
Thursday, October 14, 2010

Network security devices


OVERVIEW OF SECURITY DEVICE TYPES

A. Overview of product lines from different vendors

I. Cisco security products

II. SonicWall security products

III. Check Point security products

IV. Fortinet security products

V. WatchGuard security products

VI. Juniper security products

B. Recommended solutions for organizations

C. Evaluation and comparison

I. Evaluation and comparison by organizations

II. Evaluation and comparison by .

D. Contact information and references

A. Overview of product lines from different vendors

I. Cisco security products

1. Firewall

Cisco firewall products fall into the following main types:

  • PIX Firewall
  • Cisco IOS Advanced Security Feature Set
  • Firewall module for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers

a. PIX Firewall 500 Series

Firewall Performance

Cisco PIX 501: 60 Mbps

Cisco PIX 506E: 100 Mbps

Cisco PIX 515E: 188 Mbps

Cisco PIX 525: 330 Mbps

Cisco PIX 535: 1.6 Gbps

b. Cisco IOS Firewall and the Advanced Security Feature Set

Firewall Performance

Cisco SOHO 90: 10 Mbps

Cisco 830: 10 Mbps

Cisco 1710: 20 Mbps

Cisco 1711: 20 Mbps

Cisco 1712: 20 Mbps

Cisco 1721: 20 Mbps

Cisco 1751: 20 Mbps

Cisco 1760: 20 Mbps

Cisco 2611XM: 50 Mbps

Cisco 2621XM: 50 Mbps

Cisco 2651XM: 55 Mbps

Cisco 2691: 200 Mbps

Cisco 3725: 200 Mbps

Cisco 3745: 200 Mbps

c. FWSM (Firewall Service Module) for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

5 Gbps throughput,

100,000 connections per second (cps), and

1 million concurrent connections

Up to four FWSMs can be installed in the same chassis

d. Comparison of PIX Firewall, Cisco IOS Security Feature Set, and FWSM for Cisco Catalyst 6500 Series

Common features

| Feature | Benefit |
|---|---|
| Stateful inspection firewalling | Provides robust network and application security by enforcing administrator-defined access control policies while performing deep packet inspection and tracking the state of all network communications. |
| Application and protocol inspection | Delivers enhanced application and protocol security by using specialized inspection engines capable of examining data streams at Layers 4--. |
| Dynamic, per-user authentication and authorization | Provides flexible user authentication and authorization via integration with Cisco Secure Access Control Server (ACS) using RADIUS and TACACS+ protocols, which allows for integration into numerous user databases, including Microsoft Active Directory, Microsoft Windows NT domains, LDAP directories, and one-time password systems. |
| Dynamic and static NAT and Port Address Translation (PAT) | Provides extensive NAT application and protocol support and protects internal network addresses from the outside, providing an additional level of security. |
| Content filtering | Improves employee productivity through integration with leading third-party URL filtering solutions; supports URL filtering and blocks malicious Java applets. |
| Remote management | Offers a wealth of remote-management methods for configuration, monitoring, and troubleshooting. Management solutions range from highly scalable, centralized management tools to integrated, Web-based management, to support for remote-monitoring protocols such as Simple Network Management Protocol (SNMP) and syslog. |
| Administrative access control based on AAA | Provides granular control for administrative access based on the AAA services provided by the TACACS+ and RADIUS protocols. This allows administrators to enforce access policies to the level of what services and commands are allowed to each admin user or group. |
| Multiple DMZ support | Supports additional physical or virtual network interfaces that can provide protected access to servers (such as Web, e-mail, FTP, or DNS) on a shared network (DMZ). |
| Extensive multimedia support, including streaming video, streaming audio, and voice applications | Provides rich stateful inspection firewalling services for a wide range of VoIP standards and other multimedia standards, allowing businesses to securely take advantage of the many benefits that converged data, voice, and video networks provide, such as improved productivity and competitive advantage. |
| DoS protection | Provides several mechanisms to block and mitigate DoS attacks, such as TCP Intercept, TCP SYN cookies, DNS Guard, Flood Defender, Flood Guard, Mail Guard, and Unicast Reverse Path Forwarding (uRPF). |
| Secure dynamic routing | Supports Message Digest Algorithm 5 (MD5)-based and plain-text routing authentication for Routing Information Protocol (RIP) and Open Shortest Path First (OSPF), preventing route spoofing and various routing-based DoS attacks. |

Distinguishing features

Cisco PIX Security Appliances

| Customer Requirement | Cisco PIX Security Appliance Benefit |
|---|---|
| Purpose-built, best-of-breed, "all-in-one" security appliance | Cisco PIX security appliances provide state-of-the-art integrated network security services, including stateful inspection firewalling, protocol and application inspection, VPNs, inline intrusion protection, and rich multimedia and voice security. |
| Dedicated device for enterprise headends and data centers | Cisco PIX security appliances are security-specialized and run a hardened, embedded operating system, eliminating the common security holes of general purpose operating systems, and providing an unmatched system of overall security. |
| Separated security infrastructure | Cisco PIX security appliances can be implemented as dedicated security systems that, by providing advanced security features, allow an effective segregation of the security infrastructure from the rest of the network. |
| High availability | Cisco PIX security appliances can be deployed in pairs to provide stateful failover services that help to ensure resilient network protection for the most critical environments. The appliances configured as failover pairs continuously synchronize their connection state and device configuration data, and in the event of a system or network failure, network sessions are automatically transitioned between appliances, with absolute transparency to users. |

Cisco IOS Firewall

| Customer Requirement | Cisco IOS Firewall Benefit |
|---|---|
| One-box solution combining powerful security, QoS, multiprotocol routing, integrated WAN interfaces, and voice application support | The Cisco IOS Advanced Security Feature Set provides a comprehensive, integrated security solution, including stateful packet filtering, intrusion detection and protection, per-user authentication and authorization, VPN capability, extensive QoS mechanisms, multiprotocol routing, voice application support, and integrated WAN interface support in one box. |
| Leverage network infrastructure for security | The Cisco IOS Firewall can be loaded on existing Cisco IOS routers, providing greater investment protection in the network infrastructure. Reusing the same hardware chassis and components not only reduces the cost of ownership, but also the costs of operation—the same management infrastructure can be used and no additional staff training is required. |
| Extensive VPN support integrated with firewalling in a single device | Deploying Cisco IOS Firewall with Cisco IOS encryption and QoS VPN features enables secure, low-cost transmissions over public networks. Cisco IOS Firewall provides the most extensive VPN support, including but not limited to Dynamic Multipoint VPN (DMVPN), IPSec stateful failover, Easy VPN Remote, Easy VPN Server, site-to-site VPNs, Advanced Encryption Standard (AES), VPN acceleration cards, Voice and Video-Enabled VPN (V3PN), and VPN QoS. |

Cisco FWSM

| Customer Requirement | Cisco FWSM Benefit |
|---|---|
| Large enterprise headends and data centers | The Cisco FWSM provides the fastest firewall performance in the industry—5 Gbps throughput, 100,000 connections per second (cps), and 1 million concurrent connections. Up to four FWSMs can be deployed in the same chassis for a total of 20 Gbps of throughput. A single FWSM can support up to 2000 virtual interfaces (256 per context), and a single chassis can scale up to a maximum of 4096 VLANs. |
| Leverage network and switching infrastructure at the headend or data center | The FWSM can be deployed in existing Cisco Catalyst 6500 Series switches or Cisco 7600 Series routers, providing greater investment protection. |
| Firewall virtualization | A single FWSM can be partitioned into multiple virtual firewalls (security contexts). Up to 256 security contexts can be defined per module. This allows service providers and large enterprises to segregate different customers or functional areas over the same physical infrastructure. Virtual firewall support will be introduced with the Cisco FWSM 2.1 in Q4 CY2003. |
| High availability | The FWSM can be deployed in pairs to provide intra- or interchassis stateful failover services that ensure resilient network protection for the most critical environments. Modules configured in failover mode continuously synchronize their connection state and device configuration data, and in the event of failure, modules failover with absolute transparency to users. |

2. IDS

IDS comes in two main product lines:

  • IDS 4200 sensors
  • Catalyst® 6500 Series Intrusion Detection System (IDSM-2) Services Module

a. IDS 4200 sensors series

Cisco IPS 4255 Sensor
The Cisco IPS 4255 is a purpose-built appliance that supports unparalleled performance at 600 Mbps and can be used to protect gigabit subnets. Additionally, it delivers a high port density that allows effective mitigation of threats identified on multiple network subnets.
Cisco IDS 4250 XL Sensor
At 1 Gbps, the Cisco IDS 4250-XL offers unprecedented performance by providing customized hardware acceleration to protect fully-saturated gigabit links as well as multiple partially-utilized gigabit subnets.
Cisco IPS 4240 Sensor
At 250 Mbps, the Cisco IPS 4240 can be deployed to provide protection in switched environments, on multiple T3 subnets, and with the support of 10/100/1000 interfaces, it can also be deployed on partially utilized gigabit links.
Cisco IDS 4215 Sensor
The Cisco IDS 4215 delivers 80 Mbps of performance and is suitable for monitoring multiple T1 subnets. It supports up to five sniffing interfaces in a single 1 RU form factor.

