[j-nsp] Loopback Filter - NTP Question

Paul Stewart paul at paulstewart.org
Tue Feb 4 14:43:47 EST 2014


Hi there

We are still finding some JunOS devices vulnerable in our network to the NTP
issue.  For devices with an IP address on the loopback this has proven to be
just an update to existing firewall filters where we allow the remote NTP
servers we query from and include the loopback IP itself.

Most of the remaining devices do not have an IP address on the loopback,
which has presented a new challenge we were not expecting.  If we apply an
updated loopback firewall filter and attempt to filter NTP only to specific
sources, it will fail every time if there is no actual IP address on the
loopback.

Juniper says we must put an IP address on the loopback to work around this
issue so I am wondering what other folks are doing in these specific
situations? 

There are several options, of which the best, to me, would be to have Juniper
actually fix this issue with a proper NTP implementation.

Thanks for any input

Paul
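
Added example (not part of the original post, and not the poster's or Juniper's own configuration): a loopback filter of the kind described above, for the case where lo0 does carry an address. The filter, term and prefix-list names are hypothetical and all addresses are constructed from documentation ranges.

```junos
policy-options {
    /* Constructed values: remote NTP servers the device queries, plus
       the device's own lo0 address, as the post describes. */
    prefix-list ntp-allowed {
        192.0.2.1/32;       /* this device's lo0 address (assumed) */
        198.51.100.10/32;   /* remote NTP server (assumed) */
        198.51.100.11/32;   /* remote NTP server (assumed) */
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Accept NTP only from the listed sources. */
            term ntp-allowed {
                from {
                    source-prefix-list {
                        ntp-allowed;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            /* Drop every other NTP packet addressed to the routing engine. */
            term ntp-other {
                from {
                    protocol udp;
                    port ntp;
                }
                then discard;
            }
            /* Stand-in for the remaining terms of an existing filter. */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 192.0.2.1/32;
            }
        }
    }
}
```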