SSG320M And SSG350M Secure Services Gateways

DATASHEET

Product Overview

The Juniper Networks SSG300 line consists of purpose-built security appliances that deliver the ideal blend of performance, security, routing, and LAN/WAN connectivity for large, regional branch offices and medium-size, standalone businesses. Traffic flowing in and out of a regional office or business is protected from worms, spyware, trojans, and malware by a complete set of Unified Threat Management security features, including stateful firewall, IPsec VPN, intrusion prevention system (IPS), antivirus (includes antispyware, antiadware, antiphishing), antispam, and Web filtering. The SSG300 line comprises the SSG350M and the SSG320M Secure Services Gateways.

Product Description

The Juniper Networks SSG300 line of secure services gateways comprises high performance security platforms that help businesses stop internal and external attacks, prevent unauthorized access, and achieve regulatory compliance. The Juniper Networks SSG350M Secure Services Gateway provides 500 Mbps of stateful firewall performance and 225 Mbps of IPsec VPN performance, while the Juniper Networks SSG320M Secure Services Gateway provides 400 Mbps of stateful firewall performance and 175 Mbps of IPsec VPN performance.

These products focus on three key disciplines:

Security: Protection against worms, viruses, trojans, spam, and emerging malware is delivered by proven Unified Threat Management (UTM) security features that are backed by best-in-class partners. To address internal security requirements and facilitate regulatory compliance, the SSG300 line supports an advanced set of network protection features such as security zones, virtual routers, and VLANs that allow administrators to divide the network into distinct, secure domains, each with their own unique security policy. Policies protecting each security zone can include access control rules and inspection by any of the supported UTM security features.

[Figure: network diagram showing a Regional Office (SSG350M with Zone A, Zone B, Zone C) connected over the Internet to Headquarters (M7i, NetScreen-5400).]

The SSG350M deployed at a branch office for secure Internet connectivity and site-to-site VPN to corporate headquarters. Internal branch office resources are protected with unique security policies applied to each security zone.

Connectivity and Routing: The SSG300 line provides four onboard 10/100/1000 interfaces complemented by I/O expansion slots that can house a mix of LAN or WAN interfaces, making the SSG300 line an extremely flexible platform. The broad array of I/O options coupled with WAN protocol and encapsulation support makes the SSG300 line of gateways easily deployable as traditional branch office routers or as consolidated security and routing devices, which can help reduce CapEx and OpEx.

Access Control Enforcement: The SSG300 line of gateways can act as enforcement points in a Juniper Networks Unified Access Control deployment with the simple addition of the Juniper Networks IC Series UAC Appliances. The IC Series functions as a central policy management engine by interacting with the SSG300 line to augment or replace the firewall-based access control. It grants/denies access based on more granular criteria, including endpoint state and user identity in order to accommodate the dramatic shifts in attack landscape and user characteristics.

In addition, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment to its successful conclusion. Whether it involves simple lab testing or a major network implementation, Juniper Networks Professional Services is there to help you ensure success.

