[j-nsp] Cisco vs Juniper confused

Payam Chychi pchychi at gmail.com
Thu Apr 14 19:46:02 EDT 2016


Hi,

Yep, the larger will of course have more RAM/CPU, but it all depends on how many routes you're getting and will have...

I've set up using 210, 240, 1400, and the large ISP-size 5xxx series. Check out juniper.net

Mike, I agree, it's all a balancing act. And I agree, stateless filtering at the edge; if you can do PBR and separate traffic, do inspection on what you need and load balance applicable traffic ... Divide and conquer :)


On Apr 14, 2016, 4:35 PM -0700, Satish Patel <satish.txt at gmail.com>, wrote:
> Does Juniper SRX support BGP? Which model should I buy, and is there
> additional cost after buying hardware, like enabling features, etc.?
> 
> Cisco always does that: buying hardware is cheaper, but after that
> enabling services costs 3x as much.
> 
> On Thu, Apr 14, 2016 at 7:02 PM, Payam Chychi <pchychi at gmail.com> wrote:
> > Having created DDoS mitigation solutions and specialized networks, it's not
> > that simple, as certain companies can't simply offload data and provide,
> > say, their SSL key to a DDoS mitigation provider (the simplest port HTTP/HTTPS proxy
> > solution)... and most companies won't have the proper equipment to perform
> > IPsec or GRE + BGP offloading, nor will they have the funds to pay +10k-15k
> > MRC.
> > 
> > So... if you already have a 10gig pipe and the 'current' bottleneck is your
> > ASA 5500 'state', then fix that the best you can while assessing what your
> > longer term goals are.
> > 
> > Try putting in drop ACLs above to deny what you don't need. Enable TCP SYN
> > proxy if you can and set up an aggressive age timeout so the table does not max
> > out. Install proper monitoring to identify attacks and use the information
> > for better drop ACLs. A decent Linux server with the latest iptables, which now
> > fully supports a new SYN proxy, can handle almost 2 million req/second without
> > impact to other traffic.
> > 
> > Cisco ASAs (any of them) were never meant to be DDoS mitigation appliances.
> > Replacing the ASA with a Juniper SRX will help greatly.
> > Put a proper DDoS appliance in front to filter bad traffic, then use your
> > ASA for your IPS/IDS/security, which will be fine at lower levels.
> > 
> > 
> > Thanks,
> > Payam
> > 
> > 
> > 
> > On 2016-04-14, 3:45 PM, Michael Gehrmann wrote:
> > > 
> > > +1 for Dave's comment. You can only survive until your upstream is
> > > congested.
> > > 
> > > Mike
> > > 
> > > On 15 April 2016 at 08:05, Dave Bell <me at geordish.org> wrote:
> > > 
> > > In my opinion trying to scrub DDoS traffic yourself is a losing
> > > battle. It's likely that an attacker can easily fill the ingress points onto your
> > > network. If this is the case, then legitimate traffic will be dropped
> > > before it even hits you. The damage is already done. The only way around
> > > this is bigger links, which can be costly, and you're not even guaranteed to
> > > have links big enough to cope with an attack.
> > > 
> > > You're better off looking at your upstreams to assist you with this. They
> > > likely have some form of traffic scrubbing solution that you can employ
> > > when under attack. It's likely a lot easier for you to administrate too.
> > > 
> > > Regards,
> > > Dave
> > > 
> > > On 14 April 2016 at 22:57, Payam Chychi <pchychi at gmail.com> wrote:
> > > 
> > > > What gear do you currently have? What do your filtering rules look like?
> > > > You don't need to buy new gear if you're filtering much of the bad traffic at
> > > > the edge using simple ACLs.
> > > > 
> > > > 
> > > > 
> > > > On Apr 14, 2016, 2:39 PM -0700, Dovid Bender <dovid at telecurve.com>, wrote:
> > > > > Why not use an external service to scrub your traffic?
> > > > > 
> > > > > Regards,
> > > > > 
> > > > > Dovid
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Satish Patel <satish.txt at gmail.com>
> > > > > Sender: "juniper-nsp" <juniper-nsp-bounces at puck.nether.net>
> > > > > Date: Thu, 14 Apr 2016 17:35:17
> > > > > To: <juniper-nsp at puck.nether.net>
> > > > > Subject: [j-nsp] Cisco vs Juniper confused
> > > > > 
> > > > > This is my first post here. We are a small-size company and now we
> > > > > are getting harassed by DDoS stuff. We have a 10G link in our network
> > > > > terminated on an L3 Cisco switch, and from there other switches.
> > > > > Everything was working great, but recently we started seeing DDoS more
> > > > > and more. They are filling the 10G link using NTP, IP frag, etc. attacks.
> > > > > 
> > > > > Now we are looking for big gear so we keep the bad guys out and scrub
> > > > > traffic, but I'm confused between the Juniper vs. Cisco war.. I am not able to
> > > > > decide what to buy and how it will help us. I have the following in my
> > > > > mind. We thought about an ASR firewall too, but not sure whether it can
> > > > > handle DDoS or not.
> > > > > 
> > > > > Need your suggestion on what I should buy and why. One more thing: we are
> > > > > planning to run BGP so we can do null triggering etc.
> > > > > 
> > > > > MX80 vs ASR100X - Is this enough to handle DDoS and filter traffic?
> > > > > 
> > > > > MX240 vs ASR900X
> > > > > _______________________________________________
> > > > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > > > https://puck.nether.net/mailman/listinfo/juniper-nsp
> > > 
> > > --
> > > Michael Gehrmann
> > > Senior Network Engineer - Atlassian
> > > m: +61 407 570 658
> > 
> > 
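As an added example, not code from anyone in this thread, the Python script below shows the loop Payam describes ("install proper monitoring to identify attacks and use the information for better drop ACLs") on the two attack types Satish mentions, NTP reflection and IP fragment floods. It takes constructed flow-summary records of the kind a NetFlow/sFlow collector exports, finds which traffic classes dominate the inbound bytes per destination, and renders candidate Junos firewall filter terms. The thresholds, the `NTP-POLICER` policer name and the term names are assumptions; `is-fragment` in Junos matches trailing fragments (non-zero fragment offset), and UDP/123-sourced traffic is policed rather than discarded so ordinary NTP replies to the attacked host still get through.

```python
"""Turn flow-summary data into candidate edge-filter terms.

Added example, not code from the mailing-list thread. Input records are
constructed in the shape a NetFlow/sFlow collector would export; names and
thresholds are assumptions to be tuned to the link's normal traffic profile.
"""
from collections import defaultdict

# Constructed sample flows: (src, dst, proto, sport, dport, bytes, is_fragment).
# Trailing fragments carry no L4 header, so their ports are recorded as 0.
SAMPLE_FLOWS = [
    ("198.51.100.7",  "203.0.113.10", "udp", 123, 51234, 4_800_000, False),  # NTP reflection
    ("198.51.100.9",  "203.0.113.10", "udp", 123, 51235, 5_100_000, False),  # NTP reflection
    ("198.51.100.22", "203.0.113.10", "udp", 0,   0,     3_900_000, True),   # fragment flood
    ("192.0.2.5",     "203.0.113.20", "tcp", 443, 40000, 120_000,   False),  # ordinary HTTPS
    ("192.0.2.8",     "203.0.113.20", "udp", 123, 123,   90,        False),  # legitimate NTP reply
    ("192.0.2.9",     "203.0.113.30", "tcp", 80,  40001, 85_000,    False),  # ordinary HTTP
]


def classify(flow):
    """Map one flow record to the traffic class used for aggregation."""
    _src, _dst, proto, sport, dport, _nbytes, is_frag = flow
    if is_frag:
        return "ip-fragment"
    if proto == "udp" and sport == 123:
        return "udp-sport-123"          # NTP-sourced: the reflection signature
    return f"{proto}-dport-{dport}"


def summarize(flows):
    """Aggregate bytes per (destination, class); return rows sorted by bytes,
    each as (dst, class, bytes, share of that destination's total)."""
    per_dst = defaultdict(int)
    per_class = defaultdict(int)
    for flow in flows:
        dst, nbytes = flow[1], flow[5]
        per_dst[dst] += nbytes
        per_class[(dst, classify(flow))] += nbytes
    rows = [(dst, cls, b, b / per_dst[dst]) for (dst, cls), b in per_class.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def find_anomalies(flows, min_bytes=1_000_000, min_share=0.25):
    """Return (dst, class) pairs that both exceed an absolute byte floor and
    dominate that destination's inbound bytes (both thresholds assumed)."""
    return [(dst, cls) for dst, cls, b, share in summarize(flows)
            if b >= min_bytes and share >= min_share]


def junos_terms(anomalies, policer="NTP-POLICER"):
    """Render Junos firewall filter terms for the detected classes.
    Fragments toward an attacked host are discarded; UDP/123-sourced traffic
    is sent through a policer (assumed to be defined elsewhere) rather than
    dropped, so legitimate NTP replies to that host still get through."""
    terms = []
    for dst, cls in anomalies:
        tag = dst.replace(".", "-")
        if cls == "ip-fragment":
            terms.append(
                f"term DROP-FRAG-{tag} {{\n"
                f"    from {{\n"
                f"        destination-address {{ {dst}/32; }}\n"
                f"        is-fragment;\n"          # trailing fragments only
                f"    }}\n"
                f"    then {{ count frag-drop-{tag}; discard; }}\n"
                f"}}")
        elif cls == "udp-sport-123":
            terms.append(
                f"term POLICE-NTP-{tag} {{\n"
                f"    from {{\n"
                f"        destination-address {{ {dst}/32; }}\n"
                f"        protocol udp;\n"
                f"        source-port 123;\n"
                f"    }}\n"
                f"    then {{ policer {policer}; count ntp-police-{tag}; }}\n"
                f"}}")
    return terms


if __name__ == "__main__":
    for dst, cls, nbytes, share in summarize(SAMPLE_FLOWS):
        print(f"{dst:16} {cls:16} {nbytes:>10} bytes  {share:5.1%}")
    print()
    print("\n".join(junos_terms(find_anomalies(SAMPLE_FLOWS))))
```

On the constructed sample the script flags only 203.0.113.10 (NTP-sourced and fragment traffic each clear the byte floor and the share threshold), while the tiny legitimate NTP reply to 203.0.113.20 is left alone. The generated terms are scoped to the attacked /32 on purpose: the point of feeding monitoring back into the ACLs is to drop or police exactly what is being abused, not to blanket-filter UDP/123 or fragments for the whole network.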