1 Introduct To

Introduction to SRX-series Services Gateways
4-1
Copyright 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Routers
Traditionally, a router is used to forward packets based on a Layer 3 IP address
Uses some type of path determination mechanism
Packet processing is stateless and promiscuous Routers separate broadcast domains and provide WAN connectivity
2009 Juniper Networks, Inc. All rights reserved.
Layer 3 Packet Forwarding (Routing)

IP packets forwarded based on destination address
Maintain routing table entries
Static routes Dynamic routes (RIP, OSPF, BGP)
Longest prefix match

[ge-0/0/1] 10.1.1.1/24 10.1.1.10
RTR A
[ge-0/0/0] 10.2.2.1/24
10.2.2.2/24
10.3.3.10
Routing Table
Network 10.1.1.0/24 10.2.2.0/24 10.3.3.0/24 10.3.3.10/32 10.4.4.0/24
Interface ge-0/0/1 ge-0/0/0 ge-0/0/0 ge-0/0/2 ge-0/0/2
Gateway direct direct 10.2.2.2 10.4.4.2 direct

3
Traditional Routing Is Promiscuous

A traditional router is designed to provide stateless connectivity
Forwards all traffic by default Operates at Layer 3cannot detect security threats in higher-layer protocols Operates on each packet individuallycannot detect malformed sessions The network is immediately vulnerable
192.168.1.1
192.168.2.1
Typically, security is treated as a luxury add-on item

Router Positioning in the Enterprise

Enterprise Branch 1
Service Provider Network

Core
M-series Router
J-series Router
M-series and T-series Platforms

Enterprise Branch 2
Enterprise Head Office
Typical enterprise applications:

M-series platform at the edge for large customers or at an enterprise head office for smaller customers J-series router at the edge for small-sized and medium-sized customers or at the branch of a larger customer
Firewalls
Traditionally, a standalone firewall adds enhanced security in the enterprise network Firewall must perform:
Stateful packet processing
Keeps a session or state table based on IP header and higher-level information (TCP/UDP and Application layers)
NAT and PAT

Private-to-public and public-to-private translation
VPN establishment
Encapsulation, authentication, and encryption
Can also implement other security elements such as SSL, IDP, ALGs, and so forth
Stateful Packet Processing

Private Zone External Zone Web Server
Internet
200.5.5.5
ge-1/0/1.0
10.1.1.5
ge-0/0/0.0
Outgoing packet header information
SRC-IP 10.1.1.5
DST-IP 200.5.5.5
Protocol 6
SRC-Port 29218
DST-Port 80
+ session token = flow

Session table entry includes expected return flow
Outgoing flow initiates a session table entry
Source Address 10.1.1.5 . 200.5.5.5
Source Port
Session Table Destination Destination Protocol Interface Address Port 200.5.5.5 10.1.1.5 80 29218 6 6 ge-1/0/1.0 ge-0/0/0.0
29218
80
Session table is used by outgoing and incoming packets for bidirectional communication
NAT and PAT

NAT and PAT:
NAT converts IP addresses PAT converts TCP or UDP port numbers Typically used at the boundary between private and public addressing
Private 10.1.1.1
Protocol SRC-Port DST-Port
10.1.1.5
SRC-IP DST-IP
Public 201.1.8.1
SRC-IP DST-IP
Internet
10.1.1.5
221.1.8.5
36033
80
201.1.8.1
221.1.8.5
1025
80
NAT and PAT

Virtual Private Networks

Provide secure tunnels across the Internet
Encapsulation Encryption Authentication
Public 1.1.1.1
IPsec VPN
10.1.20.3
Private 10.1.20.1
10.1.20.4
Public 2.2.2.1
IP Packet
Encrypted Packet
Private 10.0.0.254 10.0.0.5 10.0.0.6
IP Packet
Firewall Positioning
Typical firewall positioning:
Network edge for a small office
Marketing Zone Administrative Zone
Branch office
IPsec VPN
Internet
IPsec VPN
Engineering Zone
Home Office/Retail Site
10
Current Trends
The current trends:
As boundaries of networks are virtualized, so are the requirements of network edge devices The functions of a router and a firewall are collapsing More protection required at the network edge
11
A New Perspective
SRX-series Services Gateways
Integrated security and network features with robust Dynamic Services Architecture
Marketing Zone Administrative Zone
Branch Office
IPsec VPN
Internet
IPsec VPN
Engineering Zone
Home Office/Retail Site

