Firewall and IPsec VPN Final1
Specifications
  Junos OS software version tested               Junos OS 12.1X44-D15
  Firewall performance (max)                     700 Mbps
  IPS performance                                75 Mbps
  VPN performance                                65 Mbps
  Maximum concurrent sessions                    32,000
  New sessions/second (sustained, TCP, 3-way)    1,800
  Maximum security policies                      384
Features
Consolidated Switching, Routing, and Security means enterprises can economically deliver new applications and services with secure connectivity.
The Juniper Networks SRX Series Services Gateways product family can deliver next-generation firewall protection with application awareness and user role-based controls, plus best-in-class unified threat management (UTM) options to protect and control your business assets. The SRX220 Services Gateway is ideally suited for securing small to midsize businesses and distributed enterprise locations.
Specifications
  Junos OS software version tested               Junos OS 12.1X44-D15
  Firewall performance (max)                     950 Mbps
  IPS performance                                80 Mbps
  VPN performance                                100 Mbps
  Maximum concurrent sessions                    96,000
  New sessions/second (sustained, TCP, 3-way)    2,800
  Maximum security policies                      2,048
Features
Network segmentation allows you to tailor policies for zones, VLANs, and IPsec VPNs, and you can use virtual routers for internal, external, and DMZ subgroups.
The SRX550 supports up to 5.5 Gbps of firewall throughput, 1 Gbps of IPsec VPN, and 800 Mbps of intrusion prevention system (IPS) throughput.
The SRX550 supports next-generation firewall capabilities such as intrusion prevention, application visibility and control, and unified threat management (UTM) features including antivirus, antispam, and enhanced Web filtering. Integrated security intelligence offers adaptive threat protection against command and control (C&C)-related botnets, malware, and Web application threats. The SRX550 also enforces policies based on GeoIP data from Juniper-provided feeds. IT organizations can use their own custom and third-party feeds for advanced threat protection.
The SRX550 is optimized for securing and connecting midsized or large
branch locations that are geographically dispersed. It provides cost-effective,
scalable integration of routing, security, and other midrange applications for
branch sites. IT staff can deploy and manage SRX550 appliances in dispersed
sites using the centralized Junos Space Security Director management
platform.
NSS Labs, the world's leading information security company, recommends the SRX550 because it delivers outstanding performance, even under the highest loads, in an architecture that consolidates next-generation firewall security with rich networking capabilities.
SRX550 specifications
  Junos OS software version tested               Junos OS 12.1
  Firewall performance (max)                     5.5 Gbps
  IPS performance                                800 Mbps
  VPN performance                                1.0 Gbps
  Maximum concurrent sessions                    375,000
  New sessions/second (sustained, TCP, 3-way)    27,000
  Maximum security policies                      7,256
Specifications
  Junos OS software version tested               Junos OS 12.1X44
  Firewall performance (max)                     10 Gbps
  IPS performance                                3 Gbps
  VPN performance                                4 Gbps
  Maximum concurrent sessions                    1.5 million
  New sessions/second (sustained, TCP, 3-way)    70,000
  Maximum security policies                      40,000
SRX5800 specifications
  Junos OS software version tested               Junos OS 15.1X49
  IPS performance                                100 Gbps
  VPN performance                                200 Gbps
  Maximum concurrent sessions                    230 million
  New sessions/second (sustained, TCP, 3-way)    2 million
  Maximum security policies                      Unrestricted
Features
Express Path, an optimization capability available on the next-generation line cards (IOC2), securely optimizes SRX5800 performance to improve IMIX bandwidth by identifying traffic flows that do not require additional inspection or deep processing.
Robust Routing Engine separates the data and control planes to allow the use of consolidated routing and security devices.
DoS and DDoS protection (Layers 3 and 4): A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users by temporarily or indefinitely interrupting the services of a host connected to the Internet. It is typically carried out by flooding the target with superfluous requests so that the system is overloaded and some or all legitimate requests cannot be served.[1] The analogy is a crowd blocking the door of a shop so that genuine customers cannot get in.
A distributed denial-of-service (DDoS) attack is launched from many devices spread across the Internet. Such barrages are harder to deflect because of the sheer number of sources involved, so blocking individual addresses does little. Layer 3 and 4 protection works on packet and connection-rate anomalies (floods of SYN, UDP or ICMP packets toward one destination, for example) rather than on application content.
TCP reassembly for fragmented packet protection: This guards against attacks such as Teardrop, which target the fragment reassembly code of the TCP/IP stack. The attacker sends IP fragments whose offsets and lengths overlap, so that no consistent datagram can be rebuilt; a vulnerable stack mishandles the overlapping data and crashes or hangs, taking the victim's server down.
Teardrop originally exploited a flaw in older versions of Windows, including 3.1, 95 and NT. After patches were thought to have ended it, a similar reassembly vulnerability was reported in Windows Vista and Windows 7, making the technique viable again. That flaw was patched in turn, but operators should confirm that it stays patched in future versions. The firewall mitigates the whole class by checking fragment offsets and lengths and dropping malformed fragment sets before they reach the host.
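The check a fragment-protection screen performs, as an added example that is not part of the original page or of Junos: each fragment is described by its IP identification, byte offset (the header field times 8), payload length and More-Fragments flag, and a datagram's set is classified before any reassembly is attempted. The sample fragment sets (a normal three-piece datagram, a Teardrop-style overlap, an oversize set and one with a gap) are constructed for the example.

```python
"""Fragment-set validation of the kind a fragmented-packet screen performs.
Added example code; the fragment sets below are constructed, not captured."""
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # largest IPv4 datagram; anything reassembling past it is hostile


@dataclass
class Fragment:
    ident: int     # IP identification field shared by all pieces of one datagram
    offset: int    # byte offset of this piece in the reassembled payload
    length: int    # payload bytes carried by this fragment
    more: bool     # MF flag: True on every fragment except the last


def classify(parts):
    """Classify one datagram's fragments (any order) without reassembling them.

    Returns 'ok', 'oversize', 'overlap', 'beyond-end', 'bad-length' or 'incomplete'.
    Checks are ordered so the most dangerous condition wins: oversize first,
    then an offset that lands inside an earlier piece (the Teardrop pattern).
    """
    parts = sorted(parts, key=lambda f: f.offset)
    end = 0            # first byte not yet covered by the pieces seen so far
    final = None       # the fragment carrying MF=0, once seen
    for f in parts:
        if f.offset + f.length > MAX_DATAGRAM:
            return "oversize"        # ping-of-death style: reassembly buffer overrun
        if final is not None:
            return "beyond-end"      # data claimed after the declared last piece
        if f.offset < end:
            return "overlap"         # Teardrop: piece starts inside a previous one
        if f.more and f.length % 8:
            return "bad-length"      # non-final pieces must be multiples of 8 bytes
        if f.offset > end:
            return "incomplete"      # gap: datagram cannot be rebuilt yet
        end = f.offset + f.length
        if not f.more:
            final = f
    return "ok" if final is not None else "incomplete"


def screen(fragments):
    """Group a mixed stream of fragments by IP identification and classify each set."""
    groups = {}
    for f in fragments:
        groups.setdefault(f.ident, []).append(f)
    return {ident: classify(parts) for ident, parts in groups.items()}


def sample_fragments():
    """Constructed input: four datagrams, three of them malformed."""
    return [
        # 1: ordinary 3060-byte datagram split on a 1500-byte MTU
        Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 100, False),
        # 2: Teardrop pattern, second piece starts inside the first
        Fragment(2, 0, 40, True), Fragment(2, 24, 8, False),
        # 3: reassembles to more than 65535 bytes
        Fragment(3, 0, 65528, True), Fragment(3, 65528, 16, False),
        # 4: middle piece missing
        Fragment(4, 0, 1480, True), Fragment(4, 2960, 100, False),
    ]


if __name__ == "__main__":
    for ident, verdict in screen(sample_fragments()).items():
        print(f"datagram {ident}: {verdict}")
```

A real screen also applies a timeout and a memory cap per datagram in flight, since an attacker who never sends the last piece can otherwise fill the reassembly table; that resource check is outside this example.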
Brute-force attack mitigation: A common threat web developers face is a password-guessing attack known as a brute-force attack: an attempt to discover a password by systematically trying every possible combination of letters, numbers and symbols until the one that works is found. Any site that requires user authentication is a target. Mitigation on the firewall means limiting how many authentication attempts a source may make in a given period and blocking that source once the limit is exceeded.
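Both the Layer 3/4 flood protection and the brute-force mitigation described above come down to the same primitive: count events per key inside a trailing time window and act when the count reaches a threshold. The following added example (not code from the page or from Junos) implements that counter once and applies it to two constructed event streams, bare SYNs counted per destination address, and failed logins counted per source address with a lockout. The thresholds, window lengths and sample records are invented for the example; timestamps are assumed to arrive in order.

```python
"""Sliding-window threshold detection for floods and password guessing.
Added example code with constructed events; thresholds are illustrative."""
from collections import defaultdict, deque


class ThresholdCounter:
    """Per-key event counter over a trailing window of `window` seconds."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # key -> timestamps still inside the window

    def over_threshold(self, key, ts):
        """Record one event for `key` at time `ts`; True if the window now holds
        `threshold` or more events. Assumes timestamps are non-decreasing."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()                        # expire events older than the window
        return len(q) >= self.threshold


def syn_flood_targets(flows, threshold=200, window=1.0):
    """flows: (ts, src, dst, tcp_flags). Returns destinations that received
    `threshold` bare SYNs (no ACK bit, so SYN-ACK replies are not counted)
    within any `window` seconds. Keyed by destination because flood sources
    are usually spoofed and counting per source would never trip."""
    counter = ThresholdCounter(threshold, window)
    targets = set()
    for ts, _src, dst, flags in flows:
        if flags == "S" and counter.over_threshold(dst, ts):
            targets.add(dst)
    return targets


def login_decisions(attempts, threshold=5, window=60.0, lockout=300.0):
    """attempts: (ts, src, user, password_ok). Returns one decision per attempt:
    'allow', 'deny', or 'locked' once a source has made `threshold` failures
    inside `window` seconds; a locked source is refused for `lockout` seconds
    without the password even being evaluated."""
    counter = ThresholdCounter(threshold, window)
    locked_until = {}
    decisions = []
    for ts, src, _user, password_ok in attempts:
        if locked_until.get(src, -1.0) > ts:
            decisions.append("locked")
            continue
        if password_ok:
            decisions.append("allow")
            continue
        decisions.append("deny")
        if counter.over_threshold(src, ts):
            locked_until[src] = ts + lockout
    return decisions


def sample_flows():
    """Constructed flow records: ten normal handshakes to 10.1.1.9, then
    300 SYNs from rotating spoofed sources to 10.1.1.8 inside half a second."""
    flows = []
    for i in range(10):
        flows.append((i * 1.0, f"192.0.2.{i}", "10.1.1.9", "S"))
        flows.append((i * 1.0 + 0.01, "10.1.1.9", f"192.0.2.{i}", "SA"))
    for i in range(300):
        flows.append((20.0 + i * 0.5 / 300, f"203.0.113.{i % 250}", "10.1.1.8", "S"))
    return flows


def sample_attempts():
    """Constructed login records: one good login, five rapid failures from a
    guessing host followed by a correct guess, then a user's own typo and retry."""
    attempts = [(0.0, "198.51.100.7", "alice", True)]
    attempts += [(10.0 + i, "203.0.113.5", "admin", False) for i in range(5)]
    attempts += [(16.0, "203.0.113.5", "admin", True)]
    attempts += [(30.0, "198.51.100.7", "alice", False), (31.0, "198.51.100.7", "alice", True)]
    return attempts


if __name__ == "__main__":
    print("flooded destinations:", syn_flood_targets(sample_flows()))
    print("login decisions:", login_decisions(sample_attempts()))
```

Two design points worth keeping: the SYN counter ignores SYN-ACKs so that a busy server's own replies cannot trip it, and the login lockout is keyed by source address rather than by username, because locking usernames lets an attacker deny service to legitimate users simply by guessing against their accounts.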
The SA and ES interfaces for Gateway A are configured as follows. This is the legacy manual-SA syntax of the ES PIC (a security-association under [edit security ipsec] bound to an es- interface); on SRX devices manual keys are configured under [edit security ipsec vpn] instead. A manual SA never rekeys and leaves both keys readable in the configuration, so it is shown here for illustration only; production tunnels should use IKE-negotiated SAs.

[edit security ipsec]
security-association manual-sa1 {
    manual {
        direction bidirectional {
            protocol esp;
            spi 2312;
            authentication {
                algorithm hmac-md5-96;
                key ascii-text 1234123412341234;
            }
            encryption {
                algorithm 3des-cbc;
                key ascii-text 123456789009876543211234;
            }
        }
    }
}

And under the ES interface of Gateway A:

unit 0 {
    tunnel {
        source 10.5.5.5;
        destination 10.6.6.6;
    }
    family inet {
        ipsec-sa manual-sa1;
        address 10.1.1.8/32 {
            destination 10.1.1.9;
        }
    }
}
The SA and ES interfaces for Gateway B are configured as follows (the SA is identical, with the tunnel endpoints and inner addresses mirrored):

[edit security ipsec]
security-association manual-sa1 {
    manual {
        direction bidirectional {
            protocol esp;
            spi 2312;
            authentication {
                algorithm hmac-md5-96;
                key ascii-text 1234123412341234;
            }
            encryption {
                algorithm 3des-cbc;
                key ascii-text 123456789009876543211234;
            }
        }
    }
}

[edit interfaces es-0/1/0]
unit 0 {
    tunnel {
        source 10.6.6.6;
        destination 10.5.5.5;
    }
    family inet {
        ipsec-sa manual-sa1;
        address 10.1.1.9/32 {
            destination 10.1.1.8;
        }
    }
}
Security Associations
A security association (SA) is a unidirectional agreement between the VPN participants
regarding the methods and parameters to use in securing a communication channel.
Full bidirectional communication requires at least two SAs, one for each direction.
Through the SA, an IPsec tunnel can provide the following security functions:
SA lifetime.
For inbound traffic, Junos OS looks up the SA by using the following triplet:
Destination IP address.
Security protocol, either AH or ESP.
Security parameter index (SPI), the 32-bit value carried in the AH or ESP header (2312 in the configuration above).
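What the receiving gateway does with that triplet, as an added example in Python rather than Junos code: the SPI and sequence number are read from the ESP header, the SA is found by (destination address, protocol, SPI), the hmac-md5-96 integrity check value is verified with the 16-byte ASCII key from the configuration, and only then is the anti-replay window advanced. The 3des-cbc decryption step is left out because the standard library has no 3DES; the payload bytes are constructed stand-ins for IV and ciphertext. The SA database, the packets and the `inbound_esp` function are this example's own.

```python
"""Inbound ESP processing against the page's manual SA (SPI 2312, ESP,
hmac-md5-96, key 1234123412341234). Added example; not Junos code."""
import hashlib
import hmac
import struct

ICV_LEN = 12     # hmac-md5-96 keeps the first 96 bits of HMAC-MD5
WINDOW = 64      # RFC 4303 minimum anti-replay window (bitmap width)


class SecurityAssociation:
    """One direction of one tunnel: the lookup triplet plus its keys and replay state."""

    def __init__(self, dst, protocol, spi, auth_key):
        self.dst, self.protocol, self.spi = dst, protocol, spi
        self.auth_key = auth_key
        self.highest_seq = 0   # highest sequence number accepted so far
        self.seen = 0          # bit i set => sequence highest_seq - i was accepted

    def icv_ok(self, authenticated, icv):
        mac = hmac.new(self.auth_key, authenticated, hashlib.md5).digest()[:ICV_LEN]
        return hmac.compare_digest(mac, icv)

    def replay_ok(self, seq):
        """Window check without state change; sequence 0 is never valid."""
        if seq == 0:
            return False
        if seq > self.highest_seq:
            return True
        diff = self.highest_seq - seq
        return diff < WINDOW and not ((self.seen >> diff) & 1)

    def mark(self, seq):
        """Advance or fill the window; call only after the ICV verified."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.seen |= 1 << (self.highest_seq - seq)


class SaDatabase:
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.dst, sa.protocol, sa.spi)] = sa

    def lookup(self, dst, protocol, spi):
        return self._sas.get((dst, protocol, spi))


def build_esp(spi, seq, payload, auth_key):
    """Sender side: SPI | sequence | payload | ICV, with the ICV computed over
    everything before it. `payload` stands in for IV+ciphertext+trailer."""
    head = struct.pack("!II", spi, seq) + payload
    return head + hmac.new(auth_key, head, hashlib.md5).digest()[:ICV_LEN]


def inbound_esp(sadb, dst, packet):
    """Receiver side. Returns 'accepted' or the reason the packet was dropped."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed"
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sadb.lookup(dst, "esp", spi)
    if sa is None:
        return "no-sa"                  # unknown triplet: drop and log
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not sa.replay_ok(seq):
        return "replay"                 # cheap check first, before the MAC
    if not sa.icv_ok(authenticated, icv):
        return "bad-icv"                # window untouched, so forgeries cannot burn sequence numbers
    sa.mark(seq)
    return "accepted"


def gateway_b_sadb():
    """Gateway B's inbound SA from the page: tunnel destination 10.6.6.6, ESP, SPI 2312."""
    db = SaDatabase()
    db.add(SecurityAssociation("10.6.6.6", "esp", 2312, b"1234123412341234"))
    return db


if __name__ == "__main__":
    db, key = gateway_b_sadb(), b"1234123412341234"
    pkt = build_esp(2312, 1, b"constructed-iv-and-ciphertext", key)
    print(inbound_esp(db, "10.6.6.6", pkt), inbound_esp(db, "10.6.6.6", pkt))
```

The ordering inside `inbound_esp` matters: the replay window is consulted before the MAC is computed, but only updated after the MAC verifies, so a forged packet with a high sequence number can neither slide the window nor cause later genuine packets to be refused.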
Triple DES (3DES): A stronger version of DES in which the DES algorithm is applied three times, using a 168-bit key. Plain DES is cheaper to compute but is considered unacceptable for classified or otherwise sensitive material. 3DES itself is now deprecated: its effective strength is about 112 bits, its 64-bit block size exposes long-lived tunnels to birthday attacks (Sweet32), and NIST disallows it for new use. The hmac-md5-96 integrity algorithm in the configuration above is likewise legacy; where the platform supports it, prefer AES with HMAC-SHA-256 or an AEAD mode such as AES-GCM.
Advanced Encryption Standard (AES): An encryption standard that offers greater interoperability with other devices. Junos OS supports AES with 128-bit, 192-bit, and 256-bit keys.