[j-nsp] Protect router from ssh/telnet DDOS attacks, or unauthorised access.

Dobbins, Roland rdobbins at arbor.net
Mon Jul 29 02:36:59 EDT 2013


On Jul 29, 2013, at 9:45 AM, Huan Pham wrote:

> I think this brings an administrative burden (to keep the interface list updated, as it might change) but that would fix my problem.

If the networks from which you allow administrative access to your network infrastructure devices keep changing, you're Doing Something Wrong, heh.

You should only allow direct access from a relatively small number of hosts, which are essentially 'jump-off' servers - i.e., you ssh into the jump-off server (hopefully using preshared keys and OTP), and then ssh from there to your routers/switches.  Your network management systems, NetFlow collection/analysis systems, confirmation management systems, et al., shouldn't change very much, either.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
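
[Added example, not part of the original message or of any configuration posted in the thread: one way to express the small, stable list of management sources described above as a Junos prefix-list and a loopback filter. The filter, term, counter and prefix-list names and all addresses are assumptions chosen for illustration.]

```junos
# Constructed example: names and addresses are placeholders
# (192.0.2.0/24 is the RFC 5737 documentation range).
policy-options {
    # Two jump-off servers and one network management system.
    prefix-list MGMT-SOURCES {
        192.0.2.10/32;
        192.0.2.11/32;
        192.0.2.20/32;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            # ssh to the router is accepted only from the listed hosts.
            term mgmt-allow {
                from {
                    source-prefix-list {
                        MGMT-SOURCES;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            # Any other ssh/telnet attempt is counted and dropped.
            term mgmt-deny {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    count mgmt-denied;
                    discard;
                }
            }
            # Assumption: all remaining traffic is accepted to keep the
            # example short; a production filter would enumerate it.
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input PROTECT-RE; } } } }
}
```

Because the filter references the prefix-list by name, a change to the management hosts touches only MGMT-SOURCES. Applying it with `commit confirmed` lets the router roll back automatically if the filter locks out your own session.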



