Chapter 7. High-Performance Attack Mitigation

Attack prevention and mitigation are what separate a high-end, state-of-the-art firewall from a basic, run-of-the-mill one. Firewalls have been around for a long time, and these days even routers and load balancers can do basic stateful IP filtering, so their vendors claim the device is a “firewall.” The SRX, however, has some of the most advanced attack prevention capabilities on the market today. With built-in features such as screens, AppDoS, and AppDDoS, the SRX can block most well-known attacks extremely efficiently and can even mitigate large volumes of denial-of-service (DoS) and distributed denial-of-service (DDoS) traffic without interrupting normal traffic processing.

Over the course of this chapter, you’ll learn about the various SRX screens and some of the major types of attacks seen in the real world, and how to mitigate those attacks with screens. You’ll learn how to protect the SRX’s control plane from direct attacks and how to protect critical services behind the SRX via screens, firewall filters, and Intrusion Detection and Prevention (IDP).

To simplify the discussion, we have grouped the types of attacks into five major categories. Be aware that some attacks fit more than one category, depending on how they are carried out.

The following is a high-level summary of the five different types of malicious traffic:

Network reconnaissance

Network recon is the first thing an attacker does ...
