Specs on the ASP: http://www.juniper.net/products/modules/100087.pdf
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hargan
Sent: Monday, June 25, 2007 8:48 AM
To: Jonathan Looney
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Juniper firewall filters/stateful firewalls best practice

Security-wise, I certainly understand the benefit of layering the stateless filters and the stateful firewall. My concern probably comes from working with underpowered, archaic Cisco routers where too many ACLs or concurrent processes bring the router to its knees during a traffic spike. I know this isn't much of a worry with the firewall filters, but I've not found any data on the throughput of the AS2 PIC or ASP.

Now that I actually write that, I feel like an ass. The answer's rather obvious, isn't it?

I'll be configuring my firewalls if anybody needs me...

-SH

Jonathan Looney wrote:
> On 6/25/07, *Shawn Hargan* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>
> Thanks for the reply. I have gone through that whitepaper, though I've not made it entirely through the Security section of the site just yet. It did not explain whether it's best to combine firewall filters with the stateful firewall (or if it doesn't really matter), though.
> -SH
>
>
> Technically, the router doesn't care if you combine regular firewall filters with stateful firewall filters on the AS PIC. You just need to know that regular firewall filters are still stateless and you need to be aware of the state of the packet at the point where you're doing the filtering (i.e. is the packet pre-NAT or post-NAT, etc.) so you can write your filter match conditions correctly.
>
> As far as which approach is better, I don't think anyone can make a firm recommendation for you. There are trade-offs in either approach. The AS PIC has finite processing power and there is a finite amount of bandwidth available between the FPC and the AS PIC. (The numbers are large and these limits likely aren't even a consideration with a small chassis, but there are nonetheless finite limits.) So, filtering obviously bad unwanted traffic before it reaches the AS PIC will preserve some of these finite resources. However, doing two-level filtering presents another set of management problems (two filters need to be considered when making changes, two filters need to be considered during troubleshooting, potentially two sets of traffic logs need to be examined, etc.).
>
> So, you can choose to filter before traffic reaches the AS PIC or you can choose to do all the filtering on the AS PIC; however, only you can make the choice about which is the correct approach in your network.
>
> -Jon

--
Shawn Hargan -- Network Operations Center
FRII
866-FRII-NOC
[EMAIL PROTECTED]
Monitoring FRII's network 24/7/365.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
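The two-level layering Jon describes, written out as a constructed Junos configuration fragment added here (it is not from the thread or from Juniper): a stateless filter on the outside-facing interface discards obvious junk before it reaches the AS PIC, and an interface-style service set then applies the stateful rules. The interface name, the sp-1/0/0 service interface and the 192.0.2.0/24 inside prefix are assumptions.

```junos
/* Stage 1: stateless interface filter; it runs before the service set, so it sees the packet pre-NAT and keeps junk off the AS PIC. */
firewall {
    family inet {
        filter pre-sfw-bogons {
            term drop-private-sources {   /* RFC 1918 sources have no business arriving from outside */
                from {
                    source-address { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }
                }
                then {
                    count bogon-drops;    /* counter to check during troubleshooting */
                    discard;
                }
            }
            term pass-to-sfw {
                then accept;              /* everything else reaches the AS PIC */
            }
        }
    }
}
/* Stage 2: stateful firewall on the AS PIC (sp-1/0/0 is an assumed slot). Only flows opened from
   inside are permitted; replies match by state, any other outside traffic hits the implicit discard. */
services {
    stateful-firewall {
        rule inside-initiated-only {
            match-direction output;
            term permit-inside {
                from { source-address 192.0.2.0/24; }   /* constructed inside prefix */
                then { accept; }
            }
        }
    }
    service-set edge-sfw {
        stateful-firewall-rules inside-initiated-only;
        interface-service { service-interface sp-1/0/0; }
    }
}
/* Outside-facing interface: stateless filter first, then the service set in both directions. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter { input pre-sfw-bogons; }
                service {
                    input { service-set edge-sfw; }
                    output { service-set edge-sfw; }
                }
            }
        }
    }
}
```

Because the interface input filter is evaluated before the service set, its match conditions must be written against pre-NAT addresses if NAT is later added to the same service set; the counter on the discard term gives the second set of drop statistics the thread warns you will need to check.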