SSG140 Secure Services Gateway - DHK

Transcription

DATASHEET

SSG140 Secure Services Gateway

Product Overview

The SSG140 Secure Services Gateway is a purpose-built security appliance that combines performance, security, routing and LAN/WAN connectivity for medium sized branch offices and business deployments. Traffic flowing in and out of the branch office or business is protected from worms, spyware, trojans and malware by a set of Unified Threat Management security features that includes stateful firewall, IPsec VPN, Intrusion Prevention System (IPS), antivirus (including anti-spyware, anti-adware and anti-phishing), anti-spam and Web filtering.

Product Description

The Juniper Networks SSG140 Secure Services Gateway is a high-performance security platform for branch offices and small/medium sized standalone businesses that want to stop internal and external attacks, prevent unauthorized access, and achieve regulatory compliance. The SSG140 is a modular platform that delivers more than 350 Mbps of stateful firewall traffic and 100 Mbps of IPsec VPN traffic (see the Specifications section and footnote (1) for the test conditions behind these figures).

Security: Protection against worms, viruses, trojans, spam and emerging malware is delivered by Unified Threat Management (UTM) security features built on partner engines (listed under Features and Benefits). To address internal security requirements and facilitate regulatory compliance, the SSG140 supports network protection features such as security zones, virtual routers and VLANs that allow administrators to divide the network into distinct, secure domains, each with its own security policy. Policies protecting each security zone can include access control rules and inspection by any of the supported UTM security features.

Connectivity and Routing: The SSG140 supports ten on-board interfaces (eight 10/100 plus two 10/100/1000) complemented by four I/O expansion slots that can house additional WAN interfaces (T1, E1, ISDN BRI S/T and Serial), making the SSG140 the most extensible security platform in its class. This broad array of I/O options, coupled with WAN protocol and encapsulation support in its routing engine, makes the SSG140 a platform that can be deployed as a traditional branch office router or as a consolidated security and routing device to reduce CAPEX and OPEX.

Access Control Enforcement: The SSG140 can act as an enforcement point in a Juniper Networks Unified Access Control (UAC) deployment with the addition of the Infranet Controller. The Infranet Controller functions as a central policy management engine, interacting with the SSG140 to augment or replace firewall-based access control with a solution that grants or denies access based on more granular criteria, including endpoint state and user identity, to accommodate shifts in the attack landscape and user characteristics.

World Class Support: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment to its successful conclusion.

[Figure: branch office SSG140 with security Zone A and Zone B, connected across the Internet (WWW) to headquarters M7i and ISG2000 devices.] The SSG140 deployed at a branch office for secure Internet connectivity and site-to-site VPN to corporate headquarters. Internal branch office resources are protected with unique security policies for each security zone.

Features and Benefits

High performance
  Feature description: Purpose-built platform assembled from custom-built hardware, powerful processing and a security-specific operating system.
  Benefit: Delivers the performance headroom required to protect against internal and external attacks now and into the future.

Best-in-class UTM security features
  Feature description: UTM security features (antivirus, anti-spam, Web filtering, IPS) stop viruses and malware before they damage the network; detection relies on the signature sets delivered through the annual subscriptions (see footnote (3) in the Specifications).
  Benefit: Protects the network against the classes of attack covered by the subscribed signature sets.

Integrated antivirus
  Feature description: Annually licensed antivirus engine, provided by Juniper, based on the Kaspersky Lab engine.
  Benefit: Stops viruses, spyware, adware and other malware.

Integrated anti-spam
  Feature description: Annually licensed anti-spam offering, provided by Juniper, based on Symantec technology.
  Benefit: Blocks unwanted email from known spammers and phishers.

Integrated Web filtering
  Feature description: Annually licensed Web filtering solution, provided by Juniper, based on SurfControl's technology.
  Benefit: Controls/blocks access to malicious Web sites.

Integrated IPS (Deep Inspection)
  Feature description: Annually licensed IPS engine.
  Benefit: Prevents application-level attacks from flooding the network.

Fixed interfaces
  Feature description: Eight fixed 10/100 interfaces and two 10/100/1000 interfaces, one USB port, one console port, and one auxiliary port.
  Benefit: Provides high-speed LAN connectivity, future connectivity, and flexible management.

Network segmentation
  Feature description: Bridge groups, security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, wireless networks and regional servers or databases.*
  Benefit: Facilitates deploying security for internal, external and DMZ sub-groups on the network, to prevent unauthorized access.

Robust routing engine
  Feature description: Proven routing engine supports OSPF, BGP and RIP v1/2 along with Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC.
  Benefit: Enables the deployment of a consolidated security and routing device, thereby lowering operational and capital expenditures.

High interface density
  Feature description: Eight 10/100 plus two 10/100/1000 interfaces plus a console and an Aux interface for management.
  Benefit: Provides unmatched interface density when compared to competitive offerings.

Interface modularity
  Feature description: Four SSG140 interface expansion slots support optional T1, E1, ISDN BRI S/T, ADSL2, G.SHDSL and serial physical interface modules (PIMs), and 10/100/1000 and SFP universal PIMs (uPIMs).**
  Benefit: Delivers LAN and WAN connectivity options on top of the security features to reduce costs and extend investment protection.

Management flexibility
  Feature description: Use any one of three mechanisms, CLI, WebUI or Juniper Networks Network and Security Manager (NSM), to securely deploy, monitor and manage security policies.
  Benefit: Enables management access from any location, eliminating on-site visits, thereby improving response time and reducing operational costs.

Juniper Networks Unified Access Control enforcement point
  Feature description: Interacts with the centralized policy management engine (Infranet Controller) to enforce session-specific access control policies using criteria such as user identity, device security state, and network location.
  Benefit: Improves security posture in a cost-effective manner by leveraging existing customer network infrastructure components and best-in-class technology.

World-class professional services
  Feature description: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment.
  Benefit: Transforms the network infrastructure to ensure that it is secure, flexible, scalable and reliable.

Auto-Connect VPN
  Feature description: Automatically sets up and takes down VPN tunnels between spoke sites in a hub-and-spoke topology.
  Benefit: Provides a scalable VPN solution for mesh architectures with support for latency-sensitive applications such as VoIP and video conferencing.

* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases.
** uPIMs are only supported in ScreenOS 6.0 or greater releases.
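The segmentation, routing, VPN and management features listed above translate into a short ScreenOS configuration. The following is an added example written for this page, not configuration from Juniper or from the datasheet. The interface names, zone and address names, the RFC 1918 and RFC 5737 addresses, the HQ peer and the pre-shared key placeholder are all assumed, and the command syntax is ScreenOS 6.x CLI as recalled here, so check it against the ScreenOS CLI reference for the release in use before pasting. The lines beginning with `#` are annotations for the reader, not CLI input. The example keeps guest traffic in its own zone and its own virtual router so the guest routing table never contains the corporate LAN, carries the guest VLAN on a tagged subinterface, enables the SYN-flood, IP-spoofing and malformed-packet screens the datasheet lists, builds the site-to-site tunnel to headquarters with the strongest algorithms in the spec table (AES-256, SHA-1, DH group 5 with PFS) rather than the DES and MD5 options it also lists, and restricts management to SSH v2 from the LAN with logs shipped to an external syslog server.

```screenos
# Security zones and virtual routers (assumed names; the datasheet maxima are 40 zones, 6 VRs)
set vrouter name "guest-vr"
set zone name "Guest"
set zone "Guest" vrouter "guest-vr"
set zone "Guest" block                  # also deny guest-to-guest traffic within the zone

# Interfaces (assumed addressing: RFC 1918 inside, RFC 5737 documentation range outside)
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 192.0.2.2/24
set interface ethernet0/1 zone "Trust"
set interface ethernet0/1 ip 10.1.10.1/24
set interface ethernet0/1 nat           # NAT mode: LAN sources are translated to the egress interface
set interface ethernet0/1.20 tag 20 zone "Guest"   # guest VLAN 20 on a tagged subinterface
set interface ethernet0/1.20 ip 10.1.20.1/24
set interface ethernet0/1.20 nat

# Firewall screens on the Internet-facing zone
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing   # zone-based anti-spoofing: source must route back out the ingress zone
set zone "Untrust" screen ping-death
set zone "Untrust" screen tear-drop
set zone "Untrust" screen land
set flow syn-proxy syn-cookie           # answer floods with SYN cookies instead of proxying state

# Route-based site-to-site IPsec to HQ (peer address and HQ prefix are assumed)
set ike p1-proposal "p1-aes256-sha-g5" preshare group5 esp aes256 sha-1 second 28800
set ike p2-proposal "p2-aes256-sha-g5" group5 esp aes256 sha-1 second 3600
set ike gateway "hq-gw" address 203.0.113.10 Main outgoing-interface "ethernet0/0" preshare "REPLACE-WITH-LONG-RANDOM-PSK" proposal "p1-aes256-sha-g5"
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn "hq-vpn" gateway "hq-gw" replay tunnel idletime 0 proposal "p2-aes256-sha-g5"
set vpn "hq-vpn" bind interface tunnel.1
set vpn "hq-vpn" monitor rekey          # VPN tunnel monitor: detect a dead peer and re-key

# Routing: default route and the HQ prefix live in trust-vr; guest-vr knows only the way
# to trust-vr, and trust-vr knows only that the guest subnet sits behind guest-vr
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.0.2.1
set route 10.100.0.0/16 interface tunnel.1
set route 10.1.20.0/24 vrouter "guest-vr"
exit
set vrouter "guest-vr"
set route 0.0.0.0/0 vrouter "trust-vr"
exit

# Address objects and policies. Inter-zone traffic is denied unless a policy permits it,
# so the Guest->Trust deny exists only to log attempts. Policies are matched top-down.
set address "Trust" "branch-lan" 10.1.10.0 255.255.255.0
set address "Guest" "guest-net" 10.1.20.0 255.255.255.0
set address "Untrust" "hq-lan" 10.100.0.0 255.255.0.0
set policy id 1 from "Guest" to "Untrust" "guest-net" "Any" "HTTP" permit log
set policy id 2 from "Guest" to "Untrust" "guest-net" "Any" "HTTPS" permit log
set policy id 3 from "Guest" to "Untrust" "guest-net" "Any" "DNS" permit
set policy id 4 from "Guest" to "Trust" "Any" "Any" "ANY" deny log
set policy id 5 from "Trust" to "Untrust" "branch-lan" "Any" "ANY" permit log
# HQ traffic enters through tunnel.1 (Untrust zone); a cleartext packet on ethernet0/0
# claiming an hq-lan source is dropped by the ip-spoofing screen because 10.100/16 routes to tunnel.1
set policy id 6 from "Untrust" to "Trust" "hq-lan" "branch-lan" "ANY" permit log

# Management: SSH v2 only, nothing on the Internet-facing interface, admin sources limited
# to the LAN (the datasheet allows 6 such networks), logs to an external syslog server
set ssh version v2
set ssh enable
unset interface ethernet0/0 manage telnet
unset interface ethernet0/0 manage web
unset interface ethernet0/0 manage ssl
unset interface ethernet0/0 manage ssh
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage ssl
set admin manager-ip 10.1.10.0 255.255.255.0
set syslog config "10.1.10.50" facilities local0 local0
set syslog config "10.1.10.50" log all
set syslog enable
save
```

Two design points worth noting. Putting the guest zone in a second virtual router, rather than only a second zone, means a misconfigured or missing policy cannot leak corporate prefixes to guests: guest-vr has one route, pointing at trust-vr, and trust-vr returns only the guest subnet. The HQ tunnel is route-based (tunnel.1 plus a static route) rather than policy-based, so the same zone policies that govern the LAN govern VPN traffic, and the ip-spoofing screen plus the route to tunnel.1 prevent an Internet host from impersonating an HQ address.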

Product Options

DRAM
  Description: The SSG140 is available with either 256 MB or 512 MB of DRAM.
  Applicable products: SSG140

Unified Threat Management/Content Security (high memory option required)
  Description: The SSG140 can be configured with any combination of the following UTM and content security functionality: antivirus (includes anti-spyware, anti-phishing), IPS (Deep Inspection), Web filtering, and/or anti-spam.
  Applicable products: SSG140 high memory model only

I/O options
  Description: Four SSG140 interface expansion slots support optional T1, E1, ISDN BRI S/T, ADSL2, G.SHDSL and serial physical interface modules (PIMs), and 10/100/1000 and SFP universal PIMs (uPIMs).
  Applicable products: SSG140

Specifications (SSG140)

Maximum Performance and Capacity (1)
  ScreenOS version tested: ScreenOS 6.2
  Firewall throughput (large packets): 350 Mbps
  Firewall throughput (IMIX) (2): 300 Mbps
  Firewall packets per second (64 byte): 100,000 PPS
  Advanced Encryption Standard (AES) 256 SHA-1 VPN throughput: 100 Mbps
  3DES encryption SHA-1 VPN throughput: 100 Mbps
  Maximum concurrent sessions: 48,000
  New sessions/second: 8,000
  Maximum security policies: 1,000
  Maximum users supported: Unrestricted

Unified Threat Management (3)
  IPS (Deep Inspection firewall): Yes
  Protocol anomaly detection: Yes
  Stateful protocol signatures: Yes
  IPS/DI attack pattern obfuscation: Yes
  Antivirus: Yes
  Signature database: 200,000
  Protocols scanned: POP3, HTTP, SMTP, IMAP, FTP, instant messaging
  Anti-spam: Yes
  Integrated URL filtering: Yes
  External URL filtering (4): Yes

VoIP Security
  H.323 application-level gateway (ALG): Yes
  SIP ALG: Yes
  MGCP ALG: Yes
  SCCP ALG: Yes
  Network Address Translation (NAT) for VoIP protocols: Yes

Network Connectivity
  Fixed I/O: 8x10/100, 2x10/100/1000
  Physical Interface Module (PIM) slots: 4
  Modular WAN/LAN interface options (PIMs/uPIMs): 2xT1, 2xE1, 2xSerial, 1xISDN BRI S/T, SFP, 10/100/1000

Firewall
  Network attack detection: Yes
  DoS and DDoS protection: Yes
  TCP reassembly for fragmented packet protection: Yes
  Brute force attack mitigation: Yes
  SYN cookie protection: Yes
  Zone-based IP spoofing: Yes
  Malformed packet protection: Yes

IPsec VPN
  Concurrent VPN tunnels: 500
  Tunnel interfaces: 50
  DES encryption (56-bit), 3DES encryption (168-bit) and AES (256-bit): Yes
  MD-5 and SHA-1 authentication: Yes
  Manual key, Internet Key Exchange (IKE), IKEv2 with EAP, public key infrastructure (PKI) (X.509): Yes
  Perfect forward secrecy (DH groups): 1, 2, 5
  Prevent replay attack: Yes
  Remote access VPN: Yes
  Layer 2 Tunneling Protocol (L2TP) within IPsec: Yes
  IPsec Network Address Translation (NAT) traversal: Yes
  Auto-Connect VPN: Yes
  Redundant VPN gateways: Yes

Specifications (continued)

User Authentication and Access Control
  Built-in (internal) database user limit: 250
  Third-party user authentication: RADIUS, RSA SecurID, LDAP
  RADIUS accounting: Yes (start/stop)
  XAUTH VPN authentication: Yes
  Web-based authentication: Yes
  802.1X authentication: Yes
  Unified Access Control (UAC) enforcement point: Yes

IPv6
  Dual stack IPv4/IPv6 firewall and VPN: Yes
  IPv4 to/from IPv6 translations and encapsulations: Yes
  SYN-cookie and SYN-proxy DoS attack detection: Yes
  SIP, RTSP, Sun-RPC, and MS-RPC ALGs: Yes
  RIPng: Yes
  BGP: Yes
  Transparent mode: Yes
  NSRP: Yes
  DHCPv6 relay: Yes

PKI Support
  PKI certificate requests (PKCS 7 and PKCS 10): Yes
  Automated certificate enrollment (SCEP): Yes
  Online Certificate Status Protocol (OCSP): Yes
  Certificate Authorities supported: Verisign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DOD PKI
  Self-signed certificates: Yes

Virtualization
  Maximum number of security zones: 40
  Maximum number of virtual routers: 6
  Bridge groups*: Yes
  Maximum number of VLANs: 100

Mode of Operation
  Layer 2 (transparent) mode (5): Yes
  Layer 3 (route and/or NAT) mode: Yes

Address Translation
  Network Address Translation (NAT): Yes
  Port Address Translation (PAT): Yes
  Policy-based NAT/PAT (L2 and L3 mode): Yes
  Mapped IP (MIP) (L3 mode): 1,500
  Virtual IP (VIP) (L3 mode): 16
  MIP/VIP grouping (L3 mode): Yes

Routing
  BGP instances: 6
  BGP peers: 24
  BGP routes: 2,048
  OSPF instances: 3
  OSPF routes: 2,048
  RIPv1/v2 instances: 64
  RIP v2 routes: 2,048
  Static routes: 2,048
  Source-based routing: Yes
  Policy-based routing: Yes
  Equal-cost multipath (ECMP): Yes

Multicast
  Multicast: Yes
  Reverse Path Forwarding (RPF): Yes
  Internet Group Management Protocol (IGMP) (v1, v2): Yes
  IGMP proxy: Yes
  Protocol Independent Multicast (PIM) single mode: Yes
  PIM source-specific multicast: Yes
  Multicast inside IPsec tunnel: Yes

IP Address Assignment
  Static: Yes
  Dynamic Host Configuration Protocol (DHCP), Point-to-Point Protocol over Ethernet (PPPoE) client: Yes
  Internal DHCP server: Yes
  DHCP relay: Yes

Traffic Management Quality of Service (QoS)
  Guaranteed bandwidth: Yes (per policy)
  Maximum bandwidth: Yes (per policy)
  Ingress traffic policing: Yes
  Priority-bandwidth utilization: Yes
  Differentiated Services marking: Yes (per policy)

High Availability (HA)
  Active/active, L3 mode: Yes
  Active/passive, transparent and L3 mode: Yes
  Configuration synchronization: Yes
  Session synchronization for firewall and VPN: Yes
  Session failover for routing change: Yes
  VRRP: Yes
  Device failure detection: Yes
  Link failure detection: Yes
  Authentication for new HA members: Yes
  Encryption of HA traffic: Yes

Encapsulations
  Point-to-Point Protocol (PPP): Yes
  Multilink Point-to-Point Protocol (MLPPP): Yes
  MLPPP max physical interfaces: 4
  Frame Relay: Yes
  Multilink Frame Relay (MLFR) (FRF 15, FRF 16): Yes
  MLFR max physical interfaces: 4
  HDLC: Yes

* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases.

Specifications (continued)

System Management
  WebUI (HTTP and HTTPS): Yes
  Command line interface (console): Yes
  Command line interface (telnet): Yes
  Command line interface (SSH): Yes (v1.5 and v2.0 compatible)
  Network and Security Manager (NSM): Yes
  All management via VPN tunnel on any interface: Yes
  Rapid deployment: No

Administration
  Local administrator database size: 20
  External administrator database support: RADIUS, RSA SecurID, LDAP
  Restricted administrative networks: 6
  Root Admin, Admin, and Read Only user levels: Yes
  Software upgrades: TFTP, WebUI, NSM, SCP, USB
  Configuration roll-back: Yes

Logging/Monitoring
  System log (multiple servers): Yes (up to 4 servers)
  Email (2 addresses): Yes
  NetIQ WebTrends: Yes
  SNMP (v2): Yes
  SNMP full custom MIB: Yes
  Traceroute: Yes
  VPN tunnel monitor: Yes
  External flash: USB 1.1
    Additional log storage (event logs and alarms): Yes
    System configuration script: Yes
    ScreenOS software: Yes

Dimensions and Power
  Dimensions (W x H x D): 17.5 x 1.8 x 15 in (44.5 x 4.5 x 38.1 cm)
  Weight: 10.2 lb (4.63 kg)
  Rack mountable: Yes, 1RU
  Power supply (AC): 100-240 VAC
  AC input line frequency: 50 Hz or 60 Hz
  AC system current rating: 2 A
  Maximum thermal output: 580 BTU/hour (170 W)
  Noise level: 48.8 dB
  Mean time between failures (MTBF) (Bellcore model): 16 years

Certifications
  Safety certifications: UL, CUL, CSA, CB
  Electromagnetic compatibility (EMC) certifications: FCC class B, CE class B
  Network Equipment Building System (NEBS): No
  Security certifications:
    Common Criteria: EAL4: Future
    FIPS 140-2: Level 2: Future
    ICSA Firewall and VPN: Yes

Operating Environment
  Operating temperature: 32 to 122 F (0 to 50 C)
  Non-operating temperature: -4 to 158 F (-20 to 70 C)
  Humidity: 10% to 90% noncondensing

(1) Performance, capacity and features listed are based upon systems running ScreenOS 6.2 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and deployment. For a complete list of supported ScreenOS versions for SSG Series gateways, please visit the Juniper Customer Support Center (http://www.juniper.net/customers/support/) and click on ScreenOS Software Downloads.
(2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer's network. The IMIX traffic used is made up of 58.33% 64 byte packets, 33.33% 570 byte packets and 8.33% 1518 byte packets of UDP traffic.
(3) UTM security features (IPS/Deep Inspection, antivirus, anti-spam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM security features.
(4) Redirect Web filtering sends traffic from the firewall to a secondary server. The redirect feature is free, however it does require the purchase of a separate Web filtering license from either Websense or SurfControl.
(5) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, active/active HA and IP address assignment are not available in layer 2 transparent mode.

IPS (Deep Inspection firewall) Signature Packs

Signature Packs provide the ability to tailor the attack protection to the specific deployment and/or attack type. The following Signature Packs are available for the SSG140:

Base
  Target deployment: Branch offices, small/medium businesses
  Defense type: Client/server and worm protection
  Type of attack object: Range of signatures and protocol anomalies

Client
  Target deployment: Remote/branch offices
  Defense type: Perimeter defense, compliance for hosts (for example desktops)
  Type of attack object: Attacks in the server-to-client direction

Server
  Target deployment: Small/medium businesses
  Defense type: Perimeter defense, compliance for server infrastructure
  Type of attack object: Attacks in the client-to-server direction

Worm Mitigation
  Target deployment: Remote/branch offices of large enterprises
  Defense type: Most comprehensive defense against worm attacks
  Type of attack object: Worms, trojans, backdoor attacks

Performance-Enabling Services and Support

Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains, faster rollouts of new business models and ventures, and greater market reach, while generating higher levels of customer satisfaction. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/products-services.

Ordering Information

SSG140 (Model Number: Description)
  SSG-140-SB: SSG140 with 256 MB memory, 0 PIM cards, AC power
  SSG-140-SH: SSG140 with 512 MB memory, 0 PIM cards, AC power

SSG140 I/O Options
  JX-1BRI-ST-S: 1-port ISDN BRI S/T PIM
  JX-2E1-RJ48-S: 2-port E1 PIM with integrated CSU/DSU
  JX-2T1-RJ48-S: 2-port T1 PIM with integrated CSU/DSU
  JX-2Serial-S: 2-port Serial PIM
  JX-Blank-FP-S: Blank I/O plate
  JX-1ADSL-A-S: 1-port ADSL 2/2 Annex A PIM
  JX-1ADSL-B-S: 1-port ADSL 2/2 Annex B PIM
  JX-2SHDSL-S: 1-port G.SHDSL PIM
  JXU-6GE-SFP-S: 6-port SFP Gigabit Ethernet Universal PIM*
  JXU-1SFP-S: 1-port SFP 100 Mbps or Gigabit Ethernet Universal PIM* (SFP sold separately)
  JXU-8GE-TX-S: 8-port Gigabit Ethernet 10/100/1000 Copper Universal PIM*
  JXU-16GE-TX-S: 16-port Gigabit Ethernet 10/100/1000 Copper Universal PIM*
  * uPIMs are only supported in ScreenOS 6.0 or greater releases.

Unified Threat Management/Content Security (High Memory Option Required)
  NS-K-AVS-SSG140: Antivirus (anti-spyware, anti-phishing)
  NS-DI-SSG140: IPS (Deep Inspection)
  NS-SPAM-SSG140: Anti-spam
  NS-WF-SSG140: Web filtering
  NS-RBO-CS: SSG140 Remote Office Bundle (AV, IPS, WF)
  NS-SMB-CS: SSG140 Main Office Bundle (AV, IPS, WF, AS)

SSG140 Memory Upgrades, Spares and Communications Cables
  SSG-100-MEM512: 512 MB DIMM memory upgrade
  CBL-JX-PWR-AU: Power cable, Australia
  CBL-JX-PWR-CH: Power cable, China
  CBL-JX-PWR-EU: Power cable, Europe
  CBL-JX-PWR-IT: Power cable, Italy
  CBL-JX-PWR-JP: Power cable, Japan
  CBL-JX-PWR-UK: Power cable, UK
  CBL-JX-PWR-US: Power cable, US
  JX-CBL-EIA530DTE: EIA530 cable (DTE)
  JX-CBL-RS232DTE: RS232 cable (DTE)
  JX-CBL-RS449DTE: RS449 cable (DTE)
  JX-CBL-V35-DTE: V.35 cable (DTE)
  JX-CBL-X21-DTE: X.21 cable (DTE)
  Note: The appropriate power cord is included based upon the sales order "Ship To" destination.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100.
APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 King's Road, Taikoo Shing, Hong Kong. Phone: 852.2332.3636. Fax: 852.2574.7803.
EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland. Phone: 35.31.8903.600. Fax: 35.31.8903.601.

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.

1000181-001-EN Feb 2009

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
