[j-nsp] Secure Junos template
Ian MacKinnon
ian.mackinnon at lumison.net
Wed Apr 26 11:51:13 EDT 2006
Michael Loftis wrote:
>
>
> --On April 26, 2006 8:29:20 AM +0100 Ian MacKinnon
> <ian.mackinnon at lumison.net> wrote:
>
>> Hi All,
>>
>> I am looking at the secure Junos template from
>> http://www.cymru.com/gillsr/documents/junos-template.pdf
>>
>> In particular the router-protect term, it is allowing ssh from some
>> secure networks and denying it from all others. That I understand.
>> However it is only applied to the loopback interface, does this protect
>> the whole router? Can you still ssh to interface ip addresses directly?
>
> Yes it protects the whole router (RTFM), no you can't ssh to interface
> IPs directly. Further lo filters are applied in hardware, not at the
> RE, so traffic dropped (and I think rejects too) via lo filters happens
> in the FEB/PICs so it never hits the RE at all. Good win in DoS/DDoS.
>
>
Thanks to everyone who responded, makes sense but I just wanted
confirmation.
--
Ian MacKinnon
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender. Any
offers or quotation of service are subject to formal specification.
Errors and omissions excepted. Please note that any views or opinions
presented in this email are solely those of the author and do not
necessarily represent those of Lumison, nplusone or lightershade ltd.
Finally, the recipient should check this email and any attachments for the
presence of viruses. Lumison, nplusone and lightershade ltd accepts no
liability for any damage caused by any virus transmitted by this email.
--
--
Virus scanned by Lumison.
More information about the juniper-nsp
mailing list