[j-nsp] NTP Reflection

Nitzan Tzelniker nitzan.tzelniker at gmail.com
Tue Jan 14 13:51:45 EST 2014


There is a very detailed Day One book:

Securing the Routing Engine on M, MX, and T Series

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

Nitzan


On Tue, Jan 14, 2014 at 8:07 PM, joel jaeggli <joelja at bogus.com> wrote:

> On 1/13/14, 8:10 PM, Mark Tees wrote:
> > Thanks Ben I will review those links.
> >
> > I have the MX book and have read a decent portion of it. That's what I was
> > referring to. A quick glance shows some similar examples as to what was in
> > the MX book. Same author so it makes sense.
>
> RFC 6192
>
> http://tools.ietf.org/search/rfc6192
>
> Has good examples of Juniper and Cisco control-plane ACLs for IPv4 and
> IPv6.
>
> Doug's book is as you noted also rather good.
>
> IMHO this is basic belt and suspenders for router deployment and
> everyone should do this.
>
> >
> > On Tue, Jan 14, 2014 at 2:52 PM, Ben Dale <bdale at comlinx.com.au> wrote:
> >
> >>
> >> On 14 Jan 2014, at 12:31 pm, Mark Tees <marktees at gmail.com> wrote:
> >>
> >>> What I was referring to was a detailed ACL/Filter for lo0 that only
> >>> allows traffic for enabled services on the routing engine.
> >>>
> >>> For example if Juniper posted a firewall filter template with all the
> >>> possible services customers could then activate/deactivate what they
> >>> need from the policy and log fails before discarding etc.
> >>
> >> What you think you're after is "show system connections" which is more
> >> or less "netstat -an" and shows all ports that are listening on your RE -
> >> you can now filter at will.
> >>
> >> Providing a list of every service for people to modify is not going to
> >> solve these problems - "Oh hey, I'm using NTP, I'd better enable all
> >> those rules"..
> >>
> >> What you actually want is an ACL with ONLY the services you've actually
> >> configured and understand from the source/destinations you're using them
> >> from and deny all else - then you *mostly* don't need to worry about
> >> this sort of thing.
> >>
> >> If your employer is too tight to spring for the MX book (worth every
> >> cent and then some), the following free Day One books will provide
> >> everything you're after (sign up for a J-Net login if you don't already
> >> have one):
> >>
> >> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/
> >>
> >> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hardening-junos-devices-checklist/
> >>
> >> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/
> >>
> >> Ben
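Ben's advice above (accept only the services you have actually configured, from the sources you use them from, log and deny everything else) applied to the NTP case this thread is about, as an added Junos configuration example. It is not from the thread, the Day One book or RFC 6192. The filter and prefix-list names, the 192.0.2.0/24 management range and the assumption that only management hosts should query the RE's NTP service are mine; the ntp-servers prefix-list is derived from the router's own "system ntp server" statements via apply-path, so it tracks whatever servers are configured.

```junos
policy-options {
    /* Assumed management range (RFC 5737 documentation space). */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
    /* Built automatically from the router's own "system ntp server" statements. */
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            /* A generic "enable NTP" template term would be
               from { protocol udp; port ntp; } then accept;
               which admits UDP/123 from anywhere. The three terms below
               replace it with the sources the RE actually talks to. */
            /* Replies from the servers we configured (server source port 123). */
            term ntp-from-servers {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            /* Assumption: only management hosts may query the RE's NTP service. */
            term ntp-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Everything else aimed at UDP/123 is counted, logged and dropped. */
            term ntp-other {
                from {
                    protocol udp;
                    port ntp;
                }
                then {
                    count ntp-discarded;
                    log;
                    discard;
                }
            }
            /* Management access from the management network only. */
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* One term per remaining service listed by "show system connections"
               (BGP from configured peers, OSPF, SNMP from the NMS, ...) goes here. */
            /* Final deny: logged so a forgotten service shows up in "show firewall log". */
            term default-discard {
                then {
                    count re-discarded;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

The fragment only shows the NTP terms, one management term and the final discard; because the last term drops everything not matched above it, every service the RE really uses (compare against "show system connections") needs its own accept term before it, and the first commit of such a filter is best done with "commit confirmed" so a missing term does not lock you out. "show firewall filter protect-re" then gives per-term counters, and "show firewall log" lists what the discard terms are dropping.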