Juniper SSG-5-SB-BTW-E firewall (hardware)

Page Datasheet
Juniper NetworksSSG 5 and SSG 20
The Juniper Networks Secure Services Gateway 5 (SSG 5) and Secure Services Gateway 20 (SSG 20) are purpose-built security appliances that
deliver a perfect blend of performance, security, routing and LAN/WAN connectivity for small branch office and small business deployments.
Traffic flowing in and out of the branch office can be protected from worms, Spyware, Trojans, and malware by a complete set of Unified Threat
Management (UTM) security features including Stateful firewall, IPSec VPN, IPS, Antivirus (includes Anti-Spyware, Anti-Adware, Anti-Phishing), AntiSpam, and Web Filtering.
The rich set of UTM security features allows the SSG 5 and SSG 20 to be deployed as a stand alone network protection device. With its robust
routing engine, the SSG 5 and SSG 20 can also be deployed as a traditional branch office router or as a combination security and routing device to
help reduce IT capital and operational expenditures. The SSG 5 and SSG 20 provide customers with the following features and benefits:
• Extensible I/O architecture that delivers fixed LAN connectivity plus WAN I/O options on top of unmatched security to reduce costs and extend
investment protection.
• UTM security features backed by best-in-class security partners to ensure that the network is protected against all manner of attacks.
• Advanced security features such as network segmentation allows administrators to deploy security policies to isolate guests, wireless networks
and regional servers or databases to prevent unauthorized access and contain any attacks that may occur.
• Dedicated, security specific processing hardware and software platform delivers performance required to protect high speed LAN as well as
lower speed WAN connections.
Used by enterprises, service providers and stand alone businesses alike, the SSG 5 and SSG 20 are
ideally suited for locations that are smaller, with fewer employees yet still require advanced security
and routing features to protect business critical traffic traversing the WAN and high speed internal
networks. Typical deployments include small businesses, distributed branch offices, retail outlets,
and fixed telecommuter environments.
SSG 5:
The SSG 5 is a fixed form factor platform that delivers 160 Mbps of Stateful firewall traffic and
40 Mbps of IPSec VPN throughput. The SSG 5 Series is equipped with seven on-board 10/100
interfaces with optional fixed WAN ports (ISDN BRI S/T, V.92 or RS-232 Serial/Aux). Optional
support for 802.11 a/b/g and a broad array of wireless specific security allow the SSG 5 to
consolidate security, routing and wireless access point into a single device.
SSG 20:
The SSG 20 is a modular platform that delivers 160 Mbps of Stateful firewall traffic and 40 Mbps of
IPSec VPN throughput. The SSG 20 is equipped with five on-board 10/100 interfaces with two I/O
expansion slots that support I/O cards, such as ADSL2+, T1, E1, ISDN BRI S/T, V.92 for additional
WAN connectivity. Optional support for 802.11 a/b/g and a broad array of wireless specific security
allow the SSG 20 to consolidate security, routing and wireless access point into a single device.
Security
Proven Stateful firewall and IPSec VPN combined with best-in-class
UTM security features including IPS (Deep Inspection), Antivirus
(includes Anti-Spyware, Anti-Adware, Anti-Phishing), Anti-Spam, and
Web Filtering protects both LAN and WAN traffic from worms, Spyware,
Trojans, malware and other emerging attacks.
Network segmentation
The SSG 5 and SSG 20 provide an advanced set of network
segmentation features such as Security Zones, Virtual Routers and
VLANs that allow administrators to deploy different levels of security
to different user groups by dividing the network into distinct, secure
domains, each with their own security policy.
LAN/WAN connectivity
The combination of LAN/WAN connectivity options and supporting
protocols provides customers with the ability to deploy the SSG 5 or SSG
20 as a traditional LAN-based firewall or as a consolidated routing and
security device, thereby reducing TCO.
