[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
Saku Ytti
saku at ytti.fi
Thu Jul 12 06:54:23 EDT 2018
I have not.

But to answer your question broadly:

a) allow in very specific terms what you want to accept
- always match on source IP (except UDP traceroute and ICMP, which you'll need to accept from world)
- always match on destination IP, if you run any L3 MPLS VPN
- always match on destination port, either service port, BGP, SSH etc or JunOS ephemeral (49160-65535) (TCP requires 2 terms, one per direction)
- always match on TTL/hop-count 255 when permitted (VRRP, ND)
- decide your policy on IP options, and ensure lo0 implements that (transit IP-options are today subject to lo0. They were not in earlier JunOS, not even on Trio)
- be sure that source IPs you allow cannot be spoofed. If I want to DDoS your network, first source address spoofs I'll try are ftp.juniper.net, ftp.cisco.com etc. Ensure you don't admit anything like that to control-plane
b) discard rest
c) implement ddos-protection
- configure _every_ protocol, set 10-100pps aggregate for protocols you don't know you need
- disable sub detection, enable ifl detection
- set ifl limit to 10th or 5th of aggregate at most (so you need >5 or >10 violating ifl to congest aggregate)
- have three categories 'don't care', 'care, but not customer impacting', 'customer impacting'. I'd recommend no more than 100pps, 4000pps and 8000pps aggregates per category. There is built-in magic policer from NPU=>LC_CPU, you can't review its drops nor can you reconfigure it, but you MUST NOT congest it, as it will drop packets blindly contract-unaware.
On Wed, 11 Jul 2018 at 22:09, Drew Weaver <drew.weaver at thenap.com> wrote:
>
> Have you tried submitting your recommendations to the authors?
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
> Sent: Wednesday, July 11, 2018 3:07 PM
> To: cboyd at gizmopartners.com
> Cc: Juniper List <juniper-nsp at puck.nether.net>
> Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
>
> I'd say the filters are all kind of broken.
>
> Just a few issues
>
> a) You can't just limit UDP to 2Mbps on every edge port
> b) LO filter matches on 'port'
> c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
> d) hardcore doesn't permit traceroute
>
> Just very short review, to me just these errors are monumental misunderstanding of security and goals of filters. To me starting from nothing is superior to starting from those.
>
> On Wed, 11 Jul 2018 at 21:23, Chris Boyd <cboyd at gizmopartners.com> wrote:
> >
> >
> >
> > > On Jul 11, 2018, at 1:17 PM, Drew Weaver <drew.weaver at thenap.com> wrote:
> > >
> > > Is there a list of best practices or 'things to think about' when constructing a firewall filter for a loopback on an MX series router running version 15 of Junos?
> > >
> > > I'm slowly piecing it together by just 'seeing what is broken next' and I have found some issue specific examples on Juniper.net thus far that tend to help with some of the issues but if anyone has ever seen a decent comprehensive guide that would be tremendously useful.
> > >
> > > If anyone has seen anything like this let me know, if not no worries
> > > will just keep fixing the things one by one =)
> >
> > Team Cymru has a “JunOS Secure Template” that I found a good place to start. It quotes version 4 though. I think that means it’s well tested?
> >
> > http://www.cymru.com/gillsr/documents/junos-template.pdf
> >
> > —Chris
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
> ++ytti
--
++ytti
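As an added example (not from the thread, and not Juniper's or Team Cymru's template), a Junos fragment applying a), b) and c) above for one protocol: the filter and prefix-list names, the 192.0.2.1 loopback and 198.51.100.x peer addresses, the 64k traceroute policer and the bgp ddos-protection numbers are all assumptions.

```junos
/* Added example: names, addresses and rates below are assumptions, not values from the thread */
policy-options {
    prefix-list my-loopbacks { 192.0.2.1/32; }
    prefix-list bgp-peers { 198.51.100.1/32; 198.51.100.2/32; }
}
firewall {
    policer traceroute-64k { if-exceeding { bandwidth-limit 64k; burst-size-limit 15k; } then discard; }
    family inet {
        filter protect-re {
            /* a) match source, destination and port; TCP needs one term per direction */
            term bgp-inbound {
                from {
                    source-prefix-list { bgp-peers; }
                    destination-prefix-list { my-loopbacks; }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term bgp-replies {
                from {
                    source-prefix-list { bgp-peers; }
                    destination-prefix-list { my-loopbacks; }
                    protocol tcp;
                    source-port bgp;
                    destination-port 49160-65535; /* JunOS ephemeral range */
                }
                then accept;
            }
            /* link-local peers can't be pinned to a source, so require TTL 255 instead */
            term vrrp { from { protocol vrrp; ttl 255; } then accept; }
            /* UDP traceroute has to be accepted from the world, so police it rather than open it */
            term traceroute { from { protocol udp; destination-port 33434-33523; } then { policer traceroute-64k; accept; } }
            /* b) discard rest, counted so the drops are visible */
            term discard-rest { then { count protect-re-discards; discard; } }
        }
    }
}
interfaces { lo0 { unit 0 { family inet { filter { input protect-re; } } } } }
/* c) one 'customer impacting' protocol: 4000pps aggregate, sub detection off, ifl detection on, ifl limit 1/5 of aggregate */
system { ddos-protection {
    global { flow-detection; }
    protocols { bgp { aggregate {
        bandwidth 4000; burst 4000;
        flow-level-detection { subscriber off; logical-interface on; }
        flow-level-bandwidth { logical-interface 800; }
    } } }
} }
```

The ttl match and per-ifl flow detection are MX/Trio features, so check both against your release before relying on them, and watch the protect-re-discards counter after commit to see what you forgot to permit.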