Page  Datasheet

Juniper Networks SSG 5 and SSG 20

The Juniper Networks Secure Services Gateway 5 (SSG 5) and Secure Services Gateway 20 (SSG 20) are purpose-built security appliances that
deliver a perfect blend of performance, security, routing and LAN/WAN connectivity for small branch office and small business deployments.
Traffic flowing in and out of the branch office can be protected from worms, Spyware, Trojans, and malware by a complete set of Unified Threat
Management (UTM) security features including Stateful firewall, IPSec VPN, IPS, Antivirus (includes Anti-Spyware, Anti-Adware, Anti-Phishing), Anti-
Spam, and Web Filtering.
The rich set of UTM security features allows the SSG 5 and SSG 20 to be deployed as a stand alone network protection device. With its robust
routing engine, the SSG 5 and SSG 20 can also be deployed as a traditional branch office router or as a combination security and routing device to
help reduce IT capital and operational expenditures. The SSG 5 and SSG 20 provide customers with the following features and benefits:
• Extensible I/O architecture that delivers fixed LAN connectivity plus WAN I/O options on top of unmatched security to reduce costs and extend
investment protection.
• UTM security features backed by best-in-class security partners to ensure that the network is protected against all manner of attacks.
• Advanced security features such as network segmentation allows administrators to deploy security policies to isolate guests, wireless networks
and regional servers or databases to prevent unauthorized access and contain any attacks that may occur.
• Dedicated, security specific processing hardware and software platform delivers performance required to protect high speed LAN as well as
lower speed WAN connections.
Used by enterprises, service providers and stand alone businesses alike, the SSG 5 and SSG 20 are
ideally suited for locations that are smaller, with fewer employees yet still require advanced security
and routing features to protect business critical traffic traversing the WAN and high speed internal
networks. Typical deployments include small businesses, distributed branch offices, retail outlets,
and fixed telecommuter environments.

SSG 5:
The SSG 5 is a fixed form factor platform that delivers 160 Mbps of Stateful firewall traffic and
40 Mbps of IPSec VPN throughput. The SSG 5 Series is equipped with seven on-board 10/100
interfaces with optional fixed WAN ports (ISDN BRI S/T, V.92 or RS-232 Serial/Aux). Optional
support for 802.11 a/b/g and a broad array of wireless specific security allow the SSG 5 to
consolidate security, routing and wireless access point into a single device.

SSG 20:
The SSG 20 is a modular platform that delivers 160 Mbps of Stateful firewall traffic and 40 Mbps of
IPSec VPN throughput. The SSG 20 is equipped with five on-board 10/100 interfaces with two I/O
expansion slots that support I/O cards, such as ADSL2+, T1, E1, ISDN BRI S/T, V.92 for additional
WAN connectivity. Optional support for 802.11 a/b/g and a broad array of wireless specific security
allow the SSG 20 to consolidate security, routing and wireless access point into a single device.

Security Network segmentation

Proven Stateful firewall and IPSec VPN combined with best-in-class The SSG 5 and SSG 20 provide an advanced set of network
UTM security features including IPS (Deep Inspection), Antivirus segmentation features such as Security Zones, Virtual Routers and
(includes Anti-Spyware, Anti-Adware, Anti-Phishing), Anti-Spam, and VLANs that allow administrators to deploy different levels of security
Web Filtering protects both LAN and WAN traffic from worms, Spyware, to different user groups by dividing the network into distinct, secure
Trojans, malware and other emerging attacks. domains, each with their own security policy.

