1 Introduct to ppt

Date posted: 26-Oct-2014
Uploaded by: muhammad-bilal
Introduction to SRX-series Services Gateways
Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 4-1

Transcript

Page 1: Introduction to SRX-series Services Gateways

Page 2: Routers

Traditionally, a router is used to forward packets based on a Layer 3 IP address
• Uses some type of path determination mechanism

Packet processing is stateless and promiscuous

Routers separate broadcast domains and provide WAN connectivity

Page 3: Layer 3 Packet Forwarding (Routing)

IP packets forwarded based on destination address
• Maintain routing table entries
  • Static routes
  • Dynamic routes (RIP, OSPF, BGP)
• Longest prefix match

Diagram: RTR A with [ge-0/0/1] 10.1.1.1/24 toward host 10.1.1.10, [ge-0/0/0] 10.2.2.1/24 toward next hop 10.2.2.2/24, and [ge-0/0/2] 10.4.4.1/24 toward next hop 10.4.4.2/24; destination host 10.3.3.10

Routing Table (RTR A)
Network       Interface  Gateway
10.1.1.0/24   ge-0/0/1   direct
10.2.2.0/24   ge-0/0/0   direct
10.3.3.0/24   ge-0/0/0   10.2.2.2
10.3.3.10/32  ge-0/0/2   10.4.4.2
10.4.4.0/24   ge-0/0/2   direct

Page 4: Traditional Routing Is Promiscuous

A traditional router is designed to provide stateless connectivity
• Forwards all traffic by default
• Operates at Layer 3—cannot detect security threats in higher-layer protocols
• Operates on each packet individually—cannot detect malformed sessions
• The network is immediately vulnerable

Typically, security is treated as a luxury add-on item

Diagram: router between 192.168.1.1 and 192.168.2.1

Page 5: Router Positioning in the Enterprise

Typical enterprise applications:
• M-series platform at the edge for large customers or at an enterprise head office for smaller customers
• J-series router at the edge for small-sized and medium-sized customers or at the branch of a larger customer

Diagram: Enterprise Branch 1 and Enterprise Branch 2 (J-series Router), Enterprise Head Office (M-series Router), Service Provider Network with M-series and T-series Platforms in the Core

Page 6: Firewalls

Traditionally, a standalone firewall adds enhanced security in the enterprise network

Firewall must perform:
• Stateful packet processing
  • Keeps a session or state table based on IP header and higher-level information (TCP/UDP and Application layers)
• NAT and PAT
  • Private-to-public and public-to-private translation
• VPN establishment
  • Encapsulation, authentication, and encryption

Can also implement other security elements such as SSL, IDP, ALGs, and so forth

Page 7: Stateful Packet Processing

Session table is used by outgoing and incoming packets for bidirectional communication

Stateful packet processing = flow + session token
• Outgoing flow initiates a session table entry
• Session table entry includes expected return flow

Outgoing packet header information:
SRC-IP 10.1.1.5 | DST-IP 200.5.5.5 | SRC-Port 29218 | DST-Port 80 | Protocol 6

Session Table
Source Address  Protocol  Source Port  Destination Address  Destination Port  Interface
10.1.1.5        6         29218        200.5.5.5            80                ge-1/0/1.0
200.5.5.5       6         80           10.1.1.5             29218             ge-0/0/0.0

Diagram: host 10.1.1.5 (PrivateZone) → services gateway (ge-1/0/1.0, ge-0/0/0.0) → Internet (ExternalZone) → Web Server 200.5.5.5

Page 8: NAT and PAT

NAT and PAT:
• NAT converts IP addresses
• PAT converts TCP or UDP port numbers
• Typically used at the boundary between private and public addressing

Diagram: host 10.1.1.5 on the private side (gateway 10.1.1.1) → NAT device with public address 201.1.8.1 → Internet

Before translation (private side):
SRC-IP 10.1.1.5 | DST-IP 221.1.8.5 | SRC-Port 36033 | DST-Port 80 | Protocol 6

After translation (public side):
SRC-IP 201.1.8.1 | DST-IP 221.1.8.5 | SRC-Port 1025 | DST-Port 80 | Protocol 6
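The translation shown on this slide, as an added Python example that is not Juniper's code: source NAT with PAT keeps one binding per private flow so that the reply addressed to 201.1.8.1:1025 is mapped back to 10.1.1.5:36033, while inbound packets that match no binding are dropped. The public port pool starting at 1025 and the dictionary packet format are assumptions.

```python
# Source NAT with PAT for the slide's topology: private host 10.1.1.5 behind
# public address 201.1.8.1. Constructed example, not Juniper's implementation.
PUBLIC_IP = "201.1.8.1"
FIRST_PORT = 1025                      # assumed start of the public port pool


class SourceNat:
    def __init__(self, public_ip=PUBLIC_IP, first_port=FIRST_PORT):
        self.public_ip, self.next_port = public_ip, first_port
        self.bindings = {}             # (private ip, proto, private port) -> public port
        self.reverse = {}              # (proto, public port) -> (private ip, private port)

    def outbound(self, pkt):
        """Translate a private->public packet: rewrite SRC-IP (NAT) and SRC-Port (PAT)."""
        key = (pkt["src"], pkt["proto"], pkt["sport"])
        if key not in self.bindings:   # an existing flow keeps its binding
            self.bindings[key] = self.next_port
            self.reverse[(pkt["proto"], self.next_port)] = (pkt["src"], pkt["sport"])
            self.next_port += 1
        return dict(pkt, src=self.public_ip, sport=self.bindings[key])

    def inbound(self, pkt):
        """Reverse-translate a reply; a packet with no binding (unsolicited) is dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        private = self.reverse.get((pkt["proto"], pkt["dport"]))
        if private is None:
            return None
        return dict(pkt, dst=private[0], dport=private[1])


# Outgoing packet header from the slide (constructed as a dictionary).
OUTGOING = {"src": "10.1.1.5", "dst": "221.1.8.5", "sport": 36033, "dport": 80, "proto": 6}
```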

Page 9: Virtual Private Networks

Provide secure tunnels across the Internet
• Encapsulation
• Encryption
• Authentication

Diagram (IPsec VPN): hosts 10.0.0.5 and 10.0.0.6 behind a gateway (private 10.0.0.254, public 1.1.1.1) ⇄ Internet ⇄ gateway (public 2.2.2.1, private 10.1.20.1) with hosts 10.1.20.3 and 10.1.20.4; IP Packet → Encrypted Packet → IP Packet

Page 10: Firewall Positioning

Typical firewall positioning:
• Network edge for a small office

Diagram: firewall at the Internet edge separating the Engineering Zone, Marketing Zone and Administrative Zone, with IPsec VPNs to a Branch office and a Home Office/Retail Site

Page 11: Current Trends

The current trends:
• As boundaries of networks are virtualized, so are the requirements of network edge devices
• The functions of a router and a firewall are collapsing
• More protection required at the network edge

Page 12: A New Perspective

SRX-series Services Gateways
• Integrated security and network features with robust Dynamic Services Architecture

Diagram: SRX-series services gateway at the Internet edge separating the Engineering Zone, Marketing Zone and Administrative Zone, with IPsec VPNs to a Branch Office and a Home Office/Retail Site

Page 13: SRX 3600 Overview

Horizontal modular chassis
• Redundant Routing Engine and SCB
• 6 interchangeable slots on front
• 6 interchangeable slots on back
• AC/DC power: 4 slots, hot-swappable

Front View

Page 14: SRX 3600 Overview

Horizontal modular chassis
• Maximum of seven SPCs on any slot
• Maximum of three NPCs on rear right slot

Performance and capacities
• Firewall: 30 Gbps
• IDP: 10 Gbps
• Concurrent sessions: 2.25M
• Firewall packets per second: 6 Mpps

Rear View (labels: slots 7 to 12, PEM 0 to PEM 3, RE0 and RE1 with SRX3K-RE-12-10 Routing Engine, PFE Controller, HDD/RESET/STATUS/MASTER, AUX0, USB, ONLINE, OK/FAIL)

Page 15: SRX 5600 Overview

Horizontal modular chassis
• Redundant Routing Engine and SCB
• 6 interchangeable slots
• AC/DC power: 4 slots, hot-swappable

Performance and capacities
• Firewall: 60 Gbps
• IDP: 15 Gbps
• Concurrent sessions: 4M
• New sessions per second: 350K

Diagram (8 RU chassis): Craft Interface, 4x10 GigE IOC, 40x1 GigE IOC, SPC, SCB/RE

Page 16: SRX 5800 Overview

Vertical modular chassis
• Redundant Routing Engine and SCB
• 12 interchangeable slots
• AC/DC power: 4 slots, hot-swappable

Performance and capacities
• Firewall: 120 Gbps
• IDP: 30 Gbps
• Concurrent sessions: 4M
• New sessions per second: 350K

Diagram (16 RU chassis): Craft Interface, SCB/RE, 40x1 GigE IOC, 4x10 GigE IOC, SPC

Page 17: Physical Packet Flow—First Packet

Terms:
• IOC: Media connection to networks
• SPC: Contains flow module
• CP: Performs first path processing and load-balances sessions across SPCs

Figure (IOCs, SPC serving as CP, SPCs; steps 1 to 7):
1. IOC checks incoming packet to see if there is existing session
2. Because no session exists, packet is sent to SPC serving as CP
3. Session create
4. Session install
5. Install Ack
6. CP notifies IOCs of new session
7. FWD to egress IOC; outgoing packet

Page 18: Physical Packet Flow—Subsequent Packet

Figure (IOCs, SPC serving as CP, SPCs; steps 1 to 4):
1. IOC checks incoming packet to see if there is existing session
2. Because there is an existing session, packet is sent directly to SPC
3. FWD to egress IOC
4. Outgoing packet

Page 19: JUNOS Software Security Platforms Versus a Traditional Router

Diagram: a scale from All Traffic Permitted (Vulnerable) through Ideal to No Traffic Permitted (Restrictive)
• Traditional router starts off as completely vulnerable: add security to block traffic
• JUNOS software for SRX-series services gateways starts off as completely secure: add rules to allow traffic

Page 20: JUNOS Software for SRX-series Services Gateways

JUNOS software for SRX-series services gateways provides routing and security
• Best-in-class high-performance firewall derived from ScreenOS software, including security policies and zones
• IPsec VPNs
• IDP Integration

Diagram: ScreenOS → SRX 5600 services gateway, SRX 5800 services gateway

Page 21: JUNOS Software Features (1 of 2)

JUNOS software for SRX-series services gateways includes the following elements:
• JUNOS software as the base operating system
• Session-based forwarding
• Some ScreenOS-like security features

Packet-based features:
• Control plane OS
• Routing protocols
• Forwarding features:
  • Per-packet stateless filters
  • Policers
  • CoS
• J-Web

Page 22: JUNOS Software Features (2 of 2)

Session-based features:
• Implements some ScreenOS features and functionality through the use of new daemons
• First packet of flow triggers session creation based on:
  • Source and destination IP address
  • Source and destination port
  • Protocol
  • Session token
• Zone-based security features
  • Packet on the incoming interface is associated with the incoming zone
  • Packet on the outgoing interface is associated with the outgoing zone
• Core security features:
  • Firewall, VPN, NAT, ALGs, IDP, and SCREEN options

Page 23: Control Plane Versus Data Plane

Control Plane:
• Implemented on the Routing Engine
• JUNOS software kernel, daemons, chassis management, user interface, routing protocols, system monitoring, clustering control

Data Plane:
• Implemented on the IOCs and SPCs
• Forwarding packets, session setup and maintenance, load-balancing, security policy, screen options, IDP, VPN

Page 24: Logical Packet Flow

Diagram (Flow Module): Per Packet Filters → Per-Packet Policers / Shapers → SCREEN Options → Match Session?
• No: First Path (SCREEN Options, D-NAT, Route / Forwarding Lookup, Zones, Policy, S-NAT, Services ALG, Session)
• Yes: Fast Path (SCREEN Options, TCP, NAT, Services ALG)
Event Scheduler

Page 25: Session Management

Sessions are maintained in the session hash table for packet matching and processing

When no traffic matches the session during the service timeout, the session is aged out

Run-time changes during the lifetime of the session might be propagated into the session
• Routing changes are always propagated into the session
• Security policy changes are propagated based on configuration

Page 26: Packet Flow Example (1 of 3)

Diagram: services gateway with Ge-0/0/0 (10.1.1.0/24, .1 / .254) toward 10.1.10.0/24 and Host-B 10.1.10.5, and Ge-0/0/1 (10.1.2.0/24, .1 / .254) toward 10.1.20.0/24 and host 10.1.20.5, both in the PrivateZone (router B between the gateway and the host networks); Ge-0/0/3 (1.1.70.0/24, 1.1.70.250) in the PublicZone; Ge-1/0/0 (1.1.8.0/24, .1 / .254; 1.1.7.0/24 also shown) in the ExternalZone toward the Internet and the Web Server 200.5.5.5

Page 27: Packet Flow Example (2 of 3)

Example:
1. Existing session? • No
2. Destination reachable? • Yes
3. Interzone traffic? • Yes

Packet: SRC-IP 10.1.20.5 | DST-IP 200.5.5.5 | SRC-Port 29218 | DST-Port 80 | Protocol 6

Session Table (empty)
Source Address | Protocol | Source Port | Destination Address | Destination Port | Int

Routing Table
Network       Interface  Next-hop
10.1.1.0/24   ge-0/0/0   (connected)
10.1.2.0/24   ge-0/0/1   (connected)
10.1.10.0/24  ge-0/0/0   10.1.1.254
10.1.20.0/24  ge-0/0/1   10.1.2.254
0.0.0.0/0     ge-1/0/0   1.1.8.254
...

Zone Table
Interface  Zone
ge-0/0/1   Private
ge-0/0/0   Private
ge-0/0/3   Public
ge-1/0/0   External

Page 28: Packet Flow Example (3 of 3)

Example:
4. Permitted by policy? • Yes
5. Action: add to session table
6. Action: forward packet

Packet: SRC-IP 10.1.20.5 | DST-IP 200.5.5.5 | SRC-Port 29218 | DST-Port 80 | Protocol 6

Policy: From Private to External
SA           DA   Service  Action
10.1.0.0/16  any  FTP      permit
10.1.0.0/16  any  HTTP     permit
10.1.0.0/16  any  ping     permit
any          any  any      deny

Session Table
Source Address  Protocol  Source Port  Destination Address  Destination Port  Interface
10.1.20.5       6         29218        200.5.5.5            80                ge-1/0/0.0
200.5.5.5       6         80           10.1.20.5            29218             ge-0/0/1.0
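The first-path decision the packet flow example walks through (existing session, destination reachable, zones, policy, session install, forward), as an added Python example that is not from the course material; it also covers the longest-prefix-match lookup from the routing slide and the expected-return-flow entry from the stateful processing slide. The routing table, zone table and policy rules are copied from the slides; the lookup logic, the service-to-port mapping, the default deny for a zone pair with no policy, and the omission of the ".0" interface unit suffix are my assumptions.

```python
import ipaddress

# Tables from the slides' packet flow example (pages 27 and 28). The first-path
# logic below is example code, not Junos software.
ROUTES = [("10.1.1.0/24", "ge-0/0/0", "connected"),   # (prefix, interface, next hop)
          ("10.1.2.0/24", "ge-0/0/1", "connected"),
          ("10.1.10.0/24", "ge-0/0/0", "10.1.1.254"),
          ("10.1.20.0/24", "ge-0/0/1", "10.1.2.254"),
          ("0.0.0.0/0", "ge-1/0/0", "1.1.8.254")]
ZONES = {"ge-0/0/1": "Private", "ge-0/0/0": "Private",
         "ge-0/0/3": "Public", "ge-1/0/0": "External"}
SERVICES = {"FTP": (6, 21), "HTTP": (6, 80), "ping": (1, None)}  # assumed (protocol, dst port)
POLICIES = {("Private", "External"): [("10.1.0.0/16", "any", "FTP", "permit"),
                                      ("10.1.0.0/16", "any", "HTTP", "permit"),
                                      ("10.1.0.0/16", "any", "ping", "permit"),
                                      ("any", "any", "any", "deny")]}
SESSIONS = {}  # (src, proto, sport, dst, dport) -> egress interface; one wing per direction

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def route_lookup(dst):
    """Longest prefix match over ROUTES; returns (interface, next hop) or None."""
    hits = [(ipaddress.ip_network(p).prefixlen, ifl, nh) for p, ifl, nh in ROUTES if in_net(dst, p)]
    return max(hits)[1:] if hits else None

def policy_lookup(src_zone, dst_zone, src, dst, proto, dport):
    """First matching rule wins; a zone pair with no policy is denied (assumption)."""
    for sa, da, svc, action in POLICIES.get((src_zone, dst_zone), []):
        p, port = SERVICES.get(svc, (None, None))
        if in_net(src, sa) and in_net(dst, da) and (svc == "any" or (proto == p and port in (None, dport))):
            return action
    return "deny"

def process_packet(src, dst, proto, sport, dport, in_ifl):
    """Flow module: fast path on a session hit, otherwise the slides' first-path steps."""
    key = (src, proto, sport, dst, dport)
    if key in SESSIONS:                                   # 1. existing session?
        return "fast path", SESSIONS[key]
    route = route_lookup(dst)                             # 2. destination reachable?
    if route is None:
        return "drop: no route", None
    out_ifl, _ = route
    src_zone, dst_zone = ZONES[in_ifl], ZONES[out_ifl]    # 3. zone pair (interzone in the example)
    if policy_lookup(src_zone, dst_zone, src, dst, proto, dport) != "permit":
        return "drop: policy", None                       # 4. permitted by policy?
    SESSIONS[key] = out_ifl                               # 5. add to session table, including
    SESSIONS[(dst, proto, dport, src, sport)] = in_ifl    #    the expected return flow
    return "first path", out_ifl                          # 6. forward packet
```

A telnet attempt from the same host is refused by the final deny rule, and the reply from the web server hits the return-flow wing without another policy lookup.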
