[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Saku Ytti saku at ytti.fi
Thu Jul 12 10:17:38 EDT 2018 

Hey Drew,

No idea. There isn't really command in JunOS to ask which PID is
listening on given port. I'm sure it's possible with dtrace, but I'm
not gonna figure out how to do it. I suspect inetd though.
On Thu, 12 Jul 2018 at 16:51, Drew Weaver <drew.weaver at thenap.com> wrote:
>
> This is probably a silly question but do you have any idea why ftp, http, and https show up as open ports in a port scan on an MX80 even when the services are unconfigured?
>
> Not shown: 997 filtered ports
> PORT    STATE SERVICE
> 21/tcp  open  ftp
> 80/tcp  open  http
> 443/tcp open  https
>
> [drew at nessie drew]# wget http://10.1.25.156
> --2018-07-12 09:49:28--  http://10.1.25.156/
> Connecting to 10.1.25.156:80... connected.
> HTTP request sent, awaiting response...
>
> drew at chuck> show configuration system services
> ssh {
>     root-login deny;
> }
>
> Thanks,
> -Drew
>
> -----Original Message-----
> From: Saku Ytti [mailto:saku at ytti.fi]
> Sent: Thursday, July 12, 2018 6:54 AM
> To: Drew Weaver <drew.weaver at thenap.com>
> Cc: cboyd at gizmopartners.com; Juniper List <juniper-nsp at puck.nether.net>
> Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
>
> I have not.
>
> But to answer your question broadly
>
> a) allow in very specific terms what you want to accept
>    - always match on source IP (except UDP traceroute and ICMP, which you'll need to accept from world)
>    - always match on destination IP, if you run any L3 MSPL VPN
>    - always match on destination port, either service port, BGP, SSH
> etc  or JunOS ephemeral (49160-65535)        (TCP requires 2 terns,
> one per direction)
>    - always match on TTL/hop-count 255 when permitted (VRRP, ND)
>    - decide your policy on IP options, and ensure lo0 implements that (transit IP-options are today subject to lo0. they were not in earlier JunOS, not even on Trio)
>    - be sure that source IPs you allow, cannot be spooffed. If I want to DDoS your network, first source address spoofs I'll try are ftp.juniper.net, ftp.cisco.com etc. Ensure you don't admit anything like that to control-plane
>  b) discard rest
>  c) implement ddos-protection
>     - configure _every_ protocol, set 10-100pps aggregate for protocols you don't know you need
>     - disable sub detection, enable ifl detection
>     - set ifl limit to 10th or 5th of aggregate at most (so you need
> >5 or >10 violating ifl to congest aggregate)
>     - have three categories 'dont care', 'care, but not customer impacting', 'customer impacting'. I'd recommend no more than 100pps, 4000pps and 8000pps aggregates per category. There is built-in magic policer from NPU=>LC_CPU, you can't review its drops nor can you reconfigure it, but you MUST NOT congest it, as it will drop packets blindly contract-unaware.
>
>
>
> On Wed, 11 Jul 2018 at 22:09, Drew Weaver <drew.weaver at thenap.com> wrote:
> >
> > Have you tried submitting your recommendations to the authors?
> >
> > -----Original Message-----
> > From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On
> > Behalf Of Saku Ytti
> > Sent: Wednesday, July 11, 2018 3:07 PM
> > To: cboyd at gizmopartners.com
> > Cc: Juniper List <juniper-nsp at puck.nether.net>
> > Subject: Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
> >
> > I'd say the filters are all kind of broken.
> >
> > Just few issues
> >
> > a) You can't just limit UDP to 2Mbps on every edge port
> > b) LO filter matches on 'port'
> > c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
> > d) hardcore doesnt permit traceroute
> >
> > Just very short review, to me just these errors are monumental misunderstanding of security and goals of filters. To me starting from nothing is superior than starting from those.
> >
> > On Wed, 11 Jul 2018 at 21:23, Chris Boyd <cboyd at gizmopartners.com> wrote:
> > >
> > >
> > >
> > > > On Jul 11, 2018, at 1:17 PM, Drew Weaver <drew.weaver at thenap.com> wrote:
> > > >
> > > > Is there a list of best practices or 'things to think about' when constructing a firewall filter for a loopback on an MX series router running version 15 of Junos?
> > > >
> > > > I'm slowly piecing it together by just 'seeing what is broken next' and I have found some issue specific examples on Juniper.net thus far that tend to help with some of the issues but if anyone has ever seen a decent comprehensive guide that would be tremendously useful.
> > > >
> > > > If anyone has seen anything like this let me know, if not no
> > > > worries will just keep fixing the things one by one =)
> > >
> > > Team Cymru has a “JunOS Secure Template” that I found a good place to start. It quotes version 4 though.  I think that means it’s well tested?
> > >
> > > http://www.cymru.com/gillsr/documents/junos-template.pdf
> > >
> > > —Chris
> > > _______________________________________________
> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
> >
> > --
> >   ++ytti
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
>   ++ytti



-- 
  ++ytti

More information about the juniper-nsp mailing list