Integrating SRX Security Services with QFabric in the Data Center
Jan 10, 2013
The data center is a concentrated deployment environment for networking equipment, consisting of thousands of servers that are accessed by tens of thousands of client systems. The need for large-scale access creates a complex set of data flows to business applications that must be protected. Determining firewall deployment configurations and sizing in a data center is a considerable effort, and firewall performance is critical to handle both the rate of new connections per second and the number of sustained concurrent connections. To address these challenges, Juniper Networks created a new class of security products, the SRX Series Services Gateways, to provide the ability to scale in the data center.
Implementation Guide for the SRX in the Data Center
To help customers deploy the SRX, Juniper has created an implementation guide that provides design considerations and implementation guidelines for deploying firewall services in a Juniper QFabric switch-based data center. The guide is intended for architects, network engineers and operators, and anyone who requires technical knowledge about integrating the SRX Series with QFabric technology. The guide reviews the technical concepts of the SRX Series Services Gateways related to the design and implementation of firewall services. Deployment scenarios are based on a single logical switch design using QFabric.
The deployment scenarios and design considerations include:
• Active/passive firewall cluster deployment with SRX acting as the first-hop router (FHR) for QFabric
• Active/active firewall cluster deployment with SRX acting as the FHR for QFabric
• Active/passive firewall cluster deployment with QFabric acting as the FHR for intra virtual router traffic
• Active/active firewall cluster deployment with QFabric acting as the FHR for intra virtual router traffic
• Active/passive low-latency firewall deployment for latency-sensitive applications
SRX and QFabric Integration Design
The implementation steps and validated configuration details for the deployment scenarios are presented using designs that were tested for transit traffic latency over the various paths that network traffic might take, both during normal operation and in the event of a failure. The designs were validated for convergence under various failure scenarios, such as link failure, network infrastructure device failure, and firewall node failure, to ensure the required resiliency.
The following scenarios were tested for a QFabric and SRX integration:
• QFabric technology in Layer 2 (L2) mode, SRX as the FHR
• QFabric technology in L2 or Layer 3 (L3) mode, virtual router–based traffic steering
• SRX Series services offload feature providing a low-latency firewall
QFabric in L2 Mode, SRX As the FHR
In this deployment scenario, the first-hop router (FHR) is either the SRX Series or the MX Series (or any other L3 equipment), depending on which traffic needs firewall policies. The QFabric solution is strictly an L2 connection. The advantages of this deployment are large table scale (host tables and the media access control (MAC) address table) and a simple configuration model in which each appliance has a dedicated role. It is an appropriate design when VLANs must span different geographic data centers.
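The following Junos set-style configuration is an added illustration of this scenario and is not taken from the implementation guide: an active/passive SRX chassis cluster whose redundant Ethernet (reth) sub-interfaces are the default gateways for two server VLANs trunked from QFabric, with each VLAN in its own security zone so that inter-VLAN traffic is policed. The interface slots, VLAN IDs, addresses, zone names and the single permitted application are all assumed for the example.

```junos
## Added example, not from the guide. Slot numbers, VLAN IDs and addresses are assumed.
## Two-node cluster. RG0 is the control plane; RG1 owns the reth data-plane interfaces.
## Active/passive: node 0 holds RG1 by priority, node 1 takes over on failure.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
## Fail RG1 over if the active node loses its uplink toward QFabric (weight 255 = full failover).
set chassis cluster redundancy-group 1 interface-monitor xe-1/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-8/0/0 weight 255

## One physical uplink per node toward QFabric, bound into reth0 (assumed slot on node 1).
set interfaces xe-1/0/0 gigether-options redundant-parent reth0
set interfaces xe-8/0/0 gigether-options redundant-parent reth0
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
## One uplink per node toward the core/MX, bound into reth1.
set interfaces xe-1/0/1 gigether-options redundant-parent reth1
set interfaces xe-8/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.100.0.2/30

## reth0 sub-interfaces are the first-hop router for the server VLANs (QFabric is L2 only).
set interfaces reth0 unit 10 vlan-id 10 family inet address 10.10.10.1/24
set interfaces reth0 unit 20 vlan-id 20 family inet address 10.10.20.1/24
## Everything not in the data center goes north to the core.
set routing-options static route 0.0.0.0/0 next-hop 10.100.0.1

## Each VLAN lands in its own zone; the SRX default policy denies inter-zone traffic.
set security zones security-zone web interfaces reth0.10
set security zones security-zone web host-inbound-traffic system-services ping
set security zones security-zone db interfaces reth0.20
set security zones security-zone db host-inbound-traffic system-services ping
set security zones security-zone core interfaces reth1.0

## Only the database application is allowed from web to db; the rest is denied and logged.
set security policies from-zone web to-zone db policy web-to-db match source-address any
set security policies from-zone web to-zone db policy web-to-db match destination-address any
set security policies from-zone web to-zone db policy web-to-db match application junos-ms-sql
set security policies from-zone web to-zone db policy web-to-db then permit
set security policies from-zone web to-zone db policy deny-rest match source-address any
set security policies from-zone web to-zone db policy deny-rest match destination-address any
set security policies from-zone web to-zone db policy deny-rest match application any
set security policies from-zone web to-zone db policy deny-rest then deny
set security policies from-zone web to-zone db policy deny-rest then log session-init
```

Because the SRX is the only L3 hop between the VLANs, no server can reach another tier without traversing the zone policy; the explicit deny-and-log rule makes blocked attempts visible in the security log rather than silently dropped by the default policy.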
QFabric in L2 or L3, VR-based Traffic Steering to the SRX
In this scenario, the MX Series is the gateway to the outside world, the SRX Series is used for services, and the QFabric solution is the default gateway for the servers. The advantages of this deployment are low and consistent latency for routing, full separation of the data center from the outside world, the fact that only inter virtual router (VR) traffic that needs security services goes to the SRX Series for security policy enforcement, and the fact that only traffic that needs to reach the outside world exits the QFabric system.
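As an added illustration of the VR-based steering model (not configuration from the guide), the following Junos set-style snippet puts each server tier in its own virtual router on QFabric, so that the only route between tiers is the point-to-point link to the SRX and intra-VR traffic never leaves the fabric. VLAN IDs, addresses, VR and zone names, and the MX next-hop are assumed for the example.

```junos
## Added example, not from the guide. VLAN IDs, addresses and names are assumed.
## --- QFabric side (Junos) ---
## Routed VLAN interfaces: the servers use these as their default gateway.
set vlans web vlan-id 10 l3-interface vlan.10
set vlans db vlan-id 20 l3-interface vlan.20
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set interfaces vlan unit 20 family inet address 10.10.20.1/24

## Point-to-point VLANs toward the SRX, one per virtual router.
set vlans web-to-srx vlan-id 110 l3-interface vlan.110
set vlans db-to-srx vlan-id 120 l3-interface vlan.120
set interfaces vlan unit 110 family inet address 10.100.110.1/30
set interfaces vlan unit 120 family inet address 10.100.120.1/30
## Uplink VLAN from the web tier toward the MX (assumed to be the only tier with Internet reach).
set vlans web-to-mx vlan-id 100 l3-interface vlan.100
set interfaces vlan unit 100 family inet address 10.100.100.1/30

## Each tier is an isolated virtual router. Traffic inside a tier is switched/routed
## locally on QFabric; the only path to the other tier is via the SRX next-hop.
set routing-instances VR-WEB instance-type virtual-router
set routing-instances VR-WEB interface vlan.10
set routing-instances VR-WEB interface vlan.110
set routing-instances VR-WEB interface vlan.100
set routing-instances VR-WEB routing-options static route 10.10.20.0/24 next-hop 10.100.110.2
set routing-instances VR-WEB routing-options static route 0.0.0.0/0 next-hop 10.100.100.2
set routing-instances VR-DB instance-type virtual-router
set routing-instances VR-DB interface vlan.20
set routing-instances VR-DB interface vlan.120
set routing-instances VR-DB routing-options static route 10.10.10.0/24 next-hop 10.100.120.2
## VR-DB deliberately has no default route: the database tier cannot reach the outside world.

## --- SRX side ---
## reth0 carries both point-to-point VLANs; each one lands in its own security zone.
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 110 vlan-id 110 family inet address 10.100.110.2/30
set interfaces reth0 unit 120 vlan-id 120 family inet address 10.100.120.2/30
set routing-options static route 10.10.10.0/24 next-hop 10.100.110.1
set routing-options static route 10.10.20.0/24 next-hop 10.100.120.1
set security zones security-zone web interfaces reth0.110
set security zones security-zone db interfaces reth0.120
## Inter-VR policy: only the database application from web to db; everything else hits the default deny.
set security policies from-zone web to-zone db policy web-to-db match source-address any
set security policies from-zone web to-zone db policy web-to-db match destination-address any
set security policies from-zone web to-zone db policy web-to-db match application junos-ms-sql
set security policies from-zone web to-zone db policy web-to-db then permit
```

The point of the two static routes on each VR is that a server in VR-WEB has no L3 path to 10.10.20.0/24 other than through 10.100.110.2 on the SRX; a server in VR-DB has no default route at all, so the isolation is enforced by the routing tables as well as by the firewall policy.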
SRX As a Low-Latency Firewall
Implementing firewalls within the data center has always been a challenge because firewalls usually introduce considerable latency: they have to analyze each packet for security processing. For this reason, latency-sensitive applications are often routed around the firewall. The SRX Series is a low-latency firewall solution, and this use case deploys it in customer environments in which business applications require segmentation while still maintaining extremely low latency, using the licensed services offloading software feature, which provides the mechanism for achieving that low latency.
For More Information
The data center network presents multiple firewall integration points and possibilities for seamlessly fitting into specific customer environments. Regardless of the deployment model, the need for a high-speed, low-latency, service-ready firewall system in the data center is paramount. As more data centers consolidate, more applications are hosted in them, and more complex traffic patterns evolve, additional security and fewer compromises are required. The Juniper Networks SRX systems are architected to support the data centers of today, as well as to fulfill requirements as the network evolves to meet future demands and challenges in the data center. For more information, see Integrating SRX Series Services Gateways into a QFabric Switch-based Data Center Implementation Guid....