DATASHEET

SSG140 SECURE SERVICES GATEWAY

Product Overview
The SSG140 Secure Services Gateway is a purpose-built security appliance that delivers a perfect blend of performance, security, routing and LAN/WAN connectivity for medium sized branch offices and business deployments. Traffic flowing in and out of the branch office or business is protected from worms, spyware, trojans, and malware by a complete set of Unified Threat Management security features that include stateful firewall, IPsec VPN, intrusion prevention system (IPS), antivirus (includes antispyware, antiadware, antiphishing), antispam and Web filtering.

Product Description
The Juniper Networks® SSG140 Secure Services Gateway is a high-performance security platform for branch offices and small/medium sized standalone businesses that want to stop internal and external attacks, prevent unauthorized access, and achieve regulatory compliance. The SSG140 is a modular platform that delivers more than 350 Mbps of stateful firewall traffic and 100 Mbps of IPsec VPN traffic.

Security: Protection against worms, viruses, trojans, spam, and emerging malware is delivered by proven unified threat management (UTM) security features that are backed by best-in-class partners. To address internal security requirements and facilitate regulatory compliance, the SSG140 supports an advanced set of network protection features such as security zones, virtual routers and VLANs that allow administrators to divide the network into distinct, secure domains, each with its own unique security policy. Policies protecting each security zone can include access control rules and inspection by any of the supported UTM security features.

Connectivity and Routing: The SSG140 supports ten on-board interfaces (eight 10/100 plus two 10/100/1000) complemented by four I/O expansion slots that can house additional LAN and WAN interfaces (T1, E1, G.SHDSL, ISDN BRI S/T, Serial, and 10/100/1000), making the SSG140 the most extensible security platform in its class. This broad array of I/O options, coupled with WAN protocol and encapsulation support in its routing engine, makes the SSG140 a platform that can easily be deployed as a traditional branch office router or as a consolidated security and routing device to reduce CapEx and OpEx.

Access Control Enforcement: The SSG140 can act as an enforcement point in a Juniper Networks Unified Access Control (UAC) deployment with the simple addition of the IC Series Unified Access Control Appliance. The IC Series functions as a central policy management engine, interacting with the SSG140 to augment or replace the firewall-based access control with a solution that grants/denies access based on more granular criteria that include endpoint state and user identity, in order to accommodate the dramatic shifts in attack landscape and user characteristics.

World Class Support: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment to its successful conclusion.


[Figure: The SSG140 deployed at a branch office for secure Internet connectivity and site-to-site VPN to corporate headquarters. Internal branch office resources are protected with unique security policies for each security zone. Diagram labels: Branch Office, Headquarters, WWW, Zone A, Zone B, SSG140, Internet, M7i, ISG2000.]

Features and Benefits

Feature: High performance
Feature Description: Purpose-built platform is assembled from custom-built hardware, powerful processing and a security-specific operating system.
Benefit: Delivers performance headroom required to protect against internal and external attacks now and into the future.

Feature: Best-in-class UTM security features
Feature Description: UTM security features (antivirus, antispam, Web filtering, IPS) stop all manner of viruses and malware before they damage the network.
Benefit: Ensures that the network is protected against all manner of attacks.

Feature: Integrated antivirus
Feature Description: Annually licensed antivirus engine, provided by Juniper, is based on Kaspersky Lab engine.
Benefit: Stops viruses, spyware, adware and other malware.

Feature: Integrated antispam
Feature Description: Annually licensed antispam offering, provided by Juniper, is based on Sophos technology.
Benefit: Blocks unwanted email from known spammers and phishers.

Feature: Integrated Web filtering
Feature Description: Annually licensed Web filtering solution, provided by Juniper, is based on Websense SurfControl technology.
Benefit: Controls/blocks access to malicious Web sites.

Feature: Integrated IPS (Deep Inspection)
Feature Description: Annually licensed IPS engine is available with Juniper Networks Deep Inspection Firewall Signature Packs.
Benefit: Prevents application-level attacks from flooding the network.