12
SRX 3600 Overview

Horizontal modular chassis
Redundant Routing Engine and SCB 6 interchangeable slots on front 6 interchangeable slots on back AC/DC power: 4 slots, hotswappable
Front View
13
SRX 3600 Overview

Maximum of seven SPCs on any slot Maximum of three NPCs on rear right slot
Rear View
Performance and capacities

Firewall: 30 Gbps IDP: 10 Gbps Concurrent sessions: 2.25M Firewall packets per second: 6 MMps
+
PEM 0 PEM 1 PEM 2 PEM 3
AUX ROUTING ENGINE ONLINE FAIL
OK/ MASTER STATUS RESET HDD
USB 0
SRX3K-RE-12-10
RESET STATUS PFE CONTROLLER FAIL OVER
7 8 9
RE0
10 11 12
RE1
14
SRX 5600 Overview

Redundant Routing Engine and SCB 6 interchangeable slots AC/DC power: 4 slots, hotswappable
4x10 GigE IOC
Craft Interface

Firewall: 60 Gbps IDP: 15 Gbps Concurrent sessions: 4M New sessions per second: 350K
8 RU
SPC 40x1 GigE IOC
SCB/RE
15
SRX 5800 Overview

Craft Interface
4x10 GigE IOC
Vertical modular chassis

Redundant Routing Engine and SCB 12 interchangeable slots AC/DC power: 4 slots, hotswappable
16 RU

Firewall: 120 Gbps IDP: 30 Gpbs Concurrent sessions: 4M New sessions per second: 40x1 GigE IOC 350K
SCB/RE
SPC
16
Physical Packet FlowFirst Packet

Because no session exists, packet is sent to SPC serving as CP
2
SPC - CP
1
IOC checks incoming packet to see if there is existing session
IOC
6
3 Session
create
Session 4 install
Install 5 Ack
7
IOC
Outgoing packet
Terms:
CP notifies IOCs of new session
SPC
FWD to egress IOC
IOC: Media connection to networks SPC: Contains flow module CP: Performs first path processing and load-balances sessions across SPCs
17
Physical Packet FlowSubsequent Packet
SPC - CP
1 4
IOC checks incoming packet to see if there is existing session
IOC
3
IOC SPC
2
Outgoing packet
Because there is an existing session, packet is sent directly to SPC
FWD to egress IOC
18
JUNOS Software Security Platforms Versus a Traditional Router

JUNOS software for SRX-series services gateways starts off as completely secure No Traffic Permitted
Add Rules to Allow Traffic
Restrictive
Ideal
Add Security to Block Traffic
Vulnerable
Traditional router starts off as completely vulnerable All Traffic Permitted
19
JUNOS Software for SRX-series Services Gateways

JUNOS software for SRX-series services gateways provides routing and security
Best-in-class high-performance firewall derived from ScreenOS software, including security policies and zones IPsec VPNs IDP Integration ScreenOS
SRX 5600 services gateway
SRX 5800 services gateway
20
JUNOS Software Features (1 of 2)

JUNOS software for SRX-series services gateways includes the following elements:
JUNOS software as the base operating system Session-based forwarding Some ScreenOS-like security features
Packet-based features:
Control plane OS Routing protocols Forwarding features:
Per-packet stateless filters Policers CoS
J-Web
21
JUNOS Software Features (2 of 2)

Session-based features:
Implements some ScreenOS features and functionality through the use of new daemons First packet of flow triggers session creation based on:
Source and destination IP address Source and destination port Protocol Session token
Zone-based security features

Packet on the incoming interface is associated with the incoming zone Packet on the outgoing interface is associated with the outgoing zone
Core security features:

Firewall, VPN, NAT, ALGs, IDP, and SCREEN options
22
Control Plane Versus Data Plane

Control Plane:
Implemented on the Routing Engine JUNOS software kernel, daemons, chassis management, user interface, routing protocols, system monitoring, clustering control
Data Plane:
Implemented on the IOCs and SPCs Forwarding packets, session setup and maintenance, load-balancing, security policy, screen options, IDP, VPN
23
Logical Packet Flow

Forwarding Lookup Flow Module
SCREEN D-NAT Route Zones Policy S-NAT Services Session Options ALG No Match Session ?
First Path
Yes SCREEN TCP Options NAT Services ALG
Fast Path
Per Packet Filters

Per-Packet Policers / Shapers Event Scheduler
24
Session Management
Sessions are maintained in the session hash table for packet matching and processing When no traffic matches the session during the service timeout, the session is aged out Run-time changes during the lifetime of the session might be propagated into the session
Routing changes are always propagated into the session Security policy changes are propagated based on configuration
25
Packet Flow Example (1 of 3)

