[j-nsp] NTP Reflection

Mark Tees marktees at gmail.com
Mon Jan 13 21:31:07 EST 2014


Thanks John,

I should have been more specific about what I meant.

Just filtering for NTP traffic in a firewall filter is fine and easy.

What I was referring to was a detailed ACL/Filter for lo0 that only allows
traffic for enabled services on the routing engine.

For example, if Juniper posted a firewall filter template with all the
possible services, customers could then activate/deactivate what they need
from the policy and log fails before discarding etc.

There was a very good example in the Juniper MX series book under the
security section.

What I am getting at is that Juniper should be providing security templates
like this in a KB article. It should be straightforward, easy to access
information. Not "Oh, NTP attacks are the flavour of the day! We better
post a security KB article about it."

Much like what is listed here except maintained by Juniper and detailed
enough to include everything enabled:
http://www.cymru.com/gillsr/documents/junos-template.htm

In the meantime I will use the example from the MX series book in my
config templates.

Mark


On Tue, Jan 14, 2014 at 1:10 PM, John Kristoff <jtk at cymru.com> wrote:

> On Tue, 14 Jan 2014 12:38:12 +1100
> Mark Tees <marktees at gmail.com> wrote:
>
> > Can we get detailed lo0 filters listed too please?
>
> Hi Mark,
>
> While I'll defer to Juniper for their recommendations, we've had this
> for some time (scroll down to the Juniper section):
>
>   <http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html>
>
> John
>



-- 
Regards,

Mark L. Tees
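
Added example, not part of the original message and not taken from the MX series book, a Juniper KB or the Team Cymru templates: a Junos configuration fragment showing the shape of the lo0 filter described above, with one per-service term (NTP) and a final term that logs before discarding. The names protect-re, ntp-servers, the term names and the counter name are assumptions chosen for illustration. A production filter needs an equivalent accept term for every other service enabled on the routing engine (routing protocols, SSH, SNMP and so on) ahead of the final term, or that traffic is discarded too.

```junos
policy-options {
    /* Built from the configuration itself, so the allowed sources
       always match the servers under "system ntp server". */
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            /* One term per enabled service; deactivate a term when
               the service is not in use. */
            term ntp-from-configured-servers {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            /* Everything not explicitly accepted above is counted and
               logged before it is dropped. */
            term log-and-discard {
                then {
                    count protect-re-discard;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```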

