Junos for Security Platforms
Chapter 2: Introduction to Junos Security Platforms
Chapter Objectives
After successfully completing this chapter you will be able to:
• Describe traditional routing and security
• Describe current trends in internetworking
• Provide an overview of SRX Series Services Gateways
• Provide an overview of the Junos operating system for the SRX Series
• Describe physical and logical packet flow through SRX Series devices
Agenda: Introduction to Junos Security Platforms
• Traditional Routing
• Traditional Security
• Breaking the Tradition
• The Junos OS Architecture
Routers
Traditionally, a router forwards packets based on a Layer 3 IP address
• Uses some type of path determination mechanism
• Packet processing is stateless and promiscuous
• Routers separate broadcast domains and provide WAN connectivity
Layer 3 Packet Forwarding (Routing)
IP packets forwarded based on destination address
• Maintain routing table entries
  • Static routes
  • Dynamic routes (RIP, OSPF, BGP)
• Longest prefix match

[Figure: router RTR A with interfaces ge-0/0/0 (10.2.2.1/24), ge-0/0/1 (10.1.1.1/24) and ge-0/0/2; neighbors at 10.2.2.2/24 and 10.4.4.2, a switch with host 10.1.1.10, and destination host 10.3.3.10.]

Routing table of RTR A:
  Destination    Interface   Next hop
  10.1.1.0/24    ge-0/0/1    direct
  10.2.2.0/24    ge-0/0/0    direct
  10.3.3.0/24    ge-0/0/0    10.2.2.2
  10.3.3.10/32   ge-0/0/2    10.4.4.2
  10.4.4.0/24    ge-0/0/2    direct
Traditional Routing Is Promiscuous
A traditional router provides stateless connectivity
• Forwards all traffic by default
• Operates at Layer 3, so it cannot detect security threats in higher-layer protocols
• Operates on each packet individually, so it cannot detect malformed sessions
• The network is immediately vulnerable
• Typically treats security as a luxury add-on item

[Figure: a router with interfaces 192.168.1.1 and 192.168.2.1 connecting a Finance Server and a Data Server with nothing filtering the traffic between them.]
Router Positioning
Typical router positioning:

[Figure: M Series and T Series platforms in the core of the service provider network, with an M Series router and a J Series router toward the edge.]
Firewalls
Traditionally, a standalone firewall adds enhanced security in the enterprise network. A firewall must perform:
• Stateful packet processing
  • Keeps a session or state table based on IP header and higher-level information (TCP/UDP and Application Layer)
• NAT and PAT
  • Private-to-public and public-to-private translation
• VPN establishment
  • Encapsulation, authentication, and encryption
Can also implement other security elements such as SSL, IDP, ALGs, and so forth
Stateful Packet Processing

[Figure: host 10.1.1.5 in the Private Zone (interface ge-1/0/1.0) sends a packet through the firewall and across the Internet to a Web Server at 200.5.5.5 in the External Zone (interface ge-0/0/0.0).]

Outgoing packet header information:
  Source Address 10.1.1.5   Destination Address 200.5.5.5   Protocol 6   Source Port 29218   Destination Port 80
  + session token = flow

The outgoing flow initiates a session table entry; the session table entry includes the expected return flow:
  Source Address   Source Port   Destination Address   Destination Port   Protocol   Interface
  10.1.1.5         29218         200.5.5.5             80                 6          ge-1/0/1.0
  200.5.5.5        80            10.1.1.5              29218              6          ge-0/0/0.0

Outgoing and incoming packets use the session table for bidirectional communication
NAT and PAT
NAT and PAT:
• NAT converts IP addresses
• PAT converts TCP or UDP port numbers
• Typically used at the boundary between private and public addressing

[Figure: host 10.1.1.5 behind a firewall whose private interface is 10.1.1.1 and whose public interface is 201.1.8.1, reaching 221.1.8.5 across the Internet.]

Packet header on the private side:
  SRC-IP 10.1.1.5    DST-IP 221.1.8.5   Protocol 6   SRC-Port 1025    DST-Port 80
Packet header after NAT and PAT on the public side:
  SRC-IP 201.1.8.1   DST-IP 221.1.8.5   Protocol 6   SRC-Port 36033   DST-Port 80
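The translation in the figure above, as an added Python example that is not part of the course material: a minimal PAT binding table that rewrites the outbound source to the public address and a public port, and accepts an inbound packet only when it matches an existing binding, so unsolicited traffic to the public address is dropped. The port sequence starting at 36033 and the packet dictionary layout are assumptions.

```python
import itertools

PUBLIC_IP = "201.1.8.1"      # firewall public interface from the figure

class PatTable:
    """Maps (private ip, private port, proto) to a public port and back."""
    def __init__(self, first_port=36033):      # assumed starting port
        self._ports = itertools.count(first_port)  # next free public port
        self.outbound = {}   # (src_ip, src_port, proto) -> public port
        self.inbound = {}    # (public port, proto) -> (src_ip, src_port)

    def translate_out(self, pkt):
        """Rewrite the source of an outgoing packet, creating a binding
        for this private (ip, port, proto) on first use."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["proto"])
        if key not in self.outbound:
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[(pub_port, pkt["proto"])] = key[:2]
        return {**pkt, "src_ip": PUBLIC_IP, "src_port": self.outbound[key]}

    def translate_in(self, pkt):
        """Rewrite the destination of a returning packet. A packet with no
        matching binding (unsolicited inbound) is dropped: returns None."""
        binding = self.inbound.get((pkt["dst_port"], pkt["proto"]))
        if pkt["dst_ip"] != PUBLIC_IP or binding is None:
            return None
        ip, port = binding
        return {**pkt, "dst_ip": ip, "dst_port": port}

def demo():
    """Constructed packets matching the slide: 10.1.1.5:1025 -> 221.1.8.5:80."""
    pat = PatTable()
    out = {"src_ip": "10.1.1.5", "dst_ip": "221.1.8.5", "proto": 6,
           "src_port": 1025, "dst_port": 80}
    public = pat.translate_out(out)          # header seen on the Internet
    reply = {"src_ip": "221.1.8.5", "dst_ip": PUBLIC_IP, "proto": 6,
             "src_port": 80, "dst_port": public["src_port"]}
    back = pat.translate_in(reply)           # delivered to 10.1.1.5:1025
    stray = pat.translate_in({**reply, "dst_port": 36034})  # no binding
    return public, back, stray
```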
Virtual Private Networks
Provide secure tunnels across the Internet
• Encapsulation
• Encryption
• Authentication

[Figure: hosts 10.1.20.3 and 10.1.20.4 on a switch behind a firewall (private 10.1.20.1, public 2.2.2.1); across the Internet a second firewall (public 1.1.1.1, private 10.0.0.254) fronts a switch with hosts 10.0.0.5 and 10.0.0.6. The IP packet enters the first firewall, crosses the Internet as an encrypted packet, and leaves the second firewall as the original IP packet.]
Firewall Positioning
Typical firewall positioning:

[Figure: a firewall between the Internet and the Administrative, Marketing, and Engineering zones (each behind its own switch), a firewall at a Branch Office, and a firewall at a Home Office or Retail Site.]
Current Trends
The current trends:
• As boundaries of networks become virtual, so do the requirements of network edge devices
• The functions of a router and a firewall are collapsing
• The network edge requires more protection
• The hardware is now more capable
A New Perspective
SRX Series Services Gateways
• Integrated security and network features with robust Dynamic Services Architecture

[Figure: the firewall positioning diagram with SRX Series devices in place of the firewalls: an SRX5800 at the Internet edge fronting the Administrative, Marketing, and Engineering zones, an SRX240 at the Branch Office, and an SRX210 at the Home Office or Retail Site.]
SRX Series High-End Platform Overview
High performance, modular chassis
• Firewall throughput ranging from 20 Gbps to 120 Gbps
Components:
• IOC: Input/output card
• NPC: Network Processing Card
• SPC: Services Processing Card
• SCB: Switch Control Board
• RE: Routing Engine
Physical Packet Flow (High-End Platforms)

[Figure: the ingress packet enters on the Input/output cards, passes to the Network Processing Cards (flow lookup, policing, and CoS; oversubscription control), crosses the fabric to the Services Processing Cards (services: FW, VPN, IDP, NAT, and routing), returns across the fabric for CoS and shaping, and leaves on the Input/output cards as the egress packet. The Routing Engine handles routing and device management (MGT).]
SRX Branch Platforms Overview
Switching, routing, and security for the branch office
• Firewall throughput ranging from 75 Mbps to 7 Gbps
Components:
• Multicore “system-on-a-chip” network processing unit
• PIM: Physical Interface Module
• SRE: Services and Routing Engine
  • SRX650 only
Physical Packet Flow (Branch Devices)
CPU performs most control and data plane processing using separate hardware cores

[Figure: the ingress packet enters on the physical ports, passes through the Ethernet switch to the multicore NPU, and returns through the switch and ports as the egress packet; the exact path varies by platform.]
Junos Security Platforms Versus a Traditional Router

[Figure: a scale running from Restrictive through Ideal to Vulnerable. The Junos OS for security platforms starts off as completely secure (no traffic permitted); you add rules to allow traffic. Traditional routers start off as completely vulnerable (all traffic permitted); you add security to block traffic.]
The Junos OS for Security Platforms
The Junos OS for security platforms provides routing and security
• Best-in-class high-performance firewall derived from ScreenOS software, including security policies and zones
• IPsec VPNs
• IDP integration

[Figure: ScreenOS feeding into the Junos OS running on the SRX210 Services Gateway and the SRX5800 Services Gateway.]
Junos Features (1 of 2)
The Junos OS for security platforms includes the following elements:
• The Junos OS as the base operating system
• Session-based forwarding
• Some ScreenOS-like security features
Packet-based features:
• Control plane OS
• Routing protocols
• Forwarding features:
  • Per-packet stateless filters
  • Policers
  • CoS
• J-Web
Junos Features (2 of 2)
Session-based features:
• Implement some ScreenOS features and functionality through the use of new processes
• First packet of flow triggers session creation based on:
  • Source and destination IP address
  • Source and destination port
  • Protocol
  • Session token
• Zone-based security features:
  • Packet on the incoming interface associates with the incoming zone
  • Packet on the outgoing interface associates with the outgoing zone
• Core security features:
  • Firewall, VPN, NAT, ALGs, IDP, and SCREEN options
Control Plane Versus Data Plane
Control plane:
• Implemented on the RE or SRE
• The Junos kernel, processes, chassis management, user interface, routing protocols, system monitoring, and clustering control
Data plane:
• Implemented on the IOCs, NPCs, and SPCs
  • Implemented on CPU/NPU and PIMs for branch platforms
• Forwarding packets, session setup and maintenance, load-balancing, security policy, screen options, IDP, VPN
Logical Packet Flow

[Figure: the ingress packet passes the per-packet filters and per-packet policer before entering the flow module. The flow module performs a session lookup. With no match the packet takes the First Path: SCREEN options, D-NAT, route and forwarding lookup, zones, policy, S-NAT, services/ALG, then session creation. With a match it takes the Fast Path: SCREEN/TCP options, NAT, services/ALG. The packet then passes the per-packet shaper and leaves as the egress packet.]
Session Management
The session hash table maintains sessions for packet matching and processing
When no traffic matches the session during the service timeout, the session ages out
Run-time changes during the lifetime of the session might propagate into the session
• Routing changes always propagate into the session
• Security policy changes propagate based on configuration
Packet Flow Example (1 of 3)

[Figure: an SRX5800 with internal networks 10.1.1.0/24 and 10.1.2.0/24 (.254 on the SRX side, .1 on the far routers) leading to 10.1.10.0/24 (host 10.1.10.5) and 10.1.20.0/24 (host 10.1.20.5); on the external side 1.1.8.0/24 toward the Internet and a Web Server, and 1.1.7.0/24 leading to 1.1.70.0/24 with Host-B at 1.1.70.250.]
Packet Flow Example (2 of 3)
Example:
  Source Address 10.1.20.5   Source Port 29218   Destination Address 200.5.5.5   Destination Port 80   Protocol 6

1. Existing session?
  • No
2. Destination reachable?
  • Yes
  Network        Interface   Next hop
  10.1.1.0/24    ge-0/0/0    (connected)
  10.1.2.0/24    ge-0/0/1    (connected)
  10.1.10.0/24   ge-0/0/0    10.1.1.254
  10.1.20.0/24   ge-0/0/1    10.1.2.254
  0.0.0.0/0      ge-1/0/0    1.1.8.254
3. Zone determination
  Interface   Zone
  ge-0/0/1    Private
  ge-0/0/0    Private
  ge-0/0/3    Public
  ge-1/0/0    External
Packet Flow Example (3 of 3)
Example:
4. Permitted by policy?
  • Yes
  Policy from Private to External:
  SA            DA    App    Action
  10.1.0.0/16   any   FTP    permit
  10.1.0.0/16   any   HTTP   permit
  10.1.0.0/16   any   ping   permit
  any           any   any    deny
5. Action: add to session table
  Source Address   Source Port   Destination Address   Destination Port   Protocol   Interface
  10.1.20.5        29218         200.5.5.5             80                 6          ge-1/0/0.0
  200.5.5.5        80            10.1.20.5             29218              6          ge-0/0/1.0
6. Action: forward packet
  Source Address 10.1.20.5   Destination Address 200.5.5.5   Protocol 6   Source Port 29218   Destination Port 80
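The six-step first-path walk above, together with the session table from the Stateful Packet Processing slide, as an added Python simulation that is not Juniper code: it performs the longest-prefix route lookup, maps interfaces to zones, applies the Private-to-External policy, installs both session wings, and then matches the return packet in the fast path. The TCP port-to-application mapping, and the assumption that no policy exists for other zone pairs (so they fall to the default deny), are not on the slides.

```python
import ipaddress

# Routes, zones and policy copied from the slides; APP_BY_PORT is assumed.
ROUTES = [("10.1.1.0/24", "ge-0/0/0"), ("10.1.2.0/24", "ge-0/0/1"),
          ("10.1.10.0/24", "ge-0/0/0"), ("10.1.20.0/24", "ge-0/0/1"),
          ("0.0.0.0/0", "ge-1/0/0")]
ZONES = {"ge-0/0/1": "Private", "ge-0/0/0": "Private",
         "ge-0/0/3": "Public", "ge-1/0/0": "External"}
# Only the Private-to-External policy exists on the slide; any other zone
# pair therefore falls to the default deny. Rows: (source prefix, app, action).
POLICY = {("Private", "External"): [
    ("10.1.0.0/16", "FTP", "permit"), ("10.1.0.0/16", "HTTP", "permit"),
    ("10.1.0.0/16", "ping", "permit"), ("0.0.0.0/0", "any", "deny")]}
APP_BY_PORT = {6: {21: "FTP", 80: "HTTP"}}   # assumed TCP port-to-app map

def route_lookup(dst):
    """Longest prefix match over ROUTES; returns egress interface or None."""
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def policy_lookup(from_zone, to_zone, src, app):
    """First matching rule wins; no rule (or no policy for the pair) means deny."""
    for prefix, rule_app, action in POLICY.get((from_zone, to_zone), []):
        if ipaddress.ip_address(src) in ipaddress.ip_network(prefix) and rule_app in (app, "any"):
            return action
    return "deny"

def process(pkt, sessions):
    """Walk the six first-path steps. `sessions` maps a five-tuple wing to
    the logical interface the packet leaves on. Returns (path, egress)."""
    key = (pkt["sa"], pkt["sp"], pkt["da"], pkt["dp"], pkt["proto"])
    if key in sessions:                                  # 1. existing session?
        return "fast-path", sessions[key]                #    yes: fast path
    egress = route_lookup(pkt["da"])                     # 2. destination reachable?
    if egress is None:
        return "drop", None
    from_zone, to_zone = ZONES[pkt["in_if"]], ZONES[egress]   # 3. zone determination
    app = APP_BY_PORT.get(pkt["proto"], {}).get(pkt["dp"], "unknown")
    if policy_lookup(from_zone, to_zone, pkt["sa"], app) != "permit":
        return "drop", None                              # 4. not permitted by policy
    sessions[key] = egress + ".0"                        # 5. add both wings to the table
    sessions[(pkt["da"], pkt["dp"], pkt["sa"], pkt["sp"], pkt["proto"])] = pkt["in_if"] + ".0"
    return "first-path", egress + ".0"                   # 6. forward packet
```

Feeding the slide's packet from 10.1.20.5:29218 to 200.5.5.5:80 on ge-0/0/1 returns the first path with egress ge-1/0/0.0, and the reply from the Web Server then matches the reverse wing and takes the fast path toward ge-0/0/1.0.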
Summary
In this chapter we discussed:
• Traditional routing and security
• The current trends in internetworking
• SRX Series overview
• The Junos OS for the SRX Series
• Physical and logical packet flow through SRX Series devices
Review Questions
1. What type of packet processing do traditional routers provide?
2. What type of packet processing do traditional firewalls provide?
3. What are two main differences between Junos OS for security platforms and the traditional Junos OS?
4. How is the first packet of a session handled differently than subsequent packets of the same session?