Juniper Networks SSG 140 Data Sheet - NH&A Fl

Transcription

Datasheet

Juniper Networks SSG 140

Portfolio Description

The Juniper Networks Secure Services Gateway 140 (SSG 140) is a purpose-built security appliance that delivers a perfect blend of performance, security, routing and LAN/WAN connectivity for medium sized branch offices and business deployments. Traffic flowing in and out of the branch office or business is protected from worms, spyware, trojans, and malware by a complete set of Unified Threat Management (UTM) security features that include stateful firewall, IP Security (IPSec) virtual private network (VPN), Intrusion Prevention System (IPS), antivirus (includes anti-spyware, anti-adware, anti-phishing), anti-spam and Web Filtering.

The SSG 140 is a high-performance security platform for branch offices and small/medium sized standalone businesses that want to stop internal and external attacks, prevent unauthorized access, and achieve regulatory compliance. The SSG 140 is a modular platform that delivers more than 350 Mbps of stateful firewall traffic and 100 Mbps of IPSec VPN traffic.

Security: Protection against viruses, SPAM, and emerging malware is delivered by proven Unified Threat Management (UTM) security features that are backed by best-in-class partners. To address internal security requirements and facilitate regulatory compliance, the SSG 140 supports an advanced set of network protection features such as security zones, virtual routers and VLANs that allow administrators to divide the network into distinct, secure domains, each with its own unique security policy. Policies protecting each security zone can include access control rules and inspection by any of the supported UTM security features.

Connectivity and Routing: The SSG 140 supports ten on-board interfaces (8 10/100 plus 2 10/100/1000) complemented by four I/O expansion slots that can house additional WAN interfaces (T1, E1, ISDN BRI S/T and Serial), making the SSG 140 the most extensible security platform in its class. This broad array of I/O options coupled with WAN protocol and encapsulation support in its routing engine make the SSG 140 a platform that can easily be deployed as a traditional branch office router or as a consolidated security and routing device to reduce CAPEX and OPEX.

Access Control Enforcement: The SSG 140 can act as an enforcement point in a Juniper Networks Unified Access Control deployment with the simple addition of the Infranet Controller. The Infranet Controller functions as a central policy management engine, interacting with the SSG 140 to augment or replace the firewall-based access control with a solution that grants/denies access based on more granular criteria that include endpoint state and user identity, in order to accommodate the dramatic shifts in attack landscape and user characteristics.

World Class Support: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment to its successful conclusion.

[Figure: The SSG 140 deployed at a branch office for secure Internet connectivity and site-to-site VPN to corporate headquarters. Internal branch office resources are protected with unique security policies for each security zone. Diagram labels: Zone A, Zone B, Branch Office, SSG 140, Internet, HQ.]

Features and Benefits

Feature: High performance
Feature Description: Purpose-built platform is assembled from custom-built hardware, powerful processing and a security-specific operating system.
Benefit: Delivers performance headroom required to protect against internal and external attacks now and into the future.

Feature: Best-in-class UTM security features
Feature Description: UTM security features (antivirus, anti-spam, Web filtering, IPS) stop all manner of viruses and malware before they damage the network.
Benefit: Ensures that the network is protected against all manner of attacks.

Feature: Integrated antivirus
Feature Description: Annually licensed antivirus engine, provided by Juniper, is based on Kaspersky Lab engine.
Benefit: Stops viruses, spyware, adware and other malware.

Feature: Integrated anti-spam
Feature Description: Annually licensed anti-spam offering, provided by Juniper, is based on Symantec technology.
Benefit: Blocks unwanted email from known spammers and phishers.

Feature: Integrated Web filtering
Feature Description: Annually licensed Web filtering solution, provided by Juniper, is based on SurfControl’s technology.
Benefit: Controls/blocks access to malicious Web sites.

Feature: Integrated IPS (Deep Inspection)
Feature Description: Annually licensed IPS engine.
Benefit: Prevents application-level attacks from flooding the network.

Feature: Fixed Interfaces
Feature Description: Eight fixed 10/100 interfaces and two 10/100/1000 interfaces, one USB port, one console port, and one auxiliary port.
Benefit: Provides high-speed LAN connectivity, future connectivity, and flexible management.

Feature: Network segmentation
Feature Description: Bridge groups, security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, wireless networks and regional servers or databases.*
Benefit: Powerful capabilities facilitate deploying security for various internal, external and DMZ sub-groups on the network, to prevent unauthorized access.

Feature: Robust routing engine
Feature Description: Proven routing engine supports OSPF, BGP and RIP v1/2 along with Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC.
Benefit: Enables the deployment of consolidated security and routing device, thereby lowering operational and capital expenditures.

