
IP VPN Service Offering

High-Speed IP Connection

26/11/07
Philippe Assimon
passimon@juniper.net

Copyright 2007 Juniper Networks, Inc.

Proprietary and Confidential

www.juniper.net

Service Definition: Phase 1

- Objective: interconnect the LANs of the customer enterprise
- How:
  - A high-speed IP connection is sold for each site of the enterprise
  - Delivery interface: Ethernet
  - The customer's IP addressing plan is preserved
  - Interconnection topology: star (hub-and-spoke) or mesh
  - Bandwidth depending on the access type: from 64 Kbps to 1 Gbps
- Service contract: it covers the high-speed IP connections, with a commitment level still to be defined

Service Definition: Phase 1 (continued)

- Bronze commitment level:
  - GTR (Garantie de Temps de Rétablissement): guaranteed restoration time
  - IGS (Indisponibilité Globale du Service): global service unavailability, i.e. the sum of the unavailability periods observed across all sites
  - No QoS: best effort
- Silver commitment level:
  - Bronze commitment level +
  - QoS: 2 classes of service: 1 for data + 1 for best effort
- Gold commitment level:
  - Silver +
  - 1 class of service for voice

Service Specifications

[Diagram: one customer site with its CE router on the customer side, connected over a remote WAN access (leased line (LS), ADSL, SDSL or Ethernet) to a PE router on the AT side of the MPLS backbone]

- 1 customer site = 1 router + 1 access + 1 port (or a fraction of a PE port) + 1 VRF, unique per customer
- AT side: 1 VPN is a group of customer sites in star or mesh topology
- FAS + monthly fee = (Capex + monthly Opex) + margin


Service Specifications

All sites of the same enterprise see each other.

[Diagram, shown on two consecutive slides: customer sites 10.1, 10.2, 10.3, 10.4 and 10.5 attached to the MPLS backbone, each one reaching every other site]

Special Case: Redundancy

- Taken into account when computing the IMS

[Diagram: a site with two CE routers running VRRP; one variant with a main link and a backup link, another with load balancing across a main link and a secondary link]

Service Specifications: Phase 2

- SLA for QoS:
  - Bronze: Round Trip Time of 100 ms
  - Silver: Round Trip Time of 70 ms / packet loss rate of 5% for class C1
  - Gold: Round Trip Time of 50 ms / jitter: 10 ms / packet loss rate = 0 for the voice class
- Requires a measurement infrastructure: an RPM agent + a performance measurement tool such as Concord's E-Health
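As an added example (not part of the original deck), the following Python module turns the Bronze, Silver and Gold commitments stated on this slide and on the Phase 1 slides into a check that an operator could run over RPM-style probe results and an outage log. The thresholds are the ones the slides give; the probe records, the outage records, the class names "C1" and "voice", the 4-hour GTR value and the jitter estimator (mean absolute difference between consecutive RTTs) are constructed assumptions for this example.

```python
"""SLA checker for the IP VPN commitment levels described in the deck.

Added example, not code from the original slides. Thresholds are the ones the
slides state; the probe and outage records below are constructed sample data,
and the class names ("C1", "voice"), the 4-hour GTR and the jitter estimator
are assumptions made for this example.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Per-tier targets from the Phase 2 SLA slide: RTT in ms, loss as a fraction,
# jitter in ms. None means the tier makes no commitment on that metric.
SLA_TIERS: Dict[str, Dict[str, Optional[float]]] = {
    "bronze": {"rtt_ms": 100.0, "loss": None, "jitter_ms": None},
    "silver": {"rtt_ms": 70.0, "loss": 0.05, "jitter_ms": None},  # loss applies to class C1
    "gold": {"rtt_ms": 50.0, "loss": 0.0, "jitter_ms": 10.0},     # loss/jitter apply to the voice class
}


@dataclass
class Probe:
    """One RPM-style round-trip probe for a site and class of service."""
    site: str
    cos: str                 # "C1" (data) or "voice"; the naming is an assumption
    rtt_ms: Optional[float]  # None means the probe packet was lost


@dataclass
class Outage:
    """One unavailability period for a site, in hours."""
    site: str
    hours: float


def summarize(probes: List[Probe]) -> Dict[str, float]:
    """Aggregate the probes of one site/class into mean RTT, loss and jitter."""
    if not probes:
        raise ValueError("no probes to summarize")
    answered = [p.rtt_ms for p in probes if p.rtt_ms is not None]
    loss = 1.0 - len(answered) / len(probes)
    rtt = mean(answered) if answered else float("inf")
    # Jitter is estimated as the mean absolute difference between consecutive
    # answered RTTs (assumption for this example; an RPM agent may report differently).
    jitter = (mean(abs(b - a) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return {"rtt_ms": rtt, "loss": loss, "jitter_ms": jitter}


def check_tier(tier: str, summary: Dict[str, float]) -> List[str]:
    """Return one message per commitment of `tier` that the summary breaks."""
    violations = []
    for metric, limit in SLA_TIERS[tier].items():
        if limit is not None and summary[metric] > limit:
            violations.append(
                f"{metric}: measured {summary[metric]:.2f} > target {limit:.2f}")
    return violations


def igs_hours(outages: List[Outage]) -> float:
    """IGS as the Bronze slide defines it: the sum of unavailability across all sites."""
    return sum(o.hours for o in outages)


def gtr_breaches(outages: List[Outage], gtr_hours: float) -> List[str]:
    """Sites whose outage lasted longer than the guaranteed restoration time (GTR)."""
    return [o.site for o in outages if o.hours > gtr_hours]


# Constructed sample data: a Gold voice site and a Silver data site with one lost probe.
SAMPLE_VOICE_PROBES = [Probe("site-A", "voice", r) for r in (40.0, 46.0, 43.0, 41.0)]
SAMPLE_C1_PROBES = [Probe("site-B", "C1", r) for r in (60.0, 72.0, None, 65.0)]
SAMPLE_OUTAGES = [Outage("site-A", 2.0), Outage("site-B", 5.5), Outage("site-C", 1.0)]
GTR_HOURS = 4.0  # assumed value; the deck leaves the commitment level "to be defined"


if __name__ == "__main__":
    for tier, probes in (("gold", SAMPLE_VOICE_PROBES), ("silver", SAMPLE_C1_PROBES)):
        s = summarize(probes)
        print(tier, probes[0].site, s, check_tier(tier, s) or "OK")
    print("IGS (hours):", igs_hours(SAMPLE_OUTAGES))
    print("GTR breaches:", gtr_breaches(SAMPLE_OUTAGES, GTR_HOURS))
```

Two points the slide leaves implicit show up when this runs: the Gold loss target of 0 means a single lost voice probe is already a breach, so the probe interval and window you agree on with the customer decide how strict that commitment really is; and because IGS is a sum over all sites, a customer with many sites accumulates unavailability faster than any single site's GTR would suggest.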


Service Specifications: Phase 2

- Data encryption via IPsec
- Why encrypt the data?
  - For banks / insurers: compliance with S/O and Basel II
  - For the army, the police, the gendarmerie
  - For research laboratories
  - For enterprises exchanging data with banks
  - For e-government: tax returns, permit applications, etc.
- Requires a CPE with hardware encryption capability: J-Series / SSG

Service Specifications: Phase 3

- Shared Internet access (@)

[Diagram: customer sites 10.1 to 10.5 on the MPLS backbone sharing a single Internet (@) access]

Service Specifications: Phase 3

- Shared Internet access makes it possible to offer a complete service and opens the way to other services:
  - Secure Internet gateway
  - Mail relay
  - Antivirus, anti-spam services, etc.
  - Dedicated firewall deployed as CPE
- Requires a dedicated VRF for Internet (@) breakout, with an address translation (NAT) pool at the PE egress
- Etc.

Example of a Shared Internet (@) Gateway

- VLAN-to-VRF mapping with one virtual firewall per customer

[Diagram: an Ethernet trunk carrying the customers' VLANs into a shared DMZ]

Characteristics of the MPLS Backbone

- Rolling out services, and then additional services, for customers is simple
- Choosing Juniper gives automated customer provisioning through:
  - The scripts that are an integral part of JUNOS
  - The SDX activation platform, which automates provisioning
  - The complete CPE range, which allows a wide variety of high-speed connection and/or security offers

Characteristics of the MPLS Backbone

- Pooled investments:
  - Provisioning tool
  - Deployment tool
  - Operations tools
  - Hardware infrastructure: backbone links, chassis, infrastructure
  - Shared Internet (@) gateway: firewall, mail relay, AAA server, etc.
- Growth in skills
  - Pooled teams


Case Study: National Customer

- National customer:
  - 1000 offices
  - 44 Wilaya nodes
  - 8 regional nodes including the computing centers
  - An existing installed base
- Expected services:
  - Network interconnection
  - Security: UTM
  - Voice over IP


Planned and Existing Architecture

[Diagram: hierarchical architecture built on leased lines (LS), with the Wilaya sites acting as intermediate concentration points toward the central sites; levels shown: central site (with Internet (@) access), Wilaya, office]


Possible Architecture: Star or Mesh

[Diagram: offices, Wilaya sites and the central site all attached directly to the MPLS backbone; Yellow VRF: private IP; Blue VRF: Internet (@) access]

Case Study: National Customer

- Services provided:
  - Network interconnection
  - Gold profile: QoS for VoIP + GTR commitment
  - Specific offer: backup by duplicating the routers at the Central Sites (the redundancy case: main link, VRRP, backup link)
  - Shared Internet (@) access
- Security (see the following slides)


Case Study: National Customer

- Security component:
  - Firewall-type CPE with UTM capability
  - Management of anti-spam, antivirus, Deep Inspection
  - Intrusion prevention, web filtering, anti-phishing
- Deployment of a management solution for the UTM CPEs of 1000 sites by Algérie Telecom


Advantages of an MPLS Solution

- No unnecessary traffic hairpinning through the concentrator sites
- Shared Internet (@) access
- Topological flexibility: star/mesh, or a partial mesh between the two topologies
- CPEs cheaper than those needed to concentrate leased lines
- Solution managed by the operator
- Independent of the media type


Advantages of an MPLS Solution

- Security provided by composite platforms:
  - The best of routing
  - The best of UTM
- SSG or J Series range from JUNIPER
- Ability to push security policies via NSM onto a large number of devices
- Router solution with a migration path toward firewall


Products


Juniper Enterprise Portfolio

- M-series Routers: head office, backbone, and data centers: M7i, M10i, M320
- J-series Routers: remote, branch, and regional offices: J2320, J2350, J4350, J6350
- Firewalls & Secure Services Gateways: advanced security for remote, branch, and regional offices: SSG 5, SSG 20, SSG 140, SSG 300, SSG 500
- WAN Acceleration: increased application performance in the network: WX and WXC Family

J Series Product Family Overview

- Extensive Connectivity
- Unmatched Performance with Services
  - Unmatched performance with services enabled
  - Four on-board Gigabit Ethernet ports
  - Expandable WAN and LAN interfaces via modules
- Best Price to Performance
  - Up to 30% lower price than similar products and more than 2x faster

[Models pictured: J2320, J2350, J4350, J6350]

J2320 Components

- 1 RU high, full rack width, 15" depth
- Three modular PIM slots
- 4-port 10/100/1000 Ethernet
- Internal and external compact flash
- Encryption card: optional on the base model, included in the high-memory model
- Avaya IP Telephony support

[Chassis callouts: PIM slots, power switch, console, aux, 2 x USB, 4 x 10/100/1000 Ethernet]

J2350 Components

- 1.5 RU high, full rack width, 15" depth
- Five modular PIM slots
- 4-port 10/100/1000 Ethernet
- NEBS and DC power options
- Encryption card: optional on the base model, included in the high-memory model
- Avaya IP Telephony support

[Chassis callouts: 5 PIM slots, power switch, console, aux, 2 x USB, 4 x 10/100/1000 Ethernet]

J4350 Components

- 4 PIM slots and 2 EPIM/PIM slots (4 slots for PIMs only, 2 slots for EPIMs or PIMs)
- 4 fixed GE LAN ports
- Supports Avaya media gateway
- DC version available
- 1 GB or 256 MB DRAM default, max 2 GB (DRAM under the cover)
- 256 MB compact flash default, max 1 GB
- Hardware encryption acceleration (optional)
- NEBS compliant models available
- AC or DC power supply

[Chassis callouts: power button, power switch, 2x USB, console, aux, 4x 10/100/1000]

J6350 Components

- 2 PIM slots and 4 EPIM/PIM slots (2 slots for PIMs only, 4 slots for EPIMs or PIMs)
- 4 fixed GE LAN ports
- Supports Avaya media gateway
- DC version available
- 1 GB DRAM default, max 2 GB (DRAM under the cover)
- 256 MB compact flash default, max 1 GB
- Hardware encryption acceleration standard
- NEBS compliant models available
- Redundant AC or DC power supplies

[Chassis callouts: power button, 2x USB, console, aux, 4x 10/100/1000]

SSG & J-Series Portfolio

[Diagram: common hardware platforms running JUNOS and ScreenOS, positioned by market segment: micro branch / small office / managed service; small branch / SME; branch/regional / medium enterprise; medium enterprise to large HQ. Additional M-series and T-series not shown.]

Secure Service Gateway Family

- SSG 5: six fixed form factor models: 160 Mbps FW / 40 Mbps VPN
- SSG 20: 2 modular models: 160 Mbps FW / 40 Mbps VPN
- SSG 140: 350+ Mbps FW / 100 Mbps VPN
- SSG 320M: 450+ Mbps FW / 175 Mbps VPN
- SSG 350M: 550+ Mbps FW / 225 Mbps VPN
- SSG 520M: 650+ Mbps FW / 300 Mbps VPN
- SSG 550M: 1+ Gbps FW / 500 Mbps VPN

ScreenOS: Proven Enterprise Class Security

[Diagram: the ScreenOS feature stack on the SSG purpose-built hardware platform (Mgmt/Modem, LAN & WAN I/O): UTM features / content security (Anti-virus/Anti-spyware, Web filtering, Anti-spam, IPS (Deep Inspection)); network security features (FW, IPSec VPN, DoS/DDoS, user auth.); networking (security zones, dynamic routing, deployment modes, WAN encapsulations)]

- Integrated Unified Threat Management (UTM) security features
  - IPS (Deep Inspection), Antivirus (includes Anti-Spyware, Anti-Phishing), Anti-Spam, Web filtering
- Network security features / access control
  - Stateful firewall, IPSec VPN, NAT, DoS protection, user authentication, Auto-Connect VPN
- Rich networking and virtualization capabilities
  - Segmentation (Zones, VLANs) to divide the network into secure segments
  - Combines ScreenOS deployment modes, dynamic routing and high availability with select JUNOS WAN encapsulations

Unified Threat Management (UTM) Features

Stop Common and Emerging Threats

[Table on the slide, with one column for Inbound Threats and one for Outbound Threats]

- IPS: Juniper IDP detects/stops Worms, Trojans, DoS (L4 & L7), Recon, Scans; in the other column, Juniper IDP detects/stops Worms, Trojans
- Web Filtering: SurfControl blocks Spyware / Phishing / Unapproved Site Access
- AV: Kaspersky Lab AV stops Viruses, file-based Trojans, Spyware, Adware, Keyloggers; in the other column, Kaspersky Lab AV stops Viruses, file-based Trojans or the spread of Spyware, Adware, Keyloggers
- Anti-Spam: Symantec stops Spam / Phishing
- Core Security: Juniper Stateful Firewall, VPN, Access Control (both columns)

THANK YOU
