[j-nsp] DDoS protection for J-series and SRX

Mark Menzies mark at deimark.net
Thu Apr 11 06:28:54 EDT 2013


The SRX definitely supports screen options and you can upgrade the J series
to something newer.  I think it was in 9.4 that Juniper got rid of the 2
versions of software for J series, i.e. the router and enhanced services
versions, so all newer versions have the security stuff built in.

Upgrading the J series to use screen is fairly straightforward, but if you
are just looking to run the J series as a router we can turn off the main
security features, but you may be better off with just having all interfaces
in the same zone and allowing intra-zone traffic.

Your SRX running as the firewall should be able to cater as the only screen
device, but it does make sense to apply DDoS protection as close to your
perimeter as you can to reduce the load on the upstream boxes.


On 11 April 2013 11:15, James Howlett <jim.howlett at outlook.com> wrote:

> Hello,
>
> I think I can't use screen on my J-series in 9.x software / router context.
> Will SRX be able to handle it alone?
>
> all best,
> jim
>
> ------------------------------
> Date: Thu, 11 Apr 2013 10:10:18 +0100
> Subject: Re: [j-nsp] DDoS protection for J-series and SRX
> From: mark at deimark.net
> To: jim.howlett at outlook.com
> CC: juniper-nsp at puck.nether.net
>
>
> Have a look at the screen options on both kits, we can apply basic DDoS
> protection there and limit stuff like max connections over a short period
> etc.
>
>
> On 11 April 2013 09:57, James Howlett <jim.howlett at outlook.com> wrote:
>
> Hello,
>
> I have a small network with J6350 as a border router (BGP) and two SRX240H
> in a cluster.
> For a few days now my network has been a victim of DDoS attacks. The
> majority of them are high pps count attacks.
> Are there any methods to protect my network against such attacks? My
> J-series can handle quite a lot of pps, but my SRX die after getting more
> than 8000 new sessions per second.
>
> Is there anything I can do here?
>
> Regards,
> jim
>


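A sketch of the screen configuration discussed in the thread, added here as an example and not taken from any poster's configuration. The profile name `untrust-screen`, the zone name `untrust`, and every threshold value are assumptions to be tuned against the site's own traffic baseline, with the goal of keeping new-session setup well under the roughly 8000 sessions per second at which the SRX cluster was reported to fail.

```junos
# Added example: names and numbers below are placeholders, not values from the thread.

# Start in detect-only mode so thresholds can be tuned without dropping
# legitimate traffic; delete this statement once the counters look sane.
set security screen ids-option untrust-screen alarm-without-drop

# TCP SYN flood: thresholds are per second, timeout is in seconds.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1000
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 500
set security screen ids-option untrust-screen tcp syn-flood source-threshold 100
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20

# ICMP and UDP floods: packets per second toward a single destination.
set security screen ids-option untrust-screen icmp flood threshold 1000
set security screen ids-option untrust-screen udp flood threshold 5000

# Cap concurrent sessions per source and per destination address.
set security screen ids-option untrust-screen limit-session source-ip-based 100
set security screen ids-option untrust-screen limit-session destination-ip-based 1000

# A screen does nothing until it is bound to the ingress zone.
set security zones security-zone untrust screen untrust-screen

# Operational-mode check of what the screen is counting:
#   show security screen statistics zone untrust
```

Per-source limits only help against floods from a limited set of real addresses; with spoofed or widely distributed sources the per-destination thresholds are the ones that trigger, and they affect legitimate clients of that destination as well.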