Understanding cSRX Container Firewall with a Bare-Metal Linux Server
The cSRX Container Firewall is a containerized version of the SRX Series Services Gateway with a low memory footprint. cSRX Container Firewall provides advanced security services, including content security and AppSecure, in a container form factor. By running as a Docker container on a bare-metal Linux server, the cSRX Container Firewall substantially reduces overhead because each container shares the Linux host’s OS kernel. Regardless of how many containers a Linux server hosts, only one OS instance is in use. And because containers are lightweight, a server can host many more container instances than it can virtual machines (VMs), yielding large improvements in utilization. With its small footprint and Docker as the container management system, the cSRX Container Firewall enables agile, high-density security service deployment.
cSRX Container Firewall Overview
The cSRX Container Firewall runs as a single container on a Linux bare-metal server, which serves as the hosting platform for the Docker container environment. The cSRX Container Firewall container packages all of the dependent processes (daemons) and libraries needed to support the different Linux host distributions (Ubuntu, Red Hat Enterprise Linux, or CentOS). You use standard Docker commands to manage the cSRX Container Firewall container. cSRX Container Firewall is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available in the software releases for the SRX Series.
When the cSRX Container Firewall container runs, several daemons inside the Docker container launch automatically as the cSRX Container Firewall becomes active. Some daemons support Linux features, providing the same service as if they were running on a Linux host (for example, sshd, rsyslogd, monit, and so on). Other daemons are compiled and ported from Junos OS to perform configuration and control jobs for security services (for example, MGD, NSD, Content Security, IDP, AppID, and so on). srxpfe is the data-plane daemon that receives and sends packets on the revenue ports of a cSRX Container Firewall container. The cSRX Container Firewall uses srxpfe for Layer 2 through 3 forwarding functions (secure-wire forwarding or static routing forwarding) as well as for Layer 4 through 7 network security services.
The cSRX Container Firewall enables advanced security at the network edge in a multitenant virtualized environment. cSRX Container Firewall provides Layer 4 through 7 advanced security features such as firewall, IPS, and AppSecure. The cSRX Container Firewall container also provides an additional interface for managing the cSRX Container Firewall. When cSRX Container Firewall operates in Layer 2 secure-wire mode, incoming Layer 2 frames from one interface go through Layer 4 through 7 processing based on the configured cSRX Container Firewall services, and cSRX Container Firewall then sends the frames out of the other interface.
Launch the cSRX Container Firewall instance in secure-wire mode using the following command:
```
root@csrx-ubuntu3:~/csrx# docker run -d --privileged --network=mgt_bridge -e CSRX_FORWARD_MODE="wire" --name=<csrx-container-name> <csrx-image-name>
```
As part of your Docker container configuration, you must connect the cSRX Container Firewall container to three virtual networks: one virtual network for out-of-band management sessions, the other two virtual networks to receive and transmit data traffic. See Installing cSRX Container Firewall in a Bare-Metal Linux Server.
Figure 1 illustrates the cSRX Container Firewall operating in secure-wire mode. It is an example of how a cSRX Container Firewall container is bridged with an external network. In this illustration, cSRX Container Firewall eth1 is bridged with host physical NIC eth1 and cSRX Container Firewall eth2 is bridged with host physical NIC eth2.
Figure 2 illustrates the cSRX Container Firewall operating in routing mode.
Starting in Junos OS Release 19.2R1, in routing mode, three interfaces are supported by default and a maximum of 17 interfaces (1 management and 16 data interfaces).
Prior to Junos OS Release 19.2R1, in routing mode, eth0 was mapped as the out-of-band management interface, eth1 as ge-0/0/1, and eth2 as ge-0/0/0.
Starting in Junos OS Release 19.2R1, in routing mode, with this increase in the number of supported interfaces, the mapping of ge interfaces is reordered as follows:
eth0 - out of band management interface
eth1 - ge-0/0/0
eth2 - ge-0/0/1
eth3 - ge-0/0/2
eth4 - ge-0/0/3 and so on
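The launch command above attaches the container to a management network and two data networks, and the ethN-to-ge mapping depends on the Junos OS release. The following added example (not Juniper code; the `docker inspect` record is a constructed sample) checks a container's attached networks against the operator's intended attachment order, management network first, flags a wire-mode container that does not have exactly two data networks, and reports which ge- interface each network becomes for a given release:

```python
import json

REORDER_RELEASE = (19, 2)   # Junos OS 19.2R1: ge- mapping reordered, 17-interface maximum
MAX_INTERFACES = 17         # 1 management + 16 data interfaces (routing mode)

def parse_release(release):
    """'19.2R1' -> (19, 2); only major.minor matters for the mapping change."""
    major, minor = release.split("R", 1)[0].split(".")
    return int(major), int(minor)

def ge_interface(eth_index, release):
    """Junos name of container interface ethN for the given release."""
    if eth_index == 0:
        return "management"
    if parse_release(release) < REORDER_RELEASE:
        legacy = {1: "ge-0/0/1", 2: "ge-0/0/0"}   # eth1/eth2 were swapped before 19.2R1
        if eth_index not in legacy:
            raise ValueError(f"eth{eth_index}: only eth0-eth2 exist before 19.2R1")
        return legacy[eth_index]
    if eth_index >= MAX_INTERFACES:
        raise ValueError(f"eth{eth_index}: exceeds the {MAX_INTERFACES}-interface maximum")
    return f"ge-0/0/{eth_index - 1}"

def check_container(inspect_json, release, networks_in_order):
    """Compare a `docker inspect` record with the intended network list.

    networks_in_order lists network names in attachment order (management first).
    Returns (findings, mapping); empty findings means the attachment matches the
    forwarding mode found in CSRX_FORWARD_MODE and the release's interface limit.
    """
    rec = json.loads(inspect_json)[0]
    env = dict(kv.split("=", 1) for kv in rec["Config"]["Env"])
    attached = set(rec["NetworkSettings"]["Networks"])
    findings, mapping = [], {}
    mode = env.get("CSRX_FORWARD_MODE")
    if mode is None:
        findings.append("CSRX_FORWARD_MODE is not set")
    if attached != set(networks_in_order):
        findings.append(f"attached {sorted(attached)} differ from intended {sorted(networks_in_order)}")
    data_count = len(networks_in_order) - 1
    if mode == "wire" and data_count != 2:
        findings.append(f"wire mode needs exactly 2 data networks, found {data_count}")
    for i, name in enumerate(networks_in_order):
        try:
            mapping[name] = f"eth{i} -> {ge_interface(i, release)}"
        except ValueError as exc:   # too many interfaces for this release
            findings.append(str(exc))
    return findings, mapping

# Constructed sample of `docker inspect <csrx-container-name>` output (not real output).
SAMPLE_INSPECT = json.dumps([{
    "Config": {"Env": ["CSRX_FORWARD_MODE=wire", "PATH=/usr/local/sbin:/usr/bin"]},
    "HostConfig": {"Privileged": True},
    "NetworkSettings": {"Networks": {"left_bridge": {}, "mgt_bridge": {}, "right_bridge": {}}},
}])

if __name__ == "__main__":
    print(check_container(SAMPLE_INSPECT, "19.2R1", ["mgt_bridge", "left_bridge", "right_bridge"]))
```

On a live host, replace `SAMPLE_INSPECT` with the output of `docker inspect <csrx-container-name>`; the attachment order is the order in which you ran `docker run --network` and `docker network connect`.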
cSRX Container Firewall Benefits and Uses
The cSRX Container Firewall enables you to quickly introduce new firewall services, deliver customized services to customers, and scale security services based on dynamic needs. The cSRX Container Firewall container differs from VMs in several important ways. It runs with no guest OS overhead, has a notably smaller footprint, and is easier to migrate or download. The cSRX Container Firewall container uses less memory, and its spin-up time measures in subseconds—all leading to higher density at a lower cost. The boot time is reduced from several minutes in a VM-based environment to a few seconds for the cSRX Container Firewall container. The cSRX Container Firewall is ideal for public, private, and hybrid cloud environments.
Some of the key benefits of cSRX Container Firewall in a containerized private or public cloud multitenant environment include:
Stateful firewall protection at the tenant edge.
Faster deployment of containerized firewall services into new sites.
With a small footprint and minimum resource reservation requirements, the cSRX Container Firewall can easily scale to keep up with customers’ peak demand.
Significantly higher density than VM-based firewall solutions, without requiring resource reservation on the host.
Flexibility to run on a bare-metal Linux server or Juniper Networks Contrail.
In the Contrail Networking cloud platform, cSRX Container Firewall can be used to provide differentiated Layer 4 through 7 security services for multiple tenants as part of a service chain.
With the Contrail orchestrator, cSRX Container Firewall can be deployed as a large scale security service.
Application security features (including IPS and AppSecure).
Content security features (including antispam, Sophos Antivirus, web filtering, and content filtering).
Authentication and integrated user firewall features.
While the security services features between cSRX Container Firewall and vSRX Virtual Firewall are similar, there are scenarios in which each product is the optimal option in your environment. For example, the cSRX Container Firewall does not support routing instances and protocols, switching features, MPLS LSPs and MPLS applications, chassis cluster, and software upgrade features. For environments that require routing or switching, a vSRX Virtual Firewall VM provides the best feature set. For environments focused on security services in a Docker containerized deployment, cSRX Container Firewall is a better fit.
See Junos OS Features Supported on cSRX Container Firewall for a summary of the feature categories supported on cSRX Container Firewall, and also for a summary of features not supported on cSRX Container Firewall.
You can deploy the cSRX Container Firewall in the following scenarios:
Cloud CPE–For service providers (SPs) and managed security service providers (MSSPs) where there is a large subscriber base of branch offices or residential subscribers. MSSPs can offer differentiated services to individual subscribers.
Contrail microsegmentation–Within a Contrail environment running mixed workloads of VMs and containers, cSRX Container Firewall can provide security for Layer 4 through 7 traffic, managed by Security Director.
Private clouds–cSRX Container Firewall can provide security services in a private cloud running containerized workloads and can include Contrail integration.
Docker Overview
Docker is an open source software platform that simplifies the creation, management, and teardown of containers that can run on any Linux server. Its main benefit is packaging applications in “containers” so that they are portable among any system running the Linux operating system (OS). A container provides OS-level virtualization for an application and its associated dependencies, allowing the application to run on a specific platform. Containers are not VMs; rather, they are isolated virtual environments with dedicated CPU, memory, I/O, and networking.
A container image is a lightweight, standalone, executable package of a piece of software that includes everything required to run it: code, runtime, system tools, system libraries, settings, and so on. Because containers include all dependencies for an application, multiple containers with conflicting dependencies can run on the same Linux distribution. Containers use host OS Linux kernel features, such as control groups (cgroups) and namespace isolation, to allow multiple containers to run in isolation on the same Linux host OS. An application in a container can have a small memory footprint because the container shares the kernel of its Linux host’s OS and therefore does not require a guest OS, as a VM does.
Containers have a high spin-up speed and can take much less time to boot up as compared to VMs. This enables you to install, run, and upgrade applications quickly and efficiently.
Figure 3 provides an overview of a typical Docker container environment.
cSRX Container Firewall Scale-Up Performance
You can scale the performance and capacity of a cSRX Container Firewall container by increasing the allocated amount of virtual memory or the number of flow sessions. Table 1 shows the cSRX Container Firewall scale-up performance applied to a cSRX Container Firewall container based on its supported sizes: small, medium, and large. The default size for a cSRX Container Firewall container is large.
See Changing the Size of a cSRX Container for the procedure on how to scale the performance and capacity of a cSRX Container Firewall container by changing the container size.
| cSRX Container Firewall Size | Physical Memory Overhead | Number of Flow Sessions | Release Introduced |
|---|---|---|---|
| Small | 256M | 8K | Junos OS Release 18.1R1 |
| Medium | 1G | 64K | |
| Large | 4G | 512K | |