Specs on the ASP:

http://www.juniper.net/products/modules/100087.pdf



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hargan
Sent: Monday, June 25, 2007 8:48 AM
To: Jonathan Looney
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Juniper firewall filters/stateful firewalls
bestpractice

Security-wise, I certainly understand the benefit of layering the 
stateless filters and the stateful firewall. My concern probably comes 
from working with underpowered, archaic Cisco routers where too many 
ACLs or concurrent processes brings the router to its knees during a 
traffic spike. I know this isn't much of a worry with the firewall 
filters, but I've not found any data on the throughput of the AS2 PIC or

ASP.

Now that I actually write that, I feel like an ass. The answer's rather 
obvious, isn't it? I'll be configuring my firewalls if anybody needs
me...
-SH


Jonathan Looney wrote:
> On 6/25/07, *Shawn Hargan* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> 
> wrote:
>
>     Thanks for the reply. I have gone through that whitepaper, though
I've
>     not made it entirely through the Security section of the site just
>     yet.
>     It did not explain whether it's best to combine firewall filters
with
>     the stateful firewall (or if it doesn't really matter), though.
>     -SH
>
>
> Technically, the router doesn't care if you combine regular firewall 
> filters with stateful firewall filters on the AS PIC.  You just need 
> to know that regular firewall filters are still stateless and you need

> to be aware of the state of the packet at the point where you're doing

> the filtering ( i.e. is the packet pre-NAT or post-NAT, etc.) so you 
> can write your filter match conditions correctly.
>
> As far as which approach is better, I don't think anyone can make a 
> firm recommendation for you.  There are trade-offs in either 
> approach.  The AS PIC has a finite processing power and there is a 
> finite amount of bandwidth available between the FPC and the AS PIC.  
> (The numbers are large and these limits likely aren't even a 
> consideration with a small chassis, but there are nonetheless finite 
> limits.)  So, filtering obviously bad unwanted traffic before it 
> reaches the AS PIC will preserve some of these finite resources.  
> However, doing two-level filtering presents another set of management 
> problems (two filters need to be considered when making changes, two 
> filters need to be considered during troubleshooting, potentially two 
> sets of traffic logs need to be examined, etc.).
>
> So, you can choose to filter before traffic reaches the AS PIC or you 
> can choose to do all the filtering on the AS PIC; however, only you 
> can make the choice about which is the correct approach in your
network.
>
> -Jon


-- 
Shawn Hargan--Network Operations Center
FRII
866-FRII-NOC    [EMAIL PROTECTED]
Monitoring FRII's network 24/7/365.

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Reply via email to