Connected Security Distributed Services (CSDS) Architecture Datasheet
Download DatasheetProduct Overview
Traditional firewall approaches struggle to keep pace with the ever-expanding demands of modern networks as the chips and size of the appliance often constrain them. Traffic surges, new applications emerge, and the number of connected devices explodes, leaving your environment vulnerable.
Juniper’s Connected Security Distributed Services (CSDS) Architecture delivers a revolutionary new hyperscale network security solution. Elastically scale your security on demand, adding new capacity and firewalls to the pool in minutes, not days. Manage everything from a single, intuitive console to simplify complex network security and free your IT team to focus on strategic initiatives. Juniper’s CSDS ensures your security scales seamlessly alongside your business, keeping you protected in today's dynamic threat landscape.
Product Description
Traditional firewalls struggle to keep pace with network growth, leading to performance bottlenecks and management complexity. Juniper's CSDS Architecture offers a revolutionary solution.
CSDS breaks the mold by decoupling forwarding and security services. This allows you to leverage your existing Juniper MX Series Routers for intelligent packet forwarding and load balancing while offloading security functions to distributed Juniper SRX Series Firewalls. This unique design delivers:
- Unmatched scalability: Effortlessly add security firewalls as needed, eliminating limitations of traditional chassis-based systems
- Simplified management: Manage your entire security infrastructure from a single point, regardless of the number of firewalls deployed
- Enhanced reliability: Multi-path redundancy ensures uninterrupted security, even if individual network elements experience issues
- Cost-effectiveness: Optimize resource utilization by offloading security tasks from your MX routers, potentially reducing hardware investment
Juniper Security Director Cloud seamlessly integrates with CSDS, providing a unified user experience for configuration, upgrades, and orchestration. This simplifies security management and streamlines operations.
Security services at your fingertips:
- Offload critical security functions like stateful firewalls, IPSec VPNs, and CGNAT to dedicated SRX firewalls
- Achieve granular control with flexible load balancing options like ECMP/Consistent Hashing or TLB
- Maintain a stateless MX core, maximizing forwarding performance and scalability
- Leverage Multi-Node High Availability (MNHA) of SRX Firewalls to keep sessions active during operations (like upgrades) or individual network downtime
CSDS is the future of network security, empowering you to:
- Securely scale your network to meet ever-growing demands
- Simplify security management and reduce operational overheads
- Achieve cost-effective security without compromising performance
Architecture and Key Components
Network security struggles to keep up with growth, but Juniper's CSDS Architecture solves this by offering scalability, simplified management, and flexibility.
Decoupling for Agility
CSDS changes the game by fully separating forwarding and security services. This allows you to leverage your existing Juniper MX Series routers as intelligent forwarding engines and load balancers. Security functions are then offloaded to distributed Juniper SRX firewalls. This design unlocks:
- Unmatched scalability: Effortlessly add SRX firewalls on demand, eliminating rigid chassis limitations and scaling seamlessly with your network
- Simplified management: Manage your entire security infrastructure from a single point, regardless of the number of deployed firewalls
Enhanced Reliability and Efficiency
CSDS delivers exceptional reliability with multi-path redundancy. Even if individual firewalls experience issues, traffic gets seamlessly rerouted, ensuring uninterrupted security. Additionally, by offloading security tasks from MX routers, SRX’s MNHA provides flow resiliency and CSDS optimizes resource utilization, potentially reducing hardware investment.
Seamless Integration and Unified Experience
Juniper Security Director Cloud permits organizations to easily leverage CSDS for integration with the existing operations workflow and providing a single pane of glass for configuration, upgrades, and orchestration. This streamlines security operations and simplifies management.
Security Services at Your Fingertips
CSDS offers a comprehensive suite of security services, including:
- Stateful firewalls
- IPSec VPNs
- Carrier-Grade NAT (CGNAT)
These services are offloaded to dedicated SRX firewalls, ensuring optimal performance and security. With flexible load balancing options like ECMP/Consistent Hashing or TLB, you achieve granular control over traffic distribution.
