DATASHEET

SSG140 SECURE SERVICES GATEWAY

Product Overview
The SSG140 Secure Services Gateway is a purpose-built security appliance that delivers a perfect blend of performance, security, routing and LAN/WAN connectivity for medium sized branch offices and business deployments. Traffic flowing in and out of the branch office or business is protected from worms, spyware, trojans, and malware by a complete set of Unified Threat Management security features that include stateful firewall, IPsec VPN, intrusion prevention system (IPS), antivirus (includes antispyware, antiadware, antiphishing), antispam and Web filtering.

Product Description
The Juniper Networks® SSG140 Secure Services Gateway is a high-performance security platform for branch offices and small/medium sized standalone businesses that want to stop internal and external attacks, prevent unauthorized access, and achieve regulatory compliance. The SSG140 is a modular platform that delivers more than 350 Mbps of stateful firewall traffic and 100 Mbps of IPsec VPN traffic.

Security: Protection against worms, viruses, trojans, spam, and emerging malware is delivered by proven unified threat management (UTM) security features that are backed by best-in-class partners. To address internal security requirements and facilitate regulatory compliance, the SSG140 supports an advanced set of network protection features such as security zones, virtual routers and VLANs that allow administrators to divide the network into distinct, secure domains, each with its own unique security policy. Policies protecting each security zone can include access control rules and inspection by any of the supported UTM security features.

Connectivity and Routing: The SSG140 supports ten on-board interfaces (eight 10/100 plus two 10/100/1000) complemented by four I/O expansion slots that can house additional LAN and WAN interfaces (T1, E1, ADSL2/2+, G.SHDSL, ISDN BRI S/T, Serial, and 10/100/100), making the SSG140 the most extensible security platform in its class. This broad array of I/O options coupled with WAN protocol and encapsulation support in its routing engine make the SSG140 a platform that can easily be deployed as a traditional branch office router or as a consolidated security and routing device to reduce CapEx and OpEx.

Access Control Enforcement: The SSG140 can act as an enforcement point in a Juniper Networks Unified Access Control (UAC) deployment with the simple addition of the IC Series Unified Access Control Appliance. The IC Series functions as a central policy management engine, interacting with the SSG140 to augment or replace the firewall-based access control with a solution that grants/denies access based on more granular criteria that include endpoint state and user identity, in order to accommodate the dramatic shifts in attack landscape and user characteristics.

World Class Support: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment to its successful conclusion.


Figure: The SSG140 deployed at a branch office for secure Internet connectivity and site-to-site VPN to corporate headquarters. Internal branch office resources are protected with unique security policies for each security zone.

Features and Benefits

Feature: High performance
Feature Description: Purpose-built platform is assembled from custom-built hardware, powerful processing and a security-specific operating system.
Benefit: Delivers performance headroom required to protect against internal and external attacks now and into the future.

Feature: Best-in-class UTM security features
Feature Description: UTM security features (antivirus, antispam, Web filtering, IPS) stop all manner of viruses and malware before they damage the network.
Benefit: Ensures that the network is protected against all manner of attacks.

Feature: Integrated antivirus
Feature Description: Annually licensed antivirus engine, provided by Juniper, is based on Kaspersky Lab engine.
Benefit: Stops viruses, spyware, adware and other malware.

Feature: Integrated antispam
Feature Description: Annually licensed antispam offering, provided by Juniper, is based on Sophos technology.
Benefit: Blocks unwanted email from known spammers and phishers.

Feature: Integrated Web filtering
Feature Description: Annually licensed Web filtering solution, provided by Juniper, is based on Websense SurfControl technology.
Benefit: Controls/blocks access to malicious Web sites.

Feature: Integrated IPS (Deep Inspection)
Feature Description: Annually licensed IPS engine is available with Juniper Networks Deep Inspection Firewall Signature Packs.
Benefit: Prevents application-level attacks from flooding the network.

Feature: Fixed Interfaces
Feature Description: Eight fixed 10/100 interfaces and two 10/100/1000 interfaces, one console port, one USB port, and one auxiliary port.
Benefit: Provides high-speed LAN connectivity, future connectivity, and flexible management.

