM) security features that include stateful firewall, IP Security (IPSec) virtual private network (VPN), Intrusion Prevention System (IPS), antivirus (includes anti-spyware, anti-adware, anti-phishing), anti-spam and Web Filtering.

The SSG 140 is a high-performance security platform for branch offices and small/medium sized standalone businesses that want to stop internal and external attacks, prevent unauthorized access, and achieve regulatory compliance. The SSG 140 is a modular platform that delivers more than 350 Mbps of stateful firewall traffic and 100 Mbps of IPSec VPN traffic.

Security: Protection against worms, viruses, Trojans, spam, and emerging malware is delivered by proven Unified Threat Management (UTM) security features that are backed by best-in-class partners. To address internal security requirements and facilitate regulatory compliance, the SSG 140 supports an advanced set of network protection features such as security zones, virtual routers and VLANs that allow administrators to divide the network into distinct, secure domains, each with its own unique security policy. Policies protecting each security zone can include access control rules and inspection by any of the supported UTM security features.

Connectivity and Routing: The SSG 140 supports ten on-board interfaces (8 10/100 plus 2 10/100/1000) complemented by four I/O expansion slots that can house additional WAN interfaces (T1, E1, ISDN BRI S/T and Serial), making the SSG 140 the most extensible security platform in its class. This broad array of I/O options coupled with WAN protocol and encapsulation support in its routing engine make the SSG 140 a platform that can easily be deployed as a traditional branch office router or as a consolidated security and routing device to reduce CAPEX and OPEX.

Access Control Enforcement: The SSG 140 can act as an enforcement point in a Juniper Networks Unified Access Control deployment with the simple addition of the Infranet Controller. The Infranet Controller functions as a central policy management engine, interacting with the SSG 140 to augment or replace the firewall-based access control with a solution that grants/denies access based on more granular criteria that include endpoint state and user identity, in order to accommodate the dramatic shifts in attack landscape and user characteristics.

World Class Support: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment to its successful conclusion.

[Figure: The SSG 140 deployed at a branch office for secure Internet connectivity and site-to-site VPN to corporate headquarters. Internal branch office resources are protected with unique security policies for each security zone. Diagram labels: WWW, Zone A, Zone B, SSG 140, Branch Office, Internet, HQ.]

Features and Benefits

Feature: High performance
Description: Purpose-built platform is assembled from custom-built hardware, powerful processing and a security-specific operating system.
Benefit: Delivers performance headroom required to protect against internal and external attacks now and into the future.

Feature: Best-in-class UTM security features
Description: UTM security features (antivirus, anti-spam, Web filtering, IPS) stop all manner of viruses and malware before they damage the network.
Benefit: Ensures that the network is protected against all manner of attacks.

Feature: Integrated antivirus
Description: Annually licensed antivirus engine, provided by Juniper, is based on Kaspersky Lab engine.
Benefit: Stops viruses, spyware, adware and other malware.

Feature: Integrated anti-spam
Description: Annually licensed anti-spam offering, provided by Juniper, is based on Symantec technology.
Benefit: Blocks unwanted email from known spammers and phishers.

Feature: Integrated Web filtering
Description: Annually licensed Web filtering solution, provided by Juniper, is based on SurfControl’s technology.
Benefit: Controls/blocks access to malicious Web sites.

Feature: Integrated IPS (Deep Inspection)
Description: Annually licensed IPS engine.
Benefit: Prevents application-level attacks from flooding the network.

Feature: Fixed Interfaces
Description: Eight fixed 10/100 interfaces and two 10/100/1000 interfaces, one USB port, one console port, and one auxiliary port.
Benefit: Provides high-speed LAN connectivity, future connectivity, and flexible management.

Feature: Network segmentation
Description: Bridge groups, security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, wireless networks and regional servers or databases.*
Benefit: Powerful capabilities facilitate deploying security for various internal, external and DMZ sub-groups on the network, to prevent unauthorized access.

Feature: Robust routing engine
Description: Proven routing engine supports OSPF, BGP and RIP v1/2 along with Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC.
Benefit: Enables the deployment of consolidated security and routing device, thereby lowering operational and capital expenditures.

Feature: High interface density
Description: Eight 10/100 plus two 10/100/1000 interfaces plus a console and an Aux interface for management.
Benefit: Provides unmatched interface density when compared to competitive offerings.

Feature: Interface modularity
Description: Four SSG 140 interface expansion slots support optional T1, E1, ISDN BRI S/T, ADSL2, G.SHDSL and serial physical interface modules (PIMs), and 10/100/1000 and SFP universal PIMs (uPIMs).**
Benefit: Delivers LAN and WAN connectivity options on top of unmatched security to reduce costs and extend investment protection.

