[j-nsp] SSH Filter

Brendan Mannella bmannella at teraswitch.com
Fri May 22 11:25:10 EDT 2009


True, I have seen those.

I understand I would need to think of everything needed. So even OSPF, BGP, basically any protocol I would use. But I don't need to worry about traffic transiting the switch such as customer services, like HTTP, FTP, etc. Correct?

Thanks,

Brendan



----- Original Message -----
From: "Stefan Fouant" <sfouant at gmail.com>
To: "Brendan Mannella" <bmannella at teraswitch.com>, "juniper-nsp" <juniper-nsp at puck.nether.net>
Sent: Friday, May 22, 2009 10:57:42 AM GMT -05:00 US/Canada Eastern
Subject: Re: [j-nsp] SSH Filter

That filter would certainly do what you want but I would strongly
advise against using an accept-all term as your last term. If you
truly want to take a hardened control plane security posture, why not
allow that which is specifically required and drop the rest? Team
Cymru has some good control plane filter templates available on their
website.

Regards,



On 5/22/09, Brendan Mannella <bmannella at teraswitch.com> wrote:
>
>
> All, I know this has been covered a million times, but I just wanted to
> check with the list to see if this is the best/recommended way to restrict
> SSH access to an EX switch. I did google this, but noticed people doing it
> different ways.
>
> set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.1/32
> set firewall family inet filter RE_FILTER term SSH from source-address 10.0.0.2/32
> set firewall family inet filter RE_FILTER term SSH from protocol tcp
> set firewall family inet filter RE_FILTER term SSH from destination-port 22
> set firewall family inet filter RE_FILTER term SSH then accept
> set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
> set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port 22
> set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
> set firewall family inet filter RE_FILTER term everything-else then accept
> set interfaces lo0 unit 0 family inet filter input RE_FILTER
>
> Please Advise.
>
>
>
> Thanks,
>
>
>
> Brendan Mannella
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

-- 
Sent from Gmail for mobile | mobile.google.com

Stefan Fouant

Stay the patient course.
Of little worth is your ire.
The network is down.


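For reference, here is what the "allow what is required, drop the rest" posture Stefan describes looks like when applied to the RE_FILTER from the original post. This is an added example, not configuration from either poster. It keeps the two management hosts from the post (10.0.0.1/32 and 10.0.0.2/32); the BGP peer addresses (192.0.2.1, 192.0.2.2), the OSPF neighbor range (198.51.100.0/24), the policer rate and the prefix-list names are constructed placeholders to be replaced with the real values for the switch. The `#` lines are explanatory notes and need to be stripped before the text is pasted into `load set`.

```junos
# Management hosts allowed to SSH in (addresses from the original post)
set policy-options prefix-list MGMT-HOSTS 10.0.0.1/32
set policy-options prefix-list MGMT-HOSTS 10.0.0.2/32
# Constructed placeholders: replace with the real BGP peers and OSPF neighbor subnets
set policy-options prefix-list BGP-PEERS 192.0.2.1/32
set policy-options prefix-list BGP-PEERS 192.0.2.2/32
set policy-options prefix-list OSPF-NEIGHBORS 198.51.100.0/24

# Rate-limit ICMP to the RE so a ping flood cannot starve it (constructed limits)
set firewall policer RE-ICMP-POLICER if-exceeding bandwidth-limit 1m
set firewall policer RE-ICMP-POLICER if-exceeding burst-size-limit 15k
set firewall policer RE-ICMP-POLICER then discard

# SSH only from the management hosts; no separate SSH_BLOCK term is needed
# because anything not matched below falls through to DEFAULT-DISCARD
set firewall family inet filter RE_FILTER term SSH from source-prefix-list MGMT-HOSTS
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port ssh
set firewall family inet filter RE_FILTER term SSH then accept

# BGP: "port bgp" matches source or destination port 179, so it covers
# sessions regardless of which side opened the TCP connection
set firewall family inet filter RE_FILTER term BGP from source-prefix-list BGP-PEERS
set firewall family inet filter RE_FILTER term BGP from protocol tcp
set firewall family inet filter RE_FILTER term BGP from port bgp
set firewall family inet filter RE_FILTER term BGP then accept

# OSPF rides directly on IP protocol 89, so it is matched by protocol, not port
set firewall family inet filter RE_FILTER term OSPF from source-prefix-list OSPF-NEIGHBORS
set firewall family inet filter RE_FILTER term OSPF from protocol ospf
set firewall family inet filter RE_FILTER term OSPF then accept

# Diagnostic ICMP, rate-limited by the policer above
set firewall family inet filter RE_FILTER term ICMP from protocol icmp
set firewall family inet filter RE_FILTER term ICMP from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter RE_FILTER term ICMP then policer RE-ICMP-POLICER
set firewall family inet filter RE_FILTER term ICMP then accept

# Explicit final term: Junos discards unmatched traffic anyway, but counting and
# logging the drops is how you discover a protocol you forgot to allow
set firewall family inet filter RE_FILTER term DEFAULT-DISCARD then count re-default-discards
set firewall family inet filter RE_FILTER term DEFAULT-DISCARD then log
set firewall family inet filter RE_FILTER term DEFAULT-DISCARD then discard

set interfaces lo0 unit 0 family inet filter input RE_FILTER
```

Two notes on using it. First, a filter on lo0 is only evaluated for packets addressed to the Routing Engine itself; traffic switched or routed through the box is never seen by it, so customer HTTP or FTP flows are unaffected. Second, the list of terms above is deliberately short and is where "think of everything" bites: anything the switch itself talks to (DNS, NTP, RADIUS or TACACS+, SNMP managers, syslog replies, SSH sessions the switch initiates outbound) needs its own accept term, and the easiest way to find the ones you missed is `show firewall filter RE_FILTER` and `show firewall log` while watching the re-default-discards counter climb before you commit this in production (commit confirmed is your friend here).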