Seamlessly transform your network
Whether you are deploying a few SSGs to your local offices or
implementing thousands around the world, Juniper Networks
Professional Services can help. From simple lab testing to major network
implementations, we can identify the goals, define the deployment
process, create or validate the network design, and manage the
deployment. We collaborate with your team to transform your network
infrastructure to ensure that it is flexible, scalable, reliable, and secure.
Juniper Networks Secure Services Gateway 5 and 20
Page Maximum Performance and Capacity
ScreenOS version support Firewall performance (Large packets)
Firewall performance(2) (IMIX)
Firewall Packets per second (64 byte)
VPN performance (3DES+SHA-1)
Concurrent sessions
New sessions/second
Policies
Users supported
SSG 20
SSG 5
ScreenOS 5.4
160 Mbps
90 Mbps
30,000 40 Mbps 4,000
2,800
200
Unrestricted
ScreenOS 5.4
160 Mbps
90 Mbps
30,000
40 Mbps
4,000
2,800
200
Unrestricted
(1)
Network Connectivity
Fixed I/O 5x 10/100
7x 10/100
Physical Interface Module (Mini-PIM) Slots
2
0
WAN interface options
ADSL2+, T1, E1, ISDN BRI S/T or
ISDN BRI S/T, V.92
RS-232 Serial/Aux or
(See Mini-PIM datasheets)
V.92
(factory configured)
LAN interface options
None
None
Wireless networking
Dual Radio 802.11a + 802.11b/g (factory configured)
Firewall
Network attack detection
DoS and DDoS protection
TCP reassembly for fragmented
packet protection
Malformed packet protection
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes Yes
Yes
Yes
Yes
Yes
Yes
Yes
Unified Threat Management/Content Security(3)
IPS (Deep Inspection FW)
Protocol anomaly detection
Stateful protocol signatures Antivirus
Signature database
Protocols scanned
Anti-Phishing Anti-Spyware Anti-Adware Anti-Keylogger Anti-Spam
Integrated URL filtering
External URL filtering(4)
100,000+
POP3, SMTP, HTTP, IMAP, FTP
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
VoIP Security H.323. ALG SIP ALG SCCP ALG
MGCP ALG
NAT for SIP, H.323, MGCP, SCCP
Yes
Yes
Yes
Yes
Yes
VPN
Concurrent VPN tunnels
Tunnel interfaces
DES (56-bit), 3DES (168-bit)
and AES encryptions
MD-5 and SHA-1 authentication
Manual key, IKE, PKI (X.509)
Perfect forward secrecy (DH Groups)
Prevent replay attack Remote access VPN
L2TP within IPSec IPSec NAT traversal
Redundant VPN gateways
Yes
Yes
Yes
Yes
Yes
25
10
25
10
Yes
Yes
Yes
1,2,5
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
1,2,5
Yes
Yes
Yes
Yes
Yes
SSG 20
SSG 5
Firewall and VPN User Authentication
Built-in (internal) database - user limit
Up to 100
Up to 100
3rd Party user authentication
RADIUS, RSA SecurID, and LDAP
XAUTH VPN authentication
Yes
Yes
Web-based authentication
Yes
Yes
802.1X authentication
Yes
Yes
Mode of Operation
Layer 2 (transparent) mode(5) Layer 3 (route and/or NAT) mode Yes
Yes
Yes
Yes
Address Translation
Network Address Translation (NAT)
Port Address Translation (PAT)
Policy-based NAT/PAT
Mapped IP
Virtual IP
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Routing
BGP
Yes
OSPF
Yes
RIPv1/v2 Yes
Static routes
Yes
Source-based routing
Yes
Policy-based routing
Yes
ECMP
Yes
Routes
1,024
Multicast
Yes
Reverse Forwarding Path (RFP)
Yes
IGMP (v1, v2)
Yes
IGMP Proxy
Yes
PIM SM
Yes
PIM SSM
Yes
Mcast inside IPSec Tunnel
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
1,024
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Encapsulations
PPP
Yes
MLPPP
Yes
Frame Relay
Yes
MLFR (FRF 15, FRF 16) Yes
HDLC
Yes
Yes
N/A
N/A
N/A
N/A
