Domain: juniper.net
Stories and comments across the archive that link to juniper.net.
Comments · 72
-
So much slower than 100GBase-RZ...?
Excuse me, but even after reading the linked article it eludes me how this is an advancement over existing technology like 100GBase-ZR EtherNet lines (operating at ~ 120 Gbaud per fiber)?
-
Re:Who cares?
Not sure why this is marked as a troll. It is 100% true: use pfSense, not Cisco. Use an Open Source solution that doesn't require a "support contract" to get fixes to THEIR software they sold you. The only reason to use Cisco Firewalls is to make Cisco rich.
When you tell me that you can support 100 million concurrent sessions and 2Tbps of firewalling throughput across a pfsense firewall then I'll be able to go to my customers and say there is no longer a need to pay enormous amounts of money for a firewall.
https://www.juniper.net/us/en/...
Granted Cisco doesn't have anything even remotely close to this Juniper box in performance but the overall point is that pfsense isn't a replacement for high end firewalls at this point in time.
-
Re:ISP idiocy
Do you believe that IP protocol's source routing options make the blocking moot (circumventable) or alternatively constitute a legitimate reason with useful purpose why the source IP may not be the same as the outgoing packet's origin?
-
Re:It's not like they've had 5 months to fix it...
Aren't Juniper routers based on a proprietary version of FreeBSD? Is FreeBSD also vulnerable too then?
Juniper had it fixed back in April already...
http://kb.juniper.net/InfoCent...
-
Re:I call bullshit
The hospital had an Internet-facing router that was accessible via SSH or HTTPS?
If they were stupid enough to do that, then someone else had probably stolen all their data already.
What if it was a Juniper SSL VPN Appliance? TFA is a bit vague; but if the system has VPN access and Juniper gear it seems pretty likely that they might be using that, which would necessarily involve SSL on an internet facing device, though not necessarily SSH or HTTPS.
-
Re:Why not rate limit?
Juniper advisory:
http://kb.juniper.net/InfoCent...
JunOSe and ScreenOS unaffected.
-
Re:Corporate donors
FreeBSD provided some of the key underpinnings to Mac OS X and iOS.
Not to mention JUNOS, the operating system running on Juniper Networks routers. The JUNOS kernel is based on FreeBSD.
Anyone using Facebook, Twitter, AT&T, Verizon (I can go on for about an hour) will have their packets routed through a box running JUNOS.
Come on Kevin, I'm sure you can donate a bit...
-
Buy a real switch....
Use 802.1x authentication on the switch ports and you can control access anyway you want.
http://www.juniper.net/us/en/local/pdf/whitepapers/2000216-en.pdf
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html
-
It is different, if you work in the field.
It's different because Cisco publicly announces their security advisories and publishes security bug information. Full disclosures:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Other companies (such as Juniper) are a bit less public, but seem to offer more information than Huawei to their customers too:
http://s-tools1.juniper.net/support/security/report_vulnerability.html
-
Re:What's wrong with GCC?
iXsystems. Juniper Networks. Apple
I'm willing to bet that all three have some proprietary stuff that they're not feeding back. It doesn't mean that they completely ignore the community. Apple owns CUPS now. iXsystems picked up FreeNAS development.
GPLv3 wouldn't probably make it anywhere into these companies.
-
Re:Pwn2Own rocks.
-
Re:FUD?
Me: "rely on your past experience battling viruses on Windows." Mom: "You're my least favorite son. I hate you."
I'm afraid you'll have to find other excuses for your Oedipal crises. The news stories are mostly FUD.
Modern smartphones are much more secure than old ones, and much more resistant than Windows, though you wouldn't know it given the hype in the news. Did anyone notice how there were no hard numbers of malware sources or infections, just the alarming percentage increase? Even the white paper it's based on has no details. The closest it gets to the truth is here:
Symbian and Microsoft Windows Mobile platforms are the oldest and most researched mobile platforms, and devices running those mobile operating systems have been the targets of the most prolific and effective malware known to affect mobile devices. These platforms have been targeted by a range of malicious applications that run the full spectrum of known malware categories, including SMS trojans that send SMS messages to premium rate numbers unbeknownst to users, background calling applications that charge the victim for exorbitant long distance calls, keylogging applications, and self-propagating code that infects devices and spreads to additional devices listed in the address book. The Juniper Networks Global Threat Center also sees polymorphic malware, which changes its characteristics during propagation to avoid detection, on the Symbian and Microsoft Windows Mobile platforms.
http://www.juniper.net/us/en/local/pdf/whitepapers/2000415-en.pdf
-
Since you have money to blow
Use what the grown-ups use.
