In what executives call its second most important technology release of the year behind Ethernet switches, Juniper Networks unveiled a series of gateways Monday that house high-performance network routing, multiple security functions and network access control (NAC), all running on a single operating system.
Some partners hail the product as progressive, but acknowledge that there could be an uphill battle convincing customers to migrate their existing networks to the new unified strategy.
Most networking companies layer in separate boxes for various security functions and routing throughout the network. Others cram them all into one chassis with each running on a different operating system, causing latency, Juniper execs said.
"The conundrum in the industry has been, 'Do I want security or speed?' But it's imperative to have both," said Mark Bauhaus, Juniper's executive vice president of service layer technologies. "We're taking unnecessary layers out of the network."
The SRX 5600 and 5800 Dynamic Gateways -- which use the new Dynamic Services Architecture -- have a group of I/O cards and a pool of services cards that enable routing, firewall, intrusion prevention, virtual private network and NAC. Each card can be customized with services requested by the user. The architecture has a dedicated management engine and a terabit-speed fabric.
Juniper says the firewall in the 5800 gateway is the fastest in the industry, scaling up to more than 120 Gbps, while the 5600 firewall scales to 60 Gbps. The SRX 5800 can also be configured to support more than 400 Gbps interfaces with choices of Gigabit Ethernet or 10 Gigabit Ethernet ports.
"This is an architecture that allows users to scale up and add services over time," said Michael Frendo, senior vice president of high-end security systems.
With this release, Juniper is aiming to address the strain on security architecture that has emerged since users have become increasingly distributed, applications more centralized and data centers more consolidated.
"Many have reacted by saying we should do away with the firewall, but this is flawed thinking. The firewall is not the problem, but rather how the firewalls are deployed and scaled," said Forrester Research analyst Robert Whiteley. "That's where I think Juniper is doing well. [With SRX] companies can migrate the firewalling function away from the perimeter -- which is not protecting applications anyway -- and push it back into the data center where the applications and data reside."
The SRX release is also Juniper's attempt to unify its disparate portfolio sets -- the core carrier and enterprise routing/switching lines and the security products that came through the 2004 acquisition of NetScreen. The SRX could additionally unify the Juniper channel, bringing security-focused partners into the high-performance networking portfolio fold, Bauhaus said.
Basing the SRX series on the JUNOS operating system is part of an overall strategy to move all Juniper equipment to one system. The NetScreen products run on a separate operating system. Juniper is using the unified operating system approach to attack competitors like Cisco Systems that employ multiple systems.
"We've seen customers with hundreds of operating systems in the same network," Frendo said.
For the channel, the SRX leaves room for adding services and capacity over time, as well as customization for vertical markets when it comes to compliance and security. But even from the initial sale, partners can provide customized design for each box depending on the user's need.
"There is a separate [pool of] I/O and service processing. So you can have a lot of I/O or a lot of services," Frendo said. "You can start with 10 [Gbps] and over time grow to over 100 either in I/O or services."
Partners see the potential, but say it could take a while.
"This is a positive step. The biggest hurdle we have is the adoption of the customer base," said Jason Gress, president of Juniper partner InterVision Systems Technologies in Santa Clara, Calif. The feeling is that customers won't rip and replace and will instead have to integrate the SRX slowly. "There is still going to be a split portfolio to come."
On a dog-and-pony-show stop in New York City, executives outlined a few strategies for getting SRX boxes into customers' high-performance networks. There is, of course, the approach of selling the boxes into green-field projects or companies that are acquiring and building out branch offices.
But beyond that, partners can sell the gateways as a solution for one specific purpose and then scale them up to address other needs over time.
"[The user] could say, 'I need performance in a production environment' and then over time they migrate," Bauhaus said, adding that partners can also sell SRX boxes as a way to consolidate firewalls and later add routing or security services.
Gress said the SRX boxes are a perfect fit for InterVision, which has a full networking portfolio, but it may be more difficult for Juniper partners that are strictly security-oriented.
"I think they are going to struggle to support an operating system that has been primarily related to routing. The security partners don't always have network engineers, so convergence is going to create some anxiety," Gress said. "You don't have to do a rip-and-replace on all the NetScreen product; you can run them together. Eventually, the NetScreen product will be replaced."
On the upside, Gress added, "If they're not in that [networking] space, this is a new opportunity for them to pick up additional market share." That's exactly what Juniper is banking on.
In the long term, Gress said a unified approach like the SRX series will pick up speed when it addresses lower-end products.
"We'll be really excited when that comes to fruition," he said.
The SRX 5600 and 5800 dynamic services gateways are available now. The SRX 5600 chassis starts at $65,000 while the list price of the SRX 5800 chassis starts at $68,000. Services processing cards and I/O cards start at $100,000.