Hi Mike,

Here is what I have so far, from the testing I had done in the past using the SRX240H: no issues with 800 Mbps and 90K pps... also, no issues with 300 Mbps and 150K pps.
I am not running it in packet mode since I have no need to do so.

I am not doing any IDS/Anti-Virus/IPsec.

As of last year, the 240H was updated with better hardware and more RAM; I really notice the difference.

Hope this helps.
-Payam



On 2015-12-22, 8:14 AM, Stepan Kucherenko wrote:
Can anyone share real world SRX performance? I am looking at the SRX220
or SRX240 for a small website ~150-200Mbps in a co-location environment.
The performance charts state the SRX220 can do 300Mbps with a mix of
traffic and up to 900Mbps with mostly large packet sizes.

SRX240 can give required bandwidth but it has no redundant power. Anyway, I don't think it's a good idea, see below.

> If you go down the path of an SRX240 I’d suggest using the
> screen features and tuning it for your needs. It can really
> save the device from dealing with junk / attack traffic at
> higher levels. Can’t help you with a 100Gbps DDoS but can
> help deal with SYN floods and other junk.

Um. No. It'll die under a SYN flood even faster than a server would. I've tested its screen options against SYN floods and it's pathetic, especially compared to what a Linux box with synproxy can do. Not surprising, the SRX CPU is very slow compared to Xeons and it can't offload everything.

That "other junk" will probably kill it as well.

Even 550/650 or "datacenter" models are not robust enough because state exhaustion attacks are easy and cheap. The magic "screen" is far from a panacea. Any stateful firewall in a datacenter is just a fragile SPOF that will eventually keel over, taking your whole setup with it.

With that said, the SRX is a very nice box when it's used correctly. I have lots of them in branch offices and some in a datacenter, but I wouldn't put it in front of servers expecting it to hold its ground under attack. And I'm not bashing SRXes specifically, I'm talking about any stateful firewall from any vendor; they all suck.


Don't use stateful firewalls in front of servers. Ever. Grab an L3 switch and do stateless filtering at ingress and filter everything else on the servers.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
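As an added example, not from the thread or any of its posters, here is the kind of Linux synproxy setup the reply above compares the SRX screens against: an nftables ruleset that has the kernel answer SYNs for a web server with its own SYN cookies, so a spoofed SYN flood never creates conntrack entries or backlog sockets on the server. The interface name, the ports, and the file name are assumptions.

```nft
# Added example (not from the thread): nftables SYN proxy for a web server.
# Assumed: public interface eth0, service on TCP 80/443, a kernel and nft
# with synproxy support. Load with: nft -f synproxy.nft
# Also set: sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
# so conntrack does not pick up mid-stream ACKs and bypass the proxy.

table inet synproxy {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Keep incoming SYNs for the proxied ports out of conntrack entirely,
        # so a flood of spoofed SYNs cannot fill the state table.
        iifname "eth0" tcp dport { 80, 443 } tcp flags syn notrack
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # Hand untracked SYNs (and the invalid-state ACKs that complete the
        # proxied handshake) to synproxy: the kernel replies with a SYN cookie
        # and only opens the real connection once the client's ACK validates.
        iifname "eth0" tcp dport { 80, 443 } ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack
        # Anything else that is not a valid tracked flow is dropped.
        ct state invalid drop
    }
}
```

The point of the split is that the per-SYN cost becomes a cookie computation with no state, which is why a commodity server can absorb a flood that exhausts a stateful box's session table. The mss/wscale/timestamp/sack options must match what the real server would negotiate, since the proxy has to replay the handshake towards it.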