JNCIS-SEC [Introduction]

Packet forwarding on Junos security devices is stateful, unlike a traditional router, whose forwarding is stateless: each packet is routed on its own, with no memory of the packets that came before it.

A security device has several requirements beyond plain routing:

1) Stateful packet processing based on IP, transport and application layer information
2) NAT and PAT
3) VPNs with authentication and encryption

Stateful packet processing is built on flows. A flow is unidirectional and is identified by six elements:

1) Source IP address
2) Destination IP address
3) Source port number
4) Destination port number
5) Protocol number
6) Session token (a unique number identifying the zone and virtual router the flow belongs to)

A session is made up of two such flows, one for each direction of the conversation.

High End SRX Components:

Firewall throughput: 20Gbps to 120Gbps

* IOC: Input/output card
* NPC: Network Processing Card
* SPC: Services Processing Card
* SCB: Switch Control Board
* RE: Routing Engine

IOC: Carries the physical interfaces. SPCs and IOCs share the same modular architecture and can be installed in the same slots.
NPC: Distributes inbound and outbound traffic to the appropriate SPCs and IOCs and is responsible for QoS and for DoS/DDoS protection. In the SRX5000 series the NPC function is integrated into the IOC.
SPC: Processes all available services (firewall, NAT, VPN and so on).
SCB: Monitors and controls system functions and provides the switch fabric interconnecting all IOCs in the chassis.
RE: An Intel-based computer running the Junos software processes; it maintains the routing tables, runs the routing protocols and controls the chassis components.

Here is the packet flow for high-end devices:

1) The packet enters through an IOC (oversubscription control is applied here).
2) The packet traverses the switch fabric from the IOC to an NPC. The NPC performs a flow lookup. If the packet belongs to an existing flow, the NPC forwards it to the SPC that owns the session. If no flow exists, the packet is handed to the central point (running on an SPC), which creates the session and assigns the flow to an SPC for further processing. The NPC also performs CoS, policing and shaping.
3) The packet traverses the switch fabric to its associated SPC, where security processing and forwarding/routing occur.
4) The packet traverses the switch fabric back to an NPC, where packet processing, shaping and CoS occur.
5) The packet traverses the switch fabric to the IOC associated with the egress interface and is sent to the physical medium.

SRX branch devices are a little different. Throughput is between 75 Mbps and 7 Gbps and the components differ from the high-end models:
a) Multi-core network processing unit
b) PIM: Physical Interface Module
c) SRE: Services and Routing Engine (SRX650 only)

Multi-core processing unit: Uses multiple hardware threads to provide both data plane and control plane services.
PIM: The module that carries the physical interfaces.
SRE: A replaceable unit in the SRX650 that provides the routing protocol processes, services processing power, chassis control and so on.

Control plane: This is the Routing Engine. It consists of the Junos kernel, the various daemons, chassis management and so on.
Data plane: Implemented on the IOCs, NPCs and SPCs in high-end devices, and on the CPU cores and PIMs in branch devices.

Logical Packet Flow:
There are two paths to consider: the first path and the fast path.

First path: Taken when there is no existing flow for the incoming packet. The packet is checked against the screens, the route table and the security policy (and NAT, if configured); once the session is created it is placed in the session hash table for further processing. Junos starts an inactivity timer for the session: 30 minutes (1800 seconds) by default for TCP and 1 minute (60 seconds) for UDP. If no traffic matches the session before the timer expires, Junos ages the session out.
Fast path: Taken when a matching session already exists. The packet is processed using the state stored in the session and skips the policy lookup.

Below is a sample image from the Juniper documentation:

If a policy is changed, by default only new sessions are affected by the change, whereas routing changes are always propagated to existing sessions. If existing sessions should be re-evaluated against the modified policy, enable policy rematch (set security policies policy-rematch); sessions that no longer match a permit policy are then dropped.

One last thing: by default an SRX does not allow transit traffic to pass. There is an implicit deny-all policy, so traffic is forwarded only when a security policy explicitly permits it, as opposed to traditional router behaviour.
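To make the flow concepts above concrete (the 6-tuple flow key, a session with one flow per direction, first path versus fast path, the TCP/UDP inactivity timeouts, the implicit default deny, and a policy change affecting only new sessions unless policy rematch is on), here is a small Python model of a flow module. It is an added example written for this page, not Juniper code, and it does not reflect how Junos implements any of this internally. The zone names, the fixed session tokens per zone, the one-route "routing table" that places 10.0.0.0/8 in trust, the sample packets and the sample policies are all constructed for the illustration; only TCP and UDP timeouts are modelled.

```python
"""Toy model of the Junos SRX flow module (added example, not Juniper code).
It models the text's 6-tuple flows, two-wing sessions, first path versus fast
path, TCP/UDP inactivity ageing, the implicit default deny and policy-rematch.
Assumed: two zones with fixed tokens, 10.0.0.0/8 in trust, TCP and UDP only.
"""
import ipaddress
from collections import namedtuple

TCP, UDP = 6, 17
TIMEOUTS = {TCP: 1800, UDP: 60}                 # default inactivity timeouts (s)
ZONE_TOKENS = {"trust": 1, "untrust": 2}        # assumed per-zone session tokens
TRUST_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed one-route "routing table"

Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port proto")
Policy = namedtuple("Policy", "name from_zone to_zone proto dst_port action")

class Session:  # one session, referenced from both of its wings in the flow table
    def __init__(self, policy, forward, reverse, now, timeout):
        self.policy, self.forward, self.reverse = policy, forward, reverse
        self.last_seen, self.timeout = now, timeout

def zone_of(ip):
    """Stand-in for the route lookup that yields the zone of an address."""
    return "trust" if ipaddress.ip_address(ip) in TRUST_NET else "untrust"

def flow_key(p):  # the 6-tuple: src, dst, sport, dport, protocol, source-zone token
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, ZONE_TOKENS[zone_of(p.src_ip)])

class FlowModule:
    def __init__(self, policies, policy_rematch=False):
        self.policies, self.policy_rematch = list(policies), policy_rematch
        self.table = {}   # flow key -> Session, one entry per wing

    def lookup_policy(self, p):
        """First matching policy, else the implicit default-deny policy."""
        src_zone, dst_zone = zone_of(p.src_ip), zone_of(p.dst_ip)
        for pol in self.policies:
            if (pol.from_zone, pol.to_zone, pol.proto, pol.dst_port) == (src_zone, dst_zone, p.proto, p.dst_port):
                return pol
        return Policy("default-deny", src_zone, dst_zone, p.proto, p.dst_port, "deny")

    def _remove(self, s):
        self.table.pop(s.forward, None)
        self.table.pop(s.reverse, None)

    def process(self, p, now):
        """Return (path, action) for one packet seen at time `now` (seconds)."""
        key = flow_key(p)
        s = self.table.get(key)
        if s is not None:
            if now - s.last_seen > s.timeout:
                self._remove(s)                    # aged out: treat as a new flow
            else:
                s.last_seen = now                  # fast path: no policy lookup
                return ("fast", "permit")
        pol = self.lookup_policy(p)                # first path
        if pol.action != "permit":
            return ("first", "deny")
        back = Packet(p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.proto)
        s = Session(pol.name, key, flow_key(back), now, TIMEOUTS[p.proto])
        self.table[s.forward] = self.table[s.reverse] = s
        return ("first", "permit")

    def replace_policies(self, policies):
        """Install a new policy set; with rematch, drop sessions no longer permitted."""
        self.policies = list(policies)
        if not self.policy_rematch:
            return 0                               # default: only new sessions affected
        dropped = 0
        for s in list({id(s): s for s in self.table.values()}.values()):
            if self.lookup_policy(Packet(*s.forward[:5])).action != "permit":
                self._remove(s)
                dropped += 1
        return dropped

def demo():
    """SSH session both ways, an unsolicited inbound packet, a policy change, UDP ageing."""
    ssh = Policy("trust-to-untrust-ssh", "trust", "untrust", TCP, 22, "permit")
    out = Packet("10.1.1.10", "203.0.113.5", 40000, 22, TCP)   # constructed sample packets
    back = Packet("203.0.113.5", "10.1.1.10", 22, 40000, TCP)
    r, fw = {}, FlowModule([ssh])
    r["syn"] = fw.process(out, 0.0)                  # first path, permitted
    r["syn_ack"] = fw.process(back, 0.1)             # reverse wing, fast path
    r["unsolicited"] = fw.process(Packet("203.0.113.5", "10.1.1.10", 5555, 22, TCP), 0.2)
    r["sessions"] = len({id(s) for s in fw.table.values()})   # one session, two wings
    fw.replace_policies([])                          # permit removed, rematch off
    r["no_rematch"] = fw.process(out, 1.0)           # existing session still forwards
    fw2 = FlowModule([ssh], policy_rematch=True)
    fw2.process(out, 0.0)
    r["dropped_by_rematch"] = fw2.replace_policies([])
    r["with_rematch"] = fw2.process(out, 1.0)        # re-evaluated: default-deny
    fw3 = FlowModule([Policy("dns", "trust", "untrust", UDP, 53, "permit")])
    dns = Packet("10.1.1.10", "203.0.113.5", 50000, 53, UDP)
    fw3.process(dns, 0.0)
    r["udp_alive"] = fw3.process(dns, 59.0)          # within the 60 s timeout
    r["udp_aged"] = fw3.process(dns, 200.0)          # aged out, first path again
    return r
if __name__ == "__main__":
    print(demo())
```

Two design points carry over from the real device: the policy lookup happens only on the first path, so a packet matching either wing of an existing session is forwarded without touching the policy set (which is exactly why a policy change does not affect established sessions unless rematch is enabled), and the unsolicited inbound SYN from the untrust side fails because no policy permits it, not because anything explicitly blocks it.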

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE
