Connected Security Distributed Services (CSDS) Architecture Datasheet

Product Overview

Traditional firewall approaches struggle to keep pace with the ever-expanding demands of modern networks because they are often constrained by the chips and size of the appliance. Traffic surges, new applications emerge, and the number of connected devices explodes, leaving your environment vulnerable.

Juniper’s Connected Security Distributed Services (CSDS) Architecture delivers a revolutionary new hyperscale network security solution. Elastically scale your security on demand, adding new capacity and firewalls to the pool in minutes, not days. Manage everything from a single, intuitive console to simplify complex network security and free your IT team to focus on strategic initiatives. Juniper’s CSDS ensures your security scales seamlessly alongside your business, keeping you protected in today's dynamic threat landscape.

 

Product Description

Traditional firewalls struggle to keep pace with network growth, leading to performance bottlenecks and management complexity. Juniper's CSDS Architecture offers a revolutionary solution.

CSDS breaks the mold by decoupling forwarding and security services. This allows you to leverage your existing Juniper MX Series Routers for intelligent packet forwarding and load balancing while offloading security functions to distributed Juniper SRX Series Firewalls. This unique design delivers:

  • Unmatched scalability: Effortlessly add security firewalls as needed, eliminating limitations of traditional chassis-based systems
  • Simplified management: Manage your entire security infrastructure from a single point, regardless of the number of firewalls deployed
  • Enhanced reliability: Multi-path redundancy ensures uninterrupted security, even if individual network elements experience issues
  • Cost-effectiveness: Optimize resource utilization by offloading security tasks from your MX routers, potentially reducing hardware investment

Juniper Security Director Cloud seamlessly integrates with CSDS, providing a unified user experience for configuration, upgrades, and orchestration. This simplifies security management and streamlines operations.

Security services at your fingertips:

  • Offload critical security functions like stateful firewalls, IPSec VPNs, and CGNAT to dedicated SRX firewalls
  • Achieve granular control with flexible load balancing options like ECMP/Consistent Hashing or TLB
  • Maintain a stateless MX core, maximizing forwarding performance and scalability
  • Leverage Multi-Node High Availability (MNHA) of SRX Firewalls to keep sessions active during operations (like upgrades) or individual network downtime

CSDS is the future of network security, empowering you to:

  • Securely scale your network to meet ever-growing demands
  • Simplify security management and reduce operational overheads
  • Achieve cost-effective security without compromising performance

 

Architecture and Key Components

Network security struggles to keep up with growth, but Juniper's CSDS Architecture solves this by offering scalability, simplified management, and flexibility.

Decoupling for Agility

CSDS changes the game by fully separating forwarding and security services. This allows you to leverage your existing Juniper MX Series routers as intelligent forwarding engines and load balancers. Security functions are then offloaded to distributed Juniper SRX firewalls. This design unlocks:

  • Unmatched scalability: Effortlessly add SRX firewalls on demand, eliminating rigid chassis limitations and scaling seamlessly with your network
  • Simplified management: Manage your entire security infrastructure from a single point, regardless of the number of deployed firewalls

 

Enhanced Reliability and Efficiency

CSDS delivers exceptional reliability with multi-path redundancy. Even if individual firewalls experience issues, traffic gets seamlessly rerouted, ensuring uninterrupted security. Additionally, SRX’s MNHA provides flow resiliency, and by offloading security tasks from MX routers, CSDS optimizes resource utilization, potentially reducing hardware investment.

 

Seamless Integration and Unified Experience

Juniper Security Director Cloud lets organizations easily integrate CSDS with their existing operations workflow and provides a single pane of glass for configuration, upgrades, and orchestration. This streamlines security operations and simplifies management.

 

Security Services at Your Fingertips

CSDS offers a comprehensive suite of security services, including:

  • Stateful firewalls
  • IPSec VPNs
  • Carrier-Grade NAT (CGNAT)

These services are offloaded to dedicated SRX firewalls, ensuring optimal performance and security. With flexible load balancing options like ECMP/Consistent Hashing or TLB, you achieve granular control over traffic distribution.

