Datasheet
Juniper Networks ISG Series

Product Description

The Juniper Networks ISG 1000 and ISG 2000 are fully integrated firewall/VPN systems that provide:
• Multi-gigabit performance
• Modular architecture
• Rich virtualization capabilities

Juniper Networks Integrated Security Gateways (ISG) are ideally suited for securing enterprise, carrier and data center environments where advanced applications such as voice over IP (VoIP) and streaming media demand consistent, scalable performance.

The Juniper Networks ISG 1000 and ISG 2000 solutions are purpose-built security solutions that leverage a fourth-generation security ASIC, the GigaScreen3, along with high-speed microprocessors to deliver unmatched firewall and virtual private network (VPN) performance. Integrating best-in-class firewall, VPN, and optional Intrusion Detection and Prevention (IDP), the ISG 1000 and ISG 2000 enable secure, reliable connectivity along with network- and application-level protection for critical, high-traffic network segments. They provide an ideal solution for large enterprise, data center, and service provider networks.

The ISG Series firewall/VPN based systems deliver security features such as Intrusion Prevention System (IPS), anti-spam, Web filtering, and Internet Content Adaptation Protocol (ICAP) antivirus redirection support. The system is further expandable with optionally integrated IDP or as a General Packet Radio Service (GPRS) firewall/VPN for mobile network service provider environments.

The ISG Series firewall/VPN modular architecture enables deployment with a wide variety of copper and fiber interface options. Highly flexible segmentation and isolation of traffic belonging to different trust levels can be achieved using advanced features such as virtual systems, virtual LANs, and security zones. The ISG Series firewall/VPN allows multiple, separate firewall inspection or routing policies to simplify network design. This enables the enforcement of security policies on traffic streams, even in highly complex environments, without significant impact on the network itself.

The flexibility and efficiency offered by the ISG Series architecture provides state-of-the-art performance and best-in-class functionality in three different deployment configurations: firewall/VPN, firewall/VPN/IDP, and IDP only, all in a single solution. The ISG 1000 supports up to two security modules, while the ISG 2000 can support up to three security modules. The security modules maintain their own dedicated processing and memory and incorporate technology designed to accelerate IDP packet processing. This reduces the number of separate security devices and management applications, and simplifies deployment effort and network complexity. The result is higher cost savings.

The ISG Series firewall/VPN with IDP utilizes the same award-winning software found on Juniper Networks IDP platforms, which is now fully integrated into Juniper Networks ScreenOS. ScreenOS is a purpose-built, hardened operating system that can be deployed in either inline or TAP mode to protect both perimeter deployments and internal networks. The IDP security module supports multi-method detection, combining eight different detection mechanisms, including stateful signatures and protocol anomaly detection. This helps businesses defend against security threats such as worms, trojans, malware, spyware, and hackers. The ISG 1000 and ISG 2000 can be deployed in a number of different configurations to protect both the perimeter and internal network resources.

When deployed in a mobile operator network, the ISG 1000 and ISG 2000 GPRS solutions are GPRS Tunneling Protocol (GTP) aware and fully support GTP functionality in virtual systems.
The ISG Series firewall/VPN can be deployed at the Gp interface connection between two Public Land Mobile Networks (PLMN), the Gn interface connection between the SGSN and the GGSN support nodes, and the Gi interface connection between the GGSN and the Internet. In addition to countering sophisticated availability threats, Denial of Service (DoS) attacks, and malicious users, the ISG Series GPRS firewall/VPN can limit messages, throttle bandwidth-hungry applications that consume uplink/downlink traffic, and perform 3GPP R6 IE removal to help retain interoperability in roaming between 2G and 3G networks.

