Quick Intro to the Juniper SRX Series Security Services Gateway Part II

In this second installment of our quick intro (see part I), I thought I would cover some of the performance features of the SRX.  On this blog, I will be speaking primarily about the SRX 100 and SRX 210.  For obviously financial reasons, I will not be covering information on the higher models as I doubt I’ll be working on one of those any time soon.  Fortunately, one of the best features of the SRX series is that, unlike other platforms, the base functionality remains the same despite going to a higher model (e. g. SRX 500 or something).  This means that setting up, for example, an IPSEC VPN on a higher end SRX is the exact same as it would be for a 100 or a 210.  This is a tremendous advantage over competing platforms that require to you to learn an entirely new interface (GUI or command line) the higher up their line you go. 

Anyway, let’s get on with the performance metrics.

For the SRX 100:

Service

Capacity

Connections Per Second 2,000
Max Firewall Throughput 650 Mbps
Max IPS Throughput 60 Mbps
Max VPN Throughput 65 Mbps
Max Anti-virus throughput 25 Mbps
Max Concurrent Connections 16k (512MB) | 32K (1GB) **
Max Firewall Policies 384
Max concurrent users Unlimited
Max IPSEC VPN connections 128

For the SRX 210, we see about a 10% performance increase.

Service

Capacity

Connections Per Second 2,000
Max Firewall Throughput 750 Mbps
Max IPS Throughput 80 Mbps
Max VPN Throughput 75 Mbps
Max Anti-virus throughput 30 Mbps
Max Concurrent Connections 32k (512MB) | 64K (1GB) **
Max Firewall Policies 512
Max concurrent users Unlimited
Max IPSEC VPN connections 256

** All SRX models come in at least two modes:  Standard and High Memory.  The SRX 100 and SRX 210 both come standard with 512MB of RAM.  High memory mode gives them 1GB of RAM.  In order to use any of the Unified Threat Management (UTM) features (e. g. anti-virus, etc.) you MUST have the high memory mode model.  Furthermore, the SRX 100 can be upgraded from 512MB to 1GB by purchasing an unlock key; however, all other models are hardware locked – meaning they cannot be upgraded.  Therefore, it is the recommendation of this blog author that you always purchase the high memory mode model.  It may cost a few more bucks, but you always have the option of purchasing the UTM features later if you wish.  If you get the standard mode model, you cannot upgrade (unless it is the SRX 100) and you cannot use any of the UTM stuff.  I’ll be covering UTM in a later post.

Getting past that, those performance numbers aren’t bad.  Especially considering the high memory mode SRX 100 is $664.99 and the high memory mode SRX 210 is $944.99 from CDW according to the website as of today’s date. 

Speaking of the SRX 210, you can get additional features such as two Power Over Ethernet ports, but I’ll cover additional features part three. 

James

Follow-Up on Hyper-V Recommendations

Previously, I wrote a post about my recommendations for Hyper-V virtualization.  One of the key factors I spoke of was dynamic versus fixed virtual disks.  I also mentioned pass-through disks.  Specifically, I made two points:

  1. Do not use a dynamic disk with any relational database. This includes, but is not limited to: SQL Server, Oracle, DB2, Microsoft Exchange (yes, it uses a relational database to store your email based on the Jet Engine from Microsoft), and so forth
  2. Unless you have a bleeding need for speed (i.e. you run the New York Stock Exchange), do not go out of your way to use pass-through disks.

My friend Aidan Finn, Microsoft MVP for virtualization, recently wrote a post referencing another article that seems to confirm most of what I’m saying but also adds some other very important considerations.  You should check it out by way of Aidan’s excellent blog.

James

The Disconnect Between Big Consultants and Small Companies

I have the pleasure of knowing some outstanding people.  Many of them work for big companies and we share ideas all the time.  Some of these people are not employees, but are consultants.

When speaking with these individuals, I keep running across an interesting problem.  It’s clear to me none of them have ever worked with or for a truly small company before.  An example of a small company would be a doctor’s office with 1 – 5 providers.  Or perhaps a small billing center with only 20 or fewer employees.  You can tell they have never worked with such companies because when they make recommendations for how IT for the small company should be set up, you can watch the owners become horrified as the amount of money the consultant wants to spend goes up and up and up.  Big company consultants are rarely in touch with the budget constraints of small businesses. 

I was once on the phone with a consultant and was telling him about my IT setup at my job.  I mentioned that I had two Hyper-V hosts and about 8 virtual machines.  The consultant was dumbfounded when I explained that I did not have two redundant backup servers and was not managing my virtual machines using Microsoft System Center.  What the consultant did not understand was that the cost of two more servers and System Center would have easily doubled our upgrade costs which were already around $22,000 and the business owner would never have agreed to it.  I’m not saying the consultant’s ideas were bad ideas, they weren’t, just not in synch with the needs of a small business’s budget constraints. 

Many of the consultants, and even some sales reps, I know don’t seem to understand why they always lose their small business clients.  Small businesses just can’t throw around $50,000 on IT upgrades on a moment’s notice.  Yes, they will have to do without some of the nice redundancy and certainly most of the cool toys, but I would argue that most small businesses don’t need all that stuff.  They can handle a day’s downtime in most cases and a day’s lost data in most cases.  As long as they have good 24 hour backups, they are OK.  Yes, of course, losing a day’s worth of data would be painful, but it is far from the end of the world.  If anything, the consultants should explain the pros and cons of what the small business is getting for their money, rather than just expecting them to buy whatever is put on the table like the big boys do.