Features and Benefits

| FEATURE | FEATURE DESCRIPTION | BENEFIT |
|---|---|---|
| High performance | Purpose-built platform is assembled from custom-built hardware, powerful processing and a security-specific operating system. | Delivers performance headroom required to protect against internal and external attacks now and into the future. |
| Best-in-class UTM security features | UTM security features (antivirus, antispam, Web filtering, IPS) stop all manner of viruses and malware before they damage the network. | Ensures that the network is protected against all manner of attacks. |
| Integrated antivirus | Annually licensed antivirus engine, provided by Juniper, is based on Kaspersky Lab engine. | Stops viruses, spyware, adware and other malware. |
| Integrated antispam | Annually licensed antispam offering, provided by Juniper, is based on Sophos technology. | Blocks unwanted email from known spammers and phishers. |
| Integrated Web filtering | Annually licensed Web filtering solution, provided by Juniper, is based on Websense SurfControl technology. | Controls/blocks access to malicious Web sites. |
| Integrated intrusion prevention system (IPS) (Deep Inspection) | Annually licensed IPS engine is available with Juniper Networks Deep Inspection Firewall Signature Packs. | Prevents application-level attacks from flooding the network. |
| Fixed Interfaces | Four fixed 10/100/1000 interfaces, two USB ports, one console port and one auxiliary port are standard on all SSG300 line models. | Provides high-speed LAN connectivity, future connectivity and flexible management. |
| Network segmentation | Bridge groups, security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, wireless networks and regional servers or databases.* | Powerful capabilities facilitate deploying security for various internal, external and DMZ sub-groups on the network, to prevent unauthorized access. |
| Interface modularity | Six interface expansion slots support optional T1, E1, Serial, ADSL/ADSL2/ADSL2+, G.SHDSL, 10/100/1000, and SFP connectivity. | Delivers combination of LAN and WAN connectivity on top of unmatched security to reduce costs and extend investment protection. |
| Robust routing engine | Proven routing engine supports OSPF, BGP and RIP v1/2 along with Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC. | Enables the deployment of consolidated security and routing device, thereby lowering operational and capital expenditures. |
| Juniper Networks Unified Access Control enforcement point | Interacts with the centralized policy management engine (IC Series) to enforce session-specific access control policies using criteria such as user identity, device security state and network location. | Improves security posture in a cost-effective manner by leveraging existing customer network infrastructure components and best-in-class technology. |
| Management flexibility | Use any one of three mechanisms, CLI, WebUI or Juniper Networks Network and Security Manager (NSM), to securely deploy, monitor and manage security policies. | Enables management access from any location, eliminating on-site visits thereby improving response time and reducing operational costs. |
| Auto-Connect VPN | Automatically sets up and takes down VPN tunnels between spoke sites in a hub-and-spoke topology. | Provides a scalable VPN solution for mesh architectures with support for latency-sensitive applications such as VoIP and video conferencing. |
| World-class professional services | From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design and manage the deployment. | Transforms the network infrastructure to ensure that it is secure, flexible, scalable and reliable. |

* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases

Product Options

| OPTION | OPTION DESCRIPTION | APPLICABLE PRODUCTS |
|---|---|---|
| Network Equipment Building Systems (NEBS) compliance | NEBS-compliant versions of the SSG350M are available. | SSG350M |
| DRAM | All models in the SSG300 line are available with 1 GB of DRAM. The SSG320M and SSG350M are also available in 256 MB-DRAM versions. | SSG350M |
| UTM/Content Security (high memory option required) | With the addition of licensing keys, the SSG300 line can be configured with any combination of the following best-in-class UTM and content security functionality: antivirus (includes antispyware, antiphishing), IPS (Deep Inspection firewall), Web filtering and/or antispam. | SSG350M high-memory model only; SSG320M high-memory model |
| I/O options | Three (SSG320M) or five (SSG350M) expansion slots support optional T1, E1, Serial, ADSL2+, G.SHDSL, 10/100/1000, and SFP. | SSG350M, SSG320M |

Maximum Performance and Capacity(1)

|  | SSG320M | SSG350M |
|---|---|---|
| ScreenOS version tested | ScreenOS 6.2 | ScreenOS 6.2 |
| Firewall performance (Large packets) | 450 Mbps | 550 Mbps |
| Firewall performance (IMIX)(2) | 400 Mbps | 500 Mbps |
| Firewall Packets Per Second (64 byte) | 175,000 PPS | 225,000 PPS |
| AES256+SHA-1 VPN performance | 175 Mbps | 225 Mbps |
| 3DES+SHA-1 VPN performance | 175 Mbps | 225 Mbps |
| Maximum concurrent sessions | 64,000 | 128,000 |
| New sessions/second | 10,000 | 12,500 |
| Maximum security |  |  |
| Maximum users supported |  |  |
| Convertible to Juniper Networks Junos operating system 8.0 or higher |  |  |

Network Connectivity

|  | SSG320M | SSG350M |
|---|---|---|
| Fixed I/O | 4x10/100/1000 | 4x10/100/1000 |
| Physical Interface Module (PIM) Slots | 3 | 5 |
| WAN interface options (PIMS) | Serial, T1, E1, ADSL/ADSL2/ADSL2+, G.SHDSL | Serial, T1, E1, ADSL/ADSL2/ADSL2+, G.SHDSL |
| LAN interface options (uPIMS) | 8x10/100/1000, 16x10/100/1000, and 6xSFP | 8x10/100/1000, 16x10/100/1000, and 6xSFP |

