© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
Agenda:
Introduction to Junos Security Platforms
Traditional Routing
Traditional Security
Breaking the Tradition
The Junos OS Architecture
Routers
Layer 3 Packet Forwarding (Routing)
Routing Table
Network        Interface   Gateway
10.1.1.0/24    ge-0/0/1    direct
10.2.2.0/24    ge-0/0/0    direct
10.3.3.0/24    ge-0/0/0    10.2.2.2
10.3.3.10/32   ge-0/0/2    10.4.4.2
10.4.4.0/24    ge-0/0/2    direct
Traditional Routing Is Promiscuous
Router Positioning
(figure: an M Series router in the core of the service provider network and a J Series router at Enterprise Branch 1)
Firewalls
Outgoing packet header:
SRC-IP     DST-IP      Protocol   SRC-Port   DST-Port
10.1.1.5   200.5.5.5   6          29218      80
Packet header + session token = flow information
The outgoing flow initiates a session table entry; the session table entry includes the expected return flow.
Session Table
Source Address   Source Port   Destination Address   Destination Port   Protocol   Interface
10.1.1.5         29218         200.5.5.5             80                 6          ge-1/0/1.0
NAT and PAT
Virtual Private Networks
Provide secure tunnels across the Internet:
•Encapsulation
•Encryption
•Authentication
(figure: a private network with hosts 10.1.20.1, 10.1.20.3 and 10.1.20.4 behind a firewall with public address 1.1.1.1; the IP packet is carried as an encrypted packet across the Internet to a second firewall with public address 2.2.2.1, behind which a private network with addresses 10.0.0.254, 10.0.0.5 and 10.0.0.6 receives the original IP packet)
Firewall Positioning
(figure: firewalls placed between the Administrative, Marketing and Engineering zones, the Branch Office and the Internet, each zone behind its own switch)
Current Trends
A New Perspective
SRX Series Services Gateways
•Integrated security and network features with robust Dynamic Services Architecture
(figure: an SRX5800, an SRX240 and an SRX210 positioned between the Administrative, Marketing and Engineering zones, the Branch Office and the Internet)
Physical Packet Flow (High-End Platforms)
(figure: ingress packet → Input/Output Cards (CoS and shaping) → fabric → Services Processing Cards → fabric → egress packet; flow lookup, policing and CoS are shown as integrated in the SRX5000 IOC; routing and device management (MGT) sit alongside the forwarding path)
SRX Branch Platforms Overview
(figure: the SRX Branch Series devices)
Physical Packet Flow (Branch Devices)
(figure: the ingress packet enters through the physical ports and Ethernet switch and is handled by a multi-core NPU with memory, flash and a REGEX content processor before leaving as the egress packet; the components vary by platform)
Junos Security Platforms Versus a Traditional Router
The Junos OS for security platforms starts off as completely secure: no traffic is permitted, and rules are added to allow traffic (restrictive, the ideal starting point).
The Junos OS for Security Platforms
Junos Features (1 of 2)
Session-based features:
•Implement some ScreenOS features and functionality through the use of new processes
•First packet of flow triggers session creation based on:
  • Source and destination IP address
  • Source and destination port
  • Protocol
  • Session token
•Zone-based security features:
  • Packet on the incoming interface associates with the incoming zone
  • Packet on the outgoing interface associates with the outgoing zone
•Core security features:
  • Firewall, VPN, NAT, ALGs, IDP, and SCREEN options
Control Plane Versus Data Plane
Control plane:
•Implemented on the RE or SRE
•The Junos kernel, processes, chassis management, user interface, routing protocols, system monitoring, and clustering control
Data plane:
•Implemented on the IOCs, NPCs, and SPCs
  • Implemented on CPU/NPU and PIMs for branch platforms
•Forwarding packets, session setup and maintenance, load-balancing, security policy, screen options, IDP, VPN
Logical Packet Flow
(figure: ingress packet → SCREEN options → Flow Module session lookup; if no existing session, the First Path runs D-NAT → Route → Zones → Policy → S-NAT → Services/ALG → Session; then Forwarding Lookup → egress packet)
Session Management
Packet Flow Example (1 of 3)
(figure: Host-B at 10.1.20.5 on 10.1.20.0/24, linked across 10.1.2.0/24 and 1.1.7.0/24 to host B at 1.1.70.250 in the Public zone on 1.1.70.0/24; interface addresses .1, .254, .254 and .1 along the path)
Packet Flow Example (2 of 3)
Example packet:
SRC-IP      DST-IP      Protocol   SRC-Port   DST-Port
10.1.20.5   200.5.5.5   6          29218      80
1. Existing session?
• No
Session Table
Source Address   Source Port   Destination Address   Destination Port   Protocol   Int
2. Destination reachable?
• Yes
Routing Table
Network        Interface   Next hop
10.1.1.0/24    ge-0/0/0    (connected)
10.1.2.0/24    ge-0/0/1    (connected)
10.1.10.0/24   ge-0/0/0    10.1.1.254
10.1.20.0/24   ge-0/0/1    10.1.2.254
0.0.0.0/0      ge-1/0/0    1.1.8.254
...
3. Zone determination
Zone Table
Interface   Zone
ge-0/0/1    Private
ge-0/0/0    Private
ge-0/0/3    Public
ge-1/0/0    External
Packet Flow Example (3 of 3)
Example: From Private to External
4. Permitted by policy?
• Yes
SA            DA    App    Action
10.1.0.0/16   any   FTP    permit
10.1.0.0/16   any   HTTP   permit
10.1.0.0/16   any   ping   permit
any           any   any    deny
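The first-path sequence walked through in the three packet flow slides (session lookup, route lookup, zone determination, policy match) and the session table entry with its expected return flow from the Firewalls slide, as an added example that is not part of the course material and not Junos code. The routing, zone and policy tables are the slides' own sample values; the protocol/port-to-application mapping and the function names are assumptions made for the illustration.

```python
import ipaddress

# Sample tables copied from the slides; 200.5.5.5 only matches the default route.
ROUTES = [("10.1.1.0/24", "ge-0/0/0", "connected"),
          ("10.1.2.0/24", "ge-0/0/1", "connected"),
          ("10.1.10.0/24", "ge-0/0/0", "10.1.1.254"),
          ("10.1.20.0/24", "ge-0/0/1", "10.1.2.254"),
          ("0.0.0.0/0", "ge-1/0/0", "1.1.8.254")]
ZONES = {"ge-0/0/1": "Private", "ge-0/0/0": "Private",
         "ge-0/0/3": "Public", "ge-1/0/0": "External"}
# (protocol, destination port) -> application name used by the policy (assumed mapping)
APPS = {(6, 80): "HTTP", (6, 21): "FTP", (1, None): "ping"}
# Policy rules from Private to External, matched top down; the last rule denies everything
POLICIES = {("Private", "External"): [("10.1.0.0/16", "any", "FTP", "permit"),
                                      ("10.1.0.0/16", "any", "HTTP", "permit"),
                                      ("10.1.0.0/16", "any", "ping", "permit"),
                                      ("any", "any", "any", "deny")]}

def lookup_route(dst):
    """Longest-prefix match; returns (network, interface, next hop) or None."""
    best = None
    for prefix, ifc, nh in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc, nh)
    return best

def matches(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def process(sessions, src, dst, proto, sport, dport, in_ifc):
    """Returns (verdict, egress interface). sessions maps a 5-tuple to its egress interface."""
    key = (src, sport, dst, dport, proto)
    if key in sessions:                      # step 1: existing session -> fast path
        return "fast-path", sessions[key]
    route = lookup_route(dst)                # step 2: destination reachable?
    if route is None:
        return "drop: unreachable", None
    from_zone, to_zone = ZONES[in_ifc], ZONES[route[1]]   # step 3: zone determination
    app = APPS.get((proto, dport), "unknown")
    for sa, da, papp, action in POLICIES.get((from_zone, to_zone), []):   # step 4: policy
        if matches(src, sa) and matches(dst, da) and papp in ("any", app):
            if action != "permit":
                return "drop: policy deny", None
            sessions[key] = route[1]                            # forward flow
            sessions[(dst, dport, src, sport, proto)] = in_ifc  # expected return flow
            return "first-path permit", route[1]
    return "drop: no policy", None       # no policy exists between these zones
```

The slide's HTTP packet from 10.1.20.5 takes the first path once and creates both directions in the session table, so the reply from 200.5.5.5 and every later packet of the flow hit the fast path without a second policy lookup.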
Summary
Review Questions