Datasheet
Juniper Networks ISG Series: ISG 1000, ISG 2000

The Juniper Networks Integrated Security Gateways (ISG) are purpose-built security solutions that leverage a fourth generation security ASIC, the GigaScreen2, along with high speed microprocessors to deliver unmatched firewall and VPN performance. The Juniper Networks ISG 1000 and ISG 2000 are ideally suited for securing enterprise, carrier and data center environments where advanced applications such as VoIP and streaming media dictate consistent, scalable performance. Integrating best-in-class Deep Inspection firewall, VPN and DoS solutions, the ISG 1000 and ISG 2000 enable secure, reliable connectivity along with network and application-level protection for critical, high-traffic network segments.

The ISG Series can be upgraded to support integrated Intrusion Detection and Prevention (IDP) to provide robust network and application layer protection against current and emerging threats. Leveraging the same software as found on Juniper Networks’ IDP platforms, but integrated into ScreenOS, the ISG Series provides a combination of best in class firewall, VPN, and IDP in a single solution. Plus, with dedicated processing modules called security modules, dedicated processing is provided to ensure multi-gigabit firewall, VPN, and IDP. With unmatched security processing power and network segmentation features, the ISG Series can be deployed to protect perimeter deployments as well as internal networks.

ISG 1000: The ISG 1000 is a fully integrated FW/VPN/IDP system with gigabit performance, a modular architecture and rich virtualization capabilities. The base FW/VPN system comes with four fixed 10/100/1000 interfaces and two additional I/O modules for interface expansion. The ISG 1000 also supports two security modules for IDP integration.

ISG 2000: The ISG 2000 is a fully integrated FW/VPN/IDP system with multi-gigabit performance, a modular architecture and rich virtualization capabilities. The base FW/VPN system allows for up to four I/O modules and three security modules for IDP integration.

The Juniper Networks Integrated Security Gateway features include:
• Security: Use the Stateful and Deep Inspection firewall, DoS protection and optional integrated IDP to prevent network and application level attacks and defend against the propagation of worms, Trojans, malware, spyware, hackers and a broad set of other attacks. Please refer to the ISG Series with IDP datasheet for more information on this option.
• Network friendly: Support for key routing protocols, such as OSPF, RIPv2, and BGP, along with transparent Layer 2 operation, NAT and Route mode help facilitate network integration. To satisfy complex internal network segmentation demands dictated by various government regulations such as Sarbanes-Oxley and GLBA, the ISG Series delivers the most advanced set of network segmentation features including Virtual Systems, Security Zones, Virtual Routers and VLANs.
• Resiliency: Hardware component redundancy, multiple high availability options and route-based VPNs provide the reliability required for high speed network security deployments.
• Interface flexibility: Almost every network deployment can be met with a wide variety of copper and fiber interface options.

Maximum Performance and Capacity(1)
Feature | ISG 1000(1) | ISG 2000(1)
ScreenOS version support | ScreenOS 5.0 | ScreenOS 5.2
Firewall performance | 1 Gbps | 2 Gbps
3DES performance | 1 Gbps | 1 Gbps
Concurrent sessions | 250,000 | 512,000
New sessions/second | 20,000 | 29,000
Policies | 10,000 | 30,000
Interfaces | 4 fixed 10/100/1000 ports, up to 4 mini GBIC (SX or LX), up to 8 10/100/1000, up to 20 10/100 | Up to 8 Mini GBIC (SX or LX), up to 8 10/100/1000, up to 28 10/100

Mode of Operation
Feature | ISG 1000(1) | ISG 2000(1)
Layer 2 mode (transparent mode)(2) | Yes | Yes
Layer 3 mode (route and/or NAT mode) | Yes | Yes
NAT (Network Address Translation) | Yes | Yes
PAT (Port Address Translation) | Yes | Yes
Policy-based NAT | Yes | Yes
Mapped IP | 4,096(3) | 8,192(3)
Virtual IP | 8(4) | 8(4)
Users supported | Unrestricted | Unrestricted

