cSRX Container Firewall

Download Datasheet

Product Overview

The cSRX Container Firewall delivers a complete virtualized solution with advanced security, automated life cycle, and policy management. The cSRX empowers security professionals to deploy and scale firewall and advanced security detection and prevention in highly dynamic container environments.

Product Description

Cloud-based technologies have accelerated the adoption of container platforms over the last decade. The use of containers as a low footprint foundation for running microservices has introduced another layer of infrastructure that needs to be secured. Juniper Connected Security provides organizations with industry-leading security for their containerized workloads, extending visibility and enforcement down to the communications between individual microservices within an application.

Like all aspects of IT, containers need to be secured, and administrators need visibility into data flows moving into and out of these containers. Monolithic applications are not only difficult to scale, they become incredibly inefficient when scaled. As a result, developers are driven to split applications into microservices, which in turn is driving the adoption of containers.

The Juniper Networks® cSRX Container Firewall, a containerized version of the Juniper Networks SRX Series Services Gateways, provides visibility into the network, allowing organizations to respond more quickly to emerging threats. Individual containerized applications or microservices can have their own content security-enabled next-generation firewall (NGFW), or even an entire chain of network security services, depending on the need of the organization.

The cSRX supports easy, flexible, and highly scalable deployment options covering various customer use cases, including application protection, microsegmentation, or as an edge gateway for secure IoT deployments through a Docker container management solution. The cSRX also supports SDN via Contrail® Enterprise Multicloud, OpenContrail, and other third-party solutions. The cSRX also integrates with other next-generation cloud orchestration tools such as Kubernetes.

Enterprises migrating to virtual or containerized cloud-based microservices can take advantage of the cost savings, faster boot time, and greater visibility while maintaining the same security posture across their public and private cloud environments.

When deployed as part of Contrail Networking™, the cSRX can participate in network function service chains, where it acts as a “bump in the wire” between two data flows and a target container. The cSRX adds security enforcement points where none have existed before, offering the most comprehensive network security for Kubernetes deployments.

Architecture and Key Components

Advanced Security Services

Implementing nonintegrated legacy systems built around traditional firewalls and individual standalone appliances and software is no longer an effective strategy for protecting against today’s sophisticated attacks. Juniper’s advanced security suite enables users to deploy multiple technologies to meet the unique and evolving needs of modern organizations and the continually changing threat landscape. Real-time updates ensure that technologies, policies, and other security measures are always current.

The cSRX Container Firewall delivers a versatile, powerful, and virtualization-specific set of advanced security services, including content security, intrusion detection and prevention (IDP), and application control and visibility services through Juniper Networks AppSecure.

Simple Configuration

The cSRX Container Firewall supports “bump-in-the-wire” L2 and L3 deployment using two essential features: zones and policies. Like other SRX Series firewalls, the cSRX can be configured and managed centrally through Junos Space® Security Director from the CLI with the same Junos® operating system syntax or using Network Configuration Protocol (NETCONF). Like all other Juniper firewalls, the cSRX follows zero trust principles, where traffic is not allowed to pass through unless explicitly permitted by a configured policy.

Virtual and Containerized Network Functions for Rapid Security Deployment

To achieve business agility, customers increasingly leverage an SDN framework to instantiate virtual private clouds on demand but require a consistent security posture. Deploying virtualized network functions (VNFs) addresses this critical requirement; however, most available VNFs—especially when it comes to security services—are not suitable for rapid deployments due to their size and boot times. A traditional VNF could take up to three minutes to boot, and it requires static reservation of resources like vCPU and vRAM. While this might be acceptable today, customers looking to increase the breadth of their infrastructure security coverage prefer a smaller, faster, more lightweight security VNF.

The cSRX meets all these requirements and more. The cSRX inherits the benefits of containers over their virtual counterparts, boots up in seconds, is lightweight, and includes most Junos OS features, including ease of configuration and management.

Table 1. cSRX Container Firewall Key Performance Metrics
All performance numbers are “up to” and depend on the underlying hardware configuration (some server configurations may perform better). Performance, capacity, and features listed based on cSRX running Junos OS 20.2R1 on a bare-metal Intel Xeon CPU E5-2660 server on the Intel 82599ES NIC with Data Plane Development Kit (DPDK) enabled, measured under ideal testing conditions. Actual results may vary based on Junos OS release and by deployment.
Throughput numbers based on HTTP traffic with 44 KB transaction size.
Capacity and Performance1 cSRX
Virtual CPU 2
Memory 4 GB
Firewall throughput, large packet (1514 B) 12.3 Gbps
Firewall throughput, IMIX 3.2 Gbps
Application visibility and control2 5.8 Gbps
Intrusion prevention system (IPS)-recommended signatures2 2 Gbps
Connections per second (AppFW) 30,000
Maximum concurrent sessions 512,000

Features and Benefits

The cSRX Container Firewall comes with the following features and associated benefits:

  • Installs as a standalone container network function (CNF) in a Docker application on popular Linux platforms
  • Deploys in native Kubernetes environments to deliver microsegmentation and protect applications from attacks and threats originating outside the network
  • Secures containers with the industry’s first containerized firewall
  • Imposes a small footprint to deliver highly agile, advanced security services in a container form factor
  • Integrates with Contrail Enterprise Multicloud to deliver microsegmentation and L4-L7 firewall for microservices
  • Leverages the same advanced security features as the SRX Series Services Gateways
  • Integrates with third-party management and orchestration tools, CLI, and Junos Space Security Director, a centralized management platform for containerized, virtual, or physical SRX Series firewalls
  • Defends against an increasingly sophisticated threat landscape by integrating robust content security, IPS, and application visibility and control capabilities for a comprehensive threat management framework
  • Provides management flexibility with NETCONF and Security Director to support integration with third-party management and cloud orchestration tools
  • Supports SDN, NFV via integration, and native Kubernetes with Contrail Enterprise Multicloud, OpenContrail, and other third-party solutions
  • Participates in network function service chains, offering high availability as well as containerized security that scales individual network functions as needed

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products-services.

Ordering Information

For more information about Juniper Networks cSRX Container Firewall, please visit www.juniper.net/us/en/products-services/security/srx-series/csrx or contact your Juniper Networks sales representative.

About Juniper Networks

Juniper Networks brings simplicity to networking with products, solutions, and services that connect the world. Through engineering innovation, we remove the constraints and complexities of networking in the cloud era to solve the toughest challenges our customers and partners face daily. At Juniper Networks, we believe that the network is a resource for sharing knowledge and human advancement that changes the world. We are committed to imagining groundbreaking ways to deliver automated, scalable, and secure networks to move at the speed of business.