# Preface

Security is one of the fastest moving segments within the realm of technology. Whereas most technology is created to offer new services or products, security is created to prevent the abuse of these new products and or services. In today’s world, where we are always connected in ways that have never been available to us before, the need to secure this connectivity is greater than ever.

Most of the world’s pockets hold smart phones. These tiny devices contain more computing power than what was used to land people on the moon; the pocket GPS device that assists you in navigating your day is more advanced than the technology used on the Apollo spacecraft. That same smart phone can photograph a paper check and instantly deposit its funds to your bank account. These types of technologies were always dreamed about but now are available to almost everyone.

In this same vein, there is a humongous generation of data that is currently being created every minute of every day. More data was created within 2012 than all the other years before combined. For example, 60 hours of video are uploaded to YouTube every minute of the day. This means that there is more content uploaded to one website than you could watch within your lifetime, even if you did nothing but watch YouTube. And that’s just one website and one type of media. The rapid expanse of information and data and media puts security needs at an all-time high, not only to provide security, but to provide it at higher scales and performance levels.

This scaling has happened at extremely fast rates due to the amount and the diversity of network-based applications. In the past, simple packet filters could limit the few network protocols that were being used. Only a few open ports were needed at the time. From packet filters on simple routers evolved proxy-based firewalls. These firewalls offered some of the most secure methods of securing transit data by literally controlling both sides of the transaction between the client and servers. They were able to inspect all parts of the traffic flows. However, as Internet circuits increased with available bandwidth, the maximum performance of these devices was being exceeded and a new technology was needed.

Then came the rise of stateful firewalls. Stateful firewalls were able to maintain the state of the connection and were able to allow and deny network traffic dynamically on the network. These firewalls did not need to proxy or broker the connections between the client and the servers. The stateful firewall could partially inspect the traffic and very well control which Internet Protocol (IP) addresses could contact other IPs. This is the primary technology that was used when the NetScreen ScreenOS platforms were created, and stateful monitoring could happen very effectively within these devices. However, as protocols evolved and became streamlined, more and more importance was put onto the application side of the traffic. This meant that simply inspecting the IP addresses and ports was not enough, and an additional depth of inspection was needed.

Learning from how stateful firewalls and proxy firewalls operated, a new technology called intrusion prevention systems (IPS) was created. This merged together the passive monitoring concepts from intrusion detection and the active blocking from stateful firewalls. It offered similar properties to what a proxy could do without the need to proxy all of the connections, allowing for deeper inspection of the applications but without the performance overhead of terminating two connections per session.

But all these technologies were typically done across several different types of devices. Each device had different management paradigms, different operating systems, and new behaviors for their administrators to learn. On the networking side of things, Juniper Networks had been producing the Junos operating system for more than 10 years before the SRX project. The goal was to provide the robustness of Junos and integrate these various security technologies into the platform. Juniper took its high-end custom ASICs and rock solid OS, and merged them with a new generation of high-speed network-focused processors to create the SRX. The SRX was designed to incorporate packet filtering, IPS, stateful firewalling, and future-focused hardware into a single device all running the Junos operating system. This idea was always dreamed of and called the “god box,” but after 2008, you could simply call it the SRX.

Since the SRX product line was launched, new technologies have been developed, such as application firewalling that allows you to block traffic based on what protocols are being used within the connection and not just on the ports that are utilized. Because the design of the SRX was so forward thinking, it has been trivial for Juniper to add this and other new features to the SRX. Now we’re at the point where the next generation of SRX hardware and features have launched to not only combat the security issues that we see today, but to ensure that the new hardware can last for at least five years. That’s a herculean task in our data-filled world, but for Juniper Networks and the amazing engineering minds there, it is not so much a task; instead, it is simply what the company does.

In its first four years, the SRX has quickly become one of the most deployed products that Juniper has ever made. We have personally deployed hundreds, from retail locations to data centers. Although the hardware platforms have been stable for some time, we are now starting to see some of the first new hardware refreshes, starting with the big-iron SRX5000 Series devices, and the entire product line will soon have new hardware revisions. Again, Juniper takes a different approach by starting with extremely robust hardware and then continually adding new features to it over its life cycle, including both throughput and capacity increases within the same hardware. An example of this was the largest SRX launched with 4 million maximum sessions, and yet using the same hardware, it can now handle up to 20 million concurrent sessions. With the next generation of hardware, Juniper is starting with 60 million sessions and plans to continually increase to hundreds of millions over time.

