09-21-2011 03:18 AM
I have never touched the IPS/IDP capabilities of the SRX yet. A client of mine is thinking about replacing his dusty Juniper standalone IDP boxes. Is the SRX there yet? Can it be used as a standalone IPS (no firewall), in-line (clustered)?
Would be interested in hearing about your experience.
10-10-2011 06:15 PM
Not sure what features you are looking for in it.
The SRX may not be 100% as feature-rich as the SA IDP at this point, but it covers the important aspects of IDP from an applicability point of view.
If you could elaborate on the requirements, then maybe it will help in understanding the need. For the CC case there are a few minor limitations in terms of syncing over to the backup node.
10-11-2011 08:52 AM
I have no real requirements yet, other than that a customer of mine complained about his Juniper legacy IDP machines not detecting a recent DDoS attack. And they weren't able to figure out how (if at all possible) to make them detect those attacks in the future. I don't know those devices, so I couldn't really help.
Now what I am wondering is whether there are any features on the SRX that aren't available on the Juniper IDP series. Why would I choose an SRX over the legacy IDP product? Does it handle DDoS attacks better (I seem to remember having read feature names like AppDoS and stuff like that)?
10-13-2011 05:44 AM
When wanting to stop a DDoS attack, the first order of business is to look at what type of attack it is. Syn flood? Low orbit ion cannon? Something more sophisticated?
Then, with packet captures and analysis of the tool in hand, you can go tweak settings to stop it. In certain cases, you might want to stop it upstream at the ISP, if it's easily enough detected.
AppDoS is a feature that takes DoS protection one step further, into the application layer. A more sophisticated DDoS attack will send completely legitimate requests to a web server and bring it down by the sheer number of requests. AppDoS attempts to detect this and throttle those connections, so as to give users a reduced (longer load times) but still functional experience.
AppDoS is part of the AppSecure package on DC SRX (SRX1400 and up). AFAIK it is not available on Branch at this point in time. Branch has an "early-look" AppFW package, but that's not geared towards stopping DDoS.
Before adding technology, my advice to you would be to layer in consulting. Analyze that DDoS, understand its anatomy. From there, you can figure out how to stop it. It may be quite easy. A lot of DDoS attacks use very primitive tools.
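The triage the post above describes (first work out whether you are looking at a SYN flood or at a flood of legitimate-looking application requests, then decide on a rate limit or a throttle) can be sketched in a few lines. The following is an added example, not code from the original thread and not Juniper's AppDoS or screen implementation: it runs over constructed flow records, classifies a traffic window, and applies a simple per-source limit that only approximates what a source-based session limit or an AppDoS throttle does on the box. The thresholds, the record layout and the function names are assumptions chosen for illustration.

```python
"""Toy DDoS triage over constructed flow records (added example, not SRX code).

Each flow record is a tuple (src_ip, handshake_completed, request):
  src_ip              - client address as a string
  handshake_completed - True if the TCP three-way handshake finished
  request             - the HTTP request line, or None if none was seen
"""
from collections import defaultdict

# Constructed sample windows (not captured traffic).
# 200 half-open connections from 200 sources plus a handful of real clients.
SYN_FLOOD_SAMPLE = [("10.0.0.%d" % i, False, None) for i in range(1, 201)] + \
                   [("192.0.2.10", True, "GET /index.html")] * 5

# Every handshake completes and every request is well-formed, but one source
# sends far more requests than the rest: the case AppDoS is aimed at.
APP_FLOOD_SAMPLE = [("198.51.100.7", True, "GET /search?q=x")] * 120 + \
                   [("192.0.2.%d" % i, True, "GET /") for i in range(1, 11)]

# Ordinary traffic: thirty clients, one request each.
NORMAL_SAMPLE = [("192.0.2.%d" % i, True, "GET /") for i in range(1, 31)]


def summarize(flows):
    """Per-source counts of connection attempts, completed handshakes and requests."""
    stats = defaultdict(lambda: {"attempts": 0, "completed": 0, "requests": 0})
    for src, completed, request in flows:
        s = stats[src]
        s["attempts"] += 1
        if completed:
            s["completed"] += 1
        if request is not None:
            s["requests"] += 1
    return stats


def classify(flows, syn_threshold=100, completion_ratio=0.2, req_threshold=50):
    """Label one traffic window.

    'syn-flood'       : many attempts, few of which ever complete the handshake;
                        a SYN-flood screen / rate limit is the right tool.
    'app-layer-flood' : handshakes complete and requests look legitimate, but a
                        single source exceeds req_threshold; throttle, not block.
    'normal'          : nothing above the (assumed) thresholds.
    """
    stats = summarize(flows)
    attempts = sum(s["attempts"] for s in stats.values())
    completed = sum(s["completed"] for s in stats.values())
    # Short-circuit keeps the division safe on an empty window.
    if attempts >= syn_threshold and completed / attempts < completion_ratio:
        return "syn-flood"
    if any(s["requests"] >= req_threshold for s in stats.values()):
        return "app-layer-flood"
    return "normal"


def throttle_candidates(flows, per_source_limit=50):
    """Sources whose request count exceeds the limit, sorted for stable output."""
    stats = summarize(flows)
    return sorted(src for src, s in stats.items() if s["requests"] > per_source_limit)


def apply_source_limit(flows, per_source_limit=50):
    """Crude per-source limit: allow the first N flows from each source, drop the rest.

    Returns (allowed_flows, dropped_count). This only approximates what a
    source-based session limit or an AppDoS throttle does; real devices work on
    live sessions over time, not on a static list.
    """
    seen = defaultdict(int)
    allowed, dropped = [], 0
    for flow in flows:
        src = flow[0]
        if seen[src] < per_source_limit:
            seen[src] += 1
            allowed.append(flow)
        else:
            dropped += 1
    return allowed, dropped


if __name__ == "__main__":
    for name, window in (("syn", SYN_FLOOD_SAMPLE),
                         ("app", APP_FLOOD_SAMPLE),
                         ("normal", NORMAL_SAMPLE)):
        kept, dropped = apply_source_limit(window)
        print(name, classify(window), throttle_candidates(window),
              "kept=%d dropped=%d" % (len(kept), dropped))
```

The point of keeping the two checks separate is that the mitigations differ: a SYN flood is handled below the application, by a screen or a rate limit that never needs to look at a request, while the application-layer case is only visible once you count completed, well-formed requests per source, which is why the post recommends understanding the attack before choosing a product.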
10-13-2011 07:31 AM - edited 10-13-2011 07:31 AM
The SRX will handle DDoS by performing rate-limiting and screening protections, and not by using the IDP functionality to restrict the attacks.
That being said, I absolutely DO NOT RECOMMEND using the IDP functionality on the SRX platforms (in particular, the branch series), especially if your client is used to a stable environment. I have had numerous cases open with JTAC about the lack of stability and performance in their IDP engine, the signatures, logging/integration with NSM, and the SRX as a whole. Don't forget that you also will lose the ability to "fail open" in the event the SRX goes down - no copper bypass modules available.
While I do see the IDP appliances going away, I do not see the SRX being a suitable replacement anytime soon.
10-14-2011 05:32 AM
I was afraid someone would say something like that. And actually, I did not expect to hear anything else. Given the experience we've had with SRX and NSM so far, I had little hope that the IPS features would perform any better than the rest.