Firewall - Looking At Juniper
Oct 5, 2009
I need to protect about 80 servers from certain attacks that some of them are being victims of. Altogether, these servers use about 200Mbps, almost all of them being webservers. The last time, one of them was the victim of a DDoS attack which caused packet loss for all the rest (because this attack was consuming all the bandwidth we had available).
I was looking at Juniper solutions; however, I get a bit confused with all the products they have to offer. First, I was looking at the IDP series, but they seem a bit pricey and I believe I don't need all those IDP functions those devices are capable of. NetScreen is also too expensive for me. I'm looking at a budget of approximately $10,000.
I found the SRX series, and after taking a look at the SRX240 and SRX650 specs [url], those firewall numbers seem very nice and perfect for my problem. Would this be a wise choice? This device would also act as the main router for our racks. Please let me know if there are other recommendations that fit the specified budget (10K).
View 14 Replies
May 9, 2008
Can anyone give any real-world numbers as to what each model of the Juniper J-series router is capable of? How much do these routers cost, and where is the best place to get them from?
View 14 Replies
Apr 17, 2008
Does anyone have any experience running Juniper SSG-550 firewalls in a high-traffic hosting environment?
I run network operations for a hosting provider in Australia. We currently have two J4350s running as border routers, and we are looking at putting two Juniper SSG-550s behind the border routers to do stateful firewalling / NAT.
We'll be using active/active NSRP on the SSGs for load balancing and failover.
My concern is that these devices may not be able to handle our traffic load. They have a hard-set limit of 256,000 "concurrent sessions", which may not be enough for us at peak times. Almost all of our traffic is HTTP though, so I would imagine sessions would time out quite quickly?
View 5 Replies
Dec 26, 2007
In one of our racks, we now just have two Procurve (J4900B) switches, and run software firewalls on our CentOS servers. We are now looking towards a hardware firewall to ease management and reduce load on our servers.
One of our suppliers recommends the SSG140 from Juniper, and it seems to cover our needs. The SSG320 however seems to have more features, like layer 3 routing. Could this device replace our Procurve switches and act as a firewall/switch?
Is anyone familiar with these devices and has some input on what to choose? How do the anti-DDoS and brute-force attack functions work out; do they hold up? Has anyone tested the Deep Inspection Signature module? Is it worth having for an ISP/webhost?
View 6 Replies
Nov 10, 2007
Any experience and feedback on Juniper J-series routers?
View 4 Replies
Oct 11, 2009
I've been reading and searching on here as much as I can to try to help me in making a decision, unfortunately when I think I know what to do, I read something else and get confused again.
We are in the process of moving networks within our datacenter and will have 2 drops coming into our half-cabinet. We have about 7 servers in there, some for our own use and some for clients. In all cases, we manage the servers and are the only ones with root access (no need for VLANs for the purpose of protecting IPs etc).
We currently have a single drop and use an HP procurve 2524 layer2 switch that has been in there for over 6 years and never had a single hiccup. We also don't push much traffic at all though. Under 5mbps combined.
My question though is this: moving to the new network we will have 2 drops that are set up as HSRP on their end (upstream of me, I don't have to worry about having two switches). In order to use the dual feeds, we will need a Layer3 switch. One feed will be active, the other is not, both are connected to the switch via a VLAN and provide a gateway for VLAN2 to use. I have never used a layer3 switch, though I'm not *too* concerned since I don't expect we'll be doing anything too complex. My understanding is that one VLAN (VLAN1) will be set up with an IP address assigned to each drop and that VLAN1 will create a gateway for VLAN2. The second VLAN (VLAN2) will be all our "inside" client IPs that will then route through VLAN1.
I was briefly checking out the cisco 3750, but I think it's overkill...? I don't want to spend too much money, since I don't think we need any complex setups, at the same time, I don't want to waste money by buying something that won't work efficiently down the road.
My immediate short-list is now an HP procurve 2610, an HP procurve 3500 J9470A (not the YL), and a Cisco 3560 24-TS.
Of course, then someone mentioned Juniper (whom I have zero experience with either) and hence the title to my thread... I'm thoroughly confused. I was looking at the EX3200-24T.
Ok, so if I have to boil this down to some simple requirements/thoughts... here goes:
1. I only need 24 ports for now.
2. I use SNMP currently to monitor usage for clients (and overall)
3. I like HPs and have used them for layer2, I like their lifetime warranty and software availability
4. I don't have direct experience with Cisco at all.
5. Aside from routing from one VLAN (provider side) to another VLAN (my side), I don't think I need any other special features (hence the hp 2610 being ok I think, since it offers "lite layer3")
6. Some people say HP is great for layer 2 but not for layer 3? Now I don't know what to think.
7. Currently use about 2mbps and might jump to 3 or 4mbps, but don't have major needs. I'd like for this switch to be able to last me a while though... so maybe 20~40mbps+? (but still not the hundreds of mbps that others here push)
8. If possible, I'd LIKE to limit some servers to 1mbps or 2mbps on a per-port basis... but this is not a hard requirement. (I think this takes the 2610 out).
Budget: I like the $500 price tag of the 2610, but can spend the $1500~$2000 for the HP 3500, Cisco 3560, or Juniper. I would just rather not, if the price/features are not justifiable.
Hopefully I've provided enough information for someone to offer their insight? I think a few strategic key points or questions from someone with more experience might be what I need to help me bust through the "too many choices" fog and end up with the best switch for my situation...
View 14 Replies
Nov 10, 2007
I am tired of not finding good documentation on how to configure the Netscreen-25 firewall.
This is the current setup;
Ethernet Drop -> Netscreen (connected via straight RJ-45)
NetScreen -> Switch (Connected via cross-over cable)
This is what I want to be able to do...
I am assigned a 76.36.57.32/27 subnet
Netmask 255.255.255.224
Gateway 76.36.57.33
1) Make Netscreen accessible via IP 76.36.57.34 for remote management.
2) I don't want the Netscreen to assign IPs to my wired devices because I've already set all their IPs and those are the ones I want to use.
Now, I did read the manual [url] and went to Network -> Interfaces -> Ethernet 1 Trust *edit* and in the "IP address" box I typed 76.36.57.34 and netmask "/27".
In the "Manage IP" box, I typed 76.36.57.39/27 according to the manual.
After doing all that, I can't access any of my "wired" devices behind the firewall, and neither can I access the firewall itself with the IP I assigned.
View 6 Replies
Dec 19, 2007
We have this Juniper SSG5 firewall, our very first Juniper, and wanted to use it.
While I am able to use it in NAT mode, I have been unsuccessful in using it in route mode.
We have public IPs from the same segment and I wanted to use them with the firewall, but it appears that I can't assign IPs to each port if the IPs are from the same segment.
Does it mean that we can't use it other than in NAT mode?
What we want to accomplish is to have one of IPs to act as gateway and filter or route in/out traffic to/from our other IPs.
View 0 Replies
May 3, 2009
We are searching for a firewall for our small colocation.
We have chosen the Juniper SSG 520/550 or a Cisco ASA 5520 (eventually the 5540).
We primarily want to filter DDoS attacks on our webservers (bot-network attacking a domain, port 80) and SYN flood attacks (port 80).
Do you have real experience with the Juniper or Cisco devices?
Can we integrate such a device into the following network design:
(where to put the firewall ?)
- Uplink 1gbit datacenter -> our HP Procurve gigabit switch
- HP Procurve switch -> Servers
We are using /30 as eth0 "bridged", and /29 /28 /27 "routed" over eth0.
I would prefer a "live analysis" of our traffic. Is that possible?
View 12 Replies
Oct 23, 2007
I've been looking at these two firewalls for quite some time and I am not sure which one I should go with. Price is not a factor since both are in around the same price range.
The firewall is going to be in between my DROP and LAYER3 Switch.
So...FastE -> Firewall -> Layer3
As you can see, I don't want any fancy VLAN stuff or anything like that since my switch can take care of all that. I just want a firewall which is easy to configure and manage and has DDoS protection built in.
If you have any other hardware based firewalls in the price range of ASA 5505 and Netscreen 5GT then I would want to hear about those as well.
View 14 Replies
Nov 25, 2008
I have an SSG-320M I manage, and would like to know if I can block traffic to our web servers based on the user agent hitting us. I know user agents that keep using more and more IP addresses to crawl us, one already taking up some 30 or 40 addresses under my policies, and it's a pain to identify these by hand and keep updating the firewall every few days to add new IP addresses for them. Is there somewhere I can add part of the user agent I do not want to ever see again? Right now I do this by having a policy at the top saying "BadBotsGroup" is denied. But I want to deny anyone with a user agent "OneUserAgent" or "SecondUserAgent".
It seems so important and simple, but I do not see anything about being able to do this. Thanks for help and pointers. Right now we have special code at the top of our sites that blocks these bots, but I would much rather do it in one location at the firewall.
View 3 Replies
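The SSG-320M question above is about matching an HTTP header on a policy that only sees addresses and ports. A stateful layer 3/4 policy matches on source, destination and service, not on the User-Agent string, so the match has to happen where the request is visible (the web server's access log) and the firewall then only receives addresses. The script below is an added example, not code from the thread or from Juniper: it does the by-hand step the poster describes, collecting every client IP a banned user agent has used and rendering them as address objects for the "BadBotsGroup" group. The log lines and user-agent strings are constructed for the demo, and the ScreenOS-style set address / set group address syntax in the last function is an assumption to be checked against the CLI reference for your release.

```python
"""
Build a firewall address list from web-server logs by user agent. Added
example; the log lines, user-agent strings and group name are constructed.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Substrings of user agents to ban; constructed stand-ins for the post's
# "OneUserAgent" / "SecondUserAgent".
BAD_UA_PATTERNS = ("OneUserAgent", "SecondUserAgent")

# Constructed sample log (documentation IP ranges, one deliberately bad line).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; OneUserAgent/1.2)"
203.0.113.11 - - [25/Nov/2008:10:00:02 +0000] "GET /a HTTP/1.1" 200 512 "-" "oneuseragent/1.2"
198.51.100.7 - - [25/Nov/2008:10:00:03 +0000] "GET /b HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.0"
203.0.113.10 - - [25/Nov/2008:10:00:04 +0000] "GET /c HTTP/1.1" 404 0 "-" "OneUserAgent/1.2"
192.0.2.99 - - [25/Nov/2008:10:00:05 +0000] "GET /d HTTP/1.1" 200 512 "-" "SecondUserAgent (+http://example.invalid/bot)"
garbage line that does not parse
"""


def parse_line(line):
    """Return (client_ip, user_agent) for a combined-format line, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ua")


def bad_sources(log_text, patterns=BAD_UA_PATTERNS):
    """Map each matched pattern -> sorted list of distinct client IPs.
    Matching is a case-insensitive substring test, so 'oneuseragent/1.2' counts."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate malformed lines rather than abort the run
        ip, ua = parsed
        ua_l = ua.lower()
        for pat in patterns:
            if pat.lower() in ua_l:
                hits[pat].add(ip)
    return {pat: sorted(ips) for pat, ips in hits.items()}


def screenos_commands(sources, zone="Untrust", group="BadBotsGroup"):
    """Render one address object per IP plus its group membership.
    ASSUMPTION: ScreenOS-style syntax written for illustration; verify it
    against the CLI reference for your release before pasting it in."""
    cmds = []
    for pat, ips in sorted(sources.items()):
        for ip in ips:
            name = f"bot-{pat}-{ip}"
            cmds.append(f'set address {zone} "{name}" {ip} 255.255.255.255')
            cmds.append(f'set group address {zone} "{group}" add "{name}"')
    return cmds


if __name__ == "__main__":
    found = bad_sources(SAMPLE_LOG)
    for pat, ips in found.items():
        print(f"{pat}: {len(ips)} address(es)")
    print("\n".join(screenos_commands(found)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the generated address objects are named after the pattern and IP so that stale entries can be pruned later by name. Because the match is a substring test, keep the patterns specific enough not to catch ordinary browsers.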
Aug 23, 2009
Looking to upgrade to a new switch and have the following in mind. Budget is around 1-2k. We're pushing 500mbps upstream so I want to make sure that the unit can handle that well. Lots of full-speed traffic between servers too.
No fancy features required, and the only need is port trunking, which all of these have.
I look at the specs for latency and pps, but I'm not sure if you can trust these figures.
Does anyone have experience with the following?
HP Procurve 2910al-24: $1430, latency <2.9us, 131 Mpps, 176 Gbps. Bonus: 10Gb capability with expansion module.
Extreme Networks Summit x350: $1300, latency < ?, 65 Mpps, 88 Gbps. Bonus: 10Gb capability with expansion module.
Juniper EX3200-24T: $1800, latency < ?, 65 Mpps, 88 Gbps. Bonus: 10Gb capability with expansion module; 8 ports are PoE.
Netgear GS724AT: $350, latency <3us, ??? Mpps, 48 Gbps.
View 9 Replies
Nov 5, 2007
to build a new 10GE network and have received offers from Juniper and Cisco distributors.
Juniper seems to be a bit more expensive. It was our first choice at the beginning until we saw many big ISPs using the Cisco 6509 with SUP720-3BXL for routing.
Is there anyone with experience on both products? How about support for both of these?
View 14 Replies
Dec 17, 2008
Do you recommend a software firewall when behind a hardware firewall?
All of our servers are behind Cisco ASA 5505 firewalls which we rent from Liquidweb. All are being managed correctly and set up to their optimal levels. With hardware firewalls firmly in place, do you still recommend a software firewall such as APF or iptables (we're talking Linux)? In our opinion we see it as extra administration overhead. If this is however untrue, we will change our thinking.
View 3 Replies
Jun 13, 2008
I've found a dedicated server at a great price and plan to stick with it, my first (I already have 2 VPS accounts). I don't have the money for a hardware firewall. However, I do have a chance to renew a Kerio WinRoute Firewall license from way back.
Does anyone think this would be better than the default windows 2003 firewall?
View 1 Replies
Sep 30, 2006
After installing the APF firewall, the whole server is blocked to everyone. I can't get a ping back either. Any idea?
View 2 Replies
Oct 24, 2009
I'm planning to place some firewalls in my network, but I'm afraid of something.
I have never used Cisco PIX, Checkpoint and others. We currently use custom-made Linux solutions for that.
When we use these ready-to-go boxes, do we need to NAT the internal server IPs?
Is it possible to use these ready-to-go solutions with REAL IPs in the servers?
Does cPanel work well with NATed internal IPs? Or shall I have some trouble?
Do you think it's safer to go with NATed, or would it be better to use real IPs instead?
View 4 Replies
Apr 8, 2009
I was wondering what everyone thinks the best Firewall software is for a dedicated server?
View 7 Replies
Jun 3, 2009
I'm using the latest cPanel release, using Pure-FTPd as the FTP server. I have CSF Firewall installed and configured and have also got [url] installed. In the DoS Deflate software I've set the ban limit to 250 connections.
But my problem is that while downloading with FTP clients on connections that can download very fast, it will ban them. I've kind of realised that it is to do with the DDoS software, but I'm unsure what I should do. Increase the limit of connections? But that would mean that more minor DDoS attacks might get through, so that would affect more clients. Or leave the limit at 250 and let clients get blocked for 20 minutes?
Or alternatively, is there a way I can stop people getting banned via FTP completely? As I don't see that option in the DDoS software or CSF.
View 8 Replies
Jan 14, 2009
I'm running the remote desktop service and configuring a remote dedicated server right now.
So, I need to install a firewall on this machine, but I don't want to be disconnected after the installation.
So, can anyone tell me of a firewall that doesn't drop the RDP connection just after installation and works with Windows 2003 Server?
View 4 Replies
May 9, 2008
secure a LAN network with 200 computers, a specific hardware solution (like CISCO PIX or so) might not be available.
Though, I'm considering a Firewall OS based Solution like pfSense, m0n0wall, eBox, Endian Firewall, SmoothWall, etc.
There are so many options and I have no experience with any of these. My requirements are:
Web based configuration
Clean Interface with graphic statistics
Pretty Secure
Good hardware support
Free usage
Simple configuration
Support for high bandwidth usage
I think OpenBSD is pretty secure, is there any OpenBSD Firewall OS solution with this requirements?
View 11 Replies
Mar 23, 2008
What is a better firewall for a VPS?
In my VPS I do not use CSF or iptables.
Virtuozzo has a bug with that.
View 7 Replies
Mar 30, 2008
What do you think of these two firewalls? Which one is better overall?
View 14 Replies
Jul 8, 2008
I am looking to setup a Firewall etc... on a VPS and would like to know what is the better one and easy to use etc...
CSF or APF and BFD ?
View 6 Replies
Feb 6, 2008
know of any hardware firewall (or suggest one) which is under 300 USD and can protect around 5 servers with a total bandwidth capacity of 100 (+/-) Mbps? I am really no security expert.
Of course, it should have web-based management, online documentation (not really needed) and something special to prevent DoS attacks automatically (really fed up with them).
If possible, can you link me directly to an online store that can ship internationally / to Europe?
View 0 Replies
Apr 26, 2008
I was having attacks so I installed the CSF firewall, which did a great job. However, on a few of my sites, specifically proxy ones, every second or third page you visit will be a 403 Forbidden error. After about 20-30 seconds, you can refresh and it goes away. I suspect CSF is causing this, because it just started to happen after I installed it. Is it thinking there are too many connections or too much bandwidth and it's blocking me or other users just using the proxy? Is there a way to make it slightly more tolerant?
View 3 Replies
Mar 2, 2007
I am a non-technical type that is trying to start a web-based business. I am thinking a dedicated server will be the best option for me, but as I looked at the quotes from several different web hosts I noticed that the firewall services that they provide are very expensive: $100 a month - $150 a month.
Are there other firewall options that can be installed on the server that we as administrators can install and use?
View 11 Replies
Jun 10, 2007
I have had a fair few hack attempts from IP numbers that are on the same provider, 'telewest', that I am on - is there any way of getting this taken further other than contacting the ISP?
Jun 9 21:49:04 mark-scorfields-computer ipfw: 12190 Deny TCP 122.24.44.198:2426 82.39.142.27:135 in via en0
Jun 9 21:49:04 mark-scorfields-computer ipfw: 12190 Deny TCP 122.24.44.198:2426 82.39.142.27:135 in via en0
Jun 9 21:49:04 mark-scorfields-computer ipfw: 12190 Deny TCP 122.24.44.198:2426 82.39.142.27:135 in via en0
Jun 9 21:49:08 mark-scorfields-computer ipfw: 12190 Deny TCP 211.75.135.2:2261 82.39.142.27:135 in via en0
Jun 9 21:49:08 mark-scorfields-computer ipfw: 12190 Deny TCP 211.75.135.2:2261 82.39.142.27:135 in via en0
Jun 9 21:49:08 mark-scorfields-computer ipfw: 12190 Deny TCP 211.75.135.2:2261 82.39.142.27:135 in via en0
Jun 9 21:50:16 mark-scorfields-computer ipfw: 35000 Deny UDP 204.16.209.44:51324 82.39.142.27:1026 in via en0
Jun 9 21:50:16 mark-scorfields-computer ipfw: 35000 Deny UDP 204.16.209.44:51324 82.39.142.27:1026 in via en0
Jun 9 21:50:16 mark-scorfields-computer ipfw: 35000 Deny UDP 204.16.209.44:51324 82.39.142.27:1026 in via en0
Jun 9 21:50:16 mark-scorfields-computer ipfw: 35000 Deny UDP 204.16.209.44:51324 82.39.142.27:1027 in via en0
Jun 9 21:50:16 mark-scorfields-computer ipfw: 35000 Deny UDP 204.16.209.44:51324 82.39.142.27:1027 in via en0
Jun 9 21:50:16 mark-scorfields-computer ipfw: 35000 Deny UDP 204.16.209.44:51324 82.39.142.27:1027 in via en0
Jun 9 21:50:36 mark-scorfields-computer ipfw: 12190 Deny TCP 121.34.113.29:27207 82.39.142.27:135 in via en0
Jun 9 21:50:36 mark-scorfields-computer ipfw: 12190 Deny TCP 121.34.113.29:27207 82.39.142.27:135 in via en0
Jun 9 21:50:36 mark-scorfields-computer ipfw: 12190 Deny TCP 121.34.113.29:27207 82.39.142.27:135 in via en0
Jun 9 21:59:38 mark-scorfields-computer ipfw: 12190 Deny TCP 58.221.225.230:4151 82.39.142.27:135 in via en0
Jun 9 21:59:38 mark-scorfields-computer ipfw: 12190 Deny TCP 58.221.225.230:4151 82.39.142.27:135 in via en0
Jun 9 21:59:38 mark-scorfields-computer ipfw: 12190 Deny TCP 58.221.225.230:4151 82.39.142.27:135 in via en0
Jun 9 22:00:38 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36236 82.39.142.27:1027 in via en0
Jun 9 22:00:38 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36236 82.39.142.27:1027 in via en0
Jun 9 22:00:38 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36236 82.39.142.27:1027 in via en0
Jun 9 22:00:38 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36236 82.39.142.27:1026 in via en0
Jun 9 22:00:38 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36236 82.39.142.27:1026 in via en0
Jun 9 22:00:38 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36236 82.39.142.27:1026 in via en0
Jun 9 22:00:39 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36240 82.39.142.27:1026 in via en0
Jun 9 22:00:39 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36240 82.39.142.27:1026 in via en0
Jun 9 22:00:39 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36240 82.39.142.27:1026 in via en0
Jun 9 22:00:39 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36240 82.39.142.27:1027 in via en0
Jun 9 22:00:39 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36240 82.39.142.27:1027 in via en0
Jun 9 22:00:39 mark-scorfields-computer ipfw: 35000 Deny UDP 220.164.140.236:36240 82.39.142.27:1027 in via en0
Jun 9 22:03:45 mark-scorfields-computer ipfw: 12190 Deny TCP 125.195.44.229:2212 82.39.142.27:135 in via en0
Jun 9 22:03:45 mark-scorfields-computer ipfw: 12190 Deny TCP 125.195.44.229:2212 82.39.142.27:135 in via en0
Jun 9 22:03:45 mark-scorfields-computer ipfw: 12190 Deny TCP 125.195.44.229:2212 82.39.142.27:135 in via en0
Jun 9 22:03:48 mark-scorfields-computer ipfw: 12190 Deny TCP 82.39.189.11:4628 82.39.142.27:2967 in via en0
Jun 9 22:03:48 mark-scorfields-computer ipfw: 12190 Deny TCP 82.39.189.11:4628 82.39.142.27:2967 in via en0
Jun 9 22:03:48 mark-scorfields-computer ipfw: 12190 Deny TCP 82.39.189.11:4628 82.39.142.27:2967 in via en0
Jun 9 22:03:51 mark-scorfields-computer ipfw: 12190 Deny TCP 82.39.189.11:4628 82.39.142.27:2967 in via en0
Jun 9 22:03:51 mark-scorfields-computer ipfw: 12190 Deny TCP 82.39.189.11:4628
View 11 Replies
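An added example, not part of the post above: the ipfw deny lines from the post, summarised by source address so the "same provider" question can be answered from the log rather than by eye. The script parses each record, counts hits and distinct destination ports per source, labels the well-known ports that appear (TCP/135 MS-RPC endpoint mapper, UDP/1026 and 1027 Windows Messenger pop-up spam, TCP/2967 Symantec AV agent), and flags sources that share the firewall's own /16 (82.39.0.0/16). Treating a shared /16 as "same ISP" is an assumption of the example, a rough proxy rather than a whois lookup. The sample log is copied from the post with the triplicated lines reduced to one each, except the 22:03:48 and 22:03:51 pair from 82.39.189.11, kept to show a retry; the host name and rule numbers are as logged.

```python
"""
Summarise ipfw "Deny" lines by source address. Added example; the log lines
below are copied from the forum post (duplicates trimmed), everything else
is constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Labels for the destination ports seen in the post; used only in the report.
PORT_NOTES = {
    ("TCP", 135): "MS-RPC endpoint mapper (classic worm/scan target)",
    ("UDP", 1026): "Windows Messenger service pop-up spam",
    ("UDP", 1027): "Windows Messenger service pop-up spam",
    ("TCP", 2967): "Symantec AV management agent (Rtvscan)",
}

SAMPLE_LOG = """\
Jun 9 21:49:04 mark-scorfields-computer ipfw: 12190 Deny TCP 122.24.44.198:2426 82.39.142.27:135 in via en0
Jun 9 21:49:08 mark-scorfields-computer ipfw: 12190 Deny TCP 211.75.135.2:2261 82.39.142.27:135 in via en0
Jun 9 21:50:16 mark-scorfields-computer ipfw: 35000 Deny UDP 204.16.209.44:51324 82.39.142.27:1026 in via en0
Jun 9 21:50:16 mark-scorfields-computer ipfw: 35000 Deny UDP 204.16.209.44:51324 82.39.142.27:1027 in via en0
Jun 9 21:50:36 mark-scorfields-computer ipfw: 12190 Deny TCP 121.34.113.29:27207 82.39.142.27:135 in via en0
Jun 9 22:03:48 mark-scorfields-computer ipfw: 12190 Deny TCP 82.39.189.11:4628 82.39.142.27:2967 in via en0
Jun 9 22:03:51 mark-scorfields-computer ipfw: 12190 Deny TCP 82.39.189.11:4628 82.39.142.27:2967 in via en0
this line is not an ipfw record and is skipped
"""


def parse_ipfw(line):
    """Return a dict of fields for one ipfw log line, or None if it does not match."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text, own_ip, neighbour_prefix=16):
    """Group inbound denies by source: hit count, set of (proto, dport), and
    whether the source sits inside own_ip's /neighbour_prefix (the assumed
    "same provider" test)."""
    own_net = ipaddress.ip_network(f"{own_ip}/{neighbour_prefix}", strict=False)
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "same_provider": False})
    for line in log_text.splitlines():
        rec = parse_ipfw(line)
        if rec is None or rec["action"] != "Deny" or rec["dir"] != "in":
            continue  # unparseable, permitted, or outbound: not of interest here
        entry = per_src[rec["src"]]
        entry["hits"] += 1
        entry["ports"].add((rec["proto"], rec["dport"]))
        entry["same_provider"] = ipaddress.ip_address(rec["src"]) in own_net
    return dict(per_src)


def report(summary):
    """One line per source: same-/16 sources first, then by descending hits."""
    lines = []
    order = sorted(summary.items(),
                   key=lambda kv: (not kv[1]["same_provider"], -kv[1]["hits"], kv[0]))
    for src, e in order:
        ports = sorted(e["ports"], key=lambda p: (p[1], p[0]))
        port_txt = ", ".join(f"{proto}/{port}" for proto, port in ports)
        notes = "; ".join(sorted({PORT_NOTES[p] for p in ports if p in PORT_NOTES}))
        flag = "[same /16 as us] " if e["same_provider"] else ""
        lines.append(f"{flag}{src}: {e['hits']} hit(s) on {port_txt} ({notes})")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG, "82.39.142.27")):
        print(line)
```

On the log as posted, only 82.39.189.11 falls in the same /16 as the firewall; everything else is background scanning of ports that any Internet-facing host sees, which is the kind of detail worth having in hand before contacting the ISP's abuse desk. Swap the prefix length or replace the /16 test with a whois lookup if a tighter definition of "same provider" is needed.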
Feb 10, 2007
Lately one of my servers has been getting SYN floods and DDoS attacks (repeatedly for the last 2 weeks). The attacks are not as bad as they were the last 2 weeks, but my software firewall (iptables and CSF) is not doing the job anymore. It can't handle such large attacks.
I picked up a Netgear firewall, but it has DHCP and LAN, which made it of no use to me. All my servers are on static IPs, so I would be unable to use a LAN.
Is there a firewall available which would allow me to setup something like this (Server 1 is the one getting attacked):
Internet ---> Firewall ---> 48 Port Switch ---> Server 1, Server 2, and so on
or
Internet ---> 48 Port Switch ---> Firewall ---> Server 1
Other servers come off the Switch
I saw the Cisco PIX on eBay, but am not sure of all the features it holds. I basically need a firewall without any LAN capabilities, no routing, just a plain firewall that will protect from DDoS and SYN floods (if possible, also email me the logs). Also needs to push up to 20Mbps (100Mbps would be best though).
I looked into m0n0wall and pfSense, but their software didn't make any sense to me. I tried setting it up on a PIII 700MHz with 768MB RAM but never got the web config to work.
Price is not a huge issue, I just need these attacks to end. any suggestions on software firewalls let me know.
View 14 Replies
Oct 22, 2007
Which is the best firewall for Linux/Unix servers?
View 4 Replies
Mar 7, 2007
I have a client who requires a firewall with VPN support. He will be utilizing around 10mbit of traffic at most. What would be a suggested firewall to go with that would properly handle vpn?
View 10 Replies
View Related