Specifications (continued)

Firewall

|  | SSG320M | SSG350M |
|---|---|---|
| Network attack detection | Yes | Yes |
| DoS and DDoS protection | Yes | Yes |
| TCP reassembly for fragmented packet protection | Yes | Yes |
| Brute force attack mitigation | Yes | Yes |
| SYN cookie protection | Yes | Yes |
| Zone-based IP spoofing | Yes | Yes |
| Malformed packet protection | Yes | Yes |

Unified Threat Management(3)

|  | SSG320M | SSG350M |
|---|---|---|
| IPS (Deep Inspection firewall) | Yes | Yes |
| Protocol anomaly detection | Yes | Yes |
| Stateful protocol signatures | Yes | Yes |
| IPS/DI attack pattern obfuscation | Yes | Yes |
| Antivirus | Yes | Yes |
| Signature database | 200,000 | 200,000 |
| Protocols scanned | POP3, HTTP, SMTP, IMAP, FTP, IM | POP3, HTTP, SMTP, IMAP, FTP, IM |
| Instant message AV | Yes | Yes |
| Antispam | Yes | Yes |
| Integrated URL filtering | Yes | Yes |
| External URL filtering(4) | Yes | Yes |

VoIP Security

|  | SSG320M | SSG350M |
|---|---|---|
| H.323 ALG | Yes | Yes |
| SIP ALG | Yes | Yes |
| MGCP ALG | Yes | Yes |
| SCCP ALG | Yes | Yes |
| NAT for VoIP protocols | Yes | Yes |

IPsec VPN

|  | SSG320M | SSG350M |
|---|---|---|
| Concurrent VPN tunnels | 500 | 500 |
| Tunnel interfaces | 100 | 300 |
| DES (56-bit), 3DES (168-bit) and AES (256-bit) | Yes | Yes |
| MD-5 and SHA-1 authentication | Yes | Yes |
| Manual key, IKE, IKEv2 with EAP, PKI (X.509) | Yes | Yes |
| Perfect forward secrecy (DH Groups) | 1,2,5 | 1,2,5 |
| Prevent replay attack | Yes | Yes |
| Remote access VPN | Yes | Yes |
| L2TP within IPsec | Yes | Yes |
| IPsec NAT traversal | Yes | Yes |
| Auto-Connect VPN | Yes | Yes |
| Redundant VPN gateways | Yes | Yes |

User Authentication and Access Control

|  | SSG320M | SSG350M |
|---|---|---|
| Built-in (internal) database - user limit | 500 | 500 |
| Third-party user authentication | RADIUS, RSA SecurID, LDAP | RADIUS, RSA SecurID, LDAP |
| RADIUS Accounting | Yes – start/stop | Yes – start/stop |
| XAUTH VPN authentication | Yes | Yes |
| Web-based authentication | Yes | Yes |
| 802.1X authentication | Yes | Yes |
| Unified Access Control enforcement point | Yes | Yes |

Specifications (continued)

PKI Support

|  | SSG320M | SSG350M |
|---|---|---|
| PKI Certificate requests (PKCS 7 and PKCS 10) | Yes | Yes |
| Automated certificate enrollment (SCEP) | Yes | Yes |
| Online Certificate Status Protocol (OCSP) | Yes | Yes |
| Certificate Authorities supported | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape) Baltimore, DoD PKI | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape) Baltimore, DoD PKI |
| Self-signed certificates | Yes | Yes |

Virtualization

|  | SSG320M | SSG350M |
|---|---|---|
| Maximum number of security zones | 40 | 40 |
| Maximum number of virtual routers | 5 | 8 |
| Bridge groups* | Yes | Yes |
| Maximum number of VLANs | 125 | 125 |

Routing

|  | SSG320M | SSG350M |
|---|---|---|
| BGP instances | 8 | 8 |
| BGP peers | 36 | 48 |
| BGP routes | 10,000 | 10,000 |
| OSPF instances | 3 | 3 |
| OSPF routes | 10,000 | 10,000 |
| RIP v1/v2 instances | 128 | 128 |
| RIP v2 routes | 10,000 | 10,000 |
| Static routes | 10,000 | 10,000 |
| Source-based routing | Yes | Yes |
| Policy-based routing | Yes | Yes |
| ECMP | Yes | Yes |
| Multicast | Yes | Yes |
| Reverse Path Forwarding (RPF) | Yes | Yes |
| IGMP (v1, v2) | Yes | Yes |
| IGMP Proxy | Yes | Yes |
| PIM SM | Yes | Yes |
| PIM SSM | Yes | Yes |
| Multicast inside IPsec tunnel | Yes | Yes |

Encapsulations

|  | SSG320M | SSG350M |
|---|---|---|
| PPP | Yes | Yes |
| MLPPP | Yes | Yes |
| MLPP max physical interfaces | 6 | 10 |
| Frame Relay | Yes | Yes |
| MLFR (FRF .15, FRF .16) | Yes | Yes |
| MLFR max physical interfaces | 6 | 10 |
| HDLC | Yes | Yes |

IPv6

|  | SSG320M | SSG350M |
|---|---|---|
| Dual stack IPv4/IPv6 firewall and VPN | Yes | Yes |
| IPv4 to/from IPv6 translations and encapsulations | Yes | Yes |
| Syn-Cookie and Syn-Proxy DoS Attack Detection | Yes | Yes |
| SIP, RTSP, Sun-RPC, and MS-RPC ALG’s | Yes | Yes |
| RIPng | Yes | Yes |
| BGP | Yes | Yes |
| Transparent mode | Yes | Yes |
| NSRP | Yes | Yes |
| DHCPv6 Relay | Yes | Yes |

Mode of Operation

|  | SSG320M | SSG350M |
|---|---|---|
| Layer 2 (transparent) mode(5) | Yes | Yes |
| Layer 3 (route and/or NAT) mode | Yes | Yes |

* Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases

Specifications (continued)

Address Translation

|  | SSG320M | SSG350M |
|---|---|---|
| Network Address Translation (NAT) | Yes | Yes |
| Port Address Translation (PAT) | Yes | Yes |
| Policy-based NAT/PAT (L2 and L3 mode) | Yes | Yes |
| Mapped IP (L3 mode) | 4,000 | 4,000 |
| Virtual IP (L3 mode) | 32 | 32 |
| MIP/VIP Grouping (L3 mode) | Yes | Yes |

IP Address Assignment

|  | SSG320M | SSG350M |
|---|---|---|
| Static | Yes | Yes |
| DHCP, PPPoE client | Yes | Yes |
| Internal DHCP server | Yes | Yes |
| DHCP relay | Yes | Yes |

Traffic Management Quality of Service (QoS)

|  | SSG320M | SSG350M |
|---|---|---|
| Guaranteed bandwidth | Yes - per policy | Yes - per policy |
| Maximum bandwidth | Yes - per policy | Yes - per policy |
| Ingress traffic policing | Yes | Yes |
| Priority-bandwidth utilization | Yes | Yes |
| DiffServ marking | Yes - per policy | Yes - per policy |

High Availability (HA)

|  | SSG320M | SSG350M |
|---|---|---|
| Active/Active - L3 mode | Yes | Yes |
| Active/Passive - Transparent & L3 mode | Yes | Yes |
| Configuration synchronization | Yes | Yes |
| Session synchronization for firewall and VPN | Yes | Yes |
| VRRP | Yes | Yes |
| Session failover for routing change | Yes | Yes |
| Device failure detection | Yes | Yes |
| Link failure detection | Yes | Yes |
| Authentication for new HA members | Yes | Yes |
| Encryption of HA traffic | Yes | Yes |

System Management

|  | SSG320M | SSG350M |
|---|---|---|
| WebUI (HTTP and HTTPS) | Yes | Yes |
| Command line interface (console) | Yes | Yes |
| Command line interface (telnet) | Yes | Yes |
| Command line interface (SSH) | Yes v1.5 and v2.0 compatible | Yes v1.5 and v2.0 compatible |
| Network and Security Manager (NSM) | Yes | Yes |
| All management via VPN tunnel on any interface | Yes | Yes |
| Rapid deployment | No | No |

