搜索
IntroductiontoSRX-seriesServicesGatewaysChapterTitleINTERNALUSEONLYIntroductiontoSRX-seriesServicesGateways2©2008JuniperNetworks,Inc.Allrightsreserved.BuilttoForwardPacketsTheprimaryresponsibilityofarouteristoforwardpacketsusingLayer3IPaddressesfoundinanIPpacketheader.Toforwardpackets,theroutermusthaveapathdeterminationmechanism.Thismechanismcouldbestaticallyassignedroutes,routingprotocols,orpolicy-basedrouting.PacketProcessingisStatelessTraditionally,routersprocesspacketsinastatelessfashion.Routersdonotkeeptrackofbidirectionalsessions;theyforwardeachpacketindividuallybasedonthepacketheader.SeparateBroadcastDomainsandProvideWANConnectivityRouterswereoriginallyusedtoseparatebroadcastdomains.WiththeintroductionofadvancedswitchingtechnologiesandthebirthofvirtualLAN(VLAN)standards,broadcastdomainscanalsobeseparatedusingswitches.Thatcapability,however,doesnotaddressinter-VLANconnectivity,whichstillnecessitatestheuseofroutersforforwardingtrafficbetweenVLANs.Furthermore,routersprovideWANconnectivityatthenetworkedge.INTERNALUSEONLYIntroductiontoSRX-seriesServicesGateways©2008JuniperNetworks,Inc.Allrightsreserved.3Layer3PacketForwardingRoutersperformLayer3packetforwardingusingroutingtableentries.Routersbuildroutingtablesbasedontheresultsofdynamicroutingprotocols(forexample,RIP,OSPF,IS-IS,andBGP),staticallyenteredroutes,orbothofthesemethods.Notethatroutersforwardpacketsbasedonthelongestprefixmatch.Forexample,inthegraphicontheslide,RouterAselectsinterfacege-0/0/2tosendtraffictodestination10.3.3.10because10.3.3.10/32isalongerprefixmatchthan10.3.3.0/24.Ifentry10.3.3.10/32doesnotexistintheroutingtable,therouterselectsinterfacege-0/0/0asthenexthopforthesamepacketflow.INTERNALUSEONLYIntroductiontoSRX-seriesServicesGateways4©2008JuniperNetworks,Inc.Allrightsreserved.PromiscuousBehaviorofaTraditionalRouterAtraditionalrouterisapromiscuousdevicethatperformsstatelesspacketprocessing.Itispromiscuousbecauseonceitisconfigured,itimmediatelyforwardsalltrafficbydefault(provided,ofcourse,thatsomecombinationofstaticanddynamicroutingisconfigured).Typically,arouteroperatesonlyatLayer3anddoesnotrecognizeanysecuritythreatsinhigher-layerprotocols.Furthermore,atraditionalrouteroperatesperpacket,whichaddstoitsfundamentallyinsecurenature,asitcannotdetectmalformedsessions.Thenetworkandtherouteritselfareimmediatelyvulnerabletoallsecuritythreats.TypicalTreatmentofSecurityOtherthanimplementingstandardaccesscontrolusingIPheaderinformation,mostroutersarenotequippedtosecureanetwork.Traditionally,afullsecuritysolutioninvolvesaddingaseparatefirewalldevice.INTERNALUSEONLYIntroductiontoSRX-seriesServicesGateways©2008JuniperNetworks,Inc.Allrightsreserved.5EnterpriseRouterPositioningEnterprisecustomerpremiseapplicationsareservedbytheJ-seriesfamilyofserviceroutersand,inthecaseoflargerenterprises,M-seriesrouters.EnterprisedatacenterapplicationscanalsobeservedbyM-seriesrouters.J-seriesandM-seriesrouterssupporttherichroutingandclass-of-service(CoS)featuresneededbytheenterpriseandmaintainvalue,stability,andpredictablyhighperformance.INTERNALUSEONLYIntroductiontoSRX-seriesServicesGateways6©2008JuniperNetworks,Inc.Allrightsreserved.AddingSecuritytotheNetworkStandaloneroutersdonotprovideadequatesecuritytoenterprisenetworksanddatacenters.Asnetworkscontinuetoexpand,networkapplicationscontinuetodiversifyandexpand,andasnewmethodsofremotecommunicationssuchastelecommutingincrease,theneedforaddedsecuritybecomesapparent.Typicallyastandalonefirewallisaddedtothenetwork,increasingcostsandmaintenance.RequirementsforFirewallDevicesAfirewalldevicemustbecapableofthefollowing:•StatefulpacketprocessingbasedoncontentsofIPandhigher-levelpacketinformation,whichincludesTCP/UDPandtheapplicationlayer;•NetworkAddressTranslation(NAT)andPortAddressTranslation(PAT),achievingprivate-to-publictranslationsandviceversa;and•Establishingvirtualprivatenetworks(VPNs)compoundedwithauthenticationandencryption.AdditionalServicesThegrowthinnetworksecurityhasresultedinadditionalservicesprovidedbystandalonefirewallssuchasSecureSocketsLayer(SSL)networkaccess,IntrusionDetectionandPrevention(IDP),ApplicationLayerGateway(ALG)processing,andmore.INTERNALUSEONLYIntroductiontoSRX-seriesServicesGateways©2008JuniperNetworks,Inc.Allrightsreserved.7Firewall:StatefulPacketProcessingAsthemainjobofafirewallistoprotectnetworksanddevices,fundamentalfirewallintelligenceconsistsoftheabilitytomakepacketprocessingdecisionsbasedonIPpacketheaderinformation,includingitsupperlayers.Statefulpacketprocessinginvolvesthecreationofaunidirectionalflow,whichconsistsofsixelementsofinformation—sourceIPaddress,destinationIPaddress,sourceportnumber,destinationportnumber,protocolnumber,andasessiontoken.Thesessiontokenisderivedfromacombinationofaroutinginstanceandazone.Theoutgoingflowinitiatesasessiontableentryandtheexpectedreturnflowforthatpacket.Bothoutgoingandincomingflowscomprisethesessionandareenteredintothesessiontable.Thesessiontableenablesbidirectionalcommunicationwithoutanyadditionalconfigurationalstepsforreturntraffic.INTERNALUSE