We believe, and have witnessed, that learning the SRX is an investment that pays off for any networking professional. There are so many aspects to the capabilities of the SRX and Junos that taking the time to learn them can only benefit you—even the smallest SRX can offer IPS, application security, UTM, stateful firewalling, packet filtering, and attack screening—and each of these offers a lot of depth. Then on the networking side, even the smallest SRX offers MPLS, VPLS, OSPF, BGP, switching, and well, almost every modern networking protocol in one device. So, if your future takes you toward more of a networking focus, the SRX can help guide you down that path, too. But that is not all. There’s Junos.

Junos is a FreeBSD-based operating system that contains all the familiar facilities that one would find within a Unix-like environment, including raw device control over the BSD side of the device. Junos also allows scripting tasks, so you can utilize automation all the way up to, and including, creating your own processes that can run on the platform. No matter where you want to start with Junos, it can be your best friend on a journey of learning that spans many different technologies within the Junos ecosphere. What you learn in this book can be applied to other Junos devices and other network segments.

The discussions for writing this book started in 2012, and by completion it will have taken the effort of nearly a dozen people at least a year. We wrote this book not only because we care, but also because both of us have been there. We have experienced those late-night cutovers where nothing goes right. Both of us have been placed onsite with a new product that we have never used and we had no idea how to use it. We understand your pain and what you have been through; we know what it is like to be tasked with the impossible knowing that perfection is the only acceptable outcome. We are very thankful for every copy we sell, but most important, we are thankful for every person that we help.

So how does this book differ from the previous published Junos Security book? Well, we took what we learned from talking to our readers and various customers after the publication of Junos Security and respun the book to better fit your needs. In that first book, our goal was to be hyperdetailed about all possible aspects of the SRX. Most of the focus was around the data center devices, as those had been out for the longest time. This time around we want the book to be focused on best practices and what matters with the products in the field. Finally, Junos Security was written with five authors, and that’s just too many cooks. This book is tightly focused because we have had the opportunity to keep a consistent tone and reading experience throughout the book.

Note that much of the content in Junos Security was considered too advanced, or about a feature set that is simply not commonly used, and we removed it from this book. This allows the Junos Security book to stand on its own for its depth and breadth, but also to be complementary to this, the newer book.

We have worked with hundreds of customers and thousands of design scenarios since Junos Security was published, and we have spent countless hours going into the bowels of the SRX. Now, we have come back to talk about it. This book is focused around how to get the most out of your SRX and the best ways to accomplish that: it is literally field-tested and battle hardened.

This book is focused on two aspects of the SRX: Junos and security. A good friend of ours once said that the problem with security books is that security often starts too late into the book. With that in mind, each chapter was either rewritten or retooled to focus on security. Even in cases where Junos is the topic, the goal of those sections is not only how Junos works, but how to secure it.

We also took out a lot of topics that focused only on networking. Although the SRX is an extremely capable networking device, we wanted to focus purely on security. This was one of the biggest bits of feedback that we received on the previous book. There are many other books in the Juniper Networks Technical Library from O’Reilly Media that more deeply define the networking capabilities of Junos. Throughout this book we will point you to those books, or other guides that can help out in this area, as they do much more justice on the topics than we can put into this book.

We think we have been truthful to our initial goals: update the topic, improve the focus, include the new features and capabilities, and try to answer the questions we constantly get from the field. We hope you like it.

## How to Use This Book

How can you get the most out of this book? We are assuming that you have some basic networking knowledge. If you don’t, that’s okay, because we made an effort to write in a “fireside chat” method as if we were walking each reader personally though the material. The various configuration examples were written as if we were typing them with you in the same room. We used variations in the examples to highlight different tips and tricks for how to utilize the CLI. This should also keep the reading interesting as you go through the book. Each example has a bit of variation in it, so do look for that.

We do not expect you to have any prior firewall or SRX experience. We wrote the first five chapters so they could be read at any level. This means that even if you have no idea what an IP is, you can still follow along. Often we talk to customers who just want to learn more about the SRX but really have no interest in ever getting “hands-on” with the products, so these initial chapters are open for anyone to read. But these chapters are also valuable to the experienced administrator, as we incorporated best practices from our experiences in the field. So, although the first chapter is a very basic explanation of what the SRX is, and how it can work, it also shows the SRXs in ways in which they are actually deployed in real customer networks. This should keep the book interesting for both the novice and the advanced reader alike.

If you are not familiar with networking or Junos, here are some basic terms and concepts that you should know before you start on these pages.

