Juniper deals services on a card

All-in-one appliances have been a dream WAN gateway makers have been chasing for some time. The problem is putting multiple services in a high-performance package that doesn’t get bogged down.

Juniper Networks believes the solution is in its new SRX family for service providers and demanding enterprises.

The top of the two models introduced this month boasts a firewall with a maximum throughput of 120 Gigabits per second, full duplex, and 30Gbps throughput on its intrusion detection.

But the heart of the line is a new architecture that puts services such as the firewall, intrusion protection, VPN on an upgradeable card. Instead of adding gateways or appliances to scale up the system, cards are added to the slots in an SRX chassis. Similarly, connectivity comes on cards. As a result, network managers can configure an SRX gateway to lean towards security or I/O.

“It’s a major shift from what architecturally is being deployed today” by Juniper and its competitors, said Brian Lazear, the company’s director of product line management.

This evolution, however, comes with a big price tag. The top of the line SRX 5800 starts at US$268,000 in a base configuration, while the SRX 5600, with half the throughput, starts US$265,000.

Lazear argues it’s worth it. The SRX 5800 is six times faster than what he says is a comparable product from Cisco Systems, the ASA 5580 Adaptive Security Appliance, and Check Point Software Technologies’ Power-1 9070. He also said it can handle new session rates three times faster than the Cisco unit while consuming half the power per gigabit throughput.

Abner Germanow, IDC’s director of enterprise networks research, notes that most makers of WAN gateways are looking for ways to build multiple services into a single platform. At the low end of the market, these are called unified threat management appliances. Juniper is just one of several trying it at the high end with different architectures. The challenge, Germanow said, is creating a box that “doesn’t fall over” when all the services are turned on.

“What’s interesting is that they [Juniper] have a set of services that run off a common hardware platform that allows an enterprise to mix and match what they need for their environment at a particular time without having to buy a track of appliances or blades,” said Germanow. He emphasized that he wants to hear from actual users before making a final judgment, but also said that the SRX “looks to be a lot more flexible that what’s currently offered in the market by people like Cisco. The ability to firewall very large traffic is hard.”

“It’s a slick solution for de-perimeterized world,” wrote Robert Whiteley of Forrester Research in an e-mail interview. Organizations are extremely challenged by traditional security architectures, he said, because applications are becoming increasingly centralized and complex, yet users are becoming increasingly distributed. This puts a massive stress on the traditional network perimeter security model. The firewall is not the problem, but rather how the firewalls are deployed and scaled.

“That’s where I think Juniper is doing well. Its new platform is services-oriented and a much more powerful platform. As a result, companies can migrate the firewalling function away from the perimeter – which is not protecting applications anyway – and push it back into the datacenter where the applications and data reside. Moreover, companies can add additional services to tack on more application and access control functionality.”

The SRX approach is another step in Juniper’s attempt to run all products on its Junos operating system by merging security features from the company’s ScreenOS operating system.

The SRX line now stands at the top of Juniper’s security lineup. Below it is the NX firewall/VPN series, which runs ScreenOS, followed by the entry-level IDP intrusion protection series. It isn’t clear, though, how far down the SRX line will go.

Lazear acknowledged that there isn’t complete feature parity between the SRX line and its NX brothers. There is an “aggressive plan to close those gaps,” he said. On the other hand, he also said buyers with an investment in the NX gateways expect the devices to have a long life.

Michael Frendo, Juniper’s senior vice-president of high-end security systems, said Juniper came up with the new approach, which it dubs a Dynamic Services Architecture, because the nature of networks are becoming less predictable thanks to unified communications and hyperlinked documents. Data can come from many sources, not just a couple of servers inside the organization, he said. “A single link in a spreadsheet can kick off a firestorm of interactions in a network.” As a result companies struggle to meet the conflicting needs of security and bandwidth. The solution, he argued, is not to add rows of routers, switches, IDP devices, many with their own operating systems.

The SRX line standardizes on Junos for the operating system and the company’s NSM management software, separating the control plane from the data plane. As a result, network administrators can set one policy across all security functions. It also means even if the gateway is under attack or handling spikes in traffic, administrators can still change policies or configurations.

Juniper uses a separate control plane in its routers. This is its first implementation on a security services platform. The physical architecture of putting services on cards allows tremendous flexibility as well, Lazear said.

So far only two types of cards are offered for the chassis. Initially, the security card carries a firewall, routing, IPSec VPN, intrusion detection, NAT, and QoS services. Future services that might be added such as protection for new threats, virtualization or the ability to tie forwarding capability to data content. For I/O there are two options: a 40-port Gigabit Ethernet card, or a four-port 10GbE card. Each card costs US$100,000.

The 12-slot SRX 5800 chassis costs $68,000, and the eight-slot SRX 5600 costs US$65,000. Either chassis can handle 300,000 new sessions a second. To get a working gateway requires the purchase of at least one services and one I/O card per chassis.

Managers can mix cards as they wish, depending on their needs. As a result, Frendo said, they can add new services “without forklifting new hardware out.”

Yankee Group analyst Zeus Kerravala said Cisco Systems’ Calayst line has a similar architecture to the SRX line in that it has swapable cards. However, he added, the SRX family is a dedicated security device. An increasing number of companies making high performance security equipment will turn to this approach, he said. “As you wind up needing more scalable equipment you have to go to this state of architecture. You can only get so much horsepower out of appliances.”