b. Catalyst® 6500 Series Intrusion Detection System (IDSM-2) Services Module


3. VPN

Product groups used for VPN:

  • VPN Client
    • Cisco Easy VPN
    • Cisco VPN 3002 Hardware Clients
    • Cisco VPN Client
  • VPN Appliances
    • Cisco PIX 500 Series Firewalls
    • Cisco VPN 3000 Series Concentrators
  • VPN Integrated Switch/Router Services
    • Cisco 7400 Series Routers
    • Cisco 7300 Series Routers
    • Cisco 7200 Series Routers
    • Cisco 3700 Series Multiservice Access Routers
    • Cisco 3600 Series Multiservice Platforms
    • Cisco 2600 Series Multiservice Platforms
    • Cisco 1700 Series Modular Access Routers
    • Cisco 800 Series Routers
    • Cisco SOHO 90 Series Secure Broadband Routers
    • IPSec VPN Services Module (VPNSM) for Cisco Catalyst 6500 Switches and Cisco 7600 Series Routers

a. VPN Client

Cisco Easy VPN

Cisco VPN 3002 Hardware Clients

Cisco VPN Client

b. VPN Appliances

Cisco PIX

VPN 3000 Series Concentrator


| | Cisco VPN 3005 | Cisco VPN 3015 | Cisco VPN 3020 | Cisco VPN 3030 | Cisco VPN 3060 | Cisco VPN 3080 |
|---|---|---|---|---|---|---|
| Simultaneous IPSec Remote Access Users¹ | 200 | 100 | 750 | 1,500 | 5,000 | 10,000 |
| Simultaneous WebVPN (Clientless) Users² | 50 | 75 | 200 | 500 | 500 | 500 |
| Maximum LAN-to-LAN Sessions | 100 | 100 | 250 | 500 | 1,000 | 1,000 |
| Encryption Throughput | 4 Mbps | 4 Mbps | 50 Mbps | 50 Mbps | 100 Mbps | 100 Mbps |
| Encryption Method | SW | SW | HW | HW | HW | HW |
| Available Expansion Slots | 0 | 4 | 1 | 3 | 2 | 0 |
| Encryption (SEP) Module | 0 | 0 | 1 | 1 | 2 | 4 |
| Redundant SEP | - | - | Option | Option | Option | Yes |
| System Memory | 32/64 MB (fixed) | 128 MB | 256 MB | 128/256 MB | 256/512 MB | 256/512 MB |
| Hardware Configuration | 1U | Scalable 2U | Fixed 2U | Scalable 2U | Scalable 2U | Fixed 2U |
| Dual Power Supply | Single | Option | Option | Option | Option | Yes |
| Client License | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited | Unlimited |

c. VPN Integrated Switch/Router Services

Cisco IPSec VPN Services Module Features for 6500 Catalyst Switch module

| Feature | Description |
|---|---|
| High-speed VPN Performance | High-speed VPN performance provides up to 1.9 Gbps 3DES IPSec throughput at large packets and 1.6 Gbps at 300 byte packets. |
| VPN is Integrated into the Infrastructure | This feature supports Cisco Catalyst 6500 Series and Cisco 7600 Series chassis as well as both LAN and WAN interfaces, enabling an integrated security approach to building a VPN in your infrastructure. No separate VPN devices are needed within your campus, intranet, Internet data center, or point of presence (POP). |
| Comprehensive VPN Features | This feature provides hardware acceleration for both IPSec and GRE, comprehensive site-to-site IPSec, remote-access IPSec, and public key infrastructure (PKI). |
| Can Accommodate Diverse Network Traffic Types and Topologies | Cisco IOS® Software supports secure, reliable transport of virtually any type of network traffic, including multiprotocol, multicast, and IP telephony across the IPSec VPN. Rich routing capabilities enable meshed and hierarchical network topologies. |
| Ensures VPN Resiliency and High Availability | Routing over IPSec tunnels, DPD, HSRP+RRI, intrachassis and interchassis stateful failover for both IPSec and GRE provide superior VPN resiliency and high availability. |
| VPN and Network Infrastructure Management | Comprehensive systems for managing solutions from a single platform to hundreds or even thousands of platforms. Element management using the router Management Center and VPN monitor components of the CiscoWorks VPN/Security Management Solution. Comprehensive end-to-end VPN management of numerous platforms throughout your network using the Cisco IP Solution Center for service provider and large enterprise VPN, security, and quality-of-service. |

4. Antivirus

II. SonicWall security products

SonicWall products are characterized by combining firewall and VPN features in a single product.



PRO 5060



The PRO 5060 is a high-performance, multi-service security gateway for medium-to-large networks integrating gigabit-class firewall, VPN, intrusion prevention, anti-virus and content filtering into a single platform that's easy to install and manage.

  • High-performance architecture delivering 1+ Gbps stateful packet inspection firewall and 500 Mbps 3DES/AES VPN throughput
  • Two gigabit-class configurations: (6) 10/100/1000 copper gigabit Ethernet interfaces OR (2) SX/SC fixed multimode fiber and (4) 10/100/1000 copper gigabit Ethernet interfaces
  • Integrated SonicWALL security services including Intrusion Prevention Service, Network Anti-Virus and Content Filtering Service
  • Distributed wireless LAN capabilities allow easy integration of advanced WLAN services within existing network and security architectures utilizing SonicWALL SonicPoints
  • SonicOS Enhanced which provides:
    • ISP Failover and Hardware Failover for powerful business continuity
    • WAN Redundancy and Load Balancing for greater redundancy and network performance
    • Object-based Management for simple and consistent implementation and management of security policies


PRO 4060



SonicWALL PRO 4060 is a total security platform for complex networks, utilizing six fully configurable Ethernet interfaces to provide powerful, enterprise-class firewall throughput and VPN concentration.

  • High performance, stateful packet inspection firewall and 3DES/AES VPN throughput
  • Six fully configurable 10/100 auto-sensing Ethernet interfaces provide greater network configuration flexibility and internal security
  • Integrated SonicWALL security services including Intrusion Prevention Service, Network Anti-Virus and Content Filtering Service
  • Distributed wireless LAN capabilities allow easy integration of advanced WLAN services within existing network and security architectures utilizing SonicWALL SonicPoints
  • SonicOS Enhanced which provides:
    • ISP Failover and Hardware Failover for powerful business continuity
    • WAN Redundancy and Load Balancing for greater redundancy and network performance
    • Object-based Management for simple and consistent implementation and management of security policies


PRO 3060



SonicWALL PRO 3060 is a total security platform for complex networks, utilizing six fully configurable Ethernet interfaces to provide cost-effective, enterprise-class firewall throughput and VPN concentration.

  • High performance, stateful packet inspection firewall and 3DES/AES VPN throughput
  • Total security platform for enterprise-class firewall and VPN performance
  • Flexible and comprehensive deployment options for integration into existing networks
  • Support for SonicOS Enhanced which provides:
    • Six fully configurable 10/100 auto-sensing Ethernet interfaces provide greater network configuration flexibility and internal security
    • WAN ISP Failover to a second WAN port ensures highly reliable network connectivity for complete business continuity
    • Object/Policy-based management enables simple and consistent implementation and management of security policies


PRO 2040


SonicWALL PRO 2040 is a comprehensive network security, mobility and productivity solution utilizing a high performance architecture to deliver business-class firewall and VPN performance, advanced features and configuration flexibility in an affordable, rack-mounted appliance.

  • High performance architecture with stateful packet inspection firewall and 3DES/AES VPN throughput
  • Total security platform delivering business-class performance, advanced features and configuration flexibility
  • Integrated support for SonicWALL security services including Complete Anti-Virus, Global Security Client and Content Filtering Service
  • Support for SonicOS Enhanced which adds:
    • Fourth user-defined port for greater network configuration flexibility
    • ISP Failover for powerful business continuity
    • WAN Redundancy and Load Balancing for greater redundancy and network performance
    • Object-Based Management for simple and consistent implementation and management of security policies

PRO 1260



The SonicWALL PRO 1260 is a total security and switching platform delivering rock-solid network security and flexibility to small business and remote office networks through an integrated deep inspection firewall/VPN and wire-speed 24-port, auto-MDIX Layer 2 switch.

  • High-performance, stateful deep packet inspection firewall with powerful 3DES/AES VPN throughput
  • Integrated gateway anti-virus, intrusion prevention and content filtering capabilities provide multi-layered security
  • 24-port auto-MDIX Layer 2 switch for networking multiple home or office computers together
  • Dynamic DNS drastically reduces the costs associated with hosting e-mail servers, Web servers and site-to-site VPN
  • Optional port can be configured as a DMZ for public-facing servers or Internet resources
  • Easy-to-use configuration wizards simplify configuration and management


TZ 170 SP Wireless


SonicWALL TZ 170 SP Wireless is a total wired and wireless security platform ensuring continuous network uptime for critical, secure data connectivity through integrated and automated failover and failback technologies. This high-performance stateful deep packet inspection firewall provides secure 802.11b/g wireless connectivity along with automated broadband-to-broadband-to-analog WAN redundancy for unparalleled network uptime.

  • Impenetrable security for both the wired and wireless networks through a single security platform
  • High-performance, stateful deep packet inspection firewall with powerful 3DES/AES VPN throughput
  • Built-in analog modem and failover/failback technologies ensure continuous uptime for IPSec VPN tunnels
  • Supports the industry standard 802.11b/g wireless LAN (WLAN) technology for high-speed wireless performance
  • Advanced WLAN features such as Wireless Intrusion Detection Services (WIDS), wireless firewalling, secure wireless roaming and Wireless Guest Services (WGS)
  • Support for SonicOS Enhanced which adds:
    • ISP Failover for powerful business continuity
    • WAN Redundancy and Load Balancing for greater redundancy and network performance
    • Object-based Management for simple and consistent implementation and management of security policies


TZ 170 Wireless


SonicWALL TZ 170 Wireless is a total security platform delivering enterprise-class wireless security to small networks, integrating secure 802.11b/g wireless, firewall and VPN technologies in a cost-effective, easy-to-use solution. Available in multiple node configurations, this high-performance stateful deep packet inspection firewall provides impenetrable security on both the wireless and wired LANs.

  • Impenetrable security for both the wired and wireless networks through a single security platform
  • High-performance, stateful deep packet inspection firewall with powerful 3DES/AES VPN throughput
  • Supports the industry standard 802.11b/g wireless LAN (WLAN) technology for high-speed wireless performance
  • Advanced WLAN features such as Wireless Intrusion Detection Services (WIDS), wireless firewalling, secure wireless roaming and Wireless Guest Services (WGS)
  • Support for SonicOS Enhanced which adds:
    • Optional port that can be configured as an additional LAN, WAN, DMZ or WLAN
    • ISP Failover for powerful business continuity
    • WAN Redundancy and Load Balancing for greater redundancy and network performance
    • Object-based Management for simple and consistent implementation and management of security policies


TZ 170 SP



SonicWALL TZ 170 SP is a total security platform ensuring continuous network uptime for critical, secure data connectivity through integrated and automated broadband and analog failover and failback technologies. This high performance stateful deep packet inspection firewall offers automated broadband-to-broadband-to-analog WAN redundancy for unparalleled network uptime.

  • High-performance, stateful deep packet inspection firewall with powerful 3DES/AES VPN throughput
  • Built-in analog modem and failover/failback technologies ensure continuous uptime for IPSec VPN tunnels
  • Integrated 5-port auto-MDIX switch for networking multiple home or office computers together
  • Support for SonicOS Enhanced which adds:
    • Optional port that can be configured as an additional LAN, WAN, DMZ or WLAN
    • ISP Failover for powerful business continuity
    • WAN Redundancy and Load Balancing for greater redundancy and network performance
    • Object-based Management for simple and consistent implementation and management of security policies


TZ 170


SonicWALL TZ 170 is a total security platform, delivering rock-solid network security, flexibility and reliability to home, small, remote and branch offices. This high performance stateful deep packet inspection firewall ships in multiple node configurations and offers a choice between absolute ease of use for basic networks and ultimate flexibility for networks with more complex needs.

  • SonicWALL security processor delivers high-speed stateful packet inspection firewall and 3DES/AES VPN performance
  • Optional Port can be configured as a WorkPort creating an independent, isolated zone of trusted network security
  • Integrated 5-port auto-MDIX switch for networking multiple home or office computers together
  • Support for SonicOS Enhanced which adds:
    • ISP Failover for powerful business continuity
    • WAN Redundancy and Load Balancing for greater redundancy and network performance
    • Object-based Management for simple and consistent implementation and management of security policies
    • Policy-based NAT for greater control and flexibility to support and manage various NAT requirements


TZ 150


The SonicWALL TZ 150 delivers layered protection to small and home offices through an integrated stateful deep packet inspection firewall in an easy-to-use, low cost platform. Its compact form factor includes a single Ethernet WAN port and four-port LAN switch, allowing multiple devices to connect safely to the network.

  • High-performance, stateful deep packet inspection firewall with powerful 3DES/AES VPN throughput
  • Integrated support for SonicWALL security services including Gateway Anti-Virus/Intrusion Prevention Service, Network Anti-Virus and Content Filtering Service
  • 4-port auto-MDIX LAN switch for networking multiple home or office computers together
  • Dynamic DNS drastically reduces the costs associated with hosting e-mail servers, Web servers and site-to-site VPN
  • Comprehensive logging capabilities assist with remote troubleshooting
  • Easy-to-use configuration wizards simplify configuration and management

III. Check Point security products

Characteristics of Check Point products

- There are two product lines: hardware and software

- The products tend to combine multiple features in a single product: firewall, VPN, anti-virus

Check Point Product

Platform

Model

Throughput or Concurrent User
Category
1

Price

Check Point Connectra

Check Point

1050

50 Concurrent Users

$10,000
(License Included)

Check Point

1100

100 Concurrent Users

$15,000
(License Included)

Check Point

1250

250 Concurrent Users

$24,000
(License Included)

Check Point

2100

100 Concurrent Users

$24,000
(License Included)

Check Point

2250

250 Concurrent Users

$36,000
(License Included)

Check Point

2250U

Coming Soon

$54,000
(License Included)

Check Point

6250

250 Concurrent Users

$44,000
(License Included)

Check Point

6500

500 Concurrent Users

$60,000
(License Included)

Check Point

6500U

Coming Soon

$90,000
(License Included)

SecurePlatform

SW50

50 Concurrent Users

$8,000
(License Included)

SecurePlatform

SW100

100 Concurrent Users

$15,000
(License Included)

SecurePlatform

SW250

250 Concurrent Users

$30,000
(License Included)

SecurePlatform

SW500

500 Concurrent Users

$50,000
(License Included)

SecurePlatform

SW1000

1000 Concurrent Users

$60,000
(License Included)

Safe@Office

Check Point

Safe@Office 105

1.5-100 Mbps

$299
(License Included)

Check Point

Safe@Office 110

1.5-100 Mbps

$599
(License Included)

Check Point

Safe@Office 225

1.5-100 Mbps

$1,099
(License Included)

Check Point

Safe@Office 225U

100-200 Mbps

$1,799
(License Included)

Check Point

Safe@Office 405W

1.5-100 Mbps

$499
(License Included)

Check Point

Safe@Office 410W

1.5-100 Mbps

$799
(License Included)

Check Point

Safe@Office 425W

1.5-100 Mbps

$1,299
(License Included)

Check Point

Safe@Office 425UW

100-200 Mbps

$1,999
(License Included)

Nokia

IP40

1.5-100 Mbps

$549
(License Included)

Check Point Express*

Dell

PowerEdge 650

1-3 Gbps

$1,595

Dell

PowerEdge 2650

1-3 Gbps

$2,627

HP

ML 350 G3

1-3 Gbps

$2,967

IBM

x305

1-3 Gbps

$1,232

IBM

x335

1-3 Gbps

$3,016

Nokia

IP130

100-200 Mbps

$1,495

Solaris

Mid Range

1-3 Gbps

$2,995

Sun

iForce VPN/Firewall Appliance

1-3 Gbps

$2,750

Check Point InterSpect

Check Point

InterSpect 210

200-500 Mbps

$9,000
(License Included)

Check Point

InterSpect 210N

200-500 Mbps

$11,000
(License Included)

Check Point

InterSpect 410

500-1000 Mbps

$18,000
(License Included)

Check Point

InterSpect 610

1-3 Gbps

$36,000
(License Included)

Check Point

InterSpect 610F

1-3 Gbps

$39,000
(License Included)

VPN-1 Pro

3Com

Security Switch 6200

1-3 Gbps

$25,000

Bivio

1000

1-3 Gbps

$48,000

Bivio

1000S

>3 Gbps

$96,000

Bivio

1000E

1-3 Gbps

$29,000

Bivio

1000ES

1-3 Gbps

$58,000

Celestix

FV830

100-200 Mbps

$1,499

Celestix

FV930

200-500 Mbps

$3,999

Check Point

VPN-1 Edge S8
(License Included)

1.5-100 Mbps

$399
(License Included)

Check Point

VPN-1 Edge X16
(License Included)

1.5-100 Mbps

$799
(License Included)

Check Point

VPN-1 Edge X32
(License Included)

1.5-100 Mbps

$1,199
(License Included)

Check Point

VPN-1 Edge XU
(License Included)

100-200 Mbps

$1,999
(License Included)

