<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>Don't forget – test, test, test, test and test.</div>
<div><br>
</div>
<div>
<div><a href="https://support.cloudflare.com/entries/23294588-CloudFlare-Post-Mortem-from-Outage-on-March-3-2013">https://support.cloudflare.com/entries/23294588-CloudFlare-Post-Mortem-from-Outage-on-March-3-2013</a></div>
</div>
<div><br>
</div>
<div>You'll probably be waiting a while to see upstreams who accept flowspec announcements directly as well, due to the resources required, scale and potential security holes that may exist in flowspec actions and the vectors that this opens up.</div>
<div><br>
</div>
<div>Macca</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Craig Askings <<a href="mailto:craig@askings.com.au">craig@askings.com.au</a>><br>
<span style="font-weight:bold">Date: </span>Monday, 8 July 2013 3:32 PM<br>
<span style="font-weight:bold">To: </span>Zone Networks - Joel Nath <<a href="mailto:joel@zonenetworks.com.au">joel@zonenetworks.com.au</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>" <<a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [AusNOG] Q sonicwall and juniper<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
Agreed, if you want to manage DDoS attacks you really want:
<div><br>
</div>
<div>1) Juniper MX out front with BGP flowspec enabled on it. </div>
<div>2) Some tool to identify said DDoS and generate the flowspec rule to match it. (Arbor?)</div>
<div>3) Upstream providers who can automatically sink said traffic at their borders.</div>
<div><br>
</div>
<div><a href="http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec">http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec</a></div>
<div><br>
</div>
<div><br>
<div>
<div>On 08/07/2013, at 3:27 PM, "Zone Networks - Joel Nath" <<a href="mailto:joel@zonenetworks.com.au">joel@zonenetworks.com.au</a>> wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">Firewall wont help protect you against DDOS, especially anything that is software based<br>
<br>
Srx 3400 + might help abit as its ASIC but a decent SYN flood will take it out as well.<br>
<br>
Regards<br>
Joel<br>
<br>
-----Original Message-----<br>
From: AusNOG [<a href="mailto:ausnog-">mailto:ausnog-</a><a href="mailto:bounces@lists.ausnog.net">bounces@lists.ausnog.net</a>] On Behalf Of Alex Samad - Yieldbroker<br>
Sent: Monday, 8 July 2013 3:19 PM<br>
To: <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
Subject: Re: [AusNOG] Q sonicwall and juniper<br>
<br>
Hi<br>
<br>
Thanks to everyone that has given me feedback, definitely seems like juniper is the router of choice.<br>
This is still early days for me... more of a fact finding mission<br>
<br>
One of the design choices I am looking at. <br>
<br>
It seems like there are units capable of looking after (in 1 HA setup) both Internet FW and internet FW.<br>
<br>
Currently I am using some cisco 2600's for my ext routers ... ie WAN ... BGP and basic ACL's<br>
<br>
The original idea was to replicate this, so outside routers, Internet FW and internal FW with similar setup<br>
<br>
The main reason for that is that a DDOS or any attack via BGP can only attack our outside routers. Thus reducing our foot print our external FW is exposed to the outside world.<br>
<br>
More background, we provide our product via the internet and via private connections (leased lines of sorts, premium service ).<br>
<br>
What we are trying to avoid with separate devices is internet issues affecting premium services. And to some extend our internal traffic.<br>
<br>
So I have thrown my eye over at the srx 550 and find it (and it seems other models / manufactures) provide virtual routers/domains Is this enough to protect a FW device.<br>
<br>
So if I replace my external routers and internet FW and internet FW, with a SRX550 am I leaving myself open to the cpu of the device being taken up with BGP process or DDOS from the internet ... etc etc.<br>
<br>
<br>
Thanks<br>
Alex<br>
<br>
<br>
<blockquote type="cite">-----Original Message-----<br>
From: AusNOG [<a href="mailto:ausnog-">mailto:ausnog-</a><a href="mailto:bounces@lists.ausnog.net">bounces@lists.ausnog.net</a>] On Behalf Of
<br>
Andrew Jones<br>
Sent: Monday, 8 July 2013 2:47 PM<br>
To: <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
Subject: Re: [AusNOG] Q sonicwall and juniper<br>
<br>
I have quite a few SRX clusters running, and find them very reliable <br>
in general. Most of the issues which were there earlier have been sorted out.<br>
"Commit rollback", which used not to be available in earlier versions <br>
of junos when clustering was enabled now works as well, which is a big <br>
plus in my book.<br>
<br>
<br>
<br>
On 08.07.2013 14:30, Ryan Finnesey wrote:<br>
<blockquote type="cite">Lol never worked with clustering.<br>
<br>
Sent from my iPad<br>
<br>
On Jul 7, 2013, at 9:52 PM, "Skeeve Stevens"<br>
