Juniper新一代安全業(yè)務(wù)網(wǎng)關(guān)SRX

Juniper新一代安全業(yè)務(wù)網(wǎng)關(guān)SRX第一頁，共五十一頁。Juniper下一代安全業(yè)務(wù)網(wǎng)關(guān)下一代安全業(yè)務(wù)網(wǎng)關(guān)可升級(jí)的性能豐富的服務(wù)功能防火墻/UAC執(zhí)行點(diǎn)IDPIPSECVPNRouting/QoS3U,4+3CFMs,8+4GE,2RE*,1+1PS,20/6/6Gbps,1Msessions,175kcps,10kIPSECtunnels5U,6+6CFMs,8+4GE,2RE*,2+2PS,30/10/10Gbps,2Msessions,175kcps,20kIPSECtunnels8U,6slots,2RE*,1+1SCB,2+2PS,60/15/15Gbps,8Msessions,350kcps,30kIPSECtunnels16U,12slots,2RE*,2+1SCB,3+1AC,2+2DC,120/30/30Gbps,8Msessions,350kcps,60kIPSECtunnelsSRX210SRX650SRX3600SRX3400SRX5600SRX5800SRX100SRX240第二頁，共五十一頁。SRX系列—基于JUNOS的業(yè)務(wù)安全網(wǎng)關(guān)DynamicServicesConsolidateManagementFrameworkAppLayer

ForwardingThreat

PreventionAccessControlSRXDynamicServicesGatewayRoutingFirewallIPSIPSecVPNNATUAC？第三頁，共五十一頁。電信級(jí)路由操作系統(tǒng)JUNOS和安全操作系統(tǒng)ScreenOS的完美融合來自JUNOS的MPLS/NSF/NSR等高級(jí)功能來自JUNOS的層次化CLI配置風(fēng)格來自ScreenOS的安全特性:安全域/NAT/IPsecVPN/Screen/深度檢測(cè)/UTMCommit/JUNOSScripts等高級(jí)管理特性模塊化設(shè)計(jì)故障和內(nèi)存保護(hù)獨(dú)立進(jìn)程，獨(dú)立重啟10+年研發(fā)，TL-9000認(rèn)證M40eMX960M7iM10iT320T640M320M120JUNOSM20kernel協(xié)議接口管理機(jī)箱管理SNMP安全性J2300/J4350/J6350SRX軟件：新一代安全操作系統(tǒng)JUNOS第四頁，共五十一頁。集成的業(yè)界最好的解決方案JUNOS高性能網(wǎng)絡(luò)操作系統(tǒng)10多年的創(chuàng)新以及開發(fā)服務(wù)于有最多需求的客戶ScreenOSJuniper安全設(shè)備的基礎(chǔ)市場(chǎng)領(lǐng)先的創(chuàng)新以及特性#1高端防火墻市場(chǎng)份額第一[Infonetics06/09]滿足服務(wù)提供商需求的性能以及可靠性，還有企業(yè)的安全特性在單一的OS中，提供簡(jiǎn)化的操作，可靠的/性能以及增強(qiáng)的功能*InfoneticsNetworkSecurityAppliancesandSoftware-QuarterlyWorldwideMarketShareandForecastsfor3Q07第五頁，共五十一頁。高端安全產(chǎn)品可伸縮的性能豐富的特性防火墻IDPIPSECVPN路由QoS可擴(kuò)展的安全服務(wù)集成的網(wǎng)絡(luò)服務(wù)統(tǒng)一管理(NSM)10Gbps30Gbps50Gbps150Gbps健壯的防火墻/高端安全產(chǎn)品適用于IPv6獲得以下的認(rèn)證CCEAL3/4FIPS140-2ScreenOSJUNOSSRX5800ISG2000ISG1000NS-5200NS-5400SRX3400SRX3600SRX5600第六頁，共五十一頁。SRX高端平臺(tái)硬件設(shè)計(jì)中央服務(wù)平面在高速交換背板基礎(chǔ)上建立帶有獨(dú)立的控制和數(shù)據(jù)平面適應(yīng)性平臺(tái)可擴(kuò)展的，處理能力提供性能以及容量上的擴(kuò)展性可用性所有部件均采用冗余備份ServiceProcessingCardsFabricInput/OutputCardsRE第七頁，共五十一頁。SRX軟件能力高度集成的服務(wù)高級(jí)服務(wù)以及特性的可見性在同一張卡上提供新增服務(wù)高密度，可編程的處理能力智能化的任務(wù)分擔(dān)將計(jì)算分布到整個(gè)系統(tǒng)中優(yōu)異的分布式模型用于會(huì)話的建立以及服務(wù)的提供可擴(kuò)展的服務(wù)在網(wǎng)絡(luò)各“層”上的服務(wù)豐富的第三層特性–路由/QoS/NAT完整的L4-7支持–FW,VPN,IDP,UTMServicesProcessingCardFabricQoSDoSNATVPNFWIDP第八頁，共五十一頁。SRX5000系列動(dòng)態(tài)服務(wù)網(wǎng)關(guān)SRX5000系列服務(wù)網(wǎng)關(guān)2008年9月發(fā)布革命性的架構(gòu)集成的服務(wù)可伸縮的性能簡(jiǎn)化的操作世界上最高速的安全解決方案ScreenOS的歷史，在JUNOS里面延續(xù)基于動(dòng)態(tài)服務(wù)的架構(gòu)，加速了新服務(wù)的部署第九頁，共五十一頁。SRX5000