Go buy yourself a Juniper SSG 20 with the optional xDSL module, and let the firewall take care of the failover for you.
~dlb
-
Re:Boycott Cisco!
-
Re:Duh! Get ready for it
When the usage levels between users can be more than 100 to 1 it can't be fair.
I do so love a challenge. Here's some examples of the theory:
- Beyond Best Effort: Router Architectures for the Differentiated Services of Tomorrow’s Internet (1998)
- The Impact of Active Queue Management on Multimedia Congestion Control (1998)
- Comparison of Tail Drop and Active Queue Management Performance for bulk-data and Web-like Internet Traffic (2001)
- Bandwidth Allocation for Non-Responsive Flows with Active Queue Management (2002)
- A Comparative Study of Active Queue Management Schemes (2004)
- PURPLE: Predictive Active Queue Management Utilizing Congestion Information (2003)
- The Addition of Explicit Congestion Notification (ECN) to IP (2001)
And here's some examples of the practice with CISCO routers:
Other systems:
Now, tell me again that only a Marxist would believe that it's possible to have pipe-based fair-service on the Internet.
-
2 options: business hw or cheap pc with linux
A little overkill perhaps, but something like this (around $500) is a good option.... http://www.juniper.net/us/en/products-services/security/ssg-series/ssg5/ Alternatively, pretty much any PC with two network interfaces running something like Smoothwall or IPCop should do the trick: http://en.wikipedia.org/wiki/List_of_Linux_router_or_firewall_distributions
-
Re:To their credit
Any database can experience data loss. That includes Oracle, SQL Server, and even your beloved PostgreSQL. This can happen for any number of reasons, including (but not limited to) hardware failure, power failure, user error, etc.
Postgres isn't going to help you if you forget a WHERE clause. Oracle isn't going to help you if your RAID is corrupted.
FWIW, I have never had a MySQL database lose data, and I have committed more "user errors" than I'd like to admit. Hell, I once pulled up the wrong window and moved the frickin' database file right out from under a running MySQL server to another volume. No data loss.
Also FWIW, it is possible to experience data loss with Postgres, where it is Postgres's fault (as opposed to the RDBMS not being able to recover from some external fault). Example 1. Example 2.
-
DNS exploit affects OSX 10.x and up
http://www.juniper.net/security/auto/vulnerabilities/vuln30131.html
That's a whopping list of vulnerable stuff there.
I wonder if Apple took a survey, of who was still using older versions.
I have read probably over 40% of internet users don't use updated browsers. http://blogs.stopbadware.org/articles/2008/07/01/forty-percent-of-users-use-insecure-web-browser
If that many users can't update browsers, how many can update their OS? Especially since browsers (and updates) are mostly free, you'd think they'd be more likely to be updated!
-
Re:A $50 Router Stable?
On the off-chance that you're not trolling:
C = Cisco Systems
N = Nortel
J = Juniper Networks
HTH. HAND.
-
Re:How about some BSD-based open source routers?
I'd really like to have a turnkey, commercially built router with the security of OpenBSD, NetBSD, or FreeBSD.
A router built like a *BSD platform?
Sounds like Juniper's routers that run JunOS, such as the high-end T320. OS is based on *BSD (with proprietary changes, of course)
These aren't consumer-level units, naturally. *BSD kernels have many features that aren't needed (and therefore waste memory) in a consumer appliance.
Proprietary OSes like VxWorks-based implementations can be much leaner.
There are lower end units with just as much security as the *BSDs in the OS itself.
The OS of lower-end consumer units may be BSD based, but you'll never know, because access to a CLI is considered a high-end enterprise feature by most manufacturers, that adds a cost of many $$$ compared to cost of same device with just menu or web-based UI.
Security bugs in lean devices are likely to be in the GUI/web UI for managing the device, vendor add-ons, not the OS core, so much, which tried and true (proven) software may be used for.
It is not like they are running Windows -- but when the web GUI itself runs off the unit's kernel, with no requirement for the web page to authenticate to another OS component, any bug in the web UI/browser code leads to full control of the unit.
-
Re:ya but..