Feature: Fixed Interfaces
Feature Description: Eight fixed 10/100 interfaces and two 10/100/1000 interfaces, one console port, one USB port, and one auxiliary port.
Benefit: Provides high-speed LAN connectivity, future connectivity, and flexible management.

Feature: Network segmentation
Feature Description: Bridge groups*, security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, wireless networks and regional servers or databases.
Benefit: Powerful capabilities facilitate deploying security for various internal, external and DMZ sub-groups on the network, to prevent unauthorized access.

Feature: Robust routing engine
Feature Description: Proven routing engine supports OSPF, BGP and RIP v1/2 along with Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC.
Benefit: Enables the deployment of consolidated security and routing device, thereby lowering operational and capital expenditures.

Feature: High interface density
Feature Description: Eight 10/100 plus two 10/100/1000 interfaces plus a console and an Aux interface for management.
Benefit: Provides unmatched interface density when compared to competitive offerings.

Feature: Interface modularity
Feature Description: Four SSG140 interface expansion slots support optional T1, E1, ISDN BRI S/T, G.SHDSL and serial physical interface modules (PIMs), and 10/100/1000 and SFP universal PIMs (uPIMs).**
Benefit: Delivers LAN and WAN connectivity options on top of unmatched security to reduce costs and extend investment protection.

Feature: Management flexibility
Feature Description: Use any one of three mechanisms, CLI, WebUI or Juniper Networks Network and Security Manager (NSM), to securely deploy, monitor and manage security policies.
Benefit: Enables management access from any location, eliminating on-site visits thereby improving response time and reducing operational costs.

Feature: Juniper Networks Unified Access Control enforcement point
Feature Description: Interacts with the centralized policy management engine (IC Series) to enforce session-specific access control policies using criteria such as user identity, device security state, and network location.
Benefit: Improves security posture in a cost-effective manner by leveraging existing customer network infrastructure components and best-in-class technology.

Feature: World-class professional services
Feature Description: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment.
Benefit: Transforms the network infrastructure to ensure that it is secure, flexible, scalable and reliable.

Feature: Auto-Connect VPN
Feature Description: Automatically sets up and takes down VPN tunnels between spoke sites in a hub-and-spoke topology.
Benefit: Provides a scalable VPN solution for mesh architectures with support for latency-sensitive applications such as VoIP and video conferencing.

* Bridge groups supported only on uPIMs in Juniper Networks ScreenOS® Software 6.0 and higher releases.
** uPIMs are only supported in ScreenOS 6.0 or higher releases.