OSI model

The Open Systems Interconnection (OSI) model defines seven different layers of technology: physical, data link, network, transport, session, presentation, and application. This model allows network engineers and network vendors to easily discuss and apply technology to a specific OSI level. This segmentation lets engineers divide the overall problem of getting one application to talk to another into discrete parts and more manageable sections. Each level has certain attributes that describe it and each level interacts with its neighboring levels in a very well-defined manner. Knowledge of the layers above Layer 7 is not mandatory, but understanding that interoperability is not always about electrons and photons will help.

Switches

These devices operate at Layer 2 of the OSI model and use logical local addressing to move frames across a network. Devices in this category include Ethernet in all it variations, VLANs, aggregates, and redundant.

Routers

These devices operate at Layer 3 of the OSI model and connect IP subnets to each other. Routers move packets across a network in a hop-by-hop fashion.

Ethernet

These broadcast domains connect multiple hosts together on a common infrastructure. Hosts communicate with each other using Layer 2 media access control (MAC) addresses.

Hosts using IP to communicate with each other use 32-bit addresses. Humans often use a dotted decimal format to represent this address. This address notation includes a network portion and a host portion, which is normally displayed as 192.168.1.1/24.

TCP and UDP

These Layer 4 protocols define methods for communicating between hosts. The Transmission Control Protocol (TCP) provides for connection-oriented communications, whereas the User Datagram Protocol (UDP) uses a connectionless paradigm. Other benefits of using TCP include flow control, windowing/buffering, and explicit acknowledgments.

ICMP

Network engineers use this protocol to troubleshoot and operate a network, as it is the core protocol used (on some platforms) by the ping and traceroute programs. In addition, the Internet Control Message Protocol (ICMP) is used to signal error and other messages between hosts in an IP-based network.

Junos CLI

Juniper Networks routers use the Junos command-line interface (CLI), which is the primary method for configuring, managing, and troubleshooting the router. Junos documentation covers the CLI in detail, and it is freely available on the Juniper Networks website. The Juniper Day One Library offers free PDF books that explore the Junos CLI step by step.

Supported Features

Because there are many variations of platforms and releases, it would be too extensive to compile into a book. The best option is to refer to the pathfinder tool, which documents up-to-date releases with what features are supported. To view pathfinder please go to http://pathfinder.juniper.net. This requires a customer portal login. In pathfinder you will want to use the feature explorer to review feature limitations for transparent mode as well as any other feature support that is listed here.

## What’s in This Book?

This book is presented in 14 chapters. The first four chapters are designed to get you started using the SRX. If you are an advanced user, don’t skip these chapters, as they include some best practices about Junos and the SRX when it comes to the initial setup.

The remaining chapters were ordered by the popularity of the features. Chapters 5 through 9 are features that are used in almost every SRX deployment. Because of this, we wrote them in a manner that assumes the reader would read them sequentially. They will stand on their own, of course, but if you read them in order you’ll notice more about the concepts that we are building on. Chapters 10 through 14 are all standalone chapters. These also are the deeper chapters in terms of complexity, as they focus on some of the more compelling and complex features of the SRX, including AppSecure, IPS, UTM, and more.

Get comprehensive coverage of the SRX Series by using the following chapters:

Chapter 1

This chapter explains what the SRX is and how it can be best utilized. The content covers the various deployment scenarios for the SRX and the history of the SRX. This chapter is a great read for anyone who wants to know more about the SRX. No technical background is required for this chapter.

Chapter 2

Moving on from how the SRXs are deployed, we focus on the hardware itself. We take a look at the components and platforms that make up the SRX product line. The content of this chapter is great for anyone who needs to deploy, select, or understand the products that make up the SRX Series.

Chapter 3

Although Junos is primarily a CLI-focused platform, it does have several different tools to manage both the devices and your Juniper Security infrastructure. This chapter takes a look at the on-box Junos GUI management tools as well as the centralized management tools available. This chapter offers an overview of the tools more so than an in-depth look at them. GUI tools are the ones that most rapidly evolve within the Junos ecosphere. Because of this, we focused on teaching you how to use the tools rather than the specifics of the tools. This chapter is the one that is most likely to lose relevance over the lifetime of the book, so it was written to best provide value over the long haul.

Chapter 4

The SRX contains an extreme amount of networking features. This chapter focuses on the most core networking features of the SRX and the best practices in configuring them.

Chapter 5

Junos has the option of not only providing traffic processing capabilities, but it also has many different services it can offer the network. These include both services such as DHCP, NTP, DNS, JFlow, and Logging and system management services such as Secure Shell and others. This chapter reviews how to both configure and secure the most important services on an SRX.