Probably because you haven't seen a Juniper T1600. It has 2.5x the per-slot bandwidth of the CRS-1. The Cisco marketing literature may go to 92tbps, but I challenge you to show me a production CRS multishelf system with more than one fabric shelf. Once T1600 modules are available for the TX Matrix the system will provide 6.4tbps in two and a half racks, using far less power than the equivalent real estate worth of CRS hardware (2.4tbps max), at about the same cost. BTW a fully configured 72-rack CRS-1 would require about .8 megawatts of power and belch about 2.5 million BTUs of heat per hour...
Erm, not that that's a biased viewpoint or anything (heh)...
Anyway, IMHO far more important to router scalability is the per-slot and per-watt bandwidth, not how many systems you can chain together (as long as you can chain some reasonably useful number, but I don't see a need for more than 8 chassis in a system). The CRS-1 won't be able to handle 100gE without a system-wide fabric upgrade or double-width cards or something. The T1600 (and for that matter, the Foundry NetIron X series, though not in the same class of capabilities or scalability as the Juniper) will be able to slot in 8 100gE linecards the day they're available.
-
wan compression
i would personally like to see something done about on the fly wan compression. it would be great to get a 30Mbps or more connection out of my 20Mbps line. I've looked everywhere for an open source alternative to this but all i can find are overpriced proprietary boxes like these: http://www.juniper.net/products_and_services/application_acceleration/wan_acceleration/index.html
i think Linux dropped the ball on this one.
-
Re:Communications Decency Act Section 230
We use Check Point firewalls. I don't have any direct experience with them because our network team is almost 100 people and it's simply not my area. Been hearing good things about the Junipers as well.
-
Re:Let's be clear about what this means
the routers aren't gaining capacity to route packets as quickly as the number of packets to route is rising. No amount of extra fiber will help if the routers can't keep up. Setting up more routers in the same interconnect centers will bring either bigger routing tables or higher latencies depending on how they're connected to one another.
Exactly how fast do you need your router to go? Cisco and Juniper both have routers that can route at 40Gbps and have a massive amount of ports on them. The CRS-1 from Cisco can expand to 1152 slots each doing 40 Gbps. Drop a couple of those around and you've got a backbone that's going to handle the next 10-15 years. Juniper has the T640, pretty soon the T1280 that can expand to a multi-shelf design.
Cisco CRS-1
Juniper T640
-
Web optimization techniques
Web developers would do well to study existing web acceleration products to see how they work -- they go far beyond gzip and many of their optimizations can be implemented locally.
E.g., Cisco's AVS (formerly Fineground): http://www.cisco.com/en/US/products/ps6492/products_white_paper0900aecd80321a32.shtml
- implements the multiple DNS name solution suggested by Mr Hopkins
- has a clever way of eliminating browser cache validation requests
- has a mechanism to transparently measure actual (not simulated) user page load times
- Juniper's DX series (formerly Redline): http://www.juniper.net/solutions/literature/white_papers/200142.pdf
- The same is true for F5's web accelerator (formerly Swan): http://f5.com/solutions/technology/pdfs/smartcaching_wp.pdf
-
Re:A twist on the same question
A Netscreen + WebAuth?
-
Re:aggregate bandwidth
since their backbone routers are already using T640 routing node, it already supports oc-768 modules that are available already. (http://www.juniper.net/products/modules/100046.pdf) they can also consider this interface upgrade as a possible interim solution to the congestion.
also, i guess they should already look into consideration that backbones will already be migrating to those interfaces in the near future. since they are internet2, they should have the advantage over existing networks.
-
small business VPN
depending on how you define small and what type of access you want to provide; go for the Juniper Networks SSL VPN (the firewalls have been mentioned as well). These devices will allow, depending on which box you have and the license purchased, from 10-5000 concurrent users. You have the option of providing full VPN connectivity to web-based intranet connections to partial intranet access (access to the intranet without providing a node on the network).
-
Re:One thing I've wondered...
There are core routers that can do over 300Gbps. Here is an example: http://www.juniper.net/products/tseries/
-
Juniper has a similar solution.
http://www.juniper.net/products/appaccel/wan/wxc/
Claims to although it's an adaptive compression (builds the dictionary as your application is used) they claim an overall net decrease in latency because of the reduction in packets / packet size.
They also claim up to 100x reduction in bandwidth use.
