JUNOS High Availability: Best Practices for High Network Uptime
by James Sonderegger, Orin Blomberg, Kieran Milne, Senad Palislamovic
Paperback: 688 pages
Publisher: O'Reilly Media
High Praises for JUNOS High Availability
Building a network capable of providing connectivity for simple business applications is a fairly straightforward and well-understood process. However, building networks capable of surviving varying degrees of failure and providing connectivity for mission-critical applications is a completely different story. After all, what separates a good network from a great network is how well it can withstand failures and how rapidly it can respond to them.
While there are a great deal of books and resources available to assist the network designer in establishing simple network connectivity, there aren't many books which discuss the protocols, technologies, and the myriad ways in which high availability can be achieved, much less tie it all together into one consistent thread. "JUNOS High Availability" does just that, in essence providing a single, concise resource covering all of the bits and pieces which are required in highly available networks, allowing the network designer to build networks capable of sustaining five, six, or even seven nines of uptime.
In general, there are a lot of misconceptions and misunderstandings amongst Network Engineers with regards to implementing high availability in Junos. One only needs to look at the fact that Graceful Restart (GR) protocol extensions and Graceful Routing Engine Switchover (GRES) are often mistaken for the same thing, thanks in no small part to the fact that these two technologies share similar letters in their acronyms. This book does a good job of clarifying the difference between the two and steers clear of the pitfalls typically prevalent in coverage of the subject matter. The chapter on 'Control Plane High Availability' covers the technical underpinnings of the underlying architecture on most Juniper platforms; coverage of topics like the separation between the control and forwarding planes, and kernel replication between the Master and Backup Routing Engine give the reader a solid foundation to understand concepts like Non-Stop Routing, Non-Stop Bridging, and In-Service Software Upgrades (ISSU). In particular I found this book to be very useful on several consulting engagements in which seamless high availability was required during software upgrades as the chapter on 'Painless Software Upgrades' discusses the methodology for achieving ISSU and provides a checklist of things to be performed before, during, and after the upgrade process. Similarly, I found the chapter on 'Fast High Availability Protocols' to be very informative as well, providing excellent coverage of BFD, as well as the differences between Fast Reroute vs. Link and Node Protection.
Overall I feel this book is a valuable addition to any networking library and I reference it often when I need to implement certain high availability mechanisms, or simply to evaluate the applicability of a given mechanism versus another for a certain deployment. The inclusion of factoring costs into a high availability design is a welcome addition and one that all too many authors fail to cover. Naturally, it only makes sense that costs should be factored into the equation, even when high availability is the desired end-state, in order to ensure that ultimately the business is profitable. If I had to make one suggestion for this book it is that there should be additional coverage of implementing High Availability on the SRX Series Services Gateways using JSRP, as this is a fundamental high availability component within Juniper's line of security products. To the authors' credit however, this book was written just as the SRX line was being released, so I don't fault the authors for providing limited coverage. Perhaps more substantial coverage could be provided in the future if a Second Edition is published.
The bottom line is this - if you are a Network Engineer or Architect responsible for the continuous operation or design of mission-critical networks, "JUNOS High Availability" will undoubtedly serve as an invaluable resource. In my opinion, the chapters on 'Control Plane High Availability', 'Painless Software Upgrades', and 'Fast High Availability Protocols' are alone worth the entire purchase price of the book. The fact that you get a wealth of information beyond that in addition to the configuration examples provided makes this book a compelling addition to any networking library.
IS-IS: Deployment in IP Networks
by Russ White, Alvaro Retana
Hardcover: 320 pages
Publisher: Pearson Education
Better off choosing an alternative selection
As IS-IS is one of the more esoteric protocols, understood only by a few people in large-scale ISP environments, I thought this book would be a welcome addition to my library as there isn't much else on the market covering this protocol. There are of course ISO 10589 and RFC 1195 which cover these protocols, but seeing as this is a short book I thought it might be able to shed some light on an otherwise complex protocol.
