[j-nsp] Anyone tried ThreatStop on Juniper integration?

Phil Shafer phil at juniper.net
Fri Jan 15 15:51:02 EST 2016


Frank Sweetser writes:
>(For the curious, they integrate by installing some shell scripts on the 
>underlying FreeBSD level.  The scripts pull down customer specific lists of IP 
>addresses, and dynamically create slax scripts to update a set of prefix lists 
>in the local config to match.)

Very cool!  I've never heard of them, but seems like a great service.
I do see a kb article warning about performance issues:

  https://kb.juniper.net/InfoCenter/index?page=content&id=KB25813&actp=search

But most of these issues can be mitigated.  For example, they change
config using "cat command-file | cli" which churns the change bits
in the database even when nothing changes; using "load update" will
solve that.  In addition, between JUNOS-12.1 and 15.1 we've done a
lot with commit performance which will help.

Another fix would be the use of the ephemeral database, which keeps
transient data away from human config, and allows us to avoid saving
it in juniper.conf (and the expense of writing it on every commit).

I've sent ThreatStop an offer to help with the incorporation of
these suggestions.  But if the bad-guys.list is available via http,
then we can make an event script that downloads it and "load updates"
it into the ephemeral database fairly easily.

Thanks,
 Phil
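
The pipeline Phil sketches above (fetch a bad-guys list over HTTP, turn it into a prefix-list, load it so that unchanged entries do not churn the config database) has a step worth seeing in code: the list is untrusted input that ends up in router configuration, so every entry should be validated as an address or prefix before anything is handed to the CLI. The following is an added example, not ThreatStop's scripts or Juniper's code. It assumes a plain-text list with one IPv4/IPv6 address or CIDR prefix per line and "#" comments, uses a constructed sample list instead of a real download, and emits the prefix-list stanza in Junos syntax plus a change set so the caller can skip the load/commit entirely when nothing differs. The prefix-list name "threatstop-block" and the Junos-side load and ephemeral-instance commands are left to the operator, as in Phil's post.

```python
"""Turn a downloaded IP blocklist into a Junos prefix-list stanza.

Added example (not ThreatStop's scripts nor Juniper code). Assumptions:
one IPv4/IPv6 address or CIDR prefix per line, '#' starts a comment.
Anything that does not parse as an address or prefix is rejected rather
than passed to the CLI, which keeps junk and injection attempts out of
the configuration.
"""
import ipaddress

# Constructed sample of what a fetched bad-guys list might look like.
SAMPLE_LIST = """\
# block list (constructed sample, not real ThreatStop data)
192.0.2.1
198.51.100.0/24
2001:db8::/32
192.0.2.1                   # duplicate, collapsed by the parser
not-an-address              # junk: rejected, never reaches the CLI
10.0.0.1; delete system     # injection attempt: rejected by ip_network()
"""


def _sort_key(net):
    # IPv4 before IPv6, then numeric order; ip_network objects of
    # different versions are not directly comparable.
    return (net.version, int(net.network_address), net.prefixlen)


def parse_blocklist(text):
    """Return (sorted list of ip_network objects, list of rejected raw lines)."""
    nets, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a bare host address become a /32 or /128.
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw)
    return sorted(nets, key=_sort_key), rejected


def render_prefix_list(name, nets):
    """Junos configuration text for a single policy-options prefix-list."""
    lines = ["policy-options {", f"    prefix-list {name} {{"]
    for net in nets:
        lines.append(f"        {net.with_prefixlen};")
    lines.append("    }")
    lines.append("}")
    return "\n".join(lines) + "\n"


def changes(current, wanted):
    """(added, removed) between the prefix-list now on the box and the new list.

    Both empty means there is nothing to load or commit, which is the
    point of avoiding 'cat command-file | cli' on every run.
    """
    cur, new = set(current), set(wanted)
    return sorted(new - cur, key=_sort_key), sorted(cur - new, key=_sort_key)


if __name__ == "__main__":
    nets, rejected = parse_blocklist(SAMPLE_LIST)
    for line in rejected:
        print("rejected:", line)
    added, removed = changes([], nets)  # pretend the box has an empty list
    if added or removed:
        print(render_prefix_list("threatstop-block", nets), end="")
    else:
        print("no change; skipping load")
```

In a real deployment the rejected lines are worth logging and alerting on: a list that suddenly contains unparsable entries is either a broken feed or someone trying to smuggle text into the configuration.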

