Quick Intro to the Juniper SRX Series Security Services Gateway Part II

In this second installment of our quick intro (see part I), I thought I would cover some of the performance features of the SRX.  On this blog, I will be speaking primarily about the SRX 100 and SRX 210.  For obvious financial reasons, I will not be covering information on the higher models as I doubt I’ll be working on one of those any time soon.  Fortunately, one of the best features of the SRX series is that, unlike other platforms, the base functionality remains the same as you go up to a higher model (e.g. SRX 500 or something).  This means that setting up, for example, an IPSEC VPN on a higher end SRX is exactly the same as it would be for a 100 or a 210.  This is a tremendous advantage over competing platforms that require you to learn an entirely new interface (GUI or command line) the higher up their line you go.

Anyway, let’s get on with the performance metrics.

For the SRX 100:

Service                        Capacity
Connections Per Second         2,000
Max Firewall Throughput        650 Mbps
Max IPS Throughput             60 Mbps
Max VPN Throughput             65 Mbps
Max Anti-virus Throughput      25 Mbps
Max Concurrent Connections     16K (512MB) | 32K (1GB) **
Max Firewall Policies          384
Max Concurrent Users           Unlimited
Max IPSEC VPN Connections      128

For the SRX 210, we see about a 10% performance increase.

Service                        Capacity
Connections Per Second         2,000
Max Firewall Throughput        750 Mbps
Max IPS Throughput             80 Mbps
Max VPN Throughput             75 Mbps
Max Anti-virus Throughput      30 Mbps
Max Concurrent Connections     32K (512MB) | 64K (1GB) **
Max Firewall Policies          512
Max Concurrent Users           Unlimited
Max IPSEC VPN Connections      256

** All SRX models come in at least two modes:  Standard and High Memory.  The SRX 100 and SRX 210 both come standard with 512MB of RAM.  High memory mode gives them 1GB of RAM.  In order to use any of the Unified Threat Management (UTM) features (e.g. anti-virus, etc.) you MUST have the high memory mode model.  Furthermore, the SRX 100 can be upgraded from 512MB to 1GB by purchasing an unlock key; however, all other models are hardware locked – meaning they cannot be upgraded.  Therefore, it is the recommendation of this blog author that you always purchase the high memory mode model.  It may cost a few more bucks, but you always have the option of purchasing the UTM features later if you wish.  If you get the standard mode model, you cannot upgrade (unless it is the SRX 100) and you cannot use any of the UTM features.  I’ll be covering UTM in a later post.

Getting past that, those performance numbers aren’t bad.  Especially considering the high memory mode SRX 100 is $664.99 and the high memory mode SRX 210 is $944.99 from CDW according to the website as of today’s date. 

Speaking of the SRX 210, you can get additional features such as two Power Over Ethernet ports, but I’ll cover additional features in part three.

James

Follow-Up on Hyper-V Recommendations

Previously, I wrote a post about my recommendations for Hyper-V virtualization.  One of the key factors I spoke of was dynamic versus fixed virtual disks.  I also mentioned pass-through disks.  Specifically, I made two points:

  1. Do not use a dynamic disk with any relational database.  This includes, but is not limited to:  SQL Server, Oracle, DB2, Microsoft Exchange (yes, it uses a relational database to store your email based on the Jet Engine from Microsoft), and so forth.
  2. Unless you have a bleeding need for speed (i.e. you run the New York Stock Exchange), do not go out of your way to use pass-through disks.

My friend Aidan Finn, Microsoft MVP for virtualization, recently wrote a post referencing another article that seems to confirm most of what I’m saying but also adds some other very important considerations.  You should check it out by way of Aidan’s excellent blog.

James

The Disconnect Between Big Consultants and Small Companies

I have the pleasure of knowing some outstanding people.  Many of them work for big companies and we share ideas all the time.  Some of these people are not employees, but are consultants.

When speaking with these individuals, I keep running across an interesting problem.  It’s clear to me none of them have ever worked with or for a truly small company before.  An example of a small company would be a doctor’s office with 1 – 5 providers.  Or perhaps a small billing center with only 20 or fewer employees.  You can tell they have never worked with such companies because when they make recommendations for how IT for the small company should be set up, you can watch the owners become horrified as the amount of money the consultant wants to spend goes up and up and up.  Big company consultants are rarely in touch with the budget constraints of small businesses. 

I was once on the phone with a consultant and was telling him about my IT setup at my job.  I mentioned that I had two Hyper-V hosts and about 8 virtual machines.  The consultant was dumbfounded when I explained that I did not have two redundant backup servers and was not managing my virtual machines using Microsoft System Center.  What the consultant did not understand was that the cost of two more servers and System Center would have easily doubled our upgrade costs, which were already around $22,000, and the business owner would never have agreed to it.  I’m not saying the consultant’s ideas were bad ideas, they weren’t, just not in sync with the needs of a small business’s budget constraints.

Many of the consultants, and even some sales reps, I know don’t seem to understand why they always lose their small business clients.  Small businesses just can’t throw around $50,000 on IT upgrades on a moment’s notice.  Yes, they will have to do without some of the nice redundancy and certainly most of the cool toys, but I would argue that most small businesses don’t need all that stuff.  They can handle a day’s downtime in most cases and a day’s lost data in most cases.  As long as they have good 24 hour backups, they are OK.  Yes, of course, losing a day’s worth of data would be painful, but it is far from the end of the world.  If anything, the consultants should explain the pros and cons of what the small business is getting for their money, rather than just expecting them to buy whatever is put on the table like the big boys do.

James

Quick Intro to the Juniper SRX Series Security Services Gateway

I’ve been using the Juniper SRX for a few months now and I have to say I like it.  They are FAST, cost effective, and get things done.  However, make no mistake that they do have a high learning curve.  Don’t think you’re going to jump into learning these things super fast like you did your Cisco or whatever counterpart.  For one thing, pretty much everything is done via command line.  Sure, they do have a graphical user interface, but no one uses it and the documentation doesn’t reference it that much.  In fact, in this blog I won’t even be covering the user interface.  We’ll be using command line only.

Here is a quick pic of the Juniper SRX Series Security Services Gateway, specifically the SRX 100:


This unit is a bit larger than my hand.  The higher end of the series can be the size of a small refrigerator.  Notice that it has the Dell logo on it.  For a time, Dell contracted with Juniper to sell the SRX under the PowerConnect name as the PowerConnect JSRX Series.  The devices are still Juniper through and through; the only thing Dell did was paint the front of the box black and put their name on it.  Unfortunately, the relationship between Dell and Juniper has dissolved because of Dell acquiring SonicWall, so Dell no longer sells Juniper products.  Bummer.  Maybe what I have will be a collector’s item one day.

As we move forward, I’ll be covering the things I have learned about these cool devices.  While I’m certain most of you already have some type of solution in place for your security needs, who knows, it might be nice to know there is another option out there.

James

The Curse of the Delta

Let’s say you are a fresh college graduate who wants to get into managing Active Directory or Exchange or something like that.  Or maybe you’re a seasoned veteran in one technology but you want to expand your knowledgebase into another area. 

Question:  Where do you start?

Many of you, no doubt, already see where I’m going with this.  It’s hard to learn that other/new technology because the latest book on that technology assumes you have read all the previous editions of that book, so it only discusses the changes and new features – the Delta – of the product or technology.  The latest book on the latest version of a technology rarely covers the beginning stuff at all.  So if you want to learn, for example, Active Directory, then you may find yourself reading stuff from the Windows 2000 days to find a beginning.  But today the latest version of Windows is Windows Server 2008 R2 and that’s what your employer uses.  So now you are reading Windows 2000 documentation and trying to apply that knowledge to Windows Server 2008 R2 and, of course, by now all the tools you would use according to the Windows 2000 documentation have changed, undergone entire overhauls, or been deprecated and replaced with new stuff in the versions released since 2000.  So, unless you were one of those guys who was with that technology from the beginning and stuck with it all the way through, you’re going to get lost.

Many books are like that.  They assume you used the 200x version before you bought the 201x version.  A good example is Mark Minasi’s audio CD sets on Windows.  If you buy the Windows Server 2008 R2 audio CD set, found here, on the very first CD Mark makes it very clear that you must listen to the Windows Server 2008 audio CD set (found here) if you have no experience with that previous operating system, because the Windows Server 2008 R2 material builds on what you already know of Windows Server 2008.  If you want to learn how to debug blue screens in Windows, you have to go back further and get his Windows XP CD set (found here).  For those of us who started off on Windows 2000, this is no big deal since we are just following along all the way.  But for those jumping on the technology for the first time, because they are either fresh out of college or from another field, well, you see the problem.  You have to wade through 12 years of different documentation and so forth and so on and mend it all together at once.

Now, let me be clear about something.  I’m not criticizing Mark Minasi.  Mark has been, is currently, and forever will be a great guy in my book and a good friend.  I swear by Mark and I highly recommend his books and audio courses to all IT professionals.  Mark is not a perpetrator of the Curse of the Delta, he is a victim of it like you and I just on the other side of the fence.  Let me explain. 

Let’s say you are Mark Minasi and you are about to record the audio CD set for Windows Server 2008 R2.  What’s the first thing you are going to do?  You are going to ask yourself who your target audience is.  And now we have hit our problem.  How do you draw the line between the newbies and those who have been loyal followers for the past DECADE?  See, the loyal followers who have been there all along don’t want to spend money on a CD set that’s going to explain the fundamentals of DHCP or DNS to them.  They’ve known that for years.  They want to know what’s new about DHCP and DNS which, by the way, doesn’t help you.  You, who by definition of being a newbie, don’t even know how to install DHCP or DNS, much less how to administer it, much less still how to use its latest features in the latest version of Windows.

And that, as you can see, is the Curse of the Delta.  There is so much new stuff to cover in the latest versions of new technologies that there simply is no room for the newbie stuff.  Authors can’t take the chance on upsetting their loyal fan base that has provided the living they’ve enjoyed for years by covering all kinds of material that same loyal fan base already knows. 

For the time being, I see no solution to this hard problem.  I know for a fact that if Mark released a book or audio CD set on “DNS Fundamentals” I wouldn’t buy it since I already know that beginner stuff.  So, do you stick with the loyal following that has served you well or do you take the chance that there might be enough newbies out there to make a good sale?  This is a good question and I just don’t see an answer.

James

The Microsoft Office Blogs

Almost everyone I know uses Microsoft Office.  And not one of them uses all of its features.  Fortunately, help is on the way.  The employees of Microsoft who actually make the Office product suites have their own blogs with many useful tips.  Here are just a few:

The Microsoft Excel Blog

The Microsoft Word Blog

The Microsoft PowerPoint Blog

The Microsoft Outlook Blog

I hope the links above help.  I have found many useful tips on those blogs that have saved lots of time.  Be sure to check them out!

James

Hyper-V Tips That I HIGHLY Recommend

I’ve been using Hyper-V for a couple of years now and there are a few things I’ve seen that just plain work, and if you go a different path you are either taking your chances or wasting your time.  Of course, let me point out first that I am not the true authority on Hyper-V, Aidan Finn is, and you will see me reference his blog from time-to-time.  You can visit Aidan’s blog here: www.aidanfinn.com (it’s also in my links area to the right).  I’m pretty confident, however, that Aidan may agree with me on most of what I’m about to say.  Here goes:

  1. Do not use a dynamic disk with any relational database.  This includes, but is not limited to:  SQL Server, Oracle, DB2, Microsoft Exchange (yes, it uses a relational database to store your email based on the Jet Engine from Microsoft), and so forth.
  2. Always provision 4GB of RAM minimum for the host operating system.
  3. Always provide the host operating system with its own NIC.  Do not let it share a connection with a VM.
  4. If you are in a small environment (e.g. 5 or fewer host operating systems), do not join the host to the domain.  The benefits do not equal or exceed the hassle.  For a few host operating systems, it’s easy enough to log on to them individually to update them or check stuff.
  5. Always disable time synchronization if your guest VMs are Windows XP or higher (I cannot speak for older Windows guests or non-Windows guests) and have Internet connectivity.  I cannot think of a single reason to have that feature on in Hyper-V – especially if the guest is a member of a Windows domain.
  6. Unless you have a solid reason to do otherwise, always set the Hyper-V host to properly shut down the guest operating system if the host is shut down (the default is to perform a save).  This is especially true for guests that have a relational database such as SQL Server, Oracle, Exchange, etc.
  7. Do not go out of your way to use SCSI virtual disks for your VMs.  The IDE and SCSI virtual disk adapters have almost no differences in performance.
  8. Unless you have a bleeding need for speed (i.e. you run the New York Stock Exchange), do not go out of your way to use pass-through disks.
  9. If you are putting your virtual machines on a physical RAID 5 array, your controller should have a minimum of 512MB of RAM on the board – more if all or most of your VMs are doing heavy writes.  From what I can see, 512MB is pretty much the minimum these days, but there are still some used/cheap controllers out there.
  10. If you are going to virtualize a Terminal Server, stop what you are doing and read the free white papers here: http://www.projectvrc.com/
  11. If your machine is to be a Hyper-V machine, then that is the only role it should do.  Install no other roles or features.
  12. If your machine is to be a Hyper-V machine, then the backup software agent you are using should be the only software you install on the machine.  Furthermore, you should not install the entire backup suite (e.g. BackupExec), just the agent needed.  If your only physical machine is a Hyper-V host and you need back up software that isn’t some big suite like BackupExec, check out www.backupassist.com.
  13. Never leave your host machine logged on. Once you are done administering the machine, log off.
  14. Guest VMs on the same machine that need to communicate with one another often should be on the same virtual NIC when possible.
  15. Aidan’s going to kill me for this one, but:  It is OK to install a VM on the same partition as the host operating system as long as the VM is low impact.  Meaning it does not do any heavy reads, does not do any heavy writes, and does not consume heavy CPU.  For example, we use Team Foundation Server 2010 as our source code repository.  There are only TWO developers.  How much work do you think that TFS guest does?  Barely noticeable.
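Tips 1, 5 and 6 are settings you can audit on an existing host rather than just remember.  The script below is an added example, not something from the original post; it assumes the Hyper-V PowerShell module (Windows Server 2012 or later) and an elevated session on the host.  It flags non-fixed virtual disks for review (it cannot know which guests hold a database), reports VMs with time synchronization still enabled, and reports VMs whose automatic stop action is not a clean shutdown; with -Fix it remediates tips 5 and 6.

```powershell
# Added example (not from the original post): audit a Hyper-V host against
# tips 1, 5 and 6. Assumes the Hyper-V PowerShell module (Windows Server 2012+).
param(
    [switch]$Fix   # apply the tip-5 and tip-6 remediations instead of only reporting
)

Import-Module Hyper-V -ErrorAction Stop

$findings = @()

foreach ($vm in Get-VM) {
    # Tip 1: dynamically expanding (or differencing) VHDs. The script cannot tell
    # whether the guest runs SQL Server, Exchange, etc., so it lists them for review.
    foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
        if (-not $disk.Path) { continue }   # pass-through (physical) disk, no VHD file
        try {
            $vhd = Get-VHD -Path $disk.Path -ErrorAction Stop
            if ($vhd.VhdType -ne 'Fixed') {
                $findings += [pscustomobject]@{
                    VM = $vm.Name; Tip = 1; Finding = "$($vhd.VhdType) disk: $($disk.Path)"
                }
            }
        } catch {
            $findings += [pscustomobject]@{
                VM = $vm.Name; Tip = 1; Finding = "Could not inspect $($disk.Path): $_"
            }
        }
    }

    # Tip 5: the Time Synchronization integration service should be off.
    $timeSync = Get-VMIntegrationService -VM $vm -Name 'Time Synchronization'
    if ($timeSync.Enabled) {
        $findings += [pscustomobject]@{
            VM = $vm.Name; Tip = 5; Finding = 'Time Synchronization enabled'
        }
        if ($Fix) { Disable-VMIntegrationService -VM $vm -Name 'Time Synchronization' }
    }

    # Tip 6: a host shutdown should shut the guest down cleanly, not save its state.
    if ($vm.AutomaticStopAction -ne 'ShutDown') {
        $findings += [pscustomobject]@{
            VM = $vm.Name; Tip = 6; Finding = "AutomaticStopAction is $($vm.AutomaticStopAction)"
        }
        # Hyper-V only lets this setting change while the VM is off; otherwise the call errors.
        if ($Fix) { Set-VM -VM $vm -AutomaticStopAction ShutDown -ErrorAction Continue }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

Run it without -Fix first and review the tip-1 list by hand, since a dynamic disk on a low-impact guest (tip 15) is fine while one under a database is not.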

That’s pretty much all I have for now.  I may add more to this list as I learn more or read more about Hyper-V.  Of course, comments either confirming or un-confirming what I say here are MORE than welcome.

James

Working From Home

One conversation I find myself getting into often is how nice it must be to work from home.  While working from home most certainly has its advantages, like everything else there are some disadvantages that must be dealt with.  Consider the following:

  • Family buy-in.

If you have a spouse and/or kids, they have to understand that once you walk through the door of your office, even though that office may be a converted bedroom, you are at work.  You are not available for family stuff.  My wife, in the beginning, had a very difficult time with this concept.  To her, it just didn’t make sense that I couldn’t spend 10 minutes vacuuming the living room or emptying the dishwasher because “you’re right there in the next room.”  Also, husbands have to understand that you can’t always stop to cook for them or do some other “wifely duty”.  If your children are home for the summer or on some other type of vacation from school, then you may have to put them in some daycare or your spouse, if available, will need to keep them occupied for you.  You cannot have a six year old demanding food or play time while you’re on a conference call with a client.  Also, family must understand that just because you step out of your office to get a quick drink or have lunch doesn’t mean you suddenly have all kinds of free time to give to them.

  • Hygiene

It’s easy not to worry about combing your hair, shaving, getting dressed, brushing your teeth, etc. when you work from home.  However, you really should keep those things in mind and you should still do them.  Once you start letting yourself go, you’ll be surprised at how those bad habits will creep into your social life.  Next thing you know, you’ll be at friends’ houses or family reunions looking/smelling like trash.  Despite the fact that you have no co-workers around you and that your journey to work is a mere walk across the house, you should continue to maintain good hygiene and dress like you are going to work.

  • Get a Gym Membership

Most of us barely exercise enough as it is.  At least the walk from the car to the office of a real firm is something and you do walk a little bit when going to meetings or looking for co-workers for help.  When you work from home, however, your already low amount of exercise turns to a flat out zero.  You’ll find yourself getting out of shape even worse than you are now which will not bode well for your work performance.  You must, when working from home, make some time for physical activity.

  • Avoid the Living Room and Kitchen

The living room, with all of that entertainment equipment, will do nothing but distract you.  Do not turn on the TV, do not turn on anything.  You may think you’re just checking the weather real quick, but I can assure you that 10 minute weather forecast can easily turn into the third episode of a Star Trek marathon on Spike TV.  As for the kitchen, marching there to get snacks or something to drink every few minutes will do nothing but drain your productivity while stacking on the pounds.  Avoid the living room altogether and make sure your visits to the kitchen are measured and infrequent.

  • Expect Some Prejudice

Co-workers who have to drive to the office will always be jealous of you.  Your boss will always be suspicious of your productivity.  These are things you’ll just have to accept and deal with.  While you’re dealing with distracting family members and trying to stay focused, they all think you’ve got it made.

I hope these tips help.  I may revisit this topic in the future if I think of anything else.  Working from home does have advantages, such as the amount of money I save in fueling the car, but there are clearly some negative attributes to deal with as well.

James