For example, Capacity Increase and Feature Upgrade subscription keys are licenses that have to be renewed prior to expiration. Juniper offers subscription terms from 1 to 5 years: 1-year, 3-year, and 5-year subscriptions are currently available, with 5 years the maximum for a multi-year license.
The validity of a subscription license is extended by purchasing a license renewal, not by generating two licenses of the same type. Finally, note that all of the network hosts are directly connected to the branch device. In medium to large branch offices, the network has to provide more to the location because there are 20 or more users (our network example contains about 50 client devices), so here the solution is the Juniper Networks SRX Series Services Gateway branch device.
Figure shows the deployment of the SRX at the Internet edge. Note that the servers are connected directly to the SRX to provide maximum performance and security. Because this branch exposes email and web-hosting services to the Internet, those inbound services must be secured.
Not only can the SRX provide stateful firewalling, it can also offer intrusion prevention (IPS) services for the web and email services, including antivirus scanning for email.
It also provides more interface density and more headroom for future expansion, so it is a good choice for medium branch deployments as well. Because of the size of the branch, the network cannot afford to go down. Deploying the SRX as a chassis cluster (HA) ensures that if one device were to fail, the other keeps the network up and running. Because the SRX can offer HA switching, the servers stay up in the event of a single device failure. The last branch deployment to review is the large branch.
For our example, the large branch has clients. This network requires significantly more equipment than the preceding branch examples. Figure depicts our large branch topology. The branch network needs to provide Ethernet access for all of its clients, so to depict this realistically, six groupings of two EX switches are deployed.
Each switch provides 48 tri-speed Ethernet ports. The SRX is ideal if you do not need additional headroom for your deployment. The SRX is the largest of the branch SRX Series products; its performance capabilities actually exceed the needs of the branch, leaving room to adopt additional features in the future. Just as in the previous deployment, the local servers sit off an arm of the SRX, but note that in this deployment HA is used, so the servers must sit off their own switch (both cluster nodes need a path to them), here a Juniper Networks EX Series switch.
Each individual user can be authenticated for services using AppSecure, which is discussed further in the AppSecure chapter later in the book. An HA deployment of the SRX uses two devices, allowing the second SRX to take over in the event of a failure on the primary. The SRX HA model provides a great deal of flexibility for deploying a firewall; we detail its capabilities in Chapter 7.
What constitutes a data center has blurred in recent times. The traditional concept of a data center is a physical location containing servers that provide services to clients. Ingress points may be Internet or WAN connections, and each type of ingress point requires a different level of security. The data center of today seems to be any network that contains services, and these networks can even span multiple physical locations. In the past, a data center and its tiers were limited to a single physical location because some of the underlying technologies were hard to stretch.
The traditional data center design consists of a two- or three-tier switching model. Figure shows both a two-tier and a three-tier switching design. Both are fundamentally the same, except that the three-tier design adds an aggregation switching tier between the other two. The aggregation tier compensates for the lack of port density at the core; only in the largest switched networks should a distribution tier be required.
Note that the edge tier is unchanged in both models. This is where the servers connect into the network, and the number of edge switches and their configuration is driven by the density of the servers. Most progressively designed data centers use virtualization technologies that allow multiple servers to run on the same piece of hardware, reducing the overall footprint, energy consumption, and rack space.
Neither this book nor this chapter is designed to be a comprehensive primer on data centers. Design considerations for a data center are enormous and can easily fill several volumes. The point here is to give a little familiarity with the next few deployment scenarios and to show how the various SRX Series platforms scale to the needs of those deployments. The most common service is ingress Internet traffic, and as you can imagine, the ingress point is a very important area to secure.
This area needs to allow access to the servers, yet in a limited and secure fashion, and because data center services are typically high profile, they can be the target of denial-of-service (DoS), distributed denial-of-service (DDoS), and botnet attacks. This is a fact of network life that must be taken into consideration when building a data center network. An SRX Series product deployed at the edge of the network must handle all of these tasks, as well as the transactional load of the servers.
Most connections into data center applications are created and torn down quickly, and only a small amount of data is sent during each connection. An example is accessing a web application: many small components are delivered to the browser on the client, most of them asynchronously, so the components might not be returned in the order they were requested. This leads to many small data exchanges or transactions, which differs greatly from the model of large, continuous streams of data transfer.
Figure illustrates where the SRX Series would be deployed in our example topology. This figure might look familiar, as it is part of what we discussed regarding the data center tiers, shown in Figure above. The data center is modeled after that two-tier design, with the edge placed at the top of the diagram.
A data center relies on availability: all systems must be deployed to ensure that there is no single point of failure. This includes the SRX Series, which is therefore deployed as a two-node chassis cluster. Such a cluster can run active/active (in Junos terms, by defining more than one redundancy group, each with a different node as its primary), meaning both firewalls can pass traffic simultaneously.
When an SRX operates in a cluster, the two chassis operate as though they were one unit. This simplifies HA deployment because the pair is configured and managed as a single device. Traffic can also enter and exit any port on either chassis. This model is more flexible than the traditional model of forcing all traffic through a single active member.
A firewall at the data center core needs to maintain many concurrent sessions. Although servers may maintain long-lived connections, they are more likely to see bursts of short-lived connections. This, coupled with the density of running systems, increases not only the required number of concurrent sessions but also the rate of new sessions per second. If a firewall cannot create sessions quickly enough, or falls behind in admitting new sessions, transactions are lost.
The SRX can meet the scaling needs of today as well as those of tomorrow. Placing a firewall inside the data center core is always challenging, and typically the overall needs of the data center dictate where the firewall goes. However, there is a natural location for deploying our SRX, as shown in Figure , which builds on the two-tier data center example in Figure above. This location in the data center network is called the services tier, and it is where services are applied to the network traffic of the data center servers.
Concentrating services here creates a pool of resources that can be shared among the various servers. It is also possible to deploy multiple firewalls and distribute the load across all of them, but that increases complexity and management costs. The trend over the past five years has been toward consolidation, for all the financial and managerial reasons you can imagine. In the data center core, AppSecure and IPS are two key services to include in the services tier design.
AppSecure allows the SRX to identify the application inside each session rather than trusting the port number, and to act on that identification: application firewalling, application Quality of Service (AppQoS), and advanced application usage reporting. Because all connections to the critical servers pass through the SRX, adding IPS on top of this provides a great deal of value, not to mention additional security for the services tier.
Although most administrators are more likely to use the services of a service provider than to run one, the service provider use case is quite interesting. Providing connectivity to millions of hosts in a highly available and scalable way is an extremely tough proposition, requiring a herculean effort by thousands of people. Extending a service provider network to include stateful security is just as difficult. Traditionally, a service provider processes traffic statelessly, meaning that each packet is forwarded independently of any other.
In a stateful device, each packet is matched against the session table as either part of an existing flow or the start of a new one. Every packet must be looked up to determine whether it belongs to an existing session; if not, a new session must be created, or the packet dropped if it cannot legitimately start one. The relevant fields of each packet (addresses, ports, protocol, and for TCP the flags and connection state) must be validated against the existing flow. Scaling a device to do this at service provider rates is extremely challenging.
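The per-packet session lookup described here, and the session-capacity and new-sessions-per-second pressure described for the data center core above, are shown concretely in the following added example. It is not code from the book or from Juniper; the packet fields, class names, capacity of two sessions and the sample packets are all constructed for the illustration. It matches packets to a direction-independent 5-tuple key, admits a new session only for a packet that may legitimately open one (a UDP datagram or a bare TCP SYN), drops a mid-stream ACK that has no session, and refuses new sessions once the table is full.

```python
# Added example (not code from the book or from Juniper): a minimal stateful
# flow table showing the per-packet session lookup, with a session-capacity
# limit and a new-sessions-per-second meter. The Packet fields, the class
# names and the sample packets are constructed for this illustration.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    flags: str = ""   # TCP flag letters, e.g. "S", "SA", "FA"
    ts: float = 0.0   # arrival time in seconds


@dataclass
class Session:
    key: tuple
    created: float
    packets: int = 0


class FlowTable:
    """Session table: match existing flows, admit new ones, drop the rest."""

    def __init__(self, capacity, cps_window=1.0):
        self.capacity = capacity          # maximum concurrent sessions
        self.cps_window = cps_window      # seconds over which CPS is measured
        self.sessions = {}
        self._creations = deque()         # timestamps of recent session creations
        self.stats = {"match": 0, "new": 0,
                      "drop_no_session": 0, "drop_capacity": 0}

    @staticmethod
    def key(pkt):
        # Direction-independent key so a server reply matches the session
        # that the client's request created.
        a = (pkt.src, pkt.sport)
        b = (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def process(self, pkt):
        """Return 'match', 'new' or 'drop' for one packet."""
        k = self.key(pkt)
        sess = self.sessions.get(k)
        if sess is not None:
            self.stats["match"] += 1
            sess.packets += 1
            # Simplification: a FIN or RST from either side tears the session
            # down at once; a real firewall tracks both FIN directions and
            # ages sessions out on timeouts.
            if pkt.proto == "tcp" and ("F" in pkt.flags or "R" in pkt.flags):
                del self.sessions[k]
            return "match"
        # No session: only a packet that may legitimately open one is admitted
        # (a UDP datagram or a bare TCP SYN). A mid-stream ACK with no session
        # is exactly what a stateless forwarder passes and a stateful one rejects.
        opens = pkt.proto == "udp" or pkt.flags == "S"
        if not opens:
            self.stats["drop_no_session"] += 1
            return "drop"
        if len(self.sessions) >= self.capacity:
            self.stats["drop_capacity"] += 1
            return "drop"
        self.sessions[k] = Session(k, pkt.ts, 1)
        self._creations.append(pkt.ts)
        self.stats["new"] += 1
        return "new"

    def cps(self, now):
        """New sessions per second over the trailing window ending at `now`."""
        while self._creations and self._creations[0] <= now - self.cps_window:
            self._creations.popleft()
        return len(self._creations) / self.cps_window


def demo():
    # Constructed sample traffic; capacity is kept tiny so the capacity drop shows.
    ft = FlowTable(capacity=2)
    pkts = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp", "S", 0.0),
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp", "SA", 0.01),  # reply
        Packet("10.0.0.5", 40001, "203.0.113.10", 80, "tcp", "A", 0.02),    # no SYN seen
        Packet("10.0.0.6", 5000, "203.0.113.20", 53, "udp", "", 0.5),
        Packet("10.0.0.7", 5000, "203.0.113.20", 53, "udp", "", 0.6),       # table full
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp", "FA", 0.9),   # teardown
        Packet("10.0.0.7", 5000, "203.0.113.20", 53, "udp", "", 1.1),       # fits now
    ]
    results = [ft.process(p) for p in pkts]
    return results, dict(ft.stats), ft.cps(now=1.1)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the verdict for each packet, the drop counters, and a CPS reading of 2.0 for the last second, which is the number a capacity-planning exercise for the data center or service provider edge cares about far more than raw throughput.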
On the left, several customers are shown; depending on the service provider environment, this could be several dozen to several thousand, but for the purposes of explanation only a handful are needed. By serving many customers from one SRX, the service provider can minimize its operational costs and maximize the density of customers on a single device.
Our second scenario for service providers involves protecting the services they provide themselves. Although a service provider provides access to other networks, such as the Internet, it also has its own hosted services. For these services, firewalls are typically deployed as shown in our example topology in Figure . The DoS, DDoS, and botnet attacks discussed for the data center edge are the critical types of attacks the provider needs to be aware of and defend against.
In the case of a traditional DoS attack, the screen feature can be utilized. Screens are per-zone thresholds applied to traffic as it enters the SRX (for example, on SYN or UDP floods towards a destination, or on the number of sessions a single source may hold); once these thresholds have been exceeded, protection mechanisms are enacted to minimize the threat of these attacks. We discuss the screen feature in detail in Chapter . More and more people who would typically not use the Internet are now accessing it through mobile devices, which means that access to the public network is growing in staggering demographic numbers.
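The following added example models two of the screen checks just mentioned over constructed sample packets: a SYN-flood attack threshold (SYNs per second towards one destination) and a source-based session limit. It is not code from the book or from Juniper; the Screen class, the threshold values of 3 and 2, and the addresses are illustrative. The real feature differs in two ways worth keeping in mind: screens are bound to a security zone and evaluated before the session lookup, and exceeding the SYN-flood threshold on an SRX engages SYN cookie or SYN proxy protection rather than simply dropping the packet as this model does.

```python
# Added example (not code from the book or from Juniper): a simplified model
# of two screen checks, a SYN-flood attack threshold and a source-based
# session limit, run over constructed sample packets. The class, thresholds
# and addresses are illustrative; on an SRX the real knobs live under
# 'security screen ids-option' and are bound to a zone.
from collections import defaultdict, deque


class Screen:
    def __init__(self, syn_attack_threshold, source_session_limit):
        # SYN segments per second towards one destination address above which
        # SYN-flood protection engages (Junos: tcp syn-flood attack-threshold).
        self.syn_attack_threshold = syn_attack_threshold
        # Concurrent sessions one source address may hold
        # (Junos: limit-session source-ip-based).
        self.source_session_limit = source_session_limit
        self._syn_times = defaultdict(deque)   # dst -> timestamps of recent SYNs
        self._src_sessions = defaultdict(int)  # src -> open session count
        self.events = []                       # (kind, address, ts), for logging

    def _syn_rate(self, dst, ts):
        """SYNs seen towards dst in the trailing one-second window, this one included."""
        q = self._syn_times[dst]
        q.append(ts)
        while q and q[0] <= ts - 1.0:
            q.popleft()
        return len(q)

    def check(self, src, dst, flags, ts):
        """Return 'permit', 'syn-flood' or 'source-limit' for one TCP packet."""
        if "S" in flags and "A" not in flags:         # a bare SYN opens a session
            if self._syn_rate(dst, ts) > self.syn_attack_threshold:
                self.events.append(("syn-flood", dst, ts))
                return "syn-flood"   # real SRX: SYN cookie/proxy, not a silent drop
            if self._src_sessions[src] >= self.source_session_limit:
                self.events.append(("source-limit", src, ts))
                return "source-limit"
            self._src_sessions[src] += 1
        elif "F" in flags or "R" in flags:            # session closing
            if self._src_sessions[src] > 0:
                self._src_sessions[src] -= 1
        return "permit"


def demo():
    scr = Screen(syn_attack_threshold=3, source_session_limit=2)
    # Constructed traffic: one client opening too many sessions, then a burst
    # of SYNs from many different sources towards the same server.
    pkts = [
        ("10.0.0.5", "203.0.113.10", "S", 0.0),
        ("10.0.0.5", "203.0.113.10", "S", 0.5),
        ("10.0.0.5", "203.0.113.10", "S", 1.0),       # third open session: over the limit
        ("10.0.0.5", "203.0.113.10", "FA", 1.3),      # one session closes
        ("10.0.0.5", "203.0.113.10", "S", 1.6),       # fits again
        ("198.51.100.1", "203.0.113.10", "S", 3.0),
        ("198.51.100.2", "203.0.113.10", "S", 3.05),
        ("198.51.100.3", "203.0.113.10", "S", 3.1),
        ("198.51.100.4", "203.0.113.10", "S", 3.15),  # fourth SYN within a second: flood
        ("198.51.100.5", "203.0.113.10", "S", 4.5),   # window has drained
    ]
    return [scr.check(*p) for p in pkts], len(scr.events)


if __name__ == "__main__":
    print(demo())
```

The equivalent Junos configuration (values illustrative, zone name assumed) is three statements: `set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200`, `set security screen ids-option untrust-screen limit-session source-ip-based 100`, and `set security zones security-zone untrust screen untrust-screen`. The thresholds should be set from observed baseline rates for the protected services, because a threshold below the legitimate peak turns the screen itself into the outage.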
This explosion of usage has brought a new challenge to mobile operators: how to provide a resilient data network to every person in the world. Such a mobile network, when broken down into smaller, easier-to-manage areas, is a good example of how an SRX Series firewall can be used to secure a network. For mobile carrier networks, an SRX is the right choice for two specific reasons: its high session capacity and its high connections-per-second rate. In the network locations where this device is placed, connection rates can quickly vary from a few thousand to several hundred thousand per second.
A quick flood of new emails or everyone scrambling to see a breaking news event can strain any well-designed network. Figure shows a simplified example of a mobile operator network. By protecting the network, the operator ensures its availability and that the service customers pay for each month continues. Protection of the handsets themselves is the responsibility of the handset provider in conjunction with the carrier, and the same goes for the cellular or 3G Internet services used by consumers with cellular or 3G modems.
For any service provider, mobile carriers included, the provided services need to be available to consumers. As shown in Figure , the SRX devices are deployed in a highly available design. Failover is transparent to the end user, giving uninterrupted service and network uptime that reaches five, six, or even seven 9s (99.999 percent and beyond). The idea of providing any service to anyone at any time at any scale with complete resilience is a dream that is becoming reality for many organizations.
Both cloud computing vendors and large enterprises are building their own private clouds. Although each cloud network has its own specific design needs, the SRX Series can and should play an important role. A cloud must scale in the number of running operating systems it can provide, in the number of physical servers that run those operating systems, and in the number of network ports the network provides to the servers. The SRX Series must be able to scale to secure all of this traffic, and in some cases it must be possible to bypass it for other services.
Figure depicts this scale in a sample cloud network that is meant merely to show the various components and how they might scale. The same goes for the network.
Now, I know what most will say, which is go for the latest and most up-to-date SRX range; however, I have some administrative issues I need to consider: - ScreenOS seems much simpler, which suits the lower-skilled technical staff more. What would you advise in my position?