Security
Security is top-of-mind, especially right here where Juniper experts share their insights on the latest security trends and breakthroughs
Distinguished Expert
Real Men Might Be Clicking Soon
Jan 27, 2014

Quite often, I teach courses on Junos. As I’m sure Juniper blog readers are well aware, Junos has the most powerful CLI an engineer can wish for. So when the question pops up (and it happens during nearly every course), “Should we use CLI or GUI to configure the device?”, I’ve grown accustomed to giving my standard answer: “Real men don’t click.”

 

Sure, there have always been exceptions for specific tasks like configuring lots of policies on an SRX. Or, back when ScreenOS was the thing, it was okay to click for policies and VPN, but not on an SRX. I guess this is why, now, I’ve had to muster some courage to write this blog... and acknowledge that I may have been wrong.

 

My change of heart grew slowly over the last year. It started with the new, useful, and workable versions of Junos Space and its applications coming out. The more I looked into Space, the more I got over my “NSM and Junos” trauma. One of the past disadvantages of the SRX Series is disappearing—as central management is now possible in a nice way. Add to that the new pricing strategy (Junos Space/Security Director/Network Director are now affordable, even for smaller end users), and you’re there. The time to click is coming.

 

I recently started working on a project where an enterprise with two data centers—one in London and the other in Amsterdam—saw the light and decided to buy SRX 1400s. The London data center is the active one; Amsterdam is the backup. The policies on the two 1400 clusters should be synchronized. While the network engineer in charge of the SRXs would be very pleased to hand over some of the more standard policy maintenance tasks to the helpdesk, the helpdesk people have to work with lots of different devices from many vendors, and that’s just not feasible at this time.

 

My first suggestion had been to replace everything with Juniper. Unfortunately, and for reasons still unclear to me, they opted to stick with Cisco/HP switching. That’s when I started talking about Space and Security Designer. Since this company already uses VMware infrastructure, setting up a demo with Space was rather easy. It took them no time at all to decide to buy a license.

 

I do still believe you need to understand the CLI and the concepts of policies and VPNs when you are responsible for the administration of the device. But using Security Director can make your life easier, especially when dealing with larger numbers of devices and VPN connections. Using one set of address objects certainly reduces the possibility of mistakes in this area due to outdated objects on a device. Applying templates might make it way easier to add new devices with consistent configuration.

 

While we’re not all the way there yet with Space, I’m seeing progress. Logging and reporting, which are still separated from management, are being addressed, and I hope a link between log entries and policies will be made soon. It’d be nice to be able to click on a log entry and switch to the policy that’s responsible for this entry. And I’d also like to have some reports on application tracking and firewalling... so we will see.

 

What’s more, and in addition to all this on security, I recently read some things about SDN and Contrail. It looks like the CLI will get lots of competition in infrastructure as well. Junos Space might have to be renamed to JCCP soon, for Junos Central Clicking Point. In the meantime, it’s looking like I have to find another slogan in CLI/GUI discussions. Suggestions are welcome!

 


 

 


 

Jan 27, 2014
Juniper Employee

Logging & Reporting, integrated into Security Director, will be available in Q2, and it will include the ability to jump to a Policy from a Log. Customizable Reports will also be available.

 

Alan Newman

SBU PLM

Jan 28, 2014
Distinguished Expert

Alan: You are my favorite Juniper employee of the month!

Jan 30, 2014

Screenie,

 

Fantastic article! I'm working on drafting up a few in regards to Space. I love the product, and have been using it every day for the past 2 years. We pretty much jumped in feet-first when it initially came out.

Jan 30, 2014
Keith Dennis

I have to say Junos Space is a welcome interface for the enterprise. I love the product, though I will need tons of practice and experience to become comfortable with moving around the GUI. It is one piece that was consistently requested, so I hope it continues to be improved in the future. I am not so sure it is that intuitive, especially when you have to jump to a new menu for something that appears should have been logically placed in one menu. But again, with practice I am sure it will become easily understood. Great write up on the Product.

Feb 1, 2014
tgatewood

When you say it's more affordable, what all do you have to buy now for a VM based deployment? It looks like the js-secdir-10 is under a grand, but do I still have to buy a Space virtual appliance to get a testbed going? Thanks for info you got!

Feb 2, 2014
Distinguished Expert

Hi Tgatewood,

 

Yes, you still need to license the virtual appliance and the application(s) you want to use. But the price for the virtual appliance is just a few hundred dollars. The actual pricing depends on the discounts you're getting from your reseller. Just ask for prices and don't forget support/maintenance.

Feb 2, 2014
tgatewood

Michel, thanks for the info, I'll get in touch with our SE.  It used to look like it was going to be a fair bit of cash to get a small deployment going, but this sounds hopeful now.

Feb 10, 2014
syed Parvez

What is the least we have to buy if I just want to manage two SRX firewalls with Junos Space??
