Juniper software. Part 1

-

 Intro

Juniper Networks
The Great Juniper Firewall is welcoming visitors
Over the last decades I was mostly working with routing and switching stack and corresponding protocols and techniques. OSPF, BGP, STP and MPLS were my best friends keeping me busy and feeding my family. What I am spending most of my time nowadays though are different pieces of software. When technologies seems to be stable, management, provisioning, orchestrating, and monitoring systems are booming around.  

This is an attempt to wade through what Juniper offers in this regards, particularly for Juniper SRX firewalls. List is probably not complete: 

  • J-WEB
  • Junos Space
  • Security Director Cloud
  • ATP cloud
  • Sky Enterprise
  • Apstra
  • Contrail
  • Mist

Being heavily involved in this project  Juniper & CTC I'm familiar with Mist only and had to search about the rest. Some of those above came from the Juniper Open Learning training, which by the way is a brilliant initiative. Some are used by my clients. Again the following is a very first glance just to answer those main questions:

  • What are devices\application supported?
  • Is it cloud \ on-prem \ hardware product?
  • When the first announce was and any EOL plans?
  • What is the main feature?

J-WEB. Juniper boxes built in WEB GUI.

Basically J-WEB is a build-in web interface on Juniper boxes. For the SRX firewall it gives you a dashboard with several widgets like interface traffic, security threats and events. The side menu contains "Monitor", "Device administration", Network", "Security Policies", and "Security Services". Most of CLI features are covered in GUI. 

Did not work with J-Web in the production, have a lab experience only. GUI doesn't look very intuitive, lots of menus and tabs. For system administrators managing their branch firewall without a strong CLI experience J-WEB could be a good option. Otherwise not sure what is it's value, as no features beyond CLI.

Junos Space. First attempt to build a Network Management Solution

Junos Space Network director
First release of Junos Space is dated as early as 2009, the current version is 23.1. Junos Space is a platform to run several tools like:
  • Junos Space Network Director–Enables unified management of Juniper Networks EX, QFX, QFabric, wireless LAN devices, and VMware vCenter devices in your network
  • Junos Space Security Director –Allows you to secure your network by creating and publishing firewall policies, IPsec VPNs, network address translation (NAT) policies, intrusion prevention system (IPS) policies, and application firewalls
  • Junos Space Services Activation Director–Collection of the following applications that facilitate automated design and provisioning of Layer 2 VPN and Layer 3 VPN services, configuration of QoS profiles, validation and monitoring of service performance, and management of synchronization
  • Junos Space Service Automation–End-to-end solution designed to streamline operations and enable proactive network management for Junos OS devices. 
  • Junos Space Virtual Director–Enables the provisioning, bootstrapping, monitoring, and lifecycle management of a variety of Juniper virtual appliances and related virtual security solutions
  • Junos Space Log Director–Enables log collection across SRX Series Firewalls and enables log visualization
It can be a physical appliance or a virtual machine. Devices are managed via SSH. Configuration can be schema based or templated. Claim to support RESTful API. Not bad for 2009.

Again never work with this one. Appears to be a first attempt to build an SDN by Juniper. A Security director moved to the cloud and now is part of a SASE Secure Edge. Service provisioning and automation was probably replaced with Contrail\Apstra. Eventually Mist will take them all.

Security Director Cloud. Step towards SASE

Announced in 2021 Security cloud director is inheriting it's old brother Security Director from Junos Space platform. It's a logical step to have a unified policy management from a single UI for all on-prem, cloud and FWaaS instances. 

Moving forward to SASE, Juniper Secure Edge was added to a collection in 2022, offering a Secure Web Gateway, Zero Trust Network Access, etc.

Juniper ATP cloud. The Cloud Sandbox

Announced in 2016 Sky ATP renamed later on into an ATP Cloud started as a sandbox. Now it provides a number of feeds addressing multiple threats. Look at that amazing picture below on how it works together with Security Director\ Security Director Cloud and Policy Enforcer to provide a solid security approach. 

Sky ATP doesn't generate a configuration to SRX devices per say. You have to enroll boxes to the service and buy a license. Free service is available with a limited functional. Once enrolled, Inspection profiles are pushed to the devices. Anti-malware policies have to be configured via CLI or Security Director to send a file or HTTPS\SMTP traffic in question to the cloud. Interested traffic is selected by referring to the inspection profile.  Threshold and default action to be set up in the policy.  Once inspected, ATP cloud is returning a verdict number. Threat prevention policy has to be configured and attached to the security policy to work with the verdicts and take an action.

