
Juniper Strikes at Security's Core

Taking a cue from the virtualization camp, Juniper Networks Inc. (NYSE: JNPR) is extending the security products and services developed from its 2004 NetScreen acquisition into a flexible high-end platform that, the company claims, could change the way carriers add services on the network. (See Juniper Buys NetScreen.)

The new SRX Dynamic Services Gateway line could also give NetScreen -- technically Juniper's Service Layer Technologies unit (SLT) -- a new presence in the network core, as the new line is far more high-end than anything currently in the SLT portfolio.

The SRX's trick is that its linecards are identical. Services such as firewalling, intrusion prevention, network address translation, and even plain old routing are assigned via software, with each card able to handle different combinations of services for different customers.

In other words, the SRX is performing a kind of virtualization. Its linecards represent one big pool of resources -- built using elements such as processors and hardware-based encryption -- to be split up however needed.

"We’ve seen routers and switches that can add route/switch capacity cards, but nothing this modular in the enterprise security domain," writes Forrester Research Inc. analyst Rob Whiteley in an email to Light Reading.

(The concept might sound familiar to many in the optical world, though. Consider the way Infinera Corp. (Nasdaq: INFN) refers to its DTN platform as providing a pool of bandwidth that's available on demand -- see Infinera Gets Virtual.)

So, what good is this setup? For one, it saves on the number of boxes being deployed. And it could help operators centralize certain services, serving them from the network core or metro core rather than at the customer premises.

"Companies can migrate the firewalling function away from the perimeter -- which is not protecting applications anyway -- and push it back into the datacenter where the applications and data reside," Whiteley writes. "It’s a slick solution for a de-perimeterized world."

It's also a change from the way other vendors -- Cisco Systems Inc. (Nasdaq: CSCO) in particular -- have handled services. The Cisco 7600 has become a chameleon of a system, with linecards that can make it a pure router or a pure services box. Its functions don't cross from one type of card to the next, though.

And because the SRX is a single box on a familiar operating system, it could be an easier alternative to the multiple-box expansion carriers tend to use.

"If they want to provide a policy to a user, they're knitting together different boxes," says Michael Frendo, Juniper's senior vice president of high-end security systems. "Those often have different operating systems and different management systems."

In addition to being flexible, the SRX line boasts big performance numbers -- firewall and intrusion-prevention throughput that is six times faster than anything Juniper has offered before, for instance. A more important metric might be the session rate -- 350,000 session setups (or teardowns) per second.

"We're seeing these massive spikes in terms of sessions," says Brian Lazear, a Juniper director of product management. That's driven partly by the use of applications such as Google Maps, where the drawing of a map page consists of 20 to 30 services.

Juniper talks about the SRX line being able to fit 400 Gbit/s of Gigabit Ethernet and 10-Gbit/s Ethernet interfaces. But the chassis is built to handle up to 960 Gbit/s of traffic, Juniper claims, which would give the platform some room for growth.

Two variants are being launched. The SRX 5600 has six free slots for linecards and sells for $65,000, while the SRX 5800 includes 12 vacant linecard slots and sells for $68,000. Both require linecards (duh), which cost $100,000 apiece.

The SRX continues what's been a year of big launches and changes for Juniper. In January, the company got into Ethernet switching with the EX line, a move that analysts believed was long overdue. (See Juniper Storms Into Ethernet Switching.)

And Scott Kriens, while still chairman, is stepping aside in favor of new CEO Kevin Johnson, late of Microsoft Corp. (Nasdaq: MSFT). (See Kriens Steps Aside as Juniper CEO.)

No word yet on whether Kriens and Johnson plan to do any TV spots.

— Craig Matsumoto, West Coast Editor, Light Reading

materialgirl 12/5/2012 | 3:32:19 PM
re: Juniper Strikes at Security's Core

Virtualization certainly makes systems more flexible, but it can also slow performance. Does the use of virtualization imply that chip technology is so powerful, you can waste performance for the sake of flexibility? Or, can you just lash enough boxes together to not care about packet performance? Separately, can this additional software layer add to latency or jitter?

