Juniper this week is introducing a family of flexible, high-speed security gateways that scale to handle massive traffic streams in the largest corporate networks via gigabit and 10 gigabit Ethernet ports.
Juniper's SRX Dynamic Service Gateways are modular devices that can handle multiple security applications on each of their processing cards, with the load on each distributed according to the demands of the actual traffic.
The boxes have dedicated control planes with near-terabit fabric that can pool resources between input-output cards and processing cards to create a single service engine. So if three firewall blades were added to the chassis, they would act as a single firewall as opposed to three separate firewalls, which is the case with some other vendors' multifunction security gear.
"It's distinguished from similar security devices because you don't add a specific [application] card which has pre-determined services on it -- an appliance-on-a-card approach," says Rob Whiteley, an analyst with Forrester Research. Instead, the processing power is pooled with the processing power on all the other cards and distributed to handle whatever services are called for.
Because the SRXs are focused on efficiently delivering multiple security services, they are suitable for deploying outside data centers to better protect specific applications, he says. "As a result, companies can migrate the firewalling function away from the perimeter -- which is not protecting applications anyway -- and push it back into the data center where the applications and data reside," Whiteley says.
In addition to a firewall, the devices support network address translation, intrusion prevention, denial-of-service protection, quality of service and dynamic routing.
SRX comes in two models, the 5600 and 5800, with the 5800 featuring the company's fastest firewall -- 120Gbps. The dedicated control plane architecture is borrowed from Juniper's M, MX and T series routers that similarly share a control plane. The devices are based on Juniper's JUNOS operating system and controlled by a single management platform.
The SRX 5600 has six slots for I/O and service-processing cards and the SRX 5800 has 12 slots. The larger chassis can scale up to 400 Gigabit Ethernet ports. Traffic is load balanced across all the cards in a single device according to which services need to be applied to individual flows.
When a flow hits an SRX, the device determines what policy has been set for that type of flow and applies it in a single pass through one of the processing cards, rather than passing the flow from one single-function card to another.
New services can be added to the service-processing cards via software, and the company plans to add capabilities over time such as support for virtualization and unified threat management.
SRX 5800 costs US$68,000 for the base unit plus $100,000 per I/O or service-processing card. SRX 5600 costs $65,000 for the base unit plus $100,000 for the cards, which are the same for both the SRX 5600 and 5800.