Datasheet
Juniper Networks ISG Series
ISG 1000
The Juniper Networks Integrated Security Gateways (ISG) are purpose-built security solutions that
leverage a fourth generation security ASIC, the GigaScreen2, along with high speed microprocessors
to deliver unmatched firewall and VPN performance. The Juniper Networks ISG 1000 and ISG 2000
are ideally suited for securing enterprise, carrier and data center environments where advanced
applications such as VoIP and streaming media dictate consistent, scalable performance. Integrating
best-in-class Deep Inspection firewall, VPN and DoS solutions, the ISG 1000 and ISG 2000 enable
secure, reliable connectivity along with network and application-level protection for critical, high-traffic network segments.
The ISG Series can be upgraded to support integrated Intrusion Detection and Prevention (IDP)
to provide robust network and application layer protection against current and emerging threats.
Leveraging the same software as found on Juniper Networks’ IDP platforms, but integrated into
ScreenOS, the ISG Series provides a combination of best in class firewall, VPN, and IDP in a single
solution. Dedicated processing modules, called security modules, supply the processing
needed to ensure multi-gigabit firewall, VPN, and IDP performance. With unmatched security processing
power and network segmentation features, the ISG Series can be deployed to protect perimeter
deployments as well as internal networks.
ISG 1000:
The ISG 1000 is a fully integrated FW/VPN/IDP system with gigabit performance, a modular
architecture and rich virtualization capabilities. The base FW/VPN system comes with four fixed
10/100/1000 interfaces and two additional I/O modules for interface expansion. The ISG 1000
also supports two security modules for IDP integration.
ISG 2000:
The ISG 2000 is a fully integrated FW/VPN/IDP system with multi-gigabit performance, a modular
architecture and rich virtualization capabilities. The base FW/VPN system allows for up to four I/O
modules and three security modules for IDP integration.
The Juniper Networks Integrated Security Gateway features include:
Security:
Use the Stateful and Deep Inspection firewall, DoS protection and
optional integrated IDP to prevent network and application level attacks
and defend against the propagation of worms, Trojans, malware,
spyware, hackers and a broad set of other attacks. Please refer to the
ISG Series with IDP datasheet for more information on this option.
Network friendly:
Support for key routing protocols, such as OSPF, RIPv2, and BGP, along
with transparent Layer 2 operation, NAT and Route mode help facilitate
network integration. To satisfy complex internal network segmentation
demands dictated by various government regulations such as Sarbanes-Oxley and GLBA, the ISG Series delivers the most advanced set of
network segmentation features including Virtual Systems, Security
Zones, Virtual Routers and VLANs.
Resiliency:
Hardware component redundancy, multiple high availability options
and route-based VPNs provide the reliability required for high speed
network security deployments.
Interface flexibility:
Almost every network deployment can be met with a wide variety of
copper and fiber interface options.
Maximum Performance and Capacity(1) | ISG 1000(1) | ISG 2000(1)
ScreenOS version support | ScreenOS 5.0 | ScreenOS 5.2
Firewall performance | 1 Gbps | 2 Gbps
3DES performance | 1 Gbps | 1 Gbps
Concurrent sessions | 250,000 | 512,000
New sessions/second | 20,000 | 29,000
Policies | 10,000 | 30,000
Interfaces | 4 fixed 10/100/1000 ports, up to 4 mini GBIC (SX or LX), up to 8 10/100/1000, up to 20 10/100 | Up to 8 Mini GBIC (SX or LX), up to 8 10/100/1000, up to 28 10/100

