As some readers may note, I have been using Juniper's SRX-110 as my home firewall for some time. It is a very cool piece of kit: extremely flexible, dynamic, and feature rich. In June, Brad Woodberg and Rob Cameron released the SRX bible. Juniper SRX Series, from O'Reilly Press, is over 1000 pages of tasty, richly written architectural and functional deep dive into the security platform. I was extremely keen to get my hands on this book well before it was scheduled to be published.
This book follows in the same pedigree as the Juniper MX Series book: a reference book which proves invaluable to engineers, architects, and solution engineers. What is great in Juniper books is that there is a topology defined from the outset. This point of reference allows readers to follow along with the authors. It also enables those with access to similar or the same hardware to actually bring up the labs. I have found it hard with some Cisco Press books to get my mind to adapt quickly to new topologies when in learning mode. This also leads to the point that I really like the diagrams, the fonts and the layout of the examples. Clear and easy to read is something that I really appreciate.
The technical breadth is phenomenal. Like the MX Series book, the SRX Series book is just as superb. The hardware breakdowns give insight into product placement, function, and role, with the reasons behind each model's hardware minimums and maximums. If you're a firewall-focused engineer or someone who needs to work on an SRX, this is for you. No matter if you're running a branch SRX or a DC SRX, you will find what you need. UTM, VPN, security zones, policies, module compatibility: it's all there.
One of the highlights of this book is the Best Practices section. Each topic covered or technology discussed in the book has a Best Practices section. A book could be published with just the best practices alone, as they are useful for anyone deploying the platform. Juniper does not have the equivalent of a Cisco SRND, so these tips are invaluable. Some of the best come around my weaker areas: IPsec VPNs and UTM. For example, it is best to use main mode under IKEv1, since otherwise identity information isn't obfuscated.
After being enlightened recently under the doctrine of Ed Horley, I am slowly becoming more aggressive about the ignorance of IPv6 by many people. The book unfortunately misses a dedicated chapter on this. Although IPv6 appears here and there (the NAT and IPsec chapters mainly), the term IPv6 is only found on 69 pages. I'd love to know in detail how the SRX handles v6 packets, what impact it has on hardware TCAM and other modules, and the SRX's place in v6-only networks. I could be a little harsh in raising this point, though it is becoming a personal bugbear of mine lately.
If you work on an SRX or are interested in the SRX, then this book is for you. This book is waiting to be devoured. The content in this book is designed to complement the Juniper Security book from a few years back. Armed with this book, you have a superb firewall reference to aid you when designing your next internet edge, DMZ, or national branch deployment.
Disclaimer: in my dealings with Johnny Konstantas and Ashton Bothman, I was asked if I would be interested in reviewing this book back in May. With a delay in getting copies (due to demand, I hope), I received a hardcopy of the book in late July. I was asked to consider a blog post on the book with my thoughts. My overall disclaimer is listed here. Thank you for considering me, Juniper.