Corrent

SR500

>3 Gbps

$35,900

Corrent

SR600

>3 Gbps

$39,900

Crossbeam

C10

1-3 Gbps

$9,995

Crossbeam

C30

1-3 Gbps

$24,000

Crossbeam

X45

>3 Gbps

$63,000

Crossbeam

X80

>3 Gbps

$73,000

HP

DL320 G2

200-500 Mbps

$5,752

HP

DL360 G3

1-3 Gbps

$7,188

HP

ML370 G3

1-3 Gbps

$7,936

HP

DL380 G3

1-3 Gbps

$7,900

HP

DL580 G2

1-3 Gbps

$20,838

IBM

x345

1-3 Gbps

$2,449

i-Security

SP-3040

200-500 Mbps

$4,799

i-Security

SP-4060

1-3 Gbps

$7,199

i-Security

SP-4500

1-3 Gbps

$13,899

Intrusion

PDS 2315

200-500 Mbps

$2,495

Intrusion

PDS 2415

200-500 Mbps

$3,995

Intrusion

PDS 5115

200-500 Mbps

$3,995

Intrusion

PDS 5315

200-500 Mbps

$5,995

Intrusion

PDS 5415

200-500 Mbps

$5,495

Intrusion

PDS 5515

200-500 Mbps

$7,995

Intrusion

PDS 7215

500-1000 Mbps

$12,995

Intrusion

PDS 7315

1-3 Gbps

$17,495

Linux

Basic

200-500 Mbps

$500

Linux

Mid Range

200-500 Mbps

$2,000

Linux

High Performance

1-3 Gbps

$4,000

Nokia

IP130

100-200 Mbps

$1,495

Nokia

IP350

200-500 Mbps

$5,795

Nokia

IP380

500-1000 Mbps

$9,995

Nokia

IP530

500-1000 Mbps

$16,495

Nokia

IP710

1.3 Gbps

$19,995

Nokia

IP740

1-3 Gbps

$29,995

Nokia

IP1220

1-3 Gbps

$32,995

Nokia

IP1260

>3 Gbps

$48,995

Nokia

IP2250

>3 Gbps

$79,995

Nortel

ASF 5106

200-500 Mbps

$5,495

Nortel

ASF 5114

1-3 Gbps

$15,995

Nortel

ASF 5109

1-3 Gbps

$11,995

Nortel

ASF 5409

500-1000 Mbps

$23,990

Nortel

ASF 5614

>3 Gbps

$43,990

Nortel

ASF 5714

>3 Gbps

$51,990

Nortel

ASF 6414

>3 Gbps

$44,990

Resilience

DX4210

500-1000 Mbps

$7,995

Resilience

DX4220

500-1000 Mbps

$9,995

Resilience

DX4230

1-3 Gbps

$11,395

Resilience

DX4240

1-3 Gbps

$12,795

Resilience

DX4510

500-1000 Mbps

$16,495

Resilience

DX4520

500-1000 Mbps

$17,995

Resilience

DX4530

1-3 Gbps

$24,495

Resilience

DX4540

1-3 Gbps

$28,995

Resilience

DX4610

500-1000 Mbps

$17,995

Resilience

DX4620

500-1000 Mbps

$18,995

Resilience

DX4630

1-3 Gbps

$24,995

Resilience

DX4640

1-3 Gbps

$29,995

Resilience

MX4250

1-3 Gbps

$23,995

Resilience

MX4270

>3 Gbps

$42,595

Resilience

MX4550

1-3 Gbps

$49,995

Resilience

MX4570

>3 Gbps

$90,995

Resilience

MX4650

1-3 Gbps

$51,995

Resilience

MX4670

1-3 Gbps

$92,995

SecureGuard

SA1200/SA1300

1-3 Gbps

$6,552

SecureGuard

SA2700/SA2800

1-3 Gbps

$12,845

SecurePlatform

Basic

200-500 Mbps

$500

SecurePlatform

Mid-Range

1-3 Gbps

$2,000

SecurePlatform

High Performance

>3 Gbps

$5,000

SecurePlatform
+SecureXL Turbocard

High Performance

1-3 Gbps

$20,000

Siemens

4Your Safety

1-3 Gbps

$3,100

smart-platform.com

SMARTGig

>3 Gbps

$4,995

Solaris

Basic

100-200 Mbps

$995

Solaris

Mid Range

1-3 Gbps

$2,995

Solaris

High Performance

1-3 Gbps

$5,000

Sun

iForce VPN/Firewall Appliance

>3 Gbps

$2,750

Windows

Basic

200-500 Mbps

$1,500

Windows

Mid Range

200-500 Mbps

$3,000

Windows

High Performance

500-1000 Mbps

$5,000

VPN-1 Pro
(Chassis/blade platforms)

Blade Fusion

IP-X 100

200-500 Mbps

$8,995

Blade Fusion

IP-X 1000

>3 Gbps

$34,995

Crossbeam

X40

>3 Gbps

$52,600+

Crossbeam

X80

>3 Gbps

$73,000

VPN-1 Pro
(PCI-based platforms)

14 South Networks

Security Appliance Card NL

200Mbps

$2,495

14 South Networks

Security Appliance Card CX

200-500 Mbps

$3,695
(License Included)

14 South Networks

Security Appliance Card LX

200Mbps

$4,995
(License Included)

VPN-1 VSX

| Platform | Model | Throughput | Price |
|---|---|---|---|
| Crossbeam | X40 - VSX | >3 Gbps | $52,600+ |
| Crossbeam | X80 - VSX | >3 Gbps | $73,000 |
| Intrusion | PDS 7330 - VSX | 1-3 Gbps | $17,495 |
| Nortel | ASF 5114 - VSX | 1-3 Gbps | $15,995 |
| Nokia | IP740 - VSX | 1-3 Gbps | $29,995 |
| Nokia | IP1260 - VSX | >3 Gbps | $48,995 |
| SecurePlatform | High Performance | >3 Gbps | $5,000 |

FireWall-1 GX

| Platform | Model | Throughput | Price |
|---|---|---|---|
| Nokia | IP740 - GX | 1-3 Gbps | $29,995 |

IV. Fortinet Security Products

FortiGate Antivirus Firewall Capabilities

ICSA-certified in four technologies:

Intrusion Detection

Firewall

Antivirus

IPsec

Product lines

SERVICE PROVIDERS

- FortiGate-5140

- FortiGate-5050

- FortiGate-5020

- FortiGate-4000

- FortiGate-3600

- FortiGate-3000

ENTERPRISE

- FortiGate-1000

- FortiGate-800

- FortiGate-500A

- FortiGate-500

- FortiGate-400A

- FortiGate-400

- FortiGate-300A

SOHO & SMB

- FortiGate-300

- FortiGate-200A

- FortiGate-200

- FortiGate-100A

- FortiGate-100

- FortiGate-60

- FortiGate-50A

1.1 SOHO & SMB

FortiGate Antivirus Firewalls for Telecommuters, SOHOs, and Small/Medium-Sized Businesses
The FortiGate-50A, 60, 100, 100A, 200, 200A and 300 model Antivirus Firewalls are the ultimate all-in-one, real-time network protection solutions. These easy-to-deploy and easy-to-administer systems deliver exceptional value and performance for small offices, home offices, small and medium sized businesses and branch office applications. With a complete complement of services — including antivirus, firewall, VPN, intrusion detection and prevention, content filtering, and traffic shaping — a wide range of organizations can now enjoy protection from the most damaging threats without penalties in performance, cost, or manageability. The FortiGate installation wizard guides users through a simple process that enables most installations to be up and running in minutes. With throughput ranging from 30Mbps to 200Mbps, FortiGate-50A, 60, 100, 100A, 200, 200A and 300 can enable any organization to stay connected and protected against network-based threats.

FortiGate-50A

$495.00





The FortiGate-50A Antivirus Firewall addresses the needs of small office/home office (SOHO) applications. Easily installed using the browser-based Installation Wizard, the FortiGate-50A Antivirus Firewall is up and running in minutes, providing comprehensive protection and content control at a very affordable price. The FortiGate-50A provides all the same functionality as other FortiGate devices and is targeted for telecommuters and small remote offices with 5 or fewer employees.

  • Ideally suited for remote offices, retail stores, broadband telecommuter sites and many other applications
  • Provides complete real-time network protection through a combination of network-based antivirus, web and email content filtering, firewall, VPN, network-based intrusion detection and prevention, and traffic shaping

FortiGate-60

$695.00


The FortiGate-60 system is an ideal solution for small offices. The FortiGate-60 features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch, giving networked devices a direct connection to the FortiGate-60.

  • Dual WAN link support for redundant Internet connections, and an integrated 4-port switch provide flexible deployment
  • Delivers superior performance and reliability from hardware accelerated, ASIC-based architecture

FortiGate-100

$1,395.00




The FortiGate-100 Antivirus Firewall addresses small office applications that require extra features and performance. The FortiGate-100 Antivirus Firewall includes a DMZ port to support local email and web servers, and is compact enough to fit anywhere.

  • Perfect solution for small business, remote/satellite offices
  • Easy to use and deploy: a quick configuration wizard walks administrators through initial setup with a graphical user interface

FortiGate-100A

$1,695


The FortiGate-100A system is an ideal solution for small offices. The FortiGate-100A features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch, giving networked devices a direct connection to the FortiGate-100A.

  • Dual DMZ ports provide additional network segmentation for web and mail servers
  • Dual WAN ports support redundant, load-balanced links to multiple ISPs

FortiGate-200

$2,995.00

The FortiGate-200 Antivirus Firewall provides the best combination of performance and value for small businesses and branch offices. It includes an internal hard drive for logging and analysis of usage and attacks. The FortiGate-200 antivirus firewall is easily managed in both stand-alone and multi-site applications, and is fully compatible with all members of the scalable FortiGate family.

