`
`
`
`
`
`
`
`
`
`
`
`
`
`Exhibit 9
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 2 of 20
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 2 of 20
`
`este
`
`siSA lors
`NETWORKS
`
`SRX Series Service
`Gateways for the B
`
`SRX100, SRX110, SRX210, SRX220, SRX240; SR
`
`Ten
`
`ies Services Gatewaysfor
`
`
`@ next-generation
`security gateways that provide
`essential capabilities that
`connect, secure, and manage
`workforce ocations sized from
`hardfuls to hundreds of users. By
`
`idating fast, highly available
`switching, routing, security,
`and next generation firewail
`
`capabilities in a single device,
`enterprises can protect their
`resources as well as econom
`deiiver newserv.ces, safe
`
`connectivty, and a
`sfying end-
`user experience. All SRX Series
`
` Servic ateways, including
`products scaled for Enterprise
`branch, Enterprise edge, and
`Data Certer applications, are
`powered by Junos OS—the proven
`operating system that provides
`unmatched consistency, better
`performance with services, and
`superior infrastructure protection
`at a lower total cost of ownership.
`
`
`
` ct Description
`
`The Juniper Networks® SRX Series Services Gateways for the branch combine next
`generation firewall and unified threat management (JTM) services wth routing and
`switching in a single, high-performance, cost-effective network device.
`
`SRX Series for the branch runs Juniper Networks lunos® operating system, the proven
`OloO
` und the
`
`OSthat is used by core Internet routers in all of the top 100 service providers
`ee
`ee
`
`ss routing features of IPv4/IPV6, OSPF, 8GP, and
`world. The ngorous!y tested carrer-c!
`muiticast have beenprovenir over 15 years of worldwide deployments.
`SRX Series for the branch provides perimeter security, content security, application
`visib lity, tracking and policy enforcement, user role-based control, threat intelLigence
`through integration wth Juniper Networks Spotlight Secure* and network-wide threat
`
`5, network administrators can configure
`visibility and contral. Using zones and pol
`and deploy branch SRX Series gateways quickly and securely. Policy-based VPNs
`support more complex securty arch tectures that require dynamic addressing and
`so includes w.zardsforfirewall, IPsec VPN, Network
`
`split tunneling. The SRX Series é
`Address Transiation (NAT), and -nitia. setup to simpl fy configurations out of the box.
`For content security, SRX Series for the branch offers a complete suite of next
`generation firewall, unified threat management (UTM) and threat intel gence
`services consisting of: intrusion prevention systern (IPS), appiication security
`(AppSecure), user role-basedfirewal! controls, on-box and cloud-based antivirus,
`antispam, and enhanced Web filtering to protect your network from the ‘atest
`
`content-borne threats. Integrated threat inteiligence via Spotlight Secure offers
`adaptive threat protection against command andcontrol (C&C) related botrets and
`policy enforcement based on Geol? ard attacker fngerprinting technology(the latter
`for Web application protection)—al! of which are based on Juniper providedfeeds.
`Customers may also \everage their own custom and third-party feeds for protection
`from advanced maiware and otherthreats. The branch SRX Seriesintegrates with
`other Juniper security products to deliver enterprise-wide unified access control
`(JAC) and adaptive threat management.
`SRX Series for the branch are secure routers that bring high performance andproven
`
`deployment capabilities to enterprises that need to build a worldwide network of
`thousands ofsites. The wide variety of options allow configuration of perfarmance,
`functionality, and price scaled te support from a handful
`to thousands of users.
`
`
`
`ties, a simple-to-use Web-based GUI, or Juniper Networks Junos
`
`
`y Drector for centralized maragement.
`
`33 Space
`
`
`Deputy Clerk
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`
`Trial Exhibit 345
`Case No. 17-CV-05659-WHA
`
` Entered:
`
`By:
`
`FINJAN-JN 045192
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 3 of 20
`
`Architecture and Key Components
`Key Hardware Features of the Branch SRX Series Products
`
`Product
`SRxX100Services
`Gateway
`
`SRXN10 Services
`Gateway
`
`SRX210 Services
`
`
`SRK220 Services
`Gateway
`
`SRX240 Services
`Gateway
`
`
` Services
`teway
`
`
`SRX650Services
`Gateway
`
`>
`
`Description
`
`ght 10/100 Ethernet LAN ports and 1USB port (support for 3G USB)
`Full UTM'antivirus!, antisparn', enhanced Webfiltering, and contentfiltering
`intrusion prevention systern’, AppSecure’
`2 GB DRAM, 2 GB flash default
`» VDSL/ADSL2+ and Ethernet WAN interfaces
`+ Eight 10/100 Ethernet LAN ports and two USB port (support for 3G USB)
`
`Full UTM): antivirus’, antisparn’,
`enhanced Webfiltering’, intrusion prevention systern'’, AppSecure!
`Unified Access Control (UAC) and contentfiltering
`2 GB DRAM, 2 GBCF default
`
`+ Two 10/100/1000 Ethernet and 6 10/100 Ethernet LAN ports, 1 Mini-P'Mslot, and 2 USB ports (support for 3G USB
`
`Factory option of 4 dynarnic Power over Ethernet (PoE) ports 802.3af
`Support for TIVEserial, ADSL/2/2+, VDSL, GSHDSL, and Ethernet small forrn-factor pluggable transceiver (SFP)
`
`Content Security Accelerator hardware for faster performance of |PS and ExpressAV (with high memory version)
`
`FulLUTM® antivir
`antisparn', enhanced Webfiltering’, and conten: filtering
`
`ntrusion prevention sysierr, User role-based firewall, and AppSecure!
