By default, three security zones come preconfigured on the SRX: the Trust zone, the Untrust zone, and the junos-global zone. It’s best to use custom zones with. While their earlier book, Junos Security, covered the SRX platform, this book focuses on the SRX Series devices themselves. You’ll learn how to use SRX. Considered the go-to study guide for Juniper Networks enterprise routing to Junos administrators—including the most recent set of flow-based security.
| Published (Last): | 14 December 2008 |
| PDF File Size: | 11.94 Mb |
| ePub File Size: | 17.86 Mb |
| Price: | Free* [*Free Registration Required] |
Firewalls are a staple of almost every network in the world. The firewall protects nearly every network-based transaction that occurs, and even the end user understands its metaphoric name, meant to imply keeping out the bad stuff.
But firewalls have had to change. A firewall now has to transcend its own title, the one end users are so familiar with, into a whole new type of device and service. This new class of device is a services gateway. And it needs to provide much more than just a firewall—it needs to look deeper into the packet and use the contained data in new ways that are advantageous to the network for which it is deployed.
Can you tell if an egg is good or not by just looking at its shell? Deep inspection from a services gateway is the new firewall of the future. What Juniper did do, however, is start from the ground up to solve the technical problems of peering deeply. How do you not only solve the needs of your network today, but also anticipate the needs for tomorrow? Juniper spent an enormous amount of effort to create a platform that can grow over time.
The scalability is built into the features, performance, and multifunction capability of the SRX Series. This chapter introduces what solutions the SRX Series can provide for your organization today, while detailing its architecture to help you anticipate and solve your problems of tomorrow.
They really raised the bar when they were introduced to the market, first by NetScreen and then by Juniper Networks.
Many features will be remembered as notable, but the most important was the migration away from a split firewall software and operating system (OS) model.
Firewalls at the time of their introduction consisted of a base OS and then firewall software loaded on top. This was flexible for the organization, since it could choose the underlying OS it was comfortable with, but when any sort of troubleshooting occurred, it led to all sorts of finger-pointing among vendors.
ScreenOS provided an appliance-based approach by combining the underlying OS and the features it provided. The integrated approach of ScreenOS transformed the firewall market.
Today, most vendors have migrated to an appliance-based firewall model, but it has been many years since the founding of NetScreen Technologies and its ScreenOS approach. So, when Juniper began to plan for a totally new approach to firewall products, it did not have to look far to see its next-generation choice for an operating system: Junos became the base for the new product line called the SRX Series. The Junos operating system has been a mainstay of Juniper and it runs on the majority of its products.
The goal was to provide a robust core OS that could control the underlying chassis hardware. At that time, FreeBSD was a great choice on which to base Junos, because it provided all of the important components, including storage support, a memory controller, a kernel, and a task scheduler.
The BSD license also allowed anyone to modify the source code without having to return the new code. This allowed Juniper to modify the code as it saw fit. Junos has evolved greatly from its initial days as a spin-off of BSD. It contains millions of lines of code and an extremely strong feature set.
The ScreenOS operating system evolved gracefully over time, but it hit some important limits that prevented it from being the choice for the next-generation SRX Series products.
First, ScreenOS cannot separate the running of tasks from the kernel. All processes effectively run with the same privileges. Because of this, if any part of ScreenOS were to crash or fail, the entire OS would end up crashing or failing. Second, the modular architecture of Junos allows for the addition of new services, since this was the initial intention of Junos and the history of its release train.
ScreenOS could not compare. Junos is one system, designed to completely rethink the way the network works. Its operating system helps to reduce the amount of time and effort required to plan, deploy, and operate network infrastructure. The one release train provides stable delivery of new functionality in a time-tested cadence. And its modular software architecture provides highly available and scalable software that keeps up with changing needs.
As you will see in this book, Junos opened up enormous possibilities and network functionality from one device.
For example, ScreenOS introduced the concept of zones to the firewall world. A zone is a logical entity that interfaces are bound to, and zones are used in security policy creation, allowing the specification of an ingress and egress zone in the security policy. Creating ingress and egress zones means the specified traffic can only pass in a specific direction. It also increases the overall speed of policy lookup, and since multiple zones are always used in a firewall, it separates the overall firewall rule base into many subsets of rule groupings.
A virtual router (VR) allows for the creation of multiple routing tables inside the same device, providing the administrator with the ability to segregate traffic and virtualize the firewall.
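The zone and policy model just described, as an added Junos configuration example that is not from the book: interfaces are bound to the default trust and untrust zones, and each policy is keyed on an ingress and egress zone so it can only match traffic in one direction. The interface names, the policy names, and the choice to log denied inbound sessions are assumptions for illustration.

```junos
security {
    zones {
        /* Binding an interface to a zone also scopes which services the device itself accepts there. */
        security-zone trust {
            interfaces {
                ge-0/0/1.0;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    policies {
        /* The from-zone/to-zone pair is part of the lookup key: this rule never matches traffic arriving from untrust. */
        from-zone trust to-zone untrust {
            policy allow-web {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy deny-inbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

Traffic with no matching policy is dropped by the default deny, but the explicit deny-inbound rule with session-init logging makes blocked inbound attempts visible in the security log.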
Although some of the features do not have a one-to-one naming parity, the functionality of these features is generally replicated on the Junos platform.
Junos has evolved since it was first deployed in service provider networks. Over the years, many lessons were learned regarding how to best use the device running the OS. These practices have been integrated into the SRX Series and are shared throughout this book, specifically in how to use the command-line interface (CLI).
For the most part, Junos users traditionally tend to utilize the CLI for managing the platform. As strange as it may sound, even very large organizations use the CLI to manage their devices. The CLI was designed to be easy to utilize and navigate through, and once you are familiar with it, even large configurations are completely manageable through a simple terminal window.
In Junos, the CLI extends beyond just a simple set of commands. Third-party applications can integrate with Junoscript, or a user may even use it on the device. Juniper Networks provides extensive training and documentation covering this feature; an example is its Day One Automation Series (see http:). Sometimes, getting started with such a rich platform is a daunting task, if only because thousands of commands can be used in the Junos operating system.
The J-Web tool is automatically installed on the SRX Series (on some other Junos platforms it is an optional package) and it is enabled by default. The interface is intuitive and covers most of the important tasks for configuring a device. For large networks with many devices, we all know mass efficiency is required. Juniper provides two tools to accomplish efficient management. This is the legacy tool that you can use to manage networks. Although it is still a viable platform for management, just like the evolution of ScreenOS to Junos, a newly architected platform is available.
This new platform is called Junos Space, and it is designed from the ground up to be a modular platform that can integrate easily with a multitude of devices, and even other management systems. The goal for Junos Space is to allow for the simplified provisioning of a network. By accomplishing these tasks, Junos Space will take network management to a new level of productivity and efficiency for an organization.
At the time of this writing, Junos Space was still being finalized. Nonetheless, readers of this book will learn about the capabilities of the SRX Series using the Junos CLI from the ground up, and will be ready to apply it within Junos Space anytime they deem it appropriate. The SRX Series hardware platform is a next-generation departure from the previous ScreenOS platforms, built from the ground up to provide scalable services.
Now, the question that begs to be answered is: A service is an action or actions that are applied to the network traffic passing through the SRX Series of products. Two examples of services are stateful firewalling and intrusion prevention. The ScreenOS products were designed primarily to provide three services: When ScreenOS was originally designed, these were the core value propositions for a firewall in a network. Since the SRX is going to be processing this traffic, it is critical that it provides as many services as possible on the traffic in one single pass.
So, the SRX provides services on the passing traffic, but it must also provide scalable services. This is an important concept to review. This allows the administrator to better understand how the device scales under such load. Scaling under load is based on the services a device is attempting to provide and the performance it needs to achieve. The traditional device required to do all this is either a branch device, or the new, high-end data center firewall.
A branch firewall needs to provide a plethora of services at a performance level typical of WAN speeds. A data center firewall, on the other hand, needs to provide highly scalable performance. When a firewall is placed in the core of a data center it cannot impede the performance of the entire network.
Each transaction in the data center has a considerable amount of value to the organization, and any packet loss or delay can cause financial implications. A data center firewall requires extreme stateful firewall speeds, a high session capacity, and very fast new sessions per second. In response to these varied requirements, Juniper Networks created two product lines: Each is targeted at its specific market segments and the network needs of the device in those segments. No matter which SRX Series platform you use, or plan to use, each has a common core.
One of the most powerful aspects of the Junos operating system is that only a single source code train, or pool of source code, is used to build a release of the network software.
This provides great efficiency when it comes to integrating features and providing quality assurance testing. As new products such as those in the SRX Series are created, it is easier to take previous features, such as the Junos implementation of routing, and bring them to the new platform. The same idea is implemented across the SRX Series. Where it makes sense, common features and code are shared. There are challenges to this mantra, such as the implementation of features in what is known as the Packet Forwarding Engine (PFE).
The PFE in each SRX Series platform typically contains different components, creating the largest barrier for feature parity across the platforms. But as stated before, the products are designed to meet the needs of the deployment, using Junos to provide commonality. Networking products are created to solve problems and increase efficiencies. The branch SRX Series products are designed for small to large office locations consisting of anywhere from a few individuals to hundreds of employees, representing either a small, single device requirement or a reasonably sized infrastructure.
In these locations, the firewall is typically deployed at the edge of the network, separating the users from the Internet. These products are targeted at the data center and the service provider.