I'm not aware of this being a "feature" in Cisco IOS either unless it is
a recent enhancement. Once "router bgp xxx" is entered, the it should
be listening on port 179/tcp. In fact, I believe an ACL for this is
created in Rob's template:
http://www.cymru.com/~robt/Docs/Articles/secure-bgp-template.html
The ACL is used there just like the firewall filter in JUNOS. It
certainly does get cumbersome when you have many peers and are looking
for a quick fix for several routers, all of which require unique
filters. I hate having this port open to the public but I also don't
like the work that it takes to keep it hidden.
Since neighbors are uniformly hardcoded in the configuration perhaps a
built-in method of enabling such a lockdown would prove quite
beneficial. Juniper personnel will likely recommend bouncing this
feature request off your local rep and taking it from there.
Cheers,
-- steve
-----Original Message-----
From: Lane Patterson [mailto:lpatterson@equinix.com]
Sent: Tuesday, September 04, 2001 3:16 PM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] BGP tcp/179 security on JunOS
OK, does anyone know of a way, or maybe an accepted feature request ID,
to
secure tcp/179 on Juniper routers? It seems they listen to this by
default
from any source IP, whereas tcp/179 is only visible on IOS if the source
IP
is a configured peer. Some very well known providers have tcp/179
unsecured
on their Juniper deployments...
Rob Thomas and Stephen Gill have provided basic firewall rules for
filtering
out non-peer access to tcp/179, but this is too much effort to
accomplish
something that should be built-in (e.g. why would I EVER listen to
anything
on tcp/179 unless you are a configured peer?):
http://www.qorbit.net/documents/JUNOS_BGP_template.pdf
Cheers,
-Lane
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT