05-30-2012 07:10 AM
We utilize a pair of M120 Routers as Internet Gateways and behind them is a pair of ISG2000 Firewalls.
As a mobile network, we frequently have up to half a million active sessions.
We have received a Security Bulletin indicating some DoS attacks and advising us to block about 1000 unique IP addresses [non-contiguous].
We have two options: Firewall Filters on the M120 or add them in the black list of the ISG2000 Firewalls.
My question is: which is a safer option, and do you have any experience with blocking such a large set of IPs?
Are there some options that are even better? And is there a shortcut to adding 1000 IPs [maybe uploading a file instead of adding one by one]?
05-30-2012 03:14 PM
Also, not sure about the ISG, but I do remember seeing something cautionary mentioned in the JUNOS release notes regarding large firewall filters.
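One way to do the bulk load asked about in the first post, as an added example that is not part of the thread: a Python script that validates a pasted IP list and emits Junos `set` commands for a single prefix-list term on the M120, rather than one term per address. The prefix-list and filter names, the /24 width limit and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample list (documentation ranges), including typical paste noise.
SAMPLE_LIST = """\
# constructed sample, not taken from any real bulletin
192.0.2.10
198.51.100.7
192.0.2.10
203.0.113.0/30
203.0.113.1
not-an-ip
198.51.100.300
"""

def build_junos_blocklist(text, prefix_list="BULLETIN-BLOCK",
                          filter_name="EDGE-IN", min_prefixlen=24):
    """Return (set_commands, rejected_entries) for one prefix-list based term."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # allow comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)             # typo or malformed address
            continue
        # Refuse IPv6 (this is an inet filter) and suspiciously wide prefixes,
        # so a typo such as 10.0.0.0/8 cannot black-hole subscriber traffic.
        if net.version != 4 or net.prefixlen < min_prefixlen:
            rejected.append(entry)
            continue
        nets.append(net)
    if not nets:
        return [], rejected                    # emit no filter for an empty list
    # collapse_addresses drops duplicates and covered hosts and merges only
    # exactly adjacent blocks, so nothing outside the list gets matched.
    cmds = [f"set policy-options prefix-list {prefix_list} {n}"
            for n in ipaddress.collapse_addresses(nets)]
    term = f"set firewall family inet filter {filter_name} term"
    cmds += [
        f"{term} bulletin-block from source-prefix-list {prefix_list}",
        f"{term} bulletin-block then count bulletin-block",
        f"{term} bulletin-block then discard",
        # Junos filters end in an implicit discard; pass everything else.
        f"{term} everything-else then accept",
    ]
    return cmds, rejected

if __name__ == "__main__":
    commands, bad = build_junos_blocklist(SAMPLE_LIST)
    print("\n".join(commands))
    print("# rejected, review by hand:", bad)
```

The output can be pasted at `load set terminal` in configuration mode; the filter still has to be applied to an interface as an input filter before it takes effect.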