[j-nsp] NTP Reflection

joel jaeggli joelja at bogus.com
Tue Jan 14 13:07:59 EST 2014


On 1/13/14, 8:10 PM, Mark Tees wrote:
> Thanks Ben I will review those links.
> 
> I have the MX book and have read a decent portion of it. That's what I was
> referring to. A quick glance shows some similar examples as to what was in
> the MX book. Same author so it makes sense.

RFC 6192

http://tools.ietf.org/search/rfc6192

Has good examples of Juniper and Cisco control-plane ACLs for IPv4 and IPv6.

Doug's book is as you noted also rather good.

IMHO this is basic belt and suspenders for router deployment and
everyone should do this.

> 
> On Tue, Jan 14, 2014 at 2:52 PM, Ben Dale <bdale at comlinx.com.au> wrote:
> 
>>
>> On 14 Jan 2014, at 12:31 pm, Mark Tees <marktees at gmail.com> wrote:
>>
>>> What I was referring to was a detailed ACL/Filter for lo0 that only
>>> allows traffic for enabled services on the routing engine.
>>>
>>> For example if Juniper posted a firewall filter template with all the
>>> possible services customers could then activate/deactivate what they need
>>> from the policy and log fails before discarding etc.
>>
>> What you think you're after is "show system connections" which is more or
>> less "netstat -an" and shows all ports that are listening on your RE - you
>> can now filter at will.
>>
>> Providing a list of every service for people to modify is not going to
>> solve these problems - "Oh hey, I'm using NTP, I'd better enable all those
>> rules"..
>>
>> What you actually want is an ACL with ONLY the services you've actually
>> configured and understand from the source/destinations you're using them
>> from and deny all else - then you *mostly* don't need to worry about this
>> sort of thing.
>>
>> If your employer is too tight to spring for the MX book (worth every cent
>> and then some), the following free Day One books will provide everything
>> you're after (sign up for a J-Net login if you don't already have one):
>>
>>
>> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/
>>
>> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hardening-junos-devices-checklist/
>>
>> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/
>>
>> Ben
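The filter Ben describes, written out as an added example (this is not code from the thread, from RFC 6192 or from the Day One books): a minimal IPv4 lo0 filter that admits NTP only from the servers configured under "system ntp", BGP only from configured neighbours, SSH only from a management prefix, and counts, logs and discards everything else aimed at the RE. The filter name PROTECT-RE, the prefix-list names, the 192.0.2.0/24 management range and the assumption that the RE's ntpd sends from and listens on UDP/123 are mine, not the thread's; the apply-path trick builds the allow-lists from the live configuration so the filter cannot drift out of sync with it.

```junos
/* Added example, not from the thread or the Day One books. Names, the
   management prefix and the NTP port assumption are mine; adjust them. */
policy-options {
    /* Derive the allow-lists from what is actually configured. */
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
    prefix-list bgp-neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    prefix-list mgmt-hosts {
        192.0.2.0/24;    /* assumed management network (RFC 5737 range) */
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* NTP: only replies from the servers we query. Assumes the RE's
               ntpd uses UDP/123 as both source and destination port. */
            term ntp-servers {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    source-port ntp;
                    destination-port ntp;
                }
                then {
                    count ntp-servers;
                    accept;
                }
            }
            /* ntpd on the RE also talks to itself over the loopback address. */
            term ntp-local {
                from {
                    source-address {
                        127.0.0.1/32;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* BGP only from configured neighbours; "port bgp" matches
               the session whichever side opened it. */
            term bgp {
                from {
                    source-prefix-list {
                        bgp-neighbors;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term ssh-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Everything else aimed at the RE, including NTP queries from
               the internet: count it, log it, drop it. This term is what
               stops the box answering reflection probes. */
            term discard-rest {
                then {
                    count discard-rest;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Before committing, enumerate what the RE is really listening on with "show system connections" (the NTP socket shows up as *.123) and add a term for every service you find and actually use: ICMP, DNS, SNMP, RADIUS/TACACS+, return traffic for sessions the router opens, and so on. Commit with "commit confirmed" so a missing term cannot lock you out, then watch "show firewall filter PROTECT-RE" and the firewall log for hits on discard-rest. IPv6 needs the same treatment under family inet6; RFC 6192 shows both.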