Juniper’s CSDS Architecture delivers a distributed security solution with distinct layers, enabling scalability and simplified management:
1. Forwarding layer:
- MX Series routers act as the intelligent core, forwarding traffic and synchronizing configurations to the services layer
- MX Series routers are deployed in 1:1 redundancy for high availability
2. Services layer:
- SRX Series firewalls provide security services like Stateful Firewalls, IPSec VPNs, and CGNAT
- Multiple groups of SRX firewalls, potentially with different sizes and functionalities (e.g., one group for IPsec, another for NGFW) can coexist within the architecture
- Multi-Node High Availability (MNHA) of SRX Firewalls keep sessions active during operations (like upgrades) or individual network downtime
3. Optional distribution layer (large deployments):
- QFX Series switches provide additional ports and potentially different speeds/types when needed
- Layer acts as a switching fabric interconnecting all CSDS components
4. Management layer:
- Single point of management for the entire CSDS solution
- Management of security policies, objects, NAT, and all other services of all SRX firewalls
- Monitoring and management of the utilization of services layer devices (SRX firewalls)
This layered approach empowers you to scale security independently from forwarding capacity, ensuring a future-proof network.
Features and Benefits
Older security systems can't handle growing networks as well as they should. This can slow things down and make managing security a real headache. Juniper's CSDS takes a new approach by separating the jobs of sending data (forwarding) and keeping it safe (security). This innovative design makes CSDS easier to manage, keeps things running smoothly, and lets you build a security system that can handle whatever the future throws your way.
Unveiling Scalability and Performance
- Elastic scaling: CSDS breaks free from the limitations of traditional chassis-based firewalls. You can leverage existing MX Series routers for intelligent traffic forwarding and load balancing. Security functions are then offloaded to distributed Juniper vSRX or SRX firewalls. This modular approach allows you to effortlessly add new firewalls on demand, seamlessly scaling your security posture to meet evolving network requirements
- Optimized resource utilization: By offloading security tasks from MX routers, CSDS optimizes their forwarding performance. This efficient use of resources leads to lower overall security infrastructure costs
Simplified Operations and Management
- Unified management: CSDS eliminates the complexity of managing multiple security appliances. Juniper Security Director Cloud provides a single pane of glass for managing all your security services. This centralized console simplifies configuration, upgrades, and orchestration, saving valuable IT resources.
Built-in Resilience and Reliability
- Multi-path resiliency: CSDS ensures uninterrupted security with multi-path redundancy and load balancing. Even if individual firewalls encounter issues, traffic is automatically rerouted across available paths, maintaining a robust security posture
- Dead Peer Detection (DPD): CSDS leverages DPD to identify and handle unresponsive VPN peers. This proactive approach ensures optimal VPN tunnel performance and availability. (DPD is a mechanism used in IPsec VPNs to detect when a communication partner becomes unreachable)
Comprehensive Security Services
- Next-Generation Firewall (NGFW): CSDS offers advanced NGFW services, providing Layer 3 (L3) to Layer 7 (L7) security. By analyzing past communications and application behavior, NGFW dynamically controls new connection attempts, offering an extra layer of defense against sophisticated threats
- IPsec VPN: Establish secure communication channels with remote locations using high-performance IPsec VPNs within the CSDS architecture. The solution supports features like route-based VPNs, NAT-T (Network Address Translation – Translation), AutoVPN, and Remote Access VPN with Juniper Secure Connect
- Carrier-grade Network Address Translation (NAT): CSDS provides carrier-grade NAT functionality for translating private IP addresses to public addresses. This allows efficient use of limited public IP addresses and facilitates internet access for many devices on your network. The solution supports various NAT modes, including NAPT44 (Network Address and Port Translation 44), Persistent NAT, Address-Persistent NAT, Deterministic NAT44, NAT with Policy, and Hair-pinning
Deployment Flexibility
CSDS offers deployment options to suit diverse network requirements. You can choose from standalone MX routers with groups of standalone SRX/vSRX devices, MX routers in Active-Active redundancy mode with standalone SRX/vSRX devices, or MX routers in Active-Active redundancy mode with MNHA SRX/vSRX clusters. Regardless of your chosen deployment model, CSDS delivers consistent, unified management through Juniper Security Director Cloud.
For management of vSRX and/or the VM that hosts the vSRX, the solution will use Junos Device Manager (JDM). The JDM is a virtualized root container that manages software components.
