Junos Security
Rob Cameron
Brad Woodberg
Patricio Giecco
Timothy Eberhard
James Quinn
Beijing · Cambridge · Farnham · Köln · Sebastopol · Tokyo
A Note Regarding Supplemental Files
Supplemental files and examples for this book can be found at http://examples.oreilly.com/0636920001317/. Please use a standard desktop web browser to access these files, as they may not be accessible from all ereader devices.
All code files or examples referenced in the book will be available online. For physical books that ship with an accompanying disc, whenever possible, we've posted all CD/DVD content. Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to .
Foreword
Glen Gibson
Product Line Manager, High Performance Security Systems, Juniper Networks
In early 2004, when I was the product manager for Firewall VPN systems at NetScreen Technologies, I remember saying to a coworker, "Juniper Networks should acquire us. It just makes sense. They could take advantage of our security expertise, and we could get access to their great routing technologies. And they've got some great chassis technology that we could take advantage of in our next-generation security systems. It would be a real win-win."
Little did I realize that discussions of the pending acquisition were already well underway. Within months, the acquisition of NetScreen Technologies by Juniper Networks was completed, and the combined teams were forging ahead on a plan to build a next-generation security system worthy of the pedigree of the two companies: NetScreen's award-winning, high-performance security systems and Juniper Networks' market-leading, high-performance carrier-class routers.
But in order to combine these technologies in an optimal manner, it was crucial to understand the environments into which these systems would be deployed. And we did exactly that. We went into the field and worked, and listened, and polled and tested, until we felt confident in our ability to deliver high levels of security, massive performance and scale, rock-solid high availability, and the robustness of the best carrier-class routing systems. The result of these efforts was the Juniper Networks SRX Series Services Gateways.
Having worked with hundreds of network designers, administrators, and operators over the intervening years, it's become apparent to me that no two networks are the same. There's truth to the saying, "Networks are like snowflakes; every one is different." Even comparing the network requirements and deployments of two similar companies (such as mid-sized manufacturing companies) consistently illustrates to me how differently various equipment and technologies can be deployed. So when I'm out in the field, the ever-present question remains: how do you build a successful, secure, high-performance network without following some vendor's cookie-cutter methodology? And my unswerving answer over the many years has never changed: by understanding the requirements of the network (capacity, performance, traffic types, and interconnects) and by understanding the equipment to be deployed, even if that takes some level of testing and qualification. In other words, you have to work at understanding what you really need, and what fits, and I think this book will help you to do that.
You also really need to follow best practices to ensure that the network deployment is successful. Any scale of network design and implementation is not an easy task, but to understand what is required and what equipment and technologies are available to satisfy those requirements, a methodical, carefully managed design process must be followed to ensure complete success. It's worth the time invested because following established best practices will secure your network. That's why in this book, from basic introduction, to policy management, to NAT, IPS, and much more, the authors strive to explain not only how these products work, but also how to get the most from them in various network deployments using best practices.
Junos Security discusses and clarifies the practical side of planning, configuring, deploying, and managing these advanced state-of-the-art Junos security systems in real, actual networks. The authors have drawn upon their many man-years of experience deploying thousands of security systems in networks around the world, in industries as diverse as financial services and manufacturing, to the largest wireless carrier networks in the world. It's been a time-intensive, hard-fought battle to document what they know, and what they do, but having worked alongside them, and having read what they have written, I can tell you that you are in for a delightful surprise. This book rocks.
Preface
Juniper Networks built the SRX Series as an answer to the network and security challenges of today that would be ready to scale and adapt to the inevitably larger and more complex demands of tomorrow. Security remains a huge and still growing challenge for any organization grappling with modern communication networks. Whether it is the explosion in traffic (good and bad), the growing complexity of data centers and cloud computing, or the menacing evolution of threats to that infrastructure, the days of the simple firewall are over. Something radically new was needed, and the SRX is leading the charge into a more secure future.
Junos Security is your guide to this brighter future. It readily answers the questions you have, will have, or may even hope to have. The SRX is one awesome beast that is up to matching your challenges whether they are firewalling, routing, NAT, deep inspection, encryption, or the mitigation of nearly any form of network attack.
How do you write about such a thing? Once upon a time, there were firewall books, or routing books, or even data center deployment books. But today, this one book is here to illuminate the elaborate hybrid workings of this next-gen networking marvel. Add to that the fact that the SRX platform has multiple models across two quite distinct device classes covering everything from the smallest networks in the world to the very largest, along with the huge and legendary heritage of the Junos operating system, and you have more than enough material to fill many volumes of books.
Note
Writing a book of this magnitude was no easy task to undertake. In fact, it took five of the best SRX engineers in the world to accomplish it, collaborating for almost a year. Together they have many times more man-years of experience working with the SRX than the device has even existed, so they bring a real-world approach in this book that you can take away to your own work immediately.