Manuals / Juniper Networks / Computer Equipment / Network Router

Juniper Networks V10000 warranty Introduction, Scope, Design Considerations, Internet, User Lan

Models: V10000

1 12
Download 12 pages 47.26 Kb
Page 3
Image 3
Introduction

IMPLEMENTATION GUIDE - Juniper Networks SRX Series Services Gateways/Websense V10000

Introduction

A powerful new paradigm of Internet-enabled relationships is transforming businesses across the globe. Companies that embrace “Web 2.0” technologies empower effective and lasting connections with employees, customers,

and partners. These are powerful tools that can create and sustain competitive advantage—but the underlying technologies can also expose the business to complex and dynamic new risks. Juniper Networks® SRX Series Services Gateways, combined with Websense’s V10000 Web Security Gateways, help companies enjoy the benefits of Web 2.0 solutions while mitigating the associated security challenges with power, speed, and flexibility.

Scope

This document is targeted at system engineers, network administrators, and other technical audiences interested in designing and implementing Juniper Networks SRX Series Services Gateways with Websense TRITON V10000 Web Security Gateway appliances.

Design Considerations

Figure 1 illustrates a common network design solution using the SRX Series and V10000 appliances. The SRX Series is responsible for redirecting specific traffic from the User LAN --for example, HTTP/HTTPS --to the V10000 appliances. The network administrator configures the TRITON V10000 appliances to provide multi-vector inbound and outbound real-time content inspection to protect against malware and sensitive data loss. The policy-based user interface increases user productivity by basing privileges on user or group identity in your corporate user directory. The V10000 proxies user traffic to the Internet. When the user traffic is unauthorized based on protocol or dynamic website policy, the user’s browser is redirected to the “Block Page” served by the V10000.

The enterprise network includes the SRX Series and the Websense TRITON V10000 appliances in the “management” segment of the network, and the enterprise users are identified in the “User LAN” segment of the network. This deployment architecture leverages the flexibility of the SRX Series to securely separate the user traffic from the network administration of the SRX Series and the Websense security appliances.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

For the one V10000 appliance solution, three physical

 

INTERNET

 

 

 

 

 

ports are utilized: “C”, “P1,” and “N.” The “C” port of the

 

 

 

 

 

 

appliance is the management port through which the

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

administrator manages the appliance. The “C” port is also

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

the destination for the “Block Page” redirection. The “P1”

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

port is the proxy port of the V10000 that provides the

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Websense

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

real-time malware and dynamic website classification. The

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

V10000

SRX Series connects the V10000 to both the user LAN and

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

SRX

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

the Internet. The “N” port is used to provide application

 

 

 

 

 

 

 

 

 

Series

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

and Web protocol-specific blocking and bandwidth

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

V10000

 

 

 

 

 

 

 

L2 Switch

 

 

 

 

throttling. Over 120 Web protocols are recognized by

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

protocol “fingerprint” (this permits the identification

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

of applications such as Skype, BitTorrent, and Yahoo

 

 

 

 

 

 

 

 

 

 

 

 

USER LAN

 

 

 

 

 

Chat.) Malware “phone-home” communications are

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

also recognized and denied access to the Internet. To

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

implement this capability, a layer 2 switch is needed to

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

L2 Switch

 

 

 

 

 

 

 

 

 

 

 

 

 

 

mirror user traffic. When the P1 port allows user traffic,

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

the V10000 establishes a new traffic flow (proxy) via

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 1: Reference network

the same P1 port. When traffic is not permitted, the

 

 

 

 

V10000 issues a redirect message via the P1 port to the

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

user browser. The user browser is redirected to a “Block Page” that is served by the V10000 at the C port. These two scenarios are illustrated in the following ladder diagrams.

Copyright © 2010, Juniper Networks, Inc.

3

Page 2 Page 4
Page 3
Image 3
Juniper Networks V10000 warranty Introduction, Scope, Design Considerations, Internet, User Lan, Reference network
Page 2 Page 4