[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Drew Weaver drew.weaver at thenap.com
Wed Jul 11 15:09:01 EDT 2018


Have you tried submitting your recommendations to the authors?

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Wednesday, July 11, 2018 3:07 PM
To: cboyd at gizmopartners.com
Cc: Juniper List <juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

I'd say the filters are all kind of broken.

Just a few issues:

a) You can't just limit UDP to 2Mbps on every edge port
b) LO filter matches on 'port'
c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
d) hardcore doesn't permit traceroute

Just a very short review; to me, just these errors are a monumental misunderstanding of security and the goals of filters. To me, starting from nothing is superior to starting from those.

On Wed, 11 Jul 2018 at 21:23, Chris Boyd <cboyd at gizmopartners.com> wrote:
>
> > On Jul 11, 2018, at 1:17 PM, Drew Weaver <drew.weaver at thenap.com> wrote:
> >
> > Is there a list of best practices or 'things to think about' when constructing a firewall filter for a loopback on an MX series router running version 15 of Junos?
> >
> > I'm slowly piecing it together by just 'seeing what is broken next' and I have found some issue specific examples on Juniper.net thus far that tend to help with some of the issues but if anyone has ever seen a decent comprehensive guide that would be tremendously useful.
> >
> > If anyone has seen anything like this, let me know; if not, no worries, I will just keep fixing the things one by one =)
>
> Team Cymru has a “JunOS Secure Template” that I found a good place to start. It quotes version 4 though.  I think that means it’s well tested?
>
> http://www.cymru.com/gillsr/documents/junos-template.pdf
>
> —Chris
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/juniper-nsp



--
  ++ytti
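Added example (not from the thread or from the Team Cymru template): a minimal lo0 filter skeleton written to address Saku's four points. It is an illustration, not a drop-in config; the prefix-list names, the policer numbers and the set of accepted services are assumptions and must be adapted to the box. What it shows: `destination-port`/`source-port` instead of the bidirectional `port` match (point b; `port 22` would also accept any packet whose *source* port is 22, to any destination port), explicit accept terms for each control-plane service followed by a logged discard of everything else (point c), the UDP traceroute probe range and the ICMP types traceroute and ping depend on (point d), and a policer that is applied only to RE-bound ICMP on lo0 rather than to all UDP on every edge port (point a). A matching `family inet6` filter is needed as well and is not shown.

```junos
/* Assumed prefix-lists. apply-path builds the BGP list from configured neighbors. */
policy-options {
    prefix-list bgp-neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    prefix-list mgmt-hosts {
        192.0.2.0/24;          /* assumed management range, constructed for the example */
    }
}
firewall {
    /* Assumed numbers; only RE-bound ICMP is policed, never transit traffic on edge ports. */
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* BGP: the router may be initiator or responder, so accept both
               directions explicitly instead of the ambiguous "port bgp",
               and only from configured neighbors. */
            term bgp-in {
                from {
                    source-prefix-list { bgp-neighbors; }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term bgp-out-replies {
                from {
                    source-prefix-list { bgp-neighbors; }
                    protocol tcp;
                    source-port bgp;
                }
                then accept;
            }
            /* SSH: destination-port only, so a spoofed source-port 22 buys nothing. */
            term ssh {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Traceroute to the router itself: the probes are UDP to 33434-33534 and the
               router must see them to answer with ICMP port-unreachable. */
            term traceroute-udp {
                from {
                    protocol udp;
                    destination-port 33434-33534;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* ICMP needed for ping, traceroute replies and PMTUD, rate-limited. */
            term icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply time-exceeded unreachable ];
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Everything else: count and log so misses are visible, then drop. */
            term discard-rest {
                then {
                    count discard-rest;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Before committing something like this, `show firewall filter protect-re` and the syslog from `discard-rest` tell you which services you forgot (NTP, DNS replies, OSPF/IS-IS, LDP, RSVP, SNMP, VRRP and so on each need their own narrow term); `commit confirmed` is the safety net for a filter that locks you out of the box.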

