[j-nsp] NTP Reflection

Ben Dale bdale at comlinx.com.au
Mon Jan 13 22:52:51 EST 2014


On 14 Jan 2014, at 12:31 pm, Mark Tees <marktees at gmail.com> wrote:

> What I was referring to was a detailed ACL/Filter for lo0 that only allows
> traffic for enabled services on the routing engine.
> 
> For example if Juniper posted a firewall filter template with all the
> possible services customers could then activate/deactivate what they need
> from the policy and log fails before discarding etc.

What you think you're after is "show system connections" which is more or less "netstat -an" and shows all ports that are listening on your RE - you can now filter at will.

Providing a list of every service for people to modify is not going to solve these problems - "Oh hey, I'm using NTP, I'd better enable all those rules".

What you actually want is an ACL with ONLY the services you've actually configured and understand from the source/destinations you're using them from and deny all else - then you *mostly* don't need to worry about this sort of thing.

If your employer is too tight to spring for the MX book (worth every cent and then some), the following free Day One books will provide everything you're after (sign up for a J-Net login if you don't already have one):

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/
http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hardening-junos-devices-checklist/
http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/

Ben
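The filter Ben describes, written out as a Junos configuration fragment for the NTP case that started this thread. This is an added example, not part of Ben's post or of the Day One books he links: it accepts NTP on lo0 only from the servers already configured under [system ntp] (pulled in with apply-path, so the prefix list tracks the configuration) and from the RE itself, logs and discards NTP from anyone else so the box cannot be used as a reflector, and discards everything that no earlier term accepted. The filter name protect-re, the prefix-list names and the counter names are assumptions; the terms for the other services you actually run (SSH from your management prefixes, BGP from your peers, ICMP, and so on) must be added before the final term, or committing this as shown will lock you out of everything except NTP.

```junos
policy-options {
    /* Assumed name; apply-path keeps the list in step with [system ntp server ...] */
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
    /* The RE's own ntpd queries itself over loopback; without this term ntpq and
       "show ntp status" on the box break once the filter is applied */
    prefix-list localhost {
        127.0.0.1/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* NTP accepted only from configured servers and from the RE itself */
            term accept-ntp {
                from {
                    source-prefix-list {
                        ntp-servers;
                        localhost;
                    }
                    protocol udp;
                    source-port 123;
                    destination-port 123;
                }
                then {
                    count accept-ntp;
                    accept;
                }
            }
            /* NTP from anyone else: count it, send it to syslog, drop it.
               This is what stops the RE answering monlist-style queries from the Internet */
            term discard-unsolicited-ntp {
                from {
                    protocol udp;
                    destination-port 123;
                }
                then {
                    count discard-unsolicited-ntp;
                    syslog;
                    discard;
                }
            }
            /* Terms for the other services you have actually configured belong here,
               each restricted to the sources you expect them from */
            /* Default deny: whatever no term above accepted is logged and dropped */
            term discard-everything-else {
                then {
                    count discard-everything-else;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Before committing, confirm with "show system connections | match 123" that ntpd is actually what is listening on UDP 123, and commit with "commit confirmed" so a mistake in the filter rolls back on its own. Afterwards, "show firewall filter protect-re" shows the per-term counters: hits on discard-unsolicited-ntp are the reflection attempts the filter is now absorbing, and hits on discard-everything-else tell you which services you forgot to add a term for, with the offending sources in the syslog messages.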
