Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Introduction to SRX-series Services Gateways
© 2009 Juniper Networks, Inc. All rights reserved. 2
Routers

Traditionally, a router is used to forward packets based on a Layer 3 IP address
• Uses some type of path determination mechanism
• Packet processing is stateless and promiscuous
• Routers separate broadcast domains and provide WAN connectivity
Layer 3 Packet Forwarding (Routing)

IP packets forwarded based on destination address
• Maintain routing table entries
  • Static routes
  • Dynamic routes (RIP, OSPF, BGP)
• Longest prefix match

[Figure: RTR A with interfaces ge-0/0/1 10.1.1.1/24, ge-0/0/0 10.2.2.1/24 (neighbor 10.2.2.2/24) and ge-0/0/2 10.4.4.1/24 (neighbor 10.4.4.2/24), forwarding between hosts 10.1.1.10 and 10.3.3.10]

Routing Table
Network        Interface   Gateway
10.1.1.0/24    ge-0/0/1    direct
10.2.2.0/24    ge-0/0/0    direct
10.3.3.0/24    ge-0/0/0    10.2.2.2
10.3.3.10/32   ge-0/0/2    10.4.4.2
10.4.4.0/24    ge-0/0/2    direct
Traditional Routing Is Promiscuous

A traditional router is designed to provide stateless connectivity
• Forwards all traffic by default
• Operates at Layer 3; cannot detect security threats in higher-layer protocols
• Operates on each packet individually; cannot detect malformed sessions
• The network is immediately vulnerable
Typically, security is treated as a luxury add-on item

[Figure: router forwarding between 192.168.1.1 and 192.168.2.1]
Router Positioning in the Enterprise

Typical enterprise applications:
• M-series platform at the edge for large customers or at an enterprise head office for smaller customers
• J-series router at the edge for small-sized and medium-sized customers or at the branch of a larger customer

[Figure: Enterprise Branch 1 and Enterprise Branch 2 (J-series Router) and the Enterprise Head Office (M-series Router) connected through a Service Provider Network whose core is built from M-series and T-series Platforms]
Firewalls

Traditionally, a standalone firewall adds enhanced security in the enterprise network
Firewall must perform:
• Stateful packet processing
  • Keeps a session or state table based on IP header and higher-level information (TCP/UDP and Application layers)
• NAT and PAT
  • Private-to-public and public-to-private translation
• VPN establishment
  • Encapsulation, authentication, and encryption
Can also implement other security elements such as SSL, IDP, ALGs, and so forth
Stateful Packet Processing

Session table is used by outgoing and incoming packets for bidirectional communication
• Outgoing flow initiates a session table entry
• Session table entry includes expected return flow

[Figure: host 10.1.1.5 in the Private Zone (ge-0/0/0.0) reaching the Web Server 200.5.5.5 across the Internet in the External Zone (ge-1/0/1.0)]

Outgoing packet header information (= flow) + session token:
SRC-IP     DST-IP      SRC-Port   DST-Port   Protocol
10.1.1.5   200.5.5.5   29218      80         6

Session Table
Source Address   Protocol   Source Port   Destination Address   Destination Port   Interface
10.1.1.5         6          29218         200.5.5.5             80                 ge-1/0/1.0
200.5.5.5        6          80            10.1.1.5              29218              ge-0/0/0.0
NAT and PAT

NAT and PAT:
• NAT converts IP addresses
• PAT converts TCP or UDP port numbers
• Typically used at the boundary between private and public addressing

[Figure: host 10.1.1.5 behind the Private interface 10.1.1.1 and the Public interface 201.1.8.1, reaching 221.1.8.5 on the Internet]

Private side (before translation)        Public side (after translation)
SRC-IP      10.1.1.5                     SRC-IP      201.1.8.1
DST-IP      221.1.8.5                    DST-IP      221.1.8.5
SRC-Port    36033                        SRC-Port    1025
DST-Port    80                           DST-Port    80
Protocol    6                            Protocol    6
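The translation on this slide (10.1.1.5:36033 becoming 201.1.8.1:1025 for the same destination) as an added Python model of a source NAT/PAT binding table; it is not code from the course or from Junos. PUBLIC_IP, POOL and the helper names are this example's own constructed assumptions, and the example goes beyond the slide by also handling two private hosts that use the same source port and by dropping an unsolicited inbound packet that has no binding.

```python
# Added example: source NAT with PAT for the slide's packet. PUBLIC_IP, POOL and the
# helper names are this example's own (constructed), not Junos configuration.
PUBLIC_IP = "201.1.8.1"          # public address from the slide
POOL = range(1025, 65536)        # constructed port pool; 1025 is the slide's translated port
bindings = {}   # (proto, private_ip, private_port) -> public_port
reverse = {}    # (proto, public_port) -> (private_ip, private_port)

def translate_outbound(pkt):
    """pkt = (sip, dip, proto, sport, dport); returns the packet as seen on the public side."""
    sip, dip, proto, sport, dport = pkt
    key = (proto, sip, sport)
    if key not in bindings:
        # Two private hosts may use the same source port, so allocate a free public port
        # per binding instead of reusing the private port.
        for port in POOL:
            if (proto, port) not in reverse:
                break
        else:
            raise RuntimeError("PAT pool exhausted")
        bindings[key] = port
        reverse[(proto, port)] = (sip, sport)
    return (PUBLIC_IP, dip, proto, bindings[key], dport)

def translate_inbound(pkt):
    """Undo the translation for a reply; a packet with no binding is unsolicited and is dropped (None)."""
    sip, dip, proto, sport, dport = pkt
    if dip != PUBLIC_IP or (proto, dport) not in reverse:
        return None
    priv_ip, priv_port = reverse[(proto, dport)]
    return (sip, priv_ip, proto, sport, priv_port)
```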
Virtual Private Networks

Provide secure tunnels across the Internet
• Encapsulation
• Encryption
• Authentication

[Figure: IPsec VPN between a site with Private address 10.0.0.254, Public address 1.1.1.1 and hosts 10.0.0.5 and 10.0.0.6, and a site with Private address 10.1.20.1, Public address 2.2.2.1 and hosts 10.1.20.3 and 10.1.20.4; the IP Packet is carried across the Internet as an Encrypted Packet and delivered as an IP Packet]
Firewall Positioning

Typical firewall positioning:
• Network edge for a small office

[Figure: firewall at the Internet edge with Engineering Zone, Marketing Zone and Administrative Zone behind it, and IPsec VPNs to a Branch office and a Home Office/Retail Site]
Current Trends

The current trends:
• As boundaries of networks are virtualized, so are the requirements of network edge devices
• The functions of a router and a firewall are collapsing
• More protection required at the network edge
A New Perspective

SRX-series Services Gateways
• Integrated security and network features with robust Dynamic Services Architecture

[Figure: SRX-series Services Gateway at the Internet edge with Engineering Zone, Marketing Zone and Administrative Zone behind it, and IPsec VPNs to a Branch Office and a Home Office/Retail Site]
SRX 3600 Overview

Horizontal modular chassis
• Redundant Routing Engine and SCB
• 6 interchangeable slots on front
• 6 interchangeable slots on back
• AC/DC power: 4 slots, hot-swappable

[Figure: Front View]
SRX 3600 Overview

Horizontal modular chassis
• Maximum of seven SPCs on any slot
• Maximum of three NPCs on rear right slot
Performance and capacities
• Firewall: 30 Gbps
• IDP: 10 Gbps
• Concurrent sessions: 2.25M
• Firewall packets per second: 6 MMps

[Figure: Rear View showing slots 7 to 12, PEM 0 to PEM 3, RE0 and RE1 (SRX3K-RE-12-10 Routing Engine with HDD, RESET, STATUS, MASTER, AUX, USB and ONLINE indicators) and the PFE Controller (STATUS, RESET, FAIL, OK/FAIL)]
SRX 5600 Overview

Horizontal modular chassis
• Redundant Routing Engine and SCB
• 6 interchangeable slots
• AC/DC power: 4 slots, hot-swappable
Performance and capacities
• Firewall: 60 Gbps
• IDP: 15 Gbps
• Concurrent sessions: 4M
• New sessions per second: 350K

[Figure: 8 RU chassis with Craft Interface, 4x10 GigE IOC, 40x1 GigE IOC, SPC and SCB/RE]
SRX 5800 Overview

Vertical modular chassis
• Redundant Routing Engine and SCB
• 12 interchangeable slots
• AC/DC power: 4 slots, hot-swappable
Performance and capacities
• Firewall: 120 Gbps
• IDP: 30 Gbps
• Concurrent sessions: 4M
• New sessions per second: 350K

[Figure: 16 RU chassis with Craft Interface, SCB/RE, 40x1 GigE IOC, 4x10 GigE IOC and SPC]
Physical Packet Flow—First Packet

Terms:
• IOC: Media connection to networks
• SPC: Contains flow module
• CP: Performs first path processing and load-balances sessions across SPCs

[Figure: IOCs, the SPC serving as CP, and the other SPCs, with the packet path labeled in steps 1 to 7]
1. IOC checks incoming packet to see if there is existing session
2. Because no session exists, packet is sent to SPC serving as CP
3. Session create
4. Session install
5. Install Ack
6. CP notifies IOCs of new session
7. FWD to egress IOC; outgoing packet
Physical Packet Flow—Subsequent Packet

[Figure: IOCs, the SPC serving as CP, and the other SPCs, with the packet path labeled in steps 1 to 4]
1. IOC checks incoming packet to see if there is existing session
2. Because there is an existing session, packet is sent directly to SPC
3. FWD to egress IOC
4. Outgoing packet
JUNOS Software Security Platforms Versus a Traditional Router

[Figure: a scale running from All Traffic Permitted (Vulnerable) through Ideal to No Traffic Permitted (Restrictive)]
• Traditional router starts off as completely vulnerable: add security to block traffic
• JUNOS software for SRX-series services gateways starts off as completely secure: add rules to allow traffic
JUNOS Software for SRX-series Services Gateways

JUNOS software for SRX-series services gateways provides routing and security
• Best-in-class high-performance firewall derived from ScreenOS software, including security policies and zones
• IPsec VPNs
• IDP Integration

[Figure: SRX 5600 services gateway and SRX 5800 services gateway, with ScreenOS]
JUNOS Software Features (1 of 2)

JUNOS software for SRX-series services gateways includes the following elements:
• JUNOS software as the base operating system
• Session-based forwarding
• Some ScreenOS-like security features
Packet-based features:
• Control plane OS
• Routing protocols
• Forwarding features:
  • Per-packet stateless filters
  • Policers
  • CoS
• J-Web
JUNOS Software Features (2 of 2)

Session-based features:
• Implements some ScreenOS features and functionality through the use of new daemons
• First packet of flow triggers session creation based on:
  • Source and destination IP address
  • Source and destination port
  • Protocol
  • Session token
• Zone-based security features
  • Packet on the incoming interface is associated with the incoming zone
  • Packet on the outgoing interface is associated with the outgoing zone
• Core security features:
  • Firewall, VPN, NAT, ALGs, IDP, and SCREEN options
Control Plane Versus Data Plane

Control Plane:
• Implemented on the Routing Engine
• JUNOS software kernel, daemons, chassis management, user interface, routing protocols, system monitoring, clustering control
Data Plane:
• Implemented on the IOCs and SPCs
• Forwarding packets, session setup and maintenance, load-balancing, security policy, screen options, IDP, VPN
Logical Packet Flow

[Figure: Flow Module diagram. Per-packet stages: Per Packet Filters and Per-Packet Policers / Shapers, then Match Session? If No, the First Path: SCREEN Options, D-NAT, Route, Zones, Policy, S-NAT, Services/ALG, Session. If Yes, the Fast Path: SCREEN Options, TCP, NAT, Services/ALG. Both paths lead to Forwarding Lookup, the Event Scheduler and the egress Per Packet Filters]
Session Management

Sessions are maintained in the session hash table for packet matching and processing
When no traffic matches the session during the service timeout, the session is aged out
Run-time changes during the lifetime of the session might be propagated into the session
• Routing changes are always propagated into the session
• Security policy changes are propagated based on configuration
Packet Flow Example (1 of 3)

[Figure: topology. Private Zone on Ge-0/0/0 and Ge-0/0/1: 10.1.1.0/24 (.1, .254) leading to 10.1.10.0/24 with host 10.1.10.5, and 10.1.2.0/24 (.1, .254) leading to 10.1.20.0/24 with Host-B 10.1.20.5. Public Zone on Ge-0/0/3: 1.1.7.0/24 (.1, .254) and 1.1.70.0/24 with host 1.1.70.250. External Zone on Ge-1/0/0: 1.1.8.0/24 (.254) to the Internet and the Web Server 200.5.5.5]
Packet Flow Example (2 of 3)

Example:
1. Existing session?
   • No
2. Destination reachable?
   • Yes
3. Interzone traffic?
   • Yes

Packet header
SRC-IP      DST-IP      SRC-Port   DST-Port   Protocol
10.1.20.5   200.5.5.5   29218      80         6

Session Table (no entries)
Source Address   Protocol   Source Port   Destination Address   Destination Port   Int

Routing Table
Network        Interface   Next-hop
10.1.1.0/24    ge-0/0/0    (connected)
10.1.2.0/24    ge-0/0/1    (connected)
10.1.10.0/24   ge-0/0/0    10.1.1.254
10.1.20.0/24   ge-0/0/1    10.1.2.254
0.0.0.0/0      ge-1/0/0    1.1.8.254
...

Zone Table
Interface   Zone
ge-0/0/1    Private
ge-0/0/0    Private
ge-0/0/3    Public
ge-1/0/0    External
Packet Flow Example (3 of 3)

Example:
4. Permitted by policy?
   • Yes
5. Action: add to session table
6. Action: forward packet

Packet header
SRC-IP      DST-IP      SRC-Port   DST-Port   Protocol
10.1.20.5   200.5.5.5   29218      80         6

Policy: From Private to External
SA            DA    Service   Action
10.1.0.0/16   any   FTP       permit
10.1.0.0/16   any   HTTP      permit
10.1.0.0/16   any   ping      permit
any           any   any       deny

Session Table
Source Address   Protocol   Source Port   Destination Address   Destination Port   Interface
10.1.20.5        6          29218         200.5.5.5             80                 ge-1/0/0.0
200.5.5.5        6          80            10.1.20.5             29218              ge-0/0/1.0
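The six steps of the Packet Flow Example, together with the longest-prefix match from the routing slide and the session table with its expected return flow from the Stateful Packet Processing slide, as an added Python model; this is not code from the course or from Junos. The route, zone and policy tables are transcribed from the slides, the helper names are this example's own, the session key is the 5-tuple only (the session token the slides list is not modeled), only the Private-to-External policy context is loaded, and interfaces are named by their physical name rather than the .0 logical unit shown in the session table.

```python
import ipaddress

# Tables transcribed from the slides; helper and table names are this example's own, not Junos APIs.
ROUTES = [("10.1.1.0/24", "ge-0/0/0", None), ("10.1.2.0/24", "ge-0/0/1", None),
          ("10.1.10.0/24", "ge-0/0/0", "10.1.1.254"), ("10.1.20.0/24", "ge-0/0/1", "10.1.2.254"),
          ("0.0.0.0/0", "ge-1/0/0", "1.1.8.254")]
ZONES = {"ge-0/0/1": "Private", "ge-0/0/0": "Private", "ge-0/0/3": "Public", "ge-1/0/0": "External"}
# Policy context (from-zone, to-zone) -> ordered rules (SA, DA, service as (proto, dport) or None=any, action)
POLICIES = {("Private", "External"): [
    ("10.1.0.0/16", "0.0.0.0/0", (6, 21), "permit"),    # FTP
    ("10.1.0.0/16", "0.0.0.0/0", (6, 80), "permit"),    # HTTP
    ("10.1.0.0/16", "0.0.0.0/0", (1, None), "permit"),  # ping
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny")]}
SESSIONS = {}  # 5-tuple (sip, dip, proto, sport, dport) -> egress interface of that wing

def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def route_lookup(dst):
    """Longest-prefix match; returns (egress interface, next hop or None), or None if unreachable."""
    best = None
    for prefix, ifname, nexthop in ROUTES:
        plen = ipaddress.ip_network(prefix).prefixlen
        if in_net(dst, prefix) and (best is None or plen > best[0]):
            best = (plen, ifname, nexthop)
    return best[1:] if best else None

def policy_lookup(from_zone, to_zone, pkt):
    """First matching rule in the zone-pair context wins; no match (or no context) means deny."""
    for sa, da, svc, action in POLICIES.get((from_zone, to_zone), []):
        svc_ok = svc is None or (svc[0] == pkt[2] and svc[1] in (None, pkt[4]))
        if in_net(pkt[0], sa) and in_net(pkt[1], da) and svc_ok:
            return action
    return "deny"

def process(pkt, in_if):
    """Walk the slide's steps for one packet; returns (path, action, egress interface)."""
    if pkt in SESSIONS:                               # 1. existing session? -> fast path
        return ("fast", "forward", SESSIONS[pkt])
    route = route_lookup(pkt[1])                      # 2. destination reachable?
    if route is None:
        return ("first", "drop-unreachable", None)
    out_if = route[0]
    from_zone, to_zone = ZONES[in_if], ZONES[out_if]  # 3. zone context for the policy lookup
    if policy_lookup(from_zone, to_zone, pkt) != "permit":   # 4. permitted by policy?
        return ("first", "deny", None)
    SESSIONS[pkt] = out_if                            # 5. install the forward wing ...
    SESSIONS[(pkt[1], pkt[0], pkt[2], pkt[4], pkt[3])] = in_if  # ... and the expected return flow
    return ("first", "permit", out_if)                # 6. forward the packet
```

The reply from the web server matches the second wing and takes the fast path without a second policy lookup, while a denied first packet installs nothing, so its reply would also have no session to match.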