Feature: Management flexibility
Description: Use any one of three mechanisms, CLI, WebUI or Juniper Networks NetScreen-Security Manager, to securely deploy, monitor and manage security policies.
Benefit: Enables management access from any location, eliminating on-site visits thereby improving response time and reducing operational costs.

Feature: Juniper Networks Unified Access Control enforcement point
Description: Interacts with the centralized policy management engine (Infranet Controller) to enforce session-specific access control policies using criteria such as user identity, device security state, and network location.
Benefit: Improves security posture in a cost-effective manner by leveraging existing customer network infrastructure components and best-in-class technology.

Feature: World-class professional services
Description: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment.
Benefit: Transforms the network infrastructure to ensure that it is secure, flexible, scalable and reliable.

Feature: Auto-Connect VPN
Description: Automatically sets up and takes down VPN tunnels between spoke sites in a hub-and-spoke topology.
Benefit: Provides a scalable VPN solution for mesh architectures with support for latency-sensitive applications such as VoIP and video conferencing.

Product Options

Option: DRAM
Description: The SSG 140 is available with either 256 MB or 512 MB of DRAM.
Applicable Products: SSG 140

Option: Unified Threat Management/Content Security (high memory option required)
Description: The SSG 140 can be configured with any combination of the following best-in-class UTM and content security functionality: Antivirus (includes anti-spyware, anti-phishing), IPS (Deep Inspection), Web filtering, and/or anti-spam.
Applicable Products: SSG 140 high memory model only

Option: I/O options
Description: Four SSG 140 interface expansion slots support optional T1, E1, ISDN BRI S/T, ADSL2, G.SHDSL and serial physical interface modules (PIMs), and 10/100/1000 and SFP universal PIMs (uPIMs).
Applicable Products: SSG 140

* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases
** uPIMs are only supported in ScreenOS 6.0 or greater releases

Specifications

Maximum Performance and Capacity(1)
  ScreenOS version tested: ScreenOS 6.1
  Firewall throughput (large packets): 350 Mbps
  Firewall throughput (IMIX)(2): 300 Mbps
  Firewall packets per second (64 byte): 100,000 PPS
  Advanced Encryption Standard (AES) 256 SHA-1 VPN throughput: 100 Mbps
  3DES encryption SHA-1 VPN throughput: 100 Mbps
  Maximum concurrent sessions: 48,000
  New sessions/second: 8,000
  Maximum security policies: 1,000
  Maximum users supported: Unrestricted

Network Connectivity
  Fixed I/O: 8x10/100, 2x10/100/1000
  Physical Interface Module (PIM) slots: 4
  Modular WAN/LAN interface options (PIMs/uPIMs): 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T, SFP, 10/100/1000

Firewall
  Network attack detection: Yes
  DoS and DDoS protection: Yes
  TCP reassembly for fragmented packet protection: Yes
  Brute force attack mitigation: Yes
  SYN cookie protection: Yes
  Zone-based IP spoofing: Yes
  Malformed packet protection: Yes

Unified Threat Management(3)
  IPS (Deep Inspection firewall): Yes
  Protocol anomaly detection: Yes
  Stateful protocol signatures: Yes
  IPS/DI attack pattern obfuscation: Yes
  Antivirus: Yes
  Signature database: 200,000
  Protocols t message AV: POP3, HTTP, SMTP, IMAP, FTP, IM, Yes, Yes, Yes, Yes
  Anti-spam: Yes
  Integrated URL filtering: Yes
  External URL filtering(4): Yes

Voice over IP (VoIP) Security
  H.323 Application-level gateway (ALG): Yes
  SIP ALG: Yes
  MGCP ALG: Yes
  SCCP ALG: Yes
  Network Address Translation (NAT) for VoIP protocols: Yes

IPSec VPN
  Concurrent VPN tunnels: 150
  Tunnel interfaces: 50
  DES encryption (56-bit), 3DES encryption (168-bit) and AES (256-bit): Yes
  MD-5 and SHA-1 authentication: Yes
  Manual key, Internet Key Exchange (IKE), IKEv2 with EAP public key infrastructure (PKI) (X.509): Yes
  Perfect forward secrecy (DH Groups): 1, 2, 5
  Prevent replay attack: Yes
  Remote access VPN: Yes
  Layer 2 Tunneling Protocol (L2TP) within IPSec: Yes
  IPSec Network Address Translation (NAT) traversal: Yes
  Auto-Connect VPN: Yes
  Redundant VPN gateways: Yes

User Authentication and Access Control
  Built-in (internal) database user limit: 250
  Third-party user authentication: RADIUS, RSA SecureID, LDAP
  RADIUS Accounting: Yes – start/stop
  XAUTH VPN authentication: Yes
  Web-based authentication: Yes
  802.1X authentication: Yes
  Unified Access Control (UAC) enforcement point: Yes

