[j-nsp] SSG - Handling Load
Paul Stewart
paul at paulstewart.org
Fri Mar 6 10:42:50 EST 2009
Excellent - thanks...
I got a spec sheet from Juniper showing IMIX traffic levels with various
features enabled which has helped quite a bit... didn't know about how
granular you can configure the features which is *really* neat...;)
Related to this, is there any info that compares "basic signature matching"
against what their ISG boxes do with an IDP blade installed? I realize the
budget changes here but some of our security needs "on the wire" are
specific in need...
Basically, on the web hosting side we're hoping to use a box that will look
for the most common exploits, bad scripts - that kind of stuff....
Cheers,
Paul
-----Original Message-----
From: Stefan Fouant [mailto:sfouant at gmail.com]
Sent: Friday, March 06, 2009 9:42 AM
To: Paul Stewart; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] SSG - Handling Load
Paul,
Check the datasheets available on the Juniper site for details on the
amount of load these boxes can handle. For just raw FW performance the
SSG-140 should easily be able to handle the 20-50 Mbps load you intend
to throw at it. One of the nice things that I really like about these
boxes is that you can selectively enable which traffic you intend to
perform Anti-Virus and Anti-Spam, rather than all traffic, so if
you do your policies correctly you can choose to do Anti-Spam only for
SMTP traffic, or AV for SMTP attachments, http, and ftp for example.
Similarly you can choose to enable the IDS functions (which for an
SSG-140 is really just basic signature matching) for only certain
types of traffic. If you choose your configuration wisely you should
be able to scale the box to meet your needs.
If you can spend a little more you might opt for the SSG 320M which
would give you the flexibility to upgrade to JUNOS-ES in the future,
should you wish to do so.
On 3/6/09, Paul Stewart <paul at paulstewart.org> wrote:
> Hi folks.. new to the list and looking for some real-world feedback on SSG
> boxes and how they handle load. Perhaps this isn't the proper use for the
> box or maybe it works just fine.
>
> We're a service provider that has a small server farm. The traffic on this
> server farm is 20Mb/s on average with occasional peaks up to 50Mb/s.
>
> Our first requirement is a good firewall. Then on the ports still exposed
> we're looking for packet inspection (IDS) with the idea that when certain
> levels of signatures are hit then those packets will be dropped. I believe
> at this point that an SSG can handle this.. We're considering an SSG-140 at
> this point.
>
> Now, turn on anti-spam and anti-virus - since these servers behind it handle
> substantial amounts of email traffic I was wondering if the SSG could "zap
> the obvious stuff" before it hits these servers (which also perform
> anti-virus and anti-spam).. the theory being that the obvious stuff wouldn't
> ever make it to the box...?
>
> If I have the design concept correctly, these boxes are really designed more
> for small to large office deployments and not data center deployment. But
> with the traffic levels mentioned above, has anyone deployed something
> similar?
>
> Thanks,
>
> Paul
--
Sent from Gmail for mobile | mobile.google.com
Stefan Fouant
Stay the patient course.
Of little worth is your ire.
The network is down.