LAN/WAN connectivity Seamlessly transform your network

The combination of LAN/WAN connectivity options and supporting Whether you are deploying a few SSGs to your local offices or
protocols provides customers with the ability to deploy the SSG 5 or SSG implementing thousands around the world, Juniper Networks
20 as a traditional LAN-based firewall or as a consolidated routing and Professional Services can help. From simple lab testing to major network
security device, thereby reducing TCO. implementations, we can identify the goals, define the deployment
process, create or validate the network design, and manage the
deployment. We collaborate with your team to transform your network
infrastructure to ensure that it is flexible, scalable, reliable, and secure.
 Juniper Networks Secure Services Gateway 5 and 20
Page 

SSG 20 SSG 5 SSG 20 SSG 5

Maximum Performance and Capacity (1)

Firewall and VPN User Authentication
ScreenOS version support ScreenOS 5.4 ScreenOS 5.4 Built-in (internal) database - user limit Up to 100 Up to 100
Firewall performance (Large packets) 160 Mbps 160 Mbps 3rd Party user authentication RADIUS, RSA SecurID, and LDAP
Firewall performance(2) (IMIX) 90 Mbps 90 Mbps XAUTH VPN authentication Yes Yes
Firewall Packets per second (64 byte) 30,000 30,000 Web-based authentication Yes Yes
VPN performance (3DES+SHA-1) 40 Mbps 40 Mbps 802.1X authentication Yes Yes
Concurrent sessions 4,000 4,000
New sessions/second 2,800 2,800 Mode of Operation
Policies 200 200 Layer 2 (transparent) mode(5) Yes Yes
Users supported Unrestricted Unrestricted Layer 3 (route and/or NAT) mode Yes Yes

Network Connectivity Address Translation

Fixed I/O 5x 10/100 7x 10/100 Network Address Translation (NAT) Yes Yes
Physical Interface Module (Mini-PIM) Slots 2 0 Port Address Translation (PAT) Yes Yes
WAN interface options ADSL2+, T1, E1, ISDN BRI S/T or Policy-based NAT/PAT Yes Yes
ISDN BRI S/T, V.92 RS-232 Serial/Aux or Mapped IP Yes Yes
(See Mini-PIM datasheets) V.92 Virtual IP Yes Yes
(factory configured)
Routing
LAN interface options None None
BGP Yes Yes
Wireless networking Dual Radio 802.11a + 802.11b/g (factory configured)
OSPF Yes Yes
Firewall RIPv1/v2 Yes Yes
Network attack detection Yes Yes Static routes Yes Yes
DoS and DDoS protection Yes Yes Source-based routing Yes Yes
TCP reassembly for fragmented Policy-based routing Yes Yes
packet protection Yes Yes ECMP Yes Yes
Malformed packet protection Yes Yes Routes 1,024 1,024
Multicast Yes Yes
Unified Threat Management/Content Security(3)
Reverse Forwarding Path (RFP) Yes Yes
IPS (Deep Inspection FW) Yes Yes
IGMP (v1, v2) Yes Yes
Protocol anomaly detection Yes Yes
IGMP Proxy Yes Yes
Stateful protocol signatures Yes Yes
PIM SM Yes Yes
Antivirus Yes Yes
PIM SSM Yes Yes
Signature database 100,000+
Mcast inside IPSec Tunnel Yes Yes
Protocols scanned POP3, SMTP, HTTP, IMAP, FTP
Anti-Phishing Yes Yes Encapsulations
Anti-Spyware Yes Yes PPP Yes Yes
Anti-Adware Yes Yes MLPPP Yes N/A
Anti-Keylogger Yes Yes Frame Relay Yes N/A
Anti-Spam Yes Yes MLFR (FRF 15, FRF 16) Yes N/A
Integrated URL filtering Yes Yes HDLC Yes N/A
External URL filtering(4) Yes Yes
Traffic Management (QoS)
VoIP Security Guaranteed bandwidth Yes Yes
H.323. ALG Yes Yes Maximum bandwidth Yes Yes
SIP ALG Yes Yes Ingress Traffic Policing Yes Yes
SCCP ALG Yes Yes Priority-bandwidth utilization Yes Yes
MGCP ALG Yes Yes DiffServ stamp Yes, per policy Yes, per policy
NAT for SIP, H.323, MGCP, SCCP Yes Yes Wi-Fi Multi-Media (WMM) Yes (with WLAN) Yes (with WLAN)