世界最快的安全解決方案世界最大容量的防火墻集成式的服務(wù)可擴(kuò)展的性能簡(jiǎn)化的操作以JUNOS和Juniper動(dòng)態(tài)服務(wù)架構(gòu)(DSA)驅(qū)動(dòng)第十頁，共五十一頁。SRX5800豎插機(jī)箱2個(gè)專用交換矩陣模塊（缺?。?2個(gè)插槽（SPC/IOC）接口IOC模塊（內(nèi)置NP模塊）40-SFP4-10GigFlexIO2slotFPC16xGE,4x10GmodulesSPC模塊尺寸–16U性能FW–150GbpsVPN–30GbpsIDP–30Gbps并發(fā)會(huì)話數(shù)–8M新建會(huì)話–350K并發(fā)VPN隧道數(shù)–100k第十一頁，共五十一頁。SRX5600橫插機(jī)箱1個(gè)交換矩陣模塊6個(gè)插槽（SPC/IOC）接口模塊40-SFP4-10GigFlexIO2slotFPC16xGE,4x10GmodulesSPC模塊尺寸–8U性能FW–60GbpsVPN–15GbpsIDP–15Gbps并發(fā)會(huì)話數(shù)–8M新建會(huì)話數(shù)–350k并發(fā)VPN隧道數(shù)–100k第十二頁，共五十一頁。FlexIOC低成本，模塊化的I/O卡全寬度支持兩種插拔模塊16xSFP,16xCopper&4xXFP基于現(xiàn)有的架構(gòu)可以與當(dāng)前40xSFP/4xXFPIOC卡互操作20Gbps最大吞吐Vs.40Gbpsfor4x10Gor40x1GIOCs16x10/100/10004x10GigXFPNEW!第十三頁，共五十一頁。服務(wù)處理卡Fabric輸入/輸出卡 流查找 分類 DoS/DDoS 限速 入流包 出流包服務(wù)處理 FW/IPSecVPN/IDP NAT/路由路由/設(shè)備管理 QoS/ShapingSRX5K包流–完全集成式RE第十四頁，共五十一頁。SRX3000

最具效益的網(wǎng)絡(luò)安全解決方案在不影響安全下最大化了靈活性不可超越的性價(jià)比由JUNOS以及Juniper動(dòng)態(tài)服務(wù)架構(gòu)(DSA)驅(qū)動(dòng)第十五頁，共五十一頁。SRX3400:產(chǎn)品簡(jiǎn)介硬件模塊化的機(jī)箱7槽(4槽在前面,3槽在后面)3U機(jī)箱高度雙REready1+1電源固定接口12built-in(8-10/100/1000+4-SFP)2EthernetManagementPorts模塊化接口16-10/100/100016-SFP2-XFP性能&處理能力FW–10/20GbpsVPN–6GbpsIDP–6Gbps并發(fā)會(huì)話數(shù)–2.25M每秒新建會(huì)話數(shù)–175kFrontRear第十六頁，共五十一頁。SRX3600:產(chǎn)品簡(jiǎn)介硬件模塊化的機(jī)箱12槽(6在前面,6槽在后面)5U機(jī)箱高度雙REready2+2電源固定接口12built-in(8-10/100/1000+4-SFP)2EthernetManagementPorts模塊化接口16-10/100/100016-SFP2-XFP性能&處理能力FW–10/20/30GbpsVPN–10GbpsIDP–10Gbps并發(fā)會(huì)話數(shù)–2.25M每秒新建會(huì)話數(shù)–175kFrontRear第十七頁，共五十一頁。1.5服務(wù)處理卡流查找分類DoS/DDoS限速入流包出流包 服務(wù) FW/VPN/IDP NAT/路由RE路由/設(shè)備管理 QoS/ShapingFabricFabric網(wǎng)絡(luò)處理卡 超賣控制輸入輸出卡SRX3K包流–完全集成式第十八頁，共五十一頁。Juniper完整的中低端UTM產(chǎn)品系列CentrallymanagedbyNSMTelecommuter/SmallOfficeSmalltoMediumBranchLargeBranch/RegionalOfficeSRX100SRX210防火墻性能（最大）750MbpsIPS性能80MbpsVPN性能75Mbps最大的并發(fā)會(huì)話數(shù)量64KSRX240防火墻性能（最大）1.5GbpsIPS性能250MbpsVPN性能250Mbps最大的并發(fā)會(huì)話數(shù)量128KSRX650防火墻性能（最大）7GbpsIPS性能900MbpsVPN性能1.5Gbps最大的并發(fā)會(huì)話數(shù)512k第十九頁，共五十一頁。SRX650固定接口4xGE(routingonly)GPIM插槽數(shù)量8USB接口(flash)2perprocessorPoE以太網(wǎng)供電Upto48ports(250Wor500W)PSTNvoiceportsUpto8Analog,2xT1/E1,perGPIM（2010年）AV&IDPHWCSAStandard防火墻包轉(zhuǎn)發(fā)能力（64字節(jié)）900Kpps防火墻吞吐量7Gbps2.5Gbps(IMIX)VPN吞吐量1.5GbpsIDP吞吐量900Mbps最大并發(fā)連接512,000每秒新建連接30,000高可用性支持A/AorA/P,Hots,Dualprocessors,Dualpower定位在企業(yè)核心或大型分支機(jī)構(gòu)模塊化可擴(kuò)展的接口,最大支持52個(gè)千兆可選的冗余電源可擴(kuò)展語音功能(fieldupgradableviaPIMsin2010)路由和UTM功能的完美融合–Firewall/VPN,IPS(IDP),anti-virus,anti-spam,webfiltering,content-filtering,UACEnforcement第二十頁，共五十一頁。SRX240固定接口16xGEMini-PIM插槽43GwirelessoptionMini-PIMUSBports(flash)2PoE以太網(wǎng)供電16ports(150W)可選PSTN語音接口2xFXS,2xFXO&mini-PIM（09年底）AV&IDP硬件加速:CSA高內(nèi)存版本支持防火墻包轉(zhuǎn)發(fā)能力（64字節(jié)）200Kpps防火墻吞吐量1.5Gbps500Mbps(IMIX)VPNPerformance250MbpsIDPPerformance250Mbps最大并發(fā)連接64k/128k每秒新建連接9000HighAvailabilityA/AorA/P面向中小型分支機(jī)構(gòu)廣域網(wǎng)模塊支持路由功能（JUNOS）UTM功能–Firewall/VPN,IPS(IDP),anti-virus,anti-spam,webfiltering,content-filtering,UACEnforcementUTMrequiresHighmemorymini-PIM語音卡-(Q4’09)出廠內(nèi)置語音模塊(Q4’09)第二十一頁，共五十一頁。SRX210固定接口2xGE+6xFEMini-PIM插槽13GwirelessslotPCExpressCardUSBports(Flash)2以太網(wǎng)供電PoE4ports(50Wtotal)可選的語音接口2xFXS,2xFXO&mini-PIMAV&IDP硬件加速:CSA高內(nèi)存版本支持防火墻包轉(zhuǎn)發(fā)能力（64字節(jié)）80Kpps防火墻吞吐量750Mbps250Mbps(IMIX)VPN吞吐量75MbpsIDP吞吐量80Mbps最大并發(fā)連接32k/64k每秒新建連接2000HighAvailabilityA/AorA/P面向小型企業(yè)與分支機(jī)構(gòu)可支持廣域網(wǎng)接口路由、NAT完整的UTM功能–Firewall/VPN,IPS(IDP),anti-virus,anti-spam,webfiltering,content-filtering,UACEnforcementUTM需要高內(nèi)存版本支持AvailableVoiceversionwithmini-PIMoptions-(Q3‘09)Factory-configuredvoicemodel(Q3’09)第二十二頁，共五十一頁。SRX100固定接口8xFEMini-PIM插槽NoOptional3Gwireless*PCExpressCardUSBports(Flash)1PoE不支持OptionalWANmodelsVDSL2OptionalWLANmodels802.11nVoicePortsNo防火墻包轉(zhuǎn)發(fā)能力（64字節(jié)）60Kpps防火墻吞吐量175Mbps(IMIX)VPNPerformance75MbpsIDPPerformance80MbpsHighAvailabilityA/AorA/PIdealformicro-branch,