Figure 1: Juniper’s CSDS Architecture delivers a scalable, distributed security architecture design that fully decouples the forwarding and security services layers

Juniper’s CSDS Architecture delivers a distributed security solution with distinct layers, enabling scalability and simplified management:

1. Forwarding layer:

  • MX Series routers act as the intelligent core, forwarding traffic and synchronizing configurations to the services layer
  • MX Series routers are deployed in 1:1 redundancy for high availability

2. Services layer:

  • SRX Series firewalls provide security services like Stateful Firewalls, IPSec VPNs, and CGNAT
  • Multiple groups of SRX firewalls, potentially with different sizes and functionalities (e.g., one group for IPsec, another for NGFW) can coexist within the architecture
  • Multi-Node High Availability (MNHA) of SRX Firewalls keeps sessions active during operations (like upgrades) or individual network downtime

3. Optional distribution layer (large deployments):

  • QFX Series switches provide additional ports and potentially different speeds/types when needed
  • This layer acts as a switching fabric interconnecting all CSDS components

4. Management layer:

  • Single point of management for the entire CSDS solution
  • Management of security policies, objects, NAT, and all other services of all SRX firewalls
  • Monitoring and management of the utilization of services layer devices (SRX firewalls)

This layered approach empowers you to scale security independently from forwarding capacity, ensuring a future-proof network.

 

Features and Benefits

Older security systems can't handle growing networks as well as they should. This can slow things down and make managing security a real headache. Juniper's CSDS takes a new approach by separating the jobs of sending data (forwarding) and keeping it safe (security). This innovative design makes CSDS easier to manage, keeps things running smoothly, and lets you build a security system that can handle whatever the future throws your way.

Unveiling Scalability and Performance

  • Elastic scaling: CSDS breaks free from the limitations of traditional chassis-based firewalls. You can leverage existing MX Series routers for intelligent traffic forwarding and load balancing. Security functions are then offloaded to distributed Juniper vSRX or SRX firewalls. This modular approach allows you to effortlessly add new firewalls on demand, seamlessly scaling your security posture to meet evolving network requirements
  • Optimized resource utilization: By offloading security tasks from MX routers, CSDS optimizes their forwarding performance. This efficient use of resources leads to lower overall security infrastructure costs

 

Simplified Operations and Management

  • Unified management: CSDS eliminates the complexity of managing multiple security appliances. Juniper Security Director Cloud provides a single pane of glass for managing all your security services. This centralized console simplifies configuration, upgrades, and orchestration, saving valuable IT resources.

 

Built-in Resilience and Reliability

  • Multi-path resiliency: CSDS ensures uninterrupted security with multi-path redundancy and load balancing. Even if individual firewalls encounter issues, traffic is automatically rerouted across available paths, maintaining a robust security posture
  • Dead Peer Detection (DPD): CSDS leverages DPD to identify and handle unresponsive VPN peers. This proactive approach ensures optimal VPN tunnel performance and availability. (DPD is a mechanism used in IPsec VPNs to detect when a communication partner becomes unreachable)

 

Comprehensive Security Services

  • Next-Generation Firewall (NGFW): CSDS offers advanced NGFW services, providing Layer 3 (L3) to Layer 7 (L7) security. By analyzing past communications and application behavior, NGFW dynamically controls new connection attempts, offering an extra layer of defense against sophisticated threats
  • IPsec VPN: Establish secure communication channels with remote locations using high-performance IPsec VPNs within the CSDS architecture. The solution supports features like route-based VPNs, NAT-T (Network Address Translation – Traversal), AutoVPN, and Remote Access VPN with Juniper Secure Connect
  • Carrier-grade Network Address Translation (NAT): CSDS provides carrier-grade NAT functionality for translating private IP addresses to public addresses. This allows efficient use of limited public IP addresses and facilitates internet access for many devices on your network. The solution supports various NAT modes, including NAPT44 (Network Address and Port Translation 44), Persistent NAT, Address-Persistent NAT, Deterministic NAT44, NAT with Policy, and Hair-pinning

 

Deployment Flexibility

CSDS offers deployment options to suit diverse network requirements. You can choose from standalone MX routers with groups of standalone SRX/vSRX devices, MX routers in Active-Active redundancy mode with standalone SRX/vSRX devices, or MX routers in Active-Active redundancy mode with MNHA SRX/vSRX clusters. Regardless of your chosen deployment model, CSDS delivers consistent, unified management through Juniper Security Director Cloud.

