With the rapid growth in data traffic in the past decade and the rapid expansion of computer networks, the necessity for network security and stability has grown massively. Due to these concerns, leading service providers and big enterprises have focused mostly on security, stability, and quality of service have been offering. However, even with service providers being concentrated on these challenges, they are still experiencing various problems on a regular basis. Most of the problems have been categorized as human error and unforeseen network outages including device failures and misconfigurations. These outages have made a big financial mark on them and the IT world, as well as on the big companies depending on them. In the past years, we witnessed many big outages, some of them caused by only a single misconfigured firewall policy, other caused by device failure, or software bugs. A recent software bug at a top UKs service providers was caused because a single core Juniper switch had a memory leak, causing the loss of millions of pounds in a single night. The biggest financial impact was experienced by bookmaking companies which couldn’t stream live sports.
As a result, service providers decided that it is much more important to invest in deploying a stable and dependable network, rather than offer many services and ending with networks and deployments not being the right fit, while their networks grow massively and become more difficult to maintain.
A Firewall, what is it?
In today’s Internet era, every organization’s operation runs through an IT system. Whether that is a server, SQL database, or network infrastructure, these systems are accessing the open Internet one way or another. With every growing network and the fact that every organization depends on these systems, they must be made secure and trustworthy.
However, managing security and maintaining stability have been proven the most difficult of all. With security and stability in mind, networking vendors developed firewalls. In the simplest of definitions, firewalls provide essential security to your internal systems. However, firewalls are much more than simple devices. Since security risks have greatly increased in recent years, firewalls have matured as well. Today, they can filter every kind of traffic you can imagine, through different policies which allow network security engineers to play with them based on their requirements. Firewalls have been designed to inspect the millions of packets that traverse your network in an extremely short amount of time. Since we are not able to predict the future and what the future will bring, network security engineers must be able to implement a decent amount of flexibility to adapt to any unknown priorities that will emerge in the future. These challenges have been the focus of one of the biggest networking vendors, Juniper Networks, and the reason for them to produce mission-critical security appliances capable of adapting to tomorrow’s priorities and dangers.
Juniper Networks: from JProtect Newcomers to SRX Experts
Juniper’s beginning in network security started in May 2003 when they introduced their newest accomplishment to the IT world: the JProtect toolkit. This toolkit was developed to provide a single solution capable of protecting your network through the implementation of firewalls, NAT, flow monitoring, and traffic filtering. Over the next couple of years, Juniper managed to purchase a couple of companies and through their joint efforts, they produced decent end-user devices including access points as well as enterprise access routers.
Today, they are most proud of their SRX Series network security appliances and the Advanced Threat Prevention appliances. Depending on the type of solution you are deploying and the requirements you have, Juniper Networks offers many variations of these appliances, capable of protecting any network either small or enterprise-grade.
Juniper’s Dearest, the SRX Series
At the beginning of this article we focused on the security reasons and why firewalls are so important in our networks. In this section, we will focus on the most loved product of Juniper Networks, their SRX Series of networking appliances. We will separate this section based on the deployment needs and the reason behind their design.
Branch SRX Series appliances
The branch set of appliances have been designed for deployment in small offices and remote sites that require an average set of firewall features. This set of appliances has been developed so customers can have more features with less management expenses because the cost of maintaining several different types of equipment is kept to a minimum.
These devices use the Junos operating system which offers simplicity in configuration but a complexity of features. From a firewall point of view, they offer perimeter security, content security, application visibility, tracking and policy enforcement, as well as policy-based VPNs for more complex deployments. Through the trust and un-trust zone configuration, you can simplify which traffic the device trusts and how to handle the traffic in each case. Some of the main features that this type of device offers is:
- Next-generation firewall protection: through a full packet inspection, you can configure a wide variety of security policies based on the application, the source, and destination or the content that is travelling across your network. This means that these types of SRX devices can inspect traffic up to the last level of the OSI model.
- Application Security and IPS: scan and identify the application and its behavior, thus increasing the protection of the network.
- Unified Threat Management (UTM): a comprehensive set of anti-virus, web and content filtering, and anti-spam capabilities that protect your network from malware, phishing attacks, and various intrusions
- Secure routing: this gives the option to choose between router mode and firewall mode operation with a single command. The branch SRX devices by default will check traffic and confirm it’s safe before forwarding it.