PKI Support
  PKI certificate requests (PKCS 7 and PKCS 10): Yes
  Automated certificate enrollment (SCEP): Yes
  Online Certificate Status Protocol (OCSP): Yes
  Certificate Authorities supported: Verisign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape) Baltimore, DOD PKI
  Self signed certificates: Yes

Virtualization
  Maximum number of security zones: 40
  Maximum number of virtual routers: 3
  Bridge groups*: Yes
  Maximum number of VLANs: 100

Routing
  BGP instances
  BGP peers
  BGP routes
  OSPF instances
  OSPF routes
  RIPv1/v2 instances
  RIP v2 routes
  Static routes
  Source-based routing
  Policy-based routing
  Equal-cost multipath (ECMP)
  Multicast
  Reverse Forwarding Path (RFP)
  Internet Group Management Protocol (IGMP) (v1, v2)
  IGMP Proxy
  Protocol Independent Multicast (PIM) single mode
  PIM source-specific multicast
  Multicast inside IPSec s
  Yes, Yes, Yes

Encapsulations
  Point-to-Point Protocol (PPP): Yes
  Multilink Point-to-Point Protocol (MLPPP): Yes
  MLPPP max physical interfaces: 4
  Frame relay: Yes
  Multilink Frame Relay (MLFR) (FRF 15, FRF 16): Yes
  MLFR max physical interfaces: 8
  HDLC: Yes

* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases

Specifications

IPv6
  Dual stack IPv4/IPv6 firewall and VPN: Yes
  IPv4 to/from IPv6 translations and encapsulations: Yes
  Syn-Cookie and Syn-Proxy DoS Attack Detection: Yes
  SIP, RTSP, Sun-RPC, and MS-RPC ALGs: Yes
  RIPng: Yes

Mode of Operation
  Layer 2 (transparent) mode(5): Yes
  Layer 3 (route and/or NAT) mode: Yes

Address Translation
  Network Address Translation (NAT): Yes
  Port Address Translation (PAT): Yes
  Policy-based NAT/PAT: Yes
  Mapped IP (MIP): 1,000
  Virtual IP (VIP): 16
  MIP/VIP Grouping: Yes

IP Address Assignment
  Static: Yes
  Dynamic Host Configuration Protocol (DHCP), Point-to-Point Protocol over Ethernet (PPPoE) client: Yes
  Internal DHCP server: Yes
  DHCP relay: Yes

Traffic Management Quality of Service (QoS)
  Guaranteed bandwidth: Yes - per policy
  Maximum bandwidth: Yes - per policy
  Ingress traffic policing: Yes
  Priority-bandwidth utilization: Yes
  Differentiated Services marking: Yes - per policy

High Availability (HA)
  Active/active - L3 mode
  Active/passive - Transparent & L3 mode
  Configuration synchronization
  Session synchronization for firewall and VPN
  Session failover for routing change
  VRRP
  Device failure detection
  Link failure detection
  Authentication for new HA members
  Encryption of HA traffic

Management
  WebUI (HTTP and HTTPS): Yes
  Command line interface (console): Yes
  Command line interface (telnet): Yes
  Command line interface (SSH): Yes – v1.5 and v2.0 compatible
  NetScreen-Security Manager: Yes
  All management via VPN tunnel on any interface: Yes
  Rapid deployment: No

Administration
  Local administrator database size: 20
  External administrator database support: RADIUS, RSA SecureID, LDAP
  Restricted administrative networks: 6
  Root Admin, Admin, and Read Only user levels: Yes
  Software upgrades: TFTP, WebUI, NSM, SCP, USB
  Configuration roll-back: Yes

Logging/Monitoring
  System log (multiple servers): Yes – up to 4 servers
  Email (2 addresses): Yes
  NetIQ WebTrends: Yes
  SNMP (v2): Yes
  SNMP full custom MIB: Yes
  Traceroute: Yes
  VPN tunnel monitor: Yes

External Flash
  Additional log storage: USB 1.1
  Event logs and alarms: Yes
  System configuration script: Yes
  ScreenOS Software: Yes

Dimensions and Power
  Dimensions (W x H x D): 17.5 x 1.8 x 15 in (44.5 x 4.5 x 38.1 cm)
  Weight: 10.2 lb (4.63 kg)
  Rack mountable: Yes, 1RU
  Power supply (AC): 100-240 VAC, AC input line frequency 50 or 60 Hz, AC system current rating 2 A
  Maximum thermal output: 580 BTU/hour (170 W)
  Noise Level: 48.8

  Safety certifications: UL, CUL, CSA, CB
  Electromagnetic compatibility (EMC) certifications: FCC class B, CE class B
  Network Equipment Building System (NEBS): No
  Mean time between failures (MTBF) (Bellcore model): 16 years

Security Certifications
  Common Criteria: EAL4: Future
  FIPS 140-2: Level 2: Future
  ICSA Firewall and VPN: Yes

