Juniper SRX220-PWR-60W-JP-01 Datasheet
Features and Benefits
Secure Routing
Should you use a router and a firewall to secure your network? By building the branch SRX Series with best-in-class routing, switching and firewall capabilities in one product, enterprises don’t have to make that choice. Why forward traffic if it’s not legitimate?
SRX Series for the branch checks the traffic to see if it is legitimate and permitted, and only forwards it on when it is. This reduces the load on the network, allocates bandwidth for all other mission-critical applications, and secures the network from malicious users.
The main purpose of a secure router is to provide firewall protection and apply policies. The firewall (zone) functionality inspects traffic flows and state to ensure that originating and returning information in a session is expected and permitted for a particular zone. The security policy determines if the session can originate in one zone and traverse to another zone. With this architecture, the device receives packets from a wide variety of clients and servers and keeps track of every session, of every application, and of every user. It allows the enterprise to make sure that only legitimate traffic is on its network and that traffic is flowing in the expected direction.
To ease the configuration of a firewall, SRX Series for the branch uses two features—“zones” and “policies.” While these can be user-defined, the default shipping configuration contains, at a minimum, a “trust” and “untrust” zone. The trust zone is used for configuration and attaching the internal LAN to the branch SRX Series. The untrust zone is commonly used for the WAN or untrusted Internet interface. To simplify installation and make configuration easier, a default policy is in place that allows traffic originating from the trust zone to flow to the untrust zone. This policy blocks all traffic originating from the untrust zone to the trust zone. A traditional router forwards all traffic without regard to a firewall (session awareness) or policy (origination and destination of a session).
By using the Web interface or CLI, enterprises can define a series of security policies that control traffic within and between zones. At the broadest level, all types of traffic can be allowed from any source in security zones to any destination in all other zones without any scheduling restrictions. At the narrowest level, policies can be created that allow only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled time period.
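The zone and policy model described above, as an added Junos set-command example that is not part of the datasheet or Juniper's shipped default configuration: it defines trust, untrust and dmz zones, the broadest trust-to-untrust policy, the narrowest host-to-host scheduled policy, and an explicit logged deny for untrust-originated sessions. Interface names, addresses, the scheduler window and the policy names are assumed for illustration.

```junos
# Interfaces (assumed): ge-0/0/0 WAN, ge-0/0/1 LAN, ge-0/0/2 DMZ
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.1/24

# Zones: untrust on the WAN port, trust on the LAN (management allowed
# inbound to the device only here), dmz for a published server.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone dmz interfaces ge-0/0/2.0

# Global address book (Junos 11.2 and later); entries used by the narrow policy.
set security address-book global address lan-admin 192.0.2.10/32
set security address-book global address web-srv 198.51.100.20/32

# Time window the narrow policy is limited to (assumed business hours).
set schedulers scheduler business-hours daily start-time 08:00:00 stop-time 18:00:00

# Broadest policy: anything originating in trust may go to untrust.
# The session table admits the return traffic; no reverse policy is needed.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit

# Narrowest policy: one host, one destination, one application, one zone pair,
# only while the scheduler is active; session start and end are logged.
set security policies from-zone trust to-zone dmz policy admin-ssh match source-address lan-admin
set security policies from-zone trust to-zone dmz policy admin-ssh match destination-address web-srv
set security policies from-zone trust to-zone dmz policy admin-ssh match application junos-ssh
set security policies from-zone trust to-zone dmz policy admin-ssh scheduler-name business-hours
set security policies from-zone trust to-zone dmz policy admin-ssh then permit
set security policies from-zone trust to-zone dmz policy admin-ssh then log session-init
set security policies from-zone trust to-zone dmz policy admin-ssh then log session-close

# Untrust-originated sessions toward trust are denied even without a policy;
# an explicit deny with logging makes the dropped attempts visible to monitoring.
set security policies from-zone untrust to-zone trust policy deny-in match source-address any
set security policies from-zone untrust to-zone trust policy deny-in match destination-address any
set security policies from-zone untrust to-zone trust policy deny-in match application any
set security policies from-zone untrust to-zone trust policy deny-in then deny
set security policies from-zone untrust to-zone trust policy deny-in then log session-init
```

Policies within a zone pair are evaluated top-down and the first match wins, so place narrow permits above broader entries when both exist for the same pair.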
High Availability
Junos OS Services Redundancy Protocol (JSRP) is a core feature of the SRX Series for the branch. JSRP enables a pair of SRX Series systems to be easily integrated into a high availability network architecture, with redundant physical connections between the systems and the adjacent network switches. With link redundancy, Juniper Networks can address many common causes of system failures, such as a physical port going bad or a cable getting disconnected, to ensure that a connection is available without having to fail over the entire system. This is consistent with a typical active/standby nature of routing resiliency protocols.
When SRX Series Services Gateways for the branch are configured as an active/active HA pair, traffic and configuration are mirrored automatically to provide active firewall and VPN session maintenance in case of a failure. The branch SRX Series synchronizes both configuration and runtime information. As a result, the following information is synchronized and available during failover: connection/session state and flow information, IPsec security associations, Network Address Translation (NAT) traffic, address book information, configuration changes, and more. With typical router active/standby resiliency protocols such as Virtual Router Redundancy Protocol (VRRP), by contrast, all dynamic flow and session information is lost and must be reestablished in the event of a failover. Some or all network sessions will have to restart depending on the convergence time of the links or nodes. By maintaining state, not only is the session preserved, but security is kept intact. In an unstable network, this active/active configuration also mitigates link flapping affecting session performance.
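The link-redundant pair described in this section, as an added Junos chassis-cluster (JSRP) example that is not part of the datasheet or Juniper's own documentation: two nodes, one redundant Ethernet interface per side cabled to the adjacent switches, and interface monitoring so that a failed port or cable fails over only the data redundancy group rather than the whole system. Fabric and member port names, addresses and priorities are assumed; node 1 ports are assumed to appear as ge-3/0/x, which varies by platform. An active/active layout adds further redundancy groups with the node priorities reversed.

```junos
# Run once per node from operational mode before loading the configuration:
#   node 0:  set chassis cluster cluster-id 1 node 0 reboot
#   node 1:  set chassis cluster cluster-id 1 node 1 reboot

# Fabric (data) link between the nodes; the control link is a fixed port per platform.
# Session, IPsec SA and NAT state are synchronized over this link automatically.
set interfaces fab0 fabric-options member-interfaces ge-0/0/5
set interfaces fab1 fabric-options member-interfaces ge-3/0/5

# RG0 is the routing engine, RG1 the data plane. Higher priority is primary;
# preempt is left off so a recovered node does not flap the group back.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

# Interface monitoring: a monitored port going down subtracts its weight from
# RG1's threshold of 255; at zero only RG1 fails over, RG0 stays where it is.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-3/0/3 weight 255

# reth0 (untrust) and reth1 (trust): one physical member on each node,
# each cabled to an adjacent EX Series switch as in Figure 2.
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-3/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-3/0/3 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/30
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.0.2.1/24

# Zones bind to the reth interfaces, so policies keep matching after failover.
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
```

After commit, `show chassis cluster status` and `show chassis cluster interfaces` confirm which node holds each redundancy group and the monitored port state.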
Figure 2: High availability (diagram: SRX240 pairs in Active/Standby and Active/Active configurations, each dual-connected to EX Series switches and the Internet, shown before and after a link failure)
Figure 1: Firewalls, zones, and policies (diagram: “Untrust”, “Trust”, “Guest” and “DMZ” zones on the branch SRX Series between the Intranet and the Internet)