What kind of a device is an SRX? An Ambassador's Perspective
Dec 14, 2018
In 2014 I wrote an article on how to look at the SRX platform in a different way than the classic one. That was based on the first generation of branch SRX devices. I received a lot of positive feedback on that article. With the new generation of branch (and also mid-size) SRX devices, there are even more opportunities to position them in a different way. The specs of the 300 series are impressive on the routing side: the SRX340, not the most expensive device on the market, supports 1M routes in the control plane and 600K in the data plane. And the list of supported protocols is very complete!
So yes, when you’re looking for a router with a strong control plane and a few gigs of throughput in the dataplane, the SRX might be a good choice. It’s not an MX class router but has a very good price per Gb/port.
On the SRX340/345, a big change compared to the 240 is that you now have eight copper and eight SFP ports without using expansion slots. In my opinion, this makes it even more attractive for routing functionality. The SRX1500 brings performance of up to 5Gb/s on IMIX and 9Gb/s on large packets with stateful firewalling turned on. To support this, the SRX1500 has 4 SFP+ (10Gbps) interfaces besides 16 Gig ports. Two million routes in the control plane and one million in the data plane make this device suitable for full internet tables.
Looking at the switching functionalities, things still look amazingly good. I’ve never seen non-switches with so much switching functionality. I mean things like Ethernet Ring Protection and OAM LFM/CFM which you will normally only find on carrier grade switches.
But there’s more now. Of course, you can stateful firewall the traffic. You can also do layer seven analysis and recognize applications, and make firewall, routing, and class of service decisions based upon the recognized application. In addition, UTM, user-based rules and SSL proxies are supported. But which modern security device can’t do this? There’s more to the SRX: you can also use it as a kind of sensor and enforcer in SDSN implementations. Analysis can be done in the cloud with Sky ATP or on premise with the JATP appliance. Switches or NAC solutions can be used to isolate infected hosts.
What’s back in the SRX is the possibility to use mixed mode: some traffic handled at Layer 3, some at Layer 2. Now, I know we normally want to route traffic in security solutions, not switch or bridge it, but think about this: what if you have a sudden and urgent problem in your network? If you can insert an SRX in transparent mode between your servers and your clients and analyze/secure the traffic without the need to renumber the network, your implementation is way faster. And you can combine that with using the same SRX as a secure router to the outside world.
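As an added illustration of the mixed-mode layout just described (this is example configuration written for this article, not configuration from the original post or from Juniper): two ports bridge the existing client and server VLAN so nothing has to be renumbered, while two other ports on the same box act as a routed, NATed gateway to the outside world. Interface names, VLAN id, addresses and zone names are assumptions chosen for the example. The syntax follows the `family ethernet-switching`/`vlans` style of the SRX300 series and SRX1500; the exact Layer 2 mode keyword and the high-end SRX `family bridge` equivalent should be checked against the Junos release in use. Note that in mixed mode the bridged segment is not routed through the box; the routing function lives on its own interfaces, which is why the example keeps the two halves on separate zones.

```junos
## Layer 2 half: SRX inserted transparently between clients and servers.
## Assumed: the L2 mode keyword for this platform is transparent-bridge.
set protocols l2-learning global-mode transparent-bridge
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access vlan members v10
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access vlan members v10
set vlans v10 vlan-id 10

## Each bridged port gets its own zone, so client-to-server traffic is a
## zone-to-zone flow that passes through the policy engine
set security zones security-zone l2-clients interfaces ge-0/0/1.0
set security zones security-zone l2-servers interfaces ge-0/0/2.0

## Only HTTPS to the servers is permitted; sessions are logged so the
## "urgent problem" can be investigated without touching the servers
set security policies from-zone l2-clients to-zone l2-servers policy web match source-address any
set security policies from-zone l2-clients to-zone l2-servers policy web match destination-address any
set security policies from-zone l2-clients to-zone l2-servers policy web match application junos-https
set security policies from-zone l2-clients to-zone l2-servers policy web then permit
set security policies from-zone l2-clients to-zone l2-servers policy web then log session-init
set security policies from-zone l2-clients to-zone l2-servers policy deny-rest match source-address any
set security policies from-zone l2-clients to-zone l2-servers policy deny-rest match destination-address any
set security policies from-zone l2-clients to-zone l2-servers policy deny-rest match application any
set security policies from-zone l2-clients to-zone l2-servers policy deny-rest then deny
set security policies from-zone l2-clients to-zone l2-servers policy deny-rest then log session-init

## Layer 3 half: the same SRX as secure router on separate interfaces.
## Assumed addresses are documentation ranges.
set interfaces ge-0/0/3 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone untrust interfaces ge-0/0/0.0

## Outbound only, with interface-based source NAT; nothing is permitted
## from untrust back in because no such policy exists
set security policies from-zone trust to-zone untrust policy out match source-address any
set security policies from-zone trust to-zone untrust policy out match destination-address any
set security policies from-zone trust to-zone untrust policy out match application any
set security policies from-zone trust to-zone untrust policy out then permit
set security nat source rule-set out from zone trust
set security nat source rule-set out to zone untrust
set security nat source rule-set out rule r1 match source-address 192.0.2.0/24
set security nat source rule-set out rule r1 then source-nat interface
```

The point of the layout is that the bridged pair (ge-0/0/1, ge-0/0/2) can be dropped into the existing server VLAN with no address changes, yet every client-to-server session still hits an explicit policy and is logged, while the routed pair (ge-0/0/3, ge-0/0/0) carries the normal gateway role. `show security flow session` on the box will list sessions from both halves, which is a quick way to confirm the bridged traffic is really being inspected rather than switched around the policy engine.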
Is that all there is to tell? No, definitely not. On the management side of things there’s also been a lot going on. The GUI of the SRX has improved almost beyond recognition. That, and Sky Enterprise has arrived. Sky Enterprise gives us the ability to manage secure gateways from the cloud and use zero touch provisioning. It simplifies management enormously and gives very useful reports.
And then there’s SD-WAN. Juniper offers a very complete SD-WAN solution based upon the Contrail Controller. There is a lot of software in this software-defined solution, but when you need hardware for a secure gateway, it can be an SRX.
So, what do I call an SRX? A secure router? A secure bridge? An SD-WAN router? A stateful gateway? All correct, I suppose. Don’t call it a firewall, not even a next generation firewall; that’s not doing justice to the platform. It’s way more than that.