Feature: High interface density
Feature Description: Eight 10/100 plus two 10/100/1000 interfaces plus a console and an Aux interface for management.
Benefit: Provides unmatched interface density when compared to competitive offerings.

Feature: Interface modularity
Feature Description: Four SSG 140 interface expansion slots support optional T1, E1, ISDN BRI S/T, ADSL2+, G.SHDSL and serial physical interface modules (PIMs), and 10/100/1000 and SFP universal PIMs (uPIMs).**
Benefit: Delivers LAN and WAN connectivity options on top of unmatched security to reduce costs and extend investment protection.

Feature: Management flexibility
Feature Description: Use any one of three mechanisms, CLI, WebUI or Juniper Networks NetScreen-Security Manager, to securely deploy, monitor and manage security policies.
Benefit: Enables management access from any location, eliminating on-site visits thereby improving response time and reducing operational costs.

Feature: Juniper Networks Unified Access Control enforcement point
Feature Description: Interacts with the centralized policy management engine (Infranet Controller) to enforce session-specific access control policies using criteria such as user identity, device security state, and network location.
Benefit: Improves security posture in a cost-effective manner by leveraging existing customer network infrastructure components and best-in-class technology.

Feature: World-class professional services
Feature Description: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment.
Benefit: Transforms the network infrastructure to ensure that it is secure, flexible, scalable and reliable.

Feature: Auto-Connect VPN
Feature Description: Automatically sets up and takes down VPN tunnels between spoke sites in a hub-and-spoke topology.
Benefit: Provides a scalable VPN solution for mesh architectures with support for latency-sensitive applications such as VoIP and video conferencing.

Product Options

Option: DRAM
Option Description: The SSG 140 is available with either 256 MB or 512 MB of DRAM.
Applicable Products: SSG 140

Option: Unified Threat Management/Content Security (high memory option required)
Option Description: The SSG 140 can be configured with any combination of the following best-in-class UTM and content security functionality: Antivirus (includes anti-spyware, anti-phishing), IPS (Deep Inspection), Web filtering, and/or anti-spam.
Applicable Products: SSG 140 high memory model only

Option: I/O options
Option Description: Four SSG 140 interface expansion slots support optional T1, E1, ISDN BRI S/T, ADSL2+, G.SHDSL and serial physical interface modules (PIMs), and 10/100/1000 and SFP universal PIMs (uPIMs).
Applicable Products: SSG 140

* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases
** uPIMs are only supported in ScreenOS 6.0 or greater releases

Specifications

Juniper Networks SSG 140

Maximum Performance and Capacity (1)
Minimum ScreenOS version support | ScreenOS 5.4
Firewall throughput (large packets) | 350 Mbps
Firewall throughput (IMIX) (2) | 300 Mbps
Firewall packets per second (64 byte) | 100,000 PPS
Advanced Encryption Standard (AES) 256 SHA-1 VPN throughput | 100 Mbps
3DES encryption SHA-1 VPN throughput | 100 Mbps
Maximum concurrent sessions | 32,000
New sessions/second | 8,000
Maximum security policies | 500
Maximum users supported | Unrestricted

Network Connectivity
Fixed I/O | 8x10/100, 2x10/100/1000
Physical Interface Module (PIM) slots | 4
Modular WAN/LAN interface options (PIMs/uPIMs) | 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T, SFP, 10/100/1000

Firewall
Network attack detection
DoS and DDoS protection
TCP reassembly for fragmented packet protection
Brute force attack mitigation
SYN cookie protection
Zone-based IP spoofing
Malformed packet sYes

User Authentication and Access Control
Built-in (internal) database user limit | 250
Third-party user authentication | RADIUS, RSA SecureID, LDAP
RADIUS Accounting | Yes – start/stop
XAUTH VPN authentication | Yes
Web-based authentication | Yes
802.1X authentication | Yes
Unified Access Control (UAC) enforcement point | Yes

PKI Support
PKI certificate requests (PKCS 7 and PKCS 10) | Yes
Automated certificate enrollment (SCEP) | Yes
Online Certificate Status Protocol (OCSP) | Yes
Certificate Authorities supported | Verisign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape) Baltimore, DOD PKI
Self signed certificates | Yes

Virtualization
Maximum number of security zones | 40
Maximum number of virtual routers | 3
Bridge groups* | Yes
Maximum number of VLANs | 100

Unified Threat Management (3)
IPS (Deep Inspection firewall)
Protocol anomaly detection
Stateful protocol signatures
IPS/DI attack pattern obfuscation
Antivirus
Signature database
Protocols t message AV
Anti-spam
Integrated URL filtering
External URL filtering (4)
Perfect forward secrecy (DH Groups)
Prevent replay attack
Remote access VPN
Layer 2 Tunneling Protocol (L2TP) within IPSec
IPSec Network Address Translation (NAT) traversal
Auto-Connect VPN
Redundant VPN gateways
Yes; Yes; Yes; Yes; Yes; 100,000; POP3, HTTP, SMTP, IMAP, FTP; Yes; Yes; Yes; Yes; Yes; Yes; Yes