Features and Benefits

Feature | Feature Description | Benefit
Purpose-built platform | Dedicated, security-specific processing hardware and software platform. | Delivers the required performance to protect high-speed LAN environments.
Predictable performance | ASIC-based architecture provides linear performance for all packet sizes at multi-gigabit speeds. | Ensures low latency in sensitive applications such as VoIP and streaming media.
System and network resiliency | Hardware component redundancy, multiple high availability options and route-based VPNs. | Provides the reliability required for high-speed network deployments.
Best-in-class network security features | Embedded Web filtering, anti-spam, IPS, ICAP antivirus redirect, and optionally integrated IDP. | Additional security features backed by best-in-class security partners such as Symantec and SurfControl.
Interface flexibility | Modular architecture enables deployment with a wide variety of copper and fiber interface options. | Simplifies network integration and helps to reduce the cost of future network upgrades.
Network segmentation | Security zones, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests, wireless networks and regional servers or databases.* | Powerful capabilities facilitate deploying security for various internal, external and DMZ sub-groups on the network, to prevent unauthorized access.
Centralized management | Centralized management of Juniper Networks firewall and IDP products enabled through NSM. | Tight integration across multiple platforms enables simple and intuitive network-wide security management.
Robust routing engine | Proven routing engine supports OSPF, BGP and RIP v1/2 along with Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC. | Enables the deployment of a consolidated security and routing device, thereby lowering operational and capital expenditures.
Comprehensive threat protection | Dedicated processing modules provide best-in-class multi-gigabit firewall/VPN/IDP capability in a single solution. | Unmatched performance ensures that the network is protected against all manner of attacks in high-speed networks.
World-class professional services | From simple lab testing to major network implementations, Juniper Networks Professional Services will collaborate with your team to identify goals, define the deployment process, create or validate the network design, and manage the deployment. | Transforms the network infrastructure to ensure that it is secure, flexible, scalable, and reliable.

Product Options

Option | Option Description | Applicable Products
Integrated anti-spam | Blocks unwanted email from known spammers and phishers using an annually licensed anti-spam offering based on Symantec technology. | ISG 1000 & ISG 2000
Integrated IPS (Deep Inspection) | Prevents application-level attacks from flooding the network using a combination of stateful signatures and protocol anomaly detection mechanisms. IPS is annually licensed. | ISG 1000 & ISG 2000
Integrated Web filtering | Blocks access to malicious Web sites using the annually licensed Web filtering solution based on SurfControl's market-leading technology. | ISG 1000 & ISG 2000
ICAP antivirus redirect | ICAP antivirus content redirection allows the implementation of a third-party, large enterprise antivirus solution at the perimeter. | ISG 1000 & ISG 2000
Optionally integrated IDP | Dedicated IDP security modules enable high-speed packet inspection. Requires no network changes to add full IDP functionality, helping to protect against layer 4-7 attacks including zero-day, worms, trojans, spyware, etc. Additional hardware and system upgrade required. | ISG 1000 & ISG 2000
GPRS firewall/VPN for Mobile Networks | Support for GPRS networks to provide stateful firewalling and filtering capabilities that mitigate a wide variety of attacks on the Gp, Gn, and Gi interfaces to protect key nodes within the mobile operators' network. Additional license required. | ISG 1000 & ISG 2000

Specifications

Specification | Juniper Networks ISG 1000 | Juniper Networks ISG 2000

Maximum Performance and Capacity(1)
Minimum ScreenOS version support | ScreenOS 6.0 | ScreenOS 6.0
Firewall performance (large packets) | 2 Gbps | 4 Gbps
Firewall performance (small packets) | 1 Gbps | 2 Gbps
Firewall packets per second (64 byte) | 1.5 M PPS | 3 M PPS
AES256+SHA-1 VPN performance | 1 Gbps | 2 Gbps
3DES+SHA-1 VPN performance | 1 Gbps | 2 Gbps
Maximum concurrent sessions(3) | 500,000 | 1,000,000
New sessions/second | 20,000 | 23,000
Maximum security policies | 10,000 | 30,000
Maximum users supported | Unrestricted | Unrestricted

Network Connectivity
Fixed I/O | 4 10/100/1000 ports | 0
Interface expansion slots | 2 | 4
LAN interface options | Up to 8 mini-GBIC (SX, LX, or TX), up to 8 10/100/1000, up to 20 10/100 | Up to 16 mini-GBIC (SX, LX, or TX), up to 8 10/100/1000, up to 28 10/100

