[j-nsp] SSH attack
Mark Tinka
mtinka at globaltransit.net
Thu Feb 21 00:05:39 EST 2008
On Thursday 21 February 2008, Chuck Anderson wrote:
> Instead of blocking SSH on every link, block it on lo0.
> Firewall filters applied to the lo0 interface are applied
> to the Routing Engine itself. Be careful if you apply
> filters here--be sure to allow any routing protocols into
> the Routing Engine, or they will break.
On this thread, just for reference, I see the following
protocols as those that would (need to) be allowed when
protecting the RE:
* SSH
* Telnet (don't recommend if you can avoid it)
* SNMP
* NTP
* RADIUS
* TACACS+
* ICMP
* IP Routing protocols (those you use, anyway)
* Multicast control
* LDP/RSVP
* FTP
* VRRP
* DNS
* Layer 2 protocols (as necessary)
Are there any other protocols/applications that could be
added to this list - perhaps to build a BCP for RE
protection in typical service provider environments?
Conversely, I think it would scale better if rather than
allowing specifically, we restricted specifically. Else, it
would potentially be more difficult to scale RE protection
across multiple nodes if an operator had to explicitly
allow for a new protocol/application when the network
decided to support it.
Cheers,
Mark.
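An lo0 input filter in the allow-list style Chuck describes, covering the routing and management protocols listed above, as an added example that is not part of the original posts. The prefix lists (mgmt-hosts, aaa-servers) and the 192.0.2.0/24 address are assumptions for illustration.

```junos
/* Added example: protect the Routing Engine with an lo0 input filter.
   Prefix lists and addresses are assumed, not taken from the thread. */
policy-options {
    prefix-list mgmt-hosts { 192.0.2.0/24; }      /* assumed management subnet */
    prefix-list aaa-servers { 192.0.2.10/32; }    /* assumed RADIUS/TACACS+ server */
    prefix-list bgp-neighbors {
        /* built automatically from the configured BGP peers */
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    policer icmp-limit {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Routing protocols first: dropping these breaks the network */
            term bgp { from { source-prefix-list { bgp-neighbors; } protocol tcp; port bgp; } then accept; }
            term ospf { from { protocol ospf; } then accept; }
            term ldp { from { protocol [ tcp udp ]; port ldp; } then accept; }
            term rsvp { from { protocol rsvp; } then accept; }
            term vrrp { from { protocol vrrp; } then accept; }
            term multicast-control { from { protocol [ pim igmp ]; } then accept; }
            /* Management plane, restricted to known sources where possible */
            term ssh { from { source-prefix-list { mgmt-hosts; } protocol tcp; destination-port ssh; } then accept; }
            term snmp { from { source-prefix-list { mgmt-hosts; } protocol udp; destination-port snmp; } then accept; }
            term aaa-replies { from { source-prefix-list { aaa-servers; } protocol [ tcp udp ]; source-port [ radius tacacs ]; } then accept; }
            term ntp { from { protocol udp; port ntp; } then accept; }
            term dns-replies { from { protocol udp; source-port domain; } then accept; }
            /* Rate-limit ICMP so ping floods cannot starve the RE */
            term icmp {
                from { protocol icmp; icmp-type [ echo-request echo-reply unreachable time-exceeded ]; }
                then { policer icmp-limit; accept; }
            }
            /* Explicit final term: count and log what is dropped so a missing
               protocol shows up in the syslog instead of failing silently */
            term deny-rest { then { count re-denied; log; syslog; discard; } }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input protect-re; } } } }
}
```

Apply it with `commit confirmed` so that a filter which drops a forgotten protocol rolls back on its own, and watch the `re-denied` counter and firewall log for traffic that should have been allowed.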