managedtelecommuters,SOHOFixedI/O–8x10/100EthernetportsRouting,NGNATFullUTMfeatures–Firewall/VPN,IPS(IDP),anti-virus,anti-spam,webfiltering,content-filtering,UACEnforcementUTMrequiresHighMemorymodel(SoftwareUTM,noCSA)ExpressCardslotonVDSL&802.11nplatforms第二十三頁，共五十一頁。SRX分支機(jī)構(gòu)產(chǎn)品特色性能“內(nèi)容安全硬件加速”IDP&Antivirus硬件加速功能“ExpressAV”–Antivirusstreammatching集成的多業(yè)務(wù)安全平臺(tái)路由（廣域網(wǎng)模塊支持）、交換、防火墻、VPN動(dòng)態(tài)VPN客戶端（類似于NC，僅SRX200系列支持）入侵防御功能(完整IDP功能）防病毒、防垃圾郵件與網(wǎng)頁過濾語音功能、無線、應(yīng)用加速功能（未來）3G模塊支持PoE、PoE+可靠性設(shè)計(jì)基于多核處理器轉(zhuǎn)發(fā)與控制分離架構(gòu)JSRP高可用性支持（A/A、A/P）基于JUNOS的多業(yè)務(wù)安全平臺(tái)第二十四頁，共五十一頁。SRX2103G無線廣域網(wǎng)Deployments-PrimaryconnectionwherewiredbroadbandisnotavailableBackupconnectivitywithwiredprimary.Outofbandmanagement,remotedeployment.AvailableonSRX210HQDatacenter3GWirelessDynamicVPNServicesINTERNETRetailBranchRegional第二十五頁，共五十一頁。分支機(jī)構(gòu)無線AP解決方案Juniper802.11n室內(nèi)解決方案Backwardscompatibleto.11a/b/gDualmoderadiosupport300Mbps(Aggregate)Singleradio200Mbps(160Mbpstypical)SpatialStreams:2x2:2,2x3:2,3x3:2UL2043Plenumratedforoverceilingmounting.50Meterrange(indoor)UnitcanbemountedonceilingorwallVirtualAPtechnology–Supportofupto16simultaneousSSIDs802.11eWMMcapable1GigabitEthernetPOEsupportOptionalExternalPowerSupplySerialConsolSupportL2ManagedbySRXBranchProductsAdditionallicensingcostforBranchSRXtomanagemultipleaccesspoints–Clustersof4,8,16APs.第二十六頁，共五十一頁。軟件特性802.1QVLANsupportUpto4,096VLANsupport(platformdependent)RoutedVLANInterface(RVI)GARPVLANRegistrationProtocol(GVRP)QOSonVLANinterfaceL3Strictpriorityqueuing(LLQ)L3SmoothedDeficitWeightedRoundRobin(SDWRR)L3WeightedRandomEarlyDiscard(WRED)L3Perportandperqueueshaping802.1xPortbasedAuthentication802.3ad(AX)linkaggregation*STP,SpanningTreeProtocol802.1DSpanningTreeProtocol802.1SMultipleSTP802.1wRapidSTPJumboFrameSupport(9,216Byte)*以太網(wǎng)交換SRX210SRX240SRX650硬件(主機(jī)板上的以太網(wǎng))SRX1008Fixed10/100(SwitchedorRouted)SRX210Fixed210/100/1000+610/100(SwitchedorRouted)802.3afoptionalPOE(2FE+2GE)SRX240Fixed16Ports10/100/1000(SwitchedorRouted)PoweroverEthernet(optionalallports)802.3af,802.3atSRX650Fixed4ports10/100/1000(Routed)硬件（Ethernet模塊）SRXMini-PIM(SRX210/SRX240)1PortSFP16portGigEXPIMforSRX650Double-highFull-duplex20Gbpsbackplane16portGEandoptionalPoE24portGigEincluding4SFPslotsXPIMforSRX650Double-high-double-wideOptionalPOE-24portGEwithPoEincl4SFPslotsFull-duplex20GbpsbackplaneOpticsSRXGESFPLH|SRXGESFPLX|SRXGESFPSX|