VPN System Management

Concurrent VPN tunnels 25 25 WebUI (HTTP and HTTPS) Yes Yes
Tunnel interfaces 10 10 Command Line Interface (console) Yes Yes
DES (56-bit), 3DES (168-bit) Command Line Interface (telnet) Yes Yes
and AES encryptions Yes Yes Command Line Interface (SSH) Yes, v1.5 and v2.0 compatible
MD-5 and SHA-1 authentication Yes Yes NetScreen-Security Manager Yes Yes
Manual key, IKE, PKI (X.509) Yes Yes All management via VPN tunnel
Perfect forward secrecy (DH Groups) 1,2,5 1,2,5 on any interface Yes Yes
Prevent replay attack Yes Yes SNMP full custom MIB Yes Yes
Remote access VPN Yes Yes Rapid deployment Yes Yes
L2TP within IPSec Yes Yes Logging and Monitoring
IPSec NAT traversal Yes Yes Syslog (multiple servers) External, up to 4 servers
Redundant VPN gateways Yes Yes E-mail (2 addresses) Yes Yes
NetIQ WebTrends External External
SNMP (v2) Yes Yes
Traceroute Yes Yes
VPN tunnel monitor Yes Yes
 Page  Datasheet

SSG 20 SSG 5 SSG 20 SSG 5

Virtualization Wireless Radio Specifications (Wireless Models Only)

Maximum number of configurable security zones 8 8 Transmit Power Up to 200mW
Maximum number of virtual routers 3 3 Wireless Standards supported Dual Radio 802.11 a + 802.11b/g
Maximum number of 802.1q VLANs 10 10 Site Survey Yes
Maximum Configured SSIDs 16
High Availability (HA)(6)
Maximum Active SSIDs 4
Active/Passive Yes Yes
Atheros SuperG Yes
Configuration synchronization Yes Yes
Atheros eXtended Range (XR) Yes
Session synchronization for firewall and VPN Yes Yes
Wi-Fi CERTIFIED® Yes
Session failover for routing change Yes Yes
Device failure detection Yes Yes Wireless Security (Wireless Models Only)
Link failure detection Yes Yes Wireless Privacy WPA, WPA2 (AES or TKIP), IPSEC VPN, WEP
Authentication for new HA members Yes Yes Wireless Authentication PSK, EAP-PEAP, EAP-TLS, EAP-TTLS over 802.1x
Encryption of HA traffic Yes Yes MAC Access Controls Permit or Deny
Client Isolation Yes
IP Address Assignment
Static Yes Yes Antenna Option (Wireless Models Only)
DHCP, PPPoE client Yes Yes Diversity Antenna Included
Internal DHCP server Yes Yes Directional Antenna Future
DHCP relay Yes Yes Omni-directional Antenna Future

PKI Support
PKI Certificate requests (PKCS 7 and PKCS 10) Yes Yes (1) Performance, capacity and features listed are based upon systems running ScreenOS 5.4 and are the measured maximums under ideal testing conditions
unless otherwise noted. Actual results may vary based on ScreenOS release and by deployment.
Automated certificate enrollment (SCEP) Yes Yes (2) IMIX stands for Internet mix and is more demanding than a single packet size as it represents a traffic mix that is more typical of a customer’s network. The
IMIX traffic used is made up of 58.33% 64 byte packets + 33.33% 570 byte packets + 8.33% 1518 byte packets of UDP traffic.
Online Certificate Status Protocol (OCSP) Yes Yes (3) UTM Security features (IPS/Deep Inspection, Antivirus, Anti-Spam and Web filtering) are delivered by annual subscriptions purchased separately from Juniper
Networks. Annual subscriptions provide signature updates and associated support. The high memory option is required for UTM Security features.
Certificate Authorities Supported Verisign, Entrust, Microsoft, RSA Keon,
(4) Redirect Web filtering sends traffic to a secondary server and therefore entails purchasing a separate Web filtering license from either Websense or
iPlanet (Netscape), Baltimore, DOD PKI SurfControl.
(5) NAT, PAT, policy based NAT, virtual IP, mapped IP, virtual systems, virtual routers, VLANs, OSPF, BGP, RIPv2, Active/Active HA, and IP address assignment are
Administration not available in layer 2 transparent mode.
(6) Active Passive and HA Lite require the purchase of an Extended License. In addition to the HA features, an Extended License key increases a subset of the
Local administrators database size 20 20 capacities as outlined below.

