Understanding cSRX Container Firewall on Contrail Host-Based Firewall

Containerized SRX (cSRX Container Firewall) is a virtual security solution that is integrated into Contrail networking as a distributed host-based firewall (HBF) service. cSRX Container Firewall is built on Docker containers to deliver agile, elastic, and cost-saving security services. It is a containerized version of the SRX Series Services Gateway with a low memory footprint, and it provides advanced security services, including content security and AppSecure, in a container.

cSRX Container Firewall Overview

The cSRX Container Firewall deploys as a single container on a Docker Engine compute node running in a Contrail cluster. It runs on a Linux bare-metal server that acts as the hosting platform for the Docker container environment. The cSRX Container Firewall container packages all the dependent processes (or daemons) and libraries needed to run on the supported Linux host distributions (Ubuntu, Red Hat Enterprise Linux, or CentOS).

When the cSRX Container Firewall container runs, several processes (or daemons) inside the Docker container launch automatically as cSRX Container Firewall becomes active. Some daemons support Linux features and provide the same service as if they were running on a Linux host (for example, sshd, rsyslogd, and monit). Other daemons are compiled and ported from Junos OS to perform configuration and control jobs for the security services (for example, MGD, NSD, Content Security, IDP, and AppID). srxpfe is the data plane daemon that receives and sends packets on the revenue ports of a cSRX Container Firewall container. cSRX Container Firewall uses srxpfe for Layer 2 through 3 forwarding functions as well as for Layer 4 through 7 network security services.

The distributed software security solution is built on top of Contrail Networking using Contrail Controller and Contrail vRouter to prevent threats in a customer’s multi-cloud environment.

When cSRX Container Firewall acts as a distributed firewall service on Contrail, Kubernetes is used to orchestrate the cSRX Container Firewall instances on the compute nodes. The Kubernetes API server can respond to the Contrail Controller after HBF policies are configured in the Contrail user interface. A cSRX Container Firewall image is pulled from the Docker registry to the compute nodes after the instances are provisioned.

Figure 1: cSRX Container Firewall on Contrail Host-Based Firewall

Contrail Security includes an integrated virtual router (vRouter) that acts as a distributed element on every host where a cSRX Container Firewall application is created. The vRouter enforces security at Layers 4 through 7 by monitoring traffic flows and redirecting suspicious traffic to next-generation firewalls.

After provisioning the cSRX Container Firewall instances:

  • Three VIFs connect the cSRX Container Firewall instance to vRouter.

    • The Management interface is connected to the management virtual network.

    • Two secure data interfaces are connected to the left and right virtual networks; they receive packets steered from vRouter and send packets back to vRouter after the security check.

  • Security Director updates L7 security policies and dynamic addresses to cSRX Container Firewall instances.

  • cSRX Container Firewall instances send security logs to Security Director.

  • Each tenant that needs HBF service will start a private cSRX Container Firewall instance on the compute node.

With Contrail Security, you can define policies and automatically distribute them across all deployments. You can also monitor and troubleshoot traffic flows inside each cSRX Container Firewall instance and across cSRX Container Firewall instances.

In Contrail HBF, the cSRX Container Firewall is supported only in secure-wire mode and enables advanced security at the network edge in a multitenant virtualized environment. cSRX Container Firewall provides Layer 4 through 7 advanced security features such as firewall, IPS, and AppSecure. The cSRX Container Firewall container also provides an additional interface for managing cSRX Container Firewall. When cSRX Container Firewall operates in Layer 2 mode, incoming Layer 2 frames from one interface go through Layer 4 through 7 processing based on the configured cSRX Container Firewall services, and cSRX Container Firewall then sends the frames out of the other interface. The cSRX Container Firewall container either allows the frames to pass through unaltered or drops them, based on the configured security policies.

Figure 2 illustrates the cSRX Container Firewall operating in secure-wire mode.

Figure 2: cSRX Container Firewall in Secure-Wire Mode

cSRX Container Firewall Deployment Modes

Secure Traffic Inside Compute Node

When cSRX Container Firewall is securing traffic inside a compute node, vRouter steers all traffic that matches the HBF filter to cSRX Container Firewall. Flow sessions are created for the traffic sent from vRouter to cSRX Container Firewall. After the L7 security check in cSRX Container Firewall, the traffic is sent back to vRouter and forwarded to its destination, as shown in Figure 3.

Figure 3: Secure Traffic Inside Compute Node

  • cSRX Container Firewall works in bump-in-the-wire mode with two data interfaces connected to vRouter.

  • vRouter filters the traffic that needs an L4-7 security check to the cSRX Container Firewall VIF.

  • After the L4-7 security check, the traffic is sent back to vRouter.

Secure Traffic Cross Compute Nodes

cSRX Container Firewall works the same way as when it secures traffic inside a compute node. The difference is that vRouter must guarantee that traffic crossing different compute nodes is steered to the same cSRX Container Firewall instance in both directions, so that cSRX Container Firewall flow sessions are created and matched in the same instance for both directions of the flow.
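The secure-wire behaviour described above (frames enter on one data interface and leave on the other, pass or drop by policy) and the flow-session requirement for both the single-node and cross-node cases can be modelled in a few lines. This is an added illustration, not cSRX or Contrail code: the interface names, the policy format, the packet tuples and the instance-selection rule in `steer` are all constructed; the page only states that vRouter must guarantee that both directions reach the same instance, not how.

```python
# Illustrative model of a secure-wire firewall with flow sessions.
# Added example, not cSRX or Contrail code: interface names, policy
# format and packet tuples are constructed for the demonstration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ingress: str  # data interface the frame arrived on: "left" or "right"

PEER = {"left": "right", "right": "left"}  # secure wire: out the other side

def flow_key(p):
    """Direction-independent key: both directions of a flow map to one
    session, whichever interface the packet arrives on."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])

def steer(p, instances):
    """Pick the instance for a flow from the same symmetric key, so that
    request and reply land on one instance (constructed selection rule;
    the text only states that vRouter must guarantee this property)."""
    return instances[hash(flow_key(p)) % len(instances)]

class SecureWire:
    def __init__(self, policies):
        self.policies = policies  # (dst, dport, proto, action), first match wins
        self.sessions = {}        # flow_key -> action decided on first packet

    def policy_lookup(self, p):
        for dst, dport, proto, action in self.policies:
            if (dst in ("any", p.dst) and dport in ("any", p.dport)
                    and proto in ("any", p.proto)):
                return action
        return "drop"  # default deny when no policy matches

    def process(self, p):
        """Return (egress interface, action). The first packet of a flow
        consults policy and creates a session; later packets in either
        direction reuse that session instead of re-evaluating policy."""
        key = flow_key(p)
        if key not in self.sessions:
            self.sessions[key] = self.policy_lookup(p)
        action = self.sessions[key]
        return (PEER[p.ingress] if action == "permit" else None, action)
```

If the reply were steered to a different instance, `self.sessions` there would be empty and the reply would be evaluated as a new flow, which is the failure the cross-node steering guarantee prevents.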

Figure 4: Secure Traffic Cross Compute Nodes

Multitenant Support

To support multitenancy, a separate cSRX Container Firewall instance is started for each tenant on the same compute node.

Figure 5 shows the multitenancy support.

Figure 5: Multitenancy Support

Licensing

The cSRX Container Firewall software features require a license to activate each feature. To learn more about cSRX Container Firewall licenses, see cSRX Flex Software Subscription Model.

cSRX Container Firewall Benefits and Uses

The cSRX Container Firewall enables you to quickly introduce new firewall services, deliver customized services to customers, and scale security services based on dynamic needs. The cSRX Container Firewall container differs from VMs in several important ways. It runs with no guest OS overhead, has a notably smaller footprint, and is easier to migrate or download. The cSRX Container Firewall container uses less memory, and its spin-up time is measured in subseconds, all of which leads to higher density at a lower cost. The boot time is reduced from several minutes in a VM-based environment to less than a few seconds for the cSRX Container Firewall container. cSRX Container Firewall is ideal for public, private, and hybrid cloud environments.

The virtual solution provides the following capabilities:

  • Layer 7 security services such as firewall, intrusion prevention system (IPS), and AppSecure

  • Automated service provisioning and orchestration

  • Distributed and multitenant traffic securing

  • Centralized management with Junos Space Security Director, including dynamic policy/address update, remote log collections, and security events monitoring

  • Scalable security services with small footprints

You can deploy the cSRX Container Firewall in the following scenario:

  • Contrail microsegmentation–Within a Contrail environment running mixed workloads of VMs and containers, cSRX Container Firewall can provide security for Layer 4 through 7 traffic, managed by Security Director.