This statement of direction sets forth Juniper
Networks’ current intention and is subject to
change at any time without notice. No purchases
are contingent upon Juniper Networks delivering
any feature or functionality depicted in this
presentation.
This presentation contains proprietary roadmap
information and should not be discussed or shared
without a signed non-disclosure agreement (NDA).
We are all living in the wonderful world of digital transformation. No matter the size of your company or the industry you’re operating in, there’s some company ready to completely disrupt what you’re doing.
-Richard L. Villars, VP DC & Cloud Research IDC
Rising to the Challenge
Migrate Workloads
Cloud
Rapid IT Deployment
Continuous Innovation
Faster route to Market
Reduced Costs
Enterprise IT Transformation – XaaS
Traditional DC
Private Cloud
Public Cloud
PaaS
IaaS
IaaS
SaaS
Multicloud
Enterprise IT organizations that will commit to multicloud architecture (IDC): 85%
Cloud Adoption is a Strategic Imperative
Cloud 2.0 – Massive Adoption
Enterprises identified security risks as the biggest barrier in a recent IDC survey
Multicloud Security - Key Requirements
[Diagram labels: SD & PE; Transit VPC - vSRX; Virtualized Apps; Bare Metal Apps; SRX4100/4200; SRX4600/4800; vSRX/cSRX; Private Cloud; Public Cloud 1; Public Cloud 2; Internet; App Servers; Web Servers]
• Micro-Segmentation
• High performance
• Automation
• Visibility & Analytics
• Hypervisor Support
• Global Unified Policy Management
• Secure any-any Connectivity
• Compliance & Consistent Security
• Service Specific Clouds
• Multiple Cloud Integration
• Policy Automation
Juniper Security Portfolio for Multicloud
Sky ATP
SDSN – Software Defined Secure Networks
Security Director
Virtual & Container NGFW
vSRX
4 Gb/s (2 vCPU)
25 Gb/s (16 vCPU)
cSRX
Branch NGFW
SRX300
SRX320
SRX340
SRX345
Mid-range NGFW
SRX1500
SRX4100
SRX4200
SRX4600
High-End NGFW
SRX5400
SRX5600
SRX5800
UNIFIED POLICY: Create and centrally manage policy
GLOBAL THREAT DETECTION: Unify threat intelligence from multiple sources
NETWORK WIDE ENFORCEMENT: Automatically enforce policy across customer premises and cloud
HIGH PERFORMANCE NGFW – PHYSICAL & VIRTUAL SDSN ENFORCEMENT POINTS
• Reduces both opex and capex with better price performance
• Higher scale with IMIX firewall throughput from 1 Gbps to 320 Gbps
• Multiple Services: Application Security, IPS, Content Security, ATP
Juniper Private Cloud Security Solution
Juniper Portfolio for Private Cloud Key Requirements
• Micro-segmentation - vSRX, NSX Integration, Contrail
• High performance – vSRX multicore, SRX1500, SRX4100, SRX4200, SRX 5XXX, SRX4600
• Automation – SD/PE integration, REST/Netconf, Chef/Puppet/Ansible, AppFormix
• Visibility & Analytics – Security Director, Jweb, Juniper Secure Analytics (JSA)
• Hypervisor Support – cSRX/Docker, VMware/NSX, KVM/Contrail
[Diagram labels: VM Isolation; Departments 1 to 4, each with Web VM, App VM, DB VM and Other VM; four vSRX; VMware; Virtual Environment/Private Cloud; Enterprise Applications; SRX1K, SRX4K, SRX5K; SRX; SD & PE; Headquarters; Remote Offices; WAN; IP/MPLS; Private Cloud]
Juniper Public Cloud Security Solution
AWS Marketplace
Azure Marketplace
Juniper Portfolio for Public Cloud Key Requirements
• Platform Integration – vSRX on AWS (BYOL & PAYG), vSRX on Azure (BYOL)
• Automation – PE integration on public cloud, Cloud-Init, Transit VPC, Auto-Scale/ELB
• Visibility & Analytics – Security Director, AppFormix
[Diagram labels: Public Cloud; SD & PE; Transit VPC - vSRX; Public Cloud 1; Public Cloud 2; Internet; App Servers; Web Servers]
vSRX - Juniper Virtual NGFW for Multicloud
High performance NGFW - Scale up to 100 Gbps - Lowest TCO
Firewall Foundational Services
Rich Firewall Services
Firewall VPN NAT Routing
Application Security
User firewall
Unified Threat Management
Anti-virus
Intrusion Prevention Web/Content Filtering
Anti-spam
Advanced Threat Prevention (ATP)
Sky ATP
GeoIP & Custom feeds
Malware Detection
Centralized Management Reporting Analytics Automation
Licensing Based on Features and Throughput
60 Day Evaluation License
vSRX - Ideal form factor for Multicloud Ecosystem
Policy & SDN
• Contrail Service Chaining
• VMware NSX
• SD, CLI, Jweb, NetConf/REST API
IaaS
• Amazon AWS
• Microsoft Azure
• Google Cloud*
Orchestration
• VMware – vCenter
• Open Stack – Plugin
• Contrail Service Orchestrator (CSO)
Platforms
• VMware ESXi 5.x, 6.0
• KVM - Centos & Ubuntu
• Microsoft – HyperV
*Roadmap
Juniper Multicloud Security Solution
[Diagram labels: Internet; Public Clouds; App Server; Web Server; Virtualized Apps; Bare Metal Apps; IPSec VPN; SRX1K/4K/5K; vSRX; vSRX/cSRX; Private Cloud; SD & PE; Transit VPC]
Juniper Portfolio for Multicloud Key Requirements
• Secure Connectivity – vSRX in Public cloud (Transit VPC & Full Mesh VPN deployments), Physical/Virtual DC Edge SRX, vSRX Auto-Scale*
• Compliance & Consistent Security – Portable security policies across private/public cloud
• Unified Management – Security Director as single pane of security management
Private Cloud
Public Cloud
Multicloud
Unified Management & User Intent Policy
ENHANCED VISIBILITY & CONTROL - SD
• Application Visibility & Control, Firewall Policy, Threat Maps, Events & Logs, Dashboard
• Automate operations and rule placement, reduce user errors, improve response time
• Reduce scope of work by 20x
ADAPTIVE & AGILE SECURITY POLICY
• Metadata-based policy – create user-intent-based policy using metadata, which helps to stay agile in the cloud (avoids manual workflow)
• AWS Lambda-based sync of metadata and inventory in a VPC with SD
DYNAMIC POLICY ACTIONS
• Agility of cloud can be preserved by deploying dynamic policy changes in response to a condition (such as an attack)
[Diagram labels: Security Director; Amazon EC2; Finance; Operations; vSRX; AWS Lambda; Predefine Policy; Determine Condition; SRX; Globally apply policy]
Automate Entire Security Life Cycle
Ensure consistent deployment in multicloud environment
Reduces workload build out from days to minutes
Auto remediation improves network availability and reduces Mean Time To Repair
BUILD
• Initial configuration
• Software upgrade
• Space discovery
• Zero Touch Provisioning
CONFIGURE
• Pre/Post change checks
• Configuration generation
• Deployment
• Archive configurations
OPERATE
• Event scripts to check health
• Troubleshoot issues
• Auto Remediation
Multicloud Security – Juniper Offerings - Summary
[Diagram labels: SD & PE; Transit VPC - vSRX; Virtualized Apps; Bare Metal Apps; SRX4100/4200; SRX4600/4800; vSRX/cSRX; Private Cloud; Public Cloud 1; Public Cloud 2; Internet; App Servers; Web Servers]
• vSRX – Cloud Native
• VMware NSX Integration
• Contrail Security
• SRX Encryption – IPSec
• High performance physical Firewalls
• Global Policy Management – Security Director (SD)
• vSRX Transit VPC
• vSRX on AWS
• vSRX on Azure
• Adaptive Security Policy (Metadata based Policy)
Key Takeaways
• Comprehensive solution for multicloud deployment that helps customers rise to the challenge of cloud adoption
• High performance and scale of Juniper security lowers customers' TCO
• Flexible licensing and business models to match varied customer requirements
• Unified Management and Network as Enforcement through SDSN
Use Cases
Micro-segmentation
Retail hosting virtual workloads in private DC
• Differentiated security across various application groups
• Security as agile as the workloads
• High performance security – cannot be bottleneck to application traffic
NSX Integration, Contrail micro-segmentation

Compliance & Consistent Security
Health Insurance running applications & partner services on AWS
• Consistent security between DC and public cloud
• Secure connectivity between VPCs across multiple regions
• Redundancy in connectivity
Encryption & Security everywhere, Unified management by SD, Multiple Availability Zones for Redundancy

Secure Connectivity
Financial enterprise with a mix of on-prem and AWS assets
• Secure connectivity between VPCs across multiple regions
• Secure connectivity from DC to AWS VPCs
• IPS and Stateful packet inspection between VPCs
Transit VPC
Transit VPC
• Cross-region, cross-account VPCs can connect to the Transit VPC via IPSec tunnels
• BGP-based dynamic routing combined with multi-AZ deployment creates a robust network infrastructure
• Transit VPC can establish VPN connections to VGWs attached to Spoke VPCs automatically with zero touch
[Diagram labels: Transit VPC; vSRX, vSRX; AZ 1, AZ 2; VPC 1, VPC 2, VPC N; Internet; VPN over Direct Connect; Backup VPN]
[Diagram: Secure Connectivity. Labels: Transit VPC; vSRX, vSRX; AZ1, AZ2; Amazon EC2 US West, US Central and US East, each with a VPN gateway; AWS Direct Connect]
Juniper Transit VPC Architecture
• Deploys two vSRXs (highly available design)
• The VGW Poller function runs every minute looking for appropriately tagged VGWs
• A PUT event inside AWS S3 triggers the Juniper Configurator function to generate and push the required configurations to the vSRXs
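An added example (not code from this presentation or from Juniper's Transit VPC solution) of the decision a VGW poller makes on each run: which tagged VGWs to connect, which to disconnect, and which to refuse. The tag name, the per-account input layout and the account allowlist are assumptions made for illustration; tag-driven onboarding is why the allowlist check is worth having in a cross-account design.

```python
# Added illustration of one poll cycle; not Juniper's Lambda code.
SPOKE_TAG = ("transitvpc:spoke", "true")   # hypothetical opt-in tag key/value


def is_tagged_spoke(vgw, tag=SPOKE_TAG):
    """True when a VGW is available, attached to a VPC, and carries the opt-in tag."""
    tags = {t["Key"]: t["Value"] for t in vgw.get("Tags", [])}
    attached = any(a.get("State") == "attached" for a in vgw.get("VpcAttachments", []))
    return (vgw.get("State") == "available" and attached
            and tags.get(tag[0], "").lower() == tag[1])


def plan_poll_cycle(vgws_by_account, configured, allowed_accounts):
    """Compare tagged VGWs with those already configured on the vSRX pair.

    Returns VGW ids to connect, to disconnect (tag removed or VGW gone), and
    to reject (tagged, but in an account that is not on the allowlist).
    """
    wanted, rejected = set(), set()
    for account, vgws in vgws_by_account.items():
        for vgw in vgws:
            if is_tagged_spoke(vgw):
                (wanted if account in allowed_accounts else rejected).add(vgw["VpnGatewayId"])
    return {"connect": sorted(wanted - configured),
            "disconnect": sorted(configured - wanted),
            "rejected": sorted(rejected)}


def _vgw(vgw_id, tagged, state="available"):
    """Build a constructed record in the shape of an EC2 DescribeVpnGateways entry."""
    tags = [{"Key": SPOKE_TAG[0], "Value": SPOKE_TAG[1]}] if tagged else []
    return {"VpnGatewayId": vgw_id, "State": state, "Tags": tags,
            "VpcAttachments": [{"VpcId": "vpc-example", "State": "attached"}]}


# Constructed sample input: account ids and VGW ids are placeholders.
SAMPLE = {
    "111111111111": [_vgw("vgw-aaa", True), _vgw("vgw-bbb", False),
                     _vgw("vgw-ddd", True, state="deleted")],
    "999999999999": [_vgw("vgw-ccc", True)],
}

if __name__ == "__main__":
    plan = plan_poll_cycle(SAMPLE, configured={"vgw-old"},
                           allowed_accounts={"111111111111"})
    # In the architecture above, a non-empty plan would be written to S3,
    # and that PUT would trigger the configurator for the vSRXs.
    print(plan)
```

Logging the "rejected" list gives operations a record of VGWs that were tagged for the transit but came from an account nobody approved.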
Demo Topology
[Diagram labels: vSRX1; vSRX2; Linux AMI and IPSec tunnel in US East (N. Virginia); Linux AMI and IPSec tunnel in US West (Oregon)]
Resources
• BYOL Juniper Transit VPC is now in the Marketplace: https://aws.amazon.com/marketplace/pp/B077NR8G4Q?qid=1512381707615&sr=0-6&ref_=srh_res_product_title
• Juniper Transit VPC implementation guide: https://www.juniper.net/assets/jp/jp/local/pdf/implementation-guides/8010096-en.pdf
• NXTWORK 2017 - SECURITY SESSIONS
  • Zero Trust Security with Software-Defined Secure Networks (Technical Deep Dive)
  • Security NOW: Stop Threats Faster. (Business Solutions)
  • Extending Enterprise Security to Multicloud and Public Cloud (Technology Focus)