We run ours at 1200MHz and it seems to work just fine.
We are thinking of buying a CCR1072 just as a firewall. Is it the right move?
Here is our topic:
viewtopic.php?f=13&t=121781
I would definitely not use a CCR as a firewall that you are expecting to take punishment; the clock speed on the CPU isn't good enough for high packet inspection and it will probably fall over.
A firewall (in general) is never going to stop a volumetric DDoS attack, even with drop rules.
This is because a packet still has to come in on the incoming interface in order to be inspected by the firewall before a decision to drop it is made.
Here is a YouTube video I made showing this:
https://www.youtube.com/watch?v=SHjBbbF ... e=youtu.be
Even when the drop rule is enabled, traffic still hits the incoming interface and there is still load on the router.
When a blackhole is used, the packets accepted on the incoming interface drop and so does the CPU load.
You are better off splitting your protection into DDoS protection and application / access control.
For DDoS protection, use something like FastNetMon or Wanguard to help mitigate volumetric type attacks, whereby you can set up BGP with your routers, enable loose RP-Filters and blackhole the destination or source IP addresses.
Then a decent firewall for application / access control. At the high end, I would recommend the FortiGate firewalls; we use them extensively for IDS/IPS and firewalling and they work great, however they are expensive. On the lower end, use a server with decent 10G network interfaces and an E3-1200v6 or E5-1600v4 processor (clock speed above cores) and load up pfSense. You can use Suricata or Snort on pfSense for the IDP/IPS side of things, and the pfSense firewall is rock solid.
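
The detect-then-blackhole flow described in the post above, as an added example that is not part of the original thread and is not FastNetMon or Wanguard code. The threshold, the discard next-hop and the sampled-flow tuples are assumptions constructed for illustration; the output lines use ExaBGP's text announce format with the RFC 7999 BLACKHOLE community.

```python
from collections import defaultdict
from ipaddress import ip_address

# Assumed values for illustration; tune to your own traffic baseline.
PPS_THRESHOLD = 100_000            # packets/sec toward a single destination
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community
DISCARD_NEXT_HOP = "192.0.2.1"     # next-hop the routers map to a null route

# Constructed sample: (dst_ip, sampled_packets, sampling_rate) for one interval.
SAMPLES = [
    ("198.51.100.10", 900, 1000),
    ("198.51.100.10", 850, 1000),
    ("198.51.100.20", 40, 1000),
    ("198.51.100.30", 12, 1000),
]


def pps_by_destination(samples, interval_s):
    """Scale sampled counts back up and return packets/sec per destination."""
    totals = defaultdict(int)
    for dst, packets, rate in samples:
        totals[str(ip_address(dst))] += packets * rate  # validates the address
    return {dst: total / interval_s for dst, total in totals.items()}


def blackhole_candidates(samples, interval_s=10, threshold=PPS_THRESHOLD):
    """Destinations whose estimated inbound rate exceeds the threshold."""
    rates = pps_by_destination(samples, interval_s)
    return sorted(dst for dst, pps in rates.items() if pps > threshold)


def announcements(victims):
    """One host-route announcement per victim (/32 for IPv4, /128 for IPv6)."""
    lines = []
    for v in victims:
        plen = ip_address(v).max_prefixlen
        lines.append(
            f"announce route {v}/{plen} next-hop {DISCARD_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]"
        )
    return lines


if __name__ == "__main__":
    for line in announcements(blackhole_candidates(SAMPLES)):
        print(line)
```

Blackholing the destination takes the victim address offline for the duration of the announcement, so withdraw the route once the measured rate falls back under the threshold.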