  • Internal logging capabilities are built into the FortiGate-200 through an internal, high-capacity hard drive
  • Features Internal, External and DMZ interfaces for basic network segregation

FortiGate-200A

$3,495

The FortiGate-200A Antivirus Firewall is an ideal solution for small to medium sized businesses. The FortiGate-200A platform features dual WAN link support for redundant internet connections, and an integrated 4-port switch that eliminates the need for an external hub or switch, giving networked devices a direct connection to the FortiGate-200A unit.

  • Delivers high performance for small to mid-sized organizations that require real-time network security services
  • Features 4 routed 10/100 interfaces with a 4-port Internal switch interface

FortiGate-300

$5,995.00

The FortiGate-300 Antivirus Firewall addresses the needs of medium-sized businesses and enterprise branch offices, and is especially well suited for large remote access populations, with support for 1,500 concurrent remote users.

  • Boasts the best combination of price, performance, and value relative to all other products on the market
  • Front-panel LCD and keypad on FortiGate-300 ease deployment by setting basic system parameters without an external console

1.2 Enterprise

FortiGate Antivirus Firewalls for Enterprise
The FortiGate™ Enterprise Series, which includes the FortiGate-300A, 400, 400A, 500, 500A, 800 and 1000 Antivirus Firewall models, meets enterprise-class requirements for performance, availability and reliability. They include all of the key capabilities provided by other FortiGate models, with integrated, real-time antivirus, firewall, VPN, network intrusion detection and prevention, and traffic-shaping services. With throughputs up to 1Gbps, high-availability features including automatic failover with no session loss, and multi-zone capabilities, units in the FortiGate Enterprise Series are the choice for mission critical applications.

FortiGate-300A

$6,495

The FortiGate-300A Antivirus Firewall provides performance, flexibility, and security necessary to protect today's growing small and medium sized enterprise networks. The FortiGate-300A platform features two 10/100/1000 tri-speed ethernet ports for networks running at or upgrading to gigabit speeds.

  • Boasts the best combination of price, performance, and value relative to all other products on the market
  • Features 2 Gigabit Ethernet interfaces and 4 user-definable 10/100 interfaces

FortiGate-400

$7,995.00






The FortiGate-400 Antivirus Firewall delivers enterprise-class security and availability. It can detect viruses and worms, and filter web traffic in real time, and also provides high-performance firewall, VPN and traffic shaping functions. The FortiGate-400 Antivirus Firewall includes a high-availability port and fail-over logic to support redundant configurations, making it ideal for mission-critical applications.

  • Excellent solution for mid-sized enterprises looking for a comprehensive network protection solution
  • Multi-zone functionality allows granular segmentation for better control over security policies and network traffic

FortiGate-400A



The FortiGate-400A Antivirus Firewall provides performance, flexibility, and security necessary to protect today's growing enterprise networks. The FortiGate-400A platform features two 10/100/1000 tri-speed ethernet ports for networks running at or upgrading to gigabit speeds, and 4 user-definable 10/100 ports that provide redundant WAN links, high availability, and multi-zone capabilities, allowing administrators a high degree of flexibility to segment their network into zones and create policies to control network traffic between zones.

  • 2 Gigabit Ethernet interfaces and 4 user-definable 10/100 interfaces combine to provide increased scalability for growing mid-sized enterprises
  • Can be deployed as a high performance antivirus and content filtering gateway, or as a complete network protection solution leveraging firewall, intrusion detection and prevention, and VPN capabilities

FortiGate-500

$9,995.00

The FortiGate-500 Antivirus Firewall is a multi-zone network protection solution that enables organizations to segment their internal and external networks into independent security "zones," each with unique access and security policies. With 12 user-configurable ports in a 1U high unit, the FortiGate-500 Antivirus Firewall achieves a level of density, performance, and cost per port unmatched by any other system.

  • 12 10/100 Base-T Ethernet ports combined with multi-zone functionality provides best of class flexibility in deployment
  • Provides award-winning network protection functionality including network-based antivirus, web content filtering, firewall, VPN and network-based intrusion detection and prevention

FortiGate-500A


The FortiGate-500A Antivirus Firewall provides performance, flexibility, and security necessary to protect today's growing enterprise networks. The FortiGate-500A platform features two 10/100/1000 tri-speed ethernet ports that provide flexibility for networks running at or upgrading to gigabit speeds, 4 user-definable 10/100 ports for redundant WAN links, high availability, and multi-zone capabilities that allow administrators a high degree of flexibility to segment their network into zones for granular control of network traffic, and an internal 4-port switch for direct connectivity with the FortiGate-500A.

  • Ideally suited for enterprise networks, the FortiGate-500A is unmatched in capabilities, speed, and price/performance
  • Features 6 routed 10/100 ports with 4 switched 10/100 ports to provide flexibility in deployment of Fortinet's best of class functionality

FortiGate-800

$11,995.00




The FortiGate-800 Antivirus Firewall provides the performance, flexibility, and security necessary to protect today's most demanding large enterprise networks. The FortiGate-800 can be deployed as a high performance antivirus and content filtering gateway, or as a complete network protection solution leveraging firewall, VPN, and IDP capabilities. The FortiGate-800 Antivirus Firewall features 4 10/100/1000 tri-speed ethernet ports for networks running at gigabit speeds and 4 user-definable 10/100 ports that provide granular security through multi-zone capabilities, allowing administrators to segment their network into zones and create policies between zones.

  • 4 10/100/1000 tri-speed ethernet ports reduce costs for networks upgrading to gigabit speeds
  • Ideal solution for enterprises that require high performance, flexible deployment, and granular control over network traffic

FortiGate-1000

$12,995.00

The FortiGate-1000 Antivirus Firewall provides gigabit-level performance and security capabilities that meet the needs of the most demanding enterprise networks. The FortiGate-1000 can be deployed as a high performance antivirus and content filtering gateway, or as a complete network protection solution leveraging firewall, VPN, and NIDS capabilities.


  • Gigabit-level performance and security capabilities that meet the needs of the most demanding large enterprise networks
  • Provides granular security with independent security zones and policies mapped to VLAN tags

1.3 Service Provider

FortiGate Antivirus Firewalls for Large Enterprises and Service Providers
Fortinet's Series for Large Enterprises and Service Providers, which includes the FortiGate-5000 Series, FortiGate-4000, FortiGate-3000 and FortiGate-3600 Antivirus Firewalls, delivers best-of-breed, network-based antivirus protection. They can provide real-time antivirus protection for email and Web traffic in conjunction with existing firewall, VPN and IDS systems, or can be deployed for full network protection services with a simple configuration change. These gigabit-capacity units are designed to meet the most stringent requirements for performance and reliability, and include redundant, hot-swappable power supplies and fans to minimize single-point failures, and also support redundant fail-over with no interruption in service. The high capacity, reliability and easy management of units in this series make them natural choices for managed service offerings.

FortiGate-5000 Series


The FortiGate-5000 systems are a family of chassis-based modular systems that provide the highest scalability for Antivirus firewalls. Three chassis are available: a FortiGate-5020 (2 slot), a FortiGate-5050 (5 slot) and the FortiGate-5140 (14 slot). The family also consists of two modules: a FortiGate-5001 Antivirus Firewall processing module and a FortiGate-5003 Switch module. All members of the FortiGate-5000 family can contain multiple FortiGate-5001 modules, but the FortiGate-5003 can only be used in the FortiGate-5050 and FortiGate-5140 chassis.


  • The first security-based ATCA Platform
  • Most scalable (up to 112 GigE interfaces), multi-function security platform available
  • Allows customers to design and create remarkably secure networks
  • Integrates multiple security functions into an ASIC-accelerated security platform
  • Lower capital and operational expenditures when compared to combining multiple vendors
  • Performs the following security functions in an integrated solution: stateful firewall, antivirus, IDS/IPS, VPN, anti-spam, web content filtering, and bandwidth shaping
  • In a class by itself: No other security solutions provide the performance scalability, density of ports and firewall, antivirus, IPS/IDS, VPN, anti-spam and Web content filtering integration

FortiGate-4000

$64,995.00

FortiGate-4000 systems are comprised of a FortiGate-4000 Chassis, a varying number of FortiBlade-4010 Modules, and a combination of network interface modules that provide varying throughput and interface requirements. The FortiGate-4000 system provides redundant, hot-swappable cooling fans and power supplies to ensure high-availability power and cooling. Each of the FortiBlade-4010 Modules is equipped with the FortiASIC™ Content Processor chip and provides high performance firewall, VPN, antivirus, intrusion detection and prevention, Web and email content filtering and traffic shaping services.

  • Scalable architecture supports optimal content security solution for Large Enterprise and Managed Security Service Providers (MSSPs)
  • FortiBlade Modules can be clustered using active-active and active-passive configurations to support high-availability operation for mission-critical applications

FortiGate-3600

$29,995.00




The FortiGate-3600 Antivirus Firewall establishes a new level of price-performance for gigabit capacity network security systems. With six gigabit-capacity interfaces and up to 4 Gbps throughput, the FortiGate-3600 enables a new generation of protection against today's increasingly content-based attacks.

