Specifically, the company has added features like Network Address Translation (NAT), stateful firewalling, and flow monitoring to its Adaptive Services PIC, which fits in the M- and T-series routers, and to its Tunnel Services Module, which slots into the E-series routers. As it's done with its M- and T-series routers, Juniper has added support for port mirroring to the E-series to simplify traffic monitoring and analysis.
The new enhancements are improvements on Juniper’s current security offerings, which include packet filtering and access control lists, among other things. These new features take security a step further and should help protect service provider networks and their customers from more sophisticated attacks.
Let’s take a look at how each of these features improves security:
- Stateful firewalls are inherently more secure than stateless firewalls. Stateless firewalls, used in basic packet filtering, only look at individual packets. By contrast, stateful firewalls can look at the context of each packet and filter traffic based on previous packets in the same flow.
- Network Address Translation is a mechanism that allows multiple end-user computers to access the Internet as if they were all one machine. This not only conserves IP addresses, but it also keeps outsiders from reaching machines within a particular enterprise.
- Port mirroring copies packets coming into the router on one interface over to another one. From a security perspective, this is particularly helpful, because it copies packets that don’t match a particular access list and moves them to another interface.
- Flow monitoring is a function that monitors traffic flows by sampling packets. It gathers information on the traffic and statistically analyzes it to look for harmful traffic patterns. Policies are then established to determine what to do with traffic that meets certain thresholds.
Juniper is not the first routing vendor to offer these features. Others, like Avici Systems Inc. (Nasdaq: AVCI; Frankfurt: BVC7) and Cisco Systems Inc. (Nasdaq: CSCO), offer port mirroring and flow monitoring. Avici made its big security push last spring when it rolled out its IPriori Release 4.2 version of its software (see Avici Adds Core Router Software). Cisco also offers products that handle NAT and stateful firewalling.
But Juniper's security features look more like a bid to add the functionality of separate security boxes to its routers. Competitors like CoSine Communications Inc. (Nasdaq: COSN), which specializes in network-based security, offer NAT and stateful firewalling in their products, which are designed to allow carriers to deploy VPNs (virtual private networks).
“What Juniper is offering is not really ground breaking,” says Jeff Wilson, a security analyst with Infonetics Research Inc. “Most of these things are already being done. But what’s important is that more router vendors are adding them to products.”
Wilson says that security has increasingly become an important issue for IP routing vendors. As denial-of-service attacks and viscous viruses become more sophisticated in how they target end users and networks, vendors are realizing that it’s part of their responsibility to include protection mechanisms in their gear.
But he also warns that new and improved security at the network level doesn’t eliminate the need for separate firewalls or client-based security software.
“The more layers of security there are, the better off you are,” he says. “Service providers need to make their networks more secure to benefit themselves as well as their customers.”
It’s important to note that security hasn’t been totally absent from routers. But it has typically come at a price. Performance often suffers when features are turned on. Juniper claims that its new additions do not impinge on the performance of any of its routers. For example, it says that on the Adaptive Services PIC, it can support up to 500 Mbit/s of throughput and 400,000 flows per PIC. Four PICs can fit into a single I/O slot. For the Tunnel Services Module, it can support throughput up to 155.53 Mbit/s and 128,000 flows per module.
But keep in mind, these claims have yet to be verified. Other vendors, such as Avici and CoSine also claim to be able to turn on services without taking a performance hit. Cisco claims line-rate performance when special accelerating hardware is used.
— Marguerite Reardon, Senior Editor, Light Reading