Christofer Hoff

My career in networking and system administration took me from a hobbyist and self-proclaimed accidental tourist in the field of security to someone with a focused, passionate, and all-consuming obsession. It all started with a little thing called the firewall.

Back in the late 1980s and into the early 1990s, the commercial Internet boom began and organizations rushed to connect their computing resources directly to the burgeoning collective that would ultimately become known as the World Wide Web.

As the computing assets under my watch became more exposed and interconnected—and thus potentially ubiquitously accessed—I found myself spending a lot of quality time evaluating the various emerging network firewalls of the period as a way of reducing the scope of the things I had to protect.

These firewalls came in all shapes, sizes, speeds, and architectural designs. They evolved from primitive stateless access control lists in Internet-connected routers to full-fledged proxies, circuit-level gateways, and stateful packet filters that provided more robust protocol and services support, logging, and Network Address Translation capabilities.

Each firewall platform promised a dizzying array of benefits, but given the myriad of designs, each one often forced a trade-off among isolation, usability, manageability, scalability, performance, features, and efficacy.

After a startup or two and deploying many of these firewalls, I found myself in the employ of a large networking service provider that charged me with the creation of a global managed service providing secure Internet ingress and egress to thousands of the largest companies worldwide.

The demand for expanded security services from customers was eclipsed only by the availability of Internet-connected computing resources, the proliferation of easy-to-use “security” tools, and the emergence of skilled and curious “security enthusiasts” to use them.

New classes of threats appeared, and as with any successful economic enterprise, new adversaries, tactics, and motivations emerged also. Keeping up with the velocity, variety, and volume of services, and the creative attacks that followed against the infrastructure providing them, became a challenge.

New operating systems took hold and new programming languages were invented and pressed into service quickly, as were rapidly deployed application frameworks and service delivery platforms, most of which presented a dizzying set of new attack surfaces, vulnerabilities, and risks.

The Internet arms race was officially on . . . and it’s been running strong for the 20 plus years that have followed.

Ironically, if instead of 20 years ago, I began this timeline only five years ago, one would recognize much of it as the present!

The challenges we have in keeping pace with the innovation of attackers, the broad attack surface against which attacks can be launched, the availability of technology, and the skill sets and motivations of the adversaries who seek to do us harm, make it clear that our choice of security solutions is that much more important.

This book describes how to operate, deploy, and optimize a world-class security platform with capabilities that allow security professionals to more effectively defend the assets they are charged to protect.

You might have already made that choice and invested in a Juniper Networks SRX Series security solution, or perhaps you are considering doing so, possibly for some of the scenarios just I described. In either case, you will find this book absolutely invaluable.

The SRX is an instrument of supreme precision, born from the networking heritage of a company long steeped in solving the toughest problems thrown its way. It is designed as a hyperscalable and extensible security services platform that provides next-generation security capabilities as you need them.

While attacks against infrastructure continue at a ferocious pace and with dazzling effectiveness, so will we witness even more surgically targeted and extremely sophisticated application-level attacks in complement.

Designed to be as supremely competent in securing Level 2 and Level 3 connectivity, the SRX also enables intelligent application-aware capabilities for Levels 4 through 7, leveraging features such as intrusion protection services, Unified Threat Management, and the AppSecure suite for application identification, classification, enforcement, control, and protection.

The SRX is a platform that enables the best and brightest engineers to design and implement security solutions that are as capable in their networking capabilities as they are in providing airtight security with the explicit capability to provide a user experience that can bridge the gap between these two disciplines. It’s a security engineer’s best friend and a solution that any networking professional can easily find comfort in using.

Speaking of engineers, I have had the privilege of working with and befriending the two amazing gentlemen who have written this book. Like myself, they, too, have focused their passion, knowledge, and expertise to deliver the best security solutions money can buy, and this book will help you get the most out of your investment.

I am thrilled that Brad and Rob were kind enough to ask me to write the foreword for this invaluable resource, because were there ever a way I could thank them for the endless advice and amazing depth and breadth of knowledge regarding the capabilities of the SRX, doing so publicly and at the beginning of such an excellent resource is one of the best ways I can think of.

Thank you, Brad and Rob, for all you have done to both help create an amazing security solution for our customers and also make it easier to use. What a perfect guide to accompany an amazing security platform.