Virtualized Network Functions (VNFs), such as a firewall or NAT functions, is a consolidated offering that contains all the components required for supporting a fully virtualized networking environment. A VNF has network optimization as its focus.
JDM enables:
- Management of guest VNFs during their life cycle
- Installation of third-party modules
- Formation of VNF service chains
- Management of guest VNF images (their binary files)
- Control of the system inventory and resource usage
vSRX being a VNF is managed by JDM in a similar way.
Product Options
Juniper’s CSDS Architecture is comprised of various components at the forwarding layer (MX routers line cards, software, support, etc.), services layer (SRX/vSRX firewalls, software, support, etc.) and an optional management layer (Juniper switches, Security Director Cloud/on-prem, software, support, etc.).
The solution also requires CSDS node licenses to be purchased and applied on all the SRX and vSRX firewalls that are deployed as part of this solution.
SKU # | Description |
SRX-CSDS-C1-LIC-1 | Node license for service device, Class 1 for 16C vSRX, 1 year |
SRX-CSDS-C1-LIC-3 | Node license for service device, Class 1 for 16C vSRX, 3 years |
SRX-CSDS-C1-LIC-5 | Node license for service device, Class 1 for 16C vSRX, 5 years |
SRX-CSDS-C1-LIC-P | Node license for service device, Class 1 for 16C vSRX, perpetual |
SRX-CSDS-C2-LIC-1 | Node license for service device, Class 2 for SRX4300, SRX4600, 1 year |
SRX-CSDS-C2-LIC-3 | Node license for service device, Class 2 for SRX4300, SRX4600, 3 years |
SRX-CSDS-C2-LIC-5 | Node license for service device, Class 2 for SRX4300, SRX4600, 5 years |
SRX-CSDS-C2-LIC-P | Node license for service device, Class 2 for SRX4300, SRX4600, perpetual |
SRX-CSDS-C3-LIC-1 | Node license for service device, Class 3 for 24C/32C vSRX, SRX4700, SRX5400, 1 year |
SRX-CSDS-C3-LIC-3 | Node license for service device, Class 3 for 24C/32C vSRX, SRX4700, SRX5400, 3 years |
SRX-CSDS-C3-LIC-5 | Node license for service device, Class 3 for 24C/32C vSRX, SRX4700, SRX5400, 5 years |
SRX-CSDS-C3-LIC-P | ode license for service device, Class 3 for 24C/32C vSRX, SRX4700, SRX5400, perpetual |
SRX-CSDS-C4-LIC-1 | Node license for service device, Class 4 for SRX5600, SRX5800, 1 year |
SRX-CSDS-C4-LIC-3 | Node license for service device, Class 4 for SRX5600, SRX5800, 3 years |
SRX-CSDS-C4-LIC-5 | Node license for service device, Class 4 for SRX5600, SRX5800, 5 years |
SRX-CSDS-C4-LIC-P | Node license for service device, Class 4 for SRX5600, SRX5800, perpetual |
Ordering Information
To order Juniper’s CSDS Architecture solution, please visit: www.juniper.net/us/en/how-to-buy/form.html.
Files uploaded to the cloud for processing are destroyed afterward to ensure privacy. The Juniper Networks privacy policy can be found on the product web portal at: www.juniper.net/us/en/privacy-policy.html.
Juniper Networks Services and Support
Juniper Networks is the leader in performance-enabling services that are designed to accelerate, extend, and optimize your high-performance network. Our services allow you to maximize operational efficiency while reducing costs and minimizing risk, achieving a faster time to value for your network. Juniper Networks ensures operational excellence by optimizing the network to maintain required levels of performance, reliability, and availability. For more details, please visit www.juniper.net/us/en/products.html.
About Juniper Networks
Juniper Networks believes that connectivity is not the same as experiencing a great connection. Juniper's AI‑Native Networking Platform is built from the ground up to leverage AI to deliver exceptional, highly secure, and sustainable user experiences from the edge to the data center and cloud. Additional information can be found at juniper.net or connect with Juniper on X (formerly Twitter), LinkedIn, and Facebook.
1000797 - 001 - EN OCTOBER 2024