Firewall
Network attack detection | Yes | Yes
Denial of Service (DoS) and Distributed Denial of Service (DDoS) protection | Yes | Yes
TCP reassembly for fragmented packet protection | Yes | Yes
Brute force attack mitigation | Yes | Yes
SYN cookie protection | Yes | Yes
Zone-based IP spoofing | Yes | Yes
Malformed packet protection | Yes | Yes

Integrated IPS (Optional Integrated IDP)(2)(10)
Stateful protocol signatures | Yes | Yes
Attack detection mechanisms | Stateful signatures, traffic anomaly detection, protocol anomaly detection (zero-day coverage), backdoor detection | Stateful signatures, traffic anomaly detection, protocol anomaly detection (zero-day coverage), backdoor detection
Attack response mechanisms | Drop connection, close connection, session packet log, session summary, email, custom | Drop connection, close connection, session packet log, session summary, email, custom
Attack notification mechanisms | Session packet log, session summary, email, SNMP, system log, WebTrends | Session packet log, session summary, email, SNMP, system log, WebTrends
Worm protection | Yes | Yes
Simplified installation through recommended policies | Yes | Yes
Trojan protection | Yes | Yes
Spyware/adware/keylogger protection | Yes | Yes
Other malware protection | Yes | Yes
Protection against attack proliferation from infected systems | Yes | Yes
Reconnaissance protection | Yes | Yes
Request and response side attack protection | Yes | Yes
Compound attacks (combines stateful signatures and protocol anomalies) | Yes | Yes
Create custom attack signatures | Yes | Yes
Access contexts for customization | 500+ | 500+
Attack editing (port range, etc.) | Yes | Yes
Stream signatures | Yes | Yes
Protocol thresholds | Yes | Yes
Stateful protocol signatures | Yes | Yes
Approximate number of attacks covered | 5,500+* | 5,500+*
Detailed threat descriptions and remediation/patch info | Yes | Yes
Enterprise security profiler | Yes | Yes
Create and enforce appropriate application usage policies | Yes | Yes
Attacker and target audit trail and reporting | Yes | Yes
Deployment modes | In-line or in-line TAP | In-line or in-line TAP
Frequency of updates | Daily and emergency | Daily and emergency
*As of January 2008, there are 5,560 signatures, with approximately 10 new signatures added every week.

Unified Threat Management / Content Security(5)
Deep Inspection signature packs(4) | Yes | Yes
IPS (Deep Inspection firewall)(4) | Yes | Yes
Protocol anomaly detection | Yes | Yes
Stateful protocol signatures | Yes | Yes
IPS/Deep Inspection attack pattern obfuscation | Yes | Yes
ICAP antivirus redirection | Yes | Yes
Anti-spam | Yes | Yes
Integrated URL filtering | Yes | Yes
External URL filtering(6) | Yes | Yes

Voice over IP (VoIP) Security
H.323 ALG | Yes | Yes
SIP ALG | Yes | Yes
MGCP ALG | Yes | Yes
SCCP ALG | Yes | Yes
NAT for VoIP protocols | Yes | Yes

GPRS Security(10)
GTP tunnels(7) | 200,000 | 400,000
GTP packet inspection (IPS or IDP?) | Yes | Yes

IPSec VPN
Concurrent VPN tunnels(8) | 2,000 | 10,000
Tunnel interfaces(8) | Up to 512 | Up to 1,024
DES (56-bit), 3DES (168-bit) and AES (256-bit) | Yes | Yes
MD-5 and SHA-1 authentication | Yes | Yes
Manual key, IKE, PKI (X.509), IKEv2 with EAP | Yes | Yes
Perfect forward secrecy (DH groups) | 1, 2, 5 | 1, 2, 5
Prevent replay attack | Yes | Yes
Remote access VPN | Yes | Yes
L2TP within IPSec | Yes | Yes
IPSec NAT traversal | Yes | Yes
Redundant VPN gateways | Yes | Yes