Feature: Network segmentation
Feature Description: Bridge groups,* security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, wireless networks and regional servers or databases.
Benefit: Powerful capabilities facilitate deploying security for various internal, external and DMZ sub-groups on the network, to prevent unauthorized access.

Feature: Robust routing engine
Feature Description: Proven routing engine supports OSPF, BGP and RIP v1/2 along with Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC.
Benefit: Enables the deployment of consolidated security and routing device, thereby lowering operational and capital expenditures.

Feature: High interface density
Feature Description: Eight 10/100 plus two 10/100/1000 interfaces plus a console and an Aux interface for management.
Benefit: Provides unmatched interface density when compared to competitive offerings.

Feature: Interface modularity
Feature Description: Four SSG140 interface expansion slots support optional T1, E1, ISDN BRI S/T, ADSL2/2+, G.SHDSL and serial physical interface modules (PIMs), and 10/100/1000 and SFP universal PIMs (uPIMs).**
Benefit: Delivers LAN and WAN connectivity options on top of unmatched security to reduce costs and extend investment protection.

Feature: Management flexibility
Feature Description: Use any one of three mechanisms, CLI, WebUI or Juniper Networks Network and Security Manager (NSM), to securely deploy, monitor and manage security policies.
Benefit: Enables management access from any location, eliminating on-site visits thereby improving response time and reducing operational costs.

Feature: Juniper Networks Unified Access Control enforcement point
Feature Description: Interacts with the centralized policy management engine (IC Series) to enforce session-specific access control policies using criteria such as user identity, device security state, and network location.
Benefit: Improves security posture in a cost-effective manner by leveraging existing customer network infrastructure components and best-in-class technology.

Feature: World-class professional services
Feature Description: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment.
Benefit: Transforms the network infrastructure to ensure that it is secure, flexible, scalable and reliable.

Feature: Auto-Connect VPN
Feature Description: Automatically sets up and takes down VPN tunnels between spoke sites in a hub-and-spoke topology.
Benefit: Provides a scalable VPN solution for mesh architectures with support for latency-sensitive applications such as VoIP and video conferencing.

* Bridge groups supported only on uPIMs in Juniper Networks ScreenOS® Software 6.0 and higher releases.
** uPIMs are only supported in ScreenOS 6.0 or higher releases.

000 1. 2xE1. Web filtering. E1. and 10/100/1000 and SFP universal PIMs (uPIMs). 2xSerial. 1xISDN BRI S/T SFP.000+ POP3. RSA SecureID. IM yes yes yes yes yes yes yes SSG140 Specifications Maximum Performance and Capacity(1) ScreenOS version tested Firewall throughput (large packets) Firewall throughput (IMIX)(2) Firewall packets per second (64 byte) Advanced Encryption Standard (AES) 256+SHA-1 VPN throughput 3DES encryption +SHA-1 VPN throughput Maximum concurrent sessions New sessions/second Maximum security policies Maximum users supported ScreenOS 6. G. 3DES encryption (168-bit) and AES (256-bit) MD-5 and SHA-1 authentication Manual key. IPS (Deep Inspection). The SSG140 can be configured with any combination of the following best-in-class UTM and content security functionality: antivirus (includes antispyware. Four SSG140 interface expansion slots support optional T1.000 8. antiphishing). ADSL2/2+. FTP.000 PPS 100 Mbps 100 Mbps 48.2 350+ Mbps 300 Mbps 90.1X authentication Unified Access Control (UAC) enforcement point 250 RADIUS. Application-level gateway (ALG) SIP ALG MGCP ALG SCCP ALG Network Address Translation (NAT) for VoIP protocols yes yes yes yes yes IPsec VPN Concurrent VPN tunnels Tunnel interfaces DES encryption (56-bit). SMTP. 10/100/1000 1. 2x10/100/1000 4 2xT1. IKEv2 with EAP public key infrastructure (PKI) (X. IMAP. ISDN BRI S/T.323.5 yes yes yes yes yes yes Firewall Network attack detection DoS and DDoS protection TCP reassembly for fragmented packet protection Brute force attack mitigation SyN cookie protection Zone-based IP spoofing Malformed packet protection yes yes yes yes yes yes yes IPsec Network Address Translation (NAT) traversal Auto-Connect VPN Redundant VPN gateways User Authentication and Access Control Built-in (internal) database user limit Third-party user authentication RADIUS Accounting XAUTH VPN authentication Web-based authentication 802. 
Applicable Products SSG140 SSG140 high memory model only I/O options SSG140 Signature database Protocols scanned Antispyware Antiadware Anti-keylogger Instant message AV Antispam Integrated URL filtering External URL filtering(4) 200.SHDSL and serial physical interface modules (PIMs).509) Perfect forward secrecy (DH Groups) Prevent replay attack Remote access VPN Layer 2 Tunneling Protocol (L2TP) within IPsec 500 50 yes yes yes Network Connectivity Fixed I/O Physical Interface Module (PIM) slots Modular WAN/LAN interface options (PIMs/uPIMs) 8x10/100. ADSL2/2+. HTTP.Product Options Option DRAM Unified Threat Management/ Content Security (high memory option required) Option Description The SSG140 is available with either 256 MB or 512 MB of DRAM.000 Unrestricted VoIP Security H.2. and/or antispam. Internet Key Exchange (IKE). LDAP yes – start/stop yes yes yes yes Unified Threat Management(3) IPS (Deep Inspection firewall) Protocol anomaly detection Stateful protocol signatures IPS/DI attack pattern obfuscation Antivirus yes yes yes yes yes 3 .

