[j-nsp] Secure Junos template

Michael Loftis mloftis at wgops.com
Wed Apr 26 11:10:19 EDT 2006



--On April 26, 2006 8:29:20 AM +0100 Ian MacKinnon 
<ian.mackinnon at lumison.net> wrote:

> Hi All,
>
> I am looking at the secure Junos template from
> http://www.cymru.com/gillsr/documents/junos-template.pdf
>
> In particular the router-protect term, it is allowing ssh from some
> secure networks and denying it from all others. That I understand.
> However it is only applied to the loopback interface, does this protect
> the whole router? Can you still ssh to interface ip addresses directly?

Yes it protects the whole router (RTFM), no you can't ssh to interface IPs 
directly.  Further lo filters are applied in hardware, not at the RE, so 
traffic dropped (and I think rejects too) via lo filters happens in the 
FEB/PICs so it never hits the RE at all.  Good win in DoS/DDoS.
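
A minimal sketch of the arrangement discussed in this thread, added here as an illustration; it is not part of the original post and is not copied from the Team Cymru template. The prefix-list name, term names, counter name and the 192.0.2.0/24 management prefix are constructed placeholders. Only the filter name `router-protect` and the lo0 attachment come from the thread.

```junos
/* Constructed example: names and the 192.0.2.0/24 prefix are placeholders. */
policy-options {
    prefix-list ssh-sources {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter router-protect {
            /* SSH from the trusted management prefixes is accepted. */
            term ssh-allow {
                from {
                    source-prefix-list {
                        ssh-sources;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* SSH from every other source is counted and silently dropped. */
            term ssh-deny {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    discard;
                }
            }
            /* Assumption: all other traffic is accepted to keep the sketch
               short; a production filter lists each permitted protocol. */
            term other {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input router-protect;
                }
            }
        }
    }
}
```

After commit, `show firewall filter router-protect` displays the `ssh-denied` counter, which gives a quick check that SSH attempts to any of the router's addresses from outside the trusted prefixes are being dropped.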