2xE1.SHDSL and serial physical interface modules (PIMs). RSA SecureID.000+ POP3.000 PPS 100 Mbps 100 Mbps 48. IPS (Deep Inspection).2 350+ Mbps 300 Mbps 90. 2x10/100/1000 4 2xT1. E1. 3DES encryption (168-bit) and AES (256-bit) MD-5 and SHA-1 authentication Manual key.000 Unrestricted VoIP Security H.2. IMAP.5 Yes Yes Yes Yes Yes Yes Firewall Network attack detection DoS and DDoS protection TCP reassembly for fragmented packet protection Brute force attack mitigation SYN cookie protection Zone-based IP spoofing Malformed packet protection Yes Yes Yes Yes Yes Yes Yes  Psec Network Address Translation (NAT) I traversal Auto-Connect VPN Redundant VPN gateways User Authentication and Access Control Built-in (internal) database user limit Third-party user authentication RADIUS Accounting XAUTH VPN authentication Web-based authentication 802.000 8.509) Perfect forward secrecy (DH Groups) Prevent replay attack Remote access VPN Layer 2 Tunneling Protocol (L2TP) within IPsec 500 50 Yes Yes Yes Network Connectivity Fixed I/O Physical Interface Module (PIM) slots Modular WAN/LAN interface options (PIMs/uPIMs) 8x10/100. SMTP. antiphishing). HTTP. G. The SSG140 can be configured with any combination of the following best-in-class UTM and content security functionality: antivirus (includes antispyware. 2xSerial. Applicable Products SSG140 SSG140 high memory model only I/O options SSG140 Signature database Protocols scanned Antispyware Antiadware Anti-keylogger Instant message AV Antispam Integrated URL filtering External URL filtering(4) 200. 10/100/1000 1. FTP.000 1. Four SSG140 interface expansion slots support optional T1. Internet Key Exchange (IKE). 
IM Yes Yes Yes Yes Yes Yes Yes SSG140 Specifications Maximum Performance and Capacity(1) ScreenOS version tested Firewall throughput (large packets) Firewall throughput (IMIX)(2) Firewall packets per second (64 byte) Advanced Encryption Standard (AES) 256+SHA-1 VPN throughput 3DES encryption +SHA-1 VPN throughput Maximum concurrent sessions New sessions/second Maximum security policies Maximum users supported ScreenOS 6. Web filtering. and 10/100/1000 and SFP universal PIMs (uPIMs).1X authentication Unified Access Control (UAC) enforcement point 250 RADIUS. and/or antispam.Product Options Option DRAM Unified Threat Management/ Content Security (high memory option required) Option Description The SSG140 is available with either 256 MB or 512 MB of DRAM. ISDN BRI S/T. Application-level gateway (ALG) SIP ALG MGCP ALG SCCP ALG Network Address Translation (NAT) for VoIP protocols Yes Yes Yes Yes Yes IPsec VPN Concurrent VPN tunnels Tunnel interfaces DES encryption (56-bit).323. LDAP Yes – start/stop Yes Yes Yes Yes Unified Threat Management(3) IPS (Deep Inspection firewall) Protocol anomaly detection Stateful protocol signatures IPS/DI attack pattern obfuscation Antivirus Yes Yes Yes Yes Yes 3 . 1xISDN BRI S/T SFP. IKEv2 with EAP public key infrastructure (PKI) (X.

per policy High Availability (HA) Active/active .500 16 Yes IP Address Assignment Static Dynamic Host Configuration Protocol (DHCP).Specifications (continued) PKI Support PKI certificate requests (PKCS 7 and PKCS 10) Automated certificate enrollment (SCEP) Online Certificate Status Protocol (OCSP) Certificate Authorities supported Yes Yes Yes Verisign.L3 mode Active/passive .per policy Yes Yes Yes . RSA Keon.048 64 2.048 Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Address Translation Network Address Translation (NAT) Port Address Translation (PAT) Policy-based NAT/PAT (L2 and L3 mode) Mapped IP (MIP) (L3 mode) Virtual IP (VIP) (L3 mode) MIP/VIP Grouping (L3 mode) Yes Yes Yes 1. Sun-RPC.048 2. and MS-RPC ALG’s RIPng BGP Transparent mode NSRP 30 6 Yes 100 DHCPv6 Relay Yes Yes Yes Yes Yes Yes Yes Yes Yes Self signed certificates Virtualization Maximum number of security zones Maximum number of virtual routers Bridge groups* Maximum number of VLANs Mode of Operation Layer 2 (transparent) mode(5) Layer 3 (route and/or NAT) mode Yes Yes Routing BGP instances BGP peers BGP routes OSPF instances OSPF routes RIPv1/v2 instances RIP v2 routes Static routes Source-based routing Policy-based routing Equal-cost multipath (ECMP) Multicast Reverse Forwarding Path (RFP) I  nternet Group Management Protocol (IGMP) (v1. Microsoft. RTSP. iPlanet (Netscape) Baltimore. 
Entrust.Point-to-Point Protocol over Ethernet (PPPoE) client Internal DHCP server DHCP relay Yes Yes Yes Yes Traffic Management Quality of Service (QoS) Guaranteed bandwidth Maximum bandwidth Ingress traffic policing Priority-bandwidth utilization Differentiated Services marking Yes .per policy Yes .Transparent & L3 mode Configuration synchronization Session synchronization for firewall and VPN Session failover for routing change VRRP Device failure detection Link failure detection Authentication for new HA members Encryption of HA traffic Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Encapsulations Point-to-Point Protocol (PPP) Multilink Point-to-Point Protocol (MLPPP) MLPPP max physical interfaces Frame relay MLFR max physical interfaces HDLC Yes Yes 4 Yes 4 Yes Multilink Frame Relay (MLFR) (FRF 15. v2) IGMP Proxy P  rotocol Independent Multicast (PIM) single mode PIM source-specific multicast Multicast inside IPsec tunnel 6 24 2. 4 .0 and higher releases. FRF 16) Yes *Bridge groups supported only on uPIMs in ScreenOS 6.048 3 2. DOD PKI Yes IPv6 Dual stack IPv4/IPv6 firewall and VPN IPv4 to/from IPv6 translations and encapsulations Syn-Cookie and Syn-Proxy DoS Attack Detection SIP.