Chapter 6

Typically, an SRX is deployed much like a traditional router with IP addresses on the interfaces, but there are times when security is still needed and the traditional deployment model is unacceptable. Because of this, the SRX can act in a transparent mode or as a bump in the wire. This chapter reviews this function in its entirety and how you can use this mode to your advantage.

Chapter 7

Around 90 percent of all SRX deployments are done in a highly available configuration. In today’s “always connected” world, service failures are simply not an option. This chapter works to take the hard work out of high availability and show you the best practices to configure, troubleshoot, and deploy your SRXs in a highly available manner.

Chapter 8

The fundamental value proposition of the SRX is to restrict and to protect access to hosts on the network. This chapter reviews how to configure and implement security policies on the SRX. This is the cornerstone for all security that the SRX provides.

Chapter 9

Manipulating the IP address in a packet or network address translation (NAT) is a key feature that almost all SRX devices use. This chapter covers the most common types of NAT and how to optimally configure them for use in your network. Both IPv4 and IPv6 are covered within the chapter. Although the popularity of IPv6 is steadily growing, most enterprises do not tend to use it. But within this chapter, and the rest of the book, IPv6 is treated as a first-class citizen, as it is commonly used within Junos implementations.

Chapter 10

Securely connecting networks together is a staple for any firewall. The SRX offers a host of IPsec features that allow you to securely transport your information anywhere in the world. This chapter details the best practices for configuring and securing the transport of your critical data.

Chapter 11

Screening is a very basic but fundamental method to protect your network and the SRX itself. A screen is a simple policy that defines how the SRX should respond to potential Layer 3 and Layer 4 attacks. These attacks can cripple almost any network or firewall. This is why the configuration of screens is so critical. An SRX without the correct screens configured can be attacked by anyone on the network. But by enabling a few screens, the SRX and its connected network are secured from these otherwise devastating attacks.

Chapter 12

AppSecure is a suite of features that allow you to provide security past the IP address and port. It gives you the power to block individual users from using specific applications. It also offers statistical analysis on what protocols are being used on your network. This chapter covers most of what makes up a next-generation firewall. This is one of the hottest and most interesting features that has come to the SRX.

Chapter 13

AppSecure provides deeper inspection into the applications on your network, but IPS offers extreme depth and security. IPS is able to detect individual attacks that are often buried deep within a protocol and stop them before they hit critical hosts. This chapter covers the overview of IPS as well as the best ways to take advantage of the technology to secure your infrastructure.

Chapter 14

Unified Threat Management (UTM) is a suite of tools that are used to provide protection for specific kinds of threats. These include but are not limited to antivirus and antispam. These types of tools are used typically within branch office locations, but they can also be scaled to protect larger enterprises. This chapter covers the configuration and best methodologies on how to use these features to protect your network.

## Conventions Used in This Book

The following typographical conventions are used in this book:

Italic

Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities

Constant width

Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, and the output from commands

Constant width bold

Shows commands and other text that should be typed literally by the user, as well as important lines of code

Constant width italic

Shows text that should be replaced with user-supplied values

This icon signifies a tip, suggestion, or general note.

This icon indicates a warning or caution.

## Using Code Examples

This book is here to help you get your job done. In general, if this book includes code examples, you may use the code in this book in your own configuration and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the material. For example, deploying a network based on actual configurations from this book does not require permission. Selling or distributing a CD-ROM of examples from this book does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of sample configurations or operational output from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN, for example: “Juniper SRX Series, by Brad Woodberg and Rob Cameron. Copyright 2013 Brad Woodberg and Rob Cameron, 978-1-449-33896-1.”

If you feel your use of code examples falls outside fair use or the permission given here, feel free to contact us at .

## Safari® Books Online

Safari Books Online (www.safaribooksonline.com) is an on-demand digital library that delivers expert content in both book and video form from the world’s leading authors in technology and business.

Technology professionals, software developers, web designers, and business and creative professionals use Safari Books Online as their primary resource for research, problem solving, learning, and certification training.

Safari Books Online offers a range of product mixes and pricing programs for organizations, government agencies, and individuals. Subscribers have access to thousands of books, training videos, and prepublication manuscripts in one fully searchable database from publishers like O’Reilly Media, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, Course Technology, and dozens more. For more information about Safari Books Online, please visit us online.

 O’Reilly Media, Inc. 1005 Gravenstein Highway North Sebastopol, CA 95472 800-998-9938 (in the United States or Canada) 707-829-0515 (international or local) 707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at http://oreil.ly/Juniper_SRX.