  • Optimal solution for large enterprises and Managed Security Service Providers (MSSPs)
  • Provides 4 gigabit fiber (SX or LX) ports and 2 gigabit copper ports for the most demanding large enterprise and service provider networks

FortiGate-3000

$19,995.00

The FortiGate-3000 Antivirus Firewall is a carrier-class device with three gigabit capacity ports and a full complement of network protection features. Multiple FortiGate-3000s can be deployed in redundant clusters to ensure nonstop operation.

  • Ideal solution for large enterprises and Managed Security Service Providers (MSSPs) looking to add new security services
  • Highly available architecture and redundant hot-swappable power supplies ensure non-stop operation

V. WatchGuard Security Products

Firebox® X

For small- to mid-sized enterprises seeking to secure a central office network with a fully model-upgradeable firewall appliance that integrates multiple security capabilities for total network protection.

  • Full model upgradeability enables you to upgrade your Firebox® X appliance with a simple license key that easily unlocks more security capabilities and features as your needs grow.
  • An Intelligent Layered Security (ILS) architecture provides better protection by integrating firewall and VPN, Gateway AntiVirus for E-mail, intrusion prevention, zero day protection through deep application inspection, Web filtering, spam blocking, and authentication capabilities into a single appliance.
  • Rich, intuitive interfaces with easy setup wizards, real-time monitoring, reporting, and alerts give you more time to focus on your core business.
  • Seamless VPN integration with Firebox® X Edge appliances enables you to secure your entire network – from your central office down to your telecommuters and remote offices – and easily manage it from one central location.

2.2 Firebox® X Edge

Firebox® X Edge

A line of VPN endpoint/firewall security appliances for smaller businesses (10 to 50 computers) seeking to secure their network, or for small- to mid-sized enterprises seeking to extend the integrated security of their Firebox X-protected network to telecommuters and remote offices.

  • Full model and service upgradeability enables you to upgrade your Firebox® X Edge appliance with a simple license key that easily unlocks more security capabilities and features as your needs grow.
  • Integrated firewall/VPN and security capabilities to protect your network. Wireless models extend your security to wireless users and include secure IPSec VPN connectivity.
  • A web-based intuitive interface with smart defaults, easy setup wizards, and default application-specific security policies gives you more time to focus on your business.

2.3 Firebox® SOHO 6

Firebox® SOHO 6

For small businesses and branch or remote offices who want more than a stateful packet firewall.

2.4 Firebox® Vclass

Firebox® Vclass

For medium-sized enterprises needing advanced networking features and high-speed network security.

  • Provides superior cut-through architecture performance, advanced networking features, and thousands of VPN tunnels at an incredible price.
  • Integrates firewall/VPN, application layer intrusion prevention, and QoS traffic management functionality with Gigabit and 10/100 Ethernet connections.
  • Built-in management tools for consistent network security: auto device discovery, installation wizards, real-time monitoring, and policy checking.

2.5 Firebox® III

Firebox® III

Our third-generation Firebox appliance provides firewall/VPN and Mobile User VPN at an affordable price.

VI. Juniper Security Products

E-series Platforms

  • Carrier-class routing
  • Subscriber Management and IP Services
  • Wire-speed performance with next-generation architecture

The Juniper Networks E-series platform is a central component of the infranet edge. With a proven architecture that has been deployed in many different roles in the world’s largest broadband networks, the E-series family is capable of providing multiple services – including broadband remote access server, broadband video services, dedicated access, voice over IP, Internet access, security services, network address translation, and others – on a single platform. The modular architecture of the E-series ensures that service providers need only deploy the number and types of routers that fit their needs and budget, while they retain the ability to add capacity and services as their needs grow.

E-series platforms provide port variety, performance, and flexible IP service capabilities to meet the requirements of Infranets. The ability to combine a wide range of high-performance interfaces ranging from DS-0 through OC-48c/STM-16 with a consistent feature set and predictable performance enables the E-series to deliver critical applications at the edge, including voice, video and data. Hardware-based Multiprotocol Label Switching (MPLS) and fine-grained Quality of Service (QoS) features ensure the ability to support a variety of traffic types ranging from the best-effort requirements of IP traffic to the time-sensitive requirements of legacy ATM and Frame Relay traffic.

The installation of a single E-series router allows service providers to offer dedicated access services for some users, broadband subscriber management for others, and next-generation IP services for others. Additionally, when combined with the SDX-300 Service Deployment System, service providers have a new level of control to quickly define and activate policy-based IP services on a per subscriber basis.

The E-series family includes five models: the high-capacity ERX-1440, the mid-range ERX-1410, the ERX-710 and ERX-705, and the compact ERX-310. All models feature a full suite of Internet routing protocols, including BGP-4, IS-IS, OSPF, and RIP. E-series edge routers provide scalable capacity for tens of thousands of users, making them ideal for service providers that operate high capacity POPs. The E-series family provides switch fabric options that operate at 5, 10, or 40 Gbps, and supports high-port density WAN interfaces in a compact package. A wide range of interface options includes OC-3/STM-1, OC-12/STM-4, OC-48/STM-16, Fast Ethernet, and Gigabit Ethernet, as well as channelized DS-1, DS-3, E1, and E3.

J-series

  • J2300 Services Router - Fixed platform with one primary and one expansion slot for 1 and 2x T1/E1 sites
  • J4300 Services Router - Modular platform with six open slots for Nx T1/E1 sites
  • J6300 Services Router - Modular platform with six open slots for DS3 sites

The J-series Services Router delivers the advanced JUNOS modular operating system in a hardware platform ideal for smaller sites, including remote, branch, and regional offices. The modular JUNOS software runs many functions independently to deliver high levels of security, uptime and performance with reduced operations effort. J-series provides enterprises, government organizations, and research and education groups a forward-looking platform to build converged IP and IP/MPLS infrastructures.

JUNOS is an advanced, modular operating system for networking with a rich feature set developed over the past six years and now deployed in the top 25 carrier networks in the world. The modular and coherent design of the JUNOS operating system is fundamentally different than legacy routing systems. By running multiple functions in parallel on assigned processing resources, JUNOS delivers high stability with the flexibility to enable advanced routing, QOS, security, and management policies with predictable performance.

With the JUNOS operating system Juniper's routers deliver the following benefits to enterprises and those who manage their networks.

  • Security - From a heritage of operating in the open, hostile environments of service providers, Juniper delivers the most advanced set of mechanisms for fully protecting routers from outside threats. Juniper routers give network staff complete control over the router, even while under attack, with the console port always available to add new filters and policies in a few, fast simple steps.
  • High Uptime - The modular and fault-protected software design of JUNOS delivers high levels of resiliency and stability in J-series. Unlike traditional routers where any small bug can quickly spread into a larger problem, each software module in JUNOS runs independently and cannot impact other areas. Other resiliency features include next generation CLI for accurate configuration and a rescue button for fast system recovery.
  • Predictable Performance - Juniper's routers maintain high levels of QoS control and throughput when needed most during the most-demanding periods of network congestion. Modular software architectures are essential for the sorting and scheduling of traffic to assure that the most important applications have first priority to networking resources.
  • Reduced Operation - JUNOS, JUNOS CLI and Juniper's management platforms reduce the operations complexities that occur in networks to ease remote support and management. Advances in remote operations include a rescue button that any on-site personnel can activate; commit check, commit confirm and configuration rollback to ensure the validity of configuration changes; and auto record features that support rapid diagnostics. Additionally, JUNOS has ONE code train, and the JUNOS operating system is standard across the routing product line to greatly reduce the effort required for software patches and upgrades.

M-series

  • Cost efficient scalability
  • Best-in-class IP routing and MPLS capabilities
  • Proven dependability features to ensure traffic can quickly reroute around failures

Juniper Networks M-series portfolio uniquely combines best-in-class IP/MPLS capabilities with unmatched dependability, security, and service richness to enable providers to transform from Internet to Infranet. The M-series is extremely versatile and can be deployed at the edge of provider networks, in small and medium cores, in peering, route reflector, and data center applications. However, the most significant M-series innovations over the last few years have dramatically expanded its edge capabilities. Today the M-series is predominantly being deployed at the IP/MPLS edge to support high-performance Layer 2 and Layer 3 services--we call this location and functionality the infranet multiservice edge.

As providers build infranets the first step is to deploy a fundamentally high performance, secure, and reliable IP/MPLS infrastructure. The second step in the transformation is to consolidate all services onto that single multiservice infrastructure. The infranet multiservice edge is a critical location in this infrastructure because this is where thousands of enterprise customer connections (represented by DSx/VC/VLAN/DLCI) are managed and VPNs and services are signaled across the network to other edge platforms. The multiservice edge platform must support:

  • Control plane scale & stability for 1000’s of interfaces & VPNs
  • Forwarding plane scale & stability for multiple services per customer
  • Security & reliability for 1000’s of customers on one platform
  • Rich support for current & emerging layer 2 and layer 3 services
  • One multiservice platform to maximize ROI

The M-series meets these needs to reliably and stably scale edge services in the world’s largest networks. Constructed with a clean separation between control plane, forwarding plane, and services plane, M-series routers support multiple services without compromise on a single platform - maximizing revenue and minimizing operational and capital costs. This hardware approach is combined with the highly scalable, secure, and reliable JUNOS software. A single service-rich JUNOS image operates across all M-series and T-series ensuring minimized operational expense and continuity of service as providers upgrade to larger platforms.

