Solution Benefits
The Juniper Scale-Out Security Services solution is a common security services complex featuring an IPsec Security Gateway (referred to as SECGW in code) for use in a Mobile Service Provider (MSP) deployment. The security complex leverages the scale-out network architecture and automation, with tight integration between the routing and security services elements represented by MX Series universal routers and SRX Series Firewalls. This provides the best routing and security stacks for optimal performance and total cost of ownership. The scale-out approach integrates security engines directly into the routing domain and has advantages over scale-up, including:
- Highly scalable security gateway systems with respect to number of IPsec terminations and tunnel scale
- Pay-as-you-grow approach
- Flexibility to handle unpredictable traffic growth
- High availability with sub-second restoration for IPsec security associations
- Optimal operational preferences for a choice of physical or virtual nodes
- Improved time to market for security services on new platforms
- Flexible placement of security services in the network

This solution is equally applicable to green-field deployments and as a nested solution on top of existing MX Series Routers in the centralized or distributed mobile edge segment of SP networks, allowing flexibility in the placement of services across the SP WAN infrastructure.
The Scale-Out Security Services solution provides a scale-out model to enable high-capacity security gateway services combining Juniper MX Series modular and compact routers with Juniper vSRX and SRX4600 security products (Virtual Network Functions or Firewalls). In general, a solution includes three layers: forwarding layer, security services layer, and management and control layer. These layers in the solution enable consistent traffic flows through the service complex in both directions, addressing high availability requirements and simplified operations and management of multiple systems.
This JVD focuses on the first two layers only, which include the following functional elements and solution building blocks:
Security Services Layer
The security services layer includes the following functional elements:
- IPsec security gateway terminating IPsec coming from eNodeBs/gNodeBs
- Stateful firewall (built into the SRX Series Firewalls)
- High availability function (using Multinode High Availability (MNHA))
Forwarding Layer
The forwarding layer includes the following functional elements:
- PE forwarding plane with virtual routing instance (“external” and “internal”)
- Load balancing between multiple nodes of the service layer
- High availability function
- Optionally, a distribution forwarding layer