[j-nsp] NTP Reflection

Mark Tees marktees at gmail.com
Mon Jan 13 23:10:09 EST 2014


Thanks Ben I will review those links.

I have the MX book and have read a decent portion of it. That's what I was
referring to. A quick glance shows some similar examples as to what was in
the MX book. Same author so it makes sense.


On Tue, Jan 14, 2014 at 2:52 PM, Ben Dale <bdale at comlinx.com.au> wrote:

>
> On 14 Jan 2014, at 12:31 pm, Mark Tees <marktees at gmail.com> wrote:
>
> > What I was referring to was a detailed ACL/Filter for lo0 that only
> allows
> > traffic for enabled services on the routing engine.
> >
> > For example if Juniper posted a firewall filter template with all the
> > possible services customers could then activate/deactivate what they need
> > from the policy and log fails before discarding etc.
>
> What you think you're after is "show system connections" which is more or
> less "netstat -an" and shows all ports that are listening on your RE - you
> can now filter at will.
>
> Providing a list of every service for people to modify is not going to
> solve these problems - "Oh hey, I'm using NTP, I'd better enable all those
> rules"..
>
> What you actually want is an ACL with ONLY the services you've actually
> configured and understand from the source/destinations you're using them
> from and deny all else - then you *mostly* don't need to worry about this
> sort of thing.
>
> If your employer is too tight to spring for the MX book (worth every cent
> and then some), the following free Day One books will provide everything
> you're after (sign up for a J-Net login if you don't already have one):
>
>
> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/
>
> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hardening-junos-devices-checklist/
>
> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/
>
> Ben




-- 
Regards,

Mark L. Tees
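A lo0 filter built the way Ben describes (only the services actually configured, only from the sources they are used with, deny and log the rest), as an added example that is not from the thread or from the Juniper books linked above; the filter and term names, the management prefix and the counter name are assumed placeholders:

```junos
/* Added example, not from the thread. Names and prefixes are assumed. */
policy-options {
    /* Take the NTP peers from the configured servers themselves, so the
       filter cannot drift away from what "system ntp" actually uses. */
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
    prefix-list mgmt-hosts {
        192.0.2.0/24;            /* assumed management range */
    }
}
firewall {
    family inet {
        filter protect-re {
            /* NTP only between the RE and the servers it polls; nobody
               else reaches the RE's NTP process. */
            term allow-ntp {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            term allow-ssh {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Everything not explicitly allowed is logged, counted, dropped. */
            term deny-rest {
                then {
                    log;
                    count denied-to-re;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Enumerate the RE's listeners with "show system connections" as Ben suggests and add an accept term for each one you actually run (routing protocols, ICMP, DNS, SNMP) ahead of deny-rest, or they will be discarded along with the noise. Watching the denied-to-re counter and the firewall log for a while before tightening further shows what the final term is catching.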
