[j-nsp] New J-net publications: Secure the routing engine and Useful tips/tricks

Matt Hite lists at beatmixed.com
Thu Jun 30 18:42:44 EDT 2011


You are right in that it may present too great a risk for some people
to feel comfortable adopting. Still a nice rule, if even to just use
and activate when needed. YMMV.

-M

On Wed, Jun 22, 2011 at 1:08 AM, Daniel Verlouw <daniel at shunoshu.net> wrote:
> Hi,
>
> On Wed, Jun 22, 2011 at 02:01, Harry Reynolds <harry at juniper.net> wrote:
>> Hey all, Please pardon the wide distribution. I recall seeing postings on this list regarding current best practices for securing Juniper Networks Routing Engines via firewall filters.
>
> just briefly skimmed over it, good stuff!
>
> Perhaps I'm nitpicking here, but my first thought when seeing the
> following term was; this will allow anyone to access all open TCP
> ports, simply by modifying their host outbound TTL so that the packets
> arrive with TTL=1 at the router.
>
>    term accept-traceroute-tcp {
>        from {
>            destination-prefix-list {
>                router-ipv4;
>                router-ipv4-logical-systms;
>            }
>            protocol tcp;
>            ttl 1;
>        }
>        then {
>            policer management-1m;
>            count accept-traceroute-tcp;
>            accept;
>        }
>    }
>
> Perhaps I misread the rest of the config or maybe I'm being paranoid,
> but this is something I would definitely not recommend :-)
>
> BR, Daniel.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
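The concern above is about term ordering and an attacker-controlled match condition: in a Junos firewall filter the first matching term decides, so a `protocol tcp; ttl 1` accept term placed ahead of the source-restricted management terms lets any TCP packet reach the RE's open ports once it arrives with TTL 1. The following is an added example, not code from the thread or from the Juniper publication being discussed: a small Python model of first-match term evaluation that reproduces the behaviour of the posted term and contrasts it with one tightened ordering. The router loopback, the management prefix, the SSH term and the "discard well-known TCP ports first" term are all assumptions for illustration, and the model ignores platform details such as policers and counters.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed address plan for the example (not from the thread): the
# router's own IPv4 address and a trusted management prefix.
ROUTER_IPV4 = ipaddress.ip_network("192.0.2.1/32")
MGMT_PREFIX = ipaddress.ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    ttl: int
    dport: int


@dataclass(frozen=True)
class Term:
    """One filter term: every condition that is set must match (AND)."""
    name: str
    action: str                              # "accept" or "discard"
    protocol: Optional[str] = None
    ttl: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dports: Optional[Sequence[int]] = None   # tuple or range of ports

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.ttl is not None and pkt.ttl != self.ttl:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def evaluate(terms: Sequence[Term], pkt: Packet, default: str = "discard") -> Tuple[str, str]:
    """Modelled Junos semantics: terms are tried in order and the first
    match decides; a packet matching no term hits the implicit discard."""
    for term in terms:
        if term.matches(pkt):
            return term.name, term.action
    return "implicit", default


# The term quoted in the thread: TCP to the router with ttl 1 -> accept.
ACCEPT_TRACEROUTE_TCP = Term("accept-traceroute-tcp", "accept",
                             protocol="tcp", ttl=1, dst=ROUTER_IPV4)

# Assumed neighbouring term: SSH to the RE only from the management prefix.
ACCEPT_SSH_MGMT = Term("accept-ssh-mgmt", "accept", protocol="tcp",
                       src=MGMT_PREFIX, dst=ROUTER_IPV4, dports=(22,))

# Ordering as in the concern raised: the ttl-1 term is evaluated first.
AS_POSTED = [ACCEPT_TRACEROUTE_TCP, ACCEPT_SSH_MGMT]

# One tightening (an assumption, not the publication's recommendation):
# decide the real services first, explicitly discard TCP to well-known
# ports from everyone else, and only then let ttl-1 probes through.
DISCARD_TCP_SERVICES = Term("discard-tcp-services", "discard",
                            protocol="tcp", dst=ROUTER_IPV4, dports=range(0, 1024))
TIGHTENED = [ACCEPT_SSH_MGMT, DISCARD_TCP_SERVICES, ACCEPT_TRACEROUTE_TCP]

# Constructed sample packets.
SSH_TTL1_FROM_OUTSIDE = Packet("203.0.113.7", "192.0.2.1", "tcp", ttl=1, dport=22)
SSH_FROM_MGMT_HOST = Packet("198.51.100.10", "192.0.2.1", "tcp", ttl=62, dport=22)
SSH_FROM_OUTSIDE = Packet("203.0.113.7", "192.0.2.1", "tcp", ttl=64, dport=22)
TRACEROUTE_PROBE = Packet("203.0.113.7", "192.0.2.1", "tcp", ttl=1, dport=33434)


def compare(pkt: Packet) -> dict:
    """Return the deciding term and action under both filter orderings."""
    return {"as_posted": evaluate(AS_POSTED, pkt),
            "tightened": evaluate(TIGHTENED, pkt)}


if __name__ == "__main__":
    for label, pkt in [("ssh, ttl 1, outside", SSH_TTL1_FROM_OUTSIDE),
                       ("ssh, mgmt host", SSH_FROM_MGMT_HOST),
                       ("ssh, outside", SSH_FROM_OUTSIDE),
                       ("traceroute probe", TRACEROUTE_PROBE)]:
        print(f"{label:22} {compare(pkt)}")
```

Running it shows the point of the thread: under `AS_POSTED` the TTL-1 SSH packet from an untrusted source is accepted by `accept-traceroute-tcp`, while under `TIGHTENED` it is discarded by the explicit service-port term; the legitimate management SSH session and the high-port traceroute probe are accepted in both orderings. Whether such a term belongs in the filter at all, and which ports need explicit handling before it, depends on what the RE actually exposes.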