
Introduction to the Flow on the SRX Security Platform

2010-05-20 11:36
1. Components

IOC: input/output card

NPC: Network Processing Card

SPC: Services Processing Card

SCB: Switch Control Board

RE: Routing Engine



2. Physical Packet Flow

1. A packet enters the security platform through the IOC.

2. The packet traverses the switch fabric from the IOC to the NPC. The NPC performs a flow lookup. If the packet belongs to an existing flow, the NPC forwards the packet to the SPC associated with the packet's session. If the flow does not currently exist, the NPC installs a new session for the flow and assigns the flow to an SPC for processing. The NPC also performs QoS, policing and shaping.

3. The packet traverses the switch fabric to its associated SPC, where security processing and forwarding or routing occurs.

4. The packet traverses the switch fabric back to an NPC, where additional packet processing such as shaping and QoS occurs.

5. The packet traverses the switch fabric to the IOC associated with the egress interface and travels to the attached physical medium.



3. Logical Packet Flow

1. The software applies stateless policing filters and CoS classification to the packet at the ingress.

2. If the packet is not dropped, the software performs a session lookup to determine whether the packet belongs to an existing session. Junos software matches on six elements of traffic information for this determination (source IP address, destination IP address, source port number, destination port number, protocol number, and a session token).

3. If the packet does not match an existing session, the software creates a new session for it. This process is referred to as the first-packet path. If the packet matches a session, the software performs fast-path processing.



Detailed logical packet flow

First-path processing

1. Based on the protocol used and its session layer (TCP or UDP), the software starts a session timer. For TCP sessions, the default timeout is 30 minutes. For UDP sessions, the default timeout is 1 minute. These values are the defaults, and you can change them.

2. The software applies firewall SCREEN options

3. If destination NAT is used, the software performs address allocation

4. Next, the software performs the route lookup. If a route exists for the destination prefix, the software takes the next step. Otherwise, it drops the packet.

5. The software determines the packet's incoming zone by the interface through which it arrives. The software also determines the packet's outgoing zone by the forwarding lookup.

6. Based on the incoming and outgoing zones, the corresponding security policy is determined and a security policy lookup takes place. The software checks the packet against the defined policies to determine how to treat the packet.

7. If source NAT is used, the software performs address allocation

8. The software sets up the ALG service vector

9. The software creates and installs the session. Furthermore, the software caches the decisions made for the first packet into a flow table, which subsequent packets of that flow use.

10. The packet now enters the fast-path processing.
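The session lookup and first-path/fast-path split described above, as an added example written for these notes (not Junos code): a flow table keyed on the six match elements, with the first packet of a flow going through a policy lookup and its decision cached for later packets, and with the default TCP (30 min) and UDP (1 min) timeouts from the notes. The session token, the policy callback and the single-direction key are simplifying assumptions.

```python
from dataclasses import dataclass

# Default session timeouts in seconds, as given in the notes; configurable on the SRX.
DEFAULT_TIMEOUT = {"tcp": 30 * 60, "udp": 60}


@dataclass(frozen=True)
class FlowKey:
    """The six elements Junos matches on for a session lookup."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    session_token: int  # assumption: an opaque routing-instance token


@dataclass
class Session:
    key: FlowKey
    timeout: int
    last_seen: float
    decision: str  # policy result cached by the first-packet path


class FlowTable:
    def __init__(self, policy):
        # policy is a hypothetical callable(FlowKey) -> "permit" | "deny"
        self.policy = policy
        self.sessions = {}

    def lookup(self, key, now):
        """Return the live session for key, expiring it if its timer ran out."""
        s = self.sessions.get(key)
        if s is not None and now - s.last_seen < s.timeout:
            s.last_seen = now  # refresh the session timer
            return s
        if s is not None:
            del self.sessions[key]  # timed out: next packet takes the first path
        return None

    def process(self, key, now):
        """Return (path, decision) for one packet arriving at time now."""
        s = self.lookup(key, now)
        if s is not None:
            return "fast-path", s.decision  # cached decision, no policy lookup
        decision = self.policy(key)  # first-packet path: full policy lookup
        if decision == "permit":
            self.sessions[key] = Session(key, DEFAULT_TIMEOUT[key.protocol], now, decision)
        return "first-path", decision
```

A denied first packet installs no session, so every retry of a denied flow takes the first path again, which is also why screens and policy logging fire on the first packet rather than on every packet of an established flow.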



Fast-path processing

1. The software applies firewall SCREEN options

2. The software performs TCP checks

3. The software applies NAT

4. The software applies an ALG

5. The software applies packet forwarding features, which include the following:

a. Stateless packet filters

b. Traffic shaping by packet

c. Packet encapsulation and transmission