-
Juniper
Juniper uses FreeBSD (they call it 'JunOS'). Their routers have become quite popular for very high traffic installations, due in no small part to the efficient networking code of the FreeBSD kernel. Also, don't forget that the f-root name server (actually a distributed network of servers) is exclusively FreeBSD.
-
Re:Just like ASOT told us!
so i get to play with big for a living. Those things you people always complain about blackholing your packets and forwarding the spam to your inbox..
As part of that, when one does a software upgrade on these, I've been trying to talk to the developers (hardware) that fast boot times are actually important. Take a typical Juniper router for example. The "Routing Engine" is an Intel processor running their own flavor of OS. This means when the system boots, it still has to do all those boring POST checks, wait for the disks to seek, run any option roms, etc.. They generally know what the box is going to do, boot from one of the 3 media choices (LS, CF, Disk). If your network is down for a software upgrade of some routing/switching device, and you can't get to your local WoW server (unless it's during a maint window ;-) ) or dial 911 on your cool VoIP phone, it starts to make a difference. The OS can generally decide the best way to bring your hardware online these days, we're not dealing with IRQ conflicts anymore.
Saving 2-3 minutes in router boot time is valuable. While the individual value of a node within the network it may be hard to see where that 2 mins is, if your kernel panics or something else ReallyBad(tm) happens, those 2 mins help in getting the routing protocols back up that much faster..
-
Security appliances
I've been working since 1998 on network security and tested a lot of firewalls. My recommendation: Use hardware appliances like Juniper NetScreen (http://www.juniper.net/products/integrated/), Fortinet (http://www.fortinet.com/) or WatchGuard (http://www.watchguard.com/). All of them are >U$$100 but that may be the best deal comparing the price to the US$100 per machine you're asking.
-
Re:three simple words
It couldn't be this could it?
Actually, re-reading the last bit - Cisco bought it, I doubt it is, but is it something similar?
-
Re:Cisco? Nortel?
> If I don't see Cisco and/or Nortel on the list,
> it's not going to replace SNMP anytime soon.
> Correction: _ever_.
I am afraid this is not really true.
Most vendors (including Cisco and Juniper) are moving away from SNMP, towards an XML-based framework.
See this link:
http://www.juniper.net/solutions/literature/white_papers/200017.pdf
You can download the JunoScript perl API from their site, it is fully supported in FreeBSD but runs well even on Linux.
http://www.juniper.net/techpubs/software/management/junoscope/junoscope64/index.html
-
Re:OpenBSD
Perhaps you can help me. I would like a bsd box that can terminate 200 802.1Q vlans, two ATM modules for load balancing FROATM links, eight T1's, and some PRI's used as part of a VOATM/VOFR network between pbx's around the world. Which cards can I buy to do this in a PCI form factor?
Not to call you out, but you are pretty screwed when it comes to routers, honestly Juniper is the only other choice for most of this scenario. Honestly Cisco is the best / only choice for many environments. Personally I like Juniper for the Nettoons http://www.juniper.net/nettoons/
-
Re:Canada - Game Theory?
but Canada has a LOT to lose.
Why? There's always juniper networks ;-)
-
Re:Canada? Why bother?
What would Canada really be losing if it couldn't buy Cisco technology? Canadians can just as easily buy a switch or router from Juniper, Nortel, or D-Link (instead of Linksys, which Cisco bought). Do you forget (or neglect, or not know) that Nortel is a *Canadian* company and a leader in optical, wireless, and VoIP technology? And Wi-LAN was a leader in OFDM networking long before wireless LANs became so popular.
-
More info....
Well, I was going to comment and see what, if anything, Juniper Networks was going to come out with but I found a NYTimes article to answer it otherwise. Here's a snippet:
"Juniper Networks has individual routers that are at least as fast, but the company cannot combine as many routers to ultimately produce the same speeds, according to Chris Nicoll, a telecommunications industry analyst with Current Analysis, a research firm."
and more....
"The new router design is the first developed by Cisco that allows several routers to be connected, according to the company. A single router would be able to transmit data at 1.2 terabits a second. But as many as 72 routers can be hooked together to send data at 92 terabits a second, far faster than any router sold now. In telecommunications, data transfer is usually measured in bits per second. A terabit is one trillion bits. "
-
Sorry about those links!
I should have Previewed first! DOH!