Different variations of this group of devices is shown in the image below:
Original Source: www.juniper.net
In addition, Juniper included some other features in the branch SRX series which come in handy for branch offices spread out in different parts of the world. With these features, customers can access their remote LAN network securely and at a low cost. It’s made possible with the Dynamic VPN Client which requires no additional software to be installed on each side.
The branch SRX series can work as firewalls and routers. The ability to modify how the SRX processes traffic is by far the best feature of these SRX devices. You can choose if you want your router to focus on traffic based entirely on the packets or you can manipulate the traffic by its session. This traffic manipulation allows you to configure complex solutions to the remote branch office which was unthinkable in past years.
With all of these features included, the branch SRX series appliances are proven all-round players in the highly dynamic and unpredictable networking “game”.
Data Center SRX Series appliances
The data center SRX devices are highly modular devices that provide high speed and scalability options suitable for some of the biggest Service Providers in the world. By default, these devices don’t have the necessary power, however this is achieved with the help of many different modules which will add the necessary power and processing capability. This type of modular operation eventually cuts the cost of the initial deployment. A neat option which Juniper implemented is the almost identical chassis and internal components that make simple the ability to migrate from one device to the other.
This group of devices counts three separate main chassis: SRX1000, SRX3000, and the SRX5000. Designed for the smallest of deployments is the Juniper SRX1000. The next in line SRX3000 (figure 1) is a more configurable midsized device designed for medium-sized deployments. The device designed for large scale deployments is the SRX5000 (figure 2) and this device can scale up to an extreme level. A unique feature of these devices is the option to configure them and manipulate their features, creating a unique device specific to your needs. You can play with the features because of the modular approach, add more processing power, or add more security options in expense of lower throughput. Some of the key features that made this group of devices award winning are:
- Comprehensive security features: these features provide a multi-gigabit firewall operation capable of scanning large amounts of traffic through the smallest details.
- Express Path Optimization: this feature allows the SRX to optimize the bandwidth by successfully identifying and choosing the optimal traffic flow.
- Scalability: this group of SRX devices has the option to scale and segment the network based on the network requirements. Together, with the Robust Engine, which separates data and control planes to allow deployment of consolidated routing and security devices, the SRX is the optimal for securing your large network.
Figure 1: Original Source: https://www.juniper.net/us/en/products-services/security/srx-series/srx3600/
Figure 2: Original Source: http://www.networkscreen.com/SRX5600.asp
A specific feature that separates these devices from the branch series is the ability to operate in dedicated mode. This is made possible with the incorporated high performance and flexible processors which can be modified based on the requirements. This allows the router to focus on the intrusion detection for maximum security.
The main “culprit” for this capability is the main SPC (Services Processing Card). The SPC is in fact the processor that handles all the traffic processing including the firewalling, NAT, and VPN traffic. Each SPC can contain one or more SPUs (Service Processing Units) and each of those provides a separate, and often extreme, processing power. In a matter of fact each of these SPUs can run up to 32 parallel tasks simultaneously. Given the fact that engineers love numbers let’s put this into perspective a bit more. Each SPU can process:
- 10 Gbps of Firewall throughput
- 2.5 Gbps of VPN throughput
- 1,100,000 packets every second
- 2.5 Gbps of IPS throughput
This is a massive amount of power in the hands of the data center. However, this power can multiply by adding additional processing card modules which help when the router is over-configured with new services.
Another important piece of hardware in the data center SRX series is the NPU (Network Processing Unit). This unit is responsible for balancing packets once they enter the device by forwarding the packet to the correct SPU handling that session. The NPU is capable of processing around 6.5 million packets per second inbound and about 16 million packets outbound. This unit has hidden security feature as well. It is responsible for much of the packet inspection functions which detect the packets and isolate the intrusion.
Since the initial idea of Juniper was to provide massive scaling in a single device, the SPU and NTU are the main points to scale. By scaling the SPU, you allow for more traffic to be processed and by scaling the NTU, you eventually allow for more traffic to enter the router. This offers you the possibility of deploying massive network with security and stability run by the minimum number of devices.
All of Juniper’s SRX devices are next-generation offerings that enable Service Provider level of processing power and reliability. With the many possible options and modules and most of the features being shared across the platforms, you will have a unique experience when deploying and maintaining these devices.
In this post, Juniper proved that they are more than capable to fight for the top with the already globally recognized networking vendors. With this approach, we simply can’t wait to see what the future holds for us.
Thank you to Bojan Janevski for his contribution to our blog.