[j-nsp] Protect-re

Saku Ytti saku at ytti.fi
Tue Dec 2 02:24:25 EST 2014


I would not use the Cymru as an example. A few points on the
'router-protect-hardcore':

1) it does not enforce destination address - this allows FW filter
bypass in typical L3 MPLS VPN scenario
2) it uses 'from port X' - this allows bgp speakers to connect to any
port on your router
3) it does not use DDoS protection - this allows a trivial way to
congest the control-plane
4) it polices ssh to 1Mbps, hardly useful for scp/sftp

I didn't review other parts of the suggestion.

On 27 November 2014 at 08:42,  <sthaug at nethelp.no> wrote:
>> http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/
>
> Also worth looking at: http://www.team-cymru.org/ReadingRoom/Templates/
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no



-- 
  ++ytti
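
Added example, not part of the original message and not taken from the Cymru template: a small check for points 1 and 2 above, run over a Junos filter in "set" format. The filter, term and prefix-list names in the sample are constructed for illustration; points 3 and 4 are not covered.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format; all names here are made up.
SAMPLE = """\
set firewall family inet filter protect-re term bgp-weak from source-prefix-list bgp-peers
set firewall family inet filter protect-re term bgp-weak from protocol tcp
set firewall family inet filter protect-re term bgp-weak from port bgp
set firewall family inet filter protect-re term bgp-weak then accept
set firewall family inet filter protect-re term bgp-in from source-prefix-list bgp-peers
set firewall family inet filter protect-re term bgp-in from destination-prefix-list router-loopbacks
set firewall family inet filter protect-re term bgp-in from protocol tcp
set firewall family inet filter protect-re term bgp-in from destination-port bgp
set firewall family inet filter protect-re term bgp-in then accept
set firewall family inet filter protect-re term ssh from source-prefix-list mgmt
set firewall family inet filter protect-re term ssh from protocol tcp
set firewall family inet filter protect-re term ssh from destination-port ssh
set firewall family inet filter protect-re term ssh then accept
"""

LINE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)")
DEST_MATCHES = {"destination-address", "destination-prefix-list"}

def lint(config):
    """Return {(filter, term): [findings]} for terms that accept traffic."""
    conds, accepts = defaultdict(set), set()
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if m.group(3) == "from":
            conds[key].add(m.group(4))       # name of the match condition
        elif m.group(4) == "accept":
            accepts.add(key)
    findings = {}
    for key in sorted(accepts):
        issues = []
        if not conds[key] & DEST_MATCHES:    # point 1: destination not enforced
            issues.append("no destination address match")
        if "port" in conds[key]:             # point 2: matches source OR destination port
            issues.append("'port' matches source or destination port")
        if issues:
            findings[key] = issues
    return findings

if __name__ == "__main__":
    for (flt, term), issues in lint(SAMPLE).items():
        print(f"{flt}/{term}: {'; '.join(issues)}")
```
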

