Juniper Networks ISG Series Data Sheet

Transcription

Product Description

The Juniper Networks ISG 1000 and ISG 2000 are fully integrated firewall/VPN systems that provide:
- Multi-gigabit performance
- Modular architecture
- Rich virtualization capabilities

Juniper Networks Integrated Security Gateways (ISG) are suited to securing enterprise, carrier and data center environments where advanced applications such as voice over IP (VoIP) and streaming media demand consistent, scalable performance. The ISG 1000 and ISG 2000 are purpose-built security platforms that pair a fourth-generation security ASIC, the GigaScreen3, with high-speed microprocessors to deliver firewall and virtual private network (VPN) performance. Integrating firewall, VPN and optional Intrusion Detection and Prevention (IDP), they provide secure, reliable connectivity together with network- and application-level protection for critical, high-traffic network segments.

The ISG Series is intended for large enterprise, data center and service provider networks. The firewall/VPN system delivers security features including an Intrusion Prevention System (IPS), anti-spam, Web filtering and Internet Content Adaptation Protocol (ICAP) antivirus redirection. It can be expanded further with optionally integrated IDP, or licensed as a General Packet Radio Service (GPRS) firewall/VPN for mobile network service provider environments.

The modular architecture allows deployment with a wide variety of copper and fiber interface options. Traffic belonging to different trust levels can be segmented and isolated with virtual systems, virtual LANs and security zones, and multiple separate firewall inspection or routing policies can coexist on one device to simplify network design. Security policies can therefore be enforced on individual traffic streams, even in highly complex environments, without significant impact on the network itself.

Three deployment configurations are supported in a single system: firewall/VPN, firewall/VPN/IDP, and IDP only. The ISG 1000 supports up to two security modules; the ISG 2000 supports up to three. Each security module has its own dedicated processing and memory and incorporates hardware designed to accelerate IDP packet processing. Consolidating these functions reduces the number of separate security devices and management applications, simplifies deployment, and lowers cost.

The ISG Series with IDP uses the same software found on Juniper Networks IDP platforms, now fully integrated into Juniper Networks ScreenOS. ScreenOS is a purpose-built, hardened operating system; the IDP function can be deployed in either inline or TAP mode to protect perimeter deployments as well as internal networks. The IDP security module supports multi-method detection, combining eight detection mechanisms, including stateful signatures and protocol anomaly detection, to defend against worms, trojans, malware, spyware and attackers.

The ISG 1000 and ISG 2000 can be deployed in a number of configurations to protect both perimeter and internal network resources. In a mobile operator network, the GPRS variants are GPRS Tunneling Protocol (GTP) aware and fully support GTP functionality within virtual systems. The GPRS firewall/VPN can be deployed at the Gp interface between two Public Land Mobile Networks (PLMN), at the Gn interface between the SGSN and GGSN support nodes, and at the Gi interface between the GGSN and the Internet. In addition to countering availability threats, Denial of Service (DoS) attacks and malicious users, it can rate-limit GTP messages, throttle bandwidth-hungry applications that consume uplink/downlink capacity, and perform 3GPP R6 information element (IE) removal so that roaming between 2G and 3G networks keeps working.
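The GTP inspection described above (placement on Gp/Gn/Gi and R6 IE removal) is easiest to understand with a parser in hand. The following is an added example written for this page; it is not Juniper code and does not describe how ScreenOS implements the feature. It parses a GTPv1 control-plane message, rejects malformed ones (wrong version, a length field that overruns the buffer, truncated or unknown IEs), strips a configurable set of IE types, and rewrites the length field. The set of "R6" IE types, the fixed-length IE table (sizes taken from 3GPP TS 29.060) and the sample Create PDP Context Request are constructed for the example; the real device's removal list is a ScreenOS setting the datasheet does not show.

```python
"""GTPv1-C inspection with information element (IE) removal.

Added example for this page, not Juniper/ScreenOS code. Models the "3GPP
R6 IE removal" a GTP-aware firewall performs so that a peer on an older
release does not receive IEs it cannot handle. IE types to strip are assumed.
"""
import struct

# Payload sizes of fixed-length (TV) IEs, type < 128, per 3GPP TS 29.060.
# Types >= 128 are TLV with a 2-octet length. Unknown TV types are unparsable.
TV_LENGTHS = {
    1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 8: 1, 9: 28, 11: 1, 12: 3, 13: 1, 14: 1,
    15: 1, 16: 4, 17: 4, 18: 5, 19: 1, 20: 1, 21: 1, 22: 9, 23: 1, 24: 1,
    25: 2, 26: 2, 27: 2, 28: 2, 29: 1, 127: 4,
}
# Assumed "Release 6" IEs for the demo: RAT Type (186), MS Time Zone (188).
R6_IE_TYPES = frozenset({186, 188})


def parse_gtpv1(msg: bytes):
    """Return (header_bytes, message_type, [(ie_type, raw_ie), ...]).
    Raises ValueError on anything malformed; a firewall should drop those."""
    if len(msg) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, _teid = struct.unpack("!BBHI", msg[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 message")
    end = 8 + length
    if len(msg) < end:
        raise ValueError("length field exceeds message")
    off = 8
    if flags & 0x07:  # E, S or PN bit: 4 optional header octets follow
        if end < 12:
            raise ValueError("optional header fields truncated")
        if msg[11]:  # next-extension-header type: not handled here, so reject
            raise ValueError("extension headers not supported")
        off = 12
    header, ies = msg[:off], []
    while off < end:
        ie_type = msg[off]
        if ie_type < 128:
            if ie_type not in TV_LENGTHS:
                raise ValueError(f"unknown TV IE type {ie_type}")
            size = 1 + TV_LENGTHS[ie_type]
        else:
            if off + 3 > end:
                raise ValueError("TLV IE header truncated")
            size = 3 + struct.unpack("!H", msg[off + 1:off + 3])[0]
        if off + size > end:
            raise ValueError(f"IE type {ie_type} overruns message")
        ies.append((ie_type, msg[off:off + size]))
        off += size
    return header, msg_type, ies


def strip_ies(msg: bytes, remove_types):
    """Drop IEs whose type is in remove_types; return (new_msg, removed_types)."""
    header, _, ies = parse_gtpv1(msg)
    removed = [t for t, _ in ies if t in remove_types]
    body = b"".join(raw for t, raw in ies if t not in remove_types)
    # Length counts every octet after the 8 mandatory ones, optional fields included.
    new_len = (len(header) - 8) + len(body)
    return header[:2] + struct.pack("!H", new_len) + header[4:] + body, removed


def is_malformed(msg: bytes) -> bool:
    """True if the inspection above would drop msg."""
    try:
        parse_gtpv1(msg)
    except ValueError:
        return True
    return False


def _tv(t, payload):   # fixed-length IE
    return bytes([t]) + payload


def _tlv(t, payload):  # type-length-value IE
    return bytes([t]) + struct.pack("!H", len(payload)) + payload


def build_sample_request() -> bytes:
    """Constructed Create PDP Context Request (type 16); not a real capture."""
    ies = b"".join([
        _tv(2, bytes.fromhex("0921436587f9ffff")),  # IMSI (TBCD, made up)
        _tv(14, b"\x01"),                            # Recovery
        _tv(15, b"\x00"),                            # Selection Mode
        _tv(16, b"\x00\x00\x10\x01"),                # TEID Data I
        _tv(17, b"\x00\x00\x20\x01"),                # TEID Control Plane
        _tv(20, b"\x05"),                            # NSAPI
        _tlv(128, b"\xf1\x21"),                      # End User Address (IPv4)
        _tlv(131, b"\x08internet"),                  # APN
        _tlv(186, b"\x01"),                          # RAT Type (UTRAN), assumed R6
        _tlv(188, b"\x00\x00"),                      # MS Time Zone, assumed R6
    ])
    flags = 0x32  # version 1, PT=1 (GTP), S bit: sequence number present
    header = struct.pack("!BBHI", flags, 16, 4 + len(ies), 0)
    return header + struct.pack("!HBB", 1, 0, 0) + ies  # seq 1, N-PDU 0, no ext
```

Calling `strip_ies(build_sample_request(), R6_IE_TYPES)` returns a 54-octet message (down from 63) with the two assumed R6 IEs removed and the header length field rewritten to 46, while `is_malformed` returns True for a truncated copy or for a TLV whose length runs past the message. The design choice worth noting is fail-closed parsing: anything the inspector cannot account for (unknown fixed-length types, extension headers, overruns) is rejected rather than forwarded, which is the behaviour you want from a GTP firewall sitting between two operators on Gp.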

Features and Benefits

Purpose-built platform
  Description: Dedicated, security-specific processing hardware and software platform.
  Benefit: Delivers the performance required to protect high-speed LAN environments.

Predictable performance
  Description: ASIC-based architecture provides linear performance for all packet sizes at multi-gigabit speeds.
  Benefit: Ensures low latency for sensitive applications such as VoIP and streaming media.

System and network resiliency
  Description: Hardware component redundancy, multiple high availability options and route-based VPNs.
  Benefit: Provides the reliability required for high-speed network deployments.

Best-in-class network security features
  Description: Embedded Web filtering, anti-spam, IPS, ICAP antivirus redirect and optionally integrated IDP.
  Benefit: Additional security features backed by security partners such as Symantec and SurfControl.

Interface flexibility
  Description: Modular architecture enables deployment with a wide variety of copper and fiber interface options.
  Benefit: Simplifies network integration and helps reduce the cost of future network upgrades.

Network segmentation
  Description: Security zones, virtual LANs and virtual routers allow administrators to deploy security policies that isolate guests, wireless networks, and regional servers or databases.
  Benefit: Facilitates deploying security for internal, external and DMZ sub-groups on the network to prevent unauthorized access.

Centralized management
  Description: Centralized management of Juniper Networks firewall and IDP products through NetScreen-Security Manager (NSM).
  Benefit: Tight integration across multiple platforms enables simple, intuitive network-wide security management.

Robust routing engine
  Description: Proven routing engine supports OSPF, BGP and RIP v1/v2 along with Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC.
  Benefit: Enables a consolidated security and routing device, lowering operational and capital expenditures.

Comprehensive threat protection
  Description: Dedicated processing modules provide multi-gigabit firewall/VPN/IDP capability in a single solution.
  Benefit: Protects high-speed networks against a broad range of attacks.

World-class professional services
  Description: From lab testing to major network implementations, Juniper Networks Professional Services collaborates with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment.
  Benefit: Transforms the network infrastructure so that it is secure, flexible, scalable and reliable.

Product Options

Integrated anti-spam (ISG 1000 and ISG 2000)
  Blocks unwanted email from known spammers and phishers using an annually licensed anti-spam offering based on Symantec technology.

Integrated IPS (Deep Inspection) (ISG 1000 and ISG 2000)
  Prevents application-level attacks from flooding the network using a combination of stateful signatures and protocol anomaly detection. IPS is annually licensed.

Integrated Web filtering (ISG 1000 and ISG 2000)
  Blocks access to malicious Web sites using the annually licensed Web filtering solution based on SurfControl technology.

ICAP antivirus redirect (ISG 1000 and ISG 2000)
  ICAP antivirus content redirection allows a third-party, large-enterprise antivirus solution to be used at the perimeter.

Optionally integrated IDP (ISG 1000 and ISG 2000)
  Dedicated IDP security modules enable high-speed packet inspection. Adding full IDP functionality requires no network changes and helps protect against layer 4-7 attacks, including zero-day exploits, worms, trojans and spyware. Additional hardware and a system upgrade are required.

GPRS firewall/VPN for mobile networks (ISG 1000 and ISG 2000)
  Stateful firewalling and filtering for GPRS networks that mitigate a wide variety of attacks on the Gp, Gn and Gi interfaces, protecting key nodes within the mobile operator's network. Additional license required.

Specifications

Values are for systems running ScreenOS 6.0 (see note 1). Where the transcription dropped a value, the cell reads "—".

Maximum Performance and Capacity (1)

                                          ISG 1000          ISG 2000
Minimum ScreenOS version supported        ScreenOS 6.0      ScreenOS 6.0
Firewall performance (large packets)      1 Gbps            4 Gbps
Firewall performance (small packets)      1 Gbps            2 Gbps
Firewall packets per second (64 byte)     1.5 M pps         3 M pps
AES-256 / SHA-1 VPN performance           1 Gbps            2 Gbps
3DES / SHA-1 VPN performance              1 Gbps            2 Gbps
Maximum concurrent sessions (3)           500,000           1,000,000
New sessions/second                       20,000            23,000
Maximum security policies                 10,000            30,000
Maximum users supported                   Unrestricted      Unrestricted

Network Connectivity

                                          ISG 1000          ISG 2000
Fixed I/O                                 4 x 10/100/1000   —
Interface expansion slots                 2                 4
LAN interface options                     Up to 8 mini-GBIC (SX, LX or TX), up to 8 x 10/100/1000, up to 20 x 10/100
                                                            Up to 16 mini-GBIC (SX, LX or TX), up to 8 x 10/100/1000, up to 28 x 10/100

Firewall (listed for both models)

- Network attack detection
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) protection
- TCP reassembly for fragmented packet protection
- Brute force attack mitigation
- SYN cookie protection
- Zone-based IP spoofing protection
- Malformed packet protection

Integrated IPS (Optional Integrated IDP) (2)(10)

Identical on both models.

Stateful protocol signatures                                   Yes
Attack detection mechanisms                                    Stateful signatures, traffic anomaly detection,
                                                               protocol anomaly detection (zero-day coverage),
                                                               backdoor detection
Attack response mechanisms                                     Drop connection, close connection, session packet log,
                                                               session summary, email, custom
Attack notification mechanisms                                 Session packet log, session summary, email, SNMP,
                                                               system log, WebTrends
Worm protection                                                Yes
Simplified installation through recommended policies           Yes
Trojan protection                                              Yes
Spyware/adware/keylogger protection                            Yes
Other malware protection                                       Yes
Protection against attack proliferation from infected systems  Yes
Reconnaissance protection                                      Yes
Request- and response-side attack protection                   Yes
Compound attacks (stateful signatures combined with
  protocol anomalies)                                          Yes
Create custom attack signatures                                Yes
Access contexts for customization                              500
Attack editing (port range, etc.)                              Yes
Stream signatures                                              Yes
Protocol thresholds                                            Yes
Approximate number of attacks covered                          5,000 *
Detailed threat descriptions and remediation/patch info        Yes
Enterprise security profiler                                   Yes
Create and enforce appropriate application usage policies      Yes
Attacker and target audit trail and reporting                  Yes
Deployment modes                                               In-line or in-line TAP
Frequency of updates                                           Daily and emergency

* As of March 2007 there were 5,148 signatures, with approximately 10 new signatures added every week.

Unified Threat Management / Content Security (5)

Listed for both models:
- Deep Inspection signature packs (4)
- IPS (Deep Inspection firewall) (4)
- Protocol anomaly detection
- Stateful protocol signatures
- IPS/Deep Inspection attack pattern obfuscation
- ICAP antivirus redirection
- Anti-spam
- Integrated URL filtering
- External URL filtering (6)

Voice over IP (VoIP) Security

Listed for both models:
- H.323 ALG
- SIP ALG
- MGCP ALG
- SCCP ALG
- NAT for VoIP protocols

GPRS Security (10)

                                          ISG 1000          ISG 2000
GTP tunnels (7)                           200,000           300,000
GTP packet inspection                     Yes               Yes

IPSec VPN

                                          ISG 1000          ISG 2000
Concurrent VPN tunnels (8)                2,000             10,000
Tunnel interfaces (8)                     Up to 512         Up to 1,024
DES (56-bit), 3DES (168-bit) and
  AES (256-bit)                           Yes               Yes
MD5 and SHA-1 authentication              Yes               Yes
Manual key, IKE, PKI (X.509)              Yes               Yes
Perfect forward secrecy (DH groups)       1, 2, 5           1, 2, 5
Replay attack prevention                  Yes               Yes
Remote access VPN                         Yes               Yes
L2TP within IPSec                         Yes               Yes
IPSec NAT traversal                       Yes               Yes
Redundant VPN gateways                    Yes               Yes

User Authentication and Access Control

                                          ISG 1000          ISG 2000
Built-in (internal) database user
  limit (8)                               50,000            50,000
Third-party user authentication           RADIUS, RSA SecurID, LDAP     RADIUS, RSA SecurID, LDAP
RADIUS accounting                         Yes (start/stop)  Yes (start/stop)
XAUTH VPN authentication                  Yes               Yes
Web-based authentication                  Yes               Yes
802.1X authentication                     Yes               Yes
Unified Access Control enforcement point  Yes               Yes

PKI Support

                                          ISG 1000          ISG 2000
PKI certificate requests (PKCS #7 and
  PKCS #10)                               Yes               Yes
Automated certificate enrollment (SCEP)   Yes               Yes
Online Certificate Status Protocol (OCSP) Yes               Yes
Certificate Authorities supported         VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI (both models)
Self-signed certificates                  Yes               Yes

Virtualization (10)

                                          ISG 1000                          ISG 2000
Maximum number of virtual systems         0 default, upgradeable to 50      0 default, upgradeable to 250
Maximum number of security zones          20 default, upgradeable to 120    26 default, upgradeable to 526
Maximum number of virtual routers         3 default, upgradeable to 53      3 default, upgradeable to 253
Maximum number of VLANs                   1,000                             2,000

Routing

                                          ISG 1000          ISG 2000
BGP instances                             8                 64
BGP peers                                 128               128
BGP routes                                10,000            20,000
OSPF instances                            8                 8
OSPF routes                               4,096             6,000
RIP v1/v2 instances                       Up to 12          Up to 50
RIP v2 table size                         —                 —
Dynamic routing                           Yes               Yes

Also listed for both models: static routes, source-based routing, policy-based routing, ECMP, multicast, Reverse Path Forwarding (RPF), IGMP (v1, v2), IGMP proxy, PIM SM, PIM SSM, multicast inside IPSec tunnel.

IPv6

                                                     ISG 1000   ISG 2000
Dual stack IPv4/IPv6 firewall and VPN                Yes        Yes
IPv4 to/from IPv6 translations and encapsulations    Yes        Yes
Virtualization (VSYS, security zones, VR, VLAN)      Yes        Yes
RIPng                                                Yes        Yes

Mode of Operation

                                          ISG 1000          ISG 2000
Layer 2 (transparent) mode (7)            Yes               Yes
Layer 3 (route and/or NAT) mode           Yes               Yes

Address Translation

                                          ISG 1000          ISG 2000
Network Address Translation (NAT)         Yes               Yes
Port Address Translation (PAT)            Yes               Yes
Policy-based NAT/PAT                      Yes               Yes
Mapped IP (MIP)                           4,096             8,192
Virtual IP (VIP) (9)                      8                 8
MIP/VIP grouping                          Yes               Yes

IP Address Assignment

                                          ISG 1000          ISG 2000
Static                                    Yes               Yes
DHCP client / PPPoE client                Yes / No          No / No
Internal DHCP server                      Yes               No
DHCP relay                                Yes               Yes

Traffic Management / Quality of Service (QoS)

                                          ISG 1000                           ISG 2000
Maximum bandwidth                         Yes, per physical interface only   Yes, per physical interface only
Jumbo frames                              Yes (11)                           Yes (11)
DiffServ marking                          Yes, per policy                    Yes, per policy

High Availability (HA)

Listed for both models:
- Active/Active
- Active/Passive
- Configuration synchronization
- Session synchronization for firewall and VPN
- Session failover for routing change
- Device failure detection
- Link failure detection
- Authentication for new HA members
- Encryption of HA messages

System Management

Listed for both models:
- WebUI (HTTP and HTTPS)
- Command line interface (console)
- Command line interface (telnet)
- Command line interface (SSH)
- NetScreen-Security Manager (NSM)
- All management via VPN tunnel on any interface
- Rapid deployment

Administration

                                          ISG 1000          ISG 2000
Local administrator database size         256               256
External administrator database support   RADIUS, LDAP      RADIUS, LDAP
Restricted administrative networks        Yes               Yes
Root Admin, Admin and Read Only
  user levels                             Yes               Yes
Software upgrades                         Yes               Yes
Configuration rollback                    Yes               Yes

Logging/Monitoring

Listed for both models:
- Syslog (multiple servers)
- Email (two addresses)
- NetIQ WebTrends
- SNMP (v2)
- SNMP full/custom MIB
- Traceroute
- VPN tunnel monitoring

External Flash

                                          ISG 1000                                        ISG 2000
Additional log storage                    Supports 128 or 512 MB industrial-grade SanDisk   Supports 128 or 512 MB industrial-grade SanDisk
Event logs and alarms                     Yes                                             Yes
System configuration script               Yes                                             Yes
ScreenOS software                         Yes                                             Yes

Dimensions and Power

                                          ISG 1000                               ISG 2000
Dimensions (H x W x D)                    5.25 x 17.5 x 17.3 in                  5.25 x 17.5 x 23 in
                                          (133 x 445 x 439 mm)                   (133 x 445 x 439 mm, as transcribed)
Weight                                    30 lb (14 kg)                          50 lb (23 kg)
Rack mountable                            Yes, 3U                                Yes, 3U
Power supply (AC)                         Single, field upgradeable              Dual, redundant
Power supply (DC)                         Single, field upgradeable              Dual, redundant
Maximum thermal output                    444 BTU/hour (approx. 130 W)           537 BTU/hour (approx. 157 W)

Certifications

                                          ISG 1000 and ISG 2000
Safety certifications                     UL, CUL, CSA, CB
EMC certifications                        FCC Class A, CE Class A, C-Tick, VCCI Class A
NEBS                                      Yes
MTBF (Bellcore model)                     7.6 years

Security Certifications

                                          ISG 1000          ISG 2000
Common Criteria EAL4 and EAL4+            Yes               Yes
FIPS 140-2 Level 2                        Pending           Pending
ICSA Firewall and VPN                     Yes               Yes

Operating Environment

                                          ISG 1000 and ISG 2000
Operating temperature                     32 to 122 F (0 to 50 C)
Non-operating temperature                 -4 to 158 F (-20 to 70 C)
Humidity                                  10 to 90% non-condensing

Notes

(1) Performance, capacity and features listed are based on systems running ScreenOS 6.0 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary by ScreenOS release and by deployment.
(2) Additional IDP license and hardware upgrade required.
(3) Concurrent sessions listed are maximums with the optional IDP upgrade. Without the optional IDP upgrade, the firewall/VPN concurrent session maximums are 250,000 for the ISG 1000 and 500,000 for the ISG 2000.
(4) IPS (Deep Inspection firewall) is automatically disabled when optionally integrated IDP is installed.
(5) Security features (IPS/Deep Inspection, anti-spam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support.
(6) Redirect Web filtering sends traffic to a secondary server and therefore requires a separate Web filtering license from either Websense or SurfControl.
(7) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA and IP address assignment are not available in layer 2 transparent mode.
(8) Shared among all virtual systems.
(9) Not available with virtual systems.
(10) Additional license required.
(11) Requires 4-port mini-GBIC modules: NS-ISG-SX4, NS-ISG-LX4 or NS-ISG-TX4.

Ordering Information

Part numbers are given where the transcription preserved them; a leading "..." marks a part number that was cut off.

ISG 1000 Systems
- NS-ISG-1000 system (includes AC power supply, no I/O cards)
- NS-ISG-1000 system (includes DC power supply, no I/O cards)
- NS-ISG-1000 Baseline system (includes AC power supply, no I/O cards)
- NS-ISG-1000 Baseline system (includes DC power supply, no I/O cards): ...1000B-DC

ISG 1000 Software Options
- VSYS upgrade 0 to 5
- VSYS upgrade 5 to 10
- VSYS upgrade 10 to 25: ...1000-VSYS-25
- VSYS upgrade 25 to 50: NS-ISG-1000-VSYS-50
- GPRS firewall/VPN license: NS-ISG-1000-GKT

ISG 2000 Systems
- NS-ISG-2000 system (includes AC power supplies, no I/O cards)
- NS-ISG-2000 system (includes DC power supplies, no I/O cards)
- NS-ISG-2000 Baseline system (includes AC power supplies, no I/O cards)
- NS-ISG-2000 Baseline system (includes DC power supplies, no I/O cards): ...2000B-DC

ISG 2000 Software Options
- VSYS upgrade 0 to 5
- VSYS upgrade 5 to 25
- VSYS upgrade 25 to 50
- VSYS upgrade 50 to 100
- VSYS upgrade 100 to 250: ...50
- GPRS firewall/VPN license: NS-ISG-2000-GKT

Integrated IDP Upgrades
- Security module for IDP on ISG 1000 and ISG 2000 systems
- IDP upgrade kit for ISG 1000 system, including IDP license key, additional memory and 5-device NSM
- IDP upgrade kit for ISG 2000 system, including IDP license key, additional memory and 5-device NSM

ISG 1000 and ISG 2000 I/O Modules
- I/O Module, 2-port mini-GBIC SX
- I/O Module, 2-port mini-GBIC LX
- I/O Module, 4-port mini-GBIC SX: NS-ISG-SX4 (see note 11)
- I/O Module, 4-port mini-GBIC LX: NS-ISG-LX4 (see note 11)
- I/O Module, 4-port mini-GBIC TX: NS-ISG-TX4 (see note 11)
- I/O Module, 4-port 10/100 Fast Ethernet: NS-ISG-FE4
- I/O Module, 8-port 10/100 Fast Ethernet: NS-ISG-FE8
- I/O Module, 2-port 10/100/1000 Gigabit Ethernet: NS-ISG-TX2

ISG 1000 and ISG 2000 Spares
- SX transceiver (mini-GBIC)
- LX transceiver (mini-GBIC)
- ISG 1000 AC power supply
- ISG 1000 DC power supply
- ISG 2000 AC power supply
- ISG 2000 D (entry cut off in the transcription)
