On 1/13/14, 8:10 PM, Mark Tees wrote:
> Thanks Ben, I will review those links.
>
> I have the MX book and have read a decent portion of it. That's what I was
> referring to. A quick glance shows some similar examples as to what was in
> the MX book. Same author so it makes sense.
RFC 6192 http://tools.ietf.org/search/rfc6192 has good examples of Juniper and Cisco control-plane ACLs for IPv4 and IPv6. Doug's book is, as you noted, also rather good. IMHO this is basic belt and suspenders for router deployment and everyone should do this.

> On Tue, Jan 14, 2014 at 2:52 PM, Ben Dale <bd...@comlinx.com.au> wrote:
>
>> On 14 Jan 2014, at 12:31 pm, Mark Tees <markt...@gmail.com> wrote:
>>
>>> What I was referring to was a detailed ACL/Filter for lo0 that only allows
>>> traffic for enabled services on the routing engine.
>>>
>>> For example if Juniper posted a firewall filter template with all the
>>> possible services customers could then activate/deactivate what they need
>>> from the policy and log fails before discarding etc.
>>
>> What you think you're after is "show system connections" which is more or
>> less "netstat -an" and shows all ports that are listening on your RE - you
>> can now filter at will.
>>
>> Providing a list of every service for people to modify is not going to
>> solve these problems - "Oh hey, I'm using NTP, I'd better enable all those
>> rules"..
>>
>> What you actually want is an ACL with ONLY the services you've actually
>> configured and understand from the source/destinations you're using them
>> from and deny all else - then you *mostly* don't need to worry about this
>> sort of thing.
>>
>> If your employer is too tight to spring for the MX book (worth every cent
>> and then some), the following free Day One books will provide everything
>> you're after (sign up for a J-Net login if you don't already have one):
>>
>> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/
>>
>> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hardening-junos-devices-checklist/
>>
>> http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/configuring-junos-policies/
>>
>> Ben
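For readers who want to see what the "only the services you've actually configured, from the sources you actually use them from, deny and log all else" advice looks like in Junos, the following is an added illustration; it is not Ben's configuration and not taken from RFC 6192 or the Day One books. The prefix-list names, the `protect-re` filter name, the `icmp-limit` policer and the 192.0.2.0/24 management range are constructed placeholders; the `apply-path` statements are the real Junos feature that derives a prefix-list from other parts of the configuration, which is what keeps the filter tied to the BGP peers and NTP servers that exist rather than to a template.

```junos
/* Added example, not from the thread or the Day One books. Names and
   the 192.0.2.0/24 management range are constructed placeholders. */
policy-options {
    /* Hosts allowed to open SSH to the RE (constructed range) */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
    /* Allowed BGP sources are derived from the neighbours actually
       configured, so the filter follows the config, not a template */
    prefix-list bgp-peers {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    /* Same idea for NTP: only servers under [system ntp] may reach us */
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    /* Keep ICMP useful (ping, traceroute, PMTUD) but bounded */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            term bgp-from-configured-peers {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term ntp-from-configured-servers {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    port ntp;
                }
                then accept;
            }
            term icmp-rate-limited {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-limit;
                    accept;
                }
            }
            /* Everything else: count and log it, then drop it. The log
               shows what is being missed before anyone widens the filter. */
            term default-deny {
                then {
                    count re-denied;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Two things worth knowing before committing something like this on a production box. First, a session the router itself initiates (an SSH hop from the RE, for instance) gets its replies dropped by `default-deny` unless a `tcp-established` term from trusted sources is added; that is the usual next term in the Day One version. Second, this is `family inet` only; IPv6 peers and management need a parallel `family inet6` filter, which is why RFC 6192 gives both. After commit, `show firewall filter protect-re` shows the `re-denied` counter climbing and `show log messages` carries the syslog entries, so the first few days tell you exactly which legitimate service (if any) the filter is missing, which is the evidence Ben suggests gathering with "show system connections" before rather than after.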
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp