SOLUTION BROCHURE
Juniper Solutions for Managed Security Services
Enterprise Security Solution Overview
In today’s operating business environment, barely a day passes without news of a new exploit, virus, trojan, worm, or data or security breach. Additionally, the organizational footprint continues to expand, which poses further challenges. Many enterprises face a more distributed network architecture than ever before, with remote and satellite offices in global locations. With consultants, vendors, partners and guests accessing network resources, security has become a top-of-mind issue for both IT and business lines in the organization. External and internal vulnerabilities affect every business regardless of size and vertical. Maintaining an aggressive security posture while running a business presents major challenges even to large, well-funded organizations. As a result, organizations are increasingly outsourcing the management of their security to carriers and Managed Security Providers (MSPs).
When Juniper Networks® solutions for threat management and managed security technologies are offered together, they provide comprehensive and highly scalable security functionality that delivers exceptional value to MSPs and their customers. This functionality includes integrated security policy, network and device level management; virtualization of zones, routers, LANs and systems; and advanced access management and endpoint security.
Juniper products are well suited for deployment both “in the cloud” and in a Customer Premises Equipment (CPE) environment. Built-in logging and tracking capabilities simplify management and help the MSP provide customers with actionable data for both analysis and maintenance, as well as for record keeping to satisfy government and/or industry security regulations. Juniper’s managed security solutions for the enterprise include:
Branch Office Solution
This solution is anchored by a Juniper Networks SSG Series Secure Services Gateway, an integrated security and routing device that reduces IT expenses while providing advanced protection from worms, viruses, trojans and spyware. In addition, integrated intrusion prevention system technology provides protection against application layer attacks. Robust centralized administration simplifies policy management and facilitates deployment of thousands of devices.
Campus Solution
Deploying Juniper integrated firewall/VPN devices protects high-speed networks from network and application level attacks. These devices enable virtualization and secure zones that simplify network integration and deployment of internal security.
Extended Enterprise Solution
Devices from Juniper Networks enable secure remote access while combining clientless, granular access control with superior endpoint security.
Data Center Solution
Juniper Networks high-performance firewall/VPN products protect high-speed networks from network and application level attacks. Virtualization and secure zones simplify network integration and deployment of internal security. High Availability (HA) components effectively reduce the high cost of downtime.
Challenges
The enterprise threat landscape continues to evolve, with increasingly complex and malicious attacks being directed at the corporate network. Additionally, threats are emerging and spreading more quickly than ever, exploiting the growing number of possible points of attack. These newer points of vulnerability are caused by increased user mobility, remote locations, and the number of devices accessing the network. The continued rollout of new applications also poses incremental risks for new attacks. For enterprise customers, these problems require additional diligence on the part of IT groups to manage threats. Tasks such as ongoing research into threat trends, management of a complex spectrum of network devices and critical applications, and ensuring service-level agreements (SLAs), create a reactive environment in enterprise IT organizations that can overburden an already struggling IT staff. As a result, many organizations are turning to MSPs for a solution that can be rolled out quickly and is comprehensive, integrated and easy to manage.
Juniper Networks Solution Portfolio for Managed Enterprise Security
Both Juniper Networks SA Series SSL VPN Appliances and ISG Series Integrated Security Gateways provide best-in-class security, performance, reliability and ease of management. With robust and uniform management interfaces, Juniper products are ideal for integration into managed services offerings. Juniper’s true carrier-grade security and performance have been verified and are backed by independent third-party auditors, a claim unparalleled in the SSL VPN product category.
Juniper Networks Integrated Security devices are purpose-built to perform essential security functions. They are controlled by a security-specific, real-time operating system, Juniper Networks ScreenOS® and are optimized for maximum performance. This operating system has been designed from the ground up to perform security functions without incurring any additional overhead—overhead that often creates vulnerabilities in security products that rely on general-purpose operating systems. Juniper Networks SA Series SSL VPN Appliances provide security for all enterprise tasks with options for access control to protect the most sensitive applications and data. These products feature a user interface that guides administrators through the process of implementing a sweeping yet granular control over the users and groups authorized to access multiple levels of protected assets.
Managed Security Solution Components
Virtual Routers (VRs):
• VRs isolate and separate public and private IP addresses, support overlapping IP address space, and provide greater security than a shared router instance for both trusted and untrusted networks.
Stateful HA for Firewall and VPN:
• Stateful failover for firewall and VPN at remote sites is critical to continued business operations.
Traffic Management and Quality of Service (QoS):
• Prioritizes application-level traffic such as VoIP and optimizes bandwidth on a per-policy basis for specific applications and specific tunnels.
Integrated Antivirus Support:
• Integrated antivirus from Kaspersky, a best-in-class vendor, helps block viruses at the gateway. The optional file-based Kaspersky antivirus engine and database can stop viruses, spyware and adware from penetrating the network.
Integrated Anti-Spam Support:
• Spammers commonly spoof their addresses, so using a public domain offering as opposed to a best-in-class offering can provide a false sense of security. An optional anti-spam solution from Symantec (Brightmail) provides best-in-class gateway-based spam prevention.
Denial of Service (DoS) Protection:
• The best way to protect the network is via a layered security solution, using DoS protection that is applied per interface and configurable per zone.
Integrated Web Filtering:
• Flexible, best-in-class offerings provide optimum protection. An integrated Web filtering option with SurfControl, plus Websense redirect support, is available across the product line.
Juniper Networks security solutions provide small, mid-size and large enterprises with remote access, plus advanced partner/customer extranet features that facilitate secure business-to-business communications while providing protection from all manner of attacks.
Solution Planning, Implementation and Deployment
In today’s operating business environment, the network is a strategic asset that supports business processes. As a result, the network and the core business are tightly linked, with many of the IT and business challenges that organizations face being tightly linked as well.
Juniper Networks managed security solution elements that address today’s IT challenges include but are not limited to: security threats and vulnerabilities, VPN, IP/MPLS routing, remote access, extranets, IP telephony, application acceleration and data center optimization technologies.
Additionally, Juniper addresses key business challenges by offering solutions that address: business continuity, branch office optimization, converged enterprise and branch office connectivity and secure business infrastructure.
Perimeter Defense Begins with Network-Level Protection
To protect against network-level attacks, Juniper Networks devices use a dynamic packet filtering method known as stateful inspection to unmask malicious traffic. With this method, firewalls collect information on various components in a packet header, including source and destination IP addresses, source and destination port numbers, and packet sequence numbers. When a responding packet arrives, the firewall will compare the information reported in its header with the state of its associated session. If they do not match, the packet is dropped.
Stateful inspection provides more security than other firewall technologies (such as stateless packet filtering) because it opens only narrow “pinholes” through which permitted traffic can pass. By default, the Juniper Networks firewall denies all traffic in all directions. Then, by using centralized policy-based management, enterprises can create security policies that define the parameters of traffic flow permitted to pass from specified sources to specified destinations.
Secure, reliable WAN connectivity also plays an important role in network-level protection. By deploying robust VPNs, remote sites can be securely connected to other remote sites, and to centralized data and applications using high-bandwidth shared media such as the Internet. Juniper Networks ScreenOS features such as Auto Connect VPN can help ease the administration and management of VPNs, particularly in hub-and-spoke topologies, allowing secure connections to be automatically set up and taken down without manual configuration.
[Figure: requirements addressed by the solution. For the Business: business speed and responsiveness, business flexibility, business safety, performance at scale. For IT: open systems, flexibility, operational risk mitigation.]
Virtualization Boosts Security by Dividing the Network into Multiple Network Segments
Virtualization technologies in Juniper Networks integrated firewall/IPsec VPN security solutions enable users to segment their network into many separate compartments, or to further divide the network into distinct, secure segments with their own firewalls and separate security policies. Juniper’s firewall/VPN devices support the following virtualization technologies:
• Security Zones: Supported on every product, security zones represent virtual sections of the network, segmented into logical areas. Security zones can be assigned to a physical interface or, on the larger devices, to a virtual system. When assigned to a virtual system, multiple zones can share a single physical interface, lowering ownership costs by effectively increasing interface densities.
• Virtual Systems (VSYS): Available on the Juniper Networks NetScreen Series Security Systems, virtual systems are an additional level of partitioning that creates multiple independent virtual environments, each with its own set of users, firewalls, VPNs, security policies and management interfaces. By providing administrators with the ability to quickly segment networks into multiple secure environments managed through a single device, VSYS enables network operators to build multi-customer solutions with fewer physical firewalls and reduced administrative attention. This reduces both capital and operational expenses.
• Virtual Routers: Supported on all products, virtual routers enable administrators to partition a single device so that it functions like multiple physical routers. Each VR can support its own domains, ensuring that no routing information is exchanged with domains established on other VRs. This enables a single device to support multiple customer environments, lowering total cost of ownership.
• VLANs: Supported on all SSG platforms, VLANs are a logical, not physical, division of a network that enables administrators to identify and segment traffic at a very granular level. Security policies can specify the way traffic should be routed from each VLAN to a security zone, virtual system or physical interface. This makes it easy for administrators to identify and organize traffic from multiple departments and define what resources each can access.
Comprehensive High Availability Solutions Ensure Uptime
A security system is only as good as its reliability and uptime. Juniper Networks security solutions include reliable, HA systems based on the NetScreen Redundancy Protocol (NSRP). Firewalls and VPNs can be synchronized between HA pairs to provide sub-second failover to a backup device. Configuration options include:
• Active/Passive: The master device shares all network, configuration, and current session information with the backup so that, in the event of a failure, the backup can take over seamlessly. Juniper Networks Network and Security Manager provides centralized, policy-based control.
• Active/Active: Both devices are active, sharing an approximately equal amount of the load. If one fails, the other unit takes over to maintain traffic flow and security.
• Active/Active/Full Mesh: Both devices are configured to be active, with traffic flowing through each. Should one device fail, the other device becomes the master and continues to handle 100 percent of the traffic. The redundant physical paths provide maximum resiliency and uptime.
Device Integration Made Easy
Networks are never static. Potentially costly and time-consuming changes and additions occur all the time. When the network topology changes, or as new offices, business partners and customers are added to the network, network interoperability becomes especially important. To simplify network integration and help minimize administrative effort when changes are required, Juniper Networks integrated security solutions can operate in three different modes:
Transparent mode affords the simplest way to add security to the network. In transparent mode, organizations can deploy a Juniper Networks firewall/VPN appliance without making any other changes to the network, since firewall, VPN and DoS mitigation functions all work without an IP address, making the device “invisible” to the user. Route mode enables the security device to actively participate in network routing by supporting both static and dynamic routing protocols, including BGP, OSPF, RIPv1, RIPv2, and equal-cost multipath (ECMP). Route mode enables administrators to quickly deploy multilayer security solutions with a minimum of manual configuration.
Network Address Translation (NAT) mode automatically translates an IP address or a group of IP addresses to a single address to hide an organization’s private addresses from public view.
Juniper Networks integrated security devices support both static and dynamic address assignment through Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE), enabling Juniper solutions to operate in any network environment.
For Low-Cost Rapid Deployment, Drop Ship Devices, Not Administrators
To avoid the high cost of sending administrators to configure systems at remote sites, Juniper Networks integrated security devices can be installed by non-technical users. With the Network and Security Manager Rapid Deployment functionality, network administrators do not need to pre-configure the devices or handle them in any way. At the remote site, the new device simply needs to be cabled up and loaded with a small configuration file, which a central administrator has either emailed or sent on CD to the remote location. The initial configuration file establishes a secure connection to Network and Security Manager which then pushes the complete configuration files to the new device.
Controlling Access to Known Malware and Phishing Web Sites
Employees who access inappropriate Web sites from the corporate network risk bringing malicious software into the organization. Worse, their errors in judgment could also expose the company to litigation for not having adequate controls in place. Juniper Networks integrated security devices are the ideal solution to help organizations devise and enforce responsible Web usage policies. Two approaches are available: external and integrated Web filtering. External Web filtering, available on all Juniper Networks firewall and VPN devices, redirects traffic from the device to a dedicated SurfControl or Websense Web filtering server for enforcement of the organization’s policies. Integrated Web filtering, available on Juniper Networks SSG Series Secure Services Gateways and
Maintained by SurfControl, a Juniper Networks security alliance partner, the database lists more than 13 million URLs organized into more than 54 categories of potentially problematic content. Customers can rapidly deploy integrated or external Web filtering using default configurations based on the SurfControl database. Web filtering profiles can be customized by using black lists or white lists, plus a number of predefined and user-defined categories.
Coordinated Threat Control
The increased need for remote access by the extended enterprise comprised of employees, partners and customers must be balanced with steps to ensure valuable resources and assets are protected from intentional or unintentional attacks. Granular access capabilities and endpoint security technologies provide the ability for IT to control access to applications and resources. A common way of adding security to a remote access deployment is to utilize intrusion prevention system technologies. However, deploying this technology behind SSL VPN can be limiting. When malicious traffic is detected, it can be difficult to correlate the malicious tunneled traffic to a specific user, and sometimes impossible to identify a user with both encrypted and non-encrypted traffic. However, the identification of the user and the source of the malicious traffic are key to maintaining a secure network for the extended enterprise. Valid users whose remote access device may have been compromised must be notified and directed to “clean” their device of any malware. Malicious users, on the other hand, must have their access blocked to prevent further network attacks. Containment and restricting any further access is imperative to safeguard all resources. The challenge is for enterprises to secure and assure each and every session, so that they can deliver high end user productivity while protecting information assets.
[Figure 1: Juniper’s Solutions for … Topology diagram showing a headquarters office, remote sales office, VoIP pilot with voice gateway, manufacturing plant, standalone office, retail site, small and large regional offices and a data center connected over the Internet and a private WAN, using M Series, SSG Series, J Series, ISG Series/IDP Series, SA Series, IC Series and WX Series/WXC Series devices.]
Juniper’s coordinated threat control technology enables the SA Series SSL VPN Appliances and the Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to tie the SSL VPN session identity with the threat detection capabilities of an intrusion prevention system to effectively identify, stop and remediate both network and application-level threats within remote access traffic. With this technology, when the IDP Series appliance detects a threat or any traffic that breaks an administrator-configured rule, it signals the SA Series SSL VPN Appliance. The SA Series appliance uses the information from the IDP Series appliance to identify the user session that is the source of the undesired traffic, and to stop the threat.
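The correlation step of the workflow just described, as an added example that is constructed for this page and is not Juniper’s IDP Series or SA Series code or signalling protocol: an IPS alert carrying only the tunnel-side source address is mapped back to the authenticated SSL VPN session, and the gateway then quarantines (the “clean your device” path) or terminates (the blocking path) that user’s session. Session records, alert line format, severity levels and role names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed illustration, not Juniper code: the correlation step of the
# coordinated threat control workflow described above. An IPS alert carries
# only the tunnel-side source address; the SSL VPN gateway maps it back to
# the authenticated user session so the response targets the user, not an
# anonymous address. Sessions, alert lines and actions are sample data.

@dataclass
class VpnSession:
    session_id: str
    user: str
    tunnel_ip: str          # address assigned to the client inside the tunnel
    role: str               # e.g. "employee" or "partner"
    state: str = "active"   # active / quarantined / terminated

@dataclass(frozen=True)
class IdpAlert:
    src_ip: str
    severity: str           # "high" or "medium"
    signature: str

class SslVpnGateway:
    def __init__(self, sessions: List[VpnSession]) -> None:
        self.by_ip: Dict[str, VpnSession] = {s.tunnel_ip: s for s in sessions}
        self.audit: List[str] = []   # record of every decision, for the MSP's logs

    def find_session(self, src_ip: str) -> Optional[VpnSession]:
        return self.by_ip.get(src_ip)

    def handle_alert(self, alert: IdpAlert) -> str:
        sess = self.find_session(alert.src_ip)
        if sess is None or sess.state == "terminated":
            # Nothing to act on, but the event is still worth recording.
            self.audit.append(f"unmatched alert from {alert.src_ip}: {alert.signature}")
            return "unmatched"
        if alert.severity == "high":
            # Block the session: the endpoint is compromised or the user is malicious.
            sess.state = "terminated"
            action = "terminate"
        else:
            # Keep the user connected but restricted, and direct them to clean the device.
            sess.state = "quarantined"
            action = "quarantine"
        self.audit.append(f"{action} session {sess.session_id} user={sess.user} "
                          f"role={sess.role} sig={alert.signature}")
        return action

def parse_alert(line: str) -> IdpAlert:
    """Parse a constructed alert line of the form 'src=<ip> sev=<level> sig=<name>'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return IdpAlert(fields["src"], fields["sev"], fields["sig"])

def run_example() -> List[str]:
    """Feed constructed alerts to a gateway with two live sessions; return the actions."""
    gw = SslVpnGateway([
        VpnSession("s1", "alice", "10.200.0.11", "employee"),
        VpnSession("s2", "partner-bob", "10.200.0.12", "partner"),
    ])
    alerts = [
        "src=10.200.0.12 sev=high sig=sql-injection-attempt",
        "src=10.200.0.11 sev=medium sig=worm-scan-behaviour",
        "src=10.200.0.99 sev=high sig=exploit-attempt",      # no session owns this address
        "src=10.200.0.12 sev=medium sig=port-scan",          # session already terminated
    ]
    return [gw.handle_alert(parse_alert(line)) for line in alerts]
```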
Rapid Deployment of New Services
Juniper solutions for threat management ensure that all solution elements and platforms work in concert to deliver the required functionality. Consequently, services can be brought online quickly, rather than having to wait for deployment, testing and fine tuning. Another component of rapid deployment is the built-in flexibility that allows for customizing the solution to specific customer environments.
For new security product purchases, the MSP can provide a pre-configuration service that stages the device based on the customer’s needs prior to shipment. Once the device arrives at the customer’s location, they can work with the MSP to complete the installation, which generally requires only that the customer mount the unit as desired and attach all necessary power and network cabling.
As new devices are brought online in the customer’s environment, they are automatically brought under the protection umbrella afforded by the MSP. Noncompliant or unsecured devices can be automatically identified and remediation efforts initiated, ensuring that network security is not compromised and critical SLA requirements are not adversely affected as new devices are brought into compliance.
Increased Operational Efficiencies and Cost Reduction
One of the biggest benefits of managed services is reduced cost of ownership and management through scalability and built-in reliability of the solution. This is accomplished through solution elements and products that comprise the solution’s architecture—integrated and purpose-built firewall/VPN appliances, seamless failover, multi-site clustering and component level redundancy. Furthermore, to avoid the high cost of sending administrators to configure systems at remote sites, Juniper Networks integrated security devices can be installed by non-technical users and then managed by an MSP through its operations center, giving users access to insights into early-warning threat detection and intelligence information so that they can refine and deploy their organizations’ governance policies and more.
Managed Security Services Functionality (Sample List)
Integrated security policy, network and device level management: Security management must be consistent and straightforward. Using two applications to manage a single device is cumbersome and can lead to configuration errors. Integrated security management consists of firewall, VPN, NAT and traffic management security policy, plus network and device level management and monitoring.
• Security zone architecture: Segmenting the network in a logical, easy-to-configure-and-manage manner is critical for protecting internal resources from attacks and/or unauthorized use or access. Security zones provide the ability to enforce security via logical group functions such as marketing or finance, as opposed to specific IP subnets or addresses.
• Deployment modes: Seamless deployment in existing networks is facilitated by adding full security functionality without a network address change at install, supporting multiple deployment modes: NAT, route and transparent.
• LAN and WAN connectivity: Customers want the ability to extend their investment protection as they move toward next-generation networks (broadband, metro Ethernet). LAN and WAN I/O options (SSG500 line only) plus supporting protocols and encapsulations provide unmatched connectivity flexibility in the mid-range market.
• Dynamic routing protocol support: A common deployment is to use OSPF for internal networks and BGP for external connections, although most competitors do not support this. Support for RIP, OSPF and BGP eases integration of security into existing networks and makes it easier to support dynamically routed VPNs.
• Dynamic route-based VPN: Outlying offices need maximum reliability at all levels—device as well as link layer. Dynamic route-based VPNs provide this level of resiliency. With multiple VPN tunnels defined to a given location, routing protocols ensure that the optimal tunnel is used for traffic dynamically.
Feature and Benefit
Firewall
• Protection from network and application layer attacks while maximizing performance
• Virtualization and secure zones to segment the network into secure domains, each with their own security policies for protection from malicious users
VPN
• Complete line of firewall/VPN solutions ranging from the small branch office to high-speed data center environments
Secure Access
• Delivers Juniper’s industry-leading SSL VPN features, including Secure Virtualization, Access Privilege Management, Host Check, Monitoring and Reporting
• Works with multi-factor authentication and integrates with most Authentication, Authorization and Accounting (AAA) solutions, offering rich audit logs
• Number 1 in market share, Gartner Magic Quadrant, Forrester Wave, and numerous other awards—customers deploy with confidence
Managed Security Services
• Integrated security intelligence that keeps organizations ahead of the threat
• Provides MSPs with the technology that helps enterprises save up to 55 percent over in-house security costs and helps them comply with regulatory requirements
Solution Components Beyond Security
While this solution brief has focused on Juniper’s security solutions for managed services, there are also solutions that address, but are not limited to:
• Business Continuity—fostering robust business continuity practices and networking with secure any time, anywhere access to corporate applications
• Branch Office Optimization—centralizing enterprise applications such as ERP and CRM while delivering a high-level user experience to remote locations
• Converged Enterprise and Branch Connectivity—delivering cost reduction, flexibility and enhanced productivity through converged applications via consistent service and low latency IP/MPLS transport
• Secure Business Infrastructure—Layers 2 through 7 comprehensive security and connectivity, end-to-end
Summary: Conquering Today’s Enterprise Threats
Today’s enterprises are not only faced with often highly competitive environments, but they are also faced with a highly volatile and fluid set of security threats. While addressing these security threats does not contribute to the bottom line, ignoring them can affect the long-term survivability of the organization. As a result, enterprises look to their carrier and MSP for comprehensive security solutions that meet their needs while offloading much of the management and SLA concerns.
Concurrently, MSPs are faced with the challenge of offering solutions that solve the security challenges organizations face. With a fully integrated solution that can be easily managed from one user interface, Juniper’s solutions scale to the largest and most distributed topologies. By solving both IT and business challenges, enterprises are truly secured against today’s and tomorrow’s business threats, and MSPs can offer differentiated solutions that help them retain customers.
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.
Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.