In reviewing this book I've come up disappointed in general. There are certainly a few golden nuggets and I give the book a couple of stars just for attempting to bridge the gap between the purely theoretical and the purely vendor-specific. However, the book comes up short on most other points. Oftentimes I found myself wanting to scrap this book in favor of some of the other selections on the market, but since I have respect for these authors I read the whole book hoping that they might be able to redeem themselves by the time I finished.
Obviously the authors have a great deal of knowledge about the subject, and I don't fault them entirely. The quality of the editing is poor with many grammatical and syntactical errors littered throughout the text. There are abundant instances throughout the book where the diagrams used do not match the text describing them. I was rather disappointed because I usually find that Addison-Wesley publishes some of the best texts on the market.
All in all, I thought this book could have been a lot better than it was. After all, these authors have several other titles under their belt, most notably "Advanced IP Network Design". But in this case, I would say that you are better off looking for other similar titles available on the market, such as Jeff Doyle's "Routing TCP/IP Volume 1" or "The Complete IS-IS Routing Protocol" by Hannes Gredler and Walter Goralski.
MPLS-Enabled Applications: Emerging Developments and New Technologies
by Ina Minei, Julian Lucek
Paperback: 526 pages
Excellent coverage of VPLS, and Multicast over Layer 3 VPNs
Recently I had to work on a project which involved demonstrating Multicast over Layer 3 VPN interoperability between Cisco and Juniper. I spent several days reading through all the RFCs and working-group drafts which pertained to this subject matter, after which I still had many unanswered questions. In order to round out my understanding, I decided to order the Second Edition of 'MPLS-Enabled Applications'. Looking back, I wish I had read this book instead of wasting my time reading the various RFCs and working-group drafts. This book answered all of my questions and went above and beyond to give me a solid understanding of the concepts and their application. As other reviewers have pointed out, often one needs to read a book to understand the technology basics, and then refer to RFCs or working-group drafts in order to keep abreast of the latest changes. Not so with this book... In fact, this book is so current that reading the working-group drafts is largely unnecessary. It is incredibly comprehensive, concise, and gives the reader a thorough understanding of the business drivers. Furthermore, it illustrates the various ways in which MPLS services can be offered and outlines the pros and cons of each approach so that the network designer can make intelligent decisions with regards to implementation.
In addition to the great coverage that was provided by the First Edition, the Second Edition has updated the text to reflect newer trends and applications such as the transport of IPv6 over an IPv4 MPLS core, and detailed coverage of end-to-end and local protection schemes in MPLS networks. Likewise, the chapter previously called "Point-to-Multipoint LSPs" has now been renamed to "MPLS Multicast", with much more detailed coverage of the P2MP hierarchy and the forwarding-plane and control-plane operation. The biggest value for me was the addition of a completely new chapter on "Multicast over Layer 3 VPNs" which provided comprehensive coverage of this emerging technology and fully illustrates the full gamut of operation of either the PIM/GRE approach, or the NG-VPN approach utilizing BGP and P2MP LSPs. Finally, the addition of a chapter on "MPLS in Access Networks" was well deserved seeing as Ethernet is quickly becoming the access technology of choice and MPLS will likely be utilized as an overlay in order to realize the full potential of Ethernet in these environments.
This book has earned a spot on my bookshelf as one of my most coveted resources, and I refer to it quite often to refresh my memory on the myriad workings of various functions within MPLS. I wish I could give this book a rating higher than five stars! I can't overemphasize how exceptional this book is. If you are in the market for a book covering MPLS and emerging applications offered on MPLS networks, this single book should be at the top of your list!
Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
by Victor Oppelman, Oliver Friedrichs, and Brett Watson
Paperback: 448 pages
Publisher: McGraw-Hill Osborne Media
Good coverage of darknets, honeynets, and triggered blackholes
First I must admit that I know and have worked with several of the authors of this book. I was given an autographed copy of the book late last year; however, seeing as the book was published in 2005, I didn't think there would be much along the lines of usable information, seeing as many of the security threats and vulnerabilities have evolved quite a bit since then. However, as I started reading the book I quickly realized much of the information was still as relevant today as it was several years ago. The chapters on ISP Security Practices and Securing the Domain Name System had very good coverage of many of the techniques used throughout Service Provider networks to secure their network and DNS infrastructure.