<<a href="mailto:skeeve+ausnog@eintellegonetworks.com">skeeve+ausnog@eintellegonetworks.com</a>> wrote:<br>
<br>
<blockquote type="cite">+1.<br>
<br>
Juniper clustering was developed, coded, and not tested by Satan <br>
himself.<br>
<br>
...Skeeve<br>
<br>
SKEEVE STEVENS - eintellego Networks Pty Ltd<br>
<br>
<a href="mailto:skeeve@eintellegonetworks.com">skeeve@eintellegonetworks.com</a> ;
<a href="http://www.eintellegonetworks.com">www.eintellegonetworks.com</a> [3]<br>
<br>
Phone: 1300 239 038; Cell +61 (0)414 753 383 ; <a href="skype://skeeve">skype://skeeve</a><br>
<br>
<a href="http://facebook.com/eintellegonetworks">facebook.com/eintellegonetworks</a> [4] ; [5]<a href="http://linkedin.com/in/skeeve">linkedin.com/in/skeeve</a> [6]<br>
<br>
<a href="http://twitter.com/networkceoau">twitter.com/networkceoau</a> [5] ; blog:
<a href="http://www.network-ceo.net">www.network-ceo.net</a> [7]<br>
<br>
The Experts Who The Experts Call<br>
Juniper - Cisco - Cloud<br>
<br>
On Mon, Jul 8, 2013 at 11:47 AM, James Braunegg <br>
<<a href="mailto:james.braunegg@micron21.com">james.braunegg@micron21.com</a>> wrote:<br>
<br>
<blockquote type="cite">I like the Juniper SRX 3400 / SRX 5600 firewalls the nice things
<br>
about these is you can run per device redundant routing engines, <br>
both of these support hardware line rate 10gbit ports and are full <br>
ASIC based.<br>
<br>
If you don't actually need 10gbit throughput you could look at the <br>
SRX 650 which can support 10gbit ports but all processing is done <br>
in software not in ASIC<br>
<br>
Juniper had some issues with clustering the SRX in the early days <br>
but these seem to be all but gone now...<br>
<br>
That being said I still avoid clustering where possible and much <br>
prefer two single devices not linked in anyway other than standard <br>
routing protocols.<br>
<br>
Juniper also has a fantastic CLI … one of the best I've ever used.<br>
<br>
Do you have a budget in mind ?<br>
<br>
Kindest Regards<br>
<br>
James Braunegg<br>
P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616<br>
<br>
E: <a href="mailto:james.braunegg@micron21.com">james.braunegg@micron21.com</a> | ABN: 12 109 977 666<br>
W: <a href="http://www.micron21.com/ip-transit">www.micron21.com/ip-transit</a> [1] T: @micron21<br>
<br>
<image001.jpg><br>
This message is intended for the addressee named above. It may <br>
contain privileged or confidential information. If you are not the <br>
intended recipient of this message you must not use, copy, <br>
distribute or disclose it to anyone other than the addressee. If <br>
you have received this message in error please return the message <br>
to the sender by replying to it and then delete the message from <br>
your computer.<br>
<br>
-----Original Message-----<br>
From: AusNOG [<a href="mailto:ausnog-">mailto:ausnog-</a><a href="mailto:bounces@lists.ausnog.net">bounces@lists.ausnog.net</a>] On Behalf Of
<br>
Alex Samad - Yieldbroker<br>
Sent: Monday, July 08, 2013 10:01 AM<br>
To: <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
Subject: [AusNOG] Q sonicwall and juniper<br>
<br>
Hi<br>
<br>
Was wondering what the groups thoughts where on sonicwall and<br>
</blockquote>
</blockquote>
</blockquote>
maybe<br>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">in relation to juniper.<br>
<br>
Most of my experience has been with Cisco and linux (firewalls)<br>
<br>
In particular I am looking at<br>
<br>
Exterior FW (facing internet)<br>
<br>
Or<br>
<br>
Interior FW (not facing Internet)<br>
<br>
Like to have a cluster (HA setup)<br>
<br>
Like to have min 2 x 10G fibre ports per dev and some 1G ports<br>
<br>
Don't need any sort of deep packet inspection<br>
<br>
I prefer CLI, my initial googling seems to suggest sonic is not <br>
very cli friendly at all<br>
<br>
Again my initial investigation leads me to NSA 5600 (or NSA 6600), <br>
not sure what the comparably Juniper might be.<br>
<br>
Thanks<br>
<br>
Alex<br>
<br>
_______________________________________________<br>
<br>
AusNOG mailing list<br>
<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a> [2]
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a> [2]<br>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a> [2]<br>
</blockquote>
<br>
<br>
Links:<br>
------<br>
[1] <a href="http://www.micron21.com/ip-transit">http://www.micron21.com/ip-transit</a><br>
[2] <a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
[3] <a href="http://www.eintellegonetworks.com/">http://www.eintellegonetworks.com/</a><br>
[4] <a href="http://facebook.com/eintellegonetworks">http://facebook.com/eintellegonetworks</a><br>
[5] <a href="http://twitter.com/networkceoau">http://twitter.com/networkceoau</a><br>
[6] <a href="http://linkedin.com/in/skeeve">http://linkedin.com/in/skeeve</a><br>
[7] <a href="http://www.network-ceo.net/">http://www.network-ceo.net/</a><br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span>
</body>
</html>