
Juniper solutions for financial market


Ha Huy Hao
Country manager, Vietnam
hhhao@juniper.net
0903710317

Copyright © 2003 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1


Agenda

1. Financial Services Networks Requirements


2. Meeting the Needs with Juniper Solutions
3. Some Case Studies
4. Summary



What are the top IT solutions that Asian financial
organizations want?
Top 4 criteria

Gartner Dec 2005



Some observations on the Financial industry
 Paradigm shift happening in Banks & finance houses requiring new
and additional investment
• Tighter regulations for funds transfers, account set-up and banking
transactions
• Legislation, Regulation and Standards of banking processes (Basel II, SOX…)
• Digitization of paperwork within bank branches
• ATM (cash machine) networks proliferation & evolution
• Focus on dollars earned per customer via cross-selling & multi-channel
delivery
• Connect branches with efficient, cost-effective yet secure connectivity

ALL of the above require new systems:

To secure your systems
To assure that your applications run more efficiently



Financial Services Network Architecture
Most financial services organizations adopt similar network
architectures, implementing distinct network and security
silos
 Enterprise Internal Network
• Where most employee computers reside
 Secure Servers Area (SSA)
• Where the most critical databases and servers reside
 Access Network
• Where remote employees, partners & customers access services
 Internet Access Subnet
• Where internal resources securely access the public Internet
 Market Data Feeds
• Where external news, info and trade info enters the org.



Financial Services Network Architecture
• Within each silo, there are typically independent security and routing
functions as well as full redundancy
• Each silo is duplicated for each of the geographies in which the firm
operates, or at each major data center
• Enables the financial services enterprise to divide and conquer the
massive challenges of securing data and maintaining high availability

(Diagram: the five silos, Internet Access Subnet, Market Data Feeds, Access Network, Enterprise Internal Network and Secure Server Area, with external connections to ATM machines, Exchanges & Sources, and Customers & Partners.)



Juniper Networks Product Portfolio

• J-Series Edge Routers
• Secure Access SSL VPN
• Intrusion Prevention
• Integrated Firewall / IPSec VPN
• Applications Acceleration

• Policy & Service Control: NMC-RX, JUNOScope
• BRAS & Circuit Aggregation: E-series
• Small/Med Core, Circuit Aggregation: M-series
• Large Core, Metro Aggr’n: T-series
• Session Border Gateway: VF-series



Agenda

1. Financial Services Networks Requirements


2. Meeting the Needs with Juniper Solutions
3. Some Case Studies
4. Summary



To secure & assure financial networks
really means:

1. Containment – prevent proliferation of attacks
2. Compartmentalization – prevent unauthorized access to systems
3. Continuity – ensure seamless operation even under attack or equipment failure
4. Recovery – enable rapid recovery from attack or malicious insider activity
5. Performance – network performance should not be reduced by security measures



Enterprise Internal Network
Segmentation
• VLAN
• MPLS VPN
• VPLS

(Diagram: the Enterprise Internal Network divided into departmental segments labelled Retail Banking, Human Resources, Equity Traders and Mortgage Brokers, with a malicious user marked in the legend; the network connects to the Internet Access Subnet and the Secure Server Area.)



Purpose-Built security appliance
 Foundation for rock solid security solution
• Purpose-built appliance with security specific processing
• Controlled by security specific, real-time operating system
• Includes a set of robust security applications
• Networking roots to facilitate integration

Advantages
 Eliminates OS hardening
 Facilitates network integration
 Ensures application interoperability
 Simplifies management
 Matches or exceeds performance requirements

(Diagram: three layers of the appliance.)
• Integrated Security Applications: VPN, IDP, Firewall, Denial of Service, Traffic management
• Security-Specific, Real-Time OS: Dynamic Routing, High Availability, Virtualization, Centralized Management
• Purpose-Built Hardware Platform: RISC CPU, RAM, security-specific ASIC processing, Interfaces



MPLS VPN Securely “Compartmentalize” Network Infrastructure
• MPLS VPN transparently segment network infrastructure into virtual networks
• Redundant MPLS Paths (LSPs) for Fast Re-route – Improve Network Resiliency
• Converged network with Classes-of-Service supporting many different applications

(Diagram: backbone routers and branch routers joined by physical connections, carrying MPLS VPN A and MPLS VPN B.)