`2 GB DRAM,2 GB flash default
`
`slots
`
` Factory option of 8 PoE port
`wards compatible with 802.3a*
`
`GSHDSL., and Ethernet SFP
`Support for T1/E1
`
`for faster performance of
`|PS and ExpressAV
`t
`
`Full UTM! antivirus! antisparn’. enhanced Webfiltering’, and contentfiltering
` 2 GB DRAM, 2 GBCF default
`* 1610/100/1000Ethernet LANports, 4 Mini-PIM slots
`
`+ Factory option of 16 PoF= ports; PoE+ 802.3at, backwards compatible with 802.3af
`Support for T1/E1,
`serial, A
`2/2+,VOSL,GSHDSL, and Ethernet SFP
`
`
`
`
`Content Security Accelerator hardware for faster performance
`of IPS and ExpressAV
`
`
`Full UTM? antivirus], antisparn', enhanced Webfiltering’, and conten! filtering
`ntrusion prevention system’. AppSecure!
`
`
`+ Ten fixed Ethernet ports (€ 10/100/1000 copper, 4 SFP). 2 Mini-PIM slots, 6 GPMslots or multiple GP!
`combinations
`Support for T1/E1, serial, ADSL2/2+, VDSL, G.SHDSL, DS3/E3, Gigabit Ethernet ports: supports up to 52 Ethernet
`ports including SFP; 40 switch ports with optional PoE including 802.3at, PoE+. backwards compatible with 802.3af
`(or 50 non-PoE 16/100/1000 copper ports)
`Content Security Accelerator hardware for faster performance of |PS and ExpressAV
`Full UTM! antivirus’. antispam, enhanced Webfiltering’. and contentfiltering
`ntrusion prevention system’, User role-basedfirewall, and AppSecure!
`Threat intelligence for protection from command and control (C&C) botnets, Web application threats, and advanced
`malware, and policy enforcement based on GeoiP data
`
`2 GB DRAM default, 2
`com
`t flash default (SRX550)
`
`4 GB DRAMdefault. 8 GB compact flash default (SRX550 High Memory)
`Optional redundant AC power: siandard AC power supplythat is PoE-ready: PoF power up to 250 wai
`supply or 500 watts dual power supply
`
`» Four fixed ports 10/100/1000Et
`N ports, 8 GPMslots or multiple GPM and XPIM combinations
`
`
`
`
`
`
`Ethernet ports including
`- Support for T1, 1, DS3,
`supports up to 52
`» 48 switch ports
`
`optional PoE including 802 3at,
`PoE+, backwards compatible with 802.3af (or 52 noni-PoF 10/100/1000copper ports)
`Content Security Accelerator hardware for faster performance of PS and ExpressAV
`
`FullUTM? antivirus’, antispam', enhanced Webfiltering', and content filtering
`
`ntrusion prevention system’, User role-based firewall. and AppSecure'
`Threat intelligence for protection from command and control (C&C) botnets. Web application threats. and advanced
`malware, and policy enforcernent based on GeolP data
`
`Modular Servi
`and Routing Engine, future internal failover and hot-swap
`2 G8 DRAMdefault. 2 GB compact flash default. external compact ‘lash slot for additional storage
`
`Optional redundant AC power: standard AC power supply that is PoE-ready:
`PoE power up to 250 watts single power
`
`supply o
`O watts dual power supply
`
`Mand XPIM
`
`
`
`5 single power
`
`
`
`
`scription|ware with noat
`
`
`
`
`
`FINJAN-JN 045193
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 4 of 20
`
`
`To address the evolving threat landscape that has made it
`
`mperative to integrate external threat intelligence into the
`firewall for thwarting advanced malware and other threats, some
`gence via
`SRX Series Services Gateways include threat int
`integration with Spotlight Secure. The Spotlight Secure threat
`
`
`5 to deliver open, consolidated, actionable intelligence to
`
`
`ries Services Gateways across the organizationfor policy
`enforcement. These sources include Juriper threat feeds, third
`party threat feeds and threat detection technoiogies that the
`customer can deploy.
`
`
`Administrators are able to define enforcement poi
`
`
`feeds via a single, centralized managemertpoint, Junos Space
`Security Director.
`
`
`Manyorganizations use both a router and a firewali/VPN at their
`
`network edgeto fulfill
`their networking and security needs. Por
`
`
`many organizations, the SRX Seres for the branchcanfulfi
` routing,
`both roles with one solution. Juniper built best-in-c
`
`switching and fire
`capabiities into one product.
`
`SX Series for the branch checks the traffic to seeifit is
`legitimate and permissible, and only ferwards it on whenit 's.
`
`This reduces the load on the network,
`allocates bandwidth forall
`other mission-critical applications, and secures the network from
`MauCcIOUS USers.
`
`The main purpose of 2 secure router is to provide firewall
` iL (zone) functionality
`protection and apply policies. The firew:
`nspects traffic flows and state to ensure that originating and
`returning information in a session is expected and permitted for
`a particular zone. The security policy determinesif the session
`canoriginate in one zone and traverse to another zone. Due to
`the architecture, SRX Series receives packets from a wide variety
`of every session, of every
`of clients and servers and keeps trac
`
`ws the enterprise to make
`application, and of every user. This é
`sure that only iegitimate traffic is on its network andthat traffic is
`f.owing in the expected direction.
`
`
`High Avaiability
`Junos Services Redundancy Protocol (ISRP) is a core feature
`of the SRX Series for the branch. JSRP enables a pair of SRX
`Series systems to be easily integrated into a high availability
`network architecture, with redundant physical connections
`cent network switches. With
`
`between the systemsand the ac
`
`address many common
`tink redundancy, Juniper Networks cai
`
`cal port going bad
`causes of system failures,s
`ore
` connected, to ensure that a connection
`bie getting dis
`
`
`yle without having to fail over the entire system. This
`is consistent with a typical active/standbynature of routing
`resiliency protocols.