Traffic Management (QoS)
Guaranteed bandwidth
Yes
Maximum bandwidth
Yes
Ingress Traffic Policing
Yes
Priority-bandwidth utilization
Yes
DiffServ stamp
Yes, per policy
Wi-Fi Multi-Media (WMM)
Yes (with WLAN)
Yes
Yes
Yes
Yes
Yes, per policy
Yes (with WLAN)
System Management
WebUI (HTTP and HTTPS)
Yes
Yes
Command Line Interface (console)
Yes
Yes
Command Line Interface (telnet)
Yes
Yes
Command Line Interface (SSH)
Yes, v1.5 and v2.0 compatible
NetScreen-Security Manager
Yes
Yes
All management via VPN tunnel
on any interface
Yes
Yes
SNMP full custom MIB
Yes
Yes
Rapid deployment
Yes
Yes
Logging and Monitoring
Syslog (multiple servers)
External, up to 4 servers
E-mail (2 addresses)
Yes
Yes
NetIQ WebTrends
External
External
SNMP (v2)
Yes
Yes
Traceroute
Yes
Yes
VPN tunnel monitor
Yes
Yes
Page Datasheet
SSG 20
SSG 5
Virtualization
Maximum number of configurable security zones 8
Maximum number of virtual routers
3
Maximum number of 802.1q VLANs 10
8
3
10
High Availability (HA)(6)
Active/Passive
Yes
Configuration synchronization
Yes
Session synchronization for firewall and VPN
Yes
Session failover for routing change
Yes
Device failure detection
Yes
Link failure detection
Yes
Authentication for new HA members
Yes
Encryption of HA traffic
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
IP
Yes
Yes
Yes
Yes
Address Assignment
Static
Yes
DHCP, PPPoE client
Yes
Internal DHCP server
Yes
DHCP relay
Yes
PKI Support
PKI Certificate requests (PKCS 7 and PKCS 10) Yes
Yes
Automated certificate enrollment (SCEP)
Yes
Yes
Online Certificate Status Protocol (OCSP)
Yes
Yes
Certificate Authorities Supported
Verisign, Entrust, Microsoft, RSA Keon,
iPlanet (Netscape), Baltimore, DOD PKI
Administration
Local administrators database size
20
20
External administrator database
RADIUS/LDAP/SecurID
Root Admin, Admin, and Yes
Yes
Read Only user levels
Software upgrades
TFTP / WebUI / NSM / SCP / USB
Configuration Roll-back
Yes
Yes
External Flash
Additional log storage
Event logs and alarms
System config script
ScreenOS Software
via USB
Yes
Yes
Yes
Yes
Yes
Yes
Dimensions and Power
Dimensions (W/L/H)
11 5/8” x 7 3/8” x 1 3/4” 8 3/4” x 5 5/8” x 1 5/8”
29.5cm x 18.7cm x 4.5cm 22.2cm x 14.3cm x 4.1cm
Weight
3.3 lbs (1.5 kg)
2.1 lbs (0.95 kg)
Rack mountable
Yes
Yes
Power Supply (AC)
100-240 VAC
100-240 VAC
Certifications
Safety Certifications
CSA, CB EMC Certifications
FCC Class B, CE Class B,
A-Tick, VCCI class B
Environment
Temp and Humidity
Operating Temp Non-Operating Temp
Humidity MTBF (Bellcore model)
Non-Wireless Wireless CSA, CB
FCC Class B, CE Class B,
A-Tick, VCCI class B
SSG 20
Wireless Radio Specifications (Wireless Models Only)
Transmit Power
Up to 200mW
Wireless Standards supported
Dual Radio 802.11 a + 802.11b/g
Site Survey
Yes
Maximum Configured SSIDs
16
Maximum Active SSIDs
4
Atheros SuperG
Yes
Atheros eXtended Range (XR)
Yes
Wi-Fi CERTIFIED® Yes
Wireless Security (Wireless Models Only)
Wireless Privacy
WPA, WPA2 (AES or TKIP), IPSEC VPN, WEP
Wireless Authentication
PSK, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1x
MAC Access Controls
Permit or Deny
Client Isolation
Yes
Antenna Option (Wireless Models Only)
Diversity Antenna
Included
Directional Antenna
Future
Omni-directional Antenna
Future
(1) Performance, capacity and features listed are based upon systems running ScreenOS 5.4 and are the measured maximums under ideal testing conditions
unless otherwise noted. Actual results may vary based on ScreenOS release and by deployment.
