[j-nsp] SRX performance

Stepan Kucherenko twh at megagroup.ru
Tue Dec 22 11:14:06 EST 2015


> Can anyone share real world SRX performance? I am looking at the SRX220
> or SRX240 for a small website ~150-200Mbps in a co-location environment.
> The performance charts state the SRX220 can do 300Mbps with a mix of
> traffic and up to 900Mbps with mostly large packet sizes.

SRX240 can give required bandwidth but it has no redundant power. 
Anyway, I don't think it's a good idea, see below.

> If you go down the path of an SRX240 I'd suggest using the
> screen features and tuning it for your needs. It can really
> save the device from dealing with junk / attack traffic at
> higher levels. Can't help you with a 100Gbps DDoS but can
> help deal with SYN floods and other junk.

Um. No. It'll die under SYN flood even faster than a server would. I've 
tested its screen options against SYN floods and it's pathetic, 
especially compared to what a Linux box with synproxy can do. Not 
surprising, SRX CPU is very slow compared to Xeons and it can't offload 
everything.

That "other junk" will probably kill it as well.

Even 550/650 or "datacenter" models are not robust enough because state 
exhaustion attacks are easy and cheap. Magic "screen" is far from a 
panacea. Any stateful firewall in a datacenter is just a fragile SPOF that 
will eventually keel over, taking your whole setup with it.

With that said, SRX is a very nice box when it's used correctly. I have 
lots of them in branch offices and some in datacenter, but I wouldn't 
put it before servers expecting them to hold their ground under attack. 
And I'm not bashing SRXes specifically, I'm talking about any stateful 
firewall from any vendor, they all suck.


Don't use stateful firewalls before servers. Ever. Grab an L3 switch and 
do stateless filtering at ingress and filter everything else on servers.
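As an added illustration of the "stateless filtering at ingress on an L3 switch" approach recommended above (this is example configuration written for this page, not something the poster or Juniper published): a Junos stateless firewall filter on a routed switch port in front of a single web server. The server address 192.0.2.10, the upstream interface xe-0/0/0 and the 1 Mbps ICMP policer limit are assumptions for the example; adjust them to the real deployment.

```junos
/* Added example: stateless ingress filter on an L3 switch upstream of a web server.
   Assumed values: server 192.0.2.10/32, uplink xe-0/0/0, ICMP policer 1m/15k. */
firewall {
    policer ICMP-1M {
        /* Cap ICMP so a ping flood cannot consume the switch or server CPU. */
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter EDGE-IN {
            term drop-fragments {
                /* Non-initial fragments carry no L4 header, so later port
                   matches cannot see them; drop and count them up front. */
                from {
                    is-fragment;
                }
                then {
                    count frag-drop;
                    discard;
                }
            }
            term web {
                /* The only services the Internet should reach. No state is
                   kept, so a SYN flood is just more packets forwarded at
                   line rate to a server that runs its own SYN defences. */
                from {
                    destination-address {
                        192.0.2.10/32;
                    }
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then accept;
            }
            term return-tcp {
                /* Return traffic for connections the server opened itself.
                   tcp-established only checks for ACK or RST set; it is a
                   stateless heuristic, not connection tracking. */
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer ICMP-1M;
                    accept;
                }
            }
            term default-drop {
                /* The drop counter is the cheap way to see junk traffic
                   arriving: show firewall filter EDGE-IN */
                then {
                    count edge-drop;
                    discard;
                }
            }
        }
    }
}
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input EDGE-IN;
                }
                address 198.51.100.2/30;
            }
        }
    }
}
```

Everything the filter accepts is still subject to the server's own host firewall (for instance nftables with synproxy, as the post mentions), which is where the per-connection work belongs. Because the switch keeps no session table, there is nothing on it for a state-exhaustion attack to fill; the trade-off is that term return-tcp will pass any ACK or RST packet, so UDP services the server itself initiates (DNS, NTP) need their own explicit terms or must be filtered on the host.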


More information about the juniper-nsp mailing list