For management of vSRX and/or the VM that hosts the vSRX, the solution uses Junos Device Manager (JDM). The JDM is a virtualized root container that manages software components.

A Virtualized Network Function (VNF), such as a firewall or NAT function, is a consolidated offering that contains all the components required for supporting a fully virtualized networking environment. A VNF has network optimization as its focus.

JDM enables:

  • Management of guest VNFs during their life cycle
  • Installation of third-party modules
  • Formation of VNF service chains
  • Management of guest VNF images (their binary files)
  • Control of the system inventory and resource usage

vSRX, being a VNF, is managed by JDM in a similar way.

 

Product Options

Juniper’s CSDS Architecture is comprised of various components at the forwarding layer (MX routers line cards, software, support, etc.), services layer (SRX/vSRX firewalls, software, support, etc.) and an optional management layer (Juniper switches, Security Director Cloud/on-prem, software, support, etc.).

The solution also requires CSDS node licenses to be purchased and applied on all the SRX and vSRX firewalls that are deployed as part of this solution.

Table 1: List of CSDS node license SKUs

SKU #                Description
SRX-CSDS-C1-LIC-1    Node license for service device, Class 1 for 16C vSRX, 1 year
SRX-CSDS-C1-LIC-3    Node license for service device, Class 1 for 16C vSRX, 3 years
SRX-CSDS-C1-LIC-5    Node license for service device, Class 1 for 16C vSRX, 5 years
SRX-CSDS-C1-LIC-P    Node license for service device, Class 1 for 16C vSRX, perpetual
SRX-CSDS-C2-LIC-1    Node license for service device, Class 2 for SRX4300, SRX4600, 1 year
SRX-CSDS-C2-LIC-3    Node license for service device, Class 2 for SRX4300, SRX4600, 3 years
SRX-CSDS-C2-LIC-5    Node license for service device, Class 2 for SRX4300, SRX4600, 5 years
SRX-CSDS-C2-LIC-P    Node license for service device, Class 2 for SRX4300, SRX4600, perpetual
SRX-CSDS-C3-LIC-1    Node license for service device, Class 3 for 24C/32C vSRX, SRX4700, SRX5400, 1 year
SRX-CSDS-C3-LIC-3    Node license for service device, Class 3 for 24C/32C vSRX, SRX4700, SRX5400, 3 years
SRX-CSDS-C3-LIC-5    Node license for service device, Class 3 for 24C/32C vSRX, SRX4700, SRX5400, 5 years
SRX-CSDS-C3-LIC-P    Node license for service device, Class 3 for 24C/32C vSRX, SRX4700, SRX5400, perpetual
SRX-CSDS-C4-LIC-1    Node license for service device, Class 4 for SRX5600, SRX5800, 1 year
SRX-CSDS-C4-LIC-3    Node license for service device, Class 4 for SRX5600, SRX5800, 3 years
SRX-CSDS-C4-LIC-5    Node license for service device, Class 4 for SRX5600, SRX5800, 5 years
SRX-CSDS-C4-LIC-P    Node license for service device, Class 4 for SRX5600, SRX5800, perpetual

 

Ordering Information

To order Juniper’s CSDS Architecture solution, please visit: www.juniper.net/gb/en/how-to-buy/form.html.

Files uploaded to the cloud for processing are destroyed afterward to ensure privacy. The Juniper Networks privacy policy can be found on the product web portal at: www.juniper.net/gb/en/privacy-policy.html.

 

Juniper Networks Services and Support

Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/gb/en/products.html.

 

About Juniper Networks

Juniper Networks believes that connectivity is not the same as experiencing a great connection. Juniper's AI‑Native Networking Platform is built from the ground up to leverage AI to deliver exceptional, highly secure, and sustainable user experiences from the edge to the data center and cloud. Additional information can be found at juniper.net or connect with Juniper on X (formerly Twitter), LinkedIn, and Facebook.

 

1000797 - 001 - EN OCTOBER 2024