(2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer’s network. The
IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.
(3) UTM Security features (IPS/Deep Inspection, Antivirus, Anti-Spam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper
Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM Security features.
(4) Redirect Web filtering sends traffic to a secondary server and therefore entails purchasing a separate Web filtering license from either Websense or
SurfControl.
(5) NAT, PAT, policy based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA, and IP address assignment are
not available in layer 2 transparent mode.
(6) Active Passive and HA Lite require the purchase of an Extended License. In addition to the HA features, an Extended License key increases a subset of the
capacities as outlined below.
Extended License Feature
Sessions
VPN Tunnels
VLANS
VoIP Calls
High Availability SSG 20 and SSG 5
Increases max from 4000 to 8000
Increases max from 25 to 40
Increases max from 10 to 50
Increases max from 32 to 48
Adds support for Stateful Active/Passive and/or HA Lite
IPS (Deep Inspection FW) Signature Packs
Signature Packs provide the ability to tailor the attack protection to the specific deployment
and/or attack type. The following Signature packs are available for the SSG 5 and SG 20.
Signature Pack
Target Deployment
Defense Type
Type of Attack
Object
Base
Branch Offices, small
medium businesses
Client/Server and
worm protection
Range of signatures and protocol
anomalies
Client
Remote/Branch
Offices
Perimeter defense,
compliance for hosts
(desktops, etc)
Attacks in the serverto-client direction
Server
Small/Medium
Businesses
Perimeter defense,
compliance for
server infrastructure
Attacks in the clientto-server direction
Worm Mitigation
Remote/Branch
Offices of Large
enterprises
Most comprehensive
defense against
worm attacks
Worms, Trojans,
backdoor attacks
0 to 40 Deg C ( 32 to 104 Deg F)
-20 to 65 Deg C (-4 to 149 Deg F)
10 to 90% non-condensing
0 to 40 Deg C
( 32 to 104 Deg F)
-20 to 65 Deg C
(-4 to 149 Deg F)
10 to 90%
non-condensing
35.8 Yrs
28.9 Yrs
40.5 Yrs
22.8 Yrs
SSG 5
Page Ordering Information
Product
Part Number
SSG 5 SSG 5 with Serial backup, 128 MB Memory
SSG 5 with ISDN BRI S/T backup, Interface,128 MB Memory
SSG 5 with v.92 backup, 128 MB Memory
SSG 5 with Serial backup, Wireless 802.11a/b/g,128 MB Memory
SSG 5 with ISDN BRI S/T backup, Wireless 802.11a/b/g, 128 MB memory
SSG 5 with v.92 backup, Wireless 802.11a/b/g, 128 MB Memory
SSG 5 with Serial backup, 256 MB memory
SSG 5 with ISDN BRI S/T backup, 256 MB memory
SSG 5 with v.92 backup, 256 MB memory
SSG 5 with Serial backup, Wireless 802.11a/b/g, 256 MB memory
SSG 5 with ISDN BRI S/T backup, Wireless 802.11a/b/g, 256 MB memory
SSG 5 with v.92 backup, Wireless 802.11a/b/g, 256 MB memory
SSG-5-SB
