Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

SPACE 11.4, security design

SPACE 11.4 is out, and with it the new and revamped Security Design. First impression is favorable: This moves away from the too-abstract model that SD used before.

 

I had to uninstall and then reinstall SD, as an upgrade from SD 11.1 left me with a version mismatch error. This is not a great loss, as the old SD was so very much unlike the new SD that I do not expect that anything meaningful would have carried over, anyway. A clean slate suits me just as well.

 

That said, I haven't gone and tried to use it in anger, yet. That will come when I have lab time, likely early February. In the meantime, feel free to use this thread to share your experiences with the newly born SD.

 

Trusted Contributor
Posts: 447
Registered: ‎11-11-2008
0 Kudos

Re: SPACE 11.4, security design

Just launched the new SD in the lab.  Impressions so far:

 

- Importing a device is poor

    - The XML configlet does not work (caused a crash loop on my SRX-100)

    - Had to manually add the lines that the configlet wanted to use (the stanzas weren't even right anyway).

 

- Once I had my SRX in there it seems OK.  Creating security policies and NAT are made in a nice screen kind of like NSM was.

 

- Making changes other than security rules or NAT to the device via Space has a LONG way to go.  Basically they just list all the options in a list.  If you know the CLI you can hack your way through making changes to the parts you need, but it's unusable to someone who is new to the platform.

 

I'll update later as I play with it more.

 

Thanks for starting the thread!

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: SPACE 11.4, security design

**bleep**. And I thought they would have learned something from the NSM disaster. How very disappointing to read this.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Contributor
Posts: 447
Registered: ‎11-11-2008
0 Kudos

Re: SPACE 11.4, security design

In Juniper's defense they do state it won't be ready for production until 12.1, but I don't see them making that big of a change in one version release.

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: SPACE 11.4, security design


Magraw wrote:

In Juniper's defense they do state it won't be ready for production until 12.1, but I don't see them making that big of a change in one version release.


Still.... After the disaster with NSM I really wonder why they release something that is obviously not even close to being finished. This doesn't even deserve a "beta" stamp. At best, this is pre-alpha. Not exactly what I would present to a broad audience.

 

This still seems VERY far away which means we need to live much longer with NSM.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Contributor
Posts: 447
Registered: ‎11-11-2008
0 Kudos

Re: SPACE 11.4, security design

Haha.  I feel your pain there.

Contributor
Posts: 196
Registered: ‎09-21-2010
0 Kudos

Re: SPACE 11.4, security design

I'm not sure what your issue was with importing devices, it's working fine for me....

Trusted Contributor
Posts: 447
Registered: ‎11-11-2008
0 Kudos

Re: SPACE 11.4, security design

Did you use the configlet?

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: SPACE 11.4, security design

So what are your impressions so far guys? Is it worth the time to install and check it out? Is it ready to really do something with it yet?

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Regular Visitor
Posts: 6
Registered: ‎12-08-2010
0 Kudos

Re: SPACE 11.4, security design

We have installed it and are trying to manage an SRX device.

 

What Space managed to do (and what I liked) is to configure 3 SRX in hub-n-spoke multipoint topology with NAT/dynamic IP support. That was nice and I like it. It can help not well qualified customers in deployment of new VPN services.

 

Still, we couldn't determine if it is possible to manage SRX from the ground: create zones and manage ALG. We also couldn't find anything about cluster management.

 

Have seen that it can manage even QFX with port templates (FC too).

 

But anyway it is too childish; it would be better if Space had a more straight and serious interface. CIOs and VIPs would not understand that the icon with a "fireplace and an RJ45 jack" means NAT config or that the Spy icon is VPN config! Could that cost 1M$?)) Ha-ha --

No.

 

10-15K$ -- yes.

Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: SPACE 11.4, security design

It's got some of the most common features ready. Less often-used features are not yet supported. Example: Route-based VPN yes; policy-based VPN to come.

 

Device-level configuration is done at the SPACE framework level, not the SD level. That's a bit cumbersome, for now.

 

I think it's a much better showing than previous efforts. I don't know that I'd be quite ready to use it in production, yet.

 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: SPACE 11.4, security design

how does it "feel" compared to NSM? is it a relief? is it quick and responsive? how about architectural differences? is it still java? do my colleagues need to learn something completely new or can they dive right in and feel at home? questions upon questions. I need to install this myself. I assume us beaten NSM customers get a free upgrade when it's ready. right?
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: SPACE 11.4, security design

It's not Java, it's web-based.

 

It's reasonably responsive for me, but I only use it in the lab and have no real load on it. It does support clustering, which allows you to add processing power.

 

Particularly with the device-level management (outside of what SD handles), people used to NSM will not be able to dive right in. I'd wait until device-based functionality is pulled into SD before thinking about deploying it in production.

 

Definitely, install it and play with it. If you'd like to see something that's less a work-in-progress, you'd want to wait another quarter or two before evaluating.

 

Free upgrades are between you and your Juniper rep. I'm not even going to speculate.

 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: SPACE 11.4, security design

thanks. how about the backend? I understand the frontend is now web based, but the backend? it is java on NSM (not just the gui, NSM itself is Java too).
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: SPACE 11.4, security design

Looks like there's Java, postgres and mysql under the hood.

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009
0 Kudos

Re: SPACE 11.4, security design


tbehrens wrote:

...postgres and mysql under the hood.


It's running two completely different SQL databases simultaneously?

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: SPACE 11.4, security design

At least the processes for both are running. Whether mysql is just running by default, or it is handling something completely unrelated to SPACE, or there are actually two DB engines in use - I wouldn't know.

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: SPACE 11.4, security design

can I install this baby in a virtual machine? just for testing of course....
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 353
Registered: ‎04-30-2010
0 Kudos

Re: SPACE 11.4, security design

Yes, there's a VM version of SPACE. Go to http://www.juniper.net/support/products/space/#sw, and you'll find an "image for virtual appliance" right at the top of the page.


SPACE without any additional license is free, and I have seen Juniper encourage all customers to use it just for the service modules it comes with.

 

For Security Design, you'll want the "Standard" package. Talk to your Juniper AE regarding a time-limited demo license.

 

The question is: Do you want to see the evolution of SD, or do you want to see a more functional product? If the latter, waiting until Q3 to demo SD on SPACE may make sense.

 

Super Contributor
Posts: 498
Registered: ‎03-29-2008
0 Kudos

Re: SPACE 11.4, security design

Is there any migration path from NSM to SPACE? I am thinking about nested groups in particular. SRX does support nested object groups since Junos 11.x, but NSM still does not. So if you use nested groups on NSM, it will actually push a non-nested config to the device. So how would we migrate firewall policies over to SPACE? Importing the device would only give us the non-nested version. Any thoughts on this? Is Juniper thinking about things like that?

Sascha
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860