`
`ow
`
`FINJAN-JN 045194
`
`
`
`traffic or the content that is traveling across your network
`
`“Trust” Zone
`
`Call
`
`intranet
`
`tl:
`
`
`
`
`Firewalls. zones.
`Figure 1
`jes
`andpolic
`
`to protect your environment
`against threats, manage how
`your network bandwidthis allocated, and contro! who has access
`to what.
`
`
`AppSecure is 2 suite of application security capabilities for
`Junper Networks SRX Series services Gatewaysthat identifies
`
`
`applications for greatervisibiity, enforcement, contra, and
`protection of the network.
`
`Intrusion Prevention
`
`The intrusion prevention system (IPS) understands application
`behaviors and weaknesses to prevent application-borne security
`threats that are difficuit to detect and stap.
`
`Unified Thr
`Series can include comprehensive content security against
`
`ns, spam and other
`maiware,viruses, phishing attacks, intrusial
`
`TM). Get a best-
`threats with unified threat management (L
`of-breed solution with anti-virus, anti-spam, webfiltering and
`
`contertfiltering at a great value by easily adding these services
`to your SRX Series Services Gateway. Cloud-based and on-box
`solutions are both ava
`
`
`
`
`Firewall
`
`Juniper offers a range of userrole-based firewail control solutons
`that support dynamic security policies. Userrole-based firewa.i
`capabilities are integrated with the SRX Series Services Gateways
`for standard next generation firewali controls. More extensive,
`scalable, granular access controls for creating dynamic policies
`are ava lable through the integration of SRX with a Juniper
`Unified Access Control solution.
`
`protection with application awareness and extensive userrole-
`based control options plus best-
`“Untrust” Zone
`of-breed UTMto protect
`and
`control your busines
`Next generation firewall
` able to performfull packet
`inspection and can apply
`security policies based orlayer 7
`information. This means you can
`c
`
`te security policies based on
`the appiication running across
`your network, the user who1s
`receiving or sending network
`
`a
`
`SER
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 5 of 20
`
`Acteendby
`
`Active/Standby
`
`INTERNETj_Active iii—d———|
`\see
`aad Standby
`
` EXwil EXSeries
`tb
`2 i
`
`|
`
`
`
`Failure
`
`(INTERNET )
`
`Se
`
`
`
`Active/Active
`
`Active/Active
`
`Active
`
`(INTERNET
`( INTERNET
`— » SRX240,
`me Active
`eee
`AC V2Aence
`
` EX Series
`
`EX Series
`EX Series
`
`
`| La
`al
`ih
`a
`
`
`
`When SRX Series Services Gatewaysfor the branch are
`configured as an active/active HA parr,traffic and configuration
`is mirrored automatically te provide active firewali and VPN
`session maintenance in case ofa failure. The branch SRX Series
`synchronizes both configuration and runtime information. As a
`result, during failover, synchronization of the following information
`is shared: connection/session state and fiow information, IPSec
`security associations, Network Address Translation (NAT) traffic,
`address backinformation, configuration changes, and mere. In
`contrast to the typical router active/standbyresiliency protocals
`such asVirtual Router Redundancy Protocol (VRRP), all dynamic
`flow and session information is lost and must be reestablishec
`
`
`in the event of a failover. Someor ail
`network sessions will have
`to restart depending on the convergencetime of the links or
`
`nodes. By mainta
`ung state, not only 's the sess on preserved,
`but security is kept intact. In an unstabie network, this active/
`active configuration aiso mitigateslink flapping affecting session
`performance.
`
` ut the
`
`In order to optimize the throughput and latency of the combined
`router and firewall, lunas OS implements session-based
`forwarding, an innovation that combines the session state
`information of a tradit ona! firewal and the next-hop forwarding
`
`of a classic router into a single operation. With Juros OS, a
`essionthat is permitted by the forwardingpolicy is added to
`
`the forwarding tabie along with a po:nter to the next-hop route.
`Established sessions havea singie table lookup toverify that the
`session has been permitted and to find the next hop. Th's efficient
`algorithm improves throughput and lowers latency for session
`traffic when compared with a classic router that performs muitipie
`tabie icokups to verify session information and then to find a next-
`hop route.
`
`Figure 3 shows the session-basedforwarding a.gorithm. When a
`news
`nis established, the session-based architecture withir
`
`Junos OSverifies that the session s allowed by the forwarding
`
`policies. If the session is
`allowed, Junos OS wil:
`icok up the next-
`hop route in the routing table.It then inserts the session and the
`next-hoproute into the session and forwarding table and forwards
`the packet. Subsequert packets for the esta lished session
`require a single table lookupin the session and forwarding table,
`and are forwarded to the egress interface.
`
`Security Policy Evaluation
`
`and Next-Hep Lookup
`
`Session and
`
`
`Forwarding Table
`
`
`TTS teen<
`ae
`Forwarding for
`|.
`Egress
`Ingress
`Intertace
`Pe ger
`Permitted Trattic
`""" "Interface
`Disallowed by
`Policy: Droosed
`
`Figure 3: Session-based forwarding algorithm
`
`4
`
`FINJAN-JN 045195
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 6 of 20
`
`
`
`i
`
`{
`
`soe
`
`rm Ld.
