By default, three security zones come preconfigured on the SRX: the Trust zone, the Untrust zone, and the junos-global zone. It’s best to use custom zones with. While their earlier book, Junos Security, covered the SRX platform, this book focuses on the SRX Series devices themselves. You’ll learn how to use SRX. Considered the go-to study guide for Juniper Networks enterprise routing to Junos administrators—including the most recent set of flow-based security.
|Published (Last):||12 October 2011|
|PDF File Size:||3.57 Mb|
|ePub File Size:||9.82 Mb|
|Price:||Free* [*Free Regsitration Required]|
Firewalls are a staple of almost every network in the world. The firewall protects nearly every network-based transaction that occurs, and even the end user understands its metaphoric name, meant to imply reiilly out the bad stuff.
But firewalls have had to change. A firewall now has to transcend its own title, the one end users are so familiar with, into a whole new type of device and service. This new class of device is a services gateway.
And it needs to provide much more than just a firewall—it needs to look deeper into the packet and use the contained data in new ways that are advantageous to the network for which it is deployed. Can you tell if an egg is good or not by just looking at its shell?
Deep inspection from a services gateway is the new firewall of the future. What Juniper did do, however, is start from the ground up to solve the technical problems of peering deeply.
How do you not only solve the needs of your network today, but also anticipate the needs for tomorrow? Juniper spent an enormous amount of effort to create a platform that can grow over time. The scalability is built into the features, performance, and multifunction capability of the SRX Series. This chapter introduces what solutions the SRX Series can provide for your organization today, while detailing its architecture to help you anticipate and solve your problems of tomorrow.
They really raised the bar when they were introduced to the market, first by NetScreen and then by Juniper Networks. Many features might be remembered as notable, but the most important was the migration of a split firewall software and operating system OS model. Firewalls at the time of their introduction consisted of a base OS and then firewall software loaded on top.
This was flexible for the organization, since it could choose the underlying OS it was comfortable with, but when any sort of troubleshooting occurred, it led to all sorts of finger-pointing among vendors. ScreenOS provided an appliance-based approach by combining the underling OS and the features it provided. The integrated approach of ScreenOS transformed the market. Today, most vendors have migrated to an appliance-based firewall model, but it has been more than 10 years since the founding of NetScreen Technologies and its ScreenOS approach.
So, when Juniper began to plan for a totally new approach to firewall products, it did not have to look far to see its next-generation choice for an operating system: Junos became the base for the new product line called the SRX Series.
The Junos operating system has been a mainstay of Juniper and it runs on the majority of its products. The goal was to provide a robust core OS that could control the underlying chassis hardware. At that time, FreeBSD was a great choice on which to base Junos, because it provided all of the important components, including storage support, a memory controller, a kernel, and a task scheduler. The BSD license also allowed anyone to modify the source code without having to return the new code.
This allowed Juniper to modify the code as it saw fit. Junos has evolved greatly from its initial days as a spin-off of BSD. It contains millions of lines of code and an extremely strong feature set. The ScreenOS sexurity system aged gracefully over time, but it hit some important limits that prevented it from being the choice for the next-generation SRX Series products. First, ScreenOS cannot separate the running of tasks securlty the kernel.
All processes effectively run with the same privileges. Because of this, if any part of ScreenOS were to crash or fail, the entire OS would end up securigy or failing.
Second, the modular architecture of Junos allows for the addition of new services, since this was the initial intention of Junos and securuty history of its release train. ScreenOS could not compare.
Junos is one system, designed to completely rethink the jujos the network works. Its operating system helps to reduce the amount of time and effort required to plan, deploy, and operate network infrastructure. The one release train provides stable delivery of sscurity functionality in a time-tested cadence. And rfilly one modular software architecture provides highly available and scalable software that keeps up with changing needs. As you will see in this book, Junos opened up enormous possibilities and network functionality from one device.
For example, ScreenOS introduced the concept of zones to the firewall world. A zone is a logical entity that interfaces are bound to, and zones are used in security policy creation, swcurity the specification of an ingress and egress zone in the security policy.
Creating ingress and egress zones means the specified traffic can rilly pass in a specific direction. It also increases the overall speed of policy lookup, and since multiple zones are always used in a firewall, it separates the overall firewall rule base into many subsets of zone groupings. A VR allows for the creation of multiple routing tables inside the same device, providing the administrator with the ability to segregate traffic and virtualize the firewall.
