Signature | SG140-D | User manual | SSG 140 Datasheet

Page Datasheet
Juniper NetworksSSG 140
The Juniper Networks Secure Services Gateway 140 (SSG 140) is a purpose-built security appliance that delivers a perfect blend of performance,
security, routing, and LAN/WAN connectivity for medium sized branch offices and business deployments. Traffic flowing in and out of the branch
office is protected from worms, Spyware, Trojans, and malware by a complete set of Unified Threat Management (UTM) security features including
Stateful firewall, IPSec VPN, IPS, Antivirus (includes Anti-Spyware, Anti-Adware, Anti-Phishing), Anti-Spam, and Web Filtering.
The rich set of UTM security features allows the SSG 140 to be deployed as a stand alone network protection device. With its robust routing engine,
the SSG 140 can also be deployed as a traditional branch office router or as a combination security and routing device to help reduce IT capital and
operational expenditures. The SSG 140 provides customers with the following features and benefits:
• Extensible I/O architecture that delivers LAN and WAN connectivity options on top of unmatched security to reduce costs and extend investment
protection.
• UTM security features backed by best-in-class security partners to ensure that the network is protected against all manner of attacks.
• Advanced security features such as network segmentation allows administrators to deploy security policies to isolate guests, wireless networks
and regional servers or databases to prevent unauthorized access and contain any attacks that may occur.
• Dedicated, security specific processing hardware and software platform delivers performance required to protect high speed LAN as well as
lower speed WAN connections.
Used by enterprises, service providers and stand alone businesses alike, the SSG 140 is ideally suited for medium size offices that require advanced
security and routing features to protect business critical traffic traversing the WAN and high speed LAN. Deployment examples include small to
medium sized stand alone businesses and branch office environments.
Front
The SSG 140 is a modular platform that delivers over 350 Mbps of Stateful
firewall traffic and 100 Mbps of IPSec VPN. The SSG 140 supports 8 on-board
10/100 + 2 10/100/1000 interfaces and four I/O expansion slots that support
T1, E1, ISDN BRI S/T, and Serial connectivity.
Back
Security
Proven Stateful firewall and IPSec VPN combined with best-in-class
UTM security features including IPS, Antivirus (includes Anti-Spyware,
Anti-Adware, Anti-Phishing), Anti-Spam, and Web Filtering protects both
LAN and WAN traffic from worms, Spyware, Trojans, malware and other
emerging attacks.
Network segmentation
The SSG 140 provides an advanced set of network segmentation
features such as Security Zones, Virtual Routers and VLANs that allow
administrators to deploy different levels of security to different user
groups by dividing the network into distinct, secure domains, each with
their own security policy.
LAN/WAN connectivity
The combination of LAN/WAN connectivity options and supporting
protocols provides customers with the ability to deploy the SSG 140 as a
traditional LAN-based firewall or as a consolidated routing and security
device, thereby reducing TCO.
Seamlessly transform your network
Whether you are deploying a few SSGs to your local offices or
implementing thousands around the world, Juniper Networks
Professional Services can help. From simple lab testing to major network
implementations, we can identify the goals, define the deployment
process, create or validate the network design, and manage the
deployment. We collaborate with your team to transform your network
infrastructure to ensure that it is flexible, scalable, reliable, and secure.
Juniper Networks Secure Services Gateway 140
Page SSG 140
Maximum Performance and Capacity
ScreenOS version support Firewall performance (Large packets)
Firewall performance (IMIX)(2)
Firewall packets per second (64 byte)
3DES+SHA-1 VPN performance
Concurrent sessions
New sessions/second
Policies
Users supported
ScreenOS 5.4
350+ Mbps
300 Mbps
100,000 PPS
100 Mbps
32,000
8,000
500
Unrestricted
Network Connectivity
Fixed I/O Physical Interface Module (PIM) Slots
WAN interface options
8 10/100, 2 10/100/1000
4
2xT1, 2xE1, 1xISDN BRI S/T, 2xSerial
(1)
Mode of Operation
Layer 2 (transparent) mode(3) Layer 3 (route and/or NAT) mode Yes
Yes
Address Translation
Network Address Translation (NAT)
Port Address Translation (PAT)
Policy-based NAT/PAT
Mapped IP
Virtual IP
Yes
Yes
Yes
Yes
Yes
Firewall
Network attack detection
Yes
DoS and DDoS protection
Yes
