Juniper SRX220-PWR-60W-JP-05 データシート
3
Features and Benefits
Secure Routing
Should you use a router and a firewall to secure your network?
By building the branch SRX Series with best-in-class routing,
switching and firewall capabilities in one product, enterprises
don’t have to make that choice. Why forward traffic if it’s not
legitimate?
By building the branch SRX Series with best-in-class routing,
switching and firewall capabilities in one product, enterprises
don’t have to make that choice. Why forward traffic if it’s not
legitimate?
SRX Series for the branch
checks the traffic to see if it is
legitimate and permitted, and
only forwards it on when it is.
This reduces the load on the
network, allocates bandwidth
for all other mission-critical
applications, and secures the
network from malicious users.
checks the traffic to see if it is
legitimate and permitted, and
only forwards it on when it is.
This reduces the load on the
network, allocates bandwidth
for all other mission-critical
applications, and secures the
network from malicious users.
The main purpose of a
secure router is to provide
firewall protection and apply
policies. The firewall (zone)
functionality inspects traffic
flows and state to ensure
that originating and returning
information in a session is
expected and permitted for a
particular zone. The security
secure router is to provide
firewall protection and apply
policies. The firewall (zone)
functionality inspects traffic
flows and state to ensure
that originating and returning
information in a session is
expected and permitted for a
particular zone. The security
policy determines if the session can originate in one zone and
traverse to another zone. This architectural choice receives
packets from a wide variety of clients and servers and keeps track
of every session, of every application, and of every user. It allows
the enterprise to make sure that only legitimate traffic is on its
network and that traffic is flowing in the expected direction.
traverse to another zone. This architectural choice receives
packets from a wide variety of clients and servers and keeps track
of every session, of every application, and of every user. It allows
the enterprise to make sure that only legitimate traffic is on its
network and that traffic is flowing in the expected direction.
To ease the configuration of a firewall, SRX Series for the branch
uses two features—“zones” and “policies.” While these can be
user-defined, the default shipping configuration contains, at a
minimum, a “trust” and “untrust” zone. The trust zone is used
for configuration and attaching the internal LAN to the branch
SRX Series. The untrust zone is commonly used for the WAN or
untrusted Internet interface. To simplify installation and make
configuration easier, a default policy is in place that allows traffic
originating from the trust zone to flow to the untrust zone. This
policy blocks all traffic originating from the untrust zone to the
uses two features—“zones” and “policies.” While these can be
user-defined, the default shipping configuration contains, at a
minimum, a “trust” and “untrust” zone. The trust zone is used
for configuration and attaching the internal LAN to the branch
SRX Series. The untrust zone is commonly used for the WAN or
untrusted Internet interface. To simplify installation and make
configuration easier, a default policy is in place that allows traffic
originating from the trust zone to flow to the untrust zone. This
policy blocks all traffic originating from the untrust zone to the
trust zone. A traditional router forwards all traffic without regard
to a firewall (session awareness) or policy (origination and
destination of a session).
to a firewall (session awareness) or policy (origination and
destination of a session).
By using the Web interface or CLI, enterprises can create a series
of security policies that will control the traffic from within and in
between zones by defining policies. At the broadest level, all types
of traffic can be allowed from any source in security zones to any
destination in all other zones without any scheduling restrictions.
At the narrowest level, policies can be created that allow only one
kind of traffic between a specified host in one zone and another
specified host in another zone during a scheduled time period.
of security policies that will control the traffic from within and in
between zones by defining policies. At the broadest level, all types
of traffic can be allowed from any source in security zones to any
destination in all other zones without any scheduling restrictions.
At the narrowest level, policies can be created that allow only one
kind of traffic between a specified host in one zone and another
specified host in another zone during a scheduled time period.
High Availability
Junos OS Services Redundancy Protocol (JSRP) is a core feature
of the SRX Series for the branch. JSRP enables a pair of SRX
Series systems to be easily integrated into a high availability
network architecture, with redundant physical connections
between the systems and the adjacent network switches. With
link redundancy, Juniper Networks can address many common
causes of system failures, such as a physical port going bad
or a cable getting disconnected, to ensure that a connection
is available without having to fail over the entire system. This
is consistent with a typical active/standby nature of routing
resiliency protocols.
of the SRX Series for the branch. JSRP enables a pair of SRX
Series systems to be easily integrated into a high availability
network architecture, with redundant physical connections
between the systems and the adjacent network switches. With
link redundancy, Juniper Networks can address many common
causes of system failures, such as a physical port going bad
or a cable getting disconnected, to ensure that a connection
is available without having to fail over the entire system. This
is consistent with a typical active/standby nature of routing
resiliency protocols.
When SRX Series Services Gateways for the branch are
configured as an active/active hA pair, traffic and configuration
is mirrored automatically to provide active firewall and VPN
session maintenance in case of a failure. The branch SRX Series
synchronizes both configuration and runtime information. As a
result, during failover, synchronization of the following information
is shared: connection/session state and flow information, IPSec
security associations, Network Address Translation (NAT) traffic,
address book information, configuration changes, and more. In
contrast to the typical router active/standby resiliency protocols
such as Virtual Router Redundancy Protocol (VRRP), all dynamic
flow and session information is lost and must be reestablished in
the event of a failover. Some or all network sessions will have to
restart depending on the convergence time of the links or nodes. By
maintaining state, not only is the session preserved, but security is
kept intact. In an unstable network, this active/active configuration
also mitigates link flapping affecting session performance.
configured as an active/active hA pair, traffic and configuration
is mirrored automatically to provide active firewall and VPN
session maintenance in case of a failure. The branch SRX Series
synchronizes both configuration and runtime information. As a
result, during failover, synchronization of the following information
is shared: connection/session state and flow information, IPSec
security associations, Network Address Translation (NAT) traffic,
address book information, configuration changes, and more. In
contrast to the typical router active/standby resiliency protocols
such as Virtual Router Redundancy Protocol (VRRP), all dynamic
flow and session information is lost and must be reestablished in
the event of a failover. Some or all network sessions will have to
restart depending on the convergence time of the links or nodes. By
maintaining state, not only is the session preserved, but security is
kept intact. In an unstable network, this active/active configuration
also mitigates link flapping affecting session performance.
Figure 2: High availability
Standby
SRX240
SRX240
Active
High Availability
Active
/
Standby
EX Series
EX Series
INTERNET
Failure
SRX240
SRX240
Active
Active
/
Standby
EX Series
EX Series
INTERNET
SRX240
SRX240
Active
Active
Active
/
Active
EX Series
EX Series
INTERNET
Failure
SRX240
SRX240
Active
Active
/
Active
EX Series
EX Series
INTERNET
“Untrust” Zone
“Trust” Zone
“Guest” Zone
“DMZ” Zone
Intranet
INTERNET
Figure 1: Firewalls, zones,
and policies