User Authentication and Access Control
Built-in (internal) database - user limit(8) | 50,000 | 50,000
Third-party user authentication | Remote Authentication Dial In User Service (RADIUS), RSA SecurID, and LDAP | RADIUS, RSA SecurID, LDAP
RADIUS accounting | Yes – start/stop | Yes – start/stop
XAUTH VPN authentication | Yes | Yes
Web-based authentication | Yes | Yes
802.1X authentication | Yes | Yes
Unified access control enforcement point | Yes | Yes

PKI Support
PKI certificate requests (PKCS 7 and PKCS 10) | Yes | Yes
Automated certificate enrollment (SCEP) | Yes | Yes
Online Certificate Status Protocol (OCSP) | Yes | Yes
Certificate Authorities supported | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI | VeriSign, Entrust, Microsoft, RSA Keon, iPlanet (Netscape), Baltimore, DoD PKI
Self-signed certificates | Yes | Yes

Virtualization(10)
Maximum number of virtual systems | 0 default, upgradeable to 50 | 0 default, upgradeable to 250
Maximum number of security zones | 20 default, upgradeable to 120 | 26 default, upgradeable to 526
Maximum number of virtual routers | 3 default, upgradeable to 53 | 3 default, upgradeable to 253
Maximum number of VLANs | 4,094 | 4,094

Routing
BGP instances | 8 | 64
BGP peers | 128 | 128
BGP routes | 10,000 | 20,000
OSPF instances | 8 | 8
OSPF routes | 4,096 | 6,000
RIP v1/v2 instances | Up to 12 instances supported | Up to 50 instances supported
RIP v2 table size | 10,000 | 20,000
Dynamic routing | Yes | Yes
Static routes | 10,000 | 20,000
Source-based routing | Yes | Yes
Policy-based routing | Yes | Yes
ECMP | Yes | Yes
Multicast | Yes | Yes
Reverse Path Forwarding (RPF) | Yes | Yes
IGMP (v1, v2) | Yes | Yes
IGMP proxy | Yes | Yes
PIM SM | Yes | Yes
PIM SSM | Yes | Yes
Multicast inside IPSec tunnel | Yes | Yes

IPv6
Dual stack IPv4/IPv6 firewall and VPN | Yes | Yes
SYN-cookie and SYN-proxy DoS attack detection | Yes | Yes
SIP, RTSP, Sun-RPC, and MS-RPC ALGs | Yes | Yes
IPv4 to/from IPv6 translations and encapsulations | Yes | Yes
Virtualization (VSYS, security zones, VR, VLAN) | Yes | Yes
RIPng | Yes | Yes

Mode of Operation
Layer 2 (transparent) mode(7) | Yes | Yes
Layer 3 (route and/or NAT) mode | Yes | Yes

Address Translation
Network Address Translation (NAT) | Yes | Yes
Port Address Translation (PAT) | Yes | Yes
Policy-based NAT/PAT | Yes | Yes
Mapped IP | 4,096 | 8,192
Virtual IP (VIP)(9) | 8 | 8
MIP/VIP grouping | Yes | Yes

IP Address Assignment
Static | Yes | Yes
DHCP, PPPoE client | Yes, No | No, No
Internal DHCP server | Yes | No
DHCP relay | Yes | Yes

Traffic Management Quality of Service (QoS)
Maximum bandwidth | Yes – per physical interface only | Yes – per physical interface only
Jumbo frames | Yes(11) | Yes(11)
DiffServ marking | Yes – per policy | Yes – per policy

High Availability (HA)
Active/Active - transparent & L3 mode | Yes | Yes
Active/Passive | Yes | Yes
Configuration synchronization | Yes | Yes
Session synchronization for firewall and VPN | Yes | Yes
Session failover for routing change | Yes | Yes
Device failure detection | Yes | Yes
Link failure detection | Yes | Yes
Authentication for new HA members | Yes | Yes
Encryption of HA traffic | Yes | Yes

System Management
WebUI (HTTP and HTTPS) | Yes | Yes
Command line interface (console) | Yes | Yes
Command line interface (telnet) | Yes | Yes
Command line interface (SSH) | Yes | Yes
NetScreen-Security Manager | Yes | Yes
All management via VPN tunnel on any interface | Yes | Yes
Rapid deployment | Yes | Yes

