Tuesday, November 18, 2008

ScreenOS vs JUNOS

Hi all,

You all know I am a big fan of the Juniper FW/VPN appliances (the old NetScreen firewall/VPN boxes). This is because of the very powerful ScreenOS: it is an easy and powerful OS with unbelievable debug features.

But two years ago I came in contact with an even nicer and more powerful OS: JUNOS.

This was like a new world that had been opened for me...

The first years of my career I worked with IOS, and after 1.5 years I saw the NetScreen products and was sure this was one of the finest OSes out there. But that was only because I had never seen JUNOS before.

Some examples of what JUNOS has and ScreenOS doesn't:

Cons ScreenOS:

- bindings (objects are bound to each other, so you can't edit or change them)
> This is something I really hate about ScreenOS.
- working directly in the running config
> This is also a big pain of IOS.
- only one active and one saved config

Pros ScreenOS:

- Debugging
> This is one of the best debugging engines I have ever seen.
- Vrouters/SBR/SIBR/PBR
- Route-based VPNs

Cons JUNOS:

This is really a hard one.
- Debugging (and this is because I still find the ScreenOS-based debugging engine the best I have worked with. BUT Juniper is putting a lot of effort into this, and the latest release, 9.2, is almost the same as the ScreenOS debug output.)

Pros JUNOS:

- Candidate config
> When you change the config, you work in a candidate config. This is a copy of the active config, which means that when I change something in it, the change isn't active yet.
- commit confirmed
> This command activates your changes but asks you to confirm them within a given time. If you don't confirm, it automatically rolls back to the previous config version. AND this without a reboot!!
- rename
> You are able to move a config from one interface to another with one command (just rename the interface name, for example).
- macros
> You can make your own macros. One example: if your company has a config policy (like always placing a description when configuring an interface, or requiring comments when you save a config, etc.), this is all possible with JUNOS.

Because of all these nice features, I can only say one thing... I love JUNOS!!

For all engineers out there, just try this OS and you will see how powerful it is.

I will try to give some examples later on.

Cu all later

2 comments:

Brandon said...

I can't understand why you find JunOS remotely up to Netscreen standards. We were fooled into buying SRX240 over SSG550 against better judgement, taking ill advice from a Juniper sales rep. And we've been living in hell ever since. Netscreen is a dream. JunOS is the slowest, most crippled, most buggy OS we've ever used. It is not production ready. Period. What on earth is Juniper thinking? And the WEB GUI is just beyond anything I've ever seen. Extremely slow and buggy. What a disaster.

Brandon said...

ScreenOS Configuration:
set int e0/0 mip 1.1.1.100 host 10.1.1.100
set pol from untrust to trust any mip(1.1.1.100) http permit

Junos OS Configuration:
set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100/32
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.100
set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.100
set security zones security-zone trust address-book address webserver 10.1.1.100
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver application junos-http
set security policies from-zone untrust to-zone trust policy static-nat then permit

WTF?!