Industry – Public Sector
Challenge –
The Economic and Financial Crimes Commission (EFCC) is a Nigerian law enforcement agency that investigates financial crimes such as advance fee fraud (419 fraud) and money laundering.
EFCC sought a technology partner that could assist in interconnecting all its branch offices with its data centre at the headquarters in Abuja through the deployment of a WAN solution that supports technologies enabling future growth and the addition of value-added services to the network.
Selection Criteria-
The criteria taken into consideration to support the WAN deployment generally included:
- Low latency
- Minimal packet loss
- Flexible and Scalable
- Quality of service (QoS)
- Network resiliency and security
- Ease of Management
- Ease of operation
Result-
Layer3 deployed an enterprise WAN for EFCC. This consisted of various network segments and configurations that enabled the enterprise to generate revenue in today’s highly connected, dynamic environment. The enterprise WAN itself consists of various business site types that must be interconnected to enable business and revenues. The corporate LAN and data centre in Abuja are at the core of the enterprise WAN.
The deployment leveraged Layer3’s existing MPLS network to interconnect all of EFCC's remote offices in different states across Nigeria, improving operational efficiency and reducing operational expense while ensuring flexibility, value for investment, security, and carrier-class reliability.
IMPLEMENTATION STRATEGY / PROCEDURES
The enterprise WAN solution comprised these Juniper products:
- SRX1500 (Firewall)
- SRX300 (Firewall)
- EX4600 (Firewall)
- Junos Space
SRX1500
The Juniper Networks® SRX1500 Services Gateway is a high-performance next-generation firewall and security services gateway that protects mission-critical enterprise campuses, regional headquarters, and data centre networks. The SRX1500 is the only product in its class that not only provides best-in-class security and threat mitigation capabilities, but also integrates carrier-class routing and feature-rich switching in a single platform.
The SRX1500 is purpose-built to protect 10GbE network environments, consolidating multiple security services and networking functions in a highly available appliance. It supports up to 9 Gbps of firewall performance, 4 Gbps of intrusion prevention, and 1.3 Gbps of IPsec VPN in enterprise campus, regional headquarters, and data centre deployments.
Software Specifications
Routing Protocols
- IPv4, IPv6, ISO, Connectionless Network Service (CLNS)
- Static routes
- RIP v1/v2
- OSPF/OSPF v3
- Encapsulation: VLAN, Point-to-Point Protocol (PPP), Frame Relay, High-Level Data Link Control (HDLC), serial, Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Point-to-Point Protocol over Ethernet (PPPoE)
- Virtual routers
- Policy-based routing, source-based routing
- Equal-cost multipath (ECMP)
QoS Features
- Support for 802.1p, DiffServ code point (DSCP), EXP
- Classification based on VLAN, data-link connection identifier (DLCI), interface, bundles, or multifield filters
- Marking, policing, and shaping
- Classification and scheduling
- Weighted random early detection (WRED)
- Guaranteed and maximum bandwidth
- Ingress traffic policing
- Virtual channels
- Hierarchical shaping and policing
Firewall Services
- Stateful and stateless firewall
- Zone-based firewall
- Screens and distributed denial of service (DDoS) protection
- Protection from protocol and traffic anomaly
- Integration with Pulse Unified Access Control (UAC)
- Integration with Aruba ClearPass Policy Manager
- User role-based firewall
- SSL Inspection (Forward-proxy)
Network Address Translation (NAT)
- Source NAT with Port Address Translation (PAT)
- Bidirectional 1:1 static NAT
- Destination NAT with PAT
- Persistent NAT
- IPv6 address translation
VPN Features
- Tunnels: Site-to-Site, Hub and Spoke, Dynamic Endpoint, AutoVPN, ADVPN, Group VPN (IPv4/IPv6/Dual Stack)
- Juniper Secure Connect: Remote access / SSL VPN
- Configuration payload: Yes
- IKE Encryption algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
- IKE authentication algorithms: MD5, SHA-1, SHA-128, SHA-256, SHA-384
- Authentication: Pre-shared key and public key infrastructure (PKI) (X.509)
- IPsec (Internet Protocol Security): Authentication Header (AH) / Encapsulating Security Payload (ESP) protocol
- IPsec Authentication Algorithms: hmac-md5, hmac-sha-196, hmac-sha-256
- IPsec Encryption Algorithms: Prime, DES-CBC, 3DES-CBC, AES-CBC, AES-GCM, SuiteB
- Perfect forward secrecy, anti-replay
- Internet Key Exchange: IKEv1, IKEv2
- Monitoring: Standard-based dead peer detection (DPD) support, VPN monitoring
- VPNs: GRE, IP-in-IP, and MPLS
SRX300
The SRX300 line of service gateways delivers a next-generation security, networking, and SD-WAN solution that helps support the changing needs of any cloud-enabled enterprise network. Whether an enterprise is rolling out new services and applications across multiple locations, connecting to the cloud, or improving operational efficiency, SRX300 service gateways provide scalable, secure, and easy-to-manage connectivity.
As network traffic grows, the high-density native Gigabit Ethernet ports available on the SRX300 line provide secure connectivity to help you keep pace. Securing small branch or retail offices, the SRX300 Services Gateway consolidates security, routing, switching, and WAN connectivity in a small desktop device. The SRX300 supports up to 1 Gbps firewall and 300 Mbps IPsec VPN in a single, cost-effective networking and security platform.
EX4600
The EX4600 offers an economical, power-efficient, and compact solution for aggregating 10GbE expansions from access devices in building and enterprise deployments. The switch’s dual-speed interfaces also support environments transitioning from 1GbE to 10GbE. The EX4600 can be deployed in the distribution layer with multichassis link aggregation (MC-LAG) (see Figure 1) to deliver higher resiliency with a distributed control plane, NSB, NSR, and unified ISSU. Multichassis LAG enables two EX4600 switches to act as separate devices with their own control planes, while eliminating STP by allowing link aggregation on the connected devices. In addition, unified ISSU allows each of the EX4600 switches to be upgraded individually without service interruption.
Junos Space
Junos Space Network Management Platform works with our management applications to simplify and automate management of Juniper’s switching, routing, and security devices. As part of a complete solution, the platform provides broad fault, configuration, accounting, performance, and security management (FCAPS) capability, same-day support for new devices and Junos OS releases, a task-specific user interface, and northbound APIs for integration with existing network management systems (NMS) or operations/business support systems (OSS/BSS).
The platform helps network operators at enterprises and service providers scale operations, reduce complexity, and enable new applications and services to be brought to market quickly, through multilayered network abstractions, operator-centric automation schemes, and a simple point-and-click UI.