SRX300 Line of Services Gateways for the Branch

Product Overview

The SRX300 line of services gateways combines security, routing, switching, and WAN interfaces with next-generation firewall and advanced threat mitigation capabilities for cost-effective, secure connectivity across distributed enterprise locations. By consolidating fast, highly available switching, routing, security, and next-generation firewall capabilities in a single device, enterprises can remove network complexity, protect and prioritize their resources, and improve user and application experience while lowering total cost of ownership (TCO).

Product Description

Juniper Networks® SRX300 line of services gateways delivers a next-generation networking and security solution that supports the changing needs of cloud-enabled enterprise networks. Whether rolling out new services and applications across locations, connecting to the cloud, or trying to achieve operational efficiency, the SRX300 line helps organizations realize their business objectives while providing scalable, easy to manage, secure connectivity and advanced threat mitigation capabilities. Next-generation firewall and unified threat management (UTM) capabilities also make it easier to detect and proactively mitigate threats to improve the user and application experience.

The SRX300 line consists of four models:

• SRX300: Securing small branch or retail offices, the SRX300 Services Gateway consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1 Gbps firewall and 300 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.

• SRX320: Securely connecting small distributed enterprise branch offices, the SRX320 Services Gateway consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX320 supports up to 1 Gbps firewall and 300 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.

• SRX340: Securely connecting midsize distributed enterprise branch offices, the SRX340 Services Gateway consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX340 supports up to 3 Gbps firewall and 600 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.

• SRX345: Best suited for midsize to large distributed enterprise branch offices, the SRX345 Services Gateway consolidates security, routing, switching, and WAN connectivity in a 1 U form factor. The SRX345 supports up to 5 Gbps firewall and 800 Mbps IPsec VPN in a single, consolidated, cost-effective networking and security platform.

SRX300 Highlights

The SRX300 line of services gateways consists of secure routers that bring high performance and proven deployment capabilities to enterprises that need to build a worldwide network of thousands of remote sites. Ethernet, serial, T1/E1, ADSL2/2+, VDSL2, and 3G/4G LTE wireless are all available options for WAN or Internet connectivity to link sites. Industry best, high-performance IPsec VPN solutions provide comprehensive encryption and authentication capabilities to secure intersite communications. Multiple form factors with Ethernet switching support on native Gigabit Ethernet ports allow cost-effective choices for mission-critical deployments. Juniper Networks Junos® automation and scripting capabilities and Junos Space Security Director reduce operational complexity and simplify the provisioning of new sites.

The SRX300 line of devices recognizes more than 3,500 Layer 3-7 applications, including Web 2.0 and evasive peer-to-peer (P2P) applications like Skype, torrents, and others. Correlating application information with user contextual information, the SRX300 line can generate bandwidth usage reports, enforce access control policies, prioritize and rate-limit traffic going out of WAN interfaces, and proactively secure remote sites. This optimizes resources in the branch office and improves the application and user experience.

For the perimeter, the SRX300 line offers a comprehensive suite of application security services, threat defenses, and intelligence services. The services consist of intrusion prevention system (IPS), application security user role-based firewall controls, and on-box and cloud-based antivirus, anti-spam, and enhanced Web filtering, protecting networks from the latest content-borne threats. Integrated threat intelligence via Juniper Networks Spotlight Secure offers adaptive threat protection against Command and Control (C&C)-related botnets and policy enforcement based on GeoIP. Customers can also leverage their own custom and third-party feeds for protection from advanced malware and other threats. Integrating the Juniper Networks Sky Advanced Threat Protection solution, the SRX300 line detects and enforces automated protection against known malware and zero-day threats with a very high degree of accuracy.

The SRX300 line enables agile SecOps through automation capabilities that support Zero Touch Deployment, Python scripts for orchestration, and event scripting for operational management. SRX300 services gateways run Juniper Networks Junos operating system, a proven, carrier-hardened network OS that powers the top 100 service provider networks around the world. The rigorously tested, carrier-class, rich routing features such as IPv4/IPv6, OSPF, BGP, and multicast have been proven in over 15 years of worldwide deployments.