`3G
`NY
`>|Connectivity
`os SRX110 =)
`|
`;
`|
`Small Office
`
`VDSL
`
`|
`
`= oo i
`_ SRX650 SRX65O__
`
`WLCB800
`
` EX4200_
`
`EX4200
`
`||
`
`i
`
`leg
`|
`|
`Server Z Server
`SIP
`i
`App Server
`|
`_ Private Data Center
`
`uC
`
`|
`
`i
`'
`
`—
`
`|
`
`f
`
`‘
`
`Internet
`
`ee
`
`‘
`
`"game
`
`SF.com
`a
`
`Private WAN
`
`
`
`
`
`
`
`
`
`4G LTE
`i
`Web
`Hosted
`|
`
`
`_ Large HA Office Server—Server i TVEI VDSL TVE]
`
`SFP
`
`DS3/E3
`
`i
`Po
`Cr.|e]
`| SRXSSO.
`0 SRXSSO |
`a a
`/EX3300__
`Texs300;
`|
`|
`WLC100
` @ is} @
`|
`WLAS32
`|
`[]
`:
`Fe j
`_ Mid-sized HA Branch
`| Small, Link HA Branch
`
`
`
`Wook
`SRXCEO
`
`SRX210
`i]
`7 =,
`i]
`|
`
`BC ETE
`4
`cxm
`| &S
`—ew
`7
`-_—
`a
`Small Branch with
`Cellular Backup
`
`|
`i
`co
`
`Figure 4: Thedistributed enterprise
`
`ii
`
`||
`
`|
`|||
`|
`|
`|
`||
`i
`|
`
`|
`
`|
`
`|
`|
`|
`|
`|
`|
`
`|
`|
`
`5
`
`FINJAN-JN 045196
`
`|
`|
`|
`
`||
`
`|
`i
`
`|
`|
`|
`
`|
`|
`
`|
`|
`|
`|
`i
`|
`
`||
`
`SRXNIO
`
`SRX100
`
`
`
`
`
`Le ee sit Si emacs
`
`
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 7 of 20
`
`eres
`
`Sanyices
`
`ewayst
`
`eB Brare
`
`Jats Sheet
`
`
`
`IPv4, IPv6, ISO Connectioniess Network Service (CLNS)
`Routine and Multicast
`outing and Mutticast
`Static routes
`RIPv2 +v1
`SPF/OSPFy3
`ru
`BGP
`eh
`BGP Router Reflector
`IS-IS
`
`Muiticast (Internet Group Management Protocal
`(IGMPVv1/2/3), PIM-SM/DM/SSM,Session Description
`
`Protocol (SDP), Distance Vector Multicast Routing Protocol
`=
`6
`:
`os
`:
`(DVMRP), source-specific, Multicast inside IPsec tunnel),
`MSDP
`MPLS (RSVP, LDP, Circuit Cross-connect (CCC), Transiational
`Cross-connect (TCC), Layer 2 VPN (VPLS), Layer 3 VPN,
`VPLS, NGMVPN)
`
`We ghted random early detection (WRED
`Queuing based on VLAN, data-link connection identifier
`(DCI), interface, bundies, or multi-field (M&) filters
`.Guaranteed bandwidth
`Maximum bandwidth
`Ingresstraffic pol. cing
`Priority-bandwicth utilization
`DiffServ marking
`Virtual channeis
`
`Securi
`woes
`
`
`
`Fire
`- Firewall, Zones, screens, polices
`Stateful firewall, statelessfilters
`» Network attack detection
`» Screens denial of servce (DoS) and provides distributed
`denial of service (DDoS) protection (anamaly-based)
`- Prevent replay attack; Anti-Replay
`
`IP Address Management
`Static
`DHCP, PPPoE client
`Internal DHCP server, DHCP Relay
`
`Address Tre
`on
`
`Source NAT with ort Address Translation (PAT)
`Static NAT
`Destination NAT with PAT
`Persistent NAT, NAT64
`
`Encat
`
`Ethernet (MAC and VAN tagged)
`Point-to-Point Protocol (PPP) (synchronous)
`- Multilink Point-to-Point Protocol (M_LPPP)
`Frame Relay
`
`- Multilink Frame Relay (MLFR) (FREAI5, FREI6), FREAZ
`High-Level Data Link Control (HDLC)
`Seria. (RS-232, RS-449, X.2), V.35, EIA-530)
`802.1q VLAN support
`Point-to-Point Protocol over Ethernet (PPPoE)
`
`L2 Switchine
`80230, 802.10, RSTP, MSTP, 802.3ad (_AC?)