Mode of Operation | ISG 1000(1) | ISG 2000(1)
Layer 2 mode (transparent mode)(2) | Yes | Yes
Layer 3 mode (route and/or NAT mode) | Yes | Yes
NAT (Network Address Translation) | Yes | Yes
PAT (Port Address Translation) | Yes | Yes
Policy-based NAT | Yes | Yes
Mapped IP | 4,096(3) | 8,192(3)
Virtual IP | 8(4) | 8(4)
Users supported | Unrestricted | Unrestricted
Firewall | ISG 1000(1) | ISG 2000(1)
Number of network attacks detected | 31 | 31
Network attack detection | Yes | Yes
DoS and DDoS protections | Yes | Yes
TCP reassembly for fragmented packet protection | Yes | Yes
Malformed packet protections | Yes | Yes
Deep Inspection firewall(5) | Yes | Yes
Stateful protocol signatures | Yes | Yes
Deep Inspection Protocols supported | HTTP, FTP, SMTP, POP3, IMAP, DNS | HTTP, FTP, SMTP, POP3, IMAP, DNS, NetBIOS/SMB, MS-RPC, P2P, IM
Number of applications attacks detected w/DI | over 280 | over 650
Brute force attack mitigation | Future | Yes
CPU protection | Future | Yes
DI attack pattern obfuscation | Future | Yes
Syn cookie protection | Future | Yes
Zone-based IP spoofing | Future | Yes
URL filtering (external) | Yes (Websense, SurfControl)
VPN
Concurrent VPN tunnels Tunnel interfaces
DES (56-bit), 3DES (168-bit) and
AES encryption
MD-5 and SHA-1 authentication
Manual Key, IKE, PKI (X.509)
Perfect forward secrecy (DH Groups)
Prevent replay attack Remote access VPN
L2TP within IPSec
IPSec NAT traversal
Redundant VPN gateways
Firewall and VPN User Authentication
Built-in (internal) database - user limit
3rd Party user authentication
XAUTH VPN authentication
Web-based authentication
System Management
WebUI (HTTP and HTTPS)
Command Line Interface (console)
Command Line Interface (telnet)
Command Line Interface (SSH)
NetScreen-Security Manager
All management via VPN tunnel on
any interface
SNMP full custom MIB
Rapid deployment
Logging/Monitoring
Syslog (multiple servers)
E-mail (2 addresses)
NetIQ WebTrends
SNMP (v2)
Traceroute
VPN tunnel monitor
Virtualization
Maximum number of Virtual Systems
Maximum number of security zones
Maximum number of virtual routers
Number of VLANs supported
ISG 1000(1)
ISG 2000(1)
2,000(3)
Up to 512(3)
10,000(3)
Up to 1,024(3)
Yes
Yes
Yes
1,2,5
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
1,2,5
Yes
Yes
Yes
Yes
Yes
5,000(3) 15,000(3)
RADIUS, RSA SecurID, and LDAP
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes, v1.5 and v2.0 compatible
Yes
Yes
Yes
Yes
No
Yes
Yes
No
External, up to 4 servers
Yes
Yes
External
External
Yes
Yes
Yes
Yes
Yes
Yes
0 default, upgradeable 0 default, upgradeable
to 50(6)
to 10(6)
20 default, upgradeable 26 default, upgradeable
to 126(6)
to 40(6)
3 default, upgradeable 3 default, upgradeable
to 53(6)
to 13(6)
250
500
Routing | ISG 1000(1) | ISG 2000(1)
OSPF/BGP dynamic routing | up to 8 instances each(3) | up to 8 instances each(3)
RIPv1, RIPv2 dynamic routing | up to 12 instances supported(3) | Up to 50 instances supported(3)
BGP dynamic routing | 64 instances, 128 peers | 64 instances, 128 peers
Static routes | 10,000 | 20,000
Source-based routing | Yes | Yes
ECMP flow based routing | Yes | Yes
High Availability (HA) | ISG 1000(1) | ISG 2000(1)
Active/Active | Yes | Yes
Active/Passive | Yes | Yes
Redundant interfaces | Yes | Yes
Configuration synchronization | Yes | Yes
Session synchronization for firewall and VPN | Yes | Yes
Session failover for routing change | Yes | Yes
Device failure detection | Yes | Yes
Link failure detection | Yes | Yes
Authentication for new HA members | Yes | Yes
Encryption of HA traffic | Yes | Yes
VoIP
H.323 ALG
SIP ALG
NAT for H.323/SIP
Yes
Yes
no
Yes
Yes
Yes
Yes
Yes, No
Yes
Yes
Yes
No, No
No
Yes
IP Address Assignment
Static
DHCP, PPPoE client
Internal DHCP server
DHCP relay
PKI Support | ISG 1000(1) | ISG 2000(1)