Voice over IP (VoIP) Security
H.323 Application-level gateway (ALG) | Yes
SIP ALG | Yes
MGCP ALG | Yes
SCCP ALG | Yes
Network Address Translation (NAT) for VoIP protocols | Yes

IPSec VPN
Concurrent VPN tunnels | 125
Tunnel interfaces | 50
DES encryption (56-bit), 3DES encryption (168-bit) and AES (256-bit) | Yes
MD-5 and SHA-1 authentication | Yes
Manual key, Internet Key Exchange (IKE), public key infrastructure (PKI) (X.509) | Yes

Routing
BGP instances
BGP peers
BGP routes
OSPF instances
OSPF routes
RIPv1/v2 instances
RIP v2 routes
Static routes
Source-based routing
Policy-based routing
Equal-cost multipath (ECMP)
Multicast
Reverse Forwarding Path (RFP)
Internet Group Management Protocol (IGMP) (v1, v2)
IGMP Proxy
Protocol Independent Multicast (PIM) single mode
PIM source-specific multicast
Multicast inside IPSec sYesYesYes

Encapsulations
Point-to-Point Protocol (PPP) | Yes
Multilink Point-to-Point Protocol (MLPPP) | Yes
MLPPP max physical interfaces | 8
Frame relay | Yes
Multilink Frame Relay (MLFR) (FRF 15, FRF 16) | Yes
MLFR max physical interfaces | 8
HDLC | Yes

* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases

Mode of Operation
Layer 2 (transparent) mode (5) | Yes
Layer 3 (route and/or NAT) mode | Yes

Address Translation
Network Address Translation (NAT) | Yes
Port Address Translation (PAT) | Yes
Policy-based NAT/PAT | Yes
Mapped IP (MIP) | 1,000
Virtual IP (VIP) | 16
MIP/VIP Grouping | Yes

IP Address Assignment
Static | Yes
Dynamic Host Configuration Protocol (DHCP), Point-to-Point Protocol over Ethernet (PPPoE) client | Yes
Internal DHCP server | Yes
DHCP relay | Yes

Traffic Management Quality of Service (QoS)
Guaranteed bandwidth | Yes - per policy
Maximum bandwidth | Yes - per policy
Ingress traffic policing | Yes
Priority-bandwidth utilization | Yes
Differentiated Services marking | Yes - per policy

High Availability (HA)
Yes – up to 4 ve*
Active/passive
Configuration synchronization
Session synchronization for firewall and VPN
Session failover for routing change
Device failure detection
Link failure detection
Authentication for new HA members
Encryption of HA traffic
Yes; Yes; Yes; Yes; Yes; Yes; Yes; Yes; Yes

System Management
WebUI (HTTP and HTTPS) | Yes
Command line interface (console) | Yes
Command line interface (telnet) | Yes
Command line interface (SSH) | Yes – v1.5 and v2.0 compatible
NetScreen-Security Manager | Yes
All management via VPN tunnel on any interface | Yes
Rapid deployment | No

Administration
Local administrator database size | 20
External administrator database support | RADIUS, RSA SecureID, LDAP
Restricted administrative networks | 6
Root Admin, Admin, and Read Only user levels | Yes
Software upgrades | TFTP, WebUI, NSM, SCP, USB
Configuration roll-back | Yes

Logging/Monitoring
System log (multiple servers)
Email (2 addresses)
NetIQ WebTrends
SNMP (v2)
SNMP full custom MIB
Traceroute
VPN tunnel monitor

External Flash
Additional log storage | USB 1.1
Event logs and alarms | Yes
System configuration script | Yes
ScreenOS Software | Yes

Dimensions and Power
Dimensions (HxWxD) | 1.75” x 17.5” x 15” (4.45 cm x 44.45 cm x 38.1 cm)
Weight | 10.2 lbs (4.63 Kg)
Rack mountable | Yes, 1RU
Power supply (AC) | 100-240 VAC, AC Input line frequency 50 or 60 Hz, AC system current rating 2A
Maximum thermal output | 580 BTU/hour (170W)
Safety certifications | UL, CUL, CSA, CB
Electromagnetic compatibility (EMC) certifications | FCC class B, CE class B
Network Equipment Building System (NEBS) | No
Mean time between failures (MTBF) (Bellcore model) | 16 years

Security Certifications
Common Criteria: EAL4 and EAL4+ | No
FIPS 140-2: Level 2 | No
ICSA Firewall and VPN | Yes

