November 2008 – Juniper Networks has introduced SRX “dynamic services gateways” which it says represent a new game-changing category of extensible networking and security product essential to processing and managing integrated IP services.
Such functionalities incorporated into a single blade at the router level are critical in an era of massive growth in data center, core perimeter and network edge capacity and ever multiplying security threats, says Michael Frendo, senior vice president, high-end security systems, for Juniper. He notes the Dynamic Services Architecture underlying the new SRX silicon and software make this any-service-on-any-card capability possible.
Running on Juniper’s single-source JUNOS network operating system software, the SRX 5600 and 5800 series initially offer a firewall service. However, in support of its “dynamic” gateway claim, the SRX also natively integrates other services such as Intrusion Prevention System (IPS), Distributed Denial of Service (DDoS/DoS) protection, Network Address Translation (NAT), dynamic routing, and Quality of Service (QoS) – any of which can be configured on any service processing card.
“This kind of services platform has traditionally been delivered through many different boxes or blades,” Frendo says. “We are moving away from a paradigm that meets every new problem with a new box or blade. Now you won’t require new hardware every time you want to provision a new service, like firewall, or a future service.”
For service providers or datacenter operators, the architecture translates to a single system for policy and configuration and a single device to manage. “We’ve separated I/O (input/output) from service capability functions,” so each slot can hold an I/O or service blade, and any service blade can be configured to run any service, Frendo explains. “Each service engine added grows power for all service types, not just DDoS, or firewall. Future services might include virus detection or maybe some new deep packet inspection against botnets.”
As operators of large IP networks seek competitive agility to rapidly launch new services like DDoS, NAT and QoS, any proliferation of separate boxes with separate operating systems threatens to overwhelm service management with complexity.
“If you have policy you want to apply to a particular user, you’re having to set rules for the policy in each separate appliance separately,” he says. “We said, ‘What if you could bring flow to one box, set up one session and set up policy once on one operating system and one management system?’ Then you would have a far simpler network and an operationally simple method for deploying and updating services in that same platform. That’s what this architectural framework is all about. A single operating system and single management system.”
The SRX also provides scalable processing and I/O capacities to achieve what Juniper says is a quantum leap in performance. The firewall service, for example, yields up to 120 gigabit-per-second throughput, an order of magnitude increase in processing speed compared to traditional firewalls.
Both new devices are built on Juniper’s terabit-speed fabric, “the same you find in high and midrange routers,” Frendo says. “We’re reusing that same silicon and building a security appliance on top.” For the SRX 5800, that fabric translates to 40 to 440 Gigabit Ethernet ports; 10 to 120 Gbps firewall capacity; 2 to 30 Gbps IPS capacity; and support for 500,000 to 4 million concurrent sessions.
“We can take advantage of the best routing technologies available, and all that is built on top of the new architecture,” he says. “The new services architecture, we believe, is the wave of the future – the way things are going to need to be done.”
Frendo notes that Juniper’s service provider segment business has grown from a single-digit percentage to 40 percent of the company’s revenues in the past several years, and it expects that percentage to grow higher.
“In the consumer space, with a lot of new services like VoIP or VOD, they’re finding a strong need to secure control over parts of the networks,” he says. “Otherwise you open up to service disruptions or theft. So they have a very strong incentive on the security side. In mobile, bandwidth is at a premium, so they’re looking at firewall and intrusion detection to ensure that traffic is increasingly cleaned to make sure the handset is not getting a lot of viruses or other bandwidth-eating stuff.
“We think this architecture is something our customers need,” he says. “I expect competitors will follow. Frankly we’re ahead of the game.”
The dynamic services gateways are available today. The base list price for the SRX 5600 chassis starts at USD $65,000, while the list price of the SRX 5800 chassis starts at USD $68,000. The list price for the service processing cards and input/output cards starts at USD $100,000.