[AusNOG] Q sonicwall and juniper

Chris Chaundy chris.chaundy at gmail.com
Mon Jul 8 17:36:54 EST 2013


As does Nextgen...

Does anyone know more about the Telstra and Optus RTBH options?  Last time
I asked, you had to do it through a support call or web page (I don't class
this as RTBH :-).



On Mon, Jul 8, 2013 at 4:19 PM, Ankur Puri <Ankur.Puri at au.ntt.com> wrote:

>   NTT supports RTBH and active mitigation as well.
>
>  Regards
> Ankur Puri
> Global Wholesale Manager
>  NTT Australia Pty Ltd
>
>   From: James Braunegg <james.braunegg at micron21.com>
> Date: Monday, 8 July 2013 4:05 PM
> To: Matt Perkins <matt at spectrum.com.au>, "ausnog at lists.ausnog.net" <
> ausnog at lists.ausnog.net>
>
> Subject: Re: [AusNOG] Q sonicwall and juniper
>
>   Both Optus and Telstra support RTBH … at least that’s what my new
> Telstra and Optus contracts say…
>
> Kindest Regards
>
> James Braunegg
> P:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
>
> E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666
> W:  www.micron21.com/ip-transit  T: @micron21
>
> This message is intended for the addressee named above. It may contain
> privileged or confidential information. If you are not the intended
> recipient of this message you must not use, copy, distribute or disclose it
> to anyone other than the addressee. If you have received this message in
> error please return the message to the sender by replying to it and then
> delete the message from your computer.
>
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net]
> On Behalf Of Matt Perkins
> Sent: Monday, July 08, 2013 3:55 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Q sonicwall and juniper
>
> An update on bgp blackholing. I asked some transits recently this exact
> question. Here's a summary of their responses.
>
> Telstra: We are considering it. Do you want to buy our arbor package.
> Optus: Good idea we will consider it. Do you want to buy our arbor
> Vocus: Do it and you can buy our arbor package.
> Pipe & Pipe IX. Do it and I have tested.
> AAPT: Confusion followed by a no.
>
>
> Matt.
>
>
>
> On 8/07/13 3:45 PM, Craig Askings wrote:
>
> I'm not aware of any, but you do have companies like Vocus. Who do accept
> blackhole bgp communities and have Arbor kit within their own network that
> will pick up on attacks.
>
> I've personally seen it detect and suppress attacks on my previous
> employer's transit connection with Vocus in the 5-10 minute range from the
> start of the attack.
>
> The most effective way of avoiding DDoS attacks in Australia is to not have
> Game Servers, IRC servers or gambling operations hosted on your network.
>
> Craig.
>
> On 08/07/2013, at 3:40 PM, Jonathan Thorpe <jthorpe at Conexim.com.au> wrote:
>
> Probably a good time to ask – who supports FlowSpec advertisements?
>
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On
> Behalf Of Craig Askings
> Sent: Monday, 8 July 2013 3:33 PM
> To: Zone Networks - Joel Nath
> Cc: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Q sonicwall and juniper
>
> Agreed, if you want to manage DDoS attacks you really want:
>
> 1) Juniper MX out front with BGP flowspec enabled on it.
>
> 2) Some tool to identify said DDoS and generate the flowspec rule to match
> it. (Arbor?)
>
> 3) Upstream providers who can automatically sink said traffic at their
> borders.
>
> http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec
>
> On 08/07/2013, at 3:27 PM, "Zone Networks - Joel Nath" <
> joel at zonenetworks.com.au> wrote:
>
> Firewall won't help protect you against DDOS, especially anything that is
> software based
>
> Srx 3400 + might help a bit as it's ASIC but a decent SYN flood will take it
> out as well.
>
> Regards
> Joel
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf
> Of Alex Samad - Yieldbroker
> Sent: Monday, 8 July 2013 3:19 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Q sonicwall and juniper
>
> Hi
>
> Thanks to everyone that has given me feedback, definitely seems like
> juniper is the router of choice.
> This is still early days for me... more of a fact finding mission
>
> One of the design choices I am looking at.
>
> It seems like there are units capable of looking after (in 1 HA setup)
> both  Internet FW and internet FW.
>
> Currently I am using some cisco 2600's for my ext routers ... ie WAN ...
> BGP and basic ACL's
>
> The original idea was to replicate this, so outside routers, Internet FW
> and internal FW with similar setup
>
> The main reason for that is that a DDOS or any attack via BGP can only
> attack our outside routers. Thus reducing our foot print our external FW is
> exposed to the outside world.
>
> More background, we provide our product via the internet and via private
> connections (leased lines of sorts, premium service ).
>
> What we are trying to avoid with separate devices is internet issues
> affecting premium services. And to some extent our internal traffic.
>
> So I have thrown my eye over at the srx 550 and find it (and it seems
> other models / manufacturers)  provide virtual routers/domains  Is this
> enough to protect a FW device.
>
> So if I replace my external routers and internet FW and internet FW, with
> a SRX550 am I leaving myself open to the cpu of the device being taken up
> with BGP process or DDOS from the internet ... etc etc.
>
>
> Thanks
> Alex
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
> Andrew Jones
> Sent: Monday, 8 July 2013 2:47 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Q sonicwall and juniper
>
> I have quite a few SRX clusters running, and find them very reliable
> in general. Most of the issues which were there earlier have been sorted
> out.
> "Commit rollback", which used not to be available in earlier versions
> of junos when clustering was enabled now works as well, which is a big
> plus in my book.
>
> On 08.07.2013 14:30, Ryan Finnesey wrote:
>
> Lol never worked with clustering.
>
> Sent from my iPad
>
> On Jul 7, 2013, at 9:52 PM, "Skeeve Stevens"
> <skeeve+ausnog at eintellegonetworks.com> wrote:
>
> +1.
>
> Juniper clustering was developed, coded, and not tested by Satan
> himself.
>
> ...Skeeve
>
> SKEEVE STEVENS - eintellego Networks Pty Ltd
>
> skeeve at eintellegonetworks.com ; www.eintellegonetworks.com [3]
>
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
>
> facebook.com/eintellegonetworks [4] ; linkedin.com/in/skeeve [6]
>
> twitter.com/networkceoau [5] ; blog: www.network-ceo.net [7]
>
> The Experts Who The Experts Call
> Juniper - Cisco - Cloud
>
> On Mon, Jul 8, 2013 at 11:47 AM, James Braunegg
> <james.braunegg at micron21.com> wrote:
>
> I like the Juniper SRX 3400 / SRX 5600 firewalls the nice things
> about these is you can run per device redundant routing engines,
> both of these support hardware line rate 10gbit ports and are full
> ASIC based.
>
> If you don't actually need 10gbit throughput you could look at the
> SRX 650 which can support 10gbit ports but all processing is done
> in software not in ASIC
>
> Juniper had some issues with clustering the SRX in the early days
> but these seem to be all but gone now...
>
> That being said I still avoid clustering where possible and much
> prefer two single devices not linked in any way other than standard
> routing protocols.
>
> Juniper also has a fantastic CLI … one of the best I've ever used.
>
> Do you have a budget in mind ?
>
> Kindest Regards
>
> James Braunegg
> P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
>
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
> W: www.micron21.com/ip-transit [1] T: @micron21
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
> Alex Samad - Yieldbroker
> Sent: Monday, July 08, 2013 10:01 AM
> To: ausnog at lists.ausnog.net
> Subject: [AusNOG] Q sonicwall and juniper
>
> Hi
>
> Was wondering what the group's thoughts were on sonicwall and maybe
> in relation to juniper.
>
> Most of my experience has been with Cisco and linux (firewalls)
>
> In particular I am looking at
>
> Exterior FW (facing internet)
>
> Or
>
> Interior FW (not facing Internet)
>
> Like to have a cluster (HA setup)
>
> Like to have min 2 x 10G fibre ports per dev and some 1G ports
>
> Don't need any sort of deep packet inspection
>
> I prefer CLI, my initial googling seems to suggest sonic is not
> very cli friendly at all
>
> Again my initial investigation leads me to NSA 5600 (or NSA 6600),
> not sure what the comparable Juniper might be.
>
> Thanks
>
> Alex
>
> _______________________________________________
>
> AusNOG mailing list
>
> AusNOG at lists.ausnog.net
>
> http://lists.ausnog.net/mailman/listinfo/ausnog [2]
>
> Links:
> ------
> [1] http://www.micron21.com/ip-transit
> [2] http://lists.ausnog.net/mailman/listinfo/ausnog
> [3] http://www.eintellegonetworks.com/
> [4] http://facebook.com/eintellegonetworks
> [5] http://twitter.com/networkceoau
> [6] http://linkedin.com/in/skeeve
> [7] http://www.network-ceo.net/
>
> --
> /* Matt Perkins
>         Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
>         Office 1300 133 299     matt at spectrum.com.au
>         Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
>         SIP 1300137379 at sip.spectrum.com.au
>         PGP/GNUPG Public Key can be found at  http://pgp.mit.edu
> */
>
>
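
Added example, not part of the thread or of any poster's setup: step 2 of the flowspec list quoted above (identify the attack and generate a matching rule), shown next to the RTBH alternative the thread discusses. The flow records, packet threshold and function names are constructed for illustration; 65535:666 is the RFC 7999 well-known BLACKHOLE community, and a given transit may require its own value.

```python
from collections import Counter
from ipaddress import ip_address

SYN, ACK = 0x02, 0x10
# Constructed flow samples: (src, dst, ip_proto, dst_port, tcp_flags, packets)
FLOWS = [
    ("198.51.100.7", "192.0.2.10", 6, 80, SYN, 90000),
    ("198.51.100.9", "192.0.2.10", 6, 80, SYN, 85000),
    ("203.0.113.5", "192.0.2.10", 6, 80, SYN, 70000),
    ("203.0.113.8", "192.0.2.10", 6, 443, SYN | ACK, 1200),
    ("203.0.113.9", "192.0.2.20", 6, 25, SYN, 300),
]
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 value; provider-specific values are common


def syn_flood_targets(flows, threshold):
    """Return {(dst, dst_port): packets} for bare-SYN traffic at or above threshold."""
    syn_only = Counter()
    for _src, dst, proto, port, flags, pkts in flows:
        if proto == 6 and flags & (SYN | ACK) == SYN:  # SYN set, ACK clear
            syn_only[(dst, port)] += pkts
    return {key: n for key, n in syn_only.items() if n >= threshold}


def flowspec_rule(dst, port):
    """Flow-spec match (RFC 5575 component types) with traffic-rate 0, i.e. discard."""
    return {
        "match": {
            "destination-prefix": f"{ip_address(dst)}/32",  # type 1
            "ip-protocol": 6,                                # type 3 (TCP)
            "destination-port": port,                        # type 5
            "tcp-flags": "syn",                              # type 9
        },
        "action": {"traffic-rate": 0},
    }


def rtbh_route(dst):
    """RTBH alternative: a tagged host route, which drops ALL traffic to dst upstream."""
    return {"prefix": f"{ip_address(dst)}/32", "community": BLACKHOLE_COMMUNITY}


def mitigations(flows, threshold=100000):
    """One entry per flooded (dst, port), carrying both mitigation options."""
    return [{"target": dst, "syn_packets": pkts,
             "flowspec": flowspec_rule(dst, port), "rtbh": rtbh_route(dst)}
            for (dst, port), pkts in sorted(syn_flood_targets(flows, threshold).items())]


if __name__ == "__main__":
    for entry in mitigations(FLOWS):
        print(entry)
```

The two outputs differ in blast radius: the RTBH route takes the victim address fully offline at the provider's border, while the flowspec rule drops only TCP SYNs to the flooded port, which still blocks new legitimate connections on that port but leaves the host's other services reachable.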