RSA Keon.L3 mode Active/passive .Specifications (continued) PKI Support PKI certificate requests (PKCS 7 and PKCS 10) Automated certificate enrollment (SCEP) Online Certificate Status Protocol (OCSP) Certificate Authorities supported yes yes yes Verisign.Transparent & L3 mode Configuration synchronization Session synchronization for firewall and VPN Session failover for routing change VRRP Device failure detection Link failure detection Authentication for new HA members Encryption of HA traffic yes yes yes yes yes yes yes yes yes yes Encapsulations Point-to-Point Protocol (PPP) Multilink Point-to-Point Protocol (MLPPP) MLPPP max physical interfaces Frame relay MLFR max physical interfaces HDLC yes yes 4 yes 4 yes Multilink Frame Relay (MLFR) (FRF 15. RTSP. v2) IGMP Proxy Protocol Independent Multicast (PIM) single mode PIM source-specific multicast Multicast inside IPsec tunnel 6 24 2.048 3 2.per policy yes . Microsoft.Point-to-Point Protocol over Ethernet (PPPoE) client Internal DHCP server DHCP relay yes yes yes yes Traffic Management Quality of Service (QoS) Guaranteed bandwidth Maximum bandwidth Ingress traffic policing Priority-bandwidth utilization Differentiated Services marking yes . 4 . DOD PKI yes IPv6 Dual stack IPv4/IPv6 firewall and VPN IPv4 to/from IPv6 translations and encapsulations Syn-Cookie and Syn-Proxy DoS Attack Detection SIP.048 yes yes yes yes yes yes yes yes yes yes Address Translation Network Address Translation (NAT) Port Address Translation (PAT) Policy-based NAT/PAT (L2 and L3 mode) Mapped IP (MIP) (L3 mode) Virtual IP (VIP) (L3 mode) MIP/VIP Grouping (L3 mode) yes yes yes 1.048 64 2. Sun-RPC. 
and MS-RPC ALG’s RIPng BGP Transparent mode NSRP 40 6 yes 100 DHCPv6 Relay yes yes yes yes yes yes yes yes yes Self signed certificates Virtualization Maximum number of security zones Maximum number of virtual routers Bridge groups* Maximum number of VLANs Mode of Operation Layer 2 (transparent) mode(5) Layer 3 (route and/or NAT) mode yes yes Routing BGP instances BGP peers BGP routes OSPF instances OSPF routes RIPv1/v2 instances RIP v2 routes Static routes Source-based routing Policy-based routing Equal-cost multipath (ECMP) Multicast Reverse Forwarding Path (RFP) Internet Group Management Protocol (IGMP) (v1. FRF 16) yes *Bridge groups supported only on uPIMs in ScreenOS 6.500 16 yes IP Address Assignment Static Dynamic Host Configuration Protocol (DHCP).per policy yes yes yes .per policy High Availability (HA) Active/active .0 and higher releases. Entrust.048 2. iPlanet (Netscape) Baltimore.

