Tool Kit Extends Router Security

Juniper lets users determine features.

Looking to add more versatility and flexibility to its line of core routers, Juniper Networks Inc. is rolling out a security tool kit that includes a variety of protection capabilities.

The enhanced functionality is delivered via Juniper's PICs (Physical Interface Cards), an architecture that enables customers to select the features they want.

Prominent among the capabilities in J-Protect Toolkit are a stateful inspection firewall and flow monitoring.

So, for example, a service provider can choose to install one PIC with both firewall and network address translation. This configuration would enable the provider to deliver Internet and virtual private network connectivity to its customers on the same circuit.

What makes this kind of configuration possible is the nature of Juniper's architecture in all its routers.

The company decided early on to separate the control plane and the forwarding plane in its routers as a way to get the scale that large service providers demanded. But the company quickly discovered that the design opened up other possibilities as well.

"It was a performance issue, but it has a lot of extensibility, too," said Todd Shimizu, security solutions manager at Juniper, based in Sunnyvale, Calif. "The software modules gave us performance and security and scalability. The extra headroom we had in the ASICs [application-specific integrated circuits] gives us the ability to do packet inspection and rate limiting."

New Growth

Features of Juniper's J-Protect Toolkit
  • Stateful firewall packet inspection
  • Flow monitoring
  • Inline or offline deployment
  • Full traffic sampling

The flow monitoring capability is designed to allow for full traffic sampling and analysis anywhere on the network.

Each PIC can handle up to 1 million flows, and the ASIC can be used to break out individual flows and send them to another box for deeper inspection.

Designed for high-speed networks, the PICs can each monitor one full OC-48 network.

"The integration is the key advantage for us, as is the scalability aspect," Shimizu said. "The architecture delivers the advantage. We think you should dictate the security policy; the equipment shouldnt."

In addition, the J-Protect solution includes a new set of professional services in support of the technology. The services include vulnerability analysis, security architecture, implementation planning, testing and validation, and deployment.

The new capabilities will be available in August on all of Juniper's routers.