PKI Certificate requests (PKCS 7 and PKCS 10) | Yes | Yes
Automated certificate enrollment (SCEP) | Yes | Yes
Online Certificate Status Protocol (OCSP) | Yes | Yes
Certificate Authorities Supported | Verisign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DOD PKI
Administration | ISG 1000(1) | ISG 2000(1)
Local administrators database | 20 | 20
External administrator database | RADIUS/LDAP/SecurID
Restricted administrative networks | 6 | 6
Root Admin, Admin, and Read Only user levels | Yes | Yes
Software upgrades | TFTP/WebUI/NSM
Configuration Roll-back | Yes
ISG 1000(1)
Traffic Management
Guaranteed bandwidth
Maximum bandwidth
Priority-bandwidth utilization
DiffServ stamp
No No
Yes, per physical interface only
No
No
Yes, per policy
Yes, per policy
External Flash | ISG 1000(1) | ISG 2000(1)
CompactFlash™ | Supports 128 or 512 MB Industrial-Grade SanDisk
Event logs and alarms | Yes | Yes
System config script | Yes | Yes
NetScreen ScreenOS Software | Yes | Yes
Dimensions and Power | ISG 1000(1) | ISG 2000(1)
Dimensions (H/W/L) | 5.25/17.5/17.258 inches | 5.25/17.5/23 inches
Weight | 30 lbs. | 52 lbs.
Rack mountable | 19” standard, 23” optional | 19” standard, 23” optional
Power Supply (AC) | 100 to 240 VAC, 250 watts | 100 to 240 VAC, 250 watts
Power Supply (DC) | -36 to -72 VDC, 250 watts | -36 to -60 VDC, 250 watts
Redundant Power Supply | No (single, field replaceable) | Yes (dual, hot swappable)
Certifications | ISG 1000(1) | ISG 2000(1)
Safety Certifications | UL, CUL, CSA, CB | UL, CUL, CSA, CB
EMC Certifications | FCC class A, CE class A, C-Tick, VCCI class A | FCC class A, CE class A, C-Tick, VCCI class A
Environment | ISG 1000(1) | ISG 2000(1)
Operational temperature | 32° to 122° F, 0° to 50° C | 32° to 122° F, 0° to 50° C
Non-operational temperature | -4° to 158° F, -20° to 70° C | -4° to 158° F, -20° to 70° C
Humidity | 10 to 90% non-condensing | 10 to 90% non-condensing
MTBF (Bellcore model) | 7.6 years | 7.6 years
Other | NEBS Level 3 | NEBS Level 3
Security | No | Pending
(1) Performance, capacity and features listed are based upon measured maximums under ideal testing conditions. Performance may vary
with other ScreenOS releases and by deployment. Actual throughput may vary based upon packet size and enabled features.
(2) NAT, PAT, policy based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2,
Active/Active HA, and IP address assignment are not available in layer 2 transparent mode.
(3) Shared among all Virtual Systems.
(4) Not available with Virtual Systems.
(5) Deep Inspection is automatically disabled when integrated IDP is installed.
(6) Additional license required.
Ordering Information
Licensing Options: The ISG 1000 and ISG 2000 are available with two licensing options
to provide two different levels of functionality and capacity.
• Advanced Models: The Advanced software license provides all of the features and
capacities listed within this spec sheet.
• Baseline Models: The Baseline software license provides an entry-level solution for
customer environments where features such as Deep Inspection™, OSPF and BGP
dynamic routing, advanced High Availability, and full capacity are not critical requirements.
The following table shows the features and capacities that differ between the
Baseline and Advanced models:
Feature | Baseline ISG 1000 | Baseline ISG 2000 | Advanced ISG 1000 | Advanced ISG 2000
Sessions | 125,000 | 256,000 | 250,000 | 512,000
Concurrent VPN tunnels | 1,000 | 1,000 | 2,000 | 10,000
Deep Inspection Firewall | No | No | Yes | Yes
VLANs | 50 | 100 | 250 | 500
OSPF/BGP | No | No | Yes | Yes
High Availability (HA) | A/P | A/P | A/A | A/A
Integrated IDP | No | No | Optional Upgrade | Optional Upgrade
Product | Part Number