Juniper’s Enterprise Routers
Service Provider Equipment Quality for the Enterprise

M-series Routers
• Head office, backbone, data center
• Leveraging modular JUNOS and purpose built ASICs
• Models: M7i, M10i

J-series Routers
• Remote, branch, and regional office
• Leveraging modular JUNOS and high performance standard processors
• Models: J2300, J4300, J6300

Full support of advanced networking features including MPLS, IPv6, QoS, etc on J-series as well as M/T series.



Next Generation Router Design for Mission Critical Applications

1990’s Router Architecture: Monolithic Design
 Shared processing cycles
 Shared memory address space for all processes
 Performance & service trade-off
 Unpredictable QoS performance
… jeopardizes security, uptime, performance, services support

Router Architecture for NG Network Infrastructure
 Secure & Reliable
 Realize predictable QoS
 Support full MPLS features
 Service without performance compromise
… enables high security, uptime, performance, services

(Diagram labels: Control, Forward and Services for the 1990’s router; Control Engine (Interface Mgmt, Chassis Mgmt, Protocols, SNMP, Services), Forwarding Engine and Services Engine for the next-generation router.)



Juniper Routers Benefits

strong Security
 Guaranteed resources per function
 Clean separation of functions
 Full router control while under attack

high Uptime
 Modular design, processes each run on protected memory
 Clean interface between processes
 Minor problems do not lead to system crashes
 Next Gen CLI prevents operator error

predictable Performance
 Predictable performance even under load
 Comprehensive QOS functions to classify, prioritize and schedule traffic
(Chart: % of Line Rate against Complexity of Packet Processing, Juniper compared with a Traditional Router as new service features are added.)

reduced Operations cost
 One software train facilitates easy maintenance and s/w stability
 Structured quarterly release process
 Features shared across all platforms
(Graphic: releases 6.4, 7.0, 7.1. One Train!)

(Diagram labels: Control Engine (Interface Mgmt, Chassis Mgmt, Protocols, SNMP, Services), Forwarding Engine, Services Engine.)



Secure Server Area
(Diagram: the Secure Server Area connected to the Market Data Feeds, Access Network and Enterprise Internal Network silos, with a link to a remote backup site.)



Secure Server Area Requirement
 Houses firm’s most critical systems and data
 Challenging requirements:
• High Throughput & Support Large # Connections
– Since so many users are accessing the SSA at any point in time
• Low Latency & Predictable QoS
– Routers, firewalls, IPS, web servers, app servers may affect overall end-
user performance experience
• High Availability
– Since so much critical info is centrally located in the SSA, just a few
moments of downtime could result in significant loss
• High Security up to Application Layer
– Systems contained in the SSA must be the most secure and most resilient to attack
since so many operations rely on these systems



Integrated Security Gateway (ISG) 2000
ideal platform for securing SSA
Best-of-Breed Security in a Single Platform

 Predictable Performance
Next-Generation Security ASIC (GigaScreen³)
• 2 Gbps Stateful Firewall - any packet size
• 1 Gbps 3DES & AES IPSec VPN - any packet size
• 1 Gbps+ IDP
 Integration
• Security applications – FW + Deep Inspection + VPN + IDP
 Scalability
• New flexible architecture designed to accommodate future performance,
capacity and functionality needs
• Up to 28 ports, up to 500 VLANs
 Attack Protection
• Network attack protection, including DoS attacks
• Deep Inspection to protect against attacks in Internet-facing protocols
• Modular IDP blade



Juniper DX Application Front End
 Unique Benefits
• Accelerate user downloads up to 70%
• Increase Web/App server capacity up to 10X
• Decrease bandwidth usage up to 70%

 Accelerates Applications
• Siebel, SAP, Lotus, Oracle, etc.
• Custom web applications and Portals
• SLB replacement for legacy apps, mail, DNS,
etc.

 Deployment
• Replace or complement existing SLB
(customer does not have to throw it away)
• No server or application changes
• No changes to client or applications



Access Network
Connects with Customers, Partners and Branches
• Dual Homed Internet Connection
• Dedicated Links to Customers, Partners and Branches
• ATM machines
• Aggregation of WiFi Access Points within Premises

(Diagram: the Access Network sits between these external connections and the Enterprise Internal Network and Secure Server Area.)



