[j-nsp] NTP Reflection
Mark Tees
marktees at gmail.com
Mon Jan 13 21:31:07 EST 2014
Thanks John,

I should have been more specific about what I meant.

Just filtering for NTP traffic in a firewall filter is fine and easy.
What I was referring to was a detailed ACL/Filter for lo0 that only allows
traffic for enabled services on the routing engine.

For example, if Juniper posted a firewall filter template with all the
possible services, customers could then activate/deactivate what they need
from the policy and log fails before discarding etc.

There was a very good example in the Juniper MX series book under the
security section.

What I am getting at is that Juniper should be providing security templates
like this in a KB article. It should be straightforward, easy-to-access
information. Not "Oh, NTP attacks are the flavour of the day! We better
post a security KB article about it."

Much like what is listed here except maintained by Juniper and detailed
enough to include everything enabled:

http://www.cymru.com/gillsr/documents/junos-template.htm

In the meantime I will use the example from the MX series book in my
config templates.

Mark

On Tue, Jan 14, 2014 at 1:10 PM, John Kristoff <jtk at cymru.com> wrote:
> On Tue, 14 Jan 2014 12:38:12 +1100
> Mark Tees <marktees at gmail.com> wrote:
>
> > Can we get detailed lo0 filters listed too please?
>
> Hi Mark,
>
> While I'll defer to Juniper for their recommendations, we've had this
> for some time (scroll down to the Juniper section):
>
> <http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html>
>
> John
>
--
Regards,
Mark L. Tees