External administrator database RADIUS/LDAP/SecurID

Root Admin, Admin, and Yes Yes Extended License Feature SSG 20 and SSG 5
Read Only user levels Sessions Increases max from 4000 to 8000
Software upgrades TFTP / WebUI / NSM / SCP / USB VPN Tunnels Increases max from 25 to 40
Configuration Roll-back Yes Yes VLANS Increases max from 10 to 50
External Flash VoIP Calls Increases max from 32 to 48
Additional log storage via USB High Availability Adds support for Stateful Active/Passive and/or HA Lite
Event logs and alarms Yes Yes IPS (Deep Inspection FW) Signature Packs
System config script Yes Yes Signature Packs provide the ability to tailor the attack protection to the specific deployment
ScreenOS Software Yes Yes and/or attack type. The following Signature packs are available for the SSG 5 and SG 20.
Dimensions and Power Signature Pack Target Deployment Defense Type Type of Attack
Dimensions (W/L/H) 11 5/8” x 7 3/8” x 1 3/4” 8 3/4” x 5 5/8” x 1 5/8” Object
29.5cm x 18.7cm x 4.5cm 22.2cm x 14.3cm x 4.1cm Base Branch Offices, small Client/Server and Range of signa-
Weight 3.3 lbs (1.5 kg) 2.1 lbs (0.95 kg) medium businesses worm protection tures and protocol
Rack mountable Yes Yes anomalies
Power Supply (AC) 100-240 VAC 100-240 VAC
Client Remote/Branch Perimeter defense, Attacks in the server-
Certifications Offices compliance for hosts to-client direction
Safety Certifications CSA, CB CSA, CB (desktops, etc)
EMC Certifications FCC Class B, CE Class B, FCC Class B, CE Class B, Server Small/Medium Perimeter defense, Attacks in the client-
A-Tick, VCCI class B A-Tick, VCCI class B Businesses compliance for to-server direction
server infrastructure
Environment
Temp and Humidity Worm Mitigation Remote/Branch Most comprehensive Worms, Trojans,
Operating Temp 0 to 40 Deg C 0 to 40 Deg C Offices of Large defense against backdoor attacks
( 32 to 104 Deg F) ( 32 to 104 Deg F) enterprises worm attacks
Non-Operating Temp -20 to 65 Deg C -20 to 65 Deg C
(-4 to 149 Deg F) (-4 to 149 Deg F)
Humidity 10 to 90% 10 to 90%
non-condensing non-condensing
MTBF (Bellcore model)
Non-Wireless 35.8 Yrs 40.5 Yrs
Wireless 28.9 Yrs 22.8 Yrs
 Page 

Ordering Information
Product Part Number Product Part Number

SSG 5 SSG 5 / SSG 20 Accessories & Upgrades

SSG 5 with Serial backup, 128 MB Memory SSG-5-SB Extended License Upgrade Key for SSG 5 SSG-5-ELU
SSG 5 with ISDN BRI S/T backup, Interface,128 MB Memory SSG-5-SB-BT Extended License Upgrade Key for SSG 20 SSG-20-ELU
SSG 5 with v.92 backup, 128 MB Memory SSG-5-SB-M SSG 5 and SSG 20 256MB Memory Upgrade Module SSG-5-20-MEM-256
SSG 5 with Serial backup, Wireless 802.11a/b/g,128 MB Memory SSG-5-SB-W-xx SSG 5 Rack Mount Kit - holds 2 units SSG-5-RMK
SSG 5 with ISDN BRI S/T backup, Wireless 802.11a/b/g, 128 MB memory SSG-5-SB-BTW-xx SSG 20 Rack Mount Kit SSG-20-RMK
SSG 5 with v.92 backup, Wireless 802.11a/b/g, 128 MB Memory SSG-5-SB-MW-xx SSG Wireless Replacement Antenna SSG-ANT
SSG 5 with Serial backup, 256 MB memory SSG-5-SH
SSG 5 with ISDN BRI S/T backup, 256 MB memory SSG-5-SH-BT Unified Threat Management/Content Security (High Memory Option Required)
SSG 5 with v.92 backup, 256 MB memory SSG-5-SH-M Anti-Virus (Anti-Spyware, Anti-Phishing) NS-K-AVS-SSG5
SSG 5 with Serial backup, Wireless 802.11a/b/g, 256 MB memory SSG-5-SH-W-xx NS-K-AVS-SSG20
SSG 5 with ISDN BRI S/T backup, Wireless 802.11a/b/g, 256 MB memory SSG-5-SH-BTW-xx IPS (Deep Inspection) NS-DI-ISG-SSG5
SSG 5 with v.92 backup, Wireless 802.11a/b/g, 256 MB memory SSG-5-SH-MW-xx NS-DI-ISG-SSG20
Web Filtering NS-WF-SSG5
SSG 20 NS-WF-SSG20
SSG 20 with 2 port Mini-PIM slots, 128 MB Memory SSG-20-SB Anti-Spam NS-SPAM-SSG5
SSG 20 with 2 port Mini-PIM slots, NS-SPAM-SSG20
Wireless 802.11a/b/g, 128 MB Memory SSG-20-SB-W-xx Remote Office Bundle (Includes AV, DI, WF) NS-RBO-CS-SSG5
SSG 20 with 2 port Mini-PIM slots, 256 MB memory SSG-20-SH NS-RBO-CS-SSG20
SSG 20 with 2 port Mini-PIM slots, Main Office Bundle (Includes AV, DI, WF, AS) NS-SMB-CS-SSG5
Wireless 802.11a/b/g, 256 MB memory SSG-20-SH-W-xx NS-SMB-CS-SSG20

SSG 20 I/O Options

• Note: The appropriate power cord is included based upon the sales order “Ship To” destination.
1 port T1 Mini Physical Interface Module JXM-1T1-S
• Note: XX denotes Region Code for Wireless devices. Not all countries are supported. Please see Wireless Country Compliance Matrix for certified countries.
1 port E1 Mini Physical Interface Module JXM-1E1-S www.jnpr.net/products/integrated/ssg_5_20.html
• Note: For 2nd year renewal of Content Security Subscriptions add “-R” to above SKUs.
1 port ADSL2+ Annex A Mini Physical Interface Module JXM-1ADSL2-A-S
1 port ADSL2+ Annex B Mini Physical Interface Module JXM-1ADSL2-B-S
1 port v.92 Mini Physical Interface Module JXM-1V92-S
1 port ISDN S/T BRI Mini Physical Interface Module JXM-1BRI-ST-S

CORPORATE HEADQUARTERS EAST COAST OFFICE ASIA PACIFIC REGIONAL EUROPE, MIDDLE EAST, AFRICA Copyright 2006, Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
AND SALES HEADQUARTERS SALES HEADQUARTERS REGIONAL SALES HEADQUARTERS Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks
Juniper Networks, Inc. in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper
FOR NORTH AND SOUTH AMERICA
10 Technology Park Drive Juniper Networks (Hong Kong) Ltd. Juniper Networks (UK) Limited Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper
Juniper Networks, Inc. Westford, MA 01886-3146 USA Suite 2507-11, 25/F Building 1 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
1194 North Mathilda Avenue Phone: 978-589-5800 ICBC Tower, Aviator Park, Station Road
Sunnyvale, CA 94089 USA Fax: 978-589-0800 Citibank Plaza, 3 Garden Road, Addlestone
Phone: 888-JUNIPER (888-586-4737) Central, Hong Kong Surrey, KT15 2PG, U. K.
or 408-745-2000 Phone: 852-2332-3636 Phone: 44(0)-1372-385500
Fax: 408-745-2100 Fax: 852-2574-7803 Fax: 44(0)-1372-385501
www.juniper.net

100176-002 Oct 2006