Firewall
Feature | ISG 1000(1) | ISG 2000(1)
Number of network attacks detected | 31 | 31
Network attack detection | Yes | Yes
DoS and DDoS protections | Yes | Yes
TCP reassembly for fragmented packet protection | Yes | Yes
Malformed packet protections | Yes | Yes
Deep Inspection firewall(5) | Yes | Yes
Stateful protocol signatures | Yes | Yes
Deep Inspection Protocols supported | HTTP, FTP, SMTP, POP3, IMAP, DNS | HTTP, FTP, SMTP, POP3, IMAP, DNS, NetBIOS/SMB, MS-RPC, P2P, IM
Number of applications attacks detected w/DI | over 280 | over 650
Brute force attack mitigation | Future | Yes
CPU protection | Future | Yes
DI attack pattern obfuscation | Future | Yes
Syn cookie protection | Future | Yes
Zone-based IP spoofing | Future | Yes
URL filtering (external) | Yes (Websense, SurfControl)

VPN Concurrent VPN tunnels Tunnel interfaces DES (56-bit), 3DES (168-bit) and AES encryption MD-5 and SHA-1 authentication Manual Key, IKE, PKI (X.509) Perfect forward secrecy (DH Groups) Prevent replay attack Remote access VPN L2TP within IPSec IPSec NAT traversal Redundant VPN gateways Firewall and VPN User Authentication Built-in (internal) database - user limit 3rd Party user authentication XAUTH VPN authentication Web-based authentication System Management WebUI (HTTP and HTTPS) Command Line Interface 
(console) Command Line Interface (telnet) Command Line Interface (SSH) System Management NetScreen-Security Manager All management via VPN tunnel on any interface SNMP full custom MIB Rapid deployment Logging/Monitoring Syslog (multiple servers) E-mail (2 addresses) NetIQ WebTrends SNMP (v2) Traceroute VPN tunnel monitor Virtualization Maximum number of Virtual Systems Maximum number of security zones Maximum number of virtual routers Number of VLANs supported ISG 1000(1) ISG 2000(1) 2,000(3) Up to 512(3) 10,000(3) Up to 1,024(3) Yes Yes Yes 1,2,5 Yes Yes Yes Yes Yes Yes Yes Yes 1,2,5 Yes Yes Yes Yes Yes 5,000(3) 15,000(3) RADIUS, RSA SecurID, and LDAP Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes, v1.5 and v2.0 compatible Yes Yes Yes Yes No Yes Yes No External, up to 4 servers Yes Yes External External Yes Yes Yes Yes Yes Yes 0 default, upgradeable 0 default, upgradeable to 50(6) to 10(6) 20 default, upgradeable 26 default, upgradeable to 126(6) to 40(6) 3 default, upgradeable 3 default, upgradeable to 53(6) to 13(6) 250 500 Page Datasheet Routing OSPF/BGP dynamic routing RIPv1, RIPv2 dynamic routing BGP dynamic routing Static routes Source-based routing ECMP flow based routing ISG 1000(1) ISG 2000(1) up to 8 instances each(3) up to 8 instances each(3) up to 12 instances Up to 50 instances supported(3) supported(3) 64 instances, 128 peers 64 instances, 128 peers 10,000 20,000 Yes Yes Yes Yes High Availability (HA) Active/Active Active/Passive Redundant interfaces Configuration synchronization Session synchronization for firewall and VPN Session failover for routing change Device failure detection Link failure detection Authentication for new HA members Encryption of HA traffic Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes VoIP H.323 ALG SIP ALG NAT for H.323/SIP Yes Yes no Yes Yes Yes Yes Yes, No Yes Yes Yes No, No No Yes IP Address Assignment Static DHCP, PPPoE client Internal DHCP server DHCP relay PKI Support PKI 
Certificate requests (PKCS 7 and PKCS 10) Yes Yes Automated certificate enrollment (SCEP) Yes Yes Online Certificate Status Protocol (OCSP) Yes Yes Certificate Authorities Supported Verisign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DOD PKI Administration Local administrators database External administrator database Restricted administrative networks Root Admin, Admin, and Read Only user levels Software upgrades Configuration Roll-back 20 20 RADIUS/LDAP/SecurID 6 6 Yes Yes TFTP/WebUI/NSM Yes ISG 1000(1) Traffic Management Guaranteed bandwidth Maximum bandwidth Priority-bandwidth utilization DiffServ stamp No No Yes, per physical interface only No No Yes, per policy Yes, per policy External Flash CompactFlash™ Event logs and alarms System config script NetScreen ScreenOS Software Supports 128 or 512 MB Industrial-Grade SanDisk Yes Yes Yes Yes Yes Yes Dimensions and Power Dimensions (H/W/L) Weight Rack mountable Power Supply (AC) Power Supply (DC) Redundant Power Supply 5.25/17.5/17.258 inches 5.25/17.5/23 inches 30 lbs. 52 lbs. 19” standard, 19” standard, 23” optional 23” optional 100 to 240 VAC, 100 to 240 VAC, 250 watts 250 watts -36 to -72 VDC, -36 to -60 VDC, 250 watts 250 watts No (single, Yes (dual, hot swappable) field replaceable) Certifications Safety Certifications EMC Certifications UL, CUL, CSA, CB UL, CUL, CSA, CB FCC class A, CE class A, FCC class A, CE class A, C-Tick, VCCI class A C-Tick, VCCI class A Environment Operational temperature: Non-operational temperature: Humidity: MTBF (Bellcore model) Other Security 32° to 122° F, 0° to 50° C -4° to 158° F, -20° to 70° C 10 to 90% non-condensing 7.6 years NEBS Level 3 No 32° to 122° F, 0° to 50° C -4° to 158° F, -20° to 70° C 10 to 90% non-condensing 7.6 years NEBS Level 3 Pending (1) Performance, capacity and features listed are based upon measured maximums under ideal testing conditions. Performance may vary with other ScreenOS releases and by deployment. 
Actual throughput may vary based upon packet size and enabled features.
(2) NAT, PAT, policy based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA, and IP address assignment are not available in layer 2 transparent mode.
(3) Shared among all Virtual Systems.
(4) Not available with Virtual Systems.
(5) Deep Inspection is automatically disabled when integrated IDP is installed.
(6) Additional license required.

