[j-nsp] Core network design for an ISP
Raphael Mazelier
raph at futomaki.net
Tue Mar 29 15:51:26 EDT 2016
On 29/03/2016 15:46, Saku Ytti wrote:
> That is just 10min look. It's very complicated approach yet not
> particularly secure one. But at least it's less broken than Cymru
> secure template.
>
>
> A few basic principles:
> a) never use 'port', all bidir TCP needs 'active' and 'passive' rule separately
> b) never use prefix-list, always directional source/destination
> c) if you run l3 mpls vpn, always verify 'destination-address'
> d) have a long list of permit/allow, then a single discard at the end
> e) if a standard makes a statement about TTL/hop-limit, use it, it's super
> critical for ICMPv6 ND particularly
> f) only use 'tcp-established' to make a rule more strict, not to have
> some handy catch-all return traffic permitter
> g) avoid a high level of abstraction, people will need to be able to
> review it, preferably fast, bitrot is a serious problem
>
>
I have always found RE protection filters over-complicated and error
prone. I stand with my very simple filter (8 terms), which is far from
perfect (and it breaks one of your rules), but at least it was understandable
and works in my environment.
The easy part is to protect from the outside; you can even use private
IPs on your core, or better, dedicate a public subnet not announced in the
DMZ.
The difficult part is to protect your core from your customers. And then
filter BGP, VRRP, etc...
I think a collaborative repo on GitHub from different sources should be
helpful for all of us (I've grabbed many filters over the years, and
can publish them if someone is interested).
--
Raphael Mazelier
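As an added illustration of principles a) through f) quoted above (not a filter from either poster, and not their environment), here is a Junos lo0 input filter fragment; the peer address 198.51.100.2 and loopback 192.0.2.1 are constructed placeholders, and the term names and counter names are made up for the example:

```junos
firewall {
    family inet {
        filter RE-PROTECT-V4 {
            /* a)+f): sessions the RE initiated only ever receive packets from the peer's port 179, never a bare SYN, so tcp-established tightens the term instead of widening it */
            term bgp-active {
                from {
                    /* 198.51.100.2 = BGP peer, 192.0.2.1 = our lo0; both constructed placeholders */
                    source-address { 198.51.100.2/32; }
                    destination-address { 192.0.2.1/32; }
                    protocol tcp;
                    source-port 179;
                    tcp-established;
                }
                then accept;
            }
            /* a): peer-initiated sessions land on our port 179; b)+c): explicit source and destination on every term, no prefix-list */
            term bgp-passive {
                from {
                    source-address { 198.51.100.2/32; }
                    destination-address { 192.0.2.1/32; }
                    protocol tcp;
                    destination-port 179;
                }
                then accept;
            }
            /* d): further permit terms (VRRP, management SSH, ...) go here, followed by one explicit, counted and logged discard */
            term discard-all {
                then { count re-v4-discard; log; discard; }
            }
        }
    }
    family inet6 {
        filter RE-PROTECT-V6 {
            /* e): RFC 4861 requires ND messages to arrive with hop-limit 255, so only an on-link sender can match this term */
            term icmp6-nd {
                from {
                    next-header icmp6;
                    icmp-type [ neighbor-solicit neighbor-advertisement router-advertisement ];
                    hop-limit 255;
                }
                then accept;
            }
            term discard-all {
                then { count re-v6-discard; discard; }
            }
        }
    }
}
```

Apply it with `set interfaces lo0 unit 0 family inet filter input RE-PROTECT-V4` and the `family inet6` equivalent, and confirm your platform supports the `hop-limit` match before relying on it.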