Administration
Local administrator database size | 256 | 256
External administrator database support | RADIUS, LDAP | RADIUS, LDAP
Restricted administrative networks | Yes | Yes
Root Admin, Admin and Read Only user levels | Yes | Yes
Software upgrades | Yes | Yes
Configuration rollback | Yes | Yes

Logging/Monitoring
Syslog (multiple servers) | Yes | Yes
Email (two addresses) | Yes | Yes
NetIQ WebTrends | Yes | Yes
SNMP (v2) | Yes | Yes
SNMP full/custom MIB | Yes | Yes
Traceroute | Yes | Yes
VPN tunnel monitor | Yes | Yes

External Flash
Additional log storage | Supports 128 or 512 MB Industrial-Grade SanDisk | Supports 128 or 512 MB Industrial-Grade SanDisk
Event logs and alarms | Yes | Yes
System configuration script | Yes | Yes
ScreenOS software | Yes | Yes

Dimensions and Power
Dimensions (W x H x D) | 17.5 x 5.25 x 17.3 in (44.5 x 13.3 x 43.9 cm) | 17.5 x 5.25 x 23 in (44.5 x 13.3 x 58.4 cm)
Weight | 30 lb / 14 kg | 50 lb / 23 kg
Rack mountable | Yes, 3U | Yes, 3U
Power supply (AC)* | Single, field upgradeable | Dual, redundant
Power supply (DC)* | Single, field upgradeable | Dual, redundant
Maximum thermal output | 444 BTU/hour (W) | 537 BTU/hour (W)

Certifications
Safety certifications | UL, CUL, CSA, CB | UL, CUL, CSA, CB
EMC certifications | FCC class A, CE class A, C-Tick, VCCI class A | FCC class A, CE class A, C-Tick, VCCI class A
NEBS | Yes | Yes
MTBF (Bellcore model) | 7.6 years | 7.6 years

Security Certifications
Common Criteria: EAL4 and EAL4+ | Yes | Yes
FIPS 140-2: Level 2 | Yes | Yes
ICSA Firewall and VPN | Yes | Yes

Operating Environment
Operating temperature | 32° to 122° F, 0° to 50° C | 32° to 122° F, 0° to 50° C
Non-operating temperature | -4° to 158° F, -20° to 70° C | -4° to 158° F, -20° to 70° C
Humidity | 10 to 90% non-condensing | 10 to 90% non-condensing

(1) Performance, capacity and features listed are based upon systems running ScreenOS 6.1 and are the measured maximums under ideal testing conditions unless otherwise noted. Actual results may vary based on ScreenOS release and by deployment.
(2) Additional IDP license and hardware upgrade required.
(3) Concurrent sessions listed are based upon maximums with current shipping ISG hardware. Older ISG units may need the optional memory upgrade to achieve maximum concurrent session capacity. FW/VPN concurrent session maximums for older ISG units without the optional memory upgrade are 250,000 for the ISG 1000 and 500,000 for the ISG 2000. Older ISG units with the optional IDP upgrades installed already have the maximum concurrent session capacity and do not require a memory upgrade.
(4) IPS (Deep Inspection firewall) is automatically disabled when optionally integrated IDP is installed.
(5) Security features (IPS/Deep Inspection, anti-spam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper Networks. Annual subscriptions provide signature updates and associated support.
(6) Redirect Web filtering sends traffic to a secondary server and therefore entails purchasing a separate Web filtering license from either Websense or SurfControl.
(7) NAT, PAT, policy-based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA, and IP address assignment are not available in layer 2 transparent mode.
(8) Shared among all virtual systems.
(9) Not available with virtual systems.
(10) Additional license required.
(11) Requires 4-port mini-GBIC modules: NS-ISG-SX4, NS-ISG-LX4 or NS-ISG-TX4.
Ordering Information