SRXGESFP1000Base-T|SRXFEFXSFPSRX100*NotsupportedonSRX100第二十七頁，共五十一頁。UnifiedThreatManagement(UTM)FeaturesWebsensetoblocktounapprovedsiteaccessWebFilteringKasperskyLabAVstopsViruses,Trojans,Spyware,Adware,KeyloggersKasperskyLabAVstopsviruses,trojansorspreadofspyware,adware,keyloggersAntivirusSymantecstopsSpam/PhishingAntispamJuniperIDPdetects/stopsWorms,Trojans,DoS(L4&L7),ScansIPSFirewall,VPN,UnifiedAccessControlCoreSecurityFirewall,VPN,UnifiedAccessControlSRXSeriesblockstransmissionoffilesforDataLossPreventionContentFilteringInternal

ThreatsExternal

ThreatsINTERNETJuniperIDPdetects/stopsWorms,Trojans,DoS(L4&L7),Scans第二十八頁，共五十一頁。JuniperNetworksUnified

AccessControl(UAC)UACAgentEXSeriesL2Switch802.1XSwitches&AccessPointsAPPLICATIONSJuniperFirewall

PlatformsPOLICYSERVERIdentityStoresICSeries1UACEnforcementPointsDataAppInternetNSSSGISG223ControlAccesstoProtectedResourcesDynamicallyProvisionPolicyEnforcementAuthenticateUser,Pro,DetermineLocationComprehensive,vendor-agnostic,standards-basedaccesscontrolacross

heterogeneousenvironmentsdeliveringinvestmentprotection1SRX第二十九頁，共五十一頁。SRX210RemoteAccessDynamicVPNService–

AccessManagerClientAdynamicIPSECClientthatisautomaticallydownloaded5-user,10-user,25-user,50-user(SRX240)licenseoptionwithsimultaneoustunnelenforcementSupportedontheSRX100*,