I particularly enjoyed reading the sections on using egress packet filters to restrict data leaks from within an organization - a particular problem today with the prevalence of Internet Worms and other Malware which often attempt to communicate back to their centralized Command & Control (C&C) hosts. The chapter on 'Sinkholes and Backscatter' has very good coverage on a wide variety of topics such as using Darknets and Honeynets to monitor malicious traffic and other nasties emanating throughout your network, as well as using techniques such as Triggered Blackhole Routing to propagate filters quickly and dynamically to drop DDoS and other malevolent traffic.
I would have to disagree with Dr. Anton Chuvakin that the chapters on Digital Forensics were disappointing. Personally, I learned quite a bit from these chapters and came away from reading them with a whole arsenal of new tools to use with which I can perform my own digital forensics on compromised systems. The coverage of Foremost, memdump, and some of the advanced digital forensic tools was top notch.
All in all, I would say this is still a good book for anyone involved in Network Security. Much of the information covered is still relevant in today's networks. If the authors attempt to release a second edition I would suggest coverage of adapting Triggered Blackhole techniques to be used in more modern DDoS Mitigation scenarios. Additionally, discussion of new techniques used for Malware C&C and coverage of Fast-flux and Double-flux techniques used by the attackers to create more robust and reliable networks would be welcomed.
OSPF and IS-IS: Choosing an IGP for Large-Scale Networks
by Jeff Doyle
Paperback: 480 pages
Publisher: Addison-Wesley Professional
A welcome addition to any networking library
If you consider yourself a student of routing protocols and enjoy coverage of graph theory from the perspective of its application to link-state routing protocols, this text will certainly be a welcome addition to your library. This book not only provides information regarding 'how' link-state routing protocols work, it also provides information regarding 'why' the link-state routing protocols behave as they do, and why the protocol designers made certain choices in the development of these protocols. While it might seem a daunting task especially to the novice reader to learn about two routing protocols side-by-side, it is this treatment which makes this text so worthwhile. Being able to compare these two protocols and identify their similarities and differences simultaneously will ultimately help the network designer pick the right protocol for the job in a given network environment.
This book goes beyond IGP fundamentals by giving practical advice to the network designer which can assist in the planning and implementation of a scalable IGP deployment. For example, in the chapter on Area Design, the author states that "a useful guideline when designing a network is that network control traffic should never exceed 5 percent of the available bandwidth of any link in the network, and in normal circumstances should not exceed 1 percent". The author then presents various formulas which can be used to determine the amount of bandwidth used by the protocol control traffic based on the number and type of LSAs which are expected to be present in a given network. Arguably one of the best chapters in the book is the chapter on Scaling. This chapter has some of the best coverage of the various modifications which router vendors make to their link-state protocol implementations in order to make routers perform calculations more rapidly, enhance flooding of Link-State updates, and other changes designed to make the protocols scale to support very large networks.
I am a stickler for accuracy, especially when it comes to technical textbooks. I pride myself on my ability to spot technical and grammatical errors in texts such as these; however, I must say as I read this book I was very impressed that I found very few errors beyond just the simple grammatical and typographical. Jeff Doyle is an experienced writer, and it should come as no surprise that the technical content in this book is extremely well-vetted, accurate, and error-free. Ultimately, if you are a network operator, designer or architect and are interested in broadening your understanding of link-state protocols coupled with the ability to more fully understand the technical distinctions between OSPF and IS-IS, this book is without a doubt one of the best options on the market today.
Designing and Developing Scalable IP Networks
by Guy Davies
Hardcover: 302 pages
Decent information with a hefty price tag...