active/active HA and IP address assignment are not available in layer 2 transparent mode. The high memory option is required for UTM Security features. LDAP 6 yes TFTP.1 yes yes yes (1) Performance. (2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer’s network. WebUI.33% 1518 byte packets of UDP traffic. The IMIX traffic used is made up of 58. capacity and features listed are based upon systems running ScreenOS 6. small/medium businesses Remote/branch offices Small/medium businesses Remote/branch offices of large enterprises Defense Type Client/server and worm protection Perimeter defense.63 kg) yes. policy-based NAT. virtual IP. virtual routers.8 dB Administration Local administrator database size External administrator database support Restricted administrative networks Root Admin. RSA SecureID. antispam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks.5 x 1.0 compatible yes yes No Maximum thermal output Noise Level 20 RADIUS. RIPv2. SCP. The following signature packs are available for the SSG140: Signature Pack Base Client Server Worm mitigation Target Deployment Branch offices. however it does require the purchase of a separate Web filtering license from either Websense or SurfControl. NSM. (4) Redirect Web filtering sends traffic from the firewall to a secondary server.2 lb (4. AC Input line frequency 50 Hz or 60 Hz AC system current rating 2 A 580 BTU/hour (170 W) 48. Actual results may vary based on ScreenOS release and deployment.1 cm) 10. and Read Only user levels Software upgrades Configuration roll-back Certifications Safety certifications Electromagnetic compatibility (EMC) certifications Network Equipment Building System (NEBS) Mean time between failures (MTBF) (Bellcore model) UL. mapped IP.net/customers/support/) and click on ScreenOS Software Downloads. 
For a complete list of supported ScreenOS versions for SSG Series gateways. USB yes Dimensions and Power Dimensions (W x H x D) Weight Rack mountable Power supply (AC) 17. trojans. virtual systems. (3) UTM Security features (IPS/Deep Inspection.Specifications (continued) System Management WebUI (HTTP and HTTPS) Command line interface (console) Command line interface (telnet) Command line interface (SSH) Network and Security Manager (NSM) All management via VPN tunnel on any interface Rapid deployment yes yes yes yes – v1. compliance for hosts (for example desktops) Perimeter defense. Annual subscriptions provide signature updates and associated support.5 x 38. (5) NAT. VLANs. OSPF.8 x 15 in (44. IPS (Deep Inspection Firewall) Signature Packs Signature packs provide the ability to tailor the attack protection to the specific deployment and/or attack type. please visit the Juniper Customer Support Center (www.33% 64 byte packets + 33. compliance for server infrastructure Most comprehensive defense against worm attacks Type of Attack Object Range of signatures and protocol anomalies Attacks in the server-to-client direction Attacks in the client-to-server direction Worms. CUL. CE class B No 16 years Security Certifications Common Criteria: EAL4 Future Future yes FIPS 140-2: Level 2 ICSA Firewall and VPN Logging/Monitoring System log (multiple servers) Email (2 addresses) NetIQ WebTrends SNMP (v3) SNMP full custom MIB Traceroute VPN tunnel monitor yes – up to 4 servers yes yes yes yes yes yes Operating Environment Operating temperature Non-operating temperature Humidity 32° to 104° F (0° to 40° C) -4° to 158° F (-20° to 70° C) 10% to 90% noncondensing External Flash Additional log storage Event logs and alarms System configuration script ScreenOS Software USB 1. CB FCC class B.juniper. backdoor attacks 5 . PAT. antivirus. CSA.33% 570 byte packets + 8. BGP. 1RU 100-240 VAC.5 and v2.2 and are the measured maximums under ideal testing conditions unless otherwise noted. 
Admin.5 x 4. The redirect feature is free.

