[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Drew Weaver drew.weaver at thenap.com
Thu Jul 12 09:51:14 EDT 2018


This is probably a silly question but do you have any idea why ftp, http, and https show up as open ports in a port scan on an MX80 even when the services are unconfigured?

Not shown: 997 filtered ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
443/tcp open  https

[drew at nessie drew]# wget http://10.1.25.156
--2018-07-12 09:49:28--  http://10.1.25.156/
Connecting to 10.1.25.156:80... connected.
HTTP request sent, awaiting response...

drew at chuck> show configuration system services 
ssh {
    root-login deny;
}

Thanks,
-Drew

-----Original Message-----
From: Saku Ytti [mailto:saku at ytti.fi] 
Sent: Thursday, July 12, 2018 6:54 AM
To: Drew Weaver <drew.weaver at thenap.com>
Cc: cboyd at gizmopartners.com; Juniper List <juniper-nsp at puck.nether.net>
Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

I have not.

But to answer your question broadly:

a) allow in very specific terms what you want to accept
   - always match on source IP (except UDP traceroute and ICMP, which you'll need to accept from world)
   - always match on destination IP, if you run any L3 MPLS VPN
   - always match on destination port, either service port, BGP, SSH etc or JunOS ephemeral (49160-65535) (TCP requires 2 terms, one per direction)
   - always match on TTL/hop-count 255 when permitted (VRRP, ND)
   - decide your policy on IP options, and ensure lo0 implements that (transit IP-options are today subject to lo0. They were not in earlier JunOS, not even on Trio)
   - be sure that source IPs you allow cannot be spoofed. If I want to DDoS your network, the first source address spoofs I'll try are ftp.juniper.net, ftp.cisco.com etc. Ensure you don't admit anything like that to control-plane
b) discard rest
c) implement ddos-protection
   - configure _every_ protocol, set 10-100pps aggregate for protocols you don't know you need
   - disable sub detection, enable ifl detection
   - set ifl limit to 10th or 5th of aggregate at most (so you need >5 or >10 violating ifl to congest aggregate)
   - have three categories 'don't care', 'care, but not customer impacting', 'customer impacting'. I'd recommend no more than 100pps, 4000pps and 8000pps aggregates per category. There is a built-in magic policer from NPU=>LC_CPU; you can't review its drops nor can you reconfigure it, but you MUST NOT congest it, as it will drop packets blindly contract-unaware.



On Wed, 11 Jul 2018 at 22:09, Drew Weaver <drew.weaver at thenap.com> wrote:
>
> Have you tried submitting your recommendations to the authors?
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
> Sent: Wednesday, July 11, 2018 3:07 PM
> To: cboyd at gizmopartners.com
> Cc: Juniper List <juniper-nsp at puck.nether.net>
> Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
>
> I'd say the filters are all kind of broken.
>
> Just a few issues:
>
> a) You can't just limit UDP to 2Mbps on every edge port
> b) LO filter matches on 'port'
> c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
> d) hardcore doesn't permit traceroute
>
> Just a very short review; to me these errors are a monumental misunderstanding of security and of the goals of filters. To me starting from nothing is superior to starting from those.
>
> On Wed, 11 Jul 2018 at 21:23, Chris Boyd <cboyd at gizmopartners.com> wrote:
> >
> >
> >
> > > On Jul 11, 2018, at 1:17 PM, Drew Weaver <drew.weaver at thenap.com> wrote:
> > >
> > > Is there a list of best practices or 'things to think about' when constructing a firewall filter for a loopback on an MX series router running version 15 of Junos?
> > >
> > > I'm slowly piecing it together by just 'seeing what is broken next' and I have found some issue specific examples on Juniper.net thus far that tend to help with some of the issues but if anyone has ever seen a decent comprehensive guide that would be tremendously useful.
> > >
> > > If anyone has seen anything like this let me know; if not, no worries, I will just keep fixing the things one by one =)
> >
> > Team Cymru has a “JunOS Secure Template” that I found a good place to start. It quotes version 4 though.  I think that means it’s well tested?
> >
> > http://www.cymru.com/gillsr/documents/junos-template.pdf
> >
> > —Chris
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
>   ++ytti



--
  ++ytti
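As an added example (not from this thread and not the Team Cymru template), here is an IPv4 lo0 filter laid out along the lines of points a) and b) above: every accept term pins source, destination and port, TCP gets one term per direction, VRRP is accepted only at TTL 255, traceroute and ICMP are accepted from anywhere but policed, IP options get an explicit decision, and everything else is counted and discarded. The prefix lists, the documentation-range addresses in them, the policer rates and the term names are all placeholders I made up; the ddos-protection stanza from point c) is not shown, and the ttl match is assumed to be available on a Trio-based MX.

```junos
policy-options {
    prefix-list bgp-peers { 192.0.2.1/32; 192.0.2.2/32; }      /* constructed sample peers */
    prefix-list mgmt-hosts { 198.51.100.0/28; }                /* constructed management range */
    prefix-list router-loopbacks { 203.0.113.1/32; }           /* constructed lo0 address */
}
firewall {
    /* Rate for the two classes that cannot be source-matched; tune to your platform */
    policer cp-low { if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; } then discard; }
    family inet {
        filter protect-re {
            /* TCP needs one term per direction: sessions to us, and replies to sessions we open */
            term bgp-to-us {
                from { source-prefix-list { bgp-peers; } destination-prefix-list { router-loopbacks; } protocol tcp; destination-port bgp; }
                then accept;
            }
            term bgp-replies {
                from { source-prefix-list { bgp-peers; } destination-prefix-list { router-loopbacks; } protocol tcp; source-port bgp; destination-port 49160-65535; tcp-established; }
                then accept;
            }
            term ssh-from-mgmt {
                from { source-prefix-list { mgmt-hosts; } destination-prefix-list { router-loopbacks; } protocol tcp; destination-port ssh; }
                then accept;
            }
            /* Link-local protocol: a genuine neighbour always arrives with TTL 255 */
            term vrrp {
                from { protocol vrrp; ttl 255; }
                then accept;
            }
            /* UDP traceroute and ICMP must be accepted from the world, so police them instead */
            term traceroute-udp {
                from { protocol udp; destination-port 33434-33534; }
                then { policer cp-low; accept; }
            }
            term icmp {
                from { protocol icmp; }
                then { policer cp-low; accept; }
            }
            /* Explicit IP-options policy (lo0 now sees transit options too), then discard the rest */
            term ip-options {
                from { ip-options any; }
                then { count ip-options; discard; }
            }
            term discard-rest {
                then { count discard-rest; discard; }
            }
        }
    }
}
interfaces { lo0 { unit 0 { family inet { filter { input protect-re; } } } } }
```

The counters on the last two terms are what you watch with `show firewall` to find out what is "broken next" before it is silently dropped.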

