JuniperJuniper NetworksNetworks IPIP RoutersRouters && SecuritySecurity SolutionsSolutions TendenciasTendencias TecnologicasTecnologicas

Cuauhtemoc Trejo M. TAM Juniper Networks Mexico

[email protected]

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 1 The is Changing…Today:

limited WAN User experience Devices

LAN ience User exper

Intelligence Services

Connectivity

Connectivity

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 2 The Industry Has Two Choices

Continue growing service-specific …OR migrate to a single private networks & a commoditized infrastructure that delivers quality, Internet… security & reach

Private Networks Infranet Control over security, quality… Expensive No inter-carrier connectivity Private IP/ VPNs Email

Web Web VoIP IPSEC VPN Email Gaming Video Conferencing Public Internet

Single Network Global connectivity Low cost Segregated, uniquely managed virtual networks No control over security, quality… Assured end-to-end experience

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 3 The Internet is Changing…:

Assured WAN User experience Devices

Assured LAN User experience

Services Intelligence Connectivity

Connectivity

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 4 Intelligent Services – a Challenge and an Opportunity

Network Security becomes an integral part of the intelligent Network Services layer

Devices Building the WorldWide LAN:

Netscreen Technologies Peribit Networks Red Line Networks Funk Software

Services Intelligence Connectivity

Connectivity

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 5 Secure and Assured Portfolio Deliver high levels of security, uptime and performance with simplified Routing operations in converged IP and IP/MPLS infrastructures through professional-grade routers based on the advanced, modular JUNOS operating system.

Application Improve and control application performance for users accessing Acceleration centralized and web-based applications across a wide area network to improve user satisfaction while lowering infrastructure cost and complexity

Session Extends the reach of IP telephony beyond a single network by providing the advanced security, protocol interworking, NAT traversal and Quality Border of Service mechanisms required to interconnect two VOIP networks Controller for seamless call control and completion.

Intrusion Provide zero day protection against worms, Trojans, spyware, keyloggers, and other malware by identifying and stopping network & application-level Detection attacks as well as giving visibility to potential rogue servers and and Prevention applications, and other violations

Eliminate the need for client access software, changes to internal servers, Secure Access and costly ongoing maintenance & desktop support while providing added SSL VPN security through endpoint validation agents

Integrated Integrated security devices with Stateful firewall and IPSec VPN, Firewall/IPSec including models with integrated IDP at the Data Center or integrated VPN Antivirus, Web Filtering and wireless access at the branch office.

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 6 Global Commercial Customer Base Includes 25 of the largest 28 service providers

Americas EMEA APAC

Deutsche Telekom

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 7 Research & Education Customers National Networks Regional & Campus Networks North America North America ƒ Abilene - Internet2 • 16 GigaPoPs ƒ CA*net4 - Canada • 13 Supercomputer Centers & ƒ And 5 other National R&E Networks National Labs • 50+ Universities • Several State Government Nets Europe: GÉANT + 10 National R&E • Several K-12 Systems Networks Europe • 14 GigaPoPs • 1 Supercomputer Center Asia: APAN + 3 National R&E • 30+ Universities & Research Labs Asia Networks • 20+ Universities & Research Labs Latin America • 1 GigaPoP • 1 University

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 8 DREN

NREN CA*net4CA*net4

vBNS

Abilene TeraTeraGriGridd

SuperNet NASAneNASAnet t

ESnet

Copyright © 2003 Juniper Networks, Inc.All Juniper Partial Juniper www.juniper.net 9 EMEA R&E Networks

RHnet

GEANT SUNET FUNET

EENet NORDUNET LATNET UKERNA Forskningsnettet LITNET HEAnet SURFnet POL34 Belnet RESTENA RENATER SANET Aconet SWITCH ARNESHUNGARNET VTHD RoEduNet CARNet UNICOM-B RedIRIS GARR FCCN GRNET CYNET

IUCC

CopyrightSource: © 2003 w wJuniperw.d Networks,ante.n Inc.et/ geant/ www.juniper.net 10 JGN

APAN TransPac

K-REN

6-KANET

Source: www.apan.net Copyright © 2003 Juniper Networks, Inc. www.juniper.net 11 Copyright © 2003 Juniper Networks, Inc. www.juniper.net 12 Copyright © 2003 Juniper Networks, Inc. www.juniper.net 13 Japan Gigabit Network

ƒ Japan Gigabit Network (JGN) - nationwide, next generation network widely available for use at universities, research institutions, venture businesses & local governments in Japan.

ƒ IPv6 service offered to the public and academic institutions in Japan since Fall 2001 Juniper M20 Router running IPv6 in Otemachi IPv6 System Operation and Technical ƒ Juniper Networks - a key supplier of IPv6 routing platforms Development Center since 2001.