`802.1x, LLDP, 802.Jad (O-in-O), IGMP Snooping
`Layer 2 switching with high availability
`
`raffic Management Qualityc
`802.\p, DSCP, EXP
`
`
`
`Marking, policing, and shaping
`Class-based queuing with proritization
`BSS
`EH
`WINTER
`Neen
`
`+ Unified Access Control
`- TCP reassembyy for fragmented packet protection
`- Brute force attack mitigation
`- SYN cookie protection
`
`- Zone-based IP spoofing
`~ Malformed packet protection
`JITM
`
`+
`Intrusion Prevention System (IPS)
`- Protocol anomaly detection
`
`- Stateful protocol signatures
`-
`Intrus.on prevention system (IPS) attack pattern
`obfuscation
`
`- User role-based policies
`Customersignatures creation
`Multiple times a week and emergency updates
` AppSecure
`- AppTrack (application visibility and tracking)
`- AppFirewal (policy enforcement by application name)
`- Customsignatures
`- AppQos (networktraffic prioritization and bandwidth
`management)
`- Dynamic signature updates
`- Jser-based app.ication poticy enforcement
`» Antivirus
`- Express AV (stream-based AV, not available on SRX100
`and SRX10)
`- File-based antivirus
`Shamemurawatatices
`Protocals scanned: POP3, HTTP, SMTP, IMAP, FTP
`
`SRAGSO See ordenng secthonform information
`
`
` 50 High Memory unit dor
`
`bam, We
`
`
`
`
`
`FINJAN-JN 045197
`
`
`
`Case 3:17-cv-05659-WHA
`
`Document 358-9 Filed 01/24/19 Page8 of 20
`
`
`
`
`
`é OSPFYy3
`
`RIPng
`IPv6 Muiticast Listener Discovery (MLD)
`
` CXINC
`1 3G/4G/LTE Broadband Data Bridge supported
`on all branch SRX Series devices
`3G USB medem support for S2X100, SRX710, and SRX210
`
`ying
`urement, and Mc
`
` ime performance monitering (
`
` >M)
`Sessions, packets, and bandwidth usage
`Juniper J-Flow montoring and accounting services
`IP Monitoring
`
`
`
`Syslog
`Traceroute
`
`Antispyware
`Arti-adware
`
`Antikey.ogger
`- Cloud-based antivirus
`Antispam
`Integrated enhanced Webfiterng
`- Category granularity (90+ categories)
`- Real time threat score
`Redirect Webfiltering
`Content Security Accelerator in SRX210 high memory,
`SRX220, SRX240, SRX550, and SRX650*
`SRX21C high memory, SRX220 high
`ExpressAV option
`memory, SRX240,
`50, and SRX650*
`Content filtering
`- Based on MIME type,file extension, and protocol
`commands
`
`
`Auto VPN(Zero Touch Hub)
`Tunnels (GRE, IP-IP, IPsec)
`IPsec, Data Encryption Standard (DES) (56-bit), triple Dat
`Encryption Standard (3DES) (68-bit), Advanced Encryption
`Stardard (AES) (28-bit+) encryption
`
`Message Digest 5 (MD5),SHA-1 , SHA-128, SHA-256
`authentication
`
`
`
`Multi-Proxy ID for s'te-to-site VPN
`
`Extensive control- and data-piane structured and
`unstructured syslog
`
`Juniper Networks Network and Security Manager support
`(NSM)
`
`Juniper Networks Junos Space Security Director support
`
`Junos Pulse Dynamic VPN cliert; browser-based remote
`
`
`Juniper Networks
`STRM Series Security Threat Response
`access feature requiringalicense
`Managers support
`IPv4 and IPv6 VPN
`
`Juniper Networks Advanced Insight Solutions support
`
`External administrator de
`atabase (RADIUS, DAP, SecurelD)
`
`
`
`
`Time Transport Protocol (CRTP)
`
`
`
`JSRP
`Statefu: failover and dual box ci
`SRX550/SRX650:
`- Redundant power (optional)
`- GPIM hot swap
`- Future internal failover and SRE hot swap (OIR) on
`SRX650
`
`kup Unk via 3G/4G LTE wire.ess or otherWAN
`Active/active—..3 mode®
`
`Active/passive
`mode?
`Configuration synchronization®
`
`and VPN?
`Session synchronization for firewe
`Session failover for routing change®
`Device failure detection?
`lank failure detection®
`
`Auto-configuration
`Configuration rollback
`Rescue configuration with butten
`Commit confirm for changes
`Auto-record for diagnostics
`Software upgrades (USB upgrade option)
`Juniper Networks J-Web
`Command-line interface
`Smart image download
`Certifications
`
`NEBS Compliance for SRX240, SRX65C°
`Department of Deferse (DoD) Certification for S2X Series
`
`
`Services Gateways,including testing and certification by the
`Department of Deferse Joint Interoperability Test Command
`
`(ITC) for interoperability with DoD networks and addition of
`the SRX Seres Services Gateways to the Unified Capabilities
`
`Approved Product List (UC APL)
`
`IP Monitoring with route and interface failover
`
`
`
`
`tted on the low memaryversion Peas
`niption license UTIs not
` purchaseof memory software license key
`
`
`
`
`
`FINJAN-JN 045198
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 9 of 20
`
`Product Comparison
`
`SRX100
`
`SRX110
`
`SRX210
`
`SRX220
`
`SRX240
`
`SRX550
`
`SRX650
`
`Maximum Performance and Capacity
`Junos OSversiontested
`Junos OS
`121%44-D15
`
`Junos OS
`12.1X44-DI5
`
`
`Junos OS
`Junos OS
`W21X44-DIS8_—-12.1K44-D15
`
`Junos OS
`WARS
`
`Junos OS
`W57P
`
`Junos OS
`W4R5
`
`
`
`700 Mbps
`
`700 Mbps
`
`850 Mbps
`
`950 Mbps
`
`1.8 Gbps
`
`7 Gbps
`
`7Gbps
`
`Unrestricted—Unrestri Unrestricted
`
`Firewall performance
`(large packets)
`25Gbps
`2 Gbps
`600 Mbps
`300 Mbps
`200 Mbps
`200 Mbps
`Firewall performance (MIX)
`250 Mbps
`850 Kpps
`700 Kpps
`200 Kpps
`125 Kpps
`70 Kpps
`70 Kpps
`Firewall + routing PPS (64 Byte)
`95 Kpps
`2 Gbas
`2 Gbps
`830 Mbps
`350 Mbps
`100 Mbps
`100 Mbps
`Firewell perforrmance® (HTT®)
`290 Mbps
`1.5 Gbps
`1.0 Gbps
`300 Mbps
`100 Mbps
`65 Mbps
`65 Mbps
`= ine throughput (large
`85 Mbps
`packets
`3,000
`2.000
`1.000
`52
`128
`28
`IPsec VPNtunnels
`256
`
`
`AppSecure firewall throughput®=90 Mbps 90 Mbps 250 Mbps 300 Mbps 750 Mbps 2.0 Gbps 19 Gbps
`
`
`
`
`
`65 Mbps
`IPS (intrusion prevention system)
`75 Mbps®
`75 Mbps
`80 Mbps
`230 Mbps
`800 Mbps
`1Gbps
`Antivirus
`25 Mbps
`25 Mbps
`30 Mbps
`35 Mbps
`85 Mbps
`300 Mbps
`350 Mbps
`(Sophos AV)
`(SophosAV)
`(SophosAV)
`(SophosAV)
`(SophosAV)
`(Sophos AV)
`(Sophos AV)
`1,600
`1800
`2,200
`2,800
`8,500
`27000
`35.000
`Connections per second
`32”?
