Trusted Expert
Posts: 784
Registered: ‎11-01-2007

Security Design Discussion

Migrating from another thread

Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Actually, I couldn't care less what they add after I've seen Space SD. By the time NSM 2012.1 will be released, we will also see Space Security Design 12.1, which will be ready for prime time (well, 12.2 and 12.3 will be the real deal, but 12.1 looks very promising already). The only thing that really really bugs me about Space is the lack of logging. If anyone is interested in switching from NSM to Space in the future, you better also ask for STRM pricing.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 168
Registered: ‎08-02-2010

Re: Want some examples why NSM is a piece of junk?

Interesting, I read the latest release notes on Space:
• Lightweight logging: Release Candidate Test, with support for single node 11.4 only.
Disabled by default

This led me to believe they were going for Space logging.
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

I had a chat with a product manager and he said they might add some lightweight logging but I shouldn't hold my breath - it's not officially on the roadmap for any 12.x release. He said logging is just too much stress and doesn't scale well if you think of the massive amount of logs that the SRX is able to produce. They are thinking of integrating with STRM somehow. That "single node" stuff is just odd. Typical Juniper.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
Posts: 64
Registered: ‎04-06-2009

Re: Want some examples why NSM is a piece of junk?

Hello Community,

It is out.

Security Design 12.1 requires Space Platform 12.1.

I'm in the process of choosing management software between AlgoSec/Tufin and Junos Space. Let's check it out.

Regards,

Alexey
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Did anyone find the release notes for Security Design 12.1? I didn't....
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 784
Registered: ‎11-01-2007

Re: Want some examples why NSM is a piece of junk?

http://www.juniper.net/techpubs/en_US/junos-space12.1/junos-space-security-design-sub-index.html (it's a bit buried...we're discussing fixing that)

 

Does anyone object if I split this thread to a new discussion? The topic is revolving around Security Design vs NSM (NSM comments can continue on the original thread, but customers might otherwise miss important Security Design discussion)

 

-Keith

Trusted Contributor
Posts: 330
Registered: ‎01-08-2010

Security Design Discussion


Sounds like a good idea to me...

 

[Automate note: Good, as I had to hijack your response so subsequent replies thread properly ;) ]

Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Sure, split it off. Makes sense. Thanks for the link to the release notes!
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

I need a helping hand getting this installed. I am at home with a Mac OS X machine, with a choice of VMware Fusion or Parallels Desktop. Neither supports the OVF file format of the virtual appliance version. I tried VMware's ovftool to convert it, but that tool is throwing errors at me:

Virtual machine has 8192 megabytes of memory, which is outside the range of 4 to 3600 megabytes supported on the host. This may be a general limitation of the host software, or specific to the guest OS selected for the virtual machine.

My Mac has 32 GB of RAM so it must be the tool.

Any thoughts? Could I just use the image version of Space which is designated for USB stick installation on the physical hardware?

Thanks

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 784
Registered: ‎11-01-2007

Re: Want some examples why NSM is a piece of junk?

Use the --lax flag (will relax the OVF conversion) and you'll get a usable file. I love how it says "Completed with errors" when what it really means is "Abject failure".

:)

-Keith

Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Thanks Keith, much appreciated! Here is the result on my end using --lax:

 

reptilehouse:VMware OVF Tool sascha$ ovftool --lax /Volumes/data/Downloads/space-12.1R1.8.ova /Volumes/data/temp/temp/space12.1.vmx
Opening OVA source: /Volumes/data/Downloads/space-12.1R1.8.ova
Opening VMX target: /Volumes/data/temp/temp/space12.1.vmx
Warning:
 - Hardware compatibility check is disabled.
Writing VMX file: /Volumes/data/temp/temp/space12.1.vmx
Disk Transfer Completed                    
Completed successfully

 Worked like a champ. Let's see if VMWare Fusion will eat this.

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 784
Registered: ‎11-01-2007

Re: Want some examples why NSM is a piece of junk?

Up your processor cores (it defaults to 1 I think) and give it another or bigger drive before you start it.

 

-K

Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Done. Running with 4 cores, 8 GB RAM, second 130 GB hard drive. Going through first-time setup now and after that off to the couch. Cold German beer is waiting :) Cheers, Sascha
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

Couple of questions on the virtual appliance:

 

The OVF file uses VMWare hardware version 4 (quite old). Could we use newer versions instead (thinking 8)? Also, there are no VMWare tools installed in the virtual machine as far as I can tell. Can we install them to enhance performance?

 

Thanks

Sascha

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
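Added example, my code and not Juniper's or VMware's, tying together the memory error quoted earlier in the thread and the hardware-version question in the post just above. An OVA is an uncompressed tar archive whose first member is the OVF descriptor; the descriptor's VirtualSystemType (here "vmx-04") and its memory Item are what a converter validates against the target before writing a VMX, and that validation is the "hardware compatibility check" the --lax run above reports as disabled. The script builds a constructed OVA in memory with the same shape (vmx-04, one vCPU, 8192 MB), verifies the .mf manifest digests that OVA packages carry, reports the hardware the descriptor declares, approximates the memory check using the 3600 MB host limit from the quoted error, and shows that editing VirtualSystemType by hand invalidates the manifest. File names, disk bytes and digests are constructed; the hardware-version to memory-limit mapping is not encoded, only the limit the tool reported.

```python
"""Inspect and integrity-check an OVA before handing it to a converter.

Added example, not Juniper's or VMware's code. The OVA built here is
constructed: it mirrors the descriptor shape the thread implies (vmx-04,
one vCPU, 8192 MB) but file names, disk bytes and digests are made up.
"""
import hashlib
import hmac
import io
import re
import tarfile
import xml.etree.ElementTree as ET

NS = {
    "ovf": "http://schemas.dmtf.org/ovf/envelope/1",
    "rasd": "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData",
    "vssd": "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData",
}
CIM_PROCESSOR, CIM_MEMORY = "3", "4"  # CIM ResourceType codes used in OVF <Item>s

SAMPLE_OVF = b"""<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
  xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData">
  <References><File ovf:id="disk1" ovf:href="space-disk1.vmdk"/></References>
  <VirtualSystem ovf:id="space">
    <VirtualHardwareSection>
      <System><vssd:VirtualSystemType>vmx-04</vssd:VirtualSystemType></System>
      <Item><rasd:ResourceType>3</rasd:ResourceType><rasd:VirtualQuantity>1</rasd:VirtualQuantity></Item>
      <Item><rasd:ResourceType>4</rasd:ResourceType><rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
        <rasd:VirtualQuantity>8192</rasd:VirtualQuantity></Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)$")


def build_sample_ova():
    """Constructed OVA: descriptor first (as the OVF spec requires), then manifest, then disk."""
    disk = b"KDMV" + b"\x00" * 508  # placeholder bytes, not a real VMDK
    payload = {"space.ovf": SAMPLE_OVF, "space-disk1.vmdk": disk}
    manifest = "".join(f"SHA1({n})= {hashlib.sha1(b).hexdigest()}\n" for n, b in payload.items())
    members = [("space.ovf", SAMPLE_OVF), ("space.mf", manifest.encode()), ("space-disk1.vmdk", disk)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in members:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def read_ova(ova_bytes):
    """Member name -> bytes. An OVA is a plain uncompressed tar archive."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def verify_manifest(members):
    """File name -> True/False for every entry the .mf lists; a listed-but-missing file is False."""
    mf = [n for n in members if n.endswith(".mf")]
    if len(mf) != 1:
        raise ValueError("expected exactly one .mf manifest in the package")
    results = {}
    for line in members[mf[0]].decode("utf-8", "replace").splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if not m:
            continue
        algo, name, expected = m.groups()
        body = members.get(name)
        digest = hashlib.new(algo.lower(), body).hexdigest() if body is not None else ""
        results[name] = hmac.compare_digest(digest, expected.lower())
    return results


def describe_hardware(ovf_xml):
    """Hardware the descriptor declares: VirtualSystemType, vCPU count, memory in MB."""
    section = ET.fromstring(ovf_xml).find(".//ovf:VirtualHardwareSection", NS)
    hw = {"hw_version": section.findtext("ovf:System/vssd:VirtualSystemType", "", NS).strip(),
          "cpus": 0, "memory_mb": 0}
    for item in section.findall("ovf:Item", NS):
        rtype = item.findtext("rasd:ResourceType", "", NS).strip()
        qty = int(item.findtext("rasd:VirtualQuantity", "0", NS))
        if rtype == CIM_PROCESSOR:
            hw["cpus"] = qty
        elif rtype == CIM_MEMORY:
            units = item.findtext("rasd:AllocationUnits", "byte * 2^20", NS)
            hw["memory_mb"] = qty * 1024 if "2^30" in units else qty  # GB units vs MB units
    return hw


def hardware_issues(hw, host_max_mb):
    """Approximates the pre-conversion check that --lax disables: declared memory vs host range."""
    issues = []
    if hw["memory_mb"] > host_max_mb:
        issues.append(f"{hw['memory_mb']} MB declared under {hw['hw_version']}, host allows {host_max_mb} MB")
    if hw["cpus"] < 2:
        issues.append(f"{hw['cpus']} vCPU declared; raise it before first boot")
    return issues


def set_hardware_version(ovf_xml, new_version):
    """Rewrite VirtualSystemType in the descriptor. This invalidates the .ovf manifest digest."""
    pat = re.compile(rb"(<(?:\w+:)?VirtualSystemType>)[^<]*(</(?:\w+:)?VirtualSystemType>)")
    return pat.sub(lambda m: m.group(1) + new_version.encode() + m.group(2), ovf_xml, count=1)
```

The order of operations matters: verify the manifest on the package as downloaded, then read off what the descriptor declares, and only then decide whether to relax the converter's checks. A manifest mismatch on an untouched download is the point to stop, since the manifest is the only integrity check an unsigned OVA carries; a mismatch on the .ovf after you bumped VirtualSystemType yourself is expected and means the .mf needs regenerating (or the ova rebuilt) before anyone else consumes the package.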
Contributor
Posts: 39
Registered: ‎07-25-2011

Re: Want some examples why NSM is a piece of junk?

Any feedback thus far on the production release of Security Design, good, bad, or otherwise?

Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?


My feedback so far on Security Design (and only that, I am not speaking about the whole Space platform) is this: It's a huge step forward. The interface is so much better than NSM. It's fast, it's easy, it's less complex, it's modern. It has a fantastic search engine built in (think Google for your address objects, firewall rules etc.). People knowing other firewall management systems will feel right at home. It has some very nice features.

I immediately fell in love with the object merger, which finds duplicates and offers to merge them into a single object. This is great for "housekeeping". I also like the fact that you can export and import objects in CSV format, which is great for bulk operations. Automatic device re-sync is another feature I noticed. If you enable that, it will automatically re-import devices that you have configured out-of-band (e.g. through the CLI). No more competing configs!

It's those little details that give you the impression that Juniper have done their homework.

Security Design has an option to import your NSM configuration. I tried it and it worked really well. Do a database export on NSM, import the resulting xdiff file into Space and voila, you have all your objects and firewall policies. Really well done.

The fact that the user interface is basically HTML doesn't feel like a drawback. The interface is quick, even on 500+ rule policies. I am not a web expert, but I guess they are using things like AJAX or HTML5. You do have right-click context menus everywhere. The only thing that is missing compared to a native GUI client is drag and drop support. Maybe that's coming at a later date, who knows (and it never really worked in NSM anyway).

Note that these observations were made in a lab and not in a production environment. I can't say much about actual device management, although the process of pushing firewall and NAT policies to devices seemed straightforward.

There are a couple of things that I am missing though:

Space does not have a logging module, which is a huge drawback in my eyes. People with high-end SRXes are probably logging to STRM or something else anyway, but as usual, Juniper does not seem to have the small to mid-size business in mind, who have limited resources and need an integrated solution. In my eyes, that's something Juniper really needs to address. Sooner rather than later.

The other thing I didn't quite like was the fact that you cannot manage "legacy" firewalls, e.g. ScreenOS (SSGs). There is a huge SSG install base out there and those devices are left in the dust. I really don't understand that move, given the fact that at least in Space 11.2 there was a ScreenOS adapter which let you manage those beloved "netscreens". I hope Juniper will allow this in future updates (the DMI schema repository in Space 12.1 still lists ScreenOS 6.3, so who knows....). ScreenOS support would also mean that migrations from ScreenOS to Junos could be made easier.

One other thing I believe needs improvement is device configuration outside of Security Design. If you open a device in Space you are basically presented with a raw XML tree of the device configuration. Not very intuitive and very tedious to work with. Need to change the IP address of 15 interfaces? You're in for a bad afternoon. That part basically looks the same as on NSM (although it is much faster in terms of interface responsiveness).

Oh, and one more little thing. It's really not important, but the design of Space looks a little dated in some areas. For example, you have dashboards with widgets that you can drag around like windows. The window borders are blown up and use fat gradient colors. This could use some cleanup. Make the whole design less fat, flatten it. But again, this is just eye candy so it's not important.

All in all I can say I am very impressed so far and despite the lack of logging and ScreenOS support, Space SD is a huge step up compared to NSM. In its current state (12.1) it already has the potential to completely replace NSM if you have a separate logging solution. In other words: I love it so far.

To Juniper: If you offer some sort of upgrade path for NSM users in terms of "special pricing", I think you can win back a lot of customers. I think NSM users deserve to get an upgrade to Space as in free beer. *hint*.

Cheers

Sascha

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
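Added example, my code and not Junos Space's, showing the object-merger and CSV bulk-operation ideas from the post above as a script you can run against an export: it groups address objects by canonical value (so a host object and its /32 network count as the same address), keeps the first object of each group as the survivor, rewrites the rules that referenced the duplicates, and emits a cleaned export for re-import. The CSV layouts, the object names and the rules are constructed for the demonstration; Space's real export columns are not assumed.

```python
"""Duplicate address-object finder for a CSV export, with rule rewriting.

Added example, not Junos Space code. The CSV layouts and every object and
rule in them are constructed for the demonstration.
"""
import csv
import io
import ipaddress

ADDRESSES_CSV = """name,type,value
web-01,ipv4-host,10.1.1.10
webserver1,ipv4-host,10.1.1.10
WEB_01,ipv4-network,10.1.1.10/32
db-net,ipv4-network,10.2.0.0/24
db_network,ipv4-network,10.2.0.0/24
dns-primary,ipv4-host,10.1.1.53
"""

RULES_CSV = """rule,source,destination,action
allow-web,any,web-01;webserver1,permit
allow-db,WEB_01,db_network,permit
allow-dns,any,dns-primary,permit
"""


def load_addresses(text):
    """name -> (type, value), in export order; that order decides which duplicate survives."""
    return {r["name"]: (r["type"], r["value"]) for r in csv.DictReader(io.StringIO(text))}


def canonical(kind, value):
    """Key used to decide 'same object'. A host and its /32 network normalise to one key."""
    if kind in ("ipv4-host", "ipv4-network", "ipv6-host", "ipv6-network"):
        return str(ipaddress.ip_network(value, strict=False))
    return f"{kind}:{value}"  # other object kinds (ranges, FQDNs) compared literally


def find_duplicates(addresses):
    """canonical key -> list of object names sharing it, only for groups with more than one."""
    groups = {}
    for name, (kind, value) in addresses.items():
        groups.setdefault(canonical(kind, value), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


def merge_plan(addresses):
    """old name -> surviving name. The survivor is the first member of each group in export order."""
    plan = {}
    for names in find_duplicates(addresses).values():
        for dup in names[1:]:
            plan[dup] = names[0]
    return plan


def rewrite_rules(text, plan):
    """Apply the plan to ';'-separated source/destination fields, dropping in-field repeats."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for field in ("source", "destination"):
            kept = []
            for name in row[field].split(";"):
                new = plan.get(name, name)
                if new not in kept:
                    kept.append(new)
            row[field] = ";".join(kept)
    return rows


def export_addresses(addresses, plan):
    """The cleaned address export: every object that is not being merged away."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["name", "type", "value"])
    for name, (kind, value) in addresses.items():
        if name not in plan:
            writer.writerow([name, kind, value])
    return out.getvalue()
```

Two caveats a practitioner would want before re-importing the result. Merging on value assumes the objects mean the same thing; two objects that happen to hold the same address today but were created to diverge later (a per-site placeholder, a staging copy) should be taken out of the plan by hand, so print the plan and review it rather than applying it blind. And the rules must be rewritten in the same change as the objects: importing an address export with the duplicates removed while policies still reference the old names leaves rules pointing at objects that no longer exist.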
Contributor
Posts: 39
Registered: ‎07-25-2011

Re: Want some examples why NSM is a piece of junk?

Thanks for the feedback, cryptochrome.  Your analysis is helpful, and luckily the drawbacks you mentioned aren't relevant to my installation (no legacy ScreenOS, and logging is taken care of). 

Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: Want some examples why NSM is a piece of junk?

It's worth checking out in any case. The virtual appliance version is set up in less than 10 minutes if you have ESX.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
Posts: 13
Registered: ‎01-21-2010

Re: Want some examples why NSM is a piece of junk?

Tried to use the Space 12.1 space-12.1R1.8.ova virtual appliance with VMware Workstation 6 (on a Windows XP station); when trying to open this .ova from VMware Workstation, I got the following error message: "Failed to query source for information".

Questions:

1) Can this VA run on VMware Workstation?

2) Any idea about this error message?