SRX Quick Start June 2013
June 4, 2016 | Author: wandrel | Category: N/A
SRX QUICK START TRAINING
George Kaminski, Systems Engineer Tech Lead
SRX QUICK START TRAINING Chapter 1: Course Introduction
INTRODUCTIONS
Before we get started…
• What is your name?
• Where do you work?
• What is your primary role in your organization?
• What kind of network experience do you have?
• What is the most important thing for you to learn in this training session?
Copyright © 2013 Juniper Networks, Inc.
www.juniper.net
COURSE CONTENTS
Contents:
• Chapter 1: Course Introduction
• Chapter 2: Junos OS Overview
• Chapter 3: Branch SRX Series Overview
• Chapter 4: High-End SRX Series Overview
• Chapter 5: SRX Concepts and Features
• Chapter 6: Junos OS Command Line Interface (CLI) Introduction
• Chapter 7: Other Security Products of Interest
• Complete Hands-on Labs 1–4
PREREQUISITES
The prerequisites for this course are the following:
• Basic networking knowledge
• Understanding of the OSI model and TCP/IP
• Basic familiarity with the use and deployment of firewalls, IPsec Virtual Private Networks and Network Address Translation (NAT)
COURSE ADMINISTRATION
The basics:
• Sign-in sheet
• Schedule: class times, breaks, lunch
• Break and restroom facilities
• Fire and safety procedures
• Communications: telephones and wireless devices, Internet access
EDUCATION MATERIALS
Available materials for classroom-based and instructor-led online classes:
• Lecture material
• Lab guide
• Lab equipment
Self-paced online courses are also available: http://www.juniper.net/training/technical_education/
ADDITIONAL RESOURCES
For those who want more:
• Juniper Networks Technical Assistance Center (JTAC): http://www.juniper.net/support/requesting-support.html
• Juniper Networks books: http://www.juniper.net/training/jnbooks/
• Hardware and software technical documentation
  – Online: http://www.juniper.net/techpubs/
  – Image files for offline viewing: http://www.juniper.net/techpubs/resources/cdrom.html
• Certification resources: http://www.juniper.net/training/certification/resources.html
SATISFACTION FEEDBACK
Class feedback:
• To receive your certificate, you must complete the survey
• Either you will receive a survey to complete at the end of class, or we will e-mail it to you within two weeks
• Completed surveys help us serve you better!
JUNIPER NETWORKS EDUCATION SERVICES CURRICULUM
Formats:
• Classroom-based instructor-led technical courses
• Online instructor-led technical courses
• Hardware installation eLearning courses as well as technical eLearning courses
Courses: http://www.juniper.net/training/technical_education/
JUNIPER NETWORKS CERTIFICATION PROGRAM
Why earn a Juniper Networks certification?
• Juniper Networks certification makes you stand out
  – Unleash your creativity across the entire network
  – Set yourself apart from your peers
• Capitalize on the promise of the New Network
  – Develop and deploy the services you need
  – Lead the way and increase your value
• Unique benefits for certified individuals
JUNIPER NETWORKS CERTIFICATION PATH
CERTIFICATION PREPARATION
Training and study resources:
• Juniper Networks Certification Program website: www.juniper.net/certification
• Education Services training classes: www.juniper.net/training
• Juniper Networks documentation and white papers: www.juniper.net/techpubs
Community:
• J-Net: http://forums.juniper.net/t5/Training-Certification-and/bd-p/Training_and_Certification
• Twitter: @JuniperCertify
FIND US ONLINE
http://www.juniper.net/jnet
http://www.juniper.net/facebook
http://www.juniper.net/youtube
http://www.juniper.net/twitter
SRX QUICK START TRAINING Chapter 2: Junos OS Overview
MOVING FROM CISCO IOS TO JUNOS OS
Moving checklist:
• Call realtor
• Change address
• Change utilities: gas, electric, garbage
• Find movers
• Pack
No matter the cause of the move, once the move is complete, what a difference the new place makes in your life!
JUNOS OS: THE POWER OF ONE OPERATING SYSTEM
Deployed since 1998
• First high-performance network operating system
• 14+ years of innovation and development
• Runs routing, switching, and security platforms
• Reduces complexity, achieves operational excellence
• Evolutionary architecture expands to new services and extends to new platforms for tomorrow
It is time for a new network
• Top 130 global service providers
• 96 of the Global Fortune 100
• Hundreds of federal, state, and local government agencies and higher education organizations throughout the world
THE POWER OF ONE JUNOS
Platforms running Junos OS:
• Routers: T Series, M Series, MX Series, J Series
• Switches: EX Series, QFX Series
• Security: SRX Series
One OS: reduces time/effort to operate network infrastructure; simplifies management
One Release Train: delivers new functionality stably; reduces OPEX
One Architecture: ensures available and scalable software for growing needs; reduces TCO
JUNOS OS MODULAR ARCHITECTURE
Independent modules
• Protected memory for stability: no overwrites
• Contain faults and enable rapid isolation
• Well-defined interfaces for expansion of functions/platforms
Kernel
• Controls the modules
• Manages communication between the modules and to the PFE
[Diagram: Control Plane – Management, Interfaces, Routing, ..., Module n – all running over the Kernel]
JUNOS OS SEPARATE CONTROL AND FORWARDING
• Supports scale for high performance
• Assures performance of each plane
• Enhances resiliency
• Provides options for redundancy
[Diagram: Control Plane = Routing Engine; Data Plane = Packet Forwarding Engine]
JUNOS OS: THE FOUNDATION OF HIGH-PERFORMANCE NETWORKS
Routing, switching, security and services across the data center, headquarters, branch and campus
SRX QUICK START TRAINING Chapter 3: Branch SRX Overview
BRANCH SRX SOLVES CUSTOMER CHALLENGES
All-in-One
• Next Gen Firewall, VPN, UTM
• IPS, AppSecure, Anti-Virus
• Anti-Spam, Web filtering
• Routing / WAN
• WLAN, LAN, Switching
• Easy to activate a new security service in UTM when needed to address new concerns
Unified Management
• Easy to manage all aspects with Junos, a single OS platform
Best Price/Performance
• Lower TCO and high performance allow IT to do more with less
BRANCH SRX SERIES GATEWAYS
Delivering “No-Compromise” Services with Scale & Performance
• Hardware platforms scale from 1G to 10G
• Junos software across Security, Routing and Switching
Small Office
• SRX100: fixed config, 8 x FE, 1 GB DRAM
• SRX110: fixed config, VDSL2 WAN, 8 x FE, 1 GB DRAM
• SRX210: WAN slot, 2 x GigE, PoE, 1 GB DRAM
Small to Medium Office
• SRX220: + 2 WAN slots, 8 x GigE, PoE, 1 GB DRAM
• SRX240: + 4 WAN slots, 16 x GigE, PoE, 2 GB DRAM
Large Branch / Regional Office
• SRX550 (Junos 12.1): 2 mPIM + 6 GPIM WAN slots, 10 x GigE, PoE, dual P/S, 2 GB DRAM
• SRX650: + more LAN slots, dual P/S, hot-swap I/O, 2 GB DRAM
BRANCH SRX: SERVING MULTIPLE CUSTOMER NEEDS
Multi-services Gateway / Secure Router
• Routing and WAN interfaces
• Firewall, VPN, NAT
• In-line IPS
• High availability
• Transparent mode
NGFW
• Next generation firewall (AppSecure)
• In-line IPS
• Application visibility, tracking and enforcement
• User-role based policies
UTM
• Ease of use
• Best-of-breed Anti-Virus, Anti-Spam, Web filtering
• Cloud based AV – Sophos
• In-line IPS
• AppSecure
BRANCH SRX SERVICES GATEWAYS
Highly configurable
• Fixed and modular form factors
• Choice of WAN – DSL, T1/E1, DS3
• Wireless WAN and LAN
• On-board modular switching
Extensive integration
• Routing and switching capabilities
• Full suite of Junos routing and switching capabilities
• Unmatched core and UTM security
• Unmatched security, including FW, VPN, UTM, AppSecure, UAC, and full IPS
Performance and availability
• Magnitude greater performance
• Exceptional HW Content Security Acceleration (CSA) for ExpressAV and IPS
• Hardware-assisted control & data plane separation, redundant processing and power
• Exceptional performance and availability

Model          | Configuration            | Content SEC H/W Acceleration | FW/IPS Performance
SRX100/SRX110  | Fixed                    | No                           | 700/60 Mbps
SRX210E        | 1 mini PIM slot          | Optional                     | 850/85 Mbps
SRX220         | 2 mini PIM slots         | Standard                     | 950/100 Mbps
SRX240         | 4 mini PIM slots         | Optional                     | 1800/230 Mbps
SRX550         | 2 mini PIM, 6 GPIM slots | Standard                     | 5500/800 Mbps
SRX650         | 8 GPIM slots             | Standard                     | 7000/900 Mbps
BRANCH SRX PHYSICAL INTERFACES
MPIMs (supported on SRX210/220/240/550)
• T1/E1
• Serial
• 1XGE SFP
• ADSL, G.SHDSL
• VDSL2, DOCSIS 3.0
• Wireless WAN: EVDO/HSPA/WiMAX/LTE
GPIMs (supported on SRX550/650)
• 16XGE, 24XGE
• 2XT1E1, 4XT1E1
• 1xDS3
• 2x10GE SFP+/Copper
• 8xSFP (new, Jan 2013)
• 8xSerial (new, May 2012)
Wireless LAN (supported across all Branch SRX platforms)
• AX411 dual-radio AP
• WLA
• WLC2
NEW PIMS FOR SRX550 AND SRX650
8 Port Serial GPIM (12.1R2)
• Synchronous speeds of 8 Mbps
• Interface types supported: V.35, X.21, EIA/TIA-449, EIA/TIA-232, EIA/TIA-530, EIA/TIA-530A
• Line coding: NRZ, NRZI
• Uses 8 port smart connector
8 Port SFP XPIM (1Q2013)
• Line rate switching between ports
• Supported SFPs: LX, SX, BX, T or Copper SFPs
• Full set of L2 switching features
• Jumbo frame support – 9192B
BRANCH SRX FEATURES MATRIX
Security: Firewall, VPN, IPS, AppSecure, Antivirus, Enhanced Web filtering, Antispam
Wireless LAN and 3G/4G WAN: 802.11n, 3G/4G, WiMAX & LTE
Routing & Switching: RIP, OSPF, BGP, Multicast, IPv6, MPLS; full BGP table; J-Flow, RPM; L2 switching; PoE options
Physical Interfaces: T1/E1, Serial, DS3/E3; VDSL, ADSL, G.SHDSL; DOCSIS cable modem; Ethernet 10/100/1000 & 10G, copper or fiber
SRX100
Ideal for small sites and managed telecommuters
Full security features
• Firewall and VPN
• UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam (UTM requires high memory version)
Features
• On-board Ethernet: 8 x FE
• Power over Ethernet (802.3af, 802.3at): None
• WAN slots: None
• USB ports: 1
• Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention: No
• JUNOS Software version support: JUNOS 11.1
• Firewall performance (Large Packets): 700 Mbps
• Firewall performance (IMIX): 200 Mbps
• Firewall performance (Firewall + Routing PPS, 64 byte): 70 Kpps
• VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 65 Mbps
• IPS performance: 60 Mbps
• Connections Per Second (CPS): 2K CPS
• Maximum Concurrent Sessions (512MB/1GB RAM): 16K / 32K
• Antivirus performance: 25 Mbps
• AppSecure Throughput (HTTP): 90 Mbps
• High Availability: N/A
SRX110 – IDEAL SOLUTION FOR SMALL BRANCH
Designed for flexibility, investment protection, and lowest total cost of ownership (TCO).
[Photo: front and back views – primary WAN VDSL, backup 3G WAN on USB]
Features
• On-board Ethernet: 8 x FE
• Primary WAN: VDSL2 with ADSL2 fallback
• Backup WAN: USB port for 3G/4G modem
• Additional USB ports: one (total 2)
• Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention: No
• Firewall performance (Large Packets): 700 Mbps
• Firewall performance (IMIX): 200 Mbps
• Firewall performance (Firewall + Routing PPS, 64 byte): 65 Kpps
• VPN Performance (AES256+SHA1 / 3DES+SHA1): 65 Mbps
• IPS performance: 60 Mbps
• Connections Per Second (CPS): 2K CPS
• Maximum Concurrent Sessions: 16K / 32K
• Antivirus performance: 25 Mbps
• AppSecure Throughput (HTTP): 90 Mbps
• High Availability: N/A
SRX210E
Ideal for small branches
Full security features
• Firewall and VPN
• UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam (UTM requires high memory version)
Features
• On-board Ethernet: 2 x GE + 6 x FE
• Power over Ethernet (802.3af, 802.3at): 4 ports, 50 W total
• WAN slots: 1 x mini PIM
• USB ports (flash): 2
• Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention: Yes
• JUNOS Software version support: JUNOS 11.1
• Firewall performance (Large Packets): 850 Mbps
• Firewall performance (IMIX): 250 Mbps
• Firewall performance (Firewall + Routing PPS, 64 byte): 95 Kpps
• IPsec VPN throughput: 85 Mbps
• IPS performance: 85 Mbps
• Connections Per Second (CPS): 2,200 CPS
• Maximum Concurrent Sessions (512MB/1GB RAM): 32K / 64K
• Antivirus performance: 25 Mbps
• AppSecure Throughput (HTTP): 250 Mbps
• High Availability: A/A or A/P
SRX220
Ideal for small and medium branches
Full security features
• Firewall and VPN
• UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam
Features
• On-board Ethernet: 8 x GE
• Power over Ethernet (802.3af, 802.3at): 8 ports GE, 120 W
• WAN slots: 2 x mini PIM
• USB ports (flash): 2
• Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention: Yes
• JUNOS Software version support: JUNOS 11.1
• Firewall performance (Large Packets): 950 Mbps
• Firewall performance (IMIX): 300 Mbps
• Firewall performance (Firewall + Routing PPS, 64 byte): 125 Kpps
• VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 100 Mbps
• IPS Performance: 100 Mbps
• Connections Per Second (CPS): 3K CPS
• Maximum Concurrent Sessions (512MB/1GB RAM): 96K
• Antivirus performance: 34 Mbps
• AppSecure Throughput (HTTP): 300 Mbps
• High Availability: A/A or A/P
SRX240 – NOW WITH 2G MEMORY (Sept 2012)
New SKUs for SRX240 provide additional memory:
• SRX240B2 – 1GB DRAM, 2GB Flash
• SRX240H2 – 2GB DRAM, 2GB Flash
• No changes in price, hardware architecture or security services
• Improved scalability for services
Features
• On-board Ethernet: 16 x GE
• Power over Ethernet (802.3af, 802.3at): 16 ports GE, 150 W
• WAN slots: 4 x mini PIM
• USB ports (flash): 2
• Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention: Yes
• JUNOS Software version support: JUNOS 11.4R5
• Firewall performance (Large Packets): 1.8 Gbps
• Firewall performance (IMIX): 600 Mbps
• Firewall performance (Firewall + Routing PPS, 64 byte): 200 Kpps
• VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 300 Mbps
• IPS Performance: 230 Mbps
• Connections Per Second (CPS): 9K CPS
• Maximum Concurrent Sessions (1GB RAM/2GB RAM): 128K / 256K
• Antivirus performance: 85 Mbps
• AppSecure Throughput (HTTP): 750 Mbps
• High Availability: A/A or A/P
SRX550 SERVICES GATEWAY – NEW (FRS 12.1)
“No-Compromise Services” with scale and performance for the medium to large branch
Advanced Security
• Firewall and VPN
• UTM: IPS, antivirus, enhanced web-filtering, anti-spam
• Application visibility, tracking & enforcement
Comprehensive Routing
• Wide range of WAN options: 3G/LTE, T1/E1/DS3/E3, xDSL, Nx1GE, 10 GE
• L2/L3 VPN, MPLS, VPLS, IPv6, v4
High Density Switching
• 10 x GE on board (6 Copper, 4 SFP)
• Modular switching with PoE
Business Continuity, Resiliency
• HA cluster (A/A or A/P)
• WAN backup and redundancy
• Control plane, data plane separation
• GPIM Online-Insertion-Removal*
• Optional redundant power supplies (AC and DC)
Performance
• Routing performance: 700 Kpps
• Firewall performance: 1.7 Gbps (IMIX), 5.5 Gbps (large packets)
• AV & IDP HW acceleration: Yes
• IPsec performance: 1 Gbps
SRX550 (Junos 12.1)
Ideal for the enterprise medium to large branch; ideal office-in-a-box solution for managed services or commercial business
SRX550 offers:
• Comprehensive routing and security services
• High density on-board and modular switch ports, copper and SFP
• Application awareness and control
• Business continuity and resiliency
Features
• On-board Ethernet: 10 x GE (6 Copper, 4 SFP)
• Power over Ethernet (802.3af, 802.3at): 40 ports GE, 500 W
• WAN slots: 2 mPIM, 6 x GPIM
• USB ports (flash): 2
• Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention: Yes
• JUNOS Software version support: JUNOS 12.1
• Firewall performance (Large Packets): 5.5 Gbps
• Firewall performance (IMIX): 1.7 Gbps
• Firewall performance (Firewall + Routing PPS, 64 byte): 700 Kpps
• VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 1.0 Gbps
• IPS Performance: 800 Mbps
• Connections Per Second (CPS): 27K CPS
• Maximum Concurrent Sessions (2 GB RAM): 375K
• Antivirus performance: 300 Mbps
• AppSecure Throughput (HTTP): 1.5 Gbps
• High Availability: A/A or A/P
SRX650
Ideal for regional sites and large branches
Full security features
• Firewall and VPN
• UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam
• Modular LAN switching
• Services Routing Processors with optional redundancy
• Power supplies with optional redundancy (at FRS)
Features
• On-board Ethernet: 4 x GE
• Power over Ethernet (802.3af, 802.3at): 48 ports GE, 250W or 500 W
• WAN slots: 8 x GPIM
• USB ports (flash): 2 per processor
• Content Security Accelerator—ExpressAV and Intrusion Detection and Prevention: Yes
• JUNOS Software version support: JUNOS 11.1
• Firewall performance (Large Packets): 7.0 Gbps
• Firewall performance (IMIX): 2.5 Gbps
• Firewall performance (Firewall + Routing PPS, 64 byte): 850 Kpps
• VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 1.5 Gbps
• IPS Performance: 1 Gbps
• Connections Per Second (CPS): 35K CPS
• Maximum Concurrent Sessions (512MB/1GB RAM): 512K
• Antivirus performance: 350 Mbps
• AppSecure Throughput (HTTP): 1.9 Gbps
• High Availability: A/A or A/P; hot swap GPIMs, dual power
BRANCH SRX SERIES SPECIFICATIONS
JUNIPER’S WIRELESS WAN SOLUTION – CX111
Best signal
• Get the 3G antenna out of the wiring closet to optimize reception*
More choices
• Choose 3G/LTE USB modem or standalone 3G bridge
• Choose from 90+ modems from every major manufacturer*
Higher reliability
• Tightly coupled system speeds wired to wireless failover
• Redundant radio hardware and provider diversity*
• Direct plug-in USB modem support
[Diagram: SRX – CX111 bridge – carrier’s 3G/4G LTE network]
* Requires bridge solution
3G/4G WIRELESS WAN UPDATE
Integrated small package for 3G: now with USB modem support
• Direct plug-in USB modem support for SRX100, 110 and 210E
• CX111 3G/4G bridge for all SRX and other platforms
• ExpressCard form factor obsolete
• GSM/HSPA+ modem supported now
• Secure Modem / Modem Cap: 1H 2012
• 4G LTE modem support: mid 2012
• No USB 3G support on 220/240/550/650
• Worldwide 90+ modems supported
• LTE supported now
• CX111 supports SNMP based management; Junos CLI based management in 11.4R2 (Q1 2012)
BRANCH SRX ADVANCED SECURITY PLATFORM
Protects against external threats (from the INTERNET) and internal threats:
• IPS: IDP detects/stops worms, Trojans, DoS (L4 & L7), scans
• AppSecure with User Role FW: application level visibility and classification; application security policies tied to user roles
• Enhanced Web Filtering: block access to unapproved sites; real time threat score for each URL
• Antivirus: stops viruses, file-based trojans or the spread of spyware, adware, keyloggers
• Antispam: stops spam/phishing
• Content Filtering: SRX Series blocks transmission of files for Data Loss Prevention
• Core Security: Firewall, VPN, Unified Access Control
J-WEB WIZARDS
Configuration wizards:
1. Initial Device Setup
2. Firewall
3. NAT
4. VPN
• JavaScript and XML based, with all activity executed by the browser
• Provides a responsive user experience: the complete wizard UI is loaded after hitting the launch button
• Single commit
• Reduces configuration time
NEW STARTUP WIZARD (Jan 2013)
New Startup Wizard that simplifies user configuration and reduces the time to set up the device
• Guided setup (step by step)
• ‘Basic’ & ‘Expert’ modes
• Security topology (zones), security policy and license configuration
• NAT
• Remote/Dynamic VPN
• Confirm and Apply (Commit, Import, Export)
Available on all Branch SRX platforms
BRANCH SRX CERTIFICATIONS – UPDATE
Branch SRX leads the industry in the most stringent certifications for enterprise firewalls. Key certifications added this year:
• Common Criteria CC EAL4
• Department of Defense (DoD) certification: testing and certification by DoD JITC for interoperability with DoD networks; addition to the Unified Capabilities Approved Product List (UC APL); Branch SRX certified as both router and firewall – this is a first for any vendor!
• ICSA – Corporate Firewall and IPsec 1.3
• USGv6 – Firewall Profile
SRX QUICK START TRAINING Chapter 4: High-End SRX Overview
HIGH END SRX PLATFORMS: DYNAMIC SERVICES ARCHITECTURE™ (DSA)
Scales performance, capacity and service density – world’s fastest firewall and IPS
SRX Services Gateways
• Expandable chassis
• Linear scalability
• Processing and I/O pools
• Industry’s top performance
High-Speed Fabric Technology
Carrier-Class Reliability
• Separation of control and data planes
• Redundant everything
• Proven operating system
• The power of one OS, one release train
SRX / HE DATA CENTER SERVICES PLATFORMS
Next-Gen Security Systems
• Scalable performance
• Rich standard services: Firewall, VPN, IPS, Full Routing, QoS, Application Security, Role Based Firewall, Extensible Security Services
• Integrated networking services

Model   | Chassis                                     | FW/IPS/VPN throughput | Sessions     | CPS
SRX5800 | 16U, 12 slot, 2RE*, 2+1 SCB, 2+2 AC, 3+1 DC | 120/30/30G            | 10M          | 350k
SRX5600 | 8U, 6 slot, 2RE*, 1+1 SCB, 2+2 PS           | 60/15/15G             | 9M           | 350k
SRX3600 | 5U, 6+6 CFM, 8+4 GE, 2RE*, 2+2 PS           | 30/10/10G             | 2M           | 175k
SRX3400 | 3U, 4+3 CFM, 8+4 GE, 2RE*, 1+1 PS           | 20/8/8G               | 2M           | 175k
SRX1400 | 3U, 3 CFM, 12GE or 3XGE+9GE, 1+1 PS         | 10/2/2G               | .5M [at FRS] | 45k
ScreenOS platforms shown alongside for comparison: NS-5400, NS-5200, ISG2000, ISG1000
Note *: Redundant REs not currently supported
HIGH-END SRX COMPONENTS
I/O Cards (IOC)
• Provide Ethernet interfaces that connect the services gateway to your network
Network Processing Cards (NPC)
• Receive inbound traffic from I/O cards (IOCs) and direct it to the appropriate Services Processing Card (SPC) for processing
• In simple terms, think of it as a session load balancer
Services Processing Card (SPC)
• Provides the processing capacity to run integrated services such as firewall, IPsec, and IDP
HIGH-END COMPONENTS CONTINUED
Routing Engine (RE)
• Runs the Junos operating system (Junos OS), including the software processes that maintain the routing tables, manage the routing protocols used on the services gateway, control the services gateway interfaces, control some chassis components, and provide the interface for system management and user access to the services gateway
Switch Fabric Board (SFB)
• Powers on and powers off IOCs and SPCs
• Controls clocking, system resets, and booting
• Monitors and controls system functions, including fan speed, board power status, and the system front panel
• Provides interconnections to all the IOCs within the chassis through the switch fabrics integrated into the SCB
HIGH-END COMPONENTS CONTINUED
Network Processing I/O Cards (NP-IOCs)
• Special IOCs designed specifically for low-latency applications
• Each NP-IOC has its own network processing unit (NPU), so that traffic traversing the NP-IOC does not have to traverse the services gateway bus to a remote network processing card (NPC)
DYNAMIC SERVICES ARCHITECTURE: SRX SERIES FULLY INTEGRATED PACKET FLOW
Ingress Packet → I/O Card (oversubscription control) → Fabric → Network Processing Card (flow lookup, classification, DoS/DDoS, policing; on the SRX5000 this function is integrated in the IOC) → Fabric → Services Processing Cards (services: FW/VPN/IDP, NAT/Routing) → Egress Packet (QoS/shaping)
HIGH-END SRX SCALING AND PLANNING
• The number of NPC and SPC resources dictates High-End SRX throughput and performance, i.e. number of IPsec tunnels, IDP performance, number of FW sessions, etc.
• Generally speaking it is the SPCs that make the real difference in terms of performance
• Juniper Networks Systems Engineers and Partner SEs can assist with sizing guidelines for a given desired performance profile and application
SRX1400
• 3 RU modular chassis – 3 expansion slots (NSPC or SPC+NPC; IOC) – compact form factor modules shared with SRX3000 – Junos software
• 12 on-board ports: 1400GE: 6+4+2 GE; 1400XGE: 3 XGE plus 6+1+2 GE
• Massive scale – Up to 45,000 new, sustained connections per second (CPS) – Up to .5 million sessions [at FRS]
• High performance – Up to 10 Gbps firewall – Up to 2 Gbps IPS – Up to 2 Gbps IPsec VPN
• High availability – Redundant power and fans – Chassis clustering (Q2 2011) – Modular Junos software – Shared HA-control ports – SRX3000 technology – Common sparing possible
[Chassis photo labels: fan tray, expansion slots (rear), management module (RE), slot guide, power supply FRU, redundant power supply (optional)]
SRX3400
• 3 RU modular chassis – 7 expansion slots (4 front and 3 rear) – Compact form factor modules for I/O and service processing – Dual, hot swappable management modules – Junos software
• Massive scale – Up to 175,000 new, sustained connections per second (CPS) – Up to 2.25 million sessions
• High performance – Up to 20 Gbps firewall – Up to 6 Gbps IPS – Up to 6 Gbps IPsec VPN
• High availability – Redundant power and fans – Redundant management – Modular Junos software
[Front view labels: 12 on-board GbE ports, USB, Switch Fabric Board (SFB), fan tray, front slot guide, 2 x 10 GigE I/O card, 16 x GbE SFP I/O card, 16 x 10/100/1000 I/O card, expansion slots (IOC/SPC, SPC/NPC)]
[Rear view labels: Routing Engine, redundant Routing Engine (future) or SCM, expansion slots (SPC/NPC), rear slot guide, fan tray door, power supply FRU, redundant power supply (optional)]
SRX3600: FRONT AND REAR VIEWS
• 5 RU modular chassis – 12 expansion slots (6 front and 6 rear) – Compact form factor modules for I/O and service processing – Dual, hot swappable management modules – Junos software
• Massive scale – Up to 175,000 new, sustained connections per second (CPS) – Up to 2.25 million sessions
• High performance – Up to 30 Gbps firewall – Up to 10 Gbps IPS – Up to 10 Gbps IPsec VPN
• High availability – Redundant power and fans – Redundant management – Modular Junos software
[Front view labels: 12 on-board GigE ports, USB, Switch Fabric Board (SFB), 2 x 10 GigE I/O card, 16 x GbE SFP I/O card, 16 x 10/100/1000 I/O card, fan tray, front slot guide, expansion slots (IOC/SPC, SPC/NPC)]
[Rear view labels: Routing Engine, redundant Routing Engine (future) or SCM, expansion slots (SPC), rear slot guide, fan tray door, power supplies FRU, redundant power supplies (optional)]
3600 COMPONENT REVIEW
[Chassis photo labels: dual-height SFB option cover (SRX3600 only / future), Switch Fabric Board (SFB), air intake, IOC 16xSFP, IOC 2x10GE, IOC 16xCopper, Services Processing Cards (SPC), Network Processing Cards (NPC) [or SPCs], Routing Engine (RE), front slot guide, rear slot guide, fan tray door]
SRX3000 CARDS
Switch Fabric Board (SFB)
• High speed switch fabric (320 Gbps)
• Includes virtual IOC (8x10/100/1000 + 4xSFP), HA-control (2xSFP: SX, LX, LH, T) and system interface (CRAFT)
Network Processing Card (NPC)
• Single Network Processor (NP) subsystem – 10Gig throughput
Services Processing Card (SPC)
• Single HD-CPU subsystem (SPU) – 10Gig throughput
Routing Engine (RE)
• 1.2GHz processor with 1GB memory
• Complete separation of control / data planes
• Includes CPP (central PFE controller) and CB (control board)
Clustering Module (SCM)
• Independent control-plane GigE switch to enable a second HA-control link
• Requires Junos 10.2
I/O Cards (IOC) – 3 versions:
• 2-port 10GE-XFP (SR, LR, ER)
• 16-port GE-SFP (SX, LX, LH, T [10/100/1000])
• 16-port 10/100/1000 Copper
• 10Gig full-duplex throughput (oversubscribed)
SRX5600: PRODUCT OVERVIEW
• 8 RU modular chassis – Horizontal design – 6 expansion slots – Modules for flexible I/O and service processing – Junos software
• Massive scale – Up to 350,000 new & sustained connections per second (CPS) – Up to 9 million sessions
• High performance – Up to 60 Gbps firewall – Up to 15 Gbps IPS – Up to 15 Gbps IPsec VPN
• High availability – Redundant management modules – Redundant switching fabrics – Redundant fans & power supplies – Modular Junos software
[Front view labels: upper fan tray, control panel, Services Processing Card, 40 x GbE IOC, Switch Control Boards (SCBs), management module, expansion slot (fits any module); rear view: power supplies FRU]
SRX5800: PRODUCT OVERVIEW
• 16 RU modular chassis – Vertical design – 12 expansion slots – Modules for flexible I/O and service processing – Junos software
• Massive scale – Up to 350,000 new & sustained connections per second (CPS) – Up to 10 million sessions
• High performance – Up to 120 Gbps firewall – Up to 30 Gbps IPS – Up to 30 Gbps IPsec VPN
• High availability – Redundant management modules – Redundant switching fabrics – Redundant fans & power supplies – Modular Junos software
[Front view labels: control panel, upper fan tray, Switch Control Boards (SCBs), Services Processing Card, 40 x GbE I/O card, 4 x 10GbE I/O card, management module, lower fan tray, air intake, expansion slots (fits any module); rear view: power supplies FRU]
SRX QUICK START TRAINING Chapter 5: SRX Concepts and Features
SRX SERIES—FIREWALL, ZONES, AND POLICIES
[Diagram: INTERNET – ZONE “UNTRUST” – SRX – ZONE “TRUST” and ZONE “TRUST2”]
• Traffic originating in zone “untrust”: Default Policy—Deny All
• Traffic originating in zone “trust”: Default Policy—Allow All
NEXTGEN DATA PLANE (FLOW THREAD)
Junos Flow Module
1) Pull packet from queue
2) Police packet (per-packet policer)
3) Filter packet (per-packet filter)
4) Session lookup – match session?
5a) NO – no existing session (first path)
   • FW screen check
   • Static & destination NAT
   • Route lookup
   • Destination zone lookup
   • Policy lookup
   • Reverse static & source NAT
   • Setup ALG vector
   • Install session
5b) YES – established session (fast path)
   • FW screen check
   • TCP checks
   • NAT translation
   • ALG processing
6) Filter packet (per-packet filter)
7) Shape packet (per-packet shaper)
8) Transmit packet
[Diagram blocks: Forwarding Lookup, Screens, Static NAT, Dest NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services ALG, Session; fast path: Screens, TCP, NAT, Services ALG]
FIREWALL FILTERS
Stateless filters
• Applied to interfaces; can mitigate known unwanted traffic before policy lookup
• Common to MX, EX and SRX Junos
Example (source 10.1.20.1, any destination, SSH):

    [edit firewall filter SRX_Protection]
    juniper@SRX5800# set term in-ssh from source-address 10.1.20.1/24
    juniper@SRX5800# set term in-ssh from protocol tcp
    juniper@SRX5800# set term in-ssh from destination-port ssh
    juniper@SRX5800# set term in-ssh then accept

Two things to keep in mind with this filter: a Junos firewall filter ends with an implicit discard, so with only this accept term every other packet arriving on the interface the filter is applied to is dropped; and source-address 10.1.20.1/24 matches the whole 10.1.20.0/24 prefix, not only the host 10.1.20.1.
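As an added example (not Juniper code), the following Python model walks packets through the flow-module steps listed on the previous slide and through a stateless filter like SRX_Protection, so the first-path/fast-path split and the filter's implicit discard can be seen on concrete packets. The zones, addresses, routes and policies are constructed for the example; NAT, ALG and screen steps are left out.

```python
"""Toy model of the Junos flow module sequence: police/filter, session lookup,
then the first path (route, zone, policy, session install) on a miss or the
fast path on a hit. Added example, not Juniper code; NAT/ALG/screens omitted."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Term:
    """One term of a stateless firewall filter; unset match fields match anything."""
    name: str
    action: str                   # "accept" or "discard"
    source_prefix: str = None
    protocol: str = None
    destination_port: int = None

    def matches(self, pkt):
        if self.source_prefix and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.source_prefix, strict=False):
            return False
        if self.protocol and pkt.proto != self.protocol:
            return False
        if self.destination_port is not None and pkt.dport != self.destination_port:
            return False
        return True


def apply_filter(terms, pkt):
    """Terms are evaluated in order; a packet matching no term hits the
    implicit discard at the end of every Junos filter."""
    for term in terms:
        if term.matches(pkt):
            return term.action
    return "discard"


class FlowModule:
    def __init__(self, interface_filters, routes, policies):
        self.interface_filters = interface_filters   # ingress zone -> [Term]; no entry = no filter
        self.routes = [(ipaddress.ip_network(p), zone) for p, zone in routes]
        self.policies = policies                     # (from, to, proto|"any", dport|"any") -> action
        self.sessions = {}                           # 5-tuple -> (from_zone, to_zone), both directions

    def zone_lookup(self, ip):
        """Route lookup followed by destination-zone lookup; longest prefix wins."""
        addr = ipaddress.ip_address(ip)
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def policy_lookup(self, from_zone, to_zone, pkt):
        for proto in (pkt.proto, "any"):
            for port in (pkt.dport, "any"):
                action = self.policies.get((from_zone, to_zone, proto, port))
                if action:
                    return action
        return "deny"                 # inter-zone default policy: deny all

    def process(self, ingress_zone, pkt):
        # 2)/3) police (not modelled) and stateless filter, before any session state
        terms = self.interface_filters.get(ingress_zone)
        if terms is not None and apply_filter(terms, pkt) != "accept":
            return "filter-discard"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # 4) session lookup; 5b) a hit takes the fast path (TCP checks, NAT, ALG)
        if key in self.sessions:
            return "fast-path"
        # 5a) a miss takes the first path: route, destination zone, policy, install
        to_zone = self.zone_lookup(pkt.dst)
        if to_zone is None:
            return "no-route"
        if self.policy_lookup(ingress_zone, to_zone, pkt) != "permit":
            return "policy-deny"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.sessions[key] = self.sessions[reverse] = (ingress_zone, to_zone)
        return "first-path-permit"


def demo():
    """Constructed topology: the slide's filter on the untrust side, one untrust->trust SSH permit."""
    fm = FlowModule(
        interface_filters={"untrust": [Term("in-ssh", "accept", "10.1.20.1/24", "tcp", 22)]},
        routes=[("172.16.0.0/16", "trust"), ("0.0.0.0/0", "untrust")],
        policies={("untrust", "trust", "tcp", 22): "permit",
                  ("trust", "untrust", "any", "any"): "permit"},
    )
    ssh = Packet("10.1.20.5", "172.16.0.10", "tcp", 40000, 22)
    reply = Packet("172.16.0.10", "10.1.20.5", "tcp", 22, 40000)
    http = Packet("10.1.20.5", "172.16.0.10", "tcp", 40001, 80)
    return [
        fm.process("untrust", ssh),    # first packet: policy lookup, session installed
        fm.process("untrust", ssh),    # same 5-tuple: session table hit
        fm.process("trust", reply),    # return traffic matches the installed reverse entry
        fm.process("untrust", http),   # not SSH: dropped by the filter's implicit discard
    ]
```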
Retail
63
Copyright © 2013 Juniper Networks, Inc.
www.juniper.net
Branch
Small Office
Regional
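As an added example (not Juniper's code), a Python model of how a stateless filter such as SRX_Protection evaluates its terms in order and drops anything no term matches; the packet records and the second, hardened filter are constructed for this example.

```python
"""Model of a Junos stateless firewall filter (added example, not Juniper code).

A filter is an ordered list of terms. Each term's 'from' conditions are ANDed;
listed values inside one condition are ORed. The first matching term decides
the packet, and a packet that matches no term hits the implicit discard at the
end of every Junos filter. The in-ssh term reproduces the SRX_Protection filter
on the slide; the packet records and helper names are constructed here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}
# Junos accepts well-known service names or numbers for destination-port.
PORT_NAMES = {"ssh": 22, "http": 80, "https": 443, "bgp": 179}


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None


@dataclass
class Term:
    name: str
    source_address: List[str] = field(default_factory=list)
    protocol: List[str] = field(default_factory=list)
    destination_port: List[str] = field(default_factory=list)
    action: str = "accept"  # accept | discard

    def matches(self, pkt: Packet) -> bool:
        # A host address with a shorter mask, such as 10.1.20.1/24, is taken as
        # its network (10.1.20.0/24), which is also what the Junos CLI does.
        if self.source_address and not any(
            ip_address(pkt.src) in ip_network(p, strict=False)
            for p in self.source_address
        ):
            return False
        if self.protocol and pkt.protocol not in {PROTOCOLS[p] for p in self.protocol}:
            return False
        if self.destination_port:
            ports = {int(PORT_NAMES.get(p, p)) for p in self.destination_port}
            if pkt.dst_port not in ports:
                return False
        return True


@dataclass
class Filter:
    name: str
    terms: List[Term]

    def evaluate(self, pkt: Packet) -> str:
        """Return '<term>:<action>' of the first matching term, else the implicit discard."""
        for term in self.terms:
            if term.matches(pkt):
                return f"{term.name}:{term.action}"
        return "implicit:discard"


# The filter from the slide: one accept term, so anything that is not SSH from
# 10.1.20.0/24 is silently discarded by the implicit rule, including the
# device's own routing and management traffic on that interface.
SRX_PROTECTION = Filter("SRX_Protection", [
    Term("in-ssh", source_address=["10.1.20.1/24"], protocol=["tcp"],
         destination_port=["ssh"], action="accept"),
])

# A safer shape for an interface filter (constructed): the same in-ssh term, an
# explicit discard for SSH from everywhere else, and a final accept so the
# filter mitigates the one known-unwanted flow and leaves the rest to policy.
SRX_PROTECTION_V2 = Filter("SRX_Protection_v2", [
    Term("in-ssh", source_address=["10.1.20.1/24"], protocol=["tcp"],
         destination_port=["ssh"], action="accept"),
    Term("deny-other-ssh", protocol=["tcp"], destination_port=["ssh"], action="discard"),
    Term("allow-everything-else", action="accept"),
])


def evaluate_all(filt: Filter, packets: List[Packet]) -> List[str]:
    return [filt.evaluate(p) for p in packets]


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("10.1.20.77", "10.1.1.1", 6, 22),   # SSH from the allowed subnet
        Packet("203.0.113.9", "10.1.1.1", 6, 22),  # SSH from elsewhere
        Packet("10.1.20.77", "10.1.1.1", 6, 443),  # HTTPS from the allowed subnet
        Packet("10.1.20.77", "10.1.1.1", 17, 22),  # UDP to port 22 is not SSH
    ]
    for f in (SRX_PROTECTION, SRX_PROTECTION_V2):
        print(f.name, evaluate_all(f, samples))
```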
APPLICATION LAYER GATEWAYS (ALG)
Advanced inspection of dynamic applications
– Can detect negotiated ports and perform stateful inspection on dynamic applications (FTP, SIP, SCCP, H.323, MGCP, etc.)
– Automatically utilized when the application is referenced within the security policy
(Diagram: the FTP control connection on TCP 21 negotiates a data port with PASV/PORT; the ALG then permits the negotiated data connection, here FTP on TCP 14599.)
SCREENS
– Screens are used to mitigate known malicious activities such as DoS, DDoS and reconnaissance
– Applied on a zone basis; the default screen can be applied to the "untrust" interface
– Uses thresholds and parameters to determine traffic flows into the zone
– Can drop traffic or act as a proxy for TCP connections
(Diagram: a TCP SYN flood and an ICMP sweep arriving from the INTERNET.)

SCREENS (configuration example)
    juniper@SRX5800# show security screen ids-option untrusted-internet
    icmp {
        ip-sweep threshold 1000000;
        fragment;
        large;
    }
    ip {
        bad-option;
        record-route-option;
        timestamp-option;
        security-option;
        stream-option;
        spoofing;
        source-route-option;
        loose-source-route-option;
        strict-source-route-option;
        unknown-protocol;
    }
    tcp {
        syn-fin;
        fin-no-ack;
        tcp-no-flag;
        syn-frag;
        port-scan threshold 1000000;
    }
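An added example, not Juniper's code: a Python model of the ip-sweep and port-scan threshold logic behind the screen shown above, run over constructed packet records. It assumes the ten-distinct-targets rule from the Junos documentation and the one-second (1000000 microsecond) threshold from the slide; a sweep paced wider than the window is not caught, which is why thresholds are tuned against a traffic baseline.

```python
"""Model of the ip-sweep and port-scan screen thresholds (added example, not Juniper code).

Both screens take a threshold in microseconds. Following the Junos
documentation, an IP sweep is flagged when one source sends ICMP to ten
different destination addresses within the threshold, and a port scan when
one source sends TCP to ten different ports on one destination within it.
The threshold of 1000000 (one second) is the value from the slide; the
packet records below are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

DISTINCT_TARGETS = 10       # targets within the window that trip the screen
THRESHOLD_US = 1_000_000    # 'ip-sweep threshold 1000000' / 'port-scan threshold 1000000'


@dataclass(frozen=True)
class Pkt:
    ts_us: int   # arrival time in microseconds
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    dport: int = 0


class ScreenMonitor:
    """Sliding-window bookkeeping per source, as a zone screen keeps it."""

    def __init__(self, threshold_us: int = THRESHOLD_US, distinct: int = DISTINCT_TARGETS):
        self.threshold_us = threshold_us
        self.distinct = distinct
        self.icmp: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)
        self.tcp: Dict[Tuple[str, str], Deque[Tuple[int, int]]] = defaultdict(deque)

    def _expire(self, window: Deque, now_us: int) -> None:
        # Drop records older than the threshold so only the current window counts.
        while window and now_us - window[0][0] > self.threshold_us:
            window.popleft()

    def inspect(self, pkt: Pkt) -> List[str]:
        """Return the screen alarms this packet raises (empty list if none)."""
        alarms: List[str] = []
        if pkt.proto == "icmp":
            window = self.icmp[pkt.src]
            self._expire(window, pkt.ts_us)
            window.append((pkt.ts_us, pkt.dst))
            if len({dst for _, dst in window}) >= self.distinct:
                alarms.append(f"ip-sweep src={pkt.src}")
        elif pkt.proto == "tcp":
            window = self.tcp[(pkt.src, pkt.dst)]
            self._expire(window, pkt.ts_us)
            window.append((pkt.ts_us, pkt.dport))
            if len({port for _, port in window}) >= self.distinct:
                alarms.append(f"port-scan src={pkt.src} dst={pkt.dst}")
        return alarms


def run(packets: List[Pkt]) -> List[str]:
    monitor = ScreenMonitor()
    return [alarm for pkt in packets for alarm in monitor.inspect(pkt)]


def sample_fast_sweep() -> List[Pkt]:
    # 12 echo requests to 12 hosts, 50 ms apart: ten distinct hosts inside one second.
    return [Pkt(i * 50_000, "198.51.100.7", f"10.1.20.{i + 1}", "icmp") for i in range(12)]


def sample_slow_sweep() -> List[Pkt]:
    # Same 12 hosts, 200 ms apart: at most six fall inside any one-second window.
    return [Pkt(i * 200_000, "198.51.100.7", f"10.1.20.{i + 1}", "icmp") for i in range(12)]


def sample_port_scan() -> List[Pkt]:
    # Ten TCP probes to ten ports on one host within 10 ms.
    return [Pkt(i * 1_000, "198.51.100.8", "10.1.20.5", "tcp", 20 + i) for i in range(10)]


if __name__ == "__main__":
    for name, pkts in (("fast sweep", sample_fast_sweep()),
                       ("slow sweep", sample_slow_sweep()),
                       ("port scan", sample_port_scan())):
        print(f"{name:10s} -> {run(pkts)}")
```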
FROM THE OVERALL ARCHITECTURE PERSPECTIVE: BEST PRACTICE STEPS
Assures legitimate traffic is not impacted
Step 1 – Establish a baseline
Step 2 – Build the first line of defense: police traffic close to the source or at ingress into aggregation network elements, e.g. ingress into a FW. Throttles all the traffic, minimizing the impact of attacks on intermediate network elements.
Step 3 – Build the second line of defense: SCREENs, IDP, application-level IDP, application firewall. Eliminates all the recognized "bad" traffic.
Step 4 – Build the third line of defense: traffic shape at the egress of a FW. Throttles the remainder of the traffic, which includes legitimate and non-recognized "bad" traffic.

CONTRASTING SCREENS AND IDP
SCREENs
– Protect from the outer-layer perspective
– Are executed prior to any route lookup or security policy lookup
IDP
– Provides deeper packet examination
– Detects protocol anomalies
– Invoked after route and/or security policy lookup

PROTECTING FROM A FIREWALL PERSPECTIVE
(Diagram, covering steps 2, 3 and 4: traffic entering the SRX FW passes ingress policers and firewall filters, SCREENs, the L3/L4/L5 stateful FW and L4-7 IDP/IPS, then egress traffic shaping before exiting the SRX FW.)
ROUTING & SWITCHING
– SRX can act as a full router, supporting IPv4, IPv6, L2/L3 MPLS
– Supports IPv4 RIP, OSPF, IS-IS and BGP
– Layer 2 switching supported on Branch SRX, not supported on HE SRX
  – Onboard Ethernet ports on the SRX100, SRX210, and SRX240 devices
  – Multiport Gigabit Ethernet XPIM on the SRX650 device
– Support for virtual routers and logical tunnel interfaces
– Supports full Junos CoS – 8 queues per port
– Can also run in transparent FW mode, supporting Layer 2 bridged FW security

SRX PACKET FLOW
Branch SRX has 2 modes of operation:
– Packet mode: can be run in packet mode to operate like a traditional router; the mode used to support MPLS, VPLS
– Flow mode: flow mode ensures fast-path lookup; the default action of Branch SRX devices
– Mixed mode: Branch SRX can also act in mixed mode, supporting both flow-based and packet-based connections
SRX HIGH AVAILABILITY
Features
– Stateful fail-over
– Active/backup control plane
– Active/active data plane
– Single system view
Benefits
– Maintains connection persistence and improves system resiliency for services
– Load sharing across systems
– Optimized for complex routing environments

TWO CHASSIS CONNECTED TOGETHER
(Diagram: control plane (fxp1) connection, labelled fe-0/0/7, SPC-to-SPC; data plane (fab1) connection, IOC to IOC.)

INTERFACE NUMBERING
Interfaces are numbered "Hobson" style: node0 owns slots 0–11 and node1 owns slots 12–23 (slot 12 on node1 corresponds to slot 0 on node0), so ge-1/0/0 on node0 appears as ge-13/0/0 on node1. Each node has its own routing engine (RE 0, RE 1).

CHASSIS CLUSTER INTERFACES
fxp1 – control plane interface
– Dedicated interface, dependent on model
– Dual control plane support on HE
– Synchronizes configuration and keepalives
fab0/1 – data fabric interface
– Can be 1G or 10G, dependent on model
– Synchronizes session information over RTOs
– Can be used to forward "Z" path traffic
Redundancy Group (RG) – logical grouping of interfaces. The SRX with the highest metric (255) is master for each RG; failure of interfaces decrements the total.
RETH – redundant Ethernet: virtual IP and MAC for the associated VLAN, member of a redundancy group.

CHASSIS CLUSTER DEPLOYMENTS: ACTIVE/PASSIVE
(Diagram: active control plane, active redundancy group 1 and active redundancy group 2 all on the same node.)

CHASSIS CLUSTER DEPLOYMENTS: ACTIVE/ACTIVE
(Diagram: active control plane and active redundancy group 1 on one node, active redundancy group 2 on the other, so both nodes forward traffic.)
APPLICATION VISIBILITY AND CONTROL IS EASY WITH APPSECURE
– Application enforcement by user role
– Application view
– Threat mitigation
– IPS
Application Awareness and Classification Engine: What application? What user? User location? User device?

….NOW WITH USER ROLE FIREWALL (Junos 12.1)
Allows different users to have different application policies based on their role and group.
(Diagram: MAG/UAC supplies user roles to a Branch SRX. Marketing: P2P apps blocked, YouTube allowed, anti-virus applied, WF profile A. Sales: P2P and YouTube blocked, anti-virus applied, WF profile B. CEO: no apps blocked, anti-virus applied, WF profile C.)

USER-ROLE FIREWALL FOR ACTIVE DIRECTORY
1. Domain user logs into the domain from a domain member device
2. Unauthenticated client tries to access a resource through the SRX and is dropped
3. SRX redirects the client to the IC for the authentication process using Kerberos
4. Upon successful authentication and identification of the user, the IC gets AD group membership using LDAP, maps it to roles and sends the info to the SRX
5. Client device passes traffic through the SRX per the corresponding policy enforcement controls based on user/role
(Diagram: Client, Windows ADs, Junos Pulse MAG/IC Series and SRX Series; protected resources include Data, Finance, Video, Apps, the Internet and the Corporate Data Center.)
COMPREHENSIVE USER POLICY ENFORCEMENT
Standard server hardware
Flexibility
– Agent-based deployment can provide advanced functionalities
– Agentless access can be used for an unintrusive, transparent user experience
– Local web portal can be used for guest access or as a fallback mechanism
Rich OS support
– Windows XP, Windows Vista and Windows 7
– MacOS support
– Linux/Solaris support
– Thin clients can be supported using the local web portal
– Broad range of smartphone OS – iOS, Android, others
Advanced services
– Host checker
– Coordinated Threat Control
– SSL tunneling
– End-to-end security
– Policy enforcement by user role and group

APPLICATION VISIBILITY FOR INFORMED RISK ANALYSIS
AppTrack – monitor and track applications
– View applications by protocol, web application, and utilization
– Analyze usage and trends
– Web 2.0 application visibility
– Customize application monitoring
– Application usage monitoring
– Scalable, flexible logging and reporting
– Log and report across security solutions and systems

APPSECURE: BEYOND JUST FIREWALL OR APPLICATION CONTROL
AppFW – control and enforce Web 2.0 apps
– Inspect ports and protocols; uncover tunneled apps (e.g. inside HTTP)
– Stop multiple threat types
– Dynamic application security
– Control nested apps, chat, file sharing and other Web 2.0 activities
– Web 2.0 policy enforcement
– Threat detection and prevention

IPS FOR CUSTOMIZABLE PROTECTION
IPS (AppSecure IPS) – monitor and mitigate custom attacks
– Detect and monitor suspicious behavior
– Tune open signatures to detect and mitigate tailored attacks
– On-going threat protection
– Mobile traffic monitoring
– Custom attack mitigation
– Uncover attacks exploiting encrypted methods
– Address vulnerabilities instead of ever-changing exploits of the vulnerability (diagram: one VULNERABILITY with many exploits; other IPSs chase the exploits)
ENHANCED WEB FILTERING
(Diagram: the SRX between the internal network and the Internet consults an "in the cloud" categorization server that rates URLs for productivity, performance and security.)
– Continuous updates
– Large number of URLs
– Category granularity
– Real-time threat score

CUSTOMER CHOICE FOR ANTIVIRUS
– Cloud-based option: Sophos
– On-box option: Kaspersky
Juniper is the only vendor offering customers a choice between two market-proven antivirus solutions.

CLOUD-BASED AV SERVICE: SOPHOS LIVE PROTECTION ANTI-MALWARE FOR JUNIPER SRX
– Cloud-based intelligence delivers high-performance malware protection
– Effective, instant protection against malware and infected web sites
– Target customers that want the performance and ease of a cloud-based antivirus solution

ANTI-SPAM
1. SRX receives email destined for the email server in the DMZ or TRUST zone and looks up the local white/black list to check local entries. Finding no entry, it sends the address of the remote email server or source to the in-the-cloud anti-spam service.
2. The service checks the host address against a constantly updated list and returns a block, permit or log-and-permit message to the SRX.
3. SRX tags the email as ***SPAM*** or it is allowed through. The email server can then use the tag to make supplementary decisions.
(Diagram: remote email server on the Internet (UNTRUST); email server and web proxy in the DMZ; host in TRUST.)

REMOTE ACCESS VPN
Dynamic VPN Service – Access Manager Client
– Clientless – dynamic IPsec client automatically downloaded
– Simultaneous tunnel enforcement
– Automatic client upgrade capabilities
– Self-provisioning
– IPsec with TCP-based fallback for NAT traversal
– Windows platform support—XP, Vista, Win 2000, and Windows 7, Windows 10
(Diagram: wired, wireless and 3G/4G wireless clients connect over the INTERNET to an SRX210.)
JUNIPER WIRELESS - COMPLETE WLAN SOLUTION
WLA/WLC products suite: Simple - Secure - Mobile
– WLM – management and access tools (RingMaster, SmartPass, WLM appliance): plan, config, monitor, report, troubleshoot
– WLA – access points
– WLC – controllers

APPSECURE SOFTWARE SERVICE SUITE
Application intelligence and security in Branch
– AppTrack: understand security risks; address new user behaviors
– AppFW: block access to risky apps; allows user-tailored policies
– AppQoS: prioritize important apps; rate-limit less important apps
– AppDoS: protect apps from bot attacks; allow legitimate user traffic
– IPS: remediate security threats; stay current with daily signatures
Subscription service includes all modules and updates. Juniper Security Lab provides 900+ application signatures. (A "2H 2013" marker appears on the slide.)

APPLICATION SECURITY AVAILABILITY
(Matrix of AppTrack, AppFW, AppQoS, AppDoS and IPS availability on High End SRX and Branch SRX; the availability marks did not survive extraction, only a "2H2013" marker.)
LOGICAL SYSTEMS (LSYS) – HIGH-END SRX ONLY
– Virtualization of many aspects of Junos, especially security policies and enforcement options, within a single HE SRX
– "Complete" separation of a single device into unique virtual instances, including:
  – Administrative separation – users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box
  – Traffic separation – network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
  – Resource separation – resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances
– An evolution of ScreenOS's VSYS concept

SERVICES OFFLOAD, A.K.A. LOW LATENCY FIREWALL – HIGH-END SRX ONLY
– Allows both latency-sensitive and normal traffic to be mixed on the same platform
– When configured with 'services offload', the SPC will push policy to the NPC, and further processing is handled directly by the NPC
– Available as of Junos 11.4
– Supports FW, NAT, NPU screens, and QoS
– No support for services that require an SPC: fragmented packets, IPS, inter-LSYS traffic
(Diagram: flows enter at the PHY and are handled by the NP on the NPC; only processing that is not offloaded continues to an SPC.)

JUNOS SPACE – OPEN NETWORK APPLICATION PLATFORM
Network application platform
– Open, extensible, standards-based (SOA)
– Abstractions for generic service definitions
– Purpose-built for network orchestration and automation
– RESTful web service API
– Carrier-grade scale
– Transparent communication with all Junos devices (any device, any OS version) – total management of Juniper infrastructure
– Easy integration with OSS via NBI/SDK
Applications
– Juniper applications: Network Activate, Transport Activate, QoS Design, Ethernet Design, Security Design, Virtual Control, Service Now, Security Director
– 3rd-party applications: OSS, BSS, Green/Energy, End-user Forensics, Adapters (MTOSI, OneAPI), … others
Junos Space platform: network widgets, infrastructure widgets, Device Management Interface (DMI)

SECURITY THREAT RESPONSE MANAGER (STRM)
– STRM supports SRX Series Intrusion Prevention System (IPS) and AppSecure
– 220+ out-of-the-box report templates
– Fully customizable reporting engine: creating, branding and scheduling delivery of reports
– Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA
– Reports based on control frameworks: NIST, ISO and CoBIT

JUNOS SCRIPTS
– Configuration automation – instructs Junos during the commit process: options to provide warnings, post log messages, automatically fail the commit, or change the configuration
– Operations automation – instructs Junos as prompted by the command line and other scripts: create custom operational commands for specific user and environment needs
– Event automation – instructs Junos on actions to take in response to events: gather relevant troubleshooting information and correlate events from the first leading indicators
SRX QUICK START TRAINING Chapter 6: Junos OS Command Line Interface (CLI) Introduction

MULTIPLE WAYS TO MANAGE!
– Junos CLI: Telnet, SSH; commit model; JUNOScript: automated configuration, operations
– J-Web: quick setup with templates; dashboard view; performance monitoring
– Security Director: manage multiple devices; global, group and device-level configuration

CONFIGURATION HISTORY
(Diagram: configure creates the candidate configuration from the active configuration; commit makes the candidate active and pushes the previous active configuration into the history; rollback n restores history entry n, with n running 0, 1, 2, ... 49.)
– Active configuration stored in /config/juniper.conf.gz
– Rollback files stored in /config/juniper.conf.n.gz (n=1–3) and /var/db/config/juniper.conf.n.gz (n=4–49)

JUNOS OS CONFIGURATION PROCESS
– Separation of configuration edit and activation
– Validation checks
– Version control
– Automated rollback
– Convenient deployment of standard configurations and policy language across the network
(Diagram: load → candidate → commit (commit confirmed, commit scripts, commit validations) → validated configuration → active configuration.)

JUNOS OS CONFIGURATION PROCESS (CONT'D)
Basic steps in the configuration process:
1. Enter changes in the candidate
2. Commit the candidate
3. Candidate becomes active
(Diagram: the same load/candidate/commit/validated/active flow, with rollback 1 … 49 returning a previous active configuration to the candidate.)
THE RESCUE CONFIGURATION
– A rescue configuration is designed to restore basic connectivity in the event of configuration problems
– Contents are user defined – include a root password!
– By default, there is no rescue configuration
– Can be saved using J-Web or the CLI
– Once saved, the rescue configuration can be activated with the CLI or a momentary push of the recessed CONFIG button

CLI MODES AND FEATURE OVERVIEW
CLI operational mode:
– Editing command lines
– Command completion and history
– Context-sensitive and documentation-based help
– UNIX-style pipes
CLI configuration mode:
– Object-oriented hierarchy
– Jumping between levels
– Candidate configuration with sanity checking
– Automatic rollback capability
– Showing portions of configuration while configuring
– Saving, loading, and deleting configuration files
– Running operational-mode commands from within configuration

CLI MODES
Operational mode: monitor and troubleshoot the software, network connectivity, and router hardware
    user@host>
The > character identifies operational mode.
Configuration mode: configure the router, including interfaces, general routing information, routing protocols, user access, and system hardware properties
    [edit]
    user@host#
The # character identifies configuration mode.

LOGGING IN
When logging in:
– Nonroot users are placed into the CLI automatically
    host (ttyd0)
    login: user
    Password:
    --- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
    user@host>
– The root user must start the CLI from the shell (root@host% is the shell prompt, root@host> the CLI prompt). Do not forget to exit the root shell after logging out of the CLI!
    host (ttyd0)
    login: root
    Password:
    --- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
    root@host% cli
    root@host>
CLI OPERATIONAL MODE
– Execute commands (mainly) from the default CLI level (user@host>)
– Can execute from configuration mode with the run command
– Hierarchy of commands, from less specific to more specific
– Example: show ospf neighbor
    clear | configure | file | help | monitor | set | show | etc.
      show: bgp | chassis | configuration | ospf | rip | route | version | etc.
        show ospf: database | interface | neighbor | route | statistics | etc.

EDITING COMMAND LINES
EMACS-style editing sequences are supported. On the line user@host> show interfaces, the keyboard sequences move the cursor position:
– Ctrl+b – back one character
– Ctrl+a – to the beginning of the line
– Ctrl+f – forward one character
– Ctrl+e – to the end of the line
The default VT100 terminal type also supports cursor positioning with the arrow keys.

COMMAND AND VARIABLE COMPLETION
Spacebar completes a command (enter a space to complete a command):
    user@host> show i
    'i' is ambiguous.
    Possible completions:
      igmp         Show Internet Group Management Protocol...
      ike          Show Internet Key Exchange information
      interfaces   Show interface information
      ipsec        Show IP Security information
      isis         Show Intermediate System-to-Intermediate...
    user@host> show i
Use the Tab key to complete an assigned variable:
    [edit policy-options]
    user@host# show policy-statement this-is-my-policy
    then accept;
    [edit policy-options]
    user@host#

CONTEXT-SENSITIVE HELP
Type ? anywhere on the command line:
    user@host> ?
    Possible completions:
      clear        Clear information in the system
      configure    Manipulate software configuration
      file         Perform file operations
      help         Provide help information
      . . .
    user@host> clear ?
    Possible completions:
      arp          Clear address resolution information
      bfd          Clear Bidirectional Forwarding Detection information
      bgp          Clear Border Gateway Protocol information
      firewall     Clear firewall counters
      . . .

TOPICAL HELP
The help topic command provides information on general concepts:
    user@host> help topic interfaces ?
    Possible completions:
      accept-data          Accept packets destined for virtual IP...
      accept-source-mac    Policers for specific source MAC addresses
      access-profile       Mapping peer name and secrets for CHAP
      accounting-profile   Accounting profile
      acknowledge-timer    Maximum time to wait for link...
      address              Interface address and destination prefix
      ...
    user@host> help topic interfaces address
    Configuring the Interface Address
    You assign an address to an interface by specifying the address when configuring the protocol family. For the inet family, you configure the interface's IP address. For the iso family, you configure one or more addresses for the loopback interface. For the ccc, tcc, mpls, tnp, and vpls families, you never configure an address.
    ...

CONFIGURATION SYNTAX HELP
Use help reference for assistance with configuration syntax:
    user@host> help reference interfaces address
    address
    Syntax
      address address {
        arp ip-address (mac | multicast-mac) mac-address;
        broadcast address;
        destination address;
        destination-profile name;
        eui-64;
        multipoint-destination address dlci dlci-identifier;
        ...
      }
    Hierarchy Level
      [edit interfaces interface-name unit logical-unit-number family family],
      [edit logical-routers logical-router-name interfaces interface-name unit logical-unit-number family family]
    Description
      Configure the interface address.
    ...

USING | (PIPE)
The pipe function allows you to filter and manipulate command output. Available in all modes and contexts:
    user@host> show route | ?
    Possible completions:
      count      Count occurrences
      display    Show additional kinds of information
      except     Show only text that does not match a pattern
      find       Search for first occurrence of pattern
      hold       Hold text without exiting the --More-- prompt
      last       Display end of output only
      match      Show only text that matches a pattern
      no-more    Don't paginate output
      request    Make system-level requests
      resolve    Resolve IP addresses
      save       Save output text to file
      trim       Trim specified number of columns from start of line
    user@host> show route |
ACTIVE AND CANDIDATE CONFIGURATIONS
Batch configuration model:
– Must commit configuration changes
Active configuration:
– Current operational configuration
– Boot-up configuration
Candidate configuration:
– A working copy for configuration changes
– Initialized with the active configuration
– Becomes active configuration upon commit

CONFIGURE PRIVATE, CONFIGURE EXCLUSIVE
Use configure private for your own copy of the candidate configuration:
    mike@jnpr1> configure private
    warning: uncommitted changes will be discarded on exit
    Entering configuration mode
Use configure exclusive when you want to prohibit others from also making changes while you are in configuration mode:
    mike@jnpr1> configure exclusive
    warning: uncommitted changes will be discarded on exit
    Entering configuration mode

SHOW COMMAND
List the complete candidate from the top of configuration mode:
    [edit]
    mike@juniper1# show
    version "9.2R1.3";
    groups {
        re0 {
            system {
                jnpr1-name jnpr1;
            }
        }
    }
    …
List a specific subset of the candidate configuration from a deeper level of the hierarchy:
    [edit interfaces ge-5/0/0]
    mike@jnpr# show
    gigether-options {
        flow-control;
        auto-negotiation;
    }
    unit 0 {
        family inet {
            address 1.2.3.4/28;
        }
    }
SET COMMAND
From the top of configuration mode:
    [edit]
    mike@jnpr1# set system services finger
    mike@jnpr1# set system services ftp
    mike@jnpr1# set system services ssh
    mike@jnpr1# set system services telnet
From a sublevel:
    [edit system services]
    mike@jnpr1# set finger
    mike@jnpr1# set ftp
    mike@jnpr1# set ssh
    mike@jnpr1# set telnet
Either adds:
    [edit]
    system {
        services {
            finger;
            ftp;
            ssh;
            telnet;
        }
    }

DELETE COMMAND
– Remove a statement along with any subordinate statements
– Deleting a statement effectively returns the affected device, protocol, or service to an unconfigured state
– Deleting a container statement removes everything under that level of the hierarchy
    [edit]
    mike@jnpr1# delete system services
Now:
    [edit]
    system {
    }

COMPARE CONFIGURATIONS
Display the differences between the candidate and active configuration; options to show any two configurations:
    [edit system services]
    mike@jnpr1# show | compare
    - ssh;
    + telnet;
    - web-management {
          http {
              port 8080;
          }
    - }
COMMIT CHECK
Check that the device will accept your candidate. Validates the logic and completeness of the candidate without activating the changes:
    [edit]
    mike@jnpr1# commit check
    [edit interfaces lo0 unit 0 family inet]
      'address 192.168.69.1/24'
        Loopback addresses' prefix must be 32 bits
    error: configuration check-out failed

COMMIT
Activates the candidate to become the running configuration of the device. If the validation checks find any errors, you must fix these before the candidate can become the active file:
    [edit]
    mike@jnpr1# commit
    error: Policy error: Policy my-policy referenced but not defined
    error: BGP: export list not applied
    error: configuration check-out failed
The commit complete message tells you that the new configuration is now active:
    [edit]
    mike@jnpr1# commit
    commit complete

COMMIT CONFIRMED
Automate rollback in remote devices: commit a candidate configuration for a limited time.
    [edit]
    mike@jnpr1# commit confirmed
    commit confirmed will be automatically rolled back in 10 minutes unless confirmed
    commit complete
Finalize the commit by entering a 2nd commit command:
    [edit]
    mike@jnpr1# commit
    commit complete
Or, wait for rollback to your previous configuration:
    Broadcast Message from root@jnpr1 (no tty) at 08:10:17 UTC
    Commit was not confirmed; automatic rollback complete.

ROLLBACK
– Use rollback (or rollback 0) to reset the candidate configuration to the currently active configuration
– rollback 1 loads the previously active configuration
– rollback n loads the nth previous active configuration
– rollback rescue loads the previously created rescue file
– rollback only modifies the candidate configuration – don't forget to commit the changes!
    [edit]
    mike@host# rollback
    load complete
    [edit]
    mike@host# commit
    commit complete

SAVING A RESCUE CONFIGURATION
– Use the request system configuration rescue [save | delete] CLI command
– View with the show system configuration rescue CLI command
CONFIGURATION STATEMENT HIERARCHY
    [edit]
    user@host# edit protocols ospf area 51 stub
    [edit protocols ospf area 0.0.0.51 stub]
    user@host# top
The hierarchy runs from less specific to more specific:
    chassis | interfaces | protocols | services | system | etc.
      protocols: bgp | isis | mpls | ospf | pim | rip | rsvp | vrrp | etc.
        ospf: area area_id | graceful-restart | overload | traffic-engineering | etc.
          area: area-range area_range | interface | nssa | stub | etc.

CONFIGURATION FILE IS HIERARCHICAL
CLI commands are entered without curly brackets:
    [edit system]
    user@host# set services web-management http port 8080
The result is a hierarchical configuration file, complete with curly brackets:
    [edit system]
    user@host# show
    services {
        web-management {
            http {
                port 8080;
            }
        }
    }
    [edit system]
    user@host#
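An added example (not Junos code): a Python model that turns set and delete statements into the curly-bracket file shown above, including the empty container that delete system services leaves behind. It assumes a simple heuristic for which tokens are values (numbers, IP prefixes, quoted strings); Junos itself uses its configuration schema for that.

```python
"""Builds the curly-bracket configuration file from Junos set and delete
statements (added example, not Junos code). It reproduces the slide's
'set services web-management http port 8080' at [edit system] and the
'delete system services' container delete. One simplification is assumed:
a token that looks like a value (a number, an IP prefix or a quoted string)
is folded into the keyword before it, so 'port 8080' renders as one
statement. Junos itself knows from its schema which tokens are values.
"""
import re
from typing import Any, Dict, List

Tree = Dict[str, Any]   # container -> nested dict, leaf statement -> None

_VALUE = re.compile(r'^(\d+|\d+\.\d+\.\d+\.\d+(/\d+)?|".*")$')


def _path(statement: str) -> List[str]:
    """Split a statement into hierarchy keys, folding 'keyword value' pairs."""
    keys: List[str] = []
    for tok in statement.split():
        if keys and _VALUE.match(tok) and " " not in keys[-1]:
            keys[-1] = f"{keys[-1]} {tok}"
        else:
            keys.append(tok)
    return keys


def apply_set(tree: Tree, statement: str, base: str = "") -> None:
    """'set a b c' issued at [edit base] adds base/a/b/c to the candidate."""
    keys = (_path(base) if base else []) + _path(statement)
    node = tree
    for key in keys[:-1]:
        child = node.get(key)
        if not isinstance(child, dict):     # create (or promote) a container
            child = node[key] = {}
        node = child
    node.setdefault(keys[-1], None)         # leaf, unless it already has children


def apply_delete(tree: Tree, statement: str, base: str = "") -> bool:
    """'delete a b' removes a/b and everything under it; False if it was absent.

    Only the named statement is removed: its parent container stays, which is
    why 'delete system services' leaves 'system { }' behind as on the slide.
    """
    keys = (_path(base) if base else []) + _path(statement)
    node = tree
    for key in keys[:-1]:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    if not isinstance(node, dict) or keys[-1] not in node:
        return False
    del node[keys[-1]]
    return True


def render(tree: Tree, indent: int = 0) -> str:
    """Print a subtree the way 'show' does: containers in braces, leaves with ';'."""
    pad = " " * indent
    lines: List[str] = []
    for key, child in tree.items():
        if child is None:
            lines.append(f"{pad}{key};")
        else:
            lines.append(f"{pad}{key} {{")
            if child:
                lines.append(render(child, indent + 4))
            lines.append(f"{pad}}}")
    return "\n".join(lines)


def show(tree: Tree, base: str = "") -> str:
    """Render what 'show' prints at [edit base]."""
    node = tree
    for key in (_path(base) if base else []):
        node = node[key]
    return render(node)


def demo_set() -> str:
    candidate: Tree = {}
    apply_set(candidate, "services web-management http port 8080", base="system")
    return show(candidate, "system")


def demo_delete() -> str:
    candidate: Tree = {}
    for svc in ("finger", "ftp", "ssh", "telnet"):
        apply_set(candidate, f"system services {svc}")
    apply_delete(candidate, "system services")
    return render(candidate)


if __name__ == "__main__":
    print(demo_set())
    print(demo_delete())
```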
CONFIGURATION FILE DIFFERENCES
Change the candidate configuration:
    [edit system]
    user@host# set services telnet
    [edit system]
    user@host# delete services web-management
    [edit system]
    user@host# delete services ssh
Display differences between the candidate and active configurations:
    user@host# show | compare
    [edit system services]
    - ssh;
    + telnet;
    - web-management {
          http {
              port 8080;
          }
    - }

RUN IS COOL
Use the run command to execute operational-mode CLI commands from within configuration. Can be a real time-saver when testing the effect of a recent change:
    [edit interfaces fe-0/0/0]
    lab@HongKong# set unit 0 family inet address 10.250.0.141/16
    [edit interfaces fe-0/0/0]
    lab@HongKong# commit
    commit complete
    [edit interfaces fe-0/0/0]
    lab@HongKong# run ping 10.250.0.149 count 1
    PING 10.250.0.149 (10.250.0.149): 56 data bytes
    64 bytes from 10.250.0.149: icmp_seq=0 ttl=255 time=0.967 ms
    --- 10.250.0.149 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.967/0.967/0.967/0.000 ms

USING RENAME
User-defined variables can be changed with the rename command. Can change policy names, filter names, IP addresses, etc.:
    [edit interfaces fe-0/0/0]
    lab@HongKong# set unit 0 family inet address 10.250.0.141/16
    [edit interfaces fe-0/0/0]
    lab@HongKong# show
    unit 0 {
        family inet {
            address 10.250.0.141/16;
        }
    }
    [edit interfaces fe-0/0/0]
    lab@HongKong# rename unit 0 family inet address 10.250.0.141/16 to address 10.250.0.241/16
    [edit interfaces fe-0/0/0]
    lab@HongKong# show
    unit 0 {
        family inet {
            address 10.250.0.241/16;
        }
    }

USING REPLACE
In configuration mode:
    [edit]
    lab@HongKong# replace pattern 10.1.1.1 with 10.2.2.2
SRX QUICK START TRAINING Chapter X: Other Security Products of Interest

COMMITTED TO INNOVATION AND INVESTMENT
Security is core to our business at Juniper.
Market leader (Infonetics Research 2012): #1 in high-end firewalls, #1 in remote access SSL VPN, #3 in network security.
Global powerhouse: $1B global revenue; serving customers in over 47 countries, with a worldwide community of over 1000 reseller partners.
Dedicated innovator: Juniper R&D is $1.027B, or 23% of revenues – a figure no one else in the industry comes close to on a percentage basis (2011 Annual Report).
New in 2013: a differentiated approach to security with our Intrusion Deception and DDoS protection capabilities.

OTHER SECURITY PRODUCTS OF INTEREST
– Virtualized firewall solution: JunosV Firefly
– Securing web portals: Junos WebApp Secure
– Securing virtual machines and ESX hosts: vGW Virtual Gateway
JUNOS V FIREFLY 135
Copyright © 2013 Juniper Networks, Inc.
www.juniper.net
INTRODUCING JUNOSV FIREFLY Virtualized Environment VM
VM
VM
Firefly
JunosV Firefly
Enterprise/Tenant A
Hypervisor
Physical SRX & Junos
Juniper is delivering its industry-leading Junos OS and SRX features as a software appliance for deployment in virtualized environments 136
Copyright © 2013 Juniper Networks, Inc.
www.juniper.net
JUNOSV FIREFLY VISION: ADVANCED PROTECTION IN VIRTUALIZED ENVIRONMENTS
Security and routing functionality delivered as a virtual machine:
Junos delivered as a virtual appliance on a choice of hypervisors; runs on standard x86 hardware
Full, proven Junos security and routing protocol suite (Junos routing protocols and SDK)
Leverages proven SRX and VJX technology
Performance optimized: SMP kernel and multi-threaded flowd over multiple vCPUs
Supports hypervisor VM functionality, for example vMotion, snapshots, HA/FT, cloning and management
Management: CLI, J-Web, SNMP, Junos Space Security Design, hypervisor management, HA/FT

Rich and extensible security stack (perimeter and content security): Firewall, VPN, NAT, IPS (full IDP feature set), Anti-Virus, Web Filtering, Anti-Spam, Network Admission Control, Application Awareness, Identity Awareness.
JUNOSV FIREFLY MANAGEMENT
Centralized management: Junos Space Security Design.
Junos Space Virtual Director: a Junos Space platform application that offers complete “lifecycle” management for JunosV Firefly.
Security insight: STRM (logging and reporting), Syslog, Traceroute.
Local management: CLI, J-Web, Junos scripts, SNMP.
JUNOS WEBAPP SECURE 139
HACKER THREATS
The slide arranges these threat types along a Jan to Dec timeline:
Scripts & Tools, Exploits: Generic scripts and tools against one site.
IP Scan: Script run against multiple sites seeking a specific vulnerability.
Targeted Scan: Targets a specific site for any vulnerability.
Botnet: Script loaded onto a bot network to carry out the attack.
Human Hacker: Sophisticated, targeted attack (APT). Low and slow to avoid detection.
WEB APP SECURITY TECHNOLOGY
Comparison (Q1 2012) of signature-based Web Application Firewalls / Web Intrusion Prevention Systems (PCI Section 6.6) with Junos WebApp Secure:

              Web Application Firewall / Web IPS    Junos WebApp Secure
Detection     Signatures                            Tar Traps
Tracking      IP address                            IP address; browser, software and scripts
Profiling     IP address                            Browser, software and scripts
Responses     Block IP                              Block, warn and deceive attacker
THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY
Detect: “Tar Traps” detect threats without false positives.
Track: Track IPs, browsers, software and scripts.
Profile: Understand the attacker’s capabilities and intents.
Respond: Adaptive responses, including block, warn and deceive.
THE ANATOMY OF A WEB ATTACK
Phase 1: Reconnaissance (weeks or months)
Phase 2: Attack Vector Establishment (weeks or months)
Phase 3: Implementation (days or weeks)
Phase 4: Automation (months or years)
Phase 5: Maintenance (years)
[Figure: timeline of the five phases, annotated with where a Web App Firewall fits.]
DETECTION BY DECEPTION
Tar traps are placed at three points: query string parameters, hidden input fields, and server configuration.
[Figure: request path from the client through the network perimeter firewall to the app server and database, showing where the tar traps sit.]
TRACK ATTACKERS BEYOND THE IP
Track IP address.
Track browser attacks: persistent token, with the capacity to persist in all browsers including various privacy control features.
Track software and script attacks: fingerprinting of HTTP communications.
SMART PROFILE OF ATTACKER
Every attacker is assigned a name, an incident history and an attacker threat level.
RESPOND AND DECEIVE
Junos WebApp Secure responses, shown on the slide against each threat type (Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits):
Warn attacker
Block user
Force CAPTCHA
Slow connection
Simulate broken application
Force log-out
All responses are available for any type of threat; the slide highlights the responses most appropriate for each type of threat.
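The detect, track, profile and respond loop from the preceding slides, as an added Python sketch that is not Juniper's code and says nothing about how Junos WebApp Secure is built: a hidden form field and a query-string parameter that the real application never uses act as tar traps; anything that requests or modifies them is attributed to a profile keyed on a persistent session token (falling back to a user-agent fingerprint) rather than on the IP address, and the decision escalates through the response ladder from the slide. The field and parameter names (`_csrf_backup`, `debug`), the request model and the escalation thresholds are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Per-deployment key for the hidden-field values (constructed here; a real
# deployment stores it so restarts do not invalidate in-flight forms).
SECRET = secrets.token_bytes(32)

# Decoys the real application never reads. Names are arbitrary assumptions.
TRAP_PARAM = "debug"           # query-string tar trap
TRAP_FIELD = "_csrf_backup"    # hidden-input-field tar trap

# Response ladder taken from the slide; the escalation order is ours.
LADDER = ["warn attacker", "force CAPTCHA", "slow connection", "block user"]


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as seen at the web tier."""
    ip: str
    user_agent: str
    url: str
    form: dict = field(default_factory=dict)
    session_token: str = ""    # persistent tracking token carried in a cookie


@dataclass
class Attacker:
    """Profile: a name, an incident history and a derived threat level."""
    name: str
    incidents: list = field(default_factory=list)

    @property
    def threat_level(self) -> int:
        """1..len(LADDER); grows with the number of traps triggered."""
        return min(len(self.incidents), len(LADDER))


PROFILES: dict = {}   # profile key -> Attacker


def trap_value(session_token: str) -> str:
    """Hidden-field value bound to the session via HMAC, so it cannot be guessed."""
    return hmac.new(SECRET, session_token.encode(), hashlib.sha256).hexdigest()[:16]


def render_form(session_token: str) -> str:
    """The login form as served, with the decoy hidden field embedded."""
    return (f'<form method="post" action="/login">'
            f'<input type="hidden" name="{TRAP_FIELD}" value="{trap_value(session_token)}">'
            f'<input name="user"><input name="pass" type="password"></form>')


def inspect(req: Request) -> list:
    """Tar-trap checks; a normal browser submitting the served form trips none."""
    found = []
    if TRAP_PARAM in parse_qs(urlsplit(req.url).query, keep_blank_values=True):
        found.append(f"query-string trap '{TRAP_PARAM}' requested")
    if TRAP_FIELD in req.form and req.form[TRAP_FIELD] != trap_value(req.session_token):
        found.append(f"hidden field '{TRAP_FIELD}' modified")
    return found


def profile_key(req: Request) -> str:
    """Track beyond the IP: prefer the persistent token, else a client fingerprint.
    The fingerprint here is only the User-Agent; a real one covers more of the
    HTTP exchange (header set and order, TLS parameters)."""
    if req.session_token:
        return "token:" + req.session_token
    return "fp:" + hashlib.sha256(req.user_agent.encode()).hexdigest()[:12]


def handle(req: Request) -> str:
    """Decide the response for one request and record the incident in the profile."""
    incidents = inspect(req)
    if not incidents:
        return "allow"
    key = profile_key(req)
    name = "attacker-" + hashlib.sha256(key.encode()).hexdigest()[:6]
    prof = PROFILES.setdefault(key, Attacker(name=name))
    prof.incidents.extend(incidents)
    return LADDER[prof.threat_level - 1]


if __name__ == "__main__":
    token = "sess-demo"
    good = {"user": "alice", "pass": "x", TRAP_FIELD: trap_value(token)}
    print(handle(Request("10.0.0.5", "Mozilla/5.0", "/login", good, token)))       # allow
    bad = {**good, TRAP_FIELD: "AAAA"}                                               # fuzzed field
    print(handle(Request("10.0.0.9", "curl/7.88", "/login", bad, "sess-scan")))    # warn attacker
    print(handle(Request("203.0.113.7", "curl/7.88", "/?debug=1", {}, "sess-scan")))  # force CAPTCHA
    for key, prof in PROFILES.items():
        print(key, prof.name, prof.threat_level, prof.incidents)
```

Two points of the design matter for false positives, which the slide claims tar traps avoid: the trap value is an HMAC over the session token, so a mismatch cannot come from a guess, but it must be bound to something that survives session rotation (or the previous token accepted for a grace period), otherwise a user whose session is renewed mid-form would be flagged. Keying the profile on the token also means the escalation follows the client across IP addresses, which is the "beyond the IP" tracking the slides describe.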
UNIFIED PROTECTION ACROSS PLATFORMS
[Figure: the same protection applied to internal app server and database deployments, virtualized deployments, and cloud deployments.]
VGW VIRTUAL GATEWAY
MEGA TREND – SERVER VIRTUALIZATION
[Chart: physical server installed base vs. logical server installed base (millions of installed servers), 1996 to 2013, with the gap annotated as capital savings. Source: IDC.]
SECURITY IMPLICATION OF VIRTUALIZATION
Physical network: a firewall/IDS sees and protects all traffic between servers.
Virtual network: VMs (VM1, VM2, VM3) on an ESX/ESXi host exchange traffic through the hypervisor's virtual switch, so physical security is “blind” to traffic between virtual machines.
APPROACHES TO SECURING VIRTUAL NETWORKS
1. VLANs and physical segmentation of the VMs on each ESX/ESXi host.
2. Traditional security agents: a regular thick agent for firewall and anti-virus inside each VM.
3. Integrated virtual security: a virtual security layer (VS) in the hypervisor of each ESX/ESXi host.
THE VGW ARCHITECTURE OVERVIEW
Service provider and enterprise grade, three-tiered model:
1. Management: Security Design for vGW, working with VMware Virtual Center.
2. vGW security VM on each ESX or ESXi host: fault-tolerant architecture (i.e., HA); virtualization-aware (secure VMotion); “Auto Secure” detects and protects new VMs.
3. vGW engine in the VMware kernel: packet data delivered through VMware APIs; works with any vSwitch (standard, DVS, 3rd party).
Also: VMware certified (signed binaries!); protects each VM and the hypervisor; granular, tiered defense; stateful firewall, integrated IDS and AV; flexible policy enforcement by zone, VM group, VM or individual vNIC; integrates with partner servers (IDS, SIM, Syslog, Netflow).
THE VGW ENGINE: VGW MODULES
Main dashboard: view of the virtual system threats (including VM quarantine view).
Seven functional modules:
Network: visibility of inter-VM traffic flows
Firewall: firewall policy management and logs
IDS: centralized view of IDS alerts and ability to drill down on attacks
AntiVirus: full AV protection for virtual machines
Introspection: centralized view of the software loaded in a VM including OS, apps and hotfixes; ability to track and control changes in loaded software via Image Enforcer
Compliance: out-of-box and custom rules engine to alert on VM and host configuration changes
Reports: automated reports for all the functional modules
SRX SERIES INTEGRATION
Firewall zones integration (zone synchronization between SRX Series and vGW).
Benefits:
Guarantees the integrity of zones on the hypervisor
Automates and verifies that VMs commit no “policy violation”
Empowers the SRX Series with VM awareness
RESOURCES TO HELP YOU LEARN MORE
Resource: URL
Pathfinder: http://pathfinder.juniper.net
Content Explorer: http://www.juniper.net/techpubs/content-applications/contentexplorer
Feature Explorer: http://pathfinder.juniper.net/feature-explorer
Learning Bytes: www.juniper.net/learningbytes
Installation and configuration courses: www.juniper.net/courses
J-Net Forum: http://forums.juniper.net/t5/Training-Certification-and/bdp/Training_and_Certification
Certification program: www.juniper.net/certification
Courses: http://www.juniper.net/training/technical_education
Translation tools: http://www.juniper.net/customers/support/#task