Operating Environment
Operating temperature | 32 to 122 F, 0 to 50 C
Non-operating temperature | -4 to 158 F, -20 to 70 C
Humidity | 10% to 90% non-condensing

* Active/active HA is only available in ScreenOS 6.0 and greater releases

(1) Performance, capacity and features listed are based upon systems running ScreenOS 5.4 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and deployment.
(2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer’s network. The IMIX traffic used is made up of 58.33% 64 byte packets, 33.33% 570 byte packets, 8.33% 1518 byte packets of UDP traffic.
(3) UTM Security features (IPS/Deep Inspection, antivirus, anti-spam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM Security features.
(4) Redirect Web filtering sends traffic from the firewall to a secondary server. The redirect feature is free, however it does require the purchase of a separate Web filtering license from either Websense or SurfControl.
(5) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, active/active HA and IP address assignment are not available in layer 2 transparent mode.

IPS (Deep Inspection firewall) Signature Packs

Signature Packs provide the ability to tailor the attack protection to the specific deployment and/or attack type. The following Signature packs are available for the SSG 140.

Signature Pack: Base
Target Deployment: Branch offices, small/medium businesses
Defense Type: Client/server and worm protection
Type of Attack Object: Range of signatures and protocol anomalies

Signature Pack: Client
Target Deployment: Remote/branch offices
Defense Type: Perimeter defense, compliance for hosts (for example desktops)
Type of Attack Object: Attacks in the server-to-client direction

Signature Pack: Server
Target Deployment: Small/medium businesses
Defense Type: Perimeter defense, compliance for server infrastructure
Type of Attack Object: Attacks in the client-to-server direction

Signature Pack: Worm Mitigation
Target Deployment: Remote/branch offices of large enterprises
Defense Type: Most comprehensive defense against worm attacks
Type of Attack Object: Worms, trojans, backdoor attacks

Ordering Information

SSG 140
SSG 140 with 256 MB memory, 0 PIM cards, AC power | SSG-140-SB
SSG 140 with 512 MB memory, 0 PIM cards, AC power | SSG-140-SH

SSG 140 I/O Options
1 Port ISDN BRI S/T PIM | JX-1BRI-ST-S
2 Port E1 PIM with integrated CSU/DSU
2 Port T1 PIM with integrated CSU/DSU
2 Port Serial PIM
1 Port ADSL 2/2+ Annex A PIM
1 Port ADSL 2/2+ Annex B PIM
1 Port G.SHDSL PIM
6 Port SFP Gigabit Ethernet Universal PIM*
8 Port Gigabit Ethernet 10/100/1000 Copper Universal PIM*
16 Port Gigabit Ethernet 10/100/1000 Copper Universal PIM*
Part TX-S; JXU-16GE-TX-S

Unified Threat Management/Content Security (High Memory Option Required)
Antivirus (Anti-spyware, Anti-phishing)
IPS (Deep Inspection)
Anti-spam
Web filtering
Remote Office Bundle (AV, IPS, WF)
Main Office Bundle (AV, IPS, WF, AS)
Part WF-SSG140; NS-RBO-CS-SSG140; NS-SMB-CS-SSG140

SSG 140 Memory Upgrades, Spares and Communications Cables
512 MB DIMM Memory upgrade
Power Cable, Australia
Power Cable, China
Power Cable, Europe
Power Cable, Italy
Power Cable, Japan
Power Cable, UK
Power Cable, US
Blank I/O plate
EIA530 cable (DCE)
EIA530 cable (DTE)
RS232 cable (DCE)
RS232 cable (DTE)
RS449 cable (DCE)
RS449 cable (DTE)
V.35 cable (DCE)
V.35 cable (DTE)
X.21 cable (DCE)
X.21 cable (DTE)
Part E; JX-CBL-X21-DCE; JX-CBL-X21-DTE

* uPIMs are only supported in ScreenOS 6.0 or greater releases

Note: The appropriate power cord is included based upon the sales order “Ship To” destination

About Juniper Networks

Juniper Networks develops purpose-built, high-performance IP platforms that enable customers to support a wide variety of services and applications at scale. Service providers, enterprises, governments and research and education institutions rely on Juniper to deliver a portfolio of proven networking, security and application acceleration solutions that solve highly complex, fast-changing problems in the world’s most demanding networks. Additional information can be found at www.juniper.net.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978.589.5800
Fax: 978.589.0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd.
Suite 2507-11, 25/F
ICBC Tower
Citibank Plaza, 3 Garden Road
Central, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited
Building 1
Aviator Park
Station Road
Addlestone
Surrey, KT15 2PG, U.K.
Phone: 44.(0).1372.385500
Fax: 44.(0).1372.385501

Copyright 2007, Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

100181-004 Apr 2007