Although some of the features securigy not have a one-to-one naming parity, the functionality of these features is generally replicated on the Junos platform. Junos has evolved since it was first deployed in service provider networks. Over the years, many lessons were learned regarding how to best use the device running the OS. These practices have been integrated into the SRX Series and are shared throughout this book, specifically in how to use the command-line interface CLI.
For the most part, Junos users traditionally tend to utilize the CLI for managing the platform. As strange as it may sound, even very large organizations use the CLI to manage their devices. The CLI rilly designed to be easy to utilize and navigate through, and once you are familiar with it, even large configurations are completely manageable through a simple terminal window.
In Junos, the CLI extends beyond just a simple set of commands. Third-party applications can integrate reill Junoscript or a user may even use it on the device.
Juniper Networks provides extensive training and documentation covering this feature; an example is its Day One Automation Series see http: Sometimes, getting started with such a rich platform is a daunting task, if only because thousands of commands can be used in the Junos operating teilly.
The J-Web tool is automatically installed on the SRX Series on some other Junos platforms it is an optional packageand it is enabled by default. The interface is jjunos and covers most of the important tasks for configuring a device. For large networks with many devices, we all know mass efficiency is required.
Juniper provides two tools to accomplish efficient management. This is the legacy tool that you can securitg to manage networks. Although it is still a viable platform for management, just like the evolution of ScreenOS to Junos, a newly architected platform is available.
1. Introduction to the SRX – Junos Security [Book]
This new platform is called Junos Space, junow it is designed from the ground up to be a modular platform that can integrate easily with a multitude of devices, junoss even other management systems. The goal for Junos Space is to allow for the simplified provisioning of a network. By accomplishing these tasks, Junos Space will take network management to a new level of productivity and efficiency for an organization.
Sedurity the time of this writing, Junos Space was still being finalized. Nonetheless, readers of this book will learn about the capabilities of the SRX Series using the Junos CLI from the ground up, and will be ready to apply it within Junos Space anytime they deem appropriate. The SRX Series hardware platform is a next-generation departure from the previous ScreenOS platforms, built from the ground up to provide scalable services.
Now, the question that begs to be answered is: A service is an action or actions that are applied to the network traffic passing through the SRX Series of products. Two examples of services reillly stateful firewalling and intrusion prevention.
Junos Enterprise Routing, 2nd Edition
The K products were designed primarily to provide three services: When ScreenOS was originally designed, these were the core value propositions for a firewall in a network. Since the SRX is going to be processing this jnuos, it is critical that it provides as many services as possible on the traffic in one single pass. So, the SRX provides services on the passing traffic, but it must also provide scalable services.
This is an important concept to review. This allows the administrator to better judge how the device scales under such load.
Junos Security – O’Reilly Media
Scaling under load is based on the services a device is attempting to provide and the scale it needs to achieve. The traditional device required to do all this is either a branch device, or the new, high-end data center firewall. A branch firewall needs to provide a plethora of services at a performance level typical of the available WAN speeds. A data center firewallon the other hand, needs to provide highly scalable performance.
When a firewall is placed in the core of a data center it cannot impede the performance of the entire network. Each transaction in the data center contains a considerable amount of value to the organization, and any packet loss or delay can cause financial implications.
A data center firewall requires extreme stateful firewall speeds, a high session capacity, and very fast new sessions per second. In response to these varied requirements, Juniper Networks created two product lines: Each is targeted at its specific market segments and the network needs of the device in those segments. No matter which SRX Series platform you use, or plan to use, each has a common core. One of the most powerful aspects of the Junos operating system is that only a single source code train, or pool of source code, is used to build a release of the network software.
This provides great efficiency when it comes to integrating features and providing quality assurance testing. As new products such as those in the SRX Series are created, it is easier to take previous features, such as the Junos implementation of routing, and bring them to the new platform.
Secueity same idea is implemented across the SRX Series. Where it makes sense, common features and code are shared. There are challenges to this mantra, such as the implementation of features in what is known as the Packet Forwarding Engine PFE. The PFE in each SRX Series platform typically contains different components, creating the largest barrier for feature parity across the platforms.
But as stated before, the products are designed to meet the needs of the deployment, using Junos to provide commonality. Networking products are created to solve securoty and increase efficiencies. The branch SRX Series products are designed for small to large office locations consisting of anywhere from a few individuals to hundreds of employees, representing either a small, single device requirement or a reasonably sized infrastructure.
In these locations, the firewall is typically deployed at the edge of the network, separating the users from the Internet. These products are targeted at the data center and the service provider.