Slashdot Mirror


Configuring Juniper NetScreen & SSG Firewalls

r3lody writes "Configuring Juniper Networks NetScreen & SSG Firewalls (CJNNSF), written and edited by Rob Cameron of Juniper, is an ambitious attempt to provide a comprehensive approach to configuring Juniper’s flagship line of firewall appliances. Unfortunately, there are a large number of errors in the presentation that distract and detract from its mission. CJNNSF is Rob Cameron’s second book. Helping him are six contributing writers: Matthew Albers and Mike Swarm of Juniper, and security consultants Ralph Bonnell, Mohan Krishnamurthy Madwacher, Brad Woodberg, and Neil R. Wyler. Collectively they have produced a book with a lot of in-depth information that will prove extremely useful to anyone working with Juniper devices. It suffers from an apparent lack of proper editorial oversight. Numerous examples exist of inconsistent styles, bad grammar, notes to other authors that were inadvertently left in, etc. Nonetheless, the actual content still makes this book worthwhile." Read below for the rest of Ray's review.

Configuring Juniper Networks NetScreen & SSG Firewalls
author: Rob Cameron (Editor)
pages: 745
publisher: Syngress
rating: 5/10
reviewer: Ray Lodato
ISBN: 1597491187
summary: Provides fairly complete configuration details, but needs a lot of cosmetic improvement.

The progression through the book is well thought out and builds nicely from previous chapters. Each chapter starts with its own introduction, and ends with a summary, a “fast-track” bulleted list of highlights, and a small FAQs section.

Throughout much of the book, the reader is presented with a set of amateurish figures and tables. While the content is there, the presentation is reminiscent of high-school papers. I found myself wondering why the publisher didn't spend more time cleaning up the book to provide a more finished look. Another item that shows a lack of editorial oversight was the inclusion of a note from one author to another that was apparently left in the text by mistake (see the Solutions Fast Track at the end of chapter 5 to see what I mean). I was amused to see this exchange carried over to the duplication of the book online on the Books24x7 website.

I was upset to see some inaccuracies in the text. One key example is mistaking the TCP sequence number for a packet counter instead of a byte counter. When I read that, I began to mistrust the accuracy of the rest of the book. Thankfully, the Juniper-specific information appears accurate. A more in-depth technical review should have caught such an obvious error.
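To make the point concrete: a TCP sequence number counts bytes of sequence space, not segments. The following Python script is an added example (not code from the book or from Juniper) that builds a constructed, one-direction TCP stream, parses the 20-byte headers with `struct`, and tracks how the counter moves. A 100-byte segment advances it by 100, an empty ACK advances it by 0, and SYN and FIN each consume exactly one; a retransmitted segment shows up as a sequence number that does not match the expected value, which is the same check a firewall's TCP state tracking performs. All port numbers, the initial sequence number and the payloads are constructed sample values.

```python
import struct

# Minimal 20-byte TCP header: src, dst, seq, ack, data-offset/reserved, flags, window, checksum, urgent
TCP_HDR = struct.Struct("!HHIIBBHHH")
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
SEQ_MOD = 1 << 32  # sequence numbers are 32-bit and wrap around


def build_segment(seq, flags, payload=b"", src=40000, dst=443):
    """Pack a header-only TCP segment (no options, checksum zeroed) followed by payload.
    Used only to construct sample data for this example."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return TCP_HDR.pack(src, dst, seq, 0, data_offset, flags, 65535, 0, 0) + payload


def parse_segment(raw):
    """Unpack the fields we need; honour the data offset so options, if present, are skipped."""
    _, _, seq, _, off, flags, _, _, _ = TCP_HDR.unpack_from(raw)
    return seq, flags, raw[(off >> 4) * 4:]


def sequence_consumed(flags, payload):
    """Sequence space a segment uses: its payload bytes, plus one each for SYN and FIN.
    A bare ACK with no payload consumes nothing, so it does not move the counter."""
    return len(payload) + bool(flags & SYN) + bool(flags & FIN)


def track_stream(segments):
    """Replay one direction of a connection in capture order.
    Returns (trace, anomalies): trace holds (seq, consumed, next_expected) per segment;
    anomalies lists (seq, expected) for segments whose seq is not the expected value,
    which is how retransmissions and out-of-order segments show up."""
    expected = None
    trace, anomalies = [], []
    for raw in segments:
        seq, flags, payload = parse_segment(raw)
        consumed = sequence_consumed(flags, payload)
        next_seq = (seq + consumed) % SEQ_MOD
        if expected is None or seq == expected:
            expected = next_seq
        else:
            anomalies.append((seq, expected))
        trace.append((seq, consumed, next_seq))
    return trace, anomalies


def demo_stream(isn=1000):
    """Constructed client-to-server segments (not a real capture): SYN, 100 bytes of data,
    a bare ACK, 4 more bytes, FIN, then a retransmission of the first data segment."""
    return [
        build_segment(isn, SYN),
        build_segment(isn + 1, ACK | PSH, b"X" * 100),
        build_segment(isn + 101, ACK),                   # empty ACK: a packet, but no bytes
        build_segment(isn + 101, ACK | PSH, b"QUIT"),
        build_segment(isn + 105, ACK | FIN),
        build_segment(isn + 1, ACK | PSH, b"X" * 100),   # retransmit of the second segment
    ]


def demo():
    """Run the tracker over the constructed stream."""
    return track_stream(demo_stream())


if __name__ == "__main__":
    trace, anomalies = demo()
    for seq, consumed, nxt in trace:
        print(f"seq={seq} consumed={consumed} next={nxt}")
    print("anomalies (seq, expected):", anomalies)
```

Six segments go by, but the counter only advances by 106: one for SYN, 100 and 4 for the two payloads, zero for the empty ACK, and one for FIN. The retransmission arrives with sequence number 1001 when 1106 is expected and is reported as an anomaly rather than advancing the counter again.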

While Chapter 2 provides valuable information comparing the various models of the NetScreen and SSG/ISG series of security devices, I did have a problem with the formatting of the tables. There are a few cases where I had to look at a table a few times before I realized that information wrapped from the last column back into the first. I also took exception to one statement in particular: ScreenOS is more secure than open source operating systems because the general public cannot inspect the source code for vulnerabilities. Huh? Isn’t one of the reasons open source is so secure that many eyes have been able to review it and refine it?

There are three ways to manage Juniper devices: the CLI, the WebUI, and NSM (NetScreen Security Manager). While NSM makes the most sense in an enterprise rollout, the book declared it outside its scope. This does limit the usefulness of the book a little, but much of the WebUI detail is replicated in the NSM, so you may not be missing too much.

Later chapters in the book do dig into most of the capabilities of the Junipers, with examples detailed enough to help you understand how to apply them to your own uses. Policy configuration, attack detection and defense, high availability and virtual systems all have their own detailed chapters. Each chapter provides a wealth of information, once you ignore the amateurish styling.

Overall, you can find most of what you would need to know to choose, configure, and manage Juniper firewalls after reading this book. Unfortunately, you will also find many confusing examples, tables, and formatting inconsistencies. So many times I found myself thinking that my high-schooler would have done a better job laying out this book and making sure the reader wasn’t disturbed by the overall look. Despite that, the actual content does make this worthwhile if you need to understand the Juniper line of devices. I just hope that Syngress and the authors will correct these problems and release a second edition of the book.

You can purchase Configuring Juniper Networks NetScreen & SSG Firewalls from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

35 comments

  1. Working for a Juniper reseller by Anonymous Coward · · Score: 3, Insightful

    And being tossed this book as my introduction to the topic, I have to agree with this assessment. Juniper's are great firewalls, but this book leaves much to be desired.

    (posted anon to avoid the wrath of my coworkers! ;)

    1. Re:Working for a Juniper reseller by Shadowruni · · Score: 1

      Since we read teh book too, we sorta, kinda, maybe understand how to capture your traffic and identify you....

      --
      "Chinese Amazons, power armor, laser swords.... things just meant to be." - Shampoo, A Very Scary Bet

    2. Re:Working for a Juniper reseller by morgan_greywolf · · Score: 1

      What do you expect? It's a vendor-written book. Most vendor-written books are packed with excellent technical information, but very poor presentation and bad editing.

      Case in point: Anything from Microsoft Press. *ducks*

    3. Re:Working for a Juniper reseller by Anonymous Coward · · Score: 0

      Just getting your digs in against MS, or has their quality actually fallen off? Code Complete is a very high quality book, very well-regarded, and from MS Press.

      Most things out of MS Press aren't written by MS people anyway.

    4. Re:Working for a Juniper reseller by Anonymous Coward · · Score: 0

      Agreed, this book's not so hot.. The ScreenOS Cookbook is much better... I know a couple of the authors, very smart guys..

  2. That book is utter shite ... by Anonymous Coward · · Score: 0

    ... I hope JNPR fired him before he could do more damage.

  3. pushing NAS/SAN like it's 2000 again by heroine · · Score: 1

    Why does it feel like the NAS/SAN startups are going to be the next round of layoffs, following AMD & Freescale.

    1. Re:pushing NAS/SAN like it's 2000 again by Anonymous Coward · · Score: 0

      Why Freescale? Seems to me it's just the opposite

      PS: I work there...

    2. Re:pushing NAS/SAN like it's 2000 again by maestro371 · · Score: 1

      How is this comment relevant to a book on firewalls?

    3. Re:pushing NAS/SAN like it's 2000 again by MrNaz · · Score: 2, Funny

      Why Freescale? Because I heard their employees spend too much time reading Slashdot. I was unable to find someone to corroborate this story though.

      --
      I hate printers.

  4. Published in 2006? by gatekeep · · Score: 2, Informative

    Is there a new edition of this book out or something? That ISBN dates to 2006 - an eternity in the world of security devices.

  5. Juniper Netscreen Book by David_Hart · · Score: 2, Insightful

    Personally, I have yet to find a good book on Juniper Firewalls, this one included. The only saving grace is that the Netscreen documentation provided by Juniper is excellent, a bit technical for someone just getting familiar with firewalls, but perfect for senior network professionals.

    David

    1. Re:Juniper Netscreen Book by maestro371 · · Score: 1

      Fully agreed. I used this book as a jumpstart for some of the more obscure functions of the Netscreen firewalls last year. Generally speaking a firewall is a firewall and the GUI is enough to get going. However, there are enough things not exposed (or not intuitively exposed) in the Netscreen GUI to make really digging into the CLI worthwhile. This book helped some with that.

      The basic errors in language and presentation, however, detract significantly from the overall experience. I would recommend this book only because it is the only book I've found on the topic that covers it in any detail. The execution is pretty shoddy.

      I'm just finishing another technical book which is the exact opposite in terms of execution. "Programming in C" by Stephen Kochan is a great example of how to write a technical book that is relevant, useful, and excellent. The writer for this Netscreen book would be wise to take a few lessons from Kochan.

  6. Madwacher? by andawyr · · Score: 1

    You couldn't *pick* a better name than that....

    Picture him playing 'bop-the-gopher' at the next local Fair :-)

  7. Amazing... by ZonkerWilliam · · Score: 1

    This article couldn't have better timing as I just inherited around 110 Juniper firewalls today.

    1. Re:Amazing... by JoeZeppy · · Score: 1

      This article couldn't have better timing as I just inherited around 110 Juniper firewalls today. Wow. Most people just have mutual funds in their retirement accounts.

  8. Netscreen is pretty crappy by Anonymous Coward · · Score: 0

    Given that Juniper's main documentation and configure manuals for the Netscreens are inconsistent, and inaccurate, I'm not shocked a published book is. If you find yourself needing to configure a netscreen, I'd recommend giving up, and getting better hardware.

    1. Re:Netscreen is pretty crappy by PONA-Boy · · Score: 1

      So, do you (or anyone) have alternative recommendations for firewall appliances?

      --
      +that's funny...I don't FEEL tardy.+

    2. Re:Netscreen is pretty crappy by l8f57 · · Score: 1

      A few years ago, I was responsible for approximately 120 Netscreen firewalls. We had about 115 Netscreen 5xt's, 2 x 208's and 3 x 204's.

      I found them to be pretty good overall. They are far faster than comparably priced Cisco kit, and the few times that I've needed to use their support, I found them to be able to solve my problem quickly.

      Due to a change in management (we decided to go with a telco-provided MPLS network), we have scaled back dramatically on the number of devices, but we are still using a 1/2 dozen or so 5xt's, and all of the 200 series hardware.

      If anybody wants to purchase a bunch of 5xt's, reply here (it will need to be somewhat official) - they are currently sitting in my office taking up space.

      At this point if I had to choose between a Netscreen, and a Pix (we have a couple of these as well), I would pick the Netscreen.

    3. Re:Netscreen is pretty crappy by David_Hart · · Score: 1

      Crappy?

      I've worked with Cisco PIX, Shiva Lanrover VPN devices, and Checkpoint firewalls. Of the bunch Juniper is the most powerful and easiest to implement.

      Granted, I started working with the Juniper firewalls on the SSG-520 platform running version 5.4 of the ScreenOS. So, prior equipment and versions could very well have been poor...

      But for my money, today, I'd recommend the Juniper SSG platform.

      David

    4. Re:Netscreen is pretty crappy by BitterOak · · Score: 1

      Actually, their hardware/software is outstanding. But I agree. Their documentation is crap.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?

    5. Re:Netscreen is pretty crappy by jbrown313 · · Score: 1

      After working with PIX's, Checkpoints, Netscreens and Fortigates, I would go for Checkpoints every single time, given the exorbitant amount that Checkpoints cost. I find the Netscreen web GUI really oddly put together (but administration consoles for any firewall take getting used to), and have seen them go flaky after a couple of months of uptime (dropping random packets to ports, etc.) with the only solution a restart.

      The Checkpoints (especially the IPSO based Nokia boxes) are rock solid, and packed with features (if you want to pay that high price). We have several of these boxes (IP 330's, IP 350's, IP 390's) that have been running great for years with no issues. We push a hell of a lot of traffic through them, and don't get the issues we've seen with some Netscreens.

      The Fortigates got off to a bad start with us - they do weird things too, especially when they're clustered. The GUI is really slick, but sometimes too many features just get in the way of what you want to get done.

      The PIX's are really nice too, and seem to "just work". I've less experience with these than the others, but I'd go for a PIX over a Netscreen any day.

    6. Re:Netscreen is pretty crappy by kjs3 · · Score: 1

      AC posting with no specifics. Lame troll.

  9. Oh dear by superskippy · · Score: 0

    Two hours later. 18 posts. Not the most popular slashdot story of all time is it? Editors, you've done it again!

    1. Re:Oh dear by bvankuik · · Score: 1

      That goes to show you that there aren't a whole lot of Slashdot readers knowledgeable enough to comment on this matter. And as much as this sounds like a troll, in other topics there might be more comments but that doesn't necessarily mean more knowledgeable people, just more people thinking it's worth chiming in.

    2. Re:Oh dear by Slashdot+Suxxors · · Score: 1

      There's a difference in having enough knowledge of the article and the article itself being interesting enough to comment on.

    3. Re:Oh dear by bvankuik · · Score: 1

      Yeah, I agree with you. Reading back, my comment sounded a little pompous. What I really wanted to say is that when I sometimes intimately know a subject, I'm amazed that half of the +5 comments are vague speculations, half-truths or even plain wrong... :-/

  10. Juniper Lee security? by MindPrison · · Score: 1

    ...Keeping monsters out of your network. Great! Oh wait.... That's on Cartoon Network...

    --
    What this world is coming to - is for you and me to decide.

  11. you need a book by Anonymous Coward · · Score: 0

    Juniper has the lamest UI ever. overly complicated, 90's style interface. have 2 netscreens both going in garbage.

  12. Old news by Anonymous Coward · · Score: 0

    This book was published in 2006, what's the point?

  13. You should check out the "ScreenOS Cookbook" by edwardd · · Score: 1

    I haven't read this one yet, but the ScreenOS Cookbook is amazing. I've worked closely with a couple of the authors, and they've taken a very pragmatic, recipe approach to configuring Netscreen firewalls. This book is very concise with numerous real-world examples that will certainly apply in many environments.

    1. Re:You should check out the "ScreenOS Cookbook" by maestro371 · · Score: 1

      This one popped up on my Amazon "recommended" list. I'll definitely be snagging it; the reviews look great.

  14. Re:What's wrong with Windows Firewall? by Shadowruni · · Score: 1

    that's all you need, n00bs I can say with Server 08 ... it is all you really need... but then again n00bs can't install it.

    --
    "Chinese Amazons, power armor, laser swords.... things just meant to be." - Shampoo, A Very Scary Bet

  15. This sucks. by lullabud · · Score: 2, Insightful

    The Juniper manuals are about the worst I've ever read, with very confusing examples. That this book has confusing examples too is really frustrating. I absolutely *love* Juniper firewalls for the features I understand, but the problem is that they are very difficult to understand when the manuals suck. Bleh.

    At least the SSG VPN's were easy to figure out.