The title of this book, "Designing and Developing Scalable IP Networks", would lead one to believe that reading this book would give the reader special insight into certain architectural approaches that would enable the network designer to build very large and expansive networks. And while the book certainly did provide some useful information, I found it lacking somewhat in details. The author does not delve into the minutiae of the various protocols, such as message types, protocol interaction, etc. Instead, the author assumes the reader already has a solid understanding of the basic principles of IP networking and the protocols associated with IP routing and switching. The author states early on that the book is meant to "examine the architectural and design principles that can be applied to designing and building scalable IP and MPLS networks"; however, after a thorough reading I did not find that I was substantially more educated in the subject matter. And herein lies the crux - this book, which is priced at a whopping $130, is far more expensive than other texts of a similar nature, some of which cover far more expansive material and cost considerably less. Furthermore, the book is too light on details to be sufficiently useful to someone who is new to the industry and looking to gain a better understanding of what is required to build large-scale networks, and is unlikely to provide the experienced network architect with usable knowledge beyond that which he or she may already possess.
That being said, there is decent treatment of MPLS and Generalized MPLS, MPLS VPNs, QoS, and IPv6. And there certainly are a few good nuggets of information to be found throughout the book. For example, there is very good information on route-reflection, such as the pros and cons of using the same cluster-id on a pair of route-reflectors running in a pair. It also examines practical deployment information for such mechanisms as graceful-restart, citing the fact that enabling BGP graceful-restart without enabling a similar mechanism in the IGP is likely to reduce the benefit of enabling such a mechanism in the first place. And while this is one of the few texts that I have seen on the market that broaches the subject of graceful-restart, I welcome the author to include more information on this subject in subsequent editions.
All in all I would say that this is a good desk side reference if one wants a text which covers the main protocols and mechanisms in use in large Service Provider networks, but if you are looking for a text which will enable you to build large-scale networks you might be somewhat disappointed in the treatment, especially considering the hefty price tag of this item.
Configuring NetScreen Firewalls
by Rob Cameron
Paperback: 600 pages
Better off waiting for a Second Edition...
I read a lot of books, and while I don't review all of them, I am often compelled to write a review when a book stands out, either for its clear leadership and technical distinction in the marketplace, or for its extreme lack thereof. In this case, I was compelled to write the review based on the latter.
Seeing as this is the only Netscreen book on the market, I had high expectations for it. When one looks at the credentials of the numerous authors, it reads like a veritable list of leaders in the Security industry. As such, I was rather excited when I picked up this book. As I began reading this book, I quickly realized that it was not going to meet my expectations. Clearly this book was rushed to market, another sign that the primary concern of many publishers is not in producing quality, but rather quantity. This book suffers from many of the same problems I see with other books on the market with multiple contributing authors, which is that the voice isn't consistent throughout the book. Some chapters have diagrams, screen shots, or CLI commands outlining various procedural steps, whereas these details are noticeably absent in others.
In addition, this book is littered with many errors throughout, both typographical as well as technical. In some cases, as other reviewers point out, sentences simply stop abruptly midway through. The text often refers to diagrams which don't even exist. There are numerous references to find additional information in other chapters which are non-existent.
With regards to technical content, the authors certainly could have added more detail, especially considering the number of authors who contributed to this text. For example, the chapter on Routing does a good job of telling the reader how to enable BGP, but provides no details on how to actually configure a BGP neighbor. Another example is URL filtering which is discussed in the chapter on Attack Detection and Defense. While the authors do a good job of describing the various modes to support URL filtering (redirect vs. integrated), there is no explanation of how redirection actually takes place and no diagrams to provide for comprehensive understanding of the subject matter.
I can't blame the authors entirely for the many flaws in this book, as any decent technical editor should have been able to spot many of these errors prior to publication. One wonders whether the technical editors even read the book as many of the errors are so blatant that it's inconceivable that so many managed to slip through. I'm disappointed in Syngress for publishing a book with so many errors, and this has definitely led me to believe that Syngress does not want to maintain a leadership position of publishing technical content of the highest magnitude, but rather they are only concerned with being the first to market with a particular product.
I will give this book 2 stars in that it is indeed a noble attempt at covering a wide array of topics, as well as for being the only book in the industry which covers this subject matter. I suggest that the authors should examine the possibility of releasing a second edition which may fix these blatant errors, as well as hiring some decent technical editors.