[j-nsp] Anyone tried ThreatStop on Juniper integration?

Frank Sweetser fs at WPI.EDU
Fri Jan 15 16:43:47 EST 2016


On 01/15/2016 03:51 PM, Phil Shafer wrote:
> Frank Sweetser writes:
>> (For the curious, they integrate by installing some shell scripts on the
>> underlying FreeBSD level.  The scripts pull down customer specific lists of IP
>> addresses, and dynamically create slax scripts to update a set of prefix lists
>> in the local config to match.)
>
> Very cool!  I've never heard of them, but seems like a great service.
> I do see a kb article warning about performance issues:
>
>    https://kb.juniper.net/InfoCenter/index?page=content&id=KB25813&actp=search

I ran into that KB as well, and the issues documented there are part of why 
I'm looking to do more research before we turn their shell scripts loose on 
our precious routers.  I realize that most of the problems there are centered 
around lower end SRX devices, but it's still pretty clear that their 
methodology is stressing the config in ways that are... well, let's just say 
"atypical".

> But most of these issues can be mitigated.  For example, they change
> config using "cat command-file | cli" which churns the change bits
> in the database even when nothing changes; using "load update" will
> solve that.  In addition, between JUNOS-12.1 and 15.1 we've done a
> lot with commit performance which will help.
>
> Another fix would be the use of the ephemeral database, which keeps
> transient data away from human config, and allows us to avoid saving
> it in juniper.conf (and the expense of writing it on every commit).
>
> I've sent ThreatStop an offer to help with the incorporation of
> these suggestions.  But if the bad-guys.list is available via http,
> then we can make an event script that downloads it and "load updates"
> it into the ephemeral database fairly easily.

Awesome!  I'll reach out to the sales reps we've been talking with and let 
them know that we *strongly* encourage them to take you up on your offer.

Thanks very much!


Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
Manager of Network Operations | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken
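
An added example (not code from this thread, ThreatStop, or Juniper): a Python sketch of the feed-to-prefix-list step discussed above. It treats the downloaded list as untrusted input and renders it deterministically, so an unchanged feed yields byte-identical text for "load update". The prefix-list name `bad-guys`, the minimum prefix lengths, the entry cap and the digest check are assumptions made for illustration.

```python
import hashlib
import ipaddress

MIN_PREFIXLEN = {4: 8, 6: 16}   # assumed policy: refuse anything broader
MAX_ENTRIES = 50000             # assumed sanity cap on feed size

def parse_feed(text):
    """Return (sorted unique networks, rejected raw lines) from a feed."""
    nets, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # Anything that is not a bare address or prefix never reaches the config.
            net = ipaddress.ip_network(line, strict=False)
            if net.prefixlen < MIN_PREFIXLEN[net.version]:
                raise ValueError("prefix too broad")
        except ValueError:
            rejected.append(raw)
            continue
        nets.add(net)
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return sorted(nets, key=key), rejected

def render_prefix_list(name, nets):
    """Render a Junos policy-options stanza; same input gives same text."""
    if not nets or len(nets) > MAX_ENTRIES:
        # A truncated or oversized download must not replace the working list.
        raise ValueError("feed empty or over MAX_ENTRIES: keep previous list")
    body = "".join(f"        {n};\n" for n in nets)
    return f"policy-options {{\n    prefix-list {name} {{\n{body}    }}\n}}\n"

def needs_load(config_text, last_digest):
    """Return (changed, digest) so the caller can skip a no-op load."""
    digest = hashlib.sha256(config_text.encode()).hexdigest()
    return digest != last_digest, digest

# Constructed sample feed (documentation address ranges, not real indicators).
SAMPLE_FEED = """\
# constructed sample
203.0.113.7
198.51.100.0/24
203.0.113.7
0.0.0.0/0
192.0.2.1; } system { root-authentication
2001:db8::/32
"""

if __name__ == "__main__":
    print(render_prefix_list("bad-guys", parse_feed(SAMPLE_FEED)[0]))
```

The rejected lines returned by `parse_feed` are worth logging: a feed that suddenly contains non-address text or a default route is a sign of a broken or tampered download.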