TCP reassembly for fragmented packet protection
Yes
Brute force attack mitigation)
Yes
SYN cookie protection
Yes
Zone-based IP spoofing
Yes
Malformed packet protection
Yes
Unified Threat Management/Content Security(4)
IPS (Deep Inspection FW)
Protocol anomaly detection
Stateful protocol signatures
IPS/DI attack pattern obfuscation
Antivirus
Signature database
Protocols scanned
Anti-Spyware
Anti-Adware
Anti-Keylogger
Anti-Spam
Integrated URL filtering
External URL filtering(5)
VPN
Concurrent VPN tunnels
Tunnel interfaces
DES (56-bit), 3DES (168-bit) and AES encryption
MD-5 and SHA-1 authentication
Manual key, IKE, PKI (X.509)
Perfect forward secrecy (DH Groups)
Prevent replay attack Remote access VPN
L2TP within IPSec
IPSec NAT traversal
Redundant VPN gateways
Yes
Yes
Yes
Yes
Yes
100,000+
POP3, SMTP, HTTP, IMAP, FTP
Yes
Yes
Yes
Yes
Yes
Yes
125
50
Yes
Yes
Yes
1,2,5
Yes
Yes
Yes
Yes
Yes
VoIP Security H.323. ALG SIP ALG MGCP
SCCP
NAT for VoIP protocols Firewall and VPN User Authentication
Built-in (internal) database - user limit
3rd Party user authentication
XAUTH VPN authentication
Web-based authentication
802.1X authentication
SSG 140
Yes
Yes
Yes
Yes
Yes
250
RADIUS, RSA SecurID, and LDAP
Yes
Yes
Yes
Routing
BGP OSPF
RIPv1/v2 Dynamic routing
Static routes
Source-based routing
Policy-based routing
ECMP
Routes
Multicast
Reverse Forwarding Path (RFP)
IGMP (v1, v2)
IGMP Proxy
PIM SM
PIM SSM
Mcast inside IPSec Tunnel
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
2048
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Encapsulations
PPP
MLPPP
MLPP max physical interfaces Frame Relay
MLFR (FRF 15, FRF 16) MLFR max physical interfaces HDLC
Yes
Yes
8
Yes
Yes
8
Yes
Traffic Management (QoS)
Guaranteed bandwidth
Maximum bandwidth
Ingress Traffic Policing
Priority-bandwidth utilization
DiffServ stamp
Yes
Yes, per physical interface
Yes
Yes
Yes, per policy
System Management
WebUI (HTTP and HTTPS)
Command Line Interface (console)
Command Line Interface (telnet)
Command Line Interface (SSH)
NetScreen-Security Manager
All management via VPN tunnel on any interface
SNMP full custom MIB
Rapid deployment
Logging and Monitoring
Syslog (multiple servers)
E-mail (2 addresses)
NetIQ WebTrends
SNMP (v2)
Traceroute
VPN tunnel monitor
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
Yes
Yes
External
Yes
Yes
Yes
Page Datasheet
SSG 140
Virtualization
Maximum number of security zones
Maximum number of virtual routers
Number of VLANs supported
40
3
100
High Availability (HA)
Dedicated HA interfaces
Active/Passive
Configuration synchronization
Session synchronization for firewall and VPN
Session failover for routing change
Device failure detection
Link failure detection
Authentication for new HA members
Encryption of HA traffic
No
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
IP Address Assignment
Static
DHCP, PPPoE client
Internal DHCP server
DHCP relay
Yes
Yes
Yes
Yes
PKI Support
PKI Certificate requests (PKCS 7 and PKCS 10)
Yes
Automated certificate enrollment (SCEP)
Yes
Online Certificate Status Protocol (OCSP)
Yes
Certificate Authorities supported
Verisign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DOD PKI
Administration
Local administrators database
External administrators database
Restricted administrative networks
Root Admin, Admin, and Read Only user levels
Software upgrades
Configuration roll-back
External Flash
Additional log storage
Event logs and alarms
System config script
ScreenOS Software
20
RADIUS/LDAP/SecureID
6
Yes
Yes
Yes
USB1.1
Yes
Yes
Yes
SSG 140
Dimensions and Power
Dimensions (H/W/L)
Weight
Rack mountable
Power Supply (AC)
Maximum thermal output 1.75” x 17.5” x 15”
10.2 Lbs
Yes, 1 RU
AC input voltage Operating range:
90 to 240 VAC
AC input line frequency 50 or 60 Hz
AC system current rating 2 A
580 BTU/hour (170 W)
Certifications
Safety Certifications
UL, CUL, CSA, CB
EMC Certifications
FCC class B, CE class B,
C-Tick, VCCI class A
Environment
Operational temperature: 32° to 122° F,
0° to 50° C
Non-operational temperature: -4° to 158° F,
-20° to 70° C
Humidity: 10 to 90% non-condensing
MTBF (Bellcore model)
16 Years
(1) Performance, capacity and features listed are based upon systems running ScreenOS 5.4 and are the measured maximums
under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and by deployment.
(2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more
typical of a customer’s network. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets +
8.33% 1518 byte packets of UDP traffic.
(3) NAT, PAT, policy based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA,
and IP address assignment are not available in layer 2 transparent mode.
