[j-nsp] Cisco vs Juniper confused

Satish Patel satish.txt at gmail.com
Thu Apr 14 19:35:28 EDT 2016


Does Juniper SRX support BGP? Which model should I buy, and is there an
additional cost after buying the hardware, like enabling features, etc.?

Cisco always does that: buying the hardware is cheaper, but after that
enabling services costs 3x as much.

On Thu, Apr 14, 2016 at 7:02 PM, Payam Chychi <pchychi at gmail.com> wrote:
> Having created DDoS mitigation solutions and specialized networks, it's not
> that simple, as certain companies can't simply offload data and provide their,
> say, SSL key to a DDoS mitigation provider (the simplest port HTTP/HTTPS proxy
> solution)... and most companies won't have the proper equipment to perform
> IPsec or GRE + BGP offloading, nor will they have the funds to pay +10k-15k
> MRC.
>
> So... if you already have a 10gig pipe and the 'current' bottleneck is your
> ASA5500 'state', then fix that the best you can while assessing what your
> longer-term goals are.
>
> Try putting in drop ACLs above to deny what you don't need. Enable TCP SYN
> proxy if you can and set up an aggressive age timeout so the table does not max
> out. Install proper monitoring to identify attacks and use the information
> for better drop ACLs. A decent Linux server with the latest iptables, which now
> fully supports a new SYN proxy, can handle almost 2 million req/second without
> impact to other traffic.
>
> Cisco ASAs (any of them) were never meant to be DDoS mitigation appliances.
> Replacing the ASA with a Juniper SRX will help greatly.
> Put a proper DDoS appliance in front to filter bad traffic, then use your
> ASA for your IPS/IDS/security, which will be fine at lower levels.
>
>
> Thanks,
> Payam
>
>
>
> On 2016-04-14, 3:45 PM, Michael Gehrmann wrote:
>>
>> +1 for Dave's comment. You can only survive until your upstream is
>> congested.
>>
>> Mike
>>
>> On 15 April 2016 at 08:05, Dave Bell <me at geordish.org> wrote:
>>
>>     In my opinion trying to scrub DDoS traffic yourself is a losing battle.
>>     It's likely that an attacker can easily fill the ingress points onto your
>>     network. If this is the case, then legitimate traffic will be dropped
>>     before it even hits you. The damage is already done. The only way around
>>     this is bigger links, which can be costly, and you're not even guaranteed
>>     to have links big enough to cope with an attack.
>>
>>     You're better off looking at your upstreams to assist you with this. They
>>     likely have some form of traffic scrubbing solution that you can employ
>>     when under attack. It's likely a lot easier for you to administrate too.
>>
>>     Regards,
>>     Dave
>>
>>     On 14 April 2016 at 22:57, Payam Chychi <pchychi at gmail.com> wrote:
>>
>>     > What gear do you currently have? What do your filtering rules look like?
>>     > You don't need to buy new gear if you're filtering much of the bad
>>     > traffic at the edge using simple ACLs.
>>     >
>>     >
>>     >
>>     > On Apr 14, 2016, 2:39 PM -0700, Dovid Bender <dovid at telecurve.com> wrote:
>>     > > Why not use an external service to scrub your traffic?
>>     > >
>>     > > Regards,
>>     > >
>>     > > Dovid
>>     > >
>>     > > -----Original Message-----
>>     > > From: Satish Patel <satish.txt at gmail.com>
>>     > > Sender: "juniper-nsp" <juniper-nsp-bounces at puck.nether.net>
>>     > > Date: Thu, 14 Apr 2016 17:35:17
>>     > > To: <juniper-nsp at puck.nether.net>
>>     > > Subject: [j-nsp] Cisco vs Juniper confused
>>     > >
>>     > > This is my first post here. We are a small-sized company and now we
>>     > > are getting hit hard by DDoS stuff. We have a 10G link in our network
>>     > > terminated on an L3 Cisco switch and from there other switches.
>>     > > Everything was working great but recently we started seeing DDoS more
>>     > > and more. They are filling the 10G link using NTP, IP frag, etc. attacks.
>>     > >
>>     > > Now we are looking for big gear so we keep the bad guys out and scrub
>>     > > traffic, but I'm confused by the Juniper vs Cisco war. I am not able to
>>     > > decide what to buy and how it will help us. I have the following in
>>     > > mind. We thought about an ASR firewall too but are not sure whether it
>>     > > can handle DDoS or not.
>>     > >
>>     > > Need your suggestion on what I should buy and why. One more thing: we
>>     > > are planning to run BGP so we can do null triggering etc.
>>     > >
>>     > > MX80 vs ASR100X - Is this enough to handle DDoS and filter traffic?
>>     > >
>>     > > MX240 vs ASR900X
>>     > > _______________________________________________
>>     > > juniper-nsp mailing list juniper-nsp at puck.nether.net
>>     > > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>>
>>
>> --
>> Michael Gehrmann
>> Senior Network Engineer - Atlassian
>> m: +61 407 570 658
>
>
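The Linux-host mitigation Payam describes above (drop ACLs for traffic you don't need, a TCP SYN proxy so half-open connections never enter the state table, and aggressive aging of the state table), written out as an added example that is not part of the original thread. It assumes an upstream-facing interface eth0, a protected HTTP service on port 80, and the site's own NTP servers in the documentation prefix 192.0.2.0/24 used as a placeholder; all three are assumptions, not details from the thread. By default it only prints the commands it would run; set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not from the thread: Payam's Linux-host mitigation steps
# (drop ACLs, netfilter SYNPROXY, aggressive conntrack aging) as an
# iptables/sysctl script. Interface, port and NTP prefix below are assumptions.

WAN_IF=${WAN_IF:-eth0}            # assumed upstream-facing interface
SVC_PORT=${SVC_PORT:-80}          # assumed protected service
NTP_NET=${NTP_NET:-192.0.2.0/24}  # placeholder prefix for the site's NTP servers
APPLY=${APPLY:-0}                 # 0 = print commands only, 1 = execute them

# run: execute a command, or echo it in dry-run mode.
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# drop_acls: "drop ACLs above to deny what you don't need", placed in the raw
# table so dropped packets never reach connection tracking. The two matches
# correspond to the attack types Satish named: reflected NTP and IP fragments.
drop_acls() {
    # Reflected NTP answers arrive from UDP source port 123; only the site's
    # own NTP servers should ever receive such packets from the upstream.
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p udp --sport 123 \
        ! -d "$NTP_NET" -j DROP
    # Non-initial fragments (-f) carry no L4 header and are dropped outright.
    # Caveat: this also drops legitimate fragmented traffic (large DNS
    # answers, IPsec); exempt such hosts with an earlier ACCEPT if needed.
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -f -j DROP
}

# syn_proxy: the netfilter SYNPROXY target. The kernel answers each SYN with a
# SYN cookie and creates a conntrack entry only after the client's ACK proves
# the handshake is genuine, so a SYN flood never fills the state table.
syn_proxy() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_timestamps=1
    run sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    # Do not track the bare SYN; SYNPROXY handles it statelessly.
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --syn \
        --dport "$SVC_PORT" -j CT --notrack
    # Untracked SYNs and the resulting INVALID ACKs go to SYNPROXY, which
    # opens the connection to the real server only after a valid cookie ACK.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SVC_PORT" \
        -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    # Anything still INVALID on that port failed the proxy check.
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$SVC_PORT" \
        -m conntrack --ctstate INVALID -j DROP
}

# aggressive_aging: shorten conntrack timeouts so half-open and idle entries
# expire quickly and the table "does not max out". The values are
# illustrative starting points; tune them against your own traffic.
aggressive_aging() {
    run sysctl -w net.netfilter.nf_conntrack_max=1000000
    run sysctl -w net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30
    run sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=600
    run sysctl -w net.netfilter.nf_conntrack_udp_timeout=10
}

# render_rules: the whole mitigation in order. With APPLY unset it prints the
# rule set for review, which is the natural place to fold in what your
# monitoring shows as new drop ACLs.
render_rules() {
    drop_acls
    syn_proxy
    aggressive_aging
}

render_rules
```

Review the printed rule set first, then rerun with APPLY=1 on the host; the raw-table rules run before conntrack, which is what keeps the state table from growing under a flood, and the fragment drop is the one rule to reconsider if you carry legitimate fragmented traffic.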