SSG-5-SB-BT
SSG-5-SB-M
SSG-5-SB-W-xx
SSG-5-SB-BTW-xx
SSG-5-SB-MW-xx
SSG-5-SH
SSG-5-SH-BT
SSG-5-SH-M
SSG-5-SH-W-xx
SSG-5-SH-BTW-xx
SSG-5-SH-MW-xx
SSG 20 SSG 20 with 2 port Mini-PIM slots, 128 MB Memory
SSG 20 with 2 port Mini-PIM slots,
Wireless 802.11a/b/g, 128 MB Memory
SSG 20 with 2 port Mini-PIM slots, 256 MB memory
SSG 20 with 2 port Mini-PIM slots,
Wireless 802.11a/b/g, 256 MB memory
SSG-20-SH-W-xx
SSG 20 I/O Options
1 port T1 Mini Physical Interface Module
1 port E1 Mini Physical Interface Module
1 port ADSL2+ Annex A Mini Physical Interface Module
1 port ADSL2+ Annex B Mini Physical Interface Module
1 port v.92 Mini Physical Interface Module
1 port ISDN S/T BRI Mini Physical Interface Module
JXM-1T1-S
JXM-1E1-S
JXM-1ADSL2-A-S
JXM-1ADSL2-B-S
JXM-1V92-S
JXM-1BRI-ST-S
CORPORATE HEADQUARTERS
AND SALES HEADQUARTERS
FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888-JUNIPER (888-586-4737)
or 408-745-2000
Fax: 408-745-2100
www.juniper.net
100176-002 Oct 2006
EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978-589-5800
Fax: 978-589-0800
SSG-20-SB
SSG-20-SB-W-xx
SSG-20-SH
Product
SSG 5 / SSG 20 Accessories & Upgrades Extended License Upgrade Key for SSG 5 Extended License Upgrade Key for SSG 20
SSG 5 and SSG 20 256MB Memory Upgrade Module
SSG 5 Rack Mount Kit - holds 2 units
SSG 20 Rack Mount Kit
SSG Wireless Replacement Antenna
Part Number
SSG-5-ELU
SSG-20-ELU
SSG-5-20-MEM-256
SSG-5-RMK
SSG-20-RMK
SSG-ANT
Unified Threat Management/Content Security (High Memory Option Required) Anti-Virus (Anti-Spyware, Anti-Phishing)
NS-K-AVS-SSG5
NS-K-AVS-SSG20
IPS (Deep Inspection)
NS-DI-ISG-SSG5
NS-DI-ISG-SSG20
Web Filtering
NS-WF-SSG5
NS-WF-SSG20
Anti-Spam
NS-SPAM-SSG5
NS-SPAM-SSG20
Remote Office Bundle (Includes AV, DI, WF)
NS-RBO-CS-SSG5
NS-RBO-CS-SSG20
Main Office Bundle (Includes AV, DI, WF, AS)
NS-SMB-CS-SSG5
NS-SMB-CS-SSG20
• Note: The appropriate power cord is included based upon the sales order “Ship To” destination.
• Note: XX denotes Region Code for Wireless devices. Not all countries are supported. Please see Wireless Country Compliance Matrix for certified countries.
www.jnpr.net/products/integrated/ssg_5_20.html
• Note: For 2nd year renewal of Content Security Subscriptions add “-R” to above SKUs.
ASIA PACIFIC REGIONAL
SALES HEADQUARTERS
EUROPE, MIDDLE EAST, AFRICA
REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd.
Suite 2507-11, 25/F
ICBC Tower,
Citibank Plaza, 3 Garden Road,
Central, Hong Kong
Phone: 852-2332-3636
Fax: 852-2574-7803
Juniper Networks (UK) Limited
Building 1
Aviator Park, Station Road
Addlestone
Surrey, KT15 2PG, U. K.
Phone: 44(0)-1372-385500
Fax: 44(0)-1372-385501
Copyright 2006, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks
in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper
Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.