Configuring Juniper NetScreen & SSG Firewalls

r3lody writes "Configuring Juniper Networks NetScreen & SSG Firewalls (CJNNSF), written and edited by Rob Cameron of Juniper, is an ambitious attempt to provide a comprehensive approach to configuring Juniper’s flagship line of firewall appliances. Unfortunately there are a large number of errors in the presentation that distract and detract from its mission. CJNNSF is Rob Cameron’s second book. Helping him are six contributing writers: Matthew Albers and Mike Swarm of Juniper, and security consultants Ralph Bonnell, Mohan Krishnamurthy Madwacher, Brad Woodberg, and Neil R. Wyler. Collectively they have produced a book with a lot of in-depth information that will prove extremely useful to anyone working with Juniper devices. It suffers from an apparent lack of proper editorial oversight. Numerous examples exist of inconsistent styles, bad grammar, notes to other authors that were inadvertently left in, etc. Nonetheless, the actual content still makes this book worthwhile." Read below for the rest of Ray's review.

Configuring Juniper& Networks NetScreen& & SSG Firewalls
author	Rob Cameron (Editor)
pages	745
publisher	Syngress
rating	5/10
reviewer	Ray Lodato
ISBN	1597491187
summary	Provides fairly complete configuration details, but needs a lot of cosmetic improvement.

The progression through the book is well thought out and builds nicely from previous chapters. Each chapter starts with its own introduction, and ends with a summary, a “fast-track” bulleted list of highlights, and a small FAQs section.

Throughout much of the book, the reader is presented with a set of amateurish figures and tables. While the content is there, the presentation is reminiscent of high-school papers. I found myself wondering why the publisher didn't spend more time cleaning up the book to provide a more finished look. Another item that shows a lack of editorial oversight was the inclusion of a note from one author to another that was apparently left in the text by mistake (see the Solutions Fast Track at the end of chapter 5 to see what I mean). I was amused to see this exchange carried over to the duplication of the book online on the Books24x7 website.

I was upset to see some inaccuracies in the text. One key example is mistaking the TCP sequence number as a packet counter instead of a byte counter. When I read that, I began to mistrust the accuracy of the rest of the book. Thankfully, the Juniper-specific information appears accurate. A more in-depth technical review should have caught such an obvious error.

While Chapter 2 provides valuable information comparing the various models of the NetScreen and SSG/ISG series of security devices, I did have a problem with the formatting of the tables. There are a few cases where I had to look at a table a few times before I realized that information wrapped from the last column back into the first. I also took exception to one statement in particular: ScreenOS is more secure than open source operating systems because the general public cannot inspect the source code for vulnerabilities. Huh? Isn’t one of the reasons why open source is so secure is that many eyes have been able to review it and refine it?

There are three ways to manage Juniper devices: the CLI, the WebUI, and NSM (NetScreen Security Manager). While NSM makes the most sense in an enterprise rollout, the book declared it outside its scope. This does limit the usefulness of the book a little, but much of the WebUI detail is replicated in the NSM, so you may not be missing too much.

Later chapters in the book do dig into most of the capabilities of the Junipers, with examples detailed enough to help you understand how to apply it to your own uses. Policy configuration, attack detection and defense, high availability and virtual systems all have their own detailed chapters. Each chapter provides a wealth of information, once you ignore the amateurish styling.

Overall, you can find most of what you would need to know to choose, configure, and manage Juniper firewalls after reading this book. Unfortunately, you will also find many confusing examples, tables, and formatting inconsistencies. So many times I found myself thinking that my high-schooler would have done a better job laying out this book and making sure the reader wasn’t disturbed by the overall look. Despite that, the actual content does make this worthwhile if you need to understand the Juniper line of devices. I just hope that Syngress and the authors will correct these problems and release a second edition of the book.

You can purchase Configuring Juniper& Networks NetScreen& & SSG Firewalls from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Working for a Juniper reseller

[Anonymous Coward]

And being tossed this book as my introduction to the topic, I have to agree with this assessment. Juniper's are great firewalls, but this book leaves much to be desired.

(posted anon to avoid the wrath of my coworkers! ;)

Re:

[Shadowruni]

Since we read teh book too, we sorta, kinda, maybe understand how to capture your traffic and identify you....

Re:

[morgan_greywolf]

What do you expect? It's a vendor-written book. Most vendor-written books are packed with excellent technical information, but very poor presentation and bad editing.

Case in point: Anything from Microsoft Press. *ducks*

Re:

[Shadowruni]

that's all you need, n00bs

I can say with Server 08 ... it is all you really need... but then again n00bs can't install it.

pushing NAS/SAN like it's 2000 again

[heroine]

Why does it feel like the NAS/SAN startups are going to be the next round of layoffs, following AMD & Freescale.