Features and Benefits

 

1- MACsec for LAN/WAN links available in 15.1X49-D100 and later releases

2- SSL forward proxy and Sky ATP are supported on SRX340 and higher platforms

SRX300 Specifications

Software Specifications

Routing Protocols

IPv4, IPv6, ISO, Connectionless Network Service (CLNS)

Static routes

RIP v1/v2

OSPF/OSPF v3

BGP with Route Reflector

IS-IS

Multicast: Internet Group Management Protocol (IGMP) v1/v2, Protocol Independent Multicast (PIM) sparse mode (SM)/dense mode (DM)/source-specific multicast (SSM), Session Description Protocol (SDP), Distance Vector Multicast Routing Protocol (DVMRP), Multicast Source Discovery Protocol (MSDP), Reverse Path Forwarding (RPF)

Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)

Virtual routers

Policy-based routing, source-based routing

Equal-cost multipath (ECMP)

QoS Features

Support for 802.1p, DiffServ code point (DSCP), EXP

Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters

Marking, policing, and shaping

Classification and scheduling

Weighted random early detection (WRED)

Guaranteed and maximum bandwidth

Ingress traffic policing

Virtual channels

Hierarchical shaping and policing

Switching Features

ASIC-based Layer 2 Forwarding

MAC address learning

VLAN addressing and integrated routing and bridging (IRB) support

Link aggregation and LACP

LLDP and LLDP-MED

STP, RSTP, MSTP

MVRP

802.1X authentication

Firewall Services

Stateful and stateless firewall

Zone-based firewall

Screens and distributed denial of service (DDoS) protection

Protection from protocol and traffic anomaly

Integration with Pulse Unified Access Control (UAC)

Integration with Aruba ClearPass Policy Manager

User role-based firewall

SSL Inspection (Forward-proxy)²

Network Address Translation (NAT)

Source NAT with Port Address Translation (PAT)

Bidirectional 1:1 static NAT

Destination NAT with PAT

Persistent NAT

IPv6 address translation

VPN Features

Tunnels: Generic routing encapsulation (GRE)³, IP-IP³, IPsec

Site-site IPsec VPN, auto VPN, group VPN

IPsec crypto algorithms: Data Encryption Standard (DES), triple DES (3DES), Advanced Encryption Standard (AES-256), AES-GCM

IPsec authentication algorithms: MD5, SHA-1, SHA-128, SHA-256

Pre-shared key and public key infrastructure (PKI) (X.509)

Perfect forward secrecy, anti-replay

IPv4 and IPv6 IPsec VPN

Multi-proxy ID for site-site VPN

Internet Key Exchange (IKEv1, IKEv2), NAT-T

Virtual router and quality-of-service (QoS) aware

Standard-based dead peer detection (DPD) support

VPN monitoring

Network Services

Dynamic Host Configuration Protocol (DHCP) client/server/relay

Domain Name System (DNS) proxy, dynamic DNS (DDNS)

Juniper real-time performance monitoring (RPM) and IP-monitoring

Juniper flow monitoring (J-Flow)³

High Availability Features

Virtual Router Redundancy Protocol (VRRP)³

Stateful high availability

Dual box clustering

Active/passive

Active/active

Configuration synchronization

Firewall session synchronization

Device/link detection

In-Band Cluster Upgrade (ICU)

Dial on-demand backup interfaces

IP monitoring with route and interface failover

Management, Automation, Logging, and Reporting

SSH, Telnet, SNMP

Smart image download

Juniper CLI and Web UI

Junos Space and Security Director

Python

Junos OS event, commit, and OP script

Application and bandwidth usage reporting

Auto installation

Debug and troubleshooting tools

Zero-Touch Provisioning with Contrail Service Orchestration

3- GRE, IP-IP, J-Flow monitoring, and VRRP are not supported in stateful high-availability mode.

Advanced Routing Services

Packet mode

MPLS (RSVP, LDP)

Circuit cross-connect (CCC), translational cross-connect (TCC)

L2/L3 MPLS VPN, pseudowires

Virtual private LAN service (VPLS), next-generation multicast VPN (NG-MVPN)

MPLS traffic engineering and MPLS fast reroute

Application Security Services⁴

Application visibility and control

Application-based firewall

Application QoS

Application-based advanced policy-based routing

Threat Defense and Intelligence Services⁵

Intrusion prevention

Antivirus

Antispam

Category/reputation-based URL filtering

Spotlight Secure threat intelligence

Protection from botnets (command and control)

Adaptive enforcement based on GeoIP

Sky Advanced Threat Prevention to detect and block zero-day attacks⁶