James

Quick Intro to the Juniper SRX Series Security Services Gateway

I’ve been using the Juniper SRX for a few months now and I have to say I like it.  They are FAST, cost effective, and get things done.  However, make no mistake that they do have a high learning curve.  Don’t think you’re going to jump into learning these things super fast like you did your Cisco or whatever counterpart.  For one thing, pretty much everything is done via command line.  Sure, they do have a graphical user interface, but no one uses it and the documentation doesn’t reference it that much.  In fact, in this blog I won’t even be covering the user interface.  We’ll be using command line only.

Here is a quick pic of the Juniper SRX Series Security Services Gateway, specifically the SRX 100:

WP_000286

This unit is a bit larger than my hand.  The higher end of the series can be the size of a small refrigerator.  Notice that it has the Dell logo on it.  For a time, Dell contracted with Juniper to sell the SRX under the PowerConnect name as the PowerConnect JSRX Series.  The devices are still Juniper through and through, the only thing Dell did was pain the front of the box black and put their name on it.  Unfortunately, the relationship between Dell and Juniper has dissolved because of Dell acquiring SonicWall so Dell no longer sells Juniper products anymore.  Bummer.  Maybe what I have will be a collector’s item one day.

As we move forward, I’ll be covering the things I have learned about these cool devices.  While I’m certain most of you already have some type of solution in place for your security needs, who knows, it might be nice to know there is another option out there.

James

The Curse of the Delta

Let’s say you are a fresh college graduate who wants to get into managing Active Directory or Exchange or something like that.  Or maybe you’re a seasoned veteran in one technology but you want to expand your knowledgebase into another area. 

Question:  Where do you start?

Many of you, no doubt, already see where I’m going with this.  It’s been hard to learn that other/new technology because buying the latest book on that technology assumes you have read all the previous editions of that book so it only discusses the changes and new features – the Delta – of the product or technologyThe latest book on the latest version of a technology rarely covers the beginning stuff at all.  So if you want to learn, for example, Active Directory then you may find yourself reading stuff from the Windows 2000 days to find a beginning.  But today the latest version of Windows is Windows Server 2008 R2 and that’s what your employer uses.  So now you are reading Windows 2000 documentation and trying to apply that knowledge to Windows Server 2008 R2 and, of course, by now all the tools you would use according to the Windows 2000 documentation have changed or over gone entire overhauls or may have been deprecated and replaced with new stuff in the latest version since 2000.  So, unless you were one of those guys that were with that technology from the beginning and stuck with it all the way through, you’re going to get lost.

Many books are like that.  They assume you used the 200x version before you bought the 201x version.  A good example is Mark Minasi’s audio CD sets on Windows.  If you buy the Windows Server 2008 R2 audio CD set, found here, on the very first CD Mark makes it very clear that you must listen to the Windows Server 2008 audio CD set (found here) if you have no experience with that previous operating system because the Windows Server 2008 R2 stuff builds on what you already know of the Windows Server 2008 stuff.  If you want to learn how to debug blue screens in Windows, you have to go back further and get his Windows XP CD set (found here).  For those of us who started off on Windows 2000, this is no big deal since we are just following along all the way.  But for those jumping on the technology for the first time because we are either fresh out of college or from another field, well, you see the problem.  You have to wade through 12 years of different documentations and so forth and so on and mend it all together at once.

Now, let me be clear about something.  I’m not criticizing Mark Minasi.  Mark has been, is currently, and forever will be a great guy in my book and a good friend.  I swear by Mark and I highly recommend his books and audio courses to all IT professionals.  Mark is not a perpetrator of the Curse of the Delta, he is a victim of it like you and I just on the other side of the fence.  Let me explain. 

Let’s say you are Mark Minasi and you are about to record the audio CD set for Windows Server 2008 R2.  What’s the first thing you are going to do:  You are going to ask yourself who your target audience is.  And now we have hit our problem.  How do you draw the line between the newbies and those who have been loyal followers for the past DECADE?  See, the loyal followers who have been there all along don’t want to spend money on a CD set that’s going to explain the fundamentals of DHCP or DNS to them.  They’ve known that for years.  They want to know what’s new about DHCP and DNS which, by the way, doesn’t help you.  You, who by definition of being a newbie, doesn’t even know how to install DHCP or DNS much less how to administer it, much even more less how to use its latest features in the latest version of Windows. 

And that, as you can see, is the Curse of the Delta.  There is so much new stuff to cover in the latest versions of new technologies that there simply is no room for the newbie stuff.  Authors can’t take the chance on upsetting their loyal fan base that has provided the living they’ve enjoyed for years by covering all kinds of material that same loyal fan base already knows. 

For the time being, I see no solution to this hard problem.  I know for a fact that if Mark released a book or audio CD set on “DNS Fundamentals” that I wouldn’t by it since I already know that beginner stuff.  So, do you stick with the loyal following that has served you well or do you take the chance that there might be enough newbies out there to make a good sale?  This is a good question and I just don’t see an answer.

James