SRX Quick Start June 2013

Transcript of SRX Quick Start June 2013

  • SRX QUICK START TRAINING

    George Kaminski

    Systems Engineer Tech Lead

  • Chapter 1: Course Introduction

    SRX QUICK START TRAINING

  • 3 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    INTRODUCTIONS

    Before we get started

    What is your name?

    Where do you work?

    What is your primary role in your organization?

    What kind of network experience do you have?

    What is the most important thing for you to learn in this training session?

  • 4 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COURSE CONTENTS

    Contents:

    Chapter 1: Course Introduction

    Chapter 2: Junos OS Overview

    Chapter 3: Branch SRX Series Overview

    Chapter 4: High-End SRX Series Overview

    Chapter 5: SRX Concepts and Features

    Chapter 6: Junos OS Command Line Interface (CLI) Introduction

    Chapter 7: Other Security Products of Interest

    Complete Hands-on Labs 1-4

  • 5 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    PREREQUISITES

    The prerequisites for this course are the following:

    Basic networking knowledge

    Understanding of the OSI model and TCP/IP

    Basic familiarity with the use and deployment of Firewalls, IPSec Virtual Private Networks and Network Address Translation (NAT)

  • 6 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COURSE ADMINISTRATION

    The basics:

    Sign-in sheet

    Schedule

    Class times

    Breaks

    Lunch

    Break and restroom facilities

    Fire and safety procedures

    Communications

    Telephones and wireless devices

    Internet access

  • 7 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    EDUCATION MATERIALS

    Available materials for classroom-based and instructor-led online classes:

    Lecture material

    Lab guide

    Lab equipment

    Self-paced online courses also available

    http://www.juniper.net/training/technical_education/

  • 8 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    ADDITIONAL RESOURCES

    For those who want more:

    Juniper Networks Technical Assistance Center (JTAC)

    http://www.juniper.net/support/requesting-support.html

    Juniper Networks books

    http://www.juniper.net/training/jnbooks/

    Hardware and software technical documentation

    Online: http://www.juniper.net/techpubs/

    Image files for offline viewing: http://www.juniper.net/techpubs/resources/cdrom.html

    Certification resources

    http://www.juniper.net/training/certification/resources.html

  • 9 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SATISFACTION FEEDBACK

    To receive your certificate, you must complete the survey

    Either you will receive a survey to complete at the end of class, or we will e-mail it to you within two weeks

    Completed surveys help us serve you better!

  • 10 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNIPER NETWORKS EDUCATION SERVICES CURRICULUM

    Formats:

    Classroom-based instructor-led technical courses

    Online instructor-led technical courses

    Hardware installation eLearning courses as well as technical eLearning courses

    Courses:

    http://www.juniper.net/training/technical_education/

  • 11 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNIPER NETWORKS CERTIFICATION PROGRAM

    Why earn a Juniper Networks certification?

    Juniper Networks certification makes you stand out

    Unleash your creativity across the entire network

    Set yourself apart from your peers

    Capitalize on the promise of the New Network

    Develop and deploy the services you need

    Lead the way and increase your value

    Unique benefits for certified individuals

  • 12 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNIPER NETWORKS CERTIFICATION PATH

  • 13 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CERTIFICATION PREPARATION

    Training and study resources:

    Juniper Networks Certification Program website:

    www.juniper.net/certification

    Education Services training classes:

    www.juniper.net/training

    Juniper Networks documentation and white papers:

    www.juniper.net/techpubs

    Community:

    J-Net: http://forums.juniper.net/t5/Training-Certification-and/bd-p/Training_and_Certification

    Twitter: @JuniperCertify

  • 14 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    FIND US ONLINE

    http://www.juniper.net/jnet

    http://www.juniper.net/facebook

    http://www.juniper.net/youtube

    http://www.juniper.net/twitter

  • Chapter 2: Junos OS Overview

    SRX QUICK START TRAINING

  • 16 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    MOVING FROM CISCO IOS TO JUNOS OS

    Moving checklist:

    Call realtor

    Change address

    Change utilities

    Gas

    Electric

    Garbage

    Find movers

    Pack

    No matter the cause of the move, once the move is complete, what a difference the new place makes in your life!

  • 17 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS OS: THE POWER OF ONE OPERATING SYSTEM

    Deployed since 1998

    First high-performance network operating system

    14+ years of innovation and development

    Runs routing, switching, and security platforms

    Reduces complexity, achieves operational excellence

    Evolutionary architecture expands to new services and extends to new platforms for tomorrow

    It is time for a new network

    Top 130 global service providers

    96 of the Global Fortune 100

    Hundreds of federal, state, and local government agencies and higher education organizations throughout the world

  • 18 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    THE POWER OF ONE JUNOS

    Platforms running Junos OS:

    Security: SRX Series

    Routers: J Series, M Series, T Series, MX Series

    Switches: EX Series, QFX Series

    One OS: Reduces time/effort to operate network infrastructure; simplifies management

    One Release Train: Delivers new functionality stably; reduces OPEX

    One Architecture: Ensures available & scalable software for growing needs; reduces TCO

  • 19 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS OS MODULAR ARCHITECTURE

    Independent modules

    Protected memory for stability

    No overwrites

    Contain faults and enable rapid isolation

    Well-defined interfaces for expansion of functions/platforms

    Kernel

    Controls the modules

    Manages communication between the modules and to the PFE

    (Diagram: the Control Plane, with the Kernel beneath the Interfaces, Management, Routing, ... Module n modules)

  • 20 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS OS SEPARATE CONTROL AND FORWARDING

    Supports scale for high-performance

    Assures performance of each plane

    Enhances resiliency

    Provides options for redundancy

    (Diagram: Control Plane = Routing Engine; Data Plane = Packet Forwarding Engine)

  • 21 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS OS: THE FOUNDATION OF HIGH-PERFORMANCE NETWORKS

    (Diagram: routing, switching, security and services across Data center, Headquarters, Campus and Branch)

  • Chapter 3: Branch SRX Overview

    SRX QUICK START TRAINING

  • 23 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX SOLVES CUSTOMER CHALLENGES

    Easy to manage all aspects with Junos, a single OS platform

    Easy to activate new security service in UTM when needed to address new concerns

    Lower TCO and high performance allows IT to do more with less

    All-in-One Best Price/Performance

    Next Gen Firewall

    VPN

    IPS, AppSecure

    Anti-Virus

    Anti-Spam

    Web filtering

    Routing / WAN

    UTM

    WLAN, LAN, Switching

    Unified Management

  • 24 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX SERIES GATEWAYS Delivering No-Compromise Services with Scale & Performance

    Positioning from Small Office through Small to Medium Office to Large Branch/Regional Office

    SRX100: Fixed Config, 8 x FE, 1 GB DRAM

    SRX110: Fixed Config, VDSL2 WAN, 8 x FE, 1 GB DRAM

    SRX210: WAN slot, 2 x GigE, PoE, 1 GB DRAM

    SRX220: + 2 WAN slots, 8 x GigE, PoE, 1 GB DRAM

    SRX240: + 4 WAN slots, 16 x GigE, PoE, 2 GB DRAM

    SRX550 (12.1): 2 mPIM + 6 GPIM WAN slots, 10 x GigE, PoE, Dual P/S, 2 GB DRAM

    SRX650: + More LAN slots, Dual P/S, + Hot Swap I/O, 2 GB DRAM

    Hardware Platforms Scale from 1G to 10G

    Junos Software across Security, Routing and Switching

  • 25 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX: SERVING MULTIPLE CUSTOMER NEEDS

    Branch SRX as a Multi-services Gateway:

    Secure Router: Routing and WAN Interfaces; Firewall, VPN, NAT; In-line IPS; High availability; Transparent mode; Ease of use

    UTM: Best-of-breed Anti-Virus, Anti-Spam, Web filtering; Cloud based AV - Sophos; In-line IPS; AppSecure

    NGFW: Next generation firewall (AppSecure); In-line IPS; Application visibility, tracking and enforcement; User-role based policies

  • 26 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX SERVICES GATEWAYS

    Highly configurable: Fixed & modular form factors; WAN, WLAN, and LAN interfaces

    Extensive integration: Routing and switching capabilities; Unmatched core and UTM security

    Exceptional performance: Magnitude greater performance; HW Content Security Acceleration; Control & data plane separation, redundant processing and power

    Model            Configuration              Content SEC H/W Acceleration   FW/IPS Performance
    SRX100/SRX110    Fixed                      No                             700/60 Mbps
    SRX210E          1 mini PIM slot            Optional                       850/85 Mbps
    SRX220           2 mini PIM slots           Standard                       950/100 Mbps
    SRX240           4 mini PIM slots           Optional                       1800/230 Mbps
    SRX550           2 mini PIM, 6 GPIM slots   Standard                       5500/800 Mbps
    SRX650           8 GPIM slots               Standard                       7000/900 Mbps

    Highly configurable: Fixed and modular form factors; Choice of WAN DSL, T1/E1, DS3; Wireless WAN and LAN; On-board modular switching

    Extensive integration: Full suite of JUNOS routing and switching capabilities; Unmatched security, including FW, VPN, UTM, AppSecure, UAC, and full IPS

    Exceptional performance and availability: Hardware-assisted Content Security Acceleration (CSA) for ExpressAV and IPS; Control & data plane separation, redundant processing and power

  • 27 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX PHYSICAL INTERFACES

    MPIMs (supported on SRX210/220/240/550): T1/E1, Serial, 1XGE SFP, ADSL, G.SHDSL, VDSL2, Docsis3.0

    GPIMs (supported on SRX550/650): 16XGE, 24XGE, 4XT1E1, 2XT1E1, 2x10GE SFP+/Copper, 1xDS3, 8xSFP, 8xSerial

    Wireless LAN (supported across all Branch SRX platforms): AX411 dual-radio AP, WLA, WLC2

    Wireless WAN (supported across all Branch SRX platforms): EVDO/HSPA/WiMAX/LTE

  • 28 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    NEW PIMS FOR SRX550 AND SRX650

    8 Port Serial GPIM (12.1R2; May 2012)

    Synchronous speeds of 8 Mbps

    Interface types supported: V.35, X.21, EIA/TIA-449, EIA/TIA-232, EIA/TIA-530, EIA/TIA-530A

    Line coding: NRZ, NRZI

    Uses 8 port smart connector

    8 Port SFP XPIM (1Q2013; Jan 2013)

    Line rate switching between ports

    Supported SFPs: LX, SX, BX, T or Copper SFPs

    Full set of L2 switching features

    Jumbo frame support 9192B

  • 29 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX FEATURES MATRIX

    Security: Firewall, VPN, IPS, AppSecure, Antivirus, Enhanced Web filtering, Antispam

    Wireless LAN and 3G/4G WAN: 802.11n; 3G/4G WiMax & LTE

    Routing & Switching: RIP, OSPF, BGP, Multicast, IPv6; MPLS; Full BGP table; J-Flow, RPM; L2 Switching; PoE Options

    Physical Interfaces: T1/E1, Serial, DS3/E3; VDSL, ADSL, G.SHDSL; DOCSIS Cable Modem; Ethernet 10/100/1000 & 10G, Copper or Fiber

  • 30 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX100

    Features: SRX100

    On-board Ethernet: 8 x FE

    Power over Ethernet (802.3af, 802.3at): None

    WAN slots: None

    USB ports: 1

    Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): No

    JUNOS Software version support: JUNOS 11.1

    Firewall performance (Large Packets): 700 Mbps

    Firewall performance (IMIX): 200 Mbps

    Firewall performance (Firewall + Routing PPS, 64 byte): 70 Kpps

    VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 65 Mbps

    IPS performance: 60 Mbps

    Connections Per Second (CPS): 2K CPS

    Maximum Concurrent Sessions (512MB/1GB RAM): 16K / 32K

    Antivirus performance: 25 Mbps

    AppSecure Throughput (HTTP): 90 Mbps

    High Availability: N/A

    Ideal for small sites and managed telecommuters

    Full security features

    Firewall and VPN

    UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam

    UTM requires high memory version

  • 31 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX110 IDEAL SOLUTION FOR SMALL BRANCH

    Features: SRX110

    On-board Ethernet: 8 x FE

    Primary WAN: VDSL2 with ADSL2 Fallback

    Backup WAN: USB Port for 3G/4G Modem

    Additional USB ports: One (total 2)

    Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): No

    Firewall performance (Large Packets): 700 Mbps

    Firewall performance (IMIX): 200 Mbps

    Firewall performance (Firewall + Routing PPS, 64 byte): 65 Kpps

    VPN Performance (AES256+SHA1 / 3DES+SHA1): 65 Mbps

    IPS performance: 60 Mbps

    Connections Per Second (CPS): 2K CPS

    Maximum Concurrent Sessions: 16K / 32K

    Antivirus performance: 25 Mbps

    AppSecure Throughput (HTTP): 90 Mbps

    High Availability: N/A

    Designed for flexibility, investment protection, and lowest total cost of ownership (TCO).

    (Front and back view labels: Additional USB port; Primary WAN VDSL; Backup 3G WAN)

  • 32 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX210E

    Features: SRX210E

    On-board Ethernet: 2 x GE + 6 x FE

    Power over Ethernet (802.3af, 802.3at): 4 ports, 50 W total

    WAN slots: 1 x mini PIM

    USB ports (flash): 2

    Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes

    JUNOS Software version support: JUNOS 11.1

    Firewall performance (Large Packets): 850 Mbps

    Firewall performance (IMIX): 250 Mbps

    Firewall performance (Firewall + Routing PPS, 64 byte): 95 Kpps

    IPSec VPN Throughput: 85 Mbps

    IPS performance: 85 Mbps

    Connections Per Second (CPS): 2,200 CPS

    Maximum Concurrent Sessions (512MB/1GB RAM): 32K / 64K

    Antivirus performance: 25 Mbps

    AppSecure Throughput (HTTP): 250 Mbps

    High Availability: A/A or A/P

    Ideal for small branches

    Full security features

    Firewall and VPN

    UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam

    UTM requires high memory version

  • 33 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX220

    Features: SRX220

    On-board Ethernet: 18x GE

    Power over Ethernet (802.3af, 802.3at): 8 ports GE, 120 W

    WAN slots: 2 x mini PIM

    USB ports (flash): 2

    Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes

    JUNOS Software version support: JUNOS 11.1

    Firewall performance (Large Packets): 950 Gbps

    Firewall performance (IMIX): 300 Mbps

    Firewall performance (Firewall + Routing PPS, 64 byte): 125 Kpps

    VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 100 Mbps

    IPS Performance: 100 Mbps

    Connections Per Second (CPS): 3K CPS

    Maximum Concurrent Sessions (512MB/1GB RAM): 96K

    Antivirus performance: 34 Mbps

    AppSecure Throughput (HTTP): 300 Mbps

    High Availability: A/A or A/P

    Ideal for small and medium branches

    Full security features

    Firewall and VPN

    UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam

  • 34 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX240 - NOW WITH 2G MEMORY

    Features: SRX240

    On-board Ethernet: 16 x GE

    Power over Ethernet (802.3af, 802.3at): 16 ports GE, 150 W

    WAN slots: 4 x mini PIM

    USB ports (flash): 2

    Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes

    JUNOS Software version support: JUNOS 11.4R5

    Firewall performance (Large Packets): 1.8 Gbps

    Firewall performance (IMIX): 600 Mbps

    Firewall performance (Firewall + Routing PPS, 64 byte): 200 Kpps

    VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 300 Mbps

    IPS Performance: 230 Mbps

    Connections Per Second (CPS): 9K CPS

    Maximum Concurrent Sessions (1GB RAM/2GB RAM): 128K / 256K

    Antivirus performance: 85 Mbps

    AppSecure Throughput (HTTP): 750 Mbps

    High Availability: A/A or A/P

    New SKUs for SRX240 provide additional memory:

    SRX240B2: 1GB DRAM, 2GB Flash

    SRX240H2: 2GB DRAM, 2GB Flash

    No changes in price, hardware architecture or security services

    Improved scalability for services

    SEPT 2012

  • 35 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX550 SERVICES GATEWAY - NEW

    Routing Performance: 700 Kpps

    Firewall Performance: 1.7 Gbps (IMIX), 5.5 Gbps (Large packets)

    AV & IDP HW Acceleration: Yes

    IPSec Performance: 1 Gbps

    No-Compromise Services with scale and performance for the medium to large branch

    Advanced Security: Firewall and VPN; UTM: IPS, antivirus, enhanced web-filtering, anti-spam; Application visibility, tracking & enforcement

    High Density Switching: 10 x GE on board (6 Copper, 4 SFP); Modular switching with PoE

    Comprehensive Routing: Wide range of WAN options: 3G/LTE, T1/E1/DS3/E3, xDSL, Nx1GE, 10 GE; L2/L3 VPN, MPLS, VPLS, IPv6, v4

    Business Continuity, Resiliency: HA cluster (A/A or A/P); WAN backup and redundancy; Control plane, data plane separation; GPIM Online-Insertion-Removal*; Optional redundant power supplies (AC and DC)

    FRS 12.1

  • 36 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX550

    Features: SRX550

    On-board Ethernet: 10 x GE (6 Copper, 4 SFP)

    Power over Ethernet (802.3af, 802.3at): 40 ports GE, 500 W

    WAN slots: 2 mPIM, 6 x GPIM

    USB ports (flash): 2

    Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes

    JUNOS Software version support: JUNOS 12.1

    Firewall performance (Large Packets): 5.5 Gbps

    Firewall performance (IMIX): 1.7 Gbps

    Firewall performance (Firewall + Routing PPS, 64 byte): 700 Kpps

    VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 1.0 Gbps

    IPS Performance: 800 Mbps

    Connections Per Second (CPS): 27K CPS

    Maximum Concurrent Sessions (2 GB RAM): 375K

    Antivirus performance: 300 Mbps

    AppSecure Throughput (HTTP): 1.5 Gbps

    High Availability: A/A or A/P

    Ideal for enterprise medium to large branch

    Ideal office-in-a-box solution for managed services or commercial business

    SRX550 offers:

    Comprehensive Routing and Security Services

    High density on-board and modular switch ports, Copper and SFP

    Application Awareness and Control

    Business Continuity and Resiliency

    12.1

  • 37 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX650

    Features: SRX650

    On-board Ethernet: 4 x GE

    Power over Ethernet (802.3af, 802.3at): 48 ports GE, 250 W or 500 W

    WAN slots: 8 x GPIM

    USB ports (flash): 2 per processor

    Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes

    JUNOS Software version support: JUNOS 11.1

    Firewall performance (Large Packets): 7.0 Gbps

    Firewall performance (IMIX): 2.5 Gbps

    Firewall performance (Firewall + Routing PPS, 64 byte): 850 Kpps

    VPN Performance (AES256+SHA-1 / 3DES+SHA-1): 1.5 Gbps

    IPS Performance: 1 Gbps

    Connections Per Second (CPS): 35K CPS

    Maximum Concurrent Sessions (512MB/1GB RAM): 512K

    Antivirus performance: 350 Mbps

    AppSecure Throughput (HTTP): 1.9 Gbps

    High Availability: A/A or A/P; hot swap GPIMs, dual power

    Ideal for regional sites and large branches

    Full security features

    Firewall and VPN

    UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam

    Modular LAN switching

    Services Routing Processors with optional redundancy

    Power supplies with optional redundancy (at FRS)

  • 38 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX SERIES SPECIFICATIONS

  • 39 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNIPER'S WIRELESS WAN SOLUTION: CX111

    Best signal: Get the 3G antenna out of the wiring closet to optimize reception*

    More choices: Choose 3G/LTE USB modem or standalone 3G bridge; Choose from 90+ modems from every major manufacturer*

    Higher reliability: Tightly coupled system speeds wired to wireless failover; Redundant radio hardware and provider diversity*

    * Requires bridge solution

    (Diagram: Direct Plug-in USB Modem support and CX111 Bridge connecting to Carriers' 3G/4G LTE Network)

  • 40 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    3G/4G WIRELESS WAN UPDATE

    ExpressCards form factor obsolete

    GSM/HSPA+ Modem supported now

    Secure Modem / Modem Cap 1H 2012

    4G LTE modem support Mid 2012

    No USB 3G support on 220/240/550/650

    Integrated Small Package for 3G:

    Now with USB modem support

    Worldwide 90+ Modems supported

    LTE supported now

    CX111 supports SNMP based mgmt

    Junos CLI based management in 11.4R2 Q1 2012

    CX111 Bridge

    Direct plug-in USB Modem Support for SRX100, 110 and 210E

    CX111 3G/4G Bridge for all SRX and other platforms

  • 41 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX ADVANCED SECURITY PLATFORM

    Enhanced Web Filtering: Block access to unapproved sites; Real time threat score for each URL

    Antivirus: Stops viruses, file-based trojans or spread of spyware, adware, keyloggers

    Antispam: Stops Spam/Phishing

    IPS: IDP detects/stops Worms, Trojans, DoS (L4 & L7), Scans

    Core Security: Firewall, VPN, Unified Access Control

    Content Filtering: SRX Series blocks transmission of files for Data Loss Prevention

    AppSecure with User Role FW: Application level visibility and classification; Application security policies tied to user roles

    (Diagram: Internal Threats and External Threats on either side of the SRX, with the INTERNET beyond)

  • 42 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    J-WEB WIZARDS

    Configuration Wizards (1-4): Initial Device Setup, Firewall, NAT, VPN

    JavaScript and XML based with all activity executed by browser

    Provides a responsive user experience

    Complete Wizard UI is loaded after hitting launch button

    Single commit

    Reduces configuration time

  • 43 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    NEW STARTUP WIZARD

    New Startup Wizard that simplifies user configuration and reduces time to setup device

    Guided setup (step by step)

    Basic & Expert Modes

    Security topology (zones), security policy and license configuration

    NAT

    Remote/Dynamic VPN

    Confirm and Apply (Commit, Import, Export)

    Available on all Branch SRX platforms

    JAN 2013

  • 44 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    BRANCH SRX CERTIFICATIONS - UPDATE

    Branch SRX leading the industry in the most stringent certifications for enterprise firewall

    Key certifications added this year:

    Common Criteria CC EAL4

    Department of Defense (DoD) certification

    Testing and certification by DoD JITC for interoperability with DoD networks

    Addition to Unified Capabilities Approved Product List (UC APL)

    Branch SRX certified as both router and firewall; this is a first for any vendor!

    ICSA Corporate Firewall and IPSec 1.3

    USGv6 Firewall Profile

  • Chapter 4: High-End SRX Overview

    SRX QUICK START TRAINING

  • 46 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    HIGH END SRX PLATFORMS

    SRX Services Gateways

    High-Speed Fabric Technology: Expandable chassis; Linear scalability; Processing and I/O pools; Industry's top performance

    Carrier-Class Reliability: Separation of control and data planes; Redundant everything; Proven operating system

    Dynamic Services Architecture (DSA): Scales performance, capacity and service density; World's fastest firewall and IPS

    The power of one OS, one release train

  • 47 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX / HE DATA CENTER SERVICES PLATFORMS

    SRX1400: 3U, 3 CFM, 12GE or 3XGE+9GE, 1+1 PS, 10/2/2G, .5M sess [at FRS], 45kcps

    SRX3400: 3U, 4+3 CFM, 8+4 GE, 2RE*, 1+1 PS, 20/8/8G, 2M sess, 175kcps

    SRX3600: 5U, 6+6 CFM, 8+4 GE, 2RE*, 2+2 PS, 30/10/10G, 2M sess, 175kcps

    SRX5600: 8U, 6 slot, 2RE*, 1+1 SCB, 2+2 PS, 60/15/15G, 9M sess, 350kcps

    SRX5800: 16U, 12 slot, 2RE*, 2+1 SCB, 2+2 AC, 3+1 DC, 120/30/30G, 10M sess, 350kcps

    Also shown on the diagram alongside the SRX platforms: ISG1000, ISG2000, NS-5200, NS-5400

    Note *: Redundant REs not currently supported

    Next-Gen Security Systems: Scalable Performance; Rich Standard Services (Firewall, VPN, IPS, Full Routing, QoS, Application Security, Role Based Firewall); Extensible Security Services; Integrated Networking Services

  • 48 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    HIGH-END SRX COMPONENTS

    I/O Cards (IOC)

    Provide Ethernet interfaces that connect the services gateway to your network

    Network Processing Card (NPC)

    Network Processing Cards (NPCs) receive inbound traffic from I/O cards (IOCs) and direct it to the appropriate Services Processing Card (SPC) for processing

    In simple terms, think of it as a session load balancer

    Services Processing Card (SPC)

    Provide the processing capacity to run integrated services such as firewall, IPsec, and IDP

  • 49 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    HIGH-END COMPONENTS CONTINUED

    Routing Engine (RE)

    Runs the Junos operating system (Junos OS)

    Including software processes that maintain the routing tables, manage the routing protocols used on the services gateway, control the services gateway interfaces, control some chassis components, and provide the interface for system management and user access to the services gateway

    Switch Fabric Board (SFB)

    Powers on and powers off IOCs and SPCs

    Controls clocking, system resets, and booting

    Monitors and controls system functions, including fan speed, board power status, and the system front panel

    Provides interconnections to all the IOCs within the chassis through the switch fabrics integrated into the SCB

  • 50 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    HIGH-END COMPONENTS CONTINUED

    Network Processing I/O Cards (NP-IOCs)

    Special IOCs designed specifically for low-latency applications

    Each NP-IOC has its own network processing unit (NPU), so that traffic traversing the NP-IOC does not have to traverse the services gateway bus to a remote network processing card (NPC)

  • 51 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    DYNAMIC SERVICES ARCHITECTURE: SRX SERIES FULLY INTEGRATED PACKET FLOW

    Packet path: Ingress Packet, I/O Card, Network Processing Card, Fabric, Services Processing Cards, Egress Packet

    I/O Card: Oversubscription Control (1.5)

    Network Processing Card (integrated in the SRX5000 IOC): Flow Lookup, Classification, DoS/DDoS Policing

    Services Processing Cards: Services FW/VPN/IDP, NAT/Routing, QoS/Shaping

  • 52 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    HIGH-END SRX SCALING AND PLANNING

    The number of NPC and SPC resources dictates the High-End SRX throughput and performance, e.g. number of IPSec tunnels, IDP performance, number of FW sessions, etc.

    Generally speaking, it is the SPCs that make the real difference in terms of performance

    Juniper Networks Systems Engineers and Partner SEs can assist with sizing guidelines for a given desired performance profile and application

  • 53 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX1400

    3 RU Modular chassis

    3 expansion slots; compact form factor modules shared with SRX3000

    Junos Software

    Massive scale: Up to 45,000 new, sustained connections per second (CPS); Up to .5 million sessions [at FRS]

    High performance: Up to 10 Gbps firewall; Up to 2 Gbps IPS; Up to 2 Gbps IPSec VPN

    High availability: Redundant power and fans; Chassis Clustering (Q2 2011); Shared HA-control ports

    Modular Junos Software

    SRX3000 technology: Common sparing possible

    (Chassis diagram labels: Management Module (RE); Expansion Slot (IOC); 12 on-board ports: 1400GE: 6+4+2 GE, 1400XGE: 3 XGE plus 6+1+2 GE; Power supply FRU; Redundant power supply (optional); Fan tray (rear); Expansion Slots (NSPC or SPC+NPC); Slot guide)

  • 54 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX3400

    3 RU Modular chassis

    7 expansion slots (4 front and 3 rear)

    Compact form factor modules for I/O and service processing

    Dual, hot swappable management modules

    Junos Software

    Massive scale: Up to 175,000 new, sustained connections per second (CPS); Up to 2.25 million sessions

    High performance: Up to 20 Gbps firewall; Up to 6 Gbps IPS; Up to 6 Gbps IPSec VPN

    High availability: Redundant power and fans; Redundant management

    Modular Junos Software

    (SRX3400 Front View labels: Routing Engine; Expansion Slot (IOC/SPC); Power supply FRU; 12 on-board GbE ports; USB; Redundant power supply (optional); 16 x 10/100/1000 I/O card; 16 x GbE SFP I/O card; Redundant Routing Engine (future) or SCM; 2 x 10 GigE I/O card; Front slot guide)

    (SRX3400 Rear View labels: Expansion Slot (SPC/NPC); Fan tray; Fan tray door; Rear slot guide; Switch Fabric Board (SFB))

  • 55 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX3600: FRONT AND REAR VIEWS

    5 RU Modular chassis

    12 expansion slots (6 front and 6 rear)

    Compact form factor modules for I/O and service processing

    Dual, hot swappable management modules

    Junos Software

    Massive scale: Up to 175,000 new, sustained connections per second (CPS); Up to 2.25 million sessions

    High performance: Up to 30 Gbps firewall; Up to 10 Gbps IPS; Up to 10 Gbps IPSec VPN

    High availability: Redundant power and fans; Redundant management

    Modular Junos Software

    (SRX3600 Front View labels: Routing Engine; Expansion slot (IOC/SPC); Power supplies FRU; 12 on-board GigE ports; USB; Redundant Routing Engine (future) or SCM; Redundant power supplies (optional); 16 x 10/100/1000 I/O card; 16 x GbE SFP I/O card; 2 x 10 GigE I/O card; Front slot guide)

    (SRX3600 Rear View labels: Expansion slot (SPC); Expansion slot (SPC/NPC); Fan tray; Fan tray door; Switch Fabric Board (SFB); Rear slot guide)

  • 56 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    3600 COMPONENT REVIEW

    Diagram (SRX3600 component callouts): IOC 2x10GE; Switch Fabric Board (SFB); Routing Engine (RE); Fan tray door; Air intake; Services Processing Card (SPC); IOC 16xCopper; IOC 16xSFP; Front slot guide; Rear slot guide; Services Processing Cards (SPC); Network Processing Cards (NPC) [or SPCs]; Dual-height SFB option cover (SRX3600 only / future)

  • 57 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX3000 CARDS

    Switch Fabric Board (SFB): high speed switch fabric (320 Gbps); includes virtual IOC (8x10/100/1000 + 4xSFP), HA-control (2xSFP: SX, LX, LH, T) and system interface (CRAFT)

    Network Processing Card (NPC): single Network Processor (NP) subsystem, 10 Gig throughput

    Services Processing Card (SPC): single HD-CPU subsystem (SPU), 10 Gig throughput

    Routing Engine (RE): 1.2 GHz processor with 1 GB memory; complete separation of control and data planes; includes CPP (central PFE controller) and CB (control board)

    Clustering Module (SCM): independent control-plane GigE switch to enable a second HA-control link; requires Junos 10.2

    I/O Cards (IOC), 3 versions: 2-port 10GE-XFP (SR, LR, ER); 16-port GE-SFP (SX, LX, LH, T [10/100/1000]); 16-port 10/100/1000 copper; 10 Gig full-duplex throughput (oversubscribed)

  • 58 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX5600: PRODUCT OVERVIEW

    8 RU modular chassis, horizontal design

    6 expansion slots

    Modules for flexible I/O and service processing

    Junos software

    Massive scale: up to 350,000 new & sustained connections per second (CPS); up to 9 million sessions

    High performance: up to 60 Gbps firewall; up to 15 Gbps IPS; up to 15 Gbps IPsec VPN

    High availability: redundant management modules; redundant switching fabrics; redundant fans & power supplies; modular Junos software

    Diagram (SRX5600 front and rear views): Expansion slot (fits any module); Control Panel; Upper fan tray; Services Processing Card; Switch Control Boards (SCBs); 40 x GbE IOC; Management Module; Power supplies (FRU)

  • 59 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX5800: PRODUCT OVERVIEW

    16 RU modular chassis, vertical design

    12 expansion slots

    Modules for flexible I/O and service processing

    Junos software

    Massive scale: up to 350,000 new & sustained connections per second (CPS); up to 10 million sessions

    High performance: up to 120 Gbps firewall; up to 30 Gbps IPS; up to 30 Gbps IPsec VPN

    High availability: redundant management modules; redundant switching fabrics; redundant fans & power supplies; modular Junos software

    Diagram (SRX5800 front and rear views): Control Panel; Air intake; Lower fan tray; Upper fan tray; Services Processing Card; 4 x 10GbE I/O Card; 40 x GbE I/O Card; Management module; Switch Control Boards (SCBs); Expansion slots (fits any module); Power supplies (FRU)

  • SRX QUICK START TRAINING

    Chapter 5: SRX Concepts and Features

  • 61 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX SERIES: FIREWALL, ZONES, AND POLICIES

    Diagram: the SRX sits between ZONE UNTRUST (INTERNET, originating zone) and ZONE TRUST / ZONE TRUST2 (originating zone); the default policies shown are Deny All and Allow All

  • 62 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    NEXTGEN DATA PLANE (FLOW THREAD)

    Diagram (Junos Flow Module): per-packet filter, policer and shaper stages surround the flow module; first-path branch (Match Session? NO): Screens, Static NAT, Dest NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services/ALG, Session; fast-path branch (Match Session? YES): Screens, TCP, NAT, Services/ALG; then Forwarding Lookup

    1) Pull Packet from Queue

    2) Police Packet

    3) Filter Packet

    4) Session Lookup

    5a) No Existing Session: FW Screen Check, Static & Destination NAT, Route Lookup, Destination Zone Lookup, Policy Lookup, Reverse Static & Source NAT, Setup ALG Vector, Install Session

    5b) Established Session: FW Screen Check, TCP Checks, NAT Translation, ALG Processing

    6) Filter Packet

    7) Shape Packet

    8) Transmit Packet

  • 63 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    FIREWALL FILTERS

    Stateless filters

    Applied to interfaces; can mitigate known unwanted traffic before policy lookup

    Common to MX, EX, SRX Junos

    [edit firewall filter SRX_Protection]
    juniper@SRX5800# set term in-ssh from source-address 10.1.20.1/24
    juniper@SRX5800# set term in-ssh from protocol tcp
    juniper@SRX5800# set term in-ssh from destination-port ssh
    juniper@SRX5800# set term in-ssh then accept

    Diagram: Retail Branch, Regional and Small Office sites reach the SRX over the INTERNET; the filter accepts SRC 10.1.20.1 -> ANY SSH
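Added example, not from the deck: the same filter completed with a counted and logged discard for SSH from anywhere else, an explicit accept for the remaining traffic (otherwise the filter's implicit final discard would drop everything), and the interface binding that makes it run before the flow module's policy lookup. The ge-0/0/0 interface and the /32 match for the management host are assumptions.

```junos
# Added example, not from the training deck. ge-0/0/0 and the /32 host match are assumptions.
# Terms are evaluated top to bottom; the first matching term's action is final.
[edit firewall family inet filter SRX_Protection]
set term in-ssh from source-address 10.1.20.1/32
set term in-ssh from protocol tcp
set term in-ssh from destination-port ssh
set term in-ssh then count ssh-from-mgmt
set term in-ssh then accept

# Any other SSH attempt: count it, log it, drop it before flow/policy processing.
set term drop-other-ssh from protocol tcp
set term drop-other-ssh from destination-port ssh
set term drop-other-ssh then count ssh-rejected
set term drop-other-ssh then log
set term drop-other-ssh then discard

# Without this term the filter's implicit final discard would drop ALL other
# ingress traffic. "accept" here only hands the packet to the flow module,
# where zones, screens and security policy still decide.
set term allow-rest then accept

# Apply on ingress (input direction) of the Internet-facing interface.
[edit]
set interfaces ge-0/0/0 unit 0 family inet filter input SRX_Protection

# Checks (operational mode):
#   show firewall filter SRX_Protection      counters ssh-from-mgmt / ssh-rejected
#   show firewall log                        last packets logged by the discard term
#   clear firewall filter SRX_Protection     reset the counters before a test
```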

  • 64 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    APPLICATION LAYER GATEWAYS (ALG)

    Advanced inspection of dynamic applications

    Can detect negotiated ports and perform stateful inspection on dynamic applications (FTP, SIP, SCCP, H.323, MGCP, etc.)

    Automatically utilized when the application is referenced within the security policy

    Diagram: Retail Branch, Regional and Small Office sites; FTP control channel on TCP 21 (PASV / PORT), FTP data channel on a negotiated port such as TCP 14599
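Added example, not from the deck, tying the zone/policy slide and the ALG slide together: two zones, a trust-to-untrust permit policy whose reference to the predefined junos-ftp application invokes the FTP ALG automatically, an explicit logged deny inbound, and a deny-all default policy. Interface names, zone names, the 192.0.2.0/24 LAN prefix and the address-book name are assumptions.

```junos
# Added example, not from the training deck. Interfaces, zone names, the
# 192.0.2.0/24 LAN prefix and the address-book name are assumptions.

# Zones: each interface belongs to exactly one zone. host-inbound-traffic
# controls what may reach the SRX itself from that zone (nothing on untrust).
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping

# Address object used by the policy below (global address book).
set security address-book global address lan-clients 192.0.2.0/24

# trust -> untrust: web plus FTP. Referencing junos-ftp is what enables the
# FTP ALG for these sessions: it reads PORT/PASV on the TCP 21 control channel
# and opens a pinhole for the negotiated data port only, for that session only.
set security policies from-zone trust to-zone untrust policy lan-out match source-address lan-clients
set security policies from-zone trust to-zone untrust policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust policy lan-out match application junos-http
set security policies from-zone trust to-zone untrust policy lan-out match application junos-https
set security policies from-zone trust to-zone untrust policy lan-out match application junos-ftp
set security policies from-zone trust to-zone untrust policy lan-out then permit
set security policies from-zone trust to-zone untrust policy lan-out then log session-close

# untrust -> trust: no inbound access. An explicit policy is used so the drops
# are logged instead of silently falling through to the default policy.
set security policies from-zone untrust to-zone trust policy deny-in match source-address any
set security policies from-zone untrust to-zone trust policy deny-in match destination-address any
set security policies from-zone untrust to-zone trust policy deny-in match application any
set security policies from-zone untrust to-zone trust policy deny-in then deny
set security policies from-zone untrust to-zone trust policy deny-in then log session-init

# Anything not matched by an explicit policy is denied.
set security policies default-policy deny-all

# Checks (operational mode):
#   show security alg status                         ftp : Enabled
#   show security policies from-zone trust to-zone untrust
#   show security flow session application ftp       control session plus the ALG-opened data session
```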

  • 65 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SCREENS

    Screens are used to mitigate known malicious activities such as DoS, DDoS and reconnaissance

    Applied on a per-zone basis; the default screen can be applied to the untrust interface

    Uses thresholds and parameters to control traffic flows into the zone

    Can drop traffic or act as a proxy for TCP connections

    Diagram: Retail Branch, Regional and Small Office sites behind the SRX; from the INTERNET, TCP SYN floods and an ICMP sweep arrive at the untrust side

  • 66 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SCREENS

    Diagram: Regional site behind the SRX; TCP SYN floods and an ICMP sweep arrive from the INTERNET

    juniper@SRX5800# show security screen ids-option untrusted-internet
    icmp {
        ip-sweep threshold 1000000;
        fragment;
        large;
    }
    ip {
        bad-option;
        record-route-option;
        timestamp-option;
        security-option;
        stream-option;
        spoofing;
        source-route-option;
        loose-source-route-option;
        strict-source-route-option;
        unknown-protocol;
    }
    tcp {
        syn-fin;
        fin-no-ack;
        tcp-no-flag;
        syn-frag;
        port-scan threshold 1000000;
    }

  • 67 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    FROM THE OVERALL ARCHITECTURE PERSPECTIVE - BEST PRACTICES STEPS

    Step 1 - Establish a baseline

    Step 2 - Build the first line of defense: police traffic close to the source or at ingress into aggregation network elements, e.g. ingress into a FW

    Step 3 - Build the second line of defense: SCREENs; IDP; application-level IDP; application firewall

    Step 4 - Build the third line of defense: traffic shape at the egress of a FW

    Assures legitimate traffic is not impacted

    Throttles all the traffic, minimizing the impact of attacks on intermediate network elements

    Eliminates all the recognized bad traffic

    Throttles the remainder of the traffic, which includes legitimate and non-recognized bad traffic
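Added example, not from the deck, covering the two SCREENS slides and Step 1 above: a screen profile that is first committed in alarm-without-drop mode to collect a baseline of what each check would have dropped, then switched to enforcing, and bound to the untrust zone. The profile name, zone name and every threshold are assumptions to be tuned from the baseline, not recommended values.

```junos
# Added example, not from the training deck. Name, zone and thresholds are assumptions.
[edit security screen ids-option untrust-screen]

# Phase 1 (baseline): count what each check WOULD drop, without dropping it.
set alarm-without-drop

# Reconnaissance: ip-sweep / port-scan thresholds are in microseconds; 10 probes
# from one source to different hosts (or ports) inside that window trips the check.
set icmp ip-sweep threshold 5000
set tcp port-scan threshold 5000

# Floods: attack-threshold (SYNs per second to one destination) starts SYN
# proxying; source/destination thresholds cap half-open sessions per address;
# timeout ages half-open entries out of the table.
set tcp syn-flood alarm-threshold 1024
set tcp syn-flood attack-threshold 200
set tcp syn-flood source-threshold 1024
set tcp syn-flood destination-threshold 2048
set tcp syn-flood timeout 20
set icmp flood threshold 1000
set udp flood threshold 1000

# Malformed or anomalous packets (no thresholds: match is enough).
set ip spoofing
set ip tear-drop
set tcp land
set tcp syn-frag
set tcp tcp-no-flag
set tcp winnuke
set icmp large

# Per-source session budget, so one host cannot fill the session table.
set limit-session source-ip-based 150

# Bind the profile to the zone facing the Internet.
[edit security zones security-zone untrust]
set screen untrust-screen

# Phase 2: after reviewing counters for a representative period, enforce:
#   delete security screen ids-option untrust-screen alarm-without-drop
#   commit
# Checks (operational mode):
#   show security screen statistics zone untrust     per-check hit counters
#   clear security screen statistics zone untrust    reset between tuning rounds
#   show security screen ids-option untrust-screen   effective profile
```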

  • 68 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CONTRASTING SCREENS AND IDP

    SCREENs: protect from the outer-layer perspective; are executed prior to any route lookup or security policy lookup

    IDP: provides deeper packet examination; detects protocol anomalies; invoked after route and/or security policy lookup

  • 69 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    PROTECTING FROM A FIREWALL PERSPECTIVE

    Diagram (steps 2, 3 & 4 mapped onto the SRX): traffic entering the SRX FW meets SCREENs, ingress policers & firewall filters (L3/L4/L5), then the stateful FW with IDP/IPS (L4-7); traffic exiting the SRX FW is subject to egress traffic shaping

  • 70 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    ROUTING & SWITCHING

    SRX can act as a full router, supporting IPv4, IPv6, L2/L3 MPLS

    Supports IPv4 RIP, OSPF, IS-IS & BGP

    Layer 2 switching supported on Branch SRX, not supported on HE SRX: onboard Ethernet ports on the SRX100, SRX210, and SRX240 devices; multiport Gigabit Ethernet XPIM on the SRX650 device

    Support of Virtual Routers and Logical Tunnel Interfaces

    Supports full Junos CoS, 8 queues per port

    Can also run in Transparent FW mode, supporting Layer 2 bridged FW security

  • 71 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX PACKET FLOW

    Branch SRX has 2 modes of operation

    Packet Mode: can be run in packet mode to operate like a traditional router; the mode used to support MPLS, VPLS

    Flow Mode: flow mode ensures fast-path lookup; the default mode of Branch SRX devices

    Mixed Mode: Branch SRX can also act in mixed mode, supporting both flow-based and packet-based connections

  • 72 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SRX HIGH AVAILABILITY

    Features: stateful failover; active/backup control plane; active/active data plane; single system view

    Benefits: maintains connection persistence & improves system resiliency for services; load sharing across systems; optimized for complex routing environments

  • 73 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    TWO CHASSIS CONNECTED TOGETHER

    Diagram (two chassis): Control Plane (fxp1) connection, SPC-to-SPC; Data Plane (fab1) connection, IOC to IOC; Control Plane (fxp1) on fe-0/0/7; Data Plane (fab1), IOC to IOC

  • 74 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    INTERFACE NUMBERING

    Interfaces are numbered Hobson style: Node0 (0-11), Node1 (12-23)

    Diagram: node 0 (RE 0) slots start at slot 0, e.g. ge-1/0/0; node 1 (RE 1) slots run from slot 12 to slot 23, e.g. ge-13/0/0

  • 75 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CHASSIS CLUSTER INTERFACES

    fxp1 - Control Plane interface: dedicated interface, dependent on model; dual control plane support on HE; synchronizes configuration & keepalives

    fab0/1 - Data fabric interface: can be 1G or 10G, dependent on model; synchronizes session information over RTOs; can be used to forward Z-path traffic

    Redundancy Group (RG): logical grouping of interfaces. The SRX with the highest metric (255) is master for each RG; failure of interfaces decrements the total

    RETH: redundant Ethernet, virtual IP and MAC for the associated VLAN, member of a redundancy group

  • 76 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CHASSIS CLUSTER DEPLOYMENTS: ACTIVE/PASSIVE

    Diagram (active/passive): Active Control Plane; Active Redundancy Group 1; Active Redundancy Group 2

  • 77 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CHASSIS CLUSTER DEPLOYMENTS: ACTIVE/ACTIVE

    Diagram (active/active): Active Control Plane; Active Redundancy Group 1; Active Redundancy Group 2
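Added example, not from the deck, configuring the active/active deployment from the chassis cluster slides using the slot numbering on the Interface Numbering slide (node 1 interfaces start at slot 12, so ge-13/0/0 is node 1's copy of ge-1/0/0). Interface numbers, addresses, priorities, and the assumption that the control link is a dedicated fxp1 port needing no interface configuration are mine, not the deck's.

```junos
# Added example, not from the training deck. Interfaces, addresses and priorities are assumptions.

# Operational mode, once per node; each node reboots into cluster mode:
#   node 0:  set chassis cluster cluster-id 1 node 0 reboot
#   node 1:  set chassis cluster cluster-id 1 node 1 reboot

# Configuration mode on either node (the candidate is synchronized over fxp1).
set groups node0 system host-name srx-node0
set groups node1 system host-name srx-node1
set apply-groups "${node}"

# Data-plane fabric: one IOC port on each node (IOC to IOC). Session RTOs and
# any Z-path traffic cross this link.
set interfaces fab0 fabric-options member-interfaces ge-1/0/2
set interfaces fab1 fabric-options member-interfaces ge-13/0/2

# RG0 is the control plane (Routing Engine); RG1/RG2 are data-plane groups.
# Active/active: node 0 is primary for RG1, node 1 is primary for RG2.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200

# Interface monitoring: each group starts at 255; a monitored link going down
# subtracts its weight, and reaching 0 fails the group over to the other node.
set chassis cluster redundancy-group 1 interface-monitor ge-1/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-13/0/0 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-1/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-13/0/1 weight 255

# reth0 (RG1): one physical member per node behind a single virtual IP and MAC.
set interfaces ge-1/0/0 gigether-options redundant-parent reth0
set interfaces ge-13/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/30

# reth1 (RG2)
set interfaces ge-1/0/1 gigether-options redundant-parent reth1
set interfaces ge-13/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 192.0.2.1/24

set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0

# Checks (operational mode):
#   show chassis cluster status        priorities and the primary node per RG
#   show chassis cluster interfaces    fxp1/fab state, reth members, monitored weights
#   show chassis cluster statistics    heartbeats and RTO sync counters
#   request chassis cluster failover redundancy-group 1 node 1    planned failover test
```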

  • 78 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    APPLICATION VISIBILITY AND CONTROL IS EASY WITH APPSECURE

    Diagram: Application Awareness and Classification Engine feeding Application View, Application Enforcement by User Role, and Threat Mitigation (IPS); questions answered: What application? What user? User location? User device?

  • 79 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    NOW WITH USER ROLE FIREWALL

    Allows different users to have different application policies based on their role and group

    Diagram (Branch SRX with MAG/UAC, Junos 12.1): roles Marketing, Sales and CEO mapped to web-filtering profiles A, B and C; example policies: no apps blocked, anti-virus applied; P2P apps blocked, YouTube allowed, anti-virus applied; P2P and YouTube blocked, anti-virus applied

  • 80 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    USER-ROLE FIREWALL FOR ACTIVE DIRECTORY

    Diagram: Client, SRX Series, Junos Pulse MAG/IC Series, Windows ADs; Corporate Data Center (Apps, Data, Finance, Video) and Internet

    1. Domain user logs into the domain from a domain member device

    2. Unauthenticated client tries to access a resource through the SRX and is dropped

    3. SRX redirects the client to the IC for the authentication process using Kerberos

    4. Upon successful authentication and identification of the user, the IC gets AD group membership using LDAP, maps it to roles and sends the info to the SRX

    5. Client device passes traffic through the SRX per the corresponding policy enforcement controls based on user/role

  • 81 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COMPREHENSIVE USER POLICY ENFORCEMENT

    Advanced services: host checker; coordinated threat control; SSL tunneling; end-to-end security policy enforcement by user role and group

    Rich OS support: Windows XP, Windows Vista and Windows 7; MacOS support; Linux/Solaris support; thin clients can be supported using the local web portal; broad range of smartphone OS: iOS, Android, others

    Flexibility: agent-based deployment can provide advanced functionalities; agentless access can be used for an unintrusive, transparent user experience; local web portal can be used for guest access or as a fallback mechanism

    Standard server hardware

  • 82 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    APPLICATION VISIBILITY FOR INFORMED RISK ANALYSIS

    AppTrack: Monitor & Track Applications

    View applications by protocol, Web application, and utilization

    Analyze usage and trends

    Log and report across security solutions and systems

    Customize application monitoring

    Web 2.0 application visibility; application usage monitoring; scalable, flexible logging & reporting

  • 83 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    APPSECURE: BEYOND JUST FIREWALL OR APPLICATION CONTROL

    AppFW: Control & Enforce Web 2.0 Apps

    Inspect ports and protocols

    Control nested apps, chat, file sharing and other Web 2.0 activities

    Dynamic application security; Web 2.0 policy enforcement; threat detection & prevention

    Uncover tunneled apps (HTTP); stop multiple threat types

  • 84 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    IPS FOR CUSTOMIZABLE PROTECTION

    IPS: Monitor & Mitigate Custom Attacks

    Detect and monitor suspicious behavior

    Address vulnerabilities instead of the ever-changing exploits of the vulnerability

    On-going threat protection; mobile traffic monitoring; custom attack mitigation

    Tune open signatures to detect and mitigate tailored attacks

    Uncover attacks exploiting encrypted methods

    Diagram: many Exploits converge on one VULNERABILITY; AppSecure IPS contrasted with other IPSs

  • 85 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    ENHANCED WEB FILTERING

    Diagram: internal network behind the SRX reaching the Internet; in-the-cloud categorization server with continuous updates, a large number of URLs, category granularity and a real-time threat score; drivers: productivity, performance, security

  • 86 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CUSTOMER CHOICE FOR ANTIVIRUS

    On-box option: Kaspersky

    Cloud-based option: Sophos

    Juniper is the only vendor offering customers a choice between two market-proven antivirus solutions.

  • 87 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CLOUD BASED AV SERVICE: SOPHOS LIVE PROTECTION ANTI-MALWARE FOR JUNIPER SRX

    Cloud-based intelligence delivers high performance malware protection

    Effective, instant protection against malware and infected web sites

    Target customers that want the performance and ease of a cloud-based antivirus solution

  • 88 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    ANTI-SPAM

    Diagram: Remote Email Server and Host on the Internet (UNTRUST); SRX; Web Proxy and Email Server in the DMZ; TRUST zone

    1. SRX receives email destined for the email server in the DMZ or TRUST zone and looks up the local white/black list to check local entries. Finds no entry and sends the address of the remote email server or source to the in-the-cloud anti-spam service

    2. Service checks the host address against a constantly updated list and returns a block, permit or log-and-permit message to the SRX

    3. SRX tags the email as ***SPAM*** or it is allowed through. The email server can then use the tag to make supplementary decisions

  • 89 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    REMOTE ACCESS VPN

    Dynamic VPN Service: Access Manager Client

    Clientless: dynamic IPsec client automatically downloaded

    Simultaneous tunnel enforcement

    Automatic client upgrade capabilities

    Self-provisioning

    IPsec with TCP-based fallback for NAT traversal

    Windows platform support: XP, Vista, Win 2000, and Windows 7, Windows 10

    Diagram: SRX210 reached over the INTERNET from wired, wireless and 3G/4G wireless clients

  • 90 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNIPER WIRELESS - COMPLETE WLAN SOLUTION: WLA/WLC PRODUCT SUITE

    Simple - Secure - Mobile

    WLM Management and Access Tools: RingMaster, WLM Appliance, SmartPass (plan, config, monitor, troubleshoot, report)

    WLC Controllers

    WLA Access Points

  • 91 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    APPSECURE SOFTWARE SERVICE SUITE

    Application Intelligence and Security in Branch

    Subscription service includes all modules and updates; Juniper Security Lab provides 900+ application signatures

    AppTrack: understand security risks; address new user behaviors

    AppFW (2H 2013): block access to risky apps; allows user-tailored policies

    AppQoS: prioritize important apps; rate limit less important apps

    AppDoS: protect apps from bot attacks; allow legitimate user traffic

    IPS: remediate security threats; stay current with daily signatures

  • 92 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    APPLICATION SECURITY AVAILABILITY

    Table (availability of AppTrack, AppFW, AppQoS, AppDoS and IPS on High End SRX vs. Branch SRX; one entry marked 2H2013)

  • 93 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    LOGICAL SYSTEMS (LSYS) - HIGH-END SRX ONLY

    Virtualization of many aspects of Junos, especially security policies and enforcement options, within a single HE SRX

    Complete separation of a single device into unique virtual instances, including:

    Administrative separation: users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box

    Traffic separation: network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it

    Resource separation: resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances

    An evolution of ScreenOS's VSYS concept

  • 94 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SERVICES OFFLOAD: A.K.A. LOW LATENCY FIREWALL - HIGH-END SRX ONLY

    Allows both latency-sensitive and normal traffic to be mixed on the same platform

    When configured with services offload, the SPC will push policy to the NPC, and further processing is handled directly by the NPC

    Available as of Junos 11.4

    Supports FW, NAT, NPU screens, and QoS

    No support for services that require an SPC: fragmented packets; IPS; inter-LSYS traffic

    Diagram: four SPCs and four NPCs (PHY + NP each); offloaded flows are handled on the NPC

  • 95 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS SPACE

    Applications: Juniper applications (Network Activate, Transport Activate, QoS Design, Ethernet Design, Security Design, Virtual Control, Service Now) and 3rd party applications (OSS, BSS, Green/Energy, End-user Forensics, Adapters (MTOSI, OneAPI), others)

    Device Management Interface (DMI); RESTful Web Service API

    JUNOS SPACE PLATFORM: Network Widgets, Infrastructure Widgets; Open Network Application Platform

    Open, extensible, standards-based (SOA)

    Abstractions for generic service definitions

    Purpose-built for network orchestration and automation

    Carrier-grade scale

    Transparent communication with all Junos devices (any device, any OS version): total management of Juniper infrastructure

    Easy integration with OSS via NBI/SDK

    Security Director

  • 96 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SECURITY THREAT RESPONSE MANAGER (STRM)

    STRM supports SRX Series Intrusion Prevention System (IPS) and AppSecure

    220+ out-of-the-box report templates

    Fully customizable reporting engine: creating, branding and scheduling delivery of reports

    Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA

    Reports based on control frameworks: NIST, ISO and CoBIT

  • 97 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS SCRIPTS

    Configuration Automation - instructs Junos during the commit process: options to provide warnings, post log messages, automatically fail the commit, or change the configuration

    Operations Automation - instructs Junos as prompted by the command line and other scripts: create custom operational commands for specific user and environment needs

    Event Automation - instructs Junos on actions to take in response to events: gather relevant troubleshooting information and correlate events from the first leading indicators

  • 98 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS SCRIPTS

  • Chapter 6: Junos OS Command Line Interface (CLI) Introduction

    SRX QUICK START TRAINING

  • 100 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    MULTIPLE WAYS TO MANAGE!

    JUNOS CLI (Telnet, SSH): commit model

    JUNOScript: automated configuration, operations

    J-Web: quick setup with templates; dashboard view; performance monitoring

    Security Director: manage multiple devices; global, group and device level configuration

  • 101 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CONFIGURATION HISTORY

    Active configuration stored in /config/juniper.conf.gz

    Rollback files stored in /config/juniper.conf.n.gz (n = 1-3) and /var/db/config/juniper.conf.n.gz (n = 4-49)

    Diagram: configure opens the Candidate Configuration; commit makes it the Active Configuration (rollback 0); rollback n loads rollback file 1, 2 ... 49 back into the candidate

  • 102 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS OS CONFIGURATION PROCESS

    Separation of configuration edit and activation

    Validation checks

    Version control

    Automated rollback

    Convenient deployment of standard configurations and policy language across the network

    Diagram: load -> candidate configuration -> commit (commit validations, commit scripts) -> validated configuration -> active configuration; commit confirmed

  • 103 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS OS CONFIGURATION PROCESS (CONTD)

    Basic steps in the configuration process:

    1. Enter changes in the candidate

    2. Commit the candidate

    3. Candidate becomes active

    Diagram: load / rollback -> candidate configuration (1) -> commit with commit validations and commit scripts (2) -> validated configuration -> active configuration (3); commit confirmed; rollback files 1 ... 49

  • 104 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    THE RESCUE CONFIGURATION

    A rescue configuration is designed to restore basic connectivity in the event of configuration problems

    Contents are user defined

    Include a root password!

    By default, there is no rescue configuration

    Can be saved using J-Web or the CLI

    Once saved, the rescue configuration can be activated with the CLI or a momentary push of the recessed CONFIG button

    Diagram: location of the CONFIG button

  • 105 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CLI MODES AND FEATURE OVERVIEW

    CLI operational mode: editing command lines; command completion and history; context-sensitive and documentation-based help; UNIX-style pipes

    CLI configuration mode: object-oriented hierarchy; jumping between levels; candidate configuration with sanity checking; automatic rollback capability; showing portions of configuration while configuring; saving, loading, and deleting configuration files; running operational-mode commands from within configuration

  • 106 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CLI MODES

    Operational mode: monitor and troubleshoot the software, network connectivity, and router hardware

    Configuration mode: configure the router, including interfaces, general routing information, routing protocols, user access, and system hardware properties

    user@host> (the > character identifies operational mode)

    [edit]
    user@host# (the # character identifies configuration mode)

  • 107 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    LOGGING IN

    The root user must start the CLI from the shell (shell prompt, then CLI prompt):

    host (ttyd0)
    login: root
    Password:
    --- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
    root@host% cli
    root@host>

    Do not forget to exit the root shell after logging out of the CLI!

    When logging in, non-root users are placed into the CLI automatically:

    host (ttyd0)
    login: user
    Password:
    --- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
    user@host>

  • 108 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CLI OPERATIONAL MODE

    Execute commands (mainly) from the default CLI level (user@host>); can execute from configuration mode with the run command

    Hierarchy of commands, from less specific to more specific. Example: show ospf neighbor

    Diagram (command tree): clear, configure, file, help, monitor, set, show, etc. -> show: bgp, chassis, configuration, ospf, rip, route, version, etc. -> show ospf: database, interface, neighbor, route, statistics

  • 109 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    EDITING COMMAND LINES

    EMACS-style editing sequences are supported

    The default VT100 terminal type also supports cursor positioning with the arrow keys

    Diagram (keyboard sequence vs. cursor position on "user@host> show interfaces"): Ctrl+b moves back one character; Ctrl+a moves to the start of the line; Ctrl+f moves forward one character; Ctrl+e moves to the end of the line

  • 110 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COMMAND AND VARIABLE COMPLETION

    Enter a space to complete a command:

    user@host> show i
    'i' is ambiguous.
    Possible completions:
      igmp                 Show Internet Group Management Protocol...
      ike                  Show Internet Key Exchange information
      interfaces           Show interface information
      ipsec                Show IP Security information
      isis                 Show Intermediate System-to-Intermediate...
    user@host> show i

    Use the Tab key to complete an assigned variable:

    [edit policy-options]
    user@host# show policy-statement this-is-my-policy
    then accept;
    [edit policy-options]
    user@host#

  • 111 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CONTEXT-SENSITIVE HELP

    Type ? anywhere on the command line:

    user@host> ?
    Possible completions:
      clear                Clear information in the system
      configure            Manipulate software configuration information
      file                 Perform file operations
      help                 Provide help information
      . . .

    user@host> clear ?
    Possible completions:
      arp                  Clear address resolution information
      bfd                  Clear Bidirectional Forwarding Detection information
      bgp                  Clear Border Gateway Protocol information
      firewall             Clear firewall counters
      . . .

  • 112 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    TOPICAL HELP

    The help topic command provides information on general concepts:

    user@host> help topic interfaces ?
    Possible completions:
      accept-data          Accept packets destined for virtual IP...
      accept-source-mac    Policers for specific source MAC addresses
      access-profile       Mapping peer name and secrets for CHAP
      accounting-profile   Accounting profile
      acknowledge-timer    Maximum time to wait for link...
      address              Interface address and destination prefix
      ...

    user@host> help topic interfaces address
    Configuring the Interface Address

    You assign an address to an interface by specifying the address when
    configuring the protocol family. For the inet family, you configure the
    interface's IP address. For the iso family, you configure one or more
    addresses for the loopback interface. For the ccc, tcc, mpls, tnp, and
    vpls families, you never configure an address.
    ...

  • 113 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CONFIGURATION SYNTAX HELP

    Use help reference for assistance with configuration syntax:

    user@host> help reference interfaces address
    address

    Syntax
        address address {
            arp ip-address (mac | multicast-mac) mac-address;
            broadcast address;
            destination address;
            destination-profile name;
            eui-64;
            multipoint-destination address dlci dlci-identifier;
            ...

    Hierarchy Level
        [edit interfaces interface-name unit logical-unit-number family family],
        [edit logical-routers logical-router-name interfaces interface-name unit
        logical-unit-number family family]

    Description
        Configure the interface address.
    ...

  • 114 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    USING | (PIPE)

    The pipe function allows you to filter and manipulate command output; available in all modes and contexts

    user@host> show route | ?
    Possible completions:
      count                Count occurrences
      display              Show additional kinds of information
      except               Show only text that does not match a pattern
      find                 Search for first occurrence of pattern
      hold                 Hold text without exiting the --More-- prompt
      last                 Display end of output only
      match                Show only text that matches a pattern
      no-more              Don't paginate output
      request              Make system-level requests
      resolve              Resolve IP addresses
      save                 Save output text to file
      trim                 Trim specified number of columns from start of line
    user@host> show route |

  • 115 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    ACTIVE AND CANDIDATE CONFIGURATIONS

    Batch configuration model: must commit configuration changes

    Active configuration: current operational configuration; boot-up configuration

    Candidate configuration: a working copy for configuration changes; initialized with the active configuration; becomes the active configuration upon commit

  • 116 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CONFIGURE PRIVATE, CONFIGURE EXCLUSIVE

    Use configure private for your own copy of the candidate

    configuration

    Use configure exclusive when you want to prohibit others

    from also making changes while you are in configuration mode

    mike@jnpr1> configure exclusive

    warning: uncommitted changes will be discarded on exit

    Entering configuration mode

    mike@jnpr1> configure private

    warning: uncommitted changes will be discarded on exit

    Entering configuration mode

  • 117 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SHOW COMMAND

    List the complete candidate from the top of configuration mode:

    [edit]

    mike@juniper1# show

    version "9.2R1.3";

    groups {

    re0 {

    system {

    host-name jnpr1;

    }

    }

    }

    List a specific subset of the candidate configuration from a deeper level of the hierarchy:

    [edit interfaces ge-5/0/0]

    mike@jnpr# show

    gigether-options {

    flow-control;

    auto-negotiation;

    }

    unit 0 {

    family inet {

    address 1.2.3.4/28;

    }

    }

  • 118 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SET COMMAND

    From the top of configuration mode:

    [edit]

    mike@jnpr1# set system services finger

    mike@jnpr1# set system services ftp

    mike@jnpr1# set system services ssh

    mike@jnpr1# set system services telnet

    From a sublevel:

    [edit system services]

    mike@jnpr1# set finger

    mike@jnpr1# set ftp

    mike@jnpr1# set ssh

    mike@jnpr1# set telnet

    Either form adds the following to the candidate configuration:

    [edit]

    system {

    services {

    finger;

    ftp;

    ssh;

    telnet;

    }

    }

  • 119 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    DELETE COMMAND

    Remove a statement along with any subordinate statements

    Deleting a statement effectively returns the affected device, protocol,

    or service to an unconfigured state

    Deleting a container statement removes everything under that level of

    the hierarchy

    [edit]

    mike@jnpr1# delete system services

    The system container is now empty:

    [edit]

    system {

    }

  • 120 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COMPARE CONFIGURATIONS

    Display the differences between the candidate and active

    configuration

    Options to show any two configurations

    [edit system services]

    mike@jnpr1# show | compare

    - ssh;

    + telnet;

    - web-management {

    - http {

    - port 8080;

    - }

    - }

  • 121 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COMMIT CHECK

    Check that the device will accept your candidate

    Validates the logic and completeness of the candidate without activating the changes

    [edit]

    mike@jnpr1# commit check

    [edit interfaces lo0 unit 0 family inet]

    'address 192.168.69.1/24'

    Loopback addresses' prefix must be 32 bits

    error: configuration check-out failed

  • 122 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COMMIT

    Activates the candidate to become the running configuration of the device

    If the validation checks find any errors, you must fix these before the candidate can become the active file

    The commit complete message tells you that the new configuration is now active

    [edit]

    mike@jnpr1# commit

    commit complete

    [edit]

    mike@jnpr1# commit

    error: Policy error: Policy my-policy referenced but not defined

    error: BGP: export list not applied

    error: configuration check-out failed

  • 123 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COMMIT CONFIRMED

    Automate rollback in remote devices

    Commit a candidate configuration for a limited time

    Finalize the commit by entering a 2nd commit command

    Or, wait for rollback to your previous configuration

    [edit]

    mike@jnpr1# commit confirmed

    commit confirmed will be automatically rolled back in 10 minutes unless confirmed

    commit complete

    Broadcast Message from root@jnpr1

    (no tty) at 08:10:17 UTC

    Commit was not confirmed; automatic rollback complete.

    [edit]

    mike@jnpr1# commit

    commit complete

  • 124 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    ROLLBACK

    Use rollback (or rollback 0) to reset the candidate configuration to the currently active configuration

    rollback 1 loads the previously active configuration

    rollback n loads the nth previous active configuration

    rollback rescue loads the previously created rescue file

    rollback only modifies the candidate configuration

    Don't forget to commit the changes!

    [edit]

    mike@host# rollback

    load complete

    [edit]

    mike@host# commit

    commit complete

  • 125 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SAVING A RESCUE CONFIGURATION

    Use the request system configuration rescue [save | delete] CLI command

    View with the show system configuration rescue CLI command
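    As an added example (not Juniper's code, and not how Junos implements it internally), a small Python model of the batch workflow on the preceding slides: candidate versus active configuration, commit check, commit, commit confirmed with automatic rollback, rollback n and the rescue file. Configurations are modelled as sets of set statements, and the only validation rule enforced is the loopback /32 check shown on the commit check slide.

```python
import re
# The only validation rule from the slides: a loopback address must be /32.
LOOPBACK_RE = re.compile(r"^set interfaces lo\d+ unit \d+ family inet address (\S+?)/(\d+)$")


class JunosConfigModel:
    def __init__(self, active=()):
        self.active = frozenset(active)     # running configuration
        self.candidate = set(active)        # working copy, initialised from active
        self.history = []                   # earlier active configs, newest first
        self.rescue = None                  # copy saved for 'rollback rescue'
        self.pending_confirm = False        # 'commit confirmed' awaiting 2nd commit

    def set(self, stmt):
        self.candidate.add("set " + stmt)

    def delete(self, stmt):
        # Deleting a container also removes everything under it.
        prefix = "set " + stmt
        self.candidate = {s for s in self.candidate if s != prefix and not s.startswith(prefix + " ")}

    def commit_check(self):
        errors = []
        for stmt in sorted(self.candidate):
            m = LOOPBACK_RE.match(stmt)
            if m and m.group(2) != "32":
                errors.append(f"'address {m.group(1)}/{m.group(2)}' "
                              "Loopback addresses' prefix must be 32 bits")
        return errors

    def commit(self, confirmed=False):
        errors = self.commit_check()
        if errors:                          # nothing is activated on a failed check
            return errors + ["error: configuration check-out failed"]
        if self.pending_confirm and not confirmed:
            self.pending_confirm = False    # the second commit finalises the change
            return ["commit complete"]
        self.history.insert(0, self.active)
        self.active = frozenset(self.candidate)
        self.pending_confirm = confirmed
        note = ["commit confirmed will be automatically rolled back in 10 minutes "
                "unless confirmed"] if confirmed else []
        return note + ["commit complete"]

    def confirm_timer_expired(self):
        # Timer lapsed with no second commit: the previous active config is committed again.
        if self.pending_confirm:
            self.pending_confirm = False
            self.rollback(1)
            self.commit()

    def rollback(self, n=0):
        # Only the candidate changes: 0 = active, n = nth previous active, "rescue" = rescue file.
        source = self.rescue if n == "rescue" else (self.active if n == 0 else self.history[n - 1])
        self.candidate = set(source)
        return "load complete"

    def save_rescue(self):                  # request system configuration rescue save
        self.rescue = self.active
```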

  • 126 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CONFIGURATION STATEMENT HIERARCHY

    [edit]

    user@host# edit protocols ospf area 51 stub

    [edit protocols ospf area 0.0.0.51 stub]

    user@host#

    (Diagram of the statement hierarchy, from less specific at the top to more specific below: the top level contains interfaces, protocols, chassis, services, system, etc.; protocols contains bgp, isis, mpls, ospf, pim, rip, rsvp, vrrp, etc.; ospf contains area area_id, graceful-restart, overload and traffic-engineering; area contains area-range area_range, interface, nssa, stub, etc.)

  • 127 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    CONFIGURATION FILE IS HIERARCHICAL

    CLI commands are entered without curly brackets:

    [edit system]

    user@host# set services web-management http port 8080

    The result is a hierarchical configuration file, complete with curly brackets:

    [edit system]

    user@host# show services

    web-management {

    http {

    port 8080;

    }

    }

    [edit system]

    user@host#

  • 128 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    Change the candidate configuration:

    [edit system]

    user@host# set services telnet

    [edit system]

    user@host# delete services web-management

    [edit system]

    user@host# delete services ssh

    Display differences between the candidate and active configurations:

    user@host# show | compare

    [edit system services]

    - ssh;

    + telnet;

    - web-management {

    - http {

    - port 8080;

    - }

    - }

    CONFIGURATION FILE DIFFERENCES
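    An added example, not Juniper's code: how set and delete statements build the curly-bracket hierarchy shown on the preceding slides, and a show | compare-style diff between the active and candidate copies. It simplifies the real CLI in one way: a token that starts with a digit is taken to be an identifier or value (unit 0, port 8080, address 1.2.3.4/28), where Junos consults its configuration schema instead.

```python
import copy

def _split(path):
    """'services web-management http port 8080' ->
    ['services', 'web-management', 'http', 'port 8080']"""
    keys = []
    for tok in path.split():
        if tok[0].isdigit() and keys:
            keys[-1] += " " + tok            # identifier/value attaches to its keyword
        else:
            keys.append(tok)
    return keys

class Hierarchy:
    def __init__(self, tree=None):
        self.tree = tree if tree is not None else {}

    def set(self, path):                     # e.g. set system services ssh
        node = self.tree
        for key in _split(path):
            node = node.setdefault(key, {})

    def delete(self, path):                  # e.g. delete system services web-management
        keys, node = _split(path), self.tree
        for key in keys[:-1]:
            node = node.get(key, {})
        node.pop(keys[-1], None)             # drops the whole subtree beneath it

    def clone(self):                         # the candidate starts as a copy of active
        return Hierarchy(copy.deepcopy(self.tree))

def render(node, indent=0):
    """Curly-bracket form as 'show' prints it: containers get braces, leaves ';'."""
    lines, pad = [], "    " * indent
    for key, child in node.items():
        if child:
            lines += [f"{pad}{key} {{"] + render(child, indent + 1) + [f"{pad}}}"]
        else:
            lines.append(f"{pad}{key};")
    return lines

def compare(active, candidate, path=()):
    """'show | compare' style: an [edit ...] header per level that changed,
    '-' for statements only in active, '+' for statements only in candidate."""
    local, nested = [], []
    for key in list(active) + [k for k in candidate if k not in active]:
        a, c = active.get(key), candidate.get(key)
        if a is not None and c is not None:
            if a != c:                       # same container on both sides: descend
                nested += compare(a, c, path + (key,))
            continue
        sign, sub = ("-", {key: a}) if c is None else ("+", {key: c})
        local += [sign + "   " + line for line in render(sub)]
    header = ["[edit " + " ".join(path) + "]" if path else "[edit]"] if local else []
    return header + local + nested
```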

  • 129 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    RUN IS COOL

    Use the run command to execute operational-mode CLI commands from within configuration mode

    Can be a real time-saver when testing the effect of a recent change

    [edit interfaces fe-0/0/0]

    lab@HongKong# set unit 0 family inet address 10.250.0.141/16

    [edit interfaces fe-0/0/0]

    lab@HongKong# commit

    commit complete

    [edit interfaces fe-0/0/0]

    lab@HongKong# run ping 10.250.0.149 count 1

    PING 10.250.0.149 (10.250.0.149): 56 data bytes

    64 bytes from 10.250.0.149: icmp_seq=0 ttl=255 time=0.967 ms

    --- 10.250.0.149 ping statistics ---

    1 packets transmitted, 1 packets received, 0% packet loss

    round-trip min/avg/max/stddev = 0.967/0.967/0.967/0.000 ms

  • 130 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    USING RENAME

    User-defined variables can be changed with the rename command

    Can change policy names, filter names, IP addresses, etc.

    [edit interfaces fe-0/0/0]

    lab@HongKong# set unit 0 family inet address 10.250.0.141/16

    [edit interfaces fe-0/0/0]

    lab@HongKong# show

    unit 0 {

    family inet {

    address 10.250.0.141/16;

    }

    }

    [edit interfaces fe-0/0/0]

    lab@HongKong# rename unit 0 family inet address 10.250.0.141/16 to address 10.250.0.241/16

    [edit interfaces fe-0/0/0]

    lab@HongKong# show

    unit 0 {

    family inet {

    address 10.250.0.241/16;

    }

    }

  • 131 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    USING REPLACE

    In configuration mode

    [edit]

    lab@HongKong# replace pattern 10.1.1.1 with 10.2.2.2

  • Chapter X: Other Security Products of Interest

    SRX QUICK START TRAINING

  • 133 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    COMMITTED TO INNOVATION AND INVESTMENT

    Security is core to our business at Juniper

    "Juniper R&D is $1.027B, or 23% of revenues, a figure no one else in the industry comes close to on a percentage basis" (2011 Annual Report)

    New in 2013: A differentiated approach to security

    with our Intrusion Deception and DDoS protection

    capabilities

    (Infographic: Market Leader in Remote Access SSL VPN and High-End Firewalls, with #1 and #3 rankings shown; Network Security $1B global revenue; #1 Dedicated Innovator; Global Powerhouse serving customers in over 47 countries, with a worldwide community of over 1000 Reseller Partners. Source: Infonetics Research 2012)

  • 134 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    OTHER SECURITY PRODUCTS OF INTEREST

    Virtualized Firewall Solution

    Junos V Firefly

    Securing Web Portals

    Junos WebApp Secure

    Securing Virtual Machines and ESX Hosts

    vGW Virtual Gateway

  • 135 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS V FIREFLY

  • 136 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    INTRODUCING JUNOSV FIREFLY

    Juniper is delivering its industry-leading Junos OS and SRX features as a software appliance for deployment in virtualized environments

    (Diagram: a physical SRX running Junos beside a virtualized environment, where JunosV Firefly runs as a VM next to other VMs on the hypervisor, protecting Enterprise/Tenant A)

  • 137 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOSV FIREFLY VISION: ADVANCED PROTECTION IN VIRTUALIZED ENVIRONMENTS

    Security & Routing functionality delivered as a virtual machine

    Junos delivered as a virtual appliance on a choice of hypervisors

    Runs on standard x86 hardware

    Full, proven Junos security and routing protocol suite

    Leverages proven SRX & VJX technology

    Performance optimized: SMP kernel & multi-threaded flowd over multiple vCPUs

    Supports hypervisor VM functionality (example: vMotion, snapshots, HA/FT, cloning, management, etc.)

    (Feature stack diagram: Perimeter: Firewall, VPN, NAT, Network Admission Control; Content: Anti-Virus, IPS (Full IDP Feature Set), Web Filtering, Anti-Spam; Application: Application Awareness, Identity Awareness; Management: CLI, JWeb, SNMP, JSpace-SD, Hypervisor Mgmt, HA/FT; all built on Junos Routing Protocols and SDK and the Junos Rich & Extensible Security Stack)

  • 138 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOSV FIREFLY MANAGEMENT

    JUNOSV FIREFLY

    DEVICE MANAGEMENT

    Centralized management

    Junos Space /Security Design

    Security Insight

    STRM (logging and reporting), Syslog, Traceroute

    Local management

    CLI

    JWeb

    Junos Scripts

    SNMP

    JUNOS SPACE

    VIRTUAL DIRECTOR

    A Junos Space platform application that offers complete lifecycle management for JunosV Firefly.

    Firefly Virtual Director

  • 139 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    JUNOS WEBAPP SECURE

  • 140 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    HACKER THREATS

    Threat types as they progress over time (timeline axis from Jan to Dec):

    IP Scan: script run against multiple sites seeking a specific vulnerability

    Scripts & Tools: generic scripts and tools against one site

    Targeted Scan: targets a specific site for any vulnerability

    Exploits

    Botnet: script loaded onto a bot network to carry out the attack

    Human Hacker: sophisticated, targeted attack (APT); low and slow to avoid detection

  • 141 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    WEB APP SECURITY TECHNOLOGY

    Web Application Firewall compared with Web Intrusion Prevention System:

    Detection: Web Application Firewall uses signatures; Web Intrusion Prevention System uses Tar Traps

    Tracking: Web Application Firewall tracks the IP address; Web Intrusion Prevention System tracks the browser, software and scripts

    Profiling: Web Application Firewall profiles by IP address; Web Intrusion Prevention System profiles the browser, software and scripts

    Responses: Web Application Firewall blocks the IP; Web Intrusion Prevention System can block, warn and deceive the attacker

    (Callouts on the slide: Q1 2012; PCI Section 6.6)

  • 142 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY

    Detect: Tar Traps detect threats without false positives.

    Track: Track IPs, browsers, software and scripts.

    Profile: Understand attackers' capabilities and intents.

    Respond: Adaptive responses, including block, warn and deceive.

  • 143 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    THE ANATOMY OF A WEB ATTACK

    Phase 1 Reconnaissance: days or weeks

    Phase 2 Attack Vector Establishment: weeks or months

    Phase 3 Implementation: weeks or months

    Phase 4 Automation: months or years

    Phase 5 Maintenance: years

    (Timeline diagram, with a Web App Firewall callout placed on the timeline)

  • 144 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    DETECTION BY DECEPTION

    (Diagram: Client, Network Perimeter Firewall, App Server and Database; Tar Traps are placed in the Server Configuration, Query String Parameters and Hidden Input Fields)

  • 145 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    TRACK ATTACKERS BEYOND THE IP

    Track IP Address

    Track Browser Attacks: Persistent Token, with the capacity to persist in all browsers including various privacy control features.

    Track Software and Script Attacks: Fingerprinting HTTP communications.

  • 146 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SMART PROFILE OF ATTACKER

    Every attacker assigned a name

    Incident history

    Attacker threat level

  • 147 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    RESPOND AND DECEIVE

    Junos WebApp Secure responses, by threat type (Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits):

    Warn attacker

    Block user

    Force CAPTCHA

    Slow connection

    Simulate broken application

    Force log-out

    All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
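    An added example, not Juniper's code and not how Junos WebApp Secure is implemented: the detect, track, profile and respond cycle of the preceding slides in miniature, with two constructed tar traps (a hidden form field the server emits with a fixed value, and a query-string parameter no page links to), a persistent browser token used to track beyond the IP, named attacker profiles with incident history and threat level, and a response that escalates with the threat level. All names, values and sample requests are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Decoys (constructed values): a hidden form field the server emits with a fixed
# value, and a query-string parameter that no page on the site ever links to.
DECOY_FIELD, DECOY_FIELD_VALUE = "__form_seed", "a1b2c3"
DECOY_PARAM = "debug"

# Adaptive responses from the slide, ordered from mildest to most severe.
RESPONSES = ["warn attacker", "force CAPTCHA", "slow connection", "block user"]

@dataclass
class AttackerProfile:
    name: str                                 # every attacker is assigned a name
    incidents: list = field(default_factory=list)

    @property
    def threat_level(self):                   # 1..4, grows with the incident history
        return min(len(self.incidents), 4)

    def response(self):
        return RESPONSES[self.threat_level - 1] if self.incidents else None

def tar_trap_hits(request):
    """request: dict with 'url' and optional 'form'. Returns the traps tripped."""
    hits = []
    if DECOY_PARAM in parse_qs(urlsplit(request["url"]).query):
        hits.append("query-string:" + DECOY_PARAM)      # no legitimate client sends it
    sent = request.get("form", {}).get(DECOY_FIELD)
    if sent is not None and sent != DECOY_FIELD_VALUE:
        hits.append("hidden-field:" + DECOY_FIELD)      # a browser echoes it unchanged
    return hits

class DeceptionTracker:
    def __init__(self):
        self.profiles = {}

    def observe(self, request):
        """Track beyond the IP: a persistent browser token, when present,
        identifies the client even if its address changes."""
        hits = tar_trap_hits(request)
        if not hits:
            return None
        key = request.get("token") or request["ip"]
        profile = self.profiles.setdefault(
            key, AttackerProfile(name=f"attacker-{len(self.profiles) + 1}"))
        profile.incidents.append((request["url"], hits))
        return profile
```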

  • 148 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    UNIFIED PROTECTION ACROSS PLATFORMS

    (Diagram: App Server and Database protected across Internal, Virtualized and Cloud deployments)

  • 149 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    VGW VIRTUAL GATEWAY

  • 150 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    MEGA TREND: SERVER VIRTUALIZATION

    (Chart: Physical Server Installed Base versus Logical Server Installed Base, in millions of installed servers, 1996 to 2013, with a Capital Savings callout. Source: IDC)

  • 151 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    SECURITY IMPLICATION OF VIRTUALIZATION

    Physical Network: Firewall/IDS sees and protects all traffic between servers

    Virtual Network: physical security is blind to traffic between virtual machines

    (Diagram: VM1, VM2 and VM3 connected through a Virtual Switch on the hypervisor of an ESX/ESXi host)

  • 152 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    APPROACHES TO SECURING VIRTUAL NETWORKS

    (Diagram of three approaches, each shown as VM1, VM2 and VM3 on a vSwitch and hypervisor in an ESX/ESXi host:)

    Traditional Security Agents: a regular thick agent for FW & AV in each VM

    VLANs & Physical Segmentation

    Integrated Virtual Security: a Virtual Security Layer in the host

  • 153 Copyright 2013 Juniper Networks, Inc. www.juniper.net

    THE vGW ARCHITECTURE OVERVIEW

    Service Provider & Enterprise Grade

    Three Tiered Model

    VMware Certified (signed binaries!)

    Protects each VM and the hypervisor

    Fault-tolerant architecture (i.e., HA)

    Virtualization-aware

    Secure VMotion

    Auto Secure detects/protects new VMs

    Granular, Tiered Defense

    Stateful firewall, integrated IDS, and AV

    Flexible Policy Enforcement: zone, VM group, VM, individual vNIC

    (Diagram: the vGW Engine sits in the VMware kernel of the ESX host, beneath VM1, VM2, VM3 and the Virtual Center VM, attached to any vSwitch (Standard, DVS, 3rd Party); it is connected by Packet Data and VMware APIs, and to a Partner Server for IDS, SIM, Syslog and Netflow)