
Features and Benefits
Secure Routing
Should you use a router and a firewall to secure your network?
By building the branch J Series Services Routers with best-in-class routing and firewall capabilities in one product, enterprises don't have to make that choice. Why forward traffic if it's not legitimate?
J Series for the branch checks whether traffic is legitimate and forwards it only when it is. This reduces the load on the network, preserves bandwidth for mission-critical applications, and keeps unauthorized traffic off the network.
The main purpose of a secure router is to provide firewall protection and apply policies. The firewall (zone) functionality inspects traffic flows and session state to ensure that both the originating and the returning packets of a session are expected and permitted for a particular zone. The security policy determines whether a session may originate in one zone and traverse to another zone. The stateful firewall receives packets from a wide variety of clients and servers and keeps track of every session, every application, and every user. It lets the enterprise make sure that only legitimate traffic is on its network and that traffic is flowing in the expected direction.
Figure 1: Firewalls, zones and policies
To ease the configuration of the firewall, J Series for the branch uses two features, "zones" and "policies." Both can be user defined, but the default shipping configuration contains, at a minimum, a trust zone and an untrust zone. The trust zone is used for configuration and for attaching the LAN to the branch J Series router; the untrust zone is used for the WAN or Internet interface. To simplify installation and configuration, a default policy allows traffic originating in the trust zone to flow to the untrust zone and blocks all traffic originating in the untrust zone toward the trust zone. A traditional router, by contrast, forwards all traffic without regard to session state (the firewall) or to where a session originates and terminates (the policy).
Figure 2: High availability
Using the Web interface or the CLI, enterprises can create security policies that control traffic within and between zones. At the broadest level, all types of traffic can be allowed from any source in a security zone to any destination in all other zones without scheduling restrictions. At the narrowest level, a policy can allow a single kind of traffic between one specified host in one zone and another specified host in another zone, and only during a scheduled time period.
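The zone and policy model described above, written out as an added configuration example in Junos set-command form. This is not configuration from the original page or from Juniper's own documentation. The interface names, the addresses, the extra dmz zone, the host names mgmt-host and web-server, and the scheduler name and times are all assumptions; the zone-scoped address book is the form used on the J Series Junos releases of this era. Lines beginning with ## are commentary, not commands to load.

```junos
## Zones: trust carries the LAN, untrust the WAN/Internet link, and an added
## dmz zone holds a server segment (interface names are assumed)
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0

## Management of the router itself is only reachable from the trust zone;
## the untrust zone gets no host-inbound services at all
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https

## Address-book entries referenced by the narrow policy below (assumed addresses)
set security zones security-zone trust address-book address mgmt-host 10.1.1.10/32
set security zones security-zone dmz address-book address web-server 192.0.2.10/32

## Broadest case: any session may originate in trust and traverse to untrust.
## The firewall tracks the session, so the returning packets are admitted
## without a reverse policy from untrust to trust.
set security policies from-zone trust to-zone untrust policy lan-to-internet match source-address any
set security policies from-zone trust to-zone untrust policy lan-to-internet match destination-address any
set security policies from-zone trust to-zone untrust policy lan-to-internet match application any
set security policies from-zone trust to-zone untrust policy lan-to-internet then permit

## Sessions originating on the Internet toward the LAN are denied. Junos already
## applies an implicit deny when no policy matches; stating it explicitly lets
## the dropped session attempts be logged for the SOC.
set security policies from-zone untrust to-zone trust policy internet-to-lan-deny match source-address any
set security policies from-zone untrust to-zone trust policy internet-to-lan-deny match destination-address any
set security policies from-zone untrust to-zone trust policy internet-to-lan-deny match application any
set security policies from-zone untrust to-zone trust policy internet-to-lan-deny then deny
set security policies from-zone untrust to-zone trust policy internet-to-lan-deny then log session-init

## Narrowest case: one application (the predefined junos-ssh) from one host to
## one host, and only while the scheduler is active (assumed window)
set schedulers scheduler maint-window daily start-time 22:00:00 stop-time 23:00:00
set security policies from-zone trust to-zone dmz policy admin-ssh-to-web match source-address mgmt-host
set security policies from-zone trust to-zone dmz policy admin-ssh-to-web match destination-address web-server
set security policies from-zone trust to-zone dmz policy admin-ssh-to-web match application junos-ssh
set security policies from-zone trust to-zone dmz policy admin-ssh-to-web then permit
set security policies from-zone trust to-zone dmz policy admin-ssh-to-web scheduler-name maint-window
```

Policies are evaluated top to bottom within each zone pair, so `show security policies` is the place to confirm that a narrow permit is not shadowed by an earlier broad one, and `show security flow session` shows the sessions the firewall is actually tracking. A scheduled policy is only as good as the device clock; keep NTP configured so that the maintenance window opens and closes when intended.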
High Availability
JUNOS Services Redundancy Protocol (JSRP) is a core feature of the J Series for the branch. JSRP enables a pair of security systems to be integrated easily into a high availability network architecture, with redundant physical connections between the systems and the adjacent network switches. With link redundancy, common causes of failure such as a bad physical port or a disconnected cable are handled so that a connection remains available without failing over the entire system. This is consistent with the typical active/standby behaviour of routing resiliency protocols.
When J Series routers for the branch are configured as an active/active pair, traffic and configuration are mirrored automatically so that firewall and VPN sessions are maintained in case of a failure. The J Series synchronizes both configuration and runtime information, so the following state is already present on the peer when a failover occurs: connection/session state and flow information, IPsec security associations, Network Address Translation (NAT) state, address book information, configuration changes, and more. In contrast to the typical router active/standby resiliency protocols such as Virtual Router Redundancy
Figure 1 labels: INTERNET; "Untrust" Zone; "Trust" Zone; "Guest" Zone; "DMZ" Zone; Intranet.
Figure 2 labels: High Availability. Active/Standby panel: INTERNET, EX Series switches, active and standby J Series, failure. Active/Active panel: INTERNET, EX Series switches, active J Series pair, failure.
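The active/active JSRP pair of Figure 2, as an added configuration example that is not taken from the page or from Juniper's documentation: a two-node chassis cluster in which redundancy group 1 is primary on node 0 and redundancy group 2 on node 1, so each router carries live traffic and takes over the other's group on a failure, while interface monitoring fails over only the affected group when a single port or cable dies. The cluster id, interface names, addresses, priorities and monitoring weights are assumptions; the slot numbering of node 1's interfaces and the dedicated control port are platform-specific, so the ge-2/0/x names are placeholders to adjust. Lines beginning with ## are commentary.

```junos
## Run once on each node in operational mode; each node reboots into cluster mode:
##   node 0:  set chassis cluster cluster-id 1 node 0 reboot
##   node 1:  set chassis cluster cluster-id 1 node 1 reboot

## Fabric link between the nodes carries the synchronized session state
## (member interfaces assumed; node 1 slot numbering is platform-specific)
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-2/0/2

## Two redundant Ethernet (reth) interfaces, each with one member port on every node,
## giving the redundant physical connections to the adjacent switches
set chassis cluster reth-count 2
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-2/0/1 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-2/0/3 gigether-options redundant-parent reth1

## Redundancy group 0 is the control plane; groups 1 and 2 carry data.
## Opposite priorities make group 1 primary on node 0 and group 2 primary on
## node 1, which is what makes the pair active/active rather than active/standby
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 2 node 0 priority 1
set chassis cluster redundancy-group 2 node 1 priority 100

## Link redundancy: a monitored port going down subtracts its weight from the
## group's threshold (255), so one bad port or pulled cable fails over only the
## group that used it, not the whole chassis
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/3 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-2/0/3 weight 255

## reth0 faces the Internet (untrust), reth1 faces the LAN (trust); addresses assumed
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/24
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 10.1.1.1/24
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone trust interfaces reth1.0
```

After committing, `show chassis cluster status` should list group 1 primary on node 0 and group 2 primary on node 1, and `show chassis cluster interfaces` shows the monitored ports and reth membership. To confirm that session state really is mirrored before trusting the pair in production, open a long-lived connection through the cluster, run `show security flow session` on the backup node for that group, then force a switchover with `request chassis cluster failover redundancy-group 1 node 1` and check that the connection survives.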