[j-nsp] Secure Junos template

Ian MacKinnon ian.mackinnon at lumison.net
Wed Apr 26 11:51:13 EDT 2006


Michael Loftis wrote:
> 
> 
> --On April 26, 2006 8:29:20 AM +0100 Ian MacKinnon 
> <ian.mackinnon at lumison.net> wrote:
> 
>> Hi All,
>>
>> I am looking at the secure Junos template from
>> http://www.cymru.com/gillsr/documents/junos-template.pdf
>>
>> In particular the router-protect term, it is allowing ssh from some
>> secure networks and denying it from all others. That I understand.
>> However it is only applied to the loopback interface, does this protect
>> the whole router? Can you still ssh to interface ip addresses directly?
> 
> Yes it protects the whole router (RTFM), no you can't ssh to interface 
> IPs directly.  Further lo filters are applied in hardware, not at the 
> RE, so traffic dropped (and I think rejects too) via lo filters happens 
> in the FEB/PICs so it never hits the RE at all.  Good win in DoS/DDoS.
> 
> 
Thanks to everyone who responded, makes sense but I just wanted 
confirmation.

-- 
Ian MacKinnon
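
The arrangement discussed in this thread, as an added example (not taken from the thread or from the Team Cymru template): a filter that accepts SSH only from a trusted prefix list and is attached as an input filter on lo0. The term names, prefix-list name, counter name and the 192.0.2.0/24 prefix are assumptions chosen for illustration.

```junos
/* Added example; names and addresses are constructed placeholders. */
policy-options {
    /* 192.0.2.0/24 is a documentation prefix standing in for the secure networks. */
    prefix-list ssh-trusted {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter router-protect {
            /* SSH from the trusted networks is accepted. */
            term ssh-allow {
                from {
                    source-prefix-list {
                        ssh-trusted;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* SSH from any other source is counted and dropped. */
            term ssh-deny {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    discard;
                }
            }
            /* Placeholder only: a filter ends in an implicit discard, so in a
               hardened filter this term is replaced by explicit accept terms
               for each protocol the router must receive. */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input router-protect;
                }
            }
        }
    }
}
```

`show firewall filter router-protect` displays the `ssh-denied` counter, which increments for each SSH packet dropped by the second term.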