10.1.10.0/24
.1 .254
Private Zone
External Zone
.254
Web Server
Internet
10.1.10.5
10.1.1.0/24
200.5.5.5
1.1.8.0/24
10.1.20.0/24 Host-B
.1
10.1.2.0/24
1.1.7.0/24
.254
1.1.70.0/24
.1 B
.254
10.1.20.5
Public Zone
1.1.70.250
26

Example:
SRC-IP
10.1.20.5
DST-IP
200.5.5.5

6 29218 80
1. Existing session?
No
Source Address
Source Port
Session Table Destination Destination Address Port
Protocol
Int
2. Destination reachable?
Yes
3. Interzone traffic?
Yes
Routing Table Network Interface 10.1.1.0/24 ge-0/0/0 10.1.2.0/24 ge-0/0/1 10.1.10.0/24 ge-0/0/0 10.1.20.0/24 ge-0/0/1 0.0.0.0/0 ge-1/0/0
Next-hop (connected) (connected) 10.1.1.254 10.1.2.254 1.1.8.254
...
Zone Table Interface Zone ge-0/0/1 ge-0/0/0 ge-0/0/3 ge-1/0/0 Private Private Public External
27

Example:
4. Permitted by policy?
Yes
From Private to External SA 10.1.0.0/16 10.1.0.0/16 10.1.0.0/16 any DA any any any any Service FTP HTTP ping any Action permit permit permit deny
5. Action: add to session table 6. Action: forward packet
Source Address 10.1.20.5 200.5.5.5
Source Port 29218 80
Session Table Destination Destination Protocol Interface Address Port 200.5.5.5 10.1.20.5 80 29218 6 6 ge-1/0/0.0 ge-0/0/1.0
SRC-IP
10.1.20.5
DST-IP
200.5.5.5

6 29218 80
28

1 Introduct To

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

1 Introduct To

Diunggah oleh

Hak Cipta:

Format Tersedia

Introduction to SRX-series Services Gateways

2009 Juniper Networks, Inc. All rights reserved.

Layer 3 Packet Forwarding (Routing)

Longest prefix match

Interface ge-0/0/1 ge-0/0/0 ge-0/0/0 ge-0/0/2 ge-0/0/2

Gateway direct direct 10.2.2.2 10.4.4.2 direct

Traditional Routing Is Promiscuous

Typically, security is treated as a luxury add-on item

Router Positioning in the Enterprise

Service Provider Network

M-series and T-series Platforms

Enterprise Head Office

Typical enterprise applications:

NAT and PAT

Stateful Packet Processing

Outgoing packet header information

+ session token = flow

Outgoing flow initiates a session table entry

Source Address 10.1.1.5 . 200.5.5.5

NAT and PAT

Protocol SRC-Port DST-Port

NAT and PAT

Virtual Private Networks

2009 Juniper Networks, Inc. All rights reserved.

Home Office/Retail Site

2009 Juniper Networks, Inc. All rights reserved.

2009 Juniper Networks, Inc. All rights reserved.

Home Office/Retail Site

2009 Juniper Networks, Inc. All rights reserved.

SRX 3600 Overview

2009 Juniper Networks, Inc. All rights reserved.

SRX 3600 Overview

Performance and capacities

2009 Juniper Networks, Inc. All rights reserved.

SRX 5600 Overview

4x10 GigE IOC

Performance and capacities

SPC 40x1 GigE IOC

SRX 5800 Overview

4x10 GigE IOC

Vertical modular chassis

Performance and capacities

Physical Packet FlowFirst Packet

IOC checks incoming packet to see if there is existing session

CP notifies IOCs of new session

FWD to egress IOC

Physical Packet FlowSubsequent Packet

IOC checks incoming packet to see if there is existing session

Because there is an existing session, packet is sent directly to SPC

FWD to egress IOC

2009 Juniper Networks, Inc. All rights reserved.

JUNOS Software Security Platforms Versus a Traditional Router

Add Security to Block Traffic

JUNOS Software for SRX-series Services Gateways

SRX 5600 services gateway

SRX 5800 services gateway

2009 Juniper Networks, Inc. All rights reserved.

JUNOS Software Features (1 of 2)

JUNOS Software Features (2 of 2)

Zone-based security features

Core security features:

Control Plane Versus Data Plane

2009 Juniper Networks, Inc. All rights reserved.