
Introduction to SRX-series Services Gateways

Copyright 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Routers

Traditionally, a router is used to forward packets based on a Layer 3 IP address:
- Uses some type of path determination mechanism
- Packet processing is stateless and promiscuous
- Routers separate broadcast domains and provide WAN connectivity

2009 Juniper Networks, Inc. All rights reserved.

Layer 3 Packet Forwarding (Routing)

- IP packets forwarded based on destination address
- Maintain routing table entries: static routes, dynamic routes (RIP, OSPF, BGP)
- Longest prefix match

Figure labels: RTR A with [ge-0/0/1] 10.1.1.1/24 (host 10.1.1.10) and [ge-0/0/0] 10.2.2.1/24 (next hop 10.2.2.2/24), destination host 10.3.3.10.

Routing Table
Network        Interface   Gateway
10.1.1.0/24    ge-0/0/1    direct
10.2.2.0/24    ge-0/0/0    direct
10.3.3.0/24    ge-0/0/0    10.2.2.2
10.3.3.10/32   ge-0/0/2    10.4.4.2
10.4.4.0/24    ge-0/0/2    direct

Traditional Routing Is Promiscuous

A traditional router is designed to provide stateless connectivity:
- Forwards all traffic by default
- Operates at Layer 3; cannot detect security threats in higher-layer protocols
- Operates on each packet individually; cannot detect malformed sessions
- The network is immediately vulnerable

Figure labels: hosts 192.168.1.1 and 192.168.2.1 connected through a traditional router.

Typically, security is treated as a luxury add-on item.

Router Positioning in the Enterprise

Figure labels: Enterprise Branch 1, Enterprise Branch 2, Service Provider Network, Core (M-series and T-series Platforms), M-series Router, J-series Router, Enterprise Head Office.

Typical enterprise applications:
- M-series platform at the edge for large customers or at an enterprise head office for smaller customers
- J-series router at the edge for small-sized and medium-sized customers or at the branch of a larger customer

Firewalls

Traditionally, a standalone firewall adds enhanced security in the enterprise network. A firewall must perform:
- Stateful packet processing: keeps a session or state table based on IP header and higher-level information (TCP/UDP and Application layers)
- NAT and PAT: private-to-public and public-to-private translation
- VPN establishment: encapsulation, authentication, and encryption
- Can also implement other security elements such as SSL, IDP, ALGs, and so forth

Stateful Packet Processing

Figure labels: host 10.1.1.5 in the Private Zone (interface ge-0/0/0.0); Web Server 200.5.5.5 on the Internet in the External Zone (interface ge-1/0/1.0).

Outgoing packet header information:
SRC-IP 10.1.1.5, DST-IP 200.5.5.5, Protocol 6, SRC-Port 29218, DST-Port 80, + session token = flow

- Outgoing flow initiates a session table entry
- Session table entry includes expected return flow

Session Table
Source Address   Source Port   Destination Address   Destination Port   Protocol   Interface
10.1.1.5         29218         200.5.5.5             80                 6          ge-1/0/1.0
200.5.5.5        80            10.1.1.5              29218              6          ge-0/0/0.0

Session table is used by outgoing and incoming packets for bidirectional communication.

NAT and PAT

NAT and PAT:
- NAT converts IP addresses
- PAT converts TCP or UDP port numbers
- Typically used at the boundary between private and public addressing

Figure labels: Private 10.1.1.1, host 10.1.1.5, Public 201.1.8.1, Internet.

Before translation (private side):
SRC-IP 10.1.1.5, DST-IP 221.1.8.5, SRC-Port 36033, DST-Port 80

After translation (public side):
SRC-IP 201.1.8.1, DST-IP 221.1.8.5, SRC-Port 1025, DST-Port 80
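Source NAT with PAT as described on this slide, as an added Python model (not JUNOS code): 10.1.1.5:36033 is rewritten to the public address 201.1.8.1 with an allocated port starting at 1025, the binding is kept so the reply from 221.1.8.5 is mapped back, and an inbound packet with no binding is dropped. The port allocator and the packet dictionary layout are this example's own assumptions.

```python
class SourceNatPat:
    """Source NAT plus port translation at a private/public boundary.

    Hypothetical model, not JUNOS code: all private hosts share one public
    address, and each (private ip, private port) pair gets its own public port.
    """

    def __init__(self, public_ip, first_port=1025):
        self.public_ip = public_ip
        self.next_port = first_port      # 1025 matches the slide's translated port
        self.out_map = {}                # (priv_ip, priv_port) -> public_port
        self.in_map = {}                 # public_port -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Rewrite SRC-IP/SRC-Port of a private-to-public packet."""
        key = (pkt["src_ip"], pkt["src_port"])
        if key not in self.out_map:      # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return dict(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Reverse the translation for a return packet; None if no binding exists."""
        if pkt["dst_ip"] != self.public_ip:
            return None
        key = self.in_map.get(pkt["dst_port"])
        if key is None:
            return None                  # unsolicited inbound: nothing to map it to
        return dict(pkt, dst_ip=key[0], dst_port=key[1])


def demo():
    # Constructed packets using the slide's addresses and ports.
    nat = SourceNatPat("201.1.8.1")
    out = {"src_ip": "10.1.1.5", "dst_ip": "221.1.8.5", "proto": 6,
           "src_port": 36033, "dst_port": 80}
    public = nat.outbound(out)                       # 201.1.8.1:1025 -> 221.1.8.5:80
    reply = {"src_ip": "221.1.8.5", "dst_ip": "201.1.8.1", "proto": 6,
             "src_port": 80, "dst_port": public["src_port"]}
    # A second host reusing source port 36033 must get a different public port.
    second = nat.outbound(dict(out, src_ip="10.1.1.6"))
    return public, nat.inbound(reply), nat.inbound(dict(reply, dst_port=2000)), second
```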

Virtual Private Networks

Provide secure tunnels across the Internet:
- Encapsulation
- Encryption
- Authentication

Figure labels: Public 1.1.1.1, Private 10.1.20.1 (hosts 10.1.20.3, 10.1.20.4), IPsec VPN, Public 2.2.2.1, Private 10.0.0.254 (hosts 10.0.0.5, 10.0.0.6); an IP Packet enters the tunnel, crosses the Internet as an Encrypted Packet, and leaves as an IP Packet.

Firewall Positioning

Typical firewall positioning: network edge for a small office.

Figure labels: Marketing Zone, Administrative Zone, Engineering Zone, Internet, IPsec VPN to Branch office, IPsec VPN to Home Office/Retail Site.

Current Trends

The current trends:
- As boundaries of networks are virtualized, so are the requirements of network edge devices
- The functions of a router and a firewall are collapsing
- More protection required at the network edge

A New Perspective

SRX-series Services Gateways: integrated security and network features with robust Dynamic Services Architecture.

Figure labels: Marketing Zone, Administrative Zone, Engineering Zone, Internet, IPsec VPN to Branch Office, IPsec VPN to Home Office/Retail Site.

SRX 5600 Overview

- Horizontal modular chassis, 8 RU
- Redundant Routing Engine and SCB
- 6 interchangeable slots
- AC/DC power: 4 slots, hot-swappable

Performance and capacities:
- Firewall: 60 Gbps
- IDP: 15 Gbps
- Concurrent sessions: 4M
- New sessions per second: 350K

Figure labels: Craft Interface, 4x10 GigE IOC, 40x1 GigE IOC, SPC, SCB/RE.

SRX 5800 Overview

- Vertical modular chassis, 16 RU
- Redundant Routing Engine and SCB
- 12 interchangeable slots
- AC/DC power: 4 slots, hot-swappable

Performance and capacities:
- Firewall: 120 Gbps
- IDP: 30 Gbps
- Concurrent sessions: 4M
- New sessions per second: 350K

Figure labels: Craft Interface, 4x10 GigE IOC, 40x1 GigE IOC, SPC, SCB/RE.

Physical Packet Flow: First Packet

1. IOC checks incoming packet to see if there is an existing session
2. Because no session exists, packet is sent to the SPC serving as CP
3. Session create
4. Session install
5. Install ack
6. CP notifies IOCs of new session
7. Forward to egress IOC; outgoing packet

Terms:
- IOC: media connection to networks
- SPC: contains flow module
- CP: performs first path processing and load-balances sessions across SPCs

Physical Packet Flow: Subsequent Packet

1. IOC checks incoming packet to see if there is an existing session
2. Because there is an existing session, packet is sent directly to the SPC
3. Forward to egress IOC
4. Outgoing packet

JUNOS Software Security Platforms Versus a Traditional Router

- JUNOS software for SRX-series services gateways starts off as completely secure: no traffic permitted (restrictive). Rules are added to allow traffic, moving toward the ideal.
- A traditional router starts off as completely vulnerable: all traffic permitted (vulnerable). Security is added to block traffic, moving toward the ideal.

JUNOS Software for SRX-series Services Gateways

JUNOS software for SRX-series services gateways provides routing and security:
- Best-in-class high-performance firewall derived from ScreenOS software, including security policies and zones
- IPsec VPNs
- IDP integration

Figure labels: ScreenOS, SRX 5600 services gateway, SRX 5800 services gateway.

JUNOS Software Features (1 of 2)

JUNOS software for SRX-series services gateways includes the following elements:
- JUNOS software as the base operating system
- Session-based forwarding
- Some ScreenOS-like security features

Packet-based features:
- Control plane: OS, routing protocols
- Forwarding features: per-packet stateless filters, policers, CoS
- J-Web

JUNOS Software Features (2 of 2)

Session-based features:
- Implements some ScreenOS features and functionality through the use of new daemons
- First packet of a flow triggers session creation based on: source and destination IP address, source and destination port, protocol, session token

Zone-based security features:
- Packet on the incoming interface is associated with the incoming zone
- Packet on the outgoing interface is associated with the outgoing zone

Core security features:
- Firewall, VPN, NAT, ALGs, IDP, and SCREEN options

Control Plane Versus Data Plane

Control plane:
- Implemented on the Routing Engine
- JUNOS software kernel, daemons, chassis management, user interface, routing protocols, system monitoring, clustering control

Data plane:
- Implemented on the IOCs and SPCs
- Forwarding packets, session setup and maintenance, load-balancing, security policy, screen options, IDP, VPN

Logical Packet Flow

Per-packet filters -> Forwarding Lookup / Flow Module -> Per-packet policers / shapers, event scheduler

Flow module:
- Session? No -> First Path: SCREEN, D-NAT, Route, Zones, Policy (No Match), S-NAT, Services ALG, Session
- Session? Yes -> Fast Path: SCREEN, TCP Options, NAT, Services ALG

Session Management

- Sessions are maintained in the session hash table for packet matching and processing
- When no traffic matches the session during the service timeout, the session is aged out
- Run-time changes during the lifetime of the session might be propagated into the session:
  - Routing changes are always propagated into the session
  - Security policy changes are propagated based on configuration
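The session table behaviour described under Stateful Packet Processing and Session Management, as an added Python model (not JUNOS code): the first packet installs the flow together with its expected return flow, packets in either direction are matched by 5-tuple, and a session with no matching traffic for the service timeout is aged out. Addresses and ports are constructed from the 10.1.1.5 to 200.5.5.5 example; the 1800-second timeout is an assumed value.

```python
from dataclasses import dataclass

# Flow key: (src_ip, src_port, dst_ip, dst_port, protocol). Addresses and
# ports are constructed from the stateful-processing slide (10.1.1.5 -> 200.5.5.5).

@dataclass(eq=False)          # eq=False keeps identity hashing for set() below
class Session:
    forward: tuple            # flow that created the session
    reverse: tuple            # expected return flow, installed at the same time
    timeout: float            # service timeout in seconds (assumed value here)
    last_seen: float

class SessionTable:
    def __init__(self):
        self._by_flow = {}    # both flow keys point at the same Session object

    def match(self, key, now):
        """Fast path: look the packet up by 5-tuple in either direction."""
        sess = self._by_flow.get(key)
        if sess is not None:
            sess.last_seen = now          # matching traffic refreshes the timer
        return sess

    def install(self, key, now, timeout=1800.0):
        """First path: install the flow and its expected return flow."""
        src, sport, dst, dport, proto = key
        sess = Session(key, (dst, dport, src, sport, proto), timeout, now)
        self._by_flow[sess.forward] = sess
        self._by_flow[sess.reverse] = sess
        return sess

    def age_out(self, now):
        """Remove sessions idle longer than their timeout; returns how many."""
        dead = [s for s in set(self._by_flow.values()) if now - s.last_seen > s.timeout]
        for s in dead:
            del self._by_flow[s.forward]
            del self._by_flow[s.reverse]
        return len(dead)

    def __len__(self):
        return len(set(self._by_flow.values()))

def demo():
    table = SessionTable()
    out = ("10.1.1.5", 29218, "200.5.5.5", 80, 6)
    first_seen = table.match(out, now=0.0) is not None       # False: no session yet
    table.install(out, now=0.0)
    back = ("200.5.5.5", 80, "10.1.1.5", 29218, 6)           # expected return flow
    stray = ("200.5.5.5", 80, "10.1.1.5", 5000, 6)           # unsolicited inbound
    return (first_seen,
            table.match(back, now=10.0) is not None,          # True: return flow matches
            table.match(stray, now=10.0) is None,             # True: no session, dropped
            table.age_out(now=10.0 + 1801),                   # 1 session aged out
            len(table))                                       # 0
```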

Packet Flow Example (1 of 3)

Figure labels (network diagram):
- Private Zone: 10.1.10.0/24 (.1, .254) with host 10.1.10.5; 10.1.1.0/24; 10.1.20.0/24 (.1) with Host-B 10.1.20.5; 10.1.2.0/24
- External Zone: 1.1.8.0/24 (.254); Internet; Web Server 200.5.5.5
- Public Zone: 1.1.7.0/24 (.254); 1.1.70.0/24 (.1, B, .254); 1.1.70.250

Packet Flow Example (2 of 3)

Example packet:
SRC-IP 10.1.20.5, DST-IP 200.5.5.5, Protocol 6, SRC-Port 29218, DST-Port 80

1. Existing session? No
   Session Table (Source Address, Source Port, Destination Address, Destination Port, Protocol, Int) has no matching entry.

2. Destination reachable? Yes
   Routing Table
   Network        Interface   Next-hop
   10.1.1.0/24    ge-0/0/0    (connected)
   10.1.2.0/24    ge-0/0/1    (connected)
   10.1.10.0/24   ge-0/0/0    10.1.1.254
   10.1.20.0/24   ge-0/0/1    10.1.2.254
   0.0.0.0/0      ge-1/0/0    1.1.8.254
   ...

3. Interzone traffic? Yes
   Zone Table
   Interface   Zone
   ge-0/0/1    Private
   ge-0/0/0    Private
   ge-0/0/3    Public
   ge-1/0/0    External

Packet Flow Example (3 of 3)

4. Permitted by policy? Yes
   Policies from Private to External
   SA             DA    Service   Action
   10.1.0.0/16    any   FTP       permit
   10.1.0.0/16    any   HTTP      permit
   10.1.0.0/16    any   ping      permit
   any            any   any       deny

5. Action: add to session table
   Session Table
   Source Address   Source Port   Destination Address   Destination Port   Protocol   Interface
   10.1.20.5        29218         200.5.5.5             80                 6          ge-1/0/0.0
   200.5.5.5        80            10.1.20.5             29218              6          ge-0/0/1.0

6. Action: forward packet
   SRC-IP 10.1.20.5, DST-IP 200.5.5.5, Protocol 6, SRC-Port 29218, DST-Port 80
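The six-step first-path decision from the Packet Flow Example, as an added Python model (not JUNOS code) that walks the slides' own routing table, zone table, and Private-to-External policies: session lookup, longest-prefix route lookup, zone pair, first-match policy, session install, and forward. The tuple/dict layout, the service mapping (TCP/21 FTP, TCP/80 HTTP, ICMP ping), and treating a zone pair with no rule set as deny are this example's assumptions.

```python
import ipaddress

# Tables transcribed from the Packet Flow Example slides; the dict/tuple
# layout is this example's own, not JUNOS configuration syntax.
ROUTES = [("10.1.1.0/24", "ge-0/0/0", "connected"), ("10.1.2.0/24", "ge-0/0/1", "connected"),
          ("10.1.10.0/24", "ge-0/0/0", "10.1.1.254"), ("10.1.20.0/24", "ge-0/0/1", "10.1.2.254"),
          ("0.0.0.0/0", "ge-1/0/0", "1.1.8.254")]
ZONES = {"ge-0/0/1": "Private", "ge-0/0/0": "Private", "ge-0/0/3": "Public", "ge-1/0/0": "External"}
SERVICES = {(6, 21): "FTP", (6, 80): "HTTP", (1, None): "ping"}   # (protocol, dst port), assumed
POLICIES = {("Private", "External"): [      # evaluated top down, first match wins
    ("10.1.0.0/16", "any", "FTP", "permit"), ("10.1.0.0/16", "any", "HTTP", "permit"),
    ("10.1.0.0/16", "any", "ping", "permit"), ("any", "any", "any", "deny")]}

def route_lookup(dst):
    """Step 2: longest prefix match; returns (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in ROUTES if addr in ipaddress.ip_network(r[0])]
    best = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1], best[2]

def _matches(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def policy_lookup(from_zone, to_zone, src, dst, service):
    """Step 4: first matching rule for the zone pair; no rule set means deny (assumed)."""
    for sa, da, svc, action in POLICIES.get((from_zone, to_zone), []):
        if _matches(src, sa) and _matches(dst, da) and svc in ("any", service):
            return action
    return "deny"

def process(pkt, sessions):
    """Steps 1-6 for one packet; `sessions` is the session table (a set of 5-tuples)."""
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
    if key in sessions:                                   # 1. existing session? -> fast path
        return "fast-path", None
    egress, _ = route_lookup(pkt["dst"])                  # 2. destination reachable?
    from_zone, to_zone = ZONES[pkt["in_if"]], ZONES[egress]   # 3. zone pair (interzone?)
    port = pkt["dport"] if pkt["proto"] != 1 else None
    service = SERVICES.get((pkt["proto"], port), "other")
    action = policy_lookup(from_zone, to_zone, pkt["src"], pkt["dst"], service)
    if action == "permit":                                # 5. add both directions to session table
        sessions.add(key)
        sessions.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"]))
        return "permit", egress                           # 6. forward out the egress interface
    return "deny", None
```

The default route 0.0.0.0/0 is always a candidate in route_lookup, so every destination resolves to some egress interface, exactly as in the slide's routing table.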