Understand SRX Services Gateway Flow Processing

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

In TCP/IP, a flow is defined as a set of packets that shares the same values in a number of header fields. The SRX enforces security policy by processing the flow of packets through the device. Therefore, flow processing is an important concept in SRX configuration and management.

The SRX actually does many complex things before it looks at the established security policies (rules), and a lot depends on whether the SRX has already seen the flow (session). If so, a great deal of information about the flow already exists and is installed on the SRX.

When there is no match for the session, the SRX subjects the packet to first path processing. If the packet header fields match an installed session, the SRX subjects the packet to fast path processing (about half the steps of first path processing).

Also, rules called policers are applied to the packets as they enter the SRX. These policers determine if the packet should be processed further or not. (On the output side, rules called shapers are applied to determine if and when the SRX should send the packet.)


The major SRX flow processing steps are as follows:

  1. Pull the packet from the input interface queue.

  2. Apply policers to the packet.

  3. Perform stateless (that is, non-flow) packet filtering.

  4. Decide on first path or fast path.

  5. Filter the packet for output.

  6. Apply shapers to the packet.

  7. Transmit the packet.

Policing, shaping, and stateless filtering are things that almost any router can do. The real value of the SRX is in the first path and subsequent fast path flow processing.

Here are the steps for first path flow processing:

  1. Perform a screen check.

  2. Perform destination or static destination NAT to substitute one set of packet header address information with another.

  3. Perform route lookup to determine the next hop.

  4. Find destination interface and zone.

  5. Look up firewall policy.

  6. Perform NAT lookup to substitute address information.

  7. Set the application layer gateway (ALG) services vector (fields).

  8. Apply intrusion detection and prevention (IDP), VPN, or other services.

  9. Install the new session in the SRX.

Here are the steps for fast path flow processing:

  1. Perform screen check.

  2. Perform TCP header and flag checks.

  3. Perform route lookup and NAT translation.

  4. Apply ALG services.

  5. Apply IDP, VPN, and other services.

All security flow processing begins with a screen check. In the SRX, a screen is a built-in (but tunable) protection mechanism that performs a variety of security functions. The tuning can adjust the screen protections for small enterprise or large carrier networks, from the network edge to the internal core. Screens detect and prevent many kinds of malicious traffic, such as denial-of-service (DoS) attacks.

Screen checks take place before other security flow processing in an attempt to eliminate issues before attacks can make a mess of the other steps. Screen checks dig deeper into the packet and flow than firewall filters and allow the SRX to block large and complicated attacks. On high-end SRX models, many of the screen checks take place in hardware, close to the ingress interface.

Notice that even if the flow session is established and the fast path is used instead of the first path, the screen check still takes place. Malicious traffic can still try to piggyback on an established flow, and the SRX can still block and drop mid-session packet attacks.

Screens are evaluated on inbound traffic and are grouped into screen profiles. Great care is required when changing or creating new screens, because they can have serious and unintended side effects.

You can use the alarm-without-drop keyword to detect traffic that would be caught by a screen profile without actually dropping it. This allows you to test the screen profile without affecting live traffic.
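As an added example (not from the original page), here is a Junos set-style configuration that builds a screen profile, binds it to a zone, and uses alarm-without-drop to observe matches before enforcing drops; the profile name untrust-screen, the zone name untrust, and the SYN-flood thresholds are assumed values.

```junos
## Added example: screen profile in test mode. alarm-without-drop makes
## every screen match raise an alarm and update counters without dropping.
set security screen ids-option untrust-screen alarm-without-drop
## Packet-level checks (malformed or crafted packets).
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp land
## Flow-level SYN-flood protection; thresholds are assumed, tune per network.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
## Bind the profile to the zone; screens are evaluated on traffic entering it.
set security zones security-zone untrust screen untrust-screen
commit

## Operational mode: review what the profile would have dropped
## (prefix with "run" if issued from configuration mode).
show security screen statistics zone untrust

## Once the counters and alarms look as expected, enforce the profile.
delete security screen ids-option untrust-screen alarm-without-drop
commit
```

Because screens run at the start of both the first path and the fast path, the counters reflect matches on new and established sessions alike, so leave the test keyword in place long enough to cover normal peak traffic before removing it.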