ANNEX 1: Glossary of Terms
This annex presents the glossary of technical terms used in the preparation of this thesis.
THREAT
A potential danger to information or systems. It can use a vulnerability to harm a company or an individual.
ANTISPAM
The method used to prevent "spam" or "junk mail" from reaching users' mailboxes.
APPLIANCE
A computer system or device sold ready to use, in which the hardware and software are preconfigured and which usually runs a proprietary operating system.
ATTACK
The execution of a threat. It can be of four types: interruption, which consists in stopping the flow of information; interception, which consists in capturing part of the information in transit or held in a repository; modification, which consists in altering the behaviour of a system or of the information; and fabrication, which consists in forging information or an identity.
CONFIDENTIALITY OF INFORMATION
Provides the ability to ensure the level of access to certain information and prevents unauthorized access.
COUNTERMEASURE
Reduces the risk that a vulnerability can be exploited. The countermeasures considered in this research are antivirus, firewalls, virtual private networks, access control and strong authentication.
DOMAIN CONTROLLER
The core of Microsoft's directory service. Its functions include user authentication, which is the process of granting or denying a user access to the resources of a Microsoft network.
COOKIE
A file stored on a computer's hard disk to keep information about a visitor to a website.
ACTIVE DIRECTORY
Microsoft's proprietary version of the LDAP directory service, developed for its Windows platform. Its function is to store a company's information in a centralized and organized way. Active Directory makes it possible to set company-wide policies and to deploy programs and configurations globally.
AVAILABILITY OF INFORMATION
Seeks to have systems return to operation in the shortest possible time and with as much of their functionality as possible after any adverse event.
EXPLOIT
A program or piece of software that exploits a vulnerability in another program or system in order to access it without authorization and cause unintended behaviour.
GRANULARITY
A term referring to how specifically the level of detail of a security policy is defined. The greater the granularity, the greater the level of detail.
INTEGRITY OF INFORMATION
Ensures that the system's information is correct and consistent. It prevents unauthorized modification of the information.
MALWARE
A malicious program, piece of software or code whose purpose is to cause damage to a computer, system or network.
NAT
(Network Address Translation). Real-time translation of the IP addresses carried in packets by routing devices such as routers or firewalls when the packets cross from one network to another. There are two types of NAT: static and dynamic. Static NAT associates an IP address of one segment one-to-one (1:1) with an address of a second segment, bidirectionally. Dynamic NAT translates several IP addresses of one segment to another segment, in a single direction.
PAT
(Port Address Translation). Real-time translation of IP addresses and TCP or UDP ports when they cross a routing device. With PAT a single IP address of one network can be turned into several addresses of the other network.
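The distinction the NAT and PAT entries draw (static NAT as a 1:1 bidirectional mapping, dynamic NAT as a pool that is bound only when an inside host sends first, and PAT multiplexing many inside hosts behind one address by port) can be seen in a small simulation. The following Python is an added example written for this annex, not code from the thesis or from any product it discusses; the class names, the sequential public-port allocation starting at 40000, and all IP addresses and ports are constructed for the example. It also shows the defensive consequence of the one-directional modes: an inbound packet that matches no existing mapping is dropped rather than forwarded.

```python
# Added example (not from the thesis): a minimal model of the three translation
# modes defined above. IP addresses and ports are constructed sample values.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNAT:
    """Static NAT: fixed 1:1 mapping, usable in both directions."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.in_to_out = dict(mapping)                       # private -> public
        self.out_to_in = {v: k for k, v in mapping.items()}  # public -> private

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        pub = self.in_to_out.get(pkt.src_ip)
        return None if pub is None else replace(pkt, src_ip=pub)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # A public address with a mapping is reachable from outside; anything
        # else has no mapping and is dropped.
        priv = self.out_to_in.get(pkt.dst_ip)
        return None if priv is None else replace(pkt, dst_ip=priv)


class DynamicNAT(StaticNAT):
    """Dynamic NAT: public addresses come from a pool and are bound only when
    an inside host sends first, so the translation works in one direction."""

    def __init__(self, pool: List[str]) -> None:
        super().__init__({})
        self.free = list(pool)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src_ip not in self.in_to_out:
            if not self.free:
                return None                                  # pool exhausted
            pub = self.free.pop(0)
            self.in_to_out[pkt.src_ip] = pub
            self.out_to_in[pub] = pkt.src_ip
        return super().outbound(pkt)


class PAT:
    """PAT: one public address; each inside (address, port) gets its own
    public port, and only a port with a live mapping accepts inbound traffic."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip, self.next_port = public_ip, first_port
        self.table: Dict[Tuple[str, int], int] = {}    # (priv ip, port) -> pub port
        self.reverse: Dict[int, Tuple[str, int]] = {}  # pub port -> (priv ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = self.reverse.get(pkt.dst_port) if pkt.dst_ip == self.public_ip else None
        return None if key is None else replace(pkt, dst_ip=key[0], dst_port=key[1])


def demo() -> dict:
    """Run the three translators over constructed traffic and summarise."""
    server = "198.51.100.10"  # constructed external host
    static = StaticNAT({"10.0.0.5": "203.0.113.5"})
    dynamic = DynamicNAT(["203.0.113.10", "203.0.113.11"])
    pat = PAT("203.0.113.1")
    # Static: an inbound connection to the public address reaches the inside host.
    s_in = static.inbound(Packet(server, 4444, "203.0.113.5", 80))
    # Dynamic: inbound is dropped until the inside host has sent something.
    d_before = dynamic.inbound(Packet(server, 80, "203.0.113.10", 5000))
    d_out = dynamic.outbound(Packet("10.0.0.7", 5000, server, 80))
    d_after = dynamic.inbound(Packet(server, 80, d_out.src_ip, 5000))
    dynamic.outbound(Packet("10.0.0.8", 5000, server, 80))
    d_third = dynamic.outbound(Packet("10.0.0.9", 5000, server, 80))
    # PAT: two inside hosts with the same source port get distinct public ports.
    p1 = pat.outbound(Packet("10.0.0.7", 5000, server, 80))
    p2 = pat.outbound(Packet("10.0.0.8", 5000, server, 80))
    p_reply = pat.inbound(Packet(server, 80, "203.0.113.1", p2.src_port))
    p_scan = pat.inbound(Packet(server, 80, "203.0.113.1", 22))
    return {
        "static_inbound_dst": s_in.dst_ip,
        "dynamic_inbound_before": d_before,
        "dynamic_inbound_after_dst": d_after.dst_ip,
        "dynamic_pool_exhausted": d_third is None,
        "pat_public_ports": (p1.src_port, p2.src_port),
        "pat_reply_dst": (p_reply.dst_ip, p_reply.dst_port),
        "pat_unsolicited_dropped": p_scan is None,
    }
```

Calling demo() shows the static mapping answering an unsolicited inbound connection, the dynamic pool refusing inbound traffic until an inside host has opened a session (and refusing a third host once the two-address pool is used up), and PAT returning a reply to the right inside host by port while dropping a packet to a port with no mapping. A real firewall also ages these entries out and tracks protocol state, which this model omits.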
RAID
An array or combination of hard disks that work together to reach a size and performance that could not be obtained with a single large hard disk, and that ensures data redundancy so that data is not lost in case of failure.
LAN
Local area networks. Physically located in the same premises or building, or in nearby premises.
MAN
Metropolitan area networks. Physically made up of several LANs located in the same city.
WAN
Wide area networks. Physically made up of several LANs and MANs that may be located in different cities or countries.
RISK
The possibility or probability that an entity exploits or makes use of a vulnerability.
PERIMETER SECURITY
Involves the integration of elements and systems for the protection of perimeters, the detection of intrusion attempts and/or the deterrence of intruders.
PUBLIC SERVERS
Elements that, because of the application running on them, are accessed directly from the Internet. They may be a mail server, a Web or FTP server, among others.
SERVICE
The application to be published to the Internet. It may be a Web portal, e-mail, file transfer, or even a banking transaction portal.
SPYWARE
A spying program installed on a computer, with or without the user's consent, to collect information about the browsing habits carried out on it.
SSH
(Secure Shell). An encrypted protocol for securely accessing remote machines over a network.
SSL/TLS
(Secure Sockets Layer/Transport Layer Security). A protocol that offers a secure channel for transferring information in client-server applications. This channel is designed to provide privacy and authentication.
VPN
Virtual private network. A technology for joining two secure networks across an insecure network (for example, the Internet).
VULNERABILITY
Defective software, hardware or procedure that may provide an open door for unauthorized access.
ANNEX 2: Technical Data Sheets of the Products Making Up the Security Solution
This annex presents the technical data sheets of the solutions, equipment and software that make up the proposed solution.
DATASHEET
SSG5 AND SSG20 SECURE SERVICES GATEWAYS
Product Overview
The Juniper Networks SSG5 and SSG20 Secure Services Gateways are purpose-built security appliances that deliver a perfect blend of performance, security, routing and LAN/WAN connectivity for small branch offices, fixed telecommuters and small standalone business deployments. Traffic flowing in and out of the branch office or business is protected from worms, spyware, trojans, and malware by a complete set of Unified Threat Management security features that include stateful firewall, IPsec VPN, intrusion prevention system (IPS), antivirus (includes antispyware, anti-adware, antiphishing), antispam and Web filtering.
Product Description
The Juniper Networks® SSG5 and SSG20 Secure Services Gateways are high-performance security platforms for small branch office and standalone businesses that want to stop internal and external attacks, prevent unauthorized access and achieve regulatory compliance. Both the SSG5 and SSG20 deliver 160 Mbps of stateful firewall traffic and 40 Mbps of IPsec VPN traffic.
Security: Protection against worms, viruses, trojans, spam, and emerging malware is delivered by proven unified threat management (UTM) security features that are backed by best-in-class partners. To address internal security requirements and facilitate regulatory compliance, the SSG5 and SSG20 both support an advanced set of network protection features such as security zones, virtual routers and VLANs that allow administrators to divide the network into distinct secure domains, each with its own unique security policy. Policies protecting each security zone can include access control rules and inspection by any of the supported UTM security features.
[Figure: deployment diagram showing an SSG20 at a Regional Office with security zones A, B and C, connected over the Internet to Headquarters (M7i router, NetScreen-5400).]
The SSG20 deployed at a branch office for secure Internet connectivity and site-to-site VPN to corporate headquarters. Internal wired and wireless resources are protected with unique security policies applied to each security zone.
Connectivity and Routing: The SSG5 has seven on-board 10/100 interfaces with optional fixed WAN ports. The SSG20 has five 10/100 interfaces with two I/O expansion slots for additional WAN connectivity. The broad array of I/O options coupled with WAN protocol and encapsulation support in the routing engine make both the SSG5 and the SSG20 a solution that can easily be deployed as a traditional branch office router or as a consolidated security and routing device to reduce CapEx and OpEx. Both the SSG5 and SSG20 support 802.11 a/b/g as a factory configured option supported by a wide array of wireless specific security features.
Access Control Enforcement: The SSG5 and SSG20 can act as enforcement points in a Juniper Networks Unified Access Control deployment with the simple addition of the IC Series UAC appliance. The IC Series functions as a central policy management engine, interacting with the SSG5 or SSG20 to augment or replace the firewall-based access control with a solution that grants/denies access based on more granular criteria that include endpoint state and user identity in order to accommodate the dramatic shifts in attack landscape and user characteristics.
World Class Support: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals.
Features and Benefits

High performance
Feature description: Purpose-built platform is assembled from custom-built hardware, powerful processing and a security-specific operating system.
Benefit: Delivers performance headroom required to protect against internal and external attacks now and into the future.

Best-in-class UTM security features
Feature description: UTM security features (antivirus, antispam, Web filtering, IPS) stop all manner of viruses and malware before they damage the network.
Benefit: Ensures that the network is protected against all manner of attacks.

Integrated antivirus
Feature description: Annually licensed antivirus engine is based on Kaspersky Lab engine.
Benefit: Stops viruses, spyware, adware and other malware.

Integrated antispam
Feature description: Annually licensed anti-spam offering is based on Sophos technology.
Benefit: Blocks unwanted email from known spammers and phishers.

Integrated Web filtering
Feature description: Annually licensed Web filtering solution is based on Websense SurfControl technology.
Benefit: Controls/blocks access to malicious Web sites.

Integrated IPS (Deep Inspection)
Feature description: Annually licensed IPS engine.
Benefit: Prevents application-level attacks from flooding the network.

Fixed interfaces
Feature description: Seven fixed 10/100 interfaces on the SSG5, and five fixed 10/100 interfaces on the SSG20. The SSG5 is factory configured with either RS232 Serial/AUX or ISDN BRI S/T or V.92 fixed WAN backup. Both models include one console port and one auxiliary port.
Benefit: Provides high-speed LAN connectivity, redundant WAN connectivity and flexible management.

Network segmentation
Feature description: Security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, wireless networks and regional servers or databases.
Benefit: Facilitates deployment of internal security to prevent unauthorized access, contain attacks and assist in achieving regulatory compliance.

Interface modularity
Feature description: Two interface expansion slots (SSG20 only) supporting optional ADSL 2+, T1, E1, ISDN BRI S/T, Serial, SFP and v.92 Mini physical interface modules (Mini-PIMs).*
Benefit: Delivers combination of LAN and WAN connectivity on top of unmatched security to reduce costs and extend investment protection.

Robust routing engine
Feature description: Proven routing engine supports OSPF, BGP, and RIP v1/2.
Benefit: Enables the deployment of a consolidated security and routing device, thereby lowering operational and capital expenditures.

802.11 a/b/g wireless-specific security features
Feature description: Wireless-specific privacy and authentication features augment the UTM security capabilities to protect wireless traffic.
Benefit: Provides additional device consolidation opportunities (WLAN access point, security, routing) for small office environment.

*Serial and SFP Mini-PIMs only supported in ScreenOS 6.0 or greater releases
Features and Benefits (continued)

Juniper Networks Unified Access Control enforcement point
Feature description: Interacts with the centralized policy management engine (IC Series) to enforce session-specific access control policies using criteria such as user identity, device security state and network location.
Benefit: Improves security posture in a cost-effective manner by leveraging existing customer network infrastructure components and best-in-class technology.

Management flexibility
Feature description: Use any one of three mechanisms, command line interface (CLI), WebUI or Juniper Networks Network and Security Manager (NSM), to securely deploy, monitor and manage security policies.
Benefit: Enables management access from any location, eliminating onsite visits, thereby improving response time and reducing operational costs.

World-class professional services
Feature description: From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design and manage the deployment.
Benefit: Transforms the network infrastructure to ensure that it is secure, flexible, scalable and reliable.
Product Options

DRAM
Option description: The SSG5 and SSG20 are available with either 128 MB or 256 MB of DRAM.
Applicable products: SSG5 and SSG20

Unified Threat Management/Content Security (high memory option required)
Option description: The SSG5 and SSG20 can be configured with any combination of the following best-in-class UTM and content security functionality: antivirus (includes antispyware, antiphishing), IPS (Deep Inspection), Web filtering and/or antispam.
Applicable products: High memory SSG5 or SSG20 only

I/O options
Option description: Two interface expansion slots supporting optional ADSL 2+, T1, E1, ISDN BRI S/T, Serial, SFP and v.92 Mini physical interface modules (Mini-PIMs).
Applicable products: SSG20 only

802.11 a/b/g connectivity
Option description: The SSG5 and SSG20 can be factory configured for 802.11 a/b/g wireless LAN connectivity.
Applicable products: SSG5 and SSG20

Extended license
Option description: Key capacities can be increased (sessions, VPN tunnels, VLANs) and stateful high availability (HA) support for firewall and VPN can be added.
Applicable products: SSG5 and SSG20

[Product photos: SSG5, SSG20, SSG5 Wireless, SSG20 Wireless]
Specifications (1)
Values apply to both SSG5 BASE/EXTENDED and SSG20 BASE/EXTENDED unless a model is named.
Maximum Performance and Capacity (2)
ScreenOS® version tested: ScreenOS 6.2
Firewall performance (large packets): 160 Mbps
Firewall performance (IMIX) (3): 90 Mbps
Firewall packets per second (64 byte): 30,000 PPS
Advanced Encryption Standard (AES) 256+SHA-1 VPN performance: 40 Mbps
3DES encryption+SHA-1 VPN performance: 40 Mbps
Maximum concurrent sessions: 8,000/16,000
New sessions/second: 2,800
Maximum security policies: 200
Maximum users supported: Unrestricted
Network Connectivity
Fixed I/O: SSG5: 7x10/100; SSG20: 5x10/100
Mini-Physical Interface Module (Mini-PIM) slots: SSG5: 0; SSG20: 2
WAN interface options: SSG5: factory configured RS232 Serial AUX or ISDN BRI S/T or V.92; SSG20: Mini-PIMs: 1xADSL 2+, 1xT1, 1xE1, V.92, ISDN BRI S/T, 1xSFP, 1xSerial
Firewall
Network attack detection: Yes
DoS and DDoS protection: Yes
TCP reassembly for fragmented packet protection: Yes
Brute force attack mitigation: Yes
SYN cookie protection: Yes
Zone-based IP spoofing: Yes
Malformed packet protection: Yes
Unified Threat Management (4)
IPS (Deep Inspection firewall): Yes
Protocol anomaly detection: Yes
Stateful protocol signatures: Yes
IPS/DI attack pattern obfuscation: Yes
Antivirus: Yes
Instant message AV: Yes
Signature database: 200,000+
Protocols scanned: POP3, HTTP, SMTP, IMAP, FTP, IM
Antispyware: Yes
Anti-adware: Yes
Anti-keylogger: Yes
Anti-spam: Yes
Integrated URL filtering: Yes
External URL filtering (5): Yes
VoIP Security
H.323 Application-level gateway (ALG): Yes
SIP ALG: Yes
MGCP ALG: Yes
SCCP ALG: Yes
Network Address Translation (NAT) for VoIP protocols: Yes
Specifications (continued)
Values apply to both SSG5 BASE/EXTENDED and SSG20 BASE/EXTENDED.
IPsec VPN
Auto-Connect VPN: Yes
Concurrent VPN tunnels: 25/40
Tunnel interfaces: 10
DES encryption (56-bit), 3DES encryption (168-bit) and Advanced Encryption Standard (AES) (256-bit): Yes
MD-5 and SHA-1 authentication: Yes
Manual key, Internet Key Exchange (IKE), IKEv2 with EAP public key infrastructure (PKI) (X.509): Yes
Perfect forward secrecy (DH Groups): 1, 2, 5
Prevent replay attack: Yes
Remote access VPN: Yes
Layer 2 Tunneling Protocol (L2TP) within IPsec: Yes
IPsec Network Address Translation (NAT) traversal: Yes
Redundant VPN gateways: Yes
User Authentication and Access Control
Built-in (internal) database - user limit: 100
Third-party user authentication: RADIUS, RSA SecurID, LDAP
RADIUS Accounting: Yes
XAUTH VPN authentication: Yes
Web-based authentication: Yes
802.1X authentication: Yes
Unified Access Control (UAC) enforcement point: Yes
PKI Support
PKI certificate requests (PKCS 7 and PKCS 10): Yes
Automated certificate enrollment (SCEP): Yes
Online Certificate Status Protocol (OCSP): Yes
Certificate Authorities supported: VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI
Self-signed certificates: Yes
Virtualization
Maximum number of security zones: 8
Maximum number of virtual routers: 3/4
Maximum number of VLANs: 10/50
Routing
BGP instances: 3/4
BGP peers: 10/16
BGP routes: 1,024
OSPF instances: 3
OSPF routes: 1,024
RIP v1/v2 instances: 16
RIP v2 routes: 1,024
Static routes: 1,024
Source-based routing: Yes
Policy-based routing: Yes
Equal-cost multipath (ECMP): Yes
Specifications (continued)
Row labels for this page follow by section; the SSG5 BASE/EXTENDED and SSG20 BASE/EXTENDED column values are listed after them in the order printed.
Routing (continued)
Multicast: Reverse Path Forwarding (RPF); Internet Group Management Protocol (IGMP) (v1, v2); IGMP Proxy; PIM single mode; PIM source-specific multicast; Multicast inside IPsec tunnel; ICMP Router Discovery Protocol (IRDP)
Encapsulations: Point-to-Point Protocol (PPP); Multilink Point-to-Point Protocol (MLPPP); Frame Relay; Multilink Frame Relay (MLFR) (FRF 15, FRF 16); HDLC
IPv6: Dual stack IPv4/IPv6 firewall and VPN; IPv4 to/from IPv6 translations and encapsulations; Syn-Cookie and Syn-Proxy DoS attack detection; SIP, RTSP, Sun-RPC and MS-RPC ALGs; RIPng; BGP; Transparent mode; NSRP; DHCPv6 Relay
Mode of Operation: Layer 2 (transparent) mode (6); Layer 3 (route and/or NAT) mode
Address Translation: Network Address Translation (NAT); Port Address Translation (PAT); Policy-based NAT/PAT (L2 and L3 mode); Mapped IP (MIP) (L3 mode); Virtual IP (VIP) (L3 mode); MIP/VIP Grouping (L3 mode); Dual untrust; Bridge groups*
IP Address Assignment: Static; DHCP, PPPoE client; Internal DHCP server; DHCP relay
Traffic Management Quality of Service (QoS): Guaranteed bandwidth; Maximum bandwidth; Ingress traffic policing; Priority-bandwidth utilization; Differentiated Services stamping
Column values as printed, SSG5 BASE/EXTENDED: Yes (15 entries), N/A, Yes (15 entries), 300, 4/5, Yes (3 entries), Yes - per policy (2 entries), Yes (2 entries), Yes - per policy; followed by Yes (20 entries), 300, 4/5, Yes (3 entries)
Column values as printed, SSG20 BASE/EXTENDED: Yes (12 entries), Yes - per policy (2 entries), Yes (2 entries), Yes - per policy
*Bridge groups supported only on uPIMs in ScreenOS 6.0 and greater releases
Specifications (continued)
Values apply to both SSG5 BASE/EXTENDED and SSG20 BASE/EXTENDED.
High Availability (HA) (7)
Active/Active - L3 mode: Yes
Active/Passive - Transparent & L3 mode: Yes
Configuration synchronization: Yes
Session synchronization for firewall and VPN: Yes
Session failover for routing change: Yes
VRRP: Yes
Device failure detection: Yes
Link failure detection: Yes
Authentication for new HA members: Yes
Encryption of HA traffic: Yes
System Management
WebUI (HTTP and HTTPS): Yes
Command line interface (console): Yes
Command line interface (telnet): Yes
Command line interface (SSH): Yes, v1.5 and v2.0 compatible
Network and Security Manager (NSM): Yes
All management via VPN tunnel on any interface: Yes
Rapid deployment: Yes
Administration
Local administrator database size: 20
External administrator database support: RADIUS, RSA SecurID, LDAP
Restricted administrative networks: 6
Root Admin, Admin and Read Only user levels: Yes
Software upgrades: TFTP, WebUI, NSM, SCP, USB
Configuration rollback: Yes
Logging/Monitoring
Syslog (multiple servers): Yes - up to 4 servers
Email (two addresses): Yes
NetIQ WebTrends: Yes
SNMP (v2): Yes
SNMP full custom MIB: Yes
Traceroute: Yes
VPN tunnel monitor: Yes
External Flash: USB 1.1
Additional log storage: Yes
Event logs and alarms: Yes
System configuration script: Yes
ScreenOS Software: Yes
Values apply to both SSG5 BASE/EXTENDED and SSG20 BASE/EXTENDED unless a model is named.
Dimensions and Power
Dimensions (W x H x D): SSG5: 8.8 x 1.6 x 5.6 in (22.2 x 4.1 x 14.3 cm); SSG20: 11.6 x 1.8 x 7.4 in (29.5 x 4.5 x 18.7 cm)
Weight: SSG5: 2.1 lb (0.95 kg); SSG20: 3.3 lb (1.5 kg)
Rack mountable: Yes
Power supply (AC): 100-240 VAC
Maximum thermal output: 122.8 BTU/Hour
Certifications
Safety certifications: CSA, CB
EMC certifications: FCC class B, CE class B, A-Tick, VCCI class B
Mean Time Between Failures (MTBF)
Non-wireless: SSG5: 40.5 years; SSG20: 35.8 years
Wireless: SSG5: 22.8 years; SSG20: 28.9 years
Security Certifications
Common Criteria: EAL4: Yes
FIPS 140-2: Level 2: Yes
ICSA Firewall and VPN: Yes
Operating Environment
Operating temperature: 32° to 104° F (0° to 40° C)
Non-operating temperature: -4° to 149° F (-20° to 65° C)
Humidity: 10% to 90% noncondensing
Wireless Radio Specifications (Wireless Models Only)
Transmit power: Up to 200 mW
Wireless standards supported: Dual Radio 802.11a + 802.11b/g
Site survey: Yes
Maximum configured SSIDs: 16
Maximum active SSIDs: 4
Atheros SuperG: Yes
Atheros eXtended Range (XR): Yes
Wi-Fi Certified®: Yes
Wireless Security (Wireless Models Only)
Wireless privacy: WPA, WPA2 (AES or TKIP), IPsec VPN, WEP
Wireless authentication: PSK, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1x
MAC access controls: Permit or Deny
Client isolation: Yes
Antenna Option (Wireless Models Only)
Diversity antenna: Included
Directional antenna: Optional
Omni-directional antenna: Optional
(1) Some features and functionality only supported in releases greater than ScreenOS 5.4.
(2) Performance, capacity and features listed are based upon systems running ScreenOS 6.2 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and deployment. For a complete list of supported ScreenOS versions for SSG Series gateways, please visit the Juniper Customer Support Center (www.juniper.net/customers/support/) and click on ScreenOS Software Downloads.
(3) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer's network. The IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.
(4) UTM Security features (IPS/Deep Inspection, antivirus, antispam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM Security features.
(5) Redirect Web filtering sends traffic from the firewall to a secondary server. The redirect feature is free, however it does require the purchase of a separate Web filtering license from either Websense or SurfControl.
(6) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, active/active HA and IP address assignment are not available in layer 2 transparent mode.
(7) Active/passive and active/active HA requires the purchase of an Extended License. In addition to the HA features, an Extended License key increases a subset of the capacities as outlined below. Active/active HA is only supported in ScreenOS 6.0 or greater releases.
IPS (Deep Inspection firewall) Signature Packs
Signature packs provide the ability to tailor the attack protection to the specific deployment and/or attack type. The following signature packs are available for the SSG5 and SSG20:

Base
Target deployment: Branch offices, small/medium businesses
Defense type: Client/server and worm protection
Type of attack object: Range of signatures and protocol anomalies

Client
Target deployment: Remote/branch offices
Defense type: Perimeter defense, compliance for hosts (desktops, etc.)
Type of attack object: Attacks in the server-to-client direction

Server
Target deployment: Small/medium businesses
Defense type: Perimeter defense, compliance for server infrastructure
Type of attack object: Attacks in the client-to-server direction

Worm mitigation
Target deployment: Remote/branch offices of large enterprises
Defense type: Most comprehensive defense against worm attacks
Type of attack object: Worms, trojans, backdoor attacks

Firewall Extended Licenses (SSG20 and SSG5)
Sessions: Increases max from 8,000 to 16,000
VPN tunnels: Increases max from 25 to 40
VLANs: Increases max from 10 to 50
VoIP calls: Increases max from 64 to 96
High availability: Adds support for stateful active/active or active/passive with ScreenOS 6.0 and above
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains and faster rollouts of new business models and ventures. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services/.
Ordering Information (model number: description)

SSG5
SSG-5-SB: SSG5 with 128 MB Memory, RS232 Serial backup interface
SSG-5-SB-BT: SSG5 with 128 MB Memory, ISDN BRI S/T backup interface
SSG-5-SB-M: SSG5 with 128 MB Memory, v.92 backup interface
SSG-5-SB-W-xx: SSG5 with 128 MB Memory, RS232 Serial backup interface, 802.11a/b/g Wireless
SSG-5-SB-BTW-xx: SSG5 with 128 MB Memory, ISDN BRI S/T backup interface, 802.11a/b/g Wireless
SSG-5-SB-MW-xx: SSG5 with 128 MB Memory, v.92 backup interface, 802.11a/b/g Wireless
SSG-5-SH: SSG5 with 256 MB Memory, RS232 Serial backup interface
SSG-5-SH-BT: SSG5 with 256 MB Memory, ISDN BRI S/T backup interface
SSG-5-SH-M: SSG5 with 256 MB Memory, v.92 backup interface
SSG-5-SH-W-xx: SSG5 with 256 MB Memory, RS232 Serial backup interface, 802.11a/b/g Wireless
SSG-5-SH-BTW-xx: SSG5 with 256 MB Memory, ISDN BRI S/T backup interface, 802.11a/b/g Wireless
SSG-5-SH-MW-xx: SSG5 with 256 MB Memory, v.92 backup interface, 802.11a/b/g Wireless

SSG20
SSG-20-SB: SSG20 with 128 MB Memory, 2-port Mini-PIM slots
SSG-20-SB-W-xx: SSG20 with 128 MB Memory, 2-port Mini-PIM slots, 802.11a/b/g Wireless
SSG-20-SH: SSG20 with 256 MB Memory, 2-port Mini-PIM slots
SSG-20-SH-W-xx: SSG20 with 256 MB Memory, 2-port Mini-PIM slots, 802.11a/b/g Wireless

SSG20 I/O Options
JXM-1SERIAL-S: 1-port Serial Mini Physical Interface Module*
JXM-1SFP-S: 1-port SFP Mini Physical Interface Module**
JXM-1T1-S: 1-port T1 Mini Physical Interface Module
JXM-1E1-S: 1-port E1 Mini Physical Interface Module
JXM-1ADSL2-A-S: 1-port ADSL2+ Annex A Mini Physical Interface Module
JXM-1ADSL2-B-S: 1-port ADSL2+ Annex B Mini Physical Interface Module
JXM-1V92-S: 1-port v.92 Mini Physical Interface Module
JXM-1BRI-ST-S: 1-port ISDN S/T BRI Mini Physical Interface Module
JX-SFP-1GE-LX: Small Form Factor Pluggable 1000BASE-LX Gigabit Ethernet Optical Transceiver Module
JX-SFP-1GE-SX: Small Form Factor Pluggable 1000BASE-SX Gigabit Ethernet Optical Transceiver Module
JX-SFP-1GE-T: Small Form Factor Pluggable 1000BASE-T Gigabit Ethernet Copper Transceiver Module
JX-SFP-1FE-FX: Small Form Factor Pluggable 100BASE-FX Fast Ethernet Optical Transceiver Module

SSG5 / SSG20 Accessories and Upgrades
SSG-5-ELU: Extended license upgrade key for SSG5
SSG-20-ELU: Extended license upgrade key for SSG20
SSG-5-20-MEM-256: SSG5 and SSG20 256 MB memory upgrade module
SSG-5-RMK: SSG5 rack mount kit - holds 2 units
SSG-20-RMK: SSG20 rack mount kit
SSG-ANT: SSG Series wireless replacement antenna
SSG-ANT-DIR: SSG5 and SSG20 dual band directional antenna
SSG-ANT-OMNI: SSG5 and SSG20 dual band omni-directional antenna
SSG-CBL-ANT-10M: 10 meters (30 feet) low loss cable for SSG-ANT-XXX

Unified Threat Management/Content Security (High Memory Option Required)
Antivirus (incl. antispyware, antiphishing): NS-K-AVS-SSG5, NS-K-AVS-SSG20
IPS (Deep Inspection): NS-DI-SSG5, NS-DI-SSG20
Web Filtering: NS-WF-SSG5, NS-WF-SSG20
Anti-spam: NS-SPAM2-SSG5, NS-SPAM2-SSG20
Remote Office Bundle (Includes AV, DI, WF): NS-RBO-CS-SSG5, NS-RBO-CS-SSG20
Main Office Bundle (Includes AV, DI, WF, AS): NS-SMB2-CS-SSG5, NS-SMB2-CS-SSG20
• Note: The appropriate power cord is included based upon the sales order "Ship To" destination.
• Note: XX denotes region code for wireless devices. Not all countries are supported. Please see the Wireless Country Compliance Matrix for certified countries.
• Note: For renewal of Content Security Subscriptions, add "-R" to above SKUs.
• Note: For 2 year Content Security Subscriptions, add "-2" to above SKUs.
• Note: For 3 year Content Security Subscriptions, add "-3" to above SKUs.
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses.
Additional information can be found at www.juniper.net.
* The Serial Mini-PIM is only supported in ScreenOS 6.0 or greater releases
** The SFP Mini-PIM is only supported in ScreenOS 6.0 or greater releases
Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net
APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King's Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803
EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601
Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
1000176-005-EN Dec 2009
To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.
Printed on recycled paper
DATASHEET
SA SERIES SSL VPN APPLIANCES
SA2500, SA4500, SA6500
Product Overview
The Juniper Networks SA2500, SA4500, and SA6500 SSL VPN Appliances meet the needs of companies of all sizes. With the SA6500, Juniper continues to demonstrate its SSL VPN market leadership by delivering a highly scalable solution based on real-world performance testing. Juniper Networks SA Series SSL VPN Appliances lead the SSL VPN market with a complete range of remote access appliances. The SA Series now includes Junos Pulse, which provides a simple, intuitive client that provides secure, authenticated access for remote users from any Web-enabled device to corporate resources. The SA Series combines the security of SSL with standards-based access controls, granular policy creation, and unparalleled flexibility. The result provides ubiquitous security for all enterprise tasks with options for increasingly stringent levels of access control to protect the most sensitive applications and data. Juniper Networks SA Series SSL VPN Appliances deliver lower total cost of ownership over traditional IPsec client solutions and unique end-to-end security features.
Product Description
The Juniper Networks® SA2500, SA4500, and SA6500 SSL VPN Appliances meet the needs of companies of all sizes. With the SA6500, Juniper continues to demonstrate its SSL VPN market leadership by delivering a highly scalable solution based on real-world performance testing. SA Series SSL VPN Appliances use SSL, the security protocol found in all standard Web browsers. The use of SSL eliminates the need for pre-installed client software, changes to internal servers, and costly ongoing maintenance and desktop support. Juniper Networks SA Series also offers sophisticated partner/customer extranet features that enable controlled access for differentiated users and groups without requiring infrastructure changes, demilitarized zone (DMZ) deployments, or software agents.
The SA Series now includes Juniper Networks Junos® Pulse, a dynamic, integrated, multiservice network client for mobile and non-mobile devices. Junos Pulse enables optimized, accelerated anytime, anywhere access to corporate data. Pulse enables secure SSL access from a wide range of mobile and non-mobile devices, including smartphones, netbooks, notebooks, and Wi-Fi or 3G-enabled devices. Junos Pulse delivers enterprises improved productivity and secure, ubiquitous access to corporate data and applications, anytime, anywhere. For more details on Junos Pulse, please visit www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/.
Architecture and Key Components
The SA2500 SSL VPN Appliance enables small- to medium-size businesses (SMBs) to deploy cost-effective remote and extranet access, as well as intranet security. Users can access the corporate network and applications from any machine over the Web. The SA2500 offers high availability (HA) with seamless user failover. And because the SA2500 runs the exact same software as the larger SA4500 and SA6500, even smaller organizations gain the same high-performance, administrative flexibility, and end user experience.
The SA4500 SSL VPN Appliance enables mid-to-large size organizations to provide cost-effective extranet access to remote employees and partners using only a Web browser. The SA4500 features rich access privilege management functionality that can be used to create secure customer/partner extranets. This functionality also allows the enterprise to secure access to the corporate intranet, so that different employee and visitor populations can use exactly the resources they need while adhering to enterprise security policies. Built-in compression for all traffic types speeds performance, and hardware-based SSL acceleration is available for more demanding environments. The SA4500 also offers HA with seamless user failover.
The SA6500 SSL VPN Appliance is purpose-built for large enterprises and service providers. It features best-in-class performance, scalability, and redundancy for organizations with high-volume secure access and authorization requirements. Additionally, the SA6500 offers HA with seamless user failover. The SA6500 also features built-in compression for Web and files, and a state-of-the-art SSL acceleration chipset to speed CPU-intensive encrypt/decrypt processing.
Because each of the SA Series SSL VPN Appliances runs the same software, there is no need to compromise user or administrator experience based on which one you choose. All devices offer leading performance, stability, and scalability. Therefore, deciding which device best fits the needs of your organization comes down to matching the required number of concurrent users, and perhaps system redundancy and large-scale acceleration options, to the needs of your growing remote access user population.
• SA2500: Supports SMBs as a cost-effective solution that can easily handle up to 100 concurrent users on a single system or two-unit cluster.
• SA4500: Enables mid-to-large size organizations to grow to as many as 1,000 concurrent users on a single system and offers the option to upgrade to hardware-based SSL acceleration for those that demand the most performance available under heavy load.
• SA6500: Purpose-built for large enterprises and service providers, the SA6500 features best-in-class performance, scalability, and redundancy for organizations with high volume secure access and authorization requirements, with support for as many as 10,000 concurrent users on a single system or tens of thousands of concurrent users across a four-unit cluster.
SA6500 Standard Features
• Dual, mirrored hot-swappable Serial Advanced Technology Attachment (SATA) hard drives
• Dual, hot-swappable fans
• Hot-swappable power supply
• 4 GB SDRAM
• 4-port copper 10/100/1000 interface card
• 1-port copper 10/100/1000 management interface
• Hardware-based SSL acceleration module
SA6500 Optional Features
• Second power supply or DC power supply available
• 4-port small form-factor pluggable (SFP) interface card
Features and Benefits
Junos Pulse
Junos Pulse is an integrated, multi-service network client enabling anytime, anywhere connectivity, security, and acceleration with a simplified user experience that requires minimal user interaction. Junos Pulse makes secure network and cloud access easy through virtually any device (mobile or non-mobile, Wi-Fi or 3G-enabled, managed or unmanaged) over a broad array of computing and mobile operating systems. The following list gives the key features and benefits of Junos Pulse working with the SA Series appliances.

Layer 3 SSL VPN (Network Connect)
  • Layer 3 VPN connectivity with granular access control
  • SSL mode only; no ESP (Encapsulating Security Payload) mode
Location awareness
  • Seamless roaming from remote access (to Juniper SA Series) to local LAN access (via Juniper UAC)
  • Junos Pulse can be pre-configured by admins to automatically prompt end users for credentials to authenticate to the SA Series when they are remote
Endpoint security
  • Full Host Checker capability to check endpoint security
  • Enhanced Endpoint Security delivers on-the-fly malware protection, pre-connection scanning policies, and real-time protection supported by both the SA Series and UAC
Split tunneling options (enable or disable, without route monitoring)
  • Key split tunneling options of Network Connect supported
  • Enforces secure, granular access control
Flexible launch options (standalone client, browser-based launch)
  • Users can easily launch Junos Pulse via the web from the SA Series landing page
  • Remote users can simply launch Junos Pulse from their desktop
Pre-configuration options (pre-configured installer contains a list of SA Series appliances)
  • Admins can pre-configure a Junos Pulse deployment with a list of corporate SA Series appliances for end users to choose from
Connectivity options (max/idle session timeouts, automatic reconnect, logging)
  • Admins can set up flexible connectivity options for remote users
For more details on Junos Pulse, please visit www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/.
High Scalability Support on the SA6500 SSL VPN Appliance
The SA6500 is designed to meet the growing needs of large enterprises and service providers with its ability to support thousands of users accessing the network remotely. The following list shows the number of concurrent users that can be supported on the SA6500 platform:
• Single SA6500: Supports up to 10,000 concurrent users
• Two-unit cluster of SA6500s: Supports up to 18,000 concurrent users
• Three-unit cluster of SA6500s: Supports up to 26,000 concurrent users
• Four-unit cluster of SA6500s: Supports up to 30,000 concurrent users
All performance testing is done based on real-world scenarios with simulation of traffic based on observed customer networks.
End-to-End Layered Security
The SA2500, SA4500, and SA6500 provide complete end-to-end layered security, including endpoint client, device, data, and server layered security controls.
Table 1: End-to-End Layered Security Features and Benefits

Antimalware support with Enhanced Endpoint Security
  Description: Dynamically downloads Webroot's market-leading antimalware software to enforce endpoint security on devices used for network access that may not be corporate-assigned computers.
  Benefit: Protects endpoints from malware infection in real time and thereby protects corporate resources from harm during network access. Enables dynamic enforcement of antimalware protection on unmanaged assets, such as the PCs of external partners, customers, or suppliers.

SMS auto-remediation
  Description: Automatically remediates non-compliant endpoints by updating software applications that do not comply with corporate security policies. Dynamically initiates an update of these software applications on the endpoint using Microsoft's SMS protocol.
  Benefit: Improves the productivity of remote users, who gain immediate access to the corporate network without having to wait for periodic updates of software applications, and ensures compliance with corporate security policies.

Host Checker
  Description: Client computers can be checked both prior to and during a session to verify an acceptable device security posture, requiring installed/running endpoint security applications (antivirus, firewall, other). Also supports custom-built checks, including verifying ports opened/closed, checking files/processes and validating their authenticity with Message Digest 5 (MD5) hash checksums, verifying registry settings, machine certificates, and more. Includes a cache cleaner that erases all proxy downloads and temp files at logout.
  Benefit: Verifies that the endpoint device meets corporate security policy requirements before granting access, remediating devices and quarantining users when necessary. Also ensures that no potentially sensitive data is left behind on the endpoint device.

Host Checker API
  Description: Created in partnership with best-in-class endpoint security vendors. Enables enterprises to enforce an endpoint trust policy for managed PCs that have personal firewall, antivirus clients, or other installed security clients, and to quarantine non-compliant devices.
  Benefit: Enables customers to leverage existing investments in endpoint security solutions from third-party vendors.

Trusted Network Connect (TNC) support on Host Checker
  Description: Allows interoperability with diverse endpoint security solutions, from antivirus to patch management to compliance management solutions.
  Benefit: Allows the enterprise to establish the trustworthiness of non-API-compliant hosts without writing custom API implementations or locking out external users, such as customers or partners that run other security clients.

Policy-based enforcement
  Description: Uses current security policies with remote users and devices; easier management.
  Benefit: Enables access for extranet endpoint devices, such as PCs from partners that may run different security clients than the enterprise does.

Hardened security appliance
  Description: Designed on a purpose-built operating system.
  Benefit: Not designed to run any additional services and is thus less susceptible to attacks; no backdoors to exploit or hack.

Security services with kernel-level packet filtering and safe routing
  Description: Undesirable traffic is dropped before it is processed by the TCP stack.
  Benefit: Ensures that unauthenticated connection attempts, such as malformed packets or denial of service (DoS) attacks, are filtered out.

Secure virtual workspace
  Description: A secure and separate environment for remote sessions that encrypts all data and controls I/O access (printers, drives).
  Benefit: Ensures that all corporate data is securely deleted from unsecured kiosks after a session.

Coordinated threat control
  Description: Enables SA Series SSL VPN Appliances and Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to tie the session identity of the SSL VPN to the threat detection capabilities of the IDP Series, taking automatic action on users launching attacks.
  Benefit: Effectively identifies, stops, and remediates both network-level and application-level threats within remote access traffic.
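The coordinated threat control row describes one step worth seeing concretely: an IDP alert carries only a source IP, and the gateway has to map that IP back to the SSL VPN session (and user) that owned it when the alert fired. The Python below is an added illustration of that correlation, not Juniper code; the log line formats, field names, tunnel IP range and the severity-to-action policy are constructed for the example. What it adds beyond the table is the edge case that matters in practice: tunnel IPs are reused, so the join must be on IP and session time window together, or a later user gets blamed for an earlier user's attack.

```python
"""Correlate IDP attack alerts with SSL VPN sessions to attribute an attack to a user.

Added illustration of the coordinated-threat-control idea; not Juniper code. The log
formats, field names and response policy are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

_KV = re.compile(r"(\w+)=(\S+)")

# Severity -> response applied to the offending session (constructed policy).
RESPONSE_BY_SEVERITY = {"high": "terminate-session", "medium": "quarantine-role", "low": "log-only"}


@dataclass
class Session:
    sid: str
    user: str
    tunnel_ip: str
    start: datetime
    end: Optional[datetime] = None  # None while the session is still open

    def covers(self, ip: str, ts: datetime) -> bool:
        """True if this session owned `ip` at time `ts` (IP match alone is not enough)."""
        return self.tunnel_ip == ip and self.start <= ts and (self.end is None or ts <= self.end)


def parse_line(line: str) -> Dict[str, object]:
    """Parse 'TIMESTAMP key=value ...' (constructed format) into a dict with a 'ts' datetime."""
    ts_text, rest = line.strip().split(" ", 1)
    fields: Dict[str, object] = dict(_KV.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return fields


def build_sessions(vpn_log: List[str]) -> List[Session]:
    """Replay session start/end events from the VPN log into Session records."""
    by_sid: Dict[str, Session] = {}
    for ev in map(parse_line, vpn_log):
        if ev["session"] == "start":
            by_sid[ev["sid"]] = Session(ev["sid"], ev["user"], ev["tunnel_ip"], ev["ts"])
        elif ev["session"] == "end" and ev["sid"] in by_sid:
            by_sid[ev["sid"]].end = ev["ts"]
    return list(by_sid.values())


def attribute_alerts(vpn_log: List[str], idp_log: List[str]) -> List[Dict[str, Optional[str]]]:
    """For each IDP alert, find the VPN session that owned the source IP at that moment
    and pick the response; alerts with no owning session are reported as unattributed."""
    sessions = build_sessions(vpn_log)
    results: List[Dict[str, Optional[str]]] = []
    for alert in map(parse_line, idp_log):
        owner = next((s for s in sessions if s.covers(alert["src"], alert["ts"])), None)
        results.append({
            "attack": alert["attack"],
            "src": alert["src"],
            "user": owner.user if owner else None,
            "sid": owner.sid if owner else None,
            "action": RESPONSE_BY_SEVERITY.get(alert["severity"], "log-only") if owner else "unattributed",
        })
    return results


# Constructed sample logs: tunnel IP 10.200.0.7 is handed to alice, released, then reused by bob.
VPN_LOG = [
    "2009-12-01T08:00:00Z session=start user=alice src=203.0.113.5 tunnel_ip=10.200.0.7 sid=s1",
    "2009-12-01T08:45:00Z session=end user=alice tunnel_ip=10.200.0.7 sid=s1",
    "2009-12-01T09:00:00Z session=start user=bob src=198.51.100.9 tunnel_ip=10.200.0.7 sid=s2",
]
IDP_LOG = [
    "2009-12-01T08:30:00Z attack=HTTP:SQL-INJECTION src=10.200.0.7 dst=10.1.1.20 severity=high",
    "2009-12-01T09:15:00Z attack=SCAN:TCP-PORT-SWEEP src=10.200.0.7 dst=10.1.1.0 severity=medium",
    "2009-12-01T10:00:00Z attack=HTTP:DIR-TRAVERSAL src=10.200.0.9 dst=10.1.1.20 severity=high",
]

if __name__ == "__main__":
    for r in attribute_alerts(VPN_LOG, IDP_LOG):
        print(r)
```

Run as-is to see the three alerts resolved: the first to alice's session s1, the second to bob's session s2 (same tunnel IP, later window), and the third left unattributed because no session owned 10.200.0.9. The same time-window rule applies to any NAT or DHCP pool, not only VPN tunnel addresses.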
Ease of Administration
In addition to enterprise-class security benefits, the SA2500, SA4500, and SA6500 have a wealth of features that make them easy for the administrator to deploy and manage.
Table 2: Ease of Administration Features and Benefits

Bridge CA (Certificate Authority) support
  Description: Enables the SA Series to support federated PKI deployments with client certificate authentication. Bridge CA is a PKI extension (as specified in RFC 5280) to cross-certify client certificates that are issued by different trust anchors (root CAs). Also enables the customer to configure policy extensions in the SA Series admin UI to enforce during certificate validation. These policy extensions can be configured as per RFC 5280 guidelines.
  Benefit: Enables customers who use advanced PKI deployments to deploy the SA Series to perform strict, standards-compliant certificate validation before allowing data and applications to be shared between organizations and users.

Based on industry standard protocols and security methods
  Description: No installation or deployment of proprietary protocols is required.
  Benefit: SA Series investment can be leveraged across many applications and resources over time.

Extensive directory integration and broad interoperability
  Description: Existing directories in customer networks can be leveraged for authentication and authorization, enabling granular secure access without recreating those policies.
  Benefit: Existing directory investments can be leveraged with no infrastructure changes; no APIs are needed for directory integration, as they are all native/built in.

Integration with strong authentication and identity and access management platforms
  Description: Ability to support SecurID, Security Assertion Markup Language (SAML), and public key infrastructure (PKI)/digital certificates.
  Benefit: Leverages existing corporate authentication methods to simplify administration.

Multiple hostname support
  Description: Ability to host different virtual extranet websites from a single SA Series SSL VPN Appliance.
  Benefit: Saves the cost of incremental servers, eases management overhead, and provides a transparent user experience with differentiated entry URLs.

Customizable user interface
  Description: Creation of completely customized sign-on pages.
  Benefit: Provides an individualized look for specified roles, streamlining the user experience.

Juniper Networks Network and Security Manager (NSM)
  Description: Intuitive centralized UI for configuring, updating, and monitoring SA Series appliances within a single device/cluster or across a global cluster deployment.
  Benefit: Enables companies to conveniently manage, configure, and maintain SA Series appliances and other Juniper devices from one central location.

In Case of Emergency (ICE)
  Description: Provides licenses for a large number of additional users on an SA Series SSL VPN Appliance for a limited time when a disaster or epidemic occurs.
  Benefit: Enables a company to continue business operations by maintaining productivity, sustaining partnerships, and delivering continued services to customers when the unexpected happens.

Cross-platform support
  Description: Ability for any platform to gain access to resources, including Windows, Mac, Linux, and various mobile devices such as iPhone, Windows Mobile, Symbian, and Android.
  Benefit: Provides flexibility in allowing users to access corporate resources from any type of device using any type of operating system.
Rich Access Privilege Management Capabilities
The SA2500, SA4500, and SA6500 provide dynamic access privilege management capabilities without infrastructure changes, custom development, or software deployment/maintenance. This facilitates the easy deployment and maintenance of secure remote access, as well as secure extranets and intranets. When users log into the SA Series SSL VPN Appliance, they pass through a pre-authentication assessment, and are then dynamically mapped to the session role that combines established network, device, identity, and session policy settings. Granular resource authorization policies further ensure exact compliance to security restrictions.
Table 3: Access Privilege Management Features and Benefits

UAC-SA federation
  Description: Seamlessly provisions SA Series user sessions into Juniper Networks Unified Access Control upon login, or the reverse (provisioning of UAC sessions into the SA Series). Users need to authenticate only once to get access in these environments.
  Benefit: Provides users, whether remote or local, seamless access with a single login to corporate resources that are protected by access control policies from UAC or the SA Series. Simplifies the end user experience.

Certificate authentication to backend servers
  Description: Enables customers to enforce client authentication on their secure backend servers and allows the SA Series to present an admin-configured certificate to these servers for authentication.
  Benefit: Allows customers to mandate strict SSL policies on their backend servers by configuring client authentication.

Client certificate authentication for ActiveSync
  Description: Any mobile device supporting ActiveSync along with client-side certificates can be challenged by the SA Series for a valid client certificate before being allowed access to the ActiveSync server.
  Benefit: Enables the administrator to enforce strict mobile authentication policies for ActiveSync access from mobile devices.

Multiple sessions per user
  Description: Allows remote users to launch multiple sessions to the SA Series appliance.
  Benefit: Enables remote users to have multiple authenticated sessions open at the same time.

User-record synchronization
  Description: Supports synchronization of user records, such as user bookmarks, across different non-clustered SA Series appliances.
  Benefit: Ensures ease of experience for users who often travel from one region to another and therefore need to connect to different SA Series appliances.

VDI (Virtual Desktop Infrastructure) support
  Description: Allows interoperability with VMware View Manager and Citrix XenDesktop to enable administrators to deploy virtual desktops with the SA Series appliances.
  Benefit: Provides seamless access for remote users to their virtual desktops hosted on VMware or Citrix servers. Provides dynamic delivery of the Citrix ICA client or the VMware View client, including dynamic client fallback options to allow users to easily connect to their virtual desktops.

ActiveSync feature
  Description: Provides secure access connectivity from mobile devices (such as Symbian, Windows Mobile, or iPhone) to the Exchange server with no client software installation. Enables up to 5,000 simultaneous sessions on the SA6500.
  Benefit: Enables customers to allow a large number of users, including employees, contractors, and partners, to access corporate resources through mobile phones via ActiveSync.

Dynamic role mapping with custom expressions
  Description: Combines network, device, and session attributes to determine which types of access are allowed. A dynamic combination of attributes on a per-session basis can be used to make the role mapping decision.
  Benefit: Enables the administrator to provision by purpose for each unique session.

Resource authorization
  Description: Provides extremely granular access control to the URL, server, or file level for different roles of users.
  Benefit: Allows administrators to tailor security policies to specific groups, providing access only to essential data.

Granular auditing and logging
  Description: Can be configured to the per-user, per-resource, per-event level for security purposes as well as capacity planning.
  Benefit: Provides fine-grained auditing and logging capabilities in a clear, easy-to-understand format.
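The flow described above (pre-authentication assessment, dynamic mapping to a session role from identity, device and network attributes, then per-resource authorization) is easier to reason about as code. The Python below is an added illustration of that model, not Juniper code and not the SA Series policy language; the attribute names, rule set, role names and resource patterns are constructed for the example. It shows the two properties a practitioner should check in any such policy: a session that matches no rule lands in a quarantine role rather than in no role, and a resource that no held role explicitly allows is denied.

```python
"""Per-session role mapping and resource authorization (the model sketched in Table 3).

Added illustration, not Juniper code: attribute names, rules, role names and resource
patterns are constructed for the example. Roles are derived at sign-in from identity
(directory groups), device posture (Host Checker results, machine certificate) and
authentication method; each role carries an allow-list of URL, file-share and
server:port patterns, and anything no role allows is denied.
"""
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Set, Tuple

Session = Dict[str, object]  # attributes gathered when the user signs in (constructed schema)


def posture_ok(s: Session) -> bool:
    """Host Checker passed every required check: AV running, firewall on, disk encrypted."""
    hc = s.get("host_checker") or {}
    return all(hc.get(k) for k in ("antivirus", "firewall", "disk_encryption"))


def trusted_device(s: Session) -> bool:
    """Managed device: clean posture plus a machine certificate."""
    return posture_ok(s) and bool(s.get("machine_cert"))


# Role-mapping rules: (role, predicate over the session). Every matching rule adds its role.
RULES: List[Tuple[str, Callable[[Session], bool]]] = [
    ("Employee-Full",       lambda s: "employees" in s["groups"] and trusted_device(s)),
    ("Employee-Restricted", lambda s: "employees" in s["groups"] and not trusted_device(s)),
    ("Partner-Extranet",    lambda s: "partners" in s["groups"]),
    ("Admin",               lambda s: "netops" in s["groups"] and s.get("auth") == "securid"
                                      and trusted_device(s)),
]
QUARANTINE = "Quarantine"  # assigned when no rule matches: remediation portal only

# Resource authorization policy per role; glob patterns, deny by default.
RESOURCES: Dict[str, List[str]] = {
    "Employee-Full":       ["https://intranet.example.com/*", "smb://files.example.com/*",
                            "tcp://*.example.com:3389"],
    "Employee-Restricted": ["https://mail.example.com/owa/*"],
    "Partner-Extranet":    ["https://extranet.example.com/partners/*",
                            "smb://files.example.com/partner-share/*"],
    "Admin":               ["tcp://*.example.com:22", "https://intranet.example.com/*"],
    QUARANTINE:            ["https://remediation.example.com/*"],
}


def map_roles(s: Session) -> Set[str]:
    """Evaluate every rule against the session; fall back to Quarantine if none fires."""
    roles = {role for role, pred in RULES if pred(s)}
    return roles or {QUARANTINE}


def authorize(roles: Set[str], resource: str) -> bool:
    """Allow only if some held role's allow-list matches the requested resource."""
    return any(fnmatchcase(resource, pat) for r in roles for pat in RESOURCES.get(r, ()))


# Constructed sample sign-ins.
GOOD_POSTURE = {"antivirus": True, "firewall": True, "disk_encryption": True}
SESSIONS: Dict[str, Session] = {
    "alice": {"groups": ["employees"], "auth": "password", "network": "internet",
              "machine_cert": True, "host_checker": GOOD_POSTURE},
    "bob":   {"groups": ["employees"], "auth": "password", "network": "internet",
              "machine_cert": True, "host_checker": {**GOOD_POSTURE, "firewall": False}},
    "carol": {"groups": ["partners"], "auth": "password", "network": "internet"},
    "dave":  {"groups": ["contractors"], "auth": "password", "network": "internet"},
}

if __name__ == "__main__":
    for user, sess in SESSIONS.items():
        roles = map_roles(sess)
        print(user, sorted(roles), authorize(roles, "https://intranet.example.com/hr/payroll"))
```

Two cautions carried over from the table: Host Checker re-evaluates posture during the session, so map_roles has to be re-run when posture changes (bob should lose Employee-Restricted and gain Employee-Full only after his firewall is back on), and glob patterns match across "/" and ":", so every pattern must be anchored on a full scheme-and-host prefix as above rather than on a bare wildcard.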
Flexible Single Sign-On (SSO) Capabilities
The SA2500, SA4500, and SA6500 offer comprehensive single sign-on features. These features increase end user productivity, greatly simplify administration of large diverse user resources, and significantly reduce the number of help desk calls.
Table 4: Flexible Single Sign-On Features and Benefits

Kerberos Constrained Delegation
  Description: Support for the Kerberos Constrained Delegation protocol. When a user logs into the SA Series with a credential that cannot be proxied through to the backend server, the SA Series appliance retrieves a Kerberos ticket on behalf of the user from the Active Directory infrastructure. The ticket is cached on the SA Series appliance throughout the session. When the user accesses Kerberos-protected applications, the SA Series uses the cached Kerberos credentials to log the user into the application without prompting for a password.
  Benefit: Eliminates the need for companies to manage static passwords, resulting in reduced administration time and costs.

Kerberos SSO and NTLMv2 support
  Description: The SA Series automatically authenticates remote users via Kerberos or NTLMv2 using the user's credentials.
  Benefit: Simplifies the user experience by avoiding having users enter credentials multiple times to access different applications.

Password management integration
  Description: Standards-based interface for extensive integration with password policies in directory stores (LDAP, Microsoft Active Directory, NT, and others).
  Benefit: Leverages existing servers to authenticate users; users can manage their passwords directly through the SA Series interface.

Web-based Single Sign-On (SSO): basic authentication and NT LAN Manager (NTLM)
  Description: Allows users to access other applications or resources that are protected by another access management system without re-entering login credentials.
  Benefit: Alleviates the need for end users to enter and maintain multiple sets of credentials for web-based and Microsoft applications.

Web-based SSO: forms-based, header variable-based, SAML-based
  Description: Ability to pass user name, credentials, and other customer-defined attributes to the authentication forms of other products and as header variables.
  Benefit: Enhances user productivity and provides a customized experience.
Provision by Purpose
The SA2500, SA4500, and SA6500 offer a range of access methods, listed in Table 5. The method is selected as part of the user's role, so the administrator can enable the appropriate access on a per-session basis, taking into account user, device, and network attributes in combination with enterprise security policies.
Table 5: Provisioning Features and Benefits

IPsec/IKEv2 support for mobile devices
  Description: Allows remote users to connect from devices such as PDAs, mobile devices, and smartphones that support IKEv2 VPN connectivity. The administrator can also enable strict certificate authentication for access via IPsec/IKEv2.
  Benefit: Extends Juniper's leading mobility and access control features of the SA Series to a broad range of devices and OS platforms that support IKEv2 VPN connectivity. Enables remote users to securely authenticate to the SA Series appliance from platforms that support IKEv2 VPN connectivity.

Clientless core Web access
  Description: Access to web-based applications, including complex JavaScript, XML, or Flash-based apps and Java applets that require a socket connection, as well as standards-based email like Outlook Web Access (OWA), Windows and UNIX file shares, telnet/SSH hosted applications, terminal emulation, SharePoint, and others.
  Benefit: Provides the most easily accessible form of application and resource access from a variety of end user machines, including handheld devices; enables extremely granular security control options; completely clientless approach using only a Web browser.

Secure Application Manager (SAM)
  Description: A lightweight Java or Windows-based download enabling access to client/server applications.
  Benefit: Enables access to client/server applications using just a Web browser; also provides native access to terminal server applications without the need for a pre-installed client.

Network Connect (NC)
  Description: Provides complete network-layer connectivity via an automatically provisioned cross-platform download; Windows Logon/GINA integration for domain SSO; installer services to mitigate the need for admin rights. Allows for split tunneling.
  Benefit: Users only need a Web browser. Network Connect transparently selects between two possible transport methods to automatically deliver the highest performance possible for every network environment. When used with Juniper Networks Installer Services, no admin rights are needed to install, run, and upgrade Network Connect; an optional standalone installation is available as well. Split tunneling provides the flexibility to specify which subnets or hosts to include in or exclude from the tunnel.

Junos Pulse
  Description: Single, integrated remote access client that can also provide LAN access control, WAN acceleration, and Dynamic VPN features to remote users, in conjunction with Juniper Networks UAC, WXC Series Application Acceleration Platforms, and SRX Series Services Gateways respectively.
  Benefit: Pulse replaces the need to deploy and maintain multiple, separate clients for different functions, such as VPN, LAN access control, and WAN acceleration. By seamlessly integrating all these functions into one single, easy-to-use client, administrators can save on client management and deployment costs.
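Split tunneling comes up twice on this page: the Network Connect row says administrators specify which subnets or hosts are included in or excluded from the tunnel, and the Junos Pulse list mentions enabling it with or without route monitoring. The Python below is an added illustration of both decisions, not Juniper code; the prefix lists, route table and interface names are constructed, and the tie-break rules (most specific prefix wins, an exclude wins an equal-length tie) are stated assumptions, not documented appliance behavior. The route monitor shows why the option exists: a more-specific route injected off-tunnel on the client silently pulls traffic for an included corporate subnet out of the VPN.

```python
"""Split-tunnel decision for include/exclude prefix lists, plus a simple route monitor.

Added illustration, not Juniper code; prefix lists, routes and interface names are
constructed. Tie-break semantics are assumptions made for the example.
"""
import ipaddress
from typing import Iterable, List, Tuple


def _nets(prefixes: Iterable[str]):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def tunnel_decision(dst: str, include: Iterable[str], exclude: Iterable[str]) -> bool:
    """True if traffic to `dst` enters the VPN tunnel, False if it leaves via the local interface.

    Assumed semantics: no include match means local; when an include and an exclude both
    match, the longer prefix wins; on an equal-length tie the exclude wins, so an ambiguous
    rule set fails toward the local interface rather than pulling traffic into the tunnel.
    Address-family mismatches (v4 address vs v6 prefix) never match.
    """
    addr = ipaddress.ip_address(dst)
    best_len, tunnel = -1, False
    for net in _nets(include):
        if addr in net and net.prefixlen > best_len:
            best_len, tunnel = net.prefixlen, True
    for net in _nets(exclude):
        if addr in net and net.prefixlen >= best_len:
            best_len, tunnel = net.prefixlen, False
    return tunnel


def route_monitor_violations(include: Iterable[str], routes: Iterable[Tuple[str, str]],
                             tunnel_if: str = "tun0") -> List[Tuple[str, str]]:
    """Return (prefix, interface) routes that lie inside an included prefix but do not
    point at the tunnel interface: the situation a route monitor would detect and undo."""
    bad: List[Tuple[str, str]] = []
    incl = _nets(include)
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if iface != tunnel_if and any(net.version == i.version and net.subnet_of(i) for i in incl):
            bad.append((prefix, iface))
    return bad


# Constructed policy: corporate ranges tunneled, two carve-outs, one v6 range.
INCLUDE = ["10.0.0.0/8", "192.168.0.0/16", "172.16.5.0/24", "2001:db8::/32"]
EXCLUDE = ["10.10.0.0/16", "192.168.0.0/16", "172.16.0.0/12"]

# Constructed client routing table after connect; 10.20.0.0/16 via eth0 is the planted route.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("10.0.0.0/8", "tun0"),
    ("192.168.0.0/16", "tun0"),
    ("172.16.5.0/24", "tun0"),
    ("10.20.0.0/16", "eth0"),
]

if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.10.5.5", "192.168.1.1", "172.16.5.9", "8.8.8.8", "2001:db8::1"):
        print(dst, "tunnel" if tunnel_decision(dst, INCLUDE, EXCLUDE) else "local")
    print("off-tunnel routes inside included space:", route_monitor_violations(INCLUDE, ROUTES))
```

Note the two deliberately tricky cases: 192.168.0.0/16 appears in both lists with equal length and resolves to local, and 172.16.5.0/24 is included even though its parent 172.16.0.0/12 is excluded, because the include is more specific. Whatever semantics a real client implements, these are the cases to test against its documentation before trusting a split-tunnel policy.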
Product Options
The SA2500, SA4500, and SA6500 appliances include various license options for greater functionality.
User License
With the release of the SA2500, SA4500, and SA6500 appliances, purchasing has been simplified, thanks to a combination of features that were once separate upgrades. Now only one license is needed to get started: the user license. Current customers with the older generation hardware (Juniper Networks SA2000, SA4000, and SA6000) will also benefit from these changes as systems are upgraded to version 6.1 (or higher) software.
User licenses provide the functionality that allows remote, extranet, and intranet users to access the network. They fully meet the needs of both basic and complex deployments with diverse audiences and use cases, and require little or no client software, server changes, DMZ build-outs, or software agent deployments. For ease of administering user license counts, each license enables as many concurrent users as it specifies, and licenses are additive. For example, if a 100-user license was originally purchased and the concurrent user count grows over the next year to exceed that amount, simply adding another 100-user license to the system allows up to 200 concurrent users. Key features enabled by this license include:
• Junos Pulse, SAM, and Network Connect provide cross-platform support for client/server applications (using SAM) as well as full network-layer access, using the SSL transport mode of Junos Pulse and the adaptive dual transport methods of Network Connect. The combination of SAM, Junos Pulse, and Network Connect with Core Clientless access provides secure access to virtually any audience, from remote/mobile workers to partners or customers, using a wide range of devices from any network.
• Provision by purpose goes beyond role-based access controls and allows administrators to properly, accurately, and dynamically balance security concerns with access requirements.
• Advanced PKI support includes the ability to import multiple root and intermediate certificate authorities (CAs), Online Certificate Status Protocol (OCSP), and multiple server certificates.
• User self-service provides the ability for users to create their own favorite bookmarks, including accessing their own workstation from a remote location, and even changing their password when it is set to expire.
• Multiple hostname support (for example, https://employees.company.com, https://partners.company.com, and https://employees.company.com/engineering) can make each audience appear to be the only one using the system, complete with separate logon pages and customized views that uniquely target the needs of that audience.
• User interfaces are customizable for users and delegated administrative roles.
• Advanced endpoint security controls such as Host Checker, Cache Cleaner, and Secure Virtual Workspace ensure that users are dynamically provisioned to access systems and resources only to the degree that their remote systems comply with the organization's security policy, after which remnant data is scrubbed from the hard drive so that nothing is left behind.
• Supports up to 240 VLANs.
Secure Meeting License (Optional)
The Juniper Networks Secure Meeting upgrade license extends the capabilities of the SA Series SSL VPN Appliances by providing secure anytime, anywhere, cost-effective online Web conferencing and remote control PC access. Secure Meeting enables real-time application sharing so that authorized employees and partners can easily schedule online meetings or activate instant meetings through an intuitive Web interface that requires no training or special deployments. Help desk staff or customer service representatives can provide remote assistance to any user or customer by remotely controlling his/her PC without requiring the user to install any software. Best-in-class Authentication, Authorization, and Accounting (AAA) capabilities enable companies to easily integrate Secure Meeting with their existing internal authentication infrastructure and policies. Juniper's market-leading, hardened, and Common Criteria-certified SSL VPN appliance architecture, and SSL/HTTPS transport security for all traffic, mean that administrators can rest assured that their Web conferencing and remote control solution adheres to the highest levels of enterprise security requirements.
The Secure Meeting upgrade is available for the SA2500, SA4500, and SA6500.
Instant Virtual System License (Optional)
The Juniper Networks Instant Virtual System (IVS) option is designed to enable administrators to provision logically independent SSL VPN gateways within a single appliance/cluster. This allows service providers to offer network-based SSL VPN managed services to multiple customers from a single device or cluster, as well as enabling enterprises to completely segment SSL VPN traffic between multiple groups. IVS enables complete customer separation and provides segregation of traffic between multiple customers using granular role-based VLAN (802.1Q) tagging. This enables the secure segregation of end user traffic even if two customers have overlapping IP addresses, and enables provisioning of specific VLANs for different user constituencies such as remote employees and partners of customers.
Domain Name Service (DNS)/Windows Internet Name Service (WINS), AAA, log/accounting servers, and application servers such as Web mail and file shares, to name a few, can reside either in the respective customer's intranet or in the service provider network.
Service providers can provision an overall concurrent number of users on a per-customer basis with the flexibility to distribute further to different user audiences such as remote employees, contractors, partners, and others. The SA Series extends programmatic support to configure and manage IVS. This enables service providers to integrate IVS management into their own operations support systems (OSS). It also enables enterprises that use Instant Virtual Systems to leverage XML import/export capabilities for management of the individual virtual systems.
The IVS upgrade is available for the SA4500 and SA6500.
High Availability License (Optional)
Juniper Networks has designed a variety of HA clustering options to support the SA Series, ensuring redundancy and seamless failover in the rare case of a system failure. These clustering options also provide performance scalability to handle the most demanding usage scenarios. The SA2500 and SA4500 can be purchased in cluster pairs, and the SA6500 can be purchased in multi-unit clusters or cluster pairs to provide complete redundancy and expansive user scalability. Both multi-unit clusters and cluster pairs feature stateful peering and failover across the LAN and WAN, so in the unlikely event that one unit fails, system configurations (like authentication server, authorization groups, and bookmarks), user profile settings (like user-defined bookmarks and cookies), and user sessions are preserved.
Failover is seamless, so there is no interruption to user/enterprise productivity, no need for users to log in again, and no downtime.
Multi-unit clusters are automatically deployed in active/active mode, while cluster pairs can be configured in either active/active or active/passive mode.
High availability licenses allow you to share licenses from one SA Series appliance with one or more additional SA Series appliances (depending on the platform in question). These are not additive to the concurrent user licenses. For example, if a customer has a 100 user license for the SA4500 and then purchases another SA4500 with a 100 user cluster license, this provides a total of 100 users shared across both appliances, not 100 per appliance.
The HA option is available for the SA2500, SA4500, and SA6500.
ICE License (Optional)
SSL VPNs can help keep organizations and businesses functioning by connecting people even during the most unpredictable circumstances—hurricanes, terrorist attacks, transportation strikes, pandemics, or virus outbreaks—the result of which could mean the quarantine or isolation of entire regions or groups of people for an extended period of time. With the right balance of risk and cost, the new Juniper Networks SA Series ICE offering delivers a timely solution for addressing a dramatic peak in demand for remote access to ensure business continuity whenever a disastrous event strikes. ICE provides licenses for a large number of additional users on an SA Series SSL VPN Appliance for a limited time. With ICE, businesses can:
• Maintain productivity by enabling ubiquitous access to applications and information for employees from anywhere, at any time, and on any device.
• Sustain partnerships with around-the-clock, real-time access to applications and services while knowing resources are secured and protected.
• Continue to deliver exceptional service to customers and partners with online collaboration.
• Meet federal and government mandates for contingencies and continuity of operations (COOP) compliance.
• Balance risk and scalability with cost and ease of deployment.
The ICE license is available for the SA4500 and the SA6500 and includes the following features:
• Baseline
• Secure Meeting
Antimalware Support with Enhanced Endpoint Security (EES) (Optional)
The number of newly discovered malicious programs that can harm endpoint devices such as PCs continues to grow. According to the 1985-2008 AV-test.org report, over seven million new malware programs were discovered in 2008, up from just over five million in 2007. Malware costs enterprises an increasing amount of money every year in the effort required to quarantine and remediate affected endpoints.
In order to prevent endpoints from being infected with malware, Juniper Networks offers the Enhanced Endpoint Security license option. This license is a full-featured, dynamically deployable antimalware module that is an OEM of Webroot's industry-leading Spy Sweeper product. The same dynamic antimalware download capability is also available with Unified Access Control. With this capability, organizations can ensure that unmanaged and managed Microsoft Windows endpoint devices conform to corporate security policies before they are allowed access to the network, applications, and resources. For example, potentially harmful keyloggers can be found and removed from an endpoint device before the user enters sensitive information such as their user credentials. The Enhanced Endpoint Security license protects endpoints from infection in real time and ensures only clean endpoints are granted access to the network. Enhanced Endpoint Security licenses are available as 1-year, 2-year, and 3-year subscription options (see the Ordering Information section for more details).
The Enhanced Endpoint Security option is available for the SA2500, SA4500, and SA6500.
Premier Java RDP Applet (Optional)
Until now, client access software for Microsoft's Terminal Server has been cut-and-dried: Microsoft's own browser-based Terminal Services client is restricted to Windows clients running Internet Explorer.
With the Premier Java RDP Applet option, users can remotely access centralized Windows applications independently of the client platform (Mac, Linux, Windows, and so on) through Java-based technology.
As a platform-independent solution, the Premier Java RDP Applet lets you use the entire range of Windows applications running on the Windows Terminal Server, regardless of how the client computer is equipped. By centrally installing and managing all the Windows applications, you can significantly reduce your total cost of ownership. The Premier Java RDP Applet is an OEM of the HOBlink JWT (Java Windows Terminal) product created by HOB Inc., a leading European software company specializing in Java programming.
The Premier Java RDP option is available for the SA2500, SA4500, and SA6500.
Specifications

Dimensions and Power
| Item | SA2500 | SA4500 | SA6500 |
|---|---|---|---|
| Dimensions (W x H x D) | 17.26 x 1.75 x 14.5 in (43.8 x 4.4 x 36.8 cm) | 17.26 x 1.75 x 14.5 in (43.8 x 4.4 x 36.8 cm) | 17.26 x 3.5 x 17.72 in (43.8 x 8.8 x 45 cm) |
| Weight | 14.6 lb (6.6 kg) typical (unboxed) | 15.6 lb (7.1 kg) typical (unboxed) | 26.4 lb (12 kg) typical (unboxed) |
| Rack mountable | Yes, 1U | Yes, 1U | Yes, 2U, 19 inch |
| A/C power supply | 100-240 VAC, 50-60 Hz, 2.5 A max, 200 W | 100-240 VAC, 50-60 Hz, 2.5 A max, 300 W | 100-240 VAC, 50-60 Hz, 2.5 A max, 400 W |
| System battery | CR2032 3V lithium coin cell | CR2032 3V lithium coin cell | CR2032 3V lithium coin cell |
| Efficiency | 80% minimum, at full load | 80% minimum, at full load | 80% minimum, at full load |
| Material | 18 gauge (.048 in) cold-rolled steel | 18 gauge (.048 in) cold-rolled steel | 18 gauge (.048 in) cold-rolled steel |
| MTBF | 75,000 hours | 72,000 hours | 98,000 hours |
| Fans | Three 40 mm ball bearing fans, one 40 mm ball bearing fan in power supply | Three 40 mm ball bearing fans, one 40 mm ball bearing fan in power supply | Two 80 mm hot swap, one 40 mm ball bearing fan in power supply |

Panel Display
| Item | SA2500 | SA4500 | SA6500 |
|---|---|---|---|
| Power LED, HD activity, HW alert | Yes | Yes | Yes |
| HD activity and fail LED on drive tray | No | No | Yes |

Ports
| Item | SA2500 | SA4500 | SA6500 |
|---|---|---|---|
| Traffic | Two RJ-45 Ethernet - 10/100/1000 full or half-duplex (auto-negotiation) | Two RJ-45 Ethernet - 10/100/1000 full or half-duplex (auto-negotiation) | Four RJ-45 Ethernet - full or half-duplex (auto-negotiation), for link redundancy to internal switches; SFP module optional |
| Management | N/A | N/A | One RJ-45 Ethernet - 10/100/1000 full or half-duplex (auto-negotiation) |
| Fast Ethernet | IEEE 802.3u compliant | IEEE 802.3u compliant | IEEE 802.3u compliant |
| Gigabit Ethernet | IEEE 802.3z or IEEE 802.3ab compliant | IEEE 802.3z or IEEE 802.3ab compliant | IEEE 802.3z or IEEE 802.3ab compliant |
| Console | One RJ-45 serial console port | One RJ-45 serial console port | One RJ-45 serial console port |

Environment (all models)
| Operating temp | 41° to 104° F (5° to 40° C) |
| Storage temp | -40° to 158° F (-40° to 70° C) |
| Relative humidity (operating) | 8% to 90% noncondensing |
| Relative humidity (storage) | 5% to 95% noncondensing |
| Altitude (operating) | 10,000 ft (3,048 m) maximum |
| Altitude (storage) | 40,000 ft (12,192 m) maximum |

Certifications (all models)
| Common Criteria EAL3+ certification | Yes |
| Safety certifications | EN60950-1:2001+A11, UL60950-1:2003, CAN/CSA C22.2 No. 60950-1-03, IEC 60950-1:2001 |
| Emissions certifications | FCC Class A, EN 55022 Class A, EN 55024 Immunity, EN 61000-3-2, VCCI Class A |
| Warranty | 90 days; can be extended with support contract |
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains and faster rollouts of new business models and ventures. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services/.
Ordering Information

SA2500
| MODEL NUMBER | DESCRIPTION |
|---|---|
| Base System | |
| SA2500 | SA2500 Base System |
| User Licenses | |
| SA2500-ADD-10U | Add 10 simultaneous users to SA2500 |
| SA2500-ADD-25U | Add 25 simultaneous users to SA2500 |
| SA2500-ADD-50U | Add 50 simultaneous users to SA2500 |
| SA2500-ADD-100U | Add 100 simultaneous users to SA2500 |
| Feature Licenses | |
| SA2500-MTG | Secure Meeting for SA2500 |
| Clustering Licenses | |
| SA2500-CL-10U | Clustering: Allow 10 users to be shared from another SA2500 |
| SA2500-CL-25U | Clustering: Allow 25 users to be shared from another SA2500 |
| SA2500-CL-50U | Clustering: Allow 50 users to be shared from another SA2500 |
| SA2500-CL-100U | Clustering: Allow 100 users to be shared from another SA2500 |

SA4500
| MODEL NUMBER | DESCRIPTION |
|---|---|
| Base System | |
| SA4500 | SA4500 Base System |
| User Licenses | |
| SA4500-ADD-50U | Add 50 simultaneous users to SA4500 |
| SA4500-ADD-100U | Add 100 simultaneous users to SA4500 |
| SA4500-ADD-250U | Add 250 simultaneous users to SA4500 |
| SA4500-ADD-500U | Add 500 simultaneous users to SA4500 |
| SA4500-ADD-1,000U | Add 1,000 simultaneous users to SA4500 |
| Feature Licenses | |
| SA4500-MTG | Secure Meeting for SA4500 |
| SA4500-IVS | Instant Virtual System for SA4500 |
| SA4500-ICE | In Case of Emergency License for SA4500 |
| SA4500-ICE-CL | In Case of Emergency Clustering License for SA4500 |
| Clustering Licenses | |
| SA4500-CL-50U | Clustering: Allow 50 users to be shared from another SA4500 |
| SA4500-CL-100U | Clustering: Allow 100 users to be shared from another SA4500 |
| SA4500-CL-250U | Clustering: Allow 250 users to be shared from another SA4500 |
| SA4500-CL-500U | Clustering: Allow 500 users to be shared from another SA4500 |

SA6500
| MODEL NUMBER | DESCRIPTION |
|---|---|
| Base System | |
| SA6500 | SA6500 Base System |
| User Licenses | |
| SA6500-ADD-100U | Add 100 simultaneous users to SA6500 |
| SA6500-ADD-250U | Add 250 simultaneous users to SA6500 |
| SA6500-ADD-500U | Add 500 simultaneous users to SA6500 |
| SA6500-ADD-1,000U | Add 1,000 simultaneous users to SA6500 |
| SA6500-ADD-2,500U | Add 2,500 simultaneous users to SA6500 |
| SA6500-ADD-5,000U | Add 5,000 simultaneous users to SA6500 |
| SA6500-ADD-7,500U | Add 7,500 simultaneous users to SA6500 |
| SA6500-ADD-10,000U | Add 10,000 simultaneous users to SA6500 |
| SA6500-ADD-12,500U* | Add 12,500 simultaneous users to SA6500 |
| SA6500-ADD-15,000U* | Add 15,000 simultaneous users to SA6500 |
| SA6500-ADD-20,000U* | Add 20,000 simultaneous users to SA6500 |
| SA6500-ADD-25,000U* | Add 25,000 simultaneous users to SA6500 |
| Feature Licenses | |
| SA6500-MTG | Secure Meeting for SA6500 |
| SA6500-IVS | Instant Virtual System for SA6500 |
| SA6500-ICE | In Case of Emergency License for SA6500 |
| SA6500-ICE-CL | In Case of Emergency Clustering License for SA6500 |
| Clustering Licenses | |
| SA6500-CL-100U | Clustering: Allow 100 users to be shared from another SA6500 |
| SA6500-CL-250U | Clustering: Allow 250 users to be shared from another SA6500 |
| SA6500-CL-500U | Clustering: Allow 500 users to be shared from another SA6500 |
| SA6500-CL-1000U | Clustering: Allow 1,000 users to be shared from another SA6500 |
| SA6500-CL-2500U | Clustering: Allow 2,500 users to be shared from another SA6500 |
| SA6500-CL-5000U | Clustering: Allow 5,000 users to be shared from another SA6500 |
| SA6500-CL-7500U | Clustering: Allow 7,500 users to be shared from another SA6500 |
| SA6500-CL-10000U | Clustering: Allow 10,000 users to be shared from another SA6500 |
| SA6500-CL-12500U | Clustering: Allow 12,500 users to be shared from another SA6500 |
| SA6500-CL-15000U | Clustering: Allow 15,000 users to be shared from another SA6500 |
| SA6500-CL-20000U | Clustering: Allow 20,000 users to be shared from another SA6500 |
| SA6500-CL-25000U | Clustering: Allow 25,000 users to be shared from another SA6500 |
*Multiple SA6500s required
Ordering Information (continued)

Enhanced Endpoint Security Licenses for SA2500, SA4500, and SA6500
| MODEL NUMBER | DESCRIPTION |
|---|---|
| ACCESS-EES-10U-1YR | Enhanced Endpoint Security subscription, 10 concurrent users, 1-year |
| ACCESS-EES-25U-1YR | Enhanced Endpoint Security subscription, 25 concurrent users, 1-year |
| ACCESS-EES-50U-1YR | Enhanced Endpoint Security subscription, 50 concurrent users, 1-year |
| ACCESS-EES-100U-1YR | Enhanced Endpoint Security subscription, 100 concurrent users, 1-year |
| ACCESS-EES-250U-1YR | Enhanced Endpoint Security subscription, 250 concurrent users, 1-year |
| ACCESS-EES-500U-1YR | Enhanced Endpoint Security subscription, 500 concurrent users, 1-year |
| ACCESS-EES-1000U-1YR | Enhanced Endpoint Security subscription, 1,000 concurrent users, 1-year |
| ACCESS-EES-2500U-1YR | Enhanced Endpoint Security subscription, 2,500 concurrent users, 1-year |
| ACCESS-EES-5000U-1YR | Enhanced Endpoint Security subscription, 5,000 concurrent users, 1-year |
| ACCESS-EES-7500U-1YR | Enhanced Endpoint Security subscription, 7,500 concurrent users, 1-year |
| ACCESS-EES-10U-2YR | Enhanced Endpoint Security subscription, 10 concurrent users, 2-years |
| ACCESS-EES-25U-2YR | Enhanced Endpoint Security subscription, 25 concurrent users, 2-years |
| ACCESS-EES-50U-2YR | Enhanced Endpoint Security subscription, 50 concurrent users, 2-years |
| ACCESS-EES-100U-2YR | Enhanced Endpoint Security subscription, 100 concurrent users, 2-years |
| ACCESS-EES-250U-2YR | Enhanced Endpoint Security subscription, 250 concurrent users, 2-years |
| ACCESS-EES-500U-2YR | Enhanced Endpoint Security subscription, 500 concurrent users, 2-years |
| ACCESS-EES-1000U-2YR | Enhanced Endpoint Security subscription, 1,000 concurrent users, 2-years |
| ACCESS-EES-2500U-2YR | Enhanced Endpoint Security subscription, 2,500 concurrent users, 2-years |
| ACCESS-EES-5000U-2YR | Enhanced Endpoint Security subscription, 5,000 concurrent users, 2-years |
| ACCESS-EES-7500U-2YR | Enhanced Endpoint Security subscription, 7,500 concurrent users, 2-years |
| ACCESS-EES-10U-3YR | Enhanced Endpoint Security subscription, 10 concurrent users, 3-years |
| ACCESS-EES-25U-3YR | Enhanced Endpoint Security subscription, 25 concurrent users, 3-years |
| ACCESS-EES-50U-3YR | Enhanced Endpoint Security subscription, 50 concurrent users, 3-years |
| ACCESS-EES-100U-3YR | Enhanced Endpoint Security subscription, 100 concurrent users, 3-years |
| ACCESS-EES-250U-3YR | Enhanced Endpoint Security subscription, 250 concurrent users, 3-years |
| ACCESS-EES-500U-3YR | Enhanced Endpoint Security subscription, 500 concurrent users, 3-years |
| ACCESS-EES-1000U-3YR | Enhanced Endpoint Security subscription, 1,000 concurrent users, 3-years |
| ACCESS-EES-2500U-3YR | Enhanced Endpoint Security subscription, 2,500 concurrent users, 3-years |
| ACCESS-EES-5000U-3YR | Enhanced Endpoint Security subscription, 5,000 concurrent users, 3-years |
| ACCESS-EES-7500U-3YR | Enhanced Endpoint Security subscription, 7,500 concurrent users, 3-years |
Premier RDP Applet Licenses for SA2500, SA4500, and SA6500
| MODEL NUMBER | DESCRIPTION |
|---|---|
| ACCESS-RDP-50U-1YR | Java RDP Applet 1-year subscription for 50 simultaneous users |
| ACCESS-RDP-100U-1YR | Java RDP Applet 1-year subscription for 100 simultaneous users |
| ACCESS-RDP-250U-1YR | Java RDP Applet 1-year subscription for 250 simultaneous users |
| ACCESS-RDP-500U-1YR | Java RDP Applet 1-year subscription for 500 simultaneous users |
| ACCESS-RDP-1000U-1YR | Java RDP Applet 1-year subscription for 1,000 simultaneous users |
| ACCESS-RDP-2000U-1YR | Java RDP Applet 1-year subscription for 2,000 simultaneous users |
| ACCESS-RDP-2500U-1YR | Java RDP Applet 1-year subscription for 2,500 simultaneous users |
| ACCESS-RDP-5000U-1YR | Java RDP Applet 1-year subscription for 5,000 simultaneous users |
| ACCESS-RDP-7500U-1YR | Java RDP Applet 1-year subscription for 7,500 simultaneous users |
| ACCESS-RDP-10KU-1YR | Java RDP Applet 1-year subscription for 10,000 simultaneous users |
| ACCESS-RDP-50U-2YR | Java RDP Applet 2-year subscription for 50 simultaneous users |
| ACCESS-RDP-100U-2YR | Java RDP Applet 2-year subscription for 100 simultaneous users |
| ACCESS-RDP-250U-2YR | Java RDP Applet 2-year subscription for 250 simultaneous users |
| ACCESS-RDP-500U-2YR | Java RDP Applet 2-year subscription for 500 simultaneous users |
| ACCESS-RDP-1000U-2YR | Java RDP Applet 2-year subscription for 1,000 simultaneous users |
| ACCESS-RDP-2000U-2YR | Java RDP Applet 2-year subscription for 2,000 simultaneous users |
| ACCESS-RDP-2500U-2YR | Java RDP Applet 2-year subscription for 2,500 simultaneous users |
| ACCESS-RDP-5000U-2YR | Java RDP Applet 2-year subscription for 5,000 simultaneous users |
| ACCESS-RDP-7500U-2YR | Java RDP Applet 2-year subscription for 7,500 simultaneous users |
| ACCESS-RDP-10KU-2YR | Java RDP Applet 2-year subscription for 10,000 simultaneous users |
| ACCESS-RDP-50U-3YR | Java RDP Applet 3-year subscription for 50 simultaneous users |
| ACCESS-RDP-100U-3YR | Java RDP Applet 3-year subscription for 100 simultaneous users |
| ACCESS-RDP-250U-3YR | Java RDP Applet 3-year subscription for 250 simultaneous users |
| ACCESS-RDP-500U-3YR | Java RDP Applet 3-year subscription for 500 simultaneous users |
| ACCESS-RDP-1000U-3YR | Java RDP Applet 3-year subscription for 1,000 simultaneous users |
| ACCESS-RDP-2000U-3YR | Java RDP Applet 3-year subscription for 2,000 simultaneous users |
| ACCESS-RDP-2500U-3YR | Java RDP Applet 3-year subscription for 2,500 simultaneous users |
| ACCESS-RDP-5000U-3YR | Java RDP Applet 3-year subscription for 5,000 simultaneous users |
| ACCESS-RDP-7500U-3YR | Java RDP Applet 3-year subscription for 7,500 simultaneous users |
| ACCESS-RDP-10KU-3YR | Java RDP Applet 3-year subscription for 10,000 simultaneous users |
Ordering Information (continued)

Accessories
| MODEL NUMBER | DESCRIPTION |
|---|---|
| UNIV-CRYPTO | Field upgradeable SSL acceleration module for SA4500 |
| UNIV-PS-400W-AC | Field upgradeable secondary 400 W power supply for SA6500 |
| UNIV-80G-HDD | Field replaceable 80 GB hard disk for SA6500 |
| UNIV-MR2U-FAN | Field replaceable fan for SA6500 |
| UNIV-MR1U-RAILKIT | Rack mount kit for SA2500 and SA4500 |
| UNIV-MR2U-RAILKIT | Rack mount kit for SA6500 |
| UNIV-SFP-FSX | Mini-GBIC transceiver - fiber SX for SA6500 |
| UNIV-SFP-FLX | Mini-GBIC transceiver - fiber LX for SA6500 |
| UNIV-SFP-COP | Mini-GBIC transceiver - copper for SA6500 |
| SA6500-IOC | GBIC I/O card |
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses.
Additional information can be found at www.juniper.net.
Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100 www.juniper.net
APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803
EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper
Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
1000220-009-EN June 2010
To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.
Printed on recycled paper
Product Data Sheet
RSA® Authentication Manager
Enterprise-class security engine for RSA SecurID® authentication
At a Glance
— Enterprise-class two-factor security engine powers the authentication of more than 25 million RSA SecurID® users worldwide
— Scales to meet the needs of small to large enterprises
— Interoperable with more than 350 products from more than 200 vendors at no additional charge
— Enables a flexible array of centrally managed credential methods
Identity Assurance
Identity assurance is the set of capabilities and methodologies that minimize business risk associated with identity impersonation and inappropriate account use.
Identity assurance brings confidence to organizations by allowing trusted identities to freely and securely interact with systems and access information, opening the door for new ways to generate revenue, satisfy customers and control costs.
RSA Authentication Manager
RSA Authentication Manager is the de facto standard in identity assurance. The system comprehensively addresses the four capabilities required for identity assurance: credential management and policy, authentication, authorization and intelligence. The RSA Identity Assurance portfolio extends user authentication from a single security measure to a continual trust model that is the basis of how an identity is used and what it can do. Trusted identities managed by RSA bring confidence to everyday transactions and support new business models by providing secure access for employees, customers and partners while striking the right balance between risk, cost and convenience.
RSA® Authentication Manager software is the management component of the RSA SecurID® solution. It is used to verify authentication requests and centrally administer user authentication policies for access to enterprise networks.
Working in conjunction with RSA SecurID authenticators and RSA® Authentication Agent software, the solution provides two-factor user authentication that protects access to more VPNs, wireless networks, web applications, business applications and operating environments, including the Microsoft® Windows® operating system, than any other system available today.
High Performance and Scalability
RSA Authentication Manager software is designed to fit the needs of organizations of all sizes. Built upon an enterprise-class multi-processor architecture, it is capable of handling tens of thousands of users, as well as hundreds of simultaneous authentications per second. It is deployed in banking, government, manufacturing, retail, high tech and healthcare worldwide, including many small to medium-sized businesses. It is available in two versions: Base Edition and Enterprise Edition.
Database Replication
The database replication feature of the RSA Authentication Manager enables flexible network configuration and load balancing for improved performance that ultimately lowers management costs.
The Base Edition provides one primary server and one replica server. User administration is handled by the primary server and all information is duplicated to the replica. Both servers are capable of handling authentication requests; RSA Authentication Agents balance the work load between servers by detecting response times and directing the request accordingly, to ensure optimum performance.
The Enterprise Edition offers one primary and multiple replicas (up to 5 on the RSA SecurID Appliance; 10 or more on the software release), along with the ability to have up to six separate realms. This provides administrators with the ability to track user authentication to their network anytime in the world in real time, update security policy simultaneously across the worldwide network and develop a global network topology that increases network performance.
Manageability and Control
RSA Authentication Manager software offers a high level of management flexibility and control. There is no desktop admin software to install; a built-in web server allows for access to the management console from any web browser.
The included Juniper® Steel Belted RADIUS server is similarly managed from completely within the intuitive, easy-to-navigate administration console.
Native LDAP integration enables RSA Authentication Manager to point to a single authoritative data store in real time for user and group information. Supported identity sources include Microsoft Active Directory® or Sun One™, and no schema changes are required to the underlying database infrastructure. A Microsoft Management Console snap-in supports manipulation of user records directly from an MMC interface.
Both the Base and Enterprise Editions include RSA® Credential Manager, a completely integrated software module that enables user self service (Base and Enterprise) and workflow provisioning (Enterprise only) to dramatically speed the on-boarding of users to their credentials.
Auditing and Reporting
Because RSA Authentication Manager logs all transactions and user activity, administrators can utilize it as an auditing, accounting and compliance tool. It includes report templates that can be easily tailored to administration needs, including activity, exception, incident and usage summaries.
In addition to the reporting capabilities the product supports a live activity monitor that shows all or administrator-selected activity across a global deployment.
[Figure: RSA SecurID time-synchronous two-factor authentication. The user submits User ID asmith, PIN kzw08 and token code 449054 to an RSA Authentication Agent (RAS, VPN, SSL-VPN, WLAN, web and more). The agent forwards the request to RSA Authentication Manager, which derives the expected token code 449054 from the same seed, the same algorithm and the same time as the user's token.]
Array of Credentialing Methods
RSA Authentication Manager supports authenticators in a variety of form factors, from the traditional hardware tokens to software-based tokens that install on PCs and smart phones, to the On-demand Authenticator that delivers one-time token codes using Short Message Service (SMS) or email. All of these credentials are centrally managed from a common interface.
Turnkey Interoperability
RSA Authentication Manager is interoperable with many of the major network infrastructure and operating system products on the market, including more than 350 products from over 200 vendors, providing an organization with maximum flexibility and investment protection. Leading vendors of remote access products, VPNs, firewalls, wireless network devices, web servers and business applications have built in support for RSA Authentication Manager.
www.rsa.com
©2000-2010 EMC Corporation. All Rights Reserved.
EMC, RSA, RSA Security, SecurID and the RSA logo are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.
SIDAM_DS_0710
Product Data Sheet
RSA SecurID® 700 Authenticator
Convenient, reliable and secure choice for two-factor authentication
At a Glance
— Convenient keyfob form factor is easy for users to carry and use
— High-quality solution combined with a lifetime warranty creates a reliable choice
— Advanced time-based algorithm and tamper-evident body ensure secure authentication
The RSA SecurID 700 authenticator is the most popular form factor in the SecurID authenticator portfolio offered by RSA, the Security Division of EMC, due to its convenience, reliability and security. Thousands of organizations worldwide rely upon the SecurID 700 to protect valuable network and customer resources. Used in conjunction with RSA® Authentication Manager, the SecurID 700 adds an additional layer of security by requiring users to identify themselves with two unique factors, something they know (a PIN) and something they have (the token, which displays a unique one-time password (OTP) that changes every 60 seconds), before they are granted access to the secured application.
Convenient Form Factor
With its robust key ring, small size and easy-to-read LCD display, the SecurID 700 is a convenient form factor for employees, partners and customers. Loss of the authenticator is minimized as it easily fits on a ring of keys or in a pocket or purse. Users can easily read the OTP displayed on the authenticator and know when the number is going to change by watching the countdown indicator. The SecurID 700 is convenient for IT managers too, as it comes pre-seeded and is ready-to-use out-of-the-box. It is integrated with over 350 certified third-party applications, helping to lower deployment costs by providing the assurance that important applications are "RSA SecurID Ready." The SecurID 700 can also be customized with company artwork to reinforce the issuer's brand.
Reliable Authentication Solution
The SecurID 700 authenticator is designed to withstand the worst imaginable conditions, offering industry-leading reliability. From temperature cycling to mechanical shocks to being immersed in water, the SecurID 700 is subjected to rigorous tests to ensure that customers do not face hidden costs due to token failures. The combination of this high level of quality with a lifetime warranty allows organizations to reduce the overhead costs of distributing replacement tokens and drive down the overall cost of security while providing a consistent and easy-to-use authentication experience for end-users.
Strong Security
The SecurID 700 offers a time-based OTP solution that ensures a strong level of security. It has a unique symmetric key that is combined with a proven algorithm to generate a new one-time password every 60 seconds. RSA technology keeps each authenticator synchronized with the security server, so both sides derive the same code for the same time window. The one-time password, which proves possession of the token (something you have), is coupled with a secret personal identification number (PIN), something you know, to create a combination that is nearly impossible for an attacker to guess. The SecurID 700 is also tamper evident, meaning that if someone opened the token for nefarious purposes, it would be evident to the user of the device.
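The following is an added worked example of the time-synchronous two-factor scheme described in the figure in the RSA Authentication Manager data sheet above and in the "Strong Security" paragraph here: the token and the server share a seed, an algorithm and a clock, so both derive the same tokencode for the same 60-second window, and the user submits PIN plus tokencode. It is not RSA's code, and RSA's proprietary SecurID algorithm is not reproduced; the HMAC-based construction of RFC 4226/RFC 6238 stands in for it, with a 60-second step (SecurID's code lifetime) instead of RFC 6238's default 30 seconds. The `AuthenticationServer` class is a stand-in for the server role and is not RSA Authentication Manager's API; the drift window of one step, the user ID, PIN, seed and timestamps are all constructed for the illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# SecurID-style parameters (assumed for this illustration): a 6-digit code that
# changes every 60 seconds, and a server that tolerates one window of clock drift.
STEP_SECONDS = 60
DIGITS = 6
DRIFT_STEPS = 1


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def token_code(seed: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """What the token displays at Unix time `at`: HOTP over the current time step (RFC 6238)."""
    return hotp(seed, at // step)


class AuthenticationServer:
    """Stand-in for the server side (not RSA Authentication Manager's API): holds each user's
    seed and PIN, recomputes the code from its own clock, and refuses replayed codes."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def enroll(self, user_id: str, seed: bytes, pin: str) -> None:
        # last_step records the newest time step already accepted, so a captured
        # passcode cannot be replayed within its own 60-second window.
        self._users[user_id] = {"seed": seed, "pin": pin, "last_step": -1}

    def verify(self, user_id: str, passcode: str, now: Optional[int] = None) -> bool:
        """passcode is the PIN followed by the 6-digit tokencode, e.g. 'kzw08' + '449054'."""
        now = int(time.time()) if now is None else now
        rec = self._users.get(user_id)
        if rec is None or not passcode.isascii() or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        # Something you know: constant-time PIN comparison, so timing does not leak PIN bytes.
        if not hmac.compare_digest(pin, rec["pin"]):
            return False
        # Something you have: the code must match the current window or an adjacent one
        # (clock drift), and must be newer than the last window already accepted (replay).
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= rec["last_step"]:
                continue
            if hmac.compare_digest(hotp(rec["seed"], step), code):
                rec["last_step"] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo data: not a real token seed, not a real user.
    demo_seed = b"constructed demo seed, not an RSA token seed"
    server = AuthenticationServer()
    server.enroll("asmith", demo_seed, "kzw08")
    now = int(time.time())
    shown = token_code(demo_seed, now)  # what the user's token would display right now
    print("tokencode:", shown)
    print("first use accepted:", server.verify("asmith", "kzw08" + shown, now))
    print("same passcode replayed:", server.verify("asmith", "kzw08" + shown, now))
```

Two points the data sheet does not spell out but a server must get right: the drift window is what makes a shared clock workable (a token a few seconds ahead of the server would otherwise fail at every window boundary), and the `last_step` check is what stops a shoulder-surfed or phished PIN + tokencode from being reused during the remainder of its 60-second life.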
The RSA SecurID 700 authenticator is a smart choice for companies that are looking for a convenient, reliable and secure authentication solution. Its use by millions of users world-wide for secure access to enterprise and consumer applications demonstrates that the SecurID 700 is a proven solution that can be counted on to protect your organization’s resources.
Environmentally friendly
In an effort to help preserve the environment, RSA reuses almost 100% of all returned authenticators. Customers can send the authenticator back to RSA and RSA will recycle the token at no additional charge.
Technical Specifications
Height: 20mm; 27mm at highest point
Width: 68mm
Thickness: 9mm
Weight: 15 grams
Materials: Plastic – ABS
Power: 3v Lithium (Coin cell)
Display: Liquid Crystal (LCD)
Server support: RSA Authentication Manager 5.1 or higher; RSA SecurID Authentication Engine
Operating temperature: -15°C to 60°C
Lifetime: Purchased in increments of 24, 36, 48, or 60 months
Warranty: Lifetime warranty
Tamper evidence: Conforms to ISO 13491-1; ISO DIS 13491-2:2005
Product safety standards: RoHS, WEEE, CE, cRoHS
Regulatory standards: FCC Part 15 Class A and Class B, EN55022 Class A and Class B
©2009 RSA Security Inc. All Rights Reserved.
RSA, RSA Security, SecurID and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries.
EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies.
SID700 DS 0709
ANNEX 3: Technical Data Sheets of the Products That Took Part in the Selection Process
This annex presents the technical data sheets of the products, equipment and software, that took part in the component selection process for the proposed security solution.
CHECK POINT SECURITY APPLIANCES
Table of Contents
Introduction ………………………………………………………………… 1
UTM-1 Appliances ………………………………………………………… 2
Series 80 Appliance ………………………………………………………… 3
Power-1 Appliances ………………………………………………………… 4
IP Appliances ……………………………………………………………… 5
VSX-1 Appliances …………………………………………………………… 6
DLP-1 Appliances…………………………………………………………… 7
Smart-1 ……………………………………………………………………… 8
Smart-1 SmartEvent ……………………………………………………… 9
Integrated Appliance Solutions …………………………………………… 10
Appliance Specifications ………………………………………………… 13
Introduction
Check Point appliances deliver a powerful turnkey solution for deploying Check Point award-winning software solutions to address virtually any security need. Based on the new Check Point Software Blade architecture, Check Point appliances provide the highest level of flexibility, scalability, and extensibility in the industry. All Check Point appliances are built around a unified security architecture, enabling organizations to perform all aspects of security management via a single, unified console.
With Check Point appliances, organizations of all sizes can tailor their network security infrastructure to meet their functional and performance needs, with centralized management, simple deployment, and full extensibility.
CHECK POINT APPLIANCE OPTIONS
Check Point offers the following appliance options to effectively deliver comprehensive security applications:
• Dedicated Appliances: Check Point dedicated hardware platforms devoted to a single security application such as intrusion prevention (IPS) and data loss prevention (DLP). Dedicated appliances provide hardware resources for a single application, delivering higher performance.
• Integrated Appliances: Check Point integrated appliances take an all-in-one approach, combining multiple security applications on a single enterprise-class platform. Because applications are consolidated within a unified security architecture, organizations can reduce TCO and simplify security configuration.
• Bladed Hardware: Check Point bladed hardware platforms include a chassis with multiple hardware blades that run independent security applications. Each blade is equivalent to an independent server or appliance, and contains dedicated resources for each security application. Bladed hardware platforms deliver built-in failover and load-balancing utilities, as well as an increase in system performance.
UTM-1 Appliances
All inclusive. All secured.
OVERVIEW
UTM-1™ appliances offer the ideal combination of proven security technologies and easy-to-use deployment and management features. With a full line of hardware-based solutions, Check Point UTM-1 appliances consolidate key security applications such as firewall, VPN, intrusion prevention, antivirus and more into a single, easy-to-manage solution. UTM-1 appliances are based on the Check Point Software Blade architecture, which enables flexible and fast deployment of additional security capabilities, such as VoIP protections, without the addition of new hardware.
UTM-1 appliances deliver a comprehensive set of security features including firewall, intrusion prevention, antivirus, anti-spyware, anti-spam, Web filtering and Web application security, as well as secure site-to-site and remote access connectivity.
The UTM-1 Edge™ family of appliances delivers integrated firewall, intrusion prevention, VPN, and antivirus for branch offices of up to 100 users, ensuring small offices stay as secure as the corporate office.
Benefits
• Industry-leading application- and network-layer firewall
• Site-to-site and remote-access VPNs
• Gateway antivirus and anti-spyware
• Intrusion prevention with type-based protections and security updates
• Web security with URL filtering and integrated security for Web applications
• Email security and anti-spam, including the Check Point six dimensions of comprehensive messaging security
• Software Blade architecture for fast and flexible deployment of new security services
UTM-1 appliances come in six models, and the UTM-1 Edge family of appliances consists of X-Series and N-Series models. UTM-1 Edge X-Series appliances come in four models and UTM-1 Edge N-Series appliances come in two models, letting organizations choose the right solution to meet price and performance requirements.
Pictured: UTM-1 Edge N-Series, UTM-1 130, UTM-1 3070
For more information: www.checkpoint.com/products/utm
Series 80 Appliance
Enterprise-grade branch office security
OVERVIEW
The Series 80 Appliance raises the bar on remote and branch office security by extending Software Blades to the edge of the network, delivering enterprise-grade security in a high-performance desktop form factor. The Series 80 appliance delivers IPsec/SSL VPN and the same industry-proven firewall technology that secures the Global 100, all right out of the box. Based on the Check Point Software Blade architecture, the Series 80 appliance enables flexible, single-click upgrades of additional security capabilities, including IPS, antivirus and anti-malware, anti-spam and email security, and URL filtering. And the Series 80 can be easily configured, deployed and managed without the need for corporate IT staff.
Benefits
• Delivers flexible and manageable enterprise-grade security for branch offices
• Includes best-in-class integrated firewall and IPsec/SSL VPN
• Provides the best price/performance in its class with proven throughput of 1.5 Gbps for firewall, 220 Mbps for VPN and 720 Mbps for IPS
• Protects against emerging threats with optional Software Blades such as IPS, antivirus, email security, and more
• High port density provides enhanced performance and minimizes the overhead of switches and routers in remote environments
• New intuitive and fast start-up wizard allows hassle-free configuration, deployment and management
• Centrally managed by SmartCenter and Provider-1
Pictured: Series 80
For more information: www.checkpoint.com/products/series-80-appliance
Power-1 Appliances
Security for high-performance environments
OVERVIEW
Check Point Power-1™ appliances enable organizations to maximize security in high-performance environments such as large campuses or data centers. They combine integrated firewall, IPsec VPN, and intrusion prevention with advanced acceleration and networking technologies, delivering a high-performance security platform for multi-Gbps environments. The Check Point Software Blade architecture enables flexible and fast deployment of additional security capabilities, such as VoIP protections and UTM functionality, on Power-1 appliances.
Benefits
• Streamlines deployment of enterprise security for large offices and data centers
• Ensures availability of business-critical applications with up to 30 Gbps firewall throughput and up to 15 Gbps intrusion prevention throughput
• Provides comprehensive security including Firewall, IPS, IPsec VPN, Advanced Networking, and Acceleration & Clustering Software Blades
• Protects against emerging threats with optional Software Blades such as VoIP, Web Security, Antivirus, and more
• Simplifies administration with a single management console for all sites
• Power-1 11000 series adds performance extensibility via field upgradeability and enables customers to boost performance by 100% from lowest to highest model
Power-1 appliances, which include the Power-1 5075, Power-1 9075, and the Power-1 11000 series, let organizations choose the proper levels of performance and port density for their environments.
Pictured: Power-1 5075, Power-1 9075, Power-1 11000 series
For more information: www.checkpoint.com/products/power-1
IP Appliances
Flexible networking and performance options
OVERVIEW
Proven for years in complex networking and performance-demanding environments, Check Point IP appliances offer customers integrated turnkey security functionality such as firewall, VPN, and intrusion prevention across a wide range of models.
Optimized for Check Point Security Gateway software, the IP appliances offer unsurpassed scalability, high performance, manageability, and high port densities that reduce operational costs in complex, mission-critical security environments. IP appliances enable customers to extend a unified security architecture from the network core out to branch and remote offices.
Benefits
• Integrated security appliances based on Check Point Software Blade architecture for fast, flexible deployment of security functionality
• Scalable, modular, and configurable security architecture with multiple acceleration (ADP service modules), security, and interface options ensures investment protection
• Achieve high performance across a broad spectrum of traffic types
• Enterprise-class high availability, scalability, and fault tolerance to ensure network resiliency and business continuity
• Carrier-grade serviceability and redundancy
• Streamlined IT efficiency with advanced management tools for installation, configuration, and maintenance
IP appliances come in six models that deliver security solutions ideal for large enterprises, carrier-grade networks and remote and branch offices.
Pictured: IP295, IP695, IP2455; Accelerated Data Path (ADP) for IP Appliances
For more information: www.checkpoint.com/products/ip-appliances
VSX-1 Appliances
Virtualized security
OVERVIEW
The VSX-1™ appliances are virtualized security gateways that enable the creation of hundreds of security systems on a single hardware platform, delivering deep cost savings and infrastructure consolidation. Based on the proven security of VPN-1® Power™, VSX provides best-in-class firewall, VPN, URL filtering, and intrusion-prevention technology to multiple networks, securely connecting them to each other and to shared resources such as the Internet and DMZs. All security systems, virtual and real, are centrally managed through Check Point SmartCenter™ or Provider-1® management consoles.
For MSPs, VSX-1 is an ideal platform for new subscription revenue opportunities, delivering new security services easily and efficiently.
Benefits
• Unique and comprehensive virtualized security solution with firewall, VPN, IPS, and URL filtering
• Consolidates from five to hundreds of security gateways on a single device, increasing device utilization and reducing power, space, and cooling
• Linear scalability with performance up to 27 Gbps
• Flexible deployment options including software and a full line of turnkey appliances
• Single proven security management architecture
VSX-1 appliances come in three models that allow organizations to choose the right solution for their performance and scalability needs.
Pictured: VSX-1 3070, VSX-1 9070, VSX-1 9090
For more information: www.checkpoint.com/products/vpn-1_power_vsx
DLP-1 Appliances
Check Point makes DLP work
OVERVIEW
Check Point DLP-1™ solves the longstanding problem with data loss prevention technology, enabling organizations to effectively protect sensitive company and customer data without placing an additional burden on scarce IT resources. Check Point DLP combines state-of-the-art prevention and enforcement with end-user remediation capabilities, for the ideal blend of security and usability.
UserCheck™, Check Point's unique user remediation function, educates users on self-incident handling and corporate data policies, while empowering them to remediate events in real time. Files that are sent or uploaded to the web are processed by Check Point MultiSpect™, a multi-data classification engine that inspects traffic flow for all data-in-motion and provides high accuracy in correlating users, data types, and processes.
Benefits
• Easily defines data policies while assuring consistent enforcement across the entire network
• Prevents data loss by inspecting traffic in real time and proactively blocking the transmission of sensitive information
• Includes more than 250 pre-defined best-practices policies and rules for easy administration
• High performance from 700 Mbps to over 2.5 Gbps
• Centralized Check Point management for unprecedented visibility and control
• Open scripting language to create customized data types for easily extensible and granular prevention
Pictured: DLP-1 2571, DLP-1 9571
For more information: www.checkpoint.com/products/dlp
Smart-1 Appliances
Extensible security management
OVERVIEW
Smart-1 appliances deliver Check Point's market-leading security management Software Blades on a dedicated hardware platform specifically designed for mid-size and large enterprise security networks. Based on Check Point's Software Blade architecture, the line of four Smart-1 appliances is the first to deliver a unified management solution for network, IPS and endpoint security with unsurpassed extensibility.
Benefits
• Provides a comprehensive set of security management Software Blades in four turnkey security management appliances
• Maximize efficiency with a single unified management console for network and endpoint security
• Reduce costs and conserve resources with up to 12 TB of integrated storage capabilities
• Ensure operational continuity for the most demanding environments
• Simplify large-scale security policy provisioning with multi-domain management (Provider-1)
Smart-1 150: Security management for large service providers with more than 150 gateways, including up to 12 TB of integrated log storage
Smart-1 50: Security management for enterprises and service providers with 50 to 150 gateways, including up to 4 TB of integrated log storage
Smart-1 25: Security management for enterprises with 25 to 50 gateways, including up to 2 TB of integrated log storage
Smart-1 5: Security management for businesses with 5 to 25 gateways, including up to 500 GB of integrated log storage
Pictured: Smart-1 5, Smart-1 50, Smart-1 150
For more information: www.checkpoint.com/products/smart-1
Smart-1 SmartEvent Appliances
Unified security event management
OVERVIEW
Smart-1 SmartEvent appliances deliver Check Point's SmartEvent Software Blade for security event management on a dedicated hardware platform. Smart-1 SmartEvent appliances are specifically designed for mid-size and large enterprise security networks, providing comprehensive security event analysis in a turnkey, plug-and-play appliance. Based on Check Point's Software Blade architecture, Smart-1 SmartEvent appliances are the first to deliver a unified event management solution for network, IPS and endpoint security with unsurpassed extensibility.
Benefits
• Provides a comprehensive set of security management Software Blades in three turnkey security management appliances
• Maximize efficiency with a single unified management console for network and endpoint security event management
• Reduce costs and conserve resources with up to 4 TB of built-in storage capabilities
• Ensure operational continuity for the most demanding environments
Smart-1 SmartEvent 50: Security management for enterprises that need maximum flexibility, high performance and up to 2 years of log storage
Smart-1 SmartEvent 25: Security management for enterprises that want maximum flexibility and up to 1 year of log storage
Smart-1 SmartEvent 5: Security management for businesses that want an affordable solution that can scale as their business grows
Pictured: Smart-1 SmartEvent 5, Smart-1 SmartEvent 25, Smart-1 SmartEvent 50
For more information: www.checkpoint.com/products/smartevent
Check Point Integrated
Appliance Solutions
Integrated hardware and software from Check Point and IBM
OVERVIEW
Check Point Integrated Appliance Solutions (IAS) provide organizations with the ultimate choice in appliances: integrated software and hardware bundles customized to their exact specifications. These customized platforms enable them to provision security services based on exact corporate needs.
Organizations can choose from Check Point Software Blades such as firewall, IPSec VPN, and intrusion prevention, and additional blades including UTM functionality. They can also choose to deploy Check Point's virtualized security gateway, VPN-1 Power VSX™, as well as Provider-1 for management of large deployments with separate security domains.
Check Point integrates the selected software onto an IBM System x™ server or IBM BladeCenter® to provide a comprehensive solution that includes direct technical support from Check Point.
Benefits
• Provides a software/hardware combination trusted by the largest organizations in the world
• Reduces complexity by ensuring compatibility of the latest certified components and servers
• Increases flexibility for security services provisioning by allowing customers to choose from multiple Check Point solutions
• Delivers scalable performance and port density based on customer needs
• Protects against emerging threats with service-based Check Point Software Blades including IPS, Antivirus, Anti-Malware, and URL Filtering
M series Integrated Appliance Solutions are predefined models that can be customized to meet specific needs. The M2 model delivers UTM functionality. The M6 and M8 models both provide maximum security for high-performance environments with integrated firewall, VPN, and intrusion prevention.
Pictured: IAS M8
For more information: www.checkpoint.com/products/ias
Integrated Appliance Solution
Bladed Hardware
Customized security with superior network performance
OVERVIEW
Check Point Integrated Appliance Solution (IAS) Bladed Hardware provides a customized, integrated security solution on a single, high-performance chassis. By integrating essential Check Point Security Gateway Software Blades with Crossbeam's X-Series carrier-grade chassis, IAS Bladed Hardware can effectively serve the needs of the most demanding, highest-performance environments. Alternatively, the VPN-1 Power VSX provides a dedicated gateway for multi-layer, multi-domain virtualized security.
Leveraging the Check Point Software Blade architecture, IAS Bladed Hardware provides customized security solutions to meet specific customer needs, including unified management of physical and virtual environments.
Benefits
• Provides a customized, integrated security solution on a single, high-performance chassis
• Integrates best-in-class, award-winning security Software Blades with a carrier-grade chassis for a comprehensive security solution
• Enables true performance scalability, with up to 40 Gbps firewall throughput
• Increases flexibility for security services provisioning by allowing customers to choose from multiple Check Point solutions
• Provides a single point of contact for hardware, software, and support
With Check Point IAS Bladed Hardware, customers can choose between two hardware chassis and two security software bundles for a customized solution that best fits their individual needs. The Crossbeam X80 hardware chassis provides scalability and performance, while the X45 chassis provides performance in a space-saving design. The Check Point Security Gateway SG805 software bundle is designed for physical environments, while the VPN-1 Power VSX provides a virtualized security solution.
Pictured: Crossbeam X80
For more information: www.checkpoint.com/products/ias-bladed-hardware
Check Point Integrated
Appliance Solutions
Integrated hardware and software from Check Point and HP ES
OVERVIEW
Check Point Integrated Appliance Solutions (IAS) D-Series Appliances enable organizations to create a customized security solution, integrated software and hardware, built on a baseline set of standardized platforms for delivery of security services. This choice allows organizations to combine the proven security of Check Point on high-performance-oriented platforms with a single point of contact for fulfillment and support of all issues.
Organizations can customize their security solution using Check Point Software Blades such as firewall, IPSec VPN, intrusion prevention, advanced networking and more. Organizations can also choose to deploy Check Point's virtualized security gateway, VPN-1 Power VSX™, Provider-1 for management of large deployments with separate security domains, and the End Point Suite POINTSEC.
Benefits
• Provides a customized security software and hardware bundle on high-performance-oriented platforms
• Allows customers to extend security by a simple Software Blades upgrade
• Delivers high firewall performance of up to 20 Gbps based on customer needs
• Increases flexibility for security services provisioning by allowing customers to choose from multiple Check Point solutions
• Provides a single point of contact for hardware, software and support
D-Series Integrated Appliance Solutions are predefined models that can be customized to meet specific needs. There are eleven (11) models to choose from to meet your security needs. The VSX and VSLS models provide a virtualized security solution and the UTM models deliver UTM functionality.
Pictured: D8
Appliance Specifications
UTM-1 Series
Model | UTM-1 Edge X-Series | UTM-1 Edge N-Series | UTM-1 130 | UTM-1 270 | UTM-1 570 | UTM-1 1070 | UTM-1 2070 | UTM-1 3070
Includes | UTM-1 Edge X, UTM-1 Edge W, UTM-1 Edge X ADSL, UTM-1 Edge W ADSL | UTM-1 Edge N, UTM-1 Edge NW | UTM-1 132, UTM-1 136 | UTM-1 272, UTM-1 276 | UTM-1 572, UTM-1 576 | UTM-1 1073, UTM-1 1076 | UTM-1 2073, UTM-1 2076 | UTM-1 3073, UTM-1 3076
Software Edition | Embedded NGX | Embedded NGX | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71
10/100 Ports | 6 | - | 1 | - | - | - | - | -
10/100/1000 Ports | - | 6 | 4 | 4 | 6 | 6 | 8 | 10
Firewall Throughput | 190 Mbps | 1.0 Gbps | 1.5 Gbps | 1.5 Gbps | 2.5 Gbps | 3 Gbps | 3.5 Gbps | 4.5 Gbps
VPN Throughput | 35 Mbps | 200 Mbps | 120 Mbps | 120 Mbps | 300 Mbps | 350 Mbps | 450 Mbps | 1.1 Gbps
Concurrent Sessions | 8,000 | 60,000 | 600,000 | 600,000 | 650,000 | 1.1 million | 1.1 million | 1.1 million
IPS Throughput | 5 Mbps | 30 Mbps | 1.0 Gbps | 1.0 Gbps | 1.7 Gbps | 2.2 Gbps | 2.7 Gbps | 4 Gbps
Licensed Users | 8/16 | 32/Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited
VLANs (1) | 32 | 64 | 1,024 | 1,024 | 1,024 | 1,024 | 1,024 | 1,024
UTM Out of the Box | - | - | Yes | Yes | Yes | Yes | Yes | Yes
Security Acceleration | No | No | Yes | Yes | Yes | Yes | Yes | Yes
Multisite Management | No | No | Yes | Yes | Yes | Yes | Yes | Yes
Storage | - | - | 80 GB | 160 GB | 160 GB | 160 GB | 160 GB | 160 GB
Form Factor | Desktop | Desktop | Desktop/1U | 1U | 1U | 1U | 1U | 1U
Dimensions (standard) | 8 x 1.2 x 4.8 in. | 8 x 1.2 x 4.8 in. | 10.6 x 5.7 x 1.6 in. | 16.8 x 10 x 1.73 in. | 16.8 x 10 x 1.73 in. | 16.8 x 10 x 1.73 in. | 17.4 x 15 x 1.73 in. | 17.4 x 15 x 1.73 in.
Dimensions (metric) | 203.2 x 30.5 x 122mm | 203.2 x 30.5 x 122mm | 270 x 145 x 40mm | 429 x 255 x 44mm | 429 x 255 x 44mm | 429 x 255 x 44mm | 443 x 381 x 44mm | 443 x 381 x 44mm
Weight | 0.7kg (1.6 lbs.) | 0.7kg (1.6 lbs.) | 1.6kg (3.52 lbs.) | 3.7kg (8.1 lbs.) | 3.7kg (8.1 lbs.) | 3.7kg (8.1 lbs.) | 6.5kg (14.3 lbs.) | 6.5kg (14.3 lbs.)
Operating Environment (2): Temperature: 5° to 40° C; Humidity: 10% to 85% non-condensing; Altitude: 2,500m (all models)
Power Input: 100/240V, 50/60Hz (all models)
Power Supply Spec (Max) | 18W | 18W | 60W | 65W | 65W | 65W | 250W | 250W
Power Consumption (Max) | - | - | 46.9W | 26.2W | 41.1W | 40.1W | 63.1W | 77.5W
Compliance: UL 60950; FCC Part 15, Subpart B, Class A; EN 55024; EN 55022; VCCI V-3; AS/NZS 3548:1995; CNS 13438 Class A (test passed; country approval pending); KN22, KN61000-4 Series, TTA; IC-950; ROHS
(1) Maximum of 256 VLANs per interface
(2) UTM-1 Edge operating environment: Temperature: 0° to 40° C, Humidity: 10%–90% non-condensing, Altitude: 4500m (15,000ft)
Appliance Specifications
Series 80
Software Edition: R71
10/100/1000 Ports: 10
Firewall Throughput: 1.5 Gbps
VPN Throughput: 220 Mbps
Concurrent Sessions: 150,000
IPS Throughput: 720 Mbps
Licensed Users: Unlimited
VLANs: 1024
AV Throughput: 100 Mbps
Disk or Flash Based: Flash
Enclosure: Desktop
Dimensions (standard): 8.75 x 1.75 x 6 in.
Dimensions (metric): 220 x 44 x 152.4mm
Weight: 3.6kg (8 lbs.)
Operating Environment: Temperature: 0° to 40° C; Humidity: 5% to 95% non-condensing
Power Input: 100/240V, 50/60Hz, 240W
Power Supply Spec (max): 12V/2A DC 24W
Power Consumption (max): 16.68W
Compliance: EMC: EN55022+24_2007-ITE; FCC: FCCP15B+ICES-003-ITE; Safety: UL/c-UL 60950-1_2nd_2007(US+CA); IEC 60950_1_2nd_2005-CB
Appliance Specifications
Power-1 Series
Model | Power-1 5075 | Power-1 9075 | Power-1 11065 | Power-1 11075 | Power-1 11085
(The Power-1 11000 series comprises the 11065, 11075 and 11085.)
Software Edition | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71
10/100/1000 Ports | 10/14 | 14/18 | 14/18 | 14/18 | 14/18
10Gb Ports | 2 Optional | 4 Optional | 4 Optional | 4 Optional | 4 Optional
Firewall Throughput (1) | 9 Gbps | 16 Gbps | 15 Gbps | 20 Gbps | 30 Gbps
VPN Throughput (1) | 2.4 Gbps | 3.7 Gbps | 3.7 Gbps | 4 Gbps | 4.5 Gbps
Concurrent Sessions | 1.2 million | 1.2 million | 1.2 million | 1.2 million | 1.2 million
IPS Throughput (1)(2) | 7.5 Gbps | 10 Gbps | 10 Gbps | 12 Gbps | 15 Gbps
Licensed Users | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited
VLANs (3) | 1,024 | 1,024 | 1,024 | 1,024 | 1,024
UTM Out of the Box | Optional | Optional | Optional | Optional | Optional
Security Acceleration | Yes | Yes | Yes | Yes | Yes
Integrated Multigateway Management | | - | | - | -
Storage | 160 GB | 2 x 160 GB | 2 x 250 GB | 2 x 250 GB | 2 x 250 GB
Enclosure | 2U | 2U | 2U | 2U | 2U
Dimensions (standard) | 17 x 20 x 3.46 in. | 17 x 20 x 3.46 in. | 17 x 22.8 x 3.46 in. | 17 x 22.8 x 3.46 in. | 17 x 22.8 x 3.46 in.
Dimensions (metric) | 431 x 509.5 x 88mm | 431 x 509.5 x 88mm | 431 x 580 x 88mm | 431 x 580 x 88mm | 431 x 580 x 88mm
Weight | 14.5kg (31.9 lbs.) | 16.5kg (36.3 lbs.) | 23.4kg (51.6 lbs.) | 23.4kg (51.6 lbs.) | 23.4kg (51.6 lbs.)
Operating Environment: Temperature: 5° to 40° C; Humidity: 10% to 85% non-condensing; Altitude: 2,500m (all models)
Power Input: 100/240V, 50/60Hz (4) (all models)
Power Supply Spec (max) | 250W | 400W | 500W | 500W | 500W
Power Consumption (max) | 164.1W | 200.7W | 253.2W | 253.2W | 253.2W
Compliance: UL 60950; FCC Part 15, Subpart B, Class A; EN 55024; EN 55022; VCCI V-3; AS/NZS 3548:1995; CNS 13438 Class A (test passed; country approval pending); KN22, KN61000-4 Series, TTA; IC-950; ROHS
(1) Performance data represents the maximum capabilities of the systems as measured under optimal testing conditions. Deployment and policy considerations may impact performance results.
(2) Test based on real-world traffic blend using the default profile
(3) Maximum of 256 VLANs per interface
(4) Redundant power supply
Appliance Specifications
IP Series
Model | IP282 | IP295 | IP395 | IP565 | IP695 | IP1285 | IP2455
Software Edition | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71 | R65, R70, R71
10/100/1000 Ports | 6 | 6/8 | 4/8 | 4/12 | 4/16 | 4/28 | 4/32
10 GbE Ports (1) | - | - | - | - | 6 | 10 | 10
Firewall Throughput | 1.5 Gbps | 1.5 Gbps | 3.0 Gbps | 7 Gbps | 7.2/11.7 Gbps (2) | 10.3/17.5 Gbps (2) | 11/30 Gbps (2)
VPN Throughput | 1.0 Gbps | 1.0 Gbps | 677 Mbps | 1.7 Gbps | 1.9/3.3 Gbps (2) | 1.9/8.3 Gbps (2) | 1.9/8.3 Gbps (2)
Concurrent Sessions | 900,000 | 900,000 | 1 million | 1 million | 1 million | 1 million | 1 million
IPS Throughput (3) | 1.4 Gbps | 1.4 Gbps | 2.9 Gbps | 2.9 Gbps | 4 Gbps | 7 Gbps | 9 Gbps
VLANs (4) | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024
ADP Module | - | - | - | - | Optional | Optional | Optional
VPN Acceleration | Optional | Optional | Included | Included | Included | Included | Included
Storage | 40GB | 40 GB | 80 GB | 80 GB | 80 GB | 80 GB | 80 GB
Disk-Based or Flash | Disk | Disk or Flash | Disk or Flash | Disk or Flash | Disk or Flash | Disk or Flash | Disk or Flash
Enclosure | 1U/half rack | 1U/half rack | 1U | 1U | 1U | 2U | 2U
Dimensions (standard) | 8.52 x 18 x 1.71 in. | 8.52 x 18 x 1.71 in. | 17 x 16 x 1.71 in. | 17.23 x 22 x 1.71 in. | 17.23 x 24 x 1.71 in. | 17.23 x 24.11 x 3.46 in. | 17.23 x 24.11 x 3.46 in.
Dimensions (metric) | 216 x 457 x 44mm | 216 x 457 x 44mm | 432 x 406 x 44mm | 438 x 559 x 44mm | 438 x 610 x 44mm | 438 x 613 x 88mm | 438 x 613 x 88mm
Weight | 5.1kg (11.25 lbs) | 5.1kg (11.25 lbs) | 7.71kg (17.0 lbs) | 11.84kg (26.1 lbs) | 12.38kg (27.3 lbs) | 19.6kg (43.2 lbs) | 20.57kg (45.35 lbs)
Operating Environment: Temperature: 5° to 40° C (5); Humidity: 10% to 85% non-condensing; Altitude: 2,500m (all models)
Power Input: 100/240V, 50/60Hz (all models)
Power Supply Spec (max) | 133W | 133W | 150W | 225W | 250W | 700W | 700W
Power Consumption (max) | - | - | 100W | 165W | - | - | -
DC Power Supply | - | Optional | Optional | | | |
Compliance: Safety: UL60950-1, First Edition: 2003, CAN/CSAC22.2, No 60950:2000, IEC60950-1: 2001, EN60950-1:2001+A11 with Japanese National Deviations; Emission Compliance: FCC Part 15, Subpart B, Class A, EN50024, EN55022A: 1998, CISPR 22 Class A: 1985, EN61000-3-2, EN61000-3-3; Immunity: EN55024: 1998
(1) Optional
(2) Performance without ADP/with ADP
(3) Preliminary results
(4) Maximum of 256 VLANs per interface
(5) IP395 can go to 50° C
Appliance Specifications
VSX-1 Series
Model | VSX-1 3070 | VSX-1 9070 | VSX-1 9090
Software Edition (VSX Version) | R65 | R65 | R65
10/100/1000 Ports | 10 | 14/18 | 28/36
Firewall Throughput | 4.5 Gbps | 13.5 Gbps | 27 Gbps
VPN Throughput | 1.1 Gbps | 3.5 Gbps | 7 Gbps
Concurrent Sessions | 1 million | 1.1 million | 1.8 million
Licensed Users | Unlimited | Unlimited | Unlimited
VLANs | 4096 | 4096 | 4096
Virtual Systems (included/capacity) | 5/10 | 10/150 | 10/150
UTM Out of the Box | Optional | Optional | Optional
Security Acceleration | Yes | Yes | Yes
Multisite Management (1) | Optional | Optional | Optional
Storage | 160 GB | 2 x 160 GB | 4 x 160 GB
Enclosure | 1U | 2U | 4U
Dimensions (standard) | 17.4 x 15 x 1.73 in. | 17 x 20 x 3.46 in. | 17 x 20 x 7 in.
Dimensions (metric) | 443 x 381 x 44mm | 431 x 509.5 x 88mm | 431 x 509.5 x 176mm
Weight | 6.5kg (14.3 lbs.) | 16.5kg (36.3 lbs.) | 33kg (72.6 lbs.)
Operating Environment: Temperature: 5° to 40° C; Humidity: 10% to 85% non-condensing; Altitude: 2,500m (all models)
Power Input: 100/240V, 50/60Hz (all models)
Power Supply Spec (max) | 250W | 400W | 800W
Power Consumption (max) | 77.5W | 200.7W | 400.5W
(1) Management server resides on separate server
Appliance Specifications
DLP-1 Series
Model | DLP-1 2571 | DLP-1 9571
Software Edition | R71 | R71
Number of Users | 1000 | 5000
Messages/Hour | 70,000 | 350,000
Throughput | 700 Mbps | 2.5 Gbps
Built-in Interfaces | 6 Copper 1 GbE | 10 Copper 1 GbE
Optional Interfaces | Built-in 4-Port Copper Bypass Card | LOM, 2x4 1 GbE Fiber, 2x4 1GbE Copper, 2x2 10 GbE, Modular 4-Port Copper Bypass Card
Storage Size | 500GB | 2x2TB (Mirrored – RAID 1)
Enclosure | 1U | 2U
Dimensions (standard) | 17.4 x 15 x 1.73 in. | 17 x 20 x 3.46 in.
Dimensions (metric) | 443 x 381 x 44mm | 431 x 509.5 x 88mm
Weight | 6.5kg (14.3 lbs.) | 16.5kg (36.3 lbs.)
Dual, Hot-Swappable Power Supplies | No | Yes
Power Input | 100/240V, 50/60Hz | 100/240V, 50/60Hz
Power Supply Spec (max) | 250W | 400W
Power Consumption (max) | 77.5W | 200.7W
Operating Environment: Temperature: 5° to 40° C; Humidity: 10% to 85% non-condensing; Altitude: 2,500m (both models)
Compliance: UL 60950; FCC Part 15, Subpart B, Class A; EN 55024; EN 55022; VCCI V-3; AS/NZS 3548:1995; CNS 13438 Class A (test passed; country approval pending); KN22, KN61000-4 Series, TTA; IC-950; ROHS
Appliance Specifications
Smart-1 Series
Model | Smart-1 5 | Smart-1 25 | Smart-1 50 | Smart-1 150
Software Edition | R65, R70 | R65, R70 | R65, R70 | R65, R70
Managed Gateways | 5 up to 25 | 25 up to 50 | 50 up to 150 | 150 up to unlimited
Managed Domains | - | - | 1 up to 3/5/10 | 3 up to 5/10/50
Management HA | Included | Included | Included | Included
Logs/sec | 7,500 | 14,000 | 30,000 | 30,000
Built-in Interfaces | 5 Copper GbE | 5 Copper GbE | 4 Copper GbE | 4 Copper GbE
LCD Display | Yes | - | Yes | Yes
Storage | 1 x 0.5 TB | 4 x 0.5 TB | 4 x 1 TB | 4 x 1 TB, up to 12 TB
Storage Type | - | RAID 10 | RAID 10 | RAID 10
Fiber Channel SAN Card | - | - | Optional | Optional
Out-of-Band Management | - | Integrated | Integrated | Integrated
Enclosure | 1U | 1U | 2U | 3U
Dimensions (standard) | 17 x 10.9 x 1.75 in. | 17 x 21.7 x 1.75 in. | 22.8 x 17.4 x 3.5 in. | 24.9 x 17.4 x 5.2 in.
Dimensions (metric) | 431 x 277 x 44mm | 431 x 551 x 44mm | 580 x 442 x 88mm | 632 x 442 x 131mm
Weight | 6kg (13.2 lbs.) | 13kg (28.7 lbs.) | 23.5kg (51.8 lbs.) | 29.5kg (65 lbs.)
Power Supply | 1 | 2 | 2 | 3
Power Input | 100/240V, 50/60Hz | 100/240V, 50/60Hz | 90/264V, 47/63Hz | 90/264V, 47/63Hz
DC Option | - | - | Yes | -
Power Supply Spec (max) | 150W | 2 x 250W | 2 x 600W | 3 x 930W
Power Consumption (max) | 70.5W | 135.8W | 505.3W | 399.6W
Operating Environment: Temperature: Ambient operating 0° to 40° C; Humidity: 5% to 95% non-condensing (RH) (all models)
Compliance: CE, FCC Class A, RoHS (all models)
Smart-1 SmartEvent Series

| Smart-1 SmartEvent Series | Smart-1 SmartEvent 5 | Smart-1 SmartEvent 25 | Smart-1 SmartEvent 50 |
|---|---|---|---|
| Software Edition | R70.2 | R70.2 | R70.2 |
| Managed Gateways | 5 up to 25 | 25 up to 50 | 50 up to 150 |
| Managed Domains | 1 | 1 | 1 up to 3/5/10 |
| Management HA | Included | Included | Included |
| Logging Capacity (Recommended) | 2GB per day | 10GB per day | 25GB per day |
| Storage | 1 x 0.5 TB | 4 x 0.5 TB | 4 x 1 TB |
| Storage Type | - | RAID 10 | RAID 10 |
| Built-in Interfaces | 5 Copper GbE | 5 Copper GbE | 4 Copper GbE |
| Fibre Channel SAN card | - | - | Optional |
| Out-of-band management | - | Integrated | Integrated |
| LCD Display | Yes | - | Yes |
| Enclosure | 1U | 1U | 2U |
| Dimensions (standard) | 17 x 10.9 x 1.75 in. | 17 x 21.7 x 1.75 in. | 22.8 x 17.4 x 3.5 in. |
| Dimensions (metric) | 431 x 277 x 44mm | 431 x 551 x 44mm | 580 x 442 x 88mm |
| Weight | 6kg (13.2 lbs.) | 13kg (28.7 lbs.) | 23.5kg (51.8 lbs.) |
| Power Supply | 1 | 2 | 2 |
| Power Input | 100/240V, 50/60Hz | 100/240V, 50/60Hz | 90/264V, 47/63Hz |
| DC Option | - | - | Yes |
| Power Supply Spec (max) | 150W | 2 x 250W | 2 x 600W |
| Power Consumption (avg) | 61.7W | 122W | 350.8W |

Operating Environment (all models): Temperature: Ambient operating 0° to 40° C; Humidity: 5% to 95% non-condensing (RH)
Compliance (all models): CE, FCC, Class A, RoHS
Check Point Integrated Appliance Solutions (IAS)

| Check Point Integrated Appliance Solutions | IAS (1) M2 | IAS (1) M6 | IAS (1) M8 |
|---|---|---|---|
| Software Edition | R65, R70 | R65, R70 | R65, R70 |
| 10/100/1000 Ports | 4/10 | 10/10 | 14/18 |
| Firewall Throughput (2) | 7 Gbps | 16 Gbps | 20 Gbps |
| VPN Throughput (2) | 2.4 Gbps | 3 Gbps | 4 Gbps |
| Concurrent Sessions | 1.2 million | 1.2 million | 1.2 million |
| IPS Throughput (2) | 4 Gbps (3) | 7.1 Gbps (3) | 8.6 Gbps (3) |
| Licensed Users | Unlimited | Unlimited | Unlimited |
| VLANs | 256 | 256 | 256 |
| UTM Out of the Box | Optional | Optional | Optional |
| Security Acceleration | Yes | Yes | Yes |
| Integrated Multigateway Management | Optional | Optional | Optional |
| Storage | 2 x 73 GB | 2 x 73 GB | 2 x 73 GB |
| Enclosure | 1U | 1U | 2U |
| Dimensions (standard) | 17.3 x 27.5 x 1.75 in. | 17.3 x 27.5 x 1.75 in. | 17.5 x 27.5 x 3.36 in. |
| Dimensions (metric) | 440 x 698 x 44mm | 443 x 698 x 44mm | 444 x 698 x 84.8mm |
| Weight | 16.1kg (35.5 lbs.) | 16.1kg (35.5 lbs.) | 26.1kg (57.5 lbs.) |
| Power Input (4) | 100/240V, 50/60Hz | 100/240V, 50/60Hz | 100/240V, 50/60Hz |
| Power Supply Spec (max) | 650W | 650W | 1300W |
| Power Consumption (max) | 180W | 212W | 342W |

Operating Environment (all models): Temperature: 5° to 40° C; Humidity: 10% to 85% non-condensing; Altitude: 2,500m

Notes:
1 IAS = Integrated Appliance Solutions
2 Performance data represents the maximum capabilities of the systems as measured under optimal testing conditions. Deployment and policy considerations may impact performance results.
3 Test based on real-world traffic blend using the default profile
4 Redundant power supply
Integrated Appliance Solution Bladed Hardware Series

| Bladed Hardware Series | Crossbeam X45 | Crossbeam X80 |
|---|---|---|
| Throughput | Up to 8 Gbps per APM; up to 20 Gbps per chassis | Up to 8 Gbps per APM; up to 40 Gbps per chassis |
| Form Factor/Size | 13.5 x 17.5 x 19 in. - 19 in. rack mountable | 30 x 17.5 x 17.5 in. |
| Interfaces/Connectivity | Data: 2 x 10 Gigabit Ethernet SR/LR via XFP and 10 x 1 Gigabit Ethernet SX/LX via SFP | Per Network Processor Module (NPM): 2x10 GbBase-SR/LR via XFP; 10x1 GbBase-SX/LX via SFP |
| Processor | Single, dual dual-core, or quad-core CPU | Single, dual dual-core, or quad-core CPU |
| System Memory | Up to 16 GB per APM | Up to 16 GB per APM |
| Disk Size | 120 GB HDD per APM | 120 GB HDD per APM |
| Power | 1-2 PS, 1,200W or 2,700W; 120-240 VAC, 2,400W rated max; 200-240 VAC, 2,700W rated max | 1-4 PS, 1,200W or 2,700W; 120-240 VAC, 3,600W rated max; 200-240 VAC, 5,000W rated max; X80-DC: -48 volt DC, 100A |
| Module Support | Up to 2 NPM, up to 5 APM, up to 2 CPM; supports up to 7 modules total | Up to 4 NPM, up to 10 APM, up to 2 CPM; supports up to 14 modules total |
| Other | Single or Dual System High Availability; GUI- or CLI-based management; scales to 2 Network Processing Modules (NPM), 3 Application Processing Modules (APM) and 2 Control Processing Modules (CPM) | Single or Dual System High Availability; GUI- or CLI-based management; scales to 4 Network Processing Modules (NPM), 8 Application Processing Modules (APM) and 2 Control Processing Modules (CPM) |
| Check Point Software | VPN-1 NGX R65, Security Gateway R70 & R71, VPN-1 Power VSX R65 & R67 | VPN-1 NGX R65, Security Gateway R70 & R71, VPN-1 Power VSX R65 & R67 |
| Operating System | XOS 7.2.1, 7.3.0.3, 8.0.1, 8.1.0, 8.5.0, and 9.0 | XOS 7.2.1, 7.3.0.3, 8.0.1, 8.1.0, 8.5.0, and 9.0 |

Common to both chassis:
Management: Command Line Interface (SSH, telnet, console), Greenlight Element Manager (GEM) EMS (https), SNMP V1,2,3 support, Standard Syslog
Certification: Common Criteria EAL4 with Check Point Software Technologies VPN-1 R65
Status Indicators: Power Supply and Module Active/Failed Status LED, Port link (NPM, CPM), Minor/Major/Critical Alarm LEDs
Regulatory Compliance for Chassis: RoHS; UL 60950, IEC 950, FCC 47 CFR Part 15 Class A, EN 55022 : EN 55024, VCCI V-3 : AS/NZS 3548 : 1995 : CNS 13438 Class A
Green IT Compliancy: High efficiency power system up to 91 percent, Member of The Green Grid; WEEE Directive, ISO 14001, RoHS
Operating Environment: Temperature: 0° to 40° C (32° to 104° F); Humidity: 10% to 90% non-condensing; Altitude: 3,048m (10,000 ft.)
Check Point Integrated Appliance Solutions: D-series gateways

| Check Point Integrated Appliance Solutions | D1 Gateway | D1 Gateway pair | D2 Gateway | D6 Gateway | D8 Gateway |
|---|---|---|---|---|---|
| Software Edition | R70 4003 | R70 4003 | NGX R70 PWR | NGX R70 PWR | NGX R70 PWR |
| Virtual Firewalls | | | - | | |
| 10/100/1000 Ports | 6/6 | 6/6 | 6/10 | 6/10 | 8/18 |
| 10 Gb Ports | | | - | | |
| Firewall Throughput | 2 Gbps | 2 Gbps | 7 Gbps | 16 Gbps | 20 Gbps |
| VPN Throughput | 1.2 Gbps | 1.2 Gbps | 2.4 Gbps | 3 Gbps | 4 Gbps |
| Concurrent Sessions | 1.2 million | 1.2 million | 1.2 million | 1.2 million | 1.2 million |
| IPS Throughput | | | - | | |
| VLANs | 254 | 254 | 256 | 256 | 256 |
| Lights Out Management | Included | Included | Included | Included | Included |
| Storage | 160 GB | 160 GB | 2 x 73 GB (8 Max) | 2 x 73 GB (8 Max) | 2 x 73 GB (12 Max) |
| Memory | 1 GB | 1 GB | 2 GB | 4 GB | 8 GB |
| Dimensions (standard) | 1.69 x 17.64 x 27.56 in. | 1.69 x 17.64 x 27.56 in. | 1.70 x 16.78 x 27.25 in. | 1.70 x 16.78 x 27.25 in. | 3.38 x 17.54 x 29.25 in. |
| Dimensions (metric) | 432 x 448.1 x 700mm | 432 x 448.1 x 700mm | 432 x 426.2 x 692.2mm | 432 x 426.2 x 692.2mm | 859 x 445.5 x 743mm |
| Weight | 14.3 kg (31.49 lbs.) | 14.3 kg (31.49 lbs.) | 17.92 kg (39.5 lbs.) | 17.92 kg (39.5 lbs.) | - |
| Power Input | 90/132V, 180/264V, 47/63Hz | 90/132V, 180/264V, 47/63Hz | 100/240V, 50-60Hz | 100/240V, 50/60Hz | 100/240V, 50/60Hz |
| Power Supply Spec (max) | 430W | 430W | 460W | 460W | 460W |
| Power Consumption (max) | 75W | 75W | 170W | 181W | 290W |

Operating Environment (all models): Temperature: 10° to 35° C (50° to 95° F); Humidity: 10% to 90% non-condensing; Altitude: 3,050m (10,000 ft.)
Compliance: CISPR 22; EN55022; EN55024; FCC CFR 47, Pt 15; ICES-003; CNS13438; GB9254; EN 61000-3-2; EN 61000-3-3; EN 60950-1; IEC 60950-1 (a second compliance set on the datasheet additionally lists K22; K24)
Check Point Integrated Appliance Solutions (continued): VSX/VSLS and UTM appliances

| Check Point Integrated Appliance Solutions | VSX 50 (Virtual firewall D8) | VSLS 50 (Virtual firewall D8) | VSX 100 (Virtual firewall D8) | VSLS 100 (Virtual firewall D8) | UTM appliance & UTM appliance pair |
|---|---|---|---|---|---|
| Software Edition | NGX R67 VSX | NGX R67 VSX | NGX R67 VSX | NGX R67 VSX | R70.1 |
| Virtual Firewalls | 50/250 | 100/250 | 100/250 | 100/250 | - |
| 10/100/1000 Ports | 4/4 | 4/4 | 4/4 | 4/4 | 4 x RJ-45 Base-T |
| 10 Gb Ports | 4/8 | 4/8 | 4/8 | 4/8 | - |
| Firewall Throughput | 20 Gbps (System Aggregate) | 20 Gbps (System Aggregate) | 20 Gbps (System Aggregate) | 20 Gbps (System Aggregate) | 600 Mbps |
| VPN Throughput | 4 Gbps (System Aggregate) | 4 Gbps (System Aggregate) | 4 Gbps (System Aggregate) | 4 Gbps (System Aggregate) | 100 Mbps |
| Concurrent Sessions | 1.2 million (System Aggregate) | 1.2 million (System Aggregate) | 1.2 million (System Aggregate) | 1.2 million (System Aggregate) | 600,000 |
| IPS Throughput | - | - | - | - | 380 Mbps |
| VLANs | 256 per Firewall | 256 per Firewall | 256 per Firewall | 256 per Firewall | 1,024 |
| Lights Out Management | Included | Included | Included | Included | - |
| Storage | 2 x 73 GB (12 Max) | 2 x 73 GB (12 Max) | 2 x 73 GB (12 Max) | 2 x 73 GB (12 Max) | 46 GB |
| Memory | 16 GB | 16 GB | 16 GB | 16 GB | 1 GB |
| Dimensions (standard) | 3.38 x 17.54 x 29.25 in. | 3.38 x 17.54 x 29.25 in. | 3.38 x 17.54 x 29.25 in. | 3.38 x 17.54 x 29.25 in. | 16.8 x 10 x 1.73 in. |
| Dimensions (metric) | 859 x 445.5 x 743mm | 859 x 445.5 x 743mm | 859 x 445.5 x 743mm | 859 x 445.5 x 743mm | 429 x 255 x 44mm |
| Weight | - | - | - | - | 3.7kg (8.1 lbs.) |
| Power Input | 100/240V, 50/60Hz | 100/240V, 50/60Hz | 100/240V, 50/60Hz | 100/240VAC, 50/60Hz | 100/240V, 50/60Hz |
| Power Supply Spec (max) | 430W | 430W | 460W | 460W | 65W |
| Power Consumption (max) | 75W | 75W | 170W | 181W | 41.1W |

Operating Environment (VSX/VSLS): Temperature: 10° to 35° C (50° to 95° F); Humidity: 10% to 90% non-condensing; Altitude: 3,050m (10,000 ft.)
Compliance (VSX/VSLS): CISPR 22; EN55022; EN55024; FCC CFR 47, Pt 15; ICES-003; CNS13438; GB9254; K22; K24; EN 61000-3-2; EN 61000-3-3; EN 60950-1; IEC 60950-1
Operating Environment (UTM appliance): Temperature: 5° to 40° C; Humidity: 10% to 85% non-condensing; Altitude: 2,500m
Compliance (UTM appliance): UL 60950; FCC Part 15, Subpart B, Class A; EN 55024; EN 55022; VCCI V-3; AS/NZS 3548:1995; CNS 13438 Class A (test passed; country approval pending); KN22, KN61000-4 Series, TTA; IC-950; ROHS
©2003–2010 Check Point Software Technologies Ltd. All rights reserved.
September 28, 2010
Citrix Access Gateway
Datasheet
Citrix Access Gateway is the leading secure access solution for applications and desktops
• HDX SmartAccess – Delivers simple and seamless secure access anywhere
• Data security through adaptive application-level control
• Broad client support
• Flexible deployment options with virtual and physical appliances
• World-class scalability and performance
• Accelerated virtual desktops and applications
Easy and secure application access from anywhere
Citrix Access Gateway™ is a secure access solution that provides administrators granular application-level policy and action controls to secure access to virtual desktops, applications and data while allowing users to work from anywhere. It offers flexible deployment options with both physical and virtual appliances, a single point of management, and tools to help ensure compliance and the highest levels of information security across and outside the enterprise.
At the same time, it empowers users with a single point of access—optimized for roles, devices and networks—to the enterprise applications and data they need. This unique combination of capabilities helps maximize the productivity of today’s mobile workforce.
Features
All Access Gateway appliances include secure access to Citrix® XenDesktop® and Citrix® XenApp™ deployments at no additional cost, making it the most integrated and cost-effective solution for these environments. Expanded capabilities are also available with Universal Licenses that enable Access Gateway to secure all types of applications and data, and enforce strong data security through adaptive policies. Universal Licenses can be purchased separately and are included with Platinum Editions of XenApp, XenDesktop and Citrix® NetScaler®.
Feature: Easy desktop and application access
Provides secure access to all applications and data from any device with a single point of access that simplifies the user experience.
Secure access to XenApp and XenDesktop: Provides secure access to XenDesktop and XenApp sessions without requiring a VPN connection.
Secure network access: Full VPN support enables network-level access to any server within the protected network.
Secure browser-only access: Provides secure access to web applications, e-mail, and file shares using only a browser (no additional client components required).
Single point of access: Provides a robust landing page for users to easily access all their applications, files, e-mail, and other IT resources.
User localization: Localizes user interfaces in English, Spanish, French, German, and Japanese.

Feature: Endpoint analysis
Ensures that devices are safe to connect to the network and users have a method to easily update their devices to meet established policies.
Broad client support: Supports major platforms including Windows® 32 and 64-bit operating systems (including Windows 7) and Mac® OS X.
Integrated endpoint scanning: Continually scans client devices to determine if client security products (anti-virus, personal firewall, or other mandatory corporate programs) are active.
Enhanced machine identity scans: Determines machine identity by scanning for known corporate images on client devices.
Quarantine groups / remediation: Provides clients that fail endpoint analysis scanning with limited access to remediation sites to bring client devices into compliance with the organization’s security policies.
Extensible endpoint analysis: Extends endpoint analysis capabilities using industry-standard development tools.

Some of the features above are included appliance features; others require the Universal License.
1. Requires MPX 5500 or NetScaler
2. Requires Advanced Access Controller server
Feature: Scenario-based policy control (SmartAccess)
Provides control to configure the most secure access to data and applications by dynamically adjusting access based on device configuration, location, and identity.
Feature: Application and data security
Protects and keeps private all data transmitted between the client and gateway.
Feature: Accelerated secure access
Ensures that users have a secure and optimized access experience to avoid common networking performance issues.

Adaptive access control: Provides access control on resources based on endpoint analysis results.
Adaptive access control for virtual hosted applications and desktops: Provides adaptive access control to applications and desktops controlled by XenDesktop and XenApp.
Adaptive application and action control: Controls the behavior of XenDesktop and XenApp sessions by preventing operations that may compromise data to unsecure devices.
Standards-based security: Ensures that all communications are secure with SSL/TLS encryption.
Extensive authentication support: Provides strong authentication with 2-factor methods and authenticates users against LDAP and RADIUS servers to leverage existing directories within the organization.
Client certificate support: Validates certificates prior to granting access to protected resources in order to verify managed client devices.
Basic split tunneling control: Disables access to all network resources not hosted on the protected network.
Enhanced split tunneling control: Can disable split tunneling on clients to shut down direct Internet access but still permit access to resources on the client’s local subnet.
Browser cache cleanup: Removes objects and data stored on the local browser during the SSL VPN session.
Branch Repeater integration: When used together with the Citrix® Branch Repeater™ and Citrix Acceleration plug-in, Citrix Access Gateway can optimize connections to XenDesktop, XenApp, and other traffic within a VPN connection to ensure the best performance over a WAN and overcome common usability problems that exist as a result of network issues.

Some of the features above are included appliance features; others require the Universal License.
1. Requires MPX 5500 or NetScaler
Feature: Fault tolerance
Creates secure access deployments that guarantee a high level of availability and reliability.
Feature: Simplified administration
Maximizes the efficiency of the IT organization by simplifying common installation and management tasks.

Basic high availability configuration: Links appliances to create an active-passive pair, ensuring sessions remain active if the master fails.
Optional global server load balancing (GSLB): Routes client connections to the best VPN site based on availability, health, proximity, and responsiveness.
Centralized administration: Configures and manages Access Gateway appliances from a single management console.
Wizard-driven configuration: Provides an intuitive series of click-through screens and simple instructions to guide administrators through installation and configuration.
Multiple virtual VPN servers: A single appliance can emulate multiple SSL VPNs by hosting one or more virtual servers each with a unique IP, FQDN, and certificate.
Historical charting: Provides administrators with a graphical view of system and user activities.
Administrative auditing: Monitors all configuration changes made by administrators to ensure accountability and easy roll-back of configuration errors.
Auto-downloading / Auto-updating client plug-in: Automatically downloads the Citrix Secure Access plug-in when the user connects to Access Gateway and ensures that they always receive the latest version of the client software.
Support for automated distribution of Access Gateway plug-in: Simplifies client installation by allowing deployment of the Access Gateway plug-in through systems and client management solutions.

Some of the features above are included appliance features; others require the Universal License.
1. Requires MPX 5500 or NetScaler
2. Requires NetScaler
Platform specifications

| Platform specifications | Access Gateway VPX virtual appliance on XenServer and VMware® ESX™ | Access Gateway 2010 | Access Gateway MPX 5500 | Access Gateway 9010 FIPS |
|---|---|---|---|---|
| Maximum VPN users | 500 | 500 | 5,000 | 5,000 |
| Chassis dimensions | NA | H: 1.72” (4.36 cm) (1U rackmount); W: 17.22” (43.73 cm); D: 18.4” (46.72 cm) | H: 1.72” (4.36 cm) (1U rackmount); W: 17.22” (43.73 cm); D: 21.75” (55.2 cm) | H: 3.5” (8.9 cm) (2U rackmount); W: 17” (43.2 cm); D: 16” (40.6 cm) |
| Weight | NA | 12.57 lbs (5.7 kg) | 22 lbs (9.97 kg) | 34 lbs (15.4 kg) |
| Power | NA | 100-240VAC Full Range, 50-60 Hz, 250W | 100-264VAC Full Range, 47-63 Hz | 90-264VAC Full Range, 47-63 Hz, 335W |
| Interface ports | NA | 1 Serial Port; 1 USB Port; 2 x 10/100/1000 BASE-T | 8x10/100/1000 BASE-T | 4 x 10/100/1000 BASE-T; 1 x 10/100/1000 BASE-T |
| Warranty, software and firmware updates | 12 months included (software updates only) | 12 months included, additional plan available | 12 months included, additional plan available | 12 months included, additional plan available |
About Citrix
Citrix Systems, Inc. (NASDAQ:CTXS) is a leading provider of virtual computing solutions that help companies deliver IT as an on-demand service. Founded in 1989, Citrix combines virtualization, networking, and cloud computing technologies into a full portfolio of products that enable virtual workstyles for users and virtual datacenters for IT. More than 230,000 organizations worldwide rely on Citrix to help them build simpler and more cost-effective IT environments. Citrix partners with over 10,000 companies in more than 100 countries. Annual revenue in 2009 was $1.61 billion.
©2010 Citrix Systems, Inc. All rights reserved.
FirePass SSL VPN
DATASHEET
What’s Inside:
Improved User Experience
Network Access
Application Access—Secure Access to Specific Applications
Portal Access—Proxy-Based Access to Web Applications, Files, and Email
Portal Access—Comprehensive Security
Dynamic Policy Engine—Total Administrative Control
Customization
iControl SSL VPN Client API for Secure Application Access
FirePass Product Details
FirePass Specifications
More Information

Increase Productivity with Flexible, Secure Remote Access
As more mobile and remote workers use an increasing number of different devices to access corporate applications and data from many locations, your business benefits from more flexible and productive users. But securing applications, data, the network, and client devices from unauthorized access and attacks can quickly add management complexity and cost.
The FirePass® SSL VPN appliance and Virtual Edition (VE) provide secure remote access to enterprise applications and data for users over any device or network. FirePass ensures easy access to applications by delivering outstanding performance, scalability, availability, policy management, and endpoint security. The result is unified security enforcement and access control that increases the agility and productivity of your workforce.
Key Benefits:
Increase worker productivity: Provide fast and secure, always connected remote access from any location, from any device.
Gain ultimate flexibility: Quickly and easily deploy a virtual appliance to add remote access functionality to your existing virtual infrastructure.
Decrease costs: Reduce deployment and support costs with easy management, simple deployment, and secure application access.
Increase security: Deliver granular access control to intranet resources on a group basis, enhancing security.
Reduce risk with endpoint security: Verify the user quickly and easily with endpoint security to validate compliance with corporate policy.
BIG-IP Edge Client uses cutting edge roaming, domain detection, and automatic connection to deliver a seamless transition between locations.
Improved User Experience
FirePass helps ensure user productivity by minimizing the time and effort required to gain access to authorized files and applications.
“Always connected” remote access
Some access clients need constant reconnection throughout the day as users move locations or restart applications. The BIG-IP® Edge Client™ solution is a state-of-the-art, integrated client that provides location awareness and zone determination to deliver a remote access solution unlike any other. Cutting-edge roaming, domain detection, and automatic connection create a seamless transition as users move between locations. BIG-IP Edge Client helps ensure continued user productivity whether the user is at home on a wireless network, using an air card in transit, giving a presentation from corporate wireless, in a café on guest wireless, or docked on a LAN connection. BIG-IP Edge Client is supported in FirePass 6.1 and 7.0.
[Figure: Always connected application access with BIG-IP Edge Client: at home (wireless), commuting (air card), in the office (docked LAN connection), presenting (corporate wireless), in the café (wireless)]
Seamless VPN access
When the user first enters credentials as part of the Windows logon process, BIG-IP Edge Client caches them and then automatically tries them in the first attempt to log onto the VPN. This streamlines the user experience to help improve productivity.
Network Access
FirePass provides LAN-type network access connectivity for all applications by supporting existing network infrastructure, identity management systems, and client-server operating systems.
FirePass Network Access for Microsoft Windows (Windows 7, Vista, XP), Mac, and Linux Systems
• Eliminates the need for special administrative privileges for FirePass client component updates with Windows Installer Service, lowering management costs.
• Provides secure remote access to the entire network for all IP-based (TCP, UDP) applications.
• Includes standard features across all desktop and laptop platforms, as well as split tunneling, compression, activity-based timeouts, and automatic application launching.
• Provides remote access—unlike IPSec VPNs—without requiring preinstalled client software and configuration of the remote device. Client- or server-side application changes are not required.
• Enables administrators to restrict and protect resources accessible through the connector by instituting rules that limit access to a specific network or port.
• Uses the standard HTTPS protocol with SSL as the transport, so the device works through all HTTP proxies including public access points, private LANs, and over networks and ISPs that don’t support IPSec VPNs.
• Utilizes GZIP compression to compress traffic before it is encrypted, reducing the amount of traffic that is sent across the Internet and improving performance.
• Supports the latest OSs and Browsers—FirePass 7.0 supports 32-bit versions of: Windows 7, Vista, and XP; Mac OS X Leopard and Snow Leopard; Internet Explorer 6, 7, and 8; Firefox 3.x; and Safari 4. It supports 64-bit versions of: Windows 7, Vista, and XP; Linux (contact F5 or Reseller for list), Internet Explorer 7 (except Win 7) and 8; and Firefox 3.0. Talk to an F5 sales representative or reseller to review compatibility for your environment.
Client Security
• Safe Split Tunneling—To protect against back-door attacks when accessing the network with split tunneling, FirePass provides a dynamic firewall that protects Windows, Mac, and Linux users when using the full network access feature. This prevents hackers from routing through the client to the corporate network or users from inadvertently sending traffic to the public network.
• Endpoint Client Checking—FirePass increases security by detecting the presence of required processes (for example, virus scans, anti-malware, personal firewalls, OS patch levels, registry settings, and more) and the absence of other processes (for example, key logger) on the Mac, Linux or Windows client before enabling full network access.
• Hardware Endpoint Inspectors—FirePass inspects client machine features such as MAC address, CPU ID, and HDD ID to identify remote devices. FirePass authorizes machines without the complexity of deploying machine certificates.
FirePass policies enable secure application access to a full set of corporate services, including kiosks, mobile devices, or laptops.
Windows Network Access Features
• Standalone Windows Client—FirePass establishes a network connection after entering user credentials. Software can be automatically distributed to the client using Microsoft’s MSI installer technology.
• Windows Logon/GINA Integration—Enables implied, transparent user logon to the corporate network by integrating with the GINA (“Ctrl + Alt + Del” prompt) logon process.
• Standalone VPN Client CLI—Command-line interface support offers single sign-on support through integration with third-party applications (such as remote dialer software).
• Windows VPN Dialer—Provides a simplified user experience for those more comfortable with the dialup interface.
• Automatic Drive Mapping—Network drives can be automatically mapped to a user’s Windows PC.
• Static IP Support—Assigns a static IP based on the user when the user establishes a network access VPN connection, lowering administrative support costs.
• Transparent Network Access—Eliminates network access browser window pop-ups and prevents users from accidentally terminating the connection.
Mobile Device Support
• Enables secure application access from Windows Mobile and smartphones.
• Provides access to both client/server- and web-based applications.
[Figure: FirePass policy enforcement by client type: Kiosk (Kiosk Policy, Cache/Temp File Cleaner), Mobile Device (Mini Browser Policy), Laptop (Corporate Policy, Firewall/Virus Check); corporate services reached through FirePass: Terminal Servers, Files, Intranet, Email, C/S Application, Full Network]

FirePass SSL VPN Value Proposition
• Browser-based ubiquitous access
• Lower support and management costs
• Endpoint security
• Granular access control
• Group policy enforcement
Application Access—Secure Access to Specific Applications
FirePass enables administrators to grant certain users—for example, business partners using equipment not maintained by the company—access to specific extranet applications and sites. FirePass protects network resources by only permitting access to applications that are cleared by the system administrator.
Specific Client/Server Application Access
• Enables a native client-side application to communicate back to certain corporate application servers via a secure connection between the browser and the FirePass device.
• Requires no pre-installation or configuring of any software.
• Involves no additional network-side software to access the application servers.
• Accesses applications via standard protocols: HTTP and SSL/TLS. It works with all HTTP proxies, access points, and private LANs, and over networks and ISPs that do not support traditional IPSec VPNs.
• Includes supported applications such as Outlook to Exchange Clusters, Passive FTP, Citrix Nfuse, and network drive mapping.
• Supports custom CRM applications as well as applications that use static TCP ports.
• Supports auto-login to AppTunnels, Citrix, and WTS applications to simplify the user experience.
• Integrates with Citrix SmartAccess to deliver endpoint inspection results to Citrix applications and send SmartAccess filters to XenApp based on the results of endpoint scans.
• Supports the auto-launch of client-side applications to simplify user experience and lower support costs.
• Enables lock-down Java-based application tunnels for non-Windows and Windows systems to prevent the execution of ActiveX controls.
• Offers complete DHCP support for clients using network access, automating IP address assignment and dynamic DNS registration of addresses. DHCP support eases multi-unit deployments, and the remote-access IP address range can overlap with the internal LAN.
• Delivers support for Microsoft Communicator via Portal Access, enhancing VoIP communications.
• Offers unique support for the compression of client/server application traffic over the WAN, enhancing performance.
Terminal Server Access
• Provides secure web-based access to Microsoft Terminal Servers, Citrix MetaFrame applications, Windows XP Remote Desktops, and VNC servers.
• Provides Terminal Services for VMware View web client to enable user access from virtual desktops.
• Supports group access options, user authentication, and automatic log-on capabilities for authorized users.
• Supports automatic downloading and installation of the correct Terminal Services or Citrix remote platform client component, if not currently installed on the remote device, saving time.
• Supports remote access to XP desktops for remote troubleshooting using RDP and non-XP desktops with the built-in VNC feature.
• Provides Java-based Terminal Services support for Citrix and Microsoft.
Dynamic App Tunnels
• Provides maximum support for accessing a wide variety of client/server- and web-based applications.
• Offers a better alternative to reverse proxies for accessing applications from Windows client devices.
• Eliminates the need for web application content interoperability testing.
• Requires only “power user” privileges for installation and no special privileges for execution.
• Provides added support for auto-launching web application tunnels, simplifying the user experience.
Host Access
• Enables secure web-based access to legacy VT100, VT320, Telnet, X-Term, and IBM 3270/5250 applications.
• Requires no modifications to the applications or application servers.
• Eliminates the need for third-party host access software, reducing total cost of ownership (TCO).
Portal Access—Proxy-Based Access to Web Applications, Files, and Email
FirePass Portal Access capability works on any client OS with a browser: Windows, Linux, Mac, smartphones, PDAs, and more.
Web Applications
• Provides access to internal web servers, including Microsoft Outlook Web Access, Lotus iNotes, and Microsoft SharePoint Server as easily as from inside the corporate LAN.
• Delivers granular access control to intranet resources on a group policy basis. For example, employees can gain access to all intranet sites; partners can be restricted to a specific web host.
• Dynamically maps internal URLs to external URLs, so the internal network structure is not revealed to the client.
• Manages user cookies at the FirePass device level to avoid exposing sensitive information.
• Passes user credentials to web hosts to support automatic login and other user-specific access to applications. FirePass also integrates with existing identity management servers (for example, CA Netegrity) to enable single sign-on to applications.
• Proxies login requests from web hosts to avoid having users cache their passwords on client browsers.
• Enables or restricts access to specific parts of an application with granular access control list (ACL) for increased security and reduced business risks.
• Provides split-tunneling support for web applications, resulting in faster user performance when accessing public websites.
• Validates the back-end server’s certificate in the reverse proxy, so the server is authenticated quickly.
• Offers dynamic server-side and DNS caching for increased web application (reverse proxy) performance and faster page download times.
• Delivers out-of-the-box reverse proxy support for rewriting a wide variety of JavaScript content in web pages, saving time.
• Provides Java patch ACL support to limit client-initiated connections through FirePass using Portal Access.
• Enables NTLMv2 support for access to web applications.
• Delivers DNS relay proxy service, enabling client-side name resolution without requiring any special runtime rights (for example, modification of hosts). Also enables redirection of ports to more fully support applications such as Outlook and Windows drive mapping.
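The Web Applications bullets above describe a portal-style reverse proxy that hides internal URLs behind external ones, keeps user cookies at the gateway, and applies a per-group ACL. The following is an added illustration of that pattern, not F5 code; the hostnames, groups, ACL and signing key are constructed for the example.

```python
"""Added illustration (not F5 code) of the portal-access pattern above:
internal hosts are hidden behind opaque external path prefixes, upstream
cookies stay at the gateway, and a per-group ACL is checked before any
request is mapped back to an internal host. Hostnames, groups and the
signing key are constructed for this example."""
import hashlib
import hmac
import re

SECRET = b"example-only-key"  # constructed; a gateway would load this from config


def external_id(host: str) -> str:
    """Opaque, stable token for an internal host (keyed hash, not the name)."""
    return hmac.new(SECRET, host.encode(), hashlib.sha256).hexdigest()[:16]


class PortalProxy:
    # Absolute http(s) links; group 1 = host, group 2 = path (may be absent).
    _LINK = re.compile(r"""https?://([a-z0-9.-]+)(/[^"'\s<>]*)?""")
    _EXT = re.compile(r"/p/([0-9a-f]{16})(/.*)?")

    def __init__(self, hosts, acl):
        # hosts: internal hostnames the portal fronts
        # acl: group -> set of allowed internal hosts; None means all hosts
        self.to_external = {h: external_id(h) for h in hosts}
        self.to_internal = {t: h for h, t in self.to_external.items()}
        self.acl = acl
        self.cookie_jar = {}  # (session id, internal host) -> {name: value}

    def rewrite_outbound(self, html: str) -> str:
        """Rewrite links to mapped internal hosts as /p/<token>/... paths,
        so the page never reveals the internal hostname."""
        def repl(m):
            token = self.to_external.get(m.group(1))
            if token is None:
                return m.group(0)  # unmapped host: leave the link untouched
            return f"/p/{token}{m.group(2) or '/'}"
        return self._LINK.sub(repl, html)

    def resolve_inbound(self, group, ext_path):
        """Map an external path back to (internal host, path), or None when
        the token is unknown or the group's ACL does not allow that host."""
        m = self._EXT.fullmatch(ext_path)
        if not m or m.group(1) not in self.to_internal:
            return None
        host = self.to_internal[m.group(1)]
        allowed = self.acl.get(group, set())  # unknown group: allow nothing
        if allowed is not None and host not in allowed:
            return None
        return host, m.group(2) or "/"

    def store_upstream_cookie(self, session, host, set_cookie):
        """Keep an upstream Set-Cookie at the gateway instead of forwarding
        it to the client browser (only name=value is needed here)."""
        name, _, value = set_cookie.split(";", 1)[0].partition("=")
        self.cookie_jar.setdefault((session, host), {})[name.strip()] = value.strip()

    def cookie_header(self, session, host):
        """Cookie header to send upstream for this session and host."""
        jar = self.cookie_jar.get((session, host), {})
        return "; ".join(f"{k}={v}" for k, v in jar.items())


if __name__ == "__main__":
    proxy = PortalProxy(
        hosts=["intranet.corp.example", "crm.corp.example"],  # constructed
        acl={"employees": None, "partners": {"crm.corp.example"}},
    )
    page = '<a href="http://intranet.corp.example/hr/policy">HR</a>'
    print(proxy.rewrite_outbound(page))
    tok = external_id("intranet.corp.example")
    print(proxy.resolve_inbound("employees", f"/p/{tok}/hr/policy"))
    print(proxy.resolve_inbound("partners", f"/p/{tok}/hr/policy"))
```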
File Server Access
• Enables users to browse, upload, download, copy, move, or delete files on shared directories.
• Supports: SMB Shares; Windows Workgroups; NT 4.0 and Win2000 domains; Novell 5.1/6.0 with Native File System pack; and NFS servers.
Email Access
• Provides secure web-based access to POP/IMAP/SMTP email servers from standard and mobile device browsers.
• Enables users to send and receive messages, download attachments, and attach network files to emails.
Mobile Device Support
• Provides secure access from Apple iPhone, Windows Mobile, PDAs, smartphones, cell phones, WAP, and iMode phones to email and other web-based applications.
• Dynamically formats email from POP/IMAP/SMTP email servers to fit the smaller screens of mobile phones and PDAs.
• Supports the sending of network files as email attachments and the viewing of text and Word documents.
• Supports ActiveSync applications, enabling PDA synchronization of email and calendar on Exchange Server from a PDA device, without requiring the pre-installed VPN client component.
Portal Access—Comprehensive Security
FirePass delivers multiple layers of control for securing information access from public systems.
Client Security
• Protected Workspace—Users of the 32-bit version of Windows XP/Vista/7 or the 64-bit version of Windows Vista/7 can be automatically switched to a protected workspace for their remote access session. In a protected workspace mode, the user cannot write files to locations outside the protected workspace; the temporary folders and all of their contents are deleted at the end of the session.
• Cache Cleanup—The cache cleanup control removes—and empties from the recycle bin—the following data from the client PC: cookies, browser history, auto-complete information, browser cache, temp files, and all ActiveX controls installed during the remote access session.
• Secure Virtual Keyboard—For additional password security, FirePass offers the patent-pending Secure Virtual Keyboard, which enables secure password entry from the mouse instead of the keyboard.
• Download Blocking—For systems unable to install a “cleanup” control, FirePass can be configured to block all file downloads to avoid the issue of inadvertently leaving behind temporary files, yet still enable access to applications.
• Automatic File Virtualization—In protected workspace mode, temporary files and registry settings are written to a virtual file system rather than to the local machine.
• Encrypted Saved Content—All temporary content saved on the remote system is encrypted in the event that the protected workspace doesn’t exit normally, such as in a power failure, rendering the content unreadable.
• Portal Support for Popular Mobile Clients—FirePass supports portal access with iPhone, BlackBerry, and Opera Mini browsers.
Content Inspection and Web Application Security
For users accessing web applications on the corporate network, FirePass enhances application security and prevents application-layer attacks (for example, cross-site scripting, invalid characters, SQL injection, buffer overflow) by scanning web application access for application layer attacks—then blocking user access when an attack is detected.
Integrated Virus Protection
FirePass can scan web and file uploads using either an integrated scanner or external scanner via ICAP API. Infected files are blocked at the gateway and not allowed onto email or file servers on the network, for increased protection.
Flexible Remote Access
FirePass Virtual Edition (VE) makes it easy to quickly deploy a virtual appliance to add SSL VPN functionality to an existing virtual infrastructure. This offers greater flexibility in disaster recovery scenarios or during a surge in remote access demand. Virtual editions of FirePass and BIG-IP Local Traffic Manager can be combined to provide industry-leading application delivery and remote access in the same environment.
FirePass VE is an easy way to add flexible remote access to your current virtual environment.
[Figure: users (Employees, Contractors, Customers) reach physical and virtual FirePass units through a Firewall and BIG-IP Local Traffic Manager in the DMZ, with internal and external servers behind them]
Dynamic Policy Engine—Total Administrative Control
The FirePass policy engine enables administrators to easily manage user authentication and authorization privileges.
Dynamic Policy-Based Access
Administrators have quick and granular control over their network resources. Through policy management support, they can authorize access to applications based on the user and device. Administrators can easily implement existing policies with import and export of pre-logon policies.
Visual Policy Editor
The Visual Policy Editor creates a flow-chart style graphical view of your access policies, giving you point-and-click ease in profiling and managing groups, users, devices, or any combination of the three. This simplifies the definition and management of endpoint policies, lowers administrative costs, and increases the ability to quickly ensure the protection of company resources.
[Figure: The Visual Policy Editor makes it easy to create access policies.]
[Figure: CAPTCHA protects against DoS and script-based brute force attacks.]
User Authentication
Users can be authenticated against an internal FirePass database, using passwords. FirePass can also be easily configured to work with RADIUS, Active Directory, RSA 2-Factor, LDAP authentication methods, basic and form-based HTTP authentication, identity management servers (for example, Netegrity), and Windows domain servers. With Active Directory, users can change current or expired passwords and receive warnings when passwords are set to expire. Support for nested Active Directory configurations enables the use of a more complex, hierarchical directory structure.
Two-Factor Authentication
Many organizations use “two-factor” authentication (such as tokens or SmartCards) that requires more than just a user ID and password. FirePass supports two-factor authentication, including RSA SecurID® Native ACE authentication.
Challenge Response Test
Administrators can implement CAPTCHA, an easy challenge response test for humans that protects the organization from DoS and script-based brute force attacks.
Client-side and Machine Certificates/PKI Support
FirePass integrates seamlessly with the existing PKI infrastructure and enables the administrator to restrict or permit access based on the device being used to access FirePass. FirePass can check for the presence of a client-side digital certificate or Windows machine certificate during user login. Based on the presence of a valid certificate, FirePass can support access to a broader range of applications. FirePass can also use client-side or machine certificates as a form of two-factor authentication and prohibit all network access for users without a valid certificate.
Group Management
Access privileges can be granted to individuals or to groups of users (for example: sales, partners, or IT). This enables FirePass to restrict individuals and groups to particular resources.
Group Policy Enforcement
Group policy provides an exclusive mechanism to apply and enforce policies on client systems not part of the network domain. You can use the Visual Policy Editor to design group policies, in the form of templates, that restrict user authority and access while enforcing compliance with PCI, HIPAA, and GLBA. (Note: Group Policy Objects are only available on Active Directory.)
Dynamic Group Mapping
FirePass dynamically maps users to FirePass groups using various dynamic group mapping mechanisms such as Active Directory, RADIUS, LDAP, client certificates, landing URI, and virtual host name as well as pre-logon session variables.
Single Sign-On (SSO) Support
SSO configuration uses authentication session variables to extract SSO information from certificates and authentication information from username and password settings. Advanced session variables help system administrators extend and customize FirePass, enabling them to manipulate and create new session variables for custom deployments. They also can collect and capture RADIUS attributes plus LDAP, Active Directory, and certificate field values.
Session Timeouts and Limits
Administrators can configure inactivity and session timeouts to protect against an attacker attempting to take over a session from a user who forgets to log off at a kiosk.
Role-Based Administration
Organizations have the flexibility to provide some administrative functions (enrolling new users, terminating sessions, re-setting passwords) to some administrator-users, without exposing all functions to them (for example, shutting down the server or deleting a certificate).
Logging and Reporting
FirePass delivers built-in logging support for logging user, administrator, session, application, and system events. Additionally, FirePass provides logs in silo format for integration with an external syslog server. The administration console offers a wide range of audit reports to help comply with security audits. Summary reports aggregate usage by day of the week, time of day, accessing OS, features used, websites accessed, session duration, session termination type, and other information for a user-specified time interval. A single URL is used to retrieve summary/group reports in either HTML or spreadsheet format.
Customization
FirePass provides advanced customization features, enabling the administrator to design a unique GUI or existing corporate website portal to best reflect corporate and user requirements.
Localized User GUI
FirePass enables all fields on the user web page to be localized, including the names of features (for example, web applications). This helps companies localize the user’s GUI, not just user favorites—increasing business value and lowering TCO.
Complete Login and Webtop Customization
With FirePass, administrators can completely customize an entire login and webtop web page to best suit their existing corporate website portals. Administrators can use WebDAV capabilities to upload custom pages, for an enhanced user experience.
iControl SSL VPN Client API for Secure Application Access
As the only SSL VPN product with an open client API and SDK, FirePass enables automated, secure access from the Win32 client OS (XP, Vista, 7) by providing secure system-to-system or application-to-application communication. Applications can automatically start and stop network connections transparently without requiring users to log into the VPN. This enables faster, easier connections for users while reducing client application installation costs.
FirePass Product Details
The range of FirePass appliances and the Virtual Edition addresses the concurrent user access needs of small to large enterprises.
FirePass 1200
The FirePass 1200 device is designed for small to medium enterprises and branch offices, and supports from 10 to 100 concurrent users.
FirePass 4100
The FirePass 4100 controller is designed for medium-size enterprises and, from a price/performance standpoint, is recommended for up to 500 concurrent users.
FirePass 4300
The FirePass 4300 appliance is designed for medium to large enterprises and service providers and supports up to 2000 concurrent users.
FirePass Virtual Edition
FirePass Virtual Edition runs in a VMware ESX 4.0 virtual environment and is designed for medium to large enterprises and service providers supporting up to 2000 concurrent users.
Clustering
The FirePass 4100 and 4300 appliances and Virtual Edition have built-in clustering support.
They can be combined with F5 BIG-IP® Global Traffic Manager™ and BIG-IP® Local Traffic Manager™ to provide industry-leading scalability, performance, and availability.
Failover
FirePass appliances and Virtual Edition can also be configured for stateful failover between pairs of servers (an active server and a standby server) to avoid having to re-logon to another FirePass device or Virtual Edition in the unlikely event of a primary unit failure.
SSL Accelerator Hardware Option
FirePass 4100 offers a unique Hardware SSL Acceleration option to offload the SSL key exchange as well as the encryption and decryption of SSL traffic. This enables significant performance gains in large enterprise environments for processor-intensive ciphers such as 3DES and AES.
FIPS SSL Accelerator Hardware Option
FirePass is FIPS compliant* to meet the strong security needs of government, finance, healthcare, and other security-conscious organizations. FirePass 4100 and 4300 devices offer support for FIPS 140 Level-2 enabled tamper-proof storage of SSL keys, as well as FIPS-certified cipher support for encrypting and decrypting SSL traffic in hardware. FIPS SSL Accelerator is available as a factory install option to the base 4100 and 4300 platform.
* FIPS 140-2 meets the security criteria of CESG (UK’s National Technical Authority For Information Assurance) for use in private data traffic.
FirePass Specifications
The FirePass appliance is available in three models and as a Virtual Edition to address the concurrent user access needs of small to large enterprises.
FirePass Virtual Edition
Virtual Specifications
[Figure: FirePass Virtual Edition deployed behind F5 BIG-IP Local Traffic Manager]
Recommended Conc. Users: Up to 2000*
Clustering Support: Yes – up to 10 virtual appliances
* Note: Actual performance varies depending on hardware platform, resources available, and configuration.
Host System Requirements: It is highly recommended that the host system contain CPUs based on AMD-V or Intel-VT technology.
Hypervisor: VMware ESX 4.0 or ESXi 4.0; VMware vSphere Client; VMware virtual hardware version 7
Processor: 1 CPU (4 CPUs or more are recommended for more than 500 concurrent users.)
Memory: 2 GB RAM (8 GB or more are recommended for more than 500 concurrent users.)
Network Adapters: 3 network interfaces
Disk Space: 30 GB hard drive of thin provisioning
Physical Specifications (4300 and 4100 Series, 1200 Series)
Physical Specifications | 4300 | 4100 | 1200
Recommended Conc. Users | 2000 | 500 | 100
Max. Conc. Users per Appliance | 2000 | 2000 | 100
Interfaces | 4 (10/100/1000) LAN ports | 4 (10/100/1000) LAN ports | 2 (10/100) LAN ports
Dimensions | 3.5” H x 17.5” W x 23.5” D, 2U industry standard rack mount chassis | 3.5” H x 17.5” W x 23.5” D, 2U industry standard rack mount chassis | 1.7” H x 16.7” W x 11” D, 1U industry standard rack mount chassis
Weight | 43 lbs | 40 lbs | 10 lbs
Processors | Two Opteron 2.2 GHz - dual core | Two Opteron 2.0 GHz - single core | Intel Celeron 2.0 GHz - single core
Power Supply | Dual 475 W 90/240 +/- 10% VAC auto switching | 425 W 90/240 +/- 10% VAC auto switching; optional redundant power supply | Single full-range 250 W
Typical Power Consumption | 275 W | 275 W | 180 W
Maximum Heat Output | 939 BTU/hr | 939 BTU/hr | 785 BTU/hr
Device Redundancy | Watchdog timer, failsafe cable (primary and secondary) | Watchdog timer, failsafe cable (primary and secondary) | Watchdog timer, failsafe cable (primary and secondary)
Clustering Support | Yes – up to 10 appliances | Yes – up to 10 appliances | No
FIPS SSL Accelerator Card Option | Yes – factory only | Yes – factory only | No
Hard Drive Capacity | 160 GB | 160 GB | 40 GB
RAM | 8 GB standard | 4 GB standard on 4110, 4120, 4130 – factory upgradable to 8 GB (4140 and 4150: 8 GB standard) | 512 MB
Temperature (operating) | 41° F to 104° F (5° C to 40° C) | 41° F to 104° F (5° C to 40° C) | 41° F to 104° F (5° C to 40° C)
Non-Operating Ambient Temperature Range | -40° F to 149° F (-40° C to 65° C); relative humidity 10% to 95% at 40° C non-condensing | -40° F to 149° F (-40° C to 65° C); relative humidity 10% to 95% at 40° C non-condensing | -40° F to 149° F (-40° C to 65° C); relative humidity 5% to 85% at 40° C non-condensing
Humidity (relative) | 20% to 90% at 40° C | 20% to 90% at 40° C | 20% to 90% at 40° C
Safety Agency Approval | UL 60950 (UL 1950-3), CSA-C22.2 No 60950-00 (Bi-national standard with UL 60950); CB test certification to IEC 950, EN 60950 | UL 60950 (UL 1950-3), CSA-C22.2 No 60950-00 (Bi-national standard with UL 60950); CB test certification to IEC 950, EN 60950 | UL 60950 (UL 1950-3), CSA-C22.2 No 60950-00 (Bi-national standard with UL 60950); CB test certification to IEC 950, EN 60950
Electromagnetic Emissions Certifications | EN55022 1998 Class A; EN55022 1998 Class A; FCC Part 15B Class A; VCCI Class A | EN55022 1998 Class A; EN55022 1998 Class A; FCC Part 15B Class A; VCCI Class A | EN55022 1998 Class A; EN55022 1998 Class A; FCC Part 15B Class A; VCCI Class A
More Information
Visit these resources on F5.com to learn more about FirePass.
White papers: F5 FirePass Endpoint Security; Get to Know GPO
Podcast: Secure Remote Access for Disaster Recovery
Case study: City of Diamond Bar Deploys FirePass
Deployment guides: F5 FirePass controller with BIG-IP LTM and GTM (FirePass v6.x, LTM, and GTM 9.4.2), Deployment Guide; FirePass and VMware View Deployment Guide
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
F5 Networks, Inc. Corporate Headquarters; F5 Networks Asia-Pacific; F5 Networks Ltd. Europe/Middle-East/Africa; F5 Networks Japan K.K.
© 2010 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG-IP, FirePass, iControl, TMOS, and VIPRION are trademarks or registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. CS03-00005 0710