From a Layer 2 perspective the J-FASE (Juniper Frame and ATM Service Emulation) toolkit combined with M-series performance enables accurate emulation of ATM and Frame Relay services over MPLS. In the same platform, rich Ethernet services are supported enabling providers to capture revenue from this emerging service. In addition, tools such as Layer 2.5 Interworking VPNs are available to smoothly migrate customers from ATM/FR to Ethernet services as demand dictates.

Adding even more value, the same M-series platform also delivers rich Layer 3 services including the industry's most scalable and comprehensive VPN portfolio, granular per logical interface QoS, hardware-based IPv6, wide ranging multicast support, and high-performance security capabilities such as NAT, stateful firewall, and IPSec encryption.

The unique architectural approach and ability to scale services has proven its success, as Juniper Networks provides the IP/MPLS foundation for over 600 networks in 47 countries, including 24 of the top 25 service provider networks in the world.

T-series Core Platforms


T-series Platforms

Proven Core Platform

  • Juniper's 3rd generation service provider core platforms
  • Deployed in over 75 service provider networks worldwide
  • Leveraging production-hardened JUNOS™ routing software

Highly Reliable, Available

  • Clean separation of control plane, forwarding plane, and services
  • Fully modular software and hardware architectures
  • Fully redundant design with a rich resiliency feature set

Optimal Scalability: The 3-Dimensional Strategy

  • Right-sized platforms: Maximum densities in a 19 1/2" rack footprint
  • Rich software & services: The original purpose-built, modular OS - JUNOS
  • Multi-chassis extensibility: Enabled by Matrix™ technology

Juniper Networks extends its leadership to help you transform the business of networking by delivering the most feature rich, stable, and resilient core routing solutions in the industry - The T-series.

At the heart of the Infranet is the network core, which provides connectivity from network edge to network edge. In the Internet model, the core of the network was concerned primarily with raw forwarding speed, expecting most service creation and other forms of network intelligence to come from the edge of the network. The Infranet, however, is predicated on the idea that an assured user experience requires network intelligence to protect user traffic from ingress to egress and all along the network path. Juniper Networks platforms free you from the traditional trade-off between rich services and performance by offering sophisticated processing capability on a true multi-service platform. With the T-series platforms companies can reduce operational and capital expenses, while easily providing a customized solution set and user experience, paving the way to flexible, powerful, and profitable network service delivery.

Juniper Networks continues a long tradition of core product innovation (M40, M160), and consolidates its leadership in the core by introducing the T-series routers: the first deployed, generally available multi-terabit, multi-chassis capable platforms.

The T-series third-generation platforms deliver breakthrough economics by requiring fewer routers and eliminating intermediate layers, thus reducing complexity and dramatically lowering capital expenditures and operational overhead. T-series routers offer unprecedented network asset longevity and greater returns on investments with interface (PIC) portability across all M-series and T-series platforms. The Internet-hardened and highly dependable JUNOS software ensures that service providers and information-intensive enterprises can strategically invest and transition to a common MPLS infrastructure with no impact to service levels, as they grow the traffic handling capacities to multi-terabit rates.

TX Matrix Platform

The TX Matrix platform is the newest member of the industry leading T-series family of core routing platforms and is the central switching and routing head in a T640 multi-chassis system. Juniper Networks Matrix technology enables the optical extension of the switch fabric and allows customers to interconnect T640s to the TX Matrix at distances of up to 100 meters away. The TX Matrix allows customers to interconnect up to (4) T640 routing nodes today, for 2.5 terabits of routing capacity delivering over 3 billion packets per second of throughput, and is architected to scale well beyond by leveraging a highly extensible Clos switch fabric design. The TX Matrix is an extension of the industry hardened T640 Routing Node, leveraging proven silicon to ensure a stable, reliable, and highly available core solution. And like all Juniper T-series, M-series, and J-series products, the TX Matrix runs the industry's premier routing operating system - JUNOS - ensuring full features, stability, and resiliency are available from day one.

T640 Routing Node

The T640 Routing Node is the industry's first 40G capable platform, delivering 640Gbps of capacity and up to 770 million packets per second of throughput. And with over 75 customers worldwide, and over 2 years of service in the world's largest networks, the T640 has established itself as the industry's premier core solution. The T640 is another example of Juniper's passion for utilizing its leadership in silicon, software, and systems design in delivering the greatest possible capacity in the least amount of space, deploying (32) 10G ports in a facilities-friendly 19", half-rack form factor. The T640 offers a full set of physical interface cards (PICs) including SONET, Ethernet, ATM, Services, and more. The T640 can be deployed as a standalone unit, or in combination with the TX Matrix platform to form a powerful multi-terabit, multi-chassis core solution.

T320 Router

When space is limited, and the benefits of the T-series core solutions are a requirement, the T320 router fits the bill. At 19" wide and a third of a rack in height, the T320 can be deployed in almost any facility as a small core router. The T320 offers up to (16) 10G ports yielding up to 320Gbps of capacity, and supports the same physical interface cards (PICs) as its big brother, the T640. The T320 also leverages the same JUNOS software, packet forwarding engine, switch fabric, routing engines, and control boards, ensuring a cohesive solution and providing for sparing efficiencies and investment protection. The T320 fills out the line of the industry-leading T-series family of core platforms, from small core to the ultra large core deployment requirements.

Integrated Firewall/IPSEC VPN

Security Products

  • Strong security for access control, user authentication and network and application-level attack protection
  • Lower capital investment, support, deployment and ops costs for overall lower TCO
  • Predictable performance for a highly reliable, available and secure network

Juniper Networks provides end-to-end security solutions that enable you to effectively protect your network. A layered security approach enables administrators to protect your communications and resources at the perimeter, in the infrastructure and as you extend out to remote sites and users. Juniper Networks offers integrated firewall/IPSec VPN appliances and systems to meet the specific needs of each of your network segments to ensure that there are no weak links in your security. The Juniper Networks NetScreen-5GT series incorporates antivirus features using Trend Micro's leading antivirus technology.

A Stateful Inspection firewall enables administrators to effectively control who and what has access to the network while authenticating users to ensure they are who they say they are. The predictable, high performance of our solutions also gives you the strong denial-of-service (DoS) protection you need to help you withstand system overloads. Firewalls also enable network segmentation to minimize unauthorized roaming and contain attacks in your infrastructure. Deep Inspection firewall technology protects the network perimeter from application-level attacks by applying a deeper level of understanding to make access control decisions based on the intent of that traffic.

Predictable firewall performance and system reliability enable protection against DoS attacks as well as application-level attacks, secure wireless LANs, consolidate firewall deployments and maintain a consistent level of security. Our high physical and virtual interface densities allow administrators to create secure network segments or customer environments with a distinct firewall, security policy and management. If you're a service provider, you can leverage our segmentation capabilities to create secure customer environments on a single appliance.

The Juniper Networks integrated firewall/IPSec VPN appliances and systems have received the Common Criteria and ICSA Firewall certifications. These certifications include a stringent and extensive certification process to verify that products effectively satisfy the security requirements of today's networks. As a result, companies can be assured that Juniper Networks security products meet the highest standards and offer solutions that secure corporate network environments.

The Juniper Networks integrated firewall/IPSec VPN appliances and systems have integrated ICSA-certified IPSec VPNs that allow companies to establish secure communications between their employees, business partners and customers. Secure dynamic VPNs provide a fault-tolerant solution, combining the resiliency and efficiencies of route-based VPNs with the security and ease of use of policy-based firewalls. Administrators can apply Juniper Networks' unique security zones to the VPN traffic to gain the additional security they need, without compromising the performance or management simplicity of route-based VPNs.

Juniper Networks integrated firewall/VPN solutions can be managed using either the command line interface (CLI), a Web based graphical user interface (WebUI) or via a central management console (Juniper Networks NetScreen Security Manager), simplifying configuration, deployment, and ongoing management.

The award winning performance and reliability of our purpose-built security solutions is derived from a tightly integrated set of advanced hardware and software components. The purpose-built hardware platform has been designed from the ground up to perform computationally intensive security functions, without compromising throughput. We were the first vendor to embed security functionality directly into an ASIC, which is one of the components that allow Juniper Networks to offer multi-Gig VPN and stateful inspection firewall performance. The ASIC is linked to a RISC CPU by a high-speed interface. To control the hardware platform, our engineering team started from scratch and created a real-time, security specific operating system with a rich set of networking and reliability features to simplify network integration and maximize uptime, allowing corporations to control your costs as your network security requirements change.

Administrators can choose the performance needed for each and every network segment and are not forced to compromise security or performance in any deployment. The integrated firewall/IPSec VPN product line also offers the performance needed to grow to ensure that you can maximize your investment. And to help maintain and lower the acquisition and support costs, the operating system is field upgradeable, so that new features can be easily added to further extend the life of the product.

