[j-nsp] ICMP Recommendation !!
Harri Makela
harri_makela at yahoo.com
Wed Apr 9 08:19:54 EDT 2014
Hi Guys,

Do you have any recommendations to block certain ICMP packets on Internet-facing devices as part of security compliance, i.e.

    icmp-type unreachable
    icmp-type mask-reply

A few devices are J6350:

admin@J6350# show security
ssh-known-hosts {
    host x.x.x.x {
        rsa-key xx
    }
    host x.x.x.x {
        rsa-key xx
    }
}
alg {
    dns disable;
    ftp disable;
    h323 disable;
    mgcp disable;
    msrpc disable;
    sunrpc disable;
    real disable;
    rsh disable;
    rtsp disable;
    sccp disable;
    sip disable;
    sql disable;
    talk disable;
    tftp disable;
    pptp disable;
}
forwarding-options {
    family {
        inet6 {
            mode packet-based;
        }
        mpls {
            mode packet-based;
        }
    }
}
flow {
    allow-dns-reply;
    tcp-session {
        no-syn-check;
        no-syn-check-in-tunnel;
        no-sequence-check;
    }
}

http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-security/understanding-ip-address-sweeps.html
Others are MX80

admin@MX80# show security
ssh-known-hosts {
    host x.x.x.x {
        rsa-key xx
    }
    host x.x.x.x {
        rsa-key xx
    }
}

Looking for a brief document as per JUNOS recommendation really. Any advice will be highly appreciated.
Thanks
HM