Juniper J-4350 J-4350-JB-SC Data Sheet
Product codes
J-4350-JB-SC
3
Features and Benefits
Secure Routing
Should you use a router and a firewall to secure your network? By
building the branch J Series Services Routers with best-in-class
routing and firewall capabilities in one product, enterprises don’t
have to make that choice. Why forward traffic if it’s not legitimate?
building the branch J Series Services Routers with best-in-class
routing and firewall capabilities in one product, enterprises don’t
have to make that choice. Why forward traffic if it’s not legitimate?
J Series for the branch checks the traffic to see if it is legitimate,
and only forwards it on when it is. This reduces the load on
the network, allocates bandwidth for all other mission-critical
applications, and secures the network from hacking.
and only forwards it on when it is. This reduces the load on
the network, allocates bandwidth for all other mission-critical
applications, and secures the network from hacking.
The main purpose of a secure router is to provide firewall
protection and apply policies. The firewall (zone) functionality
inspects traffic flows and state to ensure that originating and
returning information in a session is expected and permitted for
a particular zone. The security policy determines if the session
can originate in one zone and traverse to another zone. This
architectural choice receives packets from a wide variety of clients
and servers and keeps track of every session, of every application,
and of every user. It allows the enterprise to make sure that only
legitimate traffic is on its network and that traffic is flowing in the
expected direction.
protection and apply policies. The firewall (zone) functionality
inspects traffic flows and state to ensure that originating and
returning information in a session is expected and permitted for
a particular zone. The security policy determines if the session
can originate in one zone and traverse to another zone. This
architectural choice receives packets from a wide variety of clients
and servers and keeps track of every session, of every application,
and of every user. It allows the enterprise to make sure that only
legitimate traffic is on its network and that traffic is flowing in the
expected direction.
Figure 1: Firewalls, zones and policies
To ease the configuration of a firewall, J Series for the branch
uses two features—“zones” and “policies.” While these can be
user defined, the default shipping configuration contains, at a
minimum, a trust and an untrust zone. The trust zone is used
uses two features—“zones” and “policies.” While these can be
user defined, the default shipping configuration contains, at a
minimum, a trust and an untrust zone. The trust zone is used
for configuration and attaching the LAN to the branch J Series
routers. The untrust zone is used for the WAN or Internet interface.
To simplify installation and make configuration easier, a default
policy is in place that allows traffic originating from the trust
zone to flow to the untrust zone. This policy blocks all traffic
originating from the untrust zone to the trust zone. A traditional
router forwards all traffic without regard to a firewall (session
awareness) or policy (origination and destination of a session).
routers. The untrust zone is used for the WAN or Internet interface.
To simplify installation and make configuration easier, a default
policy is in place that allows traffic originating from the trust
zone to flow to the untrust zone. This policy blocks all traffic
originating from the untrust zone to the trust zone. A traditional
router forwards all traffic without regard to a firewall (session
awareness) or policy (origination and destination of a session).
Figure 2: High availability
By using the Web interface or CLI, enterprises can create a series
of security policies that will control the traffic from within and in
between zones by defining policies. At the broadest level, all types
of traffic can be allowed from any source in security zones to any
destination in all other zones without any scheduling restrictions.
At the narrowest level, policies can be created that allow only one
kind of traffic between a specified host in one zone and another
specified host in another zone during a scheduled time period.
of security policies that will control the traffic from within and in
between zones by defining policies. At the broadest level, all types
of traffic can be allowed from any source in security zones to any
destination in all other zones without any scheduling restrictions.
At the narrowest level, policies can be created that allow only one
kind of traffic between a specified host in one zone and another
specified host in another zone during a scheduled time period.
High Availability
Junos OS Services Redundancy Protocol (JSRP) is a core feature
of the J Series for the branch. JSRP enables a pair of security
systems to be easily integrated into a high availability network
architecture, with redundant physical connections between the
systems and the adjacent network switches. With link redundancy,
Juniper Networks can address many common causes of system
failures, such as a physical port going bad or a cable getting
disconnected, to ensure that a connection is available, without
having to fail over the entire system. This is consistent with a
typical active/standby nature of routing resiliency protocols.
of the J Series for the branch. JSRP enables a pair of security
systems to be easily integrated into a high availability network
architecture, with redundant physical connections between the
systems and the adjacent network switches. With link redundancy,
Juniper Networks can address many common causes of system
failures, such as a physical port going bad or a cable getting
disconnected, to ensure that a connection is available, without
having to fail over the entire system. This is consistent with a
typical active/standby nature of routing resiliency protocols.
When J Series routers for the branch are configured as an active/
active pair, traffic and configuration will be mirrored automatically
to provide active firewall and VPN session maintenance in case of
a failure. The J Series will now synchronize both configuration and
runtime information. As a result, during failover, synchronization of
the following information is shared: connection/session state and
flow information, IPsec security associations, Network Address
Translation (NAT) traffic, address book information, configuration
changes, and more. In contrast to the typical router active/standby
resiliency protocols such as Virtual Router Redundancy Protocol
(VRRP), all dynamic flow and session information is lost and must
be reestablished in the event of a failover. Some or all applications
sessions will have to restart depending on the convergence time
of the links or nodes. By maintaining state, not only is the session
preserved, but security is intact. In an unstable network, this
active/active configuration also mitigates link flapping affecting
session performance.
active pair, traffic and configuration will be mirrored automatically
to provide active firewall and VPN session maintenance in case of
a failure. The J Series will now synchronize both configuration and
runtime information. As a result, during failover, synchronization of
the following information is shared: connection/session state and
flow information, IPsec security associations, Network Address
Translation (NAT) traffic, address book information, configuration
changes, and more. In contrast to the typical router active/standby
resiliency protocols such as Virtual Router Redundancy Protocol
(VRRP), all dynamic flow and session information is lost and must
be reestablished in the event of a failover. Some or all applications
sessions will have to restart depending on the convergence time
of the links or nodes. By maintaining state, not only is the session
preserved, but security is intact. In an unstable network, this
active/active configuration also mitigates link flapping affecting
session performance.
“Untrust” Zone
“Trust” Zone
“Guest” Zone
“DMZ” Zone
Intranet
INTERNET
Standby
J Series
J Series
Active
High Availability
Active
/
Standby
EX Series
EX Series
INTERNET
Failure
Active
Active
/
Standby
EX Series
EX Series
INTERNET
Active
Active
Active
/
Active
EX Series
EX Series
INTERNET
Failure
Active
Active
/
Active
EX Series
EX Series
INTERNET
J Series
J Series
J Series
J Series
J Series
J Series