Administration

|  | SSG320M | SSG350M |
|---|---|---|
| Local administrator database size | 20 | 20 |
| External administrator database support | RADIUS, RSA SecurID, LDAP | RADIUS, RSA SecurID, LDAP |
| Restricted administrative networks | 50 | 50 |
| Root Admin, Admin and Read Only user levels | Yes | Yes |
| Software upgrades | TFTP, WebUI, NSM, SCP, USB | TFTP, WebUI, NSM, SCP, USB |
| Configuration rollback | Yes | Yes |

Logging/Monitoring

|  | SSG320M | SSG350M |
|---|---|---|
| Syslog (multiple servers) | Yes - up to 4 servers | Yes - up to 4 servers |
| Email (two addresses) | Yes | Yes |
| NetIQ WebTrends | Yes | Yes |
| SNMP (v2) | Yes | Yes |
| SNMP full custom MIB | Yes | Yes |
| Traceroute | Yes | Yes |
| VPN tunnel monitor | Yes | Yes |

Specifications (continued)

External Flash

|  | SSG320M | SSG350M |
|---|---|---|
| Additional log storage | USB 1.1 | USB 1.1 |
| Event logs and alarms | Yes | Yes |
| System configuration script | Yes | Yes |
| ScreenOS Software | Yes | Yes |

Dimensions and Power

|  | SSG320M | SSG350M |
|---|---|---|
| Dimensions (W x H x D) | 17.5 x 1.8 x 15.1 in (44.5 x 4.5 x 38.3 cm) | 17.5 x 2.6 x 15.1 in (44.5 x 6.6 x 38.3 cm) |
| Weight | 15.0 lb (no interface modules) 6.8 kg | 25.0 lb (no interface modules + one power supply) (11.34 kg) |
| Rack mountable | Yes, 1 RU | Yes, 1.5 RU |
| Power supply (AC) 100-240 VAC | 275 W | 300 W |
| Average power consumption | 80 W (No PIMs) | 80 W (No PIMs) |
| Maximum power consumption | 320 W | 350 W |
| Input frequency | 47-63 Hz | 47-63 Hz |
| Maximum current consumption | 100 – 240 VAC, 3.2 A – 1.3 A | 100 – 240 VAC, 3.5 A – 1.5 A |
| Maximum Inrush current | 100 – 240 VAC, 42 A – 62 A | 100 – 240 VAC, 13 A – 75 A |
| Average heat dissipation | 273 BTU (No PIMs) | 273 BTU (No PIMs) |
| Maximum heat dissipation | 1091 BTU | 1195 BTU |
| Power supply (DC) | N/A | -48 to -60 VDC, 300 watts |
| Noise level | 40.0 dB | 59.2 dB |

Certifications

|  | SSG320M | SSG350M |
|---|---|---|
| Safety certifications | CSA, TUV, CB | CSA, TUV, CB |
| EMC certifications | FCC class A, CE class A, C-Tick, VCCI class A | FCC class A, CE class A, C-Tick, VCCI class A |
| NEBS | No | Level 3 |
| MTBF (Bellcore model) | 7.2 years | 6.8 years |

Security Certifications

|  | SSG320M | SSG350M |
|---|---|---|
| Common Criteria: EAL4 | Future | Future |
| FIPS 140-2: Level 2 | Future | Future |
| ICSA Firewall and VPN | Yes | Yes |

Operating Environment

|  | SSG320M | SSG350M |
|---|---|---|
| Operating temperature | 32° to 122° F (0° to 50° C) | 32° to 122° F (0° to 50° C) |
| Non-operating temperature | -4° to 158° F (-20° to 70° C) | -4° to 158° F (-20° to 70° C) |
| Humidity | 10% to 90% noncondensing | 10% to 90% noncondensing |

(1) Performance, capacity and features listed are based upon systems running ScreenOS 6.2 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and by deployment. For a complete list of supported ScreenOS versions for SSG Series gateways, please visit the Juniper Customer Support Center (www.juniper.net/customers/support/) and click on ScreenOS Software Downloads.

(2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer’s network. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.

(3) UTM Security features (IPS/Deep Inspection, antivirus, antispam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM security features.

(4) Redirect Web filtering sends traffic from the firewall to a secondary server. The redirect feature is free. However, it does require the purchase of a separate Web filtering license from either Websense or SurfControl.

