Quite often, I teach courses on Junos. As I’m sure Juniper blog readers are well aware, Junos has the most powerful CLI an engineer can wish for. So when (and it happens during nearly every course) the question pops up, “Should we use CLI or GUI to configure the device?” I’ve grown accustomed to giving my standard answer, “Real men don’t click.”
Sure, there have always been exceptions for specific tasks like configuring lots of policies on an SRX. Or, back when ScreenOS was the thing, it was okay to click for policies and VPN, but not on an SRX. I guess this is why, now, I’ve had to muster some courage to write this blog . . . and acknowledge that I may have been wrong.
My change of heart grew slowly over the last year. It started with the new, useful, and workable versions of Junos Space and its applications coming out. The more I looked into Space, the more I got over my “NSM and Junos” trauma. One of the past disadvantages of the SRX Series is disappearing—as central management is now possible in a nice way. Add to that the new pricing strategy (Junos Space/Security Director/Network Director are now affordable, even for smaller end users), and you’re there. The time to click is coming.
I recently started working on a project where an enterprise with two data centers—one in London and the other in Amsterdam—saw the light and decided to buy SRX 1400s. The London data center is the active one; Amsterdam is the backup. The policies on the two 1400 clusters should be synchronized. While the network engineer in charge of the SRXs would be very pleased to hand over some of the more standard policy maintenance tasks to the helpdesk, the helpdesk people have to work with lots of different devices from many vendors, and that’s just not feasible at this time.
My first suggestion had been to replace everything with Juniper. Unfortunately, and for reasons still unclear to me, they opted to stick with Cisco/HP switching. That’s when I started talking about Space and Security Designer. Since this company already uses VMware infrastructure, setting up a demo with Space was rather easy. It took them no time at all to decide to buy a license.
I do still believe you need to understand the CLI and the concepts of policies and VPNs when you are responsible for the administration of the device. But using Security Director can make your life easier, especially when dealing with larger numbers of devices and VPN connections. Using one set of address objects certainly reduces the possibility of mistakes in this area due to outdated objects on a device. Applying templates might make it way easier to add new devices with consistent configuration.
While we’re not all the way there yet with Space, I’m seeing progress. Logging and reporting, which are still separated from management, are being addressed, and I hope a link between log entries and policies will be made soon. It’d be nice to be able to click on a log entry and switch to the policy that’s responsible for this entry. And I’d also like to have some reports on application tracking and firewalling . . . so we will see.
What’s more, and in addition to all this on security, I recently read some things about SDN and Contrail. It looks like the CLI will get lots of competition in infrastructure as well. Junos Space might have to be renamed to JCCP soon–for Junos Central Clicking Point. In the meantime, it’s looking like I have to find another slogan in CLI/GUI discussions. Suggestions are welcome!