Finally, what is stopping CSCO from just putting IOS services on Linux, running as separate virtual services? Is the old nature of IOS holding back Cat switch sales as much as the economy right now? If not, what are they doing with that VMW investment? What is the sound of one hand clapping ... Virtualization is certainly a disruptive technology?

Pete Baldwin 12/5/2012 | 3:32:18 PM
re: Juniper Strikes at Security's Core

> Finally, what is stopping CSCO from just putting IOS services on Linux, running as separate virtual services?

Part of it is probably that it's harder to do than to say, as you pointed out in the first paragraph.

I'm not sure that what the SRX does really "counts" as virtualization. It's more a case of having more clever processor usage (and faster processors) to let blades multitask.

My understanding is that once a card starts a task, the SRX makes it stick with that task, as I understand it... so it's not like storage virtualization, where a job could be split among multiple machines.

Anyone have a different understanding (or a better idea of what they're talking about?) If so, let us know.

materialgirl 12/5/2012 | 3:32:18 PM
re: Juniper Strikes at Security's Core

Dear Craig:
So this box does super-fast task switching, but not aggregation of capacity?

Pete Baldwin 12/5/2012 | 3:32:17 PM
re: Juniper Strikes at Security's Core

Aggregation?
I think we may be talking about different things. Or, it could be that there's a key issue to this that I've missed.

The SRX isn't a switch; it's the next-gen NetScreen box. Like a firewall with tons of features (although that's an imperfect comparison that Juniper might take as an insult). I don't think it can do aggregation, but I wouldn't expect anyone to buy it for that.

catalyst 12/5/2012 | 3:32:14 PM
re: Juniper Strikes at Security's Core

Does anyone know what kind of processors this product uses?

-catalyst

catalyst 12/5/2012 | 3:32:14 PM
re: Juniper Strikes at Security's Core

Article says "...with each card able to handle different combinations of services for different customers."

This functionality can be implemented without a "hypervisor" underneath, instead using multi-core processors and running a separate OS (or tight loop) on each core with specific applications. Boot the line card with a specific customer configuration image.

-catalyst

tsat 12/5/2012 | 3:32:09 PM
re: Juniper Strikes at Security's Core

"This functionality can be implemented without a 'hypervisor' underneath, instead using multi-core processors and running a separate OS (or tight loop) on each core with specific applications. Boot the line card with a specific customer configuration image."

Sounds like a quality assurance nightmare.

-tsat

AAL5 12/5/2012 | 3:32:08 PM
re: Juniper Strikes at Security's Core

"Sounds like a quality assurance nightmare."

Actually, this is a very common model used to scale data-plane services on multi-core processors; there is no need for hypervisors.

In regard to system architecture, as you get closer to the high-performance, high-lookup requirements of a switching, routing or L4+ service data plane, the protection mechanisms commonly used in user-space programming are thrown out to meet performance requirements.

AAL5

catalyst 12/5/2012 | 3:32:07 PM
re: Juniper Strikes at Security's Core

"Actually, this is a very common model used to scale data-plane services on multi-core processors; there is no need for hypervisors."

Hypervisors can help to create more than one instance and use one instance as Active and the other one as Standby. You can get High Availability 'kind of' functionality without standby HW.

Hypervisors can also help to dynamically manage core(s) allocation across different services.

Hypervisors can help with live software upgrades and remote management.

Hypervisors can help to run multiple protocol versions on the same platform (particularly helpful on mobile gateway networking devices) and potentially avoid deploying multiple boxes.

SLA implementations can be taken into a different dimension as well. One can allocate 'computing resources' as part of an SLA instead of traditional 'bandwidth' agreements.

-catalyst

h4oooo 12/5/2012 | 3:31:36 PM
re: Juniper Strikes at Security's Core

Seems that the VPN feature is missing.