
Firewall and IPsec VPN

SRX SERVICES GATEWAYS (FIREWALLS)


High-performance security with advanced, integrated threat intelligence,
delivered on the industry's most scalable and resilient platform. SRX Series
gateways set new benchmarks with 100GbE interfaces and feature Express Path
technology, which enables up to 2 Tbps performance for the data center. Juniper
Networks offers many SRX firewalls, which are described below.

1. SRX 110: The SRX110 Services Gateway provides next-generation,
enterprise-class security and networking for today's small businesses and
branch offices. The SRX110 Services Gateway consolidates security,
routing, switching, and WAN connectivity in a small desktop device. It
supports up to 700 Mbps firewall and 65 Mbps IPsec VPN in a single,
consolidated, cost-effective networking and security platform.
The Juniper Networks SRX Series Services Gateways product family can
deliver next-generation firewall protection with application awareness and
user role-based controls, plus best-in-class unified threat management (UTM)
options to protect and control your business assets. It also features a built-in
very-high-bit-rate digital subscriber line/asymmetric digital subscriber line
(VDSL/ADSL2+) WAN interface, 3G/4G wireless capabilities, and an 8-port
Fast Ethernet switch. The SRX110 is ideally suited for securing small business
and branch deployments.

Specifications

Junos OS Software version tested: Junos OS 12.1X44-D15

Firewall performance (max): 700 Mbps

IPS performance: 75 Mbps

VPN performance: 65 Mbps

Maximum concurrent sessions: 32,000

New sessions/second (sustained, TCP, 3-way): 1,800

Maximum security policies: 384

Features

Consolidated Switching, Routing, and Security means enterprises can
economically deliver new applications and services with secure connectivity.

Flexible Configuration scales economically to support up to thousands of users.

AppSecure Suite secures a wide range of applications.

Network Security Segmentation enables policy tailoring for zones, VLANs,
IPsec VPNs, and virtual routers for internal, external, and DMZ subgroups.

Integrated unified threat management (UTM) enables site-specific security settings.

Anytime Service Enablement allows quick response to new threats.

2. SRX 220: The SRX220 Services Gateway provides robust, next-generation,
enterprise-class security and networking for today's small to midsize businesses
and distributed enterprise locations. The SRX220 Services Gateway
consolidates security, routing, switching, and WAN connectivity in an all-in-one
1 U device that supports up to 950 Mbps firewall, 100 Mbps IPsec VPN,
and 100 Mbps intrusion prevention system (IPS).

The Juniper Networks SRX Series Services Gateways product family can
deliver next-generation firewall protection with application awareness and
user role-based controls, plus best-in-class unified threat management (UTM)
options to protect and control your business assets. The SRX220 Services
Gateway is ideally suited for securing small to midsize businesses and
distributed enterprise locations.

Specifications

Junos OS Software version tested: Junos OS 12.1X44-D15

Firewall performance (max): 950 Mbps

IPS performance: 80 Mbps

VPN performance: 100 Mbps

Maximum concurrent sessions: 96,000

New sessions/second (sustained, TCP, 3-way): 2,800

Maximum security policies: 2,048

Features

Consolidated Switching, Routing, and Security means enterprises can
economically deliver new applications and services with secure connectivity.

Flexible Configuration scales economically to support up to thousands of users.

AppSecure Suite secures a wide range of applications.

Network Security Segmentation enables policy tailoring for zones, VLANs,
IPsec VPNs, and virtual routers for internal, external, and DMZ subgroups.

Integrated unified threat management (UTM) enables site-specific security settings.

Anytime Service Enablement allows quick response to new threats.

3. SRX 300: SRX300 Services Gateways combine next-generation firewall
and advanced threat mitigation capabilities with routing, switching, and WAN
interfaces to deliver cost-effective, secure connectivity across distributed
enterprise locations. The SRX300 line of services gateways delivers a
next-generation networking and security solution that helps you support the
changing needs of your cloud-enabled enterprise network. Whether you're
rolling out new services and applications across multiple locations,
connecting to the cloud, or improving operational efficiency, the SRX300 line
provides scalable, secure, and easy-to-manage connectivity.
As your network traffic grows, high-density native Gigabit Ethernet ports
available on the SRX300 platforms provide secure connectivity to help you
keep pace. Next-generation firewall and unified threat management (UTM)
capabilities also make it easier to detect and proactively mitigate threats to
improve the user and application experience.
Four SRX300 Services Gateway models are available to address the security
needs of different environments:

SRX300: 1-Gbps firewall with 250-Mbps IPsec VPN. It consolidates
security, routing, switching, and WAN connectivity in a small, fanless desktop
device ideal for retail-type offices with up to 50 users.

SRX320: 1-Gbps firewall with 250-Mbps IPsec VPN. This compact
desktop device features high-performance security, routing, switching, and
WAN connectivity for small, distributed enterprise locations with up to 50
users.

SRX340: 3-Gbps firewall with 500-Mbps IPsec VPN in a 1 U form
factor. Delivering consolidated security, routing, switching, and WAN
connectivity in a 1 U form factor, this device meets the needs of midsized,
distributed enterprise locations with up to 100 users.

SRX345: 5-Gbps firewall with 800-Mbps VPN in a 1 U form factor.
This device securely connects midsized and large distributed enterprise
locations with up to 200 users.

Features

Network segmentation allows you to tailor policies for zones, VLANs, and IPsec
VPNs, and you can use virtual routers for internal, external, and DMZ subgroups.

Next-generation firewall capabilities protect and improve the user and
application experience.

Integrated UTM capabilities allow site-specific security settings.

Easy-to-use on-box GUI enables individual device management.

On- and off-box automation capabilities and centralized network security
management simplify deployment and maintenance across geographically
dispersed locations.

4. SRX 550: The SRX550 Services Gateway is a robust, highly flexible
solution for next-generation security, delivering enterprise-class
networking for protecting today's medium-to-large branch locations.
The SRX550 Services Gateway is an all-in-one solution that consolidates
security, routing, switching, and WAN connectivity into a single 2 U device. It
supports up to 5.5 Gbps firewall, 1 Gbps IPsec VPN, and 800 Mbps intrusion
prevention system (IPS).
The SRX550 supports next-generation firewall capabilities such as intrusion
prevention, application visibility and control, and unified threat management
(UTM) features including antivirus, antispam, and enhanced Web filtering.
Integrated security intelligence offers adaptive threat protection against
command and control (C&C)-related botnets, malware, and Web application
threats. The SRX550 also enforces policies based on GeoIP data from
Juniper-provided feeds. IT organizations can use their own custom and third-party
feeds for advanced threat protection.
The SRX550 is optimized for securing and connecting midsized or large
branch locations that are geographically dispersed. It provides cost-effective,
scalable integration of routing, security, and other midrange applications for
branch sites. IT staff can deploy and manage SRX550 appliances in dispersed
sites using the centralized Junos Space Security Director management
platform.
NSS Labs, the world's leading information security company, recommends
the SRX550 because it delivers outstanding performance, even under the
highest loads, in an architecture that consolidates next-generation firewall
security with rich networking capabilities.
Specifications

Junos OS Software version tested: Junos OS 12.1

Firewall performance (max): 5.5 Gbps

IPS performance: 800 Mbps

VPN performance: 1.0 Gbps

Maximum concurrent sessions: 375,000

New sessions/second (sustained, TCP, 3-way): 27,000

Maximum security policies: 7,256

Features

Comprehensive protection includes multigigabit firewall, security
intelligence via Spotlight Secure, policy enforcement based on GeoIP data,
and UTM (including IPS, application security, user role-based firewall
controls, antivirus, antispam and Web filtering), NAT, DoS and QoS.

Scalable performance enables additional services without degradation.

System and network resiliency ensures carrier-class reliability from
redundant hardware and components, and Junos OS software.

On- and off-box automation capabilities and centralized network
security management simplify the deployment and maintenance of the
SRX550 across geographically dispersed locations.

Easy-to-use on-box GUI for individual device management.

WAN interface flexibility meets the needs of any network.

Network segmentation allows administrators to tailor security and
policies.

5. SRX 1400: The SRX1400 Services Gateway is the ideal platform for securing
small to midsize enterprise, service provider, and mobile operator data center
environments.

The SRX1400 Services Gateway is a professional-grade platform for security
ideally suited for small to mid-size enterprise, service provider, and mobile
operator 10GbE network environments, where consolidated functionality,
uncompromising performance, and services integration are
required. Integrated security intelligence offers adaptive threat protection
against command and control (C&C) related botnets and Web application
threats, and policy enforcement based on GeoIP data. Customers may also
leverage their own custom and third-party feeds for protection from
advanced malware and other threats.
SRX1400 consolidates multiple security services and networking functions in
a highly available 3 U appliance featuring a modular design that uses
common form-factor modules serviceable from the front panel. It
incorporates innovations that improve reliability, enhance network
availability, and deliver deterministic performance of concurrent security
services at scale. A carrier-grade appliance, SRX1400 has been designed
from the ground up for a long, trouble-free service life of continuous
operation in demanding, high-performance data center network
environments.

Specifications

Junos OS Software version tested: Junos OS 12.1X44

Firewall performance (max): 10 Gbps

IPS performance: 3 Gbps

VPN performance: 4 Gbps

Maximum concurrent sessions: 1.5 million

New sessions/second (sustained, TCP, 3-way): 70,000

Maximum security policies: 40,000

Features

Comprehensive protection includes multi-gigabit firewall, security
intelligence via Spotlight Secure, policy enforcement based on GeoIP data,
UTM which includes IPS, application security (AppSecure), user role-based
firewall controls, antivirus, antispam, and Web filtering, NAT, DoS, and
QoS.

Scalable performance enables additional services without degradation.

System and Network Resiliency ensures carrier-class reliability from
redundant hardware and components, and Junos OS software.

Interface flexibility meets the needs of any network.

Network segmentation allows administrators to tailor security and
policies.

6. SRX 5800: The SRX5800 Services Gateway redefines scalability,
integrating security services with a record-breaking 100 million concurrent
sessions and firewall performance of 2 Tbps to meet the needs of the
world's most demanding networks.

The SRX5800 Services Gateway is an award-winning, next-generation
security platform based on an innovative architecture that provides
outstanding performance, scalability, and service integration. Ideally suited
for service provider, large enterprise, and public sector networks, the
SRX5800 supports 2 Tbps firewall, six nines carrier-grade reliability, more
than 100 Gbps intrusion prevention system (IPS), and an industry
record-breaking 100 million concurrent user sessions.
The SRX5800 delivers the industry's most open and scalable threat
intelligence platform. Integrated threat intelligence offers adaptive,
customized protection against command and control (C&C)-related botnets
and malware, as well as dynamic policy enforcement based on GeoIP and
threat data, with intelligence from Juniper-provided feeds. In companies that
have their own threat collection capabilities, you can also leverage the
SRX5800 as an enforcement point for custom and third-party feeds,
protecting against advanced threats unique to your industry. Equipped with a
full range of integrated security features, the massively scalable SRX5800
Services Gateway gives you an optimal solution for securing large enterprise
data centers, hosted or colocated data centers, and service provider
infrastructures.

Specifications

Junos OS Software version tested: Junos OS 15.1x49

Firewall performance (max): 320 Gbps (2 Tbps with Express Path)

IPS performance: 100 Gbps

VPN performance: 200 Gbps

Maximum concurrent sessions: 230 million

New sessions/second (sustained, TCP, 3-way): 2 million

Maximum security policies: Unrestricted

Features

Comprehensive protection includes multigigabit firewall; open,
actionable threat intelligence via Spotlight Secure; dynamic policy
enforcement based on GeoIP and Command & Control (C&C) threat data;
and support for custom and third-party threat feeds.

Advanced security services include IPS, application security
(AppSecure), user role-based firewall controls, UTM (antivirus, antispam,
Web filtering), Network Address Translation (NAT), denial of service (DoS),
and quality of service (QoS).

Express Path, an optimization capability available on the next-generation
line cards (IOC2), securely optimizes SRX5800 performance to
improve IMIX bandwidth by identifying traffic flows that do not require
additional inspection or deep processing.

Scalable performance enables additional services without degradation.

System and network resiliency ensures six nines of carrier-class
reliability from redundant hardware and components, as well as Junos OS
software.

Interface flexibility meets the needs of any network.

Network segmentation allows administrators to tailor security and
policies.

Robust Routing Engine separates data and control planes to allow use
of consolidated routing and security devices.

Capabilities of Juniper Firewall

DoS and DDoS protection (Layers 3 and 4): A denial-of-service attack (DoS attack) is
a cyber-attack where the perpetrator seeks to make a machine or network resource
unavailable to its intended users, such as to temporarily or indefinitely interrupt or
suspend services of a host connected to the Internet. Denial of service is typically
accomplished by flooding the targeted machine or resource with superfluous requests in
an attempt to overload systems and prevent some or all legitimate requests from being
fulfilled.[1] It is analogous to a group of people crowding the entry door or gate to a shop
or business, and not letting legitimate parties enter into the shop or business, disrupting
normal operations.

Distributed denial of service (DDoS) attacks are launched from multiple connected
devices that are distributed across the Internet. These multi-person, multi-device barrages are
generally harder to deflect, mostly due to the sheer volume of devices involved.
TCP reassembly for fragmented packet protection: Also known as Teardrop attacks,
these assaults target TCP/IP reassembly mechanisms, preventing them from putting
together fragmented data packets. As a result, the data packets overlap and quickly
overwhelm the victim's servers, causing them to fail.
Teardrop attacks are a result of an OS vulnerability common in older versions of
Windows, including 3.1, 95 and NT. While patches were thought to have put a stop to
these attacks, a vulnerability resurfaced in Windows 7 and Windows Vista, making
Teardrop attacks once again a viable attack vector.
The vulnerability was re-patched in the latest version of Windows, but operators should
keep an eye out to ensure that it stays patched in all future versions. The SRX firewall
therefore helps mitigate these types of attacks.

Brute force attack mitigation: A common threat web developers face is a
password-guessing attack known as a brute force attack. A brute-force attack is an attempt to
discover a password by systematically trying every possible combination of letters,
numbers, and symbols until you discover the one correct combination that works. If your
web site requires user authentication, you are a good target for a brute-force attack.

Zone-based IP spoofing: IP spoofing is the process of replacing the source IP address
in IP packets with a fake IP address to hide the real identity of the sender. By
changing the source address of the packet an attacker can make it appear that the
packet was sent by a different computer system. The mechanism to detect IP spoofing
relies on route table entries. For example, if a packet with source IP address 10.1.1.6
arrives at ge-0/0/1, but Junos OS has a route to 10.1.1.0/24 through ge-0/0/0, a check
for IP spoofing discovers that this address arrived at an invalid interface as defined in
the route table. A valid packet from 10.1.1.6 can only arrive via ge-0/0/0, not ge-0/0/1.
Therefore, Junos OS concludes that the packet has a spoofed source IP address and
discards it. Junos OS detects and drops both IPv4 and IPv6 spoofed packets.
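The route-table check just described, as an added example written for this page (it is not Junos code): a small route table, a longest-prefix lookup, and the reverse-path test applied to a few constructed packets including the page's own 10.1.1.6 case. Only the 10.1.1.0/24 via ge-0/0/0 entry comes from the text; the other routes, the interface names and the sample packets are constructed, and how a source with no route at all is treated is this example's own choice rather than documented Junos behaviour.

```python
import ipaddress

# Constructed route table: prefix -> egress interface. Only 10.1.1.0/24 via
# ge-0/0/0 is taken from the page; the default routes, the overlapping
# 10.2.0.0/16 and 10.2.5.0/24 and the IPv6 prefix are made up so that the
# example exercises longest-prefix matching and both address families.
ROUTE_TABLE = {
    "0.0.0.0/0": "ge-0/0/1",         # default route toward the untrusted side
    "10.1.1.0/24": "ge-0/0/0",       # the page's example subnet
    "10.2.0.0/16": "ge-0/0/2",
    "10.2.5.0/24": "ge-0/0/3",       # more specific than 10.2.0.0/16
    "::/0": "ge-0/0/1",
    "2001:db8:1::/48": "ge-0/0/0",
}


def lookup_route(addr):
    """Return the egress interface for addr by longest-prefix match, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTE_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def is_spoofed(src_addr, ingress_iface, drop_unrouted=True):
    """Route-table spoof check as the page describes it: the packet is accepted
    only if the route back to its source points out the interface it arrived on.
    A source with no route at all is handled per drop_unrouted, which is a
    design choice of this example, not a Junos behaviour taken from the page."""
    expected = lookup_route(src_addr)
    if expected is None:
        return drop_unrouted
    return expected != ingress_iface


def screen(packets):
    """Apply the check to (src, ingress_iface) pairs; returns a verdict per packet."""
    return [(src, iface, "drop" if is_spoofed(src, iface) else "pass")
            for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample packets, the first one being the page's own case.
    for src, iface, verdict in screen([
        ("10.1.1.6", "ge-0/0/1"),        # spoofed: route says ge-0/0/0
        ("10.1.1.6", "ge-0/0/0"),        # same source on the right interface
        ("203.0.113.5", "ge-0/0/1"),     # matches only the default route
        ("10.2.5.9", "ge-0/0/2"),        # longest match points at ge-0/0/3
        ("2001:db8:1::10", "ge-0/0/1"),  # IPv6 is checked the same way
    ]):
        print(f"{src:>16} on {iface}: {verdict}")
```

The check is only as good as the route table: an asymmetric path, or a default route that covers everything, makes a source look "valid" on the interface the default points at, which is why the page's zone-based form is applied per zone rather than as a single global rule.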

IPsec VPN in Juniper Networks

A virtual private network (VPN) provides a means for securely communicating among
remote computers across a public WAN such as the Internet. A VPN connection can link
two LANs (site-to-site VPN) or a remote dial-up user and a LAN. The traffic that flows
between these two points passes through shared resources such as routers, switches,
and other network equipment that make up the public WAN. To secure VPN
communication while passing through the WAN, the two participants create an IP
Security (IPsec) tunnel.
IPsec is a suite of related protocols for cryptographically securing communications at
the IP Packet Layer. IPsec also provides methods for the manual and automatic
negotiation of security associations (SAs) and key distribution, all the attributes for
which are gathered in a domain of interpretation (DOI). The IPsec DOI is a document
containing definitions for all the security parameters required for the successful
negotiation of a VPN tunnel: essentially, all the attributes required for SA and IKE
negotiations.
The following are some of the IPsec VPN topologies that Junos operating system (OS)
supports:

Site-to-site VPNs: Connects two sites in an organization together and allows
secure communications between the sites.

Hub-and-spoke VPNs: Connects branch offices to the corporate office in an
enterprise network. You can also use this topology to connect spokes together by
sending traffic through the hub.

Remote access VPNs: Allows users working at home or traveling to connect to
the corporate office and its resources. This topology is sometimes referred to as
an end-to-site tunnel.

Policy-based VPNs: In policy-based VPNs, a tunnel is treated as an object that,
together with source, destination, application, and action, constitutes a tunnel policy that
permits VPN traffic.

IPsec Tunnel Traffic Configuration Overview

Traffic configuration defines the traffic that must flow through the IPsec tunnel. You
configure outbound and inbound firewall filters, which identify and direct traffic to be
encrypted and confirm that decrypted traffic parameters match those defined for the
given tunnel. In the example below, Gateway A protects the network 10.1.1.0/24, and
Gateway B protects the network 10.2.2.0/24. The gateways are connected by an IPsec
tunnel.
Figure 1: Example: IPsec

The SA and ES interfaces for Gateway A are configured as follows (the ES interface
name for Gateway A is not given in this excerpt, so it appears as a placeholder):

[edit security ipsec]
security-association manual-sa1 {
    manual {
        direction bidirectional {
            protocol esp;
            spi 2312;
            authentication {
                algorithm hmac-md5-96;
                key ascii-text 1234123412341234;
            }
            encryption {
                algorithm 3des-cbc;
                key ascii-text 123456789009876543211234;
            }
        }
    }
}
[edit interfaces <Gateway A ES interface>]
unit 0 {
    tunnel {
        source 10.5.5.5;
        destination 10.6.6.6;
    }
    family inet {
        ipsec-sa manual-sa1;
        address 10.1.1.8/32 {
            destination 10.1.1.9;
        }
    }
}
The SA and ES interfaces for Gateway B are configured as follows:

[edit security ipsec]
security-association manual-sa1 {
    manual {
        direction bidirectional {
            protocol esp;
            spi 2312;
            authentication {
                algorithm hmac-md5-96;
                key ascii-text 1234123412341234;
            }
            encryption {
                algorithm 3des-cbc;
                key ascii-text 123456789009876543211234;
            }
        }
    }
}
[edit interfaces es-0/1/0]
unit 0 {
    tunnel {
        source 10.6.6.6;
        destination 10.5.5.5;
    }
    family inet {
        ipsec-sa manual-sa1;
        address 10.1.1.9/32 {
            destination 10.1.1.8;
        }
    }
}

Security Associations

A security association (SA) is a unidirectional agreement between the VPN participants
regarding the methods and parameters to use in securing a communication channel.
Full bidirectional communication requires at least two SAs, one for each direction.
Through the SA, an IPsec tunnel can provide the following security functions:

Privacy (through encryption)

Content integrity (through data authentication)

Sender authentication and, if using certificates, nonrepudiation (through data
origin authentication)

The security functions you employ depend on your needs. If you need only to
authenticate the IP packet source and content integrity, you can authenticate the packet
without applying any encryption. On the other hand, if you are concerned only with
preserving privacy, you can encrypt the packet without applying any authentication
mechanisms. Optionally, you can both encrypt and authenticate the packet. Most
network security designers choose to encrypt, authenticate, and replay-protect their
VPN traffic.
An IPsec tunnel consists of a pair of unidirectional SAs, one SA for each direction of
the tunnel, that specify the security parameter index (SPI), destination IP address, and
security protocol (Authentication Header [AH] or Encapsulating Security Payload [ESP])
employed. An SA groups together the following components for securing
communications:

Security algorithms and keys.

Protocol mode, either transport or tunnel. Junos OS devices always use tunnel
mode.

Key-management method, either manual key or AutoKey IKE.

SA lifetime.

For inbound traffic, Junos OS looks up the SA by using the following triplet:

Destination IP address.

Security protocol, either AH or ESP.

Security parameter index (SPI) value.

For outbound VPN traffic, the policy invokes the SA associated with the VPN tunnel.

IPsec Key Management

The distribution and management of keys are critical to using VPNs successfully. Junos
OS supports IPsec technology for creating VPN tunnels with three kinds of key creation
mechanisms:

Manual Key

AutoKey IKE

Diffie-Hellman Exchange

Manual Key
With manual keys, administrators at both ends of a tunnel configure all the security
parameters. This is a viable technique for small, static networks where the distribution,
maintenance, and tracking of keys are not difficult. However, safely distributing manual-key
configurations across great distances poses security issues. Aside from passing the
keys face-to-face, you cannot be completely sure that the keys have not been
compromised while in transit. Also, whenever you want to change the key, you are faced
with the same security issues as when you initially distributed it.
AutoKey IKE
When you need to create and manage numerous tunnels, you need a method that does
not require you to configure every element manually. IPsec supports the automated
generation and negotiation of keys and security associations using the Internet Key
Exchange (IKE) protocol. Junos OS refers to such automated tunnel negotiation as
AutoKey IKE and supports AutoKey IKE with preshared keys and AutoKey IKE with
certificates.
Diffie-Hellman Exchange
A Diffie-Hellman (DH) exchange allows participants to produce a shared secret value.
The strength of the technique is that it allows participants to create the secret value over
an unsecured medium without passing the secret value through the wire. The size of the
prime modulus used in each group's calculation differs as follows:

DH Group 1: 768-bit modulus

DH Group 2: 1024-bit modulus

DH Group 5: 1536-bit modulus

DH Group 14: 2048-bit modulus

DH Group 19: 256-bit modulus elliptic curve

DH Group 20: 384-bit modulus elliptic curve

DH Group 24: 2048-bit modulus with 256-bit prime order subgroup
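The exchange described above, as an added example written for this page (it is not Juniper's or Junos's code): each side picks a private exponent, only the public values g^a and g^b cross the wire, and both sides arrive at the same shared secret. The MODP moduli for groups 1, 2, 5 and 14 are rebuilt from the RFC 2409 / RFC 3526 construction (2^n minus a few terms, plus 2^64 times a rounded multiple of pi plus a per-group constant); the per-group constants are as I recall them from those RFCs and are treated as assumptions, so the code refuses to use a modulus that does not pass a Miller-Rabin primality test. The key derivation at the end is a plain SHA-256 over the shared secret for illustration only; IKE's own PRF/SKEYID construction is not reproduced here.

```python
import hashlib
import secrets

# (modulus bits, additive constant c) per group, for the MODP construction
#   p = 2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + c)
# Assumption: the c values are recalled from RFC 2409 (groups 1, 2) and
# RFC 3526 (groups 5, 14); modp_prime() verifies primality before use.
MODP_GROUPS = {1: (768, 149686), 2: (1024, 129093),
               5: (1536, 741804), 14: (2048, 124476)}
GENERATOR = 2


def pi_scaled(ndigits):
    """floor(pi * 10**ndigits) using integer arithmetic only, via Machin's
    formula pi = 16 atan(1/5) - 4 atan(1/239), with ten guard digits."""
    scale = 10 ** (ndigits + 10)

    def atan_inv(x):
        total, term, n, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // n)
            term //= x * x
            n += 2
            sign = -sign
        return total

    return (16 * atan_inv(5) - 4 * atan_inv(239)) // 10 ** 10


def is_probable_prime(n, rounds=8):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def modp_prime(group):
    """Rebuild the group's modulus and return it only if it really is prime."""
    bits, c = MODP_GROUPS[group]
    k = bits - 130
    ndigits = k * 302 // 1000 + 20          # decimal digits of pi needed for 2^k * pi
    floor_pi_2k = (pi_scaled(ndigits) << k) // 10 ** ndigits
    p = 2 ** bits - 2 ** (bits - 64) - 1 + 2 ** 64 * (floor_pi_2k + c)
    if p.bit_length() != bits or not is_probable_prime(p):
        raise ValueError(f"group {group}: constructed modulus is not a {bits}-bit prime")
    return p


def dh_exchange(group):
    """Run one DH exchange. Returns (modulus bits, both sides agree?, derived key).
    Private exponents never leave their side; only pub_a and pub_b are sent."""
    p = modp_prime(group)
    a = secrets.randbelow(p - 2) + 1       # initiator's private exponent, 1..p-2
    b = secrets.randbelow(p - 2) + 1       # responder's private exponent
    pub_a = pow(GENERATOR, a, p)           # initiator -> responder
    pub_b = pow(GENERATOR, b, p)           # responder -> initiator
    for pub in (pub_a, pub_b):             # reject degenerate public values
        if pub in (1, p - 1):
            raise ValueError("degenerate DH public value")
    secret_a = pow(pub_b, a, p)            # computed by the initiator
    secret_b = pow(pub_a, b, p)            # computed by the responder
    bits = p.bit_length()
    # Illustrative key derivation only: hash the big-endian shared secret.
    key = hashlib.sha256(secret_a.to_bytes(bits // 8, "big")).digest()
    return bits, secret_a == secret_b, key


if __name__ == "__main__":
    bits, agreed, key = dh_exchange(14)
    print(f"group 14: {bits}-bit modulus, secrets agree: {agreed}, key {key.hex()[:16]}...")
```

The group number chosen in the IKE proposal is what fixes the modulus size, and therefore the work an eavesdropper would need; the degenerate-value check mirrors the kind of public-value validation an IKE implementation performs before trusting a peer's g^x.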

IPsec Security Protocols

IPsec uses two protocols to secure communications at the IP layer:

Authentication Header (AH): A security protocol for authenticating the source of an IP
packet and verifying the integrity of its content.

Encapsulating Security Payload (ESP): A security protocol for encrypting the entire
IP packet (and authenticating its content).

AH Protocol
The Authentication Header (AH) protocol provides a means to verify the authenticity and
integrity of the content and origin of a packet. You can authenticate the packet by the
checksum calculated through a Hash Message Authentication Code (HMAC) using a
secret key and either MD5 or SHA-1 hash functions.

Message Digest 5 (MD5): An algorithm that produces a 128-bit hash (also called
a digital signature or message digest) from a message of arbitrary length and a 16-byte
key. The resulting hash is used, like a fingerprint of the input, to verify content and
source authenticity and integrity.

Secure Hash Algorithm (SHA-1): An algorithm that produces a 160-bit hash from a
message of arbitrary length and a 20-byte key. It is generally regarded as more secure
than MD5 because of the larger hashes it produces. Because the computational
processing is done in the ASIC, the performance cost is negligible.
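An added example (written for this page, not Junos code) that ties the inbound SA lookup triplet from the Security Associations section to the HMAC check described here: a small inbound SA database keyed by (destination address, protocol, SPI), the page's manual SA (ESP, SPI 2312, hmac-md5-96 with its 16-byte demo key) installed for both tunnel endpoints, and a receiver that recomputes the 96-bit truncated ICV and rejects anything that fails the check. The packet framing is a simplified ESP-like layout constructed for the example, and the 3DES encryption step is left out because the Python standard library has no 3DES, so only the authentication path is shown.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    dst: str        # destination IP address of the protected packet
    protocol: str   # "esp" or "ah"
    spi: int        # security parameter index
    auth_alg: str   # e.g. "hmac-md5-96"
    auth_key: bytes


# HMAC hash and ICV length: the "-96" suffix means the MAC is truncated to 96 bits.
AUTH_ALGS = {"hmac-md5-96": (hashlib.md5, 12), "hmac-sha1-96": (hashlib.sha1, 12)}

# Inbound SA database keyed by the page's lookup triplet (dst, protocol, SPI).
SAD = {}


def install_sa(sa):
    SAD[(sa.dst, sa.protocol, sa.spi)] = sa


# The page's manual SA (SPI 2312, ESP, hmac-md5-96, demo key) as each gateway
# holds it for its own inbound direction. Both entries share the SPI and differ
# only in destination address, which is why the lookup needs the full triplet.
DEMO_KEY = b"1234123412341234"
install_sa(SecurityAssociation("10.5.5.5", "esp", 2312, "hmac-md5-96", DEMO_KEY))  # Gateway A inbound
install_sa(SecurityAssociation("10.6.6.6", "esp", 2312, "hmac-md5-96", DEMO_KEY))  # Gateway B inbound


def lookup_inbound_sa(dst, protocol, spi):
    return SAD.get((dst, protocol, spi))


def compute_icv(sa, authenticated):
    """HMAC over the authenticated bytes, truncated as the algorithm name says."""
    digestmod, trunc = AUTH_ALGS[sa.auth_alg]
    return hmac.new(sa.auth_key, authenticated, digestmod).digest()[:trunc]


def build_packet(sa, payload, seq):
    """Constructed ESP-like framing: SPI(4) | seq(4) | payload | ICV(12).
    Payload encryption is omitted; this shows the authentication path only."""
    body = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return body + compute_icv(sa, body)


def verify_inbound(dst, protocol, packet):
    """Receiver side: parse the SPI, find the SA by (dst, protocol, spi), and
    check the ICV in constant time. Returns (ok, payload_or_reason)."""
    if len(packet) < 8 + 12:
        return False, "truncated packet"
    spi = int.from_bytes(packet[:4], "big")
    sa = lookup_inbound_sa(dst, protocol, spi)
    if sa is None:
        return False, f"no SA for {dst}/{protocol}/spi {spi}"
    _, trunc = AUTH_ALGS[sa.auth_alg]
    body, icv = packet[:-trunc], packet[-trunc:]
    if not hmac.compare_digest(compute_icv(sa, body), icv):
        return False, "ICV mismatch"
    return True, body[8:]


if __name__ == "__main__":
    sa_b = lookup_inbound_sa("10.6.6.6", "esp", 2312)
    pkt = build_packet(sa_b, b"constructed payload", seq=1)
    print(verify_inbound("10.6.6.6", "esp", pkt))
    tampered = bytearray(pkt)
    tampered[9] ^= 0xFF                      # flip one payload bit in transit
    print(verify_inbound("10.6.6.6", "esp", bytes(tampered)))
    print(verify_inbound("10.6.6.6", "ah", pkt))   # wrong protocol: no SA found
```

Two things worth noticing: the SA is selected before any cryptography runs, so a packet whose triplet matches nothing is dropped without touching a key, and the ICV comparison uses hmac.compare_digest so that a forged ICV cannot be guessed one byte at a time from timing differences.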
ESP Protocol
The Encapsulating Security Payload (ESP) protocol provides a means to ensure privacy
(encryption) and source authentication and content integrity (authentication). ESP in
tunnel mode encapsulates the entire IP packet (header and payload) and then appends
a new IP header to the now-encrypted packet. This new IP header contains the
destination address needed to route the protected data through the network.
With ESP, you can both encrypt and authenticate, encrypt only, or authenticate only. For
encryption, you can choose one of the following encryption algorithms:

Data Encryption Standard (DES): A cryptographic block algorithm with a 56-bit
key.

Triple DES (3DES): A more powerful version of DES in which the original DES
algorithm is applied in three rounds, using a 168-bit key. DES provides significant
performance savings but is considered unacceptable for many classified or sensitive
material transfers.

Advanced Encryption Standard (AES): An encryption standard which offers
greater interoperability with other devices. Junos OS supports AES with 128-bit, 192-bit,
and 256-bit keys.

IPsec Tunnel Negotiation

To establish an AutoKey IKE IPsec tunnel, two phases of negotiation are required:

In Phase 1, the participants establish a secure channel in which to negotiate the
IPsec security associations (SAs).

In Phase 2, the participants negotiate the IPsec SAs for encrypting and
authenticating the ensuing exchanges of user data.

For a manual key IPsec tunnel, because all the SA parameters have been previously
defined, there is no need to negotiate which SAs to use. In essence, the tunnel has
already been established. When traffic matches a policy using that manual key tunnel or
when a route involves the tunnel, the Juniper Networks device simply encrypts and
authenticates the data, as you determined, and forwards it to the destination gateway.
The remote IKE gateway address can be in any virtual routing (VR) instance. VR is
determined during IKE Phase 1 and Phase 2 negotiation. VR does not have to be
configured in the IKE proposals. If the IKE gateway interface is moved from one VR to
another, the existing IKE Phase 1 and Phase 2 negotiations for the IKE gateway are
cleared, and new Phase 1 and Phase 2 negotiations are performed.