SRX210,andSRX240NotsupportedonSRX650AutomaticclientupgradecapabilitiesSelf-provisioningfromSRX210,SRX240IPSecwithTCP-basedfallbackforNATtraversalInitialreleasetosupportWindowsplatforms—XP,Vista,Win2000WiredWireless3GWirelessDynamicVPNServicesINTERNET*SupportedinJUNOS10.0第三十頁，共五十一頁。JuniperUnifiedManagementUnifiedmanagementacrossJuniper’snetworkinfrastructureNetworklifecyclemanagement—Provision,Monitor,andTroubleshootConsistentandOpenstandardsNBIforeasyintegrationwith

3rdpartyNMSEMSNMSVisibilityDiagnosticsSNMP,Syslog,XMLSNMP,SyslogNetConf,DMI,Syslog,SflowSecurityThreatResponseManagerNetwork&SecurityManager(NSM)JUNOScopeAdvancedInsightManagerNETWORKMANAGEMENT

ONEJUNOSCLI,JUNOScript

ONEJ-WebWebUIHTTP/

HTTPSXMLTelnet,

SSH,XMLSwitchingSecurityRoutingMXSeriesMSeriesISG/IDPSSLVPNInfranet

ControllerSRX5600第三十一頁，共五十一頁。NetworkandSecurityManagerAlongwithSRX,NSMManagesJuniper’sentireenterpriseportfolio*NSMisagreatwaytoportScreenOScustomersovertoaJUNOSsolutionandtohelpmanageamixedenvironmentCommonManagementalsooffers

hugeup-sellopportunity第三十二頁，共五十一頁。SecurityThreatResponseManagerSTRMsupportsSRXSeriesIntrusionPreventionSystem(IPS)220+out-of-theboxreporttemplatesFullycustomizablereportingengine:

creating,brandingandschedulingdeliveryofreportsCompliancereportingpackagesforPCI,SOX,FISMA,GLBA,andHIPAAReportsbasedoncontrolframeworks:NIST,ISOandCoBIT第三十三頁，共五十一頁。RapidDeploymentSimplifieddeployment-Eliminateneedfor-Pre-stagingdeviceITatpointofinstallationReduce-ProvisioningtimeInstallationcostNo“truckroll”AUniqueIDfortrackingpurposesUntrustInterfaceconfigurationConfigurationparameterstoenable“registration”ofdevicetomanagementserverUser/PasswordManagementServerIPAddress/DomainNameOnetimepassword1.GenerateandexportstartupconfigtoUSBNetworkandSecurity

ManagerUSBLoadsstartupconfigValidationofstartupconfigSecurecommunicationtoNSMSRX2105.Download

Running

Config6.SRXInService第三十四頁，共五十一頁。JuniperBranchProducts

SSG,SRX,andJSeriesProductsSSGFamilyFW,VPN,NAT,UACIPv6SecurityWireless(WLAN)UnifiedThreatManagementIntrusionPrevention:DIAntivirus—KasperskyWebfiltering—WebsenseAntispam—SymantecJSeriesFW,VPN,NAT,UACRouting,Switching,QOS,MPLSWX—ISM200ApplicationAccelerationVoIP—AvayaInteg.GwayUnifiedThreatManagementFullIDP—JuniperAntivirus—KasperskyWebfiltering—WebsenseAntispam—Symantec

SRXUnifiedThreatManagementFullIDP—JuniperAntivirus—KasperskyWebfiltering—WebsenseAntispam—Symantec

