IKE and IPsec VPN—JUNOS
software supports a full Internet Key Exchange (IKE) and IP Security
(IPsec) virtual private network (VPN) implementation. IKE provides
tunnel management for IPsec, authenticates the end entities, and performs
a Diffie-Hellman key exchange to establish a VPN tunnel between network
devices. The VPN tunnels negotiated by IKE are used to encrypt, decrypt,
and authenticate user traffic between the network devices at the IP
layer. In SRX-series devices, a VPN tunnel is created by distributing
the IKE and IPsec workload among the multiple Services Processing
Units (SPUs) of the platform. The IKE workload is distributed based
on a key generated from the IKE packet's 4-tuple (source IP address,
destination IP address, source UDP port, and destination UDP port). In IPsec, the
workload is distributed by the same algorithm that distributes IKE. The Phase 2 security
association (SA) for a given pair of VPN tunnel termination points is
owned exclusively by one SPU, and all IPsec packets belonging
to that Phase 2 SA are forwarded to the anchoring SPU of that SA for
IPsec processing.
JUNOS software also supports the following features:
Site-to-site manual and IKE-negotiated (AutoKey) IPsec
VPNs for policy-based VPNs and route-based VPNs
Authentication by preshared key and RSA public key certificates
Perfect Forward Secrecy (PFS) using Diffie-Hellman groups
1, 2, and 5
IKE dead peer detection (DPD) as defined in RFC 3706
Next Hop Tunnel Binding (NHTB)—Binding multiple
IPsec security associations to the same tunnel interface (This applies
to static routes and OSPF only.)
IPsec remote access with extended authentication (XAuth), with
support for the NS-Remote client v8.8
VPN monitoring
Priority queuing of IKE packets
Invalid security parameter index (SPI) response to invalid
packets
Don’t Fragment (DF) bit, including a clear option
To configure IPsec VPN options, use the ipsec statement at the [edit security] hierarchy level. For more
information, see the JUNOS Software Security Configuration Guide.
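The following set-style configuration is an added example, not taken from the original page or from Juniper's documentation, and shows the pieces listed above working together in a route-based, AutoKey IKE site-to-site VPN: preshared-key authentication, dead peer detection, PFS, and an st0 tunnel interface bound to a zone and a static route. The peer address 203.0.113.2, the remote network 10.2.0.0/16, the interface and object names, and the placeholder key are all constructed for the example. Of the Diffie-Hellman groups this release supports (1, 2, and 5), group 5 is chosen because group 1 (768-bit MODP) is too weak for new deployments.

```junos
# Phase 1: IKE proposal, policy, and gateway (peer address and interface names are assumptions)
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group5
set security ike proposal ike-prop authentication-algorithm sha1
set security ike proposal ike-prop encryption-algorithm aes-128-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "replace-with-a-long-random-secret"
set security ike gateway gw-branch ike-policy ike-pol
set security ike gateway gw-branch address 203.0.113.2
set security ike gateway gw-branch external-interface ge-0/0/0.0
# Dead peer detection (RFC 3706): probe every 10 s, declare the peer dead after 3 misses
set security ike gateway gw-branch dead-peer-detection interval 10
set security ike gateway gw-branch dead-peer-detection threshold 3

# Phase 2: IPsec proposal and policy; PFS forces a fresh DH exchange for every Phase 2 rekey
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop lifetime-seconds 3600
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group5
set security ipsec policy ipsec-pol proposals ipsec-prop

# Route-based VPN: bind the SA to a tunnel interface and bring it up without waiting for traffic
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-branch establish-tunnels immediately
set interfaces st0 unit 0 family inet

# The tunnel gets its own zone (so policy can treat VPN traffic separately) and a route into it
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.2.0.0/16 next-hop st0.0

# Let IKE (UDP 500) terminate on the external interface; nothing else is opened toward the device
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
```

Lines beginning with # are comments for the reader. After committing, confirm Phase 1 and Phase 2 with show security ike security-associations and show security ipsec security-associations. The ascii-text preshared key is stored in the configuration in the reversible $9$ encoding, so treat saved configurations as sensitive and use a long random secret rather than a guessable passphrase.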
Static NAT—Static Network
Address Translation (NAT) defines a one-to-one static mapping from
one IP subnet to another IP subnet. To configure static NAT, use the static statement at the [edit security nat] hierarchy
level. For more information, see the JUNOS Software Security Configuration Guide.
Intrusion Detection and Prevention (IDP)
IDP SSL Inspection—Secure
Sockets Layer (SSL) is a protocol suite with several versions,
cipher suites, and key exchange methods. SSLv3 and TLS are
supported. Combined with the Application Identification feature,
SSL Inspection enables SRX-series devices to inspect HTTP
traffic encrypted in SSL on any TCP port. SSL inspection is disabled
by default and is enabled through the configuration CLI. To display
all installed keys and the servers associated with them, use the show security
idp ssl-inspection key command. For more information, see the JUNOS Software Security Configuration Guide.
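As an added example (not the page's own text and not Juniper's), the commands below enable the SSL decoder, load an RSA private key for one inspected server, and verify the result. The key name www-key, the file path, the passphrase, the session count, and the server address 10.1.1.20 are assumptions. Two practitioner caveats: inspection is passive and decrypts with the server's RSA private key, so only sessions that negotiate the RSA key exchange can be inspected (cipher suites using Diffie-Hellman key exchange stay opaque), and the private key copied onto the device is as sensitive as the server's own key store.

```junos
# Configuration mode: enable the SSL decoder and bound how many SSL sessions it tracks
# (the session count is an assumption; size it to the expected SSL load on the SPUs)
set security idp sensor-configuration ssl-inspection sessions 10000
commit

# Operational mode: import the server's RSA private key (path, key name and passphrase assumed),
# then bind the key to the server address whose sessions should be decrypted
request security idp ssl-inspection key add www-key file /var/tmp/www.key password "key-passphrase"
request security idp ssl-inspection key add www-key server 10.1.1.20

# Verify: lists the installed keys and the servers bound to each
show security idp ssl-inspection key

# The key file is no longer needed once imported; do not leave it in /var/tmp
file delete /var/tmp/www.key
```

Because the decoder sits after Application Identification, HTTP inside SSL is recognized on any port, but sessions to servers whose key is not installed pass through unencrypted-inspection only, so keep the key list in step with the servers behind the device.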
IDP custom attacks and groups—JUNOS CLI support is available for creating IDP custom attacks
and groups. In previous 9.2Rx releases, creating Signature, Anomaly,
and Chain custom attacks and groups required modifying XML strings.
Now you can use the JUNOS configuration statements to configure the
required fields.
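Added example, not from the page or from Juniper: a custom signature attack object and a custom attack group built with the configuration statements described above. The attack name, the pattern idp-custom-test-marker (a harmless test string, not a real exploit), and the group name are constructed; the time-binding makes the object fire only when the same source repeats the match.

```junos
# Signature attack object (name, severity, and pattern are constructed for this example)
set security idp custom-attack TEST-HTTP-URL-MARKER severity major
set security idp custom-attack TEST-HTTP-URL-MARKER recommended-action drop
# Fire only after 10 matches from the same source within the binding period, which keeps a
# single probe from producing an alert while still catching repeated scanning
set security idp custom-attack TEST-HTTP-URL-MARKER time-binding count 10
set security idp custom-attack TEST-HTTP-URL-MARKER time-binding scope source
# Signature details: search the decoded HTTP URL, client-to-server only, bound to the HTTP application
set security idp custom-attack TEST-HTTP-URL-MARKER attack-type signature context http-url-parsed
set security idp custom-attack TEST-HTTP-URL-MARKER attack-type signature pattern ".*idp-custom-test-marker.*"
set security idp custom-attack TEST-HTTP-URL-MARKER attack-type signature direction client-to-server
set security idp custom-attack TEST-HTTP-URL-MARKER attack-type signature protocol-binding application HTTP

# Group the locally written objects so policy rules reference one group rather than each attack
set security idp custom-attack-group LOCAL-HTTP-TESTS group-members TEST-HTTP-URL-MARKER
```

A policy rule references the group with match attacks custom-attack-groups LOCAL-HTTP-TESTS. Every commit recompiles the active policy, and an over-broad regex in http-url-parsed drops legitimate requests, so test new patterns against recorded traffic before they reach a production policy.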
J-Web
J-Web Infrastructure—This
release of JUNOS software includes revisions to the J-Web graphical
user interface. The layout and navigational elements of the following
areas have changed:
Dashboard
Menu layout
Configuration pages
Monitoring pages
Maintenance pages
Troubleshooting sections
Wizards
For more information, see the JUNOS Software Administration Guide.
Management and Administration
SNMP
JUNOS software for SRX-series devices supports the Simple
Network Management Protocol (SNMP), which is a part of the Internet
protocol suite that is used to monitor network-attached devices for
conditions that warrant administrative attention.
JUNOS for SRX-series Services Gateways Product Overview
Hardware
This release of JUNOS software supports the SRX 5600 and SRX
5800 services gateways, which are high-performance, highly scalable,
carrier-class devices featuring multiprocessor architecture optimized
for JUNOS software.
By installing different combinations of Input/Output Cards (IOCs)
and Services Processing Cards (SPCs), you can tailor both the number
of Gigabit ports and the maximum security processing capacity to suit
your network.
The following table compares the SRX 5600 and SRX 5800 services
gateways:

                                          SRX 5600 Device          SRX 5800 Device
Maximum Throughput                        60 Gigabits per second   120 Gigabits per second
Total Slots                               8                        14
Slots for SPCs and IOCs                   6                        12
Slots for Switch Control Boards (SCBs)    2                        3
Chassis Height                            8 U (14”)                16 U (28”)
Devices per Rack                          6                        3
Two types of IOCs are available, each of which consists of four
Packet Forwarding Engines and enables a throughput of 10 Gbps:
A 40-port Gigabit Ethernet IOC with SFP connectors (1000
Mbit copper and fiber only)
A 4-port 10-Gigabit Ethernet IOC with XFP connectors
The SRX 5600 services gateway chassis provides redundancy and
resiliency. The hardware system is fully redundant, including power
supplies, fan trays, and Switch Control Boards (SCBs).
Flow and Processing
Flow-based stateful processing—In addition to packet processing, JUNOS software for SRX-series devices
performs flow-based stateful processing. When a packet enters the
device, the system applies any packet-based filter processing associated
with the interface to the packet. Next, the system attempts to match
the packet against an existing session based on a session's match
criteria (source and destination addresses, source and destination
ports, and protocol and session tokens derived from the zone and virtual
router). If a packet matches an existing session, the system processes
it according to the flow's session features, security policies, screens,
and other features. If the packet does not match an existing session,
the system establishes a new session for the packet based on routing,
policy, and other classification information. Before a packet leaves
the device, the system applies filters and traffic shaping to it.
Distributed multithread flow—The SRX-series services gateway is multicore, multichassis hardware with
distributed computing engines. The Network Processing Units (NPUs)
and multicore Services Processing Units (SPUs) on the Services Processing
Cards (SPCs) comprise the data plane.
Packets for any given flow could traverse two NPUs and possibly
more than one SPU (in the case of tunnels). Therefore, a distributed
flow module is needed that can span multiple computing engines.
To configure flow options, use the flow statement
at the [edit security] hierarchy level. For more information,
see the JUNOS Software Security Configuration Guide.
Interfaces and Routing
Interfaces—Interfaces
act as a doorway through which traffic enters and exits a device.
Several security-related configuration and runtime attributes are
kept in an interface object. Different modules in the data path use
these attributes. Many interfaces can share exactly the same security
requirements; however, different interfaces can also have different
security requirements for inbound and outbound (I/O) data packets.
In JUNOS software on SRX-series services gateways, security processing is
separated from inbound and outbound (I/O) packet handling: the line-card interface on the
Input/Output Card (IOC) and the security processors on the Services Processing Card (SPC)
are separated by a fabric. The security data plane performs multiprocessing
(32-way multithreading per XLR SPU) and distributed processing (the SRX 5600 and SRX 5800
devices distribute the processing over a maximum of 2 SPUs per SPC) at the same time.
For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.
Routing— SRX-series services
gateways support using the Border Gateway Protocol (BGP), the Open
Shortest Path First (OSPF) Protocol, and the Routing Information Protocol
(RIP) to deliver routing information across networks. To configure
the services gateway to use these protocols, use the bgp, ospf, or rip statements (respectively) at the [edit protocols] hierarchy level. You can also configure the services
gateway to use static routes. For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.
SRX-series services gateways also support the following additional
routing functionality:
DHCP— JUNOS software for SRX-series devices
supports Dynamic Host Configuration Protocol (DHCP) client, relay,
and server functions, enabling the services gateway to provide IP
addresses and settings to hosts that are connected to the device’s
interfaces. When you configure the SRX-series device as a DHCP server,
hosts can obtain addresses either directly on the subnet attached to the device's
interface or through a DHCP relay. To configure DHCP, use the dhcp statement at
the [edit system services] hierarchy level.
NTP— JUNOS software for SRX-series devices
incorporates Network Time Protocol (NTP) support, enabling the services
gateway to synchronize time and coordinate time distribution in a
large, diverse network. To configure NTP, use the ntp statement
at the [edit system] hierarchy level.
For more information, see the JUNOS Software Administration Guide.
Note:
This release of JUNOS software for the SRX-series services gateway
does not support packet-based protocols such as MPLS, Connectionless
Network Service (CLNS), IP version 6 (IPv6), and multicast.
IPv4—JUNOS software for SRX-series devices
supports processing IPv4 (IP version 4) traffic through an interface.
The IPv4 protocol family supports 32-bit addresses and subnets. To
enable the IPv4 protocol for an interface, specify inet as the interface
family. For example, use set interfaces ge-0/0/3 unit 0 family
inet address 10.10.10.10/24.
Class of service (CoS) —The JUNOS software for SRX-series devices
class of service (CoS) feature provides a set of mechanisms that you
can use to provide differentiated services when best-effort traffic
delivery is insufficient. When a network experiences congestion and
delay, some packets must be dropped. CoS allows you to classify and
then divide traffic into classes and offer various levels of throughput
and packet loss when congestion occurs. This allows packet loss to
happen according to rules that you configure. Note that CoS policing
is not available in this release.
You can use an SRX-series services gateway to control traffic rate by applying
classifiers and shapers. To configure CoS components, use the component
you want to configure at the [edit class-of-service] hierarchy
level of the configuration. For more information, see the JUNOS Software Interfaces and Routing Configuration Guide.
Chassis Clustering
Chassis clustering—You
can connect a pair of the same kind of supported SRX-series devices
into a cluster to provide stateful failover of JUNOS processes and
services. Interchassis clustering removes the single point of failure
in the network by allowing the devices to be configured in a redundant
cluster, with one device acting as the primary and the other as a
backup. If the primary fails, the backup takes over traffic processing.
Clustered devices synchronize configuration, kernel, and Packet Forwarding
Engine session states across the cluster to facilitate high availability
of interfaces and services. JUNOS software includes the following
chassis cluster features:
Resilient system architecture includes a single control
plane for the entire cluster to manage multiple Packet Forwarding
Engines.
Configuration and dynamic runtime states are synchronized
between the services gateways within a cluster.
Graceful restart of the routing protocols enables the
services gateway to minimize traffic disruption during a failover.
Physical interfaces are grouped and monitored to trigger
failover to the backup services gateway if the failure parameters
cross a configured threshold.
For more information, see the JUNOS Software Security Configuration Guide.
Note:
In this release of JUNOS software for SRX-series devices, synchronization
of IDP-specific runtime data does not occur across the cluster. As
a result, IDP processing is not continued for sessions that fail over.
(IDP processing resumes for sessions created after failover.)
Note:
When configuring chassis clusters, you are automatically in
configure private mode. As a result, you must commit changes from
the top of the hierarchy. For information about the configure private
mode, see the JUNOS CLI User Guide.
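Added example (not the page's or Juniper's own text) of forming a two-node chassis cluster from a pair of SRX 5600 devices. It assumes node 1's slots are numbered from 6 (the SRX 5600 has six SPC/IOC slots, so ge-6/0/0 on node 1 is the twin of ge-0/0/0 on node 0), and that ge-0/1/0 and ge-6/1/0 are cabled back to back as the fabric link. Host names, management addresses, and the 203.0.113.1/24 reth address are constructed.

```junos
# Step 1 (operational mode, once on each device; each reboots into cluster mode):
#   on the first device:  set chassis cluster cluster-id 1 node 0 reboot
#   on the second device: set chassis cluster cluster-id 1 node 1 reboot

# Step 2 (configuration mode on the primary; the cluster replicates it to the other node)
# Per-node values live in groups selected by the ${node} variable
set groups node0 system host-name srx5600-a
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.11/24
set groups node1 system host-name srx5600-b
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.12/24
set apply-groups "${node}"

# Fabric link: carries forwarded traffic and session state between the nodes
set interfaces fab0 fabric-options member-interfaces ge-0/1/0
set interfaces fab1 fabric-options member-interfaces ge-6/1/0

# Redundancy group 0 is the control plane (Routing Engine); group 1 owns the data plane interfaces
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
# Interface monitoring: weight 255 means losing this one link fails the whole group over
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-6/0/0 weight 255

# Redundant Ethernet interface spanning both nodes; it joins a zone like any other interface
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-6/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.1/24
set security zones security-zone untrust interfaces reth0.0
```

show chassis cluster status and show chassis cluster interfaces confirm which node is primary for each redundancy group and that the fabric and monitored links are up. Since IDP runtime data is not synchronized in this release (see the note above), plan for IDP inspection to apply only to sessions created after a failover.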
Security
Security zones—Security
zones are the building blocks for policies; they are logical entities
to which one or more interfaces are bound. Security zones provide
a means of distinguishing groups of hosts (user systems and other
hosts, such as servers) and their resources from one another in order
to apply different security measures to them. From the perspective
of security policies, traffic enters from one security zone (the from-zone)
and leaves through another (the to-zone). To configure security zones,
use the security-zone statement at the [edit security zones]
hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
Security policies—Security
policies control traffic flow from one zone to
another by defining an action for the kinds of traffic that
are allowed from specified sources to specified destinations at scheduled
times. When a packet matches a policy, the policy determines which
features and rules the flow applies to the session. To configure a policy, use
the policy statement at the [edit security policies from-zone zone-name to-zone zone-name] hierarchy level.
Firewall screens—JUNOS software for SRX-series devices
provides detection methods and defense mechanisms to combat
the following attacks at all stages of their execution:
SYN, UDP, and ICMP flood attacks
Network DoS attacks
Operating system-specific DoS attacks
To configure screen options, use the ids-option statement
at the [edit security screen] hierarchy level, and then apply the named
screen to a zone with the screen statement at the [edit security zones security-zone zone-name] hierarchy level.
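The following added example (not from the page or from Juniper) ties the three mechanisms above together: two zones that accept only the host services they need, a minimal policy set between them, and a screen attached to the untrust zone. Interface names, the 10.1.0.0/16 LAN, the address-book name, and the screen thresholds are constructed; the thresholds are starting points to be tuned against measured traffic, not recommendations for any particular link.

```junos
# Zones: bind interfaces; the device itself answers only what each zone needs
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust address-book address lan-net 10.1.0.0/16
set security zones security-zone untrust interfaces ge-0/0/0.0
# (no host-inbound-traffic on untrust: no management service is reachable from outside)

# Policies are evaluated top down within a zone pair; the first match wins
set security policies from-zone trust to-zone untrust policy allow-web match source-address lan-net
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init
# Nothing is initiated from untrust into trust; the explicit rule exists so the denials are logged
set security policies from-zone untrust to-zone trust policy deny-inbound match source-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match destination-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match application any
set security policies from-zone untrust to-zone trust policy deny-inbound then deny
set security policies from-zone untrust to-zone trust policy deny-inbound then log session-init
# Anything not matched by an explicit policy is dropped
set security policies default-policy deny-all

# Screen: flood and malformed-packet defenses, applied where untrusted traffic enters
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen icmp flood threshold 1000
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen udp flood threshold 1000
set security zones security-zone untrust screen untrust-screen
```

To validate thresholds without affecting traffic, add alarm-without-drop under the ids-option first, watch show security screen statistics zone untrust for a representative period, and remove it once the counters show the thresholds are above normal peaks.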
Firewall user authentication —Firewall user authentication enables you to restrict and permit
access to protected resources behind a firewall based on a user’s
source IP address and other credentials. You may use pass-through
authentication or Web authentication to control access to the protected
resources. With pass-through authentication, a user from one zone
tries to access resources from another zone over an FTP, Telnet, or
HTTP connection. With Web authentication, a user tries to connect
to an IP address on the device over an HTTP connection. With both
methods, the device forwards the user’s credentials to the server
of your choice (local, RADIUS, LDAP, or RSA SecurID) to authenticate
the user and control subsequent access requests.
To configure pass-through authentication, use the following
statements:
set security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication pass-through
To configure Web authentication, use the following statements:
set security policies from-zone zone-name to-zone zone-name policy policy-name then permit firewall-authentication web-authentication
For more information, see the JUNOS Software Security Configuration Guide.
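Added example (not from the page or from Juniper) completing the two policy statements above with the access profile they depend on, a local user, a RADIUS server, and the HTTP listener that Web authentication needs. The profile name fw-users, the user alice, the password placeholders, the RADIUS server 10.1.1.50, and the 10.1.1.1/24 interface address are constructed. Practitioner caveat: pass-through authentication collects the credentials inside the user's own FTP, Telnet, or HTTP connection, and Web authentication here listens on plain HTTP, so both carry the password in cleartext across the trust network; keep the real credential store on the RADIUS server rather than in local client entries.

```junos
# Access profile: RADIUS first, local users as fallback (order is configurable)
set access profile fw-users authentication-order radius
set access profile fw-users authentication-order password
set access profile fw-users client alice firewall-user password "replace-me"
set access profile fw-users radius-server 10.1.1.50 secret "replace-me-too"
set access profile fw-users session-options client-idle-timeout 10
set access profile fw-users session-options client-session-timeout 60

# Default profile for each method, plus the prompts users see
set access firewall-authentication pass-through default-profile fw-users
set access firewall-authentication pass-through telnet banner login "Authorized users only"
set access firewall-authentication web-authentication default-profile fw-users
set access firewall-authentication web-authentication banner success "Authenticated, you may now connect"

# Web authentication: users browse to this interface address first; afterwards their flows match
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24 web-authentication http
set system services web-management http interface ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services http

# Pass-through: the device intercepts the HTTP session itself and prompts for credentials
set security policies from-zone trust to-zone untrust policy auth-web match source-address any
set security policies from-zone trust to-zone untrust policy auth-web match destination-address any
set security policies from-zone trust to-zone untrust policy auth-web match application junos-http
set security policies from-zone trust to-zone untrust policy auth-web then permit firewall-authentication pass-through access-profile fw-users

# Web authentication: FTP is permitted only from a source address that already authenticated as alice
set security policies from-zone trust to-zone untrust policy auth-ftp match source-address any
set security policies from-zone trust to-zone untrust policy auth-ftp match destination-address any
set security policies from-zone trust to-zone untrust policy auth-ftp match application junos-ftp
set security policies from-zone trust to-zone untrust policy auth-ftp then permit firewall-authentication web-authentication client-match alice
```

show security firewall-authentication users lists the authenticated source addresses and the user bound to each. Because the binding is by source IP address, anyone sharing that address (NAT, a proxy, a multi-user host) inherits the authenticated state until the idle or session timeout expires, which is why the timeouts above are short.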
Network Address Translation—Network Address Translation (NAT) is a method by which IP
addresses in a packet are mapped from one group to another and, optionally,
port numbers in the packet are translated into different port numbers.
NAT is described in RFC 1631 to solve IP (version 4) address depletion
problems. On an SRX-series services gateway, JUNOS software decouples NAT configuration
from policy configuration. NAT has its own rules to regulate traffic
on the SRX-series services gateway.
To configure NAT, use the nat statement at the [edit security] hierarchy level. For more information, see the JUNOS Software Security Configuration Guide.
Intrusion Detection and Prevention (IDP)
IDP policies—Intrusion
Detection and Prevention (IDP) policy enables you to selectively enforce
various attack detection and prevention techniques on network traffic
passing through an IDP-enabled device. It allows you to define policy
rules to match a section of traffic based on a zone, network, and
application, and then take active or passive preventive actions on
that traffic.
A policy is made up of rulebases, and each
rulebase contains a set of rules. You define
rule parameters, such as traffic match conditions, action, and logging
requirements and then add the rules to rulebases. You can create new
IDP policies from scratch, or start with a predefined template provided
by Juniper Networks. Juniper Networks also provides custom application
objects and attack objects that you can configure as match conditions
in policies.
To configure an IDP policy, use the idp-policy statement
at the [edit security idp] hierarchy level. For more information,
see the JUNOS Software Security Configuration Guide.
Note:
Installing the IDP signature database requires a license.
IDP signature database—Signature
database is one of the major components of IDP. It contains definitions
of different objects—such as attack objects, application signatures
objects, and service objects—that are used in defining IDP policy
rules. As a response to new vulnerabilities, Juniper Networks periodically
provides a file containing attack database updates on the Juniper
Website.
To protect your network from new threats, you can download signature
database updates manually or configure your device to download them
automatically at a specified interval. For more information, see the JUNOS Software Security Configuration Guide.
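Added example (not from the page or from Juniper) covering the IDP policy and signature database passages above: it downloads and installs the security package, schedules automatic updates, defines a policy with an IPS rulebase, activates it, and attaches IDP to the security policy that permits the traffic. The policy, rule and zone names, the start time, and the predefined group names "HTTP - Critical" and "HTTP - Major" are assumptions (the group names must exist in the installed signature database). The second rule also shows the DSCP action, re-marking rather than dropping traffic that matches lower-severity signatures.

```junos
# Operational mode: fetch and install the signature database (requires the IDP license)
request security idp security-package download full-update
request security idp security-package download status
request security idp security-package install
request security idp security-package install status

# Configuration mode: check for updates every 24 hours, starting at the assumed time
set security idp security-package automatic interval 24
set security idp security-package automatic start-time 2009-01-01.02:00:00
set security idp security-package automatic enable

# IPS rulebase, rule 1: drop connections matching critical HTTP attacks from untrust into trust
# (application default lets application identification pick the decoder, whatever the port)
set security idp idp-policy edge-ips rulebase-ips rule block-http-critical match from-zone untrust
set security idp idp-policy edge-ips rulebase-ips rule block-http-critical match to-zone trust
set security idp idp-policy edge-ips rulebase-ips rule block-http-critical match application default
set security idp idp-policy edge-ips rulebase-ips rule block-http-critical match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy edge-ips rulebase-ips rule block-http-critical then action drop-connection
set security idp idp-policy edge-ips rulebase-ips rule block-http-critical then notification log-attacks alert
set security idp idp-policy edge-ips rulebase-ips rule block-http-critical then severity critical

# Rule 2: major-severity matches are logged and re-marked to DSCP 8 (CS1, a low-priority class)
set security idp idp-policy edge-ips rulebase-ips rule mark-http-major match from-zone untrust
set security idp idp-policy edge-ips rulebase-ips rule mark-http-major match to-zone trust
set security idp idp-policy edge-ips rulebase-ips rule mark-http-major match application default
set security idp idp-policy edge-ips rulebase-ips rule mark-http-major match attacks predefined-attack-groups "HTTP - Major"
set security idp idp-policy edge-ips rulebase-ips rule mark-http-major then action mark-diffserv 8
set security idp idp-policy edge-ips rulebase-ips rule mark-http-major then notification log-attacks

# Only one policy is active at a time, and IDP inspects only flows whose security policy invokes it
set security idp active-policy edge-ips
set security policies from-zone untrust to-zone trust policy inbound-web match source-address any
set security policies from-zone untrust to-zone trust policy inbound-web match destination-address any
set security policies from-zone untrust to-zone trust policy inbound-web match application junos-http
set security policies from-zone untrust to-zone trust policy inbound-web then permit application-services idp
```

show security idp status reports whether the policy compiled and is loaded on the SPUs. Rules are evaluated in order and the first terminal match wins, so the drop rule sits above the mark rule; reversing them would let a critical attack through with only a DSCP change.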
IDP application identification—Juniper Networks provides predefined application signatures
that detect TCP and UDP applications running on nonstandard ports.
Identifying these applications allows IDP to apply the appropriate attack
objects to applications running on nonstandard ports. It also improves
performance by narrowing the scope of attack signatures for applications
without decoders.
Application signatures are available as part of the security
package provided by Juniper Networks. You download predefined application
signatures along with the security package updates. Application identification
is enabled by default and is automatically turned on when you configure
the default application in the IDP policy. For more information, see
the JUNOS Software Security Configuration Guide.
IDP protocol detector engine—The IDP protocol detector engine contains Application Layer
protocol decoders or services. You can download the protocol detector
updates along with the signature database updates.
IDP supports 52 protocol decoders or services. Protocol decoders
scan protocol headers and message body to identify individual fields
in the protocols to determine if data conforms to the RFC. You configure
protocol decoders in IDP policy rules to specify the protocol that
an attack uses to access your network. For more information, see the JUNOS Software Security Configuration Guide.
IDP logging—Basic
JUNOS system logging continues to function after IDP is enabled: the
device still records events that occur because of routine operations, such as
a user logging in to the configuration database, and failure and
error conditions, such as failure to access a configuration file.
In addition to the regular system log messages, IDP generates event
logs for attacks. To manage attack log volume and message size, IDP
supports log suppression.
Enabling log suppression ensures that a minimal number of logs
is generated when the same event or attack occurs multiple times.
To configure log suppression, use the suppression statement
at the [edit security idp sensor-configuration log] hierarchy
level. For more information, see the JUNOS Software Security Configuration Guide.
IDP DiffServ marking—Configuring
Differentiated Services Code Point (DSCP) values in IDP policies provides
a method of associating class-of-service (CoS) values—thus different
levels of reliability—for different types of traffic on the
network. DSCP is an integer value encoded in the 6-bit Differentiated Services field
of the IP packet header. It is used to enforce CoS distinctions. CoS
allows you to override the default packet-forwarding behavior and
assign service levels to specific traffic flows.
You can configure DSCP value as an action in an IDP policy rule.
Based on the DSCP value, behavior aggregate classifiers set the forwarding
class and loss priority for the traffic determining the forwarding
treatment the traffic receives. For more information, see the JUNOS Software Security Configuration Guide.
IDP J-Web support—You
can configure IDP policies and request security package updates by
using Quick Configuration pages in the J-Web user interface. You can
also display IDP status and memory usage in the J-Web monitoring pages.
For more information, see the JUNOS Software Security Configuration Guide and
the JUNOS Software Administration Guide.
Application Layer Gateways (ALGs)
FTP ALGs— JUNOS software for SRX-series devices
provides File Transfer Protocol (FTP) support for services and applications
that transfer data using FTP, allowing legitimate FTP traffic to go
through the device while blocking out malicious FTP packets. The FTP
ALG monitors the PORT and PASV commands and the 227 (Entering Passive Mode) reply. It performs Network Address
Translation (NAT) of the IP address or port carried in the message and opens a pinhole
on the device as necessary.
To configure the FTP ALG, use the ftp statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide.
TFTP ALGs— JUNOS software for SRX-series devices
provides Trivial File Transfer Protocol (TFTP) support for services
and applications that transfer data using TFTP, allowing legitimate
TFTP traffic to go through the device while blocking out malicious
TFTP packets. The TFTP ALG processes the TFTP packets that initiate
the request and opens a pinhole to allow return packets from the reverse
direction to the port that sends the request.
To configure the TFTP ALG, use the tftp statement at the [edit security alg] hierarchy level. For
more information, see the JUNOS Software Security Configuration Guide.
J-Web
J-Web user interface—A graphical
user interface enables you to configure, monitor, troubleshoot, and
manage the SRX-series devices through an Internet browser. The J-Web
interface includes Quick Configuration pages to perform basic configuration
of the devices and monitoring tools to view system health, routes,
and statistics. The J-Web interface provides diagnostic tools (such
as ping and traceroute) and file utilities to manage
configuration files, licenses, and temporary files on the device.
The J-Web interface also includes a chassis viewer, which provides
a graphical, dynamic view of the SRX-series of devices. For more
information, see the J-Web Interface User Guide.
Management and Administration
Chassis management—JUNOS software for SRX-series devices
provides the ability to monitor and manage select chassis components.
This includes monitoring chassis clusters, component temperature and
cooling systems, chassis firmware, and chassis location. The CLI also
provides commands for bringing most chassis components online and
offline.
To bring chassis components online and offline, use the request chassis operational-mode commands (for example, request chassis fpc slot slot-number offline).
For more information, see the JUNOS Software Security Configuration Guide.
Note:
In SRX-series services gateways, the offline, online, and restart commands are supported only on IOCs and are
not supported on SPCs.
System logging—JUNOS software for SRX-series devices
generates separate system log messages (also called syslog messages)
to record events that occur on the system’s data and control
planes.
The data plane logs primarily include a list of security events
that the system has handled directly inside the data plane. Because
the system has already handled these events, it does not send them
on to the Routing Engine. Instead, the system streams the logs directly
to external log servers, bypassing the Routing Engine. To configure
data plane logging, use the log statement at the [edit security] hierarchy level.
The control plane logs, on the other hand, include a list of
actionable events. The system sends this list of control plane events
on to the eventd process on the Routing Engine, which then handles
the events by using JUNOS event policies and/or by generating system
log messages. You can choose to send control plane logs to a file,
user terminal, routing platform console, or remote machine.
To generate control plane logs, use the syslog statement
at the [edit system] hierarchy level. For more information, see
the JUNOS Software Administration Guide.
Note:
In SRX-series devices, data plane logs and control plane logs
have to be configured separately.
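Added example (not the page's own text and not Juniper's) for the two log paths above, together with the IDP log suppression described in the IDP logging section: data plane security logs streamed from the SPUs directly to a collector, control plane syslog from the Routing Engine, and suppression of repeated IDP attack events. The collector 10.1.1.100, the source address 10.1.1.1, and the suppression values are constructed. The stream-mode syntax is the one I know for Junos on SRX; verify it against this release's guide. Caveat: stream mode sends syslog as plain UDP from a revenue (data plane) interface, not from the fxp0 management port, so the collector must be reachable through the data plane and the path should be a trusted network.

```junos
# Data plane (session, screen, and IDP events): streamed from the SPUs straight to the collector
set security log mode stream
set security log format sd-syslog
set security log source-address 10.1.1.1
set security log stream siem host 10.1.1.100

# Control plane (Routing Engine, eventd): same collector plus local files; log who changed what
set system syslog source-address 10.1.1.1
set system syslog host 10.1.1.100 any notice
set system syslog host 10.1.1.100 authorization info
set system syslog file messages any notice
set system syslog file auth-log authorization info
set system syslog file interactive-commands interactive-commands any

# IDP: collapse repeated alerts for the same attack into a single summarized log entry.
# include-destination-address keeps alerts against different targets distinct;
# start-log 1 suppresses from the first repeat; max-time-report 60 caps how long a
# summary waits before it is emitted; max-logs-operate bounds the suppression table.
set security idp sensor-configuration log suppression include-destination-address
set security idp sensor-configuration log suppression start-log 1
set security idp sensor-configuration log suppression max-time-report 60
set security idp sensor-configuration log suppression max-logs-operate 16384
```

Session events appear only for policies that request them, so add then log session-init or then log session-close to each security policy whose sessions should reach the collector. Data plane logs never pass through eventd, which is why the two paths must be configured separately, as the note above says.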
Packet tracing—The JUNOS software for SRX-series devices
trace function provides a tool for applications to write security
and security flow debugging information to a file. The information
that appears in this file is based on configured criteria. These criteria
include source port, destination port, protocol, interface, and string
matching. Use this information to analyze security application issues.
The trace function operates in a distributed manner, with each thread
writing to its own trace buffer. These trace buffers are then collected
at one point, sorted, and written to trace files. Trace messages are
delivered using the InterProcess Communications (IPC) protocol.
To configure trace options, use the traceoptions statement
at the [edit security] hierarchy level. For more information,
see the JUNOS Software Security Configuration Guide.
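Added example (not from the page or from Juniper) of a flow trace narrowed to one client and one server, with the output file bounded. The addresses 10.1.1.55 and 203.0.113.20, the port, and the file name are constructed. Packet filters match a single direction, so the reply direction gets its own filter; without filters, basic-datapath tracing on a loaded SPU is expensive and writes packet details for every flow to disk.

```junos
# Output file: bounded size and rotation so a long-running trace cannot fill /var
set security flow traceoptions file flow-debug
set security flow traceoptions file size 5m
set security flow traceoptions file files 3
# Trace the basic datapath (session lookup, policy, NAT decisions) for filtered packets only
set security flow traceoptions flag basic-datapath
# Client -> server direction (addresses and port are constructed)
set security flow traceoptions packet-filter pf-c2s source-prefix 10.1.1.55/32
set security flow traceoptions packet-filter pf-c2s destination-prefix 203.0.113.20/32
set security flow traceoptions packet-filter pf-c2s destination-port 443
set security flow traceoptions packet-filter pf-c2s protocol tcp
# Server -> client direction: a packet filter matches one direction, so the reply needs its own
set security flow traceoptions packet-filter pf-s2c source-prefix 203.0.113.20/32
set security flow traceoptions packet-filter pf-s2c source-port 443
set security flow traceoptions packet-filter pf-s2c destination-prefix 10.1.1.55/32
set security flow traceoptions packet-filter pf-s2c protocol tcp
```

Commit, reproduce the problem, read the result with show log flow-debug, then remove the trace with deactivate security flow traceoptions followed by a commit. Leaving tracing enabled costs SPU cycles on every matching packet and leaves packet contents in a file on the device.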
SPU monitoring —SRX-series devices
process traffic on multiple Services Processing Units (SPUs). SPU monitoring reports:
CPU utilization per SPU, as a percentage
Memory utilization per SPU, as a percentage
These metrics provide information that can be used to
prevent unexpected outages and to look for trends for capacity planning.
To display the CPU and memory utilization of the SPUs on a Flexible PIC Concentrator (FPC),
use the show security monitoring fpc slot-number command.