`32K”
`64K?
`96K’
`256 K
`375 K
`512 K
`Maximumconcurrent sessions
`2GB DRAM
`2GB DRAM
`2GB DRAM
`2GBBRAM
`2 GB DRA
`eng GB’
`26GB DRAM
`DRAM options
`384
`384
`512
`2 04 8
`Maximum security policies
`4,096 Maximumusers supported
`
`Unrestricted
`
`
`Network Connectivity
`8 x10/100
`Fixed /O
`4x
`6x
`16x
`Bx
`2k
`
`
`TO/IGO/IO00=IO/IOB/1ID00 §=«1D/IGONGOO=10/100/10G0 —_10/100/1000
`ADSL2+
`BASE-T+6x
`BASE-T
`BASE-T
`BASE-T + 4
`BASE-T
`WAN(Annex
`10/100
`SFP
`Aor B)
`N/A
`
`iOslots
`
`N/A
`
`1x SRX Series 2x SRX
`Mini- PIM
`Series
`Mini-PiM
`
`4xSRX
`
`Series
`aries
`Mini-FiM
`Mini-PIN
`6xGPIM
`or multiple
`
`GPM
`and XPIM
`combinations
`
`8xGPIM
`or multiple
`GPIM
`and XPIM
`combinations
`
`ye
`-
`F
`services and Routing
`;
`.
`No
`20
`No
`No
`services and
`Routing Engine
`No
`No
`No
`See ordering
`See ordering
`ss
`;
`ANIZL AN
`intarts
`+
`See ordering
`See ordering
`mS
`!
`1
`WAN/LAN interface
`options
`ma
`gaan
`:
`:
`
`
`
`
`WAREAN INESE information—information information—informationeee Goon WA Na
`
`
`Upto4ports Upto & ports
`Maximurn number of PoE ports
`NVA
`N/A
`Up to 48
`{PoE o
`nal on sore SRX
`of 802 3af
`of B802.3af/
`ports of
`Series models)
`with
`at with
`802.3af/
`maximum
`maxinum
`at with
`50 W
`20 W
`maxirnum
`247.
`
`
`
`
`
`USB
`
`1
`
`2
`
`2
`
`2
`
`2
`
`2
`
`2 per SRE
`
`
`
`
`
`
`
`FINJAN-JN 045199
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 10 of 20
`
`SRxX100
`
`SRX110
`
`SRX210
`
`SRX220
`
`SRX240
`
`SRX550
`
`SRX650
`
`HBBE
`
`Routing
`Routing (Packet Mode) PPS
`
`BGPinstances
`
`1O0Kpps
`5
`
`1OOKpps
`
`BGP peers
`BGP routes
`OSPFinstances
`
`OSPF routes
`RIP v1/ v2 instances
`RIP y2 routes
`Static routes
`
`Source based routing
`Policy-based routing
`Equal-cost multipath (ECMP)
`Reverse path forwarding (RPF)
`IPsec VPN
`Concurrent VPNtunnels
`Tunnel interfaces
` S (56-bit). 3DES (168-bii)
`MD-5, SHA-1 and SHA-2
`authentication
`Key
`Manual key, internet
`
`3
`f
`public key
`}
`
`rward secrecy (DH
`
`Groups)
`Prevent replay attack
`Dynamic remote access VPN
`
`Redundant VPN gateways
`@S5 users
` Number of remote ac
`
`8
`BK
`4
`BK
`4
`BK
`BK
`
`Yes
`Yes
`Yes
`Yes
`
`128
`10
`
`Yes
`
`Yes
`
`Yes
`
`12.5
`
`Yes
`Yes
`Yes
`
`Yes
`
`N wn
`
`Yes
`
`
`Yes
`25 users
`
`User Authentication and Access Control
`
`Third-party user authentication
`RADSecurelD,
`LDAP
`
`
`
`RADIUS accounting
`XAUTH VPN, Web-based, 802.X
`authentication
`
`Yes
`Yes
`
`
`
`1S0Kpps
`10
`16
`16K
`10
`16K
`
`16K
`16K
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`Yes
`Yes
`Yes
`50users
`
`srequesis(PKCS7
`
`Yes
`
`Yes
`e Authorities
`ppored
`
`Virtualization
`Maximum number of security
`zones
`Maxirnum number of virtual
`routers
`
`10
`
`3
`
`Yes
`
`10
`
`us
`
`16
`
`
`
`
`
`
`
`200Kpps
`16
`16
`32 «
`
`300Kpes
`
`1O00Kpps
`
`JOOOKpps
`64
`
`256OO
`800 K
`
`
`
`3,000
`512
`Yes
`
`
`
`2,000
`a
`
`Yes
`
`Y25
`
`Yes
`Yes
`Yes
`Yes
`150 users
`
`N at
`
`Yes
`Yes
`Yes
`Yes
`250 users
`
`
`
`RADIU
`5.RSA
`
`SecureiD,
`LDAP
`
`RADIUS, RSA
`SecurelD,
`LDAP
`
`RADIUS. RSA
`
`
`
`
`
`Yes
`500 users
`
`RADIUS. RSA
`SecurelD,