SSL VPN

Security Access Products

  • Selection of appliances and features enable a tailored solution for companies of all sizes and access requirements
  • Unique security capabilities provide end-to-end protection, end user's device to the internal servers
  • Juniper Networks is the proven market leader, with more than 55% market share as of Q2'04, according to Infonetics Research

Juniper Networks Netscreen SSL VPNs lead the market with a complete range of SSL VPN appliances, with form factors and features tailored to meet the needs of companies of all sizes. Netscreen SSL VPNs are based on the Instant Virtual Extranet (IVE) platform, which uses SSL, the security protocol found in all standard Web browsers. The use of SSL eliminates the need for client software deployment, changes to internal servers, and costly ongoing maintenance and desktop support. Juniper Networks SSL VPN appliances combine the overall category benefit of a lower total cost of ownership compared to traditional solutions with unique end-to-end security features. Dynamic access privilege management adds granular access control for each user and for each resource.

Juniper Networks Netscreen SSL VPN Appliance Line

Product / Designed For / Enterprise Class Features Include

Netscreen Remote Access 500: Small to mid-sized companies

Netscreen Secure Access 1000: Small to mid-sized enterprises

Netscreen Secure Access 3000: Mid-sized to large enterprises

Netscreen Secure Access 5000: Large and multinational enterprises

Intrusion Detection and Prevention

The Juniper Networks Intrusion Detection and Prevention (Juniper Networks IDP) solution provides inline attack protection against worms, viruses and Trojans. Using multiple methods of detection along with powerful signature customization capabilities, Juniper Networks IDP effectively identifies and stops attacks on the network, minimizing the time and costs associated with intrusions.

Juniper Networks IDP integrates application and network profiling to provide administrators with an up to the minute assessment of network activity that helps them avoid the uncertainty found in the trial and error deployment process that typical IDS/IPS solutions go through. Juniper Networks IDP allows administrators to quickly and confidently deploy inline prevention.

When deployed inline, Juniper Networks IDP effectively identifies and stops network and application level attacks before they inflict any damage, minimizing the time and costs associated with intrusions. When an attack does occur, Juniper Networks IDP provides powerful attack reporting and forensics that accelerate the investigative process, thereby minimizing the damage inflicted on the network.

Juniper Networks IDP not only helps protect the network against attacks, it provides IT with information on rogue servers and applications that may have been added to the network without their knowledge. Armed with this knowledge IT can proactively protect the network by modifying the security policy.

Juniper Networks IDP provides:

  • On-demand view of both network and application level traffic data
  • Built-in tools to correlate data points during any phase of an attack and
  • The ability to quickly act to prevent or contain the attack using the IDP solution

Juniper Networks IDP is controlled using a rules-based management approach to deploy advanced attack protection, detect attacks, and prevent them from impacting the network. Leveraging Juniper Networks IDP, IT departments can solve the following problems.

Problem: Lack of in-depth feedback on network and application level activity prevents administrators from deploying inline prevention; instead, attack prevention solutions are deployed in sniffer or passive mode, minimizing the benefits.

Juniper Networks IDP Solution: Juniper Networks IDP accelerates the deployment of inline prevention with Enterprise Security Profiler (ESP), a module within Juniper Networks IDP that provides a view of both network and application-level data that is unmatched by any other solution. With a detailed, on-demand view of network and application level data, administrators can quickly learn what is happening on the network and then translate that data into comprehensive network security policies using Juniper Networks IDP's rule-based management GUI. Other solutions do not provide the same level of detail, making it difficult to deploy them in an inline prevention mode.

Problem: Sifting through thousands of arcane logs makes the investigation of an attack difficult and time consuming.

Juniper Networks IDP Solution: Juniper Networks IDP accelerates attack and incident investigation to stop or prevent attacks from proliferating throughout the network. Juniper Networks IDP gives the IT team deep insight into network and application level data with ESP, along with the ability to correlate that data and then take immediate action against an attack.

Problem: Rogue applications and servers are being added to the network without IT knowledge, introducing possible vulnerabilities.

Juniper Networks IDP Solution: Juniper Networks IDP ESP facilitates application updates by providing data on which applications are deployed and specifics about their location. With this information, an IT administrator can be proactive about prioritizing which applications need to be updated to protect against possible vulnerabilities.

B. Recommended solutions for organizations

Scale

Firewall

VPN

IDS

Anti-virus

SOHO

(<50>

Cisco

PIX 515

PIX 515

IDS 4215 Sensor

IPS 4240 Sensor


SonicWall

TZ150

TZ170

PRO1260

TZ150

TZ170

PRO1260

TZ150

TZ170

PRO1260

TZ150

PRO1260

Checkpoint

Safe@Office

(hardware)

Safe@Office

(Hardware)


Safe@Office

(Hardware)

Fortinet

FortiGate-300

FortiGate-200A

FortiGate-200

FortiGate-100A

FortiGate-100

FortiGate-300

FortiGate-200A

FortiGate-200

FortiGate-100A

FortiGate-100

FortiGate-300

FortiGate-200A

FortiGate-200

FortiGate-100A

FortiGate-100

FortiGate-300

FortiGate-200A

FortiGate-200

FortiGate-100A

FortiGate-100

WatchGuard

Firebox® X500

SOHO 6

Firebox® V10

Firebox X5(12 users)

Firebox X15(30 users)

SOHO 6tc

Firebox® V10



Juniper





Medium

(50-100 hosts)

Cisco

PIX 525

PIX 525

IDS 4250XL Sensor

IPS 4255 Sensor


SonicWall

PRO2040

PRO2040


PRO2040

Checkpoint

iForce VPN/Firewall (H)

InterSpect

Firewall-1 (S)

Connectra (H)

VPN Edge(H)

iForce VPN/Firewall (H)

VPN-1 Pro

InterSpect

InterSpect

Fortinet

FortiGate-1000

FortiGate-800 FortiGate-500A

FortiGate-500 FortiGate-400A

FortiGate-400

FortiGate-300A

FortiGate-1000

FortiGate-800

FortiGate-500A

FortiGate-500

FortiGate-400A

FortiGate-400

FortiGate-300A

FortiGate-1000

FortiGate-800 FortiGate-500A

FortiGate-500 FortiGate-400A

FortiGate-400

FortiGate-300A

FortiGate-1000

FortiGate-800

FortiGate-500A

FortiGate-500

FortiGate-400A

FortiGate-400

FortiGate-300A

WatchGuard

Firebox® X700

Firebox® V60

Firebox® V60L

Firebox X50(>30)

Firebox® V60

Firebox® V60L

Firebox III

(Firewall/VPN/IDP)


Juniper





Enterprise

(>100 host)

Cisco

PIX 535

PIX 535

IPS 4255


SonicWall

PRO3060

PRO4060

PRO5060

PRO3060

PRO4060

PRO5060

PRO4060

PRO5060

PRO4060

PRO5060

Checkpoint

InterSpect (H)

MX4250 (H)

MX4270 (H)

MX4550 (H)

MX4570 (H)

Firewall-1 (S)

Connectra (H)

MX4250 (H)

MX4270 (H)

MX4550 (H)

MX4570 (H)

VPN-1 Pro

InterSpect

InterSpect

Fortinet

FortiGate-5140

FortiGate-5050

FortiGate-5020

FortiGate-4000

FortiGate-3600

FortiGate-3000

FortiGate-5140

FortiGate-5050

FortiGate-5020

FortiGate-4000

FortiGate-3600

FortiGate-3000

FortiGate-5140

FortiGate-5050

FortiGate-5020

FortiGate-4000

FortiGate-3600

FortiGate-3000

FortiGate-5140

FortiGate-5050

FortiGate-5020

FortiGate-4000

FortiGate-3600

FortiGate-3000

WatchGuard

Firebox® X1000

Firebox® X2500 (>500)

Firebox® V200

Firebox® V100

Firebox® V80

Firebox® V200



Juniper





C. Evaluation and comparison

I. Evaluations and comparisons by organizations

ICSA Labs (www.icsalabs.com): a division of TruSecure Corporation

II. Evaluation and comparison by BKIS

(to be updated after testing)

D. Contact information and references

Cisco Systems

www.cisco.com

Sonic Wall

www.sonicwall.com

ITC JSC
Ha Noi
Phone: (84) 04.943.0724
E-mail: info@itc.com.vn
Web: http://www.itc.com.vn/


Ho Chi Minh City
Phone: (84) 08.925.3304
E-mail: info@itc.com.vn
Web: http://www.itc.com.vn/

Checkpoint

www.checkpoint.com

M-Security Technology Indochina Pte Ltd
Hanoi Representative Office
10/F Unit 1001, Tung Shing Square,
2 Ngo Quyen Street, Hanoi, Vietnam
Main Line: (844) 935 0970
Main Fax: (844) 935 0971

Misoft Software Development Technology

11 Phan Huy Chú - Hoàn Kiếm District, Hà Nội
Phone: (84-4) 9331613 Fax: (84-4) 9331612
E-mail: misoft@misoft.com.vn

Fortinet

www.fortinet.com

WatchGuard

www.watchguard.com

Juniper

www.juniper.net

Planet

www.planet.com.vn