net APAC Headquarters Juniper Networks (Hong Kong) 26/F. registered marks.net.601 To purchase Juniper Networks solutions.31. Corporate and Sales Headquarters Juniper Networks. Inc. Juniper Networks delivers the software.2100 juniper. Europe Power Cable. and availability.586. Spares and Communications Cables SSG-100-MEM-512 512 MB DIMM Memory upgrade Power Cable. Junos. WF) Main Office Bundle (AV. WF. please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller. transfer. the Juniper Networks logo. AC power I/O Options JX-1BRI-ST-S JX-2E1-RJ48-S JX-2T1-RJ48-S JX-2Serial-S JX-1ADSL-A-S JX-1ADSL-B-S JX-2SHDSL-S JXU-6GE-SFP-S JXU-1SFP-S JXU-8GE-TX-S JXU-16GE-TX-S 1-port ISDN BRI S/T PIM 2-port E1 PIM with integrated CSU/DSU 2-port T1 PIM with integrated CSU/DSU 2-port Serial PIM 1-port ADSL 2/2+ Annex A PIM 1-port ADSL 2/2+ Annex B PIM 2-port 2-wire or 1-port 4-wire G. from consumers to cloud providers. Inc.8903.0 or higher releases.31.745. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance. 1194 North Mathilda Avenue Sunnyvale. please visit www.600 EMEA Sales: 00800. Copyright 2011 Juniper Networks. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks. UK Power Cable.21 cable (DTE) CBL-JX-PWR-AU CBL-JX-PWR-CH CBL-JX-PWR-EU CBL-JX-PWR-IT SSG140 SSG-140-SB SSG-140-SH SSG140 with 256 MB memory. Cityplaza One 1111 King’s Road Taikoo Shing. modify. For more details.4737) or 408.2000 Fax: 408. reliability. Japan Power Cable. 1000181-007-EN Nov 2011 Printed on recycled paper 6 .2332.juniper.2574.3636 Fax: 852. IPS.8903. Model Number Description Unified Threat Management/Content Security (High Memory Option Required) NS-K-AVS-SSG140 NS-DI-SSG140 NS-SPAM2-SSG140 NS-WF-SSG140 NS-RBO-CS-SSG140 NS-SMB2-CSSSG140 Antivirus (antispyware. achieving a faster time to value for your network. in the United States and other countries. 
0 PIM cards.juniper. Hong Kong Phone: 852. Italy Power Cable. US Blank I/O plate EIA530 cable (DTE) RS232 cable (DTE) RS449 cable (DTE) 35 cable (DTE) X. 0 PIM cards. China Power Cable. CA 94089 USA Phone: 888.JUNIPER (888. Inc. and ScreenOS are registered trademarks of Juniper Networks.4586. All rights reserved. County Dublin. or registered service marks are the property of their respective owners. Additional information can be found at www. The company serves customers and partners worldwide.net/us/en/ products-services. service marks. Australia Power Cable. Ireland Phone: 35. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk. From devices to data centers. antiphishing) IPS (Deep Inspection) Antispam Web filtering Remote Office Bundle (AV. IPS. AC power SSG140 with 512 MB memory. extend. silicon and systems that transform the experience and economics of networking.SDHSL PIM 6-port SFP Gigabit Ethernet Universal PIM* (SFP sold separately) 1-port SFP 100 Mbps or Gigabit Ethernet Universal PIM* (SFP sold separately) 8-port Gigabit Ethernet 10/100/1000 Copper Universal PIM* 16-port Gigabit Ethernet 10/100/1000 Copper Universal PIM* CBL-JX-PWR-JP CBL-JX-PWR-UK CBL-JX-PWR-US JX-Blank-FP-S JX-CBL-EIA530-DTE JX-CBL-RS232-DTE JX-CBL-RS449-DTE JX-CBL-V35-DTE JX-CBL-X21-DTE Note: The appropriate power cord is included based upon the sales order “Ship To” destination. or otherwise revise this publication without notice. * uPIMs are only supported in ScreenOS 6. AS) Ordering Information Model Number Description Memory Upgrades. NetScreen.745.Juniper Networks Services and Support Juniper Networks is the leader in performance-enabling services that are designed to accelerate. and optimize your high-performance network. All other trademarks.7803 EMEA Headquarters Juniper Networks Ireland Airside Business Park Swords.4737 Fax: 35. Juniper Networks reserves the right to change. 
About Juniper Networks Juniper Networks is in the business of network innovation.