`LDAP
`Yes
`Yes
`
`Yes
`
`Yes
`
`FINJAN-JN 045200
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 11 of 20
`
`Bre
`2
`hee
`
`
`SRX100
`
`SRX110
`
`SRX210
`
`SRX220
`
`SRX240
`
`SRX550
`
`SRX650
`
`Encapsulations
`PPP/M.. PPP
`PPPoE
`PPPoA
`
`> maxirriumphysical
`ML
`interfaces
`
`Frame Relay
`ML.FR (FRF 15, FRF 16)
`
`interfaces
`MLFR maximumphysical
`
`HDLC
`Wireless
`
`N/A
`Yes
`N/A
`
`N/A
`
`N/A
`N/A
`
`N/A
`
`N/A
`
`N/A
`Yes
`Yes
`
`N/A
`
`N/A
`NVA
`
`N/A
`
`N/A
`
`Yes
`Yes
`Yes
`
`1
`
`Yes
`Yes
`
`]
`
`Yes
`
`Yes
`Yes
`Yes
`
`2
`
`Yes
`Yas
`
`2
`
`Yes
`
`Yes
`Yes
`Yes
`
`4
`
`Yes
`Yes
`
`4
`
`Yes
`
`Yes
`Yes
`Yes
`
`12
`
`Yes
`Yes
`
`12
`
`Yes
`
`Yes
`Yes
`Yes
`
`12
`
`Yes
`Yes
`
`2
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`Yes
`
`
`
`Yas
`
`Yes
`
`Yes
`
`Yes
`
`Ves
`
`Yes
`
`Yes
`
`Yes
`
`CXIN13G 4G LTE Bridge support
`Junos/SRX Senes management
`of CxM
`Flashand Memory
`268
`2 GBA GB"
`26GB
`2GB
`268
`2GB
`Mernory (DRAM)
`2GB
`
`(SRXIOOH2)—(SRXTIOH2) =2 (SRX220H2) (SRX240H2) (SRX650)
`
`
`
`
`Fixed
`memory
`26GB
`
`pe
`Memory slots
`Flash memory
`
`JSB port for external storage
`Dimensions and Power
`Dirnensions (Wx H x D)
`
`Weight (device and power
`supply)
`
`Kft
`40MM
`2GBCF
`internalon
`SRE, external
`slot ermpt
`
`up to2GBCF
`supported
`Yes
`
`Fixed
`memory
`26B
`
`Fixed
`memory
`2GBCF,
`externally
`accessible
`
`Fixed
`memory
`2GBCF,
`externally
`accessible
`
`Fixed
`memory
`265
`
`‘
`2DIMM
`2 GB/8 GB
`CF internal
`
`Yes
`
`Yes
`
`Yes
`
`Yes
`
`Yas
`
`Yes
`
`B5x*x14«
`5.8 in (21.6 x
`3.6147 0m)
`
`25lbQ1kg)
`
`W.02 % 1.72 x
`8.385 in
`(28% 4.37 x
`2l.3cm)
`67 lb
`(3.06 kg)
`
`14.31x173x*
`W.02 x1.73 x
`712in(28.0x% 7Nin (363%
`44x%18lem)
`44x18lem)
`
`33Ib05kg)
`non-PoE /
`44\b
`(2 kg) PoE
`No interface
`modules
`
`3.43Ib
`(1.56 kg)
`non-PoE
`No interface
`modules
`
`
`
`(5.6 kg) PoF
`No interface
`modules
`
`175 #35%
`18.2 in (444
`x88 x 462
`cm)
`21.96 tb
`(9.96kg)
`Nointerface
`modules
`1 power
`supply
`
`W5x35x%
`18.2 in (444
`xB.8 x 462
`cm)
`249 \b
`G13 kg)
` Nointerface
`modules
`1 power
`supply
`
`Yes, 2 RU
`Yes, 2 RU
`Yes. TRU
`Yes, 1RU
`Yes. TRU
`Yes. 1] RU
`Yes, TRU
`Rack-mountable
`
`
`
`
`
`
`Power supply (AC) 150 W forLM=100-240100-240 100-240 100-240 100-240 100-240
`VAC, 30 W
`VAC, 60 W
`VAC,
`VAC,
`and HM
`VAC.
`VAC,
`
`
`
`60 Wnon- 190 W for HM_-single 64560 W non- single 645
`PoE/
`PoE /
`with BC
`W oF
`W or
`360 Wfor
`150 W PoE
`200 W PoF
`dual 645 W
`dual 645 W
`
`PoE
`150 W
`
`MaximumPoE power
`
`N/A
`
`NWA
`
`50 W
`
`120 W
`
`247 N
`redundant, or
`4946 W non-
`redundant
`
`247 W
`redundant, or
`494 Wnon
`redundant
`
`
`
`FINJAN-JN 045201
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 12 of 20
`
`Average power consumption
`
`SRX100
`low
`
`SRXT1I0
`24W
`
`SRX210
`28 W.
`84 W(POF)
`
`SRX220
`28W
`
`input frequency
`Maximurr current consumption
`
`50-60 Hz
`100
`VAC
`
`50-60 Hz
`
`1.75 A @100
`VAC
`
`Maximurn inrush current
`
`604
`
`7OA
`
`Average heatdissipation
`
`35 BTU/hr
`
`81 BTU/hr
`
`Maxirnurr heat dissipation
`
`80 BTU/hr
`
`99 BTU/hr
`
`SRX240
`SRX240H?
`- 74.
