Thanks!
-SH

Doug Marschke wrote:
> Specs on the ASP:
>
> http://www.juniper.net/products/modules/100087.pdf
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hargan
> Sent: Monday, June 25, 2007 8:48 AM
> To: Jonathan Looney
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Juniper firewall filters/stateful firewalls best practice
>
> Security-wise, I certainly understand the benefit of layering the
> stateless filters and the stateful firewall. My concern probably comes
> from working with underpowered, archaic Cisco routers where too many
> ACLs or concurrent processes bring the router to its knees during a
> traffic spike. I know this isn't much of a worry with the firewall
> filters, but I've not found any data on the throughput of the AS2 PIC or
> ASP.
>
> Now that I actually write that, I feel like an ass. The answer's rather
> obvious, isn't it? I'll be configuring my firewalls if anybody needs
> me...
> -SH
>
> Jonathan Looney wrote:
>
>> On 6/25/07, *Shawn Hargan* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>>
>> Thanks for the reply. I have gone through that whitepaper, though I've
>> not made it entirely through the Security section of the site just yet.
>> It did not explain whether it's best to combine firewall filters with
>> the stateful firewall (or if it doesn't really matter), though.
>> -SH
>>
>> Technically, the router doesn't care if you combine regular firewall
>> filters with stateful firewall filters on the AS PIC. You just need
>> to know that regular firewall filters are still stateless and you need
>> to be aware of the state of the packet at the point where you're doing
>> the filtering (i.e. is the packet pre-NAT or post-NAT, etc.) so you
>> can write your filter match conditions correctly.
>>
>> As far as which approach is better, I don't think anyone can make a
>> firm recommendation for you. There are trade-offs in either
>> approach. The AS PIC has a finite processing power and there is a
>> finite amount of bandwidth available between the FPC and the AS PIC.
>> (The numbers are large and these limits likely aren't even a
>> consideration with a small chassis, but there are nonetheless finite
>> limits.) So, filtering obviously bad unwanted traffic before it
>> reaches the AS PIC will preserve some of these finite resources.
>> However, doing two-level filtering presents another set of management
>> problems (two filters need to be considered when making changes, two
>> filters need to be considered during troubleshooting, potentially two
>> sets of traffic logs need to be examined, etc.).
>>
>> So, you can choose to filter before traffic reaches the AS PIC or you
>> can choose to do all the filtering on the AS PIC; however, only you
>> can make the choice about which is the correct approach in your
>> network.
>> -Jon

--
Shawn Hargan
Network Operations Center
FRII
866-FRII-NOC
[EMAIL PROTECTED]
Monitoring FRII's network 24/7/365.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
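The two-level layout Jon describes (a cheap stateless filter on the interface that discards obviously unwanted traffic before it is sent to the AS PIC, and the stateful firewall on the AS PIC doing the real session tracking) looks roughly like the following Junos configuration. This is an added illustration written for this thread, not configuration from any poster or from Juniper; the interface names (`ge-0/0/0`, `sp-1/0/0`), the filter, rule and service-set names, and all addresses (RFC 5737 documentation ranges) are placeholders you would replace with your own. Junos evaluates the interface's input firewall filter on the Packet Forwarding Engine before the packet is handed to the input service set, which is why the stateless filter sees the packet pre-NAT on an external interface and must match on public addresses.

```junos
interfaces {
    ge-0/0/0 {
        description "PLACEHOLDER: Internet-facing interface";
        unit 0 {
            family inet {
                /* Stateless filter: evaluated on the PFE before the service set,
                   so the AS PIC never spends cycles on these packets. */
                filter {
                    input pre-aspic-drop;
                }
                /* Stateful firewall on the AS PIC for everything the filter accepts. */
                service {
                    input {
                        service-set sfw-edge;
                    }
                    output {
                        service-set sfw-edge;
                    }
                }
                address 198.51.100.2/30;
            }
        }
    }
    /* AS PIC service interface; slot/PIC number is a placeholder. */
    sp-1/0/0 {
        unit 0 {
            family inet;
        }
    }
}
firewall {
    family inet {
        filter pre-aspic-drop {
            /* Packets arriving from the Internet with private or loopback
               source addresses are never legitimate; drop and count them. */
            term martian-sources {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                        127.0.0.0/8;
                    }
                }
                then {
                    count martian-src-drops;
                    discard;
                }
            }
            /* Everything else goes on to the stateful firewall. */
            term everything-else {
                then accept;
            }
        }
    }
}
services {
    stateful-firewall {
        /* Sessions initiated from the inside prefix create flow entries;
           their return traffic is matched by the flow table, not by rules. */
        rule outbound-from-inside {
            match-direction output;
            term inside-hosts {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    accept;
                }
            }
        }
        /* Unsolicited inbound traffic that matches no existing flow is logged and dropped. */
        rule inbound-default-deny {
            match-direction input;
            term deny-unsolicited {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }
    service-set sfw-edge {
        syslog {
            host local {
                services any;
            }
        }
        stateful-firewall-rules outbound-from-inside;
        stateful-firewall-rules inbound-default-deny;
        interface-service {
            service-interface sp-1/0/0;
        }
    }
}
```

The management cost Jon mentions is visible here: a change to what counts as "unwanted" may touch both `pre-aspic-drop` and the stateful rules, and troubleshooting means checking both `show firewall filter pre-aspic-drop` (the counter on the stateless layer) and `show services stateful-firewall flows` (the session table on the AS PIC) before concluding where a packet was dropped.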