SRX Quick Start June 2013
SRX QUICK START TRAINING
George Kaminski
Systems Engineer Tech Lead
Chapter 1: Course Introduction
SRX QUICK START TRAINING
3 Copyright 2013 Juniper Networks, Inc. www.juniper.net
INTRODUCTIONS
Before we get started
What is your name?
Where do you work?
What is your primary role in your
organization?
What kind of network experience
do you have?
What is the most important thing for
you to learn in this training session?
COURSE CONTENTS
Contents:
Chapter 1: Course Introduction
Chapter 2: Junos OS Overview
Chapter 3: Branch SRX Series Overview
Chapter 4: High-End SRX Series Overview
Chapter 5: SRX Concepts and Features
Chapter 6: Junos OS Command Line Interface (CLI) Introduction
Chapter 7: Other Security Products of Interest
Complete Hands on Labs 1 - 4
PREREQUISITES
The prerequisites for this course are the following:
Basic networking knowledge
Understanding of the OSI model and TCP/IP
Basic familiarity with the use and deployment of Firewalls, IPSec
Virtual Private Networks and Network Address Translation (NAT)
COURSE ADMINISTRATION
The basics:
Sign-in sheet
Schedule
Class times
Breaks
Lunch
Break and restroom facilities
Fire and safety procedures
Communications
Telephones and wireless devices
Internet access
EDUCATION MATERIALS
Available materials for classroom-based
and instructor-led online classes:
Lecture material
Lab guide
Lab equipment
Self-paced online courses also available
http://www.juniper.net/training/technical_education/
ADDITIONAL RESOURCES
For those who want more:
Juniper Networks Technical Assistance Center (JTAC)
http://www.juniper.net/support/requesting-support.html
Juniper Networks books
http://www.juniper.net/training/jnbooks/
Hardware and software technical
documentation
Online: http://www.juniper.net/techpubs/
Image files for offline viewing: http://www.juniper.net/techpubs/resources/cdrom.html
Certification resources
http://www.juniper.net/training/certification/resources.html
SATISFACTION FEEDBACK
To receive your certificate, you must complete the survey
Either you will receive a survey to complete at the end of class, or we
will e-mail it to you within two weeks
Completed surveys help us serve you better!
Class
Feedback
JUNIPER NETWORKS EDUCATION SERVICES CURRICULUM
Formats:
Classroom-based instructor-led technical courses
Online instructor-led technical courses
Hardware installation eLearning courses as well as technical
eLearning courses
Courses:
http://www.juniper.net/training/technical_education/
JUNIPER NETWORKS CERTIFICATION PROGRAM
Why earn a Juniper Networks certification?
Juniper Networks certification makes you stand out
Unleash your creativity across the entire network
Set yourself apart from your peers
Capitalize on the promise of the New Network
Develop and deploy the services you need
Lead the way and increase your value
Unique benefits for certified individuals
JUNIPER NETWORKS CERTIFICATION PATH
CERTIFICATION PREPARATION
Training and study resources:
Juniper Networks Certification Program website:
www.juniper.net/certification
Education Services training classes:
www.juniper.net/training
Juniper Networks documentation and white papers:
www.juniper.net/techpubs
Community:
J-Net: http://forums.juniper.net/t5/Training-Certification-and/bd-p/Training_and_Certification
Twitter: @JuniperCertify
FIND US ONLINE
http://www.juniper.net/jnet
http://www.juniper.net/facebook
http://www.juniper.net/youtube
http://www.juniper.net/twitter
Chapter 2: Junos OS Overview
SRX QUICK START TRAINING
MOVING FROM CISCO IOS TO JUNOS OS
Moving checklist:
Call realtor
Change address
Change utilities
Gas
Electric
Garbage
Find movers
Pack
No matter the cause of the move, once the move is complete,
what a difference the new place makes in your life!
JUNOS OS: THE POWER OF ONE OPERATING SYSTEM
Deployed since 1998
First high-performance network operating system
14+ years of innovation and development
Runs routing, switching, and security platforms
Reduces complexity, achieves operational excellence
Evolutionary architecture expands to new services and extends to
new platforms for tomorrow
It is time for a new network
Top 130 global service providers
96 of the Global Fortune 100
Hundreds of federal, state, and local government agencies and higher
education organizations throughout the world
THE POWER OF ONE JUNOS
Figure: one Junos OS across security, routers and switches: J Series, M Series, T Series, MX Series, SRX Series, EX Series, QFX Series.
One OS: reduces time/effort to operate network infrastructure; simplifies management
One Release Train: delivers new functionality stably; reduces OPEX
One Architecture: ensures available & scalable software for growing needs; reduces TCO
JUNOS OS MODULAR ARCHITECTURE
Independent modules
Protected memory for stability
No overwrites
Contain faults and enable
rapid isolation
Well-defined interfaces for
expansion of functions/ platforms
Kernel
Controls the modules
Manages communication
between the modules and to the PFE
Figure: control plane built on the kernel, with independent modules for Interfaces, Management, Routing, ... Module n.
JUNOS OS SEPARATE CONTROL AND FORWARDING
Supports scale for high-performance
Assures performance of each plane
Enhances resiliency
Provides options for
redundancy
Figure: control plane (Routing Engine) separated from the data plane (Packet Forwarding Engine).
JUNOS OS: THE FOUNDATION OF HIGH-PERFORMANCE NETWORKS
Figure: routing, switching, security and services delivered across data center, headquarters, campus and branch.
Chapter 3: Branch SRX Overview
SRX QUICK START TRAINING
BRANCH SRX SOLVES CUSTOMER CHALLENGES
Easy to manage all aspects with Junos, a single OS platform
Easy to activate a new security service in UTM when needed to address new concerns
Lower TCO and high performance allow IT to do more with less
Figure: All-in-One, Best Price/Performance: Next Gen Firewall, VPN, IPS, AppSecure, UTM (Anti-Virus, Anti-Spam, Web filtering), Routing / WAN, WLAN, LAN, Switching, Unified Management.
BRANCH SRX SERIES GATEWAYS: Delivering No-Compromise Services with Scale & Performance
Hardware platforms scale from 1G to 10G; Junos software across security, routing and switching.
Small office:
SRX100: fixed config, 8 x FE, 1 GB DRAM
SRX110: fixed config, VDSL2 WAN, 8 x FE, 1 GB DRAM
SRX210: WAN slot, 2 x GigE, PoE, 1 GB DRAM
Small to medium office:
SRX220: + 2 WAN slots, 8 x GigE, PoE, 1 GB DRAM
SRX240: + 4 WAN slots, 16 x GigE, PoE, 2 GB DRAM
Large branch / regional office:
SRX550 (12.1): 2 mPIM + 6 GPIM WAN slots, 10 x GigE, PoE, dual P/S, 2 GB DRAM
SRX650: + more LAN slots, dual P/S, + hot swap I/O, 2 GB DRAM
BRANCH SRX: SERVING MULTIPLE CUSTOMER NEEDS
Multi-services gateway, positioned three ways:
Secure Router: routing and WAN interfaces; firewall, VPN, NAT; in-line IPS; high availability; transparent mode; ease of use
UTM: best-of-breed Anti-Virus, Anti-Spam, Web filtering; cloud-based AV (Sophos); in-line IPS; AppSecure
NGFW: next generation firewall (AppSecure); in-line IPS; application visibility, tracking and enforcement; user-role based policies
BRANCH SRX SERVICES GATEWAYS
Model           Configuration             Content SEC H/W Acceleration   FW/IPS Performance
SRX100/SRX110   Fixed                     No                             700/60 Mbps
SRX210E         1 mini PIM slot           Optional                       850/85 Mbps
SRX220          2 mini PIM slots          Standard                       950/100 Mbps
SRX240          4 mini PIM slots          Optional                       1800/230 Mbps
SRX550          2 mini PIM, 6 GPIM slots  Standard                       5500/800 Mbps
SRX650          8 GPIM slots              Standard                       7000/900 Mbps
Highly configurable:
Fixed and modular form factors
Choice of WAN: DSL, T1 / E1, DS3
Wireless WAN and LAN
On-board modular switching
Extensive integration:
Full suite of Junos routing and switching capabilities
Unmatched security, including FW, VPN, UTM, AppSecure, UAC, and full IPS
Exceptional performance and availability:
Magnitude greater performance
Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS
Control & data plane separation, redundant processing and power
BRANCH SRX PHYSICAL INTERFACES
MPIMs (supported on SRX210/220/240/550): T1/E1, Serial, 1xGE SFP, ADSL, G.SHDSL, VDSL2, DOCSIS 3.0
GPIMs (supported on SRX550/650): 16xGE, 24xGE, 4xT1/E1, 2xT1/E1, 2x10GE SFP+/Copper, 1xDS3, 8xSFP, 8xSerial
Wireless LAN and WAN (supported across all Branch SRX platforms): AX411 dual-radio AP, WLA, WLC2; wireless WAN EVDO/HSPA/WiMAX/LTE
NEW PIMS FOR SRX550 AND SRX650
8 Port Serial GPIM (12.1R2, MAY 2012)
Synchronous speeds of 8 Mbps
Interface types supported: V.35, X.21, EIA/TIA-449, EIA/TIA-232, EIA/TIA-530, EIA/TIA-530A
Line coding: NRZ, NRZI
Uses 8 port smart connector
8 Port SFP XPIM (1Q2013, JAN 2013)
Line rate switching between ports
Supported SFPs: LX, SX, BX, T or Copper SFPs
Full set of L2 switching features
Jumbo frame support 9192B
BRANCH SRX FEATURES MATRIX
Security: Firewall, VPN, IPS, AppSecure, Antivirus, Enhanced Web filtering, Antispam
Wireless LAN and 3G/4G WAN: 802.11n; 3G/4G, WiMAX & LTE
Routing & Switching: RIP, OSPF, BGP, Multicast, IPv6; MPLS; full BGP table; J-Flow, RPM; L2 switching; PoE options
Physical Interfaces: T1/E1, Serial, DS3/E3; VDSL, ADSL, G.SHDSL; DOCSIS cable modem; Ethernet 10/100/1000 & 10G, copper or fiber
SRX100
Features SRX100
On-board Ethernet 8 x FE
Power over Ethernet (802.3af, 802.3at) None
WAN slots None
USB ports 1
Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention) No
JUNOS Software version support JUNOS 11.1
Firewall performance (Large Packets) 700 Mbps
Firewall performance (IMIX) 200 Mbps
Firewall performance (Firewall + Routing PPS 64byte) 70 Kpps
VPN Performance (AES256+SHA-1 / 3DES+SHA-1) 65 Mbps
IPS performance 60 Mbps
Connections Per Second (CPS) 2K CPS
Maximum Concurrent Sessions (512MB/1GB RAM) 16K / 32K
Antivirus performance 25Mbps
AppSecure Throughput (HTTP) 90Mbps
High Availability N/A
Ideal for small sites and managed
telecommuters
Full security features
Firewall and VPN
UTM: IPS, AppSecure, antivirus,
web-filtering, and anti-spam
UTM requires high memory version
SRX110 IDEAL SOLUTION FOR SMALL BRANCH
Features SRX 110
On-board Ethernet 8 x FE
Primary WAN VDSL2 with ADSL2 fallback
Backup WAN USB port for 3G/4G modem
Additional USB ports One (total 2)
Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention) No
Firewall performance (Large Packets) 700 Mbps
Firewall performance (IMIX) 200 Mbps
Firewall performance (Firewall + Routing PPS 64byte) 65 Kpps
VPN Performance (AES256+SHA-1 / 3DES+SHA-1) 65 Mbps
IPS performance 60 Mbps
Connections Per Second (CPS) 2K CPS
Maximum Concurrent Sessions 16 K / 32K
Antivirus performance 25Mbps
AppSecure Throughput (HTTP) 90 Mbps
High Availability N/A
Figure: SRX110 front and back views: primary VDSL WAN, backup 3G WAN via USB, additional USB port.
Designed for flexibility, investment protection, and lowest total cost of ownership (TCO).
Ideal for small branches
Full security features
Firewall and VPN
UTM: IPS, AppSecure, antivirus,
web-filtering, and anti-spam
UTM requires high memory
version
SRX210E
Features SRX210E
On-board Ethernet 2 x GE + 6 x FE
Power over Ethernet (802.3af, 802.3at) 4 ports, 50 W total
WAN slots 1 x mini PIM
USB ports (flash) 2
Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention) Yes
JUNOS Software version support JUNOS 11.1
Firewall performance (Large Packets) 850 Mbps
Firewall performance (IMIX) 250 Mbps
Firewall performance (Firewall + Routing PPS 64byte) 95 Kpps
IPSec VPN Throughput 85 Mbps
IPS performance 85 Mbps
Connections Per Second (CPS) 2,200 CPS
Maximum Concurrent Sessions (512MB/1GB RAM) 32K / 64K
Antivirus performance 25 Mbps
AppSecure Throughput (HTTP) 250 Mbps
High Availability A/A or A/P
SRX220
Features SRX220
On-board Ethernet 8 x GE
Power over Ethernet (802.3af, 802.3at) 8 ports GE, 120 W
WAN slots 2 x mini PIM
USB ports (flash) 2
Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention) Yes
JUNOS Software version support JUNOS 11.1
Firewall performance (Large Packets) 950 Mbps
Firewall performance (IMIX) 300 Mbps
Firewall performance (Firewall + Routing PPS 64byte) 125 Kpps
VPN Performance (AES256+SHA-1 / 3DES+SHA-1) 100 Mbps
IPS Performance 100 Mbps
Connections Per Second (CPS) 3K CPS
Maximum Concurrent Sessions (512MB/1GB RAM) 96K
Antivirus performance 34 Mbps
AppSecure Throughput (HTTP) 300 Mbps
High Availability A/A or A/P
Ideal for small and medium
branches
Full security features
Firewall and VPN
UTM: IPS, AppSecure,
antivirus, web-filtering, and
anti-spam
SRX240 - NOW WITH 2G MEMORY
Features SRX240
On-board Ethernet 16 x GE
Power over Ethernet (802.3af, 802.3at) 16 ports GE, 150 W
WAN slots 4 x mini PIM
USB ports (flash) 2
Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention) Yes
JUNOS Software version support JUNOS 11.4R5
Firewall performance (Large Packets) 1.8 Gbps
Firewall performance (IMIX) 600 Mbps
Firewall performance (Firewall + Routing PPS 64byte) 200 Kpps
VPN Performance (AES256+SHA-1 / 3DES+SHA-1) 300 Mbps
IPS Performance 230 Mbps
Connections Per Second (CPS) 9K CPS
Maximum Concurrent Sessions (1GB RAM/2GB RAM) 128K / 256K
Antivirus performance 85 Mbps
AppSecure Throughput (HTTP) 750 Mbps
High Availability A/A or A/P
New SKUs for SRX240 provide
additional memory
SRX240B2 1GB DRAM, 2GB Flash
SRX240H2 2GB DRAM, 2GB Flash
No changes in price, hardware
architecture or security services
Improved scalability for services
SEPT 2012
SRX550 SERVICES GATEWAY - NEW (FRS 12.1)
No-compromise services with scale and performance for the medium to large branch
Routing Performance 700 Kpps
Firewall Performance 1.7 Gbps (IMIX), 5.5 Gbps (Large packets)
AV & IDP HW Acceleration Yes
IPSec Performance 1 Gbps
Advanced Security: Firewall and VPN; UTM: IPS, antivirus, enhanced web-filtering, anti-spam; application visibility, tracking & enforcement
High Density Switching: 10 x GE on board (6 Copper, 4 SFP); modular switching with PoE
Comprehensive Routing: wide range of WAN options: 3G/LTE, T1/E1/DS3/E3, xDSL, Nx1GE, 10 GE; L2/L3 VPN, MPLS, VPLS, IPv6, v4
Business Continuity, Resiliency: HA cluster (A/A or A/P); WAN backup and redundancy; control plane, data plane separation; GPIM Online-Insertion-Removal*; optional redundant power supplies (AC and DC)
SRX550
Features SRX550
On-board Ethernet 10 x GE (6 Copper, 4 SFP)
Power over Ethernet (802.3af, 802.3at) 40 ports GE, 500 W
WAN slots 2 mPIM, 6 x GPIM
USB ports (flash) 2
Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention) Yes
JUNOS Software version support JUNOS 12.1
Firewall performance (Large Packets) 5.5 Gbps
Firewall performance (IMIX) 1.7 Gbps
Firewall performance (Firewall + Routing PPS 64byte) 700 Kpps
VPN Performance (AES256+SHA-1 / 3DES+SHA-1) 1.0 Gbps
IPS Performance 800 Mbps
Connections Per Second (CPS) 27K CPS
Maximum Concurrent Sessions (2 GB RAM) 375 K
Antivirus performance 300 Mbps
AppSecure Throughput (HTTP) 1.5 Gbps
High Availability A/A or A/P
Ideal for enterprise medium to large
branch
Ideal office-in-a-box solution for managed
services or commercial business
SRX550 offers:
Comprehensive Routing and Security
Services
High density on-board and modular
switch ports, Copper and SFP
Application Awareness and Control
Business Continuity and Resiliency
12.1
SRX650
Features SRX650
On-board Ethernet 4 x GE
Power over Ethernet (802.3af, 802.3at) 48 ports GE, 250 W or 500 W
WAN slots 8 x GPIM
USB ports (flash) 2 per processor
Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention) Yes
JUNOS Software version support JUNOS 11.1
Firewall performance (Large Packets) 7.0 Gbps
Firewall performance (IMIX) 2.5 Gbps
Firewall performance (Firewall + Routing PPS 64byte) 850 Kpps
VPN Performance (AES256+SHA-1 / 3DES+SHA-1) 1.5 Gbps
IPS Performance 1 Gbps
Connections Per Second (CPS) 35K CPS
Maximum Concurrent Sessions (512MB/1GB RAM) 512K
Antivirus performance 350 Mbps
AppSecure Throughput (HTTP) 1.9 Gbps
High Availability A/A or A/P; hot swap GPIMs, dual power
Ideal for regional sites and large
branches
Full security features
Firewall and VPN
UTM: IPS, AppSecure, antivirus, web-
filtering, and anti-spam
Modular
LAN switching
Services Routing Processors with
optional redundancy
Power supplies with optional
redundancy (at FRS)
BRANCH SRX SERIES SPECIFICATIONS
JUNIPER'S WIRELESS WAN SOLUTION: CX111
Best signal: get the 3G antenna out of the wiring closet to optimize reception*
More choices: choose a 3G/LTE USB modem or a standalone 3G bridge; choose from 90+ modems from every major manufacturer*
Higher reliability: tightly coupled system speeds wired-to-wireless failover; redundant radio hardware and provider diversity*
Figure: direct plug-in USB modem support and the CX111 bridge connecting the SRX to the carriers' 3G/4G LTE network.
* Requires bridge solution
3G/4G WIRELESS WAN UPDATE
ExpressCards form factor obsolete
GSM/HSPA+ Modem supported now
Secure Modem / Modem Cap 1H 2012
4G LTE modem support Mid 2012
No USB 3G support on 220/240/550/650
Integrated Small Package for 3G:
Now with USB modem support
Worldwide 90+ Modems supported
LTE supported now
CX111 supports SNMP based mgmt
Junos CLI based management in 11.4R2 Q1 2012
Figure: direct plug-in USB modem support for SRX100, 110 and 210E; CX111 3G/4G bridge for all SRX and other platforms.
BRANCH SRX ADVANCED SECURITY PLATFORM
Core Security: Firewall, VPN, Unified Access Control
IPS: IDP detects/stops worms, trojans, DoS (L4 & L7), scans
AppSecure with User Role FW: application level visibility and classification; application security policies tied to user roles
Enhanced Web Filtering: block access to unapproved sites; real-time threat score for each URL
Antivirus: stops viruses, file-based trojans or the spread of spyware, adware, keyloggers
Antispam: stops spam/phishing
Content Filtering: SRX Series blocks transmission of files for Data Loss Prevention
Figure: these services sit between internal threats on the LAN and external threats from the INTERNET.
J-WEB WIZARDS
Configuration Wizards: 1 Initial Device Setup, 2 Firewall, 3 NAT, 4 VPN
JavaScript and XML based with all activity executed by browser
Provides a responsive user experience
Complete Wizard UI is loaded after hitting launch button
Single commit
Reduces configuration time
NEW STARTUP WIZARD
New Startup Wizard that simplifies user configuration and reduces the time to set up a device
Guided setup (step by step)
Basic & Expert modes
Security topology (zones), security policy and license configuration
NAT
Remote/Dynamic VPN
Confirm and Apply (Commit, Import, Export)
Available on all Branch SRX platforms
JAN 2013
BRANCH SRX CERTIFICATIONS - UPDATE
Branch SRX leading the industry in the most stringent certifications for enterprise firewalls
Key certifications added this year:
Common Criteria CC EAL4
Department of Defense (DoD) certification
Testing and certification by DoD JITC for interoperability with DoD networks
Addition to Unified Capabilities Approved Product List (UC APL)
Branch SRX certified as both router and firewall; this is a first for any vendor!
ICSA Corporate Firewall and IPSec 1.3
USGv6 Firewall Profile
Chapter 4: High-End SRX Overview
SRX QUICK START TRAINING
HIGH-END SRX PLATFORMS
SRX Services Gateways: the power of one OS, one release train
Dynamic Services Architecture (DSA): scales performance, capacity and service density; world's fastest firewall and IPS
High-Speed Fabric Technology: expandable chassis; linear scalability; processing and I/O pools; industry's top performance
Carrier-Class Reliability: separation of control and data planes; redundant everything; proven operating system
SRX / HE DATA CENTER SERVICES PLATFORMS
Figure: SRX high-end platforms positioned against the NetScreen ISG1000, ISG2000, NS-5200 and NS-5400.
SRX1400: 3U, 3 CFM, 12GE or 3XGE+9GE, 1+1 PS, 10/2/2G, .5M sess [at FRS], 45kcps
SRX3400: 3U, 4+3 CFM, 8+4 GE, 2RE*, 1+1 PS, 20/8/8G, 2M sess, 175kcps
SRX3600: 5U, 6+6 CFM, 8+4 GE, 2RE*, 2+2 PS, 30/10/10G, 2M sess, 175kcps
SRX5600: 8U, 6 slot, 2RE*, 1+1 SCB, 2+2 PS, 60/15/15G, 9M sess, 350kcps
SRX5800: 16U, 12 slot, 2RE*, 2+1 SCB, 2+2 AC, 3+1 DC, 120/30/30G, 10M sess, 350kcps
Note *: Redundant REs not currently supported
Next-Gen Security Systems: scalable performance, rich standard services
Firewall, VPN, IPS, full routing, QoS, application security, role-based firewall
Extensible security services, integrated networking services
HIGH-END SRX COMPONENTS
I/O Cards (IOC)
Provide Ethernet interfaces that connect the services gateway to
your network
Network Processing Card (NPC)
Network Processing Cards (NPCs) receive inbound traffic from I/O
cards (IOCs) and direct it to the appropriate Services Processing
Card (SPC) for processing
In simple terms, think of it as a session load balancer
Services Processing Card (SPC)
Provide the processing capacity to run integrated services such as
firewall, IPsec, and IDP
HIGH-END COMPONENTS CONTINUED
Routing Engine (RE)
Runs the Junos operating system (Junos OS)
Including the software processes that maintain the routing tables, manage the routing protocols used on the services gateway, control the services gateway interfaces, control some chassis components, and provide the interface for system management and user access to the services gateway
Switch Fabric Board (SFB)
Powers on and powers off IOCs and SPCs
Controls clocking, system resets, and booting
Monitors and controls system functions, including fan speed, board
power status, and the system front panel
Provides interconnections to all the IOCs within the chassis
through the switch fabrics integrated into the SCB
HIGH-END COMPONENTS CONTINUED
Network Processing I/O Cards (NP-IOCs)
Special IOCs designed specifically for low-latency applications
Each NP-IOC has its own network processing unit (NPU), so that
traffic traversing the NP-IOC does not have to traverse the services
gateway bus to a remote network processing card (NPC)
DYNAMIC SERVICES ARCHITECTURE: SRX SERIES FULLY INTEGRATED PACKET FLOW
Figure: ingress packet, I/O Card, fabric (integrated in the SRX5000 IOC), Network Processing Card, Services Processing Cards, egress packet. Stages labelled: flow lookup, classification, DoS/DDoS policing, oversubscription control, services (FW/VPN/IDP, NAT/routing, QoS/shaping).
HIGH-END SRX SCALING AND PLANNING
The number of NPC and SPC resources dictates High-End SRX throughput and performance, e.g. the number of IPsec tunnels, IDP performance, the number of FW sessions, etc.
Generally speaking, it is the SPCs that make the real difference in terms of performance
Juniper Networks Systems Engineers and Partner SEs can assist with sizing guidelines for a given desired performance profile and application
SRX1400
3 RU modular chassis; 3 expansion slots; compact form factor modules shared with SRX3000; Junos software
Massive scale: up to 45,000 new, sustained connections per second (CPS); up to .5 million sessions [at FRS]
High performance: up to 10 Gbps firewall; up to 2 Gbps IPS; up to 2 Gbps IPSec VPN
High availability: redundant power and fans; chassis clustering (Q2 2011); modular Junos software; shared HA-control ports
SRX3000 technology: common sparing possible
Figure: SRX1400 chassis, labelled: Management Module (RE); expansion slot (IOC); 12 on-board ports (1400GE: 6+4+2 GE; 1400XGE: 3 XGE plus 6+1+2 GE); power supply FRU; redundant power supply (optional); fan tray (rear); expansion slots (NSPC or SPC+NPC); slot guide.
SRX3400
3 RU modular chassis; 7 expansion slots (4 front and 3 rear); compact form factor modules for I/O and service processing; dual, hot swappable management modules; Junos software
Massive scale: up to 175,000 new, sustained connections per second (CPS); up to 2.25 million sessions
High performance: up to 20 Gbps firewall; up to 6 Gbps IPS; up to 6 Gbps IPSec VPN
High availability: redundant power and fans; redundant management; modular Junos software
Figure: SRX3400 front and rear views, labelled: Routing Engine; expansion slots (IOC/SPC); expansion slots (SPC/NPC); power supply FRU; redundant power supply (optional); 12 on-board GbE ports; USB; 16 x 10/100/1000 I/O card; 16 x GbE SFP I/O card; 2 x 10 GigE I/O card; redundant Routing Engine (future) or SCM; Switch Fabric Board (SFB); fan tray; fan tray door; front slot guide; rear slot guide.
SRX3600: FRONT AND REAR VIEWS
5 RU modular chassis; 12 expansion slots (6 front and 6 rear); compact form factor modules for I/O and service processing; dual, hot swappable management modules; Junos software
Massive scale: up to 175,000 new, sustained connections per second (CPS); up to 2.25 million sessions
High performance: up to 30 Gbps firewall; up to 10 Gbps IPS; up to 10 Gbps IPSec VPN
High availability: redundant power and fans; redundant management; modular Junos software
Figure: SRX3600 front and rear views, labelled: Routing Engine; expansion slots (IOC/SPC); expansion slot (SPC); expansion slot (SPC/NPC); power supplies FRU; redundant power supplies (optional); 12 on-board GigE ports; USB; 16 x 10/100/1000 I/O card; 16 x GbE SFP I/O card; 2 x 10 GigE I/O card; redundant Routing Engine (future) or SCM; Switch Fabric Board (SFB); fan tray; fan tray door; front slot guide; rear slot guide.
3600 COMPONENT REVIEW
Figure: SRX3600 components, labelled: IOC 2x10GE; IOC 16xCopper; IOC 16xSFP; Switch Fabric Board (SFB); Routing Engine (RE); Services Processing Cards (SPC); Network Processing Cards (NPC) [or SPCs]; fan tray door; air intake; front slot guide; rear slot guide; dual-height SFB option cover (SRX3600 only / future).
SRX3000 CARDS
Switch Fabric Board (SFB)
High speed switch fabric (320Gbps)
Includes virtual IOC (8x10/100/1000 + 4xSFP), HA-control (2xSFP: SX, LX, LH, T) and system interface (CRAFT)
Network Processing Card (NPC)
Single Network Processor (NP) subsystem - 10Gig throughput
Services Processing Card (SPC)
Single HD-CPU subsystem (SPU) / 10Gig throughput
Routing Engine (RE)
1.2 GHz processor with 1 GB memory
Complete separation of control / data planes
Includes CPP (central PFE controller) and CB (control board)
Clustering Module (SCM)
Independent control-plane GigE switch to enable second HA-control link
Requires Junos 10.2
I/O Cards (IOC)
3 versions:
2-port 10GE-XFP (SR, LR, ER)
16-port GE-SFP (SX, LX, LH, T [10/100/1000])
16-port 10/100/1000 Copper
10Gig full-duplex throughput (oversubscribed)
SRX5600: PRODUCT OVERVIEW
8 RU modular chassis; horizontal design; 6 expansion slots; modules for flexible I/O and service processing; Junos software
Massive scale: up to 350,000 new & sustained connections per second (CPS); up to 9 million sessions
High performance: up to 60 Gbps firewall; up to 15 Gbps IPS; up to 15 Gbps IPSec VPN
High availability: redundant management modules; redundant switching fabrics; redundant fans & power supplies; modular Junos software
Figure: SRX5600 front and rear views, labelled: expansion slots (fit any module); control panel; upper fan tray; Services Processing Card; Switch Control Boards (SCBs); 40 x GbE IOC; management module; power supplies FRU.
SRX5800: PRODUCT OVERVIEW
16 RU modular chassis; vertical design; 12 expansion slots; modules for flexible I/O and service processing; Junos software
Massive scale: up to 350,000 new & sustained connections per second (CPS); up to 10 million sessions
High performance: up to 120 Gbps firewall; up to 30 Gbps IPS; up to 30 Gbps IPSec VPN
High availability: redundant management modules; redundant switching fabrics; redundant fans & power supplies; modular Junos software
Figure: SRX5800 front and rear views, labelled: control panel; air intake; lower fan tray; upper fan tray; Services Processing Card; 4 x 10GbE I/O card; 40 x GbE I/O card; management module; Switch Control Boards (SCBs); expansion slots (fit any module); power supplies FRU.
SRX QUICK START TRAINING
Chapter 5: SRX Concepts and Features
SRX SERIES: FIREWALL, ZONES, AND POLICIES
Figure: SRX between ZONE UNTRUST (INTERNET) and ZONE TRUST / ZONE TRUST2; each flow is evaluated from its originating zone, and the default policy for a zone pair is either Deny All or Allow All.
NEXTGEN DATA PLANE (FLOW THREAD)
Figure: per-packet filter and policer on ingress; the Junos flow module in the middle (match session? NO: screens, static and destination NAT, route, zones, policy, reverse static NAT, source NAT, services/ALG, install session; YES: screens, TCP, NAT, services/ALG); per-packet filter and shaper on egress.
1) Pull Packet from Queue
2) Police Packet
3) Filter Packet
4) Session Lookup
5a) No Existing Session: FW Screen Check, Static & Destination NAT, Route Lookup, Destination Zone Lookup, Policy Lookup, Reverse Static & Source NAT Setup, ALG Vector, Install Session
5b) Established Session: FW Screen Check, TCP Checks, NAT Translation, ALG Processing
6) Filter Packet
7) Shape Packet
8) Transmit Packet
FIREWALL FILTERS
Stateless filters
Applied to interfaces; can mitigate known unwanted traffic before policy lookup
Common to MX, EX, SRX Junos
[edit firewall filter SRX_Protection]
juniper@SRX5800# set term in-ssh from source-address 10.1.20.1/24
juniper@SRX5800# set term in-ssh from protocol tcp
juniper@SRX5800# set term in-ssh from destination-port ssh
juniper@SRX5800# set term in-ssh then accept
Figure: SSH from source 10.1.20.1 (any source port) arriving from the INTERNET at the SRX, with retail branch, regional and small office sites behind it.
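The flow-thread steps and the SRX_Protection filter above can be seen working together in the Python model below, added here as an example and not taken from the slides or from Junos: a stateless filter with the Junos implicit discard sits in front of a session table that takes either the first-path branch (route, zone and policy lookup, session install) or the fast path. Addresses, zone names and the single permit policy are constructed; NAT, screens and ALGs are left out.

```python
"""Toy model of the SRX flow thread and stateless filter from the slides.
Added example, not Juniper code. NAT, screens, ALG and shaping are left out."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    in_zone: str    # security zone of the ingress interface


@dataclass
class Term:
    """One term of a stateless firewall filter (a subset of the Junos match conditions)."""
    name: str
    source_prefix: Optional[str] = None
    protocol: Optional[str] = None
    dport: Optional[int] = None
    action: str = "accept"  # "accept" or "discard"

    def matches(self, pkt: Packet) -> bool:
        if self.source_prefix and ip_address(pkt.src) not in ip_network(self.source_prefix, strict=False):
            return False
        if self.protocol and pkt.proto != self.protocol:
            return False
        return self.dport is None or pkt.dport == self.dport


def apply_filter(terms: list, pkt: Packet) -> str:
    """Terms are tried top to bottom; the first match decides.
    As in Junos, a packet that matches no term hits the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.action
    return "discard"


@dataclass
class FlowModule:
    routes: dict                                  # prefix -> egress zone
    permitted: set                                # (from_zone, to_zone) pairs with a permit policy
    filter_terms: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)  # 5-tuple wing -> session id
    next_sid: int = 1

    def zone_for(self, dst: str) -> Optional[str]:
        """Longest-prefix match stands in for the route and destination-zone lookups."""
        addr, best = ip_address(dst), None
        for prefix, zone in self.routes.items():
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, zone)
        return best[1] if best else None

    def process(self, pkt: Packet) -> tuple:
        """Return (path taken, verdict) for one packet, following steps 3 to 5 of the slide."""
        if apply_filter(self.filter_terms, pkt) == "discard":
            return ("filter", "discard")          # step 3: dropped before any session work
        wing = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if wing in self.sessions:                 # step 5b: established session, fast path
            return ("fast-path", "forward")
        to_zone = self.zone_for(pkt.dst)          # step 5a: route and destination-zone lookup
        if (pkt.in_zone, to_zone) not in self.permitted:  # policy lookup; no match means deny
            return ("first-path", "drop")
        self.sessions[wing] = self.next_sid       # install session with forward and reverse wings
        self.sessions[(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)] = self.next_sid
        self.next_sid += 1
        return ("first-path", "permit")


def demo() -> dict:
    """Constructed scenario: a trust host opens SSH to an Internet host and the reply rides the session."""
    ssh_term = Term("in-ssh", "10.1.20.0/24", "tcp", 22)
    flow = FlowModule(
        routes={"0.0.0.0/0": "untrust", "10.1.20.0/24": "trust"},
        permitted={("trust", "untrust")},
        # without the final accept-all term the implicit discard would drop every other transit packet
        filter_terms=[ssh_term, Term("transit")],
    )
    results = {
        "ssh_syn": flow.process(Packet("10.1.20.1", "203.0.113.10", "tcp", 40000, 22, "trust")),
        "ssh_synack": flow.process(Packet("203.0.113.10", "10.1.20.1", "tcp", 22, 40000, "untrust")),
        "unsolicited": flow.process(Packet("198.51.100.7", "10.1.20.1", "tcp", 5555, 445, "untrust")),
    }
    results["sessions"] = len(set(flow.sessions.values()))
    # the slide's single-term filter on its own: anything but SSH from 10.1.20.0/24 is discarded
    results["implicit_discard"] = apply_filter([ssh_term], Packet("10.1.20.1", "192.0.2.53", "udp", 5353, 53, "trust"))
    return results
```

The unsolicited packet from the Internet is dropped on the first path because no untrust-to-trust policy exists, while the SSH reply never reaches policy lookup at all because the reverse wing installed by the SYN matches in the session table.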
APPLICATION LAYER GATEWAYS (ALG)
Advanced inspection of dynamic applications
Can detect negotiated ports and perform stateful inspection on dynamic applications (FTP, SIP, SCCP, H.323, MGCP, etc.)
Automatically utilized when the application is referenced within the security policy
Figure: an FTP control connection on TCP 21 negotiates a data port (PASV / PORT), here TCP 14599, which the ALG opens for the data connection; retail branch, regional and small office sites shown.
65 Copyright 2013 Juniper Networks, Inc. www.juniper.net
SCREENS
Screens mitigate known malicious activity such as DoS, DDoS and reconnaissance
Applied per zone; a default screen profile is typically bound to the untrust zone
Thresholds and parameters determine which traffic is allowed into the zone
Can drop traffic or act as a proxy for TCP connections (SYN proxy / SYN cookies for SYN floods)
Diagram: TCP SYN floods and an ICMP sweep from the Internet toward regional, retail branch and small office sites.
SCREENS
juniper@SRX5800# show security screen ids-option untrusted-internet
icmp {
    ip-sweep threshold 1000000;
    fragment;
    large;
}
ip {
    bad-option;
    record-route-option;
    timestamp-option;
    security-option;
    stream-option;
    spoofing;
    source-route-option;
    loose-source-route-option;
    strict-source-route-option;
    unknown-protocol;
}
tcp {
    syn-fin;
    fin-no-ack;
    tcp-no-flag;
    syn-frag;
    port-scan threshold 1000000;
}
The ip-sweep and port-scan thresholds are a time window in microseconds (1000 to 1000000): ten probes to different hosts or ports inside that window trip the screen, so 1000000 (one second) is the most sensitive setting, not the least.
FROM THE OVERALL ARCHITECTURE PERSPECTIVE: BEST-PRACTICE STEPS
Step 1: Establish a baseline
Step 2: Build the first line of defense
Police traffic close to the source or at ingress into aggregation network elements, e.g. at ingress into a firewall
Step 3: Build the second line of defense
Screens
IDP
Application-level IDP
Application firewall
Step 4: Build the third line of defense
Traffic-shape at the egress of the firewall
Assures legitimate traffic is not impacted
Throttles all traffic, minimizing the impact of attacks on intermediate network elements
Eliminates all recognized bad traffic
Throttles the remainder, which includes legitimate and unrecognized bad traffic
CONTRASTING SCREENS AND IDP
Screens
Protect from the outer-layer perspective
Executed before any route lookup or security policy lookup
IDP
Provides deeper packet examination
Detects protocol anomalies
Invoked after the route and security policy lookup, and only for sessions whose policy enables it
PROTECTING FROM A FIREWALL PERSPECTIVE
Diagram (steps 2, 3 and 4): traffic entering the SRX passes ingress policers and firewall filters (L3/L4), then screens (L3/L4/L5), then the stateful firewall and IPS (L4-L7); traffic exiting the SRX is shaped at egress.
ROUTING & SWITCHING
SRX can act as a full router, supporting IPv4, IPv6 and L2/L3 MPLS
Supports IPv4 RIP, OSPF, IS-IS and BGP
Layer 2 switching supported on branch SRX, not on high-end SRX:
Onboard Ethernet ports on the SRX100, SRX210 and SRX240
Multiport Gigabit Ethernet XPIM on the SRX650
Supports virtual routers and logical tunnel interfaces
Supports full Junos CoS with 8 queues per port
Can also run in transparent firewall mode, providing Layer 2 bridged firewall security
SRX PACKET FLOW
Branch SRX has three modes of operation:
Packet mode: operates like a traditional router with no session state; the mode used to support MPLS and VPLS
Flow mode: session-based fast-path lookup; the default on branch SRX
Mixed mode: branch SRX can run flow and packet mode at once, with a firewall filter selecting which traffic bypasses flow processing
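Selective packet mode on a branch SRX, as an added example (not from the deck): MPLS is switched to packet mode for the whole box and a firewall filter sends one prefix to the packet path while everything else stays in flow mode. Prefixes, filter and interface names are assumed.

```junos
## Added example, not from the deck: mixed mode on a branch SRX. Names are assumed.
## MPLS is handled in packet mode for the whole device; a change here takes effect after a reboot
set security forwarding-options family mpls mode packet-based

## Traffic from the management prefix is handed to the packet path by the packet-mode
## action; every other packet falls through to flow mode. Packet-mode traffic bypasses
## zones, security policy, NAT and screens, so keep the match as narrow as this.
set firewall family inet filter bypass-flow term mgmt from source-address 10.1.20.0/24
set firewall family inet filter bypass-flow term mgmt then packet-mode
set firewall family inet filter bypass-flow term mgmt then accept
set firewall family inet filter bypass-flow term rest then accept

## Apply on the ingress interface; the return direction needs a matching filter on the
## other interface, otherwise the reply is inspected in flow mode and dropped for lack of a session
set interfaces ge-0/0/1 unit 0 family inet filter input bypass-flow
```

show security flow session will show no session for the bypassed prefix, which is the quickest check that the filter is doing what you intended.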
SRX HIGH AVAILABILITY
Features:
Stateful failover
Active/backup control plane
Active/active data plane
Single system view
Benefits:
Maintains connection persistence and improves system resiliency for services
Load sharing across systems
Optimized for complex routing environments
TWO CHASSIS CONNECTED TOGETHER
Diagram: two nodes joined by a control-plane link (fxp1; SPC-to-SPC on high-end, a fixed port such as fe-0/0/7 on branch) and a data-plane link (fab0/fab1; IOC to IOC).
INTERFACE NUMBERING
In a cluster both nodes share one FPC numbering space. On the SRX5800 shown, node0 (RE0) owns slots 0-11 and node1 (RE1) owns slots 12-23, so the port that is ge-1/0/0 on node0 is ge-13/0/0 on node1. The slot offset is model-specific.
CHASSIS CLUSTER INTERFACES
fxp1 - control-plane interface
- Dedicated interface, model-dependent
- Dual control-plane links supported on high-end
- Carries configuration synchronization and keepalives
fab0/fab1 - data-fabric interface
- 1G or 10G, model-dependent
- Synchronizes session state via RTOs (real-time objects); also forwards Z-mode traffic, i.e. packets whose ingress and egress interfaces are on different nodes
Redundancy group (RG)
Logical grouping of redundant interfaces. The node with the higher configured priority is primary for the RG. Each monitored interface carries a weight; when the weights of a node's failed interfaces reach the threshold of 255 the RG fails over to the other node.
RETH
Redundant Ethernet interface: a virtual interface with one IP and MAC for the associated VLAN, built from one physical port per node and a member of exactly one redundancy group
CHASSIS CLUSTER DEPLOYMENTS
Active/passive: the control plane (RG0) and both data-plane groups (RG1, RG2) are primary on the same node; the other node only forwards after a failover
Active/active: the control plane is primary on one node, RG1 is primary on one node and RG2 on the other, so both nodes forward traffic
APPLICATION VISIBILITY AND CONTROL IS EASY WITH APPSECURE
Diagram: the application awareness and classification engine feeds application view, application enforcement by user role, and threat mitigation (IPS), answering four questions: what application? what user? user location? user device?
...NOW WITH USER ROLE FIREWALL
Allows different users to have different application policies based on their role and group (Junos 12.1, with MAG/UAC supplying the role mapping)
Diagram: a branch SRX applies one web-filtering profile per role:
Marketing (WF profile A): no apps blocked, anti-virus applied
Sales (WF profile B): P2P apps blocked, YouTube allowed, anti-virus applied
CEO (WF profile C): P2P and YouTube blocked, anti-virus applied
USER-ROLE FIREWALL FOR ACTIVE DIRECTORY
Diagram: client, SRX Series, Junos Pulse MAG/IC Series and Windows AD, with a corporate data center hosting apps, data, finance and video plus the Internet.
1. Domain user logs into the domain from a domain-member device
2. An unauthenticated client tries to access a resource through the SRX and is dropped
3. The SRX redirects the client to the IC for authentication using Kerberos
4. Upon successful authentication and identification of the user, the IC gets AD group membership using LDAP, maps it to roles and sends the mapping to the SRX
5. Client traffic passes through the SRX under the policy that matches its user/role
COMPREHENSIVE USER POLICY ENFORCEMENT
Advanced services: host checker; coordinated threat control; SSL tunneling; end-to-end security policy enforcement by user role and group
Rich OS support: Windows XP, Windows Vista and Windows 7; Mac OS; Linux/Solaris; thin clients via the local web portal; a broad range of smartphone OSs (iOS, Android, others)
Flexibility: agent-based deployment provides advanced functionality; agentless access gives an unintrusive, transparent user experience; the local web portal can be used for guest access or as a fallback mechanism
Runs on standard server hardware
APPLICATION VISIBILITY FOR INFORMED RISK ANALYSIS
AppTrack: monitor and track applications
View applications by protocol, web application and utilization
Analyze usage and trends
Log and report across security solutions and systems
Customize application monitoring
Web 2.0 application visibility; application usage monitoring; scalable, flexible logging and reporting
APPSECURE: BEYOND JUST FIREWALL OR APPLICATION CONTROL
AppFW: control and enforce Web 2.0 apps
Inspect ports and protocols
Control nested apps, chat, file sharing and other Web 2.0 activities
Dynamic application security; Web 2.0 policy enforcement; threat detection and prevention
Uncover apps tunneled over HTTP
Stop multiple threat types
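AppTrack and AppFW together, as an added example (not from the deck) that serves both the visibility slide and the control slide above: application tracking is switched on for the trust zone and an AppFW rule set denying the predefined P2P group is attached to the outbound policy. Zone, policy and rule-set names are assumed; the feature needs an AppSecure licence and installed application signatures.

```junos
## Added example, not from the deck. Signatures must be present before AppFW can classify:
##   request services application-identification download
##   request services application-identification install

## AppTrack: session logs carry the identified application; log at start and every 5 minutes
set security application-tracking first-update
set security application-tracking session-update-interval 5
set security zones security-zone trust application-tracking

## AppFW rule set: deny the predefined P2P group, permit everything else it identifies
set security application-firewall rule-sets outbound-appfw rule block-p2p match dynamic-application-group junos:p2p
set security application-firewall rule-sets outbound-appfw rule block-p2p then deny
set security application-firewall rule-sets outbound-appfw default-rule permit

## Attach the rule set to the outbound policy. AppFW decides only after the application is
## identified, so the first packets of every session are forwarded under the policy's
## permit; the L4 match (here any) must therefore still be as tight as the business allows.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services application-firewall rule-set outbound-appfw
set security policies from-zone trust to-zone untrust policy allow-out then log session-close
```

show security application-firewall rule-set all shows hit counts per rule, and show services application-identification application-system-cache lists the destination/port-to-application mappings the box has learned, which explains why a given flow was or was not classified.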
IPS FOR CUSTOMIZABLE PROTECTION
IPS: monitor and mitigate custom attacks
Detect and monitor suspicious behavior
Address vulnerabilities rather than the ever-changing exploits of each vulnerability (diagram: AppSecure IPS signatures cover the vulnerability; other IPSs chase individual exploits)
On-going threat protection; mobile traffic monitoring; custom attack mitigation
Tune open signatures to detect and mitigate tailored attacks
Uncover attacks carried over encrypted methods
ENHANCED WEB FILTERING
Diagram: the SRX between the internal network and the Internet queries an in-the-cloud categorization server (continuous updates, large number of URLs, category granularity, real-time threat score); the drivers are productivity, performance and security.
CUSTOMER CHOICE FOR ANTIVIRUS
On-box option: Kaspersky
Cloud-based option: Sophos
Juniper is the only vendor offering customers a choice between two market-proven antivirus solutions.
CLOUD-BASED AV SERVICE: SOPHOS LIVE PROTECTION ANTI-MALWARE FOR JUNIPER SRX
Cloud-based intelligence delivers high-performance malware protection
Effective, instant protection against malware and infected websites
Target: customers that want the performance and ease of a cloud-based antivirus solution
ANTI-SPAM
Diagram: a remote email server on the Internet (UNTRUST) sends to an email server in the DMZ or TRUST zone behind the SRX; a web proxy sits in the DMZ.
1. The SRX receives email destined for the email server, checks its local whitelist and blacklist, finds no entry and sends the address of the remote email server (the SMTP source) to the in-the-cloud anti-spam service
2. The service checks the host address against a constantly updated list and returns block, permit or log-and-permit to the SRX
3. The SRX tags the email as ***SPAM*** or lets it through; the email server can then use the tag to make supplementary decisions
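The three-step flow above in set syntax, as an added example (not from the deck): a local whitelist, the cloud (SBL) lookup with a tag-subject action, and the UTM policy bound to the inbound SMTP rule. Profile, policy, zone and address names are assumed, and the SBL feature needs an anti-spam licence.

```junos
## Added example, not from the deck: anti-spam for inbound SMTP. Names are assumed.
## Step 1a: local whitelist consulted before the cloud lookup (url-pattern objects hold the IPs)
set security utm custom-objects url-pattern trusted-mta value 192.0.2.25
set security utm feature-profile anti-spam address-whitelist trusted-mta

## Step 1b/2: query the default server-based blocklist (SBL) for senders not on a local list
set security utm feature-profile anti-spam sbl profile inbound-spam sbl-default-server

## Step 3: tag rather than block, so the mail server makes the final decision
set security utm feature-profile anti-spam sbl profile inbound-spam spam-action tag-subject
set security utm feature-profile anti-spam sbl profile inbound-spam custom-tag-string "***SPAM***"

## Bundle into a UTM policy and attach it to the inbound SMTP rule
set security utm utm-policy mail-in anti-spam smtp-profile inbound-spam
set security zones security-zone dmz address-book address mail-server 10.10.10.25/32
set security policies from-zone untrust to-zone dmz policy inbound-smtp match source-address any
set security policies from-zone untrust to-zone dmz policy inbound-smtp match destination-address mail-server
set security policies from-zone untrust to-zone dmz policy inbound-smtp match application junos-smtp
set security policies from-zone untrust to-zone dmz policy inbound-smtp then permit application-services utm-policy mail-in
set security policies from-zone untrust to-zone dmz policy inbound-smtp then log session-close
```

show security utm anti-spam statistics shows how many connections were checked, tagged or blocked; if the SRX cannot reach the SBL service the counters stall while mail still flows, so alert on that rather than assuming a quiet counter means clean mail.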
REMOTE ACCESS VPN
Dynamic VPN (SRX210 shown) with the Access Manager client
No pre-installed client: the dynamic IPsec client is downloaded automatically from the SRX web portal
Simultaneous tunnel enforcement
Automatic client upgrade capabilities
Self-provisioning
IPsec with TCP-based fallback for NAT traversal
Windows platform support: XP, Vista, Windows 2000 and Windows 7
Diagram: wired, wireless and 3G/4G wireless clients connecting over the Internet
JUNIPER WIRELESS - COMPLETE WLAN SOLUTION: WLA/WLC PRODUCT SUITE
Simple - Secure - Mobile
WLM management and access tools: RingMaster, WLM appliance, SmartPass (plan, configure, monitor, troubleshoot, report)
WLC controllers
WLA access points
APPSECURE SOFTWARE SERVICE SUITE
Application intelligence and security in the branch: understand security risks, address new user behaviors
Subscription service includes all modules and updates; the Juniper Security Lab provides 900+ application signatures
AppTrack: application visibility
AppFW: block access to risky apps; allows user-tailored policies
AppQoS: prioritize important apps; rate-limit less important apps
AppDoS: protect apps from bot attacks; allow legitimate user traffic
IPS: remediate security threats; stay current with daily signatures
(One module on the slide is marked 2H 2013.)
APPLICATION SECURITY AVAILABILITY
Availability matrix of AppTrack, AppFW, AppQoS, AppDoS and IPS on high-end SRX versus branch SRX; one cell is marked 2H 2013.
LOGICAL SYSTEMS (LSYS): HIGH-END SRX ONLY
Virtualization of many aspects of Junos, especially security policies and enforcement options, within a single high-end SRX
Complete separation of a single device into unique virtual instances, including:
Administrative separation: users in one LSYS have no visibility into, or knowledge of, any other LSYS instance running on the box
Traffic separation: network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
Resource separation: resources such as sessions, policies, zones and virtual routers can be budgeted between the LSYS instances
An evolution of ScreenOS's VSYS concept
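The three kinds of separation in set syntax, as an added example (not from the deck): a security profile budgets resources for two logical systems, each gets its own interfaces and zones, and an administrator login is confined to one of them. Names, slot numbers, addresses and budget figures are assumed.

```junos
## Added example, not from the deck: two logical systems on a high-end SRX. Names are assumed.
## Resource separation: reserved = guaranteed to the LSYS, maximum = hard cap
set system security-profile tenant-profile policy reserved 100 maximum 200
set system security-profile tenant-profile zone reserved 4 maximum 8
set system security-profile tenant-profile flow-session reserved 10000 maximum 20000
set system security-profile tenant-profile logical-system lsys-a
set system security-profile tenant-profile logical-system lsys-b

## Once security profiles are in use the root logical system needs one as well
set system security-profile root-profile policy reserved 100 maximum 500
set system security-profile root-profile root-logical-system

## Traffic separation: each LSYS owns its interfaces, zones and policies; nothing
## crosses between them unless lt- interfaces and policies on both sides allow it
set logical-systems lsys-a interfaces ge-2/0/0 unit 0 family inet address 192.0.2.1/24
set logical-systems lsys-a security zones security-zone lan interfaces ge-2/0/0.0
set logical-systems lsys-b interfaces ge-2/0/1 unit 0 family inet address 198.51.100.1/24
set logical-systems lsys-b security zones security-zone lan interfaces ge-2/0/1.0

## Administrative separation: this class is scoped to lsys-a, so alice never sees lsys-b
set system login class lsys-a-admin logical-system lsys-a
set system login class lsys-a-admin permissions all
set system login user alice class lsys-a-admin
set system login user alice authentication plain-text-password
```

The show system security-profile commands report each LSYS's usage against its budget; a commit that would push an LSYS past its maximum fails, which is the enforcement point for the resource separation the slide describes.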
SERVICES OFFLOAD, A.K.A. LOW-LATENCY FIREWALL: HIGH-END SRX ONLY
Allows latency-sensitive and normal traffic to be mixed on the same platform
When configured with services offload, the SPC pushes the session and policy decision to the NPC, and further processing is handled directly on the NPC
Available as of Junos 11.4
Supports firewall, NAT, NPU screens and QoS
No support for services that require an SPC: fragmented packets, IPS, inter-LSYS traffic
Diagram: four SPCs and four NPCs (NP + PHY); offloaded sessions are processed on the NPC without returning to an SPC.
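Services offload in set syntax, as an added example (not from the deck): offload is enabled per PIC on the IOC that carries the latency-sensitive flows, and only the policy that needs it permits with services-offload, so ordinary traffic keeps the full SPC feature set. Slot numbers, zones, addresses, the custom application and the policy name are assumed.

```junos
## Added example, not from the deck: low-latency path on an SRX5800. Names are assumed.
## Enable offload on the network processor(s) of the IOC carrying the latency-sensitive flows
set chassis fpc 3 pic 0 services-offload
set chassis fpc 3 pic 1 services-offload

## A custom application for the market-data feed so the permit stays narrow
set applications application feed-tcp protocol tcp destination-port 9000
set security zones security-zone trading address-book address trading-hosts 10.20.0.0/24
set security zones security-zone market-data address-book address feed-servers 10.30.0.0/24

## Only sessions permitted by this policy are installed on the NPC; IPS, fragments and
## inter-LSYS traffic cannot be offloaded, so do not add application-services here
set security policies from-zone trading to-zone market-data policy fast-path match source-address trading-hosts
set security policies from-zone trading to-zone market-data policy fast-path match destination-address feed-servers
set security policies from-zone trading to-zone market-data policy fast-path match application feed-tcp
set security policies from-zone trading to-zone market-data policy fast-path then permit services-offload

## Everything else between these zones takes the normal SPC path
set security policies from-zone trading to-zone market-data policy normal-path match source-address any
set security policies from-zone trading to-zone market-data policy normal-path match destination-address any
set security policies from-zone trading to-zone market-data policy normal-path match application any
set security policies from-zone trading to-zone market-data policy normal-path then permit
```

show security flow session services-offload lists only the sessions that actually took the NPC path; a session for feed-tcp that shows up in the plain show security flow session output instead means the ingress or egress port is not on an offload-enabled PIC.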
JUNOS SPACE
Diagram: Juniper applications (Network Activate, Transport Activate, QoS Design, Ethernet Design, Security Design, Virtual Control, Service Now) and third-party applications (OSS, BSS, green/energy, end-user forensics, adapters such as MTOSI and OneAPI, others) run on the Junos Space platform (network widgets, infrastructure widgets, open network application platform), which manages devices over the Device Management Interface (DMI) and exposes a RESTful web service API.
Open, extensible, standards-based (SOA)
Abstractions for generic service definitions
Purpose-built for network orchestration and automation
Carrier-grade scale
Transparent communication with all Junos devices (any device, any OS version): total management of Juniper infrastructure
Easy integration with OSS via NBI/SDK
Security Director
SECURITY THREAT RESPONSE MANAGER (STRM)
STRM supports the SRX Series Intrusion Prevention System (IPS) and AppSecure
220+ out-of-the-box report templates
Fully customizable reporting engine: creating, branding and scheduling delivery of reports
Compliance reporting packages for PCI, SOX, FISMA, GLBA and HIPAA
Reports based on control frameworks: NIST, ISO and COBIT
JUNOS SCRIPTS
Configuration automation (commit scripts): instructs Junos during the commit process
Options to provide warnings, post log messages, automatically fail the commit, or change the configuration
Operations automation (op scripts): instructs Junos as prompted by the command line and other scripts
Create custom operational commands for specific user and environment needs
Event automation (event scripts): instructs Junos what actions to take in response to events
Gather relevant troubleshooting information and correlate events from the first leading indicators
Chapter 6: Junos OS Command Line Interface (CLI) Introduction
MULTIPLE WAYS TO MANAGE!
Junos CLI over Telnet or SSH, with the commit model (use SSH; Telnet sends credentials in clear text)
JUNOScript: automated configuration and operations
J-Web: quick setup with templates, dashboard view, performance monitoring
Security Director: manage multiple devices with global, group and device-level configuration
CONFIGURATION HISTORY
Active configuration stored in /config/juniper.conf.gz
Rollback files stored in /config/juniper.conf.n.gz (n = 1-3) and /var/db/config/juniper.conf.n.gz (n = 4-49)
Diagram: configure opens a candidate initialized from the active configuration; commit makes the candidate active and pushes the previous active configuration to rollback 1 (history kept to rollback 49); rollback n reloads a stored copy into the candidate.
JUNOS OS CONFIGURATION PROCESS
Separation of configuration edit and activation
Validation checks
Version control
Automated rollback
Convenient deployment of standard configurations and policy language across the network
Diagram: load or edit produces the candidate configuration; commit runs the commit validations and commit scripts, yielding a validated configuration that becomes the active configuration; commit confirmed and rollback (1 to 49) return to an earlier active configuration.
JUNOS OS CONFIGURATION PROCESS (CONTD)
Basic steps in the configuration process:
1. Enter changes in the candidate
2. Commit the candidate
3. Candidate becomes active
THE RESCUE CONFIGURATION
A rescue configuration is designed to restore basic connectivity in the event of configuration problems
Contents are user-defined
Include a root password!
By default, there is no rescue configuration
Can be saved using J-Web or the CLI
Once saved, the rescue configuration can be activated with the CLI or a momentary push of the recessed CONFIG button
Anyone with physical access can use the button (a long press clears the configuration to factory defaults), so where physical security is weak disable its actions under chassis config-button.
CLI MODES AND FEATURE OVERVIEW
CLI operational mode: editing command lines; command completion and history; context-sensitive and documentation-based help; UNIX-style pipes
CLI configuration mode: object-oriented hierarchy; jumping between levels; candidate configuration with sanity checking; automatic rollback capability; showing portions of the configuration while configuring; saving, loading and deleting configuration files; running operational-mode commands from within configuration
CLI MODES
Operational mode: monitor and troubleshoot the software, network connectivity and router hardware
Configuration mode: configure the router, including interfaces, general routing information, routing protocols, user access and system hardware properties
user@host>          The > character identifies operational mode
[edit]
user@host#          The # character identifies configuration mode
LOGGING IN
The root user lands in the shell and must start the CLI:
host (ttyd0)
login: root
Password:
--- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
root@host% cli
root@host>
Non-root users are placed into the CLI automatically:
host (ttyd0)
login: user
Password:
--- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
user@host>
Do not forget to exit the root shell after logging out of the CLI!
CLI OPERATIONAL MODE
Execute commands (mainly) from the default CLI level (user@host>); can also execute from configuration mode with the run command
Hierarchy of commands, e.g. show ospf neighbor: the top level (clear, set, show, configure, file, help, monitor, etc.) narrows through a protocol or subsystem (bgp, ospf, rip, route, chassis, configuration, version, etc.) to a specific object (database, interface, neighbor, route, statistics, etc.), from less specific to more specific
EDITING COMMAND LINES
EMACS-style editing sequences are supported; the default VT100 terminal type also supports cursor positioning with the arrow keys
Ctrl+b: move the cursor back one character
Ctrl+a: move the cursor to the start of the line
Ctrl+f: move the cursor forward one character
Ctrl+e: move the cursor to the end of the line
COMMAND AND VARIABLE COMPLETION
Enter a space to complete a command; if the prefix is ambiguous the CLI lists the possibilities:
user@host> show i
'i' is ambiguous.
Possible completions:
  igmp                 Show Internet Group Management Protocol...
  ike                  Show Internet Key Exchange information
  interfaces           Show interface information
  ipsec                Show IP Security information
  isis                 Show Intermediate System-to-Intermediate...
user@host> show i
Use the Tab key to complete an assigned variable (a user-defined name such as a policy name):
[edit policy-options]
user@host# show policy-statement this-is-my-policy
then accept;
[edit policy-options]
user@host#
CONTEXT-SENSITIVE HELP
Type ? anywhere on the command line
user@host> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  . . .
user@host> clear ?
Possible completions:
  arp                  Clear address resolution information
  bfd                  Clear Bidirectional Forwarding Detection information
  bgp                  Clear Border Gateway Protocol information
  firewall             Clear firewall counters
  . . .
TOPICAL HELP
The help topic command provides information on general concepts
user@host> help topic interfaces ?
Possible completions:
  accept-data          Accept packets destined for virtual IP...
  accept-source-mac    Policers for specific source MAC addresses
  access-profile       Mapping peer name and secrets for CHAP
  accounting-profile   Accounting profile
  acknowledge-timer    Maximum time to wait for link...
  address              Interface address and destination prefix
  ...
user@host> help topic interfaces address
Configuring the Interface Address
You assign an address to an interface by specifying the address when
configuring the protocol family. For the inet family, you configure the
interface's IP address. For the iso family, you configure one or more
addresses for the loopback interface. For the ccc, tcc, mpls, tnp, and
vpls families, you never configure an address.
...
CONFIGURATION SYNTAX HELP
Use help reference for assistance with configuration syntax
user@host> help reference interfaces address
address
Syntax
address address {
    arp ip-address (mac | multicast-mac) mac-address;
    broadcast address;
    destination address;
    destination-profile name;
    eui-64;
    multipoint-destination address dlci dlci-identifier;
    ...
Hierarchy Level
[edit interfaces interface-name unit logical-unit-number family family],
[edit logical-routers logical-router-name interfaces interface-name unit
logical-unit-number family family]
Description
Configure the interface address.
...
USING | (PIPE)
The pipe function allows you to filter and manipulate command output Available in all modes and contexts
user@host> show route | ?
Possible completions:
count Count occurrences
display Show additional kinds of information
except Show only text that does not match a pattern
find Search for first occurrence of pattern
hold Hold text without exiting the --More-- prompt
last Display end of output only
match Show only text that matches a pattern
no-more Don't paginate output
request Make system-level requests
resolve Resolve IP addresses
save Save output text to file
trim Trim specified number of columns from start of line
user@host> show route |
ACTIVE AND CANDIDATE CONFIGURATIONS
Batch configuration model: you must commit configuration changes
Active configuration: the current operational configuration, which is also the boot-up configuration
Candidate configuration: a working copy for configuration changes, initialized from the active configuration; it becomes the active configuration upon commit
CONFIGURE PRIVATE, CONFIGURE EXCLUSIVE
Use configure private for your own copy of the candidate configuration; commit then applies only your changes
Use configure exclusive when you want to lock the candidate so that nobody else can make changes while you are in configuration mode
mike@jnpr1> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode
mike@jnpr1> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode
SHOW COMMAND
List the complete candidate from the top of configuration mode:
[edit]
mike@jnpr1# show
version "9.2R1.3";
groups {
    re0 {
        system {
            host-name jnpr1;
        }
    }
}
List a specific subset of the candidate configuration from a deeper level of the hierarchy:
[edit interfaces ge-5/0/0]
mike@jnpr1# show
gigether-options {
    flow-control;
    auto-negotiation;
}
unit 0 {
    family inet {
        address 1.2.3.4/28;
    }
}
SET COMMAND
From the top of configuration mode:
[edit]
mike@jnpr1# set system services finger
mike@jnpr1# set system services ftp
mike@jnpr1# set system services ssh
mike@jnpr1# set system services telnet
From a sublevel:
[edit system services]
mike@jnpr1# set finger
mike@jnpr1# set ftp
mike@jnpr1# set ssh
mike@jnpr1# set telnet
Either form adds:
[edit]
system {
    services {
        finger;
        ftp;
        ssh;
        telnet;
    }
}
(finger, ftp and telnet are clear-text services used here only to illustrate the syntax; on a production firewall enable ssh alone.)
DELETE COMMAND
Remove a statement along with any subordinate statements
Deleting a statement effectively returns the affected device, protocol or service to an unconfigured state
Deleting a container statement removes everything under that level of the hierarchy
[edit]
mike@jnpr1# delete system services
Now the candidate contains only:
[edit]
system {
}
COMPARE CONFIGURATIONS
Display the differences between the candidate and active
configuration
Options to show any two configurations
[edit system services]
mike@jnpr1# show | compare
- ssh;
+ telnet;
- web-management {
- http {
- port 8080;
- }
- }
COMMIT CHECK
Check that the device will accept your candidate
Validates the logic and completeness of the candidate without activating the changes
[edit]
mike@jnpr1# commit check
[edit interfaces lo0 unit 0 family inet]
  'address 192.168.69.1/24'
    Loopback addresses' prefix must be 32 bits
error: configuration check-out failed
COMMIT
Activates the candidate to become the running configuration of the device
If the validation checks find any errors, you must fix these before the candidate can become the active file
The "commit complete" message tells you that the new configuration is now active
[edit]
mike@jnpr1# commit
commit complete
[edit]
mike@jnpr1# commit
error: Policy error: Policy my-policy referenced but not defined
error: BGP: export list not applied
error: configuration check-out failed
COMMIT CONFIRMED
Automates rollback on remote devices
Commits a candidate configuration for a limited time (10 minutes by default; commit confirmed followed by a number of minutes sets a different window)
Finalize the commit by entering a second commit command
Or wait for the rollback to your previous configuration
[edit]
mike@jnpr1# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete
Broadcast Message from root@jnpr1
        (no tty) at 08:10:17 UTC
Commit was not confirmed; automatic rollback complete.
[edit]
mike@jnpr1# commit
commit complete
ROLLBACK
Use rollback (or rollback 0) to reset the candidate configuration to the currently active configuration
rollback 1 loads the previously active configuration
rollback n loads the nth previous active configuration
rollback rescue loads the previously saved rescue configuration
rollback only modifies the candidate configuration; don't forget to commit the changes!
[edit]
mike@host# rollback
load complete
[edit]
mike@host# commit
commit complete
SAVING A RESCUE CONFIGURATION
Use the request system configuration rescue [save | delete] CLI command
View it with the show system configuration rescue CLI command
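The commands from the preceding slides (rescue, configure exclusive, show | compare, commit check, commit confirmed, rollback) combined into the change workflow a practitioner uses on a remote firewall, as an added example that is not part of the deck. The policy, zone, address-book and application names, the ticket number and the prompt are assumed.

```junos
## Added example, not from the deck: safe change workflow on a remote SRX. Names are assumed.
## 1. Save a known-good rescue configuration before touching anything
mike@srx> request system configuration rescue save

## 2. Lock the candidate so nobody else's half-finished edits ride along with yours
mike@srx> configure exclusive
[edit]
mike@srx# set security zones security-zone untrust address-book address jump-host 198.51.100.10/32
mike@srx# set security zones security-zone dmz address-book address bastion 10.10.10.5/32
mike@srx# set security policies from-zone untrust to-zone dmz policy allow-bastion-ssh match source-address jump-host
mike@srx# set security policies from-zone untrust to-zone dmz policy allow-bastion-ssh match destination-address bastion
mike@srx# set security policies from-zone untrust to-zone dmz policy allow-bastion-ssh match application junos-ssh
mike@srx# set security policies from-zone untrust to-zone dmz policy allow-bastion-ssh then permit
mike@srx# set security policies from-zone untrust to-zone dmz policy allow-bastion-ssh then log session-close

## 3. Review exactly what will change, then let the parser validate it
mike@srx# show | compare
mike@srx# commit check

## 4. Activate with a 5-minute safety net: if this change locks you out, the SRX
##    rolls back on its own and you can get back in
mike@srx# commit confirmed 5 comment "allow-bastion-ssh: ticket 1234"

## 5. Prove the box is still reachable and the policy behaves as expected
mike@srx# run show security policies from-zone untrust to-zone dmz policy-name allow-bastion-ssh
mike@srx# run show security flow session destination-port 22

## 6. Only now make it permanent (a plain commit confirms the pending one)
mike@srx# commit
mike@srx# exit

## If step 5 had shown a problem instead: rollback 1 then commit, or rollback rescue then commit
```

The comment on the confirmed commit shows up in show system commit, which is how the next person (or you, at 3 a.m.) ties a rollback file back to a change ticket.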
CONFIGURATION STATEMENT HIERARCHY
[edit]
user@host# edit protocols ospf area 51 stub
[edit protocols ospf area 0.0.0.51 stub]
user@host#
The hierarchy narrows from the top (chassis, interfaces, protocols, services, system, etc.) through a protocol (bgp, isis, mpls, ospf, pim, rip, rsvp, vrrp, etc.) to its options (for ospf: area area_id, graceful-restart, overload, traffic-engineering; within an area: area-range area_range, interface, nssa, stub, etc.), from less specific to more specific.
CONFIGURATION FILE IS HIERARCHICAL
CLI commands are entered without curly brackets:
[edit system]
user@host# set services web-management http port 8080
The result is a hierarchical configuration file, complete with curly brackets:
[edit system]
user@host# show services
web-management {
    http {
        port 8080;
    }
}
[edit system]
user@host#
CONFIGURATION FILE DIFFERENCES
Change the candidate configuration:
[edit system]
user@host# set services telnet
[edit system]
user@host# delete services web-management
[edit system]
user@host# delete services ssh
Display differences between the candidate and active configurations:
user@host# show | compare
[edit system services]
-   ssh;
+   telnet;
-   web-management {
-       http {
-           port 8080;
-       }
-   }
RUN IS COOL
Use the run command to execute operational-mode CLI commands from within configuration mode; a real time-saver when testing the effect of a recent change
[edit interfaces fe-0/0/0]
lab@HongKong# set unit 0 family inet address 10.250.0.141/16
[edit interfaces fe-0/0/0]
lab@HongKong# commit
commit complete
[edit interfaces fe-0/0/0]
lab@HongKong# run ping 10.250.0.149 count 1
PING 10.250.0.149 (10.250.0.149): 56 data bytes
64 bytes from 10.250.0.149: icmp_seq=0 ttl=255 time=0.967 ms
--- 10.250.0.149 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.967/0.967/0.967/0.000 ms
USING RENAME
User-defined variables can be changed with the rename command: policy names, filter names, IP addresses, etc.
[edit interfaces fe-0/0/0]
lab@HongKong# set unit 0 family inet address 10.250.0.141/16
[edit interfaces fe-0/0/0]
lab@HongKong# show
unit 0 {
    family inet {
        address 10.250.0.141/16;
    }
}
[edit interfaces fe-0/0/0]
lab@HongKong# rename unit 0 family inet address 10.250.0.141/16 to address 10.250.0.241/16
[edit interfaces fe-0/0/0]
lab@HongKong# show
unit 0 {
    family inet {
        address 10.250.0.241/16;
    }
}
USING REPLACE
In configuration mode, replace every occurrence of a text pattern at and below the current hierarchy level:
[edit]
lab@HongKong# replace pattern 10.1.1.1 with 10.2.2.2
Chapter 7: Other Security Products of Interest
COMMITTED TO INNOVATION AND INVESTMENT
Security is core to our business at Juniper
Juniper R&D is $1.027B, or 23% of revenues, a figure no one else in the industry comes close to on a percentage basis (2011 Annual Report)
New in 2013: a differentiated approach to security with our Intrusion Deception and DDoS protection capabilities
Diagram (Infonetics Research 2012): market leader, ranked #1 and #3, in remote access SSL VPN and high-end firewalls; $1B global network security revenue; "#1 dedicated innovator"; "global powerhouse" serving customers in over 47 countries with a worldwide community of over 1000 reseller partners
OTHER SECURITY PRODUCTS OF INTEREST
Virtualized firewall solution: JunosV Firefly
Securing web portals: Junos WebApp Secure
Securing virtual machines and ESX hosts: vGW Virtual Gateway
JUNOSV FIREFLY
INTRODUCING JUNOSV FIREFLY
Juniper is delivering its industry-leading Junos OS and SRX features as a software appliance for deployment in virtualized environments
Diagram: a physical SRX running Junos beside a hypervisor hosting the VMs of Enterprise/Tenant A, with JunosV Firefly running as one of those VMs.
JUNOSV FIREFLY VISION: ADVANCED PROTECTION IN VIRTUALIZED ENVIRONMENTS
Security and routing functionality delivered as a virtual machine
Junos delivered as a virtual appliance on a choice of hypervisors; runs on standard x86 hardware
Full, proven Junos security and routing protocol suite; leverages proven SRX and VJX technology
Performance-optimized: SMP kernel and multi-threaded flowd over multiple vCPUs
Supports hypervisor VM functionality, e.g. vMotion, snapshots, HA/FT, cloning, management
Diagram of the Junos rich and extensible security stack: perimeter (firewall, VPN, NAT, network admission control); content (anti-virus, IPS with the full IDP feature set, web filtering, anti-spam); application (application awareness, identity awareness); underneath, the Junos routing protocols and SDK; management via CLI, J-Web, SNMP, Junos Space Security Design, hypervisor management and HA/FT
JUNOSV FIREFLY MANAGEMENT
JunosV Firefly device management:
Centralized management: Junos Space / Security Design, Security Insight, STRM (logging and reporting), Syslog, Traceroute
Local management: CLI, JWeb, Junos Scripts, SNMP
Junos Space Virtual Director (Firefly Virtual Director): a Junos Space platform application that offers complete lifecycle management for JunosV Firefly.
JUNOS WEBAPP SECURE
HACKER THREATS
[Timeline graphic, Jan to Dec, of threat types]
IP Scan
Scripts & Tools: generic scripts and tools against one site.
Exploits: script run against multiple sites seeking a specific vulnerability.
Targeted Scan: targets a specific site for any vulnerability.
Botnet: script loaded onto a bot network to carry out an attack.
Human Hacker: sophisticated, targeted attack (APT). Low and slow to avoid detection.
WEB APP SECURITY TECHNOLOGY
Web Application Firewall versus Web Intrusion Prevention System:
Detection: Signatures versus Tar Traps
Tracking: IP address versus browser, software and scripts
Profiling: IP address versus browser, software and scripts
Responses: Block IP versus block, warn and deceive attacker
(Notes on slide: Q1 2012; PCI Section 6.6)
THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY
Detect: Tar Traps detect threats without false positives.
Track: Track IPs, browsers, software and scripts.
Profile: Understand attackers' capabilities and intents.
Respond: Adaptive responses, including block, warn and deceive.
THE ANATOMY OF A WEB ATTACK
Phase 1, Reconnaissance: days or weeks
Phase 2, Attack Vector Establishment: weeks or months
Phase 3, Implementation: weeks or months
Phase 4, Automation: months or years
Phase 5, Maintenance: years
(Diagram label: Web App Firewall)
DETECTION BY DECEPTION
[Diagram: Client, Network Perimeter Firewall, App Server, Database; Tar Traps placed in Server Configuration, Query String Parameters and Hidden Input Fields]
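Tar traps in hidden input fields and query string parameters, as an added example of the deception approach described above (this is not Juniper code): the secret, the trap names and the sample requests are constructed, and the checker reports any trap a request returns missing, replayed or modified.

```python
import hashlib
import hmac
import secrets

# Added example, not Juniper code. Secret and trap names are constructed.
SECRET = b"constructed-example-secret"  # assumed per-deployment secret
# Assumed trap names: a hidden form field and a query-string parameter that
# the application never reads and a real browser never alters.
TRAP_NAMES = ("_aid", "debug")

def _tag(name, nonce):
    """HMAC tag binding a nonce to its trap name (truncated for brevity)."""
    msg = f"{name}:{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def make_trap(name):
    """Issue a fresh trap value: random nonce plus its authentication tag."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_tag(name, nonce)}"

def trap_is_intact(name, value):
    """True if value is an authentic, unmodified trap issued for this name."""
    nonce, sep, tag = value.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(_tag(name, nonce).encode(), tag.encode())

def issue_traps():
    """Traps to embed in one response: a hidden <input> and a link parameter."""
    return {name: make_trap(name) for name in TRAP_NAMES}

def inspect_request(issued, submitted):
    """Compare what came back with what was issued. Legitimate traffic echoes
    traps unchanged, so any difference is a high-confidence incident."""
    incidents = []
    for name, expected in issued.items():
        got = submitted.get(name)
        if got is None:
            incidents.append((name, "missing"))    # script dropped the field
        elif got == expected:
            continue                               # benign request
        elif trap_is_intact(name, got):
            incidents.append((name, "replayed"))   # token from another session
        else:
            incidents.append((name, "modified"))   # parameter tampering
    return incidents
```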
TRACK ATTACKERS BEYOND THE IP
Track IP Address
Track Browser Attacks: Persistent Token, with the capacity to persist in all browsers, including across various privacy control features.
Track Software and Script Attacks: Fingerprinting HTTP communications.
SMART PROFILE OF ATTACKER
Every attacker assigned a name
Incident history
Attacker threat level
RESPOND AND DECEIVE
[Matrix of Junos WebApp Secure responses against threat types]
Threat types: Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits
Responses: Warn attacker, Block user, Force CAPTCHA, Slow connection, Simulate broken application, Force log-out
All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
UNIFIED PROTECTION ACROSS PLATFORMS
[Diagram: App Server and Database deployed Internal, Virtualized and in the Cloud]
VGW VIRTUAL GATEWAY
MEGA TREND: SERVER VIRTUALIZATION
[Chart: Physical Server Installed Base and Logical Server Installed Base, millions of installed servers, 1996 to 2013. Source: IDC]
Capital Savings
SECURITY IMPLICATION OF VIRTUALIZATION
Physical Network: Firewall/IDS sees/protects all traffic between servers.
Virtual Network: physical security is blind to traffic between virtual machines.
[Diagram: VM1, VM2, VM3 attached to a Virtual Switch on the hypervisor of an ESX/ESXi host]
APPROACHES TO SECURING VIRTUAL NETWORKS
[Three diagrams, each showing VM1, VM2, VM3 on a vSwitch (VS) over the hypervisor of an ESX/ESXi host]
Traditional Security Agents: regular thick agent for FW & AV
VLANs & Physical Segmentation
Integrated Virtual Security: Virtual Security Layer
THE VGW ARCHITECTURE OVERVIEW
Service Provider & Enterprise Grade: three-tiered model; VMware Certified (signed binaries!); protects each VM and the hypervisor; fault-tolerant architecture (i.e., HA).
Virtualization-aware: Secure VMotion; Auto Secure detects/protects new VMs.
Granular, Tiered Defense: stateful firewall, integrated IDS, and AV; flexible policy enforcement at zone, VM group, VM or individual vNIC.
[Diagram of the vGW Engine: Virtual Center VM; VM1, VM2, VM3; Partner Server (IDS, SIM, Syslog, Netflow); Packet Data; VMware APIs; Any vSwitch (Standard, DVS, 3rd Party); Hypervisor; VMware Kernel; ESX o]