MULTISERVICES DPC


DATASHEET

Product Overview

Service providers and enterprises are seeking to offer value-added services such as network-based security, tunnel services, and voice services to their network infrastructure. The Juniper Networks Multiservices DPC (MS-DPC) for the MX Series 3D Universal Edge Routers provides dedicated high-performance processing for flows and sessions, and integrates advanced security capabilities that protect the network infrastructure as well as user data.

Product Description

Juniper Networks® Multiservices DPC significantly expands the flexibility of the Juniper Networks MX Series 3D Universal Edge Routers portfolio by enabling a broad range of services and applications in a single DPC form factor that can also serve as an integral part of a security solution. Session border control (SBC) functions, intrusion prevention system (IPS), deep packet inspection, stateful firewall, Network Address Translation (NAT), flow monitoring, and anomaly detection can be layered simultaneously on each MS-DPC, creating a rich, scalable services plane. The MS-DPC utilizes a flexible architecture, and silicon innovation provides high-performance service processing which is extensible to a variety of applications.

MS-DPCs are full slot modules that supply hardware acceleration for an array of packet processing-intensive services for the MX Series portfolio—the MX960, MX480, and MX240. These services include advanced SBC functions, stateful firewall, NAT, IPsec, anomaly detection, J-Flow accounting, and tunnel services. This wide array of services enables service providers to secure their network infrastructure; to collect rich statistics for billing, capacity planning, and security purposes; and to deliver new revenue-generating services, all with a single module. Enterprises will benefit with the added security and monitoring services that are now available on the MX Series with the addition of the MS-DPC.

The MS-DPC implements all services on the router itself, eliminating discrete devices and layers of network and management complexity and resulting in lower cost of ownership. Multiple MS-DPCs can be deployed in a single MX Series platform, increasing performance incrementally and cost-effectively to meet growing demand. Many of these services can be combined onto a single MS-DPC which enables providers to conserve connectivity slots in their routers, reduce capital expenses, and dramatically simplify sparing.

Architecture and Key Components

The MX Series 3D Universal Edge Routers Portfolio

This MX Series portfolio of Ethernet services routers establishes a new industry standard for carrier Ethernet capacity, density, and performance. Optimized for emerging Ethernet network architectures and services, the MX Series is purpose built for the most demanding carrier and enterprise applications, and leverages Juniper Networks Junos® operating system to enable carriers and enterprises to seamlessly and cost-effectively deploy Ethernet and accelerate their next-generation network deployments. By combining a best-in-class hardware platform with the reliability and service flexibility of Junos OS, the MX Series delivers a combination of features and capabilities previously unattainable in carrier Ethernet deployments.

The Multiservices DPC (MS-DPC)

The Multiservices DPC provides hardware acceleration for an array of packet processing-intensive services such as SBC functions, stateful firewall, NAT, flow monitoring, and even elementary anomaly detection, and each service can be layered simultaneously on each MS-DPC, creating a rich, scalable “services plane.” This wide array of services enables service providers to offer voice convergence; secure their network infrastructure; collect rich statistics for billing, capacity planning, and security purposes; and deliver new revenue-generating services—all with a single module.

Modular Software Applications

The following services can be run on the Juniper Networks MS-DPCs. Each service requires a software license.

  • SBC functions, which include both Signaling Gateway functions as well as Media Gateway functions, support a wide variety of IP multimedia subsystem (IMS) and non-IMS applications by permitting the MX Series to dynamically control and manage real-time multimedia traffic flows at the network edge (between the IP edge and the access network). The SBC application also permits critical functions such as bandwidth policing and granular quality of service (QoS), as well as access control and accounting features.
  • Stateful firewall provides a per-flow state table and performs packet inspection that drops packets not complying with the protocol state. Stateful firewall includes attack detection, which provides anomaly-based attack detection and prevention.
  • Dynamic Application Awareness provides IPS and deep packet inspection functions that together enable the stateful detection, identification, and analysis of application layer traffic (L4-L7) on a per subscriber, per session, and per application basis.
  • NAT supports the static or dynamic translation of private IP addresses to public IP addresses (v6 and v4), as well as Port Network Address Translation (PAT).
  • IPsec provides high-performance Data Encryption Standard (DES), triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) encryption for protecting the router.
  • J-Flow accounting offers a high-performance, flow-based statistics collection solution by statefully tracking flows and exporting standards-based v5, v8 and v9 flow records.
  • Tunnel services provide a broad set of capabilities that allows providers to use different encapsulation mechanisms such as IP over IP, Physical Interface Module sparse mode (PIM SM), and generic routing encapsulation (GRE), including enhanced GRE functions such as pre-fragmentation, key stamping, and verification of GRE packets.