`SRX240H2
`DC -72W
`SRX240H2-
`POE
`86.W
`50-60 Hz
`
`MA@100
`VAC, 3.04
`@ 100 VAC
`
`(PoE)
`
`404.45A for
`PoE
`253 BTU/hr
`(SRX240H2)
`246 BTU
`(SRX240H2-
`DC
`294 BTU/hr
`
`(SRX40H2-
`PoE)
`427 BTU/hr
`(SRX240H2)
`409 BTU/hr
`(SRX240H2
`DC)
`560 BTU/hr
`(SRX240H2
`PoF)
`No
`
`50-60 Hz
`
`044A @100
`VAC
`
`BOA
`
`104 BTU/
`hour
`(SRX220HZ2)
`
`
`
`50-60 Hz
`044A @100
`VAC. 113A
`
`100 VAC
`
`E)
`
`
`
`126 BTU/hr
`(SRX21GHEZ)
`157 BTU/hr
`
`(SRX210HE2-
`
`
`No
`
`No
`
`Redundant power supply (hot
`swappable)
`
`Acoustic noise level
`
`(Per
`‘SO 7779 Standard)
`Environment
`Operational temperature
`
`Nonoperational temperature
`
`Humidity (operating)
`Humidity (nonoperating)
`Mean tirne betweenfailures
`(Telcordia model)
`
`0 dB
`(fanless}
`
`OdB
`(fanless)
`
`29.1dB
`
`511 dB
`
`70.0 dB
`
`32° to 1049 F
`
`(0°
`to 4C€
`
`
`
`32° to 10490 F
`(0° to 40°C)
`4© to 158°F,
`
`
`
`
`24.8 years
`
`24.8 years
`
`32° to 104° F
`(0° to 40°C)
`-40° to
`158°F,
`(-40° to
`70°C)
`10% 70 90%noncondensing
`5%to 95%noncondensing,
`14.03 years
`(SRX?71CHE2)
`
`32°to 1040 F
`(09to 40°C)
`4° t0. 1580 F,
` {oO
`(-20°
`70°C)
`
`RX240H
`
` 11.63years
`
`
`
`
`
`
`
`SRX550
`85 W
`
`SRX650
`22W
`
`50-60 H2
`
`50-60 Hz
`
`75 A @100
`VAC with
`
`single
`PSL
`with Po=.
`10.5
`
`A@100 VAC
`with dual
`PSUwith PoE
`
`
`238 BTU/hr
`
`534 @100
`VAC with
`single PSU
`with PoE, 6.3
`A @100 VAC
`with dual
`PSUwith PoE
`45 A for Ve
`cycle
`319 BTU/hr
`
`1449 BTU/hr
`
`699 BTU/hr
`
`Yes (up to
`maximum
`capacity of
`single PSU}
`51.8 dB
`
`Yes (up to
`maximum
`
`capacity
`of
`single PSU)
`609 dB
`
`32° to 104° F
`(0° to 40°C)
`49 19 1589 F,
`(20° to
`70°C)
`
`2° t0 1040 F
`(0° to 40°C)
`4° to 158° F,
`{-20°
`to
`
`9.6 years
`with
`redundant
`power
`
`9.6 years
`with
`redundant
`power
`
`FINJAN-JN 045202
`
`
`
`Case 3:17-cv-05659-WHA Document 358-9 Filed 01/24/19 Page 13 of 20
`
`
`
`SRX100
`
`SRX110
`
`SRX210
`
`SRX220
`
`SRX240
`
`SRX550
`
`SRX650
`
`Certifications and Network Homologation
`USA
`
`Safety certifications
`EMC certifications
`
`Network homologation
`Canada
`
`
`Safety certifications
`EMC certifications
`
`Network homologation
`Australia
`
`UL 60950-1
`FCC Class B
`TIA-96
`
`UL 60950-1
`FCC Class B
`TIA-968
`
`UL 60950-1
`UL 60950-1
`FCC Class 8!
`FCC Class A
`968
`968
`
`
`UL 60950-1
`ECC Class A
`TIA-968
`
`UL 60950-1
`FCC Class A
`“A 966
`
`UL 60950-1
`FCC Class A
`
`TIA-966
`
`CSA 60950-1
`ICES class B
`cS-03
`
`CSA 60950-1
`ICES class B
`
`cS
`
`CSA 60950-1
`ICES class B’
`CS-03
`
`CSA 60950-1
`ICES Class A
`CS-03
`
`
`CSA 60950-1
`ICES class A
`
`CSA 60950-1
`ICES classA
`CS-03
`
`CSA 60950-1
`ICES class A
`
`03
`
`
`Safety certifications
`
`EMC certifications
`
`AS/NZS
`AS/NZS
`AS/NZS
`60950-1
`60950-1
`60950-1
`AS/NZS
`AS/NZS
`AS/NZS
`CISPR22
`CISPR22
`CISPR22
`Class B
`Class A
`Class A
`AS / ACIF
`AS / ACIF
`AS/ACIF
`AS/ACIFS
`ASSACFES
`Network homologation
`$ 002.S
`$902.5
`O16
`S$ 002.S
`O16
`016, S 043.1,
`O16,S 043.1,
`016, S 043.1
`$043.2
`$043.2
`
`AS/NZS
`60950-1
`
`
`
`AS/NZS
`60950-1
`
`$043.2
`
`.
`
`
`
`AS/NZS
`60950-1
`
`
`
`New Zealand
`Safety certifications
`
`EMCcertifications
`
`AS/NZS
`AS/NZS
`AS/NZS
`AS/NZS
`AS/NZS
`AS/NZS
`60950-1
`60950-1
`60950-1
`60950-1
`60950-1
`60950-1
`AS/NZS
`AS/NZS
`AS/NZS
`AS/NZS
`AS/NZS
`AS/NZS
`AS/NZS
`CISPR22
`
`CISPR22
`“ISPR22
`CISPR22
`CISPR22
`CISPR22
`CISPR22
`
`Class B
`Cl