[j-nsp] RE filter BCP

Jason Lixfeld jason-jnsp at lixfeld.ca
Fri Jan 4 08:33:46 EST 2019


> On Jan 4, 2019, at 8:10 AM, <adamv0025 at netconsultings.com> <adamv0025 at netconsultings.com> wrote:
> 
> Also in addition to the lengthy, complex and therefore often misconfigured
> RE filter a good practice is to have iACLs as a second layer of defence. 
> By that I mean a policy applied on all edge interfaces allowing only
> selected protocols (e.g. ICMP & BGP) to talk to any of your edge addresses
> (reachable from a particular VRF) and deny anything else destined to these
> or your internal infrastructure addresses.
> Such filters would mitigate the attack vector mentioned above.

In Cisco land, for management, one puts a filter on the VTY range, and also includes the vrf-also keyword where required.  Does JunOS have similar functionality, or would you need to put the filter on the fxp0/em0/whatever out-of-band management interface you're using, or the in-band management lo0 unit, depending on the user's desired management implementation?
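Added editorial example, not from either poster: a Junos configuration sketch of the two layers discussed in this thread, an RE protection filter applied as an input filter on lo0 (Junos evaluates a lo0 input filter against all traffic destined to the Routing Engine, so a filter on lo0.0 covers the default instance, and a VRF's own lo0 unit takes its own filter; fxp0 can carry an ordinary interface filter as well), plus an iACL on an edge interface that permits only BGP and ICMP to infrastructure addresses and discards everything else aimed at them while letting transit through. The interface names, prefix lists and addresses (RFC 5737 documentation ranges) are assumptions for illustration.

```junos
/* Assumed address sets: edge/loopback addresses, BGP peers, management hosts */
policy-options {
    prefix-list infrastructure {
        192.0.2.0/24;        /* loopbacks and link addresses (assumed) */
    }
    prefix-list bgp-peers {
        198.51.100.0/24;     /* eBGP neighbours (assumed) */
    }
    prefix-list mgmt-hosts {
        203.0.113.0/28;      /* jump hosts allowed to SSH (assumed) */
    }
}
firewall {
    family inet {
        /* Layer 1: RE filter, applied to lo0 so it covers traffic to the RE */
        filter protect-re {
            term allow-bgp {
                from {
                    source-prefix-list { bgp-peers; }
                    protocol tcp;
                    port bgp;            /* matches source or destination 179 */
                }
                then accept;
            }
            term allow-icmp {
                from { protocol icmp; }
                then accept;
            }
            term allow-ssh {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-rest {
                then {
                    count re-denied;
                    discard;
                }
            }
        }
        /* Layer 2: iACL on edge interfaces, second line of defence if the
           RE filter above is misconfigured */
        filter edge-iacl {
            term infra-bgp {
                from {
                    source-prefix-list { bgp-peers; }
                    destination-prefix-list { infrastructure; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term infra-icmp {
                from {
                    destination-prefix-list { infrastructure; }
                    protocol icmp;
                }
                then accept;
            }
            term infra-deny {
                from {
                    destination-prefix-list { infrastructure; }
                }
                then {
                    count iacl-denied;
                    discard;
                }
            }
            term transit {
                then accept;         /* customer/transit traffic passes */
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input protect-re; }
            }
        }
    }
    ge-0/0/0 {                       /* assumed edge interface */
        unit 0 {
            family inet {
                filter { input edge-iacl; }
            }
        }
    }
}
```

The counters on the two deny terms are worth keeping: `show firewall filter protect-re` and `show firewall filter edge-iacl` then show whether anything is reaching the last line of either filter, which is the quickest way to spot a protocol that the RE filter forgot. Any additional control-plane protocol in use (OSPF, LDP, NTP, SNMP, BFD) needs its own explicit term before `deny-rest`, and the same structure applies per routing instance if a VRF has its own lo0 unit.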