Features and Benefits

Protecting the Stateful Firewall

The MS-DPC can be used to provide stateful firewall services integrated with the router to provide protection for the service provider and enterprise network, as well as a revenue-generating managed service that protects customer infrastructure. Traffic from any ingress Dense Port Concentrator (DPC) can be classified and routed to the stateful firewall and then either dropped or forwarded from the proper egress DPC. This integration allows customers to eliminate external firewalls that consume router ports and additional management resources. Alternately, the integrated firewall function can be used as a first line of defense in a layered security architecture and can offload bulk stateful filtering from the standalone firewall.

The MS-DPC’s stateful firewall evaluates packets in the context of the specific flows to which they belong and performs IP packet integrity checks, enabling the DPC to identify and isolate malicious payloads slipped into active data streams. It also performs statistical modeling to identify unusual traffic patterns such as denial of service/distributed denial of service (DoS/DDoS), network scanning, or probing. This powerful solution identifies and isolates a wide range of attacks including: DoS attacks (such as SYN flood); network-level attacks such as IP fragmentation or Internet Control Message Protocol (ICMP) “ping of death” attacks; transport layer attacks such as port scans or teardrop attacks. The stateful firewall function also supports ALGs for special handling of unique protocols such as H.323, FTP, Session Initiation Protocol (SIP), and ICMP.

Intrusion prevention system, Deep Packet Inspection via Dynamic Application Awareness

Dynamic Application Awareness uses stateful monitoring to provide comprehensive details of application layer traffic patterns and statistics that service providers can use to support revenue-generating residential and business broadband services. From a services perspective, Junos OS’s Dynamic Application Awareness can identify and enforce premium class services, ensure adherence to service-level agreements, ensure subscriber fairness, and align network resources to application requirements. Planners can also use this information to design new revenue-generating differentiated service offerings. Enterprises can use Dynamic Application Awareness to monitor traffic by application, and to use QoS to adjust application performance to satisfy organizational goals and policies.

The application layer information gathered by Junos OS’s Dynamic Application Awareness also is useful to service providers and enterprises that are seeking to streamline and improve their operations environment. Junos OS’s Dynamic Application Awareness integrated IPS capability can detect and mitigate attacks against the network infrastructure, which increases network security and promotes service uptime. Statistics concerning these events can be exported to reporting tools for use with security planning, bandwidth provisioning, traffic engineering, capacity planning, and forecasting activities.
Increasing Internet Access Security via NAT

In addition to supporting both IPv4 and IPv6, the Juniper Networks Multiservices DPC provides static and dynamic NAT as well as port address translation (PAT). NAT shields private (internal) IP addresses behind a public (global) IP address, thus preventing hackers from hijacking network resources or using them to launch distributed DoS attacks. It also keeps companies from engaging in fruitless searches for blocks of public IP addresses, instead allowing them to maintain internal addresses without sacrificing Internet access. A rich set of ALGs provides appropriate treatment for applications requiring multiple flows such as SIP, DNS, H.323, FTP, and ICMP.

Providers can offer a network-based NAT service, offloading the task of IP address management from the customer. Further, class-of-service (CoS) for the MS-DPC adds a new rule-based service that provides DiffServ Code Point (DSCP) marking and forwarding-class assignment for traffic transiting the MS-DPC. This service enables providers to specify matching by application, application set, source, destination address and match direction, using a similar structure to other rule-based services such as stateful firewall. These service actions enable providers to associate the DSCP alias or value, forwarding-class name, system log activity, or a preconfigured application profile with the matched packet flows.