ƒ “I appreciate Juniper Networks IPv6 implementation, as it provides us the same level of packet forwarding capacity, scalability as its IPv4. Also, it can run IPv4 and IPv6 simultaneously, while providing the interoperability with other IPv6 vendors' routers. I, especially, appreciate Juniper Network's prompt and adequate technical supporting to try to deliver the production- caliber quality operation.” Dr. Esaki, head of JGN IPv6 operation

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 14 v4 & V6 on a single infrastructure

ESnet Announcement 8/28/02 Department of Energy's Global Research Network Teams With Juniper Networks to Deploy Simultaneous IPv4 and IPv6 Operation Delivers Scalability and Performance without Compromise to Advance Global Internet Expansion ƒ A single set of routers ƒ Simultaneous IPv6 implementation

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 15 Juniper IPv4 vs IPv6 Forwarding ƒ Both forwarding tables (IPv4 & IPv6) • Built by the Routing Engine • Stored in memory on the Forwarding Engine’s ASIC ƒ All forwarding decisions made in hardware ƒ Internet Routing Table • From University of Oregon Route Views Server • Approximately 112,000 Routes

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 16 TeraGrid

ƒ Distributed Terascale Facility ƒ $53 Million NSF Funded Supercomputer Project ƒ Distributed across NCSA; Argonne; SDSC; Caltech • 8 Terraflops at NCSA (Illinois) • Petabytes of data at SDSC (California) ƒ Network has: • 6 T640s • 16 SONET OC-192 Circuits • 12 - 10 Gigabit Links

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 17 AbileneAbilene RouterRouter SelectionSelection

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 18 Juniper Networks M and T Architecture

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 19 Juniper M & T Series Routers

T640 M320 M40e T320

M20 M7i/M10i

M-series T-series

JUNOS Common software and features Across all platforms

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 20 Juniper Routers Advantage

most Secure highest Uptime ƒ Modularity for full router ƒ Strong attack defense t t m g control while under attack m ensures system stability s y g t P ol Forwarding Control i r e M M M ƒ oc ƒ u Minor problems do not s Next Gen CLI for fast c t

Engine Plane c a o f SN ssi

r lead to system crashes editing of filters while Se a Pr e h t

under attack C

In ƒ Next Gen CLI prevents Services ƒ Dedicated processing to operator error Plane support many filter terms ƒ Rescue config button without degradation for fast recovery

excellent Performance reduced Operational cost Juniper ƒ Predictable ƒ One software train performance for ƒ Multiple management Addition of voice, video and other tools, including J-Web new service 6.4 7.0 7.1

ne Rate time critical apps

i features ƒ XML-based API ƒ Comprehensive QOS ƒ Restoration features Traditional functions to classify, % of L One Router ƒ Feature licensing prioritize and Train! Complexity of schedule traffic ƒ Interoperability Packet Processing

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 21 ASIC Based Forwarding and Services ƒ All packet forwarding and advanced services are executed in hardware on a custom designed ASIC, not on a CPU ƒ This ASIC is a programmable, high performance packet classifier and forwarding engine optimized for IPv4, Packet Forwarding IPv6, and MPLS 120% 100% ƒ Acts as a centralized resource enabling 80% breakthrough support for performance- 60% based, enhanced services on all 40% interfaces 20% • filter based forwarding, packet filtering, 0% packet sampling, rate limiting, traffic Increasing number of packet filters policing, and port mirroring Juniper Routers CPU-based router

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 22 Design and Operations Simplicity New Features and Functionality

5.65.6 5.75.7 6.06.0 6.16.1 6.26.2 6.36.3

Single Binary Image on All Platforms

Fewer variables and a simpler process mean less time is spent planning, provisioning, and deploying your networks ‹ CLI enhancements (access controls, command line completion, context sensitive help, rich set of show commands, ect.) ‹ Industry-standard management protocols (XML, SYSlog, and SNMP) ‹ User-friendly configuration syntax: hierarchical (easy to read), editor supports local scoping, and comments/inactive command support

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 23 Physical Interface Cards (PICs) Mix and Match PICs enable maximum configuration flexibility

ƒ Each FPC has 4 PIC slots, any PIC can go into any slot

ƒ Example: an M10 can be configured with OC-48 SONET, Gig-E, Fast-E, DS-3, and OC-12 SONET

ƒ PIC choices include: Fast-E, Gig-E, T1, DS-3, OC3 (SONET & ATM) , OC12 (SONET & ATM), OC-48 SONET, OC-192 SONET, 10 Gig-E