BaseN
Amsterdam Internet Exchange
Juniper SDX
-
Re:Is this really a good deal?
In the routers? That would be interesting.
Juniper routers use FreeBSD as the O/S for their routers and I was told by a Cisco certified network engineer that they were better at routing than cisco routers. While I have not run enough routers to know which is better and why, the fact they use BSD is a plus in my book :-)
-
Re:Nice try, but no.
Your solution causes anyone using multiple pipes to transmit at a higher speed to be stopped short and forced through one incoming interface, even though you might have actually been able to handle the traffic.
Actually, that's not necessarily true. Juniper routers, at least, support a feature called reverse path-forwarding checking that determines whether the source IP is reachable via the interface on which the packet arrived.
If there are multiple interfaces that can reach that address, no problem.
-
Who is selling 10Gbit ATM ?
Neither of them are because either
- They can't build it, as the cell per second processing load is too high for current technology
- They can't afford to build it, as the customer won't pay, as it will be too expensive, caused by the cost of coming up with a solution to the first point.
They don't even go to OC48c or 2.5 Gigabits speeds with ATM.
ATM is being phased out of carrier backbones because it is overly complicated, and therefore overly expensive for what carriers need. Packet Over Sonet/SDH (POS) or Ethernet is taking over.
Just because a technology is being used doesn't make it successful, in particular when compared to its original design goals. It may only mean that there was no alternative at the time. As soon as something cheaper, yet as or more effective comes along (eg POS, 10Gbps Ethernet), the less effective technology will be replaced and / or avoided.
-
Wishlist
Dear family and friends,
here is my small and very humble wishlist.
- Canon BG for 300D
- Canon EF 50mm f/1.4 USM
- Canon EF35mm 1.4L USM.
- Canon EF 35-350mm 3.5-5.6 L USM
- Canon EF 28-135mm f/3.5-5.6 IS USM
- Canon EF 180 mm f/3.5L Macro USM
- Canon TS-E 45 mm f/2.8
- 4GB CF
- SGI Origin 3900
- Sun Fire 15k
- Juniper T-Series
I do sincerely hope you will show up at the Christmas party with these items. If so required I shall designate certain items to certain people to avoid getting double presents. Those who do not bring a present in my wishlist may not have any of the food, nor will you be invited again next year. I thank you all.
Your comment has too few characters per line (currently 15.8). Your comment has too few characters per line (currently 15.8). Your comment has too few characters per line (currently 19.8). Your comment has too few characters per line (currently 21.5). Your comment has too few characters per line (currently 23.2). Your comment has too few characters per line (currently 24.9). - Canon BG for 300D
-
Re:contaminated?
The warning is to prevent companies from accidentally getting GPL code in something they plan to modify and release for profit. The FreeBSD kernel in the screenshot will be contaminated by GPL and its viral properties, which means it cannot be used without abiding by the terms of the GPL.
FreeBSD does have lots of GPL code in the (optional) userland tools, although the system tools (cp, mount, etc...) are BSD licensed. This allows you to use FreeBSD on a desktop PC (with Gnome) or in a router. Companies like FreeBSD because they can modify the code in interesting ways and sell it without having to give away the farm.
Believe it or not, significant portions of the FreeBSD Kernel and userland come from companies donating the code back to the community, despite the lack of legal requirement that they do so.
-
Re:Limited writes
You're seriously trying to tell me that production routers would use slow flash rather than battery backed-up SDRAM?
Have you tried going to Cisco's website and looking for yourself? Oh, wait, silly me, I forgot this is Slashdot.
Here you go.
Oh, and here's a link for Juniper, also.
A backup has to be reliable. It doesn't have to be fast, because it's not where the config actually runs. That's RAM, but there's no need for it to be battery-backed, because you always save your config... don't you?
-
Re:Limited writes
Flash RAM has quite a limited number of writes. This can cause problems if you're writing large numbers of small files to flash RAM as it can cause a huge number of writes to the FAT area of the device.
That's odd. Flash sees heavy use in routers. When I was an engineer for a Tier 1 provider, being conservative and cautious always meant saving more often, not less :)
Oh, by the way, if you think Flash is bad for a storage medium, some Juniper routers have an LS-120 floppy drive for backup :)
-
Re:Yet...
Ah but you forgot to link to the redemption page:
goodstuff
warning this page requires 'flash' (virus?worm?entertainment?)