Network-Based Security Service via VPN-Aware NAT/Firewall

The MS-DPC can invoke a stateful firewall/NAT instance on a per-VPN basis, intelligently classifying packets and then translating IP addresses for traffic bound for the Internet, while leaving them unchanged for packets traveling over a Layer 3 VPN. This allows providers to offer a single access circuit to businesses for both Internet access and L3 2547 VPN services. This function also enables fully secure extranet solutions by providing firewall/NAT functions between two separate Layer 3 VPNs.

Protecting User Data via IPsec Encryption

The MS-DPC implements IPsec encryption using AES, DES, and 3DES. Enterprises can provide IPsec encryption to enhance end-user security. Providers can offer IPsec encryption of access links from the customer premise’s device to the provider edge router, charging a premium for secure access to the network. The packets can then be securely forwarded or mapped into Layer 3 VPNs for transport across the provider network. This application is particularly useful when offering a service to a customer whose access links are provisioned by a third-party provider. Providers can also offer IPsec encryption of unicast or multicast traffic over Layer 3 VPNs for an added layer of security for the most concerned customers. IPsec may also be used to encrypt backhaul traffic by setting up encrypted tunnels across untrusted third-party wholesale networks.

Lawful Intercept Capabilities via Flow-Tap

Flow-Tap provides the ability to intercept IP packets in an active monitoring router and send a copy of the packets that match filter criteria to one or more content destinations. Some applications of Flow-Tap include flexible trend analysis for the detection of new security threats, and lawful intercept. Filter criteria are specified using Dynamic Tasking Control Protocol (DTCP) over SSH. DTCP supports operations to add, delete, and list filters applied for all IPv4 traffic through the router, and operational filters do not add any perceptible delay in the forwarding path. Filters are not persistent, and filters installed by one user are not visible to others. Flow-Tap provides a strong administration model, which includes access control via user classes.

Traffic Profiling via J-Flow Accounting

J-Flow builds a state table of flows, and then collects statistics on each flow and exports standard v5 and v8 flow records. The flow export is compatible with industry-standard flow collectors and applications designed to receive flow export. J-Flow can monitor traffic at the department or application level for customer billing or interdepartmental charge back purposes. It can also provide usage statistics between IP addresses so that providers can plan for capacity and traffic engineering implementations or provide an outsourced traffic planning service to enterprise customers. J-Flow can also assist in tracking security violations by including counts for certain packets that might be executing a DoS or some other form of malicious activity.

Tunnel Services

Tunnel services can be used for a number of revenue-generating services. Supporting GRE and IP-over-IP encapsulation, tunnel services can be used to provide transport for Layer 3 VPNs in non-MPLS networks. Using PIM-SM, tunnel services can support efficient communications between members of sparsely distributed multicast groups. Virtual tunnel interfaces can support Virtual Private LAN Service. Juniper Networks also offers standalone integrated firewall/VPN platforms.
Specifications

For a complete list of supported software features, please consult the Junos OS documentation at

Stateful Firewall
  • Stateful packet filtering
  • Checks for the packets in IP stack
  • Assists in the detection of DoS attacks
  • Firewall for inter-VPN traffic
  • TCP Intercept, flow and session limits

IPS
  • Intrusion prevention system

Peer to Peer Signature Support
  • 100Bao, Aimstar, Applejuice, Ares, BitTorrent, DirectConnect, eDonkey2000, FastTrack, Freenet, GoBoogy, GnucleusLAN, Gnutella, Gnutella2, HotLine, ICQ, IRC, Jabber/XMPP, Joltid PeerEnabler, Kademlia, KuGoo, Kuro, MMS, MSNPv10, MSNPv11, MSNPv12, MSNPv13, Mute, Napster, Oscar (AOL), OpenFT (giFT), Poco, QQ, RTSP, SCTP, Skybe, Soribada, Telsa, TOC (AOL) WinNY, WPNP, Yahoo IM, Peercast, IceShare, Freecast, Soulseel, Xunlei

NAT
  • NAT, Network Address Port Translation (NAPT) and Proxy Address Resolution Protocol (ARP)

Stateful Firewall/NAT ALGs
  • BOOTP, DCE RPC and DCE RPC portmap, Exec, FTP, H.323, ICMP, IIOP, Login, NetBIOS, NetShow, RealAudio, RPC and RPC portmap, RTSP, Shell, SNMP, SQLNet, TFTP, Traceroute, WinFrame and SIP

