The cSRX Container Firewall delivers a complete virtualized solution with advanced security, automated life cycle, and policy management. The cSRX empowers security professionals to deploy and scale firewall and advanced security detection and prevention in highly dynamic container environments.
Cloud-based technologies have accelerated the adoption of container platforms over the last decade. The use of containers as a low footprint foundation for running microservices has introduced another layer of infrastructure that needs to be secured. Juniper Connected Security provides organizations with industry-leading security for their containerized workloads, extending visibility and enforcement down to the communications between individual microservices within an application.
Like all aspects of IT, containers need to be secured, and administrators need visibility into data flows moving into and out of these containers. Monolithic applications are not only difficult to scale, they become incredibly inefficient when scaled. As a result, developers are driven to split applications into microservices, which in turn is driving the adoption of containers.
The Juniper Networks® cSRX Container Firewall, a containerized version of the Juniper Networks SRX Series Services Gateways, provides visibility into the network, allowing organizations to respond more quickly to emerging threats. Individual containerized applications or microservices can have their own content security-enabled next-generation firewall (NGFW), or even an entire chain of network security services, depending on the need of the organization.
The cSRX supports easy, flexible, and highly scalable deployment options covering various customer use cases, including application protection, microsegmentation, or as an edge gateway for secure IoT deployments through a Docker container management solution. The cSRX also supports SDN via Contrail® Enterprise Multicloud, OpenContrail, and other third-party solutions. The cSRX also integrates with other next-generation cloud orchestration tools such as Kubernetes.
Enterprises migrating to virtual or containerized cloud-based microservices can take advantage of the cost savings, faster boot time, and greater visibility while maintaining the same security posture across their public and private cloud environments.
When deployed as part of Contrail Networking™, the cSRX can participate in network function service chains, where it acts as a “bump in the wire” between two data flows and a target container. The cSRX adds security enforcement points where none have existed before, offering the most comprehensive network security for Kubernetes deployments.
Architecture and Key Components
Advanced Security Services
Implementing nonintegrated legacy systems built around traditional firewalls and individual standalone appliances and software is no longer an effective strategy for protecting against today’s sophisticated attacks. Juniper’s advanced security suite enables users to deploy multiple technologies to meet the unique and evolving needs of modern organizations and the continually changing threat landscape. Real-time updates ensure that technologies, policies, and other security measures are always current.
The cSRX Container Firewall delivers a versatile, powerful, and virtualization-specific set of advanced security services, including content security, intrusion detection and prevention (IDP), and application control and visibility services through Juniper Networks AppSecure.
The cSRX Container Firewall supports “bump-in-the-wire” L2 and L3 deployment using two essential features: zones and policies. Like other SRX Series firewalls, the cSRX can be configured and managed centrally through Junos Space® Security Director, from the CLI with the same Junos® operating system syntax, or using Network Configuration Protocol (NETCONF). Like all other Juniper firewalls, the cSRX follows zero trust principles, where traffic is not allowed to pass through unless explicitly permitted by a configured policy.
Virtual and Containerized Network Functions for Rapid Security Deployment
To achieve business agility, customers increasingly leverage an SDN framework to instantiate virtual private clouds on demand but require a consistent security posture. Deploying virtualized network functions (VNFs) addresses this critical requirement; however, most available VNFs—especially when it comes to security services—are not suitable for rapid deployments due to their size and boot times. A traditional VNF could take up to three minutes to boot, and it requires static reservation of resources like vCPU and vRAM. While this might be acceptable today, customers looking to increase the breadth of their infrastructure security coverage prefer a smaller, faster, more lightweight security VNF.
The cSRX meets all these requirements and more. The cSRX inherits the benefits of containers over their virtual counterparts, boots up in seconds, is lightweight, and includes most Junos OS features, including ease of configuration and management.
|Capacity and Performance¹|cSRX|
|---|---|
|Firewall throughput, large packet (1514 B)|12.3 Gbps|
|Firewall throughput, IMIX|3.2 Gbps|
|Application visibility and control²|5.8 Gbps|
|Intrusion prevention system (IPS)-recommended signatures²|2 Gbps|
|Connections per second (AppFW)|30,000|
|Maximum concurrent sessions|512,000|

¹ All performance numbers are “up to” and depend on the underlying hardware configuration (some server configurations may perform better). Performance, capacity, and features listed based on cSRX running Junos OS 20.2R1 on a bare-metal Intel Xeon CPU E5-2660 server on the Intel 82599ES NIC with Data Plane Development Kit (DPDK) enabled, measured under ideal testing conditions. Actual results may vary based on Junos OS release and by deployment.

² Throughput numbers based on HTTP traffic with 44 KB transaction size.
Features and Benefits
The cSRX Container Firewall comes with the following features and associated benefits:
- Installs as a standalone container network function (CNF) in a Docker application on popular Linux platforms
- Deploys in native Kubernetes environments to deliver microsegmentation and protect applications from attacks and threats originating outside the network
- Secures containers with the industry’s first containerized firewall
- Imposes a small footprint to deliver highly agile, advanced security services in a container form factor
- Integrates with Contrail Enterprise Multicloud to deliver microsegmentation and L4-L7 firewall for microservices
- Leverages the same advanced security features as the SRX Series Services Gateways
- Integrates with third-party management and orchestration tools, CLI, and Junos Space Security Director, a centralized management platform for containerized, virtual, or physical SRX Series firewalls
- Defends against an increasingly sophisticated threat landscape by integrating robust content security, IPS, and application visibility and control capabilities for a comprehensive threat management framework
- Provides management flexibility with NETCONF and Security Director to support integration with third-party management and cloud orchestration tools
- Supports SDN, NFV via integration, and native Kubernetes with Contrail Enterprise Multicloud, OpenContrail, and other third-party solutions
- Participates in network function service chains, offering high availability as well as containerized security that scales individual network functions as needed
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit https://www.juniper.net/us/en/products.html.
For more information about Juniper Networks cSRX Container Firewall, please visit https://www.juniper.net/us/en/products/security/srx-series/csrx-containerized-firewall.html or contact your Juniper Networks sales representative.
About Juniper Networks
At Juniper Networks, we are dedicated to dramatically simplifying network operations and driving superior experiences for end users. Our solutions deliver industry-leading insight, automation, security and AI to drive real business results. We believe that powering connections will bring us closer together while empowering us all to solve the world’s greatest challenges of well-being, sustainability and equality.
1000588 - 009 - EN MARCH 2021