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 24 Flexible PIC Concentrators (FPC)

ƒ Multiple interface media per FPC slot ƒ PIC hot insert/removal ƒ Adding additional flexible PIC controllers (FPCs) adds additional shared memory • Available to any interface in the system • There is never a possibility of “memory starvation”

PIC 1 x OC-192c

PIC 4 x OC-48c PIC 1 x 10GE PIC Tunnel

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 25 Software Usability and Operations

ƒ Command Line Interface interfaces { • User & group access control fxp0 { • Flexible config management unit 0 { family inet { • Commit & rollback address 10.0.0.20/24; } • Hierarchical, easy to read } } } ƒ Protocols & Tools routing-options { • SNMP v1, 2 (v3 in 5.4) static { route default { • Telnet and FTP gateway 10.0.0.1; retain; • Syslog and NTP no-readvertise; } • TACACS+ and RADIUS } } • SSH and SCP • Ping and Traceroute Benefit: Simpler Operations

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 26 IPv6 Available Features ƒ Supported on all M-series and T-series platforms

Addressing & Routing Operations & Forwarding Protocols Transition

ƒ Forwarding in hardware ƒ IS-IS ƒ Common support ƒ Addressing ƒ OSPFv3 ƒ ICMPv6 • Link, site, global ƒ MP-BGP over v4/v6 ƒ SNMP over v6 + MIBs • Stateless ƒ IP applications autoconfiguration ƒ RIPng • Ping, telnet, ssh, ftp… ƒ Neighbor discovery ƒ Static ƒ Transition ƒ IPv6 Packet Filtering ƒ IPv6 VPN • Configured tunnels ƒ EUI 64 Autogeneration (RFC2547bis) • Dual stack ƒ Unicast RPF ƒ PIM v2 • Transport IPv6 in MPLS ƒ FBF and CBF for IPv6 ƒ MLD ƒ Destination/Source Class Usage

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 27 Service-Built M7i router

ƒ Leverages production proven technology • Internet Processor II technology • Feature rich JUNOS 6.0 software

ƒ Uses existing M5/M10 PIC’s • Broad set of interfaces available (45) • Provides investment protection

ƒ 2 Rack Units high

ƒ Four configurations: Ideal for: • 4 open slots, 2 x FE fixed ƒ PE services, low density PoPs • 4 open slots, 2 x FE fixed, adaptive services module ƒ Carrier class head office CPE • 4 open slots, 1 x GE fixed (SFP) • 4 open slots, 1 x GE fixed (SFP), adaptive services module

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 28 M7i with Adaptive Services Module

ƒ Hardware-accelerated packet processing with programmable ASICs • Based on Adaptive Services PIC technology • High performance services ASM • Optional, must be ordered w/ chassis NAT IPsec ƒ J-Protect security toolkit • High speed NAT Firewall Accounting • High speed Stateful Firewall • High speed IPSec ƒ J-Flow accounting • High speed accounting

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 29 Security in the Intelligent Infrastructure

ƒ The network infrastructure is becoming more intelligent • MPLS • “Infranet” ƒ The intelligent infrastructure provides end-to-end services to applications: • Quality of Service (QoS) • Security • Reliability • Measurement ƒ Every device in the path of packets needs to provide these services in tandem with all other devices • Security devices are no exception

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 30 J-series Services Router

ƒ2XT1/E1/Serial platform ƒ2 fixed FE LAN + 1 fixed 2 port card ƒ1 FE & 1 primary port active, additional w/license J2300 ƒ1 expansion slot for backup ISDN/dial interfaces

ƒNxT1/E1 ƒ2 fixed FE LAN + 6 open interface slots ƒ1 FE port active, additional w/ license J4300

ƒ DS3 platform ƒ 2 fixed FE LAN + 6 open interface slots ƒ Both FE ports active ƒ Redundant power supply J6300

I/O Cards: 2xT1, 2xE1, 2xSerial, 2xFE (J4300/J6300), DS3 (J6300)

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 31 Juniper Advantages for R&E Nets ƒ JUNOS • Running in production networks for 10+ years • High Performance IPv4; Scalable Multicast that works; IPv6 features and functionality • Same JUNOS on all M&T Series Routers ƒ Hardware Performance • Advanced Features at line rate ƒ Routers that don’t get in the way of Network Research • No performance or operational bottlenecks allow network researchers to focus on network research not router trouble shooting

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 32 Network Security: New Challenges 1. Merging Network Security into an intelligent network infrastructure 2. Disappearance of the Trusted Network. Users and their devices are always “inside” 3. Applications impose tougher demands on network equipment : 4. New types of endpoints, less trust and less control 5. Attacks target applications, spread quickly and are increasingly more difficult to detect

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 33 Security in the Intelligent Infrastructure

Traditional Approach Internet

ST IPS/IDP Firewalls

IPS/IDP

Anti Virus

DMZ

HR All devices need to participate in the FiSananceles intelligent infrastructure DMZ Department Servers

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 34 Security in the Intelligent Infrastructure

Integrated Integrated Routing, Firewall, Infrastructure Internet VPN, DDoS, IPS/IDP, AV, etc.