Attack Detection
  • Anomaly-based attack detection
  • Active and expired flow recording
  • System logging
  • SYN-cookie activation

IPsec Encryption
  • Encryption Algorithms (RFC 2405, RFC 2410)
    - AES (128, 192, and 256 bits)
    - 3DES
    - DES
    - Null
  • Authentication Hash Algorithms (RFC 2403, RFC 2404)
    - Message Digest 5 (MD5)
    - SHA-1
  • Internet Key Exchange (IKE) Modes
  • Main/Aggressive mode supported for IKE security association (SA) setup
  • Quick Mode supported for IPsec SA setup
  • Digital Certificates (X.509) VeriSign
  • Entrust

IPsec Features
  • Dynamic endpoints
  • Fully qualified domain name (FQDN)
  • IPv6 for IPsec (RFC 2460)

Monitoring and J-Flow Accounting
  • cflowd v5, v8 and v9 format

Tunneling Services
  • GRE, IP-IP, PIM-SM, PIM-SIM-DM, virtual tunnel interfaces (VTs), multicast tunnel interfaces (MTs)

Certifications and Approvals

Safety
  • CAN/CSA-C22.2 No. 60950-00/UL 60950 (Third Edition)
  • Safety of Information Technology Equipment
  • EN 60950, Safety of Information Technology Equipment

Certification
  • FIPS 140-2 Level 1 certification
  • Stateful Firewall - ICSA certified

Electromagnetic
  • EMC AS / NZS 3548 Class A (Australia/New Zealand)
  • BSMI Class A (Taiwan)
  • EN 55022 Class A Emissions (Europe)
  • FCC Part 15 Class A (USA)
  • VCCI Class A (Japan)
  • Immunity EN-61000-3-2 Power Line Harmonics
  • EN-61000-4-2 ESD
  • EN-61000-4-3 Radiated Immunity
  • EN-61000-4-4 EFT
  • EN-61000-4-5 Surge
  • EN-61000-4-6 Low Frequency Common Immunity
  • EN-61000-4-11 Voltage Dips and Sags

NEBS
  • Designed to meet these standards:
    - GR-63-CORE; NEBS, Physical Protection
    - GR-1089-CORE; EMC and Electrical Safety for Network Telecommunications Equipment
    - SR-3580 NEBS Criteria Levels (Level 3 Compliance)

ETSI
  • ETS-300386-2 Telecommunications Network Equipment
  • Electromagnetic Compatibility Requirements
Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services and support, which are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to bring revenue-generating capabilities online faster so you can realize bigger productivity gains and faster rollouts of new business models and ventures. At the same time, Juniper Networks ensures operational excellence by optimizing your network to maintain required levels of performance, reliability, and availability. For more details, please visit products-services/.

Ordering Information

PART NUMBER                          DESCRIPTION
MS-DPC                               Multiservices DPC for MX Series (MX960, MX480, MX240)
S-ATO                                Application awareness identification – P2P license for M Series and MX Series
S-IDP                                IPS license for M Series and MX Series
S-NAT-FW-MULTI                       NAT/firewall - multi instance
S-NAT-FW-SINGLE                      NAT/firewall - single instance
S-ACCT                               J-Flow accounting
S-ES                                 IPsec
S-TUNNEL                             Tunnel
SFP-1GE-T                            Small form-factor pluggable 1000BASE-T Gigabit Ethernet Optic Module (Copper)
S-LSSL-4, S-LSSL-64, S-LSSL-255      Multilink
S-Service-SFO                        Stateful failover
S-ACCT-5M                            J-Flow Monitoring chassis-based license
S-ES-2K, S-ES-4K, S-ES-6K            IPsec chassis-based license in 2K increments
S-SFW-NAT-2, S-SFW-NAT-5,            Stateful Firewall/Network Address Translation chassis-based licenses
S-SFW-NAT-7, S-SFW-NAT-10,
S-SFW-NAT-12, S-SFW-NAT-15,
S-SFW-NAT-17, S-SFW-NAT-20

About Juniper Networks

Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at
Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
EMEA Sales: 00800.4586.4737
Fax: 35.31.8903.601

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or authorized reseller.

Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

1000258-003-EN Jan 2010 Printed on recycled paper