(4) UTM Security features (IPS/Deep Inspection, Antivirus, Anti-Spam and Web filtering) are delivered by annual subscriptions
purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support. The
high memory option is required for UTM Security features.
(5) Redirect Web filtering sends traffic to a secondary server and therefore entails purchasing a separate Web filtering license
from either Websense or SurfControl.
IPS (Deep Inspection FW) Signature Packs
Signature Packs provide the ability to tailor the attack protection to the specific deployment
and/or attack type. The following Signature packs are available for the SSG 140.
Signature Pack
Target Deployment
Defense Type
Type of Attack
Object
Base
Branch Offices, small
medium businesses
Client/Server and
worm protection
Range of signatures and protocol
anomalies
Client
Remote/Branch
Offices
Perimeter defense,
compliance for hosts
(desktops, etc)
Attacks in the serverto-client direction
Server
Small/Medium Businesses
Perimeter defense,
compliance for server
infrastructure
Attacks in the clientto-server direction
Worm Mitigation
Remote/Branch
Offices of Large
enterprises
Most comprehensive
defense against
worm attacks
Worms, Trojans,
backdoor attacks
Page Ordering Information
Product
Part Number
SSG 140 SSG 140 System, 256 MB memory, 0 PIM cards, AC power
SSG 140 System, 512 MB memory, 0 PIM cards, AC power
SSG 140 I/O Options
1 Port ISDN BRI S/T Interface
2 Port E1 PIM with integrated CSU/DSU
2 Port T1 PIM with integrated CSU/DSU
2 Port Serial PIM
SSG-140-SB
SSG-140-SH
JX-1BRI-ST-S
JX-2E1-RJ48-S
JX-2T1-RJ48-S
JX-2Serial-S
Unified Threat Management/Content Security (High Memory Option Required)
Antivirus (Anti-Spyware, Anti-Phishing)
NS-K-AVS-SSG140
IPS (Deep Inspection)
NS-DI-SSG140
Anti-Spam NS-SPAM-SSG140
Web Filtering NS-WF-SSG140
Remote Office Bundle (AV, IPS, WF)
NS-RBO-CS-SSG140
Main Office Bundle (AV, IPS, WF, AS)
NS-SMB-CS-SSG140
SSG 140 Memory Upgrades, Spares and Communications Cables
512 MB memory upgrade for the SSG 140 Power Cable, Australia
Power Cable, China
Power Cable, Europe
Power Cable, Italy
Power Cable, Japan
Power Cable, UK
Power Cable, US
Blank I/O plate EIA530 cable (DCE)
EIA530 cable (DTE)
RS232 cable (DCE)
RS232 cable (DTE)
RS449 cable (DCE)
RS449 cable (DTE)
V.35 cable (DCE)
V.35 cable (DTE)
X.21 cable (DCE)
X.21 cable (DTE)
SSG-100-MEM-512
CBL-JX-PWR-AU
CBL-JX-PWR-CH
CBL-JX-PWR-EU
CBL-JX-PWR-IT
CBL-JX-PWR-JP
CBL-JX-PWR-UK
CBL-JX-PWR-US
JX-Blank-FP-S
JX-CBL-EIA530-DCE
JX-CBL-EIA530-DTE
JX-CBL-RS232-DCE
JX-CBL-RS232-DTE
JX-CBL-RS449-DCE
JX-CBL-RS449-DTE
JX-CBL-V35-DCE
JX-CBL-V35-DTE
JX-CBL-X21-DCE
JX-CBL-X21-DTE
Note: The appropriate power cord is included based upon the sales order “Ship To”
destination.
CORPORATE HEADQUARTERS
AND SALES HEADQUARTERS
FOR NORTH AND SOUTH AMERICA
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888-JUNIPER (888-586-4737)
or 408-745-2000
Fax: 408-745-2100
www.juniper.net
100181-003 Nov 2006
EAST COAST OFFICE
Juniper Networks, Inc.
10 Technology Park Drive
Westford, MA 01886-3146 USA
Phone: 978-589-5800
Fax: 978-589-0800
ASIA PACIFIC REGIONAL
SALES HEADQUARTERS
EUROPE, MIDDLE EAST, AFRICA
REGIONAL SALES HEADQUARTERS
Juniper Networks (Hong Kong) Ltd.
Suite 2507-11, 25/F
ICBC Tower,
Citibank Plaza, 3 Garden Road,
Central, Hong Kong
Phone: 852-2332-3636
Fax: 852-2574-7803
Juniper Networks (UK) Limited
Building 1
Aviator Park, Station Road
Addlestone
Surrey, KT15 2PG, U. K.
Phone: 44(0)-1372-385500
Fax: 44(0)-1372-385501
Copyright 2006, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks
in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper
Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.