Ordering Information

Licensing Options: The ISG 1000 and ISG 2000 are available with two licensing options to provide two different levels of functionality and capacity.
• Advanced Models: The Advanced software license provides all of the features and capacities listed within this spec sheet.
• Baseline Models: The Baseline software license provides an entry-level solution for customer environments where features such as Deep Inspection™, OSPF and BGP dynamic routing, advanced High Availability, and full capacity are not critical requirements.
The following table shows the features and capacities that differ between the Baseline and Advanced models:

Feature | Baseline ISG 1000 | Baseline ISG 2000 | Advanced ISG 1000 | Advanced ISG 2000
Sessions | 125,000 | 256,000 | 250,000 | 512,000
Concurrent VPN tunnels | 1,000 | 1,000 | 2,000 | 10,000
Deep Inspection Firewall | No | No | Yes | Yes
VLANs | 50 | 100 | 250 | 500
OSPF/BGP | No | No | Yes | Yes
High Availability (HA) | A/P | A/P | A/A | A/A
Integrated IDP | No | No | Optional Upgrade | Optional Upgrade

Product | Part Number

ISG 1000 Systems
NS-ISG-1000 System (inc AC power supply, No I/O cards) | NS-ISG-1000
NS-ISG-1000 System (inc DC power supply, No I/O cards) | NS-ISG-1000-DC
NS-ISG-1000 Baseline System (inc AC power supply, No I/O cards) | NS-ISG-1000B
NS-ISG-1000 Baseline System (inc DC power supply, No I/O cards) | NS-ISG-1000B-DC