Next generation ATM machines & networks
 ATM machines are proliferating in APAC
 Transformation of ATM machines and networks is happening
• Terminals: From dumb ATM terminals to multi-media Windows-based ATM terminals
• Networks: From slow and expensive leased line/X.25/FR to more cost-effective high-speed broadband
• Protocols: From SNA to IP (VPN or managed IP)
• Applications: From just cash dispenser to value-added services (e.g. VoIP/videoconference with bank agent,
digitization of cheque deposit…)
 Juniper solutions: 5GT at every ATM machine; NS FW/VPN appliance at hub site for high-performance
FW/VPN aggregation

(Diagram: Windows-based ATMs at branches connect to the hub site using IP over IPsec VPN over broadband (BB).)



IPSec VPN and SSL VPN – Juniper provides market-leading solutions for both

IPSec VPN
• Application Type: Remote, Branch Office
• Type of Connection: Fixed
• VPN Type: IPSec VPN
• Access Requirement: Network Access
• Control Requirement: IP to IP control
• Remote Network Security: Managed, Trusted

SSL VPN
• Application Type: Mobile User, Telecommuter, Partner Extranet
• Type of Connection: Mobile or Fixed
• VPN Type: SSL VPN
• Access Requirement: Per Application Access
• Control Requirement: User to Application control
• Remote Network Security: UnManaged, UnTrusted

(Diagram: Mobile Users, Remote Office, Branch Office, Business Partners and Fixed telecommuters connecting to HQ resources labelled Sales, HR and Finance.)
Extranet Deployment – connecting your partners (e.g. broker firms, agencies…)

Traditional Extranet
Extensive Deployment Requirements:
 Duplication & Migration of Servers into DMZ
 Harden OS/Server Farms & Ongoing Patch Maintenance
 Maintenance of public facing infrastructure
 AAA limitation to only those integrated resources
 Custom API development for non-Web content

SSL VPN-Based Extranet
Fast and Secure Deployment:
 Keep all Servers where they are
 Secure Gateway is hardened, intermediates all requests
 Multiple Hostnames & Customizable UI
 Rich AAA control of network resources
 Dynamic Authentication Policies
 Expressive Role Definition & Mapping Rules
 Web Single Sign-On & Password Mgmt Integration
 Support Web, File and Client/Server content applications



Market Data Feeds
(Diagram: the Market Data Feeds silo in front of the Secure Server Area. Labels: Tunnels to News Feeds, Dedicated Links, Markets and Feeds, Intrusion Detection, ESP.)



Market Data Feeds Requirement
 Unique to the financial services industry is the need for a Market
Data Feeds network
 Need to securely aggregate streaming data feeds which
carry latency-sensitive real-time market data from a
multitude of sources
• Streaming, real-time ticker data streams, business-wire news, other
perishable data
• Require low latency and linear throughput; large portion of data could
arrive in small packets
• May employ anti-spoofing and DDoS prevention via M/J series and NS
FW/VPN
• IDP in detection mode may be needed to detect protocol anomalies



Agenda

1. Who is Juniper Networks?


2. Financial Services Networks Requirements
3. Meeting the Needs with Juniper Solutions
4. Some Case Studies
5. Summary



Security (Firewall + IDP) deployment in stock exchange

Since 1975, the Stock Exchange of Thailand (SET) has been the
investment center of Thailand’s capital markets. It handles an avg
daily turnover of $490M, and provides a comprehensive range of
products, services & trading infrastructure to

Challenges
The SET launched a new corporate bond exchange service in 03 and has plans
to introduce a new derivatives market in 05. The growth is driving the
need to protect its network from ever-increasing hackers, viruses and
other potential threats.

Solution
Juniper Networks’ ASIC based, deep inspection firewalls and IDP systems
to protect its server array and other mission-critical assets – defending
against hacking threats, while continuously monitoring the network for
viruses and other anomalies.

Benefits
• Fully-Integrated end-to-end protection
• High-strength, synergistic protection measures
• High reliability and performance
• Extensive functionality
• Best value for money



Global Firewall/VPN Deployment
SWIFT

SWIFT has deployed 12,000+ Juniper NetScreen appliances. In the coming
years, SWIFT is planning to deploy more – which is expected to represent
one of the world’s largest VPN deployments.

