vSRX

Overview

Data centers increasingly rely on server virtualization to deliver services faster and more efficiently than ever before. But virtualization introduces a new set of security risks. Network and security professionals must perform a delicate balancing act, delivering the benefits of virtualization and cloud technologies without undermining the security of the organization.

This challenge can only be met by a new breed of security solutions that keep pace with evolving threats while matching the agility and scalability of virtualized and cloud environments—without sacrificing reliability, visibility or control.

The vSRX virtual firewall answers this challenge with a complete and integrated virtual security solution, including core firewall, robust networking, advanced security services at Layers 4–7, and automated lifecycle management capabilities for enterprises and service providers alike. Automated provisioning capabilities, enabled through Junos® Space Virtual Director, let you quickly and efficiently deploy scalable firewall protection to meet the dynamic needs of virtualized and cloud environments.

Features

• Extends proven SRX Series Services Gateway capabilities to virtualized and cloud environments.
• Delivers robust connectivity and routing features, including IPsec VPN, Network Address Translation (NAT) and advanced routing.
• Provides mission-critical reliability for business continuity, with support for stateful active/active and active/passive high-availability deployment options.
• Integrates virtualization-specific unified threat management (UTM), intrusion prevention system (IPS) and AppSecure 2.0 services for a comprehensive threat management framework.
• Automates the virtual machine (VM) lifecycle, from provisioning through decommissioning, with Junos Space Virtual Director.
• Centralizes security policy management across physical and virtual environments through Junos Space Security Director.
• Supports SDN and NFV via integration with Contrail, OpenContrail and third-party SDN solutions.

Junos: SRX 'set system ports console insecure' not functioning as expected (CVE-2015-3007)

Product Affected:

This issue affects the SRX Series services gateways running Junos OS 12.1X46-D15 and later releases.

Problem:

On SRX Series services gateways, the 'set system ports console insecure' feature does not work as expected. This feature is intended to prevent non-root users from performing password recovery using the console (see KB22619). This vulnerability may allow a non-root user with physical access to the console port to gain full administrative privileges.

This issue affects SRX Series services gateways only. No other Junos devices are affected.

This feature was first introduced in SRX 12.1X46-D15. Earlier releases are unaffected by this vulnerability.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2015-3007.

Solution:

The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D35, 12.1X47-D25, 12.3X48-D15, and all subsequent releases.

This issue is being tracked as PR 1016488 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:

Protect SRX Series services gateways from unauthorized console and/or physical access.

Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Next-gen vSRX firewall

Juniper’s new software evaluation program makes it easy for you to try vSRX and see for yourself how our newest next-generation firewall automates and scales with maximum control and efficiency.
All you have to do is download, install and put it to work for 60 days. If at the end of the trial period you want to purchase vSRX, there’s a simple conversion process—no need to re-install it!

Three Steps to Start Your vSRX Trial

1. Select your version of vSRX from the list below. (By clicking the link, you accept the Juniper End-User License Agreement.)
2. Log into your Juniper user account to start the download. If you don't have an account, you can create one.
3. You have the option to download the trial license key to enable advanced security features, including UTM, IPS, and AppSecure, for 30 days.

Click here for instructions on how to install the license key.

Application Package	Release	Format	Size	File Date
vSRX (Formerly Firefly Perimeter) KVM Appliance Checksum MD5: 11a141629a3896f82cb65d65bceaefd5 SHA1: 6ff650b771fe966e56069c37b0958c737a477b96	12.1X47-D20	jva	233,339,238	09 Mar 2015
vSRX (Formerly Firefly Perimeter) Upgrade TGZ Checksum MD5: ffb80cebee8a685a25bc71fe1a910c49 SHA1: 40f0efc1aac9e2711e697563f66f0ba673eae75f	12.1X47-D20	tgz	231,821,106	11 Mar 2015
vSRX (Formerly Firefly Perimeter) VMware Appliance Checksum MD5: 5a992d618b8b40fa4a3cffd234636643 SHA1: ccbac5b5e4075384dc8657d9d4d0661a9f33e469	12.1X47-D20	ova	235,960,320	09 Mar 2015

Software	Release	Format	Size	File Date
Certificate Chain (Juniper Root Certificate chain file that allows you to validate the signed image) Checksum MD5: f4a12bbd4d3e775b817d50f8aafba702 SHA1: ee06bb219afa18cf6947b6cbcb8f92197dab973b	12.1X47-D20	pem	1,744	27 Aug 2014