[AusNOG] Q sonicwall and juniper

Skeeve Stevens skeeve+ausnog at eintellegonetworks.com
Mon Jul 8 16:35:33 EST 2013


++1


...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
skeeve at eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ;  <http://twitter.com/networkceoau>
linkedin.com/in/skeeve

twitter.com/networkceoau ; blog: www.network-ceo.net


The Experts Who The Experts Call
Juniper - Cisco - Cloud


On Mon, Jul 8, 2013 at 3:32 PM, Craig Askings <craig at askings.com.au> wrote:

> Agreed, if you want to manage DDoS attacks you really want:
>
> 1) Juniper MX out front with BGP flowspec enabled on it.
> 2) Some tool to identify said DDoS and generate the flowspec rule to match
> it. (Arbor?)
> 3) Upstream providers who can automatically sink said traffic at their
> borders.
>
> http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec
>
>
> On 08/07/2013, at 3:27 PM, "Zone Networks - Joel Nath" <
> joel at zonenetworks.com.au> wrote:
>
> Firewall won't help protect you against DDOS, especially anything that is
> software based
>
> Srx 3400 + might help a bit as it's ASIC but a decent SYN flood will take it
> out as well.
>
> Regards
> Joel
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Alex
> Samad - Yieldbroker
> Sent: Monday, 8 July 2013 3:19 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Q sonicwall and juniper
>
> Hi
>
> Thanks to everyone that has given me feedback, definitely seems like
> juniper is the router of choice.
> This is still early days for me... more of a fact finding mission
>
> One of the design choices I am looking at.
>
> It seems like there are units capable of looking after (in 1 HA setup)
> both  Internet FW and internet FW.
>
> Currently I am using some cisco 2600's for my ext routers ... ie WAN ...
> BGP and basic ACL's
>
> The original idea was to replicate this, so outside routers, Internet FW
> and internal FW with similar setup
>
> The main reason for that is that a DDOS or any attack via BGP can only
> attack our outside routers. Thus reducing our foot print our external FW is
> exposed to the outside world.
>
> More background, we provide our product via the internet and via private
> connections (leased lines of sorts, premium service ).
>
> What we are trying to avoid with separate devices is internet issues
> affecting premium services. And to some extent our internal traffic.
>
> So I have thrown my eye over at the srx 550 and find it (and it seems
> other models / manufacturers) provide virtual routers/domains. Is this
> enough to protect a FW device.
>
> So if I replace my external routers and internet FW and internet FW, with
> a SRX550 am I leaving myself open to the cpu of the device being taken up
> with BGP process or DDOS from the internet ... etc etc.
>
>
> Thanks
> Alex
>
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
> Andrew Jones
> Sent: Monday, 8 July 2013 2:47 PM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Q sonicwall and juniper
>
> I have quite a few SRX clusters running, and find them very reliable
> in general. Most of the issues which were there earlier have been sorted
> out.
> "Commit rollback", which used not to be available in earlier versions
> of junos when clustering was enabled now works as well, which is a big
> plus in my book.
>
>
>
> On 08.07.2013 14:30, Ryan Finnesey wrote:
>
> Lol never worked with clustering.
>
> Sent from my iPad
>
> On Jul 7, 2013, at 9:52 PM, "Skeeve Stevens"
> <skeeve+ausnog at eintellegonetworks.com> wrote:
>
> +1.
>
> Juniper clustering was developed, coded, and not tested by Satan
> himself.
>
> ...Skeeve
>
> SKEEVE STEVENS - eintellego Networks Pty Ltd
>
> skeeve at eintellegonetworks.com ; www.eintellegonetworks.com [3]
>
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
>
> facebook.com/eintellegonetworks [4] ; [5]linkedin.com/in/skeeve [6]
>
> twitter.com/networkceoau [5] ; blog: www.network-ceo.net [7]
>
> The Experts Who The Experts Call
> Juniper - Cisco - Cloud
>
> On Mon, Jul 8, 2013 at 11:47 AM, James Braunegg
> <james.braunegg at micron21.com> wrote:
>
> I like the Juniper SRX 3400 / SRX 5600 firewalls the nice things
> about these is you can run per device redundant routing engines,
> both of these support hardware line rate 10gbit ports and are full
> ASIC based.
>
> If you don't actually need 10gbit throughput you could look at the
> SRX 650 which can support 10gbit ports but all processing is done
> in software not in ASIC
>
> Juniper had some issues with clustering the SRX in the early days
> but these seem to be all but gone now...
>
> That being said I still avoid clustering where possible and much
> prefer two single devices not linked in any way other than standard
> routing protocols.
>
> Juniper also has a fantastic CLI … one of the best I've ever used.
>
> Do you have a budget in mind ?
>
> Kindest Regards
>
> James Braunegg
> P: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616
>
> E: james.braunegg at micron21.com | ABN: 12 109 977 666
> W: www.micron21.com/ip-transit [1] T: @micron21
>
>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of
> Alex Samad - Yieldbroker
> Sent: Monday, July 08, 2013 10:01 AM
> To: ausnog at lists.ausnog.net
> Subject: [AusNOG] Q sonicwall and juniper
>
> Hi
>
> Was wondering what the group's thoughts were on sonicwall and maybe
> in relation to juniper.
>
> Most of my experience has been with Cisco and linux (firewalls)
>
> In particular I am looking at
>
> Exterior FW (facing internet)
>
> Or
>
> Interior FW (not facing Internet)
>
> Like to have a cluster (HA setup)
>
> Like to have min 2 x 10G fibre ports per dev and some 1G ports
>
> Don't need any sort of deep packet inspection
>
> I prefer CLI, my initial googling seems to suggest sonic is not
> very cli friendly at all
>
> Again my initial investigation leads me to NSA 5600 (or NSA 6600),
> not sure what the comparable Juniper might be.
>
> Thanks
>
> Alex
>
> _______________________________________________
>
> AusNOG mailing list
>
> AusNOG at lists.ausnog.net
>
> http://lists.ausnog.net/mailman/listinfo/ausnog [2]
>
> Links:
> ------
> [1] http://www.micron21.com/ip-transit
> [2] http://lists.ausnog.net/mailman/listinfo/ausnog
> [3] http://www.eintellegonetworks.com/
> [4] http://facebook.com/eintellegonetworks
> [5] http://twitter.com/networkceoau
> [6] http://linkedin.com/in/skeeve
> [7] http://www.network-ceo.net/
>
>
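Step 2 of the approach quoted in this thread (a tool that identifies the DDoS and generates a matching flowspec rule), sketched as an added example that is not part of the original messages or of any product named in them. The flow-record layout, the threshold and the one-line rule rendering are assumptions made for illustration.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed sample flow records for one sampling interval (not from the thread):
# (src, dst, protocol, dst_port, tcp_flags, packets)
FLOWS = [
    ("198.51.100.7", "203.0.113.10", "tcp", 443, "S", 90000),
    ("198.51.100.9", "203.0.113.10", "tcp", 443, "S", 85000),
    ("192.0.2.44", "203.0.113.10", "tcp", 443, "SA", 1200),
    ("192.0.2.45", "203.0.113.20", "tcp", 25, "S", 300),
    ("192.0.2.46", "203.0.113.10", "udp", 53, "", 400),
]

SYN_PACKET_THRESHOLD = 100_000  # assumed per-interval threshold, tune per site


def detect_syn_floods(flows, threshold=SYN_PACKET_THRESHOLD):
    """Return one flowspec-style rule per (dst, port) whose bare-SYN
    packet count in the interval exceeds the threshold."""
    syn_packets = Counter()
    for _src, dst, proto, dport, flags, packets in flows:
        # Count only initial SYNs (SYN set, ACK clear); SYN-ACKs and
        # established-session packets are ignored.
        if proto == "tcp" and flags == "S":
            syn_packets[(dst, dport)] += packets
    rules = []
    for (dst, dport), count in sorted(syn_packets.items()):
        if count <= threshold:
            continue
        addr = ip_address(dst)  # rejects malformed addresses
        rules.append({
            # Host route only, so the rule cannot cover neighbouring hosts.
            "destination": f"{addr}/{32 if addr.version == 4 else 128}",
            "protocol": "tcp",
            "dst_port": dport,
            "tcp_flags": "syn",
            # Discard also drops legitimate new connections to this port;
            # flowspec's traffic-rate action is the softer alternative.
            "action": "discard",
            "observed_syn_packets": count,
        })
    return rules


def render(rule):
    """Vendor-neutral one-line rendering, not any router's CLI syntax."""
    return (f"match dst {rule['destination']} proto {rule['protocol']} "
            f"dport {rule['dst_port']} tcp-flags {rule['tcp_flags']} "
            f"-> {rule['action']}")
```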