ST IPS/IDP Firewalls

IPS/IDP

Anti Virus

DMZ

HR FiSananceles

DMZ Department Servers

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 35 Worldwide threat management 2005- 2009, IDC white paper.

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 36 Evolution of the Enterprise Gateway Increasing Demands Require New Approaches

ƒ Increasing use of small packet applications: multi-media, A ver age streaming media, VoIP, etc. Pa cke Lat t S ƒ Make traffic decisions with low enc ize y/J itt latency to ensure applications er Tol era are not affected nce & ƒ Increasing demand for remote s ion ct ion network connectivity: from ne t n ec n on Co nn io ti home, on the road, on the go- f co at ec o / ic t # ue pl o PDA’s wireless al p /pr v A ss ne ƒ Application vulnerabilities are re wa on the rise, application attacks a are growing in sophistication Time

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 37 Introducing NetScreen-Integrated Security Gateway (ISG) 2000 BestBest--ofof BreedBreed SecuritySecurity inin aa SingleSingle PlatformPlatform • Predictable Performance – Next-Generation Security ASIC (GigaScreen³) • 2 Gbps Stateful Firewall - any packet size • 1 Gbps 3DES & AES IPSec VPN - any packet size • 1 Gbps+ IDP • Integration • Core networking capabilities via ScreenOS– Security Zones & Virtual Systems, OSPF, BGP & RIPv2 routing, A/P & A/A High Availability • Security applications -- FW/Deep Inspection/VPN • Scalability • New flexible architecture designed to accommodate future performance, capacity and functionality needs • Up to 28 ports, up to 500 VLANs, • Attack Protection • Network attack protection, including DoS attacks (Screens) • Deep Inspection to protect against attacks in Internet-facing protocols

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 38 Forecast and assumptions (IDC)

Continuing expansion of the UTM security appliance. Security event correlation married to UTM management. Opportunities in small and medium-sized enterprises. The number of small and medium-sized companies is huge. Addressing new applications such as voice, Web services, and storage networks.

Wireless (WLAN) security Change in form factor. Security appliance form factors will continue to change. The standalone black box is beginning to be replaced by appliance blades or Cards . Firewall routers . boon or bane? The increasing incorporation of firewall technology into routers by networking vendors such as Cisco, Enterasys, and Juniper can be a blessing or a curse for the threat management markets.

More new players and no consolidation.

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 39 SSG: New Family

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 40 APM advisors report: Traffic Management

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 41 Juniper’s Broad Product Portfolio Meeting a Diverse Range of Requirements

Central Policy-Based Secure Remote Access Routing Unified Access Management Access (SSL VPN) Control

Integrated Firewall/IPSEC VPN Integrated Intrusion Secure Security Detection Services Gateways and Prevention Gateways

Core and Aggregation WAN Application VF-Series Routing Acceleration Acceleration

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 42 Evolving Challenges and Requirements

Different Users with different relationship to business Different Devices with different levels of IT control Different Locations with different relationship to business

Need Access to Differentiated Information and Application Services

A New Security and Assurance Paradigm

Security throughout the computing environment • Trust = binary Æ Trust = variable • Perimeter Security ÆPervasive Security

Increase Intelligence in the Network • User/device separate from network Æ Blended •Network level Æ network, application, device, user

Assurance throughout the computing environment • Best Effort Æ Predictable Service Delivery • Support quality Æ Enhance quality

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 43 Best in Class Platforms for Carriers and Enterprises

Inside Enterprise Carrier Core Access Extended Enterprise Gateway Edge Network Enterprise Customers Sales Mobile Workers Day Extenders HR Business Finance Partners

Fixed Telecommuters

Branch Department DMZ Offices Servers Data Center ƒ Purpose-built platforms delivering performance, stability and control ƒ Applications and services supported at scale ƒ User and application aware

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 44 Secure + Assured + Open

= Juniper Secured and Assured Solutions

CCopyrightopyright © 20032004 JuniperJuniper Networks,Networks, Inc.Inc. Proprietary and Confidential www.juniper.netwww.juniper.net 45 www.juniper.net www.juniper.net/education Preguntas?

Copyright © 2003 Juniper Networks, Inc. www.juniper.net 46