Juniper Sky Enterprise. Catching up Meraki Dashboard

Around 2018 Sky Enterprise was announced as a comprehensive and simplified management solution for branch and small offices. It supports SRX, EX/QF campus switches, NFX appliances, centralized configuration management\backup and software management. True ZTP with new devices calling home is supported as well. Claimed to be an SDN with no Junos experience required. Multi tenancy and RBAC are also mentioned. Like the Meraki every device require a license to talk to Sky Enterprise. 

Unlike the Meraki, there is no Wireless solution as Juniper didn't have one at the moment. Mist Wireless monitoring was added later on, configuration is redirecting you to the Mist portal. Generally configuration appears to be device specific rather then abstracted to the site level. Tons of menus and tabs don't contribute to a simplicity. Comparing to Meraki there are much more features supported, but I would rather don't see them all at once and have an easy "Step 1-2-3" button instead.

They call it easy management
They call it easy management

Now the ugly. There is no SD-WAN feature in Sky Enterprise at all.  Still you can create IPSec tunnels between the branches though using a wizard. There is a "Custom SD-WAN" which looks like a direct internet access with application based routing and assurance. 

When with the Meraki you don't have a choice but buy a license, Juniper regular EX\SRX devices can still be configured the old way. Lack of a simple SD-WAN making Sky Enterprise even less attractive. Once Mist and 128T came to the game Sky Enterprise went to it's end even though it is still listed on Juniper web site as an SDN solution.


Место: Новая Шотландия, Канада

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

EDU-JUN-JMV lab on vMX. Part1.

-
Изображение
This time I'm going to continue my experiments with Juniper virtualMX I've started in this getting started post   It was written in Russian, but contains enough pictures and CLI issues which describe themselves. Now I'll cover how to set up Junos MPLS and VPN's labs with vMX. That may be useful for companies with a low education budget as a way to spread knowledge among staff. Objective I intend to solve two main tasks. Firstly, I have to deploy an appropriate topology in a virtual environment and accomplish two basic labs: Lab-1 and Lab-6 so as to prepare baseline configurations used in the rest of labs. Secondly, I must see that it works :) thus I will perform Lab-12 LDP based VPLS - my beloved technology. Physical topology. Almost physical) Let's take a diagram from site provides Juniper labs for rent  and make something similar. It will take two vMX - vr1 and vr2 for the core network and a couple vMX as two PE routers called mx...
Далее...

Cisco Policing and Shaping.

-
Изображение
Общая идея механизмов известна: установить контрактную скорость, считать пакеты, при превышении скорости полисер дропает лишние пакеты а шейпер копит в буфере.  Немного терминов. CIR – committed information rate. Контрактная скорость. Не надо забывать, что механизмы не от хорошей жизни. Их назначение в том, что при покупке полосы у провайдера вы должны отправлять пакеты максимум на этой полосе. Иначе они будут справедливо дропаться.  PIR – peak information rate. Переподписка! Провайдер вам продал полосу, но готов пропускать больше трафика (пока суммарно канал не загружен). Вероятность дропа как бы выше, для этого пакеты с рейтом выше CIR но ниже PIR часто помечают худшим маркером. Tc – time interval (measurement interval) . Фактически это время усреднения, интервал на котором будет отправлено пакетов столько, чтоб не превысить CIR. Bc – committed burst. Пакеты отправляются на физической скорости интерфейса. Так как за время Tc мы должны получить сре...
Далее...

Опять GRE. Мультикаст, MTU и мать всех статей.

-
Изображение
Поздравьте меня, я читаю курс ROUTE в Билайн-университете. Как всегда на каждую попытку поумничать прилетает пять возможностей сеть в лужу, много читать и думать. Вот например, зачем нам GRE  на туннелях?  Говорят без него не работают динамические протоколы. Проверяем: При этом туннель IPIP R1#sh run int tu1 Building configuration... Current configuration : 173 bytes ! interface Tunnel1  ip address 192.168.1.1 255.255.255.252  tunnel source Serial1/0   tunnel destination 20.0.0.1   tunnel mode ipip   tunnel protection ipsec profile CM end И даже зашифрованный IPSec`ом R1#sh int Tu1 Tunnel1 is up, line protocol is up   Hardware is Tunnel   Internet address is 192.168.1.1/30   MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,      reliability 255/255, txload 1/255, rxload 1/255   Encapsulation TUNNEL, loopback not set   Keepalive not set   Tunnel source 30.0.0.2 (S...
Далее...