(5) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA and IP address assignment are not available in Layer 2 transparent mode.

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains and faster rollouts of new business models and ventures. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services/.

Ordering Information

| MODEL NUMBER | DESCRIPTION |
|---|---|
| SSG-320M-SB | SSG320M, ScreenOS, base memory (256 MB), HW security, AC power -TAA |
|  | SSG320M, ScreenOS, base memory (1 GB), HW security, AC power supply |
|  | SSG350M, ScreenOS, base memory (256 MB), HW security, AC power supply |
|  | SSG350M, ScreenOS, base memory (1 GB), HW security, AC power supply |
|  | SSG350M gateway, ScreenOS, base memory (256 MB), 5 PIM slots, HW Crypto, AC power supply, TAA, 19” rack mount |
| SSG-350M-SH-TAA | SSG350M gateway, ScreenOS, base memory (1 GB), 5 PIM slots, HW Crypto, AC power supply, TAA, 19” rack mount |
| SSG-350M-SB-DCN-TAA | SSG350M gateway, ScreenOS, base memory (256 MB), 5 PIM slots, HW Crypto, DC power supply, fan filter, NEBS, TAA, 19” rack mount |
| SSG-350M-SH-DCN-TAA | SSG350M gateway, ScreenOS, base memory (1 GB), 5 PIM slots, HW Crypto, DC power supply, fan filter, NEBS, TAA, 19” rack mount |

| MODEL NUMBER | DESCRIPTION |
|---|---|
|  | 2-port T1 PIM with integrated CSU/DSU |
| JX-2E1-RJ48-S | 2-port E1 PIM with integrated CSU/DSU |
| JX-2Serial-S | 2-port Synchronous Serial PIM |
| JX-1ADSL-A-S | 1-port ADSL 2/2+ Annex A PIM |
| JX-1ADSL-B-S | 1-port ADSL 2/2+ Annex B PIM |
|  | 2-port 2-wire or 1-port 4-wire G.SHDSL PIM |
|  | 1-port ISDN BRI S/T PIM |
| JXU-6GE-SFP-S | 6-port SFP Gigabit Ethernet Universal PIM2 |
| JXU-8GE-TX-S | 8-port Gigabit Ethernet 10/100/1000 Copper Universal PIM2 |
|  | 16-port Gigabit Ethernet 10/100/1000 Copper Universal PIM2 |
| JX |  |

Unified Threat Management/Content Security (High Memory Option Required)

| MODEL NUMBER | DESCRIPTION |
|---|---|
| NS-K-AVS-SSG350, NS-K-AVS-SSG320 | Antivirus (includes antispyware, antiphishing) |
| NS-DI-SSG350, NS-DI-SSG320 | IPS (Deep Inspection) |
| NS-WF-SSG350, NS-WF-SSG320 | Web filtering |
| NS-SPAM2-SSG350 |  |
| NS-RBO-CS-SSG320 | Remote Office Bundle (includes AV, DI, WF) |
| NS-SMB2-CS-SSG350, NS-SMB2-CS-SSG320 | Main Office Bundle (includes AV, DI, WF, AS) |

SSG300 Line Memory Upgrades, Spares and Communications Cables

| MODEL NUMBER | DESCRIPTION |
|---|---|
| CBL-JX-PWR-AU | Power cable, Australia |
| CBL-JX-PWR-CH | Power cable, China |
| CBL-JX-PWR-EU | Power cable, Europe |
| CBL-JX-PWR-IT | Power cable, Italy |
| CBL-JX-PWR-JP | Power cable, Japan |
| CBL-JX-PWR-UK | Power cable, UK |
| CBL-JX-PWR-US | Power cable, USA |
| SSG-300-MEM-1GB | 1 Gigabyte memory upgrade for the SSG300 line |
| SSG-350-FLTR | Replacement air filter for SSG300 line |
| JX-CBL-EIA530-DTE | EIA530 cable (DTE) |
| JX-CBL-RS232-DTE | RS232 cable (DTE) |
| JX-CBL-RS449-DTE | RS449 cable (DTE) |
| JX-CBL-V35-DTE | V.35 cable (DTE) |
| JX-CBL-X21-DT | X.21 cable (DTE) |