Specifications (continued)

System Management
WebUI (HTTP and HTTPS): Yes
Command line interface (console): Yes
Command line interface (telnet): Yes
Command line interface (SSH): Yes – v1.5 and v2.0 compatible
Network and Security Manager (NSM): Yes
All management via VPN tunnel on any interface: Yes
Rapid deployment: No

Administration
Local administrator database size: 20
External administrator database support: RADIUS, RSA SecureID, LDAP
Restricted administrative networks: 6
Root Admin, Admin, and Read Only user levels: Yes
Software upgrades: TFTP, WebUI, NSM, SCP, USB
Configuration roll-back: Yes

Logging/Monitoring
System log (multiple servers): Yes – up to 4 servers
Email (2 addresses): Yes
NetIQ WebTrends: Yes
SNMP (v3): Yes
SNMP full custom MIB: Yes
Traceroute: Yes
VPN tunnel monitor: Yes

External Flash
Additional log storage: USB 1.1
Event logs and alarms: Yes
System configuration script: Yes
ScreenOS Software: Yes

Dimensions and Power
Dimensions (W x H x D): 17.5 x 1.8 x 15 in (44.5 x 4.5 x 38.1 cm)
Weight: 10.2 lb (4.63 kg)
Rack mountable: Yes, 1RU
Power supply (AC): 100-240 VAC
AC Input line frequency: 50 Hz or 60 Hz
AC system current rating: 2 A
Maximum thermal output: 580 BTU/hour (170 W)
Noise Level: 48.8 dB

Certifications
Safety certifications: UL, CUL, CSA, CB
Electromagnetic compatibility (EMC) certifications: FCC class B, CE class B
Network Equipment Building System (NEBS): No
Mean time between failures (MTBF) (Bellcore model): 16 years

Security Certifications
Common Criteria (EAL4): Future
FIPS 140-2 (Level 2): Future
ICSA Firewall and VPN: Yes

Operating Environment
Operating temperature: 32° to 104° F (0° to 40° C)
Non-operating temperature: -4° to 158° F (-20° to 70° C)
Humidity: 10% to 90% noncondensing

(1) Performance, capacity and features listed are based upon systems running ScreenOS 6.2 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and deployment. For a complete list of supported ScreenOS versions for SSG Series gateways, please visit the Juniper Customer Support Center (www.juniper.net/customers/support/) and click on ScreenOS Software Downloads.
(2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer’s network. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.
(3) UTM Security features (IPS/Deep Inspection, antivirus, antispam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM Security features.
(4) Redirect Web filtering sends traffic from the firewall to a secondary server. The redirect feature is free, however it does require the purchase of a separate Web filtering license from either Websense or SurfControl.
(5) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, active/active HA and IP address assignment are not available in layer 2 transparent mode.

