[j-nsp] New J-net publications: Secure the routing engine and Useful tips/tricks
Matt Hite
lists at beatmixed.com
Thu Jun 30 18:42:44 EDT 2011
You are right in that it may present too great a risk for some people
to feel comfortable adopting. Still a nice rule, if even to just use
and activate when needed. YMMV.
-M
On Wed, Jun 22, 2011 at 1:08 AM, Daniel Verlouw <daniel at shunoshu.net> wrote:
> Hi,
>
> On Wed, Jun 22, 2011 at 02:01, Harry Reynolds <harry at juniper.net> wrote:
>> Hey all, Please pardon the wide distribution. I recall seeing postings on this list regarding current best practices for securing Juniper Networks Routing Engines via firewall filters.
>
> just briefly skimmed over it, good stuff!
>
> Perhaps I'm nitpicking here, but my first thought when seeing the
> following term was: this will allow anyone to access all open TCP
> ports, simply by modifying their host outbound TTL so that the packets
> arrive with TTL=1 at the router.
>
> term accept-traceroute-tcp {
>     from {
>         destination-prefix-list {
>             router-ipv4;
>             router-ipv4-logical-systms;
>         }
>         protocol tcp;
>         ttl 1;
>     }
>     then {
>         policer management-1m;
>         count accept-traceroute-tcp;
>         accept;
>     }
> }
>
> Perhaps I misread the rest of the config or maybe I'm being paranoid,
> but this is something I would definitely not recommend :-)
>
> BR, Daniel.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
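To make the concern above concrete, here is the term as quoted next to a hardened alternative. This is an added example, not text from the J-net publication or from either poster. It assumes that a TCP RST is an acceptable "final hop" answer for the TCP traceroute tools you need to support, that the per-service accept terms (SSH, BGP, and so on) sit earlier in the same filter, and that your platform supports `reject tcp-reset` for the `ttl` match in question; the term and counter names in the second block are invented for illustration.

```junos
/* Added example, not from the J-net publication or the list posters.
   Weak term as quoted in the thread: any TCP packet that reaches the
   RE with TTL 1 is accepted regardless of destination port, so a
   sender who sets its outbound TTL to the hop count reaches every
   listening TCP port, bypassing the per-service terms. */
term accept-traceroute-tcp {
    from {
        destination-prefix-list {
            router-ipv4;
            router-ipv4-logical-systms;
        }
        protocol tcp;
        ttl 1;
    }
    then {
        policer management-1m;
        count accept-traceroute-tcp;
        accept;
    }
}

/* Hardened alternative (assumed names: answer-traceroute-tcp).
   The same match is kept, but the packet is answered with a TCP RST
   by the filter instead of being handed to a listening daemon on the
   RE, so a TCP traceroute still sees the router as its final hop
   while a low-TTL SYN to ssh/bgp/etc. only gets a reset. Legitimate
   management traffic arrives with a normal TTL and is matched by the
   per-service accept terms earlier in the filter. The policer is
   dropped here because nothing is accepted; whether you want to
   rate-limit reject actions on your platform is worth checking. */
term answer-traceroute-tcp {
    from {
        destination-prefix-list {
            router-ipv4;
            router-ipv4-logical-systms;
        }
        protocol tcp;
        ttl 1;
    }
    then {
        count answer-traceroute-tcp;
        reject tcp-reset;
    }
}
```

To verify the change, run a TCP traceroute to the router and confirm the last hop is still answered, then send a SYN with the TTL set to the hop count toward a port the filter should not expose (for example the SSH port from a non-management prefix) and confirm you get a RST rather than a SYN/ACK; the `count` action lets you watch the term's hit counter in `show firewall` while you test.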