[j-nsp] New J-net publications: Secure the routing engine and Useful tips/tricks
Daniel Verlouw
daniel at shunoshu.net
Wed Jun 22 04:08:57 EDT 2011
Hi,
On Wed, Jun 22, 2011 at 02:01, Harry Reynolds <harry at juniper.net> wrote:
> Hey all, Please pardon the wide distribution. I recall seeing postings on this list regarding current best practices for securing Juniper Networks Routing Engines via firewall filters.
just briefly skimmed over it, good stuff!
Perhaps I'm nitpicking here, but my first thought when seeing the
following term was; this will allow anyone to access all open TCP
ports, simply by modifying their host outbound TTL so that the packets
arrive with TTL=1 at the router.
term accept-traceroute-tcp {
from {
destination-prefix-list {
router-ipv4;
router-ipv4-logical-systms;
}
protocol tcp;
ttl 1;
}
then {
policer management-1m;
count accept-traceroute-tcp;
accept;
}
}
Perhaps I misread the rest of the config or maybe I'm being paranoid,
but this something I would definitely not recommend :-)
BR, Daniel.
More information about the juniper-nsp
mailing list