Problem
 Lack of security on its new global IP data network
infrastructure and IP-based messaging platform

Solution
 NetScreen-5200 (12)
 NetScreen-5XP and 5GT (12,000) deployed in remote sites
 NSM to secure its new global IP data network and
IP-based messaging platform, SWIFTNet

Results
 Deployment has been running successfully at
100% capacity since June 2003
 Reliable security and flexible networking functionality
 Uniform GUI across the product line, simple
deployment for SWIFT and its members, saving
operational cost for both parties

Customer Reference: http://www.juniper.net/company/presscenter/pr/2004/nspr_200404056_546.html



Next generation of Automated Teller Machine (ATM) network deployment
Major Bank in Taiwan

Requirements
 Changing their leased-line network to Broadband to lower cost
 ATM network has to be totally separated from the branch office network

Solution
 2x NS500 in HQ dedicated to handle ATM IPSec VPN
 120x 5GT distributed to 120 ATM sites for IPSec VPN connection

Results
 Lower cost of managing the bank’s ATMs
 Improved its transaction capacity at its 120 branch ATMs
 Assured mission critical networks by using HA

(Diagram: central hub site in Active/Passive HA, connected by IP over IPsec VPN over BB to … 150 branch ATMs.)



Firewall/VPN Deployment in Australia
St. George Bank

Challenge
 Maintaining 18 software-based firewalls is expensive
 Protect digital assets while providing services to
customers connected via the internet

Solution
 NetScreen-5200 (4)

Results
 Reduced total cost of ownership
 Increased network performance
 Reduced equipment footprint
 Reduced complexity in reducing 18 machines to 4
makes for much easier and flexible ongoing
administration and scalability

"By consolidating our security infrastructure with Juniper
Networks NetScreen products, we enjoyed immediate
savings in maintenance costs and equipment footprint,"
Michael McCutcheon
Senior manager
Infrastructure and Architecture Planning
St. George Bank

Press Release: http://www.juniper.net/company/presscenter/pr/2004/pr-040722.html



SSL VPN Remote Access Deployment
- a global bank with HQ in Europe

Challenge
 This bank needed a way to keep their employees connected WW
 Solutions must require no network changes

Solution
 Secure Access series
 Stringent security penetration tests were done
to ensure appliance has strong security

Results
 A cost-effective, highly scalable remote access solution
 Keep employees connected at all times, from all
locations, which is crucial in banking industry

“Juniper IVE makes it easy to grant secure access to
employees around the world in a way that makes fiscal
sense, while building upon our existing infrastructure and
adding another layer of protection for our clients’
financial information.”
Director of Remote/Mobile Computing



SSL VPN Extranet Deployment

Challenge
 Securely share information with partners to
increase operational efficiency

Solution
 Secure Access series

Results
 Bank partners can easily log on to the partner
extranet from anywhere they have an Internet
Connection
 Receive Access to only the files, applications, and
information that it deems appropriate so that
confidential info cannot be infiltrated
 “We see value in extending the IVE deployment
to internal users for numerous other
applications”

“With Juniper, we have a cost-effective, scalable partner
extranet solution to give third parties access to important
information and applications at all times from any location.”
– David LaBianca
Vice President,
Information Security & Privacy



Router/MPLS Deployment
 OMHEX – Largest Securities market in Northern Europe
 Hosts, operates and maintains 1,000s of servers
responsible for 38,000 trading hours
 Major operation centers in London, New York,
Sydney, and Stockholm

Requirements
 Highly reliable network backbone
 Migrate from ATM to IP/MPLS
 Predictable QoS performance
 Support high performance and reliable multicast applications

Solution
 Deploy M-series routers, migrate backbone network to IP/MPLS
 MPLS Fast Reroute – multicast applications
no longer affected by link errors
 Maps multicast trading info to CCC tunnels and provide QoS
 JUNOS operating system and rich reliability features
provides high network availability

(Diagram: MPLS network linking Stockholm, Helsinki, London and Sydney. Full mesh tunnels for 9 data centers and 6 hub sites in 9 countries.)



Agenda

1. Who is Juniper Networks?


2. Financial Services Networks Requirements
3. Meeting the Needs with Juniper Solutions
4. Some Case Studies
5. Summary



Summary

• The financial vertical is going thru a lot of changes:
  • to comply with new regulations
  • to provide more services per customers to increase revenue
  • To drive more app. efficiency

• “Status Quo” solutions are not enough to satisfy the need of FSI today

• Juniper’s value propositions match well with what the finance customers want

Secure & Assure Your finance networks

