Excellent - thanks... I got a spec sheet from Juniper showing IMIX traffic levels with various features enabled which has helped quite a bit... didn't know about how granular you can configure the features which is *really* neat...;)
Related to this, is there any info that compares "basic signature matching" against what their ISG boxes do with an IDP blade installed? I realize the budget changes here but some of our security needs "on the wire" are specific in need... Basically, on the web hosting side we're hoping to use a box that will look for the most common exploits, bad scripts - that kind of stuff.... Cheers, Paul -----Original Message----- From: Stefan Fouant [mailto:sfou...@gmail.com] Sent: Friday, March 06, 2009 9:42 AM To: Paul Stewart; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SSG - Handling Load Paul, Check the datasheets available on the Juniper site for details on the amount of load these boxes can handle. For just raw FW performance the SSG-140 should easily be able to handle the 20-50 Mbps load you intend to throw at it. One of the nice things that I really like about these boxes is that you can selectively enable which traffic you intend to do perform Anti-Virus and Anti-Spam, rather than all traffic, so if you do your policies correctly you can choose to do Anti-Spam only for SMTP traffic, or AV for SMTP attachments, http, and ftp for example. Similarly you can choose to enable the IDS functions (which for an SSG-140 is really just basic signature matching) for only certain types of traffic. If you choose your configuration wisely you should be able to scale the box to meet your needs. If you can spend a little more you might opt for the SSG 320M which would give you the flexibility to upgrade to JUNOS-ES in the future, should you wish to do so. On 3/6/09, Paul Stewart <p...@paulstewart.org> wrote: > Hi folks.. new to the list and looking for some real-world feedback on SSG > boxes and how they handle load. Perhaps this isn't the proper use for the > box or maybe it works just fine. > > > > We're a service provider that has a small server farm. The traffic on this > server farm is 20Mb/s on average with occasional peaks up to 50Mb/s. > > > > Our first requirement is a good firewall. Then on the ports still exposed > we're looking for packet inspection (IDS) with the idea that when certain > levels of signatures are hit then those packets will be dropped. I believe > at this point that an SSG can handle this.. We're considering an SSG-140 at > this point. > > > > Now, turn on anti-spam and anti-virus - since these servers behind it handle > substantial amounts of email traffic I was wondering if the SSG could "zap > the obvious stuff" before it hits these servers (when also perform > anti-virus and anti-spam).. the theory being that the obvious stuff wouldn't > ever make it to the box...? > > > > If I have the design concept correctly, these boxes are really designed more > for small to large office deployments and not data center deployment. But > with the traffic levels mentioned above, has anyone deployed something > similar? > > > > Thanks, > > > > Paul > > > > > > > > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > -- Sent from Gmail for mobile | mobile.google.com Stefan Fouant Stay the patient course. Of little worth is your ire. The network is down. _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp