[j-nsp] New J-net publications: Secure the routing engine and Useful tips/tricks

Daniel Verlouw daniel at shunoshu.net
Wed Jun 22 04:08:57 EDT 2011


Hi,

On Wed, Jun 22, 2011 at 02:01, Harry Reynolds <harry at juniper.net> wrote:
> Hey all, Please pardon the wide distribution. I recall seeing postings on this list regarding current best practices for securing Juniper Networks Routing Engines via firewall filters.

just briefly skimmed over it, good stuff!

Perhaps I'm nitpicking here, but my first thought when seeing the
following term was: this will allow anyone to access all open TCP
ports, simply by modifying their host's outbound TTL so that the packets
arrive with TTL=1 at the router.

    term accept-traceroute-tcp {
        from {
            destination-prefix-list {
                router-ipv4;
                router-ipv4-logical-systms;
            }
            protocol tcp;
            ttl 1;
        }
        then {
            policer management-1m;
            count accept-traceroute-tcp;
            accept;
        }
    }

Perhaps I misread the rest of the config or maybe I'm being paranoid,
but this is something I would definitely not recommend :-)

BR, Daniel.
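To make the concern above concrete, here is an added example (not from this post or from the Juniper publication it discusses): a small first-match model of a Junos lo0 firewall filter. It keeps the quoted accept-traceroute-tcp term as-is and shows that a TCP SYN to port 22 from an untrusted source, sent with an initial TTL equal to the router's hop distance so it arrives with TTL=1, is accepted by that term, while the same SYN with a normal TTL falls through to the discard. The prefixes (RFC 5737 documentation ranges), the other term names, and both term orders are constructed assumptions, not the book's actual configuration.

```python
"""Added example, not from the post or the Juniper publication: a first-match
model of a Junos routing-engine (lo0) firewall filter, used to show why a term
that accepts any TCP packet with ttl 1 exposes every open TCP port.  Prefixes,
term names other than accept-traceroute-tcp, and term order are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int
    ttl: int


@dataclass(frozen=True)
class Term:
    name: str
    action: str                      # "accept" or "discard"
    protocol: Optional[str] = None   # None means "any"
    src_prefixes: Optional[tuple] = None
    dst_prefixes: Optional[tuple] = None
    dports: Optional[frozenset] = None
    ttl: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Junos ANDs all from-conditions of a term; every configured one must hold.
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.ttl is not None and pkt.ttl != self.ttl:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.src_prefixes is not None and not in_any(pkt.src, self.src_prefixes):
            return False
        if self.dst_prefixes is not None and not in_any(pkt.dst, self.dst_prefixes):
            return False
        return True


def in_any(addr: str, prefixes) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in prefixes)


def evaluate(terms, pkt: Packet):
    """First matching term wins; a packet matching no term hits the implicit discard."""
    for t in terms:
        if t.matches(pkt):
            return t.name, t.action
    return "implicit-discard", "discard"


def ttl_on_arrival(initial_ttl: int, hop_index: int) -> int:
    """TTL a probe carries when it reaches the hop_index-th router (1 = first hop).
    Each router crossed decrements it by one, so a router N hops away sees
    initial_ttl - (N - 1); sending with initial_ttl = N makes it arrive as 1."""
    return initial_ttl - (hop_index - 1)


# Constructed addresses from the RFC 5737 documentation ranges (assumption).
ROUTER_IPV4 = ("192.0.2.1/32",)
MGMT_SOURCES = ("198.51.100.0/24",)

# The quoted term: any TCP to the router with ttl 1 is accepted (rate-limited).
ACCEPT_TRACEROUTE_TCP = Term("accept-traceroute-tcp", "accept",
                             protocol="tcp", dst_prefixes=ROUTER_IPV4, ttl=1)
ACCEPT_SSH = Term("accept-ssh", "accept", protocol="tcp",
                  src_prefixes=MGMT_SOURCES, dst_prefixes=ROUTER_IPV4,
                  dports=frozenset({22}))
DISCARD_SSH = Term("discard-ssh", "discard", protocol="tcp",
                   dst_prefixes=ROUTER_IPV4, dports=frozenset({22}))
DISCARD_ALL = Term("discard-all", "discard")

# Assumed order 1: the TTL=1 term sits ahead of the per-service terms.
AS_QUOTED = (ACCEPT_TRACEROUTE_TCP, ACCEPT_SSH, DISCARD_ALL)
# Assumed order 2: explicit per-service accept/discard pairs come first.
SERVICE_TERMS_FIRST = (ACCEPT_SSH, DISCARD_SSH, ACCEPT_TRACEROUTE_TCP, DISCARD_ALL)

if __name__ == "__main__":
    untrusted = "203.0.113.9"
    normal = Packet(untrusted, "192.0.2.1", "tcp", 22, 64)
    crafted = Packet(untrusted, "192.0.2.1", "tcp", 22, ttl_on_arrival(12, 12))
    for order, label in ((AS_QUOTED, "as quoted"),
                         (SERVICE_TERMS_FIRST, "service terms first")):
        print(f"{label:20} normal TTL -> {evaluate(order, normal)}")
        print(f"{label:20} TTL=1      -> {evaluate(order, crafted)}")
```

Running it shows the untrusted SYN to port 22 discarded at TTL 64 but accepted by accept-traceroute-tcp at TTL 1; the policer only rate-limits that path, it does not close it. Moving explicit per-service discard terms ahead of the TTL=1 term (the second order) closes port 22, but only for ports that have such a term: in the model a TTL=1 SYN to port 179 is still accepted, so anything left to the implicit discard remains reachable.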