Operating Environment
  Operating temperature: 32 to 122 F (0 to 50 C)
  Non-operating temperature: -4 to 158 F (-20 to 70 C)
  Humidity: 10% to 90% noncondensing

(1) Performance, capacity and features listed are based upon systems running ScreenOS 6.1 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and deployment. For a complete list of supported ScreenOS versions for SSG platforms, please visit the Juniper Customer Support Center (http://www.juniper.net/customers/support/) and click on ScreenOS Software Downloads.
(2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer’s network. The IMIX traffic used is made up of 58.33% 64 byte packets, 33.33% 570 byte packets and 8.33% 1518 byte packets of UDP traffic.
(3) UTM Security features (IPS/Deep Inspection, antivirus, anti-spam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM Security features.
(4) Redirect Web filtering sends traffic from the firewall to a secondary server. The redirect feature is free, however it does require the purchase of a separate Web filtering license from either Websense or SurfControl.
(5) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, active/active HA and IP address assignment are not available in layer 2 transparent mode.

IPS (Deep Inspection firewall) Signature Packs

Signature Packs provide the ability to tailor the attack protection to the specific deployment and/or attack type. The following Signature packs are available for the SSG 140.

Signature Pack: Base
Target Deployment: Branch offices, small/medium businesses
Defense Type: Client/server and worm protection
Type of Attack Object: Range of signatures and protocol anomalies

Signature Pack: Client
Target Deployment: Remote/branch offices
Defense Type: Perimeter defense, compliance for hosts (for example desktops)
Type of Attack Object: Attacks in the server-to-client direction

Signature Pack: Server
Target Deployment: Small/medium businesses
Defense Type: Perimeter defense, compliance for server infrastructure
Type of Attack Object: Attacks in the client-to-server direction

Signature Pack: Worm Mitigation
Target Deployment: Remote/branch offices of large enterprises
Defense Type: Most comprehensive defense against worm attacks
Type of Attack Object: Worms, Trojans, backdoor attacks

Ordering Information

SSG 140 (description: part number)
  SSG 140 with 256 MB memory, 0 PIM cards, AC power: SSG-140-SB
  SSG 140 with 512 MB memory, 0 PIM cards, AC power: SSG-140-SH

SSG 140 I/O Options (description: part number)
  1 Port ISDN BRI S/T PIM: JX-1BRI-ST-S
  2 Port E1 PIM with integrated CSU/DSU: JX-2E1-RJ48-S
  2 Port T1 PIM with integrated CSU/DSU: JX-2T1-RJ48-S
  2 Port Serial PIM: JX-2Serial-S
  1 Port ADSL 2/2 Annex A PIM: JX-1ADSL-A-S
  1 Port ADSL 2/2 Annex B PIM: JX-1ADSL-B-S
  1 Port G.SHDSL PIM: JX-2SHDSL-S
  6 Port SFP Gigabit Ethernet Universal PIM*: JXU-6GE-SFP-S
  1 Port SFP 100 Mbps or Gigabit Ethernet Universal PIM* (SFP sold separately): JXU-1SFP-S
  8 Port Gigabit Ethernet 10/100/1000 Copper Universal PIM*: JXU-8GE-TX-S
  16 Port Gigabit Ethernet 10/100/1000 Copper Universal PIM*: JXU-16GE-TX-S

Unified Threat Management/Content Security (High Memory Option Required)
  Antivirus (Anti-spyware, Anti-phishing)
  IPS (Deep Inspection)
  Anti-spam
  Web filtering
  Remote Office Bundle (AV, IPS, WF)
  Main Office Bundle (AV, IPS, WF, AS)
  Part WF-SSG140NS-RBO-CS-SSG140NS-SMB-CS-SSG140

* uPIMs are only supported in ScreenOS 6.0 or greater releases

SSG 140 Memory Upgrades, Spares and Communications Cables
  512 MB DIMM Memory upgrade
  Power Cable, Australia
  Power Cable, China
  Power Cable, Europe
  Power Cable, Italy
  Power Cable, Japan
  Power Cable, UK
  Power Cable, US
  Blank I/O plate
  EIA530 cable (DTE)
  RS232 cable (DTE)
  RS449 cable (DTE)
  V.35 cable (DTE)
  X.21 cable (DTE)
  Part TE

Note: The appropriate power cord is included based upon the sales order “Ship To” destination

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978.589.5800
Fax: 978.589.0800

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited
Building 1
Aviator Park
Station Road
Addlestone
Surrey, KT15 2PG, U.K.
Phone: 44.(0).1372.385500
Fax: 44.(0).1372.385501

ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd.
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

To purchase Juniper Networks solutions, please contact your Juniper Networks sales representative at 1-866-298-6428 or authorized reseller.

Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

100181-008 June 2008