Re:

[MrNaz]

Why Freescale? Because I heard their employees spend too much time reading Slashdot. I was unable to find someone to corroborate this story though.

Re:

[maestro371]

How is this comment relevant to a book on firewalls?

Published in 2006?

[gatekeep]

Is there a new edition of this book out or something? That ISBN dates to 2006 - an eternity in the world of security devices.

Juniper Netscreen Book

[David_Hart]

Personally, I have yet to find a good book on Juniper Firewalls, this one included. the only saving grace is that the Netscreen documentation provided by Juniper is excellent, a bit technical for someone just getting familiar with firewalls, but perfect for senior network professionals.

David

Re:

[maestro371]

Fully agreed. I used this book as a jumpstart for some of the more obscure functions of the Netscreen firewalls last year. Generally speaking a firewall is a firewall and the GUI is enough to get going. However, there are enough things not exposed (or not intuitively exposed) in the Netscreen GUI to make really digging into the CLI worthwhile. This book helped some with that.

The basic errors in language and presentation, however, detract significantly from the overall experience. I would recommend this

Madwacher?

[andawyr]

You couldn't *pick* a better name than that....

Picture him playing 'bop-the-gopher' at the next local Fair :-)

Amazing...

[ZonkerWilliam]

This article couldn't have better timing as I just inherited around 110 Juniper firewalls today.

Re:

[JoeZeppy]

This article couldn't have better timing as I just inherited around 110 Juniper firewalls today.

Wow. Most people just have mutual funds in their retirement accounts.

Re:

[PONA-Boy]

So, do you (or anyone) have alternative recommendations for firewall appliances?

Re:

[l8f57]

A few years ago, I was responsible for approximately 120 Netscreen firewalls. We had about 115 Netscreen 5xt's, 2 x 208's and 3 x 204's.

I found them to be pretty good overall. They are far faster than comparably priced Cisco kit, and the few times that I've needed to use their support, I found them to be able to solve my problem quickly.

Due to a change in management (we decided to go with a telco-provided MPLS network), we have scaled back dramatically on the number of devices, but we are still using

Re:

[David_Hart]

Crappy?

I've worked with Cisco PIX, Shiva Lanrover VPN devices, and Checkpoint firewalls. Of the bunch Juniper is the most powerfull and easiest to implement.

Granted, I started working with the Juniper firewalls on the SSG-520 platform running version 5.4 of the ScreenOS. So, prior equipment and versions could very well have been poor...

But for my money, today, I'd recommend the Juniper SSG platform.

David

Re:

[jbrown313]

After working with PIX's, Checkpoints, Netscreens and Fortigates, I would go for Checkpoints every single time, given the exhorbitent amount that Checkpoints cost. I find the Netscreen web GUI really oddly put together (but administration consoles for any firewall take getting used to), and have seen them go flakey after a couple of months of uptime (dropping random packets to ports, etc.) with the only solution a restart.

The Checkpoints (especially the IPSO based Nokia boxes) are rock solid, and packed wit

Re:

[BitterOak]

Actually, their hardware/software is outstanding. But I agree. Their documentation is crap.

Re:

[kjs3]

AC posting with no specifics. Lame troll.

Oh dear

[superskippy]

Two hours later. 18 posts. Not the most popular slashdot story of all time is it? Editors, you've done it again!

Re:

[bvankuik]

That goes to show you that there aren't a whole lot slashdot readers knowledgable enough to comment on this matter. And as much as this sounds like a troll, in other topics there might be more comments but that doesn't necessarily mean more knowledgable people, just more people thinking it's worth chiming in.

Re:

[Slashdot Suxxors]

There's a difference in having enough knowledge of the article and the article istelf being interesting enough to comment on.

Re:

[bvankuik]

Yeah I agree with you. Reading back, my comment sounded a little pompous. What I really wanted to say is that when I sometimes intimitely know a subject, I'm amazed that half of the +5 comments are vague speculations, half-thruths or even plain wrong... :-/

Juniper Lee security?

[MindPrison]

...Keeping monsters out of your network. Great! Oh wait.... Thats on Cartoon Network...

You should check out the "ScreenOS Cookbook"

[edwardd]

I haven't read this one yet, but the ScreenOS Cookbook is amazing. I've worked closely with a couple of the authors, and they've taken a very pragmatic, recipie approach to configuring Netscreen firewalls. This book is is very concise with numerous real-world examples that will certainly apply in many environments.

Re:

[maestro371]

This one popped up on my Amazon "recommended" list. I'll definitely be snagging it; the reviews look great.

This sucks.

[lullabud]

The Juniper manuals are about the worst I've ever read, with very confusing examples. That this book has confusing examples too is really frustrating. I absolutely *love* Juniper firewalls for the features I understand, but the problem is that they are very difficult to understand when the manuals suck. Bleh.

At least the SSG VPN's were easy to figure out.