
Junos for Security Platforms

Chapter 2: Introduction to Junos Security Platforms

© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives

 After successfully completing this chapter you will be able to:
•Describe traditional routing and security
•Describe current trends in internetworking
•Provide an overview of SRX Series Services Gateways
•Provide an overview of the Junos operating system for the SRX Series
•Describe physical and logical packet flow through SRX Series devices

Agenda:
Introduction to Junos Security Platforms

Traditional Routing
 Traditional Security
 Breaking the Tradition
 The Junos OS Architecture

Routers

 Traditionally, a router forwards packets based on a Layer 3 IP address
•Uses some type of path determination mechanism
 Packet processing is stateless and promiscuous
 Routers separate broadcast domains and provide WAN connectivity

Layer 3 Packet Forwarding (Routing)

 IP packets forwarded based on destination address
•Maintain routing table entries
• Static routes
• Dynamic routes (RIP, OSPF, BGP)
•Longest prefix match

[Figure: RTR A with ge-0/0/0 (10.2.2.1/24) toward a switch and next hop 10.2.2.2, and ge-0/0/1 (10.1.1.1/24) toward host 10.1.1.10; destination host 10.3.3.10]

Routing Table
Network        Interface   Gateway
10.1.1.0/24    ge-0/0/1    direct
10.2.2.0/24    ge-0/0/0    direct
10.3.3.0/24    ge-0/0/0    10.2.2.2
10.3.3.10/32   ge-0/0/2    10.4.4.2
10.4.4.0/24    ge-0/0/2    direct

Two entries cover the address 10.3.3.10. The /32 host route via ge-0/0/2 wins over 10.3.3.0/24 because it is the longer match; only the destination address takes part in the decision.
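The lookup on this slide, as an added example in plain Python (not Juniper code): a stateless router decides on nothing but the destination address, and the longest matching prefix wins. The table is the one above; the function names are my own.

```python
"""Longest-prefix-match forwarding over the slide's routing table.

Added example, not from the course. Models a traditional stateless router:
each packet is looked up on its destination address alone, nothing about
earlier packets or the source address influences the decision.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    interface: str
    gateway: str          # "direct" marks a connected network


# Routing table of RTR A, copied from the slide.
ROUTING_TABLE: List[Route] = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "ge-0/0/1", "direct"),
    Route(ipaddress.ip_network("10.2.2.0/24"), "ge-0/0/0", "direct"),
    Route(ipaddress.ip_network("10.3.3.0/24"), "ge-0/0/0", "10.2.2.2"),
    Route(ipaddress.ip_network("10.3.3.10/32"), "ge-0/0/2", "10.4.4.2"),
    Route(ipaddress.ip_network("10.4.4.0/24"), "ge-0/0/2", "direct"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    # Longest prefix (largest prefixlen) wins; table order is irrelevant.
    return max(candidates, key=lambda r: r.network.prefixlen)


def forward(table: List[Route], src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Stateless forwarding decision: (egress interface, next hop) or None (no route).

    src is accepted only to make the point of the slide explicit: a traditional
    router never consults it, so a spoofed source is forwarded like any other.
    """
    route = lookup(table, dst)
    if route is None:
        return None
    next_hop = dst if route.gateway == "direct" else route.gateway
    return route.interface, next_hop


if __name__ == "__main__":
    for dst in ("10.3.3.10", "10.3.3.20", "10.1.1.10", "192.168.1.1"):
        print(dst, "->", forward(ROUTING_TABLE, "10.1.1.10", dst))
```

The host route for 10.3.3.10 overrides the covering /24 even though the /24 appears earlier in the table, and a packet whose source address could never legitimately arrive on that interface is forwarded exactly like a genuine one.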
Traditional Routing Is Promiscuous

 A traditional router provides stateless connectivity
•Forwards all traffic by default
•Operates at Layer 3—cannot detect security threats in higher-layer protocols
•Operates on each packet individually—cannot detect malformed sessions
•The network is immediately vulnerable
 Typically treats security as a luxury add-on item

[Figure: a Finance Server and a Data Server connected through a router with interfaces 192.168.1.1 and 192.168.2.1]

Router Positioning

 Typical router positioning:

[Figure: Enterprise Branch 1, Enterprise Branch 2 and the Enterprise Head Office, each with a J Series router, connected across a Service Provider Network; an M Series router at the provider edge and M Series and T Series platforms in the core]
Agenda:
Introduction to Junos Security Platforms

 Traditional Routing
Traditional Security
 Breaking the Tradition
 The Junos OS Architecture

Firewalls

 Traditionally, a standalone firewall adds enhanced security in the enterprise network
 Firewall must perform:
•Stateful packet processing
• Keeps a session or state table based on IP header and higher-level information (TCP/UDP and Application Layer)
•NAT and PAT
• Private-to-public and public-to-private translation
•VPN establishment
• Encapsulation, authentication, and encryption
 Can also implement other security elements such as SSL, IDP, ALGs, and so forth
Stateful Packet Processing

[Figure: host 10.1.1.5 in the Private Zone on ge-1/0/1.0; Web Server 200.5.5.5 in the External Zone, reached through ge-0/0/0.0 and the Internet]

Outgoing packet header:
SRC-IP     DST-IP      Protocol   SRC-Port   DST-Port
10.1.1.5   200.5.5.5   6          29218      80

Packet header + session token = flow information. The outgoing flow initiates a session table entry, and the entry includes the expected return flow (protocol 6 is TCP).

Session Table
Source Address   Source Port   Destination Address   Destination Port   Protocol   Interface
10.1.1.5         29218         200.5.5.5             80                 6          ge-1/0/1.0
200.5.5.5        80            10.1.1.5              29218              6          ge-0/0/0.0

Outgoing and incoming packets use the session table for bidirectional communication. An inbound packet that matches no session entry has no flow to belong to and is not forwarded.

NAT and PAT

 NAT and PAT:
•NAT converts IP addresses
•PAT converts TCP or UDP port numbers
•Typically used at the boundary between private and public addressing

[Figure: host 10.1.1.5 behind a NAT device (private side 10.1.1.1, public side 201.1.8.1) reaching a server at 221.1.8.5 across the Internet]

Before translation (private side):
SRC-IP     DST-IP      Protocol   SRC-Port   DST-Port
10.1.1.5   221.1.8.5   6          36033      80

After translation (public side):
SRC-IP      DST-IP      Protocol   SRC-Port   DST-Port
201.1.8.1   221.1.8.5   6          1025       80

The source address is rewritten to the public address (NAT) and the source port to a port the device has allocated (PAT); the destination fields are untouched. The firewall must remember both so that the reply to 201.1.8.1:1025 can be mapped back to 10.1.1.5:36033.
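The two previous slides together, as an added example (not Juniper code and not how an SRX stores its sessions): a session table whose reverse wing is the expected return flow, combined with source NAT and PAT. The addresses are those on the slides; the class and method names, and the assumption that public ports are handed out sequentially from 1025, are my own.

```python
"""Stateful session table with source NAT/PAT (added example).

The first outbound packet installs a session with two wings: the forward
wing (private 5-tuple -> translated source) and the reverse wing, keyed on
the *translated* address and port so that the server's reply matches and is
mapped back to the private host. Packets with no matching session are only
accepted if they originate on the private side; anything unsolicited from
the public side is dropped.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP = 6
FiveTuple = Tuple[str, int, str, int, int]      # (src_ip, src_port, dst_ip, dst_port, proto)
Rewrite = Tuple[Tuple[str, int], Tuple[str, int]]  # (new source, new destination)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int = TCP

    def key(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


class StatefulNatFirewall:
    """Private hosts hidden behind a single public address (interface NAT with PAT)."""

    def __init__(self, public_ip: str, first_port: int = 1025):
        self.public_ip = public_ip
        self.next_port = first_port          # assumption: sequential allocation, no reuse
        self.sessions: Dict[FiveTuple, Rewrite] = {}

    def _allocate_port(self) -> int:
        port = self.next_port
        self.next_port += 1                  # a real device draws from a pool and reuses freed ports
        return port

    def _install(self, pkt: Packet) -> None:
        pub_port = self._allocate_port()
        # Forward wing: private source -> public source; destination unchanged.
        self.sessions[pkt.key()] = ((self.public_ip, pub_port), (pkt.dst_ip, pkt.dst_port))
        # Reverse wing: the expected reply, addressed to the public source/port,
        # is translated back to the private host.
        reverse_key = (pkt.dst_ip, pkt.dst_port, self.public_ip, pub_port, pkt.proto)
        self.sessions[reverse_key] = ((pkt.dst_ip, pkt.dst_port), (pkt.src_ip, pkt.src_port))

    def process(self, pkt: Packet, from_private: bool) -> Optional[Packet]:
        """Return the packet as it leaves the firewall, or None if it is dropped."""
        if pkt.key() not in self.sessions:
            if not from_private:
                return None                  # no session and not an outbound initiation: drop
            self._install(pkt)               # first packet of the flow: create the session
        new_src, new_dst = self.sessions[pkt.key()]   # every later packet: apply the stored rewrite
        return Packet(new_src[0], new_src[1], new_dst[0], new_dst[1], pkt.proto)


if __name__ == "__main__":
    fw = StatefulNatFirewall("201.1.8.1")
    print(fw.process(Packet("10.1.1.5", 36033, "221.1.8.5", 80), from_private=True))
    print(fw.process(Packet("221.1.8.5", 80, "201.1.8.1", 1025), from_private=False))
    print(fw.process(Packet("221.1.8.5", 80, "201.1.8.1", 2000), from_private=False))
```

Two private hosts that happen to use the same source port get distinct public ports, which is what makes the reverse mapping unambiguous; a packet from the server to a public port that was never allocated, or from a third party to an allocated one, matches no wing and is dropped.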

Virtual Private Networks

 Provide secure tunnels across the Internet
•Encapsulation
•Encryption
•Authentication

[Figure: two private sites connected through the Internet. Site 1: hosts 10.1.20.3 and 10.1.20.4 on a switch behind a firewall (private 10.1.20.1, public 2.2.2.1). Site 2: hosts 10.0.0.5 and 10.0.0.6 on a switch behind a firewall (private 10.0.0.254, public 1.1.1.1). The original IP packet leaves the first firewall as an encrypted packet addressed between the two public addresses and is restored to the original IP packet by the second firewall.]
Firewall Positioning

 Typical firewall positioning:

[Figure: a firewall at the Internet edge of the main site, behind which the Administrative Zone, Marketing Zone and Engineering Zone each sit on their own switch; a Branch Office and a Home Office or Retail Site each behind their own firewall, reached across the Internet]
Agenda:
Introduction to Junos Security Platforms

 Traditional Routing
 Traditional Security
Breaking the Tradition
 The Junos OS Architecture

Current Trends

 The current trends:
•As boundaries of networks become virtual, so do the requirements of network edge devices
•The functions of a router and a firewall are collapsing
•The network edge requires more protection
•The hardware is now more capable

A New Perspective

 SRX Series Services Gateways
•Integrated security and network features with robust Dynamic Services Architecture

[Figure: the firewall positioning topology with SRX Series devices in place of the firewalls: an SRX5800 at the main site (Administrative, Marketing and Engineering Zones), an SRX240 at the Branch Office, and an SRX210 at the Home Office or Retail Site, all connected across the Internet]
SRX Series High-End Platform Overview

 High performance, modular chassis
•Firewall throughput ranging from 20 Gbps to 120 Gbps
 Components:
•IOC: Input/output card
•NPC: Network Processing Card
•SPC: Services Processing Card
•SCB: Switch Control Board
•RE: Routing Engine

Physical Packet Flow (High-End Platforms)

[Figure: the ingress packet enters on an Input/output card (IOC: 1.5 oversubscription control, CoS and shaping), crosses the fabric to a Network Processing Card (NPC: flow lookup, policing, and CoS; integrated in the SRX5000 IOC), which hands it to a Services Processing Card (SPC: FW, VPN, IDP, NAT, and routing services). The egress packet returns across the fabric to an IOC. The Routing Engine (RE) handles routing and device management and exposes the MGT interface.]
SRX Branch Platforms Overview

 Switching, routing, and security for the branch office
•Firewall throughput ranging from 75 Mbps to 7 Gbps
 Components:
•Multicore "System-on-a-chip" network processing unit
•PIM: Physical Interface Module
•SRE: Services and Routing Engine
• SRX650 only

[Figure: SRX Branch Series devices]
Physical Packet Flow (Branch Devices)

 CPU performs most control and data plane processing using separate hardware cores

[Figure: ingress packets arrive on the physical ports and pass through an Ethernet switch into the multi-core NPU, which has flash and memory attached and, depending on the platform, a REGEX content processor; egress packets leave by the same path. Details vary by platform.]
Agenda:
Introduction to Junos Security Platforms

 Traditional Routing
 Traditional Security
 Breaking the Tradition
The Junos OS Architecture

Junos Security Platforms Versus a Traditional Router

[Figure: a scale from "All traffic permitted" (Vulnerable) to "No traffic permitted" (Restrictive), with the Ideal position between the two extremes]

 The Junos OS for security platforms starts off as completely secure: no traffic is permitted, and rules are added to allow traffic
 Traditional routers start off as completely vulnerable: all traffic is permitted, and security is added to block traffic
The Junos OS for Security Platforms

 The Junos OS for security platforms provides routing and security
•Best-in-class high-performance firewall derived from ScreenOS software, including security policies and zones
•IPsec VPNs
•IDP Integration

[Figure: ScreenOS heritage shown alongside the SRX210 Services Gateway and the SRX5800 Services Gateway]
Junos Features (1 of 2)

 The Junos OS for security platforms includes the following elements:
•The Junos OS as the base operating system
•Session-based forwarding
•Some ScreenOS-like security features
 Packet-based features:
•Control plane OS
•Routing protocols
•Forwarding features:
• Per-packet stateless filters
• Policers
• CoS
•J-Web
Junos Features (2 of 2)

 Session-based features:
•Implement some ScreenOS features and functionality
through the use of new processes
•First packet of flow triggers session creation based on:
• Source and destination IP address
• Source and destination port
• Protocol
• Session token
•Zone-based security features:
• Packet on the incoming interface associates with the incoming zone
• Packet on the outgoing interface associates with the outgoing zone
•Core security features:
• Firewall, VPN, NAT, ALGs, IDP, and SCREEN options
Control Plane Versus Data Plane

 Control plane:
•Implemented on the RE or SRE
•The Junos kernel, processes, chassis management, user
interface, routing protocols, system monitoring, and
clustering control
 Data plane:
•Implemented on the IOCs, NPCs, and SPCs
• Implemented on CPU/NPU and PIMs for branch platforms
•Forwarding packets, session setup and maintenance,
load-balancing, security policy, screen options, IDP, VPN

Logical Packet Flow

[Figure: ingress packet -> per-packet filters -> per-packet policer -> flow module -> forwarding lookup -> per-packet shaper -> egress packet]

Inside the flow module, the session lookup ("Session match?") decides which path the packet takes:
• No existing session (First Path): SCREEN options -> D-NAT -> Route -> Zones -> Policy -> S-NAT -> Services/ALG -> Session (install)
• Existing session (Fast Path): SCREEN options -> TCP checks -> NAT -> Services/ALG

Only the first packet of a flow pays for the route lookup, zone determination and policy evaluation; every later packet in either direction is matched against the session table and skips those steps. The per-packet filters, policer and shaper are stateless and apply regardless of the path taken.
Session Management

 The session hash table maintains sessions for packet matching and processing
 When no traffic matches the session during the service timeout, the session ages out
 Run-time changes during the lifetime of the session might propagate into the session
•Routing changes always propagate into the session
•Security policy changes propagate based on configuration

Packet Flow Example (1 of 3)

[Figure: an SRX5800 with three zones. Private Zone: network 10.1.10.0/24 (host 10.1.10.5, gateway .1) behind a router at .254 on 10.1.1.0/24, and network 10.1.20.0/24 (host 10.1.20.5, gateway .1) behind a router at .254 on 10.1.2.0/24. External Zone: 1.1.8.0/24 with next hop .254 toward the Internet and the Web Server 200.5.5.5. Public Zone: 1.1.7.0/24 and 1.1.70.0/24 (routers at .254 and .1) with Host-B at 1.1.70.250.]
Packet Flow Example (2 of 3)

 Example packet:
SRC-IP      DST-IP      Protocol   SRC-Port   DST-Port
10.1.20.5   200.5.5.5   6          29218      80

1. Existing session?
• No (the session table has no entry for this 5-tuple)

Session Table
Source Address   Source Port   Destination Address   Destination Port   Protocol   Int
(empty)

2. Destination reachable?
• Yes (200.5.5.5 matches only the default route: ge-1/0/0, next hop 1.1.8.254)

Routing Table
Network        Interface   Next hop
10.1.1.0/24    ge-0/0/0    (connected)
10.1.2.0/24    ge-0/0/1    (connected)
10.1.10.0/24   ge-0/0/0    10.1.1.254
10.1.20.0/24   ge-0/0/1    10.1.2.254
0.0.0.0/0      ge-1/0/0    1.1.8.254
...

3. Zone determination
• Ingress interface ge-0/0/1 is in the Private zone; the egress interface chosen by the route lookup, ge-1/0/0, is in the External zone

Zone Table
Interface   Zone
ge-0/0/1    Private
ge-0/0/0    Private
ge-0/0/3    Public
ge-1/0/0    External
Packet Flow Example (3 of 3)

 Example: From Private to External

4. Permitted by policy?
• Yes (the HTTP rule matches; rules are evaluated top to bottom and the final rule denies everything else)

Policies from Private to External
SA            DA    App    Action
10.1.0.0/16   any   FTP    permit
10.1.0.0/16   any   HTTP   permit
10.1.0.0/16   any   ping   permit
any           any   any    deny

5. Action: add to session table

Session Table
Source Address   Source Port   Destination Address   Destination Port   Protocol   Interface
10.1.20.5        29218         200.5.5.5             80                 6          ge-1/0/0.0
200.5.5.5        80            10.1.20.5             29218              6          ge-0/0/1.0

6. Action: forward packet
SRC-IP      DST-IP      Protocol   SRC-Port   DST-Port
10.1.20.5   200.5.5.5   6          29218      80
Summary

 In this chapter we discussed:


•Traditional routing and security
•The current trends in internetworking
•SRX Series overview
•The Junos OS for the SRX Series
•Physical and logical packet flow through SRX Series devices

Review Questions

1. What type of packet processing do traditional routers provide?
2. What type of packet processing do traditional firewalls provide?
3. What are two main differences between Junos OS for security platforms and the traditional Junos OS?
4. How is the first packet of a session handled differently than subsequent packets of the same session?