IPS (Deep Inspection Firewall) Signature Packs
Signature packs provide the ability to tailor the attack protection to the specific deployment and/or attack type. The following signature packs are available for the SSG140:

Signature Pack: Base
Target Deployment: Branch offices, small/medium businesses
Defense Type: Client/server and worm protection
Type of Attack Object: Range of signatures and protocol anomalies

Signature Pack: Client
Target Deployment: Remote/branch offices
Defense Type: Perimeter defense, compliance for hosts (for example desktops)
Type of Attack Object: Attacks in the server-to-client direction

Signature Pack: Server
Target Deployment: Small/medium businesses
Defense Type: Perimeter defense, compliance for server infrastructure
Type of Attack Object: Attacks in the client-to-server direction

Signature Pack: Worm mitigation
Target Deployment: Remote/branch offices of large enterprises
Defense Type: Most comprehensive defense against worm attacks
Type of Attack Object: Worms, trojans, backdoor attacks

Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.

Ordering Information

Model Number: Description

SSG140
SSG-140-SB: SSG140 with 256 MB memory, 0 PIM cards, AC power
SSG-140-SH: SSG140 with 512 MB memory, 0 PIM cards, AC power

I/O Options
JX-1BRI-ST-S: 1-port ISDN BRI S/T PIM
JX-2E1-RJ48-S: 2-port E1 PIM with integrated CSU/DSU
JX-2T1-RJ48-S: 2-port T1 PIM with integrated CSU/DSU
JX-2Serial-S: 2-port Serial PIM
JX-2SHDSL-S: 2-port 2-wire or 1-port 4-wire G.SHDSL PIM
JXU-6GE-SFP-S: 6-port SFP Gigabit Ethernet Universal PIM* (SFP sold separately)
JXU-1SFP-S: 1-port SFP 100 Mbps or Gigabit Ethernet Universal PIM* (SFP sold separately)
JXU-8GE-TX-S: 8-port Gigabit Ethernet 10/100/1000 Copper Universal PIM*
JXU-16GE-TX-S: 16-port Gigabit Ethernet 10/100/1000 Copper Universal PIM*

Unified Threat Management/Content Security (High Memory Option Required)
NS-K-AVS-SSG140: Antivirus (antispyware, antiphishing)
NS-DI-SSG140: IPS (Deep Inspection)
NS-SPAM2-SSG140: Antispam
NS-WF-SSG140: Web filtering
NS-RBO-CS-SSG140: Remote Office Bundle (AV, IPS, WF)
NS-SMB2-CSSSG140: Main Office Bundle (AV, IPS, WF, AS)

Memory Upgrades, Spares and Communications Cables
SSG-100-MEM-512: 512 MB DIMM Memory upgrade
CBL-JX-PWR-AU: Power Cable, Australia
CBL-JX-PWR-CH: Power Cable, China
CBL-JX-PWR-EU: Power Cable, Europe
CBL-JX-PWR-IT: Power Cable, Italy
CBL-JX-PWR-JP: Power Cable, Japan
CBL-JX-PWR-UK: Power Cable, UK
CBL-JX-PWR-US: Power Cable, US
JX-Blank-FP-S: Blank I/O plate
JX-CBL-EIA530-DTE: EIA530 cable (DTE)
JX-CBL-RS232-DTE: RS232 cable (DTE)
JX-CBL-RS449-DTE: RS449 cable (DTE)
JX-CBL-V35-DTE: V.35 cable (DTE)
JX-CBL-X21-DTE: X.21 cable (DTE)

Note: The appropriate power cord is included based upon the sales order “Ship To” destination.
* uPIMs are only supported in ScreenOS 6.0 or higher releases.

About Juniper Networks
Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

APAC and EMEA Headquarters
Juniper Networks International B.V.
Boeing Avenue 240
1119 PZ Schiphol-Rijk
Amsterdam, The Netherlands
Phone: 31.0.207.125.700
Fax: 31.0.207.125.701

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.

Copyright 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1000181-010-EN Apr 2013
Printed on recycled paper