ISG 1000 Systems
NS-ISG-1000 System (inc AC power supply, No I/O cards) | NS-ISG-1000
NS-ISG-1000 System (inc DC power supply, No I/O cards) | NS-ISG-1000-DC
NS-ISG-1000 Baseline System (inc AC power supply, No I/O cards) | NS-ISG-1000B
NS-ISG-1000 Baseline System (inc DC power supply, No I/O cards) | NS-ISG-1000B-DC

ISG 2000 Systems
NS-ISG-2000 System (inc AC power supplies, No I/O cards) | NS-ISG-2000
NS-ISG-2000 System (inc DC power supplies, No I/O cards) | NS-ISG-2000-DC
NS-ISG-2000 Baseline System (inc AC power supplies, No I/O cards) | NS-ISG-2000B
NS-ISG-2000 Baseline System (inc DC power supplies, No I/O cards) | NS-ISG-2000B-DC

Integrated IDP Upgrades
Security module for IDP on ISG 1000 and ISG 2000 systems | NS-ISG-SEC
IDP Upgrade Kit for ISG 1000 system, including IDP Lic Key, additional memory, and 5-device NSM | NS-ISG-1000-IKT
IDP Upgrade Kit for ISG 2000 system, including IDP Lic Key, additional memory, and 5-device NSM | NS-ISG-2000-IKT

ISG 1000 and ISG 2000 I/O Modules
I/O Module - Dual Port Mini GBIC-SX | NS-ISG-SX2
I/O Module - Dual Port Mini GBIC-LX | NS-ISG-LX2
I/O Module - 4 Port 10/100 Fast Ethernet | NS-ISG-FE4
I/O Module - 8 Port 10/100 Fast Ethernet | NS-ISG-FE8
I/O Module - Dual Port 10/100/1000 Gig Ethernet | NS-ISG-TX2

ISG 1000 Software Options
VSYS Upgrade 0 to 5 | NS-ISG-1000-VSYS-5
VSYS Upgrade 5 to 10 | NS-ISG-1000-VSYS-10

ISG 2000 Software Options
VSYS Upgrade 0 to 5 | NS-ISG-2000-VSYS-5
VSYS Upgrade 5 to 25 | NS-ISG-2000-VSYS-25
VSYS Upgrade 25 to 50 | NS-ISG-2000-VSYS-50
VSYS Upgrade 0 to 25 | NS-ISG-2000-VSYS-025
VSYS Upgrade 0 to 50 | NS-ISG-2000-VSYS-050

ISG 1000 and ISG 2000 Spares
SX transceiver (mini-GBIC) | NS-SYS-GBIC-MSX
LX transceiver (mini-GBIC) | NS-SYS-GBIC-MLX
ISG 1000 AC power supply | NS-ISG-1000-PWR-AC
ISG 1000 DC power supply | NS-ISG-1000-PWR-DC
ISG 2000 AC power supply | NS-ISG-2000-PWR-AC2
ISG 2000 DC power supply | NS-ISG-2000-PWR-DC2
Japan power cord option | NS-ISG-2000-JAPAN
Fan module | NS-ISG-FAN
Rack Mount Kit (19 in., all mounting hardware) | NS-ISG-2000-RCK-01
Rack Mount Kit (23 in., all mounting hardware) | NS-ISG-2000-RCK-02
Blank Interface Panel | NS-ISG-IPAN2
ISG 2000 Blank Power Supply Cover | NS-ISG-2000-PPAN2
Every Virtual System includes 1 additional virtual router and 2 additional security zones,
usable in the virtual or root system
CORPORATE HEADQUARTERS
AND SALES HEADQUARTERS
FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888-JUNIPER (888-586-4737)
or 408-745-2000
Fax: 408-745-2100
www.juniper.net
110036-006 Oct 2005
EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978-589-5800
Fax: 978-589-0800
ASIA PACIFIC REGIONAL
SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd.
Suite 2507-11, Asia Pacific Finance Tower
Citibank Plaza, 3 Garden Road
Central, Hong Kong
Phone: 852-2332-3636
Fax: 852-2574-7803
EUROPE, MIDDLE EAST, AFRICA
REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited
Juniper House
Guildford Road
Leatherhead
Surrey, KT22 9JH, U.K.
Phone: 44(0)-1372-385500
Fax: 44(0)-1372-385501
Copyright 2005, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of
Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered
service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change
without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information
in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.