VoIPJuniperOpenCommunicationsPoweroverEthernetFW,VPN,NAT,UACSSG320MSSG5WirelessSSG20WirelessJ2320J2350SSG140SSG350MSSG520SSG520MJ6350SSG550SSG550MJ4350ScreenOSSRX100SRX210SRX240SRX650第三十五頁，共五十一頁。Juniper防火墻產(chǎn)品市場(chǎng)定位Juniper防火墻有著非常完整的產(chǎn)品線，能夠覆蓋從soho級(jí)到運(yùn)營(yíng)商核心級(jí)所有用戶的需求。SSG系列中低端防火墻針對(duì)中小型企業(yè)購(gòu)買成本及維護(hù)成本是首要的需求路由、安全功能Allinone統(tǒng)一的配置界面JuniperSSG系列產(chǎn)品具備無可比擬的優(yōu)勢(shì)購(gòu)買成本較低無需管理多臺(tái)設(shè)備性能可接受高端防火墻針對(duì)運(yùn)營(yíng)商及大型企業(yè)性能與穩(wěn)定性是用戶首要的需求防火墻不能因?yàn)殚_啟新業(yè)務(wù)成為網(wǎng)絡(luò)處理能力的瓶頸防火墻需具備高穩(wěn)定性，不能影響業(yè)務(wù)的正常開展JuniperISG/SRX3000/SRX5000的目標(biāo)客戶SRX產(chǎn)品系列的定位對(duì)當(dāng)前SSG/ISG產(chǎn)品線的補(bǔ)充完善SRX當(dāng)前主推的型號(hào)——SRX650、SRX3400、SRX3600、SRX5800第三十六頁，共五十一頁。SRX高端產(chǎn)品的競(jìng)爭(zhēng)優(yōu)勢(shì)性能SRX5000系列無與倫比的性能——單體吞吐量120Gbps靈活的配置——根據(jù)客戶需求靈活選擇SPC的數(shù)量，達(dá)到所需的性能硬件轉(zhuǎn)發(fā)與控制分離（路由引擎、SPC、NPC由獨(dú)立硬件處理，并可按需配置）交換矩陣，徹底擺脫現(xiàn)有防火墻通過總線進(jìn)行內(nèi)部數(shù)據(jù)交換的現(xiàn)狀，提供高性能的交換矩陣，真正無阻塞交換（SRX5000采用MX系列的交換矩陣；SRX3000系列采用SF16矩陣）接口數(shù)量總數(shù)多（SRX5800最大可支持240個(gè)GE，24個(gè)萬兆；SRX3600缺省有12個(gè)千兆口，總千兆接口100+，總?cè)f兆口12個(gè)）功能JUNOS的優(yōu)勢(shì)路由QoS配置回退完整的IDP功能（獨(dú)立硬件處理，多核處理器中獨(dú)立的core）基于硬件的DoS攻擊防護(hù)功能（Screen功能）基于策略的流量統(tǒng)計(jì)、基于策略的新建會(huì)話統(tǒng)計(jì)等第三十七頁，共五十一頁。為什么要賣SRX5800？實(shí)現(xiàn)競(jìng)爭(zhēng)對(duì)手無法做到容量和性能，滿足未來業(yè)務(wù)流量快速增長(zhǎng)SRX高端特有的技術(shù)優(yōu)勢(shì)，技術(shù)特色明顯如果能賣SRX5000，一般就賣SRX5800，不賣SRX5600，因?yàn)閮r(jià)格成本基本一樣SRX5800SRX5600第三十八頁，共五十一頁。為什么要賣SRX3400/3600？解決ISG2000和NS5200競(jìng)爭(zhēng)力不夠的問題，性價(jià)比好，技術(shù)特色明顯SRX3400價(jià)格與ISG2000相當(dāng)，接口配置相同時(shí)比ISG2000稍便宜。性能容量遠(yuǎn)在ISG2000之上，各項(xiàng)性能提高2~8倍SRX高端特有的技術(shù)優(yōu)勢(shì)，容易在競(jìng)爭(zhēng)中勝出SRX3400SRX3600第三十九頁，共五十一頁。為什么要賣SRX650？?jī)r(jià)格彌補(bǔ)了ISG1000與SSG550之間的空檔性能彌補(bǔ)了原來4G~10G之間的空擋很高的性價(jià)比，性能指標(biāo)遠(yuǎn)在ISG1000之上在接口密度高時(shí)，有更高的性價(jià)比可配置雙電源，競(jìng)爭(zhēng)有力武器外表好，個(gè)頭大，有面子SRX650ISG1000SSG550第四十頁，共五十一頁。推薦SRX高端產(chǎn)品時(shí)與客戶的話題防火墻的發(fā)展趨勢(shì)可按需擴(kuò)展的動(dòng)態(tài)可適應(yīng)型體系架構(gòu)高可靠性安全性與QoS第四十一頁，共五十一頁。42Softwarebasedfirewall(1994CheckPointFirewall-1)Softwarebasedrouter(1987CiscoAGS)ASICbasedfirewall(1999NetscreenNS-1000)Workstation+

