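Services Gateways

Product Overview

SRX Series Services Gateways are next-generation security platforms that, built on an innovative architecture, provide outstanding protection, performance, scalability, availability, and security service integration. Purpose-designed for flexible processing scalability, I/O scalability, and services integration, the SRX Series meets the security requirements of data center consolidation and services aggregation. The SRX Series runs Junos OS, the industry-leading operating system that ensures availability, manageability, and security for data centers in the world's largest networks.

Product Description

These Juniper Networks Services Gateways are next-generation services gateways that support best-in-class scalability and services integration in a midsized form factor. They are optimized for the following medium to large enterprise, public sector, and service provider networks:

- Enterprise server farms/data centers
- Connecting departmental or segmented security solutions
- Cloud and hosting provider data centers
- Managed services deployments
- Mobile operator environments

Built on an innovative midplane design and Juniper's Dynamic Services Architecture, the SRX3000 line redefines the price/performance standard for enterprise and service provider environments. Each Services Gateway scales linearly as Services Processing Cards (SPCs) are added, so up to 30 Gbps of firewall throughput can be supported. Because SPCs are designed to support a wide range of services, new capabilities can be supported in the future without deploying hardware per service. Using SPCs across all services eliminates resources that sit idle while a particular service runs and raises hardware utilization to the highest level.

The SRX3000 line delivers market-leading flexibility and price/performance because it uses a modular architecture. Based on Juniper's Dynamic Services Architecture, the gateways can flexibly take the desired number of I/O cards (IOCs), Network Processing Cards (NPCs), and Services Processing Cards (SPCs), so the system can be configured for the best balance between performance and port density, and the Juniper Networks SRX Series Services Gateways can be deployed to fit each network's different requirements. With this flexibility, a configuration can provide more than 100 Gbps of interfaces using Gigabit Ethernet or 10-Gigabit Ethernet port options, 10 to 30 Gbps of network processing performance, and service processing that matches specific business needs.

The switch fabric used in these services gateways underpins the scalability of SPCs, NPCs, and IOCs. Supporting data transfer rates of up to 320 Gbps, the fabric delivers the highest processing and I/O performance supported in any given configuration. This level of scalability and flexibility lets the network infrastructure expand and grow without service interruption, while keeping the security solution from becoming a bottleneck.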
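The flexibility of the SRX3000 line builds further on the proven benefits and innovation of the Dynamic Services Architecture. Because SPCs can be installed in both the front and the rear of the SRX3000 line, this midplane design achieves industry-leading flexibility and scalability. By halving the rack space required and doubling the number of SPCs, the SRX3000 line delivers an innovative physical design as well as fundamental architectural innovation.

Feature integration on SRX Series Services Gateways is carried out by Juniper Networks Junos OS. Combining the routing technology of Junos OS with the security technology of ScreenOS, the SRX Series Services Gateways are equipped with a powerful set of features including firewall, IPsec VPN, intrusion prevention (IPS), denial of service (DoS), Network Address Translation (NAT), and quality of service (QoS). Integrating multiple features on a single OS also highly optimizes traffic flow through the services gateway. With Junos OS, the SRX Series benefits from a single-source OS, a single release train, and a single architecture that spans Juniper's carrier-class routers and switches.

One Services Gateway in the line is an industry-leading security solution that supports up to 30 Gbps firewall, 10 Gbps firewall and IPS, or 10 Gbps of IPsec VPN, along with up to 175,000 new connections per second. Equipped with a full set of security features, it is suited to medium to large enterprise data centers, hosted or co-located data centers, and next-generation enterprise services/applications that demand a high level of security. It can also be deployed to secure cloud provider infrastructure that requires multi-tenancy. Its exceptional scalability and flexibility make it ideal for consolidating legacy security appliances in densely populated data centers, and its high service density makes it an excellent choice for cloud providers.

The other Services Gateway uses the same SPCs, IOCs, and NPCs and can support up to 20 Gbps firewall, 6 Gbps firewall and IPS, or 6 Gbps of IPsec VPN, along with up to 175,000 new connections per second. It is ideal for protecting and segmenting enterprise data center and network infrastructure and for connecting diverse security solutions. Because it supports different security policies per zone and can scale as the network grows, it is ideal for small to midsize server farms or hosting sites.

SRX3000 Line Service Processing Cards*

As the "brains" of the SRX3000 line, SPCs are designed to process all available services on the gateway. Because no dedicated hardware has to be deployed for a particular service or feature, the inefficient situation in which some hardware is pushed to its limit while other hardware sits idle does not arise. SPCs are designed to be pooled, so adding SPCs expands the performance and capabilities of the SRX3000 line while dramatically reducing management overhead and complexity. The same SPC is supported on both gateways. (Note: A minimum of one NPC and one SPC is required for proper system operation.)

SRX3000 Line I/O Cards*

With a well-balanced mix of built-in copper, small form-factor pluggable transceiver (SFP), and high availability (HA) ports, the SRX3000 line supports best-in-class I/O port density. Each services gateway in the SRX3000 line can be equipped with one or several IOCs, each supporting either 16 gigabit interfaces (16 x 1 copper or fiber Gigabit Ethernet) or 20 gigabit interfaces (2 x 10-Gigabit XFP Ethernet). With the flexibility to provide multiple IOCs, the SRX3000 line can be installed to maintain the optimal balance between interfaces and processing performance. (Note: A minimum of one NPC and one SPC is required for proper system operation.)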
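SRX3000 Line Network Processing Cards*

To ensure maximum processing performance and flexibility, the SRX3000 line uses NPCs to distribute inbound and outbound traffic to the appropriate SPCs and IOCs, apply QoS, and block DoS/distributed denial of service (DDoS) attacks. Depending on the model, the gateway can be configured to support one to three NPCs or one to two NPCs. Providing additional NPCs to the SRX3000 line lets the solution be configured to match each organization's specific performance needs. (Note: A minimum of one NPC and one SPC is required for proper system operation.)

* The Juniper Networks SRX3000 line uses Common Form-factor Module (CFM) SPCs, NPCs, and IOCs. All modules are supported on both gateways but are not compatible with the Juniper Networks SRX5000 line of Services Gateways. Likewise, SRX5000 line modules are not compatible with the SRX3000 line.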
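Features and Benefits

Networking and Security

The SRX3000 line is designed to deliver powerful networking and security services.

Feature: Purpose-built platform
Description: Built from the ground up on dedicated hardware designed for networking and security services.
Benefit: Delivers outstanding performance and flexibility to protect high-speed network environments.

Feature: Scalable performance
Description: Provides scalable processing performance based on the Dynamic Services Architecture.
Benefit: A simple, cost-effective solution for taking advantage of new services with the appropriate processing performance.

Feature: System and network resiliency
Description: Carrier-class redundant design, from redundant hardware to a proven OS.
Benefit: Provides the reliability needed for all major high-speed network deployments. Utilizes a unique architectural design based on multiple processing cores and a separation of the data and control planes.

Feature: High availability (HA)
Description: Active/passive and active/active HA configurations using dedicated high availability interfaces.
Benefit: Ensures availability and resiliency for critical networks.

Feature: Interface flexibility
Description: Flexible I/O options through modular CFM modules based on the Dynamic Services Architecture.
Benefit: Provides flexible I/O configuration and independent scalability to meet any specialized network requirement.

Feature: Network segmentation
Description: Security zones, virtual LANs, and virtual routers let administrators build security policies that isolate guests and regional servers or databases.
Benefit: The ability to configure tailored security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups.

Feature: Robust routing engine
Description: Dedicated routing engine that physically and logically separates the data and control planes.
Benefit: A dedicated management environment allows deployment of consolidated routing and security devices and secures the routing infrastructure.

Feature: Unified Threat Management (UTM)
Description: Powerful UTM capabilities including IPS, antivirus, antispam, Web filtering, and content filtering. Features preinstalled on the box can be activated quickly for simple, immediate zero-day protection. Antivirus options from Sophos and Kaspersky, Web filtering from Websense, and antispam from Sophos are available.
Benefit: Draws on intelligence from multiple security specialists to provide best-in-class UTM protection and powerful, high-performance content security.

Feature: AppSecure
Description: Services tightly integrated on Junos OS, including multi-gigabit application firewall, IPsec VPN, IPS, DoS, application traffic control, and other network security services.
Benefit: Tight integration secures the network against attacks at all levels.

Feature: Stateful GPRS inspection
Description: GPRS firewall support in mobile operator networks.
Benefit: Protects key GPRS nodes inside mobile operator networks by having the SRX3000 line provide stateful firewall capabilities.

Feature: User identity-based access control enforcement
Description: Secures access to data center resources through tight integration of the SRX3000 line with the standards-based access control capabilities of Juniper Networks Junos Pulse.
Benefit: Integrating the SRX3000 line with the standards-based access control capabilities of Juniper Networks Junos Pulse provides agent-based and agentless identity security services for the data center, letting administrators flexibly manage access for corporate, guest, mobile, and other users.

Feature: NP-IOC
Description: Like the other cards, this card supports in-service software upgrade (ISSU). It also supports in-service hardware upgrade and is fully backward compatible with existing SRX3000 chassis and cards.
Benefit: Expands gateway capacity and supports latency-sensitive applications such as high-speed financial transactions, meeting business requirements.

Feature: AutoVPN
Description: One-time hub configuration for site-to-site VPN for all spokes, including newly added ones. Configuration options include routing, interfaces, IKE, and IPsec.
Benefit: Reduces IT administration time and cost by building IPsec VPN networks with simple, no-touch deployment.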
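Traffic Inspection Methods

Juniper Networks SRX Series Services Gateways support a variety of detection methods to accurately identify applications and traffic flows across the network.

Feature: Protocol anomaly detection
Description: Checks protocol usage against published RFCs to detect violations or abuse.
Benefit: Proactively protects the network from undiscovered vulnerabilities.

Feature: Traffic anomaly detection
Description: Heuristic rules detect abnormal traffic patterns that may signal reconnaissance or attacks.
Benefit: Proactively blocks reconnaissance activity or distributed denial of service (DDoS) attacks.

Feature: IP spoofing prevention
Description: Validates allowed addresses inside and outside the network.
Benefit: Allows only trusted traffic and blocks spoofed sources.

Feature: DoS prevention
Description: Blocks SYN flood, IP, ICMP, and other application attacks.
Benefit: Protects key network assets from DoS attacks.

Unified Threat Management (UTM) Capabilities

Juniper Networks Unified Threat Management (UTM) draws on intelligence from multiple security specialists to ensure best-in-class protection, high-performance content security, and a high level of network security. Juniper UTM includes AppSecure, IPS, antivirus, antispam, Web filtering, and content filtering.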
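AppSecure

Juniper Networks AppSecure is a suite of next-generation security capabilities that uses advanced application detection and classification to deliver breakthrough visibility, enforcement, control, and protection across the network.

Feature: AppTrack
Description: Detailed analysis of application volume/usage by bytes, packets, and sessions.
Benefit: Tracks application usage to detect high-risk applications and analyzes traffic patterns to strengthen network management and control.

Feature: AppFirewall
Description: Fine-grained application control policies that allow or deny traffic by dynamic application name or group name.
Benefit: Refines security policy creation and enforcement based on applications and user roles rather than traditional port and protocol analysis.

Feature: AppQoS
Description: Prioritizes traffic based on application information and context.
Benefit: Limits and shapes bandwidth and prioritizes traffic based on application information and context, improving application performance and overall network performance.

Feature: AppDoS
Description: Uses multistage detection methods to detect distributed DoS attacks aimed at applications and neutralize them.
Benefit: Allows legitimate traffic while detecting and blocking malicious traffic, preventing service outages caused by application-targeted attacks.

Feature: Application signatures
Description: More than 700 signatures for detecting applications and nested applications.
Benefit: Accurately identified application information is used for visibility, enforcement, control, and protection.

Feature: SSL inspection
Description: Inspects encrypted HTTP traffic inside SSL on any TCP/UDP port.
Benefit: Combined with application detection, strengthens visibility into and protection against threats embedded in SSL-encrypted traffic.

IPS Capabilities

Juniper Networks IPS products provide a range of unique capabilities for the highest level of network security.

Feature: Stateful signature inspection
Description: Signatures are applied only to the relevant portions of network traffic, as determined by the applicable protocol context.
Benefit: Minimizes false positives and supports flexible signature development.

Feature: Protocol decoding
Description: More than 65 protocol decodes are supported along with more than 500 contexts, ensuring proper protocol usage.
Benefit: Improves signature accuracy through precise protocol contexts.

Feature: Signatures
Description: More than 6,000 signatures are provided for identifying traffic anomalies, attacks, spyware, and applications.
Benefit: Accurately identifies attacks and detects attempts to exploit known vulnerabilities.

Feature: Traffic normalization
Description: Provides reassembly, normalization, and protocol decoding.
Benefit: Blocks attempts to evade other IDP detection by using obfuscation methods.

Feature: Zero-day protection
Description: Provides protocol anomaly detection and same-day coverage for newly discovered vulnerabilities.
Benefit: Puts network protection in place immediately when any new exploit appears.

Feature: Recommended policy
Description: Groups of attack signatures identified by the Juniper Networks security team as important for a typical enterprise protecting its network.
Benefit: Simplifies installation and maintenance while ensuring the highest level of network security.

Feature: Active/active traffic monitoring
Description: IPS monitoring on active/active SRX3000 line chassis clusters.
Benefit: Supports active/active IPS monitoring together with advanced features such as low-impact chassis cluster upgrades.

Feature: Packet capture
Description: IPS policy supports packet capture logging per rule.
Benefit: Enables in-depth analysis of surrounding traffic and helps determine further countermeasures for target protection.

Additional UTM Capabilities

The UTM services offered on the Juniper Networks SRX3000 include industry-leading antivirus, antispam, content filtering, and other content security services.

Feature: Antivirus
Description: Antivirus includes reputation-based and cloud-based antivirus capabilities that detect and block spyware, adware, viruses, keyloggers, and other malware arriving over the POP3, HTTP, SMTP, IMAP, and FTP protocols. This service is provided in partnership with security specialist Sophos Labs.
Benefit: Through partnerships with antivirus specialists, provides sophisticated protection against malware attacks that can lead to data breaches and lost productivity.

Feature: Antispam
Description: In partnership with security specialist Sophos Labs, provides multilayered spam protection, up-to-date phishing URL detection, standards-based S/MIME, Open PGP, and TLS encryption, and MIME type/extension blockers.
Benefit: Sophisticated e-mail filtering and content blockers provide defense against advanced persistent threats (APTs) delivered through social networking attacks and against the latest phishing attacks.

Feature: Integrated Web filtering
Description: In partnership with Web security specialist Websense, provides powerful Web filtering with more granular categorization (90+ categories) and real-time threat identification.
Benefit: Prevents lost productivity caused by malicious URLs and helps preserve network bandwidth for business-critical traffic.

Feature: Content filtering
Description: Effective content filtering based on MIME type, file extension, and protocol commands.
Benefit: Prevents lost productivity caused by malicious or extraneous content on the network and helps preserve network bandwidth for business-critical traffic.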
Centralized Management

Juniper Networks Junos Space Security Director provides scalable, proactive security management that improves the reach, ease, and accuracy of security policy administration. It lets administrators manage security policy step by step, from start to finish, through a single web-based interface accessible from a standard Web browser. Junos Space Security Director centralizes application identification, firewall, IPS, NAT, and VPN security management for intuitive and quick policy administration. Junos Space Security Director runs on the Junos Space Network Management Platform, so it can use innovations from the Juniper and third-party Junos Space ecosystem and provides broad management capabilities across the network.

Specifications

Specification | Services Gateway | Services Gateway

Maximum Performance and Capacity [1]
- Junos OS version tested | Junos OS 12.1X44 | Junos OS 12.1X44
- Firewall performance (max) | 30 Gbps | 55 Gbps
- Firewall performance (IMIX) | 10 Gbps | 20 Gbps
- Firewall packets per second (64 bytes) | 3.5 Mpps | 6.5 Mpps
- Maximum AES256+SHA-1 VPN performance | 8 Gbps | 15 Gbps
- Maximum 3DES+SHA-1 VPN performance | 8 Gbps | 15 Gbps
- Maximum IPS performance (NSS 4.2.1) | 8 Gbps | 15 Gbps
- Maximum AppTrack performance | 16 Gbps | 24 Gbps
- Maximum concurrent sessions | 2.25/3 million [2] | 2.25/6 million [2]
- New sessions/second (sustained, TCP, three-way) | 150,000 | 150,000/270,000 [2]
- Maximum security policies | 40,000 | 40,000
- Maximum user supported | Unrestricted | Unrestricted
- Latency | Sub-10 µs | Sub-10 µs

Network Connectivity
- Fixed I/O | 8 10/100/1000 + 4 SFP | 8 10/100/1000 + 4 SFP
- LAN interface options | 16 x 1 10/100/1000 copper; 16 x 1-Gigabit Ethernet SFP; 2 x 10-Gigabit Ethernet XFP | 16 x 1 10/100/1000 copper; 16 x 1-Gigabit Ethernet SFP; 2 x 10-Gigabit Ethernet XFP
- Maximum available slots for IOCs | Four (front slots) | Six (front slots)

Processing Scalability
- Maximum available slots for SPCs [3] | Up to four SPCs supported per chassis [4] (any slot) | Up to seven SPCs supported per chassis (any slot)
- Maximum available slots for NPCs [3] | Up to two NPCs supported per chassis [4] (three rear slots) | Up to three NPCs supported per chassis (three rear-right slots)

[1] Performance, capacity, and features listed are based upon systems running Junos OS 12.1X44 and are measured under ideal testing conditions. Actual results may vary based on Junos OS releases and by deployment. For a complete list of supported Junos OS versions for the SRX Series Services Gateways, please visit the Juniper Customer Support Center (www.juniper.net/customers/support/).
[2] Additional Extreme License required for 3 million and 6 million sessions.
[3] Each of the SRX3000 line of Services Gateways employs multiple common form-factor module (CFM) expansion slots on the front and rear of the chassis to allow custom configurations of I/O and processing capacities based on customer requirements. SPCs and NPCs are supported on all available CFM slots. However, for proper system functionality and allowing for I/O expansion, the supports a maximum of up to four SPCs and two NPCs per chassis, and the supports a maximum of up to seven SPCs and three NPCs per chassis. Please refer to the respective hardware guides for more information on SPCs and NPCs as well as for guidelines on placements.
[4] Refer to user guide for guidelines when using DC power supplies.
Specifications (continued)

Firewall
- Network attack detection
- DoS and DDoS protection
- TCP reassembly for fragmented packet protection
- Brute-force attack mitigation
- SYN cookie protection
- Zone-based IP spoofing
- Malformed packet protection

IPsec VPN
- Site-to-site tunnels | 7,500 | 7,500
- Tunnel interfaces | 7,500 | 7,500
- DES (56-bit), 3DES (168-bit), and AES encryption
- MD5 and SHA-1 authentication
- Manual key, IKE, PKI (X.509)
- Perfect forward secrecy (DH groups) | 1,2,6 | 1,2,6
- Prevent replay attack
- Remote access VPN
- IPv4 and IPv6 VPN
- Redundant VPN gateways

Intrusion Prevention System
- Modes of operation: In-line and in-line tap
- Stateful protocol signatures
- Attack detection mechanisms | Stateful signatures, protocol anomaly detection (zero-day coverage), application identification | Stateful signatures, protocol anomaly detection (zero-day coverage), application identification
- Attack response mechanisms | Drop connection, close connection, session packet log, session summary, email, custom session | Drop connection, close connection, session packet log, session summary, email, custom session
- Attack notification mechanisms | Structured system logging | Structured system logging
- Worm protection
- Simplified installation through recommended policies
- Trojan protection
- Spyware/adware/keylogger protection
- Other malware protection
- Application denial of service protection
- Protection against attack proliferation from infected systems
- Reconnaissance protection
- Request and response-side attack protection
- Compound attacks combines stateful signatures and protocol anomalies
- Create custom attack signatures
- Access contexts for customization | 500+ | 500+
- Attack editing (port range, other)
- Stream signatures
- Protocol thresholds
- Stateful protocol signatures
Specifications (continued)

Intrusion Prevention System (continued)
- Approximate number of attacks covered | 8,000+ | 8,000+
- Detailed threat descriptions and remediation/patch info
- Create and enforce appropriate application-usage policies
- Attacker and target audit trail and reporting
- Frequency of updates | Daily and emergency | Daily and emergency

Unified Threat Management
- Antivirus (Sophos AV) throughput | 2.5 Gbps | 4.5 Gbps
- Enhanced Web filter throughput | 8 Gbps | 14 Gbps

GPRS Security
- GPRS stateful firewall
- GTP tunnels | 250,000 | 500,000

Destination Network Address Translation
- Destination NAT with PAT
- Destination NAT within same subnet as ingress interface IP
- Destination addresses and port numbers to one single address and a specific port number (M:1P)
- Destination addresses to one single address (M:1)
- Destination addresses to another range of addresses (M:M)

Source Network Address Translation
- Source NAT with PAT: port-translated
- Source NAT without PAT: fix-port
- Source NAT: IP address persistency
- Source pool grouping
- Source pool utilization alarm
- Source IP outside of the interface subnet
- Interface source NAT: interface DIP
- Oversubscribed NAT pool with fallback to PAT when the address pool is exhausted
- Symmetric NAT
- Allocate multiple ranges in NAT pool
- Proxy ARP for physical port
- Source NAT with loopback grouping: DIP loopback grouping

User Authentication and Access Control
- Built-in (internal) database
- RADIUS accounting
- Web-based authentication
- UAC enforcement point

Public Key Infrastructure (PKI) Support
- PKI certificate requests (PKCS 7 and PKCS 10)
- Automated certificate enrollment (SCEP)
- Certificate authorities supported
- Self-signed certificates
Specifications (continued)

Virtualization
- Maximum number of security zones | 512 | 512
- Maximum number of virtual routers | 1,000 | 1,000
- Maximum number of VLANs per interface | 4,096 | 4,096
- Maximum number of L3 subinterfaces | 16,384 [5] | 16,384 [5]
- Logical Systems | 32 | 32

Routing
- BGP instances | 1,000 | 1,000
- BGP peers | 2,000 | 2,000
- BGP routes | 1,000,000 [6] | 1,000,000 [6]
- OSPF instances | 256 | 256
- OSPF routes | 1,000,000 [6] | 1,000,000 [6]
- RIP v1/v2 instances | 50 | 50
- RIP v2 table size | 30,000 | 30,000
- Dynamic routing
- Static routes
- Filter-based forwarding (FBF)
- Equal-cost multipath (ECMP)
- Reverse path forwarding (RPF)
- Multicast

IPv6
- Firewall/stateless filters
- VPN
- Dual stack IPv4/IPv6 firewall
- RIPng
- BFD, BGP
- ICMPv6
- OSPFv3
- Class of service

Mode of Operation
- Layer 2 (transparent) mode
- Layer 3 (route and/or NAT) mode

IP Address Assignment
- Static
- Dynamic Host Configuration Protocol (DHCP)
- Internal DHCP server
- DHCP relay

[5] Maximum number of supported L3 subinterfaces in HA configuration is 1,000.
[6] Maximum number of BGP and OSPF routes recommended is 100,000.
Specifications (continued)

- Maximum bandwidth
- Filters for CoS
- Classification
- Scheduling
- Shaping
- Intelligent Drop Mechanisms (WRED)
- Three-level scheduling
- Weighted round-robin for each level of scheduling
- Priority of routing protocols

High Availability
- Active/passive, active/active
- Low impact chassis cluster upgrades
- Configuration synchronization
- Session synchronization for firewall and IPsec VPN
- Session failover for routing change
- Device failure detection
- Link and upstream failure detection
- Interface link aggregation/LACP
- Redundant data and control links [7] [8]

Management
- WebUI (HTTP and HTTPS)
- Command-line interface (console)
- Network and Security Manager version 2008.2 or later

Administration
- Local administrator database support
- External administrator database support
- Restricted administrative networks
- Root admin, admin, and read-only user levels
- Configuration rollback

Logging/Monitoring
- Structured system log
- SNMP (v2/v3)
- Traceroute

[7] To enable dual control links on the SRX3000 line, the SRX3K CRM module must be installed on each cluster member.
[8] Please check the technical publication documents and release notes for the list of compatible features for ISSU.
Specifications (continued)

Dimensions and Power
- Dimensions (W x H x D) | 17.5 x 5.25 x 25.5 in (44.5 x 13.3 x 64.8 cm) | 17.5 x 8.75 x 25.5 in (44.5 x 22.2 x 64.8 cm)
- Weight | Chassis: 32.3 lb (14.7 kg); fully configured: 75 lb (34.1 kg) | Chassis: 43.6 lb (19.8 kg); fully configured: 115.7 lb (52.6 kg)
- Power supply (AC) | 100 to 240 VAC | 100 to 240 VAC
- Power supply (DC) | -40 to -72 VDC | -40 to -72 VDC
- Maximum power draw | 1,100 W (AC power); 1,050 W (DC power) | 1,750 W (AC power); 1,850 W (DC power)
- Power supply redundancy | 1 + 1 | 2 + 1 / 2 + 2

Certifications
- Safety certifications
- Electromagnetic compatibility (EMC) certifications
- Designed for NEBS Level 3
- NIST FIPS-140-2 Level 2 | (with Junos OS 10.4R4) | (with Junos OS 10.4R4)
- ISO Common Criteria NDPP+TFFW EP | (with Junos OS 12.1x44) | (with Junos OS 12.1x44)
- ICSA Network Firewall IPsec
- USGv6 | (with Junos OS 11.4R1) | (with Junos OS 11.4R1)
- 3GPP TS 20.060 Compliance [9] | R6: 3GPP TS 29.060 version 6.21.0; R7: 3GPP TS 29.060 version 7.3.0; R8: 3GPP TS 29.060 version 8.3.0

Environmental
- Operating temperature (long term) | 41° to 104° F (5° to 40° C) | 41° to 104° F (5° to 40° C)
- Operating temperature (short term [10]) | 23° to 131° F (-5° to 55° C) | 23° to 131° F (-5° to 55° C)
- Humidity (long term) | 5% to 85% noncondensing | 5% to 85% noncondensing
- Humidity (short term [10]) | 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air | 5% to 93% noncondensing but not to exceed 0.026 kg water/kg of dry air

[9] SRX3000 line gateways operating with Junos OS release 10.0 and later are compliant with the R6, R7, and R8 releases of 3GPP TS 20.060 with the following exceptions (not supported on the SRX3000 line):
- Section 7.5A Multimedia Broadcast and Multicast Services (MBMS) messages
- Section 7.5B Mobile Station (MS) info change messages
- Section 7.3.12 Initiate secondary PDP context from GGSN
[10] Short term is not greater than 96 consecutive hours, and not greater than 15 days in 1 year.

Juniper Networks Services and Support

Juniper provides performance-enabling services and support that accelerate, extend, and optimize the value of high-performance networking. These services improve productivity by quickly delivering revenue-generating capabilities, support new business models, and enable market expansion and greater customer satisfaction. At the same time, Juniper's operational excellence helps meet performance, reliability, availability, and scalability requirements, reduce operating costs, and eliminate IT risks.
Ordering Information

Model Number | Description

Base System
- BASE-AC | chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, AC PEM* - no power cord - no SPC - no NPC
- BASE-DC | chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, DC PEM - no SPC - no NPC
- BASE-DC2 | chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, DC2 PEM - no SPC - no NPC
- BASE-AC | chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, 2xAC PEM* - no power cords - no SPC - no NPC
- BASE-DC | chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, 2xDC PEM - no SPC - no NPC
- BASE-DC2 | chassis, midplane, fan, routing engine, SFB-12 Gigabit Ethernet, 2xDC PEM - no SPC - no NPC
- SRX3K-PWR-DC2 | Enhanced DC power entry module for SRX3000 line

SRX3000 Line Components
- SRX3K-SPC-1-10-40 | SRX3000 line Services Processing Card with 1 GHz processor and 4 GB memory
- SRX1K3K-NP-2XGE-SFPP | SRX3000 line Network Processing and I/O Card
- SRX3K-NPC | SRX3000 line Network Processing Card
- SRX3K-16GE-TX | 16 x 1 10/100/1000 Copper CFM I/O Card for SRX3000 line
- SRX3K-16GE-SFP | 16 x 1 Gigabit SFP Ethernet I/O Card for SRX3000 line, no transceivers
- SRX3K-2XGE-XFP | 2 x 10 Gigabit XFP Ethernet I/O Card for SRX3000 line, no transceivers
- SRX3K-CRM | Clustering module for the SRX3000 line to enable redundant control links in high-availability clusters

Transceivers
- SRX-SFP-1GE-LH | Small form-factor pluggable 1000BASE-LH Gigabit Ethernet optic module
- SRX-SFP-1GE-LX | Small form-factor pluggable 1000BASE-LX Gigabit Ethernet optic module
- SRX-SFP-1GE-SX | Small form-factor pluggable 1000BASE-SX Gigabit Ethernet optic module
- SRX-SFP-1GE-T | Small form-factor pluggable 1000BASE-T Gigabit Ethernet module
- SRX-XFP-10GE-SR | 10-Gigabit Ethernet pluggable transceiver, short reach multimode
- SRX-XFP-10GE-LR | 10-Gigabit Ethernet pluggable transceiver, 10 Km, single mode
- SRX-XFP-10GE-ER | 10-Gigabit Ethernet pluggable transceiver, 40 Km, single mode

Logical System License
- SRX-3400-LSYS-1 | 1 incremental Logical Systems License for
- SRX-3400-LSYS-5 | 5 incremental Logical Systems License for
- SRX-3400-LSYS-25 | 25 incremental Logical Systems License for
- SRX-3600-LSYS-1 | 1 incremental Logical Systems License for
- SRX-3600-LSYS-5 | 5 incremental Logical Systems License for
- SRX-3600-LSYS-25 | 25 incremental Logical Systems License for

AppSecure Subscription
- -APPSEC-A-1 | One year subscription for Application Security and IPS updates for
- -APPSEC-A-3 | Three year subscription for Application Security and IPS updates for
- -APPSEC-A-1 | One year subscription for Application Security and IPS updates for
- -APPSEC-A-3 | Three year subscription for Application Security and IPS updates for
- SRX3K-SVCS-OFFLOAD-RTU | not an annual license subscription

IPS Subscription
- SRX3K-IDP | One year IPS signature subscription for SRX3000 line
- SRX3K-IDP-3 | Three year IPS signature subscription for SRX3000 line

Extreme LTU
- SRX3K-EXTREME-LTU | Expanded performance and capacity Extreme License for SRX3000 line

C19 Straight Power Cables
- CBL-PWR-C19S-132-UK | Power cord, AC, Great Britain & Ireland, C19 at 70-80 mm, 13 A/250 V, 2.5 mm, straight
- CBL-PWR-C19S-151-US15 | Power cord, AC, Japan/US, NEMA 5-15 to C19 at 70-80 mm, 15 A/125 V, 2.5 m, straight
- CBL-PWR-C19S-152-AU | Power cord, AC, Australia/New Zealand, C19 at 70-80 mm, 15 A/250 V, 2.5 m, straight
- CBL-PWR-C19S-162-CH | Power cord, AC, China, C19, 16 A/250 V, 2.5 m, straight
- CBL-PWR-C19S-162-EU | Power cord, AC, Continental Europe, C19, 16 A/250 V, 2.5 m, RA
- CBL-PWR-C19S-162-IT | Power cord, AC, Italy, C19 at 70-80 mm, 16 A/250 V, 2.5 m, straight
- CBL-PWR-C19S-162-JP | Power cord, AC, Japan, NEMA 6-20 to C19, 16 A/250 V, 2.5 m, straight
- CBL-PWR-C19S-162-JPL | Power cord, AC, Japan/US, C19 at 70-80 mm, 16 A/250 V, 2.5 m, straight, locking plug
- CBL-PWR-C19S-162-US | Power cord, AC, Japan/US, NEMA 6-20 to C19 at 70-80 mm, 16 A/250 V, 2.5 m, straight
- CBL-PWR-C19S-162-USL | Power cord, AC, US, NEMA L6-20 to C19, 16 A/250 V, 2.5 m, straight, locking plug

* AC power cords are not included. One C19-Straight cable with appropriate wall-plug for the final destination of the system is required for each power supply.

About Juniper Networks

Juniper Networks leads the networking industry in high-performance networking. Juniper focuses on providing high-performance network infrastructure for building reliable network environments that accelerate the deployment of services and applications over a single network. These high-performance networks are the driving force behind customers' high-performance businesses. More information is available at www.juniper.co.kr.
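Juniper Networks Korea, Inc.
19F Capital Tower, 736-1 Yeoksam 1-dong, Gangnam-gu, Seoul
TEL: 02)3483-3400 FAX: 02)3483-3488
www.juniper.co.kr

Corporate Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100
www.juniper.net

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One, 1111 King's Road, Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park, Swords, County Dublin, Ireland
Phone: 31.0.207.125.700
EMEA Sales: 00800.4586.4737
Fax: 31.0.207.125.701

For purchase inquiries about Juniper Networks solutions, contact Juniper Networks Korea (phone 02-3483-3400, e-mail salesinfo-korea@juniper.ent).

Copyright © 2013 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks in the United States and other countries. Junos is a registered trademark of Juniper Networks. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any errors in this document. Juniper Networks reserves the right to change, modify, replace, or correct this material without prior notice.

1000267-015-KOR Mar 2014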