ISG 2000 Systems
NS-ISG-2000 System (inc AC power supplies, No I/O cards) | NS-ISG-2000
NS-ISG-2000 System (inc DC power supplies, No I/O cards) | NS-ISG-2000-DC
NS-ISG-2000 Baseline System (inc AC power supplies, No I/O cards) | NS-ISG-2000B
NS-ISG-2000 Baseline System (inc DC power supplies, No I/O cards) | NS-ISG-2000B-DC

Integrated IDP Upgrades
Security module for IDP on ISG 1000 and ISG 2000 systems | NS-ISG-SEC
IDP Upgrade Kit for ISG 1000 system, including IDP Lic Key, additional memory, and 5-device NSM | NS-ISG-1000-IKT
IDP Upgrade Kit for ISG 2000 system, including IDP Lic Key, additional memory, and 5-device NSM | NS-ISG-2000-IKT

ISG 1000 and ISG 2000 I/O Modules
I/O Module - Dual Port Mini GBIC-SX | NS-ISG-SX2
I/O Module - Dual Port Mini GBIC-LX | NS-ISG-LX2
I/O Module - 4 Port 10/100 Fast Ethernet | NS-ISG-FE4
I/O Module - 8 Port 10/100 Fast Ethernet | NS-ISG-FE8
I/O Module - Dual Port 10/100/1000 Gig Ethernet | NS-ISG-TX2

ISG 1000 Software Options
VSYS Upgrade 0 to 5 | NS-ISG-1000-VSYS-5
VSYS Upgrade 5 to 10 | NS-ISG-1000-VSYS-10

ISG 2000 Software Options
VSYS Upgrade 0 to 5 | NS-ISG-2000-VSYS-5
VSYS Upgrade 5 to 25 | NS-ISG-2000-VSYS-25
VSYS Upgrade 25 to 50 | NS-ISG-2000-VSYS-50
VSYS Upgrade 0 to 25 | NS-ISG-2000-VSYS-025
VSYS Upgrade 0 to 50 | NS-ISG-2000-VSYS-050

ISG 1000 and ISG 2000 Spares
SX transceiver (mini-GBIC) | NS-SYS-GBIC-MSX
LX transceiver (mini-GBIC) | NS-SYS-GBIC-MLX
ISG 1000 AC power supply | NS-ISG-1000-PWR-AC
ISG 1000 DC power supply | NS-ISG-1000-PWR-DC
ISG 2000 AC power supply | NS-ISG-2000-PWR-AC2
ISG 2000 DC power supply | NS-ISG-2000-PWR-DC2
Japan power cord option | NS-ISG-2000-JAPAN
Fan module | NS-ISG-FAN
Rack Mount Kit (19 in., all mounting hardware) | NS-ISG-2000-RCK-01
Rack Mount Kit (23 in., all mounting hardware) | NS-ISG-2000-RCK-02
Blank Interface Panel | NS-ISG-IPAN2
ISG 2000 Blank Power Supply Cover | NS-ISG-2000-PPAN2

Every Virtual System includes 1 additional virtual router and 2 additional security zones, usable in the virtual or root system.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888-JUNIPER (888-586-4737) or 408-745-2000
Fax: 408-745-2100
www.juniper.net

110036-006 Oct 2005

EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978-589-5800
Fax: 978-589-0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd.
Suite 2507-11, Asia Pacific Finance Tower
Citibank Plaza, 3 Garden Road
Central, Hong Kong
Phone: 852-2332-3636
Fax: 852-2574-7803

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERS
Juniper Networks (UK) Limited
Juniper House
Guildford Road
Leatherhead
Surrey, KT22 9JH, U.K.
Phone: 44(0)-1372-385500
Fax: 44(0)-1372-385501

Copyright 2005, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice.
Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.