[AusNOG] Q sonicwall and juniper

Zone Networks - Joel Nath joel at zonenetworks.com.au
Mon Jul 8 15:44:13 EST 2013


No one in Aus to my knowledge. Happy to be corrected :)


From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Jonathan
Thorpe
Sent: Monday, 8 July 2013 3:40 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Q sonicwall and juniper


Probably a good time to ask - who supports FlowSpec advertisements?


From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Craig
Askings
Sent: Monday, 8 July 2013 3:33 PM
To: Zone Networks - Joel Nath
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Q sonicwall and juniper


Agreed, if you want to manage DDoS attacks you really want:


1) Juniper MX out front with BGP flowspec enabled on it. 

2) Some tool to identify said DDoS and generate the flowspec rule to match
it. (Arbor?)

3) Upstream providers who can automatically sink said traffic at their
borders.


http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec
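Added example, not code from any message in this thread: a small Python sketch of step 2 in the list above, which sums bare-SYN flow samples per target and renders a Junos `flow route` stanza for the victim. The flow records, the threshold, the `203.0.113.0/24` "own prefix" and the route names are all constructed, and the `routing-options flow route` stanza is written from the documented Junos format rather than taken from the thread; check it against your release before use. The ownership check matters for step 3: a neighbour validates a FlowSpec route only if it falls inside a unicast route you already announce (RFC 5575 section 6), so a generator should never emit rules for address space it does not originate.

```python
"""Turn flow samples into a Junos BGP FlowSpec 'flow route' for a detected SYN flood.

Added example, not from the thread. Junos stanza syntax is assumed from the
documented 'routing-options flow' format; all addresses, rates and names are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed flow samples: (src, dst, proto, dst_port, tcp_flags, packets/sec).
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", "tcp", 443, frozenset({"syn"}), 60000),
    ("198.51.100.8", "203.0.113.10", "tcp", 443, frozenset({"syn"}), 55000),
    ("198.51.100.9", "203.0.113.10", "tcp", 443, frozenset({"syn"}), 52000),
    ("192.0.2.44", "203.0.113.10", "tcp", 443, frozenset({"syn", "ack"}), 900),  # handshake reply, not a bare SYN
    ("192.0.2.45", "203.0.113.20", "tcp", 80, frozenset({"syn"}), 300),  # normal load
    ("192.0.2.46", "198.18.0.5", "tcp", 22, frozenset({"syn"}), 80000),  # victim outside our space
]

# Prefixes we originate (constructed). A neighbour only accepts a FlowSpec route
# that sits inside a unicast route we announce (RFC 5575 s.6), so rules are
# refused for anything else.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def syn_pps_by_target(flows):
    """Sum packets/sec of bare-SYN TCP flows per (destination, port)."""
    totals = defaultdict(int)
    for _src, dst, proto, dport, flags, pps in flows:
        if proto == "tcp" and flags == frozenset({"syn"}):
            totals[(dst, dport)] += pps
    return dict(totals)


def detect_syn_flood(flows, threshold_pps):
    """Return {(dst, port): pps} for targets whose bare-SYN rate exceeds the threshold."""
    return {k: v for k, v in syn_pps_by_target(flows).items() if v > threshold_pps}


def in_own_space(addr, own_prefixes):
    """True if addr lies inside one of the prefixes we are entitled to filter."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in own_prefixes)


def render_flow_route(name, dst, dst_port, rate_limit_bps=None):
    """Render a Junos flow route matching bare SYNs to dst:port.

    Default action is discard; pass rate_limit_bps to police instead
    (the RFC 5575 traffic-rate action), which keeps some service alive.
    """
    action = f"rate-limit {rate_limit_bps};" if rate_limit_bps else "discard;"
    lines = [
        "routing-options {",
        "    flow {",
        f"        route {name} {{",
        "            match {",
        f"                destination {dst}/32;",
        "                protocol tcp;",
        f"                destination-port {dst_port};",
        "                tcp-flags syn;",
        "            }",
        f"            then {action}",
        "        }",
        "    }",
        "}",
    ]
    return "\n".join(lines)


def build_mitigations(flows, own_prefixes, threshold_pps):
    """Detect floods and produce one flow route per victim inside our space.

    Returns (rules, skipped): rules holds dicts with the rendered config,
    skipped lists (dst, port) targets rejected by the ownership check.
    """
    rules, skipped = [], []
    for (dst, dport), pps in sorted(detect_syn_flood(flows, threshold_pps).items()):
        if not in_own_space(dst, own_prefixes):
            skipped.append((dst, dport))
            continue
        name = f"syn-flood-{dst.replace('.', '-')}-{dport}"
        rules.append({"victim": dst, "port": dport, "pps": pps,
                      "config": render_flow_route(name, dst, dport)})
    return rules, skipped


if __name__ == "__main__":
    rules, skipped = build_mitigations(SAMPLE_FLOWS, OWN_PREFIXES, threshold_pps=10000)
    for r in rules:
        print(f"# {r['victim']}:{r['port']} at {r['pps']} SYN pps")
        print(r["config"])
    for dst, dport in skipped:
        print(f"# skipped {dst}:{dport}: not within our announced prefixes")
```

Running it prints one discard rule for 203.0.113.10:443 (167000 SYN pps across three sources) and reports 198.18.0.5:22 as skipped, even though its rate is higher, because it is not in `OWN_PREFIXES`. In practice the rendered stanza would be committed on the MX (or fed to it as a flowspec NLRI from the detection box) and, if the upstream accepts flowspec, propagated so the drop happens at their border.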


On 08/07/2013, at 3:27 PM, "Zone Networks - Joel Nath"
<joel at zonenetworks.com.au> wrote:


Firewall won't help protect you against DDoS, especially anything that is
software based.

SRX 3400+ might help a bit as it's ASIC, but a decent SYN flood will take it
out as well.

Regards
Joel

-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Alex
Samad - Yieldbroker
Sent: Monday, 8 July 2013 3:19 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Q sonicwall and juniper

Hi

Thanks to everyone that has given me feedback; it definitely seems like Juniper
is the router of choice.
This is still early days for me... more of a fact-finding mission.

One of the design choices I am looking at:

It seems like there are units capable of looking after (in 1 HA setup) both
Internet FW and internal FW.

Currently I am using some Cisco 2600s for my ext routers ... ie WAN ... BGP
and basic ACLs.

The original idea was to replicate this, so outside routers, Internet FW and
internal FW with similar setup.

The main reason for that is that a DDoS or any attack via BGP can only
attack our outside routers, thus reducing the footprint our external FW
exposes to the outside world.

More background: we provide our product via the internet and via private
connections (leased lines of sorts, premium service).

What we are trying to avoid with separate devices is internet issues
affecting premium services, and to some extent our internal traffic.

So I have thrown my eye over the SRX 550 and find it (and it seems other
models / manufacturers) provide virtual routers/domains. Is this enough to
protect a FW device?

So if I replace my external routers, Internet FW and internal FW with an
SRX550, am I leaving myself open to the CPU of the device being taken up with
BGP process or DDoS from the internet ... etc etc.


Thanks
Alex




-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of 
Andrew Jones
Sent: Monday, 8 July 2013 2:47 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Q sonicwall and juniper

I have quite a few SRX clusters running, and find them very reliable 
in general. Most of the issues which were there earlier have been sorted
out.
"Commit rollback", which used not to be available in earlier versions 
of junos when clustering was enabled now works as well, which is a big 
plus in my book.



On 08.07.2013 14:30, Ryan Finnesey wrote:

Lol never worked with clustering.

Sent from my iPad

On Jul 7, 2013, at 9:52 PM, "Skeeve Stevens"
<skeeve+ausnog at eintellegonetworks.com> wrote:



+1.

Juniper clustering was developed, coded, and not tested by Satan 
himself.

...Skeeve

SKEEVE STEVENS - eintellego Networks Pty Ltd

skeeve at eintellegonetworks.com ; www.eintellegonetworks.com [3]

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks [4] ; linkedin.com/in/skeeve [6]

twitter.com/networkceoau [5] ; blog: www.network-ceo.net [7]

The Experts Who The Experts Call
Juniper - Cisco - Cloud

On Mon, Jul 8, 2013 at 11:47 AM, James Braunegg 
<james.braunegg at micron21.com> wrote:



I like the Juniper SRX 3400 / SRX 5600 firewalls. The nice thing
about these is you can run per-device redundant routing engines;
both of these support hardware line-rate 10gbit ports and are fully
ASIC based.

If you don't actually need 10gbit throughput you could look at the
SRX 650, which can support 10gbit ports but all processing is done
in software, not in ASIC.

Juniper had some issues with clustering the SRX in the early days,
but these seem to be all but gone now...

That being said, I still avoid clustering where possible and much
prefer two single devices not linked in any way other than standard
routing protocols.

Juniper also has a fantastic CLI, one of the best I've ever used.

Do you have a budget in mind?

Kindest Regards

James Braunegg
P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616

E: james.braunegg at micron21.com | ABN: 12 109 977 666
W: www.micron21.com/ip-transit [1] T: @micron21

This message is intended for the addressee named above. It may 
contain privileged or confidential information. If you are not the 
intended recipient of this message you must not use, copy, 
distribute or disclose it to anyone other than the addressee. If 
you have received this message in error please return the message 
to the sender by replying to it and then delete the message from 
your computer.

-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of 
Alex Samad - Yieldbroker
Sent: Monday, July 08, 2013 10:01 AM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] Q sonicwall and juniper

Hi

Was wondering what the group's thoughts were on SonicWALL, and maybe
in relation to Juniper.

Most of my experience has been with Cisco and linux (firewalls)

In particular I am looking at

Exterior FW (facing internet)

Or

Interior FW (not facing Internet)

Like to have a cluster (HA setup)

Like to have min 2 x 10G fibre ports per dev and some 1G ports

Don't need any sort of deep packet inspection

I prefer CLI; my initial googling seems to suggest SonicWALL is not
very CLI friendly at all.

Again my initial investigation leads me to NSA 5600 (or NSA 6600),
not sure what the comparable Juniper might be.

Thanks

Alex

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog [2]




Links:
------
[1] http://www.micron21.com/ip-transit
[2] http://lists.ausnog.net/mailman/listinfo/ausnog
[3] http://www.eintellegonetworks.com/
[4] http://facebook.com/eintellegonetworks
[5] http://twitter.com/networkceoau
[6] http://linkedin.com/in/skeeve
[7] http://www.network-ceo.net/