routingdaemonWorkstation+software(1991DECSEAL)ASICbasedrouter(1998JuniperM40)“就像廣泛應(yīng)用于企業(yè)和服務(wù)提供商骨干網(wǎng)上的基于ASIC結(jié)構(gòu)的路由器/交換機(jī)競(jìng)爭(zhēng)一樣，安全領(lǐng)域同樣存在軟件和硬件產(chǎn)品之間的競(jìng)爭(zhēng)。任何關(guān)注高性能網(wǎng)絡(luò)安全的經(jīng)理們都應(yīng)當(dāng)備加關(guān)注于此?！?/p>

ByKevinTollyTollyResearch/TheTollyGroup總裁防火墻架構(gòu)演進(jìn)路線…NOW:

ASIC+MultiCore

routerMatrixNOW:

MultiCore+NP

SwitchFabricbased第四十二頁，共五十一頁。43路由器集成包過濾功能19891994第一臺(tái)商用軟件防火墻DECSEAL發(fā)布防火墻上集成用戶認(rèn)證功能防火墻集成NAT功能防火墻集成IPsecVPN防火墻集成虛擬系統(tǒng)1991199319992002防火墻功能演進(jìn)路線…防火墻集成IPS功能2002七層線速級(jí)能力2004UTM功能防火墻2006防火墻集成MPLS2008第四十三頁，共五十一頁。44GartnerNextGenerationFireWall(NGFW)Asamininum,anNGFWwillhavethefollowingattributes:Supportin-linebump-in-the-wireconfigurationwithoutdisruptingnetworkoperations.Actasaplatformfornetworktrafficinspectionandnetworksecurityenforcement,withthefollowingminimumfeatures:Standardfirst-generationfirewallcapabilities:Usepacketfiltering,network-addresstranslation(NAT),statefulprotocolinspection,VPNcapabilitiesandsoonIntegratedratherthanmerelycolocatednetworkintrusionprevention:Supportvulnerability-facingsignaturesandthreat-facingsignatures.TheIPSinteractionwiththefirewallshouldbegreaterthanthesumoftheparts,suchasprovidingasuggestedfirewallruletoblockanaddressthatiscontinuallyloadingtheIPSwithbadtraffic.Thisexamplifiesthat,intheNGFW,itisthefirewallcorrelatesratherthantheoperatorhavingtoderiveandimplementsolutionsacrossconsoles.HavinghighqualityintheintegratedIPSengineandsignaturesisprimarycharacteristic.IntegrationcanincludefeaturessuchasprovidingsuggestedblockingatthefirewallbasedonIPSinspectionofsitesonlyprovidingmalware.Applicationawarenessandfullstackvisibility:Identifyapplicationsandenforcenetworksecuritypolicyattheapplicationlayerindependentofportandprotocolversusonlyports,protocolsandservices.ExamplesincludetheabilitytoallowSkypeusebutdisablewithinSkypeortoalwaysblockGoToMyPC.Extrafirewallintelligence:Bringinformationfromsourcesoutsidefirewalltomakeimprovedblockingdecisions,orhaveanoptimizedblockingrulebase.Examplesincludeusingdirectoryintegrationtotieblockingtouseridentity,orhavingblacklistsandwhitelistsof