ISG 1000 Systems | Part Number
NS-ISG-1000 system (inc. AC power supply, no I/O cards) | NS-ISG-1000
NS-ISG-1000 system (inc. DC power supply, no I/O cards) | NS-ISG-1000-DC
NS-ISG-1000 Baseline system (inc. AC power supply, no I/O cards) | NS-ISG-1000B
NS-ISG-1000 Baseline system (inc. DC power supply, no I/O cards) | NS-ISG-1000B-DC

ISG 1000 Software Options | Part Number
VSYS upgrade 0 to 5 | NS-ISG-1000-VSYS-5
VSYS upgrade 5 to 10 | NS-ISG-1000-VSYS-10
VSYS upgrade 10 to 25 | NS-ISG-1000-VSYS-25
VSYS upgrade 25 to 50 | NS-ISG-1000-VSYS-50
GPRS firewall/VPN license | NS-ISG-1000-GKT

ISG 2000 Systems | Part Number
NS-ISG-2000 system (inc. AC power supplies, no I/O cards) | NS-ISG-2000
NS-ISG-2000 system (inc. DC power supplies, no I/O cards) | NS-ISG-2000-DC
NS-ISG-2000 Baseline system (inc. AC power supplies, no I/O cards) | NS-ISG-2000B
NS-ISG-2000 Baseline system (inc. DC power supplies, no I/O cards) | NS-ISG-2000B-DC

ISG 2000 Software Options | Part Number
VSYS upgrade 0 to 5 | NS-ISG-2000-VSYS-5
VSYS upgrade 5 to 25 | NS-ISG-2000-VSYS-25
VSYS upgrade 25 to 50 | NS-ISG-2000-VSYS-50
VSYS upgrade 50 to 100 | NS-ISG-2000-VSYS-100
VSYS upgrade 100 to 250 | NS-ISG-2000-VSYS-250
GPRS firewall/VPN license | NS-ISG-2000-GKT

Integrated IDP Upgrades | Part Number
Security module for IDP on ISG 1000 and ISG 2000 systems | NS-ISG-SEC
IDP upgrade kit for ISG 1000 system, including IDP license key, additional memory, and 5-device NSM | NS-ISG-1000-IKT
IDP upgrade kit for ISG 2000 system, including IDP license key, additional memory, and 5-device NSM | NS-ISG-2000-IKT

ISG 1000 and ISG 2000 I/O Modules | Part Number
I/O Module - 2 Port mini-GBIC-SX | NS-ISG-SX2
I/O Module - 2 Port mini-GBIC-LX | NS-ISG-LX2
I/O Module - 4 Port mini-GBIC-SX | NS-ISG-SX4
I/O Module - 4 Port mini-GBIC-LX | NS-ISG-LX4
I/O Module - 4 Port mini-GBIC-TX | NS-ISG-TX4
I/O Module - 4 Port 10/100 Fast Ethernet | NS-ISG-FE4
I/O Module - 8 Port 10/100 Fast Ethernet | NS-ISG-FE8
I/O Module - 2 Port 10/100/1000 Gigabit Ethernet | NS-ISG-TX2

ISG 1000 and ISG 2000 Spares | Part Number
SX transceiver (mini-GBIC) | NS-SYS-GBIC-MSX
LX transceiver (mini-GBIC) | NS-SYS-GBIC-MLX
ISG 1000 AC power supply | NS-ISG-1000-PWR-AC
ISG 1000 DC power supply | NS-ISG-1000-PWR-DC
ISG 2000 AC power supply | NS-ISG-2000-PWR-AC2
ISG 2000 DC power supply | NS-ISG-2000-PWR-DC2
Japan power cord option | NS-ISG-2000-Japan
Fan module | NS-ISG-FAN
Rack mount kit (19 in., all mounting hardware) | NS-ISG-2000-RCK-01
Rack mount kit (23 in., all mounting hardware) | NS-ISG-2000-RCK-02
Blank interface panel | NS-ISG-IPAN2
ISG 2000 blank power supply cover | NS-ISG-2000-PPAN2

Note: The appropriate power cord is included based upon the sales order "Ship To" destination.
Note: Every virtual system includes 1 additional virtual